Teardown: Cobra XRS 9740 Radar Detector

Drivers with a lead foot more often than not have Waze open on their phone so they can see if other drivers have spotted cops up ahead. But avoiding a speeding ticket used to involve a lot more hardware than software. Back before the smartphone revolution, that same driver would have had a radar detector on their dashboard. That’s not to say the gadgets are completely unused today, but between their relatively high cost (one of the top rated models on Amazon as of this writing costs over $300) and the inevitable false positives from so many vehicles on the road having their own radar and LIDAR systems, they’ve certainly become a less common sight over the years.

The subject of today’s teardown is a perfect example of “Peak Radar Detector”. Manufactured back in 2007, the Cobra XRS 9740 would have been a fairly mid-range entry offering the sort of features that would have been desirable at the time. Over a decade ago, having an alphanumeric display, voice alerts, and a digital compass were all things worth shouting about on the box the thing was sold in. Though looking like some kind of Cardassian warship was apparently just an added bonus.

As the name implies these devices are primarily for detecting radar activity, but by this point they’d also been expanded to pick up infrared lasers and the strobe beacons on emergency vehicles. But false positives were always a problem, so the device allows the user to select which signals it should be on the lookout for. If you were getting some kind of interference that convinced the detector it was being bombarded with IR lasers, you could just turn that function off without having to pull the plug entirely.

But it’s important to remember that this device was built back when people were still unironically carrying around flip phones. Detecting laser and multi-band radars might sound like something pulled from the spec sheet of a stealth fighter jet, but this is still a piece of consumer electronics from more than a decade in the past. So let’s crack it open and take a look at what goes on inside a radar detector that’s only a few years away from being old enough to get its own driver’s license.

The Newbie’s Guide To JTAG

Do you even snarf?

If not, it might be because you haven’t mastered the basics of JTAG and learned how to dump, or snarf, the firmware of an embedded device. This JTAG primer will get you up to snuff on snarfing, and help you build your reverse engineering skills.

Whatever your motivation for diving into reverse engineering devices with microcontrollers, JTAG skills are a must, and [Sergio Prado]’s guide will get you going. He starts with a description and brief history of the Joint Test Action Group interface, from its humble beginnings as a PCB testing standard to the de facto standard for testing, debugging, and flashing firmware onto devices. He covers how to locate the JTAG pads – even when they’ve been purposely obfuscated – including the use of brute-force tools like the JTAGulator. Once you’ve got a connection, his tutorial helps you find the firmware in flash memory and snarf it up to a file for inspection, modification, or whatever else you have planned.

We always appreciate guides like these that cover the basics, since not everyone is in the same place in their hardware hacking journey. This puts us in the mood to crack something open and start looking for pins, if for no other reason than to get some practice.

[Thumbnail image source: LufSec]

Xbox Controller Provides Intro To SWD Hacking

It’s amazing to see how much technology is packed into even the “simple” devices that we take for granted in modern life. Case in point, the third party Xbox controller that [wrongbaud] recently decided to tear into. Not knowing what to expect when he cracked open its crimson red case, inside he found an ARM Cortex microcontroller and a perfect excuse to play around with Serial Wire Debug (SWD).

Though even figuring out that much took a bit of work. As is depressingly common, all the interesting components on the controller’s PCB were locked away behind a black epoxy blob. He had no idea what chip was powering the controller, much less what debugging protocols it might support. But after poking around the board with his multimeter, he eventually found a few test points sitting at 3.3 V which he thought was likely some kind of a programming header. After observing that pulling the line labelled “RES” low reset the controller, he was fairly sure he’d stumbled upon a functional JTAG or SWD connection.

The Serial Wire Debug architecture.

As [wrongbaud] explains in his detailed blog post, SWD is something of a JTAG successor that’s commonly used by ARM hardware. Using just two wires (data and clock), SWD provides hardware debugging capabilities on pin constrained platforms. It allows you to step through instructions, read and write to memory, even dump the firmware and flash something new.

For the rest of the post, [wrongbaud] walks the reader through working with an SWD target, from compiling the latest version of OpenOCD and wiring an FTDI adapter to the port, all the way to navigating through the firmware and unlocking the chip so you can upload your own code.

To prove he’s completely conquered the microcontroller, he ends the post by modifying the USB descriptor strings in the firmware to change what it says when the controller is plugged into the computer. From here, it won’t take much more to get some controller macros like rapid fire implemented; a topic we imagine he’ll be covering in the future.

This post follows something of a familiar formula for [wrongbaud]. As part of his continuing adventures in hardware hacking, he finds relatively cheap consumer devices and demonstrates how they can be used as practical testbeds for reverse engineering. You might not be interested in changing the ROM that a Mortal Kombat miniature arcade cabinet plays, but learning about the tools and techniques used to do it is going to be valuable for anyone who wants to bend silicon to their will.

Hackaday Podcast 053: 1-Bit Computer Is A Family Affair, This Displays Is Actually Fabulous, And This Hoverboard Is A Drill Press

Hackaday editors Mike Szczys and Elliot Williams navigate the crowded streets of the hackersphere for the most interesting hardware projects seen in the past week. Forget flip-dot displays, you need to build yourself a sequin display that uses a robot finger and sequin-covered fabric to send a message. You can do a lot (and learn a lot) with a 1-bit computer called the WDR-1. It’s never been easier to turn a USB port into an embedded systems dev kit by using these FTDI and Bluepill tricks. And there’s a Soyuz hardware teardown you don’t want to miss.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Slice Through Your Problems With A Shukran

We’d wager most hackers are familiar with FTDI as the manufacturer of the gold standard USB-UART interfaces. Before parts like the ultra cheap CH340 and CP2102 became common, if you needed to turn a USB cable into a TTL UART device, “an FTDI” (probably an FT232RL) was the way to make that happen. But some of the parts in the FT232* family are capable of much more. Wanting to get at more than a UART, [linker3000] designed the Shukran to unlock the full potential of the FT232H.

The FT232H is interesting because it’s an exceptionally general purpose interface device. Depending on configuration it can turn USB into UART, JTAG, SPI, I2C, and GPIO. Want to prototype the driver for a new sensor? Why bother flashing your Teensy when you can drive it directly from the development machine with an FT232H and the appropriate libraries?

The Shukran is actually a breakout for the “CJMCU FT232H” module available from many fine internet retailers. This board is a breakout that exposes a USB-A connector on one side and standard 0.1″ headers on the other, with a QFN FT232H and all the passives in the middle. But bare 0.1″ headers (in a square!) require either further breadboarding or a nest of jumper wires to be useful. Enter the Shukran. In this arrangement, the CJMCU board is cheap and handles the SMT components, and the Shukran is easy to assemble and makes it simple to use.

The Shukran gives you LEDs, buttons and switches, and a bunch of pull up resistors (for instance, for I2C) on nicely grouped and labeled headers. But most importantly it provides a fused power supply. Ever killed the USB controller in your computer because you forgot to inline a sacrificial USB hub? This fuse should take care of that risk. If you’re interested in building one of these handy tools, sources and detailed BOM as well as usage instructions are available in the GitHub repo linked at the top.

Old Cisco WAN Card Turned FPGA Playground

Many of us think of FPGAs as some new cutting edge technology, but the fact of the matter is that they’ve been around for quite some time. They’ve just traditionally been used in hardware that’s too expensive for us lowly hackers. A case in point is the Cisco HWIC-3G-CDMA WAN card. A decade ago these would have been part of a router valued in the tens of thousands of dollars, but today they can be had for less than $10 USD on eBay. At that price, [Tom Verbeure] thought it would be worth finding out if they could be repurposed as generic FPGA experimentation devices.

So as not to keep you in suspense, the short answer is a resounding yes. In the end, all [Tom] had to do was figure out what voltages the HWIC-3G-CDMA was expecting on the edge connector, and solder a 2×5 connector onto the helpfully labeled JTAG header. Once powered up and connected to the computer, Intel’s Quartus Programmer software immediately picked up the board’s Cyclone II EP2C35F484C8 chip. The blinking LEDs seen in the video after the break serve as proof that these bargain bin gadgets are ripe for hacking.

Unfortunately, there’s a catch. After studying the rest of the components on the board, [Tom] eventually came to the conclusion that the HWIC-3G-CDMA has no means of actually storing the FPGA’s bitstream. Presumably it was provided by the router itself during startup. If you just want to keep the board tethered to your computer for experimenting, that’s not really a big deal. But if you want to use it in some kind of project, you’ll need to include a microcontroller capable of pushing the roughly 1 MB bitstream into the FPGA to kick things off.

It might not be as easy to get up and running as the 2019 Hackaday Superconference badge, but it’s certainly a lot easier to get your hands on.

A Raspberry Pi Is A Hardware Hacker’s Swiss Army Knife

By now most of us have used a Raspberry Pi at some level or another. As a headless server it’s a great tool because of its price point, and as an interface to the outside world the GPIO pins are incredibly easy to access with a simple Python script. For anyone looking for guidance on using this device at a higher level, though, [Arun] recently created a how-to for using some of the Pi’s available communications protocols.

Intended to be a do-everything “poor man’s hardware hacking tool” as [Arun] claims, his instruction manual details all the ways that a Raspberry Pi can communicate with other devices using SPI and I2C, two of the most common methods of interacting with other hardware beyond simple relays. If you need to go deeper, the Pi can also be used as a full JTAG interface or SWD programmer for ARM chips. Naturally, UART serial is baked in. What more do you need?

As either a tool to keep in your toolbox for all the times you need to communicate with various pieces of hardware, or as a primer for understanding more intricate ways of using a Raspberry Pi to communicate with things like sensors or other computers, this is a great write-up. We also have more information about SPI if you’re curious as to how the protocol works.

Thanks to [Adrian] for the tip!