Hi there, I have an embedded board with an ARM processor on it. There are also about 150 "test points" on the board. Does anybody have an idea how I can locate the JTAG port within all these test points? I would like to attach a debugger; and before you ask: no, I don't have any documentation... it's reverse engineering ;-)
Unfortunately it seems to be a custom chip. At least I can't find anything on the web => no pinout (except for the pins I can trace to the flash memory and DRAM chip)
I don't have the board at hand right now. But, I am pretty sure it is a custom chip, and I've signed an NDA for that project. Publishing that number would make a too obvious link to the device, I guess. Well, the other chips on the board are well known standard parts and don't have JTAG ports... there is no JTAG chain.
Four: CPU, flash, DRAM, EEPROM. Flash and DRAM are connected with independent busses, EEPROM is a serial type.
"Largest chip"... do you mean by area? gates? pin count? Well, the CPU has a BGA package. I would have to rip that off the board to count the contacts.
Hmm, hope that helps!?! I'll have access to the board on monday morning again.
Then forget about it. There is no generic way of tracing out the JTAG lines.
It is _probable_ that these lines run directly to the micro and nothing else, besides possibly a pullup resistor and (in the case of nTRST) possibly a cap to ground. Beyond that, there's nothing to help you guess what goes where.
In mass-market applications like set-top boxes, which is what I guess you have there, it is not usual to program via JTAG at ICT - the flash chips are normally preprogrammed externally. So the JTAG interface might not even come to test points.
I assume you've already searched the board looking for appropriately sized groups of contacts or an unpopulated space for a header.
Do you even know it is an ARM? There are numerous proprietary 32-bit RISC cores used in multimedia applications, you know.
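If the hints above (groups of contacts, pull-ups on the lines, nTRST with its cap) narrow the 150 test points down to a handful of candidates, the usual next step is to stop tracing copper and brute-force the assignment electrically: try every (TCK, TMS, TDO) permutation over the candidates, walk the TAP to Shift-DR and see whether a plausible 32-bit IDCODE comes out. This is an added example, not code from the thread: the TAP, the board, the test point names (TP3, TP7, ...) and the IDCODE value are all constructed stand-ins for the unknown CPU, so the scan runs offline against a simulation rather than real hardware.

```python
"""Brute-force JTAG pin identification by IDCODE scan, run against a simulated TAP.
Added example, not from the original thread: board, test point names and IDCODE are constructed."""
from itertools import permutations

FAKE_IDCODE = 0x12345679  # constructed; IEEE 1149.1 requires bit 0 of an IDCODE to be 1
_NEXT = {  # TAP state -> (next state on TMS=0, next state on TMS=1)
    "RESET": ("IDLE", "RESET"), "IDLE": ("IDLE", "SELECT_DR"),
    "SELECT_DR": ("CAPTURE_DR", "SELECT_IR"), "CAPTURE_DR": ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR": ("SHIFT_DR", "EXIT1_DR"), "EXIT1_DR": ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR": ("PAUSE_DR", "EXIT2_DR"), "EXIT2_DR": ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR": ("IDLE", "SELECT_DR"), "SELECT_IR": ("CAPTURE_IR", "RESET"),
    "CAPTURE_IR": ("SHIFT_IR", "EXIT1_IR"), "SHIFT_IR": ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR": ("PAUSE_IR", "UPDATE_IR"), "PAUSE_IR": ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR": ("SHIFT_IR", "UPDATE_IR"), "UPDATE_IR": ("IDLE", "SELECT_DR"),
}

class SimulatedTap:
    """Just enough IEEE 1149.1 TAP: after reset the 32-bit IDCODE register sits in the DR path."""
    def __init__(self, idcode):
        self.idcode, self.state, self.dr, self.tdo = idcode, "RESET", idcode, 1

    def clock(self, tms, tdi, ntrst=1):
        """One TCK rising edge; nTRST low forces Test-Logic-Reset whatever TCK/TMS do."""
        if not ntrst:
            self.state, self.dr, self.tdo = "RESET", self.idcode, 1
            return
        if self.state in ("RESET", "CAPTURE_DR"):
            self.dr = self.idcode                   # IDCODE captured into the DR
        elif self.state == "SHIFT_DR":
            self.dr = (self.dr >> 1) | (tdi << 31)  # TDI enters at bit 31, bit 0 leaves on TDO
        self.state = _NEXT[self.state][tms]
        self.tdo = (self.dr & 1) if self.state == "SHIFT_DR" else 1  # TDO floats (pull-up) outside Shift-DR

class SimulatedBoard:
    """Test points wired to TAP signals or static nodes; the scanner only sees read()/write()."""
    def __init__(self, tap, wiring, ntrst_level=1):
        self.tap, self.wiring = tap, wiring         # wiring: test point -> signal name, or 0/1
        self.pin_of = {sig: tp for tp, sig in wiring.items() if isinstance(sig, str)}
        self.default = {tp: (sig if isinstance(sig, int) else 1) for tp, sig in wiring.items()}
        self.default[self.pin_of["nTRST"]] = ntrst_level  # whatever the reset network holds it at
        self.release_all()
    def release_all(self):  # scanner stops driving: pins return to pull-ups / static levels
        self.level = dict(self.default)
    def read(self, tp):
        return self.tap.tdo if self.wiring[tp] == "TDO" else self.level[tp]
    def write(self, tp, value):
        if self.wiring[tp] == "TDO":
            return                                  # driving the chip's output has no effect here
        rising = self.wiring[tp] == "TCK" and self.level[tp] == 0 and value == 1
        self.level[tp] = value
        if rising:
            self.tap.clock(*(self.level[self.pin_of[s]] for s in ("TMS", "TDI", "nTRST")))

def pulse(board, tck):
    board.write(tck, 0)
    board.write(tck, 1)

def goto_shift_dr(board, tck, tms):
    for tms_bit in (1, 1, 1, 1, 1, 0, 1, 0, 0):  # 5x TMS=1 reaches Test-Logic-Reset; 0,1,0,0 -> Shift-DR
        board.write(tms, tms_bit)
        pulse(board, tck)

def shift_dr(board, tck, tdo, tdi=None, data=0, nbits=32):
    """Clock nbits through the DR, optionally driving tdi with data LSB first; returns TDO bits."""
    out = 0
    for i in range(nbits):
        out |= board.read(tdo) << i
        if tdi is not None:
            board.write(tdi, (data >> i) & 1)
        pulse(board, tck)
    return out

def find_tap(board, candidates):
    """Try every (TCK, TMS, TDO) assignment; reading IDCODE needs no TDI, so it stays undriven."""
    hits = []
    for tck, tms, tdo in permutations(candidates, 3):
        board.release_all()
        goto_shift_dr(board, tck, tms)
        idcode = shift_dr(board, tck, tdo)
        if idcode & 1 == 1 and idcode != 0xFFFFFFFF:  # all-ones is just a pulled-up, undriven TDO
            hits.append({"TCK": tck, "TMS": tms, "TDO": tdo, "IDCODE": idcode})
    board.release_all()
    return hits

def find_tdi(board, tck, tms, tdo, candidates, pattern=0xA5C3F00D):
    """TDI is the pin whose driven pattern comes back out of TDO one DR length (32 clocks) later."""
    for cand in (c for c in candidates if c not in (tck, tms, tdo)):
        board.release_all()
        goto_shift_dr(board, tck, tms)
        shift_dr(board, tck, tdo, tdi=cand, data=pattern)  # pattern in, IDCODE out
        if shift_dr(board, tck, tdo) == pattern:
            return cand
    return None

# Constructed board: seven candidate test points picked out of the ~150 on the real one
WIRING = {"TP3": "TMS", "TP7": "TCK", "TP9": "TDI", "TP12": "TDO", "TP15": "nTRST", "TP21": 1, "TP40": 0}

def scan(ntrst_level=1):
    board = SimulatedBoard(SimulatedTap(FAKE_IDCODE), WIRING, ntrst_level)
    hits = find_tap(board, list(WIRING))
    tdi = find_tdi(board, hits[0]["TCK"], hits[0]["TMS"], hits[0]["TDO"], list(WIRING)) if hits else None
    return hits, tdi
```

`scan()` identifies TP7/TP3/TP12 as TCK/TMS/TDO and then TP9 as TDI; `scan(0)` models nTRST held low, in which case the TAP never leaves Test-Logic-Reset and no assignment is found, which is why the reset line has to be located (or at least confirmed high) before any scan result means anything. The permutation count grows roughly as n³ in the number of candidates, so the narrowing suggested above is what makes this practical, and on real hardware every attempt drives unknown test points, some of which may be outputs or reset inputs; the simulation ignores that, a bench scan should not.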
Wow, nice smartcard ;) No, I need to know what's happening at a particular moment. It's some crypto-related stuff, and since the firmware is quite big, the CPU has a cache and runs an RTOS, and some obfuscating techniques have been utilized, it is a really hard task to just analyze the disassembly. A debugger interface would have made it much easier. Modifying the code and inserting some kind of spy hasn't worked yet.
Most of these sorts of questions boil down to someone with a satellite receiver trying to work out how to hack the access card interface. That's why I asked.
That would have been my next suggestion.
If you have gotten deep enough into this device to get an NDA, how come they didn't give you pinouts?
What is the development system - a flash emulator that goes into the flash space, or do you have to burn and pray every time you modify the code?
Nope, nothing like that. No smartcards and no satellite receiver.
My company is contracted to crack that device (not by the manufacturer).
By now I wish I had an emulator. It's burning and praying because we actually didn't want to go that way and hoped there wouldn't be too many modifications.