Locating ARM JTAG port

Hi there, I have an embedded board with an ARM processor on it. There are also about 150 "test points" on the board. Does anybody have an idea how I can locate the JTAG port within all these test points? I would like to attach a debugger; and before you ask: no, I don't have any documentation... it's reverse engineering ;-)

Thanks in advance /Chris

Reply to
Christian Schleiffer

There's no generic way. Is it a custom chip, or a standard part - if the latter, do you have the pinouts for it?

Reply to
larwe

What are the part numbers of the chips? How many chips are on the board? What's the number of pins on each side of the largest chip?

Please list all the above or at least post some pics.

Reply to
Donald

Unfortunately it seems to be a custom chip. At least I can't find anything on the web => no pinout (except for the pins I can trace to the flash memory and DRAM chip).

Reply to
Christian Schleiffer

I don't have the board at hand right now. But, I am pretty sure it is a custom chip, and I've signed an NDA for that project. Publishing that number would make a too obvious link to the device, I guess. Well, the other chips on the board are well-known standard parts and don't have JTAG ports... there is no JTAG chain.

Four: CPU, flash, DRAM, EEPROM. Flash and DRAM are connected with independent buses, EEPROM is a serial type.

"Largest chip"... do you mean by area? gates? pin count? Well, the CPU has a BGA package. I would have to rip that off the board to count the contacts.

Hmm, hope that can help!?! I'll have access to the board on Monday morning again.

Reply to
Christian Schleiffer

Then forget about it. There is no generic way of tracing out the JTAG lines.

It is _probable_ that these lines run directly to the micro and nothing else, besides possibly a pullup resistor and (in the case of nTRST) possibly a cap to ground. Beyond that, there's nothing to help you guess what goes where.

In mass-market applications like set-top boxes, which is what I guess you have there, it is not usual to program via JTAG at ICT - the flash chips are normally preprogrammed externally. So the JTAG interface might not even come to test points.

I assume you've already searched the board looking for appropriately sized groups of contacts or an unpopulated space for a header.

Do you even know it is an ARM? There are numerous proprietary 32-bit RISC cores used in multimedia applications, you know.

Reply to
larwe

If the part number starts with ES, it is not an ARM...

Reply to
larwe

Damn, that's what I feared.

Yes, my first try :)

I have a disassembly of the flash memory and some logic analyzer traces of the flash chip... it is an ARM.

Reply to
Christian Schleiffer

No, it doesn't. It is an ARM. That's about the only thing I know of this chip.

Reply to
Christian Schleiffer

So what are you trying to do - capture smartcard transaction data in mid-stream?

Reply to
larwe

Wow, nice smartcard ;) No, I need to know what's happening at a particular moment. It's some crypto-related stuff and since the firmware is quite big, the CPU has a cache, runs an RTOS and some obfuscating techniques have been utilized, it is a really hard task to just analyze the disassembly. A debugger interface would have made it much easier. Modifying the code and inserting some kind of spy hasn't worked yet.

Reply to
Christian Schleiffer

Most of these sorts of questions boil down to someone with a satellite receiver trying to work out how to hack the access card interface. That's why I asked.

That would have been my next suggestion.

If you have gotten deep enough into this device to get an NDA, how come they didn't give you pinouts?

What is the development system - a flash emulator that goes into the flash space, or do you have to burn and pray every time you modify the code?

Reply to
larwe

Nope, nothing like that. No smartcards and no satellite receiver.

My company is contracted to crack that device (not by the manufacturer).

By now I wish I had an emulator. It's burning and praying because we actually didn't want to go that way and hoped it wouldn't be too many modifications.

Reply to
Christian Schleiffer

If this is a consumer device, have you searched for other third-party hacking efforts?

Reply to
larwe

JTAGs are usually 10, 14 or 20 pins in 2 rows. Anything like that?

You should be able to guess by the vias on the bottom of the PCB.

Reply to
linnix

Yes. No hits.

Reply to
Christian Schleiffer

That was my first try. Nothing like that.

Might work. But would it be of any help?

Reply to
Christian Schleiffer

Only if it's a relabeled chip, not a real custom chip. You can compare the power and ground grids with popular chips.

Reply to
linnix
[...]

Ok, good idea. I haven't thought about relabeling yet.

Reply to
Christian Schleiffer

Okay, second try. I remember a 256 being in the chip label. Might be a BGA256 package. I'll check that Monday morning.

Reply to
Christian Schleiffer
