maybe someone can give me some advice to know if jtag is disabled on the target board ?
I read about:
hxxp://deadhacker.com/2012/06/08/ backdoor silicon fud
Maybe arduino may help ?
is it possible that only tdo is disabled but the jtag chain is still working as it should ?
sorry if this was already asked in this forum....
jtag disabled ?
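One way to answer the "is the TAP alive or is only TDO cut?" question from the post above, as an added example that is not from the thread or from any of the tools it mentions: a minimal bit-banged JTAG probe that reads the 32-bit IDCODE register straight after Test-Logic-Reset and classifies what comes back (a constant level means TDO is not driven; a leading 0 bit means BYPASS was selected because the part has no IDCODE). Pin access goes through two function pointers, so the same driver would run from an Arduino-style GPIO wrapper (hypothetical, not shown) or, as here, against a constructed TAP simulator so the file runs offline.

```c
#include <stdint.h>
/* Added example (not from the thread): a minimal bit-banged JTAG liveness probe.  Pin access goes
 * through function pointers, so the driver is the same whether it talks to real GPIO (hypothetical,
 * e.g. from an Arduino sketch) or to the constructed TAP simulator at the bottom of this file. */
typedef struct { void (*set)(int tck, int tms, int tdi); int (*tdo)(void); } jtag_io;
typedef enum { JTAG_ALIVE = 0, JTAG_TDO_STUCK = 1, JTAG_NO_IDCODE = 2 } jtag_verdict;
static void clk(const jtag_io *io, int tms, int tdi) { io->set(0, tms, tdi); io->set(1, tms, tdi); }
static void tap_reset(const jtag_io *io) { for (int i = 0; i < 5; i++) clk(io, 1, 0); clk(io, 0, 0); }

/* From Run-Test/Idle: enter Shift-DR, clock n bits out of TDO (LSB first), return to Idle. */
static uint32_t shift_dr(const jtag_io *io, int n) {
    uint32_t in = 0;
    clk(io, 1, 0); clk(io, 0, 0); clk(io, 0, 0);            /* Select-DR -> Capture-DR -> Shift-DR */
    for (int i = 0; i < n; i++) {
        int last = (i == n - 1);                             /* TMS=1 on the final bit exits Shift-DR */
        io->set(0, last, 0); in |= (uint32_t)io->tdo() << i; /* sample TDO before the rising edge */
        io->set(1, last, 0);
    }
    clk(io, 1, 0); clk(io, 0, 0);                            /* Exit1-DR -> Update-DR -> Idle */
    return in;
}

/* After Test-Logic-Reset the IR holds IDCODE (or BYPASS on parts without one), so one DR scan shows
 * whether TDO is driven at all and whether a TAP is actually answering behind it. */
jtag_verdict jtag_probe(const jtag_io *io, uint32_t *idcode) {
    tap_reset(io);
    *idcode = shift_dr(io, 32);
    if (*idcode == 0 || *idcode == 0xFFFFFFFFu) return JTAG_TDO_STUCK; /* pin cut or tied: constant level */
    if ((*idcode & 1) == 0) return JTAG_NO_IDCODE;                     /* IEEE 1149.1: IDCODE bit 0 is 1 */
    return JTAG_ALIVE;
}

/* Constructed target: the 16-state TAP controller with a 32-bit IDCODE register and a TDO enable. */
enum { TLR, RTI, SELDR, CAPDR, SHDR, EX1DR, PAUDR, EX2DR, UPDR, SELIR, CAPIR, SHIR, EX1IR, PAUIR, EX2IR, UPIR };
static const uint8_t next_st[16][2] = {            /* [state][TMS] on the rising edge of TCK */
    {RTI,TLR},{RTI,SELDR},{CAPDR,SELIR},{SHDR,EX1DR},{SHDR,EX1DR},{PAUDR,UPDR},{PAUDR,EX2DR},{SHDR,UPDR},
    {RTI,SELDR},{CAPIR,TLR},{SHIR,EX1IR},{SHIR,EX1IR},{PAUIR,UPIR},{PAUIR,EX2IR},{SHIR,UPIR},{RTI,SELDR}};
static struct { int st, prev_tck, tdo_enabled; uint32_t dr, idcode; } sim;
void sim_init(uint32_t idcode, int tdo_enabled) {
    sim.st = TLR; sim.prev_tck = 0; sim.dr = 0; sim.idcode = idcode; sim.tdo_enabled = tdo_enabled;
}
static void sim_set(int tck, int tms, int tdi) {
    if (tck && !sim.prev_tck) {                              /* rising edge: act in current state, then move */
        if (sim.st == CAPDR) sim.dr = sim.idcode;
        if (sim.st == SHDR)  sim.dr = (sim.dr >> 1) | ((uint32_t)tdi << 31);
        sim.st = next_st[sim.st][tms & 1];
    }
    sim.prev_tck = tck;
}
/* A disabled TDO reads as a constant pulled-up '1' no matter what the TAP does. */
static int sim_tdo(void) { return sim.tdo_enabled ? (sim.st == SHDR ? (int)(sim.dr & 1) : 0) : 1; }
const jtag_io sim_io = { sim_set, sim_tdo };
```

On real hardware the verdict only tells you whether the debug port answers at all; a TAP that responds with a valid IDCODE can still have its debug access fused off further in, which this probe cannot see.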
- Junior Member
- Posts: 158
- Joined: Fri May 03, 2013 6:00 pm
- Location: Wild Wild West
- Contact:
Yes, JTAG connections are disabled
duffy wrote: ... maybe someone can give me some advice to know if jtag is disable on the target board ? ...
As with many other devices, the newer models of set-top boxes have disabled the (E)JTAG connection and locked the flash against tampering. Some of the measures are hardware related (usually removal or addition of a resistor), others are firmware locks. The locks protect certain sectors of the flash from being modified, or there is a hardware watchdog that is also enabled/disabled by the firmware. There are commands that enable or disable those features (as with many other convenient features that are disabled by default at CACO's demand). Unfortunately those commands (usually via serial port) don't work at lower levels (without authorization), while the higher security levels require tokens to be accessed.
I know this didn't help you much, but the serious hackers always find ways to circumvent those measures. Unfortunately that takes significant time and money to figure out, and motivation as well.
- Junior Member
- Posts: 101
- Joined: Fri Mar 31, 2006 12:15 pm
yeah exactly, thanks for posting ....
I wasn't really asking for "help" but a little more discussion about this... sometimes I wish for a little more knowledge in disassembly and code like some members here...
we already learned about these kinds of software and hardware watchdogs like the old ph unit (hardware) and dvi3000 (software). About this last one, and after some research, the firm 00 seems interesting for study... at least, telnet access is cool for debug purposes...
always a good hobby to learn about techno...
- Junior Member
- Posts: 158
- Joined: Fri May 03, 2013 6:00 pm
- Location: Wild Wild West
- Contact:
duffy wrote: ... we already learn about theses kind of software and hardware watchdog like old ph unit (hardware) and dvi3000 (software)..
Here are just a few commands that might be executed from the serial port, but unfortunately the box must be loaded with a special diagnostic code in order for these to work; the samples are for one of the newer DCX models:
14 "Dump memory of address by user input address range"
17 "Flash protect/unprotect for 100k times"
32 "Enable HW Watchdog"
33 "Kick the Dog--Watchdog test"
60 "Flash Password unLock and unprotect sectors"
61 "Flash Password Lock and protect sectors 0-7"
63 "OTP lock EJTAG"
87 "Ethernet External loop back test"
88 "Rear panel USB_1 Test"
89 "Front panel USB_2 Test"
One may see now why the JTAG connection doesn't work: it's simply disabled, but hopefully one day there will be a solution available. I hope that the webmaster will continue the support for his tool. The problem is that the people who have made some progress won't share because they don't want to lose their freebies.
- Junior Member
- Posts: 101
- Joined: Fri Mar 31, 2006 12:15 pm
some commercial boxes are interesting and may reveal some more debug/loading options.
There is an sprom (on socket and probably easy to read) in dsr4400md that loads the fpga which controls the communication sent to the 24 ace elements (12 xc chips) on the serial main stream data bus. There is one serial connector soldered for each xc chip.
The dte7150 (= dsr4850) has 2 interesting sproms for loading the fpga to control the vbi module, and that shows 2 examples of a similar Motorola mask pattern on a sticker (over the xilinx sprom), but on the xc chip it's directly printed on the ic. This doesn't prove that the xc encapsulate is a xilinx, but the spartan ds60 (page 2) has a similar package.
if some commands were removed in newer firmware this may show that the initializing is done by the spi-mcu port (like you said ?) to enable the other serial port access. Hardware or software logging of these initializing commands (dvi3000 firm00 ?) on the spi port could be useful to avoid looking and losing time for any special firmware that fits a specific box ?
weird that these days there isn't so much posting on this knowledge forum...