jtag disabled ?

duffy
Junior Member
Posts: 101
Joined: Fri Mar 31, 2006 12:15 pm

jtag disabled ?

Post by duffy »

Maybe someone can give me some advice on how to know if JTAG is disabled on the target board?

I read about:
hxxp://deadhacker.com/2012/06/08/ backdoor silicon fud

Maybe an Arduino may help?
Is it possible that only TDO is disabled but the JTAG chain is still working as it should?

Sorry if this was already asked in this forum....
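An added Python model (not from this thread or any poster) of the IDCODE read a probe such as an Arduino would perform, showing how a held TDO line looks different from a chain that actually answers. The TAP states, the sample IDCODE value, and the pull-up assumption are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional
# TAP transitions on the DR path only, (state, TMS) -> next; the IR path is
# collapsed (Select-IR returns to reset), which is enough for an IDCODE read.
TRANS = {("RESET", 0): "IDLE", ("RESET", 1): "RESET", ("IDLE", 0): "IDLE",
         ("IDLE", 1): "SELDR", ("SELDR", 0): "CAPDR", ("SELDR", 1): "RESET",
         ("CAPDR", 0): "SHIFTDR", ("CAPDR", 1): "EXIT1DR",
         ("SHIFTDR", 0): "SHIFTDR", ("SHIFTDR", 1): "EXIT1DR",
         ("EXIT1DR", 0): "PAUSEDR", ("EXIT1DR", 1): "UPDDR",
         ("PAUSEDR", 0): "PAUSEDR", ("PAUSEDR", 1): "EXIT2DR",
         ("EXIT2DR", 0): "SHIFTDR", ("EXIT2DR", 1): "UPDDR",
         ("UPDDR", 0): "IDLE", ("UPDDR", 1): "SELDR"}

@dataclass
class TapModel:
    idcode: int                      # constructed 32-bit IDCODE the device returns
    tdo_stuck: Optional[int] = None  # None = live TDO; 0 or 1 = pin held at that level
    state: str = "RESET"
    shift: int = 0

    def tdo(self):
        if self.tdo_stuck is not None:
            return self.tdo_stuck
        # Outside Shift-DR the pin is tri-stated; assume a pull-up reads 1.
        return self.shift & 1 if self.state == "SHIFTDR" else 1

    def clock(self, tms, tdi):           # one rising TCK edge
        if self.state == "SHIFTDR":
            self.shift = (self.shift >> 1) | (tdi << 31)
        self.state = TRANS[(self.state, tms)]
        if self.state == "CAPDR":        # IDCODE is the DR selected after reset
            self.shift = self.idcode

def read_idcode(tap):
    """Host side: reset the TAP, walk to Shift-DR, clock out 32 bits LSB first."""
    for _ in range(5):
        tap.clock(1, 1)                  # five TMS=1 clocks reach Test-Logic-Reset
    for tms in (0, 1, 0, 0):             # Idle, Select-DR, Capture-DR, Shift-DR
        tap.clock(tms, 1)
    value = 0
    for i in range(32):
        value |= tap.tdo() << i
        tap.clock(1 if i == 31 else 0, 1)  # leave Shift-DR on the last bit
    return value

def classify(idcode):
    """Tell a dead or held TDO line apart from a chain that answered."""
    if idcode == 0xFFFFFFFF:
        return "TDO stuck high or floating: no TAP answered"
    if idcode == 0:
        return "TDO stuck low: output disabled or held"
    if idcode & 1 == 0:
        return "no IDCODE (BYPASS captures 0 in bit 0)"
    return {"version": idcode >> 28, "part": (idcode >> 12) & 0xFFFF,
            "manufacturer": (idcode >> 1) & 0x7FF}
```

On real hardware the same walk is done with GPIO writes and a TDO read per TCK; a result of all ones or all zeros means the pin is not driven, not that a TAP replied.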
Wolfgang
Junior Member
Posts: 158
Joined: Fri May 03, 2013 6:00 pm
Location: Wild Wild West

Yes, JTAG connections are disabled

Post by Wolfgang »

duffy wrote: ... maybe someone can give me some advice on how to know if JTAG is disabled on the target board? ...
As with many other devices, the newer models of set-top boxes have disabled the (E)JTAG connection and locked the flash against tampering. Some of the measures are hardware related (usually removing or adding a resistor), others are firmware locks. The locks protect certain sectors of the flash from being modified, or there is a hardware watchdog that is also enabled or disabled by the firmware. There are commands that enable or disable those features (like many other convenient features that are disabled by default at CACO's demand). Unfortunately those commands (usually via the serial port) don't work at the lower levels (without authorization), while the higher security levels require tokens to be accessed.
I know this didn't help you much, but the serious hackers always find ways to circumvent those measures. Unfortunately that takes significant time and money to figure out, and motivation as well.
duffy
Junior Member
Posts: 101
Joined: Fri Mar 31, 2006 12:15 pm

Post by duffy »

Yeah, exactly, thanks for posting....
I wasn't really asking for "help" but for a little more discussion about this... sometimes I wish I had a little more knowledge of disassembly and code like some members here...

We already learned about these kinds of software and hardware watchdogs, like the old PH unit (hardware) and the DVI3000 (software). About this last one, after some research, the firm 00 seems interesting for study... at least, telnet access is cool for debug purposes...

Always a good hobby, learning about technology...
Wolfgang
Junior Member
Posts: 158
Joined: Fri May 03, 2013 6:00 pm
Location: Wild Wild West

Post by Wolfgang »

duffy wrote: ... we already learned about these kinds of software and hardware watchdogs, like the old PH unit (hardware) and the DVI3000 (software) ...
Here are just a few commands that might be executed from the serial port, but unfortunately the box must be loaded with a special diagnostic code in order for these to work. The samples are for one of the newer DCX models:

14 "Dump memory of address by user input address range"
17 "Flash protect/unprotect for 100k times"
32 "Enable HW Watchdog"
33 "Kick the Dog--Watchdog test"
60 "Flash Password unLock and unprotect sectors"
61 "Flash Password Lock and protect sectors 0-7"
63 "OTP lock EJTAG"
87 "Ethernet External loop back test"
88 "Rear panel USB_1 Test"
89 "Front panel USB_2 Test"

One may see now why the JTAG connection doesn't work: it's simply disabled, but hopefully one day there will be a solution available. I hope that the webmaster will continue the support for his tool. The problem is that the people who have made some progress won't share because they don't want to lose their freebies.
duffy
Junior Member
Posts: 101
Joined: Fri Mar 31, 2006 12:15 pm

Post by duffy »

Some commercial boxes are interesting and may reveal some more debug/loading options.
There is an SPROM (on a socket and probably easy to read) in the DSR4400MD that loads the FPGA which controls the communication sent to the 24 ACE elements (12 XC chips) on the serial main stream data bus. There is one serial connector soldered for each XC chip.

The DTE7150 (= DSR4850) has 2 interesting SPROMs for loading the FPGA that controls the VBI module, and that shows 2 examples of a similar Motorola mask pattern on a sticker (over the Xilinx SPROM), but on the XC chip it's directly printed on the IC. This doesn't prove that the XC package encapsulates a Xilinx, but the Spartan DS60 (page 2) has a similar package.

If some command was removed in newer firmware, this may show that the initializing is done by the SPI MCU port (like you said?) to enable the other serial port access. Hardware or software logging of these initializing commands (DVI3000 firm00?) on the SPI port could be useful to avoid looking for, and losing time on, any special firmware that fits a specific box?

Weird that these days there isn't so much posting on this knowledge forum...
duffy
Junior Member
Posts: 101
Joined: Fri Mar 31, 2006 12:15 pm

Post by duffy »

Not sure if it was something related to enabling TDO after market with the proper user 1 and 2 registers?
hxxp://forums.xilinx.com/t5/Spartan-Family-FPGAs/How-to-configure-a-Spartan-3AN-FPGA-for-JTAG-test/td-p/238192