I can haz your boardwith JTAG!

Dobrica Pavlinušićhttp://blog.rot13.orgFSEC, 2014-09-19

Talk overview

● How to rescue hardware from e-waste○ or reverse engineer existing boards

● What tools are required for job at hand?● Find out pinout on unknown board

○ ground, voltage regulator, voltages used○ useful GPIO pins around board

● Re-purpose board using JTAG● We are not talking about microcontrollers!● This is CPLD, programmable hardware

NComputing X300

Multiseat solution with poor Linux support

We’ll focus on X300 dongle with Altera EPM3064A TC44

JTAG is available on board!

But it doesn’t come nicely labeled like this ;-)

What is JTAG?

● IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture for testing printed circuit boards using boundary scan

● Every platform has different pinout, but protocol is same as long as voltages match!

● Can have more than one device on same chain● on embedded systems allows access to flash!

JTAG signals

1. TDI (Test Data In)2. TDO (Test Data Out)3. TCK (Test Clock)4. TMS (Test Mode Select)5. TRST (Test Reset) optionalAltera JTAG pinout:

Always start with multimeter!

Continuity (beep) for the win!

2. find voltage regulator5V -> 3.3 V

1. find ground and trace it around board

3. mark JTAG pins and trace them to connector(they are flipped!)

4. figure out connector pinouts - PS/2 has 5V, data, clock, GND

5. R2R ladder is D2A converter connected to 3.5mm audio jack

Take picture of both sides of board, use perspective tool in gimp to align them and use transparency to see as much detail as possible (part numbers, board tracks)

Bus Blaster ($35)

http://dangerousprototypes.com/docs/Bus_Blaster● Based on FT2232H with high-speed USB 2.0● Buffered interface works with 3.3volt to 1.5volt targets● Reprogrammable buffer is compatible with multiple

debugger types● Compatible with 'jtagkey', 'KT-link' programmer settings

in OpenOCD, urJTAG, and more● Should support Serial Wire Debug when available● Mini-CPLD development board:

self programmable, extra CPLDpins to header

● Open source (CC-BY-SA)

● Streaming data to PC○ unlimited capture size!

● 8 digital channels● Cypress FX2LP chip● Saleae/USBee AX

difference is in USBdevice identifier, can bere-programmed!

sigrok support: http://sigrok.org/wiki/Fx2lafw

Saleae/USBee logic analyzer ($10)

Test setupDangerous Prototypes

Bus Blaster - universal JTAG

USB doctor to monitorpower consumption

USB logic analyzer to monitor signal changes

RJ45 breakout

X300 dongle under test

5V power through PS/2verified with unimer

PS/2 pins connectedto logic anaylzer

UrJTAG http://urjtag.org/jtag> cable jtagkey vid=0x0403 pid=0x6010 interface=0Connected to libftd2xx driver.jtag> detectIR length: 10Chain length: 1Device Id: 00010111000001100100000011011101 (0x170640DD) Manufacturer: Altera (0x0DD) Part(0): EPM3064A (0x7064) Stepping: 1 Filename: /usr/local/share/urjtag/altera/epm3064a/epm3064a

jtag> print chain No. Manufacturer Part Stepping Instruction Register-------------------------------------------------------------------------------------------------------------------* 0 Altera EPM3064A 1 BYPASS BYPASS

# IMPORTANT: load signal aliases for this package

jtag> include /usr/local/share/urjtag/altera/epm3064a/t44

# get values of all pins

jtag> instruction SAMPLE/PRELOADjtag> shift irjtag> shift drjtag> dr010010111010111010010111010010010010111111111010111010111010010010010111010010010010010010010010010010010010010010010010010010010010010010010010010010010010010010010010010010010111010111010010 (0x0000000000000000000000000000000024924924924975D2)

UrJTAG http://urjtag.org/# toggle single pin

jtag> instruction EXTESTjtag> shift ir

jtag> print chain No. Manufacturer Part Stepping Instruction Register-------------------------------------------------------------------------------------------------------------------* 0 Altera EPM3064A 1 EXTEST BSR

jtag> set signal IO10 out 0jtag> shift dr

# re-read values of all pins

jtag> instruction SAMPLE/PRELOADjtag> shift irjtag> shift drjtag> get signal IO10IO10 = 0

# SVF programming (generated with Altera Quartus II and a bit of VHDL, converted to SVF)

jtag> svf /blue-zfs/FPGA/Altera-x300/x300_dongle/output_files/dongle1.svf stop progressdetail: Parsing 20/520 ( 3%)warning: unimplemented mode 'ABSENT' for TRSTdetail: Parsing 520/520 (100%)detail: detail: Scanned device output matched expected TDO values.

Don’t believe when the Internet tells you that UrJTAG doesn’t work for setting or reading pins! You have to shift both ir and dr for it to work! Otherwise, you are just changing internal state of UrJTAG and not sending anything over wires!

Cypress CY7C68013A EZ-USB FX2LP ($7)

● 8051 device which can emulate any USB device!● Including Altera USB blaster JTAG programmer…

○ http://ixo-jtag.sourceforge.net/○ http://fpga4u.epfl.ch/wiki/FX2

● hint: Debian has older SDCC 2.9 in package cc1111● can be used as Saleae/USBee logic analyzer with correct software!

Altera Quartus II Web Edition

http://dl.altera.com/?edition=webwithout security set, examine programmed chips!

Altera USB blaster ($8 clone)

Should be perfect solution for Altera JTAG● supported by Quantus II synthesis tool● STM32F1 MCU on board (clone!)● in practice doesn’t work for this case (?!)● YMMV, don’t give up on first road-block!

Resulting GPIO pinouts

pin pull desc1 GND2 1 VGA?3 0 IO?4 1 VGA?5 0 IO?6 1 VGA?7 IO108 5V

Keyboard (left, purple)

pin IO1 (data) IO435 (clock) IO44

Mouse (right, green)

pin IO1 (data) IO345 (clock) IO35

state min maxoff 64.17 mV 95.54 mVIO23 1.664 V 1.696 VIO22 864 mv 895 mVIO21 472 mV 503 mVIO20 283 mV 299 mVIO19 189 mv 221 mV

state min maxoff 3.3 mV 50 mVIO33 113 mV 144 mVIO31 207 mV 254 mVIO28 395 mV 442 mVIO27 803 mV 850 mVIO25 1.603 V 1.635 V

RJ45 was disappointment, I was hoping to get more than one GPIO, but it seems that rest of pins are connected directly to VGA R, G, B, H-sync and V-sync (from traces on board and inability to toggle those pins with JTAG)

What about OpenOCD?!

http://openocd.sourceforge.net/● The Open On-Chip Debugger (OpenOCD)

aims to provide debugging, in-system programming and boundary-scan testing for embedded target devices.

● better suited for microcontroller work than UrJTAG which is very low-level tool○ OpenOCD is gdb hooks for your hardware

● supports even more hardware JTAG adapters than UrJTAG, so pick any :-)

Future work: PCI card

Make this Cyclone FPGA+CPLD do something useful :-)

Questions & comments?

This presentation: http://bit.ly/fsec2014-jtag