FSEC 2014 - I can haz your board with JTAG

1. I can haz your board with JTAG! Dobrica Pavlinušić http://blog.rot13.org FSEC, 2014-09-19

2. Talk overview ● How to rescue hardware from e-waste ○ or reverse engineer existing boards ● What tools are required for job at hand? ● Find out pinout on unknown board ○ ground, voltage regulator, voltages used ○ useful GPIO pins around board ● Re-purpose board using JTAG ● We are not talking about microcontrollers! ● This is CPLD, programmable hardware

3. NComputing X300 Multiseat solution with poor Linux support We’ll focus on X300 dongle with Altera EPM3064A TC44

4. JTAG is available on board! But it doesn’t come nicely labeled like this ;-)

5. What is JTAG? ● IEEE 1149.1 Standard Test Access Port and Boundary- Scan Architecture for testing printed circuit boards using boundary scan ● Every platform has different pinout, but protocol is same as long as voltages match! ● Can have more than one device on same chain ● on embedded systems allows access to flash!

6. JTAG signals 1. TDI (Test Data In) 2. TDO (Test Data Out) 3. TCK (Test Clock) 4. TMS (Test Mode Select) 5. TRST (Test Reset) optional Altera JTAG pinout:

7. Always start with multimeter! Continuity (beep) for the win!

8. Take picture of both sides of board, use perspective tool in gimp to align them and use transparency to see as much detail as possible (part numbers, board tracks) 2. find voltage regulator 5V -> 3.3 V 1. find ground and trace it around board 3. mark JTAG pins and trace them to connector (they are flipped!) 4. figure out connector pinouts - PS/2 has 5V, data, clock, GND 5. R2R ladder is D2A converter connected to 3.5 mm audio jack

9. Bus Blaster ($35) http://dangerousprototypes.com/docs/Bus_Blaster ● Based on FT2232H with high-speed USB 2.0 ● Buffered interface works with 3.3volt to 1.5volt targets ● Reprogrammable buffer is compatible with multiple debugger types ● Compatible with 'jtagkey', 'KT-link' programmer settings in OpenOCD, urJTAG, and more ● Should support Serial Wire Debug when available ● Mini-CPLD development board: self programmable, extra CPLD pins to header ● Open source (CC-BY-SA)

10. Saleae/USBee logic analyzer ($10) ● Streaming data to PC ○ unlimited capture size! ● 8 digital channels ● Cypress FX2LP chip ● Saleae/USBee AX difference is in USB device identifier, can be re-programmed! sigrok support: http://sigrok.org/wiki/Fx2lafw

11. Test setup Dangerous Prototypes Bus Blaster - universal JTAG 5V power through PS/2 verified with unimer USB doctor to monitor power consumption USB logic analyzer to monitor signal changes X300 dongle under test PS/2 pins connected to logic anaylzer RJ45 breakout

12. UrJTAG http://urjtag.org/ jtag> cable jtagkey vid=0x0403 pid=0x6010 interface=0 Connected to libftd2xx driver. jtag> detect IR length: 10 Chain length: 1 Device Id: 00010111000001100100000011011101 (0x170640DD) Manufacturer: Altera (0x0DD) Part(0): EPM3064A (0x7064) Stepping: 1 Filename: /usr/local/share/urjtag/altera/epm3064a/epm3064a jtag> print chain No. Manufacturer Part Stepping Instruction Register ------------------------------------------------------------------------------------------------------------------- * 0 Altera EPM3064A 1 BYPASS BYPASS # IMPORTANT: load signal aliases for this package jtag> include /usr/local/share/urjtag/altera/epm3064a/t44 # get values of all pins jtag> instruction SAMPLE/PRELOAD jtag> shift ir jtag> shift dr jtag> dr 010010111010111010010111010010010010111111111010111010 111010010010010111010010010010010010010010010010010010 010010010010010010010010010010010010010010010010010010 010010010010010111010111010010 (0x0000000000000000000000000000000024924924924975D2)

13. UrJTAG http://urjtag.org/ # toggle single pin jtag> instruction EXTEST jtag> shift ir jtag> print chain No. Manufacturer Part Stepping Instruction Register ------------------------------------------------------------------------------------------------------------------- * 0 Altera EPM3064A 1 EXTEST BSR jtag> set signal IO10 out 0 jtag> shift dr # re-read values of all pins jtag> instruction SAMPLE/PRELOAD jtag> shift ir jtag> shift dr jtag> get signal IO10 IO10 = 0 # SVF programming (generated with Altera Quartus II and a bit of VHDL, converted to SVF) jtag> svf /blue-zfs/FPGA/Altera-x300/x300_dongle/output_files/dongle1.svf stop progress detail: Parsing 20/520 ( 3%)warning: unimplemented mode 'ABSENT' for TRST detail: Parsing 520/520 (100%)detail: detail: Scanned device output matched expected TDO values. Don’t believe when the Internet tells you that UrJTAG doesn’t work for setting or reading pins! You have to shift both ir and dr for it to work! Otherwise, you are just changing internal state of UrJTAG and not sending anything over wires!

14. Cypress CY7C68013A EZ-USB FX2LP ($7) ● 8051 device which can emulate any USB device! ● Including Altera USB blaster JTAG programmer… ○ http://ixo-jtag.sourceforge.net/ ○ http://fpga4u.epfl.ch/wiki/FX2 ● hint: Debian has older SDCC 2.9 in package cc1111 ● can be used as Saleae/USBee logic analyzer with correct software!

15. Altera Quartus II Web Edition http://dl.altera.com/?edition=web without security set, examine programmed chips!

16. Altera USB blaster ($8 clone) Should be perfect solution for Altera JTAG ● supported by Quantus II synthesis tool ● STM32F1 MCU on board (clone!) ● in practice doesn’t work for this case (?!) ● YMMV, don’t give up on first road-block!

17. Resulting GPIO pinouts pin pull desc 1 GND 2 1 VGA? 3 0 IO? 4 1 VGA? 5 0 IO? 6 1 VGA? 7 IO10 8 5V Keyboard (left, purple) pin IO 1 (data) IO43 5 (clock) IO44 Mouse (right, green) pin IO 1 (data) IO34 5 (clock) IO35 state min max off 64.17 mV 95.54 mV IO23 1.664 V 1.696 V IO22 864 mv 895 mV IO21 472 mV 503 mV IO20 283 mV 299 mV IO19 189 mv 221 mV state min max off 3.3 mV 50 mV IO33 113 mV 144 mV IO31 207 mV 254 mV IO28 395 mV 442 mV IO27 803 mV 850 mV IO25 1.603 V 1.635 V RJ45 was disappointment, I was hoping to get more than one GPIO, but it seems that rest of pins are connected directly to VGA R, G, B, H-sync and V-sync (from traces on board and inability to toggle those pins with JTAG)

18. What about OpenOCD?! http://openocd.sourceforge.net/ ● The Open On-Chip Debugger (OpenOCD) aims to provide debugging, in-system programming and boundary-scan testing for embedded target devices. ● better suited for microcontroller work than UrJTAG which is very low-level tool ○ OpenOCD is gdb hooks for your hardware ● supports even more hardware JTAG adapters than UrJTAG, so pick any :-)

19. Future work: PCI card Make this Cyclone FPGA+CPLD do something useful :-)

20. Questions & comments? This presentation: http://bit.ly/fsec2014-jtag

FSEC 2014 - I can haz your board with JTAG

Vous êtes en train de lire un aperçu.

Consultez-les par la suite

FSEC 2014 - I can haz your board with JTAG

Plus De Contenu Connexe

Diaporamas pour vous (20)

Les utilisateurs ont également aimé (20)

Similaire à FSEC 2014 - I can haz your board with JTAG (20)

Plus par Dobrica Pavlinušić (19)

Plus récents (20)