FEATURE: Receiver Firmware
This exclusive technical information was prepared by engineers




JTAG-Interface
■ Standard JTAG interface for a parallel port. It can be ordered from many electronic shops.








• Reprogram a Defective Receiver
• All Necessary Information can be Found in the Internet
• Can Also be Used On Other Boxes With Flash Chips
• Allows for Better Understanding of Receiver Functions




TELE-satellite — Global Digital TV Magazine — 10-11/2011 — www.TELE-satellite.com




The Solution for a Faulty Firmware Update
Vitor Martins Augusto


■ The inside of a standard receiver. The arrow points to the JTAG connector while the circle highlights a white triangle that indicates pin #1 on the JTAG connector. The JTAG interface is plugged in such that the red line on the cable is on the same side as the triangle.

For those of you who update satellite receiver software on a more regular basis, you will almost certainly recognize these two aggravating problems: uploading the wrong software or a version that is incompatible, as well as the unexpected power failure during an update. If either of these problems shows its face, the result is almost always a “dead” receiver or, as it’s also called, a “brick” - good for nothing.

But wait, there might still be one last chance to upload the software if the receiver comes with a JTAG interface. But first things first. What actually happens when you turn on a receiver? When the receiver is turned on, the processor starts a program called the “Bootloader”. The “Bootloader’s” job is to determine at the start if a firmware update should be undertaken. If that’s not the case, it copies the contents of the flash memory into RAM and starts the firmware from there. This process of copying the Flash to RAM and at the same time uncompressing it is responsible for the time delay that occurs during a receiver power up.

The “Bootloader” program can be found in the flash memory at a specific address (usually the last 64KB, starting at &H7FFFE000). If no program can be found at this address or the wrong one happens to be there, the processor won’t be able to start the receiver and it instantly turns into a brick. Nothing works anymore.

There are two different situations here: if the “Bootloader” is still intact but the firmware itself is missing or corrupt, it won’t be able to start the receiver; however, since the “Bootloader” is also responsible for firmware updates, the user can still upload the correct firmware through the “Bootloader”. But it’s much worse if the “Bootloader” itself is missing. You won’t be able to do anything at all. Many manufacturers offer updated firmware that doesn’t involve replacing the “Bootloader” in order to prevent problems like this. If the
“Bootloader” is defective, the receiver can no longer be started. On the whole, it would probably be better to include a new installation of the “Bootloader” program with every new firmware update.

If the receiver displays “8888” or nothing at all, then the firmware update has failed. If the receiver can no longer perform an update via the serial interface, then it’s safe to say that the “Bootloader” has been deleted and nothing will work anymore.

Experienced users enjoy the idea of uploading the firmware from another receiver, for example, because the hardware is identical. Many budget receivers are based on the same hardware; the manufacturer simply matches the firmware to the receiver. It could therefore be quite interesting to try out the firmware from another manufacturer. In this case though you almost always have to update the “Bootloader” software. It’s easy to mistakenly upload the wrong firmware and at the same time the wrong “Bootloader”.

If the receiver can no longer start up because of the lack of the correct firmware and “Bootloader”, then there are only two ways to repair the receiver. Either you unsolder the Flash chips, reprogram them externally and then resolder them in place, all of which requires professional equipment to remove, reprogram and reinstall the chips, or, with a little bit of luck, you’ll find a JTAG interface on the main circuit board. The JTAG interface provides an indirect way to access the Flash chips via the processor. When the box is turned on, the processor is placed into a specific mode so that you can read, delete and reprogram the Flash chips.

For this to work you’d need a JTAG interface along with the corresponding software. Fortunately, a JTAG interface is fairly easy to fabricate, so it can be purchased inexpensively in many electronic shops. If you can’t find a JTAG interface in your local store, you can build one yourself. All you need is a few resistors and a standard 74HC244N building block. You’ll find schematic diagrams on the Internet for every capable receiver that can be programmed via JTAG.

The JTAG protocol consists of six lines:

• TRST • TDO • TDI
• TCK • TMS • GND

Quite often manufacturers use a standard plug with 20 pins. If this isn’t the case, it becomes necessary to determine the correct pin layout. Normally, the correct JTAG pin layout for specific receivers can be found by performing a Google search when you’re not dealing with a standard 20-pin connector.

The JTAG interface is connected to your PC via the parallel port. But first you have to check and see if such a PC still exists in your house. Your best bet would be to use an older laptop with Windows XP. A laptop like this would also be perfect to use for uploading new receiver firmware via the serial interface and should therefore be an integral part of your toolkit. Windows Vista and Windows 7, especially the 64-bit versions, often have problems with the tools for firmware uploads.

Many receivers are based on processors manufactured by STi. This is the case with most budget receivers. And just for this family of processors there’s an excellent freeware program: jKeys. This tool functions perfectly with the JTAG interface on the parallel port and, through a current database, automatically recognizes most of the STi processors in common receivers. Most of the time, however, jKeys cannot recognize the receiver’s Flash chip. There are far too many different Flash chips out there and every manufacturer uses their own set of chips; you’d have to be able to read the name of the manufacturer and the model of the chip and then find the corresponding datasheet on the Internet.

For our example we’ll use a standard receiver. The built-in Flash chip is the model MX 29LV160CTTC. A search on Google yields numerous websites that provide the necessary datasheet. Why is it so easy to find this? It has to do with electronics wholesalers that provide datasheets for every component so that prospective buyers can choose the correct component for their needs. That’s just perfect for us!

1. The rear panel of an older laptop: parallel ports and serial interfaces were standard back then and are needed for the JTAG interface. Don’t throw away or give away those old laptops! They can serve as excellent repair tools!
2. Our workstation for our JTAG firmware work.
3. If the receiver only displays “8888” or nothing at all, then the firmware upload has failed. If the receiver doesn’t talk anymore regarding a firmware update through the serial port, it’s safe to say that the “Bootloader” was also deleted.
4. A look inside our defective sample receiver: here you can see the STi chip to the lower left (an STi 5518BVC) as well as the MX 29LV160CTTC-70G Flash chip and the JTAG connector. These components are always located close to each other since the connections between them have to be kept short because of the high frequencies being used.

Update via jKeys

From these datasheets we can get all the relevant information regarding the makeup of the chip. We are interested in the following information:

- Size of the chip, in this case 2MB
- Construction of the memory banks
- If any write-protection needs to be bypassed before deleting and writing on the chip

This information is entered into the jKeys Definitions Data. In jKeys Definitions we search for the group with these Flash definitions and enter the data structure of the Flash chip. Now we can actually start jKeys. As a precaution, you should download the contents of the Flash memory. It’s a task that would only make sense with a functioning receiver. We’ll hold on to this image dump just in case a future firmware upgrade isn’t completed successfully.

If that does happen though, you can then reload your backup image. For this purpose we need to use the jKeys Flash menu, for which a receiver reset is necessary. Perform these steps in order: turn the receiver off, turn it back on and at the same time press the jKeys OK button. If everything is OK, the programming menu will be displayed.

Let’s assume that nothing works anymore. The first step is to delete the entire Flash. This process sets all the bits in the Flash memory to “1”. The programming function can only set a bit from “1” to “0”, not the other way around. This would explain why an interrupted firmware update always leads to a defective receiver: the “Bootloader” is located in the last 64KB and is deleted before the Flash process! Lastly, you select the desired firmware data and program the Flash chip. Many STi based receivers link the Flash chip to an address range of &H7FE00000 to &H7FFFFFFF; this corresponds to precisely 2MB. Once the programming process has been completed, you simply turn the receiver off, remove the JTAG interface and then turn the receiver back on. The newly uploaded software should then automatically start.

1. jKeys has in this case recognized the receiver with its Flash chip since the corresponding definitions are already in the database.
2. Reading the entire Flash chip (address &H7FE00000 to &H7FFFFFFF). It’s always a good idea to make a backup of the firmware with new receivers.
3. To activate the deleting and programming mode of the Flash chip, the receiver must briefly be turned off and then back on.
4. If the deleting and programming mode of the Flash chip has been successfully activated, this menu will appear.
5. Security question before starting the Flash chip writing process.

To make sure that the receiver was correctly programmed and won’t crash because of some faulty configuration, it is recommended that the original firmware be loaded via the serial interface. The process described here works with nearly every STi processor based receiver.

But what do you do if you have a receiver that doesn’t come with an STi processor? It still pays to look into it further: many manufacturers use a JTAG interface on the main circuit board and offer, either officially or unofficially, JTAG software for their receiver. A quick search via Google will reveal the necessary pin layout for the JTAG interface as well as the corresponding programming software. This will allow you to program various Linux receiver models through JTAG.

Another problem is that many users don’t have a backup of the firmware that they can use to reload onto a receiver via JTAG. Even here there are

the firmware and are not programmed onto the Flash chip. In a case like this, you would need to open the firmware in a Hex editor and delete the extra bytes that don’t belong to the firmware. This actually sounds harder to do than it really is.

First of all, the firmware must be exactly the same size as the capacity of the Flash chip. If it’s 2MB (2048 KB) in size, then the firmware must be exactly the same size. Therefore, you simply cut out the corresponding bytes right at the start. Sometimes only the “Bootloader” is made available. This would have to be loaded at the end of the Flash chip’s memory space, typically at &HFFFE000. This involves the last 64KB and the data containing the “Bootloader” must have exactly this size. If you’re only loading the “Bootloader” program, the receiver still won’t work, but at least you’ll be able to upload the firmware through normal channels.

Modern, more sophisticated receivers quite often don’t come with a JTAG connector. In order to handle any firmware upgrades, a slightly different concept is used: the receiver operates using two “Bootloaders”. The “First Stage Bootloader” checks to see if any firmware needs to be uploaded. If that’s not

cessor on the main board where a user could attach a JTAG connector. On top of that, the Flash chip is made inaccessible by a special type of glue. All of this is designed to prevent a hacker from gaining access to the contents of the Flash chip, which would contain critical encryption data.

If you tried working with JTAG just once before, it won’t seem so difficult the next time. The big advantage is that once you know how to do it, you can easily return a receiver to its original condition through JTAG should something ever go wrong.

Smaller specialized digital TV companies would certainly be able to bring many receivers back to life since there are many end users out there that will manage to make a mistake uploading firmware. Digital receivers aren’t the only devices that utilize the JTAG protocol; in fact, you’ll find it in almost any device that uses a processor and a flash chip. This would make it possible to save even Smartphones and other devices after a failed firmware update.
possibilities:                                          the case, a “Second Stage Bootloader”
                                                        is run that then starts up the existing       But let’s not forget that safety is par-
   1) You can extract the firmware from                 firmware. The advantage to this meth-       amount! Be careful when working in-
a second functional receiver.                           od is that the “First Stage Bootloader”     side an exposed receiver! Keep in mind
   2) You can search the Internet to see                is never overwritten; this would allow      that receivers come with an integrated
if someone else has exactly the firm-                   the user to reload the firmware in any      220V power supply (110V in some parts
ware that you need.                                     situation.                                  of the world)! Take every safety pre-
   3) You can extract the firmware from                                                             caution! One false move could place the
a manufacturer’s firmware update.                         Manufacturers of proprietary re-          JTAG interface in contact with a power
                                                        ceivers for PayTV providers do things       supply component; this could lead to
  With the last option you should note                  quite differently. Here there’s not only    serious damage to the receiver and po-
that a firmware update often includes                   no JTAG connector (it’s been omitted        tential electric shock to the user. Make
a so-called “header”, in other words, a                 on purpose), there are also no circuit      sure the JTAG interface is securely in
specific number of bytes that describe                  board tracks available from the pro-        place before turning the receiver on.
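The header-stripping and size rules described above can be checked before anything is written to the chip. The following Python sketch is an added example, not code from the article or from jKeys. It assumes the header is exactly the leading bytes by which the update file exceeds the chip capacity; the sample file, its "HDR!" marker and all function names are constructed for illustration.

```python
import hashlib

FLASH_SIZE = 2 * 1024 * 1024   # 2 MB (2048 KB) chip, the article's example
BOOT_SIZE = 64 * 1024          # article: the bootloader is the last 64 KB
ERASED = 0xFF                  # an erased flash reads back as all 1 bits


def strip_header(update: bytes, flash_size: int = FLASH_SIZE):
    """Return (header, image): cut the leading bytes that exceed the chip size.

    Assumption taken from the article: the extra bytes sit at the start of
    the update file and nothing trails the image.
    """
    extra = len(update) - flash_size
    if extra < 0:
        raise ValueError(f"update is {-extra} bytes smaller than the flash chip")
    return update[:extra], update[extra:]


def place_bootloader(boot: bytes, flash_size: int = FLASH_SIZE) -> bytes:
    """Build a flash-sized image that holds only the bootloader in the last 64 KB."""
    if len(boot) != BOOT_SIZE:
        raise ValueError(f"bootloader must be exactly {BOOT_SIZE} bytes, got {len(boot)}")
    # Everything below the bootloader stays in the erased state.
    return bytes([ERASED]) * (flash_size - BOOT_SIZE) + boot


def check_image(image: bytes, flash_size: int = FLASH_SIZE) -> dict:
    """Sanity-check an image before it is written to the chip."""
    if len(image) != flash_size:
        raise ValueError(f"image is {len(image)} bytes, chip holds {flash_size}")
    boot_offset = flash_size - BOOT_SIZE
    body, boot = image[:boot_offset], image[boot_offset:]
    return {
        "boot_offset": boot_offset,
        # A region that is entirely 0xFF is blank: writing such an image
        # leaves the receiver without a bootloader (or without firmware).
        "boot_present": boot.count(ERASED) != len(boot),
        "firmware_present": body.count(ERASED) != len(body),
        # Digest to compare against a backup read from a working receiver.
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def make_sample_update() -> bytes:
    """Constructed sample: made-up 64-byte header followed by a 2 MB image."""
    header = b"HDR!" + bytes(60)
    body_len = FLASH_SIZE - BOOT_SIZE
    firmware = (bytes(range(251)) * (body_len // 251 + 1))[:body_len]
    boot = b"BOOT" + bytes(BOOT_SIZE - 4)
    return header + firmware + boot


if __name__ == "__main__":
    header, image = strip_header(make_sample_update())
    report = check_image(image)
    print(f"header bytes removed : {len(header)}")
    print(f"bootloader file offset: 0x{report['boot_offset']:X}")
    print(f"bootloader present    : {report['boot_present']}")
    print(f"firmware present      : {report['firmware_present']}")
    print(f"sha256                : {report['sha256']}")
```

The offsets are positions inside the image file, not processor addresses; the address at which the chip is mapped depends on the receiver.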

