Shulou(Shulou.com)06/01 Report--

Author: Hcamael@ knows the laboratory time of Chuangyu 404: October 21, 2019 original link: https://paper.seebug.org/1060/

Recently, when I was working on a router, I accidentally hung up the CFE and found that I could save bricks through jtag, so I conducted a wave of research on jtag.

At first, I just wanted to save the brick, but I didn't want to study it in depth.

Try to save bricks

The model of the brick router is LinkSys wrt54g v8

The CPU model is: BCM5354

The Flash model is: K8D6316UBM

First of all, the order of jtag interfaces on the device is obtained through jtagulator.

It just so happens that the company has a jlink, but failed to take part in the test and could not identify the device.

Then I found a tool called tjtag-pi through Google.

You can use raspberry pie to control jtag, and then learn a wave of raspberry pie operation.

Raspberry pie Pins

I use rpi3, and the interface number is as follows:

Or in raspberry pie 3, you can use gpio readall to view the status of each interface:

Python in rpi3 has a RPi.GPIO module that controls these interfaces.

For example:

> from RPi import GPIO > GPIO.setmode (GPIO.BCM) > GPIO.setup (2, GPIO.OUT) > GPIO.setup (3, GPIO.IN)

The first is the mode that needs to initialize the GPIO, and the pin sort corresponding to the BCM pattern is the orange department in the figure above.

Each pin can then be set separately, such as in the image above, No. 2 pin is set as output and No. 3 pin is set as input.

> GPIO.output (2,1) > GPIO.output (2,0)

Use the output function for binary output

> GPIO.input (3) 1

Use the input function to get the input of the pin.

We can use a thread to connect the two pins to test the code above.

After connecting the raspberry pie pins to the router, you can run the tjtag-pi program. But in the process of running but encountered problems, often stuck in writing flash. By adjusting the configuration, sometimes it is possible to write successfully, but CFE is not saved, backup flash data, found that the data was not successfully written.

Because I failed to use the wheel, I had to try to research and build the wheel myself.

Jtag

The first is the pins. The devices I have seen generally provide jtag with more than 5 * 2 pins. Some of them are generally ground pins, and the other half only need to know the 4 most important pins.

These four pins are generally sorted as follows:

TDITDOTMSTCK

TDI represents input, TDO represents output, TMS control bit, TCK clock input.

The architecture of jtag is shown in the figure above, and the architecture of TAP-Controller is shown in the following figure:

According to the above two architectures, the principle of jtag is explained.

The core of jtag is TAP-Controller, which determines the relationship between input and output by parsing TMS data. So let's first look at the architecture of TAP-Controller.

From the figure above, we can see that in any state, the output of 1 five times will return to the TEST LOGIC RESET state. So before using jtag, we send the data as 1 five times through the TMS port, and the state machine of jtag will enter the recovery state of RESET.

When the TAP enters the SHIFT-IR state, the Instruction Register will begin to receive the incoming data from the TDI. When the input is over, when it enters the UPDATE-IR state, it will parse the value of the instruction register and then decide what data to output.

SHIFT-DR is a control data register, which is usually used when reading and writing data.

At this point, there is a problem, TMS is only one port, how does jtag know what the value of TMS is each time? At this point, you need to use the TCK port, which can be called a clock instruction. When the TCK changes from low frequency to high frequency, a bit of TMS / TDI input is obtained, and the TDO outputs 1 bit.

For example, we ask TAP to perform a reset operation:

For x in range (5): TCK 0 TMS 1 TCK 1

For example, we need to pass 0b10 to the instruction register:

1. Reset

two。 Enter the RUN-TEST/IDLE state

TCK 0TMS 0TCK 1

3. Enter the SELECT-DR-SCAN state

TCK 0TMS 1TCK 1

4. Enter the SELECT-IR-SCAN state

TCK 0TMS 1TCK 1

5. Enter the CAPTURE-IR state

TCK 0TMS 0TCK 1

6. Enter the SHIFT-IR state

TCK 0TMS 0 TCK 1

7. Enter 0b10

TCK 0TMS 0TDI 0TCK 1TCK 0TMS 1TDI 1TCK 0

Then enter EXIT-IR-> UPDATE-IR

According to the above theory, we can write a function that sets IR:

Def clock (tms, tdi): tms = 1 if tms else 0 tdi = 1 if tdi else 0 GPIO.output (TCK, 0) GPIO.output (TMS, tms) GPIO.output (TDI, tdi) GPIO.output (TCK, 1) return GPIO.input (TDO) def reset (): clock (1,0) clock (0) 0) def set_instr (instr): clock (1,0) clock (1,0) clock (0,0) clock (0,0) for i in range (INSTR_LENGTH): clock (INSTR_LENGTH = (INSTR_LENGTH-1), (instr > > I) & 1) clock (1,0) clock (0,0)

After a clear understanding of the above code, you basically understand the logic of TAP. Then there is the question of instructions. What is the length of the instruction register? What is the value of the instruction register?

Different CPU have different answers to the above. According to the results of my search on the Internet, each CPU should have a bsd (boundary scan description) file. The CPU model studied in this article is BCM5354, but I did not find the bsd file of this model CPU on the Internet. I can only find a bsd file of the same manufacturer and different models of CPU for reference.

Bcm53101m.bsd

In this file we can see the location of the jtag port on the cpu port:

"tck: B46," & "tdi: A57," & "tdo: B47," & "tms: A58," & "trst_b: A59," & attribute TAP_SCAN_RESET of trst_b: signal is true Attribute TAP_SCAN_IN of tdi: signal is true;attribute TAP_SCAN_MODE of tms: signal is true;attribute TAP_SCAN_OUT of tdo: signal is true;attribute TAP_SCAN_CLOCK of tck: signal is (2.5000000000000000000e+07, BOTH)

The definition of instruction length can be found:

Attribute INSTRUCTION_LENGTH of top: entity is 32

The valid value of the instruction register can be found:

Attribute INSTRUCTION_OPCODE of top: entity is "IDCODE (11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

When the value of the instruction register is IDCODE, the output channel of the IDCODE register is open. Let's look at the IDCODE register:

Attribute IDCODE_REGISTER of top: entity is "0000" &-- version "00000011011111" &-- part number "00101111111" &-manufacturer's identity "1";-- required by 1149.1

From this we can see that the fixed output of the IDCODE register is: 0b00000000000011011111001011111111

So how do we get the output of TDO? At this point, the data register DR comes into play.

TAP state machine switch to SHIFT-IR output IDCODE to IR switch to SHIFT-DR to get the TDO output value of INSTRUCTION_LENGTH length exit

The representation in code form is as follows:

Def ReadWriteData (data): out_data = 0 clock (1,0) clock (0,0) clock (0,0) for i in range (32): out_bit = clock ((I = = 31), ((data > > I) & 1) out_data = out_data | (out_bit

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.