
Messages - CheezeWiz

46
Bus Blaster JTAG debugger / Re: New BusBlaster owner here!
Hi Ian,

Bridging TDO and TDI shows the same output.

I connected this to a DDWRT and the output is the same. Is there any other way I can test this BusBlaster?

I'm going off this image and have jumpers connected as shown. The only connections in question are nSRST, which is going to TSRST on the BusBlaster, and nTRST, which is going to TRST on the BusBlaster.

And ground is any one of the pins on the far right if the USB port is on the left.

I just keep hitting detect in UrJTAG and it says TDO stuck at 0 ... kinda running out of ideas.

--A
47
Bus Blaster JTAG debugger / Re: New BusBlaster owner here!
Yeah, I actually found that about 10 minutes ago, before I read your post. The device still says TDO stuck at 1.
I jumpered TDO and ground and it still says stuck at 1.

Is this normal?

--A

Oh, and when is the DSO Quad supposed to appear?
48
Bus Blaster JTAG debugger / Re: New BusBlaster owner here!
I'll poke around with it all, I suppose. Maybe I have a stupid question, maybe I need to do more "RTFM", although

I got UrJTAG installed and did "cable help".
cable FT2232 <------- is this the correct one for the BusBlaster? If so,

once I do "detect" with nothing connected it says TDO seems to be stuck at 1, so I jumper TDO and ground and still get that error.

Normal? Not normal? Should I go RTFM some more? ... humor me :)
49
Bus Blaster JTAG debugger / New BusBlaster owner here!
Hey everyone. I picked up a BusBlaster along with a JtagNT and a BusPirate.

Are there any how-tos on pulling/writing firmware with any of the Windows and/or Linux JTAG software on known devices like, let's say, the DDWRT54G?

In my quest to learn about devices, I want to know how difficult it would be to identify JTAG points on a device, then pull firmware off it and write it back. I'm kinda going into this semi-blind, but I have always wanted to poke around with some radios I have, compare firmware, modify it and put it back on the device; perhaps attempting to decompile it and make better sense of it would be good too?

I have instructions to JTAG the Linksys device with a JtagNT and their software, but wouldn't mind trying this BusBlaster device using other software to know what errors to expect when I poke around with some unknown stuff.

Thanks.
50
Bus Pirate Support / Re: BusPirate Jtag abilities vs Bus Blaster Vs JtagNT
http://img848.imageshack.us/img848/2571/xpressr.jpg
http://img855.imageshack.us/img855/2916/siriussp4.jpg

I'll have more scans soon on the boards I'm tinkering with. The larger flash chips seem to be identical for both radio types.

I'm going to have to do a bit more googling on the part numbers; I can't, however, find the info for this flash chip, v54c3128804vbi7ipc.

On the XM board there is another flash chip that the scan didn't seem to do very well on, in the bottom left-hand corner, and it looks like there are 4 pads right next to it I can poke around with... Anyone see any obvious points?
51
Bus Pirate Support / Re: BusPirate Jtag abilities vs Bus Blaster Vs JtagNT
I have read that one method to make a chip read-only would be to simply lift a pad off the flash chip and ground it. The other method is to simply ground the pad while it's still attached... I'm thinking out loud here, but if the pin were driven for a write, wouldn't this cause a short?
52
Bus Pirate Support / Re: BusPirate Jtag abilities vs Bus Blaster Vs JtagNT
Anton.Todorov, thanks!
http://deadhacker.com/2010/02/03/jtag-enumeration/ this link was a good read. I, however, am not quite experienced with C code, and I don't have an Arduino Duemilanove, which I think is the one they mention in the link as having the most I/O pins; I'm more an electronics person than a C++ one. There is still much to learn on generalized JTAG for myself, which is why I'm here and going to dive head first into it.

I guess my question was more electronics-based, about how you can use perhaps a DMM or O-scope to identify pins, or other methods. Although that JTAG finder does look mighty interesting.

Robots
Actually that JtagNT is 12MHz because it lists 1200000000Hz ... add or subtract zeros anyway.

That is very cool that you can step through code. I guess my experience, which isn't that much, was just based on taking a firmware, loading it onto a device and pulling firmware off, not actually operating the device while the JTAG is connected and viewing data as it's changed and writing new data, etc. At one of my older jobs one of the electronics people would always be using a Xilinx; I remember 6 years ago the topic came up about how to identify JTAG points if they were unknown... didn't really get very far on that.



So, another open-ended question. I might just be showing my lack of knowledge in the subject, or just need a direction to go in, but I'll go ahead and fire away.

I'll use this as an example. There is a specific modem, I won't get into details about this, but it's a 2MB flash chip. Pulling the firmware off to back up is documented quite well, along with a hack for it that's a specific byte length "smaller than 2MB"; within the JTAG software you can specify to program this "hack" on top of the firmware at a specific memory location.

So what I don't quite understand is, on this specific flash chip:

Flash      One 2MB    28F160C3
Firmware   2MB        $9FC00000-$9FDFFFFF
RAM        16MB       $80000000-$81000000

So maybe someone can learn me on this: what exists between "$00000000 - $9FC00000"? Is there just nothing? Is it the nature of the flash chip? Why doesn't flash chip addressing start at 0 to some value, rather than starting at 9fc00000?

Then what exists between the end of the flash "$9FDFFFFF - $80000000"? Is there again nothing between the end of flash and the beginning of RAM?

It's quite possible my questions are a bit silly. Just humor me with the answers; if they are smartass, so be it, just be a bit easy on the smartass replies if they are really that obvious. Again, everyone has to start learning somewhere :)

Thanks
-A
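A worked example for the addressing question above (added here; it is not from the post, from JtagNT or from any other tool named on the page). The numbers quoted fit the MIPS32 fixed address segments, and the script assumes the modem is MIPS32 on that evidence alone. kseg0, 0x80000000 to 0x9FFFFFFF, maps straight onto physical 0x00000000 to 0x1FFFFFFF through the cache, and kseg1, 0xA0000000 to 0xBFFFFFFF, maps onto the same physical range uncached; the MIPS reset vector is 0xBFC00000, physical 0x1FC00000, which is why boot flash is decoded at that physical address and shows up at 0x9FC00000 through the cached window. Flash therefore does not "start at 0": physical 0 is the RAM (0x80000000 is its kseg0 alias, so the 16MB of RAM sits below the flash in this map, not above it), and any address that is neither flash nor RAM simply has no device decoded behind it. The code converts virtual to physical addresses, names what the post's map puts at an address, turns a firmware address into an offset in a full-chip dump and bounds-checks a patch the way the "program the hack at a specific location" step needs; the dump and patch bytes are constructed test data.

```python
# MIPS32 fixed segments: kseg0 (cached) and kseg1 (uncached) both map, without
# the TLB, onto physical 0x00000000-0x1FFFFFFF.  kuseg/kseg2 need the TLB.
KSEG0, KSEG1, KSEG2 = 0x80000000, 0xA0000000, 0xC0000000
RESET_VECTOR = 0xBFC00000                                  # MIPS32 boot address, in kseg1

# The map quoted in the post (end addresses taken as exclusive).
FLASH_BASE, FLASH_SIZE = 0x9FC00000, 2 * 1024 * 1024       # 28F160C3
RAM_BASE, RAM_SIZE = 0x80000000, 16 * 1024 * 1024


def mips_va_to_pa(va):
    """Physical address behind a kseg0/kseg1 virtual address."""
    if KSEG0 <= va < KSEG1:
        return va - KSEG0
    if KSEG1 <= va < KSEG2:
        return va - KSEG1
    raise ValueError(f"0x{va:08X} is TLB-mapped (kuseg/kseg2); no fixed physical address")


def describe(va):
    """What the post's map puts at a virtual address: 'flash', 'ram', or None
    when nothing is decoded there (the holes the post asks about)."""
    if FLASH_BASE <= va < FLASH_BASE + FLASH_SIZE:
        return "flash"
    if RAM_BASE <= va < RAM_BASE + RAM_SIZE:
        return "ram"
    return None


def boot_is_in_flash():
    """The reset vector and the flash window alias the same physical bytes,
    which is why the firmware lives at 0x9FC00000 rather than at 0."""
    return mips_va_to_pa(RESET_VECTOR) == mips_va_to_pa(FLASH_BASE)


def flash_offset(va):
    """Byte offset into a full-chip dump for a firmware address."""
    if describe(va) != "flash":
        raise ValueError(f"0x{va:08X} is not inside the flash window")
    return va - FLASH_BASE


def patch_fits(va, size):
    """True if `size` bytes written at firmware address `va` stay inside the chip."""
    return describe(va) == "flash" and flash_offset(va) + size <= FLASH_SIZE


def apply_patch(image, va, patch):
    """Return a copy of a full-chip dump with `patch` written at firmware
    address `va`; refuses dumps of the wrong size and writes past the end."""
    if len(image) != FLASH_SIZE:
        raise ValueError(f"expected a {FLASH_SIZE}-byte dump, got {len(image)}")
    if not patch_fits(va, len(patch)):
        raise ValueError(f"{len(patch)} bytes at 0x{va:08X} run off the end of flash")
    off = flash_offset(va)
    return image[:off] + bytes(patch) + image[off + len(patch):]


def demo():
    # Constructed 2MB dump (all 0xFF, like erased flash) and a constructed 4-byte patch.
    dump = b"\xff" * FLASH_SIZE
    patched = apply_patch(dump, 0x9FDF0000, b"\xDE\xAD\xBE\xEF")
    return {
        "flash_pa": mips_va_to_pa(FLASH_BASE),     # 0x1FC00000
        "ram_pa": mips_va_to_pa(RAM_BASE),         # 0x00000000
        "boot_in_flash": boot_is_in_flash(),       # True
        "hole": describe(0x81000000),              # None: just past RAM, nothing decoded
        "patch_offset": flash_offset(0x9FDF0000),  # 0x1F0000
        "patched_bytes": patched[0x1F0000:0x1F0004],
    }
```

Two practical consequences for the dump-and-patch workflow: a dump taken through kseg1 (0xBFC00000) and one taken through kseg0 (0x9FC00000) are the same bytes, so either base works as long as the offset arithmetic uses the base the dump was taken with, and a patch placed "at the top of the firmware" is only safe if its end stays below 0x9FE00000, which is what `patch_fits` enforces before any bytes are written.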
53
Bus Pirate Support / Re: BusPirate Jtag abilities vs Bus Blaster Vs JtagNT
Well, the JtagNT writes at about 500k a second and reads at 900k.

It comes down to the software, though; if the JtagNT has issues doing what I want it to do and the Bus Pirate has more support, then go figure... what kinda speed am I looking at? It must be faster than the parallel JTAG and probably less prone to read/write errors based on cable length. I'm getting slightly ahead of myself, though.

To be honest, I'm guessing in most scenarios that the JTAG pins will all be very close together, if not all in the same group. If someone makes something, they need a way of putting on a flash, either a bench with pogo pins or headers. Lots of points on my device are TPs; lots are in rows and some scattered around the board, and some are actually labeled! So I guess I'm curious about how to go about learning to learn, if that makes sense.

Is there a method of identifying JTAG pins...?

  1. TDI (Test Data In)  <--- how to find this?
  2. TDO (Test Data Out) <- how to find this too?
  3. TCK (Test Clock) <------ just an O-scope?
  4. TMS (Test Mode Select) <--- not sure on this one
  5. TRST (Test Reset), optional. <--- Grounding this pin should reset your device, I'm guessing, although I wouldn't be sure if I was shorting out the device momentarily.
54
Bus Pirate Support / Re: BusPirate Jtag abilities vs Bus Blaster Vs JtagNT
Well, what about interfacing directly to the chip somehow? I guess it's sort of an open-ended question on how to reverse engineer...

So if the chip is well known, there's a possibility to convert the raw flash into something usable?

Personally I was just going to dump the flash and look for plain text info, since I can read that ;)

The JtagNT software has some neat abilities and allows you to make a config for your specific flash type, and within each config specify a beginning/ending address for easy extraction/writing of specific data.

Would the Bus Pirate be better suited to simply "Peek + Poke" data into addresses rather than dump megabytes of data?

I have never used this and I have a feeling I'm going to be way over my head, but everyone has to start somewhere, right?
55
Bus Pirate Support / BusPirate Jtag abilities vs Bus Blaster Vs JtagNT
Hey everyone, I'm new to this forum, thought I'd post here.

I have always been interested in taking things apart and poking around with them, and after I saw the Bus Pirate a while ago I decided to buy one and poke around with it. Also, I'm kinda diving head first into the unknown with it and hopefully learning how to work the software and how to technically "learn enough to learn on your own", if that makes sense.

I'm interested in attempting to JTAG some radios and compare firmwares with each of them, and general mischief with JTAGable devices... Long story short: "attempt to pull firmware off of 2 identical devices and compare"... and go to town with a hex editor. Anyway, I'm not sure if this kind of discussion is open here, but if anyone wants to know they can feel free to PM me and we can take it off the forum.

Since I am diving into the unknown, and my attempt to reverse engineer or throw random code edits on dumped flashes and re-upload them to the device... Forgive my inability to come up with the right wording for this: is there any method to take the dumped flash contents of a specific chip, the chip in question is an ATmega32L I believe, and convert this into assembly or some other human-readable format?


I'm really curious what the Bus Blaster's abilities are in comparison to the Bus Pirate, since it also has the ability to do JTAG.

I have also ordered a JtagNT for use with its own software, so I'm really curious now if all 3 of these devices in the long run do the same thing, or if it's just individual software limitations for each one. Also crossing my fingers for the DSO Quad to come out soon.

I understand I have just dropped a whole bunch of open-ended questions which will lead to other open-ended questions, but everyone has to start hacking somewhere, right?


--A
