One of my neighbors knocked on the door yesterday. I figured he wanted to borrow some tools or wanted me to fix his computer because he came over with a six'er of Newcastle. I think Dr. "Bones" McCoy said on Star Trek IV, "Beware of Romulans bearing gifts..." And English Ale beats the crap out of Romulan Ale any day! Come on in!!! Turns out, he was updating the firmware in his home router and accidentally kicked the power cord out of the router in the middle of an update. Can anything be done? I stalled for time until the last Newcastle was gone and then said maybe we can JTAG it.
JTAG is actually a test point on a circuit board. It is an IEEE standard (IEEE 1149.1, Standard Test Access Port and Boundary-Scan Architecture) that came about as a way to test circuit boards once dense, multi-layer designs made it impractical to probe every net with a bed of nails. That testing has evolved into a way to debug code, backdoor into a system and upload/download code in the flash and NVRAM space. The cool thing about the standard is that it is designed to give you access to all chips on a board through a single JTAG header: every chip shares the TCK and TMS lines, and TDO of one chip is daisy-chained into TDI of the next. I started working with JTAG in my ASIC days when I was coding up Complex Programmable Logic Devices (CPLDs) and Field Programmable Gate Arrays (FPGAs). They are not that tough to understand if you take it slow. A great resource is http://www.asset-intertech.com/products/free_resources.htm They have videos, papers, etc. to get you going.
When the equipment is already trashed, this is no-risk hacking. When I want to work on the JTAG ports, I use a device called a Wiggler. The Wiggler cable itself is just a parallel-port buffer, but the target header pinout and the software that drives it are CPU specific, so you have to know which CPU you want to debug. I built my own Broadcom Wiggler out of four 100 ohm resistors, some 14-pin ribbon cable and open source code from: http://openwince.sourceforge.net/jtag/ I have also used the pre-made Wiggler from http://www.diygadget.com/store/jtag-test-tool/wiggler-buffered-all-in-one-jtag-programmer-version-2/prod_33.html and their H-JTAG software, and it actually works better than mine! But not much...
The biggest time consumer is mapping the ports. Lucky for me, his router is based on very well documented Broadcom SoCs built around a MIPS32 core. Broadcom implemented EJTAG version 2.0 in these chips, which allows DMA transfers over JTAG. That is slow, but still faster than the EJTAG v2.5 and v2.6 implementations, which dropped DMA support and force you through the processor-access path. Very helpful, since debricking can take hours at bit-banged cable speeds. But do not fall into the USB JTAG trap. Raw bus speed is not what matters; what matters is how well the software batches JTAG operations into each transaction. For example, the Raven JTAG adapter from Macraigor is very fast, BUT that is due to the excellent software they wrote for this adapter. http://www.macraigor.com/raven.htm You have to want that booger though, cause it is kinda pricey. But man alive is it fast!
I plugged everything in and typed the command: ./wrt54g and I am in! At this point you have to make your decisions carefully, because these commands take a VERY long time to run. Run one command, then reboot, then another, then reboot again... Knowing that he kicked out the power cord in the middle of an update, I figured that NVRAM was trashed and inconsistent. With a deep breath I entered the command: ./wrt54g -erase:nvram
...22 minutes later...
The normal behavior of the router's bootloader is to rebuild a default NVRAM block on reboot when it finds the existing one blank or inconsistent; it just needs clean space to do it in. Sure enough, that fixed the problem! Whenever I get a new piece of Cisco gear, I search for JTAG ports and then start poking around to see what is going on at the board level. It is a real hoot to discover the chip functions, and I highly recommend this to anyone interested in low-level coding. With that task done it is time for me to play a little Fallout 3... oh no, here comes another neighbor with a smile, two cigars and a laptop...
Jimmy Ray Purser
Trivia File Transfer Protocol
Popeye used to really put the smackdown on Brutus after he finished his spinach. Many parents forced that vile weed upon us when we were growing up because spinach has so much iron it makes you mega strong. Too bad all of that was for naught. A goober food analyst in the 50's made a one-decimal-place mistake and reported that spinach had 10x the iron of other veggies. Sorry kids...grrrrr...
Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.
Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University and is currently pursuing a Master of Science degree in electrical engineering.
Money
Jimmy,
You're so money and don't even know it.
Thank you!
Visa sure does!!!
You
You are part of a dying breed, my friend.
Wish I was your neighbor -- I might actually learn something.
Sounds like you could have
Sounds like you could have used a serial cable and formatted the corrupted firmware partitions and TFTPed the new firmware over, which would take just a few minutes.
Reply
Thank you for your comment, Mike. The problem is the device was bricked, so it would not boot up to an operational level to allow me to do that. Services like serial ports, TFTP, etc. are not loaded yet since the OS is not loading. I had to tap into the ASIC to take control of the device at the opcode bootstrap level. The only way (that I know of) is through the JTAG ports.
That is a bricked unit
That is a bricked unit indeed! While doing a Google search on another subject, this post came back.
"When ever I get a new piece of Cisco gear, I search for JTAG ports"
Have you ever done any write-ups on this? JTAGing is a new sport for me (can it be?) and I'd like to mess with some of my Cisco stuff too, starting with a PIX-520. It seems to have some unpopulated serial ports too. I'm going to check that tonight.
Meant to say Pix-501.
JTAG'ing Cisco gear
Hey Mike,
I am currently working on a paper on my JTAG notes with different pieces of Cisco gear. I will post a summary link when it is finished.
Thank you for participating and reading this blog.
Respectfully
Jimmy Ray
Your posts are informative and an inspiration to folks like me
Hi Jimmy Ray,
I have been reading your posts and seen some of the TechWise shows and must say that I have a new found appreciation for the term "alpha geek". But more importantly you have inspired me (and I am sure many others) to be better at what we do - a truly priceless contribution.
Thank you for your time and effort,
Sanjeev.
Thank you!
I am very grateful for your kind words. Thank you so much!!!
Jimmy Ray