JTAG Hacking

One of my neighbors knocked on the door yesterday. I figured he wanted to borrow some tools or wanted me to fix his computer because he came over with a six'er of Newcastle. I think Dr. "Bones" McCoy said on Star Trek IV, "Beware of Romulans bearing gifts..." And English Ale beats the crap out of Romulan Ale any day! Come on in!!! Turns out, he was updating the firmware in his home router and accidentally kicked the power cord out of the router in the middle of an update. Can anything be done? I stalled for time until the last Newcastle was gone and then said maybe we can JTAG it. JTAG is actually a test point on a circuit board. It is a IEEE standard (IEEE 1149 Standard Test Access Port and Boundary Scan Architecture) that came about as a way to test circuit boards when we went to a multi-layer board design. This testing has evolved into a way to debug code, backdoor into a system and upload/download code in the NVRAM space. The cool thing about the standard is that it is designed to give you access to all chips on a board thru a single JTAG point by simply daisy chaining control lines. I started working JTAGs in my ASIC days when I was coding up Complex Programmable Logic Devices (CPLD's) and Field Programmable Gate Array (FPGA's). They are not that tough to understand if you take it slow. A great resource is http://www.asset-intertech.com/products/free_resources.htm They have videos,papers,etc to get ya going. When equipment is trashed, this is no risk hacking. When I want to work on the JTAG ports, I use a device called a Wiggler. A Wiggler is CPU specific so you have to know which CPU you want to debug. I built my own Broadcom Wiggler out of four 100 ohm resisters, some 14 pin ribbon cable and use Open Source code from: http://openwince.sourceforge.net/jtag/ I have also used the pre made Wiggler from http://www.diygadget.com/store/jtag-test-tool/wiggler-buffered-all-in-one-jtag-programmer-version-2/prod_33.html and their H-JTAG software and it actually works better then mine! But not much... The biggest time consumer is mapping the ports. Lucky for me his router is based on very well documented Broadcom CPUs which are a type of MIPS32 processor. Broadcom has implemented EJTAG version 2.0 in their chips. This allows the use of DMA transfers via JTAG which, while slow, is faster than the implementation of EJTAG v2.5 and v2.6 which do not support DMA transfers. Very helpful since debricking can take hours at serial speeds. But do not fall into the USB JTAG trap. The speed is a function of the software not the physical layer. For example the Raven JTAG adapter from Macraigor is very fast BUT that is due to the excellent software they wrote for this adapter. http://www.macraigor.com/raven.htm You have to want that booger though, cause it is kinda pricey. But man alive is it fast! I plugged up everything and typed the command: ./wrt54g and I am in! At this point, you have to make your decisions carefully because these commands take a VERY long time to run. Run one command then reboot, then another then reboot again... Knowing that he kicked out the power cord in the middle of an update, I figured that NVRAM was trashed and inconsistent. With a deep breath I entered the command: ./wrt54g -erase:nvram ...22 minutes later... The normal behavior of the router is to post the most complete copy of the firmware in NVRAM after a reboot, it just needs the space to do it in. Sure enough that fixed the problem! When ever I get a new piece of Cisco gear, I search for JTAG ports and then start poking around to see what is going on at the board. It is a real hoot to discover the chip functions and I highly recommend this to anyone interested in low level coding. With that task done it is time for me to play a little Fallout 3, oh no...here comes another neighbor with a smile, two cigars and a laptop... Jimmy Ray Purser Trivia File Transfer Protocol Popeye used to really put the smackdown on Brutus after he finished his spinach. Many parents have forced that vile weed upon us when we where growing up because spinach has so much Iron it makes you mega strong. Too bad all of that was for not. A goober food analyst in the 50's made a one decimal place mistake and reported that spinach had x10 the Iron as other veggies. Sorry kids...grrrrr...

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT