ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Reverse engineering AT32UC3A’s JTAGLSE Summer Week 2014

Pierre Surply

EPITA 2016

Jul 19, 2014

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 1 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

On-Chip Debug

Figure: AVR Dragon

avr32gdbproxy -e "avrdragon" -a ":4242"

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 2 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

JTAG

Join Test Action Group

Published in April 1990

IEEE 1149.1

Standard Test Access Port and Boundary-ScanArchitecture

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 3 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

JTAG pins

TCK : Test Clock

TMS : Test Mode Select

TDI : Test Data Input

TDO : Test Data Output

TRST : Test Reset

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 4 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Registers

Instruction Registers

Data Registers:

IDCODE

BYPASS

BSR

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 5 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

JTAG Block Diagram

Figure: JTAG Block Diagram

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 6 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Shift Register

Figure: Shift Register (1/5)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 7 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Shift Register

Figure: Shift Register (2/5)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 8 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Shift Register

Figure: Shift Register (3/5)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 9 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Shift Register

Figure: Shift Register (4/5)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 10 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Shift Register

Figure: Shift Register (5/5)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 11 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

DR: Data Register

IR: Instruction Register

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 12 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (1/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 13 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (2/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 14 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (3/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 15 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (4/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 16 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (5/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 17 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (6/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 18 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (7/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 19 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (8/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 20 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (9/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 21 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (10/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 22 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (11/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 23 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (12/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 24 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (13/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 25 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Daisy Chain

Figure: Daisy Chain

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 26 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

BYPASS

Figure: BYPASS Register

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 27 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

BYPASS

Figure: BYPASS and Daisy Chain (1/3)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 28 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

BYPASS

Figure: BYPASS and Daisy Chain (2/3)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 29 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

BYPASS

Figure: BYPASS and Daisy Chain (3/3)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 30 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Boundary Scan

Figure: Boundary Scan

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 31 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Boundary Scan Instructions

EXTEST

SAMPLE/PRELOAD

INTEST

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 32 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Boundary Scan

Figure: Scan Cell

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 33 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Boundary Scan Description Language

Describes boundary scan layout for a specific integratedcircuit

VHDL subset

Provided by manufacturer

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 34 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

UC3 JTAG Overview

32-bit AVR device

J TAG data registers

TAP

Controller

Instruction Register

Device Identification

Register

By-pass Register

Reset Register

Service Access Bus interface

Bou

ndar

y Sca

n Cha

in

Pin

s an

d an

alog

blo

cks

Data register

scan enable

JTAG

Pin

s

Boundary scan enable

2nd J TAG device

J TAG master

TDITDO

Part specific registers

...

TDO TDITMS

TMS

TCK

TCK

Instruction registerscan enable

SABInternal I/O

lines

J TAG

TMS

TDI

TDO

TCK

Figure: UC3 JTAG Overview

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 35 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

UC3 On-Chip Debug Overview

On-Chip Debug

JTAG

Debug PC

Debug

Instruction

CPU

Breakpoints

Program

TraceData Trace

Ownership

Trace

WatchpointsTransmit Queue

AUX

JTAG

Internal

SRAM

Service Access Bus

Memory

Service

Unit

HSB Bus MatrixMemories and

peripherals

Figure: UC3 On-Chip Debug Overview

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 36 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

SAB Slaves

Slave Address [35:32] Description

Unallocated 0x0 Intentionally unallocated

OCD 0x1 OCD registers

HSB 0x4 HSB memory space, as seen by the CPU

HSB 0x5Alternative mapping for HSB space, for compatibility with

other 32-bit AVR devices.

Memory Service

Unit0x6 Memory Service Unit registers

Reserved Other Unused

Figure: SAB Slaves

HSB: High Speed Bus

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 37 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Finding Pinout

Figure: Pullup Resistors

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 38 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (1/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 39 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (2/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 40 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (3/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 41 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (4/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 42 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (5/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 43 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (6/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 44 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (7/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 45 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (8/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 46 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (9/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 47 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (10/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 48 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (11/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 49 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (12/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 50 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (13/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 51 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (14/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 52 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (15/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 53 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (16/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 54 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (17/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 55 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (18/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 56 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (19/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 57 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (20/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 58 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (21/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 59 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (22/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 60 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (23/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 61 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (24/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 62 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Data register length scanning

Figure: Data register length scanning (25/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 63 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Daisy Chain length scanning

Figure: Daisy Chain length scanning

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 64 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

OpenOCD Low Level JTAG Commands

irscan auto0.tap 0x1

drscan auto0.tap 512 0 -endstate DRPAUSE

drscan auto0.tap 1 0 -enstate DRPAUSE

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 65 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

UC3 JTAG Analysis

Figure: Bus Pirate as JTAG probe

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 66 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

UC3 JTAG Data Register Length

Opcode: Length

0x0: 1 0x8: 1 0x10: 34 0x18: 4

0x1: 32 0x9: 1 0x11: 35 0x19: 1

0x2: 224 0xa: 1 0x12: 34 0x1a: 1

0x3: 224 0xb: 1 0x13: 1 0x1b: 1

0x4: 224 0xc: 5 0x14: 34 0x1c: 1

0x5: 1 0xd: 1 0x15: 39 0x1d: 0

0x6: 1 0xe: 1 0x16: 1 0x1e: 1

0x7: 1 0xf: 1 0x17: 16 0x1f: 1

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 67 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

UC3 JTAG Data Register Length

Opcode: Length

0x0: 1 0x8: 1 0x10: 34 0x18: 4

0x1: 32 0x9: 1 0x11: 35 0x19: 1

0x2: 224 0xa: 1 0x12: 34 0x1a: 1

0x3: 224 0xb: 1 0x13: 1 0x1b: 1

0x4: 224 0xc: 5 0x14: 34 0x1c: 1

0x5: 1 0xd: 1 0x15: 39 0x1d: 0

0x6: 1 0xe: 1 0x16: 1 0x1e: 1

0x7: 1 0xf: 1 0x17: 16 0x1f: 1

BYPASS, CLAMP, CHIP ERASE

IDCODE

Boundary Scan

AVR RESET, SYNC

Service Access Bus

???Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 68 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Instruction 0x18

Present in BSDL file but not in datasheet

attribute INSTRUCTION_OPCODE of UC3A3256-BGA : entity is

" PRIVATE0 ( 10011 ), " &

" PRIVATE1 ( 01100 ), " &

" BYPASS ( 11111 ), " &

" CLAMP ( 00110 ), " &

" EXTEST ( 00011 ), " &

" IDCODE ( 00001 ), " &

" INTEST ( 00100 ), " &

" PRIVATE2 ( 11001 ), " &

" PRIVATE3 ( 11010 ), " &

" PRIVATE4 ( 11011 ), " &

" PRIVATE5 ( 10001 ), " &

" PRIVATE6 ( 10010 ), " &

" PRIVATE7 ( 10000 ), " &

" PRELOAD ( 00010 ), " &

" SAMPLE ( 00010 ), " &

" PRIVATE8 ( 10111 ), " &

" PRIVATE9 ( 11000 ) " ;

Strange behaviour when Data Register is set to 1 or 2

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 69 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Nexus (IEEE-ISTO 5001-2003)

Device

A U X + J T A G

d e b u g to o l

J T A GA U X

h ig h s p e e d

M ic to r 3 8

T r a c e b u f fe r

P C

Figure: AUX+JTAG based debugger

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 70 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

References

http://www.fpga4fun.com/JTAG.html

http://www.elinux.org/JTAG Finder

http://events.ccc.de/congress/2009/Fahrplan/events/3670.en.html

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 71 / 72

ReverseengineeringAT32UC3A’s

JTAG

Pierre Surply

Introduction

Overview

TAPController

Scan Chain

BoundaryScan

UC3 JTAG

Reverseengineering

Conclusion

Contact

Git: git.psurply.com/uc3jtag

IRC: Ptishell@irc.rezosup.org

Mail: surply@lse.epita.fr

Twitter: @Ptishell

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 72 / 72