[SOLVED] JTAG disabled? "Could not measure total IR len. TDO is constant high."


  • [SOLVED] JTAG disabled? "Could not measure total IR len. TDO is constant high."

    For a home project I am attempting to debug a VoIP phone. It has 2 ASICs that appear custom. One definitely has an ARM11 core (the firmware includes 3 files; 2 look encrypted, the 3rd is ARM code that seems to cover all features). The board has 20 pads on it which allowed easy attachment of a JTAG header. But when I connect to it with any of the J-Link tools they all fail silently. The only tool that gives me any feedback is JLink.exe and it says "Could not measure total IR len. TDO is constant high." Just to make sure I wasn't crazy I brought it to work and used a J-Link there, but got the same results.

    I tested it with a multimeter and TDO and its ground are both high. What does that mean?

    Does that mean JTAG has been disabled in the code, or in hardware? If code, is there a specific address in the code typically associated with disabling JTAG?
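What the probe is actually doing when it prints that message is worth seeing in code. The standard way a debugger measures total IR length is to shift ones into the instruction registers until every TAP is in BYPASS (all-ones on a compliant TAP), then shift zeros and count clocks until a zero comes back out on TDO. If nothing on the board is driving TDO, the pin's pull-up reads as a constant 1, the zero never appears, and the measurement fails. The model below is an added illustration, not J-Link or SEGGER code; the TAP names, IR widths and the "stuck TDO" fault are all constructed for the example.

```python
"""Model of how a JTAG probe measures the total instruction-register (IR)
length of a scan chain, and why an undriven TDO fails the measurement.
Added example: the chain, IR widths and the stuck-TDO fault are constructed."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Tap:
    """One TAP in the chain; only the IR shift path is modelled."""
    name: str
    ir_len: int
    ir: List[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Power-up IR contents are unknown on real silicon; start all-zero here.
        self.ir = [0] * self.ir_len

    def shift(self, tdi: int) -> int:
        """Clock one bit in at TDI; the bit falling off the far end is this TAP's TDO."""
        tdo = self.ir[-1]
        self.ir = [tdi] + self.ir[:-1]
        return tdo


class ScanChain:
    """TAPs daisy-chained TDI -> taps[0] -> taps[1] -> ... -> TDO while in Shift-IR."""

    def __init__(self, taps: List[Tap], tdo_stuck: Optional[int] = None) -> None:
        self.taps = taps
        # Constructed fault: tdo_stuck=1 models a TDO that nothing drives, so the
        # pull-up reads as a constant 1 (fused-off TAP, wrong pinout, open trace);
        # tdo_stuck=0 models a TDO shorted to ground.
        self.tdo_stuck = tdo_stuck

    def shift_ir(self, tdi: int) -> int:
        if self.tdo_stuck is not None:
            return self.tdo_stuck
        bit = tdi
        for tap in self.taps:
            bit = tap.shift(bit)
        return bit


def measure_total_ir_len(chain: ScanChain, max_bits: int = 1024) -> Optional[int]:
    """Fill every IR with ones, then shift zeros and count clocks until a zero
    emerges on TDO. That count is the total IR length of the chain. Returns
    None if no zero appears within max_bits (TDO never went low)."""
    for _ in range(max_bits):
        chain.shift_ir(1)
    for clocks in range(max_bits):
        if chain.shift_ir(0) == 0:
            return clocks
    return None


def probe(chain: ScanChain) -> str:
    """Turn the raw measurement into the kind of verdict a probe prints."""
    n = measure_total_ir_len(chain)
    if n is None:
        return "Could not measure total IR len. TDO is constant high."
    if n == 0:
        # A zero on the very first clock means TDO never reflected the ones we
        # shifted in: the line is stuck low rather than connected to a TAP.
        return "Could not measure total IR len. TDO is constant low."
    return f"Total IR len = {n}"


if __name__ == "__main__":
    # Constructed chain: a 5-bit debug TAP plus a 4-bit boundary-scan TAP.
    healthy = ScanChain([Tap("arm11-dbg", 5), Tap("boundary-scan", 4)])
    print(probe(healthy))  # Total IR len = 9
    dead = ScanChain([Tap("arm11-dbg", 5)], tdo_stuck=1)
    print(probe(dead))     # Could not measure total IR len. TDO is constant high.
```

The model says nothing about why TDO is undriven; it only shows that the error is the probe's way of saying "I shifted a pattern in and got back an unbroken run of ones", which is exactly what a fused-off or software-disabled TAP, a misidentified pad, or a broken trace all look like from the header.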
  • Some manufacturers of silicon (thinking specifically of the ex-NXP LPC series) would lock down the JTAG chain when you read-protect the device. The only way to release this was through ISP and erasing the processor... could be happening for you?
  • Hi,

    there has been a lot of reverse engineering of the Cisco 7900 series.
    I remember watching a talk that got quite into detail regarding the hardware used in that series.
    Maybe it was this one, but I cannot watch it right now to confirm; it should be useful anyway:

    events.ccc.de/congress/2012/Fahrplan/events/5400.en.html
    youtube.com/watch?v=f3zUOZcewtA

    Best regards,
    Niklas
  • Thank you for the help and those links. That was an interesting talk. Sadly it seems to apply to almost every single Cisco 79xx series phone except the 7940/60. It even applies to the 7941/61.

    I assumed since this was such an old and long-dead product that this phone would be an easy target to explore with JTAG, and if not JTAG I could just modify the firmware to spit out the data I needed and make my own changes. Nope. JTAG appears to be disabled (I assume in the boot loader, if not hardware), the boot loader is encrypted so I can't modify it, and the firmware is cryptographically signed and verified by the bootloader so I can't change it either. I figured an easy workaround would be to install an older version of the firmware without those safeties, but the bootloader won't let you install the older insecure versions. Well played Cisco.

    I appear to be left with finding a flaw and exploiting it to run my code. In an older version there is an overflow in DNS response parsing, but I don't know enough about DNS yet to know if I can send it a multi-megabyte DNS response long enough to overwrite the stack pointer.
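On the question of how big a single DNS response can be: the wire format (RFC 1035) caps it with 16-bit fields long before the megabyte range. Over UDP without EDNS a message is limited to 512 octets; over TCP each message is prefixed with a two-octet length, so 65535 octets is the ceiling; and each resource record's RDLENGTH is itself 16 bits. The builder below is an added example, not code from the thread or from any phone firmware; the query name is constructed, and it encodes a response only to show where those limits bite.

```python
"""Wire-format size limits on one DNS response (RFC 1035).
Added example with a constructed query name; not from the thread."""

import struct

UDP_MAX_MSG = 512      # RFC 1035 4.2.1: UDP messages limited to 512 octets (no EDNS)
TCP_MAX_MSG = 0xFFFF   # RFC 1035 4.2.2: TCP messages carry a two-octet length prefix
RDLENGTH_MAX = 0xFFFF  # RDLENGTH is a 16-bit field in every resource record
TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length {len(raw)} out of range 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(qname: str, rdata: bytes, txid: int = 0x1234) -> bytes:
    """Header + one question + one TXT answer whose RDATA is caller-supplied bytes."""
    if len(rdata) > RDLENGTH_MAX:
        raise ValueError("RDATA exceeds the 16-bit RDLENGTH field")
    # Flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0. One question, one answer.
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", TYPE_TXT, CLASS_IN)
    # 0xC00C is a compression pointer back to the QNAME at offset 12 (end of header).
    rr = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + question + rr


def frame_for_tcp(msg: bytes) -> bytes:
    """Prefix with the two-octet length; a larger message cannot be framed at all."""
    if len(msg) > TCP_MAX_MSG:
        raise ValueError("message exceeds the 16-bit TCP length prefix")
    return struct.pack(">H", len(msg)) + msg


def max_rdata(qname: str, transport: str) -> int:
    """Largest single-RR RDATA that fits one response over 'udp' or 'tcp'."""
    overhead = len(build_response(qname, b""))  # header + question + RR with empty RDATA
    limit = UDP_MAX_MSG if transport == "udp" else TCP_MAX_MSG
    return min(limit - overhead, RDLENGTH_MAX)


def fits_in_one_message(qname: str, rdata_len: int, transport: str) -> bool:
    """True if an RDATA of this length can be delivered in a single response."""
    return 0 <= rdata_len <= max_rdata(qname, transport)


if __name__ == "__main__":
    name = "phone.example.com"  # constructed
    print(max_rdata(name, "udp"), max_rdata(name, "tcp"))       # 465 65488
    print(fits_in_one_message(name, 2_000_000, "tcp"))          # False
    print(len(frame_for_tcp(build_response(name, b"x" * 100))))  # 149
```

Splitting data across several records does not raise the ceiling: the 65535-octet TCP limit applies to the whole message, and a client that only speaks UDP without EDNS sees at most 512 octets per reply.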