Wednesday, February 21st 2018, 12:32pm UTC+1


skintigh

Beginner

Date of registration: May 13th 2016

Posts: 10

1

Friday, May 13th 2016, 8:41pm

[SOLVED] JTAG disabled? "Could not measure total IR len. TDO is constant high."

For a home project I am attempting to debug a VoIP phone. It has 2 ASICs that appear custom. One definitely has an ARM11 core (the firmware includes 3 files: 2 look encrypted, the 3rd is ARM code that seems to cover all features). The board has 20 pads on it which allowed easy attachment of a JTAG header. But when I connect to it with any of the J-Link tools they all fail silently. The only tool that gives me any feedback is JLink.exe and it says "Could not measure total IR len. TDO is constant high." Just to make sure I wasn't crazy I brought it to work and used a J-Link there, but got the same results. Tear down of the hardware

I tested it with a multimeter and TDO and its ground are both high. What does that mean?

Does that mean JTAG has been disabled in the code, or in hardware? If code, is there a specific address in the code typically associated with disabling JTAG?
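What the probe is doing when it prints that message, as an added example that is not code from the thread or from SEGGER: a constructed Go model of a scan chain parked in Shift-IR, and the measurement a debug probe runs at connect time (flood the instruction registers with ones, then shift zeros and count clocks until a zero comes back on TDO). The chain, its IR widths (5 and 8 bits), the 256-clock scan limit and the TDO-stuck states are assumptions of the model; the "constant high" diagnosis text is the J-Link message quoted in the post. The model shows why a pulled-up TDO that nothing drives (disabled TAP, unpowered part, or a pad that is not TDO at all) produces exactly that message, and how it differs from a TDO stuck low or a zero-length chain.

```go
package main

import "fmt"

// maxIRBits is the number of clocks after which the scan gives up; a
// constructed limit for this model, not the one J-Link uses.
const maxIRBits = 256

// TDOState models whether anything is actually driving the TDO line.
type TDOState int

const (
	TDODriven    TDOState = iota // a live TAP drives TDO
	TDOStuckLow                  // line held low: no driver and no pull-up
	TDOStuckHigh                 // line pulled up with no driver: disabled TAP, unpowered part, or not a TDO pad
)

// Chain is a constructed model of one JTAG scan chain parked in Shift-IR.
// bits[0] is the stage next to TDI; bits[len(bits)-1] is the stage next to TDO.
type Chain struct {
	bits  []uint8
	state TDOState
}

// NewChain builds the chain from each TAP's IR width, TDI side first.
func NewChain(irWidths []int, state TDOState) *Chain {
	total := 0
	for _, w := range irWidths {
		total += w
	}
	return &Chain{bits: make([]uint8, total), state: state}
}

// ShiftIR clocks one bit in on TDI and returns the bit that leaves on TDO.
func (c *Chain) ShiftIR(tdi uint8) uint8 {
	switch c.state {
	case TDOStuckLow:
		return 0
	case TDOStuckHigh:
		return 1
	}
	if len(c.bits) == 0 {
		return tdi // zero TAPs: TDI wired straight through to TDO
	}
	tdo := c.bits[len(c.bits)-1]
	copy(c.bits[1:], c.bits[:len(c.bits)-1]) // shift towards TDO; copy() tolerates overlap
	c.bits[0] = tdi
	return tdo
}

// IRScan is the outcome of one total-IR-length measurement.
type IRScan struct {
	TotalIRLen int // meaningful only when OK is true
	OK         bool
	Diagnosis  string
}

// ConstantHigh is the J-Link message quoted in the thread, reused here as the
// model's diagnosis for a TDO that never returns a zero.
const ConstantHigh = "Could not measure total IR len. TDO is constant high."

// MeasureTotalIRLen does what a probe does at connect time: flood Shift-IR
// with ones (every IR fills with all-ones, which IEEE 1149.1 reserves for
// BYPASS), then shift zeros and count clocks until a zero reappears on TDO.
// That count is the summed IR width of every TAP on the chain. A chain longer
// than maxBits is misreported, as it would be by a real probe with that limit.
func MeasureTotalIRLen(shiftIR func(uint8) uint8, maxBits int) IRScan {
	for i := 0; i < maxBits; i++ {
		shiftIR(1)
	}
	for count := 0; count < maxBits; count++ {
		if shiftIR(0) == 0 {
			if count == 0 {
				return IRScan{Diagnosis: "TDO is constant low or TDI is wired straight to TDO: no TAP is shifting data"}
			}
			return IRScan{TotalIRLen: count, OK: true, Diagnosis: "ok"}
		}
	}
	return IRScan{Diagnosis: ConstantHigh}
}

func main() {
	// Constructed chains: two TAPs with 5- and 8-bit IRs, then the same probe
	// on a TDO that nothing drives, which is the situation in the post.
	live := NewChain([]int{5, 8}, TDODriven)
	fmt.Printf("%+v\n", MeasureTotalIRLen(live.ShiftIR, maxIRBits))
	dead := NewChain([]int{5}, TDOStuckHigh)
	fmt.Printf("%+v\n", MeasureTotalIRLen(dead.ShiftIR, maxIRBits))
}
```

The measurement cannot tell a deliberately disabled TAP from a probe on the wrong pads: both leave TDO at the pull-up level, so the first check when this message appears is the pinout and the power state of the part, not the firmware.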

skintigh

Beginner

Date of registration: May 13th 2016

Posts: 10

2

Monday, May 16th 2016, 8:35pm

Nobody has any hints for me? Anything at all could help.

I promise I'm not doing anything nefarious, this phone was end-of-lifed in 2010 and I bought it on eBay for $20.

darcyw

Beginner

Date of registration: May 12th 2016

Posts: 11

3

Monday, May 16th 2016, 10:30pm

Some manufacturers of silicon (thinking specifically of the ex-NXP LPC series) would lock down the JTAG chain when you read-protect the device. The only way to release this was through ISP and erasing the processor... could this be happening for you?

SEGGER - Niklas

Super Moderator

Date of registration: Oct 6th 2014

Posts: 1,691

4

Tuesday, May 17th 2016, 9:17am

Hi,

There has been a lot of reverse engineering of the Cisco 7900 series.
I remember watching a talk that went into quite some detail regarding the hardware used in that series.
Maybe it was this one; I cannot watch it to confirm, but it should be useful:

https://events.ccc.de/congress/2012/Fahr…ts/5400.en.html
https://www.youtube.com/watch?v=f3zUOZcewtA

Best regards,
Niklas

skintigh

Beginner

Date of registration: May 13th 2016

Posts: 10

5

Thursday, June 2nd 2016, 9:52pm

Thank you for the help and those links. That was an interesting talk. Sadly it seems to apply to almost every single Cisco 79xx series phone except the 7940/60. It even applies to the 7941/61.

I assumed since this was such an old and long-dead product that this phone would be an easy target to explore with JTAG, and if not JTAG I could just modify the firmware to spit out the data I needed and make my own changes. Nope. JTAG appears to be disabled (I assume in the boot loader, if not hardware), the boot loader is encrypted so I can't modify it, and the firmware is cryptographically signed and verified by the bootloader so I can't change it either. I figured an easy workaround would be to install an older version of the firmware without those safeties, but the bootloader won't let you install the older insecure versions. Well played, Cisco.

I appear to be left with finding a flaw and exploiting it to run my code. In an older version there is an overflow in DNS response parsing, but I don't know enough about DNS yet to know if I can send it a multi-megabyte DNS response long enough to overwrite the stack pointer.
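The protection chain the post describes (firmware signed by the vendor and checked by the bootloader, with installs of older signed images refused) in miniature, as an added example; this is constructed Go written for this page, not Cisco's bootloader or anything posted in the thread. The Ed25519 key pair, the container layout (version, payload, signature over version || SHA-256(payload)) and the version numbers are assumptions of the model. The two checks are ordered deliberately: the signature is verified before the version is even looked at, and the accepted-version floor is only raised after both pass, which is what makes a downgrade to a genuine but older image fail while a current one installs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is a constructed firmware container: a version number, the payload,
// and the vendor's signature over signedMessage(Version, Payload).
type Image struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage binds the version to the payload inside the signed data, so a
// version field cannot be edited independently of the code it describes.
func signedMessage(version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// Sign is the vendor-side step (a stand-in for the real signing infrastructure).
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	return Image{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

var (
	ErrBadSignature = errors.New("image signature does not verify against the vendor key")
	ErrRollback     = errors.New("image version is below the installed minimum")
)

// Bootloader holds what a verified-boot loader keeps in ROM or one-time
// programmable storage: the vendor public key and the lowest version it will
// still accept.
type Bootloader struct {
	VendorKey  ed25519.PublicKey
	MinVersion uint32
}

// Install verifies the signature first, then enforces the version floor, and
// only then raises the floor so this version cannot be downgraded past later.
func (b *Bootloader) Install(img Image) error {
	if !ed25519.Verify(b.VendorKey, signedMessage(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version < b.MinVersion {
		return ErrRollback
	}
	b.MinVersion = img.Version
	return nil
}

// Scenario replays the three attempts the post describes against one loader:
// installing the current signed image, a modified image, and an older image
// that is still genuinely signed. All keys and payloads are constructed.
func Scenario() (loader *Bootloader, errCurrent, errTampered, errOlder error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	loader = &Bootloader{VendorKey: pub, MinVersion: 0}
	current := Sign(priv, 9, []byte("firmware v9 (constructed payload)"))
	older := Sign(priv, 8, []byte("firmware v8 (constructed payload)"))
	tampered := current
	tampered.Payload = []byte("firmware v9 (modified payload)") // signature no longer matches
	errCurrent = loader.Install(current)
	errTampered = loader.Install(tampered)
	errOlder = loader.Install(older)
	return loader, errCurrent, errTampered, errOlder
}

func main() {
	loader, a, b, c := Scenario()
	fmt.Println("current:", a)
	fmt.Println("tampered:", b)
	fmt.Println("older:", c)
	fmt.Println("accepted-version floor now:", loader.MinVersion)
}
```

The floor only ever moves up, so once version 9 has been accepted the loader keeps refusing 8 even across resets; that is the behaviour the post runs into when trying to go back to a build without the checks.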

skintigh

Beginner

Date of registration: May 13th 2016

Posts: 10

6

Sunday, December 11th 2016, 7:29pm

Solution (I think): it's not an ARM JTAG header, it's a TI JTAG header.

This post has been edited 1 time, last edit by "skintigh" (Dec 11th 2016, 7:46pm)