[SOLVED] JTAG disabled? "Could not measure total IR len. TDO is constant high."


  • [SOLVED] JTAG disabled? "Could not measure total IR len. TDO is constant high."

    For a home project I am attempting to debug a VoIP phone. It has 2 ASICs that appear custom. One definitely has an ARM11 core (The firmware includes 3 files, 2 look encrypted the 3rd is ARM code that seems to cover all features). The board has 20 pads on it which allowed easy attachment of a JTAG header. But when I connect to it with any of the Jlink tools they all fail silently. The only tool that gives me any feedback is Jlink.exe and it says "Could not measure total IR len. TDO is constant high." Just to make sure I wasn't crazy I brought it to work and used a Jlink there, but got the same results. Tear down of the hardware

    I tested it with a multimeter and TDO and its ground are both high. What does that mean?

    Does that mean JTAG has been disabled in the code, or in hardware? If code, is there a specific address in the code typically associated with disabling JTAG?
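    As an added illustration (not code from this thread or from SEGGER), the model below shows how a probe measures the total instruction-register length of a JTAG scan chain and why a TDO pin that never goes low yields exactly the "Could not measure total IR len" failure: the IR lengths and the stuck-high flag are constructed sample values, and real probes use a longer detection pattern than this simplified version.

```python
# Added example: simplified model of JTAG total-IR-length detection.
# TAP IR lengths are constructed sample values, not the phone's real chain.
from typing import List, Optional


class ScanChain:
    """Serial chain of TAP instruction registers between TDI and TDO.

    In the Shift-IR state every TCK clocks one bit in at TDI and the oldest
    bit out at TDO, so the chain behaves like one shift register whose
    length is the sum of the individual IR lengths.
    """

    def __init__(self, ir_lengths: List[int], tdo_stuck_high: bool = False):
        self.total = sum(ir_lengths)
        self.bits = [1] * self.total          # captured IR contents, irrelevant here
        self.tdo_stuck_high = tdo_stuck_high  # models a disabled or unconnected TAP

    def shift(self, tdi: int) -> int:
        """Clock one bit in at TDI and return the bit that falls out at TDO."""
        if self.tdo_stuck_high:
            return 1                          # pull-up only, no TAP driving TDO
        tdo = self.bits.pop(0)
        self.bits.append(tdi)
        return tdo


def measure_total_ir_len(chain: ScanChain, max_len: int = 256) -> Optional[int]:
    """Probe-side algorithm: flush the chain with 1s, then shift in 0s and
    count clocks until the first 0 reappears at TDO. That count is the
    total IR length. Returns None when no 0 ever comes back, i.e. TDO is
    constant high and no TAP is answering."""
    for _ in range(max_len):                  # fill every IR bit with 1
        chain.shift(1)
    for n in range(max_len):
        if chain.shift(0) == 0:
            return n                          # the 0 travelled through n bits
    return None


def describe(chain: ScanChain) -> str:
    """Render the probe's verdict in the wording J-Link uses."""
    n = measure_total_ir_len(chain)
    if n is None:
        return "Could not measure total IR len. TDO is constant high."
    return f"Total IR len: {n}"
```

    A stuck-high TDO therefore cannot distinguish "debug port disabled by the bootloader or fuses" from "wrong pinout or no TAP on this pair"; the multimeter reading in the post only confirms the pin is being pulled up, not which of those applies.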
  • Hi,

    there has been a lot of reverse engineering of the Cisco 7900 series.
    I remember watching a talk that got quite into detail regarding the hardware used in that series.
    Maybe it was this one, but I cannot watch it right now to confirm; it should be useful anyway:

    events.ccc.de/congress/2012/Fahrplan/events/5400.en.html
    youtube.com/watch?v=f3zUOZcewtA

    Best regards,
    Niklas
  • Thank you for the help and those links. That was an interesting talk. Sadly it seems to apply to almost every single Cisco 79xx series phone except the 7940/60. It even applies to the 7941/61.

    I assumed since this was such an old and long-dead product that this phone would be an easy target to explore with JTAG, and if not JTAG I could just modify the firmware to spit out the data I needed and make my own changes. Nope. JTAG appears to be disabled (I assume in the boot loader, if not hardware), the boot loader is encrypted so I can't modify it, and the firmware is cryptographically signed and verified by the bootloader so I can't change it either. I figured an easy workaround would be to install an older version of the firmware without those safeties, but the bootloader won't let you install the older insecure versions. Well played Cisco.

    I appear to be left with finding a flaw and exploiting it to run my code. In an older version there is an overflow in DNS response parsing, but I don't know enough about DNS yet to know if I can send it a multi-megabyte DNS response long enough to overwrite the stack pointer.