Reverse engineering AT32UC3As JTAG Introduction Overview LSE - - PowerPoint PPT Presentation

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Reverse engineering AT32UC3A’s JTAG

LSE Summer Week 2014 Pierre Surply

EPITA 2016

Jul 19, 2014

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 1 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

On-Chip Debug

Figure: AVR Dragon

avr32gdbproxy -e "avrdragon" -a ":4242"

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 2 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

JTAG

Join Test Action Group Published in April 1990 IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 3 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

JTAG pins

TCK : Test Clock TMS : Test Mode Select TDI : Test Data Input TDO : Test Data Output TRST : Test Reset

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 4 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Registers

Instruction Registers Data Registers:

IDCODE BYPASS BSR

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 5 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

JTAG Block Diagram

Figure: JTAG Block Diagram

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 6 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Shift Register

Figure: Shift Register (1/5)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 7 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Shift Register

Figure: Shift Register (2/5)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 8 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Shift Register

Figure: Shift Register (3/5)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 9 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Shift Register

Figure: Shift Register (4/5)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 10 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Shift Register

Figure: Shift Register (5/5)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 11 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

DR: Data Register IR: Instruction Register

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 12 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (1/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 13 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (2/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 14 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (3/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 15 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (4/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 16 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (5/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 17 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (6/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 18 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (7/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 19 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (8/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 20 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (9/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 21 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (10/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 22 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (11/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 23 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (12/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 24 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

TAP Controller State Machine

Figure: TAP Controller Example (13/13)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 25 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Daisy Chain

Figure: Daisy Chain

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 26 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

BYPASS

Figure: BYPASS Register

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 27 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

BYPASS

Figure: BYPASS and Daisy Chain (1/3)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 28 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

BYPASS

Figure: BYPASS and Daisy Chain (2/3)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 29 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

BYPASS

Figure: BYPASS and Daisy Chain (3/3)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 30 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Boundary Scan

Figure: Boundary Scan

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 31 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Boundary Scan Instructions

EXTEST SAMPLE/PRELOAD INTEST

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 32 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Boundary Scan

Figure: Scan Cell

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 33 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Boundary Scan Description Language

Describes boundary scan layout for a specific integrated circuit VHDL subset Provided by manufacturer

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 34 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

UC3 JTAG Overview

32-bit AVR device

J TAG data registers TAP Controller Instruction Register Device Identification Register By-pass Register Reset Register Service Access Bus interface Bou n d ary Scan Ch ain Pin s an d an a log b lock s Data register scan enable JTAG Pin s Boundary scan enable

2nd J TAG device J TAG master

TDI TDO Part specific registers ... TDO TDI TMS TMS TCK TCK Instruction register scan enable SAB Internal I/O lines

J TAG

TMS TDI TDO TCK

Figure: UC3 JTAG Overview

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 35 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

UC3 On-Chip Debug Overview

On-Chip Debug JTAG Debug PC Debug Instruction CPU Breakpoints Program Trace Data Trace Ownership Trace Watchpoints Transmit Queue

AUX JTAG

Internal SRAM

S e r v i c e A c c e s s B u s

Memory Service Unit HSB Bus Matrix

Memories and peripherals

Figure: UC3 On-Chip Debug Overview

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 36 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

SAB Slaves

Slave Address [35:32] Description Unallocated 0x0 Intentionally unallocated OCD 0x1 OCD registers HSB 0x4 HSB memory space, as seen by the CPU HSB 0x5 Alternative mapping for HSB space, for compatibility with

• ther 32-bit AVR devices.

Memory Service Unit 0x6 Memory Service Unit registers Reserved Other Unused

Figure: SAB Slaves

HSB: High Speed Bus

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 37 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Finding Pinout

Figure: Pullup Resistors

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 38 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (1/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 39 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (2/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 40 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (3/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 41 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (4/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 42 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (5/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 43 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (6/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 44 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (7/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 45 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (8/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 46 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (9/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 47 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (10/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 48 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (11/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 49 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (12/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 50 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (13/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 51 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (14/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 52 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (15/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 53 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (16/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 54 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (17/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 55 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (18/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 56 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (19/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 57 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (20/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 58 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (21/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 59 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (22/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 60 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (23/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 61 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (24/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 62 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Data register length scanning

Figure: Data register length scanning (25/25)

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 63 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Daisy Chain length scanning

Figure: Daisy Chain length scanning

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 64 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

OpenOCD Low Level JTAG Commands

irscan auto0.tap 0x1 drscan auto0.tap 512 0 -endstate DRPAUSE drscan auto0.tap 1 0 -enstate DRPAUSE

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 65 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

UC3 JTAG Analysis

Figure: Bus Pirate as JTAG probe

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 66 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

UC3 JTAG Data Register Length

Opcode: Length 0x0: 1 0x8: 1 0x10: 34 0x18: 4 0x1: 32 0x9: 1 0x11: 35 0x19: 1 0x2: 224 0xa: 1 0x12: 34 0x1a: 1 0x3: 224 0xb: 1 0x13: 1 0x1b: 1 0x4: 224 0xc: 5 0x14: 34 0x1c: 1 0x5: 1 0xd: 1 0x15: 39 0x1d: 0 0x6: 1 0xe: 1 0x16: 1 0x1e: 1 0x7: 1 0xf: 1 0x17: 16 0x1f: 1

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 67 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

UC3 JTAG Data Register Length

Opcode: Length 0x0: 1 0x8: 1 0x10: 34 0x18: 4 0x1: 32 0x9: 1 0x11: 35 0x19: 1 0x2: 224 0xa: 1 0x12: 34 0x1a: 1 0x3: 224 0xb: 1 0x13: 1 0x1b: 1 0x4: 224 0xc: 5 0x14: 34 0x1c: 1 0x5: 1 0xd: 1 0x15: 39 0x1d: 0 0x6: 1 0xe: 1 0x16: 1 0x1e: 1 0x7: 1 0xf: 1 0x17: 16 0x1f: 1 BYPASS, CLAMP, CHIP ERASE IDCODE Boundary Scan AVR RESET, SYNC Service Access Bus ???

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 68 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Instruction 0x18

Present in BSDL file but not in datasheet

attribute INSTRUCTION_OPCODE

• f UC3A3256-BGA : entity is

" PRIVATE0 ( 10011 ), " & " PRIVATE1 ( 01100 ), " & " BYPASS ( 11111 ), " & " CLAMP ( 00110 ), " & " EXTEST ( 00011 ), " & " IDCODE ( 00001 ), " & " INTEST ( 00100 ), " & " PRIVATE2 ( 11001 ), " & " PRIVATE3 ( 11010 ), " & " PRIVATE4 ( 11011 ), " & " PRIVATE5 ( 10001 ), " & " PRIVATE6 ( 10010 ), " & " PRIVATE7 ( 10000 ), " & " PRELOAD ( 00010 ), " & " SAMPLE ( 00010 ), " & " PRIVATE8 ( 10111 ), " & " PRIVATE9 ( 11000 ) " ;

Strange behaviour when Data Register is set to 1 or 2

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 69 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Nexus (IEEE-ISTO 5001-2003)

Device A U X + J T A G d e b u g to o l J T A G A U X h ig h s p e e d M ic to r 3 8 T r a c e b u ffe r P C

Figure: AUX+JTAG based debugger

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 70 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

References

http://www.fpga4fun.com/JTAG.html http://www.elinux.org/JTAG Finder http://events.ccc.de/congress/2009/Fahrplan/events/3670.en.html

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 71 / 72

Reverse engineering AT32UC3A’s JTAG Pierre Surply Introduction Overview TAP Controller Scan Chain Boundary Scan UC3 JTAG Reverse engineering Conclusion

Contact

Git: git.psurply.com/uc3jtag IRC: Ptishell@irc.rezosup.org Mail: surply@lse.epita.fr Twitter: @Ptishell

Pierre Surply (EPITA 2016) Reverse engineering AT32UC3A’s JTAG Jul 19, 2014 72 / 72