From Hardware-Hacking

Jump to: navigation, search

firewall stock broker training thomas the tank engine chanel handbags orbitz novolog contemporary bedroom furniture gottex swimwear female masterbation young gay monster truch gas prices all poster free porn amature canon camera tips on house cleaning asian dating sage robbins colored diamonds for sale lexington steele sexology pain med cheap air tickets pill identification companies house raunchy granny old sex california realestate sauder computer desk with hutch victoria secrets butterfly tattoos pilot online free ring tones razor phone mortgage ammortization tables paris hilton sexvideo psp porn swinger hanging cosmetic bag addaware drape ketamine cyprus properties live sex cams replica anal stretching epic treadmills classic car insurance staple xxx sex xxx wedding band adelphia cable skimpy bikini weddings performance evaluation metal bar stool viagra motorhome blow job cum ivy tech state college bad credit credit cards nextel phone best time to buy a new car free beast sex movies ohio festivals uk chatroom bondage shops deodorant diet pills phentermine truck part free download game lion king celebs movies dupont real touch elite laminate flooring adobe illustrator cs2 indian cinema ryobi part lawyers singapore computer buy dvd decoder gothic halloween costume bmw wallpaper bank one international trucks military schools rent porn movie cheap baby shower invitations celcom caller ringtone live psychic daily free horoscope ovral princess cruise line aldara unsecured personal loans with bad credit czech glass pearls tmobile ringtones free powerpoint safety presentations keyless lock babes recumbent exercise bike trailer electrical plugs stacker 3 shelby mustang gt 500 pornstars ring tones proactiv wife naked gay porn star free young pussy plus size wedding dress rita faltoyano print greeting card concubine weapon download free motorola ringtones sigma lenses short stories free antispyware real child porn pennis enlarger outdoor furniture free corel draw paris hilton sex tape traffic lights designer imitation handbag internet betting nikki nova keygen bejeweled 2 honda crv 2007 laughlin nevada house paint mypay dfas mil ecommerce web site j k rowling wellbutrin withdrawal extacy red alert download revia depression pictures mimi macpherson inversion table haldol cadillac cts wholesale eyeglass case spread pussies jessica simpson nude caravan insurance citalopram charlie chaplin fuck me currency conversions well fargo jobs suzuki boulevard florida state hypnotized teen diesel shoes brooke annaversary lovastatin softice download tyra banks wifesharing manga girls cambridge soundworks sister nude armani perfume bike carrier texas holdem poker hairy pussy sex amateurstraightguys single dating free i730 nextel ringtone wallpaper esthetician equipment lesbian boobs olsen twins naked school gerls calpers black lesbians united airlines itunes bupropion effects of divorce on children work from home business jd edwards mature bitches discount wedding invitation foo fighters the best hawaiian airline norton anti virus food gift baskets mosquito ring tone alaska airline flight information raise your voice play station 2 grasshopper information on acyclovir paintless dent repair queens wet hot sex registered dietician schools yamaha portable generator rifle stocks basricliace


(E)JTAG in general

Most of modern MIPS SOCs support JTAG (IEEE 1149.1). The MIPS EJTAG is a proprietary extension which utilizes widely used IEEE JTAG pins for debug functions. EJTAG provides: run control, single-step execution, breakpoints on both data and instructions, real-time trace (optional) and direct memory access.

The EJTAG prior v2.6 was not documented, however many SOCs still use it. The v2.6 is fully documented and available on the MIPS site (free registration required). The IMPCODE register contains EJTAGver field, so software should read it to distinguish EJTAG version.

MIPS EJTAG has two modes, one is "DMA" mode where the JTAG can cause CPU bus cycles directly, the other "PrAcc" is where the JTAG interface is used to respond to CPU memory accesses in a special range of memory (DMSEG, 0xFF200000) and you have to write little bits of MIPS code to do what you want and emulate that memory on the host side. All systems support PrAcc mode by nature. The DMA mode is optional and not as widely supported as the normal mode. The presence of DMA mode is noted in the IMPCODE register.

JTAG header

EJTAG utilizes 5-pin interface defined in IEEE 1149.1 JTAG specification for off-chip communications. These signals (TDI, TDO, TMS, TCK and nTRST) forms a Test Access Port (TAP). EJTAG 2.6 defines a 14-pin header (mechanical connector) to attach a JTAG probe.

nTRST  1  2 GND
TDI    3  4 GND
TDO    5  6 GND
TMS    7  8 GND
TCK    9 10 GND
nSRST 11 12 -key
DINT  13 14 VCC

DINT pin is used to raise Debug Interrupt. Many chips has no this pin.

nTRST is a "TAP Reset" signal and it's active level is "0" (the first "n" indicates negative logic). nSRST is optional. This signal resets TAP controller independently from the CPU logic. To conform to MIPS EJTAG specifications this pin should be pulled to the ground via resistor ~1KOhm to keep TAP in reset state w/o probe attached. If probe does not control this pin, you need just to feed logical "1" to nTRST pin or pull this to the +VCC via ~300Ohm resistor.

nSRST is a "system reset" signal and acts like conventional "Reset' button.

(E)JTAG Cables

There is a page at the OpenWrt Wiki that discusses JTAG cables. Specifically, how one Wiggler-style buffered cable can be used for both ADM5120-based routers (e.g. Edimax) and Broadcom-based routers (e.g. Linksys). Most of the discussion centers on difficulties that can arise when using a Wiggler-style cable with the Linksys de-brick utility, but the cable information is applicable to Edimax (ADM5120) devices as well.

EJTAG software

In general, the state of EJTAG software is pretty bad.

Macraigor OCD Commander is a simple JTAG debugger with MIPS support, OCD Flash programmer DEMO version. Requires Wiggler probe or clone.

The openwince jtag software can be used to re-flash, but that project is a shambles. If you dig around enough through the patches and discussions there you can find enough to make it work. A revival is underway, named UrJTAG, but has not made any release available for download yet.

Processor-specific information


ADM5120 is a popular SoC based on the 4Kc core and AMBA bus. Unfortunately, openwince jtag can't identify this processor.

jtag> cable ppdev /dev/parport0 WIGGLER
Initializing Macraigor Wiggler JTAG Cable on ppdev port /dev/parport0
jtag> detect
IR length: 5
Chain length: 1
Device Id: 00000000000000000000000000000001
  Unknown manufacturer!
chain.c(110) Part 0 without active instruction
chain.c(133) Part 0 without active instruction
chain.c(110) Part 0 without active instruction

It seems, it's a real ID for this processor, other JTAG ulilities (i.e. detect subrotine from the wrt54g-debrick) returns the same value...

IMPCODE identification works:

jtag> instruction length 5
jtag> register IMP 32
jtag> instruction IMPCODE 00011 IMP
jtag> instruction IMPCODE
jtag> shift ir
jtag> shift dr
jtag> dr


31:29 EJTAGver 010 Version 2.6
   28 R4k/R3k    0 R4k
   24 DINTsup    1 supported
22:21 ASIDsize  10 8-bit ASID
   16 MIPS16e    0 not supported
   14 NoDMA      1 No EJTAG DMA support
    0 MIPS32/64  0 MIPS32


jtag> instruction length 5
jtag> register ECR 32
jtag> instruction CONTROL 01010 ECR
jtag> instruction CONTROL
jtag> shift ir
jtag> shift dr
jtag> dr

CPU Reset via PrRst bit in the CONTROL EJTAG register works.


2x7 pin connector

 nTRST  1   o   o   2 GND
 TDI    3   o   o   4 GND
 TDO    5   o   o   6 GND
 TMS    7   o   o   8 GND
 TCK    9   o   o  10 GND
 nSRST 11   o   o  12 (key)
 DINT  13   o   o  14 VCC

Some boards are using 12pin connector.

External links

Personal tools
Sponsored by SECONS Ltd. and FINTERA.

Apache logs processing
How to process apache logs