Got bored doing static analysis on the S100 102a firmware, so I decided to investigate JTAG options on my Canon S100.
JTAG is available on an unpopulated footprint on the motherboard, similar to the one documented here:
https://nada-labs.net/2014/finding-jtag-on-a-canon-elph100hs-ixus115/
I soldered some thin enamel/magnet wire to the pads, it looks sketchy on the photo (because there's waaaay too much flux) but trust me, it works :-)
To interface with my computer, I used the Versaloon open source JTAG probe firmware (http://github.com/zoobab/versaloon), which uses cheap hardware ($2 STM32 development board on any random Chinese import website):
I wrote the following script for OpenOCD:
interface vsllink
debug_level 2
vsllink_usb_vid 0x0483
vsllink_usb_pid 0x5740
adapter_khz 100
transport select jtag
set _CHIPNAME digic5
source [find target/icepick.cfg]
jtag newtap $_CHIPNAME dap -irlen 4 -ircapture 0x1 -irmask 0xf -disable
jtag configure $_CHIPNAME.dap -event tap-enable \
"icepick_c_tapenable $_CHIPNAME.jrc 3"
jtag newtap $_CHIPNAME jrc -irlen 6 -ircapture 0x1 -irmask 0x3f -expected-id 0x1b93a02f
set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME arm946e -chain-position $_CHIPNAME.dap
# some TCK cycles are required to activate the DEBUG power domain
jtag configure $_CHIPNAME.jrc -event post-reset "runtest 100"
# have the DAP "always" be active
jtag configure $_CHIPNAME.jrc -event setup "jtag tapenable $_CHIPNAME.dap"
And the following output:
Open On-Chip Debugger 0.10.0
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
debug_level: 2
adapter speed: 100 kHz
Info : Versaloon(0x15)by Simon(compiled on Oct 8 2017)
Info : USB_TO_XXX abilities: 0x0000176E:0x010001EF:0xC0000007
Info : clock speed 100 kHz
Info : JTAG tap: digic5.jrc tap/device found: 0x1b93a02f (mfg: 0x017 (Texas Instruments), part: 0xb93a, ver: 0x1)
Info : JTAG tap: digic5.dap enabled
Info : Embedded ICE version 0
Error: unknown EmbeddedICE version (comms ctrl: 0x00000000)
Info : digic5.cpu: hardware has 2 breakpoint/watchpoint units
Info : accepting 'telnet' connection on tcp/4444
Now for the random technical details:
- nTRST is tied low (active), you need to pull it to VCC in order to activate the JTAG interface (I didn't bother to cable nTRST to my JTAG probe)
- Texas Instruments created their own JTAG route controller called "ICEPICK". Basically, instead of daisy-chaining all the bricks inside your SoC, you'll see from the outside one device, which can be useful, but on the other hand you need to have your host JTAG software supporting it (OpenOCD does)
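As an added example (not part of the original post), here is a small Python script showing how the IDCODE line in the OpenOCD output above is decoded: the 32-bit IEEE 1149.1 IDCODE splits into version (bits 31:28), part number (27:12) and the 11-bit JEDEC manufacturer field (11:1), which is why 0x1b93a02f comes out as mfg 0x017 (Texas Instruments), part 0xb93a, ver 0x1. It also checks the "tap/device found" lines against the -expected-id values from the config, which is the first sanity check you want when wiring an unpopulated footprint: a wrong or all-ones/all-zeros IDCODE usually means a bad solder joint, wrong pinout, or nTRST still held low. The manufacturer table is a deliberately tiny stand-in for the full JEP106 list, and the sample log lines are copied from the post.

```python
import re

# Minimal stand-in for the JEDEC JEP106 table (bank 0 only). Assumption: only
# the one entry this post needs; a real tool would carry the full list.
JEP106_BANK0 = {0x17: "Texas Instruments"}


def decode_idcode(idcode: int) -> dict:
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields.

    bits 31:28 = version, 27:12 = part number, 11:1 = JEDEC manufacturer
    (4-bit continuation-code count + 7-bit code), bit 0 is always 1.
    """
    if idcode & 1 != 1:
        raise ValueError("bit 0 of an IDCODE must be 1, got 0x%08x" % idcode)
    mfg = (idcode >> 1) & 0x7FF
    bank = mfg >> 7          # number of 0x7F continuation bytes (JEP106 bank)
    code = mfg & 0x7F        # 7-bit manufacturer code within that bank
    name = JEP106_BANK0.get(code, "unknown") if bank == 0 else "unknown"
    return {
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        "mfg": mfg,
        "bank": bank,
        "mfg_name": name,
    }


# Matches OpenOCD's "JTAG tap: <name> tap/device found: 0x<idcode>" lines.
TAP_FOUND = re.compile(
    r"JTAG tap: (?P<tap>\S+) tap/device found: 0x(?P<id>[0-9a-fA-F]{8})")


def check_taps(log: str, expected: dict) -> dict:
    """Return {tap_name: (found_idcode, matches_expected_id)} for each TAP
    OpenOCD reported. A TAP not listed in `expected` is reported as False."""
    result = {}
    for m in TAP_FOUND.finditer(log):
        found = int(m.group("id"), 16)
        exp = expected.get(m.group("tap"))
        result[m.group("tap")] = (found, exp is not None and found == exp)
    return result


# Sample input: lines copied from the OpenOCD output in the post.
SAMPLE_LOG = """\
Info : clock speed 100 kHz
Info : JTAG tap: digic5.jrc tap/device found: 0x1b93a02f (mfg: 0x017 (Texas Instruments), part: 0xb93a, ver: 0x1)
Info : JTAG tap: digic5.dap enabled
"""

# The -expected-id from the OpenOCD config (digic5.dap has none, so it is
# intentionally absent here).
EXPECTED_IDS = {"digic5.jrc": 0x1B93A02F}


if __name__ == "__main__":
    for tap, (found, ok) in check_taps(SAMPLE_LOG, EXPECTED_IDS).items():
        fields = decode_idcode(found)
        print("%s: 0x%08x %s -> ver %d part 0x%04x mfg 0x%03x (%s)" % (
            tap, found, "OK" if ok else "MISMATCH", fields["version"],
            fields["part"], fields["mfg"], fields["mfg_name"]))
```

If the probe reads back 0xffffffff or 0x00000000, decode_idcode rejects the former's neighbour-bit pattern only by luck, so treat any IDCODE that does not match the config as a wiring problem before suspecting the software chain.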