
DIGIC 5 JTAG

« on: 20 / April / 2018, 19:14:53 »
Got bored doing static analysis on the S100 102a firmware, so I decided to investigate JTAG options on my Canon S100.

JTAG is available on an unpopulated footprint on the motherboard, similar to the one documented here : https://nada-labs.net/2014/finding-jtag-on-a-canon-elph100hs-ixus115/

I soldered some thin enamel/magnet wire to the pads, it looks sketchy on the photo (because there's waaaay too much flux) but trust me, it works :-)



To interface with my computer, I used the Versaloon open source JTAG probe firmware (http://github.com/zoobab/versaloon), which uses cheap hardware ($2 STM32 development board on any random Chinese import website):



I wrote the following script for OpenOCD :

Code:
interface vsllink

debug_level 2

vsllink_usb_vid 0x0483
vsllink_usb_pid 0x5740

adapter_khz 100

transport select jtag

set _CHIPNAME digic5

source [find target/icepick.cfg]

jtag newtap $_CHIPNAME dap -irlen 4 -ircapture 0x1 -irmask 0xf -disable
jtag configure $_CHIPNAME.dap -event tap-enable \
"icepick_c_tapenable $_CHIPNAME.jrc 3"

jtag newtap $_CHIPNAME jrc -irlen 6 -ircapture 0x1 -irmask 0x3f -expected-id 0x1b93a02f

set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME arm946e -chain-position $_CHIPNAME.dap

# some TCK cycles are required to activate the DEBUG power domain
jtag configure $_CHIPNAME.jrc -event post-reset "runtest 100"

# have the DAP "always" be active
jtag configure $_CHIPNAME.jrc -event setup "jtag tapenable $_CHIPNAME.dap"

And the following output :

Quote
Open On-Chip Debugger 0.10.0
Licensed under GNU GPL v2
For bug reports, read
   http://openocd.org/doc/doxygen/bugs.html
debug_level: 2
adapter speed: 100 kHz
Info : Versaloon(0x15)by Simon(compiled on Oct  8 2017)
Info : USB_TO_XXX abilities: 0x0000176E:0x010001EF:0xC0000007
Info : clock speed 100 kHz
Info : JTAG tap: digic5.jrc tap/device found: 0x1b93a02f (mfg: 0x017 (Texas Instruments), part: 0xb93a, ver: 0x1)
Info : JTAG tap: digic5.dap enabled
Info : Embedded ICE version 0
Error: unknown EmbeddedICE version (comms ctrl: 0x00000000)
Info : digic5.cpu: hardware has 2 breakpoint/watchpoint units
Info : accepting 'telnet' connection on tcp/4444

Now for the random technical details :
  • nTRST is tied low (active), you need to pull it to VCC in order to activate the JTAG interface (I didn't bother to cable nTRST to my JTAG probe)
  • Texas Instruments created their own JTAG route controller called "ICEPICK". Basically, instead of daisy-chaining all the bricks inside your SoC, you'll see from the outside one device, which can be useful, but on the other hand you need to have your host JTAG software supporting it (OpenOCD does)
Canon S100, and some Canon DSLRs

Re: DIGIC 5 JTAG
« Reply #1 on: 21 / April / 2018, 06:36:56 »
Fixed the TAP id, now I can halt the execution of the CPU and dump the registers :

Quote
Open On-Chip Debugger 0.10.0
Licensed under GNU GPL v2
For bug reports, read
   http://openocd.org/doc/doxygen/bugs.html
debug_level: 2
adapter speed: 100 kHz
Info : Versaloon(0x15)by Simon(compiled on Oct  8 2017)
Info : USB_TO_XXX abilities: 0x0000176E:0x010001EF:0xC0000007
Info : clock speed 100 kHz
Info : JTAG tap: digic5.jrc tap/device found: 0x1b93a02f (mfg: 0x017 (Texas Instruments), part: 0xb93a, ver: 0x1)
Info : JTAG tap: digic5.dap enabled
Info : Embedded ICE version 5
Info : digic5.cpu: hardware has 2 breakpoint/watchpoint units
Info : accepting 'telnet' connection on tcp/4444
target halted in ARM state due to debug-request, current mode: Abort
cpsr: 0x20000097 pc: 0x00000010

OpenOCD configuration file :
Code:
interface vsllink

debug_level 2

vsllink_usb_vid 0x0483
vsllink_usb_pid 0x5740

adapter_khz 100

transport select jtag

set _CHIPNAME digic5

source [find target/icepick.cfg]

jtag newtap $_CHIPNAME dap -irlen 4 -ircapture 0x1 -irmask 0xf -disable
jtag configure $_CHIPNAME.dap -event tap-enable "icepick_c_tapenable $_CHIPNAME.jrc 0x10"

jtag newtap $_CHIPNAME jrc -irlen 6 -ircapture 0x1 -irmask 0x3f -expected-id 0x1b93a02f

set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME arm946e -endian little -chain-position $_CHIPNAME.dap

# some TCK cycles are required to activate the DEBUG power domain
jtag configure $_CHIPNAME.jrc -event post-reset "runtest 100"

# have the DAP "always" be active
jtag configure $_CHIPNAME.jrc -event setup "jtag tapenable $_CHIPNAME.dap"
Canon S100, and some Canon DSLRs
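The "tap/device found" line in both OpenOCD logs above is a decoded IEEE 1149.1 IDCODE. The following added example (not code from the thread or from OpenOCD) splits 0x1b93a02f into its version, part and JEDEC manufacturer fields, checks that OpenOCD's decoding is self-consistent, and compares the scanned ID against the `-expected-id` from the config; the IR capture check mirrors what the `-ircapture`/`-irmask` options express. The log line and the JEP106 table entry are constructed from the text on this page.

```python
import re

# Subset of the JEDEC JEP106 bank-0 table, limited to the vendor seen on this page.
JEP106_BANK0 = {0x17: "Texas Instruments"}

# Shape of OpenOCD's scan-chain report, as printed in the thread above.
OPENOCD_TAP_RE = re.compile(
    r"JTAG tap: (?P<tap>\S+) tap/device found: (?P<idcode>0x[0-9a-fA-F]{8})"
    r" \(mfg: (?P<mfg>0x[0-9a-fA-F]+) \((?P<name>[^)]*)\),"
    r" part: (?P<part>0x[0-9a-fA-F]+), ver: (?P<ver>0x[0-9a-fA-F]+)\)")

def decode_idcode(idcode):
    """IEEE 1149.1 IDCODE layout: [31:28] version, [27:12] part number,
    [11:1] JEDEC manufacturer id (bank in the upper 4 bits), [0] always 1."""
    if idcode & 1 != 1:
        raise ValueError("bit 0 of IDCODE must be 1, got 0x%08x" % idcode)
    return {"version": (idcode >> 28) & 0xF,
            "part": (idcode >> 12) & 0xFFFF,
            "mfg": (idcode >> 1) & 0x7FF}

def manufacturer_name(mfg):
    bank, code = mfg >> 7, mfg & 0x7F
    if bank == 0:
        return JEP106_BANK0.get(code, "unknown")
    return "unknown (JEP106 bank %d)" % bank

def ir_capture_matches(captured_ir, ircapture, irmask):
    """Same test OpenOCD applies to the value shifted out of the IR after capture:
    the masked bits must equal the configured capture pattern."""
    return (captured_ir & irmask) == ircapture

def check_openocd_line(line, expected_id=None):
    """Parse one 'tap/device found' line; returns None for unrelated lines."""
    m = OPENOCD_TAP_RE.search(line)
    if not m:
        return None
    idcode = int(m.group("idcode"), 16)
    fields = decode_idcode(idcode)
    # OpenOCD's printed mfg/part/ver must agree with our own decoding of the raw ID.
    ok = (fields["mfg"] == int(m.group("mfg"), 16)
          and fields["part"] == int(m.group("part"), 16)
          and fields["version"] == int(m.group("ver"), 16))
    if expected_id is not None:
        ok = ok and idcode == expected_id
    return dict(tap=m.group("tap"), idcode=idcode, ok=ok,
                name=manufacturer_name(fields["mfg"]), **fields)

# Constructed sample: the jrc line from the logs in this thread.
SAMPLE_LINE = ("Info : JTAG tap: digic5.jrc tap/device found: 0x1b93a02f "
               "(mfg: 0x017 (Texas Instruments), part: 0xb93a, ver: 0x1)")
```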