In-depth technology research: finding new ways to recover data, accessing firmware, writing programs, reading bits off the platter, recovering data from dust.


Palmer, Charger or any other...

June 23rd, 2019, 4:58

Well, with the Ref. to the prev. post here (DIY Spider Board): viewtopic.php?f=13&t=38508

And here too (Marvell JTAG) : viewtopic.php?f=13&t=20324&start=80

and finally here (The PCB): viewtopic.php?f=13&t=38331

It took me some time to test and verify a few things before posting here.

attached here is ONE of the pins (marked in RED), the 1st. step to the answer. :idea: :idea: (you may find the rest)

How to read it? Which App.? blah blah ...... you need to do your own homework.

good luck
Attachments
2018-04-10_00052_Palmer.jpg

Re: Palmer, Charger or any other...

June 23rd, 2019, 7:30

between this point, and another, using resistor you get tiny console?

Re: Palmer, Charger or any other...

June 24th, 2019, 13:36

Hello,
Was this project to unlock the PCB, or did you want to do something else?

Re: Palmer, Charger or any other...

June 25th, 2019, 4:49

HaQue wrote:between this point, and another, using resistor you get tiny console?

There is no way to get tiny console with hardware tricks. It is deactivated in MCU code.

Re: Palmer, Charger or any other...

July 4th, 2019, 6:17

Another point to motivate the researchers..

Hints:

There are 2 types/ways to deal with it...

A- Open heart surgery >> working/editing Decoding DUMP directly from the chip >>> Requires Pro. Tool & needs some time to understand how it works... (not nuclear science)
B- Normal Dump via JTAG (As dejan explained) Decode Dump then Modify then Write it back >>> does the job, but longer path...


I vote for the 1st. option believe me you will know later more than what you thought... and this will open a door which will help you figure out ANY JTAG interface...

have fun & enjoy it....

My Advice is to work in 701499 with option A since you know all inputs....

good luck again

"no more hints/points to the 800066 pcb"

:idea:
Attachments
2018-04-10_00052_Palmer.jpg

Re: Palmer, Charger or any other...

July 4th, 2019, 7:29

The ROM uses SHA-256 for verification! At offset 1ef8 is the public key data, and at header->length - 0x100 is the sig data. You can use the public key to decrypt the sig. You will get the below data

good luck

Re: Palmer, Charger or any other...

July 4th, 2019, 17:21

flykiller wrote:The ROM uses SHA-256 for verification! At offset 1ef8 is the public key data, and at header->length - 0x100 is the sig data. You can use the public key to decrypt the sig. You will get the below data

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  00 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000040  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000060  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000070  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000080  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000090  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000A0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000B0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000C0  FF FF FF FF FF FF FF FF FF FF FF FF 00 30 31 30  ÿÿÿÿÿÿÿÿÿÿÿÿ.010
000000D0  0D 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20  ...`†H.e.......
000000E0  2E F9 96 14 C1 75 E7 FF C0 D7 84 15 A0 74 15 F1  .ù–.ÁuçÿÀׄ. t.ñ
000000F0  DA B6 34 BD EB 79 76 9D 13 C6 62 4B 06 C9 80 3D  Ú¶4½ëyv..ÆbK.É€=

See viewtopic.php?f=1&t=36673 (Palmer ROM breakdown)

... and another example:

viewtopic.php?f=24&t=37429
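
Added example, not part of any post in this thread: the block in the dump above has the layout of a PKCS#1 v1.5 signature encoding (00 01, FF padding, 00, SHA-256 DigestInfo, 32-byte digest). The sketch below checks that layout strictly and compares the digest with SHA-256 of the signed bytes; it assumes a 256-byte modulus and that the RSA public-key operation has already been done, and all function names and sample data are constructed for illustration.

```python
import hashlib
import hmac

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2); the same 19
# bytes appear at offset 0xCD of the dump quoted above.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def parse_em(em: bytes, key_len: int = 256) -> bytes:
    """Strictly parse an EMSA-PKCS1-v1_5 block and return the embedded digest."""
    t_len = len(SHA256_PREFIX) + 32
    if len(em) != key_len:
        raise ValueError("block length does not match modulus length")
    if em[0:2] != b"\x00\x01":
        raise ValueError("bad leading bytes, expected 00 01")
    ps_end = key_len - t_len - 1
    # Every padding byte must be FF and the padding must fill all spare room,
    # so the digest sits at the very end with no trailing garbage.
    if ps_end - 2 < 8 or em[2:ps_end] != b"\xff" * (ps_end - 2):
        raise ValueError("bad FF padding")
    if em[ps_end] != 0:
        raise ValueError("missing 00 separator")
    if em[ps_end + 1 : ps_end + 1 + len(SHA256_PREFIX)] != SHA256_PREFIX:
        raise ValueError("DigestInfo is not SHA-256")
    return em[-32:]


def image_matches(em: bytes, signed_region: bytes) -> bool:
    """True if the digest in the block equals SHA-256 of the signed bytes."""
    try:
        expected = parse_em(em)
    except ValueError:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(signed_region).digest())


def build_em(signed_region: bytes, key_len: int = 256) -> bytes:
    """Build a constructed sample block with the layout shown in the dump."""
    t = SHA256_PREFIX + hashlib.sha256(signed_region).digest()
    return b"\x00\x01" + b"\xff" * (key_len - len(t) - 3) + b"\x00" + t


# Constructed sample data, not taken from any real ROM.
SAMPLE_IMAGE = b"constructed firmware image bytes" * 8
SAMPLE_EM = build_em(SAMPLE_IMAGE)

if __name__ == "__main__":
    print(image_matches(SAMPLE_EM, SAMPLE_IMAGE))            # untouched image
    print(image_matches(SAMPLE_EM, SAMPLE_IMAGE + b"\x00"))  # modified image
```
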

Re: Palmer, Charger or any other...

July 7th, 2019, 9:57

HaQue wrote:between this point, and another, using resistor you get tiny console?

AFAIR there is no tiny console on Palmer/Charger drives, it is just not in the code.

JTAG is locked on locked PCBs; unless you have a PCB with disabled security, finding JTAG pins will be a pointless exercise.

Re: Palmer, Charger or any other...

July 7th, 2019, 11:51

If you can short those test points correctly, then the drive can enter serial boot mode. The serial mode has 4 sub commands (AA, FF, 70, 72, 2, 5)
70 - get serial baud rate list (min - 115200 ,max - 3125000)
72 - set baud rate
AA - sync
FF - get an ack pack, and set default baud
05 - Go
02 - upload data

For the JTAG, you cannot find any correct config file in OpenOCD.

Re: Palmer, Charger or any other...

July 7th, 2019, 21:01

flykiller wrote:If you can short those test points correctly, then the drive can enter serial boot mode. The serial mode has 7 sub commands (AA, FF, 70, 72, 02, 05, 0A)
70 - get serial baud rate list (min - 115200 ...... max - 3125000)
72 - set baud rate by baud rate list index
AA - sync
FF - get an ack pack, and set default baud rate
05 - Go to PC
02 - upload data
0A - reset

For the JTAG, you cannot find any correct config file in OpenOCD.

Re: Palmer, Charger or any other...

July 8th, 2019, 2:58

Doomer wrote:
HaQue wrote:between this point, and another, using resistor you get tiny console?

AFAIR there is no tiny console on Palmer/Charger drives, it is just not in the code.

JTAG is locked on locked PCBs; unless you have a PCB with disabled security, finding JTAG pins will be a pointless exercise.


Are you sure about that Doomer?

If you have both the Locked & Unlocked PCBs & JTAG pins ..... still pointless?? :shock:

Re: Palmer, Charger or any other...

July 8th, 2019, 9:11

For JTAG to work you'd need PCB with disabled security. Regular PCB has JTAG locked on HW level

Re: Palmer, Charger or any other...

July 8th, 2019, 11:53

This MCU uses secure boot (chain of trust). Therefore, to unlock, you must connect a logic probe to a PCB track or a package pin.

Re: Palmer, Charger or any other...

July 8th, 2019, 12:21

flykiller wrote:This MCU uses secure boot (chain of trust). Therefore, to unlock, you must connect a logic probe to a PCB track or a package pin.

Interesting
Do you know the test point number?

Re: Palmer, Charger or any other...

July 8th, 2019, 20:58

Doomer wrote:
flykiller wrote:This MCU uses secure boot (chain of trust). Therefore, to unlock, you must connect a logic probe to a PCB track or a package pin.

Interesting
Do you know the test point number?


Well, unfortunately I can't find it either. If you are interested in secure boot, you can refer to these URLs:
https://www.cnx-software.com/2016/10/06 ... -s905-soc/
https://github.com/ARM-software/arm-trusted-firmware

If you want to enable JTAG, you can short a test point (maybe e65 or e67 or e54, because I forgot).

Re: Palmer, Charger or any other...

July 9th, 2019, 3:28

Doomer wrote:For JTAG to work you'd need PCB with disabled security. Regular PCB has JTAG locked on HW level


That's ONE of the benefits of having a good friend from the other side of the world.

@flykiller, you are getting close...... very.

:wink:

Re: Palmer, Charger or any other...

July 9th, 2019, 10:05

flykiller wrote:Well, unfortunately I can't find it either.

I see, I thought I missed something in the code

Re: Palmer, Charger or any other...

July 10th, 2019, 4:11

einstein9 wrote:
Doomer wrote:For JTAG to work you'd need PCB with disabled security. Regular PCB has JTAG locked on HW level


That's ONE of the benefits of having a good friend from the other side of the world.

@flykiller, you are getting close...... very.

:wink:


I don't think so. If you can't switch to UART boot mode, or change this port (0x30420064) value, then it can't be unlocked .... :P never

Re: Palmer, Charger or any other...

July 10th, 2019, 9:57

flykiller wrote:or change this port (0x30420064) value.

This port reflects HW fuse settings, so it is not easy to change it
As I said unless you have PCB with disabled security, finding JTAG points is useless, UART is locked out too

Re: Palmer, Charger or any other...

July 11th, 2019, 3:41

flykiller wrote:
einstein9 wrote:
Doomer wrote:For JTAG to work you'd need PCB with disabled security. Regular PCB has JTAG locked on HW level


That's ONE of the benefits of having a good friend from the other side of the world.

@flykiller, you are getting close...... very.

:wink:


I don't think so. If you can't switch to UART boot mode, or change this port (0x30420064) value, then it can't be unlocked .... :P never



PM Sent... :wink: