All times are UTC - 5 hours [ DST ]


Forum rules


Please do not post questions about data recovery cases here (use this forum instead). This forum is for topics on finding new ways to recover data. Accessing firmware, writing programs, reading bits off the platter, recovering data from dust...



Post new topic Reply to topic  [ 21 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: Palmer, Charger or any other...
PostPosted: June 23rd, 2019, 4:58 
Offline
User avatar

Joined: May 13th, 2010, 11:17
Posts: 2517
Location: Kuwait
Well, with the Ref. to the prev. post here (DIY Spider Board): viewtopic.php?f=13&t=38508

And here too (Marvell JTAG) : viewtopic.php?f=13&t=20324&start=80

and finally here (The PCB): viewtopic.php?f=13&t=38331

It took me some time to test and verify few things before posting here.

attached here is ONE of the pins (marked in RED), the 1st. step to the answer. :idea: :idea: (you may find the rest)

How to read it? Which App.? blah blah ...... you need to do your own homework.

good luck


Attachments:
2018-04-10_00052_Palmer.jpg
2018-04-10_00052_Palmer.jpg [ 427.32 KiB | Viewed 4865 times ]

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein
Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: June 23rd, 2019, 7:30 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3370
Location: Adelaide, Australia
between this point, and another, using resistor you get tiny console?


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: June 24th, 2019, 13:36 
Offline
User avatar

Joined: August 15th, 2006, 3:01
Posts: 2690
Location: CDRLabs @ Chandigarh [ India ]
Hello,
Was This Project To Unlock PCB Or You Wanted To Do Something Else

_________________
Regards
Amarbir S Dhillon , Chandigarh Data Recovery Labs
Logical,Semi Physical And Physical Data Recovery
Website-> http://www.chandigarhdatarecovery.com


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: June 25th, 2019, 4:49 
Offline

Joined: March 7th, 2009, 12:43
Posts: 902
Location: Angel Data Recovery
HaQue wrote:
between this point, and another, using resistor you get tiny console?

There is no way to get tiny console with hardware tricks. It is deactivated in MCU code.

_________________
Angel Data Recovery


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 4th, 2019, 6:17 
Offline
User avatar

Joined: May 13th, 2010, 11:17
Posts: 2517
Location: Kuwait
Another point to motivate the researchers..

Hints:

There is 2 types/ways to deal with it...

A- Open heart surgery >> working/editing Decoding DUMP directly from the chip >>> Requires Pro. Tool & needs some time to understand how it works... (not nuclear science)
B- Normal Dump via JTAG (As dejan explained) Decode Dump then Modify then Write it back >>> does the job, but longer path...


I vote for the 1st. option believe me you will know later more than what you thought... and this will open a door which will help you figure out ANY JTAG interface...

have fun & enjoy it....

My Advice is to work in 701499 with option A since you know all inputs....

good luck again

"no more hints/points to the 800066 pcb"

:idea:


Attachments:
2018-04-10_00052_Palmer.jpg
2018-04-10_00052_Palmer.jpg [ 427.32 KiB | Viewed 4394 times ]

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein
Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 4th, 2019, 7:29 
Offline

Joined: March 11th, 2012, 12:36
Posts: 27
Location: china
the rom use a sha-256 to verification ! in offset 1ef8 is public key data. and in header->length - 0x100 is a sig data. you can use the public key to decrypt sig . you will get blow data

0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF003031300D0609608648016503040201050004202EF99614C175E7FFC0D78415A07415F1DAB634BDEB79769D13C6624B06C9803D

good luck


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 4th, 2019, 17:21 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 11714
Location: Australia
flykiller wrote:
the rom use a sha-256 to verification ! in offset 1ef8 is public key data. and in header->length - 0x100 is a sig data. you can use the public key to decrypt sig . you will get below data

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  00 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000040  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000050  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000060  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000070  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000080  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000090  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000A0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000B0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000C0  FF FF FF FF FF FF FF FF FF FF FF FF 00 30 31 30  ÿÿÿÿÿÿÿÿÿÿÿÿ.010
000000D0  0D 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20  ...`†H.e.......
000000E0  2E F9 96 14 C1 75 E7 FF C0 D7 84 15 A0 74 15 F1  .ù–.ÁuçÿÀׄ. t.ñ
000000F0  DA B6 34 BD EB 79 76 9D 13 C6 62 4B 06 C9 80 3D  Ú¶4½ëyv..ÆbK.É€=

See viewtopic.php?f=1&t=36673 (Palmer ROM breakdown)

... and another example:

viewtopic.php?f=24&t=37429

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 7th, 2019, 9:57 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3304
Location: Chicago
HaQue wrote:
between this point, and another, using resistor you get tiny console?

AFAIR there is no tiny console on Palmer/Charger drives, it is just not in the code.

JTAG is locked on locked PCBs, unless you have PCB with disable security, finding JTAG pins will be pointless exercise.

_________________
https://www.linkedin.com/in/artemrubtsov/


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 7th, 2019, 11:51 
Offline

Joined: March 11th, 2012, 12:36
Posts: 27
Location: china
if you can short cut those test points correctly. then the drive can enter serial boot mode. the serial mode has 4 sub command ( AA, FF, 70, 72, 2, 5)
70 - get serial baud rate list (min - 115200 ,max - 3125000)
72 - set baud rate
AA - sync
FF - get a ack pack, and set default baud
05 - Go
02 - upload data

for the jtag, you can not find any correctly config file in openOCD.


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 7th, 2019, 21:01 
Offline

Joined: March 11th, 2012, 12:36
Posts: 27
Location: china
flykiller wrote:
if you can short cut those test points correctly. then the drive can enter serial boot mode. the serial mode has 7 sub command ( AA, FF, 70, 72, 02, 05, 0A)
70 - get serial baud rate list (min - 115200 ...... max - 3125000)
72 - set baud rate by baud rate list index
AA - sync
FF - get a ack pack, and set default baud rate
05 - Go to PC
02 - upload data
0A - reSet

for the jtag, you can not find any correctly config file in openOCD.


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 8th, 2019, 2:58 
Offline
User avatar

Joined: May 13th, 2010, 11:17
Posts: 2517
Location: Kuwait
Doomer wrote:
HaQue wrote:
between this point, and another, using resistor you get tiny console?

AFAIR there is no tiny console on Palmer/Charger drives, it is just not in the code.

JTAG is locked on locked PCBs, unless you have PCB with disable security, finding JTAG pins will be pointless exercise.


Are you sure about that Doomer?

If you have both the Locked & Unlocked PCBs & JTAG pins ..... still pointless?? :shock:

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 8th, 2019, 9:11 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3304
Location: Chicago
For JTAG to work you'd need PCB with disabled security. Regular PCB has JTAG locked on HW level

_________________
https://www.linkedin.com/in/artemrubtsov/


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 8th, 2019, 11:53 
Offline

Joined: March 11th, 2012, 12:36
Posts: 27
Location: china
this mcu use secure boot(Chain of trust). Therefore ,to unlock. must be connecting a logic probe to a PCB track or a package pin


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 8th, 2019, 12:21 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3304
Location: Chicago
flykiller wrote:
this mcu use secure boot(Chain of trust). Therefore ,to unlock. must be connecting a logic probe to a PCB track or a package pin

Interesting
Do you know the test point number?

_________________
https://www.linkedin.com/in/artemrubtsov/


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 8th, 2019, 20:58 
Offline

Joined: March 11th, 2012, 12:36
Posts: 27
Location: china
Doomer wrote:
flykiller wrote:
this mcu use secure boot(Chain of trust). Therefore ,to unlock. must be connecting a logic probe to a PCB track or a package pin

Interesting
Do you know the test point number?


Well , unfortunately I can`t find it either. If you are interested secure boot,you can refer to this url
https://www.cnx-software.com/2016/10/06 ... -s905-soc/
https://github.com/ARM-software/arm-trusted-firmware

if want to enable jtag ,can short cut test point (maybe e65 or e67 or e54, because I forgot)


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 9th, 2019, 3:28 
Offline
User avatar

Joined: May 13th, 2010, 11:17
Posts: 2517
Location: Kuwait
Doomer wrote:
For JTAG to work you'd need PCB with disabled security. Regular PCB has JTAG locked on HW level


Thats ONE of the benefits of having a good friend from the other side of the world.

@flykiller, you are getting close...... very.

:wink:

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 9th, 2019, 10:05 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3304
Location: Chicago
flykiller wrote:
Well , unfortunately I can`t find it either.

I see, I thought I missed something in the code

_________________
https://www.linkedin.com/in/artemrubtsov/


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 10th, 2019, 4:11 
Offline

Joined: March 11th, 2012, 12:36
Posts: 27
Location: china
einstein9 wrote:
Doomer wrote:
For JTAG to work you'd need PCB with disabled security. Regular PCB has JTAG locked on HW level


Thats ONE of the benefits of having a good friend from the other side of the world.

@flykiller, you are getting close...... very.

:wink:


I don`t think so. If can`t switch to uart boot mode, or change this port (0x30420064) value. Then is can`t unlock .... :P never


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 10th, 2019, 9:57 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3304
Location: Chicago
flykiller wrote:
or change this port (0x30420064) value.

This port reflects HW fuse settings, so it is not easy to change it
As I said unless you have PCB with disabled security, finding JTAG points is useless, UART is locked out too

_________________
https://www.linkedin.com/in/artemrubtsov/


Top
 Profile  
 
 Post subject: Re: Palmer, Charger or any other...
PostPosted: July 11th, 2019, 3:41 
Offline
User avatar

Joined: May 13th, 2010, 11:17
Posts: 2517
Location: Kuwait
flykiller wrote:
einstein9 wrote:
Doomer wrote:
For JTAG to work you'd need PCB with disabled security. Regular PCB has JTAG locked on HW level


Thats ONE of the benefits of having a good friend from the other side of the world.

@flykiller, you are getting close...... very.

:wink:


I don`t think so. If can`t switch to uart boot mode, or change this port (0x30420064) value. Then is can`t unlock .... :P never



PM Sent... :wink:

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 21 posts ]  Go to page 1, 2  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group