
Debugging a Samsung EVO 860 via JTAG

November 12th, 2022, 14:26

Hello, I’m trying to get my hands dirty debugging ARM-based SSDs through the JTAG port for some reverse engineering & data recovery fun. I’ve read a few articles showing it's possible.

https://wrongbaud.github.io/posts/jtag-hdd/
https://github.com/derco0n/SSDdiag
http://www2.futureware.at/~philipp/ssd/ ... Manual.pdf <-- Good Info on Samsung 840 EVO
https://www.fmad.io/blog/ssd-bricked-restore

I’ve managed some success with PS3112s via SWD, downloading the contents of memory, disassembling it using IDA Pro and modifying IPs, but right now I’m focusing on a Samsung 860 EVO, trying to do the same.

There's an old Samsung 840 EVO OpenOCD config file here, although it uses the old format and doesn't appear to be applicable to the 860.


This is my OpenOCD file

Code:
adapter speed 2000

if { [info exists CHIPNAME] } {
   set  _CHIPNAME $CHIPNAME
} else {
   set  _CHIPNAME s4lr030
}

#jtag scan chain
if { [info exists CPUTAPID] } {
   set _CPUTAPID $CPUTAPID
} else {
   set _CPUTAPID 0x5ba00477
}

set _ENDIAN little

jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x01 -irmask 0x0f \
   -expected-id $_CPUTAPID

# Cortex-R4 target
set _TARGETNAME $_CHIPNAME.cpu_r4
dap create $_CHIPNAME.dap -chain-position $_CHIPNAME.cpu

target create $_TARGETNAME.0 cortex_r4 -endian $_ENDIAN -dap $_CHIPNAME.dap


which returns:

Code:
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : J-Link V11 compiled Sep 22 2022 14:53:28
Info : Hardware version: 11.00
Info : VTarget = 1.786 V
Info : clock speed 2000 kHz
Info : JTAG tap: s4lr030.cpu tap/device found: 0x5ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x5)
Error: JTAG-DP STICKY ERROR
Error: Could not initialize the APB-AP
Warn : target s4lr030.cpu_r4.0 examination failed
Info : starting gdb server for s4lr030.cpu_r4.0 on 3333
Info : Listening on port 3333 for gdb connections



Also if I use the J-Link GDB Server I get the following output:
Code:
SEGGER J-Link GDB Server V7.80d GUI Version

JLinkARM.dll V7.80d (DLL compiled Oct  4 2022 16:40:52)

-----GDB Server start settings-----
GDBInit file:                  none
GDB Server Listening port:     2331
SWO raw output listening port: 2332
Terminal I/O port:             2333
Accept remote connection:      localhost only
Generate logfile:              on
Verify download:               off
Init regs on start:            off
Silent mode:                   off
Single run mode:               off
Target connection timeout:     5000 ms
------J-Link related settings------
J-Link Host interface:         USB
J-Link script:                 none
J-Link settings file:          none
------Target related settings------
Target device:                 Cortex-R4
Target device parameters:      none
Target interface:              JTAG
Target interface speed:        2000kHz
Target endian:                 little

Connecting to J-Link...
J-Link is connected.
Firmware: J-Link V11 compiled Sep 22 2022 14:53:28
Hardware: V11.00
Feature(s): RDI, FlashBP, FlashDL, JFlash, GDB
Checking target voltage...
Target voltage: 1.79 V
Listening on TCP/IP port 2331
Connecting to target...
ERROR: Cortex-A/R (connect): Could not determine address of core debug registers. Incorrect CoreSight ROM table in device?
ERROR: Could not connect to target.
Target connection failed. GDBServer will be closed...


I suspect my configuration file is incorrect as I can't halt the CPU due to examination failing. Any suggestions? I'm hoping one of the UBER geniuses here can help. Any ideas, I'm stuck. Any help is appreciated.
Attachments
Samsung 860 EVO JTAG.jpg
JTAG Information seems the same as
http://www2.futureware.at/~philipp/ssd/TheMissingManual.pdf
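
As an added example (not part of the original post), this Python script decodes the IDCODE from the OpenOCD output quoted above and sorts the log lines by bring-up stage. It shows that the scan chain itself answers (with ARM's manufacturer code, as the log states) and that the first failure comes afterwards, at the debug port and APB-AP access. The stage names and `SAMPLE_LOG` variable are assumptions made for illustration; the log lines are copied from the post.

```python
import re

# Constructed sample: lines copied from the OpenOCD output quoted in the post.
SAMPLE_LOG = """\
Info : JTAG tap: s4lr030.cpu tap/device found: 0x5ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x5)
Error: JTAG-DP STICKY ERROR
Error: Could not initialize the APB-AP
Warn : target s4lr030.cpu_r4.0 examination failed
"""

def decode_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields."""
    return {
        "marker": idcode & 0x1,                 # bit 0 is always 1 for an IDCODE
        "manufacturer": (idcode >> 1) & 0x7FF,  # 11-bit JEP106 manufacturer code
        "part": (idcode >> 12) & 0xFFFF,        # 16-bit part number
        "version": (idcode >> 28) & 0xF,        # 4-bit version
    }

# Hypothetical stage labels, in the order OpenOCD reaches them during init.
STAGES = [
    ("tap", re.compile(r"tap/device found: (0x[0-9a-fA-F]+)")),
    ("dp_error", re.compile(r"STICKY ERROR")),
    ("ap_error", re.compile(r"Could not initialize the (\S+)")),
    ("examine_failed", re.compile(r"target (\S+) examination failed")),
]

def triage(log):
    """Label each recognised log line with its stage and find the first failure."""
    events = []
    for line in log.splitlines():
        for stage, rx in STAGES:
            m = rx.search(line)
            if m:
                events.append((stage, m.group(1) if m.groups() else None))
    taps = [decode_idcode(int(v, 16)) for s, v in events if s == "tap"]
    first_failure = next((s for s, _ in events if s != "tap"), None)
    return {"taps": taps, "events": events, "first_failure": first_failure}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for tap in result["taps"]:
        print({k: hex(v) for k, v in tap.items()})
    print("first failure after scan:", result["first_failure"])
```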

Re: Debugging a Samsung EVO 860 via JTAG

November 12th, 2022, 20:33

I would say the issue is that you are assuming that the CPU has X cores active instead of Y.
Usually if the CPU has some kind of issue or is being debugged, it uses 1 core only, instead of 4.
You can try to manipulate the CPU using something like a chipwhisperer.

Re: Debugging a Samsung EVO 860 via JTAG

November 13th, 2022, 11:15

DRUG wrote: I would say the issue is that you are assuming that the CPU has X cores active instead of Y.
Usually if the CPU has some kind of issue or is being debugged, it uses 1 core only, instead of 4.

Unless I'm misunderstanding my OpenOCD config, it only accounts for the one device/CPU showing up on tap discovery.
thesourcerer8's EVO 840 script accounts for 3 CPUs.

DRUG wrote: You can try to manipulate the CPU using something like a chipwhisperer.

I'm not sure what you mean, I'm already using a debugging adapter that works with OpenOCD.

Re: Debugging a Samsung EVO 860 via JTAG

November 15th, 2022, 16:41

I worked with the 850 EVO (and some older ones) and built a config file to work with the CPU cores, and reversed some of the firmware; it is quite a nice challenge :)
PM me if you want to collaborate ...

pepe

Re: Debugging a Samsung EVO 860 via JTAG

December 2nd, 2022, 2:03

May be worth trying a lower interface speed for your JTAG connection, even down to 8 MHz.

I also noticed that "Target voltage: 1.79 V"

I'm ignorant about the working parameters of these controllers, but I very often RE and debug other MCUs; typical nominal working voltage is 3.3 and core is 1.8.

How are you powering the controller as you are trying to connect via JTAG? Might be worth double-checking those connections.