All times are UTC - 5 hours [ DST ]




 Post subject: Debugging a Samsung EVO 860 via JTAG
PostPosted: November 12th, 2022, 14:26 

Joined: July 30th, 2012, 3:37
Posts: 310
Location: Fairfield, CT USA
Hello, I’m trying to get my hands dirty debugging ARM-based SSDs through the JTAG port for some reverse engineering & data recovery fun. I’ve read a few articles showing it’s possible.

https://wrongbaud.github.io/posts/jtag-hdd/
https://github.com/derco0n/SSDdiag
http://www2.futureware.at/~philipp/ssd/ ... Manual.pdf <-- Good Info on Samsung 840 EVO
https://www.fmad.io/blog/ssd-bricked-restore

I’ve managed some success with PS3112s via SWD, downloading the contents of memory and disassembling it using IDA Pro and modifying IP's, but right now I’m focusing on a Samsung 860 EVO, trying to do the same.

There's an old Samsung 840 EVO OpenOCD config file here, although it uses the old format and doesn't appear to be applicable to the 860.


This is my OpenOCD file:

Code:
adapter speed 2000

if { [info exists CHIPNAME] } {
   set  _CHIPNAME $CHIPNAME
} else {
   set  _CHIPNAME s4lr030
}

#jtag scan chain
if { [info exists CPUTAPID] } {
   set _CPUTAPID $CPUTAPID
} else {
   set _CPUTAPID 0x5ba00477
}

set _ENDIAN little

jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x01 -irmask 0x0f \
   -expected-id $_CPUTAPID

# Cortex-R4 target
set _TARGETNAME $_CHIPNAME.cpu_r4
dap create $_CHIPNAME.dap -chain-position $_CHIPNAME.cpu

target create $_TARGETNAME.0 cortex_r4 -endian $_ENDIAN -dap $_CHIPNAME.dap


which returns:

Code:
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : J-Link V11 compiled Sep 22 2022 14:53:28
Info : Hardware version: 11.00
Info : VTarget = 1.786 V
Info : clock speed 2000 kHz
Info : JTAG tap: s4lr030.cpu tap/device found: 0x5ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x5)
Error: JTAG-DP STICKY ERROR
Error: Could not initialize the APB-AP
Warn : target s4lr030.cpu_r4.0 examination failed
Info : starting gdb server for s4lr030.cpu_r4.0 on 3333
Info : Listening on port 3333 for gdb connections



Also if I use the J-Link GDB Server I get the following output:
Code:
SEGGER J-Link GDB Server V7.80d GUI Version

JLinkARM.dll V7.80d (DLL compiled Oct  4 2022 16:40:52)

-----GDB Server start settings-----
GDBInit file:                  none
GDB Server Listening port:     2331
SWO raw output listening port: 2332
Terminal I/O port:             2333
Accept remote connection:      localhost only
Generate logfile:              on
Verify download:               off
Init regs on start:            off
Silent mode:                   off
Single run mode:               off
Target connection timeout:     5000 ms
------J-Link related settings------
J-Link Host interface:         USB
J-Link script:                 none
J-Link settings file:          none
------Target related settings------
Target device:                 Cortex-R4
Target device parameters:      none
Target interface:              JTAG
Target interface speed:        2000kHz
Target endian:                 little

Connecting to J-Link...
J-Link is connected.
Firmware: J-Link V11 compiled Sep 22 2022 14:53:28
Hardware: V11.00
Feature(s): RDI, FlashBP, FlashDL, JFlash, GDB
Checking target voltage...
Target voltage: 1.79 V
Listening on TCP/IP port 2331
Connecting to target...
ERROR: Cortex-A/R (connect): Could not determine address of core debug registers. Incorrect CoreSight ROM table in device?
ERROR: Could not connect to target.
Target connection failed. GDBServer will be closed...


I suspect my configuration file is incorrect as I can't halt the CPU due to examination failing. Any suggestions? I'm hoping one of the UBER geniuses here can help. Any ideas, I'm stuck. Any help is appreciated.


Attachments:
File comment: JTAG Information seems the same as
http://www2.futureware.at/~philipp/ssd/TheMissingManual.pdf

Samsung 860 EVO JTAG.jpg

_________________
Recover My Flash Drive
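
Added example (not part of the original post): a small Python triage of the OpenOCD output above. It decodes the TAP IDCODE into its IEEE 1149.1 fields and reports which layer of the bring-up failed; the function names and stage labels are this example's own, and the sample log is constructed from the lines quoted in the post.

```python
import re

# Constructed sample: the relevant lines from the OpenOCD output in the post.
SAMPLE_LOG = """\
Info : JTAG tap: s4lr030.cpu tap/device found: 0x5ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x5)
Error: JTAG-DP STICKY ERROR
Error: Could not initialize the APB-AP
Warn : target s4lr030.cpu_r4.0 examination failed
"""

TAP_RE = re.compile(r"JTAG tap: (\S+) tap/device found: (0x[0-9a-fA-F]{8})")


def decode_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields."""
    if idcode & 1 == 0:
        raise ValueError("bit 0 of a valid IDCODE is always 1")
    return {
        "version": (idcode >> 28) & 0xF,        # bits 31..28
        "part": (idcode >> 12) & 0xFFFF,        # bits 27..12
        "manufacturer": (idcode >> 1) & 0x7FF,  # bits 11..1, JEP106 code
    }


def triage(log):
    """Report how far the debug bring-up got (stage labels are this example's own)."""
    result = {"taps": {}, "stage": "no TAP found (wiring, power or clock)"}
    for name, idcode in TAP_RE.findall(log):
        result["taps"][name] = decode_idcode(int(idcode, 16))
    if not result["taps"]:
        return result
    if "STICKY ERROR" in log or "Could not initialize the" in log:
        # The TAP answered, but a transaction through the debug port failed.
        result["stage"] = "scan chain OK, debug port / access port transaction failed"
    elif "examination failed" in log:
        result["stage"] = "debug port OK, core examination failed"
    else:
        result["stage"] = "target examined"
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for tap, f in report["taps"].items():
        print(f"{tap}: mfg=0x{f['manufacturer']:03x} "
              f"part=0x{f['part']:04x} ver=0x{f['version']:x}")
    print("stage:", report["stage"])
```

For the log in the post, the IDCODE decodes to the same fields OpenOCD printed, and the failure sits at the debug port / access port layer rather than in the scan chain.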
 Post subject: Re: Debugging a Samsung EVO 860 via JTAG
PostPosted: November 12th, 2022, 20:33 

Joined: April 22nd, 2015, 20:32
Posts: 413
Location: Portugal
I would say the issue is that you are assuming that the CPU has X cores active instead of Y.
Usually, if the CPU has some kind of issue or is being debugged, it uses 1 core only, instead of 4.
You can try to manipulate the CPU using something like a ChipWhisperer.

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5
Instagram https://www.instagram.com/datarecovery_morde.pt/


 Post subject: Re: Debugging a Samsung EVO 860 via JTAG
PostPosted: November 13th, 2022, 11:15 

Joined: July 30th, 2012, 3:37
Posts: 310
Location: Fairfield, CT USA
DRUG wrote:
I would say the issue is that you are assuming that the CPU has X cores active instead of Y.
Usually, if the CPU has some kind of issue or is being debugged, it uses 1 core only, instead of 4.

Unless I'm misunderstanding my OpenOCD config, it only accounts for the one device/CPU showing up on tap discovery.
thesourcerer8's EVO 840 script accounts for 3 CPUs.

DRUG wrote:
You can try to manipulate the CPU using something like a ChipWhisperer.

I'm not sure what you mean, I'm already using a debugging adapter that works with OpenOCD.

_________________
Recover My Flash Drive


 Post subject: Re: Debugging a Samsung EVO 860 via JTAG
PostPosted: November 15th, 2022, 16:41 

Joined: October 3rd, 2005, 0:40
Posts: 4311
Location: Hungary
I worked with the 850 EVO (and some older ones), built a config file to work with the CPU cores, and reversed some of the firmware. It is quite a nice challenge :)
PM me if you want to collaborate ...

pepe

_________________
Adatmentés - Data recovery


 Post subject: Re: Debugging a Samsung EVO 860 via JTAG
PostPosted: December 2nd, 2022, 2:03 

Joined: March 30th, 2016, 15:52
Posts: 27
Location: Washington, USA
May be worth trying a lower interface speed for your JTAG connection, even down to 8 MHz.

I also noticed that "Target voltage: 1.79 V"

I'm ignorant about the working parameters of these controllers, but I very often RE and debug other MCUs; typical nominal working voltage is 3.3 and core is 1.8.

How are you powering the controller as you are trying to connect via JTAG? Might be worth double-checking those connections.

