HDD GURU FORUMS http://forum.hddguru.com/ |
Debugging a Samsung EVO 860 via JTAG http://forum.hddguru.com/viewtopic.php?f=10&t=42856 |
Author: | jeremyb [ November 12th, 2022, 14:26 ] |
Post subject: | Debugging a Samsung EVO 860 via JTAG |
Hello, I’m trying to get my hands dirty debugging ARM based SSDs through the JTAG port for some reverse engineering & data recovery fun. I’ve read a few articles showing it's possible.

https://wrongbaud.github.io/posts/jtag-hdd/
https://github.com/derco0n/SSDdiag
http://www2.futureware.at/~philipp/ssd/ ... Manual.pdf <-- Good Info on Samsung 840 EVO
https://www.fmad.io/blog/ssd-bricked-restore

I’ve managed some success with PS3112s via SWD, downloading the contents of memory and disassembling it using IDA Pro and modifying IPs but right now I’m focusing on a Samsung 860 EVO trying to do the same.

There's an old Samsung 840 EVO OpenOCD config file here although it uses the old format and doesn't appear to be applicable to the 860.

This is my OpenOCD file

Code:

    adapter speed 2000

    if { [info exists CHIPNAME] } {
        set _CHIPNAME $CHIPNAME
    } else {
        set _CHIPNAME s4lr030
    }

    #jtag scan chain
    if { [info exists CPUTAPID] } {
        set _CPUTAPID $CPUTAPID
    } else {
        set _CPUTAPID 0x5ba00477
    }

    set _ENDIAN little

    jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x01 -irmask 0x0f \
        -expected-id $_CPUTAPID

    # Cortex-R4 target
    set _TARGETNAME $_CHIPNAME.cpu_r4
    dap create $_CHIPNAME.dap -chain-position $_CHIPNAME.cpu
    target create $_TARGETNAME.0 cortex_r4 -endian $_ENDIAN -dap $_CHIPNAME.dap

which returns:

Code:

    Info : Listening on port 6666 for tcl connections
    Info : Listening on port 4444 for telnet connections
    Info : J-Link V11 compiled Sep 22 2022 14:53:28
    Info : Hardware version: 11.00
    Info : VTarget = 1.786 V
    Info : clock speed 2000 kHz
    Info : JTAG tap: s4lr030.cpu tap/device found: 0x5ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x5)
    Error: JTAG-DP STICKY ERROR
    Error: Could not initialize the APB-AP
    Warn : target s4lr030.cpu_r4.0 examination failed
    Info : starting gdb server for s4lr030.cpu_r4.0 on 3333
    Info : Listening on port 3333 for gdb connections

Also if I use the J-Link GDB Server I get the following output:

Code:

    SEGGER J-Link GDB Server V7.80d GUI Version
    JLinkARM.dll V7.80d (DLL compiled Oct 4 2022 16:40:52)

    -----GDB Server start settings-----
    GDBInit file: none
    GDB Server Listening port: 2331
    SWO raw output listening port: 2332
    Terminal I/O port: 2333
    Accept remote connection: localhost only
    Generate logfile: on
    Verify download: off
    Init regs on start: off
    Silent mode: off
    Single run mode: off
    Target connection timeout: 5000 ms
    ------J-Link related settings------
    J-Link Host interface: USB
    J-Link script: none
    J-Link settings file: none
    ------Target related settings------
    Target device: Cortex-R4
    Target device parameters: none
    Target interface: JTAG
    Target interface speed: 2000kHz
    Target endian: little

    Connecting to J-Link...
    J-Link is connected.
    Firmware: J-Link V11 compiled Sep 22 2022 14:53:28
    Hardware: V11.00
    Feature(s): RDI, FlashBP, FlashDL, JFlash, GDB
    Checking target voltage...
    Target voltage: 1.79 V
    Listening on TCP/IP port 2331
    Connecting to target...
    ERROR: Cortex-A/R (connect): Could not determine address of core debug registers. Incorrect CoreSight ROM table in device?
    ERROR: Could not connect to target.
    Target connection failed. GDBServer will be closed...

I suspect my configuration file is incorrect as I can't halt the CPU due to examination failing. Any suggestions? I'm hoping one of the UBER geniuses here can help. Any ideas, I'm stuck. Any help is appreciated.
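
Added example, not part of jeremyb's post: a short Python script that reads the OpenOCD lines quoted above, decodes the TAP IDCODE with the IEEE 1149.1 field layout, cross-checks it against what OpenOCD printed, and reports the first bring-up stage that failed. The function names and the stage labels (scan-chain, dap, core) are assumptions made for this example.

```python
import re

# Constructed sample: the OpenOCD lines quoted in the post above.
LOG = """\
Info : JTAG tap: s4lr030.cpu tap/device found: 0x5ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x5)
Error: JTAG-DP STICKY ERROR
Error: Could not initialize the APB-AP
Warn : target s4lr030.cpu_r4.0 examination failed
"""

TAP_RE = re.compile(
    r"JTAG tap: (\S+) tap/device found: (0x[0-9a-f]+) "
    r"\(mfg: (0x[0-9a-f]+) .*?part: (0x[0-9a-f]+), ver: (0x[0-9a-f]+)\)", re.I)

def decode_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields."""
    if not idcode & 1:
        raise ValueError("bit 0 of a valid IDCODE is always 1")
    mfg = (idcode >> 1) & 0x7FF            # 11-bit JEP106 manufacturer code
    return {
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        "mfg": mfg,
        "jep106_bank": (mfg >> 7) + 1,     # continuation-code count + 1
        "jep106_id": mfg & 0x7F,
    }

def triage(log):
    """Return the TAPs seen and the first bring-up stage that failed.

    Stage labels (hypothetical, for this example): scan-chain, dap, core."""
    taps, failed = [], None
    for line in log.splitlines():
        m = TAP_RE.search(line)
        if m:
            f = decode_idcode(int(m.group(2), 16))
            printed = tuple(int(m.group(i), 16) for i in (3, 4, 5))
            if printed != (f["mfg"], f["part"], f["version"]):
                raise ValueError("decode disagrees with OpenOCD: " + line)
            taps.append((m.group(1), f))
        elif "STICKY ERROR" in line or "Could not initialize the APB-AP" in line:
            failed = failed or "dap"
        elif "examination failed" in line:
            failed = failed or "core"
    return {"taps": taps, "stage_failed": failed if taps else "scan-chain"}

if __name__ == "__main__":
    print(triage(LOG))
```

For the log in the post this reports one TAP found (JEP106 bank 5, id 0x3b, which OpenOCD prints as ARM Ltd) and the first failure at the DAP stage, that is, after the scan chain itself was already answering.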
Author: | DRUG [ November 12th, 2022, 20:33 ] |
Post subject: | Re: Debugging a Samsung EVO 860 via JTAG |
I would say the issue is that you are assuming that the CPU has X cores active instead of Y. Usually if the CPU has some kind of issue or is being debugged it uses 1 core only, instead of 4. You can try to manipulate the CPU using something like a ChipWhisperer.
Author: | jeremyb [ November 13th, 2022, 11:15 ] |
Post subject: | Re: Debugging a Samsung EVO 860 via JTAG |
DRUG wrote:
    I would say the issue is that you are assuming that the CPU has X cores active instead of Y. Usually if CPU has some kind of issue or being debugged it uses 1 core only, instead of 4.

Unless I'm misunderstanding my OpenOCD config, it only accounts for the one device/CPU showing up on tap discovery. thesourcerer8's EVO 840 script accounts for 3 CPUs.

DRUG wrote:
    You can try to manipulate the cpu using something like a chipwhisperer.

I'm not sure what you mean, I'm already using a debugging adapter that works with OpenOCD.
Author: | pepe [ November 15th, 2022, 16:41 ] |
Post subject: | Re: Debugging a Samsung EVO 860 via JTAG |
I worked with the 850 EVO (and some older ones) and built a config file to work with the CPU cores, and reversed some of the firmware. It is quite a nice challenge. PM me if you want to collaborate ...

pepe
Author: | crackz0r [ December 2nd, 2022, 2:03 ] |
Post subject: | Re: Debugging a Samsung EVO 860 via JTAG |
May be worth trying a lower interface speed for your JTAG connection, even down to 8 MHz. I also noticed that "Target voltage: 1.79 V". I'm ignorant about the working parameters of these controllers but very often RE and debug other MCUs; typical nominal working voltage is 3.3 and core is 1.8. How are you powering the controller as you are trying to connect via JTAG? Might be worth double checking those connections.
All times are UTC - 5 hours [ DST ] |