In-depth technology research: finding new ways to recover data, accessing firmware, writing programs, reading bits off the platter, recovering data from dust.
June 23rd, 2019, 4:58
Well, with reference to the previous post here (DIY Spider Board):
viewtopic.php?f=13&t=38508
and here too (Marvell JTAG):
viewtopic.php?f=13&t=20324&start=80
and finally here (The PCB):
viewtopic.php?f=13&t=38331
It took me some time to test and verify a few things before posting here.
Attached here is ONE of the pins (marked in RED), the 1st step to the answer. (You may find the rest.)
How to read it? Which app? Blah blah ...... you need to do your own homework.
Good luck
June 23rd, 2019, 7:30
Between this point and another, using a resistor, you get the tiny console?
June 24th, 2019, 13:36
Hello,
Was this project to unlock the PCB, or did you want to do something else?
June 25th, 2019, 4:49
HaQue wrote:
Between this point and another, using a resistor, you get the tiny console?

There is no way to get the tiny console with hardware tricks. It is deactivated in the MCU code.
July 4th, 2019, 6:17
Another point to motivate the researchers..
Hints:
There are 2 types/ways to deal with it...
A- Open heart surgery >> working/editing/decoding the DUMP directly from the chip >>> requires a pro tool and needs some time to understand how it works... (not nuclear science)
B- Normal dump via JTAG (as dejan explained): decode the dump, then modify, then write it back >>> does the job, but a longer path...
I vote for the 1st option; believe me, you will know later more than what you thought... and this will open a door which will help you figure out ANY JTAG interface...
Have fun & enjoy it....
My advice is to work on 701499 with option A since you know all inputs....
Good luck again
"no more hints/points to the 800066 pcb"
July 4th, 2019, 7:29
The ROM uses SHA-256 for verification! At offset 1ef8 is the public key data, and at header->length - 0x100 is the signature data. You can use the public key to decrypt the signature; you will get the below data.
Good luck
July 4th, 2019, 17:21
flykiller wrote:
The ROM uses SHA-256 for verification! At offset 1ef8 is the public key data, and at header->length - 0x100 is the signature data. You can use the public key to decrypt the signature; you will get the below data:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 00 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF ..ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000040 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000060 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000070 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000080 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000090 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000A0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000B0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000C0 FF FF FF FF FF FF FF FF FF FF FF FF 00 30 31 30 ÿÿÿÿÿÿÿÿÿÿÿÿ.010
000000D0 0D 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ...`†H.e.......
000000E0 2E F9 96 14 C1 75 E7 FF C0 D7 84 15 A0 74 15 F1 .ù–.ÁuçÿÀׄ. t.ñ
000000F0 DA B6 34 BD EB 79 76 9D 13 C6 62 4B 06 C9 80 3D Ú¶4½ëyv..ÆbK.É€=

See viewtopic.php?f=1&t=36673 (Palmer ROM breakdown)
... and another example:
viewtopic.php?f=24&t=37429
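The dump quoted above is a textbook PKCS#1 v1.5 encoded message (EM): block type 00 01, a padding string of FF bytes, a 00 separator, the DER DigestInfo for SHA-256 (30 31 30 0D 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20), and finally the 32-byte hash of the signed image. The following stdlib-only Python is an added example, not code from this thread or from any of the posters: it performs the "decrypt the signature with the public key" step as the RSA public-key operation, then strictly checks the EM layout and extracts the digest so it can be compared with SHA-256 of an image. It goes slightly beyond the post by rejecting malformed padding (non-FF bytes, a too-short padding string, or trailing bytes after the digest) instead of just locating the hash. The 256-byte EM is reconstructed from the hex listing above; the key material, the demo image and the function names are assumptions or constructed test data, not values read from the drive.

```python
"""Recover and strictly parse a PKCS#1 v1.5 / SHA-256 signature block.

Added example: the EM constant below is reconstructed from the hex dump
quoted in the thread; every other value is constructed for the demo.
"""
import hashlib

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1):
# SEQUENCE { SEQUENCE { OID 2.16.840.1.101.3.4.2.1, NULL }, OCTET STRING[32] }
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SHA256_LEN = 32


def rsa_recover_em(sig: bytes, n: int, e: int) -> bytes:
    """The 'decrypt the signature with the public key' step: sig^e mod n,
    returned as a k-byte string where k is the byte length of the modulus."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if s >= n:
        raise ValueError("signature value out of range for this modulus")
    return pow(s, e, n).to_bytes(k, "big")


def parse_pkcs1_v15_sha256_em(em: bytes) -> bytes:
    """Strictly check EM = 00 || 01 || PS || 00 || DigestInfo || H and return H."""
    if len(em) < 11 + len(SHA256_DIGESTINFO) + SHA256_LEN:
        raise ValueError("EM too short")
    if em[0] != 0x00 or em[1] != 0x01:
        raise ValueError("bad block type (expected 00 01)")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no 00 separator after the padding string")
    if sep - 2 < 8 or any(b != 0xFF for b in em[2:sep]):
        raise ValueError("padding string must be at least 8 bytes of FF")
    t = em[sep + 1:]
    if not t.startswith(SHA256_DIGESTINFO):
        raise ValueError("DigestInfo is not the SHA-256 one")
    digest = t[len(SHA256_DIGESTINFO):]
    # The hash must fill the rest of the block exactly; leftover bytes mean
    # the EM was not produced by a correct signer and must be rejected.
    if len(digest) != SHA256_LEN:
        raise ValueError("digest length mismatch or trailing bytes")
    return digest


def encode_pkcs1_v15_sha256_em(digest: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding, the inverse of the parser (used for test vectors)."""
    t = SHA256_DIGESTINFO + digest
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for a SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def em_for_image(image: bytes, k: int) -> bytes:
    """EM a correct signer would produce for this image (hash, then encode)."""
    return encode_pkcs1_v15_sha256_em(hashlib.sha256(image).digest(), k)


def image_matches_em(em: bytes, image: bytes) -> bool:
    """True only when EM is well formed and carries SHA-256 of the image."""
    try:
        return parse_pkcs1_v15_sha256_em(em) == hashlib.sha256(image).digest()
    except ValueError:
        return False


# Reconstruction of the 256-byte dump quoted in the post: 00 01, then 202
# bytes of FF (offsets 0x02..0xCB), 00 at 0xCC, the DigestInfo at
# 0xCD..0xDF and the 32-byte SHA-256 value at 0xE0..0xFF.
PAGE_EM = (b"\x00\x01" + b"\xff" * 202 + b"\x00" + SHA256_DIGESTINFO
           + bytes.fromhex("2ef99614c175e7ffc0d78415a07415f1"
                           "dab634bdeb79769d13c6624b06c9803d"))

if __name__ == "__main__":
    print("digest carried by the quoted EM:", parse_pkcs1_v15_sha256_em(PAGE_EM).hex())
    # Constructed image (not the drive's firmware): the EM built from its
    # hash verifies, and one changed byte in the image does not.
    image = b"constructed firmware body " * 64
    em = encode_pkcs1_v15_sha256_em(hashlib.sha256(image).digest(), 256)
    print("good image:", image_matches_em(em, image))
    print("tampered image:", image_matches_em(em, image[:-1] + b"\x00"))
```

To apply this to a real image you would feed `rsa_recover_em` the 256-byte block at header->length - 0x100 together with the modulus and exponent parsed from the key data at 0x1ef8 (the post gives the offset but not the key encoding, so that parser is left out), then hand the result to `image_matches_em` with the bytes that the header says are covered by the hash.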
July 7th, 2019, 9:57
HaQue wrote:
Between this point and another, using a resistor, you get the tiny console?

AFAIR there is no tiny console on Palmer/Charger drives, it is just not in the code.
JTAG is locked on locked PCBs; unless you have a PCB with disabled security, finding JTAG pins will be a pointless exercise.
July 7th, 2019, 11:51
If you can short those test points correctly, then the drive can enter serial boot mode. The serial mode has 4 sub-commands (AA, FF, 70, 72, 2, 5):
70 - get serial baud rate list (min - 115200, max - 3125000)
72 - set baud rate
AA - sync
FF - get an ack packet, and set default baud
05 - Go
02 - upload data
For the JTAG, you cannot find any correct config file in OpenOCD.
July 7th, 2019, 21:01
flykiller wrote:
If you can short those test points correctly, then the drive can enter serial boot mode. The serial mode has 7 sub-commands (AA, FF, 70, 72, 02, 05, 0A):
70 - get serial baud rate list (min - 115200 ...... max - 3125000)
72 - set baud rate by baud rate list index
AA - sync
FF - get an ack packet, and set default baud rate
05 - Go to PC
02 - upload data
0A - reSet
For the JTAG, you cannot find any correct config file in OpenOCD.
July 8th, 2019, 2:58
Doomer wrote:
HaQue wrote:
Between this point and another, using a resistor, you get the tiny console?
AFAIR there is no tiny console on Palmer/Charger drives, it is just not in the code.
JTAG is locked on locked PCBs; unless you have a PCB with disabled security, finding JTAG pins will be a pointless exercise.

Are you sure about that, Doomer?
If you have both the locked & unlocked PCBs & JTAG pins ..... still pointless??
July 8th, 2019, 9:11
For JTAG to work you'd need a PCB with disabled security. A regular PCB has JTAG locked at the HW level.
July 8th, 2019, 11:53
This MCU uses secure boot (chain of trust). Therefore, to unlock, one must connect a logic probe to a PCB track or a package pin.
July 8th, 2019, 12:21
flykiller wrote:
This MCU uses secure boot (chain of trust). Therefore, to unlock, one must connect a logic probe to a PCB track or a package pin.

Interesting.
Do you know the test point number?
July 8th, 2019, 20:58
Doomer wrote:
flykiller wrote:
This MCU uses secure boot (chain of trust). Therefore, to unlock, one must connect a logic probe to a PCB track or a package pin.
Interesting.
Do you know the test point number?

Well, unfortunately I can't find it either. If you are interested in secure boot, you can refer to these URLs:
https://www.cnx-software.com/2016/10/06 ... -s905-soc/
https://github.com/ARM-software/arm-trusted-firmware
If you want to enable JTAG, you can short a test point (maybe e65 or e67 or e54, because I forgot).
July 9th, 2019, 3:28
Doomer wrote:
For JTAG to work you'd need a PCB with disabled security. A regular PCB has JTAG locked at the HW level.

That's ONE of the benefits of having a good friend from the other side of the world.
@flykiller, you are getting close...... very.
July 9th, 2019, 10:05
flykiller wrote:
Well, unfortunately I can't find it either.

I see, I thought I missed something in the code.
July 10th, 2019, 4:11
einstein9 wrote:
Doomer wrote:
For JTAG to work you'd need a PCB with disabled security. A regular PCB has JTAG locked at the HW level.
That's ONE of the benefits of having a good friend from the other side of the world.
@flykiller, you are getting close...... very.

I don't think so. If you can't switch to UART boot mode, or change this port's (0x30420064) value, then it can't unlock....
never
July 10th, 2019, 9:57
flykiller wrote:
or change this port's (0x30420064) value.

This port reflects HW fuse settings, so it is not easy to change it.
As I said, unless you have a PCB with disabled security, finding JTAG points is useless; UART is locked out too.
July 11th, 2019, 3:41
flykiller wrote:
einstein9 wrote:
Doomer wrote:
For JTAG to work you'd need a PCB with disabled security. A regular PCB has JTAG locked at the HW level.
That's ONE of the benefits of having a good friend from the other side of the world.
@flykiller, you are getting close...... very.
I don't think so. If you can't switch to UART boot mode, or change this port's (0x30420064) value, then it can't unlock....
never

PM sent...