Hello, I’m trying to get my hands dirty debugging ARM-based SSDs through the JTAG port for some reverse engineering & data recovery fun. I’ve read a few articles showing it’s possible:
https://wrongbaud.github.io/posts/jtag-hdd/
https://github.com/derco0n/SSDdiag
http://www2.futureware.at/~philipp/ssd/ ... Manual.pdf <-- Good info on Samsung 840 EVO
https://www.fmad.io/blog/ssd-bricked-restore
I’ve managed some success with PS3112s via SWD, downloading the contents of memory and disassembling it using IDA Pro and modifying IP's, but right now I’m focusing on a Samsung 860 EVO, trying to do the same.
There's an old Samsung 840 EVO OpenOCD config file here, although it uses the old format and doesn't appear to be applicable to the 860.
This is my OpenOCD file:
Code:
adapter speed 2000

if { [info exists CHIPNAME] } {
    set _CHIPNAME $CHIPNAME
} else {
    set _CHIPNAME s4lr030
}

# JTAG scan chain
if { [info exists CPUTAPID] } {
    set _CPUTAPID $CPUTAPID
} else {
    set _CPUTAPID 0x5ba00477
}

set _ENDIAN little

jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x01 -irmask 0x0f \
    -expected-id $_CPUTAPID

# Cortex-R4 target
set _TARGETNAME $_CHIPNAME.cpu_r4
dap create $_CHIPNAME.dap -chain-position $_CHIPNAME.cpu
target create $_TARGETNAME.0 cortex_r4 -endian $_ENDIAN -dap $_CHIPNAME.dap
which returns:
Code:
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : J-Link V11 compiled Sep 22 2022 14:53:28
Info : Hardware version: 11.00
Info : VTarget = 1.786 V
Info : clock speed 2000 kHz
Info : JTAG tap: s4lr030.cpu tap/device found: 0x5ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x5)
Error: JTAG-DP STICKY ERROR
Error: Could not initialize the APB-AP
Warn : target s4lr030.cpu_r4.0 examination failed
Info : starting gdb server for s4lr030.cpu_r4.0 on 3333
Info : Listening on port 3333 for gdb connections
Also, if I use the J-Link GDB Server I get the following output:
Code:
SEGGER J-Link GDB Server V7.80d GUI Version
JLinkARM.dll V7.80d (DLL compiled Oct 4 2022 16:40:52)
-----GDB Server start settings-----
GDBInit file: none
GDB Server Listening port: 2331
SWO raw output listening port: 2332
Terminal I/O port: 2333
Accept remote connection: localhost only
Generate logfile: on
Verify download: off
Init regs on start: off
Silent mode: off
Single run mode: off
Target connection timeout: 5000 ms
------J-Link related settings------
J-Link Host interface: USB
J-Link script: none
J-Link settings file: none
------Target related settings------
Target device: Cortex-R4
Target device parameters: none
Target interface: JTAG
Target interface speed: 2000kHz
Target endian: little
Connecting to J-Link...
J-Link is connected.
Firmware: J-Link V11 compiled Sep 22 2022 14:53:28
Hardware: V11.00
Feature(s): RDI, FlashBP, FlashDL, JFlash, GDB
Checking target voltage...
Target voltage: 1.79 V
Listening on TCP/IP port 2331
Connecting to target...
ERROR: Cortex-A/R (connect): Could not determine address of core debug registers. Incorrect CoreSight ROM table in device?
ERROR: Could not connect to target.
Target connection failed. GDBServer will be closed...
I suspect my configuration file is incorrect as I can't halt the CPU due to examination failing. Any suggestions? I'm hoping one of the UBER geniuses here can help. Any ideas, I'm stuck. Any help is appreciated.
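
As an added example (not part of the original post), this Python sketch decodes the IDCODE reported in the OpenOCD output above using the IEEE 1149.1 field layout and reports which bring-up stage failed first. The sample lines are copied from the post; the stage labels (`scan-chain`, `dap`, `target-examine`, `ok`) and function names are assumptions made for this illustration.

```python
import re

# Sample input: lines copied from the OpenOCD output in the post above.
SAMPLE_LOG = """\
Info : clock speed 2000 kHz
Info : JTAG tap: s4lr030.cpu tap/device found: 0x5ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x5)
Error: JTAG-DP STICKY ERROR
Error: Could not initialize the APB-AP
Warn : target s4lr030.cpu_r4.0 examination failed
"""

TAP_RE = re.compile(r"JTAG tap: (\S+) tap/device found: (0x[0-9a-fA-F]+)")
# Messages seen in the post that indicate the debug port / access port step failed.
DAP_ERRORS = ("STICKY ERROR", "Could not initialize the")


def decode_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields."""
    mfg = (idcode >> 1) & 0x7FF                # bits 11:1, JEP106 manufacturer
    return {
        "valid": bool(idcode & 1),             # bit 0 is 1 for a real IDCODE
        "mfg": mfg,
        "jep106_bank": (mfg >> 7) + 1,         # continuation count + 1
        "jep106_id": mfg & 0x7F,
        "part": (idcode >> 12) & 0xFFFF,       # bits 27:12
        "version": idcode >> 28,               # bits 31:28
    }


def triage(log):
    """Return (stage, taps): first failed stage (hypothetical labels) and decoded TAPs."""
    taps = {name: decode_idcode(int(value, 16))
            for name, value in TAP_RE.findall(log)}
    if not taps:
        stage = "scan-chain"        # no TAP answered: wiring, power or speed
    elif any(msg in log for msg in DAP_ERRORS):
        stage = "dap"               # TAP found, DP/AP access failed
    elif "examination failed" in log:
        stage = "target-examine"    # DAP usable, core debug registers not reached
    else:
        stage = "ok"
    return stage, taps


if __name__ == "__main__":
    stage, taps = triage(SAMPLE_LOG)
    print("first failing stage:", stage)
    for name, fields in taps.items():
        print(name, {k: hex(v) if k != "valid" else v for k, v in fields.items()})
```

For the log in the post this reports the `dap` stage: the scan chain and TAP ID are fine, and the first error appears when OpenOCD tries to use the debug access port.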