
Reverse Engineering PCBs with JTAG - meneses
https://drive.google.com/open?id=13p6O0C3aY-LSeqGAjfEge2XQT6ArfYnJyvu_fhAZlJI
======
anoonmoose
I found this presentation really interesting, in no small part because I've
been doing a lot of reading on JTAG for work lately.

One idea I'd like to add: using EXTEST to identify the pins. If I understand
the command correctly, it seems as if one could utilize the BSDL file to
generate a series of EXTEST patterns that would each set one I/O pin high and
the rest of them low. Then, you could just probe the IC pins until you found
the high one. This is more or less the reverse of what he describes - he's
applying a voltage and using the SAMPLE command to detect it.

To my understanding, this EXTEST method could also be used instead of the
suggestion on slide 90 to write some VHDL/Verilog to copy a known input to an
unknown output.

Doing any of this in an automated/programmatic way would probably take a
better software suite than the 20-day one mentioned, or at least a lower-level
tool of some sort, I suppose.
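
The two pin-identification approaches discussed here (EXTEST driving one pin at a time, and the talk's SAMPLE capture), worked through on a constructed boundary-register model. This is an added example, not code from the presentation or from any commenter; the 4-pin device, its BSDL-style cell numbers, pin names and the captured vectors are all made up, and the EXTEST variant leaves every other driver tri-stated rather than driven low.

```python
"""Boundary-scan pin identification, modelled in pure Python.

Constructed model of a hypothetical 4-pin device described BSDL-style: each
pin has an INPUT cell, an OUTPUT3 cell and a CONTROL cell, and a CONTROL value
of 1 disables that pin's driver (high-Z). BSDL numbers cell 0 nearest TDO, so
cell 0 is the first bit clocked in and the first bit that appears on capture.
Cell numbers, pin names and the captured vectors below are made up.
"""

# (cell number, pin name, cell function, BSDL "safe" value)
CELLS = [
    (0, "PA0", "INPUT", "X"), (1, "PA0", "OUTPUT3", "X"), (2, "PA0", "CONTROL", "1"),
    (3, "PA1", "INPUT", "X"), (4, "PA1", "OUTPUT3", "X"), (5, "PA1", "CONTROL", "1"),
    (6, "PB0", "INPUT", "X"), (7, "PB0", "OUTPUT3", "X"), (8, "PB0", "CONTROL", "1"),
    (9, "PB1", "INPUT", "X"), (10, "PB1", "OUTPUT3", "X"), (11, "PB1", "CONTROL", "1"),
]

def cell_index(pin, function, cells=CELLS):
    """Cell number of the given pin's cell with the given function."""
    return next(n for n, p, f, _ in cells if p == pin and f == function)

def extest_patterns(cells=CELLS):
    """One EXTEST vector per output-capable pin: that pin driven high and
    every other driver left disabled, so at most one pin can ever fight an
    external device on the board (the conflict risk raised in the thread)."""
    vec_safe = ["0"] * len(cells)
    for n, _, _, safe in cells:            # start from the BSDL safe values
        vec_safe[n] = "0" if safe == "X" else safe
    patterns = {}
    for pin in sorted({p for _, p, f, _ in cells if f == "OUTPUT3"}):
        vec = list(vec_safe)
        vec[cell_index(pin, "CONTROL", cells)] = "0"  # enable only this driver
        vec[cell_index(pin, "OUTPUT3", cells)] = "1"  # and drive it high
        patterns[pin] = "".join(vec)
    return patterns

def pins_driven_high(baseline, captured, cells=CELLS):
    """SAMPLE-mode decoding (the talk's method): compare a capture taken with
    the probe applied against one taken without it and report the INPUT cells
    that changed from 0 to 1. Diffing against the baseline ignores pins that
    already read high because of pull-ups."""
    return sorted(p for n, p, f, _ in cells
                  if f == "INPUT" and baseline[n] == "0" and captured[n] == "1")

if __name__ == "__main__":
    for pin, vec in extest_patterns().items():
        print(f"EXTEST {pin} high: {vec}")
    # constructed captures: PA1 sits high via a pull-up; probe applied to PB0
    print("SAMPLE diff:", pins_driven_high("000100000000", "000100100000"))
```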

~~~
omgtehlion
Setting a pin high or low can get you in conflict with other devices connected
to that pin. In the best case you wouldn't tell which pin is which and in the
worst you could damage that other device.

~~~
anoonmoose
This is an excellent point, one that I overlooked because I am usually testing
devices in isolation from the systems that they are a part of.

EXTEST would probably work well in a situation more like the Arduino example
from the slides, where the board is more of a breakout for a chip rather than
the chip being part of a bigger system.

Edit: although, since he's using a wire and pushbutton to apply 3.3V to
different pins, wouldn't he have the same problem you're suggesting I have?

~~~
VLM
He doesn't mention it directly but if you look at the pix you can see a
resistor inline and he kinda tangentially mentions limiting current to prevent
disaster. I suggest throwing an LED in series too; when it lights up, you've
found yourself a ground pin.

Look for fun with pull-up resistors, sometimes you'll need to pull up and
down. I2C with pullups on both pins unless you have active termination comes
to mind. So throw another pull up in parallel with the existing hardware,
nothing happens, hmm... Sometimes you're gonna want to pull down thru a
resistor too.

------
xwintermutex
If you have a few pins that you suspect to be JTAG, but don't know which is
which, there are tools for that too [1], (instead of manually trying).

[1]: http://hackaday.com/2013/10/02/jtagulator-finds-debug-interfaces/

~~~
teh_klev
This is mentioned in slide 51 (with picture of said device in all its lurid
pinkness):

https://docs.google.com/presentation/d/13p6O0C3aY-LSeqGAjfEge2XQT6ArfYnJyvu_fhAZlJI/edit#slide=id.gb78815f63_0_74

------
VLM
Nice presentation. Around slide #84 or so, for a good time don't just put in a
current limiting resistor, put in a current limiting resistor and an LED. Hmm,
the LED lit up, I guess the pin is a grounded pin?

------
jakeogh
Google drive/docs closing in 3...2.. argh I wish they would just get on with
it.

