JTAG access to the Fon

[digininja]

I've just got back from BruCON and one of the workshops I did while there was on using JTAGs. I steered the class to have the demos done on a Fon rather than all the other hardware he had brought so I now theoretically know a bit about using JTAG to really unbrick a Fon.

For those who don't know, JTAG allows direct access to the system on a chip (SoC) which is the one chip that does everything for the device, processor, network, USB etc. Through this access it is possible to dump memory, upload memory, not through software running on the Fon but directly placing it into the storage on the device. The main use I can see for this is to replace a completely bricked redboot to restore serial access. You can do a full flash through this but the guy said he tested it and it took about 8 hours, redboot alone takes about 30 mins.

It also allows you to actually pause and restart the processor. Combined with direct memory access, how useful would that be for grabbing juicy info from running applications!

At some point, when I get time, I'll have a go at building a cable and having a play. The only downside to this is the best cables run from parallel ports and USB to parallel converters don't work well I was told.

If anyone here has experience with JTAG I'd be interested in hearing about it and your experiences.

[m1k]

Jtag is an interesting world...

i did use parallel port driven jtags to change firmware on many satellite receivers...

very simple interface...just some diodes...(parallel port is ttl level...0-5 volts)

Also serial port driven jtags are common...but you have to home-made a converter...

using a common maxim 232 chip...and some capacitors...to convert +12 -12 volts level to ttl

For our pourposes...let's say and consider jtag "the last chance"...

slow speed and time consuming.....

good to unbrick any device

(using of course a good FW and communication program)

My 20 cents...