JTAG access?

[berserko]

Has anyone looked at using the JTAG port yet? it looks like the CPU is supported by OpenOCD I'm sure there are a few bricked units out there the could benefit from a JTAG. I'm going to start looking at it in the next couple weeks just curious if anyone has looked that this attack vector yet?

[CloneNum3]

Are you referring to the JTAG SPI Flash SSP3 ? I investigated it quite a bit and ended up with the idea of using a BlackCat SPI flash programmer (of which I actually have already) or seeing if the xbox 360 SPI programmer could be used for reading&writing the wink flash. I think it should work in theory but I am not sure how I would go about determining the pinout between the BlackCat and the Wink Flash JTAG. I believe the flash chip is a 128MB Spansion S34ML01G100TF100 which is pretty well documented. Someone more knowledgeable than me in nand flash programming could probable fill in some blanks and make this happen.

[translucent1]

I know this post is old, but I reverse engineered the CPU JTAG pinout:
http://jalderman.org/?p=318

I used this to dump a NAND image and root my hub.

[CloneNum3]

I know this post is old, but I reverse engineered the CPU JTAG pinout:
http://jalderman.org/?p=318

I used this to dump a NAND image and root my hub.

translucent1,

Ok, you impressed me! That's pretty awesome work.

FYI, I made you a site moderator. I encourage you to update us with any further findings! I appreciate your post.

-CloneNum3