4 posts • Page 1 of 1
Has anyone looked at using the JTAG port yet? it looks like the CPU is supported by OpenOCD I'm sure there are a few bricked units out there the could benefit from a JTAG. I'm going to start looking at it in the next couple weeks just curious if anyone has looked that this attack vector yet?
Are you referring to the JTAG SPI Flash SSP3 ? I investigated it quite a bit and ended up with the idea of using a BlackCat SPI flash programmer (of which I actually have already) or seeing if the xbox 360 SPI programmer could be used for reading&writing the wink flash. I think it should work in theory but I am not sure how I would go about determining the pinout between the BlackCat and the Wink Flash JTAG. I believe the flash chip is a 128MB Spansion S34ML01G100TF100 which is pretty well documented. Someone more knowledgeable than me in nand flash programming could probable fill in some blanks and make this happen.
translucent1 wrote:I know this post is old, but I reverse engineered the CPU JTAG pinout:
I used this to dump a NAND image and root my hub.
Ok, you impressed me! That's pretty awesome work.
FYI, I made you a site moderator. I encourage you to update us with any further findings! I appreciate your post.
Who is online
Users browsing this forum: Bing [Bot] and 1 guest