JTAG access?

Posted: Thu Jan 08, 2015 11:05 am
by berserko
Has anyone looked at using the JTAG port yet? It looks like the CPU is supported by OpenOCD. I'm sure there are a few bricked units out there that could benefit from a JTAG. I'm going to start looking at it in the next couple of weeks; just curious if anyone has looked at this attack vector yet?

Re: JTAG access?

Posted: Thu Jan 08, 2015 8:42 pm
by CloneNum3
Are you referring to the JTAG SPI Flash SSP3? I investigated it quite a bit and ended up with the idea of using a BlackCat SPI flash programmer (which I actually already have) or seeing if the Xbox 360 SPI programmer could be used for reading & writing the Wink flash. I think it should work in theory, but I am not sure how I would go about determining the pinout between the BlackCat and the Wink Flash JTAG. I believe the flash chip is a 128MB Spansion S34ML01G100TF100, which is pretty well documented. Someone more knowledgeable than me in NAND flash programming could probably fill in some blanks and make this happen.

Re: JTAG access?

Posted: Wed Aug 26, 2015 12:46 am
by translucent1
I know this post is old, but I reverse engineered the CPU JTAG pinout:
http://jalderman.org/?p=318

I used this to dump a NAND image and root my hub.

Re: JTAG access?

Posted: Tue Oct 06, 2015 10:13 am
by CloneNum3
translucent1 wrote: I know this post is old, but I reverse engineered the CPU JTAG pinout:
http://jalderman.org/?p=318

I used this to dump a NAND image and root my hub.


translucent1,

Ok, you impressed me! That's pretty awesome work.

FYI, I made you a site moderator. I encourage you to update us with any further findings! I appreciate your post.

-CloneNum3