@DonAndrewBailey

@DonAndrewBailey donb@isecpartners.com

whois donb?

whatis iSEC Partners?

Technology is The Great Equalizer

As Technology Increases, Control Decreases

Examples of Emerging Technology?

No, really.
- Cellular-enabled pill bottles
- Track pill usage remotely
- Email alerts when
  - Pill count is low
  - Pills haven't been taken
  - When it's time to take your pill

Wait. That sounds bad.

But, it's helping people.
- Alzheimer's patients
- Children with severe diseases
- Physically disabled patients
- Overworked security consultants

Wait. That sounds good.

Everything will be a computer

Examples?
- Medical devices (personal, industrial)
- Industrial monitoring
- Automated Teller Machines
- Industrial/Commercial Alarm Systems
- Home Alarm Systems
- Car security systems

Common M2M Example from Microchip

Find Architectural Commonalities
- Baseband
  - Modules must be approved
  - The approved list is public
  - Few features
  - Can't drive Application Logic
- Microcontrollers
  - Small RAM
  - Small Code Space (flash)
  - Minimal security surface (if any)

Find Architectural Commonalities
- Communication
  - Network Comm = Baseband
  - Peripheral Comm = uC
  - Comm between Baseband & uC = UART
- Cryptographic Capability
  - Only some Basebands provide HTTPS/SSL
  - Usually only Java VM capable
  - uC is usually baked (or non-existent)

Easiest Way to Attack?
- Sniff
  - USART
  - SPI
  - I2C
- Debug ports
  - JTAG
  - SWIM
  - DebugWire
  - etc

The GoodFET

Open Source JTAG Adapter (and more)
- SPI
- I2C
- JTAG
- AVR
- Glitching
- SmartCard
- NordicRF
- PIC

Architecture
- Simple hardware architecture
  - Few components
  - Open Source
- Simple software architecture
  - Python based
  - Open Source

AVR Port
- Simple hardware architecture
  - Few components
  - Open Source
- Simple software architecture
  - Python based
  - Open Source

AVR GoodFET Requirements
- Simple board design
- Boot loader needed
- No soldering!
- Portable to almost any Atmel AVR
- Cheap!!
- Components must be easily accessible worldwide

AVR GoodFET Hardware
- ATmega1284P
- One pull-up resistor (1K Ohm)
- One 0.1uF and one 1uF capacitor
- 20MHz external clock (Abracon ACHL-20MHz)
- FTDI Cable

AVR Boot Loader
- 20MHz
- 0.5M USART baud rate
- Flash from file
- Flash from web
- Peek
  - Signature
  - Fuse bytes
  - Page Size

AVR Boot Loader
- Shouldn't have to know Chip
  - Requirement of Travis
- Fromweb & signature = solution
  - Request sig (1E9705)
  - Download per-sig image 1E9705.hex
  - Flash image
- Fuses can be validated per signature
  - Each chip has slightly different fuses

Boot Loader Bugs
- A section can't exceed one file
- Can't use .data, .bss
- Word address versus Byte address
- Vectors are /required/
- IVTs must get naked (ISR -> BL_ISR)
- WatchDog spinlock
- pgm_read_byte_far() is buggy
- Undocumented bits in P models (SIGRD)

AVR Port
- Code
- Build library files
- Integrated donbfet support
- Adjusted for silly AVRnesses
- Go!

JTAG Scanning

What is JTAG?
- Standard for debugging/monitoring chips
- Originally used to test manufactured equipment
- Used to test/debug embedded devices
- Simple state machine protocol
- Daisy chain-able
- Field updates!

What is JTAG?
- 5 Pins
  - TCK: Clock
  - TMS: Mode Select
  - TDI: Data In
  - TDO: Data Out
  - TRST: Reset
- TRST is optional
  - Not always (AVR)

JScan Application
- 646 Lines of C (firmware)
- 143 Lines of Python (client)
- Dynamic Pin definition
- Control endianness
- Select delay (pin state sync)
- Store/retrieve results
- Core is based on
  - Hunz's slides
  - ArduiNull (LeKernel)

How Do We See JTAG?
- 11111b is always a state machine reset
- Then
  - 0: Run Test Idle
  - 1: Select DR
  - 1: Select IR
  - 0: Capture IR
  - 0: Shift IR
- Shift IR activates TDO
- Shift in via TDI, monitor TDO

Hunz's Method
- Only 4 pins are required
- Yes, still NRST
- Still N! operations
- Approximately 120 tests per minute
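The TMS walk and the four-pin search from the two slides above, as an added example that is not from the talk or from the JScan code: a Python model of the IEEE 1149.1 TAP state machine run against a constructed, simulated target. The pin numbers, IR length, test pattern and the names `walk`, `probe` and `scan` are assumptions made for illustration.

```python
from itertools import permutations

# IEEE 1149.1 TAP controller: state -> (next state if TMS=0, next state if TMS=1)
TAP = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle": ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan": ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR": ("Shift-DR", "Exit1-DR"),
    "Shift-DR": ("Shift-DR", "Exit1-DR"),
    "Exit1-DR": ("Pause-DR", "Update-DR"),
    "Pause-DR": ("Pause-DR", "Exit2-DR"),
    "Exit2-DR": ("Shift-DR", "Update-DR"),
    "Update-DR": ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan": ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR": ("Shift-IR", "Exit1-IR"),
    "Shift-IR": ("Shift-IR", "Exit1-IR"),
    "Exit1-IR": ("Pause-IR", "Update-IR"),
    "Pause-IR": ("Pause-IR", "Exit2-IR"),
    "Exit2-IR": ("Shift-IR", "Update-IR"),
    "Update-IR": ("Run-Test/Idle", "Select-DR-Scan"),
}

def walk(state, tms_bits):  # clock a TMS sequence through the state machine
    for tms in tms_bits:
        state = TAP[state][tms]
    return state

TO_SHIFT_IR = [1, 1, 1, 1, 1, 0, 1, 1, 0, 0]  # reset, then the slide's 0,1,1,0,0
PATTERN = "011010011101"                       # constructed test pattern for TDI

def probe(real, guess, ir_len=4, start="Pause-DR"):
    # Constructed target wired as real=(tck, tms, tdi, tdo); the scanner assumes
    # `guess`. Undriven target inputs read 1 through the pull-ups.
    state, ir, seen = start, [1] * ir_len, []
    clocks = [(b, 1) for b in TO_SHIFT_IR] + [(0, int(b)) for b in PATTERN + "0" * ir_len]
    if guess[0] != real[0]:              # wrong TCK: target never clocks, line idles high
        return "1" * len(clocks)
    for tms, tdi in clocks:
        driven = {guess[1]: tms, guess[2]: tdi}
        tdo = 1
        if state == "Shift-IR":          # IR shifts TDI towards TDO, ir_len bits late
            tdo, ir = ir[0], ir[1:] + [driven.get(real[2], 1)]
        seen.append(tdo if guess[3] == real[3] else 1)
        state = TAP[state][driven.get(real[1], 1)]
    return "".join(map(str, seen))

def scan(real, pins):
    # Try every ordered choice of 4 pins; return (matching guesses, guesses tried).
    guesses = list(permutations(pins, 4))
    return [g for g in guesses if PATTERN in probe(real, g)], len(guesses)
```

On this model only the correct assignment echoes the pattern; the simulation has no floating lines or crosstalk, which is where the false positives mentioned on the following slides come from.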

Results
- ~0.55% FP rate
- 5 pins, 6 pins, 7 pins, 8 pins
- @20MHz, 120 tests per minute
- Pull-ups are required
- False positives are easy to detect
- Output arrays should feed other Apps

Issues
- False positives often drive invalid states
  - Logic gate w/ power control
- Delays should be adjusted when R = 0
- 220 330 Ohm resistors must be used
- Output -> App requires dynamic Pin control
- Can only fit ~100 results in response
  - Limited by GoodFET protocol

Future Requirements
- Select Profile mode (i.e. AVR, ARM, etc)
- Fingerprint JTAG subtleties
- Automated target power control a la JTagger
- Apps should interleave
- Protocol scanning should be generic
  - Pattern based
  - Language should define pattern

Demo

Summary?
- Need More Tools like GoodFET and UberTooth
- Opening up GoodFET's arch further will help
- JTAG scanning is easy
- Integrating it is hard
- Other protocols are needed

Thanks to
- iSEC Partners
- Travis Goodspeed
- Mike Kershaw
- Mike Ossmann
- Nick DePetrillo
- hunz@hunz.org
- LeKernel.net

Pull up the people. Pull up the poor. - M.I.A.