Hello,

On Wednesday 04 January 2006 17:50, unity0724 wrote:
> Case 1) If JTAG port enabled by hardware automatically
> - Hardware copies the state of P1.26/P1.30 and updates PINSEL2
> after reset.
> - For CRP, the bootloader has to read location 0x1fc early and
> disable the JTAG port if CRP is enabled.
> - This gives a hacking window where the JTAG port is not disabled between
> reset and the bootloader disabling it.
> - The hacking window could be "ENLARGED" by clocking the ARM CPU at
> a much lower clock speed, i.e. 10KHz.
> - You could send in all the JTAG commands in that window and then
> control the ARM7 CPU...
> - For manufacturing, Philips could use the JTAG port to program the
> very first copy of the bootloader when the chip is completely empty.

JTAG is enabled after the chip comes out of reset, and it is disabled on the third instruction. I've tested this by applying a continuous TCK and monitoring the output (see my posts in the original thread). The bootloader then checks the value present at 0x1fc, and re-enables JTAG if it didn't find the 0x87654321.

You can't exploit this window because on ARM7TDMI-S cores the JTAG input is synchronized with the processor clock (hence the RTCK carrying a synchronized version of TCK).

Kind regards,

Dominic
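The message above turns on one detail: the bootloader decides whether to leave JTAG disabled by comparing the word at flash offset 0x1fc with 0x87654321. Before flashing an image it is worth checking that word on the host, so you do not lock yourself out of JTAG by accident (or ship an image that is supposed to be protected but is not). The following host-side checker is an added example written for this page; it is not code from the lpc2000 list, from Dominic, or from Philips. It assumes a raw binary image laid out from address 0, little-endian 32-bit words (ARM7TDMI-S on the LPC2000), and, as the message states, that CRP is enabled exactly when the word at 0x1fc equals 0x87654321; the erased-flash value 0xFFFFFFFF used to clear CRP and the `crp_*` function names are this example's own choices.

```c
/* crp_check.c: inspect or patch the CRP word of an LPC2000 firmware image.
 * Added example, not code from the page or from Philips.
 * Assumptions: raw binary image starting at address 0, little-endian words,
 * CRP word at offset 0x1fc, magic value 0x87654321 (per the thread). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRP_OFFSET 0x1FCu        /* location the bootloader checks */
#define CRP_MAGIC  0x87654321u   /* value that keeps JTAG disabled */
#define FLASH_ERASED 0xFFFFFFFFu /* assumed "cleared" value (erased flash) */

enum crp_state {
    CRP_IMAGE_TOO_SHORT = -1,    /* image does not even reach 0x1fc+4 */
    CRP_DISABLED = 0,            /* bootloader will re-enable JTAG */
    CRP_ENABLED = 1              /* bootloader leaves JTAG disabled */
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v);
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Report what the bootloader would conclude from this image. */
int crp_state_of(const uint8_t *img, size_t len)
{
    if (len < CRP_OFFSET + 4)
        return CRP_IMAGE_TOO_SHORT;
    return read_le32(img + CRP_OFFSET) == CRP_MAGIC ? CRP_ENABLED : CRP_DISABLED;
}

/* Set or clear CRP in place; returns 0 on success, -1 if the image is too
 * short to hold the word (the caller must pad it first). */
int crp_set(uint8_t *img, size_t len, int enable)
{
    if (len < CRP_OFFSET + 4)
        return -1;
    write_le32(img + CRP_OFFSET, enable ? CRP_MAGIC : FLASH_ERASED);
    return 0;
}

static const char *crp_state_name(int s)
{
    switch (s) {
    case CRP_ENABLED:  return "CRP enabled (JTAG stays disabled)";
    case CRP_DISABLED: return "CRP disabled (JTAG re-enabled by bootloader)";
    default:           return "image too short to contain the CRP word";
    }
}

int main(void)
{
    /* Constructed sample: 1 KiB of erased flash standing in for a real image. */
    uint8_t img[1024];
    memset(img, 0xFF, sizeof img);

    printf("fresh image: %s\n", crp_state_name(crp_state_of(img, sizeof img)));

    crp_set(img, sizeof img, 1);
    printf("after enabling: %s\n", crp_state_name(crp_state_of(img, sizeof img)));

    crp_set(img, sizeof img, 0);
    printf("after clearing: %s\n", crp_state_name(crp_state_of(img, sizeof img)));

    /* Truncated image: the check must refuse rather than read past the end. */
    printf("truncated image: %s\n", crp_state_name(crp_state_of(img, 0x100)));
    return 0;
}
```

Run the checker on the exact bytes you are about to flash, not on the linker's ELF or a hex file, since the bootloader only ever sees the flash contents; the too-short case matters because a small test image that ends before 0x1fc leaves that word at whatever the flash already held.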
Re: [lpc2000] Re: LPC Boot Loader Internals
2006-01-04 by Dominic Rath