--- In lpc2000@yahoogroups.com, Dominic Rath <Dominic.Rath@g...> wrote:
> JTAG is enabled after the chip comes out of reset,
> and it is disabled on the third instruction.

I have stated this from disassembling the code.

> I've tested this by applying a continuous TCK and
> monitoring the output (see my posts in the original thread).
> The bootloader then checks the value present at 0x1fc,
> and reenables JTAG if it didn't find the 0x87654321.

Disassembly is proof enough. No need for testing.

> You can't exploit this window because on ARM7TDMI-S cores
> the JTAG input is synchronized with the processor clock
> (hence the RTCK carrying a synchronized version of TCK).

Is this documented anywhere?

While it takes just one test to show a security vulnerability, it is not feasible (or valid) to claim a system is secure (or assure quality) by testing alone.

There is a lot more that can be done via the JTAG interface than what is documented.

> Kind regards,
>
> Dominic
Re: LPC Boot Loader Internals
2006-01-04 by jayasooriah
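A build-side check for the condition discussed in this thread, as an added example that is not part of the original post or of any poster's code: it parses an Intel HEX firmware image and reports whether the word at 0x1FC holds 0x87654321. The Intel HEX input format, the little-endian word order and all function names are assumptions of this example.

```python
import struct

CRP_OFFSET = 0x1FC        # flash address the thread says the bootloader checks
CRP_MARKER = 0x87654321   # value the thread says keeps JTAG disabled

def hex_record(addr, rtype, data):
    """Build one Intel HEX record with a correct checksum (used for sample input)."""
    body = bytes([len(data), addr >> 8, addr & 0xFF, rtype]) + data
    return ":" + (body + bytes([-sum(body) & 0xFF])).hex().upper()

def load_intel_hex(text):
    """Parse Intel HEX text into {address: byte}, verifying every record."""
    mem, base = {}, 0
    for n, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"line {n}: missing ':'")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5 or len(rec) != rec[0] + 5 or sum(rec) & 0xFF:
            raise ValueError(f"line {n}: bad length or checksum")
        addr, rtype, data = (rec[1] << 8) | rec[2], rec[3], rec[4:-1]
        if rtype == 0x00:                       # data record
            for i, b in enumerate(data):
                mem[base + addr + i] = b
        elif rtype == 0x04:                     # extended linear address
            base = int.from_bytes(data, "big") << 16
        elif rtype == 0x02:                     # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x01:                     # end of file
            break
    return mem

def crp_status(mem):
    """Return 'protected', 'unprotected' or 'missing' for the word at 0x1FC."""
    cells = [mem.get(CRP_OFFSET + i) for i in range(4)]
    if None in cells:
        return "missing"                        # image never programs the word
    (word,) = struct.unpack("<I", bytes(cells)) # assumption: little-endian word
    return "protected" if word == CRP_MARKER else "unprotected"

# Constructed sample image: only the marker word at 0x1FC plus an EOF record.
SAMPLE = "\n".join([
    hex_record(0x01FC, 0x00, struct.pack("<I", CRP_MARKER)),
    hex_record(0x0000, 0x01, b""),
])

if __name__ == "__main__":
    print(crp_status(load_intel_hex(SAMPLE)))
```

A "missing" result means the image leaves 0x1FC unprogrammed, which a release pipeline should treat the same as "unprotected".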