Yahoo Groups archive

Lpc2000

Re: [lpc2000] Re: CRP exploits using JTAG

2006-02-06 by Dominic Rath

Hello,

On Monday 06 February 2006 21:01, dr_danish_ali wrote:
> Hi Dominic,
> If the clocks are unrelated / asynchronous and you rely on RTCK, then sure
> the fastest you can run the TCK at is 1/6 of the core frequency. But if you
> control the core frequency (i.e. generate it and feed it into the
> oscillator pin) and also generate TCK, I reckon that you might be able to
> push TCK up to 1/2 of the core frequency and get it through the
> synchronizer.
>
> Now I don't know how many TCK ticks it takes to issue a command over JTAG
> (or if you can take over while the CPU is held in reset all the way from
> power-on). But the MAM is fully disabled so you'll need seven core ticks
> for each FLASH memory access. I do hope that someone who knows JTAG can
> tell me "Well the scan chain is 32 bits long and a command is 4 bits long
> so you'll need at least 36 TCK, i.e. 72* core cycles to take over. And in
> that time the core has executed over 10 instructions so the potential
> trapdoor is already bolted shut". I don't know JTAG so I can't say such
> things.

You can't access the JTAG port while the device is in reset, because the LPCs 
keep the test logic in reset, too.

Test logic comes out of reset in Test-Logic-Reset. From there, you have to go 
to Shift-IR to select the SCAN_N instruction, that's 5 TCK cycles. The IR 
register is 4 bits long, but the last bit is scanned when moving out of 
Shift-IR, so you spend 3 ticks shifting bits into the IR reg. From there, you 
have to move to Shift-DR to select the EmbeddedICE scan chain. This takes 7 
TCK cycles. The SCAN_N register is 4 bits long, so you shift 3 bits. Back to 
Shift-IR to select INTEST takes 8 ticks. 3 ticks for the instruction. 7 ticks 
back to Shift-DR. The EmbeddedICE scan chain is 38 bits long, requiring a 
shift of 37 cycles. The synchronization latches only open in Run-Test/Idle, 
so you have to move there in 5 ticks, plus one tick in R-T-I for the debug 
request to register.
5 + 3 + 7 + 3 + 8 + 3 + 7 + 37 + 5 + 1 = 79 TCK cycles.

>
> *according to my suspicion that you can push TCK up to half the core
> frequency
>
> Regards,
> Danish
>

Regards,

Dominic
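As an added illustration (not part of the thread, and not OpenOCD code), here is a small model of the IEEE 1149.1 TAP state machine that recounts Dominic's 79-cycle sequence step by step. The 7, 8 and 5 tick figures in the message correspond to leaving each shift state through Exit1 -> Pause -> Exit2 -> Update; that reading is an assumption, and the `via_pause=False` variant gives the shortest-path lower bound of the state machine instead.

```python
from collections import deque

# IEEE 1149.1 TAP controller: state -> (next state on TMS=0, next state on TMS=1)
TAP = {
    "TLR": ("RTI", "TLR"), "RTI": ("RTI", "SelDR"),
    "SelDR": ("CapDR", "SelIR"), "CapDR": ("ShiftDR", "Exit1DR"),
    "ShiftDR": ("ShiftDR", "Exit1DR"), "Exit1DR": ("PauseDR", "UpdDR"),
    "PauseDR": ("PauseDR", "Exit2DR"), "Exit2DR": ("ShiftDR", "UpdDR"),
    "UpdDR": ("RTI", "SelDR"), "SelIR": ("CapIR", "TLR"),
    "CapIR": ("ShiftIR", "Exit1IR"), "ShiftIR": ("ShiftIR", "Exit1IR"),
    "Exit1IR": ("PauseIR", "UpdIR"), "PauseIR": ("PauseIR", "Exit2IR"),
    "Exit2IR": ("ShiftIR", "UpdIR"), "UpdIR": ("RTI", "SelDR"),
}

def walk(start, *waypoints):
    """Shortest TMS bit sequence from start through each waypoint; one TCK per bit."""
    tms, here = [], start
    for target in waypoints:
        prev, queue = {here: None}, deque([here])
        while queue[0] != target:                    # BFS over the 16-state graph
            s = queue.popleft()
            for bit in (0, 1):
                if TAP[s][bit] not in prev:
                    prev[TAP[s][bit]] = (s, bit)
                    queue.append(TAP[s][bit])
        path, s = [], target
        while prev[s] is not None:                   # rebuild the path backwards
            s, bit = prev[s]
            path.append(bit)
        tms += reversed(path)
        here = target
    return tms

def debug_request_cycles(via_pause=True):
    """TCK count to assert an EmbeddedICE debug request right out of TAP reset.
    via_pause=True routes Exit1 -> Pause -> Exit2 -> Update (assumed: it reproduces
    the 7/8/5 tick figures in the message); False uses the shortest route."""
    ir_bits, scan_n_bits, ice_bits = 4, 4, 38
    p_ir, p_dr = (("PauseIR",), ("PauseDR",)) if via_pause else ((), ())
    steps = [
        ("TLR -> Shift-IR", len(walk("TLR", "ShiftIR"))),
        ("shift SCAN_N", ir_bits - 1),          # last bit clocks in on the exit tick
        ("Shift-IR -> Shift-DR", len(walk("ShiftIR", *p_ir, "ShiftDR"))),
        ("shift chain number", scan_n_bits - 1),
        ("Shift-DR -> Shift-IR", len(walk("ShiftDR", *p_dr, "ShiftIR"))),
        ("shift INTEST", ir_bits - 1),
        ("Shift-IR -> Shift-DR", len(walk("ShiftIR", *p_ir, "ShiftDR"))),
        ("shift EmbeddedICE chain", ice_bits - 1),
        ("Shift-DR -> Run-Test/Idle", len(walk("ShiftDR", *p_dr, "RTI"))),
        ("tick in Run-Test/Idle", 1),           # sync latches only open here
    ]
    return sum(n for _, n in steps), steps
```

`debug_request_cycles()` returns 79 with the per-step breakdown from the message; the shortest-path variant returns 71, showing how much of the count is routing through the Pause states rather than shifting.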
