Tom, I cannot find anything in your reference that says you cannot access the JTAG port while the processor is in reset. I hope I am not missing something obvious in your reference. The TEST-LOGIC-RESET (nTRST) referred to in your reference many times is independent of processor reset (nRESET), which I refer to as LPC reset. If these are linked in the LPC, I would like to see where this is stated.

Also, in relation to your comment that IEEE JTAG publications are no secret: yes, JTAG is open, but the IEEE does not (and cannot) define instructions for designer-added chains. Only the designer can tell you what these are and what they do.

Note that the specifications (as interpreted in the ARM7TDMI-S TRM) state that you cannot use the EXTEST, SAMPLE, and PRELOAD instructions on scan chains 1 and 2 because "unpredictable behaviour occurs". This simply means that what actually happens is not covered by the specifications, because it depends on the particular implementation. There has been at least one instance I know of personally where such an instruction was exploited to do "creative" things the designers could not have predicted or anticipated.

Summary:

a) with JTAG enabled (before and) upon reset, it is hard to prove that it cannot be used to exploit CRP;

b) it would be easy to show how JTAG can be used to exploit CRP here, but there are legal ramifications to consider; and

c) given that the boot loader is a core and necessary component of CRP, I would not recommend anyone rely on CRP without any form of certification as to the integrity of the boot loader implementation.

Jaya

--- In lpc2000@yahoogroups.com, Tom Walsh <tom@...> wrote:
>
> Jayasooriah wrote:
>
> >Dominic, I do not think this is the threat the designers were defending.
> >
> >>You can't access the JTAG port while the device is in reset, because the
> >>LPCs keep the test logic in reset, too.
> >>
> >
> >I am curious if this is stated anywhere or if you determined this by
> >experiment. Note, besides ETM chain, there is also a processor chain that
> >can be accessed.
> >
>
> Understandably, Philips does not go into detail as to how JTAG operates,
> this is an IEEE spec now and documents are available elsewhere. JTAG is
> very very well documented: Joint Test / Action Group. JTAG is not a
> "secret" but was created in response to a growing problem in the ATE
> (Auto Test Engineering) and software development arena in dealing with
> more complex processors.
>
> This link would get you started into understanding JTAG:
> http://klabs.org/richcontent/old_news/old_news_7/old_news_7.htm
>
> TomW
re: CRP exploits using JTAG
2006-02-08 by Jayasooriah