Yahoo Groups archive

Lpc2000


Message

Re: [lpc2000] re: CRP exploits using JTAG

2006-02-08 by Dominic Rath

Jaya,

On Wednesday 08 February 2006 15:32, Jayasooriah wrote:
> Dominic,
>
> I believe you are not distinguishing between JTAG reset and LPC reset.
I am distinguishing between JTAG reset and LPC reset. I wouldn't say nSRST if 
I meant nTRST, or vice versa. nTRST is hardly of any use (my OpenOCD works 
fine without it).

> JTAG operations are carried out using the TAP (Test Access Port)
> controller.  This TAP controller can be forced to its "reset" state by
> driving signal nTRST LOW or by pushing a sequence through TMS for a given
> number (I recall 5) of TCKs.
Yes.

> To use the boundary scan interface, nTRST must be driven LOW and then HIGH
> again. You appear to have held it low, and hence your observations.
No. This behaviour has been confirmed by someone from Rowley.

> Driving nTRST HIGH does not mean you have also to drive nRESET HIGH.  The
> TAP controller can be accessed with nRESET held low, and this is how "boundary
> scanning" is used for debugging in the days before ETM (Embedded Trace
> Macrocell).
Debugging doesn't use the ETM. Debugging uses the EmbeddedICE macrocell.
On the LPCs, driving nRESET low keeps the TAP controller in reset, too. 
Period.

> ... snip ...
> PS:  I bet you can find ways to reduce the 79 TCK requirements by taking
> into account the state of the shift registers before you shift but this is not
> why I would not take the 79 TCK requirement seriously.  If you needed this
> many cycles then it does not make sense to reduce the window of opportunity
> by one jump instruction at the expense of exception handling, as was done
> on the 2292.
The scan chain select register is set to 0 after reset, and the instruction 
register is set to the IDCODE instruction. That means you have to:
- select the SCAN_N instruction
- shift in b0010 (Scan chain 2 is the EmbeddedICE macrocell)
- select the INTEST instruction
- shift in data for the EmbeddedICE control register to request a debug entry

Just because you believe that this is the reason why Philips dumped the 
exception vectors doesn't necessarily mean that there's a way to cut the 
number of TCK cycles down.

Regards,

Dominic
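
The four steps listed in the message above, walked through the IEEE 1149.1 TAP state machine to count TCKs, as an added example that is not part of the original post or of OpenOCD. It assumes a 4-bit instruction register, a 4-bit scan chain select register and a 38-bit EmbeddedICE scan chain (the ARM7TDMI values); the function names are hypothetical, and the count is for this constructed TMS path only, not a derivation of the 79-TCK figure discussed in the thread.

```python
# IEEE 1149.1 TAP controller: state -> (next state if TMS=0, next state if TMS=1)
TAP = {
    "TLR": ("RTI", "TLR"),
    "RTI": ("RTI", "SEL_DR"),
    "SEL_DR": ("CAP_DR", "SEL_IR"),
    "CAP_DR": ("SH_DR", "EX1_DR"),
    "SH_DR": ("SH_DR", "EX1_DR"),
    "EX1_DR": ("PAU_DR", "UPD_DR"),
    "PAU_DR": ("PAU_DR", "EX2_DR"),
    "EX2_DR": ("SH_DR", "UPD_DR"),
    "UPD_DR": ("RTI", "SEL_DR"),
    "SEL_IR": ("CAP_IR", "TLR"),
    "CAP_IR": ("SH_IR", "EX1_IR"),
    "SH_IR": ("SH_IR", "EX1_IR"),
    "EX1_IR": ("PAU_IR", "UPD_IR"),
    "PAU_IR": ("PAU_IR", "EX2_IR"),
    "EX2_IR": ("SH_IR", "UPD_IR"),
    "UPD_IR": ("RTI", "SEL_DR"),
}

def run(state, tms_bits):
    """Clock the TAP once per TMS bit; return (final_state, tck_count)."""
    for tms in tms_bits:
        state = TAP[state][tms]
    return state, len(tms_bits)

def scan_tms(kind, nbits):
    """TMS bits for one scan started from RTI or Update-*: reach Shift, shift nbits, Update."""
    head = [1, 0, 0] if kind == "DR" else [1, 1, 0, 0]
    return head + [0] * (nbits - 1) + [1, 1]  # last data bit leaves Shift, then Update

def debug_request_tcks(ir_len=4, chain_sel_len=4, ice_len=38):
    """TCKs from Test-Logic-Reset until the EmbeddedICE write reaches Update-DR.
    Register lengths are assumptions (ARM7TDMI values), not taken from the post."""
    # SCAN_N, chain number b0010, INTEST, EmbeddedICE control register write
    steps = [("IR", ir_len), ("DR", chain_sel_len), ("IR", ir_len), ("DR", ice_len)]
    state, total = run("TLR", [0])  # TLR -> Run-Test/Idle
    per_step = []
    for kind, nbits in steps:
        state, n = run(state, scan_tms(kind, nbits))
        assert state == "UPD_" + kind  # each scan must end in its Update state
        per_step.append(n)
        total += n
    return total, per_step, state
```

Each scan here leaves Update-* straight for Select-DR-Scan without passing through Run-Test/Idle; an adapter that idles between scans spends one more TCK per scan.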
