Yahoo Groups archive

Lpc2000

Index last updated: 2026-04-28 23:31 UTC

Message

re: CRP exploits using JTAG

2006-02-08 by Jayasooriah

Dominic,

My apologies. I misread nSRTS as nTRST, and I incorrectly referred to 
EmbeddedICE-RT macrocell as ETM -- I did not meant to discuss ETM at all.

I have no experience with EIRM debugging myself and what I am raising here 
is mainly based on scanning ARM7-DTMI-S Technical Reference Manual (TRM) 
(Revision 4) for the purposes of this discussion :)

At 03:19 09/02/2006, lpc2000@yahoogroups.com wrote:
>    Date: Wed, 8 Feb 2006 16:58:45 +0100
>    From: Dominic Rath <Dominic.Rath@...>
>Subject: Re: re: CRP exploits using JTAG
>...
> > To use the boundary scan interface, nTRST must be driven LOW and then HIGH
> > again. You appear to have held it low, and hence your observations.
>No. This behaviour has been confirmed by someone from Rowley.

I was quoting the above from 5.12.1 of the TRM.  Note that it also says in 
this section that when the boundary scan interface is not used, you can tie 
DBGnTRST input low.  Is this what your OpenCD tool does?

>...
>On the LPCs, driving nRESET low keeps the TAP controller in reset, too.
>Period.

I heard you the first time, but where would one find this information? If 
it was  established by experimentation, how was nTRST driven?  LOW then 
HIGH or just LOW?

>Just because you believe that this is the reason why Philips dumped the
>exception vectors doesnt necessarily mean that there's a way to cut the
>number of TCK cycles down.

IMHO we (you and I) cannot conclusively say one way or another.  Only the 
designers can, and they have chosen not to.

What they have said, however, is:

"EmbeddedICE logic ... allows instructions to execute at a slow debug speed 
or at fast system speed"

"The scan chains that are around the core for production test are reused in 
the debug state ..."

If I had my JTAG to play with (and the time to play), I would try the 
following while nRESET is held low:

a) select SCAN_N instruction
b) select chain #1 (later 5,6,7,9-15 and so on)
c) select INTEST instruction
d) scan DBGBREAK bit (for chain #1)

and then see how long it then takes to enter debug mode in halt state upon 
releasing nRESET.

Jaya

PS:


Send instant messages to your online friends http://au.messenger.yahoo.com

Attachments

  • No local attachments were found for this message.

Move to quarantaine

This moves the raw source file on disk only. The archive index is not changed automatically, so you still need to run a manual refresh afterward.