Difference between revisions of "Nano2G HW analysis"
(Created page with '200px|thumb|Top layer, including JTAG 200px|thumb|Bottom layer 300px [[File:2G_bck_annotation.png|3...') |
|||
| (11 intermediate revisions by 7 users not shown) | |||
| Line 5: | Line 5: | ||
== previous work == | == previous work == | ||
| − | See [[ | + | See [[Nano 2G]]. |
== SOC analysis == | == SOC analysis == | ||
| Line 34: | Line 34: | ||
The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins). | The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins). | ||
| − | After connecting a xilinx | + | After connecting a xilinx parallel cable, and installing openwince, we can try to connect to the JTAG : |
| − | + | '''The screen freezes directly when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd. | |
| − | + | In fact, the ARM 940T processor is still fully functionnal, but it gets disconnected from the main bus, all memories are not reachable any more. The only memory preserved are the Data and instruction caches. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | == JTAG cache dumps == | |
| + | As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (Dcache only can be dumped, the Icache can only give the indexes). | ||
| − | We | + | We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the icache indexes. Be careful, these values can be corrupt due to the mem bus disconnection. We used statistics on many dumps to have helpful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]). |
| − | |||
| − | + | ||
| − | + | ||
| − | + | Please note that the DLC5 cable was modified to include a nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTrst was simply tied to the 3.0V power supply, it is just not necessary. | |
| − | + | Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the ipod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery. | |
| − | + | ||
| − | + | [http://f4eru.free.fr/8701/dump_example.txt Dump example] | |
| + | |||
| + | == getting code execution ? == | ||
| + | |||
| + | [[Notes_exploit]] | ||
Latest revision as of 03:15, 24 November 2010
Contents
previous work
See Nano 2G.
SOC analysis
Circuit analysis
After desoldering all components, the circuit was analyzed with a continuity tester.
Small test needles (nailbed needles are great) were used for contacting.
For easing the search, a more coarse search was first performed by a novel method : soldering a coil wire to one end, and moving a iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle allows to find the exact pad.
Not all connection were routed, mainly the connections to the S5L8701 SOC.
Results are a detailed pinout of the 8701
See also S5L8701_analysis.
JTAG
The jtag was found after searching with a jtag bruteforce scanner i wrote.(to be published later) There were a lot of problems, including the scanner not working properly, and a nTRST pin. (still cannot understand why).
But now we have the locations of the pins : see picture
.
The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins).
After connecting a xilinx parallel cable, and installing openwince, we can try to connect to the JTAG :
The screen freezes directly when we use the JTAG. This seems to be a protection against hackers, but it could also be an issue with openocd. In fact, the ARM 940T processor is still fully functionnal, but it gets disconnected from the main bus, all memories are not reachable any more. The only memory preserved are the Data and instruction caches.
JTAG cache dumps
As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (Dcache only can be dumped, the Icache can only give the indexes).
We used some openocd and bash scripts. The command "dc" dumps the Dcache, "ic" shows the icache indexes. Be careful, these values can be corrupt due to the mem bus disconnection. We used statistics on many dumps to have helpful dumps (look at dumpsoorter.py).
Please note that the DLC5 cable was modified to include a nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTrst was simply tied to the 3.0V power supply, it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the ipod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery.
