t-hack.com

cancunia · 13. May 2009, 08:52

I read some posts from margadon that it is possible to JTAG direct to the chip, but could not find any details about how it was done. Any chance that we can get some info compiled on how-to? It seems clear that we'll need to JTAG to make any wider use of the boxes. From what I've read the same problem of missing JTag Headers exists on the X300 as the BT Vision box. I'lll be happy to pull any info together, and if it looks good, maybe even try my own box....

Thanks

is0-mick · 13. May 2009, 09:03

Hi,
Its in the WIKI

http://www.t-hack.com/wiki/index.php/EJTAG_on_SMP

Mick

cancunia · 13. May 2009, 10:47

hi Mick,

Yeah, I saw that, but it's just the pin-outs, which is for sure a good start. I thought there might be a special way of doing it, drilling holes perhaps. Also still the question of how to apply the 3,3v what resistors were used etc.

mce2222 · 14. May 2009, 11:33

there is no "easy" solution for the direct soldering.
however it is possible... there was a photo of a successful jtag soldering on the WIKI but I cannot find it anymore.

you need good equipment to get this done.... without a steady hand, a microscope and a very tiny soldering iron you should probably not even try to do it.
so this is not really usable for the masses, it is just a solution for a "hero-attack" where the jtag is only applied once to read out the flash and then analyse it to find any security holes.

is0-mick · 14. May 2009, 12:21

What may be useful, is to scrape the surface of the chip slightly and meter out from the known jtag pins to other points on the board to see if they go anywhere..

I did this myself to verify the JTAG Enable jumper on the 1st BT box I looked at.

Mick

andi · 14. May 2009, 12:47

Hi guys,

Quote from: mce2222 on 14. May 2009, 11:33

however it is possible... there was a photo of a successful jtag soldering on the WIKI but I cannot find it anymore.

This is the one: http://www.t-hack.com/wiki/index.php/Image:Pirelli_jtag_soldering.jpg

Quote from: mce2222 on 14. May 2009, 11:33

you need good equipment to get this done.... without a steady hand, a microscope and a very tiny soldering iron you should probably not even try to do it.

Yes, these are all prerequisites plus a lot of experience :-)

Btw. (off-topic, sorry) any new news i am not aware of?

cheers
andi

cancunia · 14. May 2009, 14:19

Wow, it's beyond my soldering abilities for sure! Thanks to andi for locating the link. I'll see if any of the tracks on the board look interesting but my guess is that for the majority of people we'll need to wait for a software solution.

is0-mick · 14. May 2009, 15:03

Unfortunately its doubtful a software solution will become available, unless there is some bootloader exploit in the signature check routine (buffer overflow or null bypass).

Mick

spazbob · 15. May 2009, 15:09

I have this problem as well

My soldering ain't bad but it ain't great...time to put my BTV box on eBay I guess.

JTAG Direct to Chip - Howto?