syncsrc / jtagsploitation

scripts and examples for using JTAG debug tools to gain root access
GNU General Public License v3.0

Problem with RPI2 JTAG enabling #3

Closed ankitamarwah closed 7 years ago

ankitamarwah commented 7 years ago

I went through the PDF and the link http://sysprogs.com/VisualKernel/tutorials/raspberry/jtagsetup/, which is specific to the RPi B (BCM2835) and not the RPi 2 (BCM2836), so I followed https://movr0.com/2015/10/15/how-to-jtag-raspberry-pi-2-without-custom-kernel/ and modified JtagEnabler.cpp for the RPi 2.

I am currently on Ubuntu 17 and OpenOCD 0.10 with an FT232H adapter for JTAG. I am getting this error:

```
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
adapter speed: 2000 kHz
adapter speed: 1000 kHz
adapter_nsrst_delay: 400
none separate
Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
Info : clock speed 1000 kHz
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: rpi2.dap: IR capture error; saw 0x0f not 0x01
Warn : Bypassing JTAG setup events due to errors
Warn : Invalid ACK 0x7 in JTAG-DP transaction
Warn : Invalid ACK 0x7 in JTAG-DP transaction
Warn : Invalid ACK 0x7 in JTAG-DP transaction
Warn : Invalid ACK 0x7 in JTAG-DP transaction
Warn : Invalid ACK 0x7 in JTAG-DP transaction
Warn : Invalid ACK 0x7 in JTAG-DP transaction
Warn : Invalid ACK 0x7 in JTAG-DP transaction
Warn : Invalid ACK 0x7 in JTAG-DP transaction
Warn : Invalid ACK 0x7 in JTAG-DP transaction
Warn : Invalid ACK 0x7 in JTAG-DP transaction
```

I am using this for ft232h.cfg:

```tcl
# ft232h.cfg as posted: a bare MPSSE layout, no reset signals declared
interface ftdi
ftdi_vid_pid 0x0403 0x6014

# ftdi_layout_init <data> <direction>: initial pin levels, and 1 = output.
# MPSSE fixes D0=TCK, D1=TDI, D2=TDO (input), D3=TMS; this file declares
# no ftdi_layout_signal for nTRST or nSRST.
ftdi_layout_init 0x0c08 0x0f1b
adapter_khz 2000
```

and this for the target:

```tcl
adapter_khz 1000
adapter_nsrst_delay 400
reset_config none

if { [info exists CHIPNAME] } {
    set _CHIPNAME $CHIPNAME
} else {
    set _CHIPNAME rpi2
}

#
# Main DAP
#
if { [info exists DAP_TAPID] } {
    set _DAP_TAPID $DAP_TAPID
} else {
    set _DAP_TAPID 0x4ba00477
}
jtag newtap $_CHIPNAME dap -irlen 4 -ircapture 0x01 -irmask 0xf -expected-id $_DAP_TAPID

# One cortex_a target per core, all behind the same DAP; the debug
# register base advances by 0x2000 per core.
set _TARGETNAME $_CHIPNAME.cpu.0
target create $_TARGETNAME cortex_a -chain-position $_CHIPNAME.dap -coreid 0 -dbgbase 0x80010000
set _TARGETNAME $_CHIPNAME.cpu.1
target create $_TARGETNAME cortex_a -chain-position $_CHIPNAME.dap -coreid 1 -dbgbase 0x80012000
set _TARGETNAME $_CHIPNAME.cpu.2
target create $_TARGETNAME cortex_a -chain-position $_CHIPNAME.dap -coreid 2 -dbgbase 0x80014000
set _TARGETNAME $_CHIPNAME.cpu.3
target create $_TARGETNAME cortex_a -chain-position $_CHIPNAME.dap -coreid 3 -dbgbase 0x80016000

# Attach the events to every core. As originally posted, the two
# `$_TARGETNAME configure` lines ran after the last `set`, so only
# cpu.3 got dbginit and the gdb-attach halt.
foreach _core {0 1 2 3} {
    $_CHIPNAME.cpu.$_core configure -event reset-assert-post "cortex_a dbginit"
    $_CHIPNAME.cpu.$_core configure -event gdb-attach { halt }
}
```

Where was I wrong?

securelyfitz commented 7 years ago

The first error is "Error: JTAG scan chain interrogation failed: all ones". This means TDO is always high, so either 1) TDO is not connected properly, 2) the rest of the JTAG pins are not connected properly so that there is no TDO output, or 3) the pins are connected properly but the RPI is not.

To check for case 1, connect your TDO pin to ground and run OpenOCD again. If it says "Error: JTAG scan chain interrogation failed: all zeros", then you know you have the right TDO pin.

To check for case 2, double/triple check your wiring, and if it looks good, get another device with JTAG on it to see if OpenOCD returns an IDCODE found.

Once you're sure you have cases 1 and 2 figured out, then it's time to debug the RPI2. I have not used the RPI2 with OpenOCD, only the Black Magic Probe. Take a look at https://github.com/esden/jtagsploitation for the RPI2 version. One of the first things I'd double check is that you changed the peri_base in jtagenabler.cpp.

-joe

ankitamarwah commented 7 years ago

Thanks for the fast response.

1. I tested TDO by putting it to GND and this is what I got:

```
Open On-Chip Debugger 0.10.0+dev-00143-gf6449a7c (2017-05-15-12:43)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
adapter speed: 1000 kHz
adapter speed: 1000 kHz
adapter_nsrst_delay: 400
none separate
Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
Info : clock speed 1000 kHz
Error: JTAG scan chain interrogation failed: all zeroes
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: rpi2.dap: IR capture error; saw 0x00 not 0x01
Warn : Bypassing JTAG setup events due to errors
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Invalid ACK (0) in DAP response
Error: Could not initialize the debug port
```

Yes, it does change to all zeros.

2. I have individually checked the continuity of the jumper cables separately and connected them. The wiring is proper.

[three photos of the wiring were attached to the original comment]

I have used the same adapter on my STM32F103 and it worked. [screenshot attached to the original comment]

3. I have changed PERI_BASE to 3F000000 and followed it to get the same output. [screenshot attached to the original comment]

Now the final error even after new CPP file.

```
Open On-Chip Debugger 0.10.0+dev-00143-gf6449a7c (2017-05-15-12:43)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
adapter speed: 1000 kHz
adapter speed: 1000 kHz
adapter_nsrst_delay: 400
none separate
Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
Info : clock speed 1000 kHz
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: rpi2.dap: IR capture error; saw 0x0f not 0x01
Warn : Bypassing JTAG setup events due to errors
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Error: Could not initialize the debug port
```

Is there a remote possibility that my RPI GPIO is fried?
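The PERI_BASE change discussed above (0x20000000 on the BCM2835, 0x3F000000 on the BCM2836) is the whole Pi-2-specific difference in the JTAG enabler: the code maps the GPIO block through /dev/mem and switches GPIO22..27 to their ALT4 function, which is where the ARM JTAG port lives. The program below is an added example written for this page, not the JtagEnabler.cpp from the tutorials or any code from the jtagsploitation repository. The file name `jtag_enable.c`, the model-number command-line argument and the `simulated_gpfsel2_after_enable` dry-run helper are this example's own; the pin table and register layout follow the BCM2835 peripherals manual (GPFSEL registers, ten pins per register, three bits per pin, ALT4 = 0b011).

```c
/*
 * jtag_enable.c (added example, not the tutorial's JtagEnabler.cpp):
 * switch GPIO22..27 to ALT4 (ARM JTAG) by writing the GPFSEL registers
 * through /dev/mem. The only Pi-2-specific change is the peripheral base.
 *
 * Build: gcc -O2 -Wall -o jtag_enable jtag_enable.c
 * Run:   sudo ./jtag_enable 2      (1 = BCM2835 Pi, 2 = BCM2836 Pi 2)
 */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define PERI_BASE_BCM2835 0x20000000u   /* Raspberry Pi 1 / Zero */
#define PERI_BASE_BCM2836 0x3F000000u   /* Raspberry Pi 2 */
#define GPIO_OFFSET       0x00200000u   /* GPIO block inside the peripheral window */
#define GPFSEL_COUNT      6             /* GPFSEL0..GPFSEL5, ten pins per register */
#define FSEL_ALT4         0x3u          /* 3-bit function-select code 0b011 = ALT4 */

/* ALT4 routes the ARM JTAG port to these pins (BCM2835 peripherals manual, GPIO alt table). */
struct jtag_pin { const char *name; unsigned gpio; };
static const struct jtag_pin JTAG_ALT4[] = {
    { "ARM_TRST", 22 }, { "ARM_RTCK", 23 }, { "ARM_TDO", 24 },
    { "ARM_TCK",  25 }, { "ARM_TDI",  26 }, { "ARM_TMS", 27 },
};
#define JTAG_PIN_COUNT (sizeof JTAG_ALT4 / sizeof JTAG_ALT4[0])

/* Peripheral base for a Pi model number (this example's own convention); 0 if unknown. */
uint32_t peri_base_for_model(int model)
{
    switch (model) {
    case 1:  return PERI_BASE_BCM2835;
    case 2:  return PERI_BASE_BCM2836;
    default: return 0;
    }
}

/* Return `reg` with the 3-bit function field of `gpio` replaced by `fsel`. */
uint32_t fsel_set(uint32_t reg, unsigned gpio, unsigned fsel)
{
    unsigned shift = (gpio % 10) * 3;
    return (reg & ~(7u << shift)) | ((fsel & 7u) << shift);
}

/* Read back the 3-bit function field of `gpio` from `reg`. */
unsigned fsel_get(uint32_t reg, unsigned gpio)
{
    return (reg >> ((gpio % 10) * 3)) & 7u;
}

/*
 * Switch every JTAG pin to ALT4 in a GPFSEL register array: the mapped GPIO
 * block on real hardware, or a plain array when simulating. Each register is
 * read once and written once. Returns how many pins were not already ALT4.
 */
int enable_jtag_alt4(volatile uint32_t *gpfsel)
{
    int changed = 0;
    for (size_t i = 0; i < JTAG_PIN_COUNT; i++) {
        unsigned gpio = JTAG_ALT4[i].gpio;
        uint32_t old = gpfsel[gpio / 10];
        if (fsel_get(old, gpio) != FSEL_ALT4) {
            gpfsel[gpio / 10] = fsel_set(old, gpio, FSEL_ALT4);
            changed++;
        }
    }
    return changed;
}

/* Dry run on an all-input register file; returns the resulting GPFSEL2 value. */
uint32_t simulated_gpfsel2_after_enable(void)
{
    uint32_t regs[GPFSEL_COUNT] = { 0 };
    enable_jtag_alt4(regs);
    return regs[2];   /* GPIO20..29 live in GPFSEL2 */
}

int main(int argc, char **argv)
{
    int model = argc > 1 ? atoi(argv[1]) : 2;
    uint32_t base = peri_base_for_model(model);
    if (base == 0) {
        fprintf(stderr, "usage: %s <1|2>  (Pi model; selects the peripheral base)\n", argv[0]);
        return 2;
    }

    int fd = open("/dev/mem", O_RDWR | O_SYNC);
    if (fd < 0) { perror("open /dev/mem (run as root)"); return 1; }

    void *map = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd,
                     (off_t)(base + GPIO_OFFSET));
    if (map == MAP_FAILED) { perror("mmap GPIO block"); close(fd); return 1; }

    int changed = enable_jtag_alt4((volatile uint32_t *)map);
    printf("peripheral base 0x%08x: %d JTAG pin(s) switched to ALT4\n", base, changed);
    for (size_t i = 0; i < JTAG_PIN_COUNT; i++)
        printf("  GPIO%u -> %s\n", JTAG_ALT4[i].gpio, JTAG_ALT4[i].name);

    munmap(map, 4096);
    close(fd);
    return 0;
}
```

Passing the wrong base is silent on the BCM2836: mapping 0x20200000 instead of 0x3F200000 does not fault, it just pokes the wrong physical page, which is exactly why the tutorial config "works" on a Pi B and yields "all ones" on a Pi 2. The dry-run helper lets you confirm the register arithmetic (GPFSEL2 should read 0x006DB6C0 with only the JTAG pins set) before touching /dev/mem.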

securelyfitz commented 7 years ago

Try using the following ft232h.cfg. The one you're using does not map the TRST pin. If that fails, try a different RPi 2.

```tcl
# config file for generic FT232H based USB-serial adaptor
# TCK:  D0
# TDI:  D1
# TDO:  D2
# TMS:  D3
# TRST: D4

interface ftdi
ftdi_vid_pid 0x0403 0x6014
adapter_khz 2000
ftdi_layout_init 0x0078 0x017b
ftdi_layout_signal nTRST -ndata 0x0010 -noe 0x0040
ftdi_layout_signal nSRST -ndata 0x0020 -noe 0x0040
transport select jtag

# references
# http://sourceforge.net/p/openocd/mailman/message/31617382/
# http://www.baremetaldesign.com/index.php?section=hardware&hw=jtag
```

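The difference between the two ft232h.cfg files in this thread is entirely in the bit masks: `ftdi_layout_init <data> <direction>` sets the initial level and direction of every adapter pin, and `ftdi_layout_signal nTRST -ndata ... -noe ...` tells OpenOCD which (active-low) bit drives TRST and which bit enables its output buffer. The checker below is an added example written for this page, not part of OpenOCD or the jtagsploitation repository. It transcribes the two posted configs into a struct (the constants `LAYOUT_ISSUE` and `LAYOUT_ANSWER` are this example's names for them) and reports what each encodes, so a missing reset signal is caught before anyone starts re-seating jumper wires. The MPSSE pin assignment it relies on (D0 TCK, D1 TDI, D2 TDO, D3 TMS) is fixed by the FTDI engine, not chosen by the config.

```c
/*
 * ftdi_layout_check.c (added example, not OpenOCD code): decode the masks
 * from an OpenOCD FT232H config and flag layouts that cannot drive TRST.
 *
 * Build: gcc -O2 -Wall -o ftdi_layout_check ftdi_layout_check.c && ./ftdi_layout_check
 */
#include <stdint.h>
#include <stdio.h>

/* MPSSE fixes the first four ADBUS pins; everything else is adapter layout. */
#define BIT_TCK (1u << 0)   /* D0 */
#define BIT_TDI (1u << 1)   /* D1 */
#define BIT_TDO (1u << 2)   /* D2, must be an input */
#define BIT_TMS (1u << 3)   /* D3 */

struct ftdi_layout {
    const char *name;
    uint16_t init_data;    /* ftdi_layout_init <data>: initial pin levels */
    uint16_t init_dir;     /* ftdi_layout_init <direction>: 1 = output */
    uint16_t ntrst_ndata;  /* ftdi_layout_signal nTRST -ndata mask, 0 if not declared */
    uint16_t ntrst_noe;    /* ftdi_layout_signal nTRST -noe mask, 0 if none */
};

enum layout_problem {
    PROBLEM_TDO_NOT_INPUT       = 1 << 0,
    PROBLEM_CORE_NOT_OUTPUT     = 1 << 1,
    PROBLEM_NO_NTRST            = 1 << 2,
    PROBLEM_NTRST_NOT_OUTPUT    = 1 << 3,
    PROBLEM_NTRST_ASSERTED_INIT = 1 << 4,
    PROBLEM_OE_NOT_OUTPUT       = 1 << 5,
};

/* Bitwise OR of layout_problem flags; 0 means the layout is self-consistent. */
unsigned check_layout(const struct ftdi_layout *l)
{
    unsigned p = 0;
    const uint16_t core_out = BIT_TCK | BIT_TDI | BIT_TMS;

    if (l->init_dir & BIT_TDO)                p |= PROBLEM_TDO_NOT_INPUT;
    if ((l->init_dir & core_out) != core_out) p |= PROBLEM_CORE_NOT_OUTPUT;

    if (l->ntrst_ndata == 0) {
        p |= PROBLEM_NO_NTRST;   /* OpenOCD has no pin it can pulse for TRST */
    } else {
        /* -ndata = active-low: the bit must be an output and sit at 1 (released) at init. */
        if ((l->init_dir  & l->ntrst_ndata) != l->ntrst_ndata) p |= PROBLEM_NTRST_NOT_OUTPUT;
        if ((l->init_data & l->ntrst_ndata) != l->ntrst_ndata) p |= PROBLEM_NTRST_ASSERTED_INIT;
        /* -noe = active-low output enable, driven together with the signal, so an output too. */
        if (l->ntrst_noe && (l->init_dir & l->ntrst_noe) != l->ntrst_noe) p |= PROBLEM_OE_NOT_OUTPUT;
    }
    return p;
}

/* The two ft232h.cfg variants from this issue, transcribed from the posted lines. */
const struct ftdi_layout LAYOUT_ISSUE  = { "issue ft232h.cfg",  0x0c08, 0x0f1b, 0x0000, 0x0000 };
const struct ftdi_layout LAYOUT_ANSWER = { "answer ft232h.cfg", 0x0078, 0x017b, 0x0010, 0x0040 };

static void report(const struct ftdi_layout *l)
{
    unsigned p = check_layout(l);
    printf("%-18s data=0x%04x dir=0x%04x -> ", l->name, l->init_data, l->init_dir);
    if (p == 0) { puts("ok: TDO input, TCK/TDI/TMS outputs, nTRST mapped and released"); return; }
    if (p & PROBLEM_TDO_NOT_INPUT)       printf("[TDO driven as output] ");
    if (p & PROBLEM_CORE_NOT_OUTPUT)     printf("[TCK/TDI/TMS not all outputs] ");
    if (p & PROBLEM_NO_NTRST)            printf("[no nTRST signal declared] ");
    if (p & PROBLEM_NTRST_NOT_OUTPUT)    printf("[nTRST bit is not an output] ");
    if (p & PROBLEM_NTRST_ASSERTED_INIT) printf("[nTRST held asserted at init] ");
    if (p & PROBLEM_OE_NOT_OUTPUT)       printf("[nTRST -noe bit is not an output] ");
    putchar('\n');
}

int main(void)
{
    report(&LAYOUT_ISSUE);
    report(&LAYOUT_ANSWER);
    return 0;
}
```

For the posted configs the checker reports only one finding on the original file, the missing nTRST signal, and passes the replacement: 0x017b marks D4 (0x0010) and the output-enable bit D6 (0x0040) as outputs, and 0x0078 starts both at 1, i.e. reset released. Extend `struct ftdi_layout` with the nSRST masks the same way if an adapter needs system reset checked as well.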
ankitamarwah commented 7 years ago

Thank you so much. It worked. :) Closing this issue.