@mbrugman could you please share logic analyzer signals graph with decoder when messing with DirtyJTAG and physical steps what done when like when you power on when you issue cable dirtyjtag etc.
Thanks in advance! No rush
Edit: And me I think I will try with some simplier target that is not a brick at the moment.
@AreYouLoco - Here’s some data for you!
The target device is an Atmel ATMega64a.
There wasn’t much action on the logic analyzer when I powered up the target or t he BP, so I won’t bother with that.
┌──(matty💊s76)-[~/data/projects/BusPirate5-firmware]
└─$ sudo jtag
UrJTAG 2021.03 #d9a2943f
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors
UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.
warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.
jtag> cable dirtyjtag
jtag>
Logic analyzer:
It’s pretty clear what’s happening there.
jtag> detect
IR length: 4
Chain length: 1
Device Id: 01011001011000000010000000111111 (0x5960203F)
Manufacturer: Atmel (0x03F)
Part(0): ATMega64a (0x9602)
Stepping: A
Filename: /usr/local/share/urjtag/atmel/atmega64a/atmega64a
jtag>
And the Logic Analyzer shows a lot!
Here’s the protocol analysis from the detect:
| name | type | start_time | duration | value |
|---|---|---|---|---|
| JTAG | v1frame | 0 | 1.228266188 | Run-Test/Idle |
| JTAG | v1frame | 1.22826625 | 0.000009937 | Select-DR-Scan |
| JTAG | v1frame | 1.22827625 | 0.000009875 | Select-IR-Scan |
| JTAG | v1frame | 1.228286187 | 0.000074813 | Test-Logic-Reset |
| JTAG | v1frame | 1.228361063 | 0.000082312 | Run-Test/Idle |
| JTAG | v1frame | 1.228443437 | 0.000009938 | Select-DR-Scan |
| JTAG | v1frame | 1.228453438 | 0.00011975 | Select-IR-Scan |
| JTAG | v1frame | 1.22857325 | 0.000009937 | Capture-IR |
| JTAG | v1frame | 1.22858325 | 0.087783187 | Shift-IR …0x0E000D000C000B000A0009000800070006000500040003000200010002001002 …0xE000D000C000B000A00090008000700060005000400030002000100020010021 |
| JTAG | v1frame | 1.3163665 | 0.000064813 | Exit1-IR |
| JTAG | v1frame | 1.316431375 | 0.000054875 | Update-IR |
| JTAG | v1frame | 1.316486312 | 0.000059812 | Run-Test/Idle |
| JTAG | v1frame | 1.316546187 | 0.000074813 | Select-DR-Scan |
| JTAG | v1frame | 1.316621063 | 0.000009937 | Capture-DR |
| JTAG | v1frame | 1.316631062 | 0.065983375 | Shift-DR …0xD0320C02E0B02A0A026090220801E0701A06016050120400E0300A0200601002 …0xA0641805C160541404C120441003C0E0340C02C0A0240801C060140400C02004 |
| JTAG | v1frame | 1.3826145 | 0.000009937 | Exit1-DR |
| JTAG | v1frame | 1.3826245 | 0.000009937 | Update-DR |
| JTAG | v1frame | 1.3826345 | 0.000009875 | Select-DR-Scan |
| JTAG | v1frame | 1.382644437 | 0.000009937 | Select-IR-Scan |
| JTAG | v1frame | 1.382654438 | 0.000022438 | Test-Logic-Reset |
| JTAG | v1frame | 1.382676938 | 0.000039812 | Run-Test/Idle |
| JTAG | v1frame | 1.382716813 | 0.000094812 | Select-DR-Scan |
| JTAG | v1frame | 1.382811688 | 0.000009937 | Capture-DR |
| JTAG | v1frame | 1.382821687 | 0.006087563 | Shift-DR 0x1FFFFFFFFFFFFFFFF 0x1FFFFFFFF5960203F |
| JTAG | v1frame | 1.388909313 | 0.000057375 | Exit1-DR |
| JTAG | v1frame | 1.38896675 | 0.000062312 | Update-DR |
| JTAG | v1frame | 1.389029125 | 0.000032438 | Run-Test/Idle |
| JTAG | v1frame | 1.389061625 | 0.000009875 | Select-DR-Scan |
| JTAG | v1frame | 1.389071563 | 0.000079812 | Select-IR-Scan |
| JTAG | v1frame | 1.389151438 | 0.000009938 | Capture-IR |
| JTAG | v1frame | 1.389161438 | 0.000192125 | Shift-IR 0x2 0x1 |
| JTAG | v1frame | 1.389353625 | 0.000059813 | Exit1-IR |
| JTAG | v1frame | 1.3894135 | 0.000204625 | Update-IR |
| JTAG | v1frame | 1.389618187 | 0.00012725 | Run-Test/Idle |
| JTAG | v1frame | 1.3897455 | 0.000167188 | Select-DR-Scan |
| JTAG | v1frame | 1.38991275 | 0.000009875 | Capture-DR |
| JTAG | v1frame | 1.389922687 | 0.002423562 | Shift-DR 0x0000000000000000000000000000000000000000000000000000 0x01010044023581000049249200D1830552402492490492492012 |
| JTAG | v1frame | 1.392346312 | 0.000064813 | Exit1-DR |
| JTAG | v1frame | 1.392411188 | 0.000054875 | Update-DR |
| JTAG | v1frame | 1.392466125 | 0.000064812 | Run-Test/Idle |
| JTAG | v1frame | 1.392531 | 0.000009937 | Select-DR-Scan |
| JTAG | v1frame | 1.392541 | 0.000079812 | Select-IR-Scan |
| JTAG | v1frame | 1.392620875 | 0.000009875 | Capture-IR |
| JTAG | v1frame | 1.392630812 | 0.000149688 | Shift-IR 0xF 0x1 |
| JTAG | v1frame | 1.392780563 | 0.000062375 | Exit1-IR |
| JTAG | v1frame | 1.392843 | 0.000057312 | Update-IR |
That’s a lot of stuff. I’ve attached a .zipfile that has the two logic analyzer traces and a .csv of the protocol analysis of the detect. You should be able to open the .sal files in Logic 2 from Saleae.
dirtyJTAG_Saleae.zip (15.2 KB)
Thank you a lot! I will analyze it and compare to what I get now.
I have one saved capture from where it seems to worked once. Also will compare. It seems I am not passing by Capture IR → shift ir → and there is no Exit IR but just logic reset all the way further. Might indicate that I am not really activating JTAG mode at all with my latest tries. The board might be dead as well. Or cleaned content of a flash for sure. Because there is nothing on display any longer.
Ekhhh. One to break one to hack one for reference mantra.
