how to sniff Serial Wire Debug?


Mykle James Hansen

Aug 15, 2021, 3:10:47 PM
to dorkbotpd...@googlegroups.com
Hi all,

Yet another request for advice!

As I hack on my Pocket Operator daughterboard, I keep wishing
there was some way that my board could communicate
with the EFM32 MCU on the Pocket Operators. The MCU debug/flash
pins are exposed on them — see here for details:

http://hackingthepo.weebly.com/

OTOH the author of that page found that the debug interface
was locked at the factory, so normal poking-around in the MCU is probably
not an option.

But I’m just wondering if there’s any
information at all available on these four pins
(SWCLK, SWDIO, SWO, RESET). The tiniest clue might be useful for
determining, for instance, which of the 10 different
Pocket Operator models I’m talking to. Maybe something
is reported after reset, somehow?

I admit I'm puzzled where to start with this, even,
although I’ve used protocol analyzers for network traffic,
and I imagine similar things might exist for bus traffic.

Should I borrow a logic analyzer? Do I need a JTAG
reader or a SerialWire bridge? (And is that a piece of
hardware, or software, or both?)

How would a smart hardware hacker approach this problem?

-mykle-

Joseph FitzPatrick

Aug 15, 2021, 3:25:10 PM
to dorkbotpd...@googlegroups.com
That page says "The original firmware is locked. Once a new firmware is flashed, it is not possible to restore the original one!"

That most likely means SWD is there and operational, but they have set a configuration bit in the microcontroller preventing users from dumping the firmware in an attempt to prevent people from copying the firmware and cloning the device. Most of the time there's nothing stopping you from completely erasing the firmware, clearing the read-only bit, and programming custom firmware to the device.

Sometimes that means JTAG/SWD still works for debugging, but not for reading flash. Sometimes it means they disable debugging too. Sometimes it means they completely disable the SWD/JTAG pins.

Assuming it's not completely disabled, you'll need a JTAG/SWD controller. The easiest answer is probably @esden's Black Magic Probe which supports the EFM32: https://1bitsquared.com/products/black-magic-probe
My personal favorite, however, is Tigard plus OpenOCD software https://github.com/tigard-tools/tigard.

Either combination (as well as more or less expensive alternatives to both) should give you some level of control over the device.

SWD and JTAG are both debug interfaces - they're typically silent in normal operation, so a logic analyzer won't tell you any more info until you attach your JTAG/SWD controller. You could plug a logic analyzer in while using a blackmagic probe or tigard and watch the SWD happen - but in that case you're typically already 'in control' of the interface and you don't really need to observe it with a LA. If you're trying to debug connectivity issues, then a logic analyzer might help. Another shameless plug - bitmagic https://1bitsquared.com/collections/embedded-hardware/products/bitmagic-basic works with the open-source pulseview https://sigrok.org/wiki/PulseView software. It's what I choose to use in my classes because it's inexpensive (compared to Saleaes) but also a bit more robust than the $10 aliexpress knockoffs.

Hope that helps,
-joe


Mykle James Hansen

Aug 15, 2021, 7:48:36 PM
to dorkbotpd...@googlegroups.com

Joseph FitzPatrick <joe...@joefitz.net>: Aug 15 12:24PM -0700:

> Assuming it's not completely disabled, you'll need a JTAG/SWD controller.
> The easiest answer is probably @esden's Black Magic Probe which supports
> the EFM32: https://1bitsquared.com/products/black-magic-probe
> My personal favorite, however, is Tigard plus OpenOCD software
> https://github.com/tigard-tools/tigard.

OpenOCD! Okay, that looks like it’s got plenty to play around with.

Thing is, I already built this board with a Teensy with USB on it,
with all of the SWD pins attached to GPIO pins on the Pocket Operator.
So in theory my board could be the SWD controller btwn the EFM32 and OpenOCD, right?

I’m trying to find some open-source example of how exactly one of those
controllers translates between the pins and USB. Your link to the Tigard
repo on GitHub seems to only contain the KiCad files.
Is the firmware available somewhere to look at?

> SWD and JTAG are both debug interfaces - they're typically silent in normal
> operation, so a logic analyzer won't tell you any more info until you
> attach your JTAG/SWD controller. You could plug a logic analyzer in while
> using a blackmagic probe or tigard and watch the SWD happen - but in that
> case you're typically already 'in control' of the interface and you don't
> really need to observe it with a LA. If you're trying to debug connectivity
> issues, then a logic analyzer might help. Another shameless plug - bitmagic
> https://1bitsquared.com/collections/embedded-hardware/products/bitmagic-basic
> works with the open-source pulseview https://sigrok.org/wiki/PulseView
> software. It's what I choose to use in my classes because it's inexpensive
> (compared to Saleaes) but also a bit more robust than the $10 aliexpress
> knockoffs.

Sigrok — that looks like the ticket! Sounds like I could solder the pogo connector I
use for the PO directly to the BitMagic and see something right away.

I want to try out PulseView … although I see they distribute an unsigned app,
and their Jenkins server is exposed to the entire internet, so I’m a little bit
nervous to actually open it! Do you know if the developers publish an MD5 hash or
some other signature for the downloadables, just so I can be sure it hasn’t
been tampered with?

> Hope that helps,

Tons! Much thanks,

-m-

Joseph FitzPatrick

Aug 15, 2021, 8:01:54 PM
to dorkbotpd...@googlegroups.com
> Thing is, I already built this board with a Teensy with USB on it,
> with all of the SWD pins attached to GPIO pins on the Pocket Operator.
> So in theory my board could be the SWD controller btwn the EFM32 and OpenOCD, right?

You might take a peek at the Black Magic Probe's code, which implements SWD and JTAG on a microcontroller: https://github.com/blacksphere/blackmagic
If you do opt to use a separate SWD controller, it should be no problem as long as you put the Teensy pins in high-Z mode.

> I’m trying to find some open-source example of how exactly one of those
> controllers translates between the pins and USB. Your link to the Tigard
> repo on GitHub seems to only contain the KiCad files.
> Is the firmware available somewhere to look at?

My favorite part about Tigard is I didn't have to write any firmware. It's a dumb USB-to-GPIO board, and all the logic lives in OpenOCD. The readme has instructions and a config file for using OpenOCD SWD.

> I want to try out PulseView … although I see they distribute an unsigned app,
> and their Jenkins server is exposed to the entire internet, so I’m a little bit
> nervous to actually open it! Do you know if the developers publish an MD5 hash or
> some other signature for the downloadables, just so I can be sure it hasn’t
> been tampered with?

Since Ubuntu 20.04 came out I've only just installed from the package manager; prior to that I built from source, so unfortunately I don't have an answer for you there.

> Tons! Much thanks,

Glad to help!!

-joe
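
The framing that an SWD controller on GPIO pins (such as the Teensy discussed above) has to produce and parse, as an added example that is not part of the thread and is not taken from Black Magic Probe or OpenOCD: it builds the 8-bit SWD request and decodes the ACK, data and parity of a read reply as defined in ARM ADIv5. The function names and the sample DPIDR value are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ACK as its three bits arrive on SWDIO, first bit = bit 0 (ARM ADIv5).
 * 7 means the line stayed high: nothing answered the request. */
enum { SWD_ACK_OK = 1, SWD_ACK_WAIT = 2, SWD_ACK_FAULT = 4, SWD_ACK_NONE = 7 };

static unsigned parity32(uint32_t v) {
    v ^= v >> 16; v ^= v >> 8; v ^= v >> 4; v ^= v >> 2; v ^= v >> 1;
    return v & 1u;
}

/* Request byte, clocked out LSB first:
 * Start(1) APnDP RnW A[2] A[3] Parity Stop(0) Park(1). */
uint8_t swd_request(int ap, int read, uint8_t addr) {
    uint8_t body = (uint8_t)((ap ? 1 : 0) | (read ? 2 : 0) | (addr & 0xC));
    return (uint8_t)(0x81u | (body << 1) | (parity32(body) << 5));
}

/* Decode a read reply from SWDIO samples (one per SWCLK cycle, starting at
 * the first ACK bit after turnaround): 3 ACK bits, 32 data bits, 1 parity.
 * Returns the ACK value, or -1 for a short capture or bad data parity. */
int swd_decode_read(const uint8_t *bits, size_t n, uint32_t *data) {
    if (n < 3) return -1;
    int ack = (bits[0] & 1) | ((bits[1] & 1) << 1) | ((bits[2] & 1) << 2);
    if (ack != SWD_ACK_OK) return ack;   /* no data phase by default */
    if (n < 36) return -1;
    uint32_t v = 0;
    for (int i = 0; i < 32; i++) v |= (uint32_t)(bits[3 + i] & 1u) << i;
    if (parity32(v) != (bits[35] & 1u)) return -1;
    *data = v;
    return ack;
}

/* Constructed sample: build the 36 samples of an OK reply carrying `value`,
 * optionally flip one sample, then decode. Returns 0 if decoding fails. */
uint32_t swd_demo(uint32_t value, int flip_bit) {
    uint8_t bits[36] = {1, 0, 0};
    uint32_t out = 0;
    for (int i = 0; i < 32; i++) bits[3 + i] = (uint8_t)((value >> i) & 1u);
    bits[35] = (uint8_t)parity32(value);
    if (flip_bit >= 0 && flip_bit < 36) bits[flip_bit] ^= 1;
    return swd_decode_read(bits, 36, &out) == SWD_ACK_OK ? out : 0;
}

int main(void) {
    printf("DPIDR read request: 0x%02X\n", swd_request(0, 1, 0x0));
    printf("decoded sample:     0x%08X\n", (unsigned)swd_demo(0x2BA01477u, -1));
    return 0;
}
```

The same decoder can be fed SWDIO samples exported from a logic analyzer capture, which is a quick way to tell a parity or wiring problem from a target that is not answering at all.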