Flashing an unknown eeprom (or Getting started with JTAG)


hevnsnt
Aug 16, 2012, 12:49:20 PM
to cc...@googlegroups.com
Hey all, I am hoping someone might have an answer for me, or at least point me in the right direction.

I recently acquired a few of these:
Inline image 2

Basically, what happens when you plug this device in is that it is identified as a HID device (keyboard); it then sends CTRL+ESC, then "R", and in the Run box types out a web address (www.buzzcard.us/mcafee) and hits Enter. I am working on a project for a submission for next year's Defcon, for which I was going to use a Teensy device to do something similar. As I need several of these devices for my project, these were an excellent find, because several Teensys get expensive, and several of these cards are very affordable (free).

As I disassembled the card, I found that these have what appears to be a 4-pin JTAG port for programming (seen closer below).
Inline image 1

At this time I am unable to read the markings on the EEPROM. I have a decent JTAG programmer (GoodFET 41), but my experience with JTAG programming is "hook this to this, and run this." I have never been on the exploratory and development side. So my question is: is there anyone who can assist me in reprogramming these devices, or at least get me started?

Thanks
-Bill


Paul Kenyon
Aug 16, 2012, 1:40:36 PM
to cc...@googlegroups.com
Usually devices of this type aren't EEPROM, they're usually either mask ROM or OTPROM.  If you're lucky the world has changed, and it is indeed flash/E^2.

The existence of programming/JTAG pins is a good sign though - it's a sign that it's not a mask ROM.  There is hardly anything you could do with a mask ROM as far as a hack.  If it's OTPROM, there are a few hacks.  First of all, if you're really clever, you can overwrite existing data.  OTPROM/EPROM works by electrically breaking links.  This is where the term "burning" comes from - a link is physically blown or burned.  In later iterations of the technology, the EPROM, this is actually done with a charge on silicon in the burning process.  It's reversible with ionization from UV light.  You always start with a field of one state and change to the other with a programming voltage, and reverse the process/clean the slate with the UV.  You can always open more links - changing zeros to ones.  This is where the hack comes in - with the right bit masking, you might get lucky and be able to make a change w/o erasing the chip.  I've actually done this in the field once.  Luckily, our engineer found a single line of code (in 8051 assembly language) to be changed, and the bitmasking allowed me to program over the existing ROM w/o erasing.  In this case, we were using cheap PROMs instead of EPROMs, and IIRC I didn't have a blank, so this saved me an extra road trip to Des Moines.  :-)

The other hack you can do is very hardware.  OTPROMs are typically EPROMs w/o a quartz window.  You might be able to physically remove the blob over the die.  This is a common hack.  You can chemically remove the epoxy w/o damaging the silicon die, and from there continue with your hardware hacks.  (Probing, re-routing, or _erasing the EPROM._  xD)  When you do this, be sure to shield the die, lest room light cause erratic operation.

Have phun!

-P

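Paul's "program over it without erasing" trick depends on the programmer only being able to move bits in one direction. The following is an added example, not code from the thread: a small Python check of whether a new image can be burned over an existing PROM image without an erase. The direction is a parameter because it depends on the part (Paul describes 0 -> 1; many EPROM families erase to all ones and program cells to 0), and the sample images are constructed.

```python
from typing import List, Tuple


def blocked_bits(old: bytes, new: bytes, programmed_bit: int = 1) -> List[Tuple[int, int]]:
    """Find every byte of `new` that cannot be reached from `old` by programming alone.

    A PROM programmer can only move a cell in one direction; moving it back
    needs a full erase (UV for a windowed EPROM, impossible for a one-time part).
    `programmed_bit` is the value a programmed cell takes: 1 in Paul's
    description, 0 for parts that erase to 0xFF (check the datasheet).
    Returns (offset, mask) pairs where `mask` marks the bits that would have
    to move the wrong way; an empty list means the overwrite is feasible.
    """
    if len(old) != len(new):
        raise ValueError("images must be the same length")
    blocked = []
    for offset, (o, n) in enumerate(zip(old, new)):
        if programmed_bit == 1:
            stuck = o & ~n & 0xFF   # bits already 1 that `new` wants as 0
        else:
            stuck = ~o & n & 0xFF   # bits already 0 that `new` wants as 1
        if stuck:
            blocked.append((offset, stuck))
    return blocked


def can_overwrite(old: bytes, new: bytes, programmed_bit: int = 1) -> bool:
    """True when `new` differs from `old` only in the programmable direction."""
    return not blocked_bits(old, new, programmed_bit)


def bytes_to_program(old: bytes, new: bytes) -> List[int]:
    """Offsets that actually change; only these cells need to be fed to the programmer."""
    return [i for i, (o, n) in enumerate(zip(old, new)) if o != n]


if __name__ == "__main__":
    # Constructed sample images (hypothetical bytes, not from any real device).
    old_image = bytes([0x02, 0x10, 0x00, 0x7F, 0x00])
    patch_ok = bytes([0x02, 0x10, 0x00, 0xFF, 0x00])   # bit 7 of byte 3: 0 -> 1
    patch_bad = bytes([0x02, 0x10, 0x00, 0x7E, 0x00])  # bit 0 of byte 3: 1 -> 0
    for label, new_image in (("patch_ok", patch_ok), ("patch_bad", patch_bad)):
        print(label, "feasible:", can_overwrite(old_image, new_image),
              "blocked:", blocked_bits(old_image, new_image),
              "program:", bytes_to_program(old_image, new_image))
```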

hevnsnt
Aug 16, 2012, 1:56:20 PM
to cc...@googlegroups.com
Well, all of that sounds way more involved than what I was looking for.  I would rather pony up the $$ for Teensys; removing the epoxy with chemicals is not what I am looking for.  This device identifies itself as a "webkey", and searching for "webkey +JTAG" brings up this page http://jjshortcut.wordpress.com/2011/09/26/webkey-hack/ where a guy used a Bus Pirate to do something similar. I would like to replicate his efforts.


Philip Dorr
Aug 16, 2012, 2:00:32 PM
to cc...@googlegroups.com

You may want to look at the USB Rubber Ducky by Hak5.


hevnsnt
Aug 16, 2012, 2:11:59 PM
to cc...@googlegroups.com
Yeah, I have one (in fact I contributed to that project), but once again I am looking for a cheap solution, as my plan is to lose a significant percentage of them.

I took apart all that I had (5 at the moment) to see if any of the chips had better paint markings... and success! I found one!
J24C02C
DP1D07
I have Googled it and not found any info. :(

Inline image 1


ax0n
Aug 16, 2012, 4:00:24 PM
to cc...@googlegroups.com
24C02 is a well-known I2C EEPROM chip.


I don't know the difference between JTAG and I2C, but it should be trivial to reprogram.
