JTAG!!! Please work.

I got some time to finally take apart the second remote that I use at home for my TV. The one with the missing pad should still work fine in its place, so I’m not too worried about that. After scratching off the pad covering again, I wired everything up. This time I connected the TCK correctly and was ready to give communication another try. I set up my test application to do a couple of things. The most important was making a simple single-bit scan function. It basically just takes in the TMS and TDI values, and returns what comes back in TDO.

  UCHAR FakeJTAGScanSingleBit(FT_HANDLE ft_handle, UCHAR  TMS, UCHAR  TDI);

To make sure the TAP state was in test logic reset, I just sent 10 signals with TMS = 1. This ensures that no matter what state the TAP was in, it will get back to the reset state.

  [TMS,TDI] -> [1,0],  [1,0],  [1,0],  [1,0],  [1,0],  [1,0],  [1,0],  [1,0],  [1,0],  [1,0]

Then I tried to navigate the TAP state machine to the shift IR state.
Reset->Run Test Idle->Select DR Scan->Select IR Scan->Capture IR->Shift IR

  [TMS,TDI] -> [0,0], [1,0], [1,0], [0,0], [0,0]

I didn’t have any feedback at this point so I’m just assuming I am in the right place. I’m under the impression that if I’m in Shift IR, I can start shifting in bits with TDI, and I should see the same pattern come out on TDO. I decided to just send a bunch of 1s on TDI and see if TDO matched.

  [TMS,TDI] -> [0,1], [0,1], [0,1], [0,1], [0,1], [0,1], [0,1], [0,1], [0,1], [0,1], [0,1], [0,1], [0,1], [0,1]

It turns out it doesn’t work. It seems like the only time I get anything but a 0 on TDI is when the last signal had TMS=1.
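The TAP walk above is easy to check against a software model of the IEEE 1149.1 state machine. What follows is an added example, not code from the post: it replays the same reset, the same five-step path to Shift-IR and the same fourteen 1s against a model TAP. It assumes a 3-bit instruction register whose Capture-IR value is 0b001 and a placeholder FTDI pin mapping; neither comes from the MAXQ610 documentation (the standard fixes only the trailing `01` of the captured IR and the all-ones BYPASS code). Two things the model makes visible: in Shift-IR the first bits to appear on TDO are the value loaded during Capture-IR, and the TDI pattern only echoes back after `ir_length` clocks; and with BYPASS selected, a pattern shifted through Shift-DR comes back delayed by exactly one clock, which is the usual first check that a TAP is alive.

```python
"""Software model of an IEEE 1149.1 JTAG TAP controller.

Added example: replays the post's TMS/TDI sequences against a model TAP so the
TDO bits the standard predicts can be seen without hardware. Assumptions, not
taken from the MAXQ610 documentation: a 3-bit instruction register whose
Capture-IR value is 0b001 (the standard fixes only the trailing '01'), and the
FTDI pin mapping used by bitbang_bytes.
"""

# Next state as (on TMS=0, on TMS=1), from the 1149.1 state diagram.
TAP_NEXT = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}

RESET_SEQUENCE = [(1, 0)] * 10  # the post's 10 x TMS=1; five suffice from any state
PATH_TO_SHIFT_IR = [(0, 0), (1, 0), (1, 0), (0, 0), (0, 0)]  # the post's path to Shift-IR


class TapModel:
    """A TAP with one instruction register and the mandatory 1-bit BYPASS register."""

    def __init__(self, ir_length=3, ir_capture=0b001, start_state="Pause-DR"):
        self.ir_length = ir_length
        self.ir_capture = ir_capture
        self.state = start_state      # deliberately unknown, to show the reset works
        self.ir = (1 << ir_length) - 1
        self.shift = 0                # IR shift stage
        self.bypass = 0               # 1-bit BYPASS data register

    def clock(self, tms, tdi):
        """One TCK pulse: return the TDO bit valid before the rising edge, then
        apply TMS/TDI as the TAP does on that edge."""
        if self.state == "Shift-IR":
            tdo = self.shift & 1      # IR shifts out LSB first
            self.shift = (self.shift >> 1) | (tdi << (self.ir_length - 1))
        elif self.state == "Shift-DR":
            tdo = self.bypass         # BYPASS: TDI reappears on TDO one clock later
            self.bypass = tdi
        else:
            tdo = 0                   # TDO is inactive (high-Z) outside the shift states
        self.state = TAP_NEXT[self.state][tms]
        if self.state == "Capture-IR":
            self.shift = self.ir_capture
        elif self.state == "Update-IR":
            self.ir = self.shift
        elif self.state == "Capture-DR":
            self.bypass = 0           # BYPASS captures a constant 0
        elif self.state == "Test-Logic-Reset":
            self.ir = (1 << self.ir_length) - 1
        return tdo

    def run(self, sequence):
        """Clock a list of (TMS, TDI) pairs and collect TDO."""
        return [self.clock(tms, tdi) for tms, tdi in sequence]


def replay_post_sequences(ir_length=3):
    """Reset, walk to Shift-IR, then shift fourteen 1s, exactly as the post did."""
    tap = TapModel(ir_length=ir_length)
    tap.run(RESET_SEQUENCE)
    after_reset = tap.state
    tap.run(PATH_TO_SHIFT_IR)
    at_shift_ir = tap.state
    ir_tdo = tap.run([(0, 1)] * 14)   # first ir_length bits are the captured IR, then the 1s
    return after_reset, at_shift_ir, ir_tdo


def bypass_loopback(pattern, ir_length=3):
    """Load BYPASS (all ones, mandated by the standard) and stream a pattern through
    its 1-bit register; a live TAP returns the pattern delayed by one clock."""
    tap = TapModel(ir_length=ir_length)
    tap.run(RESET_SEQUENCE + PATH_TO_SHIFT_IR)
    tap.run([(0, 1)] * (ir_length - 1))                # all but the last IR bit
    # last IR bit while leaving Shift-IR, then Update-IR, Select-DR-Scan, Capture-DR, Shift-DR
    tap.run([(1, 1), (1, 0), (1, 0), (0, 0), (0, 0)])
    tdo = tap.run([(0, bit) for bit in pattern])
    return tdo, tap.ir


# Placeholder FTDI bit-bang pin mapping (assumed, not from the post).
PIN_TCK, PIN_TDI, PIN_TMS = 0x01, 0x02, 0x08


def bitbang_bytes(tms, tdi):
    """The three port writes behind one scan bit: data set up with TCK low,
    TCK high (the TAP samples TMS/TDI), TCK low again (TDO becomes valid)."""
    data = (PIN_TMS if tms else 0) | (PIN_TDI if tdi else 0)
    return [data, data | PIN_TCK, data]
```

TDO is modelled as 0 outside the two shift states because the standard leaves the pin inactive there; on real hardware it is high-impedance and a host reads whatever the pull resistor gives it, which matters when interpreting bits read outside Shift-IR or Shift-DR.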

Jtag Output

After playing with it for over an hour, I still haven’t figured out why I’m having this problem. I tried tweaking the data I was sending to send only a single signal instead of 3 with the clock in the middle. This didn’t seem to work.

I need to go back and look at the code to make sure it’s doing what I think it is doing. Since all the signals seem to be output correctly, I wonder if the JTAG on this device is just disabled. If that is the case there isn’t much more I can do. However, I’m not giving up yet. I have some folks that know a lot more about JTAG that I can ask for help. Maybe I’m missing something obvious.

I’m also going to go back and read the entire section of the MAXQ610 user manual and hope that there is something in there that gives me a clue as to why things are not working. During the week I don’t have a lot of time to work on this, so I probably will not be able to try anything until at least next weekend.

Although I haven’t yet made any interesting discoveries, I still feel that this is a great learning experience. I’ve never had the chance to work on a hardware hack that someone didn’t already do and explain how to get it to work. It’s fun trying different things and seeing what happens. I never would have tried any JTAG stuff because I always assumed it was super complicated and would take forever to understand. It turns out the concepts aren’t too bad, and if you can find someone that has worked with it before it can be fairly simple.

Now that I’ve got my hands on a second remote, I can finally laugh at what happened last week with the ripped off pad. Here is a photo to remember the first fallen remote of this project. RIP.

Missing Pad

Why so cheap???

I decided it was time to get to work and try to learn something new about this device and JTAG. I’ve never used a JTAG interface before, so why not just jump right in. I started by watching this video by Felix Domke; it explained the concept, the basics of using the JTAG interface, and how most hardware doesn’t bother disabling it.

First things first… Even though the pads are clearly labeled on the board, I wanted to find more information on the chip that was being used in the remote. The MAXQ610, a 16-Bit Microcontroller with Infrared Module. Doesn’t that just roll off the tongue?

More Info: http://www.maxim-ic.com/datasheet/index.mvp/id/5939
Data Sheet: http://datasheets.maxim-ic.com/en/ds/MAXQ610.pdf
User Guide: http://pdfserv.maxim-ic.com/en/an/AN4812.pdf
Other Documents: http://www.maxim-ic.com/datasheet/index.mvp/id/5939/t/do

MAXQ610 Pinout

I was psyched to get started, so I got my soldering iron out, my wires all cut and ready, and began connecting wires to my JTAG programmer. It didn’t take long to get it all hooked up, and after some programmer issues, I was up and running with a small test app using the FTDI drivers and libraries directly from http://www.ftdichip.com/Drivers/D2XX.htm. I tried doing some simple stuff like navigating the JTAG TAP. It didn’t seem to work, though. I tried several things, reading in streams of 1’s, reading in streams of 0’s; none of it seemed to work. I guess it’s time to check the signals.

I hooked up the scope with the intent of probing each signal to make sure it was getting to the board. In doing so I noticed that I forgot to hook up the TCK connection, and that totally explained why nothing was happening. Without clocking, the process cannot move forward. As I reached for another piece of wire to connect TCK, the probe that was connected to my TMS pin fell off the table and ripped the pad off the remote board. ARGGGggggg.

Well I guess I’m done for the day until I go get another remote to start over with.

Where is the Media Center Button???

About a year ago I moved to using Windows Media Center for my TV viewing at home. I planned on using the Xbox 360 as an extender, and was just stuck waiting for my backordered Ceton tuner to arrive. After months of waiting it showed up at my door, and the rest is history.

Xbox 360 Media Remote

Fast forward to last month… I got my hands on the new Xbox 360 Media Remote, and loved the new look, the feel of the buttons, and the size. Something was missing, though: I had become used to the Big Green Button on my other remote jumping right into Media Center. This remote had no Big Green Button; it had a Live TV button, but that didn’t do anything useful. After being frustrated for a month with this design, I decided I’m going to try to make it better.

I don’t know a lot about hardware hacking, but I’ve replicated some hacks in the past done by other smart people. This device is small, cheap, and probably fairly simple in design. The price tag and complexity make this an ideal learning experience for me. So I got my screwdrivers and camera out, and began tearing it apart.

Media Remote Guts

Six screws on the back of the remote, and the thing popped right open. Wow, pretty empty inside: a single board, no wires, nothing fancy at all. I tried to get some pictures to reference, so that it would be a bit easier to inspect than trying to read the tiny print and follow traces on the actual device. To my surprise they didn’t come out too bad, and I was able to clearly see several areas of interest: RX/TX pins, and what appears to be a clearly labeled JTAG interface. (Click image for GIANT size)

I immediately went to work with a razor blade, scraping off the black covering to expose all the pads on the board. It appears Microsoft has pulled every pin that might be interesting out to an easily accessible location. The black covering scrapes off fairly easily as well. It is pretty clear that these boards were made as cheaply as possible, though; they are paper thin. That doesn’t matter, it just means that hopefully they were cheap on the security of the chip as well.