217w ago - Developers at DemonHades have located and mapped the JTag Port on a PS3 Blu-ray drive board today.
To quote, roughly translated: I found the JTag port for the Blu-ray Reader on the PlayStation 3. Last night after finishing the research meeting I went looking for information about BD integrated reader.
In and looking at the information that I found on the back of the plate reader I saw that there is no connector terminals, these terminals belong to a connector which connects 'something' via terminals and through the Internet I found the points used in a JTag, including the TDO, TDI, TMS etc.
Originally developed for printed circuit boards, it is currently used for test of submodules of integrated circuits, and is also useful as a mechanism for debugging embedded applications, as it provides a backdoor to within the system.
When used as a debugging tool, an in-circuit emulator that uses JTag as the transport mechanism allows the programmer to access the debugging module that is integrated into the CPU. The debug module enables the programmer to correct their errors and code logic of their systems.
There are consumer products that have a JTag port integrated, so that the connections are often available on the PCB as part of the prototype phase of the product. These connections can provide a simple way to reverse-engineer.
As you can see we have a door strike to try to get the firmware, decrypted data, and all that is able to control the Blu-ray reader.
The data from this integrated JTag will CXD5063GG-1. CXD5063GG-1 = ASIC / CPU - Video Decryption Device Sony Computer Entertainment Inc., CXD5063GG-1, 2005 SCEI, 120,748 0608HAL.
Well - the post really isn't too clear - but the thing w/ JTAG lines, it requires multiple lines. If even just the right one is blown it will never work, sadly. Some clever people have gotten around this with other embedded devices by rewriting FW to allow output over a UART - but the catch was that the FW wasn't encrypted!
We can all hope that it does work, but in all of our tests - the JTAG was blown.
News coming from ubo on demonhades...
Test voltages and some info on jtag connections:
JTAG interface pins seem to range from 29 to 41, which, depending on the scheme, would be these:
The DBGRQ signal is used by the run control unit as a debug request signal to the target processor.
The DBGACK signal is used by some run control units to detect entry or exit from debug state.
TDI is the Test Data In signal from the run control unit to the target JTAG port.
RTCK is the Return Test Clock signal from the target JTAG port to the run control unit.
TCK is the Test Clock signal from the run control unit to the target JTAG port.
This signal is the Test Data Out from the target JTAG port to the run control unit.
TMS is the Test Mode Select signal from the run control unit to the target JTAG port.
This is an open collector output from the run control unit to the target system reset.
You must pull this pin HIGH on the target to avoid unintentional resets when there is no connection.
The nTRST is an open collector signal input from the run control unit to the Reset signal on the target JTAG port.
TDI (Test Data)
TDO (Test Data Output)
TCK (Test Clock)
TMS (Test Mode Select)
TRST (Test Reset) is optional
The voltages are obtained v 5.08 v 3.25, corresponding to the first 4 that are in the scheme, at No. 39 also have v. 3.25
Jtag seems that the connection is active, except that the voltage is there you can try to pin No. 37 NTRST = target system reset, if you make a bridge from that to another pin of the connector it resets the reader, as advised: do not accidentally give him as easy, if reading the disc to spin it off and turn the lens and begins to read it again, the same sequence as when you turn off and switch on or you turn off the reader, if this stand is put into operation again, we see and hear clearly is a "reset". At least at 1, 2, 3, 4 and 37 is what the outline says.
Before I leave the JTAG information that does not know the function of the port, taken from wiki.
JTAG, an acronym for Joint Test Action Group, is the common name used for the IEEE 1149.1 standard entitled Standard Test Access Port and Boundary-Scan Architecture for test access ports used to test PCBs using boundary scan.
JTAG was standardized in 1990 as IEEE Standard 1149.1-1990. In 1994 a supplement was added containing a description of the boundary scan description language (BSDL). Since then, this standard has been adopted by electronics companies worldwide. Currently, Boundary-scan and JTAG are synonymous.
Originally developed for printed circuit boards, it is currently used for test of submodules of integrated circuits, and is also useful as a mechanism for debugging embedded applications, as it provides a backdoor to within the system. When used as a debugging tool, an in-circuit emulator that uses JTAG as the transport mechanism allows the programmer to access the debugging module that is integrated into the CPU. The debug module enables the programmer to correct the code and logic errors of their systems.
A JTAG interface is a special interface of four or five pins added to a chip, designed so that multiple chips on a board can have their JTAG lines connected in a daisy chain, so that a JTAG test probe needs to connect only to a single "JTAG port" to access all chips on a printed circuit. The connector pins are:
1. TDI (Test Data)
2. TDO (Test Data Output)
3. TCK (Test Clock)
4. TMS (Test Mode Select)
5. TRST (Test Reset) is optional
Since it has a single line of data, the protocol is necessarily serial, like the Serial Peripheral Interface. The input clock signal is on the TCK pin. The device configuration is performed by manipulating a state machine one bit at a time through the TMS pin. One bit of data is loaded in on TDI and another shifted out on TDO for each pulse of the clock signal TCK. You can load different instruction modes, such as reading the chip ID, sampling the value of input/output pins, driving output pins, manipulating chip functions, or bypass functions that connect the TDI pin to TDO to logically shorten chains of multiple chips (chips in cascade). The working frequency of the clock signal on the TCK pin varies with each chip, but typically is in the range of 10-100 MHz (10-100ns/bit).
When boundary scan is performed on integrated circuits, the signals handled are between different functional blocks of the chip, rather than between different chips.
The TRST pin is an optional active-low signal to reset or restart the test logic (usually asynchronous, but sometimes synchronized with the clock, depending on the chip). If the pin is available, the test logic can be restarted by a reset instruction.
There are consumer products that have a JTAG port integrated, so that the connections are often available on the PCB as part of the prototype phase of the product. These connections can provide a simple way to reverse engineer.
The second photo is an enlargement of the area selected in the first image to locate the port.
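The serial protocol described in the quoted JTAG overview above (TMS steering the TAP state machine, one bit shifted per TCK pulse, reading the chip ID) can be traced in a small simulation. This is an added example, not code from the original posts or from DemonHades; `SimulatedTap` and its helpers are hypothetical names, the IDCODE value is constructed, and the model assumes a device that selects its IDCODE register after reset, as IEEE 1149.1 specifies for parts that implement IDCODE.

```python
# Minimal model of an IEEE 1149.1 TAP: TMS steers the state machine,
# one bit moves TDI -> register -> TDO per TCK pulse.
# NEXT[state] = (next state if TMS=0, next state if TMS=1)
NEXT = {
    "TLR":   ("RTI",   "TLR"),   "RTI":   ("RTI",   "SelDR"),
    "SelDR": ("CapDR", "SelIR"), "CapDR": ("ShDR",  "Ex1DR"),
    "ShDR":  ("ShDR",  "Ex1DR"), "Ex1DR": ("PauDR", "UpdDR"),
    "PauDR": ("PauDR", "Ex2DR"), "Ex2DR": ("ShDR",  "UpdDR"),
    "UpdDR": ("RTI",   "SelDR"), "SelIR": ("CapIR", "TLR"),
    "CapIR": ("ShIR",  "Ex1IR"), "ShIR":  ("ShIR",  "Ex1IR"),
    "Ex1IR": ("PauIR", "UpdIR"), "PauIR": ("PauIR", "Ex2IR"),
    "Ex2IR": ("ShIR",  "UpdIR"), "UpdIR": ("RTI",   "SelDR"),
}

class SimulatedTap:
    """Simulated device (hypothetical); after reset its data register is IDCODE."""
    def __init__(self, idcode, state="ShIR"):  # power-up state is unknown to the host
        self.idcode, self.state, self.dr = idcode, state, 0

    def clock(self, tms, tdi=0):
        """One TCK pulse: return TDO (None = not driven), then advance the state."""
        tdo = self.dr & 1 if self.state == "ShDR" else None
        if self.state == "CapDR":
            self.dr = self.idcode                    # parallel load of the register
        elif self.state == "ShDR":
            self.dr = (self.dr >> 1) | (tdi << 31)   # serial shift, LSB out first
        self.state = NEXT[self.state][tms]
        return tdo

def reset(tap):
    for _ in range(5):          # five TCKs with TMS=1 reach TLR from any state,
        tap.clock(1)            # which is why the TRST pin is optional
    return tap.state

def read_idcode(tap):
    reset(tap)
    for tms in (0, 1, 0, 0):    # TLR -> RTI -> SelDR -> CapDR -> ShDR
        tap.clock(tms)
    bits = [tap.clock(1 if i == 31 else 0) for i in range(32)]  # last bit exits
    tap.clock(1)                # Ex1DR -> UpdDR
    tap.clock(0)                # UpdDR -> RTI
    return sum(b << i for i, b in enumerate(bits))

def decode_idcode(v):
    return {"version": v >> 28, "part": (v >> 12) & 0xFFFF,
            "manufacturer": (v >> 1) & 0x7FF, "valid": bool(v & 1)}

CONSTRUCTED_IDCODE = 0x1ABCD247   # made-up value, not any real chip's ID
```
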
Looks like good news coming up... Hope it is not dead...
Hello ticos. It is with great joy to return to the news in our forum.
In the JTAG port of the PS3 BD ROM 3v mixed signals. Then it probably is not dead but we have to do more tests and will soon put photos here
Yop it was already dumped and as to same time the ps3 devs recognized that the bd fw is also present in the ps3 fw the guy who dumped the spansion stated that the encryption of the BD-FW will also be SHA256bit and he stopped his work.
No offence meant but sometimes it will be better to not let your enemy know that you're behind his backplate.