JTag Port on PS3 Blu-ray Drive Board Located and Mapped

250w ago - Developers at DemonHades have located and mapped the JTag Port on a PS3 Blu-ray drive board today.

To quote, roughly translated: I found the JTag port for the Blu-ray Reader on the PlayStation 3. Last night after finishing the research meeting I went looking for information about BD integrated reader.

In and looking at the information that I found on the back of the plate reader I saw that there is no connector terminals, these terminals belong to a connector which connects 'something' via terminals and through the Internet I found the points used in a JTag, including the TDO, TDI, TMS etc.

Originally developed for printed circuit boards, it is currently used for test of submodules of integrated circuits, and is also useful as a mechanism for debugging embedded applications, as it provides a backdoor to within the system.

When used as a debugging tool, an in-circuit emulator that uses JTag as the transport mechanism allows the programmer to access the debugging module that is integrated into the CPU. The debug module enables the programmer to correct their errors and code logic of their systems.

There are consumer products that have a JTag port integrated, so that the connections are often available on the PCB as part of the prototype phase of the product. These connections can provide a simple way to reverse-engineer.

As you can see we have a door strike to try to get the firmware, decrypted data, and all that is able to control the Blu-ray reader.

The data from this integrated JTag will CXD5063GG-1. CXD5063GG-1 = ASIC / CPU - Video Decryption Device Sony Computer Entertainment Inc., CXD5063GG-1, 2005 SCEI, 120,748 0608HAL.

50 Comments

#40 - CJPC - 249w ago
Well - the post really isn't too clear - but the thing w/ JTAG lines, it requires multiple lines. If even just the right one is blown it will never work, sadly. Some clever people have gotten around this with other embedded devices by rewriting FW to allow output over a UART - but the catch was that the FW wasn't encrypted!

We can all hope that it does work, but in all of our tests - the JTAG was blown.

#39 - SCE - 249w ago
News coming from ubo on demonhades...

The voltages are obtained v 5.08 v 3.25, corresponding to the first 4 that are in the scheme, at No. 39 also have v. 3.25

Jtag seems that the connection is active, except that the voltage is there you can try to pin No. 37 NTRST = target system reset, if you make a bridge from that to another pin of the connector it resets the reader, as advised: do not accidentally give him as easy, if reading the disc to spin it off and turn the lens and begins to read it again, the same sequence as when you turn off and switch on or you turn off the reader, if this stand is put into operation again, we see and hear clearly is a "reset". At least at 1, 2, 3, 4 and 37 is what the outline says.

Before I leave the JTAG information that does not know the function of the port, taken from wiki.

JTAG, an acronym for Joint Test Action Group, is the common name used for the IEEE 1149.1 standard entitled Standard Test Access Port and Boundary-Scan Architecture for test access ports used to test PCBs using boundary scan.
JTAG was standardized in 1990 as IEEE Standard 1149.1-1990. In 1994 a supplement was added containing a description of the boundary scan description language (BSDL). Since then, this standard was adopted by electronics companies worldwide. Currently, Boundary-scan and JTAG are synonymous.

Originally developed for printed circuit boards, it is currently used for test of submodules of integrated circuits, and is also useful as a mechanism for debugging embedded applications, as it provides a backdoor to within the system. When used as a debugging tool, an in-circuit emulator that uses JTAG as the transport mechanism allows the programmer to access the debugging module that is integrated into the CPU. The debug module enables the programmer to correct their mistakes and logic of their code system.

A JTAG interface is a special interface for four or five pins attached to a chip, designed so that multiple chips on a board can have their JTAG lines connected in daisy chain, so that a JTAG test probe needs to connect to a single "JTAG port" to access all chips on a printed circuit. The connector pins are:

1. TDI (Test Data)
2. TDO (Test Data Output)
3. TCK (Test Clock)
4. TMS (Test Mode Select)
5. TRST (Test Reset) is optional

Since it has a single line of data, the protocol is necessarily serial, as the Serial Peripheral Interface. The input clock signal is on pin TCK. The device configuration is performed by manipulating a state machine a bit at TMS pin. One bit of data is loaded into another from TDI and TDO for each pulse in clock signal TCK. You can load different mode of instruction such as reading the chip ID, sample the value pin input / output, output pins to handle, manipulate chip functions, or functions of bypass connecting the TDI pin TDO to logically shorten chains multiple chips (chips in cascade). The working frequency of the clock signal TCK pin varies with each chip, but typically is in the range of 10-100 MHz (10-100ns/bit).

When done performing boundary scan integrated circuits, signals are handled between different functional blocks of the chip, rather than between different chips.

The TRST pin is an optional low-active signal to reset or restart of the test logic (usually asynchronous, but sometimes that is synchronized with the clock, depending on the chip). If the pin is available, the logical test can be restarted by a reset instruction.

There are consumer products that have a JTAG port integrated, so that the connections are often available on the PCB as part of the prototype phase of the product. These connections can provide a simple way to reverse engineer.

The second photo is an enlargement of the area selected in the first image to locate the port.
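
The TMS-driven state machine, the one-bit-per-TCK shifting and the IDCODE/BYPASS behaviour summarised in the JTAG description above, as an added example that is not part of the original thread: a C simulation of the IEEE 1149.1 TAP controller that enumerates a daisy chain by scanning the data register after reset. The three chips and their ID values are constructed for the simulation and do not describe any real board.

```c
#include <stdint.h>
#include <stdio.h>
/* IEEE 1149.1 TAP states; next_state[s][tms] rows follow the enum order. */
enum tap { TLR, RTI, SEL_DR, CAP_DR, SH_DR, EX1_DR, PAU_DR, EX2_DR, UPD_DR,
           SEL_IR, CAP_IR, SH_IR, EX1_IR, PAU_IR, EX2_IR, UPD_IR };
static const enum tap next_state[16][2] = {
    {RTI, TLR},       {RTI, SEL_DR},    {CAP_DR, SEL_IR}, {SH_DR, EX1_DR},
    {SH_DR, EX1_DR},  {PAU_DR, UPD_DR}, {PAU_DR, EX2_DR}, {SH_DR, UPD_DR},
    {RTI, SEL_DR},    {CAP_IR, TLR},    {SH_IR, EX1_IR},  {SH_IR, EX1_IR},
    {PAU_IR, UPD_IR}, {PAU_IR, EX2_IR}, {SH_IR, UPD_IR},  {RTI, SEL_DR},
};
/* idcode == 0 models a chip with no IDCODE, which resets into 1-bit BYPASS. */
struct dev { uint32_t idcode, dr; };
struct chain { enum tap st; int n; struct dev d[4]; };

/* One TCK pulse for the whole daisy chain; returns the bit seen on TDO. */
static int chain_clock(struct chain *c, int tms, int tdi) {
    for (int i = 0; i < c->n; i++) {
        struct dev *d = &c->d[i];
        int out = d->dr & 1, msb = d->idcode ? 31 : 0;
        if (c->st == CAP_DR) d->dr = d->idcode;    /* BYPASS captures 0 */
        if (c->st != SH_DR) continue;
        d->dr = (d->dr >> 1) | ((uint32_t)tdi << msb);
        tdi = out;                      /* this chip's TDO feeds the next */
    }
    c->st = next_state[c->st][tms];
    return tdi;
}

/* TMS 11111 resets any TAP, 0,1,0,0 walks to Shift-DR; then scan with TDI=1:
   leading 0 = BYPASS chip, leading 1 = IDCODE, 0xFFFFFFFF = end of chain. */
static int enumerate(struct chain *c, uint32_t *ids, int max) {
    int found = 0;
    for (int i = 0; i < 9; i++) chain_clock(c, "111110100"[i] - '0', 1);
    while (found < max) {
        uint32_t v = (uint32_t)chain_clock(c, 0, 1);
        for (int b = 1; v && b < 32; b++) v |= (uint32_t)chain_clock(c, 0, 1) << b;
        if (v == 0xFFFFFFFFu) break;
        ids[found++] = v;               /* 0 = chip in BYPASS, no IDCODE */
    }
    return found;
}

int main(void) {  /* constructed chain: TDI -> ID chip -> BYPASS -> ID chip -> TDO */
    struct chain c = { SH_IR, 3, { {0x1000A001u, 0}, {0, 0}, {0x2000B003u, 0} } };
    uint32_t ids[8];
    for (int i = 0, n = enumerate(&c, ids, 8); i < n; i++)
        printf("chip %d from TDO: 0x%08X\n", i, (unsigned)ids[i]);
    return 0;
}
```

The chip nearest TDO is reported first, so the scan order is the reverse of the TDI-to-TDO wiring order.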

#38 - cfwprophet - 249w ago
Forget it!!
The BD-FW will be encrypted with SHA256bit. Even if these ports are not blown. Without the correct encryption keys it would take forever to decrypt the data.

I'm not sure if the hdd will use the same de-/encryption so therefore they can use here hdd trick to decrypt the data.

But in case that sunny will really be that lazy then how to resign? So that it could be injected into the PS3 FW?

#37 - SCE - 249w ago
Looks like good news coming up... Hope it is not dead...

Hello ticos. It is with great joy to return to the news in our forum.
In the JTAG port of the PS3 BD ROM 3v mixed signals. Then it probably is not dead but we have to do more tests and will soon put photos here

Greetings to all

#36 - cfwprophet - 250w ago
In regards to the idea of dumping the BDROM firmware, wouldn't the firmware itself be encrypted?
Hasn't the Spansion IC already been dumped?
Yop it was already dumped and at the same time the ps3 devs recognized that the bd fw is also present in the ps3 fw the guy who dumped the spansion stated that the encryption of the BD-FW will also be SHA256bit and he stopped his work.
I aren't a "iluminati" for mute and don't say nothing
No offence meant but sometimes it will be better to not let your enemy know that you're behind his backplate.
