JTAG Interface

EMS Geek
Posts: 58
Joined: Sun Sep 09, 2001 4:00 pm

JTAG Interface

Post by EMS Geek »

Hi,
Been reading a little about JTAG interfaces for satellite receivers and found one website (in Chinese) that dealt with Motorola Pro Radios.

http://www.avr.com.cn/MOTOROLA/

I am under the impression that information/codeplug/flash/firmware can be read and written to the radio outside of programming software.

There have been a few references on this board to JTAG, but aside from testing, what else can be done with it?

Thanks, Eric
Hightower
Posts: 976
Joined: Mon Sep 24, 2001 4:00 pm

Re: JTAG Interface

Post by Hightower »

Yep, with a JTAG you can do all sorts of stuff from ripping firmware or CP information :lol:

Not all radios have such an easy JTAG target like the HT1250/CDM series, but any radio with a TSOP that stores the firmware/CP information is an easy target for hacking. You will have to find all the JTAG points scattered around the board - not just plugging in a flex.

Let's say you want to read/write firmware (host/dsp) for an XTS3K. You'd have to have the detailed service manual which describes the memory structure of the target TSOP you want to read/write, the certain sector(s), their memory address and what is contained in the specific areas of memory. Some (NOT ALL) areas of the TSOP, like the firmware, can be write protected. Many TSOPs are write protected via 12V to a specific pin. Apply 12V to this pin, and WOW, you can write that sector - amazing security!! Write protection voltages can vary from device to device (IC). BFR mode must be used when playing around with the TSOPs. This mode powers up the radio, but puts it in a stand-by mode so to speak... The radio in this mode is NON operational, but alive!

Once you figure out the memory structure and bypass the write protection (if needed), you're ready to make your own EEPROM/TSOP(FLASH) definitions for a program called JKEYS. Every radio will have completely different memory structures. The below could be a definition to read serial numbers/flashcodes/HOST/DSP etc. You would have to make another simple program to do the decoding of the dumped information if it's not in clear text. If clear text is available, then J-Keys could display the simple information. The below is a non-working example to read certain sectors; however, it does not display properly below because the board here deletes all the spaces. Once you learn how to read the radio, then writing it should not be a problem. :lol:

RADIO, 1, "XTS3000", 1, 1, 1, 1, 2, 2, 0x7FFFFFC0, 0x7FFFFFC4, 0x7FFFFFA0, 0x7FFFFFA8, 0x7FFEFFC4, 0x7FFEFFC7, "10G", 1, 1

Where:

RADIO - indicates the line is a RADIO definition
1 - is an index number used for referencing other components (i.e. flash chips), must be unique, sequential numbering
"XTS3000" - name of XTS3000, used to represent in various fields
1 - micro definition cross reference
1 - JTAG IO connections
    1 - XTS3000 series RADIOs, has BS1 and Radio Reset (also used for generic)
    2 - Astro Saber 512 Radio, has BS1 and Radio Reset
    3 - Alinco POS - j/k....
    4 - Astro Saber 1Meg radio
1 - JTAG device
    1 - for JTAG and HC11F1 (STi based micro)
    2 - for EJTAG and HC11F1
2 - Data width in bytes (typically 2, being 16 bits)
2 - Data delta in bytes
0x7FFFFFC0 - Absolute memory address of radio serial number
0x7FFFFFC4 - Absolute memory address of radio flashcode
0x7FFFFFA0 - Absolute memory address of model number
0x7FFFFFA8 - Absolute memory address of bean counter
0x7FFEFFC4 - Absolute memory address of Model ID
0x7FFEFFC7 - Absolute memory address of Software Version
"10G" - Model ID (assists in identifying Radio)
1 - EEPROM/FLASH Type
    0 - None
    1 - 28F004 (U727)
    2 - AT28C256 (U706)
    3 - 28F020 (U404)
1 - EEPROM Interface to microprocessor
    0 - None
    1 - STi micros using Pio1:7,2,0 for Enable, SCL, SDA
    2 - STi micros using Pio2:6, Pio3:2,0 for Enable, SCL, SDA

A simple JTAG interface can be built for less than a few bucks using a 74HC244.
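Because the board stripped the spacing from the RADIO definition above, it helps to see the line handled by a small parser. The following Python is an added example written for this thread, not part of the post and not JKEYS code: it reads a comma-separated RADIO line (honouring the quoted strings), maps each field to a name, decodes the numeric codes through the legend given in the post, converts the 0x addresses to integers, and then sanity-checks the addresses against the declared data width. The field order is my reading of the legend and is an assumption; note that the sample line in the post carries one more value than the legend explains, so the parser reports that mismatch instead of guessing where the extra field belongs. The sample line used at the bottom is a constructed 17-field variant that matches the assumed schema.

```python
"""Parser and sanity checker for a JKEYS-style RADIO definition line.

Added example for this thread; schema is assumed from the legend in the post.
"""
import csv
from typing import Any, Dict, List, Optional, Tuple

# Enumerations transcribed from the legend in the post.
JTAG_IO = {
    1: "XTS3000 series radio (BS1 and radio reset; also used for generic)",
    2: "Astro Saber 512 radio (BS1 and radio reset)",
    3: "Alinco POS (marked as a joke in the post)",
    4: "Astro Saber 1Meg radio",
}
JTAG_DEVICE = {1: "JTAG with HC11F1 (STi based micro)", 2: "EJTAG with HC11F1"}
EEPROM_TYPE = {0: "none", 1: "28F004 (U727)", 2: "AT28C256 (U706)", 3: "28F020 (U404)"}
EEPROM_IFACE = {
    0: "none",
    1: "STi micro, Pio1:7,2,0 for Enable, SCL, SDA",
    2: "STi micro, Pio2:6 and Pio3:2,0 for Enable, SCL, SDA",
}

# Field order after the leading "RADIO" keyword. ASSUMPTION: this follows the
# legend in the post, which lists one field fewer than the sample line shows.
SCHEMA: List[Tuple[str, Any]] = [
    ("index", "int"),
    ("name", "str"),
    ("micro_xref", "int"),
    ("jtag_io", JTAG_IO),
    ("jtag_device", JTAG_DEVICE),
    ("data_width", "int"),
    ("data_delta", "int"),
    ("serial_addr", "hex"),
    ("flashcode_addr", "hex"),
    ("model_number_addr", "hex"),
    ("bean_counter_addr", "hex"),
    ("model_id_addr", "hex"),
    ("software_version_addr", "hex"),
    ("model_id", "str"),
    ("eeprom_type", EEPROM_TYPE),
    ("eeprom_interface", EEPROM_IFACE),
]

# Constructed sample line matching the assumed 16-field schema (not the post's line).
SAMPLE_LINE = ('RADIO, 1, "XTS3000", 1, 1, 1, 2, 2, 0x7FFFFFC0, 0x7FFFFFC4, '
               '0x7FFFFFA0, 0x7FFFFFA8, 0x7FFEFFC4, 0x7FFEFFC7, "10G", 1, 1')
# The line exactly as posted (one value more than the legend explains).
PAGE_LINE = ('RADIO, 1, "XTS3000", 1, 1, 1, 1, 2, 2, 0x7FFFFFC0, 0x7FFFFFC4, '
             '0x7FFFFFA0, 0x7FFFFFA8, 0x7FFEFFC4, 0x7FFEFFC7, "10G", 1, 1')


def split_fields(line: str) -> List[str]:
    """Split on commas while honouring double-quoted strings and stray spaces."""
    return next(csv.reader([line], skipinitialspace=True))


def parse_radio_line(line: str) -> Dict[str, Any]:
    """Turn one RADIO definition line into a named, decoded record."""
    fields = split_fields(line.strip())
    if not fields or fields[0].strip().upper() != "RADIO":
        raise ValueError("not a RADIO definition line")
    values = fields[1:]
    if len(values) != len(SCHEMA):
        raise ValueError(f"expected {len(SCHEMA)} fields after RADIO, got {len(values)}")
    record: Dict[str, Any] = {}
    for (name, kind), raw in zip(SCHEMA, values):
        raw = raw.strip()
        if kind == "str":
            record[name] = raw
        elif kind == "int":
            record[name] = int(raw, 10)
        elif kind == "hex":
            if not raw.lower().startswith("0x"):
                raise ValueError(f"{name}: expected 0x-prefixed address, got {raw!r}")
            record[name] = int(raw, 16)
        else:  # a code looked up in one of the legend tables
            code = int(raw, 10)
            if code not in kind:
                raise ValueError(f"{name}: unknown code {code}")
            record[name] = kind[code]
    return record


def try_parse(line: str) -> Tuple[Optional[Dict[str, Any]], Optional[str]]:
    """Return (record, None) on success or (None, message) for a malformed line."""
    try:
        return parse_radio_line(line), None
    except ValueError as exc:
        return None, str(exc)


def check_record(rec: Dict[str, Any]) -> List[str]:
    """Flag addresses outside 32 bits or misaligned for the declared data width."""
    problems: List[str] = []
    width = rec["data_width"]
    for name, kind in SCHEMA:
        if kind != "hex":
            continue
        addr = rec[name]
        if addr > 0xFFFFFFFF:
            problems.append(f"{name}: {addr:#x} exceeds 32-bit address space")
        if width > 1 and addr % width:
            problems.append(f"{name}: {addr:#x} not aligned to {width}-byte data width")
    return problems


if __name__ == "__main__":
    rec = parse_radio_line(SAMPLE_LINE)
    for key, value in rec.items():
        print(f"{key:24} {value:#x}" if key.endswith("_addr") else f"{key:24} {value}")
    for problem in check_record(rec):
        print("warning:", problem)
    print("posted line:", try_parse(PAGE_LINE)[1])
```

Running it prints the decoded fields, one alignment warning (the Software Version address 0x7FFEFFC7 is odd while the data width is 2 bytes, which is exactly the kind of detail to confirm against the service manual before trusting a definition), and the field-count error for the line as posted. The csv module is used for the split so a quoted name containing a comma would survive intact.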