To continue the trend of hacking everything with a chip on it (IoT), we decided to tear apart a small device from a home security system. We are on the hunt for root access, but that’s not what this post is about, it’s about a cool improvisation we pulled off to save time and well … because it was traffic hour and we didn’t feel like driving.
A little background first. There are no references to the schematics for the PCB we are trying to modify, there is however an ARM processor which we were able to obtain a reference manual for and it clearly detailed JTAG pins for us. The problem: size. The chip has (as many hardware folks know) very little spacing between the pins that latch it onto the board. We thought we were being clever when we used a glue gun, outlined the entire chip’s external perimeter with a big chunk of clear glue and stuck needles onto it to ‘make contact’.
We are still convinced it should have worked, but for some reason it didn’t! So we removed the glue, and went to plan b. We were to map the pins we needed to the back of the board, and solder raised pins on it to latch our gear …
The problem continued, we were only able to map ONE pin to the back of the board! With camaraderie enabling us to continue this frustrating endeavor, we devised a third attack plan, the ARM chip had (what we thought) flat copper parallel contacts around the chip mapped to each pin so we should solder a tiny wire to it then happily latch our clips.
We managed to solder 49, 51, we were stoked it was cake!
Motivation highly increased, we were refreshed with confidence and ready to finish this task (2.5 – 3 hours in at this poitn). Then pin pin 53 wasn’t mapped to the golden strips around the ARM chip! We were convinced a supreme being hated us somewhere in the multi-verse! Quit? Plan D? We swapped places from holding magnifying glasses, wires, flash light and solderer and again, we managed to keep going! Plan D it is: A hybrid approach. This involved using some pins (directly on the chip) and some golden strips.
As if on purpose, the only mapped pin to the easy part of the board was the optional one -_- pin 50 (see Figure 2). Pin 33 latched with a soldered needle, on to the the second on-chip pin (on the chip) BRIDGED! Yes, after all this, we bridged 2 pins together with solder and spent the next 1 – 1.5 hours undoing this in an attempt at salvaging the board.
It was late, we were tired, frustrated, and our eyes were shot due to the size of the components on the board. The magnifying glass we were using wasn’t enough, no microscope, so I ran to get my HDMI to microUSB (Phone to TV/Monitor) adapter. I had an idea. It was a long, long shot, but worth it if we could salvage the board. Testing the bridge was the worse of it, because we had no visual way to predetermine if we had removed enough solder to test if the bridge was broken (annoying!!!).
I got my old S6, plugged it onto the adapter, plugged it onto my top monitor, and turned the camera on the phone on. The visual was useless, it was a bigger picture of the chip, but still not enough to help us. As a last and desperate attempt for a little break, I zoomed in all the way via the touch screen zoom on the S6 and failed, it was too blurry! Then it hit us, we could focus it with the magnifying glass!
So to recap:
Phone to HDMI Adapter
Camera on Chip
Zoom in (and light up the board/chip with a good desk lamp)
Focus with the magnifying glass!
Here’s what it looked like! The picture does little to merit to convey the success, but remember the 32″ monitor is a tad larger than the chip in real life.
Bridge was removed, we were ready to throw in the towel but we already had 2 of the 4 contacts on the ARM chip needed to obtain our JTAG connection! We originally had three, two on the copper parallel strips, and one on pin 33 directly but while fixing the bridge we ripped one of the copper wires off.
One last breath, I hold two needles manually on two pins while Joseph plugged away at OpenOCD communicating with the ARM chip! Success!
I hope our improvised electro-mobile-scope hack helps someone else!