How to get ADB access via JTAG

  1. Solder a 0.05" (1.27 mm pitch) connector to the JTAG pins. Note: The silkscreen is on the wrong side.
  2. Hook up a JTAG interface board, e.g. Tigard.
  3. Create a config file, e.g. mirror-jtag.cfg, with one OpenOCD directive per line:
     # mirror-jtag.cfg: run with openocd -f mirror-jtag.cfg
     # Adapter section: FT2232H, JTAG on channel 1 (the same values OpenOCD ships in interface/ftdi/tigard.cfg)
     adapter driver ftdi
     transport select jtag
     ftdi vid_pid 0x0403 0x6010
     ftdi channel 1
     adapter speed 2000
     ftdi layout_init 0x0038 0x003b
     ftdi layout_signal nTRST -data 0x0010
     ftdi layout_signal nSRST -data 0x0020
     # Target section: imx8m.cfg reads CHIPNAME and CHIPCORES and creates the A53 and AHB targets
     set CHIPNAME mimx8mm6dvtlzaa
     set CHIPCORES 4 ;# adjust based on the silicon
     source [find target/imx8m.cfg]
     reset_config srst_only srst_pulls_trst
  4. Run openocd -f mirror-jtag.cfg
  5. Connect to the OpenOCD server: `telnet 127.0.0.1 4444`
  6. Select the AHB target. `targets` with no argument lists the targets and their numbers; the AHB target was entry 5 here, so `targets 5` selects it. AHB is the i.MX's memory-mapped bridge (the DAP's AHB-AP, exposed by imx8m.cfg as a mem_ap target), so system memory can be read and written through it without halting the A53 cores.
  7. Dump memory: `dump_image image.bin 0x40000000 0xFFFFFFFFF` (arguments are file, start address, size). 0x40000000 is the start of DRAM on the i.MX8M Mini, and dump offset 0 in image.bin corresponds to that address. This will take a long time over JTAG. You need about 800MB - 1000MB of the dump to get the right memory: both the adbd_auth_verify string and the instruction patched below sit around 885 MB in (0x74c6d824 - 0x40000000), so the size given here is far larger than needed; 0x40000000 (1 GiB) covers that region.
  8. Find the place in the memory dump that we need to patch
    1. `grep -bao adbd_auth_verify image.bin`
      1. You will get something like 883054802:adbd_auth_verify (the byte offset of the string within the dump)
    2. `xxd -c0 -p -s $((883054802-10000000)) image.bin | grep -bo 02000014e0030032e80f40f9` This starts a plain hex dump 10,000,000 bytes (about 10 MB) before the spot where we found adbd_auth_verify and searches it for a string of opcodes. The pattern is the little-endian encoding of three AArch64 instructions: 14000002 (b #8, which jumps over the next instruction), 320003e0 (mov w0, #1) and f9400fe8 (ldr x8, [sp, #24]). With -c0, xxd emits one long line, so the grep -b offset is a character offset into that hex text.
      1. Result will be something like 24783780:02000014e0030032e80f40f9
      2. Three corrections turn that into the address to patch. xxd prints two hex characters per byte, so the grep offset is divided by 2 to get a byte count; that is added to the dump offset where xxd started (883054802 - 10000000); and 0x40000000 is added because dump offset 0 is DRAM address 0x40000000. The grep offset must be even (an odd offset means the match starts in the middle of a byte and is a false positive) and the final address must be a multiple of 4, since AArch64 instructions are 4-byte aligned.
        1. `printf "0x%x\n" $((0x40000000 + 883054802 - 10000000 + 24783780 / 2))` => 0x74c6d824
  9. Back in OpenOCD we can verify that is what we see
    1. `mdw 0x74c6d824` you should get back 0x14000002. mdw prints the word little-endian, so the dump bytes 02 00 00 14 read back as 0x14000002, the `b #8` instruction.
    2. Then we can overwrite it: `mww 0x74c6d824 0x1f2003d5`. This replaces the branch that jumps over `mov w0, #1` with a non-branching instruction, so adbd_auth_verify falls through into the success return value instead of skipping it. Note the byte order: mww takes the word in the same convention that mdw prints, and the AArch64 NOP is 0xd503201f; 0x1f2003d5 is that NOP with its bytes reversed, which decodes to a single-precision FNMADD (a floating-point instruction that clobbers one FP register but does not branch), so the patch still falls through. `mww 0x74c6d824 0xd503201f` writes an actual NOP.
  10. `adb shell` should now work
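The offset arithmetic of step 8 and the byte-order point of step 9, as an added worked example; this script is not part of the original notes or of any project the page mentions. It works on the raw bytes of image.bin instead of xxd's hex text, so nothing has to be halved, and it only reports a candidate that is 4-byte aligned and really decodes as `b #8`. The marker string, opcode pattern, DRAM base and 10 MB window are the page's values, and `address_from_grep` reproduces the page's printf arithmetic for comparison; the function names, the bounded search around every marker occurrence and the built-in constructed sample dump are assumptions of this example. It emits the canonical NOP 0xd503201f rather than the byte-reversed word the page writes.

```python
#!/usr/bin/env python3
"""Locate the adbd_auth_verify branch in a dump_image RAM dump and print OpenOCD commands.

Added example for these notes, not the author's tooling. Values marked "from the
page" come from steps 7-9; everything else (function names, sample dump, the
bounded search window) is an assumption of this example.
"""
import struct
import sys

DRAM_BASE = 0x40000000   # from the page: address passed to dump_image, so dump offset 0 is 0x40000000
WINDOW = 10_000_000      # from the page: the -s offset used with xxd (10 MB before the marker)

MARKER = b"adbd_auth_verify"   # from the page: string located with grep -bao

# From the page: little-endian bytes of three AArch64 instructions.
#   0x14000002  b   #8             skips the mov below
#   0x320003e0  mov w0, #1         (orr w0, wzr, #1) the success return value
#   0xf9400fe8  ldr x8, [sp, #24]
PATTERN = bytes.fromhex("02000014e0030032e80f40f9")

# Canonical AArch64 NOP. mdw printed 0x14000002 for dump bytes 02 00 00 14, so mww
# takes words in the same little-endian convention and a NOP is written as 0xd503201f.
AARCH64_NOP = 0xD503201F


def decode_b(word):
    """Byte offset of an unconditional AArch64 B instruction, or None if `word` is not one."""
    if (word >> 26) != 0b000101:
        return None
    imm26 = word & 0x03FFFFFF
    if imm26 & (1 << 25):            # sign-extend the 26-bit immediate
        imm26 -= 1 << 26
    return imm26 * 4


def address_from_grep(marker_off, hex_char_off, skip=WINDOW, base=DRAM_BASE):
    """Step 8's printf arithmetic: xxd -p writes two characters per byte, so the grep -bo
    character offset is halved, added to the dump offset where xxd started (marker_off - skip),
    and then to the DRAM base.  An odd hex offset means the match starts mid-byte."""
    if hex_char_off % 2:
        raise ValueError("odd hex offset: match starts in the middle of a byte")
    addr = base + (marker_off - skip) + hex_char_off // 2
    if addr % 4:
        raise ValueError("0x%x is not 4-byte aligned, so it cannot be an instruction" % addr)
    return addr


def find_patch_site(dump, base=DRAM_BASE, window=WINDOW):
    """Return (address, original_word) of the first aligned `b #8` matching PATTERN near MARKER.

    Unlike the grep pipeline, this tries every marker occurrence, bounds the search to
    +/- window bytes around it, and rejects misaligned or non-branch matches."""
    pos = dump.find(MARKER)
    while pos >= 0:
        lo, hi = max(0, pos - window), pos + window
        off = dump.find(PATTERN, lo, hi)
        while off >= 0:
            word = struct.unpack_from("<I", dump, off)[0]
            if off % 4 == 0 and decode_b(word) == 8:
                return base + off, word
            off = dump.find(PATTERN, off + 1, hi)
        pos = dump.find(MARKER, pos + 1)
    raise ValueError("no aligned 'b #8' matching the opcode pattern near %r" % MARKER)


def openocd_commands(addr):
    """Step 9 as typed into the telnet session: read the word back, then replace the B with a NOP."""
    return ["mdw 0x%08x" % addr,                    # expect 0x14000002
            "mww 0x%08x 0x%08x" % (addr, AARCH64_NOP)]


def build_sample_dump():
    """Constructed stand-in for image.bin: zero filler, the marker at 100, the pattern at 0x800."""
    dump = bytearray(8192)
    dump[100:100 + len(MARKER)] = MARKER
    dump[0x800:0x800 + len(PATTERN)] = PATTERN
    return bytes(dump)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data, window = open(sys.argv[1], "rb").read(), WINDOW
    else:
        data, window = build_sample_dump(), 8192
    addr, word = find_patch_site(data, window=window)
    print("patch site 0x%08x holds 0x%08x (b #%d)" % (addr, word, decode_b(word)))
    print("\n".join(openocd_commands(addr)))
```

Run it with the path to image.bin as its only argument, or with no argument to run against the built-in sample; on a real dump the 10 MB window is the page's, but a larger one costs nothing since the alignment and `b #8` checks filter false positives.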