JTAG clock glitching on a target similar to CW308T-MPC5748G


#1

I have a JTAG-locked target similar to CW308T. I want to perform clock glitching to unlock JTAG and access flash. I am using PE Micro’s programmer. I hooked up the JTAG signals to the logic analyser and can verify the JTAG pins I found on the target are correct. I read through the tutorials on clock glitching and looked at the GitHub repo for CW308T. I still have some questions on it.

  1. Should I feed the JTAG clock as input to the ChipWhisperer and connect the glitched clock output from the CW to the microcontroller’s JTAG clock? Or should I use the glitched clock output from the CW module as the external clock to the microcontroller?

  2. How do I determine at what point I should glitch the clock? Is this generally a specific number of cycles after the TRST/JCOMP signal resets? Or when the bootloader is checking a register to see if the JTAG is locked? How can I determine at what clock cycle this operation occurs?

Thanks in advance.


#2

Hi br1234,

The JTAG clock is only used for synchronization between the debugger and the microcontroller, meaning clock glitches here would probably just corrupt the data between the two. I don’t have the reference manual handy for the MPC5748 (assuming it’s similar in this aspect to your target), so also make sure that the microcontroller is actually using an external clock in this state. Some have internal oscillators that they use on startup and only switch after the boot sequence is completed. In that case, you’ll probably have more luck trying Vcc glitching instead.

As for your second question, that probably depends on how the lock is implemented. The STM32F0 in RDP level 1, for example, doesn’t lock SWD access until a read is attempted on flash (though that’s probably since it still needs to allow access to RAM and registers). I believe the actual updating of the protection status is done in an early part of the POR/OBR reset sequence.

Let me know if that answers your questions,
Alex Dewar