This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course.

Student ID: IoTE-728


In this post I will show how I connected to the MIPS Creator Ci40 with a Bus Blaster V3c via JTAG.

The MIPS Creator Ci40 board has a MIPS EJTAG interface. I found a PDF file which described how the interface can be used on this board. The description in the PDF file suggested a Bus Blaster V3c for MIPS kit for debugging the board. I followed the steps and installed all the necessary software on a Windows 7 x64 machine. I installed the USB driver, OpenOCD and the Codescape MIPS SDK. I also connected the Bus Blaster to the MIPS Creator Ci40 board and to my computer.

OpenOCD installed a config file for the Bus Blaster. The full path of this config file is:

C:\Program Files\Imagination Technologies\OpenOCD\openocd-0.9.2\scripts\interface\mips_busblaster.cfg

However, I did not have a config file for the MIPS Creator Ci40. OpenOCD needs both the config file of the Bus Blaster and the config file of the MIPS Creator Ci40 board, so I had to create one. OpenOCD can detect some information with autoprobing, but not everything.

I found some useful information on this site. The CPU is a cXT200 SoC with a dual core dual threaded MIPS interAptiv CPU. The Hardware User Guide contained information regarding the JTAG configuration. With this information I created the following config file:

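# Use the caller's ENDIAN setting if one was given, otherwise default to little endian
if { [info exists ENDIAN] } {
   set _ENDIAN $ENDIAN
} else {
   set _ENDIAN little
}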

reset_config trst_and_srst separate srst_gates_jtag trst_push_pull srst_open_drain connect_deassert_srst

# Define TAPs in reverse order
jtag newtap rpu tap -irlen 5 -expected-id 0x1ffff11d
jtag newtap cm tap -irlen 5 -expected-id 0x34321c33
jtag newtap cpu0vpe0 tap -irlen 5 -expected-id 0x14321c33
jtag newtap cpu0vpe1 tap -irlen 5 -expected-id 0x14320c33
jtag newtap cpu1vpe0 tap -irlen 5 -expected-id 0x04321c33
jtag newtap cpu1vpe1 tap -irlen 5 -expected-id 0x04320c33

# Define targets for gdb
target create cpu0vpe0.tap mips_iAptiv -endian $_ENDIAN -chain-position cpu0vpe0.tap
target create cpu0vpe1.tap mips_iAptiv -endian $_ENDIAN -chain-position cpu0vpe1.tap
target create cpu1vpe0.tap mips_iAptiv -endian $_ENDIAN -chain-position cpu1vpe0.tap
target create cpu1vpe1.tap mips_iAptiv -endian $_ENDIAN -chain-position cpu1vpe1.tap

# Define clock rate
adapter_khz 15000

Since the processor is dual core and dual threaded, there are four TAPs (Test Access Ports).
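The IDCODEs in the config above can be checked with a short Python script, given here as an added example that is not part of the original post: it parses the `jtag newtap` lines, splits each `-expected-id` into the IEEE 1149.1 version, part and manufacturer fields, and sums the IR lengths of the chain. The function names are hypothetical and the input is the TAP list copied from the config.

```python
import re

# TAP declarations copied from the creator_ci40.cfg shown above.
CFG = """\
jtag newtap rpu tap -irlen 5 -expected-id 0x1ffff11d
jtag newtap cm tap -irlen 5 -expected-id 0x34321c33
jtag newtap cpu0vpe0 tap -irlen 5 -expected-id 0x14321c33
jtag newtap cpu0vpe1 tap -irlen 5 -expected-id 0x14320c33
jtag newtap cpu1vpe0 tap -irlen 5 -expected-id 0x04321c33
jtag newtap cpu1vpe1 tap -irlen 5 -expected-id 0x04320c33
"""

NEWTAP = re.compile(
    r"^\s*jtag\s+newtap\s+(\S+)\s+(\S+)\s+-irlen\s+(\d+)"
    r"\s+-expected-id\s+(0x[0-9a-fA-F]+)")

def decode_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE into its standard fields."""
    if not 0 <= idcode <= 0xFFFFFFFF:
        raise ValueError("IDCODE must fit in 32 bits")
    if idcode & 1 == 0:
        # Bit 0 of an IDCODE is always 1; a 0 here is a BYPASS bit instead.
        raise ValueError(f"0x{idcode:08x}: bit 0 is 0, not an IDCODE")
    return {
        "version": idcode >> 28,            # bits 31:28
        "part": (idcode >> 12) & 0xFFFF,    # bits 27:12
        "mfg": (idcode >> 1) & 0x7FF,       # bits 11:1 (JEP106 bank + id)
    }

def parse_taps(cfg_text):
    """Return [(dotted_name, irlen, fields)] for every 'jtag newtap' line."""
    taps = []
    for line in cfg_text.splitlines():
        m = NEWTAP.match(line)
        if m:
            chip, tap, irlen, idcode = m.groups()
            fields = decode_idcode(int(idcode, 16))
            taps.append((f"{chip}.{tap}", int(irlen), fields))
    return taps

def chain_ir_length(taps):
    """Total instruction-register bits in the chain (sum of -irlen values)."""
    return sum(irlen for _, irlen, _ in taps)

if __name__ == "__main__":
    taps = parse_taps(CFG)
    for name, irlen, f in taps:
        print(f"{name:13} irlen={irlen} ver=0x{f['version']:x} "
              f"part=0x{f['part']:04x} mfg=0x{f['mfg']:03x}")
    print("total IR length:", chain_ir_length(taps))
```

The decoded fields make it easier to compare the IDs that OpenOCD reports during autoprobing with the values expected in the config.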


Finally, I started OpenOCD with the following commands:

cd "C:\Program Files\Imagination Technologies\OpenOCD\openocd-0.9.2\bin"

openocd-0.9.2.exe -c "telnet_port 4444" -f "C:\Program Files\Imagination Technologies\OpenOCD\openocd-0.9.2\scripts\interface\mips_busblaster.cfg" -f "C:\Program Files\Imagination Technologies\OpenOCD\creator_ci40.cfg"

Then I connected to the telnet port with PuTTY (localhost:4444). Since the MIPS Creator Ci40 is dual core, I had more than one target. I managed to get the list of the available targets in the telnet session.

The two cores: cpu0 and cpu1. The two threads (for each core): vpe0 and vpe1. Each of them is a target.

The target can be changed by typing the targets command and the name of the new target. The target current command shows the currently active target.

I was able to dump the values of the registers and the content of the memory through the telnet session. I also tried to connect with gdb via JTAG; however, I always got an error when I tried to load a binary. I tried to find more information on the internet, but I could not find any useful information. I spent more time on this JTAG post than on the other blog posts. Learning to use JTAG properly requires lots of time and dedication. It might be useful to try more than one JTAG-capable device. I decided to try another thing instead: remote debugging with gdbserver.