I am trying to dump firmware from a Chinese MCU SC93F8333 (Shenzhen SinOne Microelectronics Co). It has an 8051 core and uses Compact JTAG - cJTAG IEEE 1149.7 (a compact variant of JTAG with only 2 pins, CLK and TMS). I bought a USB programmer from Taobao (manufactured by the same company) hoping it would be able to read the firmware as well, but to my surprise the software that came with it only supports flashing the firmware on the MCU and has no options to read it. I decided to try and sniff the programming pins using Saleae Logic, but it does not have a cJTAG decoder. Sigrok does have it, but it doesn’t seem to work with Saleae Logic hardware. Has anyone ever created a cJTAG decoder for Saleae Logic?
I have never used cJTAG (I didn’t know it existed until you mentioned it) but I suspect you can at least decode the byte level by adding a SPI analyzer, and setting one of the two data channels and the enable channel to “none”. That will allow you to decode generic synchronous serial data with 1 clock and 1 data signal. You will need to adjust the other settings (phase and polarity) to match cJTAG, which you can probably determine just by looking at the signal.
Feel free to post a sample capture here. If you’re able to decode the byte level reliably with the SPI analyzer, you could either export that to CSV, or attempt to create a cJTAG analyzer in Python using our High Level Analyzer API: Extensions - Saleae Support
Thanks for the quick response. I didn’t think about that earlier. I will give it a shot.
Taking a step back here, what do you think you’ll find if you can sniff the programming pins? It won’t be sending firmware out those pins all on its own. You could sniff a programming session when your USB programmer is operating but that also won’t necessarily tell you how to send “read firmware” commands. So, I wonder if this sniffing will be of limited use? Do you have a specification for cJTAG? As far as I know basically every chip does JTAG a little differently so there isn’t a good way to generically read firmware from a chip. It really helps if you have the proper JTAG adapter. Are you sure there isn’t any other software for your adapter that would support reading?
The application that came with the programmer has an option to verify the firmware that has been flashed to the chip, so my thinking was that in order for the application to verify the flashed firmware it has to first read the flash memory and then calculate some sort of checksum on the data read, so it must be issuing some JTAG command (command specific to this chip) to read the flash. That is what I hoped to capture during a programming session, and try to dump the firmware. From what I have read about cJTAG, it basically is JTAG but uses just 2 pins instead of the 4 that JTAG uses, so it multiplexes everything on a single bidirectional pin (the other pin being clock). Both the adapter and the software that I bought are made by the same manufacturer that made the MCU. Other than that, I have found that Segger J-Link does support cJTAG, but it doesn’t support this manufacturer’s MCU.
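
The single-pin multiplexing described in the last post, as an added example that is not part of the thread and not Saleae or SinOne code: it takes the data-pin bits sampled on clock edges (for instance from the SPI analyzer export suggested earlier), splits them into IEEE 1149.7 OScan1 packets of nTDI, TMS, TDO, and follows the standard JTAG TAP state machine to recover each IR/DR scan. That this chip uses the OScan1 format, rising-edge sampling and the packet alignment are assumptions; the function names and the sample bits are constructed.

```python
# Added example. Assumptions (not from the thread): the link is already in
# OScan1 scan format, TMSC is valid on rising TCKC edges, and the first
# sampled bit is the nTDI bit of a packet with the TAP in Test-Logic-Reset.

# IEEE 1149.1 TAP controller: state -> (next if TMS=0, next if TMS=1)
TAP = {
    "RESET": ("IDLE", "RESET"), "IDLE": ("IDLE", "SEL_DR"),
    "SEL_DR": ("CAP_DR", "SEL_IR"), "CAP_DR": ("SH_DR", "EX1_DR"),
    "SH_DR": ("SH_DR", "EX1_DR"), "EX1_DR": ("PAU_DR", "UPD_DR"),
    "PAU_DR": ("PAU_DR", "EX2_DR"), "EX2_DR": ("SH_DR", "UPD_DR"),
    "UPD_DR": ("IDLE", "SEL_DR"),
    "SEL_IR": ("CAP_IR", "RESET"), "CAP_IR": ("SH_IR", "EX1_IR"),
    "SH_IR": ("SH_IR", "EX1_IR"), "EX1_IR": ("PAU_IR", "UPD_IR"),
    "PAU_IR": ("PAU_IR", "EX2_IR"), "EX2_IR": ("SH_IR", "UPD_IR"),
    "UPD_IR": ("IDLE", "SEL_DR"),
}

def rising_edge_bits(samples):
    """samples: (clock, data) logic levels; return data at each rising clock edge."""
    bits, prev = [], None
    for clk, data in samples:
        if prev == 0 and clk == 1:
            bits.append(data)
        prev = clk
    return bits

def decode_oscan1(bits, state="RESET"):
    """Split bits into (nTDI, TMS, TDO) packets; return finished scans and end state."""
    scans, tdi, tdo = [], [], []
    for i in range(0, len(bits) - len(bits) % 3, 3):
        ntdi, tms, tdo_bit = bits[i:i + 3]
        if state in ("SH_DR", "SH_IR"):   # bits only move while in a Shift state
            tdi.append(1 - ntdi)          # OScan1 carries TDI inverted
            tdo.append(tdo_bit)
        state = TAP[state][tms]
        if state in ("UPD_DR", "UPD_IR") and tdi:
            scans.append((state[-2:], tdi, tdo))   # bit lists are in shift order
            tdi, tdo = [], []
    return scans, state

# Constructed sample: (TMS, TDI, TDO) per TAP clock for one 4-bit IR scan.
CYCLES = [(0, 0, 0), (1, 0, 0), (1, 0, 0), (0, 0, 0), (0, 0, 0),  # to Shift-IR
          (0, 1, 1), (0, 0, 0), (0, 1, 0), (1, 0, 0),             # 4 shifted bits
          (1, 0, 0), (0, 0, 0)]                                   # Update-IR, Idle
SAMPLE_BITS = [b for tms, tdi, tdo in CYCLES for b in (1 - tdi, tms, tdo)]

if __name__ == "__main__":
    print(decode_oscan1(SAMPLE_BITS))
```

Comparing the DR scans captured during the programmer's verify pass against those from the write pass is where a decode like this becomes useful, since the TDO lists hold what the chip returned.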