JTAG

Some iPods seemingly have the ability to be debugged over JTAG. Here's some documentation on getting started.

Devices

Nano 2G

The following pins carry 'classic' multi-wire JTAG on the Dock Connector:

In addition, the following pads need to be bridged on the logic board:

Nano 5G

The following pins carry 'classic' multi-wire JTAG on the Dock Connector:

In addition, the following 01005 footprints need to be populated with 0 ohm resistors (or bridged with a wire) on the logic board:

'Memory locked out' JTAG

Even though JTAG is accessible on the N2G/N5G, and the CPU core can be controlled over it, no memory is accessible anymore. In fact, it seems like the CPU core gets fully disconnected from the AHB bus any time JTAG is enabled. During the Nano 2G initial reverse engineering process low-level access to Dcache was used to dump memory. However, no method of re-establishing full memory access has yet been found.

The above listing shows OpenOCD/GDB connected to a Nano 5G a while after it has been first scanned via JTAG. It seems to be stuck in a permanent 'data abort' handler loop, with some pretty trashed register values (although some of them are still in valid range for running the BootROM).

What has been attempted so far:

1. Making sure the WDT isn't running.
2. Writing to CHIPID in an attempt to 'demote' the devices à la iOS.
3. Connecting while the device is in the BootROM.

Other observations:

1. The 'memory bus disconnection' seems to happen immediately after a JTAG chain scan, so this might be implemented as extra logic somewhere in the SoC that needs some magic TDI bits to be fed so it doesn't lock out the AHB bus (or whatever it does).
2. This might just be a bug in openocd ARM11, or some quirk of the ARM1176 core (or SoC) in which caches break during debug access, but that seems unlikely.