• JTag Port Found on PS3 BluRay Drive

    PS3 Hacks , 13.10.2009

    celld0wn over at DemonHades have found the JTag port on PS3′s BluRay drive board.

    Rough translation from celld0wn below:

    I found the JTag port for the Blu-ray Reader on the PlayStation 3. Last night after finishing the research meeting I went looking for information about BD integrated reader.

    In and looking at the information that I found on the back of the plate reader I saw that there is no connector terminals, these terminals belong to a connector which connects ‘something’ via terminals and through the Internet I found the points used in a JTag, including the TDO, TDI, TMS etc.

    Originally developed for printed circuit boards, it is currently used for test of submodules of integrated circuits, and is also useful as a mechanism for debugging embedded applications, as it provides a backdoor to within the system.

    When used as a debugging tool, an in-circuit emulator that uses JTag as the transport mechanism allows the programmer to access the debugging module that is integrated into the CPU. The debug module enables the programmer to correct their errors and code logic of their systems.

    There are consumer products that have a JTag port integrated, so that the connections are often available on the PCB as part of the prototype phase of the product. These connections can provide a simple way to reverse-engineer.

    As you can see we have a door strike to try to get the firmware, decrypted data, and all that is able to control the Blu-ray reader.






    [ViA DemonHades]

    Thanks SCE for news tip.

    Tags: , , , ,

    Discuss in Forums (21)

  • 21 Comments

    1. BobbyBlunt
      10-13-2009
      11:33 PM
      1

      So there is a possibility we can flash the drive firmware like on the 360 or make a drive chip. The PS3 scene has seen a lot of advancements in the last few weeks.

    2. cvp
      10-14-2009
      12:49 AM
      2

      you do not worry! It is still a very far away!

    3. walidahmadi
      10-14-2009
      02:08 AM
      3

      From what I have read is that, the port is of no use. the Jtag port has been blown out while in manufacturing. So you cannot use it .

      but its still nice to see some progress.

      I am no ps3 god or something . I just said what I gathered in other places :aetsch:

    4. cvp
      10-14-2009
      06:00 AM
      4

      maybe you are right, but, maybe can a dev make a application what can connect to the Device. This is the hope what all have

    5. walidahmadi
      10-14-2009
      09:09 AM
      5

      I am still keeping my fingers crossed, I hope someone gets something out of this.

    6. Pockets69
      10-14-2009
      03:11 PM
      6

      What the port is not usable??? Damn when something great is found there is always a but... Damn... (gets back to his 360 finishing his JTAG hack)

    7. homedog
      10-15-2009
      02:17 AM
      7

      23:37:01 CJ Investigando (6) well, you have the docs
      13/10/2009 23:37:05 CJ Investigando (6) just wire up a jtag
      13/10/2009 23:37:19 CJ Investigando (6) parallel port, only 5-6 wires and some resistors
      CJ Investigando (6) well, dunno
      13/10/2009 23:41:46 CJ Investigando (6) need to find the cpu type, set up the jtag to do a boundary scan
      13/10/2009 23:41:49 CJ Investigando (6) assuming the jtag even works
      CJ Investigando (6) yes, need to see if the jtag works or not tho
      14/10/2009 0:01:26 Investigando (6) CJ but u dont test the jtag lol?
      14/10/2009 0:02:03 CJ Investigando (6) we tested a lot - found nothing useful sofar :/
      CJ Investigando (6) back, yeah that doc ive seen
      14/10/2009 0:56:08 CJ Investigando (6) thx tho
      14/10/2009 0:56:18 CJ Investigando (6) re jtag - there are 1000000 software out there
      14/10/2009 0:56:18 CJ Investigando (6) linux version works well
      14/10/2009 0:56:28 CJ Investigando (6) problem is, you need to know cpu info
      14/10/2009 0:56:28 CJ Investigando (6) so gets difficult
      CJ Investigando (6) of what you are jtagging
      CJ Investigando (6) like i said, it gets hard
      14/10/2009 0:57:06 CJ Investigando (6) best first step
      14/10/2009 0:57:11 CJ Investigando (6) is to hook up a logic analyzer / oscilliscope
      14/10/2009 0:57:21 CJ Investigando (6) to see if the right signals come out
      14/10/2009 0:57:21 CJ Investigando (6) or even, a digital multimeter
      14/10/2009 0:57:32 CJ Investigando (6) to see if it even has voltage
      CJ Investigando (6) to even see if there is a jtag signal
      14/10/2009 0:58:43 CJ Investigando (6) may be dead
      Investigando (6) CJ thanks friend for help me
      so cjpc is looking if port is dead or not

    8. BobbyBlunt
      10-15-2009
      05:16 PM
      8

      I have a broken 60 gig. I may be able to get the multimeter and oscilloscope readings that you need. I don't have an oscilloscope here, but I do have access to one in the lab so give me a few days and I will post my findings. If I may ask, what is the purpose of the scope here. Are you trying to find a certain sine wave?

    9. Pockets69
      10-15-2009
      05:20 PM
      9

      can some one confirm this? BobbyBlunt can you test the port???

      thanks!

    10. homedog
      10-16-2009
      12:46 AM
      10

      i posted this from demonhades.org forum just ask cjpc from ******* but i heard he have a friend with the necessary equipment. i think they want to look if the port is blowed or there is voltage on it.

    11. SCE
      10-16-2009
      01:02 PM
      11

      news comin' up from demonhades..

      Originally Posted by skygames
      Hello ticos. It is with great joy to return to the news in our forum.
      In the JTAG port of the PS3 BD ROM 3v mixed signals. Then it probably is not dead but we have to do more tests and will soon put photos here: D

      1 saludo to all

    12. vinny13
      10-21-2009
      10:10 PM
      12

      Any more info on this yet? Or is the topic dead?

    13. homedog
      10-22-2009
      12:45 AM
      13

      i think we need a spanish translator :D i think they make some progress in mapping the jtag and the necessary voltages look at demonhades.org

    14. Pockets69
      10-22-2009
      04:10 PM
      14

      I can help the translation, I am not a native speaker, but i can understand it pretty well, there must be a lot of spanish users here, you probably won`t need my help, but i can help if someone wants to.

    15. provo
      10-26-2009
      06:14 AM
      15

      Here is the forum topic demonhades.org translated from spanish to english all forum pages on this subject updated as of 102609 712am eastern time PDF I made for ya'll

      http://www.mediafire.com/file/dmnzt2i3yyy/www.demonhades.org • jtag Provo.pdf

    16. $n!pR
      10-26-2009
      05:05 PM
      16

      Basically what I got from that PDF:

      Jtag data going to this integrated CXD5063GG-1
      CXD5063GG-1 = ASIC / CPU - Video Decryption Device Sony Computer Entertainment Inc., CXD5063GG-1, © & (M)
      2005 SCEI, 120,748 0608HAL
      Google that and I got this info:
      Oneohm:
      Recognizeable?? Yes. All things Sony in typical Sony style. Sony has always implemented what they call "the Dragon" mentality in their gaming consoles which basically means take a bunch of devices normally seperated and swallow them up into one package. I foresee this happening with this console. Here is what I know on the drive:

      BMD-001 board
      Rohm Motor Driver IC BD7956FS "Rohm 7ch Power Driver for CD-ROM" Datasheet available
      Samsung Ram IC K4S641632K-UC75 Samsung 64mbX16 64Mb SDRAM 7.5ns Datasheet Available
      Sony RF AMP (optical control) IC CXA2720R <researching test points for laser calibration (this is my field)
      Spansion EEPROM IC S99-50111-001 (AKA S29AL016D) Spansion S29AL016DFFI02 16Megabit Flash Datasheet Available <BGA device. Anyone willing to Dump?
      Sony MCU IC CXD5063GG-1
      Sony ??? IC CXD5064R < not sure what this does yet
      Macronix MX25L1005 Serial eeprom 1mbitx1 Serial Flash
      JRC/NJM NJM13403 Quad OpAmp <may be used for laser biasing
      Rohm BA5888 motor driver IC
      Sony KES-400A Optical Pickup Assembly

      I haven't dumped the firmware because it is a BGA device. I was really hoping the serial eeprom would be the key to being able to swap the drives.

      The MCU has what appears to be a debug bus on the front edge of the board which may be promising.
      Its tough to determine the interface on the drive. It is routed to the board through a flat ribbon cable which heads directly next to the SATA Controller on the mainboard but there is more than just a SATA connection through the cable. There is 60 pins total. It appears that they are routing both to the SATA controller and their DVD decoder on the original builds.
      Link

    17. provo
      11-20-2009
      09:39 PM
      17

      And just like that this topic fell of the face of the earth.

    18. sykoNsc
      11-03-2010
      08:29 AM
      18

      bump *****es, what's the deal? it's a year later, y'all have surely found something by now.

    19. Pockets69
      11-03-2010
      08:55 AM
      19

      why the hell did you dug this post?!?! its an year old!!! nothing was found!

    20. Mistawes
      11-03-2010
      01:20 PM
      20

      Can I Jtag my PS3 yet..? :P

    21. Pockets69
      11-03-2010
      03:36 PM
      21

      can you read?