Howto: JTAG interface on a Dish 3700 Receiver
I picked up this receiver in a box of stuff at a yard sale for $2. We have DirecTV service here, so I was left wondering what the hell I could do with such an archaic device. A quick search shows that apparently I can’t get the card activated any more. From dabbling with various embedded environments, I was familiar with a JTAG interface and I learned that this box indeed has one.
So what can we do with this? I’m led to believe that Dish hackers use this interface to take a snapshot of the firmware on the dish and replace parts of it as they need to. We’ll go into no such nonsense – under fear of the DMCA – however I don’t believe that discussion of or probing the JTAG interface falls under such legislation, unless I receive a letter from a company involved. So here we go:
You will need:
- 5 × 100 ohm resistors, at least 1/4 watt.
- Category 5, or some other kind of signal cable
- A female DB-25 connector
- Some software to read the JTAG interface on the parallel port
You will also obviously need a soldering iron and some proficiency in using it. We’re not dealing with any SMT devices or anything here, the pin holes are quite large and should pose little difficulty for anyone that’s ever soldered anything before in their life. You will want your cable long enough to reach from the box to the back of your PC. In my case, I simply chickened out and cut up a printer cable, but OrganizedChaos used Cat5 with success.
It became obvious that I would have been able to access the JTAG port from outside the case, without even opening it – I assume this is so that Dish can test and possibly program the boxes before they leave the factory. The JTAG pins are pins 184-190 on the CPU (as can be referenced from the datasheet found at Datasheet Archive). The traces are absolutely tiny, so it takes some serious time to follow them to the correct pads – an ohmmeter with tiny probes speeds things up considerably.
In our case, we won’t be powering the JTAG interface – we’ll simply plug the unit in, leave it off, and let the standby power supply the juice necessary for our probing. I imagine this would be much more reliable than trying to supply 3.3v from our parallel port.
The first thing I did was source 5 100ohm resistors. I managed to find two in an ATX power supply, and another four off the board of a television set. I needed the extra one because I broke one swinging it around on the PCB. I straightened the legs out, and soldered one resistor into each of the pads that require them.
In the diagram below, I’m labeling each of the pins going down in two pairs from what I’m assuming is the “#1 pin” (the one closest to the angle that’s been chopped off the box on the PCB). This pin layout is not the standard 20-pin JTAG! I was probably pretty lucky I traced the tracks and didn’t just assume it was standard, because I’m sure I’d either have killed my printer port or the dish box (the former being the bigger deal) if I’d just blindly hooked it up. By the way, if you check out the full-size photo to the right, the pins are highlighted in mouseover notes for your information.
You will notice that pins 19-25 are connected to the grounded pins on the JTAG interface – this probably isn’t necessary, one would probably suffice (I’m pretty sure pins 18-25 are all connected at your PC’s parallel port), I just got frisky with the soldering iron. Pins 2, 3, 4, 5 and 13 are where the action is, so you’ll want to make sure the connections through the resistors are pretty good. OC put his resistors on the DB25 connector, I put mine on the board, either way… doesn’t matter.
Once everything’s soldered up, plug the DB25 cable into your PC, then plug the box in but don’t turn it on. You’ll need some software – after googling around I found some software called jKeys which seems to work pretty good. I should point out that it’s often used for theft of service and I’d really rather steer clear of that on this website – do not email me about trying to steal Dish Network TV.
Once you point your software at the parallel port, you should be able to find out all kinds of nifty information about the device. I’m led to believe JTAG supports in-circuit debugging… we’re actually toying with the idea of playing around with a Dish x700 “hello world” application, because looking at the datasheets for the STi5500 CPU the OSD modules seem pretty trivial to operate.
But for now, we can experiment with all kinds of neat functions that JTAG allows. Happy hacking!
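What software does once it is pointed at the port, as an added example that is not from the original post or from jKeys: it bit-bangs the IEEE 1149.1 TAP through the data register (DB-25 pins 2-5) and samples status bit 4 (pin 13), here reading and decoding the 32-bit IDCODE of a simulated target. The assignment of TCK/TMS/TDI/nTRST to pins 2-5, the `SimulatedTarget` class and the IDCODE value are assumptions constructed for illustration; the text of the post does not say which signal is on which pin.

```python
# Standard PC parallel port: DB-25 pins 2-5 are data-register bits D0-D3
# (outputs); pin 13 is status-register bit 4 (input).
# ASSUMED signal assignment, for illustration only (not taken from the post).
TCK, TMS, TDI, NTRST = 0x01, 0x02, 0x04, 0x08   # pins 2, 3, 4, 5
TDO_STATUS_BIT = 0x10                           # pin 13
# IEEE 1149.1 TAP controller: state -> (next if TMS=0, next if TMS=1)
TAP = {
    "TLR": ("RTI", "TLR"), "RTI": ("RTI", "SelDR"),
    "SelDR": ("CapDR", "SelIR"), "CapDR": ("ShDR", "Ex1DR"),
    "ShDR": ("ShDR", "Ex1DR"), "Ex1DR": ("PauDR", "UpdDR"),
    "PauDR": ("PauDR", "Ex2DR"), "Ex2DR": ("ShDR", "UpdDR"),
    "UpdDR": ("RTI", "SelDR"), "SelIR": ("CapIR", "TLR"),
    "CapIR": ("ShIR", "Ex1IR"), "ShIR": ("ShIR", "Ex1IR"),
    "Ex1IR": ("PauIR", "UpdIR"), "PauIR": ("PauIR", "Ex2IR"),
    "Ex2IR": ("ShIR", "UpdIR"), "UpdIR": ("RTI", "SelDR"),
}

class SimulatedTarget:
    """Constructed stand-in for a chip that selects IDCODE after TAP reset."""
    def __init__(self, idcode):
        self.idcode, self.state, self.dr, self.data = idcode, "TLR", 0, 0
    def write_data(self, value):                 # PC writes the data register
        if value & TCK and not self.data & TCK:  # rising edge of TCK
            if self.state == "CapDR":
                self.dr = self.idcode            # capture the ID register
            elif self.state == "ShDR":
                self.dr = (self.dr >> 1) | (bool(value & TDI) << 31)
            self.state = TAP[self.state][bool(value & TMS)]
        self.data = value
    def read_status(self):                       # PC reads the status register
        return TDO_STATUS_BIT if self.dr & 1 else 0

def clock(port, tms, tdi=0):
    """Pulse TCK once; return TDO as sampled before the rising edge."""
    bits = NTRST | (TMS if tms else 0) | (TDI if tdi else 0)  # nTRST held high
    port.write_data(bits)
    tdo = 1 if port.read_status() & TDO_STATUS_BIT else 0
    port.write_data(bits | TCK)
    port.write_data(bits)
    return tdo

def read_idcode(port):
    for tms in (1, 1, 1, 1, 1, 0, 1, 0, 0):      # reset, then walk to Shift-DR
        clock(port, tms)
    return sum(clock(port, tms=(i == 31)) << i for i in range(32))

def decode_idcode(v):
    return {"version": v >> 28, "part": (v >> 12) & 0xFFFF,
            "manufacturer": (v >> 1) & 0x7FF, "valid": bool(v & 1)}
```

On real hardware the two port methods would be reads and writes of the parallel port's data and status registers; a decoded `valid` of `False` (bit 0 clear) means the register shifted out was not an IDCODE.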
I’ve gone ahead and hosted Jkeys anyway, but I want to make it clear that I don’t support theft of service. The reason I’ve included it is because I haven’t yet found another (free) way of programming the flash after you build something using the STi5500 toolkit. So far I’ve not yet managed to even so much as get the LED to flash, but I did manage to resurrect the box after I thought I’d bricked it.
I’m also including a nifty program called JTango. It’s a JTAG program again, but it’s used for in-circuit debugging. At least, that’s what I gather, I couldn’t make it work with Windows XP. I’ve included the driver that’s allegedly supposed to fix the “Privileged Instruction” error, but it didn’t work for me. If you figure it out, please do let me know.
Now it’s time to hit up more documentation and see if I can at least make the freakin’ box flash its LED or something… at least something to tell me it’s working.