Poking Around With JTAG On A Guitar Amp

May 30, 2026 by Al Williams 6 Comments

You would think a guitar amplifier would be a straightforward piece of analog electronics. But, of course, these days, everything has firmware, including [mforney]’s Yamaha THR10c. The service manual showed both a UART and JTAG header on the schematic, so as many of us would, he took that as a challenge.

Of course, the production board doesn’t have headers for these ports, but that’s not a real problem. The serial port seemed quiet, but the JTAG port was more productive. This revealed two binary images: a bootloader and the main firmware. Once you have the code, it is a straightforward, if not laborious, process to reverse engineer what the code does.

The next step is to figure out how to load new firmware. You can see in the post that this was done, and custom features sprang into life with custom-patched firmware.

We never get tired of seeing people dig into consumer devices like this. Things like JTAG and the wide availability of JTAG tools have made it easier but no less fun. Of course, there are even more features [mforney] has in mind, but now that’s just a matter of coding.

Emulating A 74LS48 BCD-to-7-Segment Decoder/Driver With An Altera MAX 7000 “S” Series Complex Programmable Logic Device

November 11, 2025 by John Elliot V 25 Comments

Over on the [Behind The Code with Gerry] YouTube channel our hacker [Gerry] shows us how to emulate a 74LS48 BCD-to-7-segment decoder/driver using an Altera CPLD Logic Chip From 1998.

This is very much a das blinkenlights kind of project. The goal is to get a 7-segment display to count from 0 to 9, and that’s it. [Gerry] has a 74LS193 Up/Down Binary Counter, a 74LS42 BCD to Decimal Decoder, and some 74LS00 NAND gates, but he “doesn’t have” an 74LS48 to drive the 7-segment display so he emulates one with an old Altera CPLD model EPM7064SLC44 which dates back to the late nineties. A CPLD is a Complex Programmable Logic Device which is a kind of precursor to FPGA technology.

Continue reading “Emulating A 74LS48 BCD-to-7-Segment Decoder/Driver With An Altera MAX 7000 “S” Series Complex Programmable Logic Device” →

A thick, rectangular device with rounded corners is shown, with a small screen in the upper half, above a set of selection buttons.

Further Adventures In Colorimeter Hacking

September 9, 2025 by Aaron Beckendorf No comments

One of the great things about sharing hacks is that sometimes one person’s work inspires someone else to take it even further. A case in point is [Ivor]’s colorimeter hacking (parts two and three), which started with some relatively simple request spoofing to install non-stock firmware, and expanded from there until he had complete control over the hardware.

After reading [Adam Zeloof]’s work on replacing the firmware on a cosmetics spectrophotometer with general-purpose firmware, [Ivor] bought two of these colorimeters, one as a backup. He started with [Adam]’s method for updating the firmware by altering the request sent to an update server, but was only able to find the serial number from a quality-control unit. This installed the quality-control firmware, which encountered an error on the device. More searching led [Ivor] to another serial number, which gave him the base firmware, and let him dump and compare the cosmetic, quality-control, and base firmwares.

Continue reading “Further Adventures In Colorimeter Hacking” →

JTAG & SWD Debugging On The Pi Pico

January 18, 2025 by Tom Nardi 20 Comments

[Surya Chilukuri] writes in to share JTAGprobe — a fork of the official Raspberry Pi debugprobe firmware that lets you use the low-cost microcontroller development board for JTAG and SWD debugging just by flashing the provided firmware image.

We’ve seen similar projects in the past, but they’ve required some additional code running on the computer to bridge the gap between the Pico and your debugging software of choice. But [Surya] says this project works out of the box with common tools such as OpenOCD and pyOCD.

As we’ve cautioned previously, remember that the Pi Pico is only a 3.3 V device. JTAG and SWD don’t have set voltages, so in the wild you could run into logic levels from 1.2 V all the way to 5.5 V. While being able to use a bare Pico as a debugger is a neat trick, adding in a level shifter would be a wise precaution.

Looking to get even more use out of those Pi Picos you’ve got in the parts bin? How about using it to sniff USB?

Smartwatch Snitches On Itself And Enables Reverse Engineering

July 4, 2024 by Dan Maloney 10 Comments

If something has a “smart” in its name, you know that it’s talking to someone else, and the topic of conversation is probably you. You may or may not like that, but that’s part of the deal when you buy these things. But with some smarts of your own, you might be able to make that widget talk to you rather than about you.

Such an opportunity presented itself to [Benjamen Lim] when a bunch of brand X smartwatches came his way. Without any documentation to guide him, [Benjamen] started with an inspection, which revealed a screen of debug info that included a mysterious IP address and port. Tearing one of the watches apart — a significant advantage to having multiple units to work with — revealed little other than an nRF52832 microcontroller along with WiFi and cellular chips. But the luckiest find was JTAG pins connected to pads on the watch face that mate with its charging cradle. That meant talking to the chip was only a spliced USB cable away.

Once he could connect to the watch, [Benjamen] was able to dump the firmware and fire up Ghidra. He decided to focus on the IP address the watch seemed fixated on, reasoning that it might be the address of an update server, and that patching the firmware with a different address could be handy. He couldn’t find the IP as a string in the firmware, but he did manage to find a sprintf-like format string for IP addresses, which led him to a likely memory location. Sure enough, the IP and port were right there, so he wrote a script to change the address to a server he had the keys for and flashed the watch.

So the score stands at [Benjamen] 1, smartwatch 0. It’s not clear what the goal of all this was, but we’d love to see if he comes up with something cool for these widgets. Even if there’s nothing else, it was a cool lesson in reverse engineering.

Fixing Issues With Knockoff Altera USB Blasters

June 9, 2024 by Maya Posch 14 Comments

One exciting feature of hardware development involving MCUs and FPGAs is that you all too often need specific tools to program them, with [Doug Brown] suffering a price tag aneurysm after checking the cost of an official Altera/Intel USB Blaster (yours for $300) to program a MAX 10 FPGA device with. This led him naturally down the path of exploring alternatives, with the $69 Terasic version rejected for ‘being too expensive’ and opting instead for the Waveshare USB Blaster V2, at a regretful $34. The amazing feature of this USB Blaster clone is that while it works perfectly fine under Windows, it works at most intermittently under Linux.

This led [Doug] down the path of reverse-engineering and diagnosing the problem, ultimately throwing in the towel and downclocking the Altera CPLD inside the adapter after finding that it was running a smidge faster than the usual 6 MHz. This was accomplished initially by wiring in an external MCU as a crude (and inaccurate) clock source, but will be replaced with a 12 MHz oscillator later on. Exactly why the problem only exists on Linux and not on Windows will remain a mystery, with Waveshare support also being clueless.

Undeterred, [Doug] then gambled on a $9 USB Blaster clone (pictured above), which turned out to be not only completely non-functional, but also caused an instant BSOD on Windows, presumably due to the faked FTDI USB functionality tripping up the Windows FTDI driver. This got fixed by flashing custom firmware by [Vladimir Duan] to the WCH CH552G-based board after some modifications shared in a project fork. This variety of clone adapters can have a range of MCUs inside, ranging from this WCH one to STM32 and PIC MCUs, with very similar labels on the case. While cracking one open we had lying around, we found a PIC18 inside, but if you end up with a CH552G-based one, this would appear to fully fix it. Which isn’t bad for the merest fraction of the official adapter.

Thanks to [mip] for the tip.

Pi with the PiFEX shield on the right, the SSD under test on the left with testpoints held by a jumper clip, jumper wires connecting the two together

JTAG Hacking An SSD With A Pi: A Primer

May 12, 2024 by Arya Voronova 4 Comments

[Matthew “wrongbaud” Alt] is well known around these parts for his hardware hacking and reverse-engineering lessons, and today he’s bringing us a JTAG hacking primer that demoes some cool new hardware — the PiFEX (Pi Interface Explorer). Ever wondered about those testpoint arrays on mSATA and M.2 SSDs? This write-up lays bare the secrets of such an SSD, using a Pi 4, PiFEX, OpenOCD and a good few open-source tools for JTAG probing that you can easily use yourself.

The PiFEX hat gives you level-shifted bidirectional GPIO connectors for UART, SPI, I2C, JTAG, SWD and potentially way more, an OLED screen to show any debugging information you might need, and even a logic analyzer header so that you can check up on your reverse-engineering progress.

Continue reading “JTAG Hacking An SSD With A Pi: A Primer” →