10:51 <firelegend> Hey guys. I...have a question. I have a device with a JTAG interface, but it's actually JTAG-like. It supports boundary scan, but the rest of the powerful debug stuff which allow me to modify registers and single step are hidden. Any advice how I may be able to reverse engineer the protocol?

11:07 <firelegend> I mean I guess I could try openocd as-is, but I doubt it would work. My guess is a special mode must be entered by writing specific values for a specific duration

11:09 <karlp> you can do boundary scan with openocd, though tit's not very common.

11:09 <karlp> you're on your own for figuring things out though,

11:09 <karlp> things like TI's icepick might provide some inspiration on what the mechanisms are though?

11:10 <karlp> it's kinda hard to give useful feedback with "I've got this thing, and I want to figure it out" with no further information though :)

11:11 <firelegend> Well it's the proprietary Hitachi Debug Interface so thats about as much as I know. Shares the same pins as JTAG, but everything else is hidden behind an NDA or expensive hardware worth thousands.

11:17 <firelegend> But I also have no idea how to start. Bruteforce the protocol by fuzzing or decap the chip and see what hides underneath, but I have no microscope for that.

11:19 <karlp> I'd be looking for old tools and docs, and, _at least_ talking specifically about what actual part you're trying to target when you speak to people :)

11:20 <karlp> I mean https://www.manualslib.com/manual/1204310/Hitachi-Sh7750-Series.html?page=712 looks relevant?

11:21 <firelegend> Well it's an automotive ECU with a Renesas MCU. I've been reverse engineering the firmware, however without tracing and single stepping I am at a loss

11:21 <firelegend> Yes, I have access to the datasheet, but it doesn't say anything about the other modes except boundary scan, and upon further research I was told all that related documentation of the JTAG-like interface is hidden behind NDAs for select few companies.

11:22 <karlp> well, maybe someone else will help. You stillw on't even say what cpu you have, so I'm going to back to my own work.

11:23 <firelegend> They are all pretty much the same, but it's SH7055

11:26 <firelegend> Due to the nature of the architecture and compiler, without tracing, register inspection, a lot of functionality is not revealed.

11:26 <firelegend> Especially when important MMIO registers were accessed with adding to a previous offset(not obfuscation) for space savings.

11:34 <firelegend> This might be interesting https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=69ac07f94832ceb4d2344c9c2d2bc8fc04e68124