GoKawiilI’m having a lot of fun with reverse engineering lately, so when I was looking over the service manual for my guitar amp, a Yamaha THR10c, and saw references to a UART header in the schematic, I got excited. I wondered if anything cool was hiding in there. Next to it was a JTAG header. I knew next to nothing about JTAG, but had heard the name before associated with hardware hacking, so maybe that would be useful as well.
I had a few ideas of some changes I wanted to make to the firmware, so my main goal with this project was to find a way to dump the firmware and reflash the amp with a modified firmware.
One initial idea I had in mind was to add a way to toggle the guitar speaker simulation on and off so I could hook it up to real guitar speakers (either through a modification to add speaker out jacks, or hooking it up to a TPA3118 power amp module). While not officially supported, you can do this in the stock firmware by using a computer or phone to send a special MIDI SysEx command over USB. However, the speaker simulation reverts back to normal when you change the amp model, and the volume is raised considerably as a side-effect.
Another thing I wanted was a mode where the internal speaker would play even when the headphone port was connected (for instance, to additional speakers or a mixer).
Here’s the amp all closed up with JTAG and UART hooked up to the mini module.
I hooked all this up to a 2x5 header, along with a jumper wire from V3V3 to VIO as described in the mini module datasheet. I also added a jumper from CN3-1 to CN3-3 to use USB bus-power for the FT2232H.
On the FT2232H, AD0-AD3 are used for TCK, TDI, TDO, and TMS respectively. AD4-7 are regular GPIO pins and are configured in software. When I first connected my amp to the mini module, I did not connect the reset pins, which turned out to be a problem: TRST is active-low and pulled to ground by R17, so to enable the TAP controller it needs to be set high. This can be done by connecting TRST to VCC, but to allow the JTAG software to reset the TAP controller, we can use the GPIO pins on the mini module. I used AD4 for TRST and AD5 for SRST.
The JTAG header (CB3) on my amp had 8 pins, most of which were connected directly to a labeled pin on the SSP2 (the main chip of the amp) so I didn’t have to go through the process of discovering the mapping myself. There was one pin that went into an AND gate and then to a pin labeled ICN on the SSP2. The other input to the gate was the output of an R3112N291A-TR-F IC. This appears to be some sort of low voltage detector, and the datasheet mentions that it can be used for system reset, which seemed likely.
It seems that the most popular and well supported JTAG adapters are the FTDI FT2232H-based ones. One benefit of this chip is it has two multi-purpose channels, so I can use JTAG on one and UART on the other (assuming I could get it working). There are lots of options available here, but most of the links to these products from the UrJTAG and OpenOCD documentation were dead. I went with the FTDI FT2232H Mini Module.
One of the best resources I found was a post by wrongbaud , which walked through the whole process of using JTAG with a device you know nothing about.
... continue reading