- Wed Aug 15, 2007 12:13 pm
#33759
Hacking existing hardware is fun and maddening all at the same time. You need to be flexible and try lots of random things. Look for any door the designers forgot to close.
Start tracing lines. Find the EJTAG pins on the chip, see if they go anywhere. They may lead to a JTAG header. Also, find any pins called RX and TX. Trace those. It's likely that they go to U140. Since you now know GND, +V, RX and TX, you should be able to figure out if it's some sort of RS232 driver in the MAX2xx family. You could then solder one in place.
However, I would build a small board with a 232 driver and hook up the 4 wires (RX, TX, +V, GND). Then hook it up to a PC running something like hyperterm or similar. Boot the system and see if anything happens. You might need to fuss with different baud rates.
Another attack is to look at any upgrade firmware files. They are probably some standard format. Once you figure that out, you might be able to create your own. Make sure you know how to de-brick the device when (not if) you screw it up.
Is this a networked device? I'd poke at the ports on the device to see what happens. Sometimes they leave something open and it could give you a back door.
Finally, if you can track down the JTAG port pins, you could get a debugger. I have no idea if something is available, reasonable price or not.
For me, the goal would be to figure out if there is some sort of boot loader. If there is, I would try to figure out how to use it to boot a file that I supply. Then I'd look to put Linux on it and go from there. I'd definitely bag WinCE.
[edit] I got curious and looked at the manual. The chip is a BGA so you won't easily get at the pins (balls, actually). The serial pins are called TD and RD but there is probably no way to trace. Do you have an O'scope or logic analyzer or access to one? Great tool for this sort of thing. Might be hard without [/edit]
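
Added example, not part of the original post: one way to start on the "figure out the firmware file format" step is to scan the upgrade file for well-known magic numbers and confirm any gzip hit by actually decompressing it, since short signatures produce false positives. The sample blob and its `ACMEFW` vendor header are constructed for illustration; the signature table lists only widely documented formats.

```python
import gzip
import struct
import zlib

# Widely documented magic numbers that often appear inside firmware images.
SIGNATURES = [
    (b"B000FF\n", "Windows CE .bin image"),
    (b"\x27\x05\x19\x56", "U-Boot uImage header"),
    (b"hsqs", "SquashFS (little-endian)"),
    (b"sqsh", "SquashFS (big-endian)"),
    (b"\x1f\x8b\x08", "gzip stream"),
    (b"PK\x03\x04", "ZIP local file header"),
]

def scan(blob):
    """Return sorted (offset, description) for every signature hit in blob."""
    hits = []
    for magic, name in SIGNATURES:
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def confirm_gzip(blob, offset):
    """Try to inflate a gzip stream at offset; return its size or None."""
    try:
        # wbits=31 selects gzip framing; trailing bytes land in unused_data.
        return len(zlib.decompressobj(31).decompress(blob[offset:]))
    except zlib.error:
        return None

def build_sample():
    """Constructed sample: vendor header, gzip payload, SquashFS magic."""
    header = b"ACMEFW" + struct.pack("<I", 0x00010002)  # hypothetical header
    payload = gzip.compress(b"kernel placeholder" * 8, mtime=0)
    blob = header.ljust(0x40, b"\xff") + payload
    return blob.ljust(0x200, b"\xff") + b"hsqs" + b"\x00" * 28

if __name__ == "__main__":
    image = build_sample()
    for off, name in scan(image):
        note = ""
        if name == "gzip stream":
            size = confirm_gzip(image, off)
            note = f" (inflates to {size} bytes)" if size else " (false positive)"
        print(f"0x{off:06x}  {name}{note}")
```

On a real upgrade file, read it with `open(path, "rb").read()` and pass the bytes to `scan()`; work on a copy and keep the original image for recovery.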