Getting into the Pace 5268AC Router, part 3: Sacrifices Must be Made (to the JTAG gods)

After several unsuccessful attempts to figure out how the password for the PKCS12 archives is generated, I decided to build a jig to interface with the diagnostic port on the front to see if I could find a JTAG interface.  Unfortunately, the connector used had a 1mm pin pitch that was difficult to find an off-the-shelf board to solder to.  This was going to take some Dremel work.

Here’s where we started…

And this is what we ended up with.

Hey, it may be ugly, but it worked.  The next step was to do some bit-banging and other horrible stuff to look for any useful interfaces on these pins.

After a ton of attempts, I came up empty-handed other than the serial console I’d already found. At least this jig makes the console a lot more reliable.

Thanks to the OpenWRT project, I did have a pinout of the particular SoC used in this device.  The next step was to remove the SoC from the board and use a multimeter to find test pads tied to the pins I cared about.

Time to get my hands dirty. After some less-than-precise work with a hot air gun, I got the SoC off of the board and cleaned everything up.

I took photos of both sides of the board to document what I found, and after some time, I managed to find test pads on the board that corresponded to each JTAG pin on the Broadcom SoC. This was a huge pain because the pins on the SoC are 0.4mm wide and 0.4mm apart, so tying into individual ones was pretty frustrating.

The next step is to figure out how to set up a generic MIPS JTAG toolchain using OpenOCD.