JTAG: 3 onward .... registers showing only 0x00000000?


I’m at a point where I think ‘the wheels came off the track’ … I definitely have openOCD connected to the router’s JTAG and the ‘halt’ command appears to be working, but ‘reg’ and the other related register commands in lesson JTAG: 3 & 4 exercises result in 0x00000000 or always 00s. What gives? Nearly everything has worked as expected until now … BTW thanks for your very informative and complete lessons.


In my experience, this is something i usually blame on the fact that we’re using open-source reverse-engineered tools and shoehorning them on to different platforms that were not designed with them in mind. Yes, OpenOCD has generic MIPS support, but Mediatek didn’t design their SoC with OpenOCD in mind. The result is that sometimes, OpenOCD and the device are out of sync and just ‘don’t work’

the first indicator is when you type the ‘halt’ command - you should see the address of the PC register. This should be something starting with 0x80, which is the location of DRAM in the SoC’s address space. If it starts with 0x00 then either 1) the SoC itself is in an unknown/undefined state or 2) OpenOCD is having trouble communicating with the SoC.

My best advice for the purpose of this class is to fully powercycle everything - Usually just the router, but it doesn’t hurt to disconnect and reconnect your tigard too. After that, it should go back to normal.
If it doesn’t, confirm things are working by looking at the UART log of your device to see it is booting normally.

Sometimes the JTAG pins themselves get shorted or broken in some way - however if that were the case, OpenOCD would spew errors about not detecting devices, instead of getting far enough to allow you to halt and resume. If power cycling doesnt work, go ahead and share a screen capture of OpenOCD’s startup info.


Humm… so, this could be a timing issue? When it appeared that JTAG was connected, actually the Halt command didn’t return anything, so I was wrong to write that Halt was working.

Today OpenOCD hasn’t ever successfully connected to the mt7620 via JTAG … this is the current screen capture -

ken@Ubuntu-coder:~/Downloads$ openocd -f tigard-jtag.cfg -f mt7620n.cfg
Open On-Chip Debugger 0.10.0
Licensed under GNU GPL v2
For bug reports, read
adapter speed: 2000 kHz
Info : clock speed 2000 kHz
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway…
Error: mt7620.cpu: IR capture error; saw 0x1f not 0x01
Warn : Bypassing JTAG setup events due to errors

Tried lots of powercycles and everything else I could think of … with no changes.

I hooked up the router UART pins to the Tigard and watched the boot of OpenWRT in another terminal with Screen - that all looks normal to me.

For Tigard to successfully connect, do I need to time when I power-up Tigard or launch OpenOCD? I got the feeling from your JTAG lab 3 walkthough that those steps don’t matter, as long as the router has booted.

Anything else for me to try? Seems like a hardware issue to me. How could the JTAG pins be shorted? Could that happen if Tigard’s JTAG switch was once in the wrong position?


Pardon my delay, I was out of the office last week and did a poor job of following up.

This indicates that JTAG isn’t working - the “JTAG scan chain interrogation failed: all ones” tells me that you’ve got a wiring issue, or that your router isn’t in JTAG mode.

Things to double check:

  • When you power on the router, what to the LEDs do? Normally, all LEDS flash once before booting. If you’re properly enabling JTAG, then they should not flash.
  • When clipping leads to the LEDs, which side of the LED are you clipping? Remember, we don’t actually care about the LEDs themselves, just the wires to the SoC which happen to be attached to easy-to-probe LEDs on this board. Look at the PCB and make sure you’re connecting to the side of the LED that goes toward the SoC.
  • Once your wires are all connected, give them a gentle tap. They should be sturdy enough to withstand that without falling out. If they do fall out, they probably weren’t sturdy enough to make good electrical connection
  • Be sure that you have a ground wire connected between your router and your JTAG adaper (tigard) and that you have the correct swiches set on Tigard (JTAG mode and VTGT=3.3v)

Let me know how that goes. If it still doesn’t work, perhaps share a photo of your setup so we can debug further.


No problem at all, I figured you were tied-up. Meanwhile, I worked out my JTAG problem - it definitely was a connection issue, I was a bit of a noob with the HP probe clips.The Dupont wires were correctly attached to the right LED leads, the connectors were all snug, in fact the TDI and TDO connectors were in their shells but not connected to the pin, next to it! The black insulation did its job and the wires were not connected … I’m amazed that occasionally I got anything to work, without I/O! After I properly connected the wires to the probes, the exercises in the lab worked perfectly.

Thanks for all the advice and support,

1 Like

Half my time is spent checking and double checking wiring. The other half is spent confused or cursing myself for not triple checking.
The hard part is figuring out how to give everyone hands-on experience with that without driving them mad…


I see your dilemma with devoting just enough time to teaching the sound practice of double checking all connections. In my case I would add this advice - when prudent, check the electrical conductivity of new connections.

After my experience of botching the wire connections, I did go back to watch your video about the HP probe clips, to see if you addressed my problem but I missed it … didn’t see anything about the connectors on your wires, other than you are in a process of changing your source or type of those wires. https://learn.securinghardware.com/topic/probes-and-clips/

Your email brings to mind some early experiences with Tandy/ Radio Shack junk, where they used power supplies that had DC negative on the center of the power connector, the opposite of everyone else. My take away lesson from those days - triple check the polarity of all DC power connections. Over time, this practice has saved me lots of grief!

I do have a question about my Applied Physical Attacks #1 coarse … I’d like to finish my remaining lessons in the allotted time. How much time is left of the 3 months coarse time for me? I tried to fit a lot into this spring and mostly succeeded but wished I had more time for your you classes. I hope to finish my JTAG sessions this weekend. I’m really interested in doing all the Firmware sessions - those looks really interesting to me.

I see that some of the Advanced Hardware and Practical Exercises are ‘still a work in progress’ … do you plan to complete those during this coarse period?

Thanks for offering this class. I’ll be watching for your future classes, so I can participate and continue my ‘improving hardware’ education.


Sorry for my huge delay, my post notifications still seem to be flaky and i totally missed this one.

I haven’t yet put any limits on locking out anyone from material, and at this point i don’t think I plan to.

The 90 day limit allows me to do a few things:

  1. limit the number of people who will be requiring support at any point in time
  2. ensure that the hardware in your kit matches the labs on the site
  3. have a hard cutoff point for people trying to use the training as a cheap alternative to hiring a hardware security consultant.
  4. give me an ‘out’ after 90 days in case I am no longer able to maintain the online training.

I’ll be revising my website’s wording shortly, but in effect, the ‘90 days’ will be full access, support, and guarantee the material matches your hardware, plus replacement of broken hardware. After the 90 days, you’ll still have access the all the material.

In practice, I’m always going to answer questions, but my priority will be to those currently enrolled in the latest version of the course.

The Advanced Hardware and practical exercises were previews of APA#2 labs that i put into APA#1 rather than keep locked up. I’m hoping to wrap them up and roll out APA#2 online this fall, when those currently enrolled should get access to the final versions (but new registrants will need to pay extra) :slight_smile:


1 Like

Ha came here with the same question - in my case I was getting:

Error: isa info not available, failed to read cp0 config register: 0

I’d powercycled, checked the LED connections etc but your comment made me realise that one of the cables had come out from one of the clippers :man_facepalming: - pushed it back in and works again.

Dumb stuff but not used to ‘debugging’ the ‘hardware’ elements!

One thing i like to emphasize - especially to people starting out - is that no matter how deep into hardware hacking you get, you’re gonna deal with stuff like that.

Imagine a software project where a stray semicolon or whitespace changed the functionality of your program - but there was on error message telling which line the problem was, and no way to ‘diff’ your code versus a known golden copy - that’s what chasing down wiring issues is.

1 Like