Jmaxxz edited this page Aug 11, 2016 · 13 revisions

JTAG is available on the AUG-SL01 smart lock. Before altering the lock's firmware or working on this project, it is highly recommended that you back up your device's factory firmware. This will allow you to unbrick your lock's main MCU if something goes awry. I believe it will also let you unbrick the Bluetooth chip as well, but fortunately (for me, not you) I have not had to do this yet.

What you will need

Solder to JTAG Pads

August JTAG

Solder wires to the pads labeled in the above picture. While the pads are very small, the fact that they are through-hole will greatly aid in soldering. If your lock is not running factory firmware you can skip soldering to the TX pin. This pin is not used for JTAG; it is a UART debug interface. Do yourself a favor and label every wire with masking tape and a marker shortly after soldering it.

I recommend removing the white plastic insert covering up the LED ring on the front of the lock and placing masking tape over the wires to limit stress on the solder joints.

August JTAG

Connecting to debugger

With the wires attached, connect your J-Link debugger in the following way:

| Lock | JTAG Debugger |
|------|---------------|
| 3.3v | VTref |
| RST | nTRST |
| TDI | TDI |
| TMS | TMS |
| TCK | TCK |
| GND | RTCK |
| TDO | TDO |
| GND | GND |

Extracting firmware

  1. After connecting your JTAG debugger open J-Flash.
  2. Select Create project from template.
  3. Select the ST\STM32L152CC.jflash template.
  4. Click Start J-Flash.
  5. Save project to your home directory.
  6. Open Options>Project Settings.
  7. On the Target Interface tab select JTAG.
  8. Set speed before and after init to 1000 kHz.
  9. Select Target>Connect.
  10. Select Target>Read back>Entire chip.
  11. Save result as a .bin.

At this point we have a complete copy of the MCU's flash memory. In order to have a copy of only the firmware, I recommend truncating the file to the first 79968 bytes. If your lock had the factory firmware (version 788113bb), these first 79968 bytes will have a SHA1 hash of 79eee9f9b67d85d49bc1693f70b70efc6d8fbf27.
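One way to do the truncation and hash check described above, as an added example that is not part of the original wiki. The function name and the file names in the usage comment are assumptions; the length and SHA1 value are the ones given on this page.

```python
import hashlib
import sys

FIRMWARE_LEN = 79968  # firmware length in bytes, as stated on this page
# SHA1 of factory firmware version 788113bb, as stated on this page
FACTORY_SHA1 = "79eee9f9b67d85d49bc1693f70b70efc6d8fbf27"


def extract_firmware(dump_path, out_path):
    """Copy the first FIRMWARE_LEN bytes of dump_path to out_path.

    Returns (sha1_hex, matches_factory). The full dump is left untouched,
    so it remains available as the restore image.
    """
    with open(dump_path, "rb") as f:
        firmware = f.read(FIRMWARE_LEN)
    if len(firmware) < FIRMWARE_LEN:
        # A short file means the read-back was incomplete; do not trust it.
        raise ValueError(
            f"dump has only {len(firmware)} bytes, expected at least {FIRMWARE_LEN}"
        )
    # Mode "xb" fails if out_path exists, so an earlier backup is never overwritten.
    with open(out_path, "xb") as f:
        f.write(firmware)
    digest = hashlib.sha1(firmware).hexdigest()
    return digest, digest == FACTORY_SHA1


if __name__ == "__main__":
    # Usage (placeholder file names): python extract_fw.py full_dump.bin firmware.bin
    sha1, ok = extract_firmware(sys.argv[1], sys.argv[2])
    print("SHA1:", sha1)
    print("matches factory firmware 788113bb" if ok else "does NOT match the factory hash")
    sys.exit(0 if ok else 1)
```

A mismatch is expected if the lock was not running the factory firmware when it was read; on a lock that was, it points to a bad read-back, so repeat the extraction before flashing anything.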

Unbricking lock/Restoring firmware backup

The following procedure can be used to unbrick the MCU of the lock. It assumes you have made a backup of the lock's firmware prior to bricking, and that the lock's JTAG interface is still functioning.

  1. After connecting your JTAG debugger open J-Flash Lite.
  2. Set the Device to ST STM32L152CC.
  3. Set Interface to JTAG.
  4. Set Speed to 1000.
  5. Click OK.
  6. Select previously backed up firmware for the Data File.
  7. Click Program Device.
