A very very poor man's JTAG

..well, the title is a bit misleading. A poor man is unlikely to end up getting an expensive WoA laptop, unless he finds one in the trash after the wealthier buyer grew frustrated. But I digress!

There’s a very easy-to-execute trick to get raw MMIO r/w on Windows which can help you when e.g. you’re working on a funny SoC with no documentation or any kind of (public) Linux support.

As it turns out, WinDbg doesn’t ask too many questions.. To get there, you need to:

  1. Disable secure boot (possibly?)

  2. Set some magic values in BCD (from an elevated prompt):

```
bcdedit /set debug on       # Enable kernel debugging of Windows
bcdedit /dbgsettings local  # Allow local (without another machine) debugging
shutdown /r /t 0            # Reboot, NOW (/r /t 0 are shutdown.exe flags; there is no poweroff on Windows)
```

Be careful - this obviously opens up all the security holes a hacker could imagine.. But then, you’re not using Windows for anything serious on your Snapdragon/Otherwise ARM laptop - are you?
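Since those two BCD switches are exactly what you would want to spot on a box that is supposed to stay locked down, here is an added audit script (mine, not part of the original post) that reports them together with the Secure Boot state. It assumes an elevated PowerShell prompt and the built-in SecureBoot module.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: report whether the BCD switches
# described above (kernel debugging on, local debug transport) are set, plus
# the Secure Boot state. bcdedit and Confirm-SecureBootUEFI both need admin.

function Get-KernelDebugExposure {
    # bcdedit prints "name<spaces>value" rows; flatten to one string and regex it
    $current = bcdedit /enum '{current}' | Out-String
    $dbgset  = bcdedit /dbgsettings     | Out-String

    $secureBoot = 'unknown'
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { }   # legacy BIOS or cmdlet unavailable: leave it as 'unknown'

    [pscustomobject]@{
        DebugEnabled = [bool]($current -match '(?m)^debug\s+Yes\s*$')
        TestSigning  = [bool]($current -match '(?m)^testsigning\s+Yes\s*$')
        DebugType    = if ($dbgset -match '(?m)^debugtype\s+(\S+)') { $Matches[1] } else { 'not set' }
        SecureBoot   = $secureBoot
    }
}

$state = Get-KernelDebugExposure
$state | Format-List

if ($state.DebugEnabled) {
    $msg = 'Kernel debugging is ON (transport: {0}). Any local admin can attach WinDbg ' +
           'and read or write physical memory. Revert with: bcdedit /debug off, then reboot.'
    Write-Warning ($msg -f $state.DebugType)
}
```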

  3. Download WinDbg

  4. Start the installer, go through the usual legal fluff

/images/windbg_installer.png
(3a. Make sure to install WinDbg)

  5. Open it up as admin (Ctrl-Shift-Enter, left arrow, Enter)

/images/windbg_start.png
Can't I just have one?

  6. Press Ctrl-K (“Konnekt?”), go to “Local” and connect the debugger

/images/windbg.png
Look at me, I'm the debugge{e, r} now!

  7. Have fun!

/images/windbg_adreno.png
Yes Adreno, Scooby Doo indeed.

For your convenience, the command you’re gonna be using the most is !dd (“display double-word”; the !-prefixed variant reads physical rather than virtual addresses, which is what you want for MMIO). The syntax is as follows:

```
!dd 0xaddr L num-of-dwords-to-read-IN-HEX
```

And try your best not to upset the hypervisor while at it, otherwise you’re gonna see the bootup spinner a lot..