0x04 - Analyzing JTAG (2024)

1. JTAG Internals

JTAG is a hardware (debug) interface that communicates directly with the microcontroller
- If the IoT device is not running a full-fledged OS or
- the hardware does not provide a serial interface,
- a lower-level debug approach, JTAG, is usually available
JTAG is a standard way of testing and debugging chips on the device
- identifying manufacturing defects
  - identifying faulty components
  - missing components in a PCB
  - unconnected pins or incorrect placement of the device
- device failure conditions
- accessing individual pin values on each chip
- overall system testing
- debugging the various chips (actually running binaries or firmware)
JTAG is not exactly a communication protocol
Access instructions are found on the chip or on the microcontroller specification
Operation mechanism
- Testing technique is known as Boundary Scan
  - sends a data into one of the chips
  - compares the output to the input
  - verifies if it is OK
- Boundary Scan cells embedded into the chips itself (near each pin)
- Boundary Scan description language file
  - defines the capabilities of any single device’s Boundary Scan logic
- Boundary Scan instructions
  - BYPASS
  - SAMPLE/PRELOAD
  - EXTEST
- TAP pins
  - TAP is a collective name given to the JTAG interfaces on a device
  - Test Clock (TCK)
  - Test Data In (TDI)
  - Test Data Out (TDO)
  - Test Mode Select (TMS)
  - Test Reset (TRST, optional)
- TAP controller machine
  - consists of TCK, TMS, TRST
  - manages the overall exchange of data and instructions
- I/O pins of the device
  - are connected serially that form a chain
  - accessed by the Test Access Port (TAP) for testing
- Testing (Boundary Scan) Process
  - TAP controller applies test data on the TDI pins
  - BSR (Boundary Scan Register) monitors the input to the device
  - Data is captured by the Boundary Scan cell
  - Data then goes in the device through the TDI pins
  - Data comes out of the device through the TDO pins
  - Tester verifies the data on the output pin of the device

2. Pentest objectives

Bypass almost all software based security controls
- set breakpoints
- inspect/modify registers/memory/stack
- change binary/firmware execution flow
- inject code into the process memory
- bypass login
Read from/write to flash chip
- if PCB has JTAG access available and
  - contains an onboard flash chip, then the contents can be read/written via JTAG
- dump firmware/bootloader
- write backdoored firmware
- flash modified firmware to device for bypassing restrictions
Debug interfaces sometimes deactivated intentionally for security purposes
- either by software or hardware

JTAG pinout identifier
- JTAGulator (or)
- JTAGEnum Arduino
Communication
- minicom (or)
- screen (or)
- Attify Badge GUI
JTAG Converter/Adapter (any supported FTDI based hardware)
- USB-TTL (or)
- BusPriate (or)
- Attify Badge (or)
- Segger J-Link
OpenOCD
GDB-Multiarch

4. Identify JTAG pinouts

Look JTAG pinouts up online to learn appearance
- instead of pins or pads with holes, PCB usually have plain pads for JTAG
- therefore soldering experience is needed
  - to gain experience practice on Raspberry Pi or Intel Galileo
Open the device
Identify the JTAG pads on the PCB

TCK Test Clock

TDI Test Data In

TDO Test Data Out

TMS Test Mode Select
Method1: JTAGulator
- open-source hardware
- has 24 I/O channels
- discovers JTAG and UART pinouts
- screen or minicom is used for interaction
- connect relevant pins on target device to the JTAGulator channels
- connect GND to GND
- run a screen with the baudrate (need to identify before)
  See Also
  Embedded Analysis - cyphunk/JTAGenum GitHub Wiki Hardware Debugging for Reverse Engineers Part 2: JTAG, SSDs and Firmware Extraction JTAGenum: Unveiling Hidden JTAG Pins Using Arduino The excellent JTAGenum for Arduino
  
  screen /dev/ttyUSB0 115200
- on the command line
  - enter V to set voltage (i.e 3.3)
  - enter B to set number of channels for BYPASS scan instruction
- JTAGulator identifies corresponding pinouts
Method2: Arduino flashed with JTAGEnum
- much cheaper and slower
- discovers only JTAG pinouts
- Arduiono IDE
  - paste JTAGEnum application code
  - select port and Arduino type from menu options
  - upload
- interact with Arduino via a serial connection
  - Serial Monitor of Arduino IDE or
  - screen or
  - minicom
- on the command line
  - enter s to start scanning
- JTAGEnum identifies corresponding pinouts

5. Connecting JTAG

OpenOCD
- open-source software
- to perform On Chip Debugging via JTAG
- interacts with a hardware debugger’s JTAG port
  - debug chips
  - set breakpoints
  - program and interact flash chips
  - dump firmware and sensitive data
Adapter (Attify Badge) pin layout

D0 TCK Test Clock

D1 TDI Test Data In

D2 TDO Test Data Out

D3 TMS Test Mode Select
Connect the JTAG pins to the adapter (Attify Badge)

JTAG Adapter

CLK TCK (D0)

TDI TDI (D1)

TDO TDO (D2)

TMS TMS (D3)
- NOTE: The pins functioning as CLK, TDI, TDO, and TMS differs
  - based on the processor or controller of the target device.
  - Need to review datasheet
- find the OpenOCD configuration file for the adapter (Attify Badge JTAG)
  - badge.cfg is available
- find the configuration file for the device
  - check if the target device’s TAP controller is supported by OpenOCD
    See Also
    JTAGenum Open Source Project
    
    ls openocs/tcl/<target>
  - if it does not exists, manually create one for it
```
openocd –c "telnet_port 2121" –f badge.cfg –f target.cfg telnet localhost 2121reset initflash bankshalt
```

JTAG	Adapter
CLK	TCK (D0)
TDI	TDI (D1)
TDO	TDO (D2)
TMS	TMS (D3)

6. Read data

Read data over JTAG

Method 1

flash banksdump_image firmware.bin 0x08000000 0x00010000flash banks

Method 2

mwd 0x00 0x20

7. Write data to target

Write data over JTAG

flash banksflash write_image erase firmware.bin 0x08000000flash banks

8. Debugging with GDB

gdb-multiarch program.bin set architecture arm target remote localhost:3333

hbreak < function-name >
continue standard binary reversing

References

JTAG Explained

FAQs

What is JTAG analysis? ›

JTAG (named after the Joint Test Action Group which codified it) is an industry standard for verifying designs of and testing printed circuit boards after manufacture. JTAG implements standards for on-chip instrumentation in electronic design automation (EDA) as a complementary tool to digital simulation.

Discover More Details ›

What is JTAG debugging? ›

JTAG hardware debugging is a vital technique for diagnosing and debugging hardware and software issues in embedded systems and integrated circuits, making it a valuable tool in the field of electronics design and testing. Debugging: JTAG is commonly used for debugging embedded systems and microcontrollers.

What is the TMS signal in JTAG? ›

TMS (Test Mode Select) – this signal is sampled at the rising edge of TCK to determine the next state. TDI (Test Data In) – this signal represents the data shifted into the device's test or programming logic.

Read On ›

What is JTAG interface used for? ›

You may be familiar with JTAG because you have used tools with a JTAG interface. Processors often use JTAG to provide access to their debug/emulation functions and all FPGAs and CPLDs use JTAG to provide access to their programming functions.

Tell Me More ›

What is JTAG for dummies? ›

Introduction. JTAG is commonly referred to as boundary-scan and defined by the Institute of Electrical and Electronic Engineers (IEEE) 1149.1, which originally began as an integrated method for testing interconnects on printed circuit boards (PCBs) implemented at the integrated circuit (IC) level.

What are the signal levels for JTAG? ›

JTAG/TCK frequencies from 30MHz to 8KHz are supported, at integer divisions of 30MHz from 1 to 3750. Common frequencies include 30MHz, 15MHz, 10MHz, 7.5MHz, and 6HMz.

Explore More ›

What are the names of JTAG signals? ›

When you debug your design with the JTAG interface, the JTAG signals TCK , TMS , TDI , and TDO are implemented as part of the design. Because of this, the Timing Analyzer flags these signals as unconstrained when an unconstrained path report is generated.

What is a TMS signal? ›

The most generally used reference compound is tetramethylsilane (TMS). In practice, a small amount of tetramethylsilane is usually added to the sample so that a standard reference absorption line is produced. The distances between the signals of the sample and the reference signal are given in hertz.

Keep Reading ›

Why is JTAG needed? ›

Embedding JTAG/boundary-scan logic in chips makes the pins readily accessible and allows test signals to be transmitted between devices, independent of the type of package or device complexity without external probing. Testing is essential to guarantee the quality of your products.

Know More ›

What pins are needed for JTAG? ›

A device operating in JTAG mode uses four required pins— TDI , TDO , TMS , and TCK — and one optional pin, TRST . The TCK pin has an internal weak pull-down resistor, while the TDI , TMS , and TRST pins have weak internal pull-up resistors.

Read On ›

Where can I use JTAG? ›

This means you can use JTAG to debug embedded devices by allowing access to any part of the device that is accessible via the CPU, and still test at full speed. This has since become a standard emulation debug method used by silicon vendors. JTAG can also provide system level debug capability.

See Details ›

What is the importance of JTAG? ›

JTAG is more than just a testing protocol; it's a critical tool for designing, manufacturing, and testing modern electronics. Its ability to probe hardware and do in-system programming makes it indispensable in ensuring the quality and reliability of electronic products.

TCK	Test Clock
TDI	Test Data In
TDO	Test Data Out
TMS	Test Mode Select

D0	TCK Test Clock
D1	TDI Test Data In
D2	TDO Test Data Out
D3	TMS Test Mode Select