The Hardware Hacking Tutorial series is to share information on how to do hardware hacking and how to do reverse engineering. The series is useful both for beginners and experts.
In this video I will introduce the JTAG interface, an interface that you can find on almost all of your IoT devices like routers, webcams, electronic toys, TV remotes and so on.
I will explain why this interface can be so useful in hardware hacking and how to find its position and pin-out using simple techniques like, for example, using a multi-meter or a cheap Jtagulator board. And when the pin-out is known, but the JTAG interface is not working, I will explain the reasons why this can happen and what to do to solve the issue.
This is the third episode of the series “Hardware Hacking Tutorial” in this complete series we will talk about the hacking process based on:
- Information Gathering from our device
- Building an emulation environment where to run interesting binaries
- Discovering how the device works
- And then hack the device and modify its firmware
In this episode we will talk about how to find the JTAG Interface and why this interface is so important in the hardware hacking process.
The JTAG Interface
JTAG is an industry standard, usually implemented in complex integrated circuits; this standard was issued for the first time in 1990, with the purpose to simplify the testing of PCB after manufacture.
It allowed controllability and observability of each bit of internal memory of each integrated circuit and allowed to check the integrity of each single trace connecting different integrated circuits in the PCB.
Controllability is the ability to easily set, to zero or to one, each internal bit of memory of an integrated circuit to check that none of them is stuck at zero or 1.
Observability is the ability to easily check the value of each internal bit of memory or register. It is achieved using additional circuitry and specialised long shift registers.
A side effect of this purpose is the possibility to read and write the flash memory content and, with later improvement to the standard, the possibility to use the JTAG interface as the primary mean to do in-circuit debugging that means being able to run a debugger on the real firmware running on the real hardware.
Multiple integrated circuits in a PCB are daisy chained together so that we can access each one of them.
The JTAG interface usually has 4 or 5 pins that are
- TCK, test clock
- TDI, test data in
- TDO, test data out
- TMS, test mode select
- TRST, test reset. It is optional because it is possible to reset the interface with a command sent using the other pins
The JTAG Interface in the Hardware Hacking
In hardware hacking project we are very interested in the JTAG interface mainly for two reasons:
- it allows to read and write the content of the EEPROM, so it can be used to dump the entire EEPROM content. It can also be used to restore the original firmware in case of bricking the device during our firmware modification trials. Obviously we should have saved the original firmware before tinkering with it!
- it allows to break into the boot cycle and use the JTAG interface as a mean to do “in circuit debugging” this means using a debugger with the real firmware on the real hardware
- doing these two things is not easy, there is a lot of information on Internet on how to proceed, but it is quite complicated
- and we need a serial based interface board to attach a PC to the JTag interface, the two most popular interface boards in the Open Source and hacker community are Bus Pirate and Bus Blaster (links below)
- we also need a software to interact with the interface boards and the JTAG itself, to dump the EEPROM content or to enable “in circuit debugging”; the most popular software in the Open Source world is OpenOCD (link below).
How To Find The JTAG Interface
To find the position of the JTAG interface we follow “the easiest path first” principle, this means that first of all we search on Internet to see if someone else has already done the job for us and has already found where is located the JTAG interface in our device.
We can start looking at the board searching for pins labeled with the names of the JTAG interface like TCK, TDI, TDO and TMS.
If we are not lucky in searching on Internet or in looking at labels on our board, finding the position of the JTAG interface it’s not easy; one of the reasons is that there are no standardised connectors and pin-out; anyway there are few popular pin-outs, some of these pin-outs are available on the jtagtest website (link below). This website seems to not have been updated recently, but probably, it still has the largest number of popular JTAG connectors and pin-outs.
The most common pin-out are logically arranged based on the System on a Chip that you have on your board, often, for the same System On A Chip you can have many possible pin-outs. Sometimes it is the SoC manufacturer to recommend a specific pin-out, sometimes it is the board manufacturer that prefer a specific pin-out and some other times the pin-out is totally custom and is not available on this website. Anyway this website is a good starting point.
If we don’t find any JTAG pin label on our board, we start searching for pin headers arranged in a single row of 5 or 6 pins or in a double row of 10, 12, 14, or 20 pins.
When we have found the pin candidates we can use a multi-meter to find the possible pin-out because finding GND and VCC is easy, usually TMS and TDI have a pullup resistor, TRST usually can have a pull up or a pull down resistor and TDO should be an high impedance input.
Once we have identified GND, VCC and taken pin resistance and voltage measurements we can compare what we have found with popular pin-out in the jtagtest website and, if we are lucky, we can identify the JTAG pinout using a simple multi-meter. On the video there is a demo of this approach.
If we know the System On a Chip and if we have his data sheet we can locate the JTAG pins on the chip and then follow PCB traces to identify the connector, but this is usually very difficult for two possible reasons:
- often the System On a Chip is a surface mount device with pins below the package and it is impossible to identify them on the Printed Circuit Board.
- when the System On a Chip has a package that shows his pin and it is easy to identify the JTAG pins, it can be difficult to follow the traces on a multi-layer board and today, almost all boards are multi-layer.
The best and easy solution, once we have identified potential JTAG pin candidates, is to use Jtagulator. Jtagulator is a fantastic tool, it has a lot of headers that we can attach to potential JTAG pin candidates, it can run some automatic scanning logic and identify the JTAG pinout. On the video there is a demo using Jtagulator.
Why The JTAG Interface doesn’t work
Also if you find the JTAG connector visually inspecting the board, checking with a multi-meter and comparing what you have found with the jpegtest website, more often than not you will not able to confirm the pin-out with Jtagulator and you will not be able to use OpenOCD, or other software, to interface to your JTAG connector, because there are many possibilities that this interface has been disabled:
- may be in the mass production it is missing the pull-up resistor in the TRST pin, in this way the JTAG interface is always in a reset state and it will not function. This issue can be solved putting a resistor of about 300 Ohm or 1 KOhm between this pin and VCC
- usually between each JTAG connector pin and the related SOC pin there is a low value resistor that can be missing during mass production and it is included only in the prototype boards. This issue can be solved putting back this resistor or making a direct connection short circuiting the resistor pads
- many System On a Chip have multiple functions assigned to the same pin; writing to a CPU register it is possible to select what kind of function you want on a certain pin. Often, after boot, in our device the JTAG pin is not available because another function has been selected on the multi-function SOC pin
- Many System On a Chip have the possibility to temporary disable the JTAG interface and this can be disabled writing to a register by the boot loader or by the Operating System
- Few System On a Chip can permanently disable the JTAG interface with an instruction blowing a fuse, in these cases there is no possibility to bring back the JTAG interface unless you have expensive and specialized equipment and silicon expertise
- If the JTAG interface has not been permanently disabled usually it will be available when our IoT device cannot boot, may be because it has a corrupted boot loader; in these cases no instruction has been executed yet on the SOC to disable the JTAG pins and they are available to be used to restore the content of the EEPROM and to un-brick the device.
- Channel’s Author
- Channel’s Web Site
- The sample router (Gemtek WVRTM-127ACN) on techinfodepot
- The sample router (Gemtek WVRTM-127ACN) reverse engineered on GitHub
- The JTagulator website
- TTL Serial Adapter (affiliate link)
- PuTTY, the terminal emulator
- Bus Pirate
- Bus Bluster
- J-Link Debug Probes
- Website with popular JTAG pinout
- Previous episode #02