Understanding hardware hacking: a guide to JTAG and SWD

12 March 2024 · 4 minutes · Author: D2-R2

This article is devoted to hardware hacking. It is an educational resource for anyone interested in the field, describing the key technologies and techniques used in it.

JTAG

JTAG enables boundary scanning. A boundary scan exercises specific circuits through the boundary scan cells and registers built in at each pin.

The JTAG standard defines special commands for boundary scanning, including the following:

  • BYPASS allows you to test a specific chip without the overhead of going through other chips.

  • SAMPLE/PRELOAD samples the data entering and leaving the device when it is in normal operation.

  • EXTEST sets and reads pin states.

It can also support other commands such as:

  • IDCODE to identify the device

  • INTEST for internal device testing

You may come across these instructions when using a tool like JTAGulator.

Test access port

Boundary scan is driven through the Test Access Port (TAP), a general-purpose four-wire port that provides access to the JTAG test support functions built into the component. The TAP uses the following five signals, the last of which is optional:

  • Test Clock Input (TCK): TCK is a clock signal that determines how often the TAP controller performs one action (in other words, moves to the next state of its state machine).

  • Test Mode Select Input (TMS): TMS controls the state machine. After each clock tick, the device's JTAG TAP controller checks the voltage on the TMS pin. If the voltage is below a certain threshold, the signal is considered low and interpreted as 0; if it is above that threshold, the signal is considered high and interpreted as 1.

  • Test Data Input (TDI): TDI is the pin that sends data into the chip through the scan cells. Each vendor is responsible for defining the communication protocol over this pin, since JTAG itself does not define it.

  • Test Data Output (TDO): TDO is the pin that sends data out of the chip.

  • Test Reset Input (TRST): TRST resets the state machine to a known good state. It is optional because holding TMS at 1 for five consecutive clock cycles also resets the state machine, just as the TRST pin would.

Sometimes these pins are labelled on the circuit board; in other cases you will need to find them yourself.
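The behaviour of the TMS-driven state machine can be checked in software. The following is an added example, not code from the article: a Python model of the sixteen states of the IEEE 1149.1 TAP controller. It confirms the two facts above, that TMS alone steers the controller and that five consecutive clocks with TMS=1 reach Test-Logic-Reset from any state, and it derives the TMS sequence that takes a freshly reset controller into Shift-DR, the state in which a pin finder reads IDCODE. The TMS voltage threshold is a constructed value; the real threshold depends on the target's I/O voltage.

```python
# Added example: software model of the IEEE 1149.1 TAP controller, driven only by
# the TMS value sampled at each TCK edge. Not part of the original article.

TAP_NEXT = {
    # state: (next state when TMS=0, next state when TMS=1)
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}

TMS_THRESHOLD_V = 1.5  # constructed threshold; the real one depends on the target's I/O voltage


def sample_tms(voltage):
    """Quantise the voltage seen on TMS into the bit the TAP controller acts on."""
    return 1 if voltage >= TMS_THRESHOLD_V else 0


def clock_tap(state, tms_bits):
    """Apply one TMS bit per TCK cycle and return the resulting state."""
    for bit in tms_bits:
        state = TAP_NEXT[state][bit]
    return state


def clocks_to_reset(state):
    """Count the TCK cycles with TMS held at 1 needed to reach Test-Logic-Reset."""
    count = 0
    while state != "Test-Logic-Reset":
        state = TAP_NEXT[state][1]
        count += 1
    return count


def max_clocks_to_reset():
    """Worst case over all states; this is why TRST can be omitted."""
    return max(clocks_to_reset(s) for s in TAP_NEXT)


def path_to_shift_dr():
    """TMS sequence from Test-Logic-Reset into Shift-DR, where IDCODE is read out."""
    tms = [0, 1, 0, 0]   # Run-Test/Idle -> Select-DR-Scan -> Capture-DR -> Shift-DR
    return tms, clock_tap("Test-Logic-Reset", tms)


if __name__ == "__main__":
    print("worst-case TMS=1 clocks to reset:", max_clocks_to_reset())
    print("from Shift-DR after five TMS=1 clocks:", clock_tap("Shift-DR", [1] * 5))
    print("TMS path into Shift-DR:", path_to_shift_dr())
    print("3.3 V on TMS samples as", sample_tms(3.3), "; 0.2 V samples as", sample_tms(0.2))
```

The transition table is the entire controller: a probe only ever decides the TMS level for the next clock, and every register access is a walk through this table.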

JTAG pin identification

The fastest but most expensive way to discover JTAG ports is to use JTAGulator, a device designed specifically for this purpose (although it can also discover UART pinouts).

It has 24 channels that can be connected to board pins. It then brute-forces all possible pin combinations by sending the IDCODE and BYPASS boundary scan commands. If it receives a valid response, it displays which channel corresponds to each JTAG signal.

A cheaper but much slower way to identify JTAG pins is to use JTAGenum loaded on an Arduino-compatible microcontroller.

With JTAGenum, you first define which pins of the measuring device you will use for the enumeration. Refer to that device's pin diagram, then connect those pins to the test points on the target device.

A third way to identify JTAG pins is to inspect the PCB itself for a labelled pin or connector. In some cases the PCB conveniently provides a Tag-Connect interface, which is a clear indication that the board also has a JTAG connection. You can see what this interface looks like at https://www.tag-connect.com/info/. Checking the datasheets of the chips on the PCB may also reveal pin diagrams that indicate JTAG interfaces.

SWD

SWD is an ARM-specific protocol designed for debugging.

The SWD interface requires two pins: the bidirectional SWDIO signal, which is the equivalent of the JTAG TDI and TDO pins, and the clock SWCLK, which is the equivalent of JTAG TCK. Many devices support a Serial Wire or JTAG Debug Port (SWJ-DP), a combined JTAG and SWD interface that lets you connect either an SWD or a JTAG probe to the target.
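Because SWDIO carries request, acknowledge and data in both directions on one wire, everything depends on a fixed framing. The following is an added example, not code from the article or from ARM: a Python encoder and parser for the 8-bit SWD request header as defined in the ARM Debug Interface (ADIv5) wire protocol, plus the acknowledge codes and the data-phase parity bit. It goes beyond the paragraph above in showing the frame layout; the sample data word is constructed.

```python
# Added example (not part of the original article): the SWD request header a debug
# probe clocks out on SWDIO, modelled from the ARM Debug Interface (ADIv5) protocol.


def swd_request_bits(apndp, rnw, addr):
    """Build the 8-bit request header in wire order (first list element is sent first).

    Start(1) | APnDP | RnW | A[2] | A[3] | Parity | Stop(0) | Park(1)
    APnDP selects the Debug Port (0) or an Access Port (1); RnW is 1 for a read.
    Parity is even over the four fields APnDP, RnW, A[2], A[3].
    """
    a2 = (addr >> 2) & 1
    a3 = (addr >> 3) & 1
    parity = (apndp + rnw + a2 + a3) & 1
    return [1, apndp & 1, rnw & 1, a2, a3, parity, 0, 1]


def bits_to_byte(bits):
    """Pack wire-order bits (LSB first) into a byte, the form probe firmware usually stores."""
    value = 0
    for i, bit in enumerate(bits):
        value |= (bit & 1) << i
    return value


def parse_swd_request(byte):
    """Decode a captured request byte; return None if framing or parity is wrong."""
    bits = [(byte >> i) & 1 for i in range(8)]
    start, apndp, rnw, a2, a3, parity, stop, park = bits
    if start != 1 or stop != 0 or park != 1:
        return None
    if parity != (apndp ^ rnw ^ a2 ^ a3):
        return None
    return {"apndp": apndp, "rnw": rnw, "addr": (a3 << 3) | (a2 << 2)}


# Three-bit acknowledge returned by the target after the header; bit 0 is sent first.
ACK_NAMES = {0b001: "OK", 0b010: "WAIT", 0b100: "FAULT"}


def ack_name(ack):
    return ACK_NAMES.get(ack & 0b111, "protocol error / no response")


def data_parity(word):
    """Even-parity bit that follows the 32-bit data phase."""
    return bin(word & 0xFFFFFFFF).count("1") & 1


if __name__ == "__main__":
    # Read of DP register 0x0, the debug port identification register (DPIDR).
    bits = swd_request_bits(apndp=0, rnw=1, addr=0x0)
    print("DPIDR read header:", bits, "=", hex(bits_to_byte(bits)))
    print("parsed 0xA5:", parse_swd_request(0xA5))
    print("parsed 0x85 (parity error):", parse_swd_request(0x85))
    print("ACK 0b001 means", ack_name(0b001))
    print("parity of constructed word 0x12345678:", data_parity(0x12345678))
```

A probe that is attached to the wrong pair of pins, or that has not performed the JTAG-to-SWD switch on an SWJ-DP, sees no valid three-bit acknowledge after the header; that is the SWD counterpart of the IDCODE check used on JTAG.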
