JTAG: Joint Test Action Group

Creativity 17th December

What is JTAG?

JTAG, or Joint Test Action Group, is a standardized interface primarily used for testing, debugging, and programming electronic devices like integrated circuits and printed circuit boards. It enables efficient access to and control of internal circuitry for tasks such as boundary scan testing, real-time debugging, and programming microcontrollers.

How to Identify JTAG?

  • Checking documentation.
  • Inspecting for a specific pin pattern.
  • Searching online for relevant information.
  • Using JTAG detection tools.
  • Testing pins with probes.
  • Employing reverse engineering if necessary.

Identifying JTAG: Method 1

Objective:

Utilizing microcontroller pins and a Digital Multimeter (DMM) for JTAG identification.

Description:

In this laboratory session, we will read a microcontroller datasheet to locate the JTAG pinout, then use a Digital Multimeter (DMM) continuity test to trace those pins to the board's headers.

Location:

<lab-dir>/device-jtag-lab-1

Steps:

  1. Identify the name printed on the microcontroller and search for its correct datasheet.
  2. Access the datasheet: Datasheet Link.
  3. Navigate to page 3 of the datasheet to locate the JTAG pins.
  4. Identify clusters of pinouts or headers on the board and number them for reference.
  5. Prepare the multimeter by connecting the black lead to COM and the red lead to VΩmA.
  6. Set the DMM to continuity mode and test each header pin against the microcontroller's JTAG pins.
  7. If the DMM beeps, there is a direct connection between that board pin and the microcontroller pin.

Identifying JTAG: Method 2

Objective:

Implementing automated JTAG pin scanning and identification utilizing JtagEnum on Arduino.

Description:

In this session, we will use JtagEnum to scan and identify JTAG pinouts. More details: JtagEnum Project.

Setup:

  • Arduino microcontroller programmed with JtagEnum code
  • Diva IoT Board
  • Male-Female Jumper wires

Steps:

  1. Plug in the Arduino.
  2. Connect the Arduino to the DIVA board using male-to-female jumper wires.
  3. Connect the JtagEnum board to your PC.
  4. Start the JTAG scan over the serial connection by typing 'S'.
  5. The scan runs continuously and prints "FOUND!" upon identifying JTAG pins.

Identifying JTAG: Method 3

Objective:

Utilize Jtagulator for automated JTAG pin scanning and identification.

Description:

We will use Jtagulator, an open-source hardware tool, to identify JTAG pinouts. More details: Jtagulator Project.

Setup:

  • Jtagulator
  • Diva 2.0 IoT board
  • Jumper wires

Steps:

  1. Connect the Jtagulator to the unknown pins using female-to-female jumper wires.
  2. Open the terminal and type sudo minicom -D /dev/ttyUSB0 -b 115200.
  3. Press 'h' for the menu, then press 'j' for JTAG pin identification.
  4. Type 'v' to set the voltage level to 3.3V.
  5. Type 'i', specify the starting and ending channels, and press spacebar to initiate the scan.
  6. For BYPASS Scan, press 'v' to specify the voltage, then press 'b' to start the scan.

Accessing Microcontroller Peripherals via the Debug Interface

Objective:

Utilize the SWD port to access the GPIOs of an ARM Cortex-M4 microcontroller and generate an LED pattern.

Description:

Students will be introduced to OpenOCD and microcontroller memory mapping.

Location:

<lab-dir>/device-jtag-lab-4

Setup:

  • Diva 2.0 IoT board
  • Expliot SWD adapter
  • Jumper wires

Steps:

  1. Obtain the datasheet of STM32F411RE: Datasheet Link.
  2. Perform a continuity test to identify the LED pins.
  3. Utilize the datasheet to obtain the memory map of the port.
  4. Identify the SWD port and connect the Expliot Nano SWD adapter:
    • Connect the TCK pin on the DIVA board to pin 5 on Nano.
    • Connect the TMS pin on the DIVA board to both pin 3 and pin 4 on Nano.
    • Connect the GND on the DIVA board to any GND on the Expliot Nano.
  5. Launch OpenOCD using: openocd -f <exploit_nano_swd.cfg> -f target/stm32f4x.cfg.
  6. Open a new terminal and connect to OpenOCD over telnet: telnet localhost 4444.
  7. Halt the controller and extract port data.
  8. Execute step operations in OpenOCD until the LED array changes state.
  9. Compare extracted data to identify the bits responsible for LED state changes using:
    • vbindiff file1 file2
  10. Verify findings by writing into the identified memory location:
    • mwh 0x40020814 0xFFFF
  11. Write an OpenOCD script to display a running LED pattern:
    • loop i 0 16 { sleep 100; mwh 0x40020814 [expr 0b1 << $i]}
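
Steps 7 to 9 can be scripted instead of compared by eye in vbindiff. The Python below is an added example, not part of the original lab material: it assumes two raw little-endian dumps of the GPIO register block (for instance saved with OpenOCD's dump_image) and a port base of 0x40020800, inferred from the lab's 0x40020814 minus the STM32F4 ODR offset 0x14; the sample dumps are constructed.

```python
import struct

# STM32F4 GPIO register offsets within one port block (32-bit little-endian words).
GPIO_REGS = {0x00: "MODER", 0x04: "OTYPER", 0x08: "OSPEEDR", 0x0C: "PUPDR",
             0x10: "IDR", 0x14: "ODR", 0x18: "BSRR", 0x1C: "LCKR",
             0x20: "AFRL", 0x24: "AFRH"}


def diff_port_dumps(before: bytes, after: bytes, base: int):
    """Return (address, register, old, new, changed_bits) for every word that differs."""
    if len(before) != len(after) or len(before) % 4:
        raise ValueError("dumps must have equal length, a multiple of 4 bytes")
    count = len(before) // 4
    old_words = struct.unpack(f"<{count}I", before)
    new_words = struct.unpack(f"<{count}I", after)
    changes = []
    for idx, (old, new) in enumerate(zip(old_words, new_words)):
        delta = old ^ new  # a set bit marks a position that flipped between dumps
        if delta:
            offset = idx * 4
            bits = [b for b in range(32) if delta >> b & 1]
            changes.append((base + offset, GPIO_REGS.get(offset, "?"), old, new, bits))
    return changes


def constructed_dump(odr: int) -> bytes:
    """Constructed sample: 0x28-byte port block, pins 0-7 as outputs, IDR mirroring ODR."""
    words = [0x00005555, 0, 0, 0, odr, odr, 0, 0, 0, 0]
    return struct.pack("<10I", *words)


if __name__ == "__main__":
    base = 0x40020800  # assumption: the lab's 0x40020814 minus the ODR offset 0x14
    before = constructed_dump(0x0001)  # stands in for file1 (before stepping)
    after = constructed_dump(0x0002)   # stands in for file2 (after the LEDs change)
    for addr, reg, old, new, bits in diff_port_dumps(before, after, base):
        print(f"{addr:#010x} {reg:<6} {old:#06x} -> {new:#06x} changed bits {bits}")
```

A change reported in ODR is the value to confirm with mwh in step 10; a matching change in IDR only reflects the pin state being read back.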