
Assisted Discovery of On-Chip Debug Interfaces

Joe Grand (@joegrand)

Agenda

Introduction
Inspiration / Other Art
Traditional HW RE Techniques
On-Chip Debug Interfaces
Design Requirements
Hardware
Firmware
Examples / Demonstration
Limitations
Future Work

Introduction

- On-chip debug interfaces are a well-known attack vector
  - Can provide chip-level control of a target device
    - Extract program code or data
    - Modify memory contents
    - Affect device operation on-the-fly
    - Gain insight into system operation
- Inconvenient for vendor to remove functionality
  - Would prevent capability for legitimate personnel
  - Weak obfuscation instead (hidden or unmarked signals/connectors)
  - May be password protected (if supported by device)

Introduction 2

- Identifying OCD interfaces can sometimes be difficult and/or time consuming
- Goals
  - Create an easy-to-use tool to simplify the process
  - Attract non-HW folks to HW hacking

Inspiration

- Hunz's JTAG Finder
  - http://elinux.org/JTAG_Finder
- JTAGenum & RS232enum
  - http://deadhacker.com/tools/
- Cyber Fast Track
  - www.cft.usma.edu

Other Art

- An Open JTAG Debugger (GoodFET), Travis Goodspeed, DEFCON 17
  - http://defcon.org/html/links/dc-archives/dc-17archive.html#Goodspeed2
- Blackbox JTAG Reverse Engineering, Felix Domke, 26C3
  - http://events.ccc.de/congress/2009/Fahrplan/attachments/1435_JTAG.pdf

Other Art 2

- Forensic Imaging of Embedded Systems using JTAG, Marcel Breeuwsma (NFI), Digital Investigation Journal, March 2006
  - http://www.sciencedirect.com/science/article/pii/S174228760600003X

HW Reverse Engineering

- Information Gathering
  - Obtaining data about the target by any means
- Teardown
  - Product disassembly, component/subsystem ID
- Interfaces
  - Protocol monitoring/decoding/emulation
- Firmware
  - Extract/modify/reprogram code or data
- Chip-Level
  - Silicon die modification/data extraction

Identifying Interfaces: External

- Accessible to the outside world
  - Device programming or final system test
- Usually hidden or protected
  - Intended for engineers or manufacturers
  - Underneath batteries
  - Behind stickers/covers
- May be a proprietary/non-standard connector

Identifying Interfaces: Internal

- Test points or unpopulated pads
  - Silkscreen markings or notation
  - Easy-to-access locations

Identifying Interfaces: Internal 2

- Familiar target or based on common pinouts
  - Often single- or double-row footprint
  - JTAG: www.jtagtest.com/pinouts/
  - www.blackhat.com/html/bh-us-10/bh-us-10-archives.html#Jack
  - www.nostarch.com/xboxfree

Identifying Interfaces: Internal 3

- Can use PCB/design heuristics
  - Traces of similar function are grouped together (bus)
  - Test points usually placed on important/interesting signals
  - Array of pull-up/pull-down resistors (to set static state of pins)
  - http://elinux.org/images/d/d6/Jtag.pdf

Identifying Interfaces: Internal 4

- More difficult to locate when available only on component pads or tented vias
  - www.dd-wrt.com/wiki/index.php/JTAG_pinouts#Buffalo_WLA-G54C

Manually Determining Pin Function

- Identify test points/connector & target device
- Trace connections
  - Visually or w/ multimeter in continuity mode
  - Use data sheet to match pin number to function
  - For devices where pins aren't accessible (BGA), remove device or use X-ray
- Probe connections
  - Use oscilloscope or logic analyzer
  - Pull pins high or low, observe results, repeat
  - Logic state or number of pins can help to make educated guesses

Manually Determining Pin Function 2

- http://forum.xda-developers.com/wiki/WallabyJTAG

On-Chip Debug Interfaces

- JTAG
- UART

JTAG

- Industry-standard interface (IEEE 1149.1)
  - Created for chip- and system-level testing
  - http://en.wikipedia.org/wiki/Joint_Test_Action_Group
- Defines low-level functionality of finite state machine/Test Access Port (TAP)
- Provides a direct interface to hardware
  - Can "hijack" all pins on the device (Boundary scan/test)
  - Can access other devices connected to target chip
  - Programming/debug interface (access to Flash, RAM)
  - Vendor-defined functions/test modes might be available

JTAG 2

- Multiple devices can be "chained" together for communication to all via a single JTAG port
  - Even multiple dies within the same chip package
  - Different vendors may not play well together
- Development environments abstract low-level functionality from the user
  - Implementations are device- or family-specific
  - As long as we can locate the interface/pinout, let other tools do the rest

JTAG: Architecture

- Synchronous serial interface
  - TDI = Data In (to target device)
  - TDO = Data Out (from target device)
  - TMS = Test Mode Select
  - TCK = Test Clock
  - /TRST = Test Reset (optional for async reset)
- Test Access Port (TAP) w/ Shift Registers
  - Instruction (>= 2 bit wide)
  - Data
    - Bypass (1 bit)
    - Boundary Scan (variable)
    - Device ID (32 bit) (optional)

JTAG: Architecture 2

JTAG: TAP Controller

- State transitions occur on rising edge of TCK based on current state and value of TMS
- TAP provides 4 major operations: Reset, Run-Test, Scan DR, Scan IR
- Can move to Reset state from any other state w/ TMS high for 5x TCK
- 3 primary steps in Scan: Capture, Shift, Update
- Data held in "shadow" latch until Update state
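To make the state machine on this slide concrete, here is an added example (not code from the JTAGulator firmware or the slides): a Python model of the IEEE 1149.1 TAP controller. The transition table is the standard 16-state diagram; `tms_path` and `reset_from_anywhere` are assumed helper names, the first finding the TMS bit sequence between two states, the second checking the five-clock reset rule from every state.

```python
"""Model of the IEEE 1149.1 TAP controller (added example, not JTAGulator code)."""
from collections import deque

# For each state: (next state when TMS=0, next state when TMS=1).
# The transition is taken on the rising edge of TCK.
TAP = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}


def clock(state, tms):
    """One rising edge of TCK with TMS sampled at the given level (0 or 1)."""
    return TAP[state][tms]


def run(state, tms_bits):
    """Apply a sequence of TMS values, one per TCK, and return the final state."""
    for b in tms_bits:
        state = clock(state, b)
    return state


def reset_from_anywhere():
    """Check the slide's rule: TMS high for 5 TCKs reaches Test-Logic-Reset from any state."""
    return all(run(s, [1] * 5) == "Test-Logic-Reset" for s in TAP)


def tms_path(src, dst):
    """Shortest TMS sequence from src to dst (breadth-first search over the diagram).

    Example: from Test-Logic-Reset to Shift-DR the answer is [0, 1, 0, 0], which is
    exactly what an IDCODE scan clocks out after resetting the TAP.
    """
    seen = {src: []}
    queue = deque([src])
    while queue:
        s = queue.popleft()
        if s == dst:
            return seen[s]
        for tms in (0, 1):
            nxt = TAP[s][tms]
            if nxt not in seen:
                seen[nxt] = seen[s] + [tms]
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("5x TMS=1 resets from every state:", reset_from_anywhere())
    print("Reset -> Shift-DR:", tms_path("Test-Logic-Reset", "Shift-DR"))
    print("Reset -> Shift-IR:", tms_path("Test-Logic-Reset", "Shift-IR"))
```

The BFS makes the "Can move to Reset state from any other state" property testable rather than something to take on faith, and the same table is what a scanner's bit-banging routine walks when it sequences TMS to reach Shift-DR or Shift-IR.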

JTAG: Instructions

Name | Required? | Opcode | Description
BYPASS | Y | All 1s | Bypass on-chip system logic. Allows serial data to be transferred from TDI to TDO without affecting operation of the IC.
SAMPRE (SAMPLE/PRELOAD) | Y | Varies | Used for controlling (preload) or observing (sample) the signals at device pins. Enables the boundary scan register.
EXTEST | Y | All 0s | Places the IC in external boundary test mode. Used to test device interconnections. Enables the boundary scan register.
INTEST | N | Varies | Used for static testing of internal device logic in a single-step mode. Enables the boundary scan register.
RUNBIST | N | Varies | Places the IC in a self-test mode and selects a user-specified data register to be enabled.
CLAMP | N | Varies | Sets the IC outputs to logic levels as defined in the boundary scan register. Enables the bypass register.
HIGHZ | N | Varies | Sets all IC outputs to a disabled (high impedance) state. Enables the bypass register.
IDCODE | N | Varies | Enables the 32-bit device identification register. Does not affect operation of the IC.
USERCODE | N | Varies | Places user-defined information into the 32-bit device identification register. Does not affect operation of the IC.

JTAG: Protection

- Implementation specific
- Security fuse physically blown prior to release
  - Could be repaired w/ silicon die attack
- Password required to enable functionality
  - Ex.: Flash erased after n attempts (so perform n-1), then reset and continue
- May allow BYPASS, but prevent higher level functionality
  - Ex.: TI MSP430

JTAG: HW Tools

- RIFF Box
  - www.jtagbox.com
- H-JTAG
  - www.hjtag.com/en/
- Bus Blaster (open source)
  - http://dangerousprototypes.com/docs/Bus_Blaster
- Wiggler or compatible (parallel port)
  - ftp://www.keith-koep.com/pub/arm-tools/jtag/jtag05_sch.pdf

JTAG: SW Tools

- OpenOCD (Open On-Chip Debugger)
  - http://openocd.sourceforge.net
- UrJTAG (Universal JTAG Library)
  - www.urjtag.org

UART

- Universal Asynchronous Receiver/Transmitter
  - No external clock needed
  - Data bits sent LSB first (D0)
  - NRZ (Non-Return-To-Zero) coding
  - Transfer speed (bits/second) = 1 / bit width
  - http://en.wikipedia.org/wiki/Asynchronous_serial_communication
- Start bit + Data bits + Parity (optional) + Stop bit(s)

UART 2

- Asynchronous serial interface
  - TXD = Transmit data (to target device)
  - RXD = Receive data (from target device)
  - DTR, DSR, RTS, CTS, RI, DCD = Control signals (uncommon for modern implementations)
- Many embedded systems use UART as debug output/console

UART 3

[Figure: oscilloscope capture of a UART frame. Labels: Mark (Idle), Space, Bit width = ~8.7uS]
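As an added example (not code from the slides), the framing described on the three UART slides in Python: an encoder/decoder for 8N1 that treats the idle line as mark (1), sends data bits LSB first, and rejects a frame whose stop bit is not mark as a framing error. `bit_width_us` applies the "transfer speed = 1 / bit width" relation; 115200 baud gives the ~8.7 us bit width labelled in the capture. All function names are assumptions for illustration.

```python
"""8N1 UART framing, bit by bit (added example, not JTAGulator code)."""


def bit_width_us(baud):
    """Transfer speed = 1 / bit width, so bit width = 1 / baud, in microseconds."""
    return 1e6 / baud


def frame_byte(value, data_bits=8, stop_bits=1):
    """Line levels for one character: start bit (space = 0), data bits LSB
    first, then stop bit(s) (mark = 1). No parity bit, i.e. 8N1 by default."""
    bits = [0]
    bits += [(value >> i) & 1 for i in range(data_bits)]
    bits += [1] * stop_bits
    return bits


def encode(data, idle_bits=2):
    """Serialize bytes into a sampled line, one sample per bit, idle = mark."""
    line = [1] * idle_bits
    for b in data:
        line += frame_byte(b)
    return line + [1] * idle_bits


def decode(line, data_bits=8):
    """Recover bytes from a sampled line: wait for the mark-to-space transition
    (start bit), read data_bits LSB first, and require a mark stop bit.
    A stop bit that is not mark is a framing error, which is also what a
    receiver sees when it samples at the wrong baud rate."""
    out, i, n = [], 0, len(line)
    while i < n:
        if line[i] == 1:          # mark: still idle, keep waiting
            i += 1
            continue
        end = i + 1 + data_bits   # index of the stop bit
        if end >= n:              # frame cut off: stop looking
            break
        value = 0
        for k in range(data_bits):
            value |= line[i + 1 + k] << k   # D0 arrives first
        if line[end] != 1:
            raise ValueError("framing error at sample %d" % end)
        out.append(value)
        i = end + 1
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: the string a scanner might send down a candidate TXD pin.
    line = encode(b"JTAG")
    print("samples:", "".join(str(b) for b in line))
    print("decoded:", decode(line))
    print("bit width @ 115200 baud: %.2f us" % bit_width_us(115200))
```

Running it shows why a UART scan must try each baud rate in turn: the decoder only recovers the bytes when its sample period matches the sender's bit width, and a mismatch surfaces as a framing error rather than as clean data.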

Hardware

Design Requirements

- Open source/hackable/expandable
- Simple command-based interface
- Proper input protection
- Adjustable target voltage
- Off-the-shelf components
- Hand solderable (if desired)

Block Diagram

[Figure: block diagram. Blocks and parts shown:]
- Host PC <-> USB Mini-B <-> Serial-to-USB (FT232RL) <-> MCU (Parallax Propeller)
- EEPROM (24LC512), 2 lines (I2C) to the MCU
- Status Indicator (WP59EGW), driven by the MCU
- D/A (AD8655), 1 line (PWM) from the MCU; output 1.2V - 3.3V, ~13mV/step
- 24 channels from the MCU through three Voltage Level Translators (TXS0108EPWR) and Input Protection Circuitry to the Target Device
- USB 5V -> Power Switch (MIC2025-2YM) -> LDO 3.3V (LD1117S33TR)

Development

[Figure: PCB photo with callouts: Input protection, Target I/F (24 channels), Level translation, Propeller, Status, USB, Op-Amp/DAC]
- 2x5 headers compatible w/ Bus Pirate probes, http://dangerousprototypes.com/docs/Bus_Pirate

Assembly Drawing

[Figure: assembly drawing]

Schematic: Main

[Figure: schematic sheet "JTAGulator: Main". Recoverable content: USB Mini-B connector P1 (UX60-MB-5S8) to host, with ferrite bead L1 (220R@100MHz) on VUSB; U1 FT232RL USB-to-serial; U3 MIC2025-2YM power distribution switch (VUSB -> 5V0); U6 LD1117S33 LDO (5V0 -> 3V3); U2 Propeller P8X32A-Q44 with 5.0MHz crystal Y1, reset driven by DTR through Q1 (2N3904) and by push button SW1 (SPST), P[23...0] routed to the target interface sheet and TXSOE to the level translators; U4 24LC512-I/SN I2C EEPROM (PROPSDA/PROPSCL); U5 AD8655ARZ op-amp buffering the Propeller PWM output DACOUT to VADJ (0-3.3V @ 256 steps, ~13mV/step, ~150mA max. Iout); D1 WP59EGW red/green status LED (LEDR/LEDG). Drawing note: resistors are in ohms +/- 5% and capacitors are in microfarads unless otherwise noted; see BOM for actual voltage and specification.]

Schematic: Target Interface

[Figure: schematic sheet "JTAGulator: Target Interface". Recoverable content: three TXS0108EPWR level translators (U9, U12, U15) between Propeller P[23...0] (VCCB = 3V3) and channels CH0-CH23 (VCCA = VADJ); VCCA <= VCCB, VCCA range 1.2V to 3.6V, VCCB range 1.7V to 5.5V; OE driven by TXSOE with R10 (10k); 1K resistor arrays R11, R12, R13 on the channel lines; NUP4302MR6 diode arrays U7, U8, U10, U11, U13, U14 as diode limiters for input protection (Vf must be < 0.5V to prevent damage to level translators); target connectors P2-P6 (TE 282834-5 5-pin terminal blocks, CH0-CH23 plus VADJ and GND) and P7, P8, P9 (961210-6404-AR 2x5 headers, compatible w/ Bus Pirate 3.x probe/interface cable, with VADJ and GND). Same drawing note as the Main sheet.]

Propeller/Core

- Completely custom, ground up design
  - 8 independent cogs @ 20 MIPS each
  - Code in Spin, ASM, or C
- INFORMATION: www.parallax.com/propeller/
- DISCUSSION FORUMS: http://forums.parallax.com
- OBJECT EXCHANGE: http://obex.parallax.com

Propeller/Core 2

- Clock: DC to 128MHz (80MHz recommended)
- Global (hub) memory: 32KB RAM, 32KB ROM
- Cog memory: 2KB RAM each
- GPIO: 32 @ 40mA sink/source per pin
- Program code loaded from external EEPROM on power-up

Propeller/Core 3

Propeller/Core 4

- Standard development using Propeller Tool & Parallax Serial Terminal (Windows)
- Programmable via serial interface (usually in conjunction w/ USB-to-serial IC)

Propeller/Core 5

USB Interface

- Allows for Propeller programming & UI
- Powers JTAGulator from bus (5V)
- FT232RL USB-to-Serial UART
  - Entire USB protocol handled on-chip
  - Host will recognize as a virtual serial port (Windows, OS X, Linux)
- MIC2025 Power Distribution Switch
  - Internal current limiting, thermal shutdown
  - Let the FT232 enumerate first (@ < 100mA), then enable system load

USB Interface 2

Adjustable Target Voltage

- PWM from Propeller
  - Duty cycle corresponds to output voltage (VADJ)
  - Look-up table for values in 0.1V increments
- AD8655 Low Noise, Precision CMOS Amplifier
  - Single supply, rail-to-rail
  - 220mA output current (~150mA @ Vo = 1.2V-3.3V)
  - Voltage follower configuration to serve as DAC buffer

Level Translation

- Allows 3.3V signals from Propeller to be converted to VADJ (1.2V-3.3V)
- Prevents potential damage due to over-voltage on target device's unknown connections
- TXS0108E Bidirectional Voltage-Level Translator
  - Designed for both open drain and push-pull interfaces
  - Automatic signal direction detection
  - Internal pull-up resistors (40k when driving low, 4k when high)
  - High-Z outputs when OE low -> will not interfere with target when not in use

Level Translation 2

Input Protection

- Prevent high voltages/spikes on unknown pins from damaging JTAGulator
- Diode limiter clamps input if needed
  - Vf must be < 0.5V to protect TXS0108Es

Input Protection 2

- NUP4302MR6 Schottky Diode Array
  - Vf @ 1mA = 0.2V typ., 0.35V max.
  - Vf @ 10mA = 0.25V typ., 0.45V max.
  - Alternate: SD103ASDM

Bill-of-Materials

JTAGulator Bill-of-Materials, HW B, Document 1.0, April 19, 2013

Item | Quantity | Reference | Manufacturer | Manuf. Part # | Distributor | Distrib. Part # | Description
1 | 2 | C1, C2 | Kemet | C1206C103K5RACTU | Digi-Key | 399-1234-1-ND | Capacitor, 0.01uF ceramic, 10%, 50V, X7R, 1206
2 | 14 | C3, C6, C9, C11, C12, C13, C14, C15, C17, C18, C19, C20, C21, C22 | Kemet | C1206C104K5RACTU | Digi-Key | 399-1249-1-ND | Capacitor, 0.1uF ceramic, 10%, 50V, X7R, 1206
3 | 1 | C4 | Yageo | CC1206KRX7R9BB102 | Digi-Key | 311-1170-1-ND | Capacitor, 1000pF ceramic, 10%, 50V, X7R, 1206
4 | 1 | C5 | Yageo | CC1206KRX7R9BB471 | Digi-Key | 311-1167-1-ND | Capacitor, 470pF ceramic, 10%, 50V, X7R, 1206
5 | 1 | C7 | Kemet | T491A106M016AS | Digi-Key | 399-3687-1-ND | Capacitor, 10uF tantalum, 20%, 16V, size A
6 | 2 | C8, C10 | Kemet | T491A475K016AT | Digi-Key | 399-3697-1-ND | Capacitor, 4.7uF tantalum, 10%, 16V, size A
7 | 1 | D1 | Kingbright | WP59EGW | Digi-Key | 754-1232-ND | LED, Red/Green Bi-Color, T-1 3/4 (5mm)
8 | 1 | L1 | TDK | MPZ2012S221A | Digi-Key | 445-1568-1-ND | Inductor, Ferrite Bead, 220R@100MHz, 3A, 0805
9 | 1 | P1 | Hirose Electric | UX60-MB-5S8 | Digi-Key | H2960CT-ND | Connector, Mini-USB, 5-pin, SMT w/ PCB mount
10 | 5 | P2, P3, P4, P5, P6 | TE Connectivity | 282834-5 | Digi-Key | A98336-ND | Connector, Terminal Block, 5-pin, side entry, 0.1 P
11 | 3 | P7, P8, P9 | 3M | 961210-6404-AR | Digi-Key | 3M9460-ND | Header, Dual row, Vertical header, 2x5-pin, 0.1 P
12 | 1 | Q1 | Fairchild | MMBT3904 | Digi-Key | MMBT3904FSCT-ND | Transistor, NPN, 40V, 200mA, SOT23-3
13 | 5 | R1, R2, R3, R4, R10 | Any | Any | Digi-Key | P10KECT-ND | Resistor, 10k, 5%, 1/4W, 1206
14 | 1 | R5 | Any | Any | Digi-Key | P470ECT-ND | Resistor, 470 ohm, 5%, 1/4W, 1206
15 | 1 | R6 | Any | Any | Digi-Key | P270ECT-ND | Resistor, 270 ohm, 5%, 1/4W, 1206
16 | 1 | R7 | Any | Any | Digi-Key | P18.0KFCT-ND | Resistor, 18k, 1%, 1/4W, 1206
17 | 1 | R8 | Any | Any | Digi-Key | P8.20KFCT-ND | Resistor, 8.2k, 1%, 1/4W, 1206
18 | 1 | R9 | Any | Any | Digi-Key | P100KECT-ND | Resistor, 100k, 5%, 1/4W, 1206
19 | 3 | R11, R12, R13 | Bourns | 4816P-1-102LF | Digi-Key | 4816P-1-102LFCT-ND | Resistor, Array, 8 isolated, 1k, 2%, 1/6W, SOIC16
20 | 1 | SW1 | C&K | KSC201JLFS | Digi-Key | 401-1756-1-ND | Switch, SPST, Momentary, 120gf, 6.2 x 6.2mm, J-Lead
21 | 1 | U1 | FTDI | FT232RL-REEL | Digi-Key | 768-1007-1-ND | IC, USB-to-UART Bridge, SSOP28
22 | 1 | U2 | Parallax | P8X32A-Q44 | Digi-Key | P8X32A-Q44-ND | IC, Microcontroller, Propeller, LQFP44
23 | 1 | U3 | Micrel | MIC2025-2YM | Digi-Key | 576-1058-ND | IC, Power Distribution Switch, Single-channel, SOIC8
24 | 1 | U4 | Microchip | 24LC512-I/SN | Digi-Key | 24LC512-I/SN-ND | IC, Memory, Serial EEPROM, 64KB, SOIC8
25 | 1 | U5 | Analog Devices | AD8655ARZ | Digi-Key | AD8655ARZ-ND | IC, Op. Amp., CMOS, Rail-to-rail, 220mA Iout, SOIC8
26 | 1 | U6 | ST Microelectronics | LD1117S33CTR | Digi-Key | 497-1241-1-ND | IC, Voltage Regulator, LDO, 3.3V@800mA, SOT223
27 | 6 | U7, U8, U10, U11, U13, U14 | ON Semiconductor | NUP4302MR6T1G | Digi-Key | NUP4302MR6T1GOSCT-ND | IC, Schottky Diode Array, 4 channel, TSOP6
28 | 3 | U9, U12, U15 | Texas Instruments | TXS0108EPWR | Digi-Key | 296-23011-1-ND | IC, Level Translator, Bi-directional, TSSOP20
29 | 1 | Y1 | ECS | ECS-50-18-4XEN | Digi-Key | XC1738-ND | Crystal, 5.0MHz, 18pF, HC49/US
30 | 1 | PCB | Any | JTAG B | N/A | N/A | PCB, Fabrication

- All components from Digi-Key
- Total cost per unit = $50.73

Firmware

Source Tree

Cogs

- Spin Interpreter (Cog 0)
- Parallax Serial Terminal (ser)
- Real Random (rr)
- JDCogSerial (uart)

Propeller Resources

General Commands

- Set target system voltage (V) (1.2V-3.3V)
- Read all channels (R)
- Write all channels (W)
- Print available commands (H)

JTAG Commands

- Identify JTAG pinout via IDCODE scan (I)
- Identify JTAG pinout via BYPASS scan (B)
- Get Device IDs (D) (w/ known pinout)
- Test BYPASS (T) (w/ known pinout)

IDCODE Scan

- 32-bit Device ID (if available) is in the DR on TAP reset or IC power-up
  - Otherwise, TAP will reset to BYPASS (LSB = 0)
  - Can simply enter Shift-DR state and clock out on TDO
  - TDI not required/used during IDCODE acquisition

[Figure: 32-bit Device ID register layout; LSB is shifted out first]

IDCODE Scan 2

- Device ID values vary with part/family/vendor
  - Locate in data sheets, BSDL files, reference code, etc.
- Manufacturer ID provided by JEDEC
  - Each manufacturer assigned a unique identifier
  - http://www.jedec.org/standards-documents/results/jep106
  - Can use to help validate that proper IDCODE was retrieved

IDCODE Scan 3

- Ask user for number of channels to use
- For every possible pin permutation (except TDI)
  - Set unused channels to output high (in case of any active low reset pins)
  - Configure JTAG pins to use on the Propeller
  - Reset the TAP
  - Try to get the Device ID by reading the DR
  - If Device ID is 0xFFFFFFFF or if bit 0 != 1, ignore
  - Otherwise, display potentially valid JTAG pinout
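Added example in Python (not the JTAGulator firmware) covering the last three slides: assembling a Device ID from the bits as they appear on TDO (LSB first), applying the scan's two rejection rules (all ones, or bit 0 not set), and splitting the register into the fields IEEE 1149.1 defines (version[31:28], part number[27:12], manufacturer identity[11:1], fixed 1 in bit 0). The manufacturer field carries the JEDEC JEP106 code: bits 11:8 give the number of 0x7F continuation bytes (bank minus one) and bits 7:1 the 7-bit code without its parity bit, which is what lets the retrieved ID be cross-checked against JEP106. The sample IDs are the ones quoted in the examples later in this deck; the function names are assumptions.

```python
"""Device ID (IDCODE) assembly, validation and decoding (added example)."""


def idcode_from_tdo(bits):
    """Assemble the 32-bit register from bits in the order they appear on TDO.

    The TAP shifts the DR out least-significant bit first, so bits[0] is bit 0
    (the fixed 1 of a real IDCODE, or the 0 of a BYPASS register)."""
    value = 0
    for i, b in enumerate(bits[:32]):
        value |= (b & 1) << i
    return value


def is_plausible_idcode(idcode):
    """The scan's filter: 0xFFFFFFFF means TDO never pulled low (no device, or a
    floating/pulled-up line); a clear bit 0 means the DR was BYPASS, not an ID."""
    return idcode != 0xFFFFFFFF and (idcode & 1) == 1


def decode_idcode(idcode):
    """Split a plausible IDCODE into its IEEE 1149.1 fields plus the JEP106 split
    of the manufacturer identity (bank = continuation count + 1, 7-bit code)."""
    if not is_plausible_idcode(idcode):
        raise ValueError("not a valid IDCODE: 0x%08X" % idcode)
    mfg = (idcode >> 1) & 0x7FF
    return {
        "version": (idcode >> 28) & 0xF,
        "part_number": (idcode >> 12) & 0xFFFF,
        "manufacturer": mfg,
        "jedec_bank": (mfg >> 7) + 1,
        "jedec_code": mfg & 0x7F,
    }


def fields_as_bits(idcode):
    """Render the same split as the slide tables, MSB first."""
    b = format(idcode, "032b")
    return {
        "version": b[0:4],
        "part_number": b[4:20],
        "manufacturer": b[20:31],
        "fixed": b[31],
    }


if __name__ == "__main__":
    # IDs quoted later in the deck, plus the two values the scan must ignore.
    for sample in (0x0471017F, 0x01C0601D, 0x6003C0E1, 0xFFFFFFFF, 0x0471017E):
        if is_plausible_idcode(sample):
            print("0x%08X ->" % sample, decode_idcode(sample))
        else:
            print("0x%08X -> ignored" % sample)
    # Simulated TDO stream for the BCM4702 ID, LSB first, reassembled:
    stream = [(0x0471017F >> i) & 1 for i in range(32)]
    print("from TDO:", hex(idcode_from_tdo(stream)))
```

Decoding 0x0471017F gives manufacturer 0xBF in bank 2 with code 0x3F, and 0x01C0601D gives 0x0E in bank 1, matching the manufacturer fields in the tables that follow; looking those bank/code pairs up in JEP106 is the validation step the slide suggests.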

BYPASS Scan

- In BYPASS, data shifted into TDI is received on TDO delayed by one clock cycle

BYPASS Scan 2

- Can determine how many devices (if any) are in the chain via "blind interrogation"
  - Force device(s) into BYPASS (IR of all 1s)
  - Send 1s to fill DRs
  - Send a 0 and count until it is output on TDO

BYPASS Scan 3

- Ask user for number of channels to use
- For every possible pin permutation
  - Set unused channels to output high (in case of any active low reset pins)
  - Configure JTAG pins to use on the Propeller
  - Reset the TAP
  - Perform blind interrogation
  - If number of detected devices > 0, display potentially valid JTAG pinout
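Added example, not from the JTAGulator firmware, for the three BYPASS slides: the blind interrogation run against a constructed chain of simulated TAPs. The model keeps only what the procedure depends on: each device has an instruction register of its own length that selects the 1-bit bypass register once it holds all ones (the opcode IEEE 1149.1 reserves for BYPASS) and the 32-bit ID register otherwise. TAP state sequencing is left out, so `shift_ir` and `shift_dr` stand in for one TCK in the Shift-IR and Shift-DR states, and the Update step is treated as immediate. All class and function names are assumptions.

```python
"""Blind interrogation of a JTAG chain in BYPASS (added example, not JTAGulator code)."""

MAX_IR_BITS = 64      # enough 1s to fill every IR, whatever its length
MAX_DEVICES = 32      # longest chain the interrogation will count


class Device:
    """One simulated TAP: IR of ir_len bits, 32-bit ID register, 1-bit bypass."""

    def __init__(self, ir_len, idcode):
        self.ir_len = ir_len
        self.ir = 0             # after reset: modelled as the IDCODE instruction
        self.dr = idcode        # ID register, shifted out LSB first
        self.bypass = 0

    @property
    def in_bypass(self):
        return self.ir == (1 << self.ir_len) - 1

    def shift_ir_bit(self, tdi):
        """One TCK in Shift-IR: bit enters at the MSB end, LSB falls out toward TDO."""
        tdo = self.ir & 1
        self.ir = (self.ir >> 1) | (tdi << (self.ir_len - 1))
        return tdo

    def shift_dr_bit(self, tdi):
        """One TCK in Shift-DR through whichever register the IR selects."""
        if self.in_bypass:
            tdo, self.bypass = self.bypass, tdi   # the one-clock delay
            return tdo
        tdo = self.dr & 1
        self.dr = (self.dr >> 1) | (tdi << 31)
        return tdo


class Chain:
    """Devices in TDI-to-TDO order; an empty list models TDI wired to TDO."""

    def __init__(self, devices):
        self.devices = list(devices)

    def shift_ir(self, tdi):
        bit = tdi
        for d in self.devices:
            bit = d.shift_ir_bit(bit)
        return bit                      # what the scanner samples on TDO

    def shift_dr(self, tdi):
        bit = tdi
        for d in self.devices:
            bit = d.shift_dr_bit(bit)
        return bit


def blind_interrogation(chain, max_ir_bits=MAX_IR_BITS, max_devices=MAX_DEVICES):
    """Return the number of devices in the chain, 0 if the probe found none."""
    for _ in range(max_ir_bits):        # 1. force every device into BYPASS (IR all 1s)
        chain.shift_ir(1)
    for _ in range(max_devices):        # 2. fill all the bypass registers with 1s
        chain.shift_dr(1)
    chain.shift_dr(0)                   # 3. send a single 0 ...
    for n in range(1, max_devices + 1): # ... and count clocks until it reaches TDO
        if chain.shift_dr(1) == 0:
            return n
    return 0                            # the 0 never surfaced: nothing on this pinout


def bypass_echo(chain, pattern):
    """With the chain in BYPASS, TDO returns the TDI pattern delayed by one clock
    per device (the behaviour the first BYPASS slide describes)."""
    return [chain.shift_dr(b) for b in pattern]


if __name__ == "__main__":
    # Constructed chain: three TAPs with different IR lengths.
    chain = Chain([Device(4, 0x0471017F), Device(5, 0x01C0601D), Device(8, 0x6003C0E1)])
    print("devices found:", blind_interrogation(chain))
    print("empty chain:", blind_interrogation(Chain([])))
    single = Chain([Device(4, 0x0471017F)])
    blind_interrogation(single)
    print("echo of 01101 through one device:", bypass_echo(single, [0, 1, 1, 0, 1]))
```

Step 1 is what makes the count independent of IR length: shifting more 1s than the longest IR in the chain leaves every device in BYPASS regardless of how wide its IR is, which is the reason the scan timing slides quote so many bits per BYPASS permutation.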

JTAG: Examples

DEFCON 17 Badge

- Freescale MC56F8006 Digital Signal Controller
  - ID = 0x01C0601D
  - www.bsdl.info/details.htm?sid=e82c74686c7522e888ca59b002289d77

Field (MSB to LSB) | Bits | Value
Ver. | 31...28 | 0000
Design Center | 27...22 | 000111
Core Number | 21...17 | 00000 (DSP56300)
Chip Derivative | 16...12 | 00110
Manufacturer ID | 11...1 | 00000001110 (0x0E)
Fixed | 0 | 1

Linksys WRT54G v1.1

- Broadcom BCM4702 (also contains BCM4306)
  - ID = 0x0471017F
  - https://github.com/notch/tjtag/blob/master/tjtag.c

Field (MSB to LSB) | Bits | Value
Ver. | 31...28 | 0000
Part Number | 27...12 | 0100011100010000 (BCM4702 rev. 1)
Manufacturer ID | 11...1 | 00010111111 (0xBF)
Fixed | 0 | 1

- www.jtagtest.com/pinouts/wrt54

D-Link DWL-900AP+

- Samsung S3C4510B01-QER0 CPU (ARM7TDMI)
  - ID = 0x1F0F0F0F
  - http://pdf1.alldatasheet.com/datasheet-pdf/view/37744/SAMSUNG/S3C4510B.html (Appendix A)
- www.jtagtest.com/pinouts/arm14

D-Link DWL-900AP+ 2

- Lattice ispMACH iM4A3-32 CPLD (TQFP-48)
  - ID = 0x17437157
  - www.latticesemi.com/lit/docs/bsdl/mach4a3/m4a032t8l_isc.bsm

Samsung SCH-i910

- Marvell PXA312 (Intel XScale/ARM5)
  - ID = 0x2E649013
  - http://docs.toradex.com/100197-colibri-arm-sompxa3xx-dm-vol-1.pdf (Table 9)
- TCK = 5 (Blue), TMS = 4 (Pink), TDI = 3 (Grey), TDO = 6 (Orange), GND = 8 (Black)
- JTAG disabled when external power supplied or phone is "on" via battery

BlackBerry 7250

- Qualcomm MSM6500 chipset (ARM926EJ-S)
  - ID = 0x6003C0E1
  - VCC = 2.6V

Field (MSB to LSB) | Bits | Value
Ver. | 31...28 | 0110
Part Number | 27...12 | 0000000000111100
Manufacturer ID | 11...1 | 00001110000 (0x70)
Fixed | 0 | 1

BlackBerry 7290

- AD6529 "Hermes" DSP (ARM7TDMI)
- AD6521 "Pegasus" Analog Baseband
  - IDs = 0x027831CB and 0x027B51CB
  - Unknown which ID is for which device
  - TDO1 = Only one device
  - TDO2 = Both devices in the chain

Field (MSB to LSB) | Bits | 0x027831CB | 0x027B51CB
Ver. | 31...28 | 0000 | 0000
Core ID Capability | 27 | 0 (ARM) | 0 (ARM)
Family | 26...24 | 010 (Reserved) | 010 (Reserved)
Core | 23...20 | 0111 (ARM7) | 0111 (ARM7)
Device Number | 19...12 | 10000011 | 01010001
Manufacturer ID | 11...1 | 00011100101 (0xE5) | 00011100101 (0xE5)
Fixed | 0 | 1 | 1

- http://infocenter.arm.com/help/topic/com.arm.doc.dai0099c/DAI0099C_core_type_rev_id.pdf

BlackBerry 7290 2

UART Commands

- Identify UART pinout (U)
- UART pass through (P) (w/ known pinout)

UART Scan

- Ask user for desired output string (up to 16 bytes)
- Ask user for number of channels to use
- For every possible pin permutation
  - Configure UART pins to use on the Propeller
  - Set baud rate
  - Send user string
  - Wait to receive data (20ms maximum per byte)
  - If any bytes received, display potentially valid UART pinout and data (up to 16 bytes)

UART Scan 2

- 8 data bits, no parity, 1 stop bit (8N1)
- Baud rates stored in look-up table
  - 75, 110, 150, 300, 900, 1200, 1800, 2400, 3600, 4800, 7200, 9600, 14400, 19200, 28800, 31250, 38400, 57600, 76800, 115200, 153600, 230400, 250000, 307200

UART Scan 3

UART: Examples

Linksys WRT54G v2 rXH (w/ DD-WRT)

- Broadcom BCM4712
  - ID = 0x1471217F
  - https://github.com/notch/tjtag/blob/master/tjtag.c
  - UART: JP1 (TXD = 4, RXD = 6) @ 115200, 8N1
- www.jtagtest.com/pinouts/wrt54

Scan Timing

- IDCODE
  - TDI ignored since we're only shifting data out of DR
  - ~264 permutations/second
- BYPASS
  - Many bits/permutation needed to account for multiple devices in chain and varying IR lengths
  - ~13.37 permutations/second

# of Channels | IDCODE Permutations | IDCODE (mm:ss) | BYPASS Permutations | BYPASS (mm:ss)
4 | 24 | < 00:01 | 24 | 00:02
8 | 336 | 00:02 | 1680 | 02:05
16 | 3360 | 00:13 | 43680 | 54:27
24 | 12144 | 00:46 | 255024 | 317:54

Scan Timing 2

- UART
  - Only need to locate two pins (TXD/RXD)
  - 24 baud rates/permutation
  - ~1 permutation/second

# of Channels | UART Permutations | Time (mm:ss)
4 | 12 | 00:12
8 | 56 | 00:57
16 | 240 | 4:04
24 | 552 | 9:22
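Added example in Python (not JTAGulator code) for the two scan timing slides: enumerating the ordered pin assignments each scan walks and reproducing the time estimates from the quoted rates. IDCODE assigns 3 of the n channels (TCK, TMS, TDO; TDI is unused), BYPASS assigns 4 (TCK, TMS, TDI, TDO) and UART assigns 2 (TXD, RXD), so each count is n!/(n-k)!. The rates are the slides' (~264 IDCODE and ~13.37 BYPASS permutations per second, ~1 UART permutation per second across the 24-entry baud table); because the UART rate is only approximate, the UART estimates land a few seconds away from the table above. Function names are assumptions.

```python
"""Pin-permutation counts and scan-time estimates (added example, not JTAGulator code)."""
from itertools import permutations

# Which signals each scan has to place on the target channels.
SIGNALS = {
    "IDCODE": ("TCK", "TMS", "TDO"),          # TDI is not driven during IDCODE
    "BYPASS": ("TCK", "TMS", "TDI", "TDO"),
    "UART": ("TXD", "RXD"),
}

# Permutations per second quoted on the slides (UART: ~1, all 24 baud rates per permutation).
RATE_PER_SECOND = {"IDCODE": 264.0, "BYPASS": 13.37, "UART": 1.0}


def pin_assignments(scan, channels):
    """Every ordered assignment of distinct channels to the scan's signals,
    e.g. {'TCK': 0, 'TMS': 2, 'TDO': 1}. This is the loop the scan walks."""
    names = SIGNALS[scan]
    return [dict(zip(names, combo)) for combo in permutations(range(channels), len(names))]


def permutation_count(scan, channels):
    """n!/(n-k)! for k signals over n channels, without building the list."""
    count = 1
    for i in range(len(SIGNALS[scan])):
        count *= channels - i
    return count


def estimate(scan, channels):
    """Worst-case scan time as mm:ss (all permutations tried, whole seconds)."""
    seconds = int(permutation_count(scan, channels) / RATE_PER_SECOND[scan])
    return "%02d:%02d" % divmod(seconds, 60)


def timing_table(channel_counts=(4, 8, 16, 24)):
    """{channels: {scan: (permutations, mm:ss)}} for the channel counts on the slides."""
    return {n: {s: (permutation_count(s, n), estimate(s, n)) for s in SIGNALS}
            for n in channel_counts}


if __name__ == "__main__":
    for n, row in timing_table().items():
        print(n, "channels:", ", ".join("%s %d (%s)" % (s, c, t) for s, (c, t) in row.items()))
    print("first IDCODE assignments on 4 channels:", pin_assignments("IDCODE", 4)[:3])
```

The gap between 12144 IDCODE permutations and 255024 BYPASS permutations on 24 channels is the fourth signal: adding TDI multiplies the search by 21, and at ~13.37 permutations per second that is the difference between under a minute and over five hours, which is why IDCODE is the scan to try first.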

Demonstration

Possible Limitations

- Could cause target to behave abnormally due to "fuzzing" unknown pins
- OCD interface isn't being properly enabled
  - Password protected
  - System expects defined reset sequence or pin setting
- OCD interface is physically disconnected
  - Non-standard configuration
  - Cut traces, missing jumpers/0 ohm resistors
- No OCD interface exists
- Additional reverse engineering will be necessary to determine the problem or discover pinout

Future Work

- Add support for other interfaces
  - TI Spy-Bi-Wire, ARM Serial Wire Debug, Microchip ICSP, Atmel AVR ISP

Other Uses

- Propeller development board
- Logic analyzer
- Inter-chip communication/probing ala Bus Pirate or GoodFET
- ???

Get It

- www.jtagulator.com
  - Schematics, source code, BOM, block diagram, Gerber plots, photos, other engineering documentation
- www.parallax.com
  - Assembled units, bare boards, accessories

A Poem

The End.
