Jtagulator Slides
Agenda
Introduction
Inspiration / Other Art
Traditional HW RE Techniques
On-Chip Debug Interfaces
Design Requirements
Hardware
Firmware
Examples / Demonstration
Limitations
Future Work
Introduction
Introduction 2
Goals
Inspiration
http://elinux.org/JTAG_Finder
http://deadhacker.com/tools/
www.cft.usma.edu
Other Art
http://defcon.org/html/links/dc-archives/dc-17archive.html#Goodspeed2
http://events.ccc.de/congress/2009/Fahrplan/attachments/1435_JTAG.pdf
Other Art 2
http://www.sciencedirect.com/science/article/pii/S174228760600003X
HW Reverse Engineering
Information Gathering
Teardown
Interfaces
Protocol monitoring/decoding/emulation
Firmware
Chip-Level
Underneath batteries
Behind stickers/covers
www.blackhat.com/html/bh-us-10/bh-us-10-archives.html#Jack
www.nostarch.com/xboxfree
http://elinux.org/images/d/d6/Jtag.pdf
*** www.dd-wrt.com/wiki/index.php/JTAG_pinouts#Buffalo_WLA-G54C
Probe connections
http://forum.xda-developers.com/wiki/WallabyJTAG
JTAG
UART
JTAG
http://en.wikipedia.org/wiki/Joint_Test_Action_Group
JTAG 2
JTAG: Architecture
Bypass (1 bit)
Boundary Scan (variable)
Device ID (32 bit) (optional)
JTAG: Architecture 2
JTAG: Instructions
Name     | Required? | Opcode | Description
BYPASS   | Y         | All 1s | Bypass on-chip system logic. Allows serial data to be transferred
SAMPRE   | Y         | Varies | Used for controlling (preload) or observing (sample) the signals at
EXTEST   | Y         | All 0s | Places the IC in external boundary test mode. Used to test device
INTEST   | N         | Varies | Used for static testing of internal device logic in a single-step
RUNBIST  | N         | Varies | Places the IC in a self-test mode and selects a user-specified data register to be enabled.
CLAMP    | N         | Varies | Sets the IC outputs to logic levels as defined in the boundary scan
HIGHZ    | N         | Varies | Sets all IC outputs to a disabled (high impedance) state. Enables
IDCODE   | N         | Varies | Enables the 32-bit device identification register. Does not affect
USERCODE | N         | Varies | Places user-defined information into the 32-bit device
JTAG: Protection
Implementation specific
Security fuse physically blown prior to release
Ex.: TI MSP430
JTAG: HW Tools
RIFF Box: www.jtagbox.com
H-JTAG: www.hjtag.com/en/
http://dangerousprototypes.com/docs/Bus_Blaster
ftp://www.keith-koep.com/pub/arm-tools/jtag/jtag05_sch.pdf
JTAG: SW Tools
http://openocd.sourceforge.net
www.urjtag.org
UART
UART 2
UART 3
Scope capture of one UART character: Mark (Idle) and Space levels; bit width = ~8.7uS
Hardware
Design Requirements
Open source/hackable/expandable
Simple command-based interface
Proper input protection
Adjustable target voltage
Off-the-shelf components
Hand solderable (if desired)
Block Diagram
Host PC <-> USB Mini-B <-> Serial-to-USB (FT232RL) <-> MCU (Parallax Propeller)
MCU <-> EEPROM (24LC512): 2 lines (I2C)
MCU -> Status Indicator (WP59EGW)
MCU -> D/A (AD8655): 1 line (PWM); output 1.2V - 3.3V, ~13mV/step
MCU -> Voltage Level Translators (3x TXS0108EPWR): 24 lines
Voltage Level Translators -> Input Protection Circuitry -> Target Device
Power: USB 5V -> Power Switch (MIC2025-2YM) -> LDO (LD1117S33TR) 3.3V
Development
PCB
Input protection
Level translation
Propeller
*** 2x5 headers compatible w/ Bus Pirate probes, http://dangerousprototypes.com/docs/Bus_Pirate
Status
USB
Op-Amp/DAC
Assembly Drawing
Schematic: Main
Schematic sheet 1 (JTAGulator: Main): P1 USB Mini-B (UX60-MB-5S8) with L1 220R@100MHz; U1 FT232RL serial-to-USB (USBDM/USBDP, TXD/RXD to PROPRX/PROPTX); U3 MIC2025-2YM power switch (VUSB in, 5V0 out); U6 LD1117S33 LDO (5V0 in, 3V3 out); U2 PROPELLER (P8X32A-Q44) with Y1 5.0MHz crystal, Q1 2N3904 and SW1 SPST; U4 24LC512-I/SN EEPROM on PROPSDA/PROPSCL with R3, R4 10k; U5 AD8655ARZ op-amp on DACOUT (R7 18k, R8 8.2k, R9 100k, C4 1000pF, C5 470pF) producing VADJ; D1 WP59EGW red/green LED (LEDR/LEDG) via R5 470 and R6 270; TXSOE and P[23...0] go to the level-translation sheet; decoupling C7 10uF, C8/C10 4.7uF, others 0.1uF and 0.01uF.
NOTE: RESISTORS ARE IN OHMS +/- 5% AND CAPACITORS ARE IN MICROFARADS UNLESS OTHERWISE NOTED. SEE BOM FOR ACTUAL VOLTAGE AND SPECIFICATION.
Schematic sheet 2 (level translation, input protection, target headers): U9, U12, U15 TXS0108EPWR level translators (VCCA 3V3 side carries P[23...0] from the Propeller, VCCB VADJ side faces the target, OE driven by TXSOE with R10 10k); U7, U8, U10, U11, U13, U14 NUP4302MR6 protection arrays powered from VADJ; R11, R12, R13 1K resistor arrays in series with the channel lines; P7, P8, P9 2x5 headers (961210-6404-AR) carrying CH0-CH7, CH8-CH15 and CH16-CH23 plus VADJ and GND (wire colors Red, Yellow, Blue, Grey, Black, Brown, Orange (VADJ), Green, Purple, White); P2-P6 5-pin headers (TE 282834-5) carrying CH0-CH23 and GND; C17-C22 0.1uF decoupling on 3V3 and VADJ. Same resistor/capacitor note as sheet 1.
Propeller/Core
Propeller/Core 2
Propeller/Core 3
Propeller/Core 4
Propeller/Core 5
USB Interface
USB Interface 2
Level Translation
Level Translation 2
Input Protection
Input Protection 2
Bill-of-Materials
JTAGulator
Bill-of-Materials
HW B, Document 1.0, April 19, 2013
Item | Quantity | Reference | Manufacturer | Manuf. Part # | Distributor | Distrib. Part # | Description
1  | 2  | C1, C2 | Kemet | C1206C103K5RACTU | Digi-Key | 399-1234-1-ND | Capacitor, 0.01uF ceramic, 10%, 50V, X7R, 1206
2  | 14 | C3, C6, C9, C11, C12, C13, C14, C15, C17, C18, C19, C20, C21, C22 | Kemet | C1206C104K5RACTU | Digi-Key | 399-1249-1-ND |
3  | 1  | C4 | Yageo | CC1206KRX7R9BB102 | Digi-Key | 311-1170-1-ND |
4  | 1  | C5 | Yageo | CC1206KRX7R9BB471 | Digi-Key | 311-1167-1-ND |
5  | 1  | C7 | Kemet | T491A106M016AS | Digi-Key | 399-3687-1-ND |
6  | 2  | C8, C10 | Kemet | T491A475K016AT | Digi-Key | 399-3697-1-ND |
7  | 1  | D1 | Kingbright | WP59EGW | Digi-Key | 754-1232-ND |
8  | 1  | L1 | TDK | MPZ2012S221A | Digi-Key | 445-1568-1-ND |
9  | 1  | P1 | Hirose Electric | UX60-MB-5S8 | Digi-Key | H2960CT-ND |
10 | 5  | P2, P3, P4, P5, P6 | TE Connectivity | 282834-5 | Digi-Key | A98336-ND |
11 | 3  | P7, P8, P9 | 3M | 961210-6404-AR | Digi-Key | 3M9460-ND |
12 | 1  | Q1 | Fairchild | MMBT3904 | Digi-Key | MMBT3904FSCT-ND |
13 | 5  | R1, R2, R3, R4, R10 | Any | Any | Digi-Key | P10KECT-ND |
14 | 1  | R5 | Any | Any | Digi-Key | P470ECT-ND |
15 | 1  | R6 | Any | Any | Digi-Key | P270ECT-ND |
16 | 1  | R7 | Any | Any | Digi-Key | P18.0KFCT-ND |
17 | 1  | R8 | Any | Any | Digi-Key | P8.20KFCT-ND |
18 | 1  | R9 | Any | Any | Digi-Key | P100KECT-ND |
19 | 3  | R11, R12, R13 | Bourns | 4816P-1-102LF | Digi-Key | 4816P-1-102LFCT-ND |
20 | 1  | SW1 | C&K | KSC201JLFS | Digi-Key | 401-1756-1-ND |
21 | 1  | U1 | FTDI | FT232RL-REEL | Digi-Key | 768-1007-1-ND |
22 | 1  | U2 | Parallax | P8X32A-Q44 | Digi-Key | P8X32A-Q44-ND |
23 | 1  | U3 | Micrel | MIC2025-2YM | Digi-Key | 576-1058-ND |
24 | 1  | U4 | Microchip | 24LC512-I/SN | Digi-Key | 24LC512-I/SN-ND |
25 | 1  | U5 | Analog Devices | AD8655ARZ | Digi-Key | AD8655ARZ-ND |
26 | 1  | U6 | ST Microelectronics | LD1117S33CTR | Digi-Key | 497-1241-1-ND |
27 | 6  | U7, U8, U10, U11, U13, U14 | ON Semiconductor | NUP4302MR6T1G | Digi-Key | NUP4302MR6T1GOSCT-ND |
28 | 3  | U9, U12, U15 | Texas Instruments | TXS0108EPWR | Digi-Key | 296-23011-1-ND |
29 | 1  | Y1 | ECS | ECS-50-18-4XEN | Digi-Key | XC1738-ND |
30 | 1  | PCB | Any | JTAG B | N/A | N/A |
Firmware
Source Tree
Cogs
Propeller Resources
General Commands
JTAG Commands
IDCODE Scan
IDCODE Scan 2
http://www.jedec.org/standards-documents/results/jep106
IDCODE Scan 3
BYPASS Scan
BYPASS Scan 2
BYPASS Scan 3
JTAG: Examples
DEFCON 17 Badge
ID = 0x01C0601D
www.bsdl.info/details.htm?sid=e82c74686c7522e888ca59b002289d77
Bits (MSB to LSB): 31...28 | 27...22 | 21...17          | 16...12 | 11...1             | 0
Value:             0000    | 000111  | 00000 (DSP56300) | 00110   | 00000001110 (0x0E) | 1
ID = 0x0471017F
https://github.com/notch/tjtag/blob/master/tjtag.c
Field: Ver.    | Part Number      | Manufacturer ID    | Fixed
Bits:  31...28 | 27...12          | 11...1             | 0
Value: 0000    | 0100011100010000 | 00010111111 (0xBF) | 1
*** www.jtagtest.com/pinouts/wrt54
D-Link DWL-900AP+
ID = 0x1F0F0F0F
http://pdf1.alldatasheet.com/datasheet-pdf/view/37744/SAMSUNG/S3C4510B.html (Appendix A)
*** www.jtagtest.com/pinouts/arm14
D-Link DWL-900AP+ 2
ID = 0x17437157
www.latticesemi.com/lit/docs/bsdl/mach4a3/m4a032t8l_isc.bsm
Samsung SCH-i910
ID = 0x2E649013
http://docs.toradex.com/100197-colibri-arm-sompxa3xx-dm-vol-1.pdf (Table 9)
BlackBerry 7250
ID = 0x6003C0E1
VCC = 2.6V
Field: Ver.    | Part Number      | Manufacturer ID    | Fixed
Bits:  31...28 | 27...12          | 11...1             | 0
Value: 0110    | 0000000000111100 | 00001110000 (0x70) | 1
BlackBerry 7290 (two devices in the chain)
Bits:     31...28 | 27      | 26...24 | 23...20 | 19...12  | 11...1             | 0
Device 1: 0000    | 0 (ARM) |         |         | 10000011 | 00011100101 (0xE5) | 1
Device 2: 0000    | 0 (ARM) |         |         | 01010001 | 00011100101 (0xE5) | 1
*** http://infocenter.arm.com/help/topic/com.arm.doc.dai0099c/DAI0099C_core_type_rev_id.pdf
BlackBerry 7290 2
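The bit fields in the ID tables above, worked as an added example (not code from the JTAGulator slides or its firmware): decode an IDCODE into its version, part number and JEDEC manufacturer fields, and walk a captured LSB-first TDO stream to list every device on the chain, treating a leading 0 as a BYPASS-only device and an all-ones word as the end of the chain. The capture format (a list of 0/1 ints, nearest-TDO device first) and the sample chain are constructed here, not taken from the slides.

```python
# Added example, not from the JTAGulator slides or firmware: decode an IEEE 1149.1
# IDCODE into the fields tabulated above and split a post-reset TDO capture into devices.

def is_valid_idcode(idcode):
    """All-zeros/all-ones mean a floating or stuck line. A real IDCODE always has
    bit 0 set; a device without one defaults to BYPASS and shifts out a single 0."""
    return idcode not in (0x00000000, 0xFFFFFFFF) and (idcode & 1) == 1

def decode_idcode(idcode):
    """31..28 version, 27..12 part number, 11..1 JEDEC manufacturer identity
    (11..8 = JEP106 continuation-byte count, 7..1 = 7-bit code), bit 0 fixed 1."""
    if not is_valid_idcode(idcode):
        raise ValueError("not an IDCODE: %#010x" % idcode)
    manuf = (idcode >> 1) & 0x7FF
    return {
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        "manufacturer": manuf,
        "jep106_bank": ((manuf >> 7) & 0xF) + 1,  # JEP106 banks are 1-based
        "jep106_code": manuf & 0x7F,
    }

def idcode_to_bits(idcode):
    """Constructed sample input: serialise an IDCODE as TDO emits it, LSB first."""
    return [(idcode >> k) & 1 for k in range(32)]

def parse_tdo_capture(bits, max_devices=8):
    """One entry per device, nearest TDO first: the 32-bit IDCODE, or None for a
    BYPASS-only device. An all-ones word means the chain ended and TDI reads high."""
    devices, i = [], 0
    while i < len(bits) and len(devices) < max_devices:
        if bits[i] == 0:
            devices.append(None)
            i += 1
            continue
        word = bits[i:i + 32]
        if len(word) < 32:
            break  # truncated capture: never report a partial ID
        idcode = sum(b << k for k, b in enumerate(word))
        if idcode == 0xFFFFFFFF:
            break
        devices.append(idcode)
        i += 32
    return devices

if __name__ == "__main__":
    # Constructed chain: DEFCON 17 badge ID, a BYPASS-only device, the 0x0471017F ID, open TDI.
    capture = idcode_to_bits(0x01C0601D) + [0] + idcode_to_bits(0x0471017F) + [1] * 32
    for dev in parse_tdo_capture(capture):
        print("BYPASS-only device" if dev is None else decode_idcode(dev))
```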
UART Commands
UART Scan
UART Scan 2
UART Scan 3
UART: Examples
Broadcom BCM4712
ID = 0x1471217F
https://github.com/notch/tjtag/blob/master/tjtag.c
UART: JP1 (TXD = 4, RXD = 6) @ 115200, 8N1
*** www.jtagtest.com/pinouts/wrt54
Scan Timing
IDCODE
BYPASS: ~13.37 permutations/second

# of Channels | IDCODE Permutations | IDCODE (mm:ss) | BYPASS Permutations | BYPASS (mm:ss)
4             | 24                  | < 00:01        | 24                  | 00:02
8             | 336                 | 00:02          | 1680                | 02:05
16            | 3360                | 00:13          | 43680               | 54:27
24            | 12144               | 00:46          | 255024              | 317:54
Scan Timing 2
UART

# of Channels | UART Permutations | Time (mm:ss)
4             | 12                | 00:12
8             | 56                | 00:57
16            | 240               | 4:04
24            | 552               | 9:22
Demonstration
Possible Limitations
Password protected
System expects defined reset sequence or pin setting
Non-standard configuration
Future Work
Other Uses
Get It
www.jtagulator.com
*** Schematics, source code, BOM, block diagram, Gerber plots, photos, other engineering documentation
www.parallax.com
*** Assembled units, bare boards, accessories
A Poem
The End.