#03 - How To Find The JTAG Interface - Hardware Hacking Tutorial

In this video I will introduce the JTAG interface, an interface that you can find on almost all of your IoT devices like routers, webcams, electronic toys, TV remotes and so on.
I will explain why this interface is so useful in hardware hacking and how to find its position and pin-out using simple techniques, for example a multimeter or a cheap Jtagulator board. And when the pin-out is known but the JTAG interface is not working, I will explain why this can happen and what to do to solve the issue.

*** What is the JTAG interface

JTAG is an industry standard, usually implemented in complex integrated circuits; it was first published in 1990 with the purpose of simplifying the testing of PCBs after manufacture.

It gave controllability and observability of each bit of internal memory in each integrated circuit, and made it possible to check the integrity of every single trace connecting the different integrated circuits on the PCB.

It allows reading and writing the flash memory content and, with later improvements to the standard, it can be used as a means of in-circuit debugging, that is, running a debugger on the real firmware running on the real hardware.

*** Why JTAG interface is important in Hardware Hacking

- it allows reading and writing the content of the EEPROM, so it can be used to dump the entire EEPROM content. It can also be used to restore the original firmware in case the device is bricked during our firmware modification trials.

- it allows breaking into the boot cycle and using the JTAG interface as a means of "in-circuit debugging", which means using a debugger with the real firmware on the real hardware

*** How to find the JTAG interface

To find the position of the JTAG interface we follow the "easiest path first" principle: first of all we search the Internet to see if someone else has already done the job for us and has already found where the JTAG interface is located on our device.

We can then look at the board, searching for pins labeled with the names of the JTAG signals like TCK, TDI, TDO and TMS.

If we are not lucky searching the Internet or looking at the labels on our board, finding the position of the JTAG interface is not easy; one of the reasons is that there are no standardised connectors and pin-outs. Anyway, there are a few popular pin-outs, some of which are available on the jtagtest website, link below.

If we don't find any JTAG pin label on our board, we start searching for pin headers arranged in a single row of 5 or 6 pins or in a double row of 10, 12, 14, or 20 pins.

When we have found the pin candidates we can use a multimeter to find the possible pin-out: finding GND and VCC is easy, TMS and TDI usually have a pull-up resistor, TRST can usually have a pull-up or a pull-down resistor, and TDO should read as a high-impedance input.

Once we have identified GND and VCC and taken resistance and voltage measurements on the remaining pins, we can compare what we have found with the popular pin-outs on the jtagtest website and, if we are lucky, we can identify the JTAG pin-out using a simple multimeter.
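The multimeter rules above can be turned into a small scoring tool. The following is an added Python example, not code from the video or its author: it classifies each candidate pin from its readings (resistance to ground and to the supply rail with the board powered off, idle voltage with the board powered on) and then scores candidate pin-outs against the observed classes. The readings and the "constructed swap" layout are made up for the example; the ARM 20-pin layout is the commonly published one and should still be checked against the jtagtest tables. Signals for which the description gives no multimeter rule (TCK, RTCK, nSRST and the debug pins) are deliberately left unscored, which is exactly the gap the Jtagulator scan fills.

```python
"""Score candidate JTAG pin-outs against multimeter readings.

Added example, not code from the video or its author. It turns the
multimeter rules from the description (GND and VCC are easy to find,
TMS/TDI usually have a pull-up, TRST a pull-up or pull-down, TDO reads
as high impedance) into a classifier and scores candidate pin-outs
against the observed pin classes. All readings are constructed; the
ARM 20-pin layout is the commonly published one, verify it before use.
"""
from math import inf

OPEN = inf  # what the multimeter shows as "OL" (no measurable resistance)

# Signal name -> set of pin classes the multimeter rules predict for it.
# Signals with no entry (TCK, RTCK, nSRST, DBGRQ, ...) have no rule in the
# description and are left for the Jtagulator scan.
EXPECTED = {
    "GND": {"GND"},
    "VTref": {"VCC"},
    "Vsupply": {"VCC"},
    "TMS": {"PULL_UP"},
    "TDI": {"PULL_UP"},
    "nTRST": {"PULL_UP", "PULL_DOWN"},
    "TDO": {"HI_Z"},
}


def classify_pin(r_gnd, r_vcc, v_idle, vcc=3.3):
    """Map one pin's readings to a class.

    r_gnd / r_vcc: ohms from the pin to board ground and to the supply
    rail (board off); v_idle: volts on the pin with the board on and idle.
    """
    if r_gnd < 5:
        return "GND"
    if r_vcc < 5:
        return "VCC"
    if r_vcc < 200_000 and v_idle > 0.8 * vcc:
        return "PULL_UP"        # kohm range to VCC, rests near VCC
    if r_gnd < 200_000 and v_idle < 0.2 * vcc:
        return "PULL_DOWN"      # kohm range to GND, rests near 0 V
    return "HI_Z"               # open to both rails: tri-stated pin


def score_layout(observed, layout):
    """Compare observed classes with a candidate layout.

    Returns (hard_mismatches, matches, checked). A power or ground pin
    that disagrees is a hard mismatch: that layout cannot be right.
    """
    hard = matches = checked = 0
    for pin, signal in layout.items():
        expected = EXPECTED.get(signal)
        if expected is None or pin not in observed:
            continue                      # no rule for this signal: skip it
        checked += 1
        if observed[pin] in expected:
            matches += 1
        elif expected <= {"GND", "VCC"}:
            hard += 1
    return hard, matches, checked


def rank_layouts(measurements, layouts, vcc=3.3):
    """Return [(name, (hard, matches, checked)), ...], best candidate first."""
    observed = {p: classify_pin(*m, vcc=vcc) for p, m in measurements.items()}
    scored = [(name, score_layout(observed, lay)) for name, lay in layouts.items()]
    scored.sort(key=lambda item: (item[1][0], -item[1][1]))
    return scored


# Commonly published ARM 20-pin JTAG header (odd pins signals, even pins GND).
ARM20 = {1: "VTref", 2: "Vsupply", 3: "nTRST", 5: "TDI", 7: "TMS", 9: "TCK",
         11: "RTCK", 13: "TDO", 15: "nSRST", 17: "DBGRQ", 19: "DBGACK"}
ARM20.update({p: "GND" for p in range(4, 21, 2)})

# Constructed competing layout: ground on pin 1, TDI/TDO swapped.
SWAPPED = {**ARM20, 1: "GND", 5: "TDO", 13: "TDI"}

# Constructed readings for a 20-pin header: (r_gnd_ohm, r_vcc_ohm, v_idle).
PU = (OPEN, 4_700, 3.3)                 # pulled up to VCC
HZ = (2_000_000, 2_000_000, 1.1)        # floating, high impedance
MEASUREMENTS = {
    1: (OPEN, 0.2, 3.3), 2: (OPEN, 0.2, 3.3), 3: (OPEN, 10_000, 3.3),
    5: PU, 7: PU, 9: (10_000, OPEN, 0.0), 11: HZ, 13: HZ,
    15: (OPEN, 10_000, 3.3), 17: HZ, 19: HZ,
}
MEASUREMENTS.update({p: (0.1, OPEN, 0.0) for p in range(4, 21, 2)})

if __name__ == "__main__":
    candidates = {"ARM 20-pin": ARM20, "constructed swap": SWAPPED}
    for name, (hard, matches, checked) in rank_layouts(MEASUREMENTS, candidates):
        print(f"{name}: {matches}/{checked} pins agree, {hard} power/ground conflicts")
```

With these readings the ARM layout agrees on all 15 pins that the rules can check, while the swapped layout is rejected on pin 1 (ground expected, supply found) and disagrees on TDI/TDO. TCK on pin 9 reads as a pull-down here, but since the description gives no rule for it the tool does not count it either way; that pin, and any layout the scoring leaves tied, is what the Jtagulator scan settles.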

If we know the System on a Chip and we have its datasheet, we can locate the JTAG pins on the chip and then follow the PCB traces to identify the connector, but this is usually very difficult for two possible reasons:

- often the System on a Chip is an SMD package with the pins below the package, and it is impossible to identify them on the Printed Circuit Board

- when the System on a Chip has a package that exposes its pins and the JTAG pins are easy to identify, it can still be difficult to follow the traces on a multi-layer board, and today almost all boards are multi-layer.

The best and easiest solution, once we have identified potential JTAG pin candidates, is to use the Jtagulator: it has many headers that we can attach to the potential JTAG pin candidates, and it can run automatic scanning logic to identify the JTAG pin-out.
-------------------------------
Links with additional Information

Comments

Didn't know a multimeter could be used to identify the different JTAG pins, this is awesome, thank you.

Wolfen

I just watched the introduction and I wanted to thank you already

ramzirabahhazila

Close your eyes and imagine Count Dracula is teaching you. Best accent ever 💯 10/10 👏🏻 👏🏻👏🏻👏🏻

TheSevonne

I've been looking for you forever. You didn't have to share your knowledge but you did and that is incredibly generous. I... and others like me are very grateful.

thecriticalpoint

I just discovered your channel! You remind me of one of my BEST teachers when I was in college. Your explanations are very clear and structured. Thank you very much, subscribed + ring bell ;-)

gopherg

I have a success rate of 1 out of 12 for decoding JTAG interfaces. My success was a DVD player, and when I got a command shell it was worth all the learning and effort. I do like your method of mapping the interface and trying to find a match. I have one in process now, and I will let you know how it goes.

jeffgrundy

Dear Ing. di Giampietro, I've bumped into this video looking for how mass production devices are programmed. I found an incredibly well explained video and an interesting channel that I'll explore deeper for sure. Thank you very much for it!

benitolorenzopugliese

I am so glad I stumbled onto your channel! This is the BEST information and presentation of that information I've ever found. I've shared your content with several of my friends and have subscribed for more. Thank you so much for this priceless content you are making and for sharing your very deep knowledge!

hiddentruth

I watched the full video several times. It's like a college JTAG class. GRACIAS!

jesussalcido

Thanks bro finally someone who isn't posting malware or fake stuff, you deserve my subscribe!

adelsaleh

Excellent work! I was looking for info on the JTAG interface for a specific router and came across this video. Although irrelevant to what I was originally looking for, I stayed and watched it through. Very good presentation and detailed. I must say I learned something new today. Thank you sir. Greetings from a fellow engineer. Keep up the good work!

manussos

I played with hacking the SB5100 series modems using a parallel to JTAG interface. I was merely following a tutorial, but now I have a much better understanding of A) How cool it was for the guy to have found the pins to get at the hardware and B) the fact that he wrote his own firmware is freakin awesome. Thanks for the video, both instructional and fun

zacharytaylor

Subscribed instantly and liked immediately. Great content. Keep it coming.

razorr

Thank you again. Very nice explanation. You should have been my lecturer.

fuzzs

Hardware hacking friend! I hope you are well. Thanks for the inspiration to take apart all my electronics!! Please create new content ❤️❤️❤️

fourtwizzy

After a long time I found something interesting to learn further. Thanks a lot.

lodmania

Amazing video! Very helpful! Subscribed right away! :)
Keep it coming, I love your videos!
Greetings from Northern Italy ;)

eznAnze

Thanks Valerio for doing this in English. (So many Indian videos I can't understand.) Your English is clear :)

PenguinWhispererThe

Loved the video, Valerio! I learned a bunch of things. Thank you.

I've ordered a Jtagulator to solder its components myself and I'm looking forward to putting these lessons into practice

ddeda

This video is excellent! Using the multimeter resistance and voltage measurement method, I managed to successfully deduce the JTAG pinout of a Samsung SPH-A700 cell phone by doing this on that phone along with a Samsung SPH-A880 that already had a known JTAG pinout (since the A880 is very similar in terms of hardware to the A700).

RareNogginStuff