#03 - How To Find The JTAG Interface - Hardware Hacking Tutorial
- added on 28. 03. 2020
- In this video I will introduce the JTAG interface, an interface that you can find on almost all of your IoT devices like routers, webcams, electronic toys, TV remotes and so on.
I will explain why this interface can be so useful in hardware hacking and how to find its position and pin-out using simple techniques, for example a multi-meter or a cheap Jtagulator board. And when the pin-out is known but the JTAG interface is not working, I will explain the reasons why this can happen and what to do to solve the issue.
*** What is the JTAG interface
JTAG is an industry standard, usually implemented in complex integrated circuits; it was first issued in 1990, with the purpose of simplifying the testing of PCBs after manufacture.
It allows controllability and observability of each bit of the internal memory of each integrated circuit and makes it possible to check the integrity of every single trace connecting different integrated circuits on the PCB.
It allows reading and writing the flash memory content and, with later improvements to the standard, it can be used as a means of in-circuit debugging, that is, running a debugger on the real firmware running on the real hardware.
*** Why JTAG interface is important in Hardware Hacking
- it allows reading and writing the content of the EEPROM, so it can be used to dump the entire EEPROM content. It can also be used to restore the original firmware in case the device gets bricked during our firmware modification trials.
- it allows breaking into the boot cycle and using the JTAG interface as a means of "in-circuit debugging", that is, using a debugger with the real firmware on the real hardware.
*** How to find the JTAG interface
To find the position of the JTAG interface we follow the "easiest path first" principle: first of all we search the Internet to see if someone else has already done the job for us and has already found where the JTAG interface is located in our device.
We can also start looking at the board for pins labeled with the JTAG signal names, like TCK, TDI, TDO and TMS.
If we are not lucky searching the Internet or looking at the labels on our board, finding the position of the JTAG interface is not easy; one reason is that there are no standardised connectors and pin-outs. There are, however, a few popular pin-outs, some of which are available on the jtagtest website (link below).
If we don't find any JTAG pin label on our board, we start searching for pin headers arranged in a single row of 5 or 6 pins or in a double row of 10, 12, 14, or 20 pins.
When we have found the pin candidates we can use a multi-meter to find the possible pin-out: finding GND and VCC is easy, TMS and TDI usually have a pull-up resistor, TRST usually has either a pull-up or a pull-down resistor, and TDO should appear as a high-impedance pin.
Once we have identified GND and VCC and taken resistance and voltage measurements on the other pins, we can compare what we have found with the popular pin-outs on the jtagtest website and, if we are lucky, identify the JTAG pin-out using a simple multi-meter.
If we know the System on a Chip and have its data sheet, we can locate the JTAG pins on the chip and then follow the PCB traces to identify the connector, but this is usually very difficult for two reasons:
- often the System on a Chip is an SMD with the pins underneath the package, and it is impossible to identify them on the Printed Circuit Board
- when the System on a Chip has a package that exposes its pins and the JTAG pins are easy to identify, it can still be difficult to follow the traces on a multi-layer board, and today almost all boards are multi-layer.
The best and easiest solution, once we have identified potential JTAG pin candidates, is to use the Jtagulator: it has a lot of header pins that we can attach to the candidate pins, and it can run automatic scanning logic to identify the JTAG pin-out.
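The scanning logic that a tool like the Jtagulator runs after the multi-meter has narrowed down the candidates can be shown in a small simulation. This is an added example, not code from the video or from the Jtagulator project: a hypothetical chip (`SimTarget`) exposes its TAP on 4 of 6 header pins, the scanner tries every (TCK, TMS, TDO) assignment, reads the 32-bit IDCODE and accepts it only if its LSB is 1 as IEEE 1149.1 requires; the device ID used as sample data is the one a commenter below reports. Note that an IDCODE scan cannot locate TDI (that needs a separate BYPASS scan), which is exactly why a scanner can report TDI as unknown.

```python
"""Constructed simulation of the IDCODE pin scan behind tools like the Jtagulator."""
import itertools

# IEEE 1149.1 TAP controller: state -> (next state if TMS=0, next state if TMS=1)
TAP = {
    "TLR": ("RTI", "TLR"), "RTI": ("RTI", "SELDR"), "SELDR": ("CAPDR", "SELIR"),
    "CAPDR": ("SHDR", "EX1DR"), "SHDR": ("SHDR", "EX1DR"), "EX1DR": ("PAUDR", "UPDR"),
    "PAUDR": ("PAUDR", "EX2DR"), "EX2DR": ("SHDR", "UPDR"), "UPDR": ("RTI", "SELDR"),
    "SELIR": ("CAPIR", "TLR"), "CAPIR": ("SHIR", "EX1IR"), "SHIR": ("SHIR", "EX1IR"),
    "EX1IR": ("PAUIR", "UPIR"), "PAUIR": ("PAUIR", "EX2IR"), "EX2IR": ("SHIR", "UPIR"),
    "UPIR": ("RTI", "SELDR"),
}

class SimTarget:
    """Hypothetical chip whose JTAG port sits on 4 of 6 header pins; the rest float low."""
    def __init__(self, idcode, pinmap):
        self.idcode, self.pinmap = idcode, pinmap      # e.g. {"TCK": 3, "TMS": 1, ...}
        self.state, self.dr, self.levels = "TLR", 0, [0] * 6
    def drive(self, pin, level):
        old, self.levels[pin] = self.levels[pin], level
        if pin == self.pinmap["TCK"] and old == 0 and level == 1:   # TCK rising edge
            tms, tdi = self.levels[self.pinmap["TMS"]], self.levels[self.pinmap["TDI"]]
            if self.state == "SHDR":                                # shift DR towards TDO
                self.dr = (self.dr >> 1) | (tdi << 31)
            self.state = TAP[self.state][tms]
            if self.state == "CAPDR":   # after reset the IDCODE instruction is selected
                self.dr = self.idcode
    def read(self, pin):
        return self.dr & 1 if pin == self.pinmap["TDO"] and self.state == "SHDR" else 0

def clock(t, tck, tms, tms_level):
    t.drive(tms, tms_level); t.drive(tck, 1); t.drive(tck, 0)

def read_idcode(t, tck, tms, tdo):
    for bit in [1, 1, 1, 1, 1, 0, 1, 0, 0]:  # 5x TMS=1 -> Test-Logic-Reset, then to Shift-DR
        clock(t, tck, tms, bit)
    value = 0
    for i in range(32):                       # LSB of the 32-bit IDCODE comes out first
        value |= t.read(tdo) << i
        clock(t, tck, tms, 0)
    return value

def idcode_scan(t, npins=6):
    """Try every (TCK, TMS, TDO) assignment; TDI cannot be found this way (needs BYPASS)."""
    for tck, tms, tdo in itertools.permutations(range(npins), 3):
        code = read_idcode(t, tck, tms, tdo)
        if code & 1 and code != 0xFFFFFFFF:   # 1149.1: bit 0 of a valid IDCODE is always 1
            return {"TCK": tck, "TMS": tms, "TDO": tdo, "TDI": None, "IDCODE": code}
    return None

def decode_idcode(code):
    """Split a JTAG IDCODE into its IEEE 1149.1 fields (version, part, manufacturer)."""
    return {"version": code >> 28, "part": (code >> 12) & 0xFFFF,
            "manufacturer": (code >> 1) & 0x7FF}

if __name__ == "__main__":
    chip = SimTarget(0x502BF17F, {"TCK": 3, "TMS": 1, "TDO": 0, "TDI": 4})
    print(idcode_scan(chip), decode_idcode(0x502BF17F))
```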
-------------------------------
Links with additional Information
Channel’s Author: www.makemehack.com/2020/02/a-...
Channel’s Web Site: www.makemehack.com/
The sample router (Gemtek WVRTM-127ACN) on techinfodepot: en.techinfodepot.shoutwiki.com...
The sample router (Gemtek WVRTM-127ACN) reverse engineered on GitHub: github.com/digiampietro/hacki...
The JTagulator website: www.grandideastudio.com/jtagul...
TTL Serial Adapter (affiliate link): amzn.to/2vvzCYB
PuTTY, the terminal emulator: www.putty.org/
Bus Pirate: dangerousprototypes.com/docs/B...
Bus Bluster: dangerousprototypes.com/docs/B...
J-Link Debug Probes: www.segger.com/products/debug...
OpenOCD: openocd.org/
Website with popular JTAG pinout: www.jtagtest.com/pinouts/
Previous episode #02: • #02 - How To Find The ... - Science & Technology
Didn't know a multimeter could be used to identify the different jtag pins, this is awesome, thank you.
I have a success rate of 1 out of 12 for decoding jtag interfaces. My success was a DVD player and when I got a command shell it was worth all the learning and effort. I do like your method of mapping the interface and trying to find a match. I have one in process now, and I will let you know how it goes.
I just watched the introduction and I wanted to thank you already
Hello Ramzi rabah hazila, thank you for your appreciation!
I've been looking for you forever. You didn't have to share your knowledge but you did and that is incredibly generous. I... and others like me are very grateful.
Dear Ing. di Giampietro, I've bumped into this video looking for how mass production devices are programmed. I found an incredibly well explained video and an interesting channel that I'll explore deeper for sure. Thank you very much for it!
I played with hacking the SB5100 series modems using a parallel to JTAG interface. I was merely following a tutorial, but now I have a much better understanding of A) How cool it was for the guy to have found the pins to get at the hardware and B) the fact that he wrote his own firmware is freakin awesome. Thanks for the video, both instructional and fun
I am so glad I stumbled onto your channel! This is the BEST information and presentation of that information I've ever found. I've shared your content with several of my friends and have subscribed for more. Thank you so much for this priceless content you are making and for sharing your very deep knowledge!
Excellent work! I was looking for info on the JTAG interface for a specific router and came across this video. Although irrelevant to what I was originally looking for, I stayed and watched it through. Very good presentation and detailed. I must say I learned something new today. Thank you sir. Greetings from a fellow engineer. Keep up the good work!
Hello Μανούσος Πουλινάκης, thank you for your compliment and for your encouraging appreciation and support.
I just discovered your channel! You remind me of one of my BEST teachers when I was in college. Your explanations are very clear and structured. Thank you very much, subscribed + ring bell ;-)
I watched the full video several times. It's like a college JTAG class. GRACIAS!
Thanks bro finally someone who isn't posting malware or fake stuff, you deserve my subscribe!
Loved the video, Valerio! I learned a bunch of things. Thank you.
I’ve ordered a Jtagulator to solder its components myself and I’m looking forward to putting these lessons to practice
Apart from all the passive components and some MOSFETs and interface ICs, doesn't the controller IC P8X32A-Q44 require programming? Or is it ready to use once purchased? Thank you
This video is excellent! Using the multimeter resistance and voltage measurement method, I managed to successfully deduce the JTAG pinout of a Samsung SPH-A700 cell phone by doing this on that phone along with a Samsung SPH-A880 that already had a known JTAG pinout (Since the A880 is very similar in terms of hardware to the A700).
Amazing content and amazing channel. Thank you so much for all the hard work you put into it. I'm learning a lot!
Hello Luis A. Gomez, thank you for your appreciation and glad you enjoyed it.
Subscribed instantly and liked immediately. Great content. Keep it coming.
close your eyes and imagine count dracula is teaching you. Best accent ever 💯 10/10 👏🏻 👏🏻👏🏻👏🏻
If Count Dracula was Italian.
I like to close my eyes and listen to you @TheSevonne, TEACHING YOUR KNOWLEDGE IN ITALIAN as much as he does in English. I hope you learned a thing or two from this page. I know I have. I've been JTAGing (AVR) for years and I didn't know how to find the JTAG points with a multimeter.
Amazing video! Very helpful! Subscribed right away! :)
Keep it coming, i love your videos!
Greetings from Northern Italy ;)
Thank you very much for explaining so very clearly.
Nice work 👍👍
first video I've watched and I already love the channel!
Thanks Valerio for doing this in English. (So many Indian videos I can't understand) Your English is clear :)
Thank you again. Very nice explanation. You should have been my lecturer.
After a long time I found something interesting to learn further. Thanks a lot.
Thank you Sir, truly appreciate, beautifully explained, memory stacks, layers mode select
Hardware hacking friend! I hope you are well. Thanks for the inspiration to take apart all my electronics!! Please create new content ❤️❤️❤️
Very good, it is extremely helpful.
Thanks for sharing!
Great channel, very useful information, well explained.
Thanks for the great content :) very helpful and well structured tutorial
Very good explanation. Thanks.
Glad I found you! Thank you for sharing.
Hello Friendly Hardware Hacking Neighbor!!! I absolutely LOVE your videos. I love your accent too, sometimes it's hard to understand but I am able to if I concentrate. I like to tinker with electronics stuff and I don't remember how I came across your videos but I am fascinated. I am already tearing apart old routers and wifi extenders and mini spy-cams. I am waiting for my FTDI from amazon and can't wait to use some of the tools you are showing me to hack into some of these things. Thank you SO MUCH for taking the time to make these videos! I have a question please...? For a beginner what would you recommend as for products on your list to purchase where a noob could get into this without spending a fortune. Like, those debug probes are expensive, do I need that right away or will it be ok to start out with the JTagulator and go from there? I look forward to hearing back from you and once again, THANK YOU!
Valerio Thank you. I will have to watch your video a few more times but the information is good
Very interesting and detailed information
God bless you dude. These videos contain the most solid information i have ever found. I will be studying these very much😊
Hi Harrison, thank you for your appreciation and support!
Very nice information Sir
Hi and thanks for your awesome videos. Can you recommend a different JTAG programmer? Bus Blaster seems currently out of stock.
Great Video!
Thank you very much for the detailed information. I just subscribed to your channel.
Salute sir very knowledgeable video
Very interesting, well done!
Hey King, take this 👑, you dropped it
you are fantastic man! thanks a lot!
Excellent, completely excellent.
Thank you! So cool 😎
Good evening!
AWESOME EXPLANATION
This is by far the best video of its kind on YouTube, I'm very impressed. God bless you sir 🙏. How much does the JTag NT4.0 cost?
Sir, thank you very much. I was looking for such a simple explanation...
Thanks for the compliments!
Nice video Valerio, thank you very much.
Brother, you deserve paradise, thank you
Thank you for this, more tutorials to come please.
Thanks for sharing!
Thank you for the video. I have a question: how did you locate the reference VCC pin to check against the header? The steps were not clear to me.
AMAZING...thanks a lot
thanks a lot ...keep on please
Thank you very much for such a detailed video. Really appreciate the hard work you have put in to explain these concepts. Looking forward to learn more.
Hope you are safe and sound in Italy amidst this pandemic time. May God bless and keep you and your family safe. Greetings from India 🙏🏼. Subscribed 🙂
Hello Zubin Bhathena, thank you for your appreciation and support. My family and I are safe, we stay at home and we try to enjoy our time at home anyway. Now the situation in Italy is slightly improving; in the last few days we have had a decreasing number of deaths, of hospitalised people and of patients in intensive care.
Best thanks from 🇨🇭
Interesting video, congratulations.
It's always nice to hear an Italian from time to time, on this platform mostly populated by native English speakers.
I agree, but it's not only the Anglos who read this, Latinos too.
First of all, thanks a lot! I have a question for you: at 18:40, how did you hook up the headers to these spots? these were not classical pads as we often see in JTAG/UART?
(subscribed, big kudos)
Hi Omer, thank you for your appreciation and for your question.
The pads are for a surface mount 2x5, 2.54mm pitch connector (like this one: www.aliexpress.com/i/32915471614.html ), I didn't have that connector available, so I replaced it with a couple of PTH (not SMD!) female headers soldering them in an "unusual way".
@MakeMeHack thanks!! really appreciate this! Wish you all the best
fantastic-fantastic-fantastic
Nice
Hello CA. Bohol, thank you again!
Thank you for the video 👍👍👍
Maestro! How I would have loved to have you as a teacher since childhood to learn these things!! I can help you with English if you help me with hacking!
thank you !
Thank you.
On some boards there are no pads for JTAG or UART. In which case you can scrape the trace lines and attach 0.1mm wire. You need a microscope for this but it works well.
If you have good eyes you don't need a microscope. I have precise eyes because I am young, but I understand some people have difficulties with soldering it; you need a fine tip, not necessarily a microscope.
PCBite kit with 2x SP200 and 4x SP10 probes might work for getting to those small pins.
Great, thanks a lot. 👍🏼🇧🇷
AWESOME
thank you
Thanks!
Fantastic, thanks!
Thank you very much 🙂, Valerio..... Your video is excellent and full of knowledge.....
Can I ask some questions about JTAG [I searched on Google but I cannot find the exact answer]....
1) Is the JTagulator's function only to find the pins corresponding to JTAG? Or can it be used like a "BUS PIRATE/SHIKRA"?
2) Can I use the same "JTAG debug probe" for different ICs like "AMD", "ARM"....etc [I don't want to buy multiple JTAG probes for each IC type]?
3) Can you recommend some good JTAG debug probe which costs around $20-$40?..... because the JTagulator is costly for me
Hi Nongin, thank you for your appreciation and your question!
1. my understanding is that JTagulator's function is only to find the corresponding JTAG pin and not to be used as a "JTag probe";
2. an excellent and low-cost probe, in my opinion, is the Segger J-Link Edu mini, it is perfect for ARM-based chips, but works also with other architectures, and it is supported by the excellent Segger software. It's not open-source hardware or open-source software, but it can be used for non-commercial purposes with free of charge Segger software. It costs around 17/30 dollars. There are also very cheap, pirated clones, but I don't recommend them because you are never sure that they will work. Another low-cost probe is Bus Bluster, to be used with OpenOCD. or Bus Pirate. Bus Pirate is, perhaps more versatile but it is very slow.
3. You can use the above probes to interact with the JTag interface; to automatically identify JTag pinout a cheap alternative to JTagulator is to use an Arduino board with the freely available JTAGenum software, but you have to pay attention because JTagulator does voltage conversion (3.3V 5V) and input protection, Arduino does not. So, maybe, you have to use some 3.3V based Arduino and, maybe, you have to use some low-value resistors to protect inputs.
@MakeMeHack Thank You very much 🙂
@MakeMeHack I've recently found this... which might give us a cheap Arduino-based JTAGulator alternative. github.com/dxa4481/inputProtectionShield
This accent is awesome!
Thanks!
Super
Hello Joshgun Kerimli, thank you for your appreciation.
very good video tho!
Hello by7vfyvtu vyuvt6ft6, thank you for your appreciation!
Grazie! Greetings from Russia)
25:58 I would think in this case, you could simply replace the SOC with a new SOC chip which doesn't have the fuse blown?
"My name is Velerio Di Giampietro. But everybody calls me Giampetro."
The JTAGulator is very old (and expensive).
Is it still supported?
Is it still updated with new features?
Is it still worth buying?
what if I have the datasheet for the processor and it shows which pins are TDI, TDO, TCK and TMS? I don't need to use JTagulator right?
Hello Sir, I have utilized the JTAGulator and have identified all but one pin. TDI is showing N/A but the others are showing as: TDO: 3, TCK: 0, TMS: 1, TRST: 7. I'm using channels 0-7. Device ID is showing 0x502BF17F. How would you advise discerning TDI? Thank you so much for your video tutorials.
Great video! Thanks for sharing your knowledge and time. BTW, in general I'd recommend making videos not longer than 15 minutes if possible. A long video can be discouraging to watch; 15 minutes is the optimal time for a video. The liveoverflow youtuber had huge success with videos not longer than 15 minutes.
Hi MarKac, thank you for your support and your suggestion. My original goal was to have shorter videos, about 15/20 minutes, of self-contained episodes with arguments introduced and resolved within the same episode. I am still learning how to plan an episode that is both self-contained and shorter, because you are right that longer videos can be discouraging to watch.
@MakeMeHack I have to disagree with MarKac: when an individual is interested in this type of information, as it's hard to come by, it really doesn't matter how long an episode is. This subject is really helpful, I would devote some time to watch and learn some techniques. I subscribed as well of course, thank you for your time and effort to share your knowledge, take care.
Hi @ducky0069, thank you for your support and for your opinion!
Learning By Yourself Is Sometimes Best.
Teacher..how to read ECU data ? Please make video about it 🙏🙏
Thank you.
I hope you are alive 🙏
I just got a Bus Pirate 3.6a and I'm wanting to connect to a device using JTAG. The available pins on it are:
TDO,TDI,TMS,TCK,GND,RESET
Do I just connect each one to the same-named pin, from the Bus Pirate to the device? (Like TDO - TDO, TDI - TDI...etc etc for all of them). Years ago I used UART but I'm not seeing those connections on the board I'm trying to mess around with. I just can't seem to find a guide / tutorial that explains how to set it up, for newbs.
On a laptop embedded controller with a JTAG interface, like the Nuvoton 288/388, and does it work with the MEC1609, 16xx???
Damn I wish I was like this guy and thought the Jtagulator was cheap
Does a mini body camera (no wifi) have a JTAG? I just want to hack into the firmware in order to try and change the recording mode. Somehow it's hardwired to record in 3 minute increments only and there is no option for continuous recording.
Is there an open-source tool you can download for free to use with a JTAG interface?
works gj
How are you sir!
How to bypass USB dongle protection software by using reverse engineering?
Hello ARYAN SUPPORT, thank you for your comment. Unfortunately, I have not been involved yet in this kind of reverse engineering, so I cannot help.
Italians are the best hackers ever!
Hi, how are you Sir? I need to know, can I JTAG the EchoLife Huawei router model HG8546M with the RT809H programmer?
Please explain. Thanks
So funny, thank you for sharing know-how
Sir, how can I copy a program from a GD32F150C8T6 ARM GigaDevice chip?
Hello, can you tell me anything about the Blu&me control units in cars?
Hello.
How I may connect with you?
Hi. I wanna hack a TV box with NAGRA OS and I don't know how I can find the JTAG pinout. The processor is an STI7141BKWB and I can't find the pinout in the datasheet. In this case, how can I find this pinout?