PiPins / jtag.txt
root on 16 Mar 2020 2 KB visual tidying
Raspberry Pi 40-pin header: JTAG alternate functions (Alt4 / Alt5) by physical pin

                    1)(2
                    3)(4
                    5)(6
     TDI (Alt5)     7)(8
                    9)(10
                   11)(12
     TMS (Alt4)    13)(14
    TRST (Alt4)    15)(16   RTCK (Alt4)
                   17)(18   TDO (Alt4)
                   19)(20
                   21)(22   TCK (Alt4)
                   23)(24
                   25)(26
                   27)(28
     TDO (Alt5)    29)(30
    RTCK (Alt5)    31)(32   TMS (Alt5)
     TCK (Alt5)    33)(34
                   35)(36
     TDI (Alt4)    37)(38
                   39)(40

JTAG generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn't mandate a particular physical connection; it just dictates a standard for communicating with the chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (optional) TRST, which are (Test) Clock, Mode Select, Data In, Data Out and Reset.

JTAG/SWD are standards which allow developers to debug any microcontroller or microprocessor. From an attacker's perspective, having access to the debug port means game over for the device: an attacker can dump the internal memory or change memory contents dynamically. Let's talk about accessing both JTAG and SWD using just a Raspberry Pi. We use an open-source tool called OpenOCD which talks to the target's debug interface.

Connection (physical header pin numbers):
JTAG:
TCK 23
TMS 22
TDI 19
TDO 21
SRST 12
GND 20
SWD:
SWDIO 18
SWCLK 22
SRST 12
GND 14

To install OpenOCD:
git clone git://git.code.sf.net/p/openocd/code openocd
cd openocd/
./bootstrap
./configure --enable-maintainer-mode --enable-bcm2835gpio --enable-sysfsgpio
make && sudo make install

It will take a bit of time, so be patient.

JTAG:
The configuration file for JTAG comes with the OpenOCD package itself. Just running this with the target cfg (here stm32f4x.cfg) will connect to its JTAG:
openocd -f interface/raspberrypi-native.cfg -f target/stm32f4x.cfg
Now you can connect to gdb and debug the device.

SWD:
openocd -f raspberrypi_swd.cfg -f target/stm32f4x.cfg
raspberrypi_swd.cfg is located in the git you downloaded earlier.
Now you can connect to gdb and debug the device.
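The GPIO numbers inside those cfg files are BCM GPIO numbers, while the Connection lists above are physical header pins. The following is an added example, not part of these notes or of OpenOCD itself: it reads the older bcm2835gpio_* pin commands from an interface cfg (assumption: newer OpenOCD releases spell these as adapter gpio commands instead), translates each signal to its header pin, and flags a GPIO wired to two signals of the same transport. The cfg fragment is constructed from the pin numbers in these notes.

```python
# BCM GPIO number -> physical pin on the 40-pin header (Pi B+ and later).
BCM_TO_PIN = {
    2: 3, 3: 5, 4: 7, 14: 8, 15: 10, 17: 11, 18: 12, 27: 13, 22: 15, 23: 16,
    24: 18, 10: 19, 9: 21, 25: 22, 11: 23, 8: 24, 7: 26, 0: 27, 1: 28, 5: 29,
    6: 31, 12: 32, 13: 33, 19: 35, 16: 36, 26: 37, 20: 38, 21: 40,
}
GROUND_PINS = (6, 9, 14, 20, 25, 30, 34, 39)  # any of these can be the GND

# Older OpenOCD bcm2835gpio pin commands (assumption: newer releases spell
# these "adapter gpio <signal> <num>") and the signal of each argument.
SIGNALS = {
    "bcm2835gpio_jtag_nums": ("TCK", "TMS", "TDI", "TDO"),
    "bcm2835gpio_swd_nums": ("SWCLK", "SWDIO"),
    "bcm2835gpio_trst_num": ("TRST",),
    "bcm2835gpio_srst_num": ("SRST",),
}
# Constructed interface-cfg fragment with the GPIO numbers behind the wiring
# lists in these notes (a real cfg also sets peripheral base, speed, reset).
SAMPLE_CFG = """interface bcm2835gpio
# tck tms tdi tdo
bcm2835gpio_jtag_nums 11 25 10 9
# swclk swdio
bcm2835gpio_swd_nums 25 24
bcm2835gpio_srst_num 18
"""


def wiring_from_cfg(cfg_text):
    """Map each debug signal assigned in cfg_text to its header pin; raise
    ValueError for an off-header GPIO or a GPIO shared within a transport."""
    wiring = {}
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip Tcl comments
        if not line:
            continue
        cmd, *args = line.split()
        if cmd not in SIGNALS:
            continue  # not a pin assignment
        for signal, gpio_str in zip(SIGNALS[cmd], args):
            gpio = int(gpio_str)
            if gpio not in BCM_TO_PIN:
                raise ValueError(f"{signal}: GPIO{gpio} is not on the header")
            wiring[signal] = BCM_TO_PIN[gpio]
    # Sharing across transports (TMS/SWCLK on GPIO25 here) is fine since only
    # one transport is active; sharing within one transport is a wiring bug.
    for group in (("TCK", "TMS", "TDI", "TDO"), ("SWCLK", "SWDIO")):
        pins = [wiring[s] for s in group if s in wiring]
        if len(pins) != len(set(pins)):
            raise ValueError(f"two signals of {group} share a GPIO")
    return wiring
```

Run on the constructed fragment it reproduces the Connection lists above (TCK 23, TMS 22, TDI 19, TDO 21, SWDIO 18, SWCLK 22, SRST 12), so the same function can be pointed at any bcm2835gpio cfg before wiring a board.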

###########################################################

JTAGenum
In a typical device, it is rare to find the JTAG interface labelled or to know where its pins are located. So we use a tool called JTAGenum, which scans all the pins of the device and tells you which pin is TMS, TCK, TDI and TDO. This is very helpful if you don't have proper documentation of the target device.

Installation:
git clone https://github.com/cyphunk/JTAGenum
cd JTAGenum
source JTAGenum.sh
scan

Pins to be used are 3 5 7 11 13 15 and common ground.

This will take a bit of time as the GPIO is quite slow.