PiPins / jtag.txt (root, 18 Mar 2020)

pin 1 marking: the ] after pin 1 marks it. Alt4/Alt5 are the BCM GPIO alternate functions that carry the Pi's own ARM JTAG signals:
		 1](2
		 3)(4
		 5)(6
TDI (Alt5)	 7)(8
		 9)(10
		11)(12
TMS (Alt4)	13)(14
TRST (Alt4)	15)(16	RTCK (Alt4)
		17)(18	TDO (Alt4)
		19)(20
		21)(22	TCK (Alt4)
		23)(24
		25)(26
		27)(28
TDO (Alt5)	29)(30
RTCK (Alt5)	31)(32	TMS (Alt5)
TCK (Alt5)	33)(34
		35)(36
TDI (Alt4)	37)(38
		39)(40

JTAG generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn't mandate a particular connector; it just dictates a standard for communicating with the chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (optional) TRST, which are (Test) Clock, Mode Select, Data In, Data Out and Reset.

JTAG and SWD are standard interfaces that let developers debug a microcontroller or microprocessor. From an attacker's perspective, access to the debug port means game over for the device: the attacker can dump the internal memory or change it at runtime. Let's look at accessing both JTAG and SWD using just a Raspberry Pi, with the open-source tool OpenOCD driving the debug interface from the Pi's GPIO pins.

Connection (numbers are Raspberry Pi 40-pin header positions, not BCM GPIO numbers):
	JTAG:
		TCK – 23
		TMS – 22
		TDI – 19
		TDO – 21
		SRST – 12
		GND – 20
	SWD:
		SWDIO – 18
		SWCLK – 22
		SRST – 12
		GND – 14

To Install openOCD:
git clone git://git.code.sf.net/p/openocd/code openocd
cd openocd/
./bootstrap
./configure --enable-maintainer-mode --enable-bcm2835gpio --enable-sysfsgpio
make && sudo make install

It will take some bit of time, so be patient.

JTAG:
The configuration file for the Pi's GPIO JTAG interface ships with OpenOCD itself; running it together with the target cfg connects to the target's JTAG port:
openocd -f interface/raspberrypi-native.cfg -f target/stm32f4x.cfg
Now you can connect gdb and debug the device.

SWD:
openocd -f raspberrypi_swd.cfg -f target/stm32f4x.cfg
raspberrypi_swd.cfg is located in the git repository you cloned earlier.
Now you can connect gdb and debug the device.
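OpenOCD's bcm2835gpio driver is configured with BCM GPIO numbers, while the wiring list above uses 40-pin header positions, so the usual mistake is to copy header numbers straight into the .cfg. The script below is an added example, not part of these notes or of OpenOCD: it translates the wiring above into an interface config, refuses ground and power pins, and rejects an SRST line that collides with a data line. It assumes the OpenOCD 0.10/0.11 command names (interface, bcm2835gpio_jtag_nums, ...) and the peripheral base and speed coefficients of a Pi 2/3; newer OpenOCD releases spell these as adapter driver / adapter gpio, and a Pi 4 needs peripheral base 0xFE000000.

```python
"""Turn the Raspberry Pi header wiring above into an OpenOCD bcm2835gpio interface config."""

# Physical 40-pin header position -> BCM GPIO number (Pi models with the 40-pin header).
# 27/28 are the HAT ID EEPROM pins (GPIO0/1); they are listed but best avoided.
HEADER_TO_BCM = {
    3: 2, 5: 3, 7: 4, 8: 14, 10: 15, 11: 17, 12: 18, 13: 27, 15: 22, 16: 23,
    18: 24, 19: 10, 21: 9, 22: 25, 23: 11, 24: 8, 26: 7, 27: 0, 28: 1, 29: 5,
    31: 6, 32: 12, 33: 13, 35: 19, 36: 16, 37: 26, 38: 20, 40: 21,
}
GROUND_PINS = {6, 9, 14, 20, 25, 30, 34, 39}
POWER_PINS = {1: "3V3", 17: "3V3", 2: "5V", 4: "5V"}

# Wiring from the notes above, as header pin numbers
JTAG_PINS = {"tck": 23, "tms": 22, "tdi": 19, "tdo": 21}
SWD_PINS = {"swclk": 22, "swdio": 18}
SRST_PIN = 12


def bcm_gpio(pin):
    """Header pin number -> BCM GPIO number; rejects pins that carry no GPIO at all."""
    if pin in GROUND_PINS:
        raise ValueError(f"header pin {pin} is GND, not a signal pin")
    if pin in POWER_PINS:
        raise ValueError(f"header pin {pin} is {POWER_PINS[pin]}; a debug line must never go there")
    if pin not in HEADER_TO_BCM:
        raise ValueError(f"header pin {pin} does not exist on the 40-pin header")
    return HEADER_TO_BCM[pin]


def check_conflicts(jtag, swd, srst):
    """Lines within one transport must be distinct GPIOs and SRST must not double as a data line.
    JTAG TMS and SWD SWCLK sharing a GPIO is fine: only one transport is active at a time."""
    for name, group in (("JTAG", jtag), ("SWD", swd)):
        if len(set(group.values())) != len(group):
            raise ValueError(f"{name} lines share a GPIO: {group}")
    if srst in set(jtag.values()) | set(swd.values()):
        raise ValueError(f"SRST on GPIO{srst} collides with a data line")


def openocd_interface_cfg(jtag=JTAG_PINS, swd=SWD_PINS, srst=SRST_PIN, peripheral_base=0x3F000000):
    """Return the interface .cfg text (OpenOCD 0.10/0.11 command names, assumed)."""
    j = {k: bcm_gpio(v) for k, v in jtag.items()}
    s = {k: bcm_gpio(v) for k, v in swd.items()}
    r = bcm_gpio(srst)
    check_conflicts(j, s, r)
    lines = [
        "interface bcm2835gpio",
        "# 0x20000000 on Pi 1/Zero, 0x3F000000 on Pi 2/3, 0xFE000000 on Pi 4",
        f"bcm2835gpio_peripheral_base 0x{peripheral_base:08X}",
        "# bit-bang timing coefficients; these are the Pi 2/3 values, tune for other boards",
        "bcm2835gpio_speed_coeffs 146203 36",
        f"# tck tms tdi tdo  (header pins {jtag['tck']} {jtag['tms']} {jtag['tdi']} {jtag['tdo']})",
        f"bcm2835gpio_jtag_nums {j['tck']} {j['tms']} {j['tdi']} {j['tdo']}",
        f"# swclk swdio  (header pins {swd['swclk']} {swd['swdio']})",
        f"bcm2835gpio_swd_nums {s['swclk']} {s['swdio']}",
        f"# srst  (header pin {srst})",
        f"bcm2835gpio_srst_num {r}",
        "reset_config srst_only srst_push_pull",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(openocd_interface_cfg(), end="")
```

Write the output to a file (for example python3 mkcfg.py > raspberrypi_jtag_swd.cfg; both names are assumptions) and pass it in place of interface/raspberrypi-native.cfg. The same file serves both transports: add -c "transport select swd" between the interface file and the target file to use the SWD lines instead of JTAG.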

###########################################################

JTAGenum
On a typical device it is hard to find the JTAG interface and work out where its pins are. So we use a tool called JTAGenum, which scans all the candidate pins of the device and tells you which pin is TMS, TCK, TDI and TDO. This is very helpful if you don't have proper documentation of the target device.

Installation:
git clone https://github.com/cyphunk/JTAGenum
cd JTAGenum
source JTAGenum.sh
scan

The pins to be used are header pins 3, 5, 7, 11, 13 and 15 plus a common ground.

This will take a bit of time as the GPIO is quite slow.
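To see what a pin hunt of this kind actually does on the wire, here is a small simulation (an added example, not JTAGenum's own code and not part of these notes): a fake target with a single IEEE 1149.1 TAP knows which of the six candidate pins carry TCK, TMS, TDI and TDO, while the scanner only sees GPIOs and tries every assignment. Reading an IDCODE through the TAP state machine pins down TCK, TMS and TDO but never samples TDI, so TDI is confirmed afterwards by shifting a pattern through the 32-bit data register and checking that it comes back out. The hidden wiring and the IDCODE value are constructed for the demo; the candidate pins are the six header pins named above.

```python
"""JTAGenum-style pin hunt, simulated against a fake IEEE 1149.1 TAP (constructed demo)."""
import itertools

# TAP controller: state -> (next for TMS=0, next for TMS=1); TMS is sampled on the rising TCK edge
TAP_NEXT = {
    "TLR": ("RTI", "TLR"), "RTI": ("RTI", "SELDR"), "SELDR": ("CAPDR", "SELIR"), "CAPDR": ("SHDR", "EX1DR"),
    "SHDR": ("SHDR", "EX1DR"), "EX1DR": ("PAUDR", "UPDR"), "PAUDR": ("PAUDR", "EX2DR"), "EX2DR": ("SHDR", "UPDR"),
    "UPDR": ("RTI", "SELDR"), "SELIR": ("CAPIR", "TLR"), "CAPIR": ("SHIR", "EX1IR"), "SHIR": ("SHIR", "EX1IR"),
    "EX1IR": ("PAUIR", "UPIR"), "PAUIR": ("PAUIR", "EX2IR"), "EX2IR": ("SHIR", "UPIR"), "UPIR": ("RTI", "SELDR"),
}
DR_LEN = 32
CANDIDATE_PINS = [3, 5, 7, 11, 13, 15]   # header pins wired for the scan, as in the notes above
SAMPLE_IDCODE = 0x4BA00477               # sample value for the demo (1149.1 requires bit 0 == 1)


class FakeTap:
    """Stand-in target with one TAP whose DR after reset is the 32-bit IDCODE register.
    Only the target knows which pin carries which signal; the scanner just sees GPIOs."""

    def __init__(self, roles, idcode):
        self.roles, self.idcode = roles, idcode   # roles: {'tck': pin, 'tms': pin, 'tdi': pin, 'tdo': pin}
        self.levels = {}                           # last level driven on each pin; undriven pins read low
        self.state, self.dr, self.tck_prev = "TLR", 0, 0

    def write(self, pin, level):
        self.levels[pin] = level = level & 1
        if pin == self.roles["tck"]:
            if level and not self.tck_prev:
                self._rising_edge()
            self.tck_prev = level

    def read(self, pin):
        # TDO is driven only while shifting; anything else reads as a pulled-down input
        return self.dr & 1 if pin == self.roles["tdo"] and self.state == "SHDR" else 0

    def _rising_edge(self):
        tms = self.levels.get(self.roles["tms"], 0)
        tdi = self.levels.get(self.roles["tdi"], 0)
        if self.state == "CAPDR":     # IR is not modelled: after reset it selects IDCODE, all the scan needs
            self.dr = self.idcode
        elif self.state == "SHDR":    # LSB goes out towards TDO, TDI comes in at the top
            self.dr = (self.dr >> 1) | (tdi << (DR_LEN - 1))
        self.state = TAP_NEXT[self.state][tms]


def clock(dev, pins, tms, tdi):
    """One TCK pulse on the guessed pins, with TMS and TDI set up before the rising edge."""
    dev.write(pins["tms"], tms)
    dev.write(pins["tdi"], tdi)
    dev.write(pins["tck"], 1)
    dev.write(pins["tck"], 0)

def enter_shift_dr(dev, pins):
    for _ in range(5):             # five TMS=1 clocks reach Test-Logic-Reset from any state
        clock(dev, pins, 1, 0)
    for tms in (0, 1, 0, 0):       # Run-Test/Idle -> Select-DR -> Capture-DR -> Shift-DR
        clock(dev, pins, tms, 0)

def shift_dr(dev, pins, data_in, leave=True):
    """Shift 32 bits in through TDI; return the 32 bits that came out of TDO, LSB first."""
    out = 0
    for i in range(DR_LEN):
        out |= dev.read(pins["tdo"]) << i                    # sample TDO before the rising edge
        clock(dev, pins, int(leave and i == DR_LEN - 1), (data_in >> i) & 1)  # TMS=1 on the last clock exits
    return out

def tdi_loops_back(dev, pins, pattern=0xA5C3D2E1):
    """Only the real TDI makes a pattern shifted into the 32-bit DR reappear on TDO 32 clocks later."""
    enter_shift_dr(dev, pins)
    shift_dr(dev, pins, pattern, leave=False)
    return shift_dr(dev, pins, 0) == pattern

def universal_reset(dev, candidates):
    """Pulse each candidate as if it were TCK while every other candidate (so TMS too) is held high:
    whatever earlier wrong guesses did, the controller ends in Test-Logic-Reset or Run-Test/Idle."""
    for p in candidates:
        for q in candidates:
            dev.write(q, 0 if q == p else 1)
        for _ in range(5):
            dev.write(p, 1)
            dev.write(p, 0)
    for q in candidates:
        dev.write(q, 0)

def find_jtag(dev, candidates):
    """Try every (TCK, TMS, TDO) assignment; the IDCODE read never samples TDI, so TDI is confirmed separately."""
    hits = []
    for tck, tms, tdo in itertools.permutations(candidates, 3):
        universal_reset(dev, candidates)
        spare = [p for p in candidates if p not in (tck, tms, tdo)]
        pins = {"tck": tck, "tms": tms, "tdi": spare[0], "tdo": tdo}
        enter_shift_dr(dev, pins)
        code = shift_dr(dev, pins, 0)
        if code & 1 == 0 or code == (1 << DR_LEN) - 1:       # 1149.1: bit 0 is always 1; all-ones is invalid
            continue
        for tdi in spare:
            pins["tdi"] = tdi
            if tdi_loops_back(dev, pins):
                hits.append({"tck": tck, "tms": tms, "tdi": tdi, "tdo": tdo, "idcode": code})
    return hits
```

Calling find_jtag(FakeTap({"tck": 11, "tms": 13, "tdi": 7, "tdo": 15}, SAMPLE_IDCODE), CANDIDATE_PINS) returns a single hit naming those four pins and the IDCODE. Two details carry over to real hardware: the IDCODE read identifies TCK, TMS and TDO but says nothing about TDI, hence the separate loopback, and a wrong guess can leave the target's TAP controller in any state, which is why each attempt starts by pulsing every candidate as if it were TCK with the others held high.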