Jtag skymax program




















With JTAG we can control the execution of the firmware: stop the execution, inspect the memory, configure breakpoints, execute the code step-by-step, etc.

As we can see, the JTAG interface is perfect for inspecting the execution of the firmware, finding vulnerabilities and exploiting the device. It is there because the JTAG interface is very convenient for the development and production of the hardware: developers use it to debug the firmware running on the device.

Also, the JTAG interface is used as a tool for programming and testing the device in production. However, some manufacturers may adopt countermeasures to make it difficult to use the JTAG interface in the final product, including:

Other manufacturers go further and completely disable the JTAG interface through fuses (internal bits of the chip that, once programmed, can no longer be changed). Even so, it is still possible to re-enable the JTAG interface with techniques such as a silicon die attack. After all, security is always a matter of how much time, knowledge and resources you have, right?

Finding the JTAG interface signals and their pinout can be quite laborious!

But before you start, do some research. Maybe someone else has already identified the JTAG interface of your device and published it on the Internet. The pins of the JTAG interface may be hidden under some other component like a capacitor or a battery. Pay attention to the different standards of JTAG connectors (2x10, 2x8, 2x7, 2x5, etc.).

Download the datasheet of the processor to identify the JTAG pins and test with a multimeter, oscilloscope or logic analyzer. A brute-force tool like JTAGulator can also be very useful! Therefore, the process of identifying the JTAG interface can take some time and will require a lot of patience!

There are several JTAG adapters available on the market, some quite expensive for professional use and others more accessible, some of which are open hardware:

This is my setup:

To communicate with the JTAG interface, there are several software options, many of which are proprietary. The project has been around for many years, connects easily to GDB and has very comprehensive support for JTAG adapters and hardware devices. UrJTAG is a newer, simpler tool with a friendlier interface.

Visual inspection can help to identify the flash memory chip. Searching the Internet for information about the hardware platform or products with similar hardware can also help, as well as the documentation of the chip (SoC, processor, etc.). If you have access to a command line terminal on the device, look in the bootloader or the operating system logs for any message regarding the model and address space of the flash memory.

Today, JTAG provides the access mechanism for a variety of different system operations. Just some of the benefits provided by JTAG are:

Reuse through the product life cycle. The simple access mechanism provided by the JTAG TAP can be used at all stages of the product lifecycle, from benchtop prototype debugging to high volume manufacturing and even in the field.

Test point reduction.

Independent observation and control. Boundary-scan tests operate independently of the system logic, meaning they can be used to diagnose systems that may not operate functionally.

JTAG has seen continuous development and new applications are frequently being discovered. Additional standards have been developed to address AC-coupled testing, reduced pin counts, and control of test instruments embedded within ICs.

JTAG testing usually begins by checking the underlying infrastructure to ensure that all devices are connected and test capabilities are operational. Test patterns are used to exercise the instruction register and boundary-scan register for comparison against expected lengths and values.

If present, device ID codes can also be read and compared against expected values to ensure that the correct component has been placed. After verifying that the scan chain is working properly, test patterns can be used to verify interconnectivity between system components.
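The ID-code check described above, as an added example that is not from the original page: it splits the bits shifted out of the data registers after a TAP reset into devices (a leading 1 starts a 32-bit IDCODE, a single 0 is a BYPASS register) and compares them with the expected chain. The field values, the all-ones fill marker and the function names are assumptions constructed for the example.

```python
# Added example (constructed data): decode the bits shifted out of the data
# registers right after TAP reset and compare them with the expected chain.
END_FILL = 0xFFFFFFFF  # assumption: the tester shifts 1s into TDI as fill


def make_idcode(version, part, manufacturer):
    """Pack an IEEE 1149.1 IDCODE word; bit 0 is always 1."""
    return (version << 28) | (part << 12) | (manufacturer << 1) | 1


def to_bits(word, width=32):
    """LSB-first bit list, the order in which a register appears on TDO."""
    return [(word >> n) & 1 for n in range(width)]


def split_chain(tdo_bits):
    """Return one entry per device: an IDCODE word, or None for BYPASS."""
    devices, i = [], 0
    while i < len(tdo_bits):
        if tdo_bits[i] == 0:          # BYPASS register: a single 0 bit
            devices.append(None)
            i += 1
            continue
        if len(tdo_bits) - i < 32:
            raise ValueError("truncated IDCODE at bit %d" % i)
        word = sum(b << n for n, b in enumerate(tdo_bits[i:i + 32]))
        if word == END_FILL:          # fill pattern: chain is exhausted
            break
        devices.append(word)
        i += 32
    return devices


def check_chain(tdo_bits, expected):
    """expected: list of (part, manufacturer) or None, nearest TDO first."""
    found = split_chain(tdo_bits)
    if len(found) != len(expected):
        return ["chain length %d, expected %d" % (len(found), len(expected))]
    problems = []
    for pos, (word, want) in enumerate(zip(found, expected)):
        got = None if word is None else ((word >> 12) & 0xFFFF, (word >> 1) & 0x7FF)
        if got != want:
            problems.append("device %d: got %s, expected %s" % (pos, got, want))
    return problems


# Constructed capture: IDCODE device, BYPASS-only device, IDCODE device, fill.
CAPTURE = (to_bits(make_idcode(1, 0x1A2B, 0x155)) + [0]
           + to_bits(make_idcode(0, 0x0C0D, 0x021)) + to_bits(END_FILL))
EXPECTED = [(0x1A2B, 0x155), None, (0x0C0D, 0x021)]
```

The version field is deliberately left out of the comparison here so that a silicon revision does not fail the placement check.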

Nets that involve three or more boundary-scan pins represent a special case, called a bus wire, where additional patterns can be used to isolate faults to a specific pin, as shown in Figure 2. During a buswire test, boundary-scan driver pins are tested one at a time to ensure that all possible opens are tested.

Figure 2. A buswire test can be used to diagnose open faults at the pin level.

Additionally, tests for AC-coupled signals can be integrated with interconnect and buswire tests in systems with IEEE

Special tests can also be used to check pull-up and pull-down resistors, ensuring that resistors are present in the assembled system in addition to testing the nets for open and short faults.

To accomplish this, resistors are tested by first driving the signal to a state opposite the pulled value. The net is then tri-stated, allowing the resistor to pull the signal back to the original state. Finally, the signal is sampled and the value is compared to the expected pulled value.

The first way, connection testing (see next section), gives good test coverage, particularly for short circuit faults. Where two JTAG-enabled pins are meant to be connected, the test will make sure one pin can be controlled by the other. Where enabled pins are not meant to be connected, they are tested for short circuit faults by driving one pin and checking that these values are not read on the other pins.
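The connection test described above, simulated on a constructed netlist (an added example, not XJTAG's vector generator): each net is driven high in turn while every receiver pin is sampled. The net and pin names and the fault model (shorted nets act as wired-OR, a pin behind an open reads 0) are assumptions of the example.

```python
# Added example on a constructed netlist; not XJTAG's vector generator.
# Each net has one boundary-scan driver and the listed receiver pins.
NETS = {
    "SPI_CLK": ["U2.3"],
    "SPI_MOSI": ["U2.4"],
    "IRQ_N": ["U2.7", "U3.1"],
    "RESET_N": ["U3.2"],
}


def make_board(nets, shorts=(), open_pins=()):
    """Fault model (assumption): shorted nets act as wired-OR and a receiver
    pin behind an open circuit reads 0. Returns board(drive) -> samples."""
    def board(drive):
        level = dict(drive)
        for group in shorts:
            merged = max(drive[n] for n in group)
            for n in group:
                level[n] = merged
        return {pin: 0 if pin in open_pins else level[net]
                for net, pins in nets.items() for pin in pins}
    return board


def connection_test(nets, board):
    """Drive one net high at a time, all others low, and sample every
    receiver: the driven net's pins must follow it, all other pins must not."""
    faults = set()
    for active in nets:
        sampled = board({n: int(n == active) for n in nets})
        for net, pins in nets.items():
            for pin in pins:
                if net == active and sampled[pin] != 1:
                    faults.add(("open", pin))
                elif net != active and sampled[pin] == 1:
                    faults.add(("short", tuple(sorted((active, net)))))
    return sorted(faults)


GOOD = connection_test(NETS, make_board(NETS))
BAD = connection_test(NETS, make_board(
    NETS, shorts=[("SPI_CLK", "SPI_MOSI")], open_pins={"U3.1"}))
```

Under a wired-AND short this single pattern would report the fault as an open on the driven net; running the complementary walking-zero pattern as well tells the two apart.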

XJTAG will automatically generate the vectors required to run a connection test based on the netlist of a board and JTAG information for the enabled devices. In order to add this open circuit coverage it is necessary to communicate with the peripheral device from boundary scan on the enabled device. If communication can be verified, there cannot be an open circuit fault.

This type of testing can be very simple, for example lighting an LED and asking an operator to verify it has activated, or more complex, for example writing data into the memory array of a RAM and reading it back. The library files contain models for all types of non-JTAG devices, from simple resistors and buffers to complex memory devices such as DDR3. Because boundary scan disconnects the control of the pins on JTAG devices from their functionality, the same model can be used irrespective of the JTAG device controlling a peripheral.

Most boards already contain JTAG headers for programming or debug so there are no extra design requirements. In order to run any boundary scan based testing it is necessary to have some information about the implementation of JTAG on the enabled devices on a board. Not at all. One of the key benefits to boundary scan testing is that the only test hardware required is a JTAG controller.


