JTAGulator Finds Debug Interfaces

jtagulator

[Joe Grand] has come up with a tool which we think will be useful to anyone trying to hack a physical device: The JTAGulator. We touched on the JTAGulator briefly during our DEF CON coverage, but it really deserves a more in-depth feature. The JTAGulator is a way to discover On Chip Debug (OCD) interfaces on unfamiliar hardware.

Open any cell phone, router, or just about any moderately complex device today, and you’ll find test points. Quite often at least a few of these test points are the common JTAG / IEEE 1149.1 interface.

JTAG interfaces have 5 basic pins: TDI (Test Data In), TDO (Test Data Out), TCK (Test Clock), and TMS (Test Mode Select), /TRST (Test Reset) (optional).

If you’re looking at a PCB with many test points, which ones are the JTAG pins? Also which test points are which signals? Sometimes the PCB manufacturer will give clues on the silk screen. Other times you’re on your own. [Joe] designed the JTAGulator to help find these pins.

The idea is simple: Connect the JTAGulator to the test points on the PCB under test, issue a few commands via a serial terminal, and let the JTAGulator do the rest. It performs a brute force approach on every permutation of pins, issuing basic JTAG commands – either IDCODE or BYPASS, and looking for a response. If any valid responses are received, the JTAGulator displays the found interface’s pinout.

[Joe] used a Parallax Propeller as the core of his design. He added input protection, selectable voltage (1.2V to  3.3V) and bus pirate compatible headers. The JTAGulator can also identify and test serial UART pinouts to determine if any serial ports exist. If JTAG and serial aren’t enough, the JTAGulator is completely open source, released under the CC BY 3.0 US license. You can add any interface you want.  Though [Joe] has plans to add more of the common interfaces in the future.

24 thoughts on “JTAGulator Finds Debug Interfaces

    1. I just used my day job as an excuse to submit quotes for a full panel. Will keep you all posted (in the event you care) but I won’t be able to share specific numbers, sadly.

  1. I wish I could easily get something like this. Currently of limited funds but would be willing to pay $20-$30. I have no means of building one myself (right now, no time, money, tools. etc). I have two jtag ports I need to access, one for a broken (?) printer control board and one for an old IR network interface. The later I want to re-purpose as a network-able IR beamer but need to reverse engineer it first.

    1. Expensive? No. Not at all. Given a BOM cost of $60 + $20 PCB (well, $20 – markup) I’m impressed it’s that cheap.

      If they’re using a US based fabrication house (and it would follow, a US based assembly house) then $160 assembled or $20 for a PCB are surprisingly cheap.

      Even if one were to scale up (while maintaining good QC and using non-gray market parts) and move the fab. and assy. to China, India or Vietnam it would be difficult to meet the $160 price point and make a profit.

      One thing I have learned well over the past couple of years is that electronics manufacturing in North America can be cost competitive with Asia when holding the Asian factories to the same standards as one would expect from domestic production. However, if you’re willing to cut corners and can accept a fairly high number of failures of deployed units, then Asian manufacturing is hard to beat.

      All of this, of course, depends upon the process involved; PCBs that require machine assembly, impedance control, micro-BGA, etc. will, for the most part, be more cost effective to fab. and assemble in North America and sometimes even domestically. An Asian vendor may give you a better quote but by the time you factor in trips across the Pacific to check up on their process, production delays, QC problems, wastage, re-use of parts from said wastage leading to more QC issues, vendors trying to use knock-off parts, etc. it nearly always pays off to keep the manufacturing where you can keep an eye on it; Mexico City or even SoCal, South Bay, etc.

      The two exceptions (in my experience) would be 1) if you have clout and really good relationships with vendors in Asia and 2) if you’re boards can be stuffed by hand.

      All of this is from my own experience so feel free to disagree. In fact, if you know of some great vendors and want to pass along an introduction, please do!

      1. Except that here there is not impedance control, there is not micro-BGA, there is nothing that _requires_ machine assembly… $20/board for a couple hundred two-layer boards is pretty up-there, they’re not that huge nor complex. And it’s not that complicated of a board, really, that it deserves a $80 retail markup.

        Hell… I could probably redo the board so it doesn’t waste so much costly board area for the logo and stuff, and do the population by hand, and sell these for $100, which includes some profit for assembly. The author himself says the BOM cost is only $50 (plus PCB). Who wants one? :D

  2. This board can be cost reduced down to below $20 if one is willing to
    cut a few corners. The majority of the parts are dealing with level
    translating, protections and USB.

    Most of that could be absorbed into a single microcontroller if you find
    one that have 5V tolerant and runs on separate VIO supplies. This would
    cuts down on PCB aize/complexity and BOM.

    This board identifies JTAG pins, but doesn’t go beyond that. i.e.
    programming, debugging etc. So you would want to add some OpenOCD driver
    support for it to be worth while.

Leave a Reply to tekkieneetCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.