Do you even snarf?
If not, it might be because you haven’t mastered the basics of JTAG and learned how to dump, or snarf, the firmware of an embedded device. This JTAG primer will get you up to snuff on snarfing, and help you build your reverse engineering skills.
Whatever your motivation for diving into reverse engineering devices with microcontrollers, JTAG skills are a must, and [Sergio Prado]’s guide will get you going. He starts with a description and brief history of the Joint Test Action Group interface, from its humble beginnings as a PCB testing standard to the de facto standard for testing, debugging, and flashing firmware onto devices. He covers how to locate the JTAG pads – even when they’ve been purposely obfuscated – including the use of brute-force tools like the JTAGulator. Once you’ve got a connection, his tutorial helps you find the firmware in flash memory and snarf it up to a file for inspection, modification, or whatever else you have planned.
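The pin-hunting step above is worth seeing in code. What the JTAGulator and JTAGenum do for IDCODE discovery is simple: treat every unlabeled pad as a candidate, assign three of them the roles TCK, TMS and TDO, walk the TAP state machine into Shift-DR with a bit-banged TMS sequence, and see whether 32 plausible IDCODE bits come out; repeat for every ordered triple. The following is an added example written for this page, not code from the linked guide or from either tool. It simulates one standard IEEE 1149.1 TAP behind a hypothetical five-pad header and runs the scan against it; the pad numbering, the IDCODE opcode and the IDCODE value itself are constructed, and the "unconnected pins read high" behaviour is a modelling assumption (a pull-up), not something a real board guarantees.

```python
"""Simulated JTAG pinout brute-force (the JTAGulator / JTAGenum IDCODE scan).

Added example, not code from the linked guide or either tool. One device with a
standard TAP sits behind a hypothetical 5-pad header; the scan tries every
(TCK, TMS, TDO) assignment. Pad numbers, opcode and IDCODE are constructed.
"""
import itertools

# IEEE 1149.1 TAP state machine: state -> (next if TMS=0, next if TMS=1)
TAP = {
    "TLR": ("RTI", "TLR"),     "RTI": ("RTI", "SELDR"),
    "SELDR": ("CAPDR", "SELIR"), "CAPDR": ("SHDR", "EX1DR"),
    "SHDR": ("SHDR", "EX1DR"), "EX1DR": ("PAUDR", "UPDR"),
    "PAUDR": ("PAUDR", "EX2DR"), "EX2DR": ("SHDR", "UPDR"),
    "UPDR": ("RTI", "SELDR"),  "SELIR": ("CAPIR", "TLR"),
    "CAPIR": ("SHIR", "EX1IR"), "SHIR": ("SHIR", "EX1IR"),
    "EX1IR": ("PAUIR", "UPIR"), "PAUIR": ("PAUIR", "EX2IR"),
    "EX2IR": ("SHIR", "UPIR"), "UPIR": ("RTI", "SELIR"),
}
IR_LEN = 4
IDCODE_INSTR = 0b1110   # constructed opcode; real parts document their own


class SimulatedTap:
    """A single device with IDCODE and BYPASS, wired to header pads by `pins`."""

    def __init__(self, idcode, pins):
        self.idcode, self.pins = idcode, pins   # pins: {"TCK": n, "TMS": n, "TDI": n, "TDO": n}
        self.state, self.ir, self.ir_shift = "RTI", IDCODE_INSTR, 0
        self.dr, self.dr_len = 0, 32

    def clock(self, tms, tdi):
        """One rising TCK edge: shift in the old state, then move on TMS."""
        old = self.state
        if old == "SHDR":
            self.dr = (self.dr >> 1) | (tdi << (self.dr_len - 1))
        elif old == "SHIR":
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (IR_LEN - 1))
        self.state = TAP[old][tms]
        if self.state == "TLR":
            self.ir = IDCODE_INSTR           # reset selects IDCODE (or BYPASS)
        elif self.state == "CAPIR":
            self.ir_shift = 0b0001           # fixed capture pattern from the standard
        elif self.state == "UPIR":
            self.ir = self.ir_shift
        elif self.state == "CAPDR":
            if self.ir == IDCODE_INSTR:
                self.dr, self.dr_len = self.idcode, 32
            else:                            # BYPASS and unknown opcodes: 1-bit zero
                self.dr, self.dr_len = 0, 1

    def tdo(self):
        """TDO is driven only in the shift states; elsewhere it floats (reads 1)."""
        if self.state == "SHDR":
            return self.dr & 1
        if self.state == "SHIR":
            return self.ir_shift & 1
        return 1


class Header:
    """The target's pads as the probe sees them: GPIO levels plus one TAP."""

    def __init__(self, n_pins, device):
        self.levels, self.dev = [0] * n_pins, device

    def write(self, pin, level):
        old, self.levels[pin] = self.levels[pin], level
        if pin == self.dev.pins["TCK"] and old == 0 and level == 1:
            self.dev.clock(self.levels[self.dev.pins["TMS"]],
                           self.levels[self.dev.pins["TDI"]])

    def read(self, pin):
        return self.dev.tdo() if pin == self.dev.pins["TDO"] else 1  # pull-up assumed


def read_idcode(hdr, tck, tms, tdo):
    """Bit-bang TLR -> RTI -> Select-DR -> Capture-DR -> Shift-DR and clock out 32 bits."""
    def pulse(tms_level):
        hdr.write(tms, tms_level)
        hdr.write(tck, 0)
        hdr.write(tck, 1)
    for _ in range(5):            # five TMS=1 clocks reach Test-Logic-Reset from anywhere
        pulse(1)
    for t in (0, 1, 0, 0):        # RTI, Select-DR, Capture-DR, Shift-DR
        pulse(t)
    value = 0
    for i in range(32):           # IDCODE leaves the device LSB first
        value |= hdr.read(tdo) << i
        pulse(0)
    hdr.write(tck, 0)
    return value


def plausible_idcode(v):
    """Sanity filter: LSB must be 1, JEDEC manufacturer field neither 0 nor all ones,
    and the word must not be the floating-line signature 0xFFFFFFFF."""
    mfr = (v >> 1) & 0x7FF
    return v & 1 == 1 and v != 0xFFFFFFFF and mfr not in (0, 0x7FF)


def scan(hdr, n_pins):
    """Try every ordered (TCK, TMS, TDO) triple; accept a combination only if two
    back-to-back reads agree and pass the filter (one lucky read is not enough)."""
    hits = []
    for tck, tms, tdo in itertools.permutations(range(n_pins), 3):
        first, second = read_idcode(hdr, tck, tms, tdo), read_idcode(hdr, tck, tms, tdo)
        if first == second and plausible_idcode(first):
            hits.append({"TCK": tck, "TMS": tms, "TDO": tdo, "IDCODE": first})
    return hits


if __name__ == "__main__":
    # Constructed target: 5 pads, IDCODE whose manufacturer field is 0x23B (ARM's code)
    target = SimulatedTap(0x4BA00477, {"TCK": 3, "TMS": 1, "TDI": 4, "TDO": 2})
    for hit in scan(Header(5, target), 5):
        print(hit)   # {'TCK': 3, 'TMS': 1, 'TDO': 2, 'IDCODE': 1268778103}
```

Two details carry over to real hardware. First, TDI is not needed to recover an IDCODE, which is why the IDCODE scan finds only three pins; JTAGenum locates TDI afterwards with a separate BYPASS loopback pass. Second, the double-read rule matters more on a real board than in the simulation: a wrong TMS guess can leave the TAP parked in Shift-DR and trickle out whatever was in the register, and a single read of that can look like a valid ID. The filter on the manufacturer field is a heuristic, so the IDCODE you accept still needs checking against the part's datasheet before you trust the pinout.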
We always appreciate guides like these that cover the basics, since not everyone is in the same place in their hardware hacking journey. This puts us in the mood to crack something open and start looking for pins, if for no other reason than to get some practice.
[Thumbnail image source: LufSec]
https://www.crowdsupply.com/1bitsquared/glasgow
https://github.com/GlasgowEmbedded/glasgow
https://twitter.com/whitequark/status/1050881769870938117
Thank you! I’ll be digesting this one
For those who don’t know JTAGulator; it is just overpriced. Check out the JTAGenum project, which is Arduino based – thus kinda free. Also check out FT2232H or FT232H (I’m not sure about differences) instead of pricey “hacker’s swiss army knife” gadgets that you’ll see around.
JTAGulator is overexpensive, use JTAGenum on an Arduino Nano (3.3 V):
https://github.com/cyphunk/JTAGenum
Are there any cheap JTAG adapters that can be ordered from AE/eBay? I’ve been doing some router RAM and flash upgrades and used my computer’s internal parallel port. It’s not very fun to open up my computer every time I need to write a new CFE.
OpenOCD support is being added to transform those cheap stlinkv2 flashers into JTAG dongles:
https://github.com/jeanthom/DirtyJTAG
There is urjtag support for the moment.
Otherwise a Blue Pill flashed with a USB-serial dongle will do as well, here with a WRT54G:
https://raw.githubusercontent.com/jeanthom/DirtyJTAG/master/docs/img/bluepill-wrt54g-jtag.jpg
I already have the ST-LINK V2 so this seems perfect. Thanks!
https://github.com/jeanthom/DirtyJTAG :-)
I like the flexibility of the FTDI FT2232H.
I’ve bought and used a few different boards including the MiniModule by FTDI themselves, but none seem well suited for JTAG and/or software debugging. For example they don’t have the right headers, level shifters, etc.
I ended up designing my own board based on that chip. It allows JTAG/SWD and SWO/UART at the same time. Compatible with OpenOCD.
The first version (v0.1) works well but I’m making small changes and will release v1.0 soon (all open source and KiCad).
https://github.com/diegoherranz/steppenprobe
If I find an easy way of selling this board (tindie, crowdsource) it shouldn’t be too expensive. Or anyone can just order it from JLCPCB, PCBWay or similar.
Never heard it called ‘snarfing’. Makes me wonder if someone is a thundercats fan.
Snarf was current for appropriating something pre-Thundercats.
There is even a wikipedia page about it! ;-)
https://en.wikipedia.org/wiki/Snarfing
https://www.fpga4fun.com/JTAG.html
:o)
Awesome. That site is a gem, well laid out, actual info, none of the pointless crap that gets it high in google searches… oh right, that’s why I’ve never seen it LOL
Nice to see an update, I was first exposed to JTAG in the early Cygnal CPUs (now silabs.com) and found it fast and reliable. Interested to see augmentations and of course any potential bugs or secondary issues, thanks for post :-)
A bit late to the reply party, but just wanted to say THANKS! Exactly what I’ve been looking for…I keep finding bits and pieces to this ever-changing world of embedded devices. Part of my issue is there always seems to be too big of a gap between these bits and pieces to make anything, let alone, everything come together.
It’s like bringing out a bin of Legos to build a car and finding that 75% of the Lego bricks required are missing the little nubbin buttons on top..
Yeah, I get UART, SPI, I2C and (in the words of Dave Jones, EEVblog) “Serial protocol rubbish”..
But JTAG? I’ve had probably a 1% success rate when trying to communicate with a device via the JTAG pins. It’s that missing bits and pieces thing..
Anywhoo, Thanks for posting this….
Looks like the page has been removed from the site you linked to. You can still find it on Sergio’s own site here https://sergioprado.blog/2020-02-20-extracting-firmware-from-devices-using-jtag/
Thanks, link updated.