The Newbie’s Guide To JTAG

Do you even snarf?

If not, it might be because you haven’t mastered the basics of JTAG and learned how to dump, or snarf, the firmware of an embedded device. This JTAG primer will get you up to snuff on snarfing, and help you build your reverse engineering skills.

Whatever your motivation for diving into reverse engineering devices with microcontrollers, JTAG skills are a must, and [Sergio Prado]’s guide will get you going. He starts with a description and brief history of the Joint Test Action Group interface, from its humble beginnings as a PCB testing standard to the de facto standard for testing, debugging, and flashing firmware onto devices. He covers how to locate the JTAG pads – even when they’ve been purposely obfuscated – including the use of brute-force tools like the JTAGulator. Once you’ve got a connection, his tutorial helps you find the firmware in flash memory and snarf it up to a file for inspection, modification, or whatever else you have planned.

We always appreciate guides like these that cover the basics, since not everyone is in the same place in their hardware hacking journey. This puts us in the mood to crack something open and start looking for pins, if for no other reason than to get some practice.

[Thumbnail image source: LufSec]

18 thoughts on “The Newbie’s Guide To JTAG

  1. For those who don’t know JTAGulator; it is just overpriced. Checkout JTAGenum project; which is ardino based – thus kinda free. Also check out FT2232H or FT232H (I’m not sure about differences) instead of pricey “hacker’s swiss army knife” gadgets that you’ll see around.

  2. Are there any cheap JTAG adapters that can be ordered from AE/eBay? I’ve been doing some router RAM and flash upgrades and used my computer’s internal parallel port. It’s not very fun to open up my computer every time I need to write a new CFE.

    1. I like the flexibility of the FTDI FT2232H.
      I’ve bought and used a few different boards including the MiniModule by FTDI themselves, but none seem well suited for JTAG and/or software debugging. For example they don’t have the right headers, level shifters, etc.

      I ended up designing my own board based on that chip. It allows JTAG/SWD and SWO/UART at the same time. Compatible with OpenOCD.

      The first version (v0.1) works well but I’m making small changes and will release v1.0 soon (all open source and KiCad).

      If I find an easy way of selling this board (tindie, crowdsource) it shouldn’t be too expensive. Or anyone can just order it from JLCPCB, PCBWay or similar.

  3. A bit late to the reply party, but just wanted to say THANKS! Exactly what I’ve been looking for…I keep finding bits and pieces to this ever-changing world of embedded devices. Part of my issue is there always seems to be too big of a gap between these bits and pieces to make anything, let alone, everything come together.

    It’s like bringing out a bin of Legos to build a car and finding that 75% of the Lego bricks required are missing the little nubbin buttons on top..

    Yeah, I get UART, SPI, I2C and (in the words of Dave Jones- EEVBLOG) “Serial protocol rubbish”..

    But JTAG? I’ve had probably a 1% success rate when trying to communicate with a device via the JTAG pins. It’s that missing bits and pieces thing..

    Anywhoo, Thanks for posting this….

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.