JTAGulator: Find a Smartphone's JTAG interface

From Embedded Lab Vienna for IoT & Security

Summary

This page shows how to find the JTAG interface on a smartphone (HTC One M7 801n).

Requirements

  • JTAGulator
  • Smartphone (HTC M7)

For an overview of the JTAGulator: JTAGulator: Introduction

Finding the JTAG interface

Searching the web for the JTAG pinout is the best place to start: others may already have tried this and left hints about where the JTAG interface can be found.

Open the smartphone and remove the mainboard:

  • HTC M7 without back cover
  • Mainboard removed
  • Backside of mainboard

People on the internet hinted that the JTAG interface is on the back of the mainboard, so I connected the JTAGulator to those pins. First I tried a temporary approach using needles and clay, but that did not work very well, since the needles were not in tight contact with the PCB. (Later I found out that the copper wire I used was insulated... so that explains why it did not work that well.) That is why I soldered wires to the pins.

  • Needle approach
  • Better solution: soldering

After I connected the pins to the JTAGulator and powered the mainboard, I ran the IDCODE scan.

JTAG> i
Enter starting channel [0]:
Enter ending channel [7]:
Possible permutations: 336

Bring channels LOW between each permutation? [Y/n]:
Enter length of time for channels to remain LOW (in ms, 1 - 1000) [100]: 10
Enter length of time after channels return HIGH before proceeding (in ms, 1 - 1
Press spacebar to begin (any other key to abort)...
JTAGulating! Press any key to abort...
----------------------------------------------
TDI: N/A
TDO: 1
TCK: 4
TMS: 6
Device ID #7: 1111 1111111011111111 11111111111 1 (0xFFEFFFFF)
Device ID #10: 1111 1111111111111111 01111111111 1 (0xFFFFF7FF)

--
TDI: N/A
TDO: 2
TCK: 0
TMS: 6
TRST#: 4

--
TDI: N/A
TDO: 2
TCK: 1
TMS: 0
Device ID #5: 1011 1111111111111111 11111111111 1 (0xBFFFFFFF)
Device ID #6: 1010 1010101011111111 11111111111 1 (0xAAAFFFFF)
Device ID #7: 0101 0101010101010101 01010101010 1 (0x55555555)
Device ID #9: 0101 0101010101010101 01010101010 1 (0x55555555)
Device ID #11: 0101 0101010101010101 01010101010 1 (0x55555555)
Device ID #13: 0101 0101010101010101 01010101010 1 (0x55555555)
Device ID #15: 0101 0101010101010101 01010101010 1 (0x55555555)
TRST#: 4
TRST#: 6

--
TDI: N/A
TDO: 2
TCK: 1
TMS: 4
Device ID #16: 1111 1111111111111111 11101111111 1 (0xFFFFFEFF)
TRST#: 3
TRST#: 5
---

TDI: N/A
TDO: 3
TCK: 4
TMS: 1
Device ID #1: 0000 1101011110000000 00100011011 1 (0x0D780237)
TRST#: 2
TRST#: 5
TRST#: 6
TRST#: 7
.
.
.

The JTAGulator lists all potential JTAG pinouts. The device ID makes it easy to spot real JTAG interfaces: genuine device IDs are distinct and look "random", unlike values such as 0xFFEFFFFF, 0xBFFFFFFF or 0x55555555 (all ones with a single bit cleared, or alternating bits). The last entry (0x0D780237) looks very promising.
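To make that judgement repeatable, the following added example (not part of the original page or of the JTAGulator firmware) splits a 32-bit IDCODE into its IEEE 1149.1 fields and flags the artifact values from the scan above; the thresholds in the plausibility rules are my own assumptions, not part of the standard.

```python
from typing import NamedTuple

class IdCode(NamedTuple):
    version: int       # bits 31:28
    part_number: int   # bits 27:12
    manufacturer: int  # bits 11:1, JEP106 identity (continuation count + 7-bit code)
    jep106_bank: int   # JEP106 bank = number of 0x7F continuation codes + 1
    jep106_code: int   # 7-bit manufacturer code without the parity bit
    plausible: bool
    reason: str

# Values that a floating, pulled-up or cross-coupled TDO line produces on its own.
ARTIFACT_PATTERNS = {0x00000000, 0xFFFFFFFF, 0x55555555, 0xAAAAAAAA}

def decode_idcode(value: int) -> IdCode:
    """Split a 32-bit IDCODE into its IEEE 1149.1 fields and judge whether it can be real."""
    version = (value >> 28) & 0xF
    part_number = (value >> 12) & 0xFFFF
    manufacturer = (value >> 1) & 0x7FF
    bank = (manufacturer >> 7) + 1
    code = manufacturer & 0x7F
    ones = bin(value).count("1")
    if value & 1 == 0:
        # IEEE 1149.1 fixes bit 0 to 1 so a BYPASS register (captures 0) is distinguishable
        verdict = (False, "bit 0 must be 1 for an IDCODE")
    elif value in ARTIFACT_PATTERNS or ones >= 30 or ones <= 2:
        # assumed threshold: (almost) all ones/zeros is a stuck line, not a register
        verdict = (False, "bus-level artifact: nearly all ones/zeros or alternating bits")
    elif code in (0x00, 0x7F):
        verdict = (False, "JEP106 code 0x00 is unassigned and 0x7F is the continuation code")
    else:
        verdict = (True, "fields look like a real device register")
    return IdCode(version, part_number, manufacturer, bank, code, *verdict)

def triage(scan_ids):
    """Return only the IDs from an IDCODE scan worth following up with a BYPASS scan."""
    return [hex(v) for v in scan_ids if decode_idcode(v).plausible]

if __name__ == "__main__":
    # IDCODEs reported by the scan above (copied from the page)
    for v in (0xFFEFFFFF, 0xBFFFFFFF, 0xAAAFFFFF, 0x55555555, 0x0D780237):
        d = decode_idcode(v)
        print(f"{v:#010x} plausible={d.plausible} ({d.reason})")
```

The manufacturer field of 0x0D780237 decodes to JEP106 bank 3, code 0x1B; which vendor that maps to is not established here, only that the value has the shape of a real register.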

Then I started a BYPASS scan on that specific pin configuration to find out the TDI line.

JTAG> b
Enter starting channel [0]: 0
Enter ending channel [7]: 7
Are any pins already known? [Y/n]:
Enter X for any unknown pin.
Enter TDI pin [0]: x
Enter TDO pin [6]: 3
Enter TCK pin [5]: 4
Enter TMS pin [3]: 1
Possible permutations: 5

Bring channels LOW between each permutation? [Y/n]:
Enter length of time for channels to remain LOW (in ms, 1 - 1000) [10]:
Enter length of time after channels return HIGH before proceeding (in ms, 1 - 1
Press spacebar to begin (any other key to abort)...
JTAGulating! Press any key to abort...
-
TDI: 2
TDO: 3
TCK: 4
TMS: 1
TRST#: 5
TRST#: 6
Number of devices detected: 2
----
BYPASS scan complete.

Let's test the JTAG interface with the JTAG echo command. The JTAGulator sends a random bit pattern on the TDI line and expects the same pattern back on the TDO line if these pins form a valid JTAG chain.

JTAG> t
Enter TDI pin [2]:
Enter TDO pin [3]:
Enter TCK pin [4]:
Enter TMS pin [1]:
Number of devices detected: 2
Pattern in to TDI:    10000110100110111110011010011000
Pattern out from TDO: 10000110100110111110011010011000
Match!

We found the JTAG pinout! :)

(Image: HTC JTAG pinout)

This closely matches the pinout image found on the internet, which labels the pads as follows:

  • RTCK
  • TMS
  • TDI
  • TDO
  • TCK
  • TRST
  • RST

Used Hardware

JTAGulator