Difference between revisions of "JTAGulator: Find a Smartphone's JTAG interface"
Jump to navigation
Jump to search
Jostrowski (talk | contribs) |
Jostrowski (talk | contribs) |
||
| Line 15: | Line 15: | ||
Open the smartphone and remove the mainboard: | Open the smartphone and remove the mainboard: | ||
< | |||
File:HTC open.jpg| | <div><ul> | ||
File:HTC mainboard.jpg|Mainboard removed | <li style="display: inline-block;"> [[File:HTC open.jpg|thumb|none|300px|HTC M7 without back cover]] </li> | ||
File:HTC mainboardBack.jpg|Backside of mainboard | <li style="display: inline-block;"> [[File:HTC mainboard.jpg|thumb|none|300px|Mainboard removed]] </li> | ||
</ | <li style="display: inline-block;"> [[File:HTC mainboardBack.jpg|thumb|none|300px|Backside of mainboard]] </li> | ||
</ul></div> | |||
People on the internet hinted that the JTAG interface is on the back on the mainboard. So I connected the JTAGulator to them. First I tried to use a temporary approach using needles and clay. But that did not work very well, since the needles were not in tight contact with the pcb. That is why I soldered wires to the pins. | |||
<div><ul> | |||
<li style="display: inline-block;"> [[File:HTC needleProbes.jpg|thumb|none|300px|Needle approach]] </li> | |||
<li style="display: inline-block;"> [[File:HTC probes.jpg|thumb|none|300px|Better solution: soldering]] </li> | |||
</ul></div> | |||
After I connected the pins to the JTAGulator and the mainboard to power, I scanned via the '''IDcode Scan'''. | |||
JTAG> i | |||
Enter starting channel [0]: | |||
Enter ending channel [7]: | |||
Possible permutations: 336 | |||
Bring channels LOW between each permutation? [Y/n]: | |||
Enter length of time for channels to remain LOW (in ms, 1 - 1000) [100]: 10 | |||
Enter length of time after channels return HIGH before proceeding (in ms, 1 - 1 | |||
Press spacebar to begin (any other key to abort)... | |||
JTAGulating! Press any key to abort... | |||
---------------------------------------------- | |||
TDI: N/A | |||
TDO: 1 | |||
TCK: 4 | |||
TMS: 6 | |||
Device ID #7: 1111 1111111011111111 11111111111 1 (0xFFEFFFFF) | |||
Device ID #10: 1111 1111111111111111 01111111111 1 (0xFFFFF7FF) | |||
-- | |||
TDI: N/A | |||
TDO: 2 | |||
TCK: 0 | |||
TMS: 6 | |||
TRST#: 4 | |||
-- | |||
TDI: N/A | |||
TDO: 2 | |||
TCK: 1 | |||
TMS: 0 | |||
Device ID #5: 1011 1111111111111111 11111111111 1 (0xBFFFFFFF) | |||
Device ID #6: 1010 1010101011111111 11111111111 1 (0xAAAFFFFF) | |||
Device ID #7: 0101 0101010101010101 01010101010 1 (0x55555555) | |||
Device ID #9: 0101 0101010101010101 01010101010 1 (0x55555555) | |||
Device ID #11: 0101 0101010101010101 01010101010 1 (0x55555555) | |||
Device ID #13: 0101 0101010101010101 01010101010 1 (0x55555555) | |||
Device ID #15: 0101 0101010101010101 01010101010 1 (0x55555555) | |||
TRST#: 4 | |||
TRST#: 6 | |||
-- | |||
TDI: N/A | |||
TDO: 2 | |||
TCK: 1 | |||
TMS: 4 | |||
Device ID #16: 1111 1111111111111111 11101111111 1 (0xFFFFFEFF) | |||
TRST#: 3 | |||
TRST#: 5 | |||
--- | |||
TDI: N/A | |||
TDO: 3 | |||
TCK: 4 | |||
TMS: 1 | |||
Device ID #1: 0000 1101011110000000 00100011011 1 (0x0D780237) | |||
TRST#: 2 | |||
TRST#: 5 | |||
TRST#: 6 | |||
TRST#: 7 | |||
. | |||
. | |||
. | |||
The JTAGulator list all potential JTAG pinouts. Via the device ID you can easily spot real JTAG interfaces. Device IDs are usually very distinct and "random", not like (0xFFEFFFFF), (0xBFFFFFFF) or (0x55555555). The last entry looks very promising (0x0D780237). | |||
Then I started a '''BYPASS scan''' on that specific pin configuration to find out the TDI line. | |||
JTAG> b | |||
Enter starting channel [0]: 0 | |||
Enter ending channel [7]: 7 | |||
Are any pins already known? [Y/n]: | |||
Enter X for any unknown pin. | |||
Enter TDI pin [0]: x | |||
Enter TDO pin [6]: 3 | |||
Enter TCK pin [5]: 4 | |||
Enter TMS pin [3]: 1 | |||
Possible permutations: 5 | |||
Bring channels LOW between each permutation? [Y/n]: | |||
Enter length of time for channels to remain LOW (in ms, 1 - 1000) [10]: | |||
Enter length of time after channels return HIGH before proceeding (in ms, 1 - 1 | |||
Press spacebar to begin (any other key to abort)... | |||
JTAGulating! Press any key to abort... | |||
- | |||
TDI: 2 | |||
TDO: 3 | |||
TCK: 4 | |||
TMS: 1 | |||
TRST#: 5 | |||
TRST#: 6 | |||
Number of devices detected: 2 | |||
---- | |||
BYPASS scan complete. | |||
Let's test the JTAG interface using the JTAG echo command. The JTAGulator will send a random string on the TDI line and will receive the same string on the TDO line if it is a valid JTAG device. | |||
JTAG> t | |||
Enter TDI pin [2]: | |||
Enter TDO pin [3]: | |||
Enter TCK pin [4]: | |||
Enter TMS pin [1]: | |||
Number of devices detected: 2 | |||
Pattern in to TDI: 10000110100110111110011010011000 | |||
Pattern out from TDO: 10000110100110111110011010011000 | |||
Match! | |||
We found the JTAG pinout! :) | |||
== Used Hardware == | == Used Hardware == | ||
Revision as of 13:37, 16 November 2019
Summary
This will show how to find a JTAG interface on a Smartphone (HTC M7).
Requirements
- JTAGulator
- Smartphone (HTC M7)
For an overview of the JTAGulator: JTAGulator: Introduction
Finding the JTAG interface
Browsing the web is the best place to start. Some people already tried this and will leave some hints where the JTAG interface can be found.
Open the smartphone and remove the mainboard:
People on the internet hinted that the JTAG interface is on the back on the mainboard. So I connected the JTAGulator to them. First I tried to use a temporary approach using needles and clay. But that did not work very well, since the needles were not in tight contact with the pcb. That is why I soldered wires to the pins.
After I connected the pins to the JTAGulator and the mainboard to power, I scanned via the IDcode Scan.
JTAG> i
Enter starting channel [0]:
Enter ending channel [7]:
Possible permutations: 336
Bring channels LOW between each permutation? [Y/n]:
Enter length of time for channels to remain LOW (in ms, 1 - 1000) [100]: 10
Enter length of time after channels return HIGH before proceeding (in ms, 1 - 1
Press spacebar to begin (any other key to abort)...
JTAGulating! Press any key to abort...
----------------------------------------------
TDI: N/A
TDO: 1
TCK: 4
TMS: 6
Device ID #7: 1111 1111111011111111 11111111111 1 (0xFFEFFFFF)
Device ID #10: 1111 1111111111111111 01111111111 1 (0xFFFFF7FF)
--
TDI: N/A
TDO: 2
TCK: 0
TMS: 6
TRST#: 4
--
TDI: N/A
TDO: 2
TCK: 1
TMS: 0
Device ID #5: 1011 1111111111111111 11111111111 1 (0xBFFFFFFF)
Device ID #6: 1010 1010101011111111 11111111111 1 (0xAAAFFFFF)
Device ID #7: 0101 0101010101010101 01010101010 1 (0x55555555)
Device ID #9: 0101 0101010101010101 01010101010 1 (0x55555555)
Device ID #11: 0101 0101010101010101 01010101010 1 (0x55555555)
Device ID #13: 0101 0101010101010101 01010101010 1 (0x55555555)
Device ID #15: 0101 0101010101010101 01010101010 1 (0x55555555)
TRST#: 4
TRST#: 6
--
TDI: N/A
TDO: 2
TCK: 1
TMS: 4
Device ID #16: 1111 1111111111111111 11101111111 1 (0xFFFFFEFF)
TRST#: 3
TRST#: 5
---
TDI: N/A
TDO: 3
TCK: 4
TMS: 1
Device ID #1: 0000 1101011110000000 00100011011 1 (0x0D780237)
TRST#: 2
TRST#: 5
TRST#: 6
TRST#: 7
.
.
.
The JTAGulator list all potential JTAG pinouts. Via the device ID you can easily spot real JTAG interfaces. Device IDs are usually very distinct and "random", not like (0xFFEFFFFF), (0xBFFFFFFF) or (0x55555555). The last entry looks very promising (0x0D780237).
Then I started a BYPASS scan on that specific pin configuration to find out the TDI line.
JTAG> b
Enter starting channel [0]: 0
Enter ending channel [7]: 7
Are any pins already known? [Y/n]:
Enter X for any unknown pin.
Enter TDI pin [0]: x
Enter TDO pin [6]: 3
Enter TCK pin [5]: 4
Enter TMS pin [3]: 1
Possible permutations: 5
Bring channels LOW between each permutation? [Y/n]:
Enter length of time for channels to remain LOW (in ms, 1 - 1000) [10]:
Enter length of time after channels return HIGH before proceeding (in ms, 1 - 1
Press spacebar to begin (any other key to abort)...
JTAGulating! Press any key to abort...
-
TDI: 2
TDO: 3
TCK: 4
TMS: 1
TRST#: 5
TRST#: 6
Number of devices detected: 2
----
BYPASS scan complete.
Let's test the JTAG interface using the JTAG echo command. The JTAGulator will send a random string on the TDI line and will receive the same string on the TDO line if it is a valid JTAG device.
JTAG> t Enter TDI pin [2]: Enter TDO pin [3]: Enter TCK pin [4]: Enter TMS pin [1]: Number of devices detected: 2 Pattern in to TDI: 10000110100110111110011010011000 Pattern out from TDO: 10000110100110111110011010011000 Match!
We found the JTAG pinout! :)