
26th Chaos Communication Congress
Here be dragons

Speakers
Felix Domke
Schedule
Day: Day 4 - 2009-12-30
Room: Saal1
Start time: 14:00
Duration: 01:00
Info
ID: 3670
Event type: Lecture
Track: Hacking
Language used for presentation: English

Blackbox JTAG Reverse Engineering

Discovering what the hardware architects try to hide from you

JTAG is an industry standard for accessing test-mode functionality in almost any complex microchip. While the basics of JTAG are standardized, the exact implementation details are usually undocumented. Nevertheless, JTAG often allows very deep interaction with the chip, and because it needs only a handful of pins it is usually easy to reach, which makes it a very interesting interface. This talk covers reverse engineering of JTAG interfaces when no or only limited documentation is available.

JTAG is an industry standard for accessing test-mode functionality, and is available on almost any complex microchip. It is often used for functional testing during wafer sort, board production, product development and service. While the basics of JTAG are standardized, the exact implementation details are usually not available in public datasheets. Very often, even after signing a vendor NDA, only limited parts of JTAG will be documented (such as boundary scan and the CPU debug interface). JTAG, however, often allows a much deeper interaction with the chip, and security is frequently (and falsely) established through obscurity by leaving test modes undocumented. JTAG isn't only available on CPUs, but also on a lot of other peripherals, which turns them into an interesting target if they provide bus-master access to a system bus.

In the talk, I will cover:

  • JTAG basics (electrical basics, the JTAG state diagram, boundary scan)
  • Finding JTAG pins out of a bunch of unmarked testpoints
  • Mapping the JTAG instruction space
  • Finding useful test modes and using them for profit