Hardware Debugging for Reverse Engineers Part 2: JTAG, SSDs and Firmware Extraction
Wrongbaud's Blog: Hardware / Software Reverse Engineering
Posted Apr 2, 2020 (2020-04-02T08:06:31+08:00) by wrongbaud. Updated Jun 16, 2022 (2022-06-17T07:35:47+08:00).
Background

To follow up on my last post about SWD and hardware debugging, I wanted to do a deep dive into JTAG from a reverse-engineering perspective. The previous post received a lot of great feedback and it seems that people are interested in this topic, so I wanted to continue the series and expand upon another hardware debugging mechanism. For those who are unfamiliar, JTAG is a hardware-level debugging mechanism that many embedded CPUs utilize. With this post I hope to explain how to approach JTAG from a reverse engineer's perspective and provide some practical examples along the way.

Goals

With this post, I hope to do the following:

- Explain how JTAG works
- Demonstrate how to discover and utilize a JTAG port/interface on an unknown target
- Provide an overview of some of the current OSS tools that can be used to interact with a JTAG interface
- Utilize JTAG to extract firmware and debug a target

Also, before I give an overview, I wanted to point out a few great resources for learning about JTAG:

- Cyphunk's Embedded Analysis Page
- FPGA4Fun JTAG Overview
- Blackbox JTAG Reverse Engineering

Blog Updates (as of 2022):

- Future blog posts and entries can be found here.
- If you are interested in learning more about reverse engineering, check out my 5 day hardware hacking course; public and private offerings are available upon request.
- Never want to miss an update or blog post? Check out my mailing list for a quarterly newsletter about reverse engineering embedded devices.

JTAG Overview

JTAG is a hardware interface that was developed to assist developers and testers with low-level debugging. JTAG was originally developed for testing integrated circuits and, more specifically, for sampling IO pins on a target under test. This type of debugging interface allows engineers to test connections on PCBs without needing to probe the physical pin itself. The JTAG interface is controlled via the state machine outlined below:
One of the important things to remember about JTAG at this level is that it involves two registers: the instruction register and the data register. To utilize these registers, the proper states in the above state machine must be entered using the following interface signals:

| Line | Usage |
|------|-------|
| TMS | Used to navigate and control the JTAG state machine |
| TDI | Input pin, used to write data to the target |
| TDO | Output pin, used to read data back out from the target |
| TCK | Clock; determines when data is sampled for all inputs and outputs |
| TRST (optional) | Can be used to reset the state machine to the starting state |

The state machine is navigated using the TMS and TCK lines, while data is written to or read from the target via TDI and TDO respectively. TMS is sampled on the rising edge of TCK, meaning that the TMS line must be asserted before TCK is toggled to navigate through the state machine. Data is then shifted into the instruction register (IR) or data register (DR) depending on the state of the JTAG state machine. When an operation is completed (or after the Update-DR/IR phase) the resulting data can be shifted out of DR by entering the Shift-DR state. With these primitives in place, manufacturers can implement whatever features they wish over JTAG.

The JTAG standard treats IR and DR as shift registers, and because of this, multiple targets can be daisy-chained together.
In a nutshell, JTAG defines a state machine that is navigated with a minimum of 4 signals. With this state machine in place, end users can write to and read from two shift registers, IR and DR.

JTAG Registers

JTAG utilizes two main registers: the instruction register and the data register. The instruction register is used to determine what function the JTAG controller is about to carry out, such as a memory read or a memory write. The data register is then used as an additional input to the instruction register; for the previous example, it may be used to provide an address to read from or write to. These registers can vary in size based on their function.

To write to a register one would perform the following steps; we'll use the IR as an example:

1. Enter the Test Logic Reset (TLR) state (this can be done by asserting the TMS line and cycling TCK 5 times)
2. Enter the Select IR Scan state
3. Enter the Capture IR state
4. Enter Shift IR – this is where we load the data into IR from TDI
5. Enter the Exit IR state
6. Enter the Update IR state – this stage "latches" the value into IR.

Following this, if there were no data registers required, the operation would be performed, and the result (if any) would be loaded into the data register to be...
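To make the TMS/TCK navigation and the IR write sequence above concrete, here is an added example (my own code, not from the original post or any JTAG tool) that models the 16-state TAP controller in Python and drives it one TCK cycle at a time. Every name in it is made up for the demo, and the 4-bit IR width and the value the model loads during Capture-IR (0b0001) are assumptions; a real chip captures its own IR value, and only the two low bits are fixed to 01 by the standard. The `write_ir` method walks exactly the six steps listed above (starting with five TMS-high clocks to reach Test Logic Reset) and returns whatever was shifted out on TDO while the new instruction went in on TDI.

```python
"""Software model of the JTAG TAP (Test Access Port) controller.

Added example (not code from the original post): a 16-state IEEE 1149.1 TAP
state machine driven one TCK cycle at a time, plus the IR write sequence the
post describes (Test Logic Reset -> Select IR Scan -> Capture IR -> Shift IR
-> Exit1 IR -> Update IR). The 4-bit IR width and the value the model loads
in Capture-IR (0b0001) are assumptions chosen for the demo.
"""

# (current state, TMS) -> next state. TMS is sampled on the rising edge of TCK.
TAP_TRANSITIONS = {
    ("TEST_LOGIC_RESET", 0): "RUN_TEST_IDLE",  ("TEST_LOGIC_RESET", 1): "TEST_LOGIC_RESET",
    ("RUN_TEST_IDLE", 0): "RUN_TEST_IDLE",     ("RUN_TEST_IDLE", 1): "SELECT_DR_SCAN",
    ("SELECT_DR_SCAN", 0): "CAPTURE_DR",       ("SELECT_DR_SCAN", 1): "SELECT_IR_SCAN",
    ("CAPTURE_DR", 0): "SHIFT_DR",             ("CAPTURE_DR", 1): "EXIT1_DR",
    ("SHIFT_DR", 0): "SHIFT_DR",               ("SHIFT_DR", 1): "EXIT1_DR",
    ("EXIT1_DR", 0): "PAUSE_DR",               ("EXIT1_DR", 1): "UPDATE_DR",
    ("PAUSE_DR", 0): "PAUSE_DR",               ("PAUSE_DR", 1): "EXIT2_DR",
    ("EXIT2_DR", 0): "SHIFT_DR",               ("EXIT2_DR", 1): "UPDATE_DR",
    ("UPDATE_DR", 0): "RUN_TEST_IDLE",         ("UPDATE_DR", 1): "SELECT_DR_SCAN",
    ("SELECT_IR_SCAN", 0): "CAPTURE_IR",       ("SELECT_IR_SCAN", 1): "TEST_LOGIC_RESET",
    ("CAPTURE_IR", 0): "SHIFT_IR",             ("CAPTURE_IR", 1): "EXIT1_IR",
    ("SHIFT_IR", 0): "SHIFT_IR",               ("SHIFT_IR", 1): "EXIT1_IR",
    ("EXIT1_IR", 0): "PAUSE_IR",               ("EXIT1_IR", 1): "UPDATE_IR",
    ("PAUSE_IR", 0): "PAUSE_IR",               ("PAUSE_IR", 1): "EXIT2_IR",
    ("EXIT2_IR", 0): "SHIFT_IR",               ("EXIT2_IR", 1): "UPDATE_IR",
    ("UPDATE_IR", 0): "RUN_TEST_IDLE",         ("UPDATE_IR", 1): "SELECT_DR_SCAN",
}

IR_CAPTURE_VALUE = 0b0001  # assumed for the demo; 1149.1 only fixes the two LSBs to 01


class TapController:
    """One TAP with a small IR. DR handling is omitted to keep the model short."""

    def __init__(self, ir_width=4):
        self.ir_width = ir_width
        self.state = "RUN_TEST_IDLE"  # power-up state is unknown on real hardware, so reset first
        self.ir_shift = 0  # shift stage of the IR (what TDI/TDO see)
        self.ir = 0        # latched instruction, changed only in Update-IR
        self.trace = []    # states entered since the last reset

    def clock(self, tms, tdi=0):
        """One TCK cycle: perform the current state's action, then move on TMS.

        Returns the TDO bit presented during this cycle (meaningful in Shift-IR).
        """
        tdo = 0
        if self.state == "CAPTURE_IR":
            self.ir_shift = IR_CAPTURE_VALUE
        elif self.state == "SHIFT_IR":
            tdo = self.ir_shift & 1  # LSB leaves on TDO ...
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (self.ir_width - 1))  # ... TDI enters at the MSB
        elif self.state == "UPDATE_IR":
            self.ir = self.ir_shift  # latched on the falling edge while in Update-IR
        self.state = TAP_TRANSITIONS[(self.state, tms)]
        self.trace.append(self.state)
        return tdo

    def reset(self):
        """Five clocks with TMS high reach Test-Logic-Reset from any state."""
        for _ in range(5):
            self.clock(1)
        self.trace = []
        return self.state

    def write_ir(self, value):
        """Load `value` into IR using the post's sequence; returns the bits read back on TDO."""
        self.reset()
        for tms in (0, 1, 1, 0, 0):  # RTI, Select-DR, Select-IR, Capture-IR, Shift-IR
            self.clock(tms)
        captured = 0
        for i in range(self.ir_width):
            last = i == self.ir_width - 1  # TMS=1 on the final bit moves to Exit1-IR
            captured |= self.clock(1 if last else 0, (value >> i) & 1) << i
        self.clock(1)  # Exit1-IR -> Update-IR
        self.clock(0)  # Update-IR -> Run-Test/Idle (IR latched on the way out)
        return captured


if __name__ == "__main__":
    tap = TapController()
    old = tap.write_ir(0b1010)
    print(f"captured {old:#06b}, IR now {tap.ir:#06b}")
    print("path:", " -> ".join(tap.trace))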