From Exploitee.rs


JTAG, which stands for Joint Test Action Group, is a standardized interface and protocol (IEEE 1149.1, also known as boundary scan) primarily used for testing, debugging, and programming integrated circuits, particularly those mounted on printed circuit boards (PCBs). JTAG was originally developed to make manufacturing test of complex electronic systems more efficient, but it has since found extensive use in development, debugging, and programming.


JTAG uses a serial communication interface to access and control various functions of a target device, such as microcontrollers, digital signal processors (DSPs), FPGAs, and other digital integrated circuits. The interface typically consists of four or more pins:

  • TCK (Test Clock): This pin provides the clock signal that synchronizes the data exchange between the tester (debugging or programming equipment) and the target device.
  • TMS (Test Mode Select): This pin controls the state transitions of the target device's internal test logic, allowing it to enter various test modes.
  • TDI (Test Data In): This pin is used to input test or programming data into the target device.
  • TDO (Test Data Out): This pin is used to output test results or readback data from the target device.

In addition to these core pins, JTAG interfaces often include optional pins like:

  • TRST (Test Reset): This pin provides a way to reset the target device's JTAG state machine and bring it back to a known state.
  • RTCK (Return Test Clock): This optional pin returns the test clock from the target after it has been synchronised with the target's own clock, so the debugger can pace TCK to a core running at a slow or varying clock speed (adaptive clocking).

JTAG States

JTAG operates through a state machine that guides the target device through various states and operations. The primary states are:

  • Test-Logic-Reset (TLR): This is the initial state when the JTAG interface is reset. The target device's test logic is reset, and the JTAG state machine is prepared for further operations. Holding TMS high for five TCK cycles returns the state machine here from any other state.
  • Run-Test/Idle (RTI): In this state, the target device is in an idle mode, waiting for further instructions.
  • Select-DR-Scan: This state is used to select the Data Register (DR) scan chain for data input and output.
  • Capture-DR (CDR): This state captures data from the selected DR scan chain.
  • Shift-DR (SDR): In this state, one bit is shifted in from TDI and one bit is shifted out on TDO on every TCK cycle.
  • Exit1-DR (EDR1): This state prepares for transitioning out of the Shift-DR state.
  • Update-DR (UDR): The data that was shifted in is latched into the selected register, where it takes effect.

JTAG also includes similar states for accessing the Instruction Register (IR) scan chain, which allows selecting and executing different operations within the target device, such as debugging or programming operations.
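The state machine described above, modelled in Python as an added example (this is not code from the Exploitee.rs page): the transition table covers all 16 TAP states, including the Pause and Exit2 states the list omits, and the helpers show the TMS sequence needed to reach a state, the five-clock reset property, and the TMS/TDI streams for one complete DR scan.

```python
# Added example: model of the IEEE 1149.1 TAP controller. Each state maps to
# (next state when TMS=0, next state when TMS=1); TMS is sampled on every TCK.
from collections import deque

TAP = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}

def step(state, tms_bits):
    """Clock the TAP once per TMS bit; return every state visited, start included."""
    path = [state]
    for tms in tms_bits:
        state = TAP[state][tms]
        path.append(state)
    return path

def tms_path(src, dst):
    """Shortest TMS sequence that moves the TAP from src to dst (breadth-first search)."""
    queue, seen = deque([(src, [])]), {src}
    while queue:
        state, bits = queue.popleft()
        if state == dst:
            return bits
        for tms in (0, 1):
            if TAP[state][tms] not in seen:
                seen.add(TAP[state][tms])
                queue.append((TAP[state][tms], bits + [tms]))

def reset_from_anywhere():
    """Five TCK cycles with TMS held high reach Test-Logic-Reset from every state."""
    return all(step(s, [1] * 5)[-1] == "Test-Logic-Reset" for s in TAP)

def dr_scan(tdi_bits):
    """TMS/TDI streams for one Data Register scan from Run-Test/Idle back to Run-Test/Idle."""
    n = len(tdi_bits)  # the last data bit is clocked with TMS=1, the edge that leaves Shift-DR
    tms = [1, 0, 0] + [0] * (n - 1) + [1] + [1, 0]  # Select-DR, Capture-DR, shift n, Update-DR, RTI
    tdi = [0, 0, 0] + list(tdi_bits) + [0, 0]
    return tms, tdi
```

Running `step("Run-Test/Idle", dr_scan([1, 0, 1, 1])[0])` shows the TAP spending exactly four clocks in Shift-DR, one per data bit, before passing through Exit1-DR and Update-DR.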


Identifying JTAG pins using an oscilloscope or multimeter can be challenging because JTAG runs at relatively high clock rates and involves complex signal patterns. However, with careful observation and an understanding of the JTAG signal characteristics, you can attempt to identify the JTAG pins. Here's a basic approach you can follow:

  • Consult the Datasheet: If you have access to the datasheet or technical documentation of the device you're working with, it might provide information about the JTAG pinout and signal names.
  • Identify Power and Ground Pins: Begin by identifying the power and ground pins of the device. These pins are often marked on the device's package. With a multimeter, check continuity between candidate pins and a known ground such as the metal shielding of an Ethernet or USB connector, and measure the voltage levels on the remaining pins.
  • Search for JTAG Test Access Port (TAP) Pins: JTAG typically has four main pins: TCK, TMS, TDI, and TDO. These pins are part of the Test Access Port (TAP) controller. Look for pins that show fast switching patterns or clock-like signals when the device is powered on; these are likely candidates for TCK (clock) and TMS (mode select). Because the standard requires TMS and TDI to be pulled up so that an unconnected TAP stays idle, candidate pins that read a steady high through a pull-up resistor are also worth noting.
  • Identify TDI and TDO Pins: The TDI pin (Test Data In) usually experiences data transitions when you interact with the JTAG interface. You can try sending test patterns or using a JTAG programmer to see if you can observe any signal changes on certain pins. Similarly, TDO (Test Data Out) might show some signal activity when you perform JTAG operations.
  • Look for Patterns and Relationships: Use an oscilloscope to monitor the signal patterns on potential TCK, TMS, TDI, and TDO pins. You might notice synchronous or sequential patterns that resemble JTAG operations, such as shifting in data. Also, TDO might show data that matches the TDI data you input.
  • Check for JTAG Header or Test Points: Some devices have dedicated JTAG headers or labeled test points for JTAG pins. These make identification much easier. Look for any labels or markings on the PCB that indicate JTAG-related pins.
  • Observe Signal Timing and Frequencies: JTAG transactions are synchronous to TCK, whose rate is set by the probe or tester driving it. If you're using an oscilloscope, look for pins whose transitions line up with that clock.
  • Use Specialized Tools: There are specialized tools and probes designed for JTAG pin identification, such as JTAG debugging probes. These tools can help you locate JTAG pins more accurately.
    • JTAGenum/JTAGulator: JTAGenum is a sketch that runs on an Arduino, and the JTAGulator is a board created by Joe Grand; both can be used to identify the correct JTAG pins among a set of test points.