JTAG
Sometimes when you have no idea what's the pinout of the JTAG port, you have to find a way to correctly identify each of the JTAG pins. There are few ways to do that, one of them is by "bruteforcing" the pins for IDCODE
or BYPASS
JTAG commands.
There are several tools and ways to enumerate JTAG pins. Here are few:
- Probing pin voltage, resistence to VCC and GND (TODO)
- Searching with Joe Grand's JTAGulator (TODO)
- Using an Arduino Pro Micro
- Using an Raspberry Pi Pico
Searching JTAG pins with Raspberry PI Pico
- Raspberry Pi Pico: https://github.com/racerxdl/JTAGscan made by szymonh adapted to RP2040 by racerxdl
How does it work?
JTAGscan iterates over all defined pins (currently for RP2040, the first 16 pins) searching for TMS, TCK, TDO and TDI.
It has two approaches:
- Try reading
IDCODE
- Only requires TMS, TCK and TDO so it's faster. Unfortunately not all devices supportIDCODE
command (although most of them do). This doesn't find the TDI pin. - Shifting bits in
BYPASS
mode. This can find all pins, but it is slower (since not only you have one more pin to iterate over, but also need to shift "enough" bits through the JTAG Chain).
Hardware suggestions
Any raspberry pi pico board should work fine for scanning JTAG ports. Make sure you check the VCC of the target to see if it is 3.3V. Being other voltage level will require a level-shifter to avoid damage.
It is also recommended to use series 33 Ohm resistors in series with every tested pin to avoid short circuiting if some pin you're testing is an output.
Programming the PiPico
- Go to
Releases
and download thejtagscan-xxxx.zip
- Extract the zip file for the
uf2
file - Plug your raspberry pi pico in the USB port while pressing the BOOT button (to enable bootloader)
- A new "disk" should appear in your machine. Drag the
uf2
file to the disk - The raspberry pi pico should reboot and be recognized as a usb-serial converter
Using
Open the detected serial port in your favorite serial terminal application (for example, PuTTY)
Hit the key h
to show the help.
+-------------------------------+
| JTAGscan Jtag Pinout Finder |
+-------------------------------+
a - Automatically find all pins
i - IDCODE search for pins
b - BYPASS search for pins
t - TDI-only BYPASS search
m - set pin mask, current: 0xFFFF
d - set debug level: 1
c - half cycle us, current: 32
h - print this help
+-------------------------------+
Hit a
for scan the JTAG pins. This will do first a IDCODE
scan and then a BYPASS
scan. Depending on how many pins are in pin mask
field (you can change it by using m
) it should take a while. When successfully, the scanner will stop with a message like this one:
Automatically searching
+-- Starting with IDCODE scan --+
| TCK | TMS | TDO | IDCODE |
+-------------------------------+
| 2 | 3 | 0 | cba00477 |
+----------- SUCCESS -----------+
TCK, TMS, and TDO found.
+-- BYPASS searching, just TDI -+
| TCK | TMS | TDO | TDI | Width |
+-------------------------------+
| 2 | 3 | 0 | 1 | 31 |
+----------- SUCCESS -----------+
JTAGEnum with Arduino or Raspberry Pi
JTAGenum is an open source Arduino JTAGenum.ino or RaspbberyPi JTAGenum.sh (experimental) scanner. This code was built with three primary goals:
- Given a large set of pins on a device determine which are JTAG lines
- Enumerate the Instruction Register to find undocumented functionality
⚠️ JTAG and device must share the same ground.
Software Connection Set up:
- Download the INO sketch from the github
- Open the Arduino IDE and Load the downloaded JTAGEnum sketch
- Choose the correct Serial Port and Board
- Compile and Upload the sketch
- Open the Serial Monitor
- Set the correct baud rate
- Enter the command to scan ("s")
Arduino PIN Layout
- Digital PIN 2(Black)
- Digital PIN 3(White)
- Digital PIN 4(Grey)
- Digital PIN 5(Maroon)
- Digital PIN 6(Blue)
- GND - GREEN