JTAGulator: Assisted discovery of on-chip debug interfaces

Global Events / Cybersecurity Books

Joe Grand @joegrand is an electrical engineer and hardware hacker. He runs Grand Idea Studio and specializes in the design of consumer and hobbyist embedded systems. He was a member of the legendary hacker group L0pht Heavy Industries and was a co-host of Discovery Channel’s Prototype This.

On-chip debug (OCD) interfaces can provide chip-level control of a target device and are a primary vector used by hackers to extract program code or data, modify memory contents, or affect device operation on-the-fly. Depending on the complexity of the target device, manually locating available OCD connections can be a difficult and time consuming task, sometimes requiring physical destruction or modification of the device.

Learning Objectives:

Joe will explain:

Questions and answers

Max, Concise Courses:
@30.00 Would you agree that JTAGulator would be a good training tool for people interested in digital forensics, and on that subject where is the best place to learn more, is it on YouTube?

Joe Grand:
Digital forensics is probably one of the most useful parts of the JTAGulator. I have taught some courses for various forensics institutes and government agencies that encouter devices that need to figure out a way to extract data from these devices in a forensically-safe manner and JTAG is one of those ways.

Most mobile phones will have some sort of test point on there that are JTAG specific and you have to find those in order to extract the information. So, yes digital forensics is a huge use of this device and it is a great training tool for digital forensic investigators. I actually teach a hardware hacking training course that is usually a two day course but I can break it down into one day depending on the skills of the students. I go through the whole process of reverse engineering circuit boards and what to look for, how to modify boards and board-level hacking. JTAGulator is one section of that training that I have just added in because now you have this automated way of doing things so yes it is definitely a useful tool for that.

I do have some videos on YouTube that explain some of the functionality of JTAGulator, so if you go to JTAGulator.com that’s going to bring you over to my website and there will be links there for some of the videos that I have made and I’ll make more as more functionality comes out.

If you are interested in any of my hardware hacking training you can go to the events section of my website that will list current public training events and I am happy to do private events as well.

Max, Concise Courses:
32:15 How may core developers are there on the project?

Joe Grand:
You’re looking at him! Just me! I should mention though that there was lots of prior art that inspired me to build JTAGulator. There was some work done a few years ago; sort of proof of concept, that ‘it is possible to brute force JTAG pins from a device’. That was by, I believe his hacker handle was Hans, from the Chaos Communication Congress, had done a presentation on that, and there are some other proof of concepts like Arduino based stuff but it didn’t have the functionality that I wanted and it didn’t have the proper input protection and target voltage settings and things like that but I figured I would make my own, that I could actually refer and recommend to people.

The development up to this point has been me. I did give out a bunch of prototypes to friends of mine that have been using it for JTAG, and I am hoping that they want to start adding some additional functionality for certain types of chips. I am happy for people to contribute, it just hasn’t happened yet.

Max, Concise Courses:
@33:34 Is it difficult to get the ‘root shell’ using JTAG?

Joe Grand:
That would be assuming that there is a UR interface or an Asynchronous serial interface like a serial port. So, that wouldn’t be a JTAG interface, it would be a seperate interface. Those are sometimes easier to manually identify because you would usually just have a TX Pin and an RX Pin for transmitting and receiving and a ground connection.

I did add support to the JTAGulator, that I didn’t give a demo of in this presentation, to do UR detection. What that basically does is, you hook up all your pins to test points and it will cycle through all the standard bot-rates (I think there are like 30 different bot-rates that the JTAGulator tries) and then it will send a ‘user defined string’ maybe as a carriage return or some control character. It will send that to the target device and if it gets a response back on what it thinks is the RX pin maybe that is a serial interface.

It is possible to do. Sometimes it is easy but if the connections are hidden it is harder but a lot of Linux based devices will have access to a root shell somewhere on the device itself, you just have to find it.

Max, Concise Courses:
@34:51 Could you talk about your RID Goggles – they look awesome….!

Joe Grand:
Totally separate topic! The RID Goggles! Yes, the Reflective Image Device Goggles. This was basically a concept that I came up with a bunch of years ago with a few friends of mine of a super low-cost heads-up display. We tried to license it out to some ski goggle manufacturers and action sport manufacturers, but at the time (this is like five or six years ago) they were a little bit scared of integrating technology in their devices whereas we were like, ‘it’s fine, it’s hardware!’ but these days electronics are everywhere in wearable’s but back then it was a little bit harder.

It is basically just a super-low cost way of displaying data on a lens where we are using just the lens itself as part of the reflective portion. Instead of having a separate display like a lot of heads-up displays will have, we are using the actual lens of the goggles to display and we are essentially just transmitting data in a mirrored format so that it would reflects back in your eyes. It’s really not that technical, it’s just really cheap and that was the goal. It hasn’t really gone anywhere yet but you could always use that for a poor-man’s Google Glasses of some sort!