{"id":13540193,"url":"https://github.com/cyphunk/jtagenum","last_synced_at":"2025-04-12T21:23:50.278Z","repository":{"id":872104,"uuid":"612594","full_name":"cyphunk/JTAGenum","owner":"cyphunk","description":"Given an Arduino compatible microcontroller or Raspberry PI (experimental), JTAGenum scans pins[] for basic JTAG functionality and can be used to enumerate the Instruction Register for undocumented instructions. Props to JTAG scanner and Arduinull which came before JTAGenum and forwhich much of the code and logic is based on.  Feel free to branch and modify religiously (readme, credits, whatever)","archived":false,"fork":false,"pushed_at":"2023-10-30T08:40:07.000Z","size":141,"stargazers_count":742,"open_issues_count":12,"forks_count":105,"subscribers_count":40,"default_branch":"master","last_synced_at":"2025-04-04T00:47:48.717Z","etag":null,"topics":["arduino","jtag","raspberrypi"],"latest_commit_sha":null,"homepage":"http://deadhacker.com/tools","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cyphunk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2010-04-15T21:11:25.000Z","updated_at":"2025-03-28T06:50:05.000Z","dependencies_parsed_at":"2024-01-07T13:05:01.469Z","dependency_job_id":"959810f9-f982-4096-8a63-48f907c2204f","html_url":"https://github.com/cyphunk/JTAGenum","commit_stats":{"total_commits":80,"total_committers":11,"mean_commits":"7.2727272727272725","dds":"0.32499999999999996","last_synced_commit":"5f15cb7ee64bbe766398598a3c144e915f06f167"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyphunk%2FJTAGenum","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyphunk%2FJTAGenum/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyphunk%2FJTAGenum/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyphunk%2FJTAGenum/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cyphunk","download_url":"https://codeload.github.com/cyphunk/JTAGenum/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248633022,"owners_count":21136789,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arduino","jtag","raspberrypi"],"created_at":"2024-08-01T09:01:42.454Z","updated_at":"2025-04-12T21:23:50.247Z","avatar_url":"https://github.com/cyphunk.png","language":"C++","funding_links":[],"categories":["\u003ca id=\"04102345243a4bcaec83f703afff6cb3\"\u003e\u003c/a\u003eHardware devices\u0026\u0026USB\u0026Raspberry Pi"],"sub_categories":["\u003ca id=\"77c39a0ad266ad42ab8157ba4b3d874a\"\u003e\u003c/a\u003eRaspberry Pi\u0026\u0026RaspberryPi"],"readme":"About JTAGenum\n==============\n\nJTAGenum is an open source Arduino ``JTAGenum.ino`` or RaspberryPi \n``JTAGenum.sh`` (experimental) scanner. This code was built with three primary \ngoals:\n\n1. Given a large set of pins on a device determine which are JTAG lines\n2. Enumerate the Instruction Register to find undocumented functionality\n3. 
be easy to build and apply\n\nJTAGenum is a more Arduino'y fork of \n[Arduinull](https://github.com/zoobab/arduinull) by Sébastien Bourdeauducq \n(lekernel), which is inspired by Benedikt Heinz's \n[JTAG scanner](https://elinux.org/JTAG_Finder).\nJTAGenum also includes instruction scanning functionality best described\nby Felix Domke (tmbinc) in his \n[26c3 paper](http://events.ccc.de/congress/2009/Fahrplan/attachments/1435_JTAG.pdf).\nThe initial version of this branch was built for personal research and while\nworking on various projects at [Recurity Labs](https://recurity-labs.com/).\n\nPlease feel free to contact me with any questions, problems, targets or\nupdates. I would be more than happy if you fork and take the code in\nwhatever direction you choose.\n\nLinks\n=====\n\n* Embedded Analysis wiki: http://github.com/cyphunk/JTAGenum/wiki\n* JTAGenum blog post: http://deadhacker.com/2010/02/03/jtag-enumeration/\n* JTAGenum video tutorial \"Ghetto Tools for Embedded Analysis REcon 2011\":\n  https://www.youtube.com/watch?v=ZmBfahwV3ss\n\nAuthors and code branches\n=========================\n\n* cyphunk  http://github.com/cyphunk/JTAGenum/\n* jal2     http://github.com/jal2/JTAGenum/\n* zoobab   http://hackerspace.be/JTAG_pinout_detector\n* z1Y2x    https://github.com/z1Y2x/JTAGenum/\n\nSimilar tools or branches:\n\n* gremwell's https://github.com/gremwell/go-jtagenum (RaspberryPi go rewrite + improvements)\n* joegrands's http://www.grandideastudio.com/jtagulator/ (purpose built hardware with improvements and added voltage range)\n* szymonh's https://github.com/szymonh/SWDscan (arduino based SWD finder)\n* szymonh's https://github.com/szymonh/JTAGscan (arduino based with logic similar to jtagulator) \n* dxa4481's https://github.com/dxa4481/inputProtectionShield (1.8-5v voltage shifting shield)\n* dipusone's https://github.com/dipusone/inputShieldProtection (fork of dxa4481's shield)\n* commercial products MiracleBox, JTAGfinder, EasyJtag (GUI based, some 
limitations) \n\nHardware\n========\n\nJTAGenum has been tested on the following hardware:\n\n* RaspberryPi (3.3V) with mixed results\n* standard Arduino (5V)\n* Arduino on Teensy (3.3V) (http://www.pjrc.com/teensy/index.html)\n* Arduino on Texas Instruments Tiva C / Stellaris (3.3V) (https://github.com/cyphunk/JTAGenum/issues/4)\n* Arduino on STM32 Bluepill board (3.3V) (https://wiki.stm32duino.com/index.php?title=Blue_Pill and http://www.zoobab.com/bluepill-arduinoide)\n\nWhen picking your micro-controller platform consider two issues:\n\n1. How many pins do you want to check on your target.\n2. What voltage level does your target device require.\n\nConcerning voltage: Raspberry Pi I/O operates at 3.3V, while many Arduinos\nwork at 5V. Driving a 3.3V target from 5V pins can damage it. Some boards\nare switchable, and even those that are not could be modified.\nAlternatively, voltage shifting Arduino shields or voltage shifting\ngadgets can be used. See the Voltage Shifting Appendix discussion on the\nEmbedded Analysis wiki for more details.\nhttps://github.com/cyphunk/JTAGenum/wiki/Embedded-Analysis#Voltage_Shifting\n\nWhen connecting the micro-controller to the pins of your target, one\nthing to be aware of is possible cross-talk between wires. The\nloopback check function in JTAGenum can help you determine which wires\nmay produce cross-talk.\n\nUsage\n=====\n\nFor use on a **Raspberry Pi** use and consult ``JTAGenum.sh``. The\nRaspberry Pi pins used for scanning should be specified inside the script\nfile. This script is experimental and only provides the functions for finding JTAG.\nTo use it, *source* the script on the console and then execute the desired\nscan. See the comments in the header of the script for further details.\n\nFor use on an **Arduino**, load the ``JTAGenum.ino`` sketch. The Arduino pins\nused for scanning should first be specified at the top of the sketch. This\nis all that is required for basic JTAG scanning functionality. 
Once the\ncorrect JTAG pins on the target have been determined they can be specified in\nthe sketch and, along with the proper IR_LENGTH, the user can then\nexecute the search for hidden instructions or print the boundary scan register.\n\nBefore loading the sketch first define the pins[] and pinnames[] arrays. After\nloading the sketch open a serial console at a baud rate of 115200 to access the\nuser interface. Sending an h to the console will print usage information that\ndescribes each function. Each function is invoked by sending its one\ncharacter code:\n\n**v \u003e verbose**\n\nToggles verbose output. At times verbose might present too much\ninformation, and without it too little.\n\n**l \u003e loopback check**\n\nFind loopback pairs that will generate false-positives for other\ntests. After running you should remove any loopback pairs from your\npins[]/pinnames[]. Loopback pairs are found by sending a predetermined\npattern[] to all possible pins while checking all pins for matching\noutput. Because the JTAG clock (TCK) and state (TMS) pins are NOT\nbeing stimulated, the input/output pairs where the pattern is found\nrepresent loopbacks. NOTE: you should probably run this once with\nand without internal pull-up resistors set (r) to avoid problems\nof cross-talk, which is discussed in detail later.\n\n**s \u003e scan**\n\nThis routine is used to check all possible pins and find the JTAG clock,\nstate, input and output lines (TCK,TMS,TDI,TDO). This is done\nby setting the JTAG state machine (TMS) into Shift_IR and then sending\npattern[] to TDI and checking for it on TDO while clocking TCK.\nThis check is run for every possible pin combination and it is\nimportant that you remove loopback pins before running. While this\nscan is meant to determine all of the JTAG pins required it is\npossible that the TMS pin found is incorrect. 
This depends on whether\nthe target uses the bypass register by default (described later).\nIf an IDCODE register is present then bypass mode is not the default\nand you can assume that the pin this scan defines as TMS is correct.\nOtherwise, only the TCK, TDI and TDO pins can be determined. NOTE:\nrun with pull-ups on (r) as any cross-talk might result in\nfalse-positives.\n\n**y \u003e brute force IR search**\n\nThis will set the instruction register (IR) to all possible values\nand check the output. This can be used to find undocumented\ninstructions and examine their results via the data register (DR).\nTo run this scan you should have already determined the 4 JTAG pins\nand defined pins[] as such: [0]=TCK [1]=TMS [2]=TDO [3]=TDI. NOTE:\nrun with pull-ups on (r) as any cross-talk might result in\nfalse-positives.\n\n**x \u003e boundary scan**\n\nThis will return the state of all the pins on the target. Actually\nit is not just the pins but the contents of the scan/sample register.\nThis should be a rather large register and is defined in the code\nby SCAN_LEN+100. You can check your target's documentation and specify\nthis or just leave it as a large number (currently 1800). To run\nthis scan you should have already determined the 4 JTAG pins and\ndefined pins[] as such: [0]=TCK [1]=TMS [2]=TDO [3]=TDI. NOTE: run\nwith pull-ups on (r) as any cross-talk might result in false-positives.\n\n**i \u003e idcode scan**\n\nThe JTAG standards specify that if an idcode register is present\nit should be set as the default data register (DR) and attached to\nthe output (TDO) by default. Meaning, regardless of the state of the\nJTAG chip (set with the TMS line) and regardless of the input being sent\nto the chip (TDI), by clocking the chip (TCK) it should return the\ncontents of the idcode to the output (TDO). Hence, this routine\niterates through all possible TCK,TDO pairs of pins and prints the\noutput when it changes (we assume an idcode will not be all 0s or\n1s). 
You should examine the documentation of your target(s) to see\nif the idcode matches. NOTE: run with pull-ups on (r) as any\ncross-talk might result in false-positives.\n\n**b \u003e shift_bypass**\n\nBroken atm (need to add TCK enumeration). The JTAG standards specify\nthat if an idcode register is NOT present on the chip then the\nbypass register (length of 1) should be the default DR. Essentially\nthis means what is sent to the input (TDI) should come out on the\noutput (TDO) with a one clock delay (TCK). It is important that you\nremove loopbacks before running this test, otherwise the loopback\npins will look like valid JTAG lines. NOTE: run with pull-ups on\n(r) as any cross-talk might result in false-positives.\n\n**r \u003e set pull-up resistors \u0026 cross-talk**\n\nIf, like me, the cables you use to connect JTAGenum to your\ntargets are flimsy or uninsulated you might run into issues of\ncross-talk, whereby when one pin is transmitting a nearby pin picks\nup the transmission even though they are not connected. To avoid\nthis you can turn on the internal pull-up resistors, which will force\nthe pin to a default state. If for some reason you continue to have\nsporadic issues, run the following in sequence to check if the problem\nis the cable, target or other:\n\n1. Disconnect the cables between your target and JTAGenum. Disconnect them\n   entirely from JTAGenum as well.\n\n2. Run a loopback check (l) with pull-ups off. In this state the pins are\n   floating and might fluctuate. You'll notice that as you move the\n   microcontroller around, turn lights on and off or move other devices close\n   to or away from it the results change.\n\n3. Turn on pull-ups (r) and run the test again. The results should now be\n   consistent. If they aren't, then let me know.\n\n4. Now attach your cables to JTAGenum but not the target. Run steps 2 and 3\n   again. Step 2 will give you a feel for how much inconsistency the cable may\n   add. 
If the loopback check results in actual pattern matches then your cable\n   has cross-talk. Step 3 should still result in a consistent state of either\n   all high (1s) or all low (0s), and if it doesn't then your cross-talk issues\n   are such that all JTAGenum tests are going to be buggy at best. Feel free to\n   send me an email and I will happily try to help solve the problem.\n\nA bit about JTAG\n================\n\nA basic understanding of how JTAG works will be helpful when using\nJTAGenum. There are 4 lines/pins: TDO=output, TDI=input, TCK=clock,\nTMS=state machine control. Say you want to read the ID of the chip.\nFirst you would send the IDCODE instruction to the instruction\nregister (IR). The JTAG controller then places the actual id code\nvalue of the chip in a data register which you could then read out.\nYou would think that it would be enough to have one input line going\nto the IR and one output coming from the DR, but JTAG also supports\nwriting to the DR. As opposed to adding another input line specific\nto the DR, JTAG instead works by moving the input and output lines\nbetween IR and DR. The TMS line is used to switch TDI/TDO to the IR\nwhen you want to place an instruction and back to the DR when you want\nto read or write data. With all operations, be it a state change (TMS),\nwriting (TDI) or reading (TDO), the clock line (TCK) must be cycled once\nfor every bit or change. This was a brutal and drastic\nsimplification, but with that understood the Usage section\nshould be comprehensible.\n\nFor a more detailed discussion of JTAG see\nhttps://github.com/cyphunk/JTAGenum/wiki\n\nTODO\n====\n\n1. upload pictures of the hardware setups\n2. add ESP32 support\n3. 
BusPirate bitbang support\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyphunk%2Fjtagenum","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyphunk%2Fjtagenum","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyphunk%2Fjtagenum/lists"}
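The loopback check (l) and the pin scan (s) described in the README above, as an added worked example that is not JTAGenum's own code: a small C++ model of a target board with one IEEE 1149.1 TAP sitting behind numbered header pins, and a scanner that talks to it only through write() and read(), the equivalent of digitalWrite()/digitalRead() on an Arduino. Everything about the board is constructed for the demo: the pin numbers (TCK=2, TMS=5, TDI=0, TDO=6), the 5-bit instruction register, a bypass register as the only data register (no IDCODE), the shorted wire pair (3, 7) standing in for cross-talk, and the 16-bit test pattern. The TAP state table is the one from the standard; the scanning logic follows the README's description rather than the sketch's code.

```cpp
#include <algorithm>
#include <cstddef>
#include <initializer_list>
#include <string>
#include <utility>
#include <vector>

// IEEE 1149.1 TAP controller states and kNext[state][tms]: the state entered
// on a rising TCK edge given the TMS level sampled on that edge.
enum TapState { TLR, RTI, SEL_DR, CAP_DR, SHIFT_DR, EXIT1_DR, PAUSE_DR, EXIT2_DR,
                UPD_DR, SEL_IR, CAP_IR, SHIFT_IR, EXIT1_IR, PAUSE_IR, EXIT2_IR, UPD_IR };
static const TapState kNext[16][2] = {
    {RTI, TLR},           {RTI, SEL_DR},        {CAP_DR, SEL_IR},     {SHIFT_DR, EXIT1_DR},
    {SHIFT_DR, EXIT1_DR}, {PAUSE_DR, UPD_DR},   {PAUSE_DR, EXIT2_DR}, {SHIFT_DR, UPD_DR},
    {RTI, SEL_DR},        {CAP_IR, TLR},        {SHIFT_IR, EXIT1_IR}, {SHIFT_IR, EXIT1_IR},
    {PAUSE_IR, UPD_IR},   {PAUSE_IR, EXIT2_IR}, {SHIFT_IR, UPD_IR},   {RTI, SEL_DR}};

// Constructed target board (not a real device): nPins header pins, four of
// them wired to a TAP with an irLen-bit IR and a 1-bit bypass register as its
// only DR (no IDCODE), plus one shorted wire pair (loopA, loopB). Undriven
// pins read as 1, i.e. the scanner's internal pull-ups ("r") are on.
class Target {
public:
    Target(int nPins, int tck, int tms, int tdi, int tdo, int irLen, int loopA, int loopB)
        : level_(nPins, 1), tck_(tck), tms_(tms), tdi_(tdi), tdo_(tdo),
          irLen_(irLen), loopA_(loopA), loopB_(loopB) {}
    void release() { std::fill(level_.begin(), level_.end(), 1); }  // scanner drives nothing
    void write(int pin, int v) {                                    // digitalWrite()
        int old = level_[pin];
        level_[pin] = v;
        if (pin == loopA_) level_[loopB_] = v;                        // the short echoes both ways
        if (pin == loopB_) level_[loopA_] = v;
        if (pin == tck_ && old == 0 && v == 1) clockEdge();
    }
    int read(int pin) const { return level_[pin]; }                 // digitalRead()
private:
    void clockEdge() {
        int tms = level_[tms_];
        unsigned tdi = level_[tdi_];
        switch (state_) {
        case CAP_IR:   ir_ = 1; break;                                // IR captures ...01
        case SHIFT_IR: level_[tdo_] = ir_ & 1;                        // TDO shows the IR's LSB,
                       ir_ = (ir_ >> 1) | (tdi << (irLen_ - 1)); break; // TDI enters at the MSB
        case CAP_DR:   bypass_ = 0; break;
        case SHIFT_DR: level_[tdo_] = bypass_; bypass_ = tdi; break;  // one clock of delay
        default: break;
        }
        state_ = kNext[state_][tms];
    }
    std::vector<int> level_;
    int tck_, tms_, tdi_, tdo_, irLen_, loopA_, loopB_;
    TapState state_ = TLR;
    unsigned ir_ = 0, bypass_ = 0;
};

static void pulse(Target& t, int tck) { t.write(tck, 0); t.write(tck, 1); }

// "l > loopback check": drive the pattern on one pin at a time and watch the
// rest. TCK and TMS are never stimulated, so a pin that reproduces the
// pattern is shorted to (or cross-talking with) the driver, not a TAP path.
std::vector<std::pair<int, int>> loopbackCheck(Target& t, int nPins, const std::string& pattern) {
    std::vector<std::pair<int, int>> pairs;
    for (int out = 0; out < nPins; ++out) {
        t.release();
        std::vector<std::string> seen(nPins);
        for (char bit : pattern) {
            t.write(out, bit - '0');
            for (int in = 0; in < nPins; ++in)
                if (in != out) seen[in] += char('0' + t.read(in));
        }
        for (int in = 0; in < nPins; ++in)
            if (in != out && seen[in] == pattern) pairs.push_back({out, in});
    }
    return pairs;
}

struct Hit { int tck, tms, tdi, tdo, irLen; };

// Reach Shift-IR from any state: five TMS=1 edges give Test-Logic-Reset, then
// 0,1,1,0,0 walk Run-Test/Idle, Select-DR, Select-IR, Capture-IR, Shift-IR.
static void toShiftIr(Target& t, int tck, int tms) {
    for (int b : {1, 1, 1, 1, 1, 0, 1, 1, 0, 0}) { t.write(tms, b); pulse(t, tck); }
}

// "s > scan": for every distinct (TCK, TMS, TDI, TDO) assignment over the
// candidate pins, enter Shift-IR, clock the pattern into TDI and look for it
// on TDO; the offset at which it reappears is the IR length. A shorted pair
// left in the candidates matches at offset 0 for any TCK/TMS choice, which is
// why loopbacks must be removed first.
std::vector<Hit> scan(Target& t, const std::vector<int>& pins, const std::string& pattern, int maxIrLen) {
    std::vector<Hit> hits;
    for (int tck : pins) for (int tms : pins) for (int tdi : pins) for (int tdo : pins) {
        if (tck == tms || tck == tdi || tck == tdo || tms == tdi || tms == tdo || tdi == tdo) continue;
        t.release();
        toShiftIr(t, tck, tms);
        std::string stream;
        for (size_t i = 0; i < pattern.size() + maxIrLen; ++i) {
            t.write(tdi, pattern[i % pattern.size()] - '0');
            pulse(t, tck);
            stream += char('0' + t.read(tdo));
        }
        size_t at = stream.find(pattern);
        if (at != std::string::npos && at <= (size_t)maxIrLen)
            hits.push_back({tck, tms, tdi, tdo, (int)at});
    }
    return hits;
}
```

With `Target board(8, 2, 5, 0, 6, 5, 3, 7)` and the pattern `"0110011101001101"`, `loopbackCheck(board, 8, pattern)` reports the pair (3, 7) in both directions, exactly because TCK and TMS were never driven. Dropping those two pins and calling `scan(board, {0, 1, 2, 4, 5, 6}, pattern, 32)` yields a single hit, TCK=2, TMS=5, TDI=0, TDO=6, with the pattern reappearing after 5 clocks, which is the IR length (the first five bits out are the captured `...01` value). Leave the shorted pair in the candidate list and the same scan also reports it as a "JTAG path" with IR length 0 for every choice of TCK and TMS, the false positive the README's loopback-first advice exists to prevent. The model has no IDCODE register and so, as the README notes for that case, a scan that finds TCK, TDI and TDO through the bypass path would not by itself prove the TMS pin.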