Android Hardware Reverse Engineering

Reverse Engineering Android SoCs with SWD: Unveiling Hidden Debug Ports


Introduction to SWD and Android SoCs

In embedded and mobile device security, the ability to talk to a System-on-Chip (SoC) at the lowest level is invaluable. Serial Wire Debug (SWD), Arm's two-pin debug interface (SWDIO and SWCLK), provides that access. It is a reduced pin-count alternative to JTAG, used across Cortex-M and Cortex-R parts and, through the combined SWJ-DP that also speaks JTAG, on the Cortex-A cores found in Android devices. Designed for firmware developers, SWD becomes a powerful tool for reverse engineers who want to understand proprietary hardware, extract firmware, or examine security mechanisms on production Android SoCs.

On consumer Android devices these debug interfaces are disabled or hidden to keep unauthorized hands off the SoC. The test points (TPs) used for SWD during manufacturing are often still on the PCB, however, and sometimes remain physically reachable even when the port has been disabled by fuses or by software. Our goal is to locate, identify and connect to these hidden SWD ports to gain control over the SoC. One caveat applies throughout: a Debug Port that answers with its IDCODE does not yet mean the cores can be debugged. On CoreSight-based SoCs invasive debug is gated by the DBGEN and SPIDEN authentication signals, and a production fuse that holds them low leaves the DP reachable while halting the Cortex-A cores and reading their memory or registers fails.

Prerequisites and Tools

Before embarking on this reverse engineering journey, gather the following essential tools:

  • Android Device: An old phone or tablet, preferably one that is no longer in use, as physical damage is possible.
  • J-Link or CMSIS-DAP Debugger: A hardware debugger that can drive SWD against an arbitrary DAP (e.g. a Segger J-Link EDU or a CMSIS-DAP probe). An ST-Link v2/v3 is an STM32 (Cortex-M) probe; OpenOCD's hla driver for it only supports Cortex-M targets, so keep it as a fallback at most.
  • Logic Analyzer: A multi-channel logic analyzer (e.g., Saleae Logic, Open Bench Logic Sniffer) to identify signal patterns.
  • Digital Multimeter: For continuity and voltage checks.
  • Soldering Station: With a fine-tip iron, flux, and fine-gauge enamel wire (30-AWG or similar).
  • Magnifying Glass/Microscope: For inspecting tiny PCB traces and test points.
  • Computer: Running Linux (recommended) with OpenOCD 0.11 or newer installed; the dap create / -dap target syntax needed for a Cortex-A core over SWD does not exist in older releases.

# Install OpenOCD on Ubuntu/Debian
sudo apt update
sudo apt install openocd

Disassembly and Initial Inspection

The first step is a careful and non-destructive disassembly of your target Android device. Refer to online guides (e.g., iFixit) for your specific model. Once opened, locate the main PCB and identify the System-on-Chip (SoC). This is typically the largest chip, often with heat shielding or thermal paste, and will usually have ‘Qualcomm’, ‘MediaTek’, ‘Samsung Exynos’, or ‘Rockchip’ branding.

Around the SoC, or sometimes near the Power Management IC (PMIC), look for clusters of small, unpopulated pads or vias. These are common locations for test points. They may be unmarked, or carry subtle silkscreen labels such as 'TPxx', 'SWD', 'JTAG', 'DEBUG', 'DI', 'CLK', 'DO', 'TMS', 'TCK', 'TDO', 'TDI', 'GND', 'VCC'. Labels like 'TMS' and 'TCK' point to a JTAG header, which is still good news: on a SWJ-DP the TMS pad doubles as SWDIO and the TCK pad as SWCLK, so those two pads are exactly the pair you want.

Identifying Potential SWD Pins

Multimeter Probing

With the device powered off and battery disconnected, use your multimeter to perform initial checks:

  1. Ground (GND): Use continuity mode to find common ground points near the SoC. Many test pads will be ground.
  2. Voltage (VCC/VTREF): Carefully reconnect the battery, power on the device, and use voltage mode to identify pads that carry a stable rail. On phone SoCs the I/O rail is typically 1.8 V; 3.3 V is rarer. Note the value, because the probe's I/O level has to match it: a J-Link follows whatever it senses on VTref, while a probe that cannot go down to 1.8 V needs a level shifter. Disconnect the battery as soon as you have the readings.
  3. Signal pads: Candidate data and clock lines show continuity to neither ground nor a rail when the device is off. SWD lines commonly sit behind weak pull resistors, so a high resistance to a rail is a hint, not a disqualifier.

Logic Analyzer for Signal Identification

A logic analyzer earns its keep here, but not in the way JTAG folklore suggests. SWD is entirely host-driven: SWCLK is generated by the debug probe, and the target only drives SWDIO during the ACK and read-data phases of a transaction the host started. With no probe attached, a genuine SWD pair therefore sits idle at boot, held by its pull resistors; there is no "DAP initialization sequence" that the SoC emits on its own. What a passive capture at power-on does give you is a way to rule pads out. Solder fine wires to the promising test points around the SoC (plus the GND and VTREF pads you found), connect them to the analyzer, power the device on and classify what you see:

  • A line that toggles by itself in framed bursts with no companion clock is an asynchronous UART, usually a boot console. Decode it; the boot log is valuable in its own right, but this pad is not SWD.
  • A clock plus one or two data lines that burst during boot, with chip-select activity or repeated address bytes, are SPI or I2C to the PMIC, flash or sensors. Not SWD either.
  • Pads that stay quiet throughout boot, read as neither ground nor a rail on the multimeter, and sit in the same cluster as the labelled debug pads are your SWD candidates.

Confirm candidates actively rather than passively. Wire the probe to one candidate pair and let it attempt a DPIDR read (OpenOCD does this on startup and logs "SWD DPIDR 0x..." when it succeeds). A real SW-DP answers with ACK OK and a 32-bit ID whose low 12 bits are 0x477 when the DAP designer is Arm; a wrong pair, or a port whose lines have been fused off, returns no ACK, and you move on to the next pair. Once the link is up, keeping the analyzer on SWCLK and SWDIO is a useful sanity check: you should see the line reset, the 0xE79E JTAG-to-SWD switch sequence and the DPIDR read that the probe sends.
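The decoder below is an added example and not part of the original article or of any tool it names. It turns a capture of SWDIO, sampled once per SWCLK rising edge, into transactions: it finds the 0xE79E JTAG-to-SWD switch, parses the 8-bit request header (the DPIDR read is the familiar 0xA5 byte), the ACK and the data phase, and checks parity. The capture it decodes is constructed in software rather than recorded from a device: one variant has a target answering the DPIDR read, the other has nothing driving the ACK slot, which is what a wrong pin pair looks like on the analyzer. The sample DPIDR value 0x2BA01477 is an assumption chosen only because its designer field (0x23B) decodes as Arm.

```python
"""Decode a captured SWD bit stream into DP/AP transactions.

Input is one SWDIO sample per SWCLK rising edge, which is what a logic
analyzer (or a bit-banged probe) hands you. The capture used below is
constructed in software, not recorded from a device.
"""

JTAG_TO_SWD = 0xE79E          # 16-bit switch sequence, sent LSB first after a line reset
ACK_NAMES = {0b001: "OK", 0b010: "WAIT", 0b100: "FAULT"}
ARM_DESIGNER = 0x23B          # JEP106 code for Arm; makes DPIDR[11:0] read 0x477


def bits_from_int(value, width):
    """LSB-first bit list: the order SWD puts bits on the wire."""
    return [(value >> i) & 1 for i in range(width)]


def int_from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))


def parity(bits):
    return sum(bits) & 1


def build_request(apndp, rnw, addr):
    """8-bit request header: start, APnDP, RnW, A[2], A[3], parity, stop, park."""
    a2, a3 = (addr >> 2) & 1, (addr >> 3) & 1
    return [1, apndp, rnw, a2, a3, parity([apndp, rnw, a2, a3]), 0, 1]


def build_idcode_capture(dpidr, target_present=True):
    """Constructed stream: line reset, JTAG-to-SWD, line reset, two idle
    cycles, then a DP read of address 0x0 (DPIDR). With a target present
    the read is answered with ACK OK and `dpidr`; without one, the ACK slot
    shows the pulled-up line (111) and nothing follows but idle cycles."""
    head = [1] * 50 + bits_from_int(JTAG_TO_SWD, 16) + [1] * 50 + [0, 0]
    head += build_request(0, 1, 0x0) + [0]      # 0xA5 on the wire, then turnaround
    if not target_present:
        return head + [1, 1, 1] + [0] * 9
    data = bits_from_int(dpidr, 32)
    return head + bits_from_int(0b001, 3) + data + [parity(data)] + [0] * 9


def decode_dpidr(value):
    """Split a DPIDR word into its documented fields."""
    designer = (value >> 1) & 0x7FF
    return {"revision": value >> 28, "partno": (value >> 20) & 0xFF,
            "version": (value >> 12) & 0xF, "designer": designer,
            "designer_is_arm": designer == ARM_DESIGNER}


def decode_swd(stream):
    """Locate the JTAG-to-SWD switch, then parse every packet after it."""
    events, switch = [], bits_from_int(JTAG_TO_SWD, 16)
    pos = next((i for i in range(50, len(stream) - 15)
                if stream[i:i + 16] == switch and all(stream[i - 50:i])), None)
    if pos is None:
        return events                       # no switch sequence: this is not SWD traffic
    events.append({"type": "jtag_to_swd", "at": pos})
    pos += 16
    while pos < len(stream):
        if stream[pos:pos + 50] == [1] * 50:            # line reset: >= 50 clocks high
            end = pos
            while end < len(stream) and stream[end] == 1:
                end += 1
            events.append({"type": "line_reset", "at": pos, "cycles": end - pos})
            pos = end
            continue
        if stream[pos] == 0:                            # idle cycle
            pos += 1
            continue
        hdr = stream[pos:pos + 8]
        if len(stream) < pos + 12:                      # header + turnaround + ACK
            break
        start, apndp, rnw, a2, a3, par, stop, park = hdr
        if (start, stop, park) != (1, 0, 1) or par != parity([apndp, rnw, a2, a3]):
            events.append({"type": "protocol_error", "at": pos})
            break
        ack = int_from_bits(stream[pos + 9:pos + 12])   # skip header and one turnaround
        ev = {"type": "read" if rnw else "write", "port": "AP" if apndp else "DP",
              "addr": (a3 << 3) | (a2 << 2), "at": pos,
              "ack": ACK_NAMES.get(ack, "NONE")}        # 000/111: nobody drove the line
        pos += 12
        if ack == 0b001:
            pos += 0 if rnw else 1                      # writes: turnaround before data
            if len(stream) < pos + 33:
                break
            data = stream[pos:pos + 32]
            ev["data"] = int_from_bits(data)
            ev["parity_ok"] = stream[pos + 32] == parity(data)
            pos += 33 + (1 if rnw else 0)               # reads: turnaround after data
            if rnw and not apndp and ev["addr"] == 0 and ev["parity_ok"]:
                ev["dpidr"] = decode_dpidr(ev["data"])
        else:
            pos += 1                                    # WAIT/FAULT/none: turnaround only
        events.append(ev)
    return events


if __name__ == "__main__":
    for event in decode_swd(build_idcode_capture(0x2BA01477)):
        print(event)
```

To use it on a real capture, export SWDIO from the analyzer as one sample per SWCLK rising edge and feed that list to decode_swd. The first transaction after the switch must be a DPIDR read, so an ack of "NONE" on that read is the signature of a pair that is not SWD (or of a port whose lines are fused off), while "OK" with designer_is_arm true tells you the probe is talking to the DAP.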

Connecting and Configuring OpenOCD

Soldering and Hardware Setup

Once SWDIO, SWCLK, GND and VTREF are identified, carefully solder your fine-gauge wires to these test points. VTREF is an input on the probe: J-Link and similar debuggers sense the target I/O voltage on it and set their own drivers to match, so connect the phone's I/O rail to it and never the probe's own supply output to the phone. Keep the leads short; flying wires on a hand-soldered header are the usual reason an SWD link is flaky at higher clock rates. Connect the wires to your debugger as follows:

  • Android GND to Debugger GND
  • Android SWCLK to Debugger SWCLK
  • Android SWDIO to Debugger SWDIO
  • Android VTREF (the 1.8 V or 3.3 V I/O rail you measured) to Debugger VTREF (or VCC_TARGET); leave any 3.3 V/5 V output pin on the probe unconnected

Ensure your debugger is powered and connected to your computer via USB.

OpenOCD Configuration

OpenOCD (Open On-Chip Debugger) is the standard software tool for driving debug probes, and it needs a configuration file. An Android SoC exposes its Cortex-A cores through a CoreSight DAP, so the configuration has to create the SW-DP explicitly and attach a cortex_a target to it; the old interface command and a target created without -dap date from the JTAG-only era and do not work over SWD. Create a file named `android_swd.cfg`:

# android_swd.cfg
# Probe: Segger J-Link. For a CMSIS-DAP probe use "adapter driver cmsis-dap".
adapter driver jlink
# adapter serial <YOUR_SERIAL_HERE>   # optional, if several probes are attached (OpenOCD 0.12+)

transport select swd
# Clock in kHz. Start slow on hand-soldered flying leads; raise once the link is stable.
adapter speed 500

# One SW-DP with a single Cortex-A core. OpenOCD reads the DP ID and walks the
# ROM table itself; if it cannot find the core, add -dbgbase <addr> to the target.
set _CHIPNAME android
swd newdap $_CHIPNAME cpu
dap create $_CHIPNAME.dap -chain-position $_CHIPNAME.cpu
set _TARGETNAME $_CHIPNAME.cpu0
target create $_TARGETNAME cortex_a -dap $_CHIPNAME.dap -coreid 0

# No reset line is wired to the phone, so do not let OpenOCD try to drive one.
reset_config none

# Telnet console and GDB server
telnet_port 4444
gdb_port 3333

Save this file. Now, run OpenOCD from your terminal:

openocd -f android_swd.cfg

If successful, OpenOCD initializes the probe, performs the JTAG-to-SWD switch and reads the DP ID; the log shows a line of the form "SWD DPIDR 0x<id>", followed by the target being found (e.g.,
