Android Hardware Reverse Engineering

No JTAG? No Problem! SWD Debugging on Locked Android Devices

By Antigravity Research Published May 30, 2026 ⏱️ 10 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

The Android Debugging Conundrum: When JTAG Fails, SWD Prevails

For reverse engineers and security researchers, gaining low-level access to Android devices is paramount. While JTAG (Joint Test Action Group) has historically been the go-to interface for hardware debugging, it’s increasingly absent or disabled on modern Android devices, especially those with locked bootloaders. Manufacturers often omit JTAG headers or fuse them off to enhance security and prevent tampering. This article explores an alternative and often more accessible debugging interface: Serial Wire Debug (SWD). We’ll delve into how to locate SWD pins, set up your hardware, configure OpenOCD, and perform basic debugging operations even on seemingly impenetrable devices.

Understanding Serial Wire Debug (SWD)

SWD is a two-pin debugging interface developed by ARM, offering a streamlined alternative to the more complex JTAG protocol. While JTAG uses a minimum of four pins (TDI, TDO, TCK, TMS) plus an optional TRST, SWD simplifies this to just two signals: SWDIO (Serial Wire Debug Input/Output) and SWCLK (Serial Wire Clock). This reduction in pin count makes it ideal for devices with tight board space and simplifies routing.

SWD vs. JTAG: Key Differences

  • Pin Count: SWD uses 2 pins (+ optional SWO, GND, VCC) vs. JTAG’s 4-5 pins.
  • Protocol: SWD is serial and uses a custom ARM protocol; JTAG is a parallel scan chain protocol.
  • Speed: SWD can often achieve higher clock frequencies due to fewer signals and reduced signal integrity issues.
  • Footprint: SWD requires less board space, making it a more common choice for compact embedded systems, including modern SoCs found in Android devices.

Despite its simplicity, SWD provides full access to the ARM CoreSight debug components, allowing for CPU halt, step, memory access, and register inspection – essentially all the core debugging capabilities of JTAG.

Locating SWD Test Points on Android Hardware

The primary challenge with modern Android devices is not the lack of debug capabilities within the SoC, but rather the absence of easily accessible debug ports. Identifying SWD pins typically involves a mix of research, visual inspection, and electrical testing.

1. Research and Documentation (The Holy Grail)

If you’re incredibly lucky, you might find leaked schematics, board views, or service manuals for your target device. These documents will explicitly label test points and headers, making pin identification trivial. However, for most consumer Android devices, this information is proprietary and guarded.

2. Visual Inspection and Board Exploration

Carefully examine the device’s PCB under magnification. Look for:

  • Unpopulated Headers: Small, unpopulated 2-pin, 4-pin, or 6-pin headers are prime candidates for debug interfaces.
  • Test Points (T_POINTS): Tiny circular pads, often unlabeled or labeled with generic codes like ‘TPxx’. These are frequently used during manufacturing for testing.
  • Clustered Vias/Pads: A cluster of 2-5 vias or pads near the main System-on-Chip (SoC) often indicates potential debug interfaces.
  • Common Patterns: Some manufacturers follow specific patterns for debug headers (e.g., Qualcomm often has specific layouts for their JTAG/SWD test points).

Remember that SWD requires at least SWDIO, SWCLK, GND, and often VCC (for level shifting/powering the debug interface itself). An optional SWO (Serial Wire Output) pin provides trace capabilities.

3. Electrical Identification with a Multimeter and Oscilloscope

Once you’ve identified candidate pins, you’ll need to confirm their function:

  1. Ground (GND): Easily identified by continuity with the metal shielding or known ground planes.
  2. Power (VCC): Look for a stable voltage (e.g., 1.8V, 2.8V, 3.3V) when the device is powered on.
  3. SWDIO and SWCLK: These are the trickiest.
    • SWCLK: Will typically show a clock signal (square wave) when the debugger attempts to connect.
    • SWDIO: A bidirectional data line. It might show some activity during boot or when the debugger attempts communication.

Start with a multimeter to find GND and VCC. Then, use an oscilloscope to probe suspected SWDIO/SWCLK lines while powering on the device or attempting to connect a debugger. Look for pulsed activity. Sometimes, the SoC will momentarily enable SWD during boot, offering a brief window for detection.

Hardware Interfacing: Connecting Your Debugger

Required Tools

  • SWD Debugger: J-Link EDU/PRO, ST-Link v2/v3, or an OpenOCD-compatible FT2232H-based debugger (e.g., Olimex ARM-USB-TINY-H).
  • Fine-Gauge Wires: Kynar wire (30AWG) is excellent for delicate soldering.
  • Soldering Iron: With a very fine tip.
  • Flux: Essential for clean solder joints.
  • Magnifying Glass/Microscope: Highly recommended for precision soldering.
  • Multimeter: For continuity checks.

Connecting the Probe

Carefully solder the wires from your debugger to the identified SWD pads on the Android device. Ensure good mechanical and electrical connections. Common connections are:

  • SWDIO: To the debugger’s SWDIO pin
  • SWCLK: To the debugger’s SWCLK pin
  • GND: To the debugger’s GND pin (and device’s GND)
  • VTref (optional but recommended): Connect a voltage reference from the device (e.g., 1.8V or 3.3V logic VCC) to the debugger’s VTref pin. This allows the debugger to correctly sense the target’s logic levels.

Setting Up OpenOCD

Open On-Chip Debugger (OpenOCD) is a free and open-source tool that provides debugging, in-system programming, and boundary-scan testing for embedded systems. It acts as an intermediary between your debugger hardware and GDB.

1. Installation

On most Linux distributions, OpenOCD can be installed via the package manager:

sudo apt update sudo apt install openocd

For Windows or macOS, refer to the OpenOCD documentation for installation instructions.

2. OpenOCD Configuration

You’ll need an OpenOCD configuration file (`openocd.cfg`) that specifies your debugger interface and the target CPU. A generic setup for an ARM Cortex-A core commonly found in Android devices might look like this:

# interface/debugger.cfg - e.g., jlink.cfg, stlink.cfg, ft2232h.cfg # Adjust based on your specific debugger interface/jlink.cfg # Or for ST-Link: # interface/stlink-v2.cfg # Or for an FT2232H based debugger (adjust layout if needed): # interface/ftdi/jtag-lockstep.cfg # ftdi_vid_pid 0x0403 0x6010 # ftdi_layout_init 0x0008 0x000b # ftdi_layout_signal SWD_EN -data 0x0000 # ftdi_layout_signal nSRST -data 0x0010 # ftdi_layout_signal nTRST -data 0x0020  transport select swd  # Target configuration for a generic ARM Cortex-A target/arm_cortex_a.cfg  # Adjust working area (RAM) and target core parameters if known set _TARGETNAME arm_cortex_a # set _ENDIAN little set _CPUTAPID 0x4BA00477 # Example ARM Cortex-A IDCODE (often varies by specific SoC)  # Optional: For targets that require specific reset configuration # reset_config srst_only srst_nogate connect_assert_srst  # Configure GDB server gdb_port 3333 telnet_port 4444 tcl_port 6666  # Optionally set target voltage if your debugger doesn't auto-detect # adapter_khz 1000 # Max speed usually depends on cable length and target VCC

You will need to replace `interface/jlink.cfg` with the appropriate configuration for your specific debugger. The `target/arm_cortex_a.cfg` is a good starting point for Android SoCs, but some platforms might require more specific configurations (e.g., `target/stm32f4x.cfg` for an ST device, though less common in primary Android SoCs).

3. Running OpenOCD

Navigate to the directory containing your `openocd.cfg` file and run:

openocd -f openocd.cfg

If successful, OpenOCD will start, listen on the specified GDB port (3333), and indicate that it’s waiting for GDB connections. You should see output indicating successful connection to your debugger and recognition of the ARM core.

Debugging with GDB

Once OpenOCD is running, you can connect to it using an ARM-specific GDB client. For Android devices, you’ll typically use `arm-none-eabi-gdb` or the GDB provided with the Android NDK toolchain.

1. Connecting GDB

Open a new terminal and launch GDB:

arm-none-eabi-gdb

Inside GDB, connect to the OpenOCD server:

(gdb) target remote localhost:3333

If the connection is successful, GDB will attempt to read the target’s state.

2. Initial Debugging Steps

When you connect GDB, the CPU might already be running. It’s often useful to halt it immediately to gain control:

(gdb) monitor reset halt

This command instructs OpenOCD to issue a reset and then halt the CPU. Now you can use standard GDB commands:

  • `info registers`: Display the contents of all CPU registers.
  • `x/i $pc`: Disassemble the instruction at the program counter.
  • `break *0xADDRESS`: Set a breakpoint at a specific memory address.
  • `continue`: Resume execution.
  • `stepi`: Step a single instruction.
  • `step`: Step a single line of source code (if source is loaded).

3. Memory Access and Dumps

One of the most powerful uses of SWD is to dump memory regions, especially the bootloader or firmware. OpenOCD provides commands to read and write memory directly.

(gdb) monitor dump_image bootloader.bin 0x0 0x80000 (gdb) monitor flash dump_image firmware.bin 0xADDRESS 0xSIZE

The `dump_image` command saves a raw binary dump of a specified memory region. You’ll need to know the start address and size of the region you want to dump. For bootloaders, this often starts at address 0x0 or a known flash base address and extends for several kilobytes or megabytes.

4. Bypassing Security and Challenges

Debugging on locked Android devices presents significant challenges beyond simply finding SWD pins:

  • Secure Boot: Devices often implement secure boot, which verifies the integrity of firmware components during startup. Modifying bootloaders can brick the device.
  • TrustZone: ARM TrustZone creates a ‘secure world’ and a ‘normal world’. Standard debuggers often only have access to the normal world, making it difficult to debug trusted firmware (TF-A, TEE).
  • Debug Authentication: Some SoCs require a special authentication sequence or key to enable full debug access.

While SWD gives you a foothold, bypassing these advanced security features requires deep understanding of the specific SoC and its boot process. However, even with these limitations, SWD can be invaluable for analyzing early boot stages, dumping critical firmware components, and understanding device behavior before the full Android OS loads.

Practical Example: Dumping a Locked Bootloader

Let’s consider a scenario where you’ve identified SWD pins on an Android device with a locked bootloader, and you want to extract the first stage bootloader (FSBL) for analysis.

  1. Solder Connections: Solder SWDIO, SWCLK, GND, and VTref to your debugger.
  2. Power On Device: Connect the Android device’s power supply but do not power it on yet.
  3. Start OpenOCD: Execute openocd -f openocd.cfg in your terminal. Ensure it reports successful connection to the target.
  4. Connect GDB: In a separate terminal, run arm-none-eabi-gdb and connect with target remote localhost:3333.
  5. Power On Android Device and Halt: Power on the Android device. Immediately in GDB, issue monitor reset halt. The goal is to halt the CPU as early as possible, ideally before any debug protections kick in. You might need to experiment with timing, possibly even holding the reset line low until GDB is ready.
  6. Identify Bootloader Region: Based on SoC documentation (if available) or common ARM boot patterns, assume the FSBL starts at address 0x0 in the internal flash/ROM and has a size of 0x40000 bytes (256KB).
  7. Dump Image: Use the OpenOCD `dump_image` command via GDB:
(gdb) monitor dump_image fsbl_dump.bin 0x0 0x40000

This will save the first 256KB from the target’s memory space to `fsbl_dump.bin`. You can then analyze this binary using reverse engineering tools like Ghidra or IDA Pro.

Conclusion

While JTAG might be fading from the Android hardware reverse engineering landscape, SWD offers a powerful and often overlooked alternative. By understanding how to locate these elusive pins, set up OpenOCD, and utilize GDB, researchers can unlock a wealth of low-level access to otherwise locked-down Android devices. The journey might involve intricate soldering and careful electrical probing, but the insights gained into boot processes, firmware vulnerabilities, and system security are invaluable. Embracing SWD debugging is a crucial skill for anyone serious about dissecting modern embedded systems.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Reverse Engineering #GDB #Hardware Hacking #OpenOCD #SWD Debugging

Related Technical Guides

From Raw Dump to Decrypted Data: Post-Acquisition Analysis of Android eMMC Memory

May 29, 2026

From Firmware to Function: Advanced Techniques for TrustZone Cryptographic Primitive Reverse Engineering

May 30, 2026

From Raw Dump to Filesystem: Reconstructing Android Data Post-eMMC Chip-Off

May 30, 2026