Introduction to JTAG and Android SoC Reverse Engineering
JTAG, or Joint Test Action Group (IEEE 1149.1), is a standard interface originally designed for boundary-scan testing of printed circuit boards (PCBs) during manufacturing. For hardware reverse engineers, however, the same four-wire port is also the physical transport to the SoC's debug logic: on ARM-based parts, the CoreSight Debug Access Port (DAP), which exposes memory, registers and CPU run control independently of whatever software is executing. On Android devices built around Snapdragon or Exynos SoCs this can bypass software-level protections entirely, with one important caveat: production units normally have the debug port locked by fuses or by secure-boot policy, so the techniques here apply mainly to development boards, engineering samples and unfused retail units. This guide covers using that debug access (JTAG as the transport, rather than boundary scan itself) to dump firmware, analyze the secure-boot process, and potentially recover sensitive secrets from Android SoCs.
Prerequisites: Setting Up Your Android RE Lab
Before diving into the intricate world of JTAG, ensure you have the necessary hardware and software:
Hardware Requirements:
- Target Android Device: An Android smartphone or tablet, preferably a spare device. Devices with exposed JTAG test points or accessible traces simplify the process.
- JTAG Debugger: A reliable JTAG adapter (e.g., Segger J-Link, Olimex ARM-USB-TINY-H, Bus Blaster v3 based on FT2232H, or Xilinx Platform Cable).
- Soldering Equipment: Fine-tip soldering iron, thin magnet wire (30-32 AWG), solder paste/flux, desoldering braid.
- Inspection Tools: Microscope (highly recommended for fine-pitch soldering), multimeter for continuity checks, logic analyzer (optional, for signal integrity verification).
- Power Supply: Regulated DC power supply to power the target device, potentially separate from its battery.
Software Requirements:
- OpenOCD (Open On-Chip Debugger): The open-source tool that interfaces with your JTAG debugger and the target SoC.
- GNU GDB (GNU Debugger): For advanced debugging and breakpoint setting via OpenOCD.
- Hex Editor/Disassembler: Tools like Ghidra or IDA Pro for analyzing dumped firmware.
Locating and Connecting to JTAG Test Access Port (TAP) Pins
The most challenging initial step is usually identifying and connecting to the JTAG Test Access Port (TAP) pins on the target device's PCB. Standard JTAG needs four mandatory signals plus an optional reset (some SoCs instead, or additionally, expose the same debug port over two-wire Serial Wire Debug, SWCLK/SWDIO, which OpenOCD selects with `transport select swd`):
- TDI (Test Data In): Serial data input to the scan chain.
- TDO (Test Data Out): Serial data output from the scan chain.
- TCK (Test Clock): Clock signal for the JTAG state machine.
- TMS (Test Mode Select): Controls the state transitions of the JTAG controller.
- TRST (Test Reset): (Optional) Asynchronous reset for the JTAG controller.
Identification Methods:
- Schematics/Board Views: If leaked schematics or board view files are available for your device, these are the most straightforward way to pinpoint JTAG test points.
- Visual Inspection: Look for unpopulated 4- or 5-pin headers, small clusters of test pads, or vias near the SoC. JTAG lines often carry pull resistors: IEEE 1149.1 requires the TAP to treat undriven TMS and TDI as logic 1, so those two are commonly pulled up, while TCK is commonly pulled down.
- Continuity Testing: With a multimeter in continuity mode, first identify ground pads (continuity to a known ground such as a shield can) and, with the device powered, pads sitting at a steady supply voltage (1.8 V or 3.3 V), so both can be excluded. Tracing a pad back to the SoC's own balls is rarely possible on a BGA package, so the remaining pads in a cluster near the SoC are your candidates. A logic analyzer on the candidates during boot only helps if some firmware actually drives the port (you would then see a clock burst on TCK and state changes on TMS); on a quiet TAP, the conclusive test is to drive the pins yourself and shift out an IDCODE, which tools such as the JTAGulator or the JTAGenum sketch automate by trying pin permutations.
Physical Connection:
Once identified, carefully solder thin wires to the JTAG pads/vias and keep them short, since long unshielded leads degrade signal integrity at anything beyond a few hundred kHz of TCK. Connect the wires to your JTAG debugger, ensuring correct pin mapping (TDI to TDI, TDO to TDO, etc.) and matching voltage levels: mobile SoC I/O is usually 1.8 V, occasionally 3.3 V, so feed the adapter's VTref/VREF pin from the target's I/O rail so its level shifter uses the right voltage, and confirm the adapter tolerates 1.8 V I/O before connecting; driving a 1.8 V pad with a 3.3 V adapter can damage the SoC. A solid ground connection between adapter and target is critical for stable operation. Start OpenOCD at a low adapter speed and raise it only once the IDCODE reads back reliably.
Configuring OpenOCD for Snapdragon/Exynos SoCs
OpenOCD requires a configuration script (`.cfg`) tailored to your JTAG debugger and the target SoC. Most Snapdragon and Exynos SoCs use ARMv7-A or ARMv8-A cores (Cortex-A parts or vendor-customized derivatives) behind a standard ARM CoreSight debug port, so OpenOCD's `cortex_a` (ARMv7-A) and `aarch64` (ARMv8-A) target types apply; what differs per SoC is the IDCODE, the access-port index and the per-core debug and CTI base addresses, all of which can be read from the CoreSight ROM table.
```tcl
# Example OpenOCD Configuration (generic for ARMv8-A Cortex-A)
# Adjust 'interface' and 'ftdi' settings based on your specific JTAG adapter
# For a Bus Blaster v3 (FT2232H)
# Note: 'interface' and 'ftdi_device_desc' are the legacy spellings; OpenOCD 0.11+
# uses 'adapter driver ftdi' and 'ftdi device_desc'.
interface ftdi
ftdi_device_desc
```
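The following is an added, complete configuration for the setup described in this section (Bus Blaster v3 driving an ARMv8-A SoC); it is not the page's own config and not taken from any vendor. It also serves the pin-identification step above by decoding the IDCODE that `init` reports into its IEEE 1149.1 fields, which is the quickest check that the pads you soldered really are a TAP and not a swapped TDI/TDO pair. Everything marked as a placeholder is an assumption: the chip name `soc`, the access-port index, the debug and CTI base addresses, the boot-ROM range in the usage comment, and the helper procs `decode_idcode` and `dump_region`. The IDCODE `0x4BA00477` is the common ARM CoreSight JTAG-DP identifier (ARM's JEP106 code `0x23B`); your part may report something else, in which case OpenOCD warns on mismatch.

```tcl
# Added example: a complete OpenOCD config for a Bus Blaster v3 on an ARMv8-A SoC.
# Not the page's own listing. Every value marked "placeholder" is an assumption
# and must be read from the CoreSight ROM table (`dap info`) for your chip.

# --- Adapter: Bus Blaster v3 (FT2232H). This file ships with OpenOCD and sets
#     the FTDI VID/PID, channel and pin layout, so nothing else is needed here.
source [find interface/ftdi/dp_busblaster.cfg]
transport select jtag

# Start slow: magnet-wire leads degrade signal integrity. Raise the clock only
# once `init` reliably reports the expected IDCODE.
adapter speed 500

# The target's TRST/SRST wiring is unknown, so assume neither is connected.
reset_config none

set _CHIPNAME soc   ;# placeholder name

# ARM CoreSight JTAG-DP: 4-bit IR, IDCODE 0x4BA00477 (JEP106 manufacturer 0x23B = ARM).
# Most ARM DAPs report this ID regardless of SoC vendor; if yours differs, put
# in whatever a first `init` run prints (a mismatch is only a warning).
jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id 0x4BA00477
dap create $_CHIPNAME.dap -chain-position $_CHIPNAME.cpu

# Placeholders: APB-AP index and per-core debug/CTI base addresses from the ROM table.
set _AP_NUM  1
set _DBGBASE 0x80010000
set _CTIBASE 0x80020000

cti create $_CHIPNAME.cti0 -dap $_CHIPNAME.dap -ap-num $_AP_NUM -baseaddr $_CTIBASE
target create $_CHIPNAME.core0 aarch64 -dap $_CHIPNAME.dap -ap-num $_AP_NUM \
    -coreid 0 -dbgbase $_DBGBASE -cti $_CHIPNAME.cti0

# Split a raw 32-bit IDCODE into its IEEE 1149.1 fields:
#   bit 0 must be 1; bits 1-11 manufacturer (JEP106); 12-27 part; 28-31 version.
# All-zero or all-one values mean TDO is floating or stuck, i.e. wrong pins.
proc decode_idcode {id} {
    set lsb  [expr {$id & 1}]
    set mfg  [expr {($id >> 1) & 0x7ff}]
    set part [expr {($id >> 12) & 0xffff}]
    set ver  [expr {($id >> 28) & 0xf}]
    if {$lsb != 1 || $id == 0 || $id == 0xffffffff} {
        return "invalid IDCODE 0x[format %08x $id]: check TDI/TDO swap, TCK and ground"
    }
    return [format "mfg=0x%03x part=0x%04x ver=%d" $mfg $part $ver]
}

# Halt the core and copy [base, base+len) to a file for Ghidra/IDA.
# Boot ROM and on-chip SRAM are the usual first targets; DRAM is only
# meaningful once the bootloader has initialised the memory controller.
proc dump_region {file base len} {
    halt
    dump_image $file $base $len
    echo "wrote $len bytes from 0x[format %08x $base] to $file"
}

# Usage from the telnet console (port 4444) after `init`:
#   decode_idcode 0x4ba00477                     ;# -> mfg=0x23b part=0xba00 ver=4
#   dump_region bootrom.bin 0x00000000 0x20000   ;# placeholder range
```

Run it with `openocd -f this.cfg`, then connect with `telnet localhost 4444` (or point GDB at port 3333). If `init` prints `JTAG scan chain interrogation failed` or an IDCODE that `decode_idcode` rejects, fix the wiring before touching anything else: a reversed TDI/TDO pair and a missing ground produce exactly those symptoms.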