Introduction: Unlocking Android SoCs with Custom JTAG

Joint Test Action Group (JTAG), standardized as IEEE 1149.1, is an essential interface for debugging, testing, and programming embedded systems, particularly System-on-Chips (SoCs). While commercial JTAG adapters are readily available, specialized scenarios, especially in Android SoC reverse engineering, often demand custom solutions. This guide delves into the practical aspects of building your own JTAG adapter, tailored for the unique challenges of modern Android devices, from identifying elusive test points to managing varying voltage levels.

Android SoCs often feature complex boot sequences, secure boot mechanisms, and deeply embedded components that are difficult to access through conventional software methods. JTAG provides a low-level, hardware-centric access point, allowing for boundary scan operations, memory inspection, and even code execution bypassing higher-level firmware protections. A custom adapter offers unparalleled flexibility, cost-effectiveness, and the ability to adapt to non-standard JTAG pinouts or voltage requirements often encountered in consumer electronics.

Understanding JTAG Fundamentals

At its core, JTAG operates via a Test Access Port (TAP) controller, which uses four mandatory signals and one optional signal:

• TCK (Test Clock): Synchronizes the internal state machine.
• TMS (Test Mode Select): Controls the TAP controller’s state transitions.
• TDI (Test Data In): Serial data input for instructions and data.
• TDO (Test Data Out): Serial data output from the scan chain.
• TRST (Test Reset): Optional asynchronous reset for the TAP controller.

The boundary scan chain allows sequential data shifting into and out of the SoC’s internal registers, enabling control and observation of internal signals without physical probing of individual pins.

Choosing the Right Brain: The FT2232H

The FTDI FT2232H is a versatile USB-to-UART/FIFO/JTAG/SPI/I2C converter IC, making it an excellent candidate for the heart of our custom JTAG adapter. Its dual multi-protocol synchronous serial engine (MPSSE) allows for bit-banging JTAG protocols at high speeds (up to 30MHz TCK). Modules based on the FT2232H, such as the CJMCU-2232H or various breakout boards, simplify the PCB design significantly.

Essential Components List

• FT2232H Breakout Board: The core of the adapter.
• Bidirectional Voltage Level Shifters (e.g., TXB0108, SN74LVCC3245A): Crucial for interfacing 3.3V/5V FT2232H with potentially 1.8V or 1.2V Android SoC JTAG lines.
• Resistors (10kΩ pull-ups/pull-downs): For JTAG signals like TMS, TDI, and TRST to ensure stable states.
• Capacitors (0.1µF, 10µF): For power supply decoupling.
• JTAG Connector (e.g., 20-pin ARM standard, or custom header): For connecting to the target SoC.
• Prototyping Board (Perfboard or custom PCB): To assemble components.
• USB Mini-B/Micro-B Cable: For connecting to host PC.
• Fine-gauge hook-up wire and soldering equipment.

Schematic Design and Assembly

The primary challenge in JTAG interfacing with Android SoCs is voltage matching. Most modern SoCs operate at low core voltages (e.g., 1.2V, 1.8V), while the FT2232H typically operates at 3.3V. Directly connecting these can damage the SoC. Bidirectional level shifters are indispensable.

Wiring Diagram (Conceptual)

FT2232H Module               Voltage Level Shifter      Android SoC JTAG Header (Target)       (3.3V I/O)                   (VCCA=1.8V, VCCB=3.3V)   (1.8V I/O)TCK (ADBUS0)  --> A1 <--> B1 --> TCK (JTAG_CLK)TMS (ADBUS1)  --> A2 <--> B2 --> TMS (JTAG_MODE)TDI (ADBUS2)  --> A3 <--> B3 --> TDI (JTAG_DATA_IN)TDO (ADBUS3)  <-- A4 <--> B4 <-- TDO (JTAG_DATA_OUT)TRST (ADBUS4) --> A5 <--> B5 --> TRST (JTAG_RESET)GND           ----------------------------------> GNDVCCA (1.8V)  <-- (From Target SoC)      (Power from Target for Level Shifter)VCCB (3.3V)  <-- (From FT2232H 3.3V Output)

Physical Assembly Steps:

1. Mount the FT2232H Module: Solder the FT2232H breakout board onto your perfboard. Ensure good power and ground connections.
2. Integrate Level Shifters: Place the chosen bidirectional level shifter ICs. Connect their low-voltage side (e.g., VCCA) to the target SoC’s JTAG supply voltage (often available near the JTAG pads), and their high-voltage side (VCCB) to the FT2232H’s 3.3V output.
3. Wire JTAG Signals: Connect the JTAG signals (TCK, TMS, TDI, TDO, TRST) from the FT2232H (typically ADBUS0-4 for channel A) to the high-voltage side of the level shifters. Then, connect the low-voltage side of the shifters to your chosen JTAG connector.
4. Add Pull-up/Pull-down Resistors: It’s good practice to add 10kΩ pull-up resistors to TMS and TRST on the target side of the level shifter, and a pull-down resistor to TDO if the target doesn’t actively drive it when not in JTAG mode.
5. Power Supply: The FT2232H will be powered by USB. Ensure the level shifter receives its VCCA from the target’s VCC_JTAG to correctly match the logic levels.

Software Setup and OpenOCD Configuration

Once the hardware is assembled, the next step is to configure your host PC and OpenOCD (Open On-Chip Debugger).

1. FTDI Drivers

Install the necessary FTDI D2XX drivers for your operating system. For Linux, ensure that the `libftdi` library is installed and that your user has permissions to access USB devices (e.g., via udev rules).

# Example udev rule for Linux (create in /etc/udev/rules.d/)SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6010", MODE="0666", GROUP="plugdev"

2. OpenOCD Installation

Download and compile OpenOCD from source, or install it via your distribution’s package manager. Ensure it’s compiled with FTDI support.

3. OpenOCD Configuration Script

Create a custom OpenOCD configuration file (e.g., android_soc_adapter.cfg). This file will define your FT2232H adapter and how it connects to the target.

# Adapter configuration for FT2232Hinterface ftdi# FT2232H device configuration. Adjust serial if you have multiple.ftdi_device_desc "FT2232H"ftdi_vid_pid 0x0403 0x6010# Channel A for JTAGftdi_channel 0ftdi_layout_init 0x0008 0x000bftdi_layout_signal nTRST -data 0x0010 -noe ftdi_layout_signal nSRST -data 0x0020 -noe# JTAG speed and reset configurationadapter_khz 10000 # 10 MHz JTAG clockjtag_speed 0 # Auto-negotiate or fixed speedjtag_ntrst_delay 100jtag_nsrst_delay 100# Target specific configuration (example for a generic ARMv7/v8)set _TARGETNAME arm.cpu_jtag_vref 1.8 # Set JTAG voltage reference to 1.8V if applicableset _CHIPNAME android_soc_target# Specify the TAP you're trying to connect to (will vary by SoC)# If the SoC has multiple TAPs, you'll need to chain them.# This is a placeholder; actual IDCODE and IR length must be found via reverse engineering.# If the core is identified, OpenOCD might find it automatically.# For instance:jtag newtap $_CHIPNAME cpu -irlen 4 -expected-id 0xXXXXXXXX# You'll need to find the correct JTAG IDCODE for your specific SoC.target create $_TARGETNAME armv7a -chain-position $_CHIPNAME.cpu -variant cortex-a -endian little -ap-0 0xXXXXXXXX # Example APB base address

Finding the correct JTAG IDCODE and IR length often requires datasheet analysis, experimenting with different IR lengths, or using a JTAG enumerator. For Android SoCs, these details are rarely publicly available and might necessitate physical probing with an oscilloscope or logic analyzer to identify the TAP architecture.

Testing and Validation

With the hardware built and software configured, it’s time to test.

openocd -f android_soc_adapter.cfg

Look for output indicating successful JTAG chain detection and IDCODE reading. If errors occur:

• `JTAG scan chain interrogation failed`: Check wiring, level shifters, and power to the target SoC. Ensure target is powered on.
• `TRST/SRST line state`: Verify pull-up/pull-down resistors and proper level shifting for reset lines.
• Incorrect IDCODE: Double-check target JTAG pinout and try different irlen values in OpenOCD.

Once you establish a stable JTAG connection, you can issue commands:

# From OpenOCD command line or telnet (port 4444)targetsinitresetinittargetsinitflash probe 0# Dump memorymdw 0xXXXXXXXX 0x100 # Read 0x100 words from address 0xXXXXXXXX

Practical Applications in Android SoC RE

A custom JTAG adapter opens up several avenues for Android SoC reverse engineering:

• Bootloader Bypass: Gain control before the main OS boots to dump early boot stages or modify boot parameters.
• Firmware Extraction: Dump NAND/eMMC flash contents directly for offline analysis, bypassing OS-level protections.
• Live Debugging: Attach GDB to running processes or kernel code for dynamic analysis, understanding execution flow, and identifying vulnerabilities.
• Hardware Analysis: Use boundary scan to identify unknown pins, test internal logic, or verify component functionality.

By building and configuring your own JTAG adapter, you gain an unparalleled low-level insight into Android SoCs, essential for deep-dive security research, vulnerability discovery, and understanding proprietary hardware designs.