Android Hardware Reverse Engineering

Hacking Android SoCs: Manipulating Internal Registers via JTAG Boundary Scan Explained

By Antigravity Research Published May 30, 2026 ⏱️ 8 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: Unlocking Android SoCs with JTAG

Modern Android Systems-on-Chip (SoCs) are incredibly complex, integrating multiple CPU cores, GPUs, memory controllers, and a myriad of peripheral components onto a single die. Gaining low-level access to these intricate systems is paramount for hardware reverse engineering, security analysis, and advanced debugging. While JTAG (Joint Test Action Group), formally IEEE 1149.1, is widely known for its boundary scan capabilities – enabling the testing of interconnects on printed circuit boards – its true power for SoC exploration lies in its role as a versatile debug interface. This article will delve into how JTAG, particularly when combined with architectures like ARM’s CoreSight, can be leveraged to not only observe I/O pins but also to manipulate the internal registers of an Android SoC.

Understanding JTAG Fundamentals

JTAG defines a standard interface for communicating with integrated circuits. At its core, it uses a Test Access Port (TAP) controller, a state machine that orchestrates various operations. The TAP communicates via four mandatory signals and one optional signal:

  • TCK (Test Clock): Synchronizes data movement within the JTAG logic.
  • TMS (Test Mode Select): Controls the state transitions of the TAP controller.
  • TDI (Test Data In): Serial input for data and instructions shifted into the device.
  • TDO (Test Data Out): Serial output for data shifted out of the device.
  • TRST (Test Reset, optional): Asynchronously resets the TAP controller.

JTAG operations involve shifting data into either the Instruction Register (IR) or various Data Registers (DR). Instructions loaded into the IR dictate which data register will be selected for subsequent data shifts, allowing specific tests or debug operations to be performed.

JTAG Boundary Scan: Pin-Level Control

The original and perhaps most direct application of JTAG is boundary scan. Each digital I/O pin on a JTAG-compliant chip is surrounded by a Boundary Scan Cell (BSC). These cells can be configured to:

  • Observe: Read the current state of an input pin without affecting its function.
  • Control: Drive a specific logic level onto an output pin, overriding its normal function.
  • Bypass: Shorten the data path through the device for faster testing of other devices in the JTAG chain.

The primary instructions for boundary scan include:

  • EXTEST: Enables external testing, allowing control over output pins and observation of input pins.
  • SAMPLE/PRELOAD: Allows observation of pin states (SAMPLE) or loading of data into BSCs (PRELOAD) without affecting the normal operation of the device.

The structure and capabilities of a device’s boundary scan chain are typically described in a Boundary Scan Description Language (BSDL) file. These files are invaluable, providing a machine-readable format for the JTAG instruction set, pin mappings, and boundary register definitions. Unfortunately, for many proprietary Android SoCs, official BSDL files are not publicly available, making pin identification and custom instruction development a significant reverse engineering challenge.

The Bridge to Internal Registers: JTAG and ARM CoreSight

While boundary scan focuses on I/O pins, the true power for deep SoC manipulation comes from JTAG’s role as the transport layer for debug architectures like ARM’s CoreSight. CoreSight is a comprehensive debug and trace solution integrated into most modern ARM-based SoCs. It exposes various Debug Access Ports (DAPs) that allow external debuggers to interact with the CPU cores, memory, and peripheral subsystems.

Here’s how JTAG acts as the conduit:

  1. The JTAG TAP controller communicates with a Debug Port (DP), often a JTAG-DP (JTAG Debug Port) or SWJ-DP (Serial Wire JTAG Debug Port).
  2. The DP, in turn, provides access to multiple Access Ports (APs). These APs are responsible for accessing specific buses or memory regions within the SoC. Common APs include the AHB-AP (for ARM’s AMBA High-performance Bus) and APB-AP (for ARM’s Advanced Peripheral Bus).
  3. By selecting an appropriate AP, the debugger can then read from or write to memory-mapped registers belonging to the CPU (e.g., control registers, system registers), peripherals (e.g., GPIO controllers, timers, power management units), or even arbitrary memory locations.

This means that while JTAG boundary scan directly deals with physical pins, the JTAG interface as a whole provides the low-level serial communication necessary to traverse the CoreSight debug bus and interact with internal SoC components.

Practical Steps: Manipulating Registers via JTAG with OpenOCD

This section outlines a general approach using OpenOCD (Open On-Chip Debugger) to access internal SoC registers via JTAG.

1. Identifying JTAG Test Points

Finding the JTAG pins on an Android device’s PCB is the first critical step. Look for:

  • Unpopulated headers (e.g., 20-pin ARM JTAG, 10-pin JTAG/SWD).
  • Small test pads (often labeled with `TDI`, `TDO`, `TCK`, `TMS`, `TRST`, `GND`, `VCC`).
  • Clues from datasheets or public schematics for similar SoCs/boards.
  • Continuity testing with a multimeter from known test points to the SoC package if no clear labels are present.

2. Setting Up Your Hardware

You’ll need a JTAG adapter. Popular choices include:

  • FT2232H-based adapters: Such as the Bus Blaster or custom boards, supported by OpenOCD.
  • Segger J-Link: A widely used and powerful commercial debugger.
  • ST-Link/V2: Often used for STM32, but some versions can be adapted for generic JTAG.

Connect your JTAG adapter’s signals (TCK, TMS, TDI, TDO, VCC, GND, and optional TRST) to the identified test points on your target Android device. Ensure proper voltage levels (e.g., 1.8V, 3.3V) and power the target device.

3. Configuring OpenOCD

OpenOCD requires a configuration file (`.cfg`) to define your JTAG adapter, target SoC, and debug interface. A typical configuration for an ARM Cortex-A based SoC might look like this (simplified):

# interface configuration (e.g., for FT2232H)finterface ftdi# set the adapter speedadapter_khz 10000# JTAG scan chain parametersjtag_rclk 0# tell OpenOCD about the target SoC and its CoreSight componentssource [find target/stm32f4x.cfg] # Example, replace with your SoC's target config# For generic ARM Cortex-A:set CHIPNAME your_soc_name# DAP definition: This is where JTAG connects to the debug porttransport select jtag# This is crucial for accessing internal registers: a CoreSight Debug Port (DP) and Access Ports (AP)set _TARGETNAME $_CHIPNAME.cpu0# Example for a Cortex-A, adjust based on your SoC's architecture and CoreSight setup$_TARGETNAME configure -endian little -dbgbase 0x80000000# This configures the ARM Debug Access Port and its attached APs.target create $_TARGETNAME cortex_a -chain-position $_TARGETNAME# Optionally, configure reset and work areasreset_config srst_only# You might need to add specific CoreSight component configurations based on your SoC

4. Connecting and Scanning the JTAG Chain

Run OpenOCD with your configuration file:

openocd -f your_config.cfg

If successful, OpenOCD will start, and you can connect to its telnet interface from another terminal:

telnet localhost 4444

Inside the OpenOCD telnet console, perform initial checks:

> jtag_khz 5000  # Adjust speed if necessary> jtag arp_init  # Initialize JTAG scan chain> scan_chain     # Display detected JTAG devices

You should see output similar to:

IR length: 4Id: 0x4BA00477 (ARM Ltd. - Cortex-A7)

This indicates successful detection of the CPU’s JTAG IDCODE.

5. Accessing and Manipulating Internal Registers via DAP

With the JTAG chain established and the target device (CPU/DAP) recognized, you can now interact with internal registers. This is primarily done through the Debug Access Port (DAP) that JTAG provides access to.

First, select your target and halt the CPU if you intend to read/write core registers directly or access memory without interference:

> targets         # List available targets (e.g., $_CHIPNAME.cpu0)> target $_CHIPNAME.cpu0> halt            # Halt the CPU

Now, you can use OpenOCD commands to read and write memory-mapped registers or CPU core registers:

  • Reading a Peripheral Register: Assume a peripheral register is at memory address `0x12345000`.
    • > mdw 0x12345000 1   # Memory Display Word: read 1 word (32-bit) from address 0x123450000x12345000: 0x0000beef
  • Writing to a Peripheral Register: To set the register at `0x12345000` to `0xdeadbeef`.
    • > mww 0x12345000 0xdeadbeef # Memory Write Word: write 0xdeadbeef to 0x12345000
  • Reading a CPU Core Register: For example, reading the value of general-purpose register R0.
    • > reg r0          # Display value of register R0 (after halting the CPU)r0 (/32): 0x12345678
  • Writing to a CPU Core Register: To set R0 to `0xfeedface`.
    • > reg r0 0xfeedface # Set R0 to 0xfeedface

After performing operations, you can resume the CPU:

> resume          # Resume CPU execution

These commands leverage JTAG to communicate with the CoreSight DAP, which then accesses the target’s internal buses and registers. By strategically reading and modifying these registers, you can alter device behavior, bypass security mechanisms (if not properly protected), or gain deeper insights into the SoC’s operation.

Challenges and Limitations

  • Fused JTAG: Many production Android devices have JTAG physically or digitally disabled (e.g., eFuses blown) to prevent unauthorized access.
  • Custom Implementations: Some SoC vendors implement non-standard JTAG or debug interfaces, making initial identification and configuration difficult.
  • Lack of Documentation: The absence of public datasheets, BSDL files, and debug documentation for proprietary SoCs means significant effort in reverse engineering the JTAG chain and register maps.
  • Power Management: Keeping the target device powered and stable during JTAG operations can be challenging, especially for mobile devices.
  • Signal Integrity: Long or noisy JTAG connections can lead to unstable communication.

Conclusion

JTAG boundary scan, while powerful for board-level testing, serves as a foundational gateway for far more intrusive and insightful reverse engineering on Android SoCs. By understanding how JTAG interfaces with sophisticated debug architectures like ARM CoreSight, researchers and engineers can gain unparalleled access to internal CPU and peripheral registers. This capability unlocks a new dimension for security analysis, exploit development, and hardware debugging, offering a window into the otherwise opaque operations of complex mobile platforms, albeit often requiring considerable expertise and persistence to overcome the inherent challenges.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Hacking #CoreSight #Hardware Debugging #JTAG #SoC Reverse Engineering

Related Technical Guides

Uncovering Vulnerabilities: Security Analysis of Android WiFi/BT SPI Flash Firmware

May 30, 2026

eMMC Chip-Off Masterclass: Step-by-Step Data Recovery from Android Devices

May 30, 2026

PMIC Register Dumping & Analysis Lab: Uncovering Hidden Power States in Android Devices

May 29, 2026