Android Hardware Reverse Engineering

JTAG Boundary Scan for Android SoCs: A Practical Setup Guide for Hardware Reverse Engineers


Introduction: Unveiling Android SoC Secrets with JTAG Boundary Scan

The intricate world of Android System-on-Chips (SoCs) often presents a formidable challenge for hardware reverse engineers. Manufacturers employ various techniques to obscure internal functionalities, making traditional debugging difficult. This is where JTAG (Joint Test Action Group) with its boundary scan capabilities emerges as an indispensable tool. JTAG, standardized as IEEE 1149.1, provides a powerful serial interface primarily used for in-circuit testing and debugging. For hardware reverse engineering of Android SoCs, boundary scan extends its utility, allowing us to inspect and even manipulate the state of I/O pins directly at the chip’s periphery, often bypassing software-level protections.

This article serves as a practical guide to setting up and utilizing JTAG boundary scan for Android SoCs. We’ll cover the necessary hardware and software, detail the process of identifying elusive JTAG pins, and walk through basic boundary scan operations, empowering you to delve deeper into the hidden layers of Android device hardware.

The Power of Boundary Scan: Beyond Simple Debugging

While JTAG is widely known for debugging microcontrollers and processors, boundary scan specifically refers to a feature within the JTAG standard that allows for testing the interconnections between chips on a PCB. Each digital I/O pin on a compliant chip has a boundary scan cell, which can be configured to capture data from the pin, drive data onto the pin, or simply pass data through. This capability is revolutionary for reverse engineering:

  • Pinout Discovery: Identify the function of unknown pins on an SoC package.
  • Connectivity Testing: Verify traces between the SoC and other components.
  • State Manipulation: Force pins to specific states (high/low) to observe system behavior or interact with peripherals.
  • Bypassing Security: In some cases, boundary scan can expose or manipulate states that might allow bypassing bootloader security or similar mechanisms, especially during early boot phases.

Unlike traditional debugging that focuses on CPU registers and memory, boundary scan operates at the physical pin level, offering a unique perspective into the hardware’s operation.
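The capture, shift and update stages described above, as an added example that is not code from the article: a toy Python model of a boundary-scan register. SAMPLE/PRELOAD captures the live level of every pad into the chain (pinout discovery), EXTEST pushes the update latches onto the pads (state manipulation), and the two helpers deal with the bit ordering that trips people up when the chain is read through TDO. The pin names and the pull-up/pull-down levels are constructed, not taken from any real SoC.

```python
"""Toy model of an IEEE 1149.1 boundary-scan register.

Added example, not code from the article: it shows how SAMPLE/PRELOAD reads
the live level of every pad through the scan chain (pinout discovery) and how
EXTEST forces the update latches onto the pads (state manipulation). The pin
names and the external pull-up/pull-down levels are constructed.
"""
from dataclasses import dataclass


@dataclass
class BoundaryCell:
    name: str
    external: int = 0   # level the board (pull-up/down, another chip) puts on the pad
    shift_ff: int = 0   # capture/shift flip-flop on the TDI -> TDO path
    update: int = 0     # update latch; drives the pad while EXTEST is loaded


class BoundaryScanRegister:
    """Cells are chained TDI -> cells[0] -> ... -> cells[-1] -> TDO."""

    def __init__(self, names):
        self.cells = [BoundaryCell(n) for n in names]
        self.instruction = "SAMPLE"   # SAMPLE/PRELOAD leaves the pads untouched

    def pad_level(self, cell):
        # Under EXTEST the update latch drives the pad; otherwise the pad shows
        # whatever the board is doing with it.
        return cell.update if self.instruction == "EXTEST" else cell.external

    def capture_dr(self):
        # Capture-DR: every cell latches its pad level into the shift stage
        for c in self.cells:
            c.shift_ff = self.pad_level(c)

    def shift_dr(self, tdi_bits):
        """Shift-DR, one TCK per bit; returns the bits that appeared on TDO."""
        tdo = []
        for bit in tdi_bits:
            tdo.append(self.cells[-1].shift_ff)   # TDO presents the last cell
            for i in range(len(self.cells) - 1, 0, -1):
                self.cells[i].shift_ff = self.cells[i - 1].shift_ff
            self.cells[0].shift_ff = bit
        return tdo

    def update_dr(self):
        # Update-DR: shift stage -> update latch (pads unaffected until EXTEST)
        for c in self.cells:
            c.update = c.shift_ff

    def pad_levels(self):
        return {c.name: self.pad_level(c) for c in self.cells}


def sample_pins(reg):
    """Read every pad's current level without driving anything."""
    reg.instruction = "SAMPLE"
    reg.capture_dr()
    tdo = reg.shift_dr([0] * len(reg.cells))
    # The first bit out comes from the cell nearest TDO, so reverse into cell order
    return {c.name: lvl for c, lvl in zip(reg.cells, tdo[::-1])}


def drive_pins(reg, wanted):
    """Preload a pattern under SAMPLE/PRELOAD, then EXTEST forces it onto the pads."""
    reg.instruction = "SAMPLE"
    reg.capture_dr()
    pattern = [wanted[c.name] for c in reg.cells]
    # The first bit shifted in travels furthest (to the TDO end), so feed it reversed
    reg.shift_dr(pattern[::-1])
    reg.update_dr()
    reg.instruction = "EXTEST"
    return reg.pad_levels()


def build_demo_register():
    """Constructed board, not a real SoC: pull-ups on A, C, D and a pull-down on B."""
    reg = BoundaryScanRegister(["GPIO_A", "GPIO_B", "GPIO_C", "GPIO_D"])
    for c, lvl in zip(reg.cells, [1, 0, 1, 1]):
        c.external = lvl
    return reg


if __name__ == "__main__":
    reg = build_demo_register()
    print("SAMPLE:", sample_pins(reg))
    print("EXTEST:", drive_pins(reg, {"GPIO_A": 0, "GPIO_B": 1, "GPIO_C": 0, "GPIO_D": 1}))
```

On real silicon the cell order and the meaning of each bit come from the device's BSDL file; the model shows why that file matters: without it, the bits read back through TDO are just a reversed, anonymous vector.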

Essential Hardware Setup

To embark on your JTAG boundary scan journey, you’ll need a few key pieces of hardware:

  • JTAG Debugger/Adapter: This is the core interface between your PC and the target SoC. Popular choices include:
    • FT2232H-based adapters: Highly versatile and supported by OpenOCD (e.g., Bus Blaster, custom breakout boards). These often provide multiple JTAG channels.
    • SEGGER J-Link: Professional-grade, but typically more focused on debugging than raw boundary scan for unknown targets.
    • Bus Pirate: A multi-purpose tool that can act as a rudimentary JTAG adapter.
  • Logic Analyzer: Crucial for identifying JTAG pins when no documentation is available. A multi-channel logic analyzer (e.g., Saleae Logic, Open Bench Logic Sniffer) can capture and decode potential JTAG sequences.
  • Soldering Equipment: Fine-tip soldering iron, flux, solder, and thin gauge wires (e.g., AWG30 Kynar wire) are essential for connecting to small test points or directly to SoC pins.
  • Multimeter: For continuity checks and voltage measurements.
  • Target Android Device: An old smartphone or tablet is ideal for initial experimentation.

Software Toolkit

Your software arsenal will primarily consist of open-source tools:

  • OpenOCD (Open On-Chip Debugger): The de facto standard for JTAG interaction. It supports a wide range of JTAG adapters and targets, providing a flexible command-line interface.
  • UrJTAG: An alternative to OpenOCD, sometimes preferred for its ability to auto-detect TAPs or for systems not well-supported by OpenOCD.
  • Custom Scripts (Python): For automating sequences, parsing output, and more complex boundary scan operations, Python with libraries like pyocd or direct socket communication to OpenOCD is invaluable.

Step-by-Step Guide: Identifying JTAG Pins on an Android SoC

The most challenging part of JTAG reverse engineering is often locating the JTAG test access port (TAP) pins on a densely packed PCB: TCK, TMS, TDI and TDO are mandatory, while TRST and RTCK are optional and may not be brought out at all.

1. Visual Inspection & Schematics (If Available)

Start by visually inspecting the PCB for unpopulated headers, test pads, or vias near the SoC. Look for standard JTAG pin labels (e.g., TCK, TMS). If you have access to partial schematics or board views, this step becomes significantly easier.

2. Continuity Testing & Resistance Measurement

If you have a known JTAG pin on a similar SoC or a datasheet, you can use a multimeter in continuity mode to trace connections to test points. Measure resistance from suspect pads to ground and VCC; JTAG pins often have pull-up/pull-down resistors.

3. Logic Analyzer Assisted Pinout Discovery

This is often the most effective method when documentation is absent. Android SoCs typically initialize their JTAG TAPs during boot. Your goal is to capture this initialization sequence.

  1. Identify Potential Candidates: Look for groups of 4-6 small test pads or vias near the SoC. One is likely GND, another VCC (or VCC_IO).
  2. Connect Logic Analyzer: Attach several logic analyzer probes to these suspected pads. Also, connect probes to known power and ground points on the board.
  3. Power On Device & Capture: Start the logic analyzer capture just before powering on the Android device. Observe the captured waveforms.
  4. Look for JTAG Signatures:
    • TCK (Test Clock): A regular, oscillating clock signal.
    • TMS (Test Mode Select): Will toggle to specific patterns (e.g., 0b11111 for reset, 0b001 for Run-Test/Idle).
    • TDI (Test Data In): Data input, often driven by a JTAG master.
    • TDO (Test Data Out): Data output, changing in response to TCK and TDI.

    Many logic analyzer software packages have JTAG decoders that can help identify the signals once you’ve located TCK and TMS. Focus on identifying TCK first, then TMS toggling patterns.
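The signature search above (find TCK first, then look for TMS patterns) as an added example in Python, not code from the article or from any analyzer vendor. It classifies a constructed four-channel capture by hand: TCK is the channel that toggles most with the steadiest period, every other channel is sampled on TCK's rising edge, and a channel is called TMS only if its sampled bits force the IEEE 1149.1 TAP controller into Test-Logic-Reset (five or more ones) and then walk it into a Shift state. The state table is the standard 16-state TAP controller; the trace in `build_demo_capture()` is constructed, with 4 samples per TCK period and signals changing on TCK's falling edge.

```python
"""Classify a small logic-analyzer capture and decode the TAP states it implies.

Added example, not from the article or any analyzer vendor. The capture in
build_demo_capture() is constructed: 4 samples per TCK period, all channels
sampled together, signals changing on TCK's falling edge.
"""

# IEEE 1149.1 TAP controller: state -> (next if TMS=0, next if TMS=1)
TAP = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}


def walk_tap(tms_bits, start="Test-Logic-Reset"):
    """TAP state after each TMS bit (TMS is sampled on the rising edge of TCK)."""
    state, trail = start, []
    for bit in tms_bits:
        state = TAP[state][bit]
        trail.append(state)
    return trail


def transitions(samples):
    return sum(1 for a, b in zip(samples, samples[1:]) if a != b)


def rising_edges(samples):
    return [i for i in range(1, len(samples)) if samples[i - 1] == 0 and samples[i] == 1]


def find_tck(channels):
    """TCK: the channel that toggles most and with the most regular period."""
    best, best_score = None, None
    for name, s in channels.items():
        edges = rising_edges(s)
        if len(edges) < 2:
            continue
        periods = [b - a for a, b in zip(edges, edges[1:])]
        score = (transitions(s), -(max(periods) - min(periods)))  # many edges, low jitter
        if best_score is None or score > best_score:
            best, best_score = name, score
    return best


def sample_on_tck(channels, tck):
    """Sample every other channel on each rising edge of TCK."""
    edges = rising_edges(channels[tck])
    return {n: [s[i] for i in edges] for n, s in channels.items() if n != tck}


def looks_like_tms(bits):
    """TMS forces Test-Logic-Reset with >=5 ones (from any prior state) and then
    steers the TAP into Shift-IR/Shift-DR; data lines rarely spell out that path."""
    run = 0
    for i, b in enumerate(bits):
        run = run + 1 if b == 1 else 0
        if run >= 5:
            trail = walk_tap(bits[i + 1:], start="Test-Logic-Reset")
            return "Shift-IR" in trail or "Shift-DR" in trail
    return False


def classify(channels):
    """Return {channel: role} plus the bits of each non-TCK channel sampled per TCK."""
    tck = find_tck(channels)
    roles = {tck: "TCK"}
    sampled = sample_on_tck(channels, tck)
    for name, bits in sampled.items():
        if transitions(channels[name]) == 0:
            roles[name] = "static (power, ground or unused)"
        elif looks_like_tms(bits):
            roles[name] = "TMS"
        else:
            roles[name] = "data (TDI/TDO candidate)"
    return roles, sampled


def decode_tap_states(channels):
    """State trail of the TMS channel, walked from Test-Logic-Reset; valid here
    because the capture opens with the five-ones reset run."""
    roles, sampled = classify(channels)
    tms = next(n for n, r in roles.items() if r == "TMS")
    return walk_tap(sampled[tms])


def build_demo_capture():
    """Constructed trace (no real board): D0=TCK, D1=data-like line, D2=TMS, D3=GND."""
    tms_bits = [1, 1, 1, 1, 1, 0, 1, 1, 0, 0]   # reset, idle, then down to Shift-IR
    data_bits = [1, 1, 1, 1, 1, 1, 1, 1, 0, 1]  # long high run, but no TAP path
    n = len(tms_bits)
    hold = lambda bits: [b for b in bits for _ in range(4)]  # 1 bit per TCK period
    return {"D0": [0, 0, 1, 1] * n, "D1": hold(data_bits),
            "D2": hold(tms_bits), "D3": [0] * (4 * n)}
```

Running `classify(build_demo_capture())` labels D0 as TCK, D2 as TMS, D1 as a data candidate and D3 as static; `decode_tap_states` then gives the trail ending in Shift-IR. A long run of ones alone is not enough to identify TMS (D1 has one too), which is why the check walks the state machine after the reset run rather than just counting ones.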

Connecting Your JTAG Debugger

Once identified, carefully solder thin wires from your JTAG debugger to the respective test points on the Android device. Pay close attention to:

  • Ground (GND): Essential for a common reference.
  • VCC_REF (Target Voltage Reference): Connect this to the target’s I/O voltage (e.g., 1.8V or 3.3V) so the debugger knows the signal levels.
  • TCK, TMS, TDI, TDO, TRST (Test Reset): These are the primary JTAG signals. TRST is often optional but recommended for a clean reset.

Configuring OpenOCD for Boundary Scan

OpenOCD requires a configuration file (`.cfg`) to define the JTAG adapter and target. Here’s a basic example for an FT2232H-based adapter and a dummy TAP to get started:

```
# Minimal OpenOCD config for FT2232H for JTAG operations
interface ftdi
# Replace with your FTDI device description and VID/PID if different
ftdi_device_desc
```
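Once OpenOCD is up with a config like the one above, the "direct socket communication to OpenOCD" mentioned in the software toolkit looks like this. Added example, not OpenOCD's own code and not from the article: a minimal client for OpenOCD's Tcl RPC server (default TCP port 6666, every command and reply terminated by the byte 0x1a), a parser that pulls the IdCode column out of the `scan_chain` table, and a decoder that splits a 32-bit IEEE 1149.1 IDCODE into version, part number and JEP106 manufacturer code. The parser assumes the IdCode is the first 0x-prefixed 32-bit word on each row of that table; the `demo_offline()` reply is constructed so the whole thing runs without hardware, and its IDCODE is chosen to carry manufacturer 0x23B (the JEP106 code for ARM).

```python
"""Drive OpenOCD over its Tcl RPC socket from Python and decode the IDCODE of
each TAP it found.

Added example, not OpenOCD's code and not from the article. It assumes OpenOCD
is running with an adapter config loaded and its Tcl server on the default port
6666; the `scan_chain` reply used offline below is constructed.
"""
import socket

OPENOCD_TCL_PORT = 6666
TERMINATOR = b"\x1a"   # OpenOCD's Tcl server frames every command and reply with 0x1a


class OpenOcdTcl:
    """Minimal client for OpenOCD's Tcl RPC interface (one request, one reply)."""

    def __init__(self, sock):
        self.sock = sock
        self._buf = b""

    @classmethod
    def connect(cls, host="127.0.0.1", port=OPENOCD_TCL_PORT, timeout=5.0):
        return cls(socket.create_connection((host, port), timeout=timeout))

    def command(self, cmd):
        """Send one Tcl command and return its reply text."""
        self.sock.sendall(cmd.encode() + TERMINATOR)
        while TERMINATOR not in self._buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("OpenOCD closed the connection")
            self._buf += chunk
        reply, _, self._buf = self._buf.partition(TERMINATOR)
        return reply.decode(errors="replace")

    def close(self):
        self.sock.close()


def idcodes_from_scan_chain(text):
    """Pick the IdCode column (first 0x-prefixed 32-bit word per row) out of
    the table that OpenOCD's `scan_chain` command prints."""
    codes = []
    for line in text.splitlines():
        for col in line.split():
            if col.startswith("0x") and len(col) == 10:
                codes.append(int(col, 16))
                break
    return codes


def parse_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE into version, part number and
    JEP106 manufacturer code; bit 0 is always 1 for a valid IDCODE."""
    if idcode & 1 == 0:
        raise ValueError("bit 0 of IDCODE must be 1 (0x%08x)" % idcode)
    return {
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        "manufacturer": (idcode >> 1) & 0x7FF,   # 4-bit continuation count + 7-bit id
    }


def discover_taps(client):
    """Ask OpenOCD for its scan chain and return the decoded IDCODE fields."""
    return [parse_idcode(c) for c in idcodes_from_scan_chain(client.command("scan_chain"))]


def demo_offline():
    """Run the client against a canned reply over a socketpair (no OpenOCD needed).
    The row is constructed; its IDCODE carries manufacturer 0x23B (JEP106: ARM)."""
    ours, theirs = socket.socketpair()
    theirs.sendall(b" 0 auto0.tap  Y  0x4ba00477 0x00000000  4 0x01 0x0f" + TERMINATOR)
    client = OpenOcdTcl(ours)
    taps = discover_taps(client)
    sent = theirs.recv(64)            # what the client put on the wire
    client.close()
    theirs.close()
    return taps, sent


if __name__ == "__main__":
    live = OpenOcdTcl.connect()
    for tap in discover_taps(live):
        print("version=%x part=%04x manufacturer=%03x"
              % (tap["version"], tap["part"], tap["manufacturer"]))
    live.close()
```

Against an unknown Android board the first useful thing this returns is the manufacturer code and part number of whatever answered on the chain, which is often enough to find the right OpenOCD target script or BSDL file for the next step. If the reply contains `0x00000000` IdCodes, check VCC_REF and the TDO wiring before suspecting the SoC.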
