Android Hardware Reverse Engineering

Mastering OpenOCD: Setting Up JTAG Boundary Scan for Android SoC Hardware Analysis


Introduction to JTAG and Android SoCs

The Power of JTAG in Hardware Debugging

Joint Test Action Group (JTAG), standardized as IEEE 1149.1, is a crucial technology initially designed for boundary scan testing of printed circuit boards (PCBs). It allows engineers to test interconnects between integrated circuits (ICs) without needing physical access to every pin. At its core, JTAG provides a Test Access Port (TAP) interface, consisting of four or five pins: Test Data Input (TDI), Test Data Output (TDO), Test Clock (TCK), Test Mode Select (TMS), and an optional Test Reset (TRST).

For complex SoCs, JTAG extends well beyond board testing. Boundary scan works through a register of cells placed between the core logic and the I/O pads: with the SAMPLE/PRELOAD instruction those cells capture the current pin levels, and with EXTEST they take over the pads and drive whatever value was shifted into them. Because the cells sit between the core and the pads, this works independently of the CPU's execution state: you can drive a specific pin high or low, or read its current level, while the CPU is halted, held in reset, or executing unknown code. This low-level access is invaluable for diagnosing hardware issues, verifying connections, and, critically, for hardware reverse engineering.
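To make the mechanics concrete, here is an added example (not code from the original article): a bit-level Python model of the IEEE 1149.1 TAP controller, a toy boundary-scan device with three pins, and the host-side driver that walks the state machine, reads IDCODE, samples the pins and then drives one of them with EXTEST while the core's own value is ignored. The device, its 4-bit instruction register and its opcodes are constructed for illustration; only the IDCODE value 0x4BA00477 (reported by many ARM CoreSight JTAG debug ports) and the JEDEC field layout are taken from real parts.

```python
# Bit-level model of an IEEE 1149.1 TAP controller and a toy boundary-scan device. Added
# example, not from the original article: the device (4-bit IR, three boundary cells,
# made-up opcodes) is constructed; IDCODE 0x4BA00477 is what many ARM CoreSight DPs report.
from collections import deque

# TAP controller: state -> (next state when TMS=0, next state when TMS=1)
TAP_FSM = {
    "TLR": ("RTI", "TLR"), "RTI": ("RTI", "SELECT_DR"),
    "SELECT_DR": ("CAPTURE_DR", "SELECT_IR"), "CAPTURE_DR": ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR": ("SHIFT_DR", "EXIT1_DR"), "EXIT1_DR": ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR": ("PAUSE_DR", "EXIT2_DR"), "EXIT2_DR": ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR": ("RTI", "SELECT_DR"), "SELECT_IR": ("CAPTURE_IR", "TLR"),
    "CAPTURE_IR": ("SHIFT_IR", "EXIT1_IR"), "SHIFT_IR": ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR": ("PAUSE_IR", "UPDATE_IR"), "PAUSE_IR": ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR": ("SHIFT_IR", "UPDATE_IR"), "UPDATE_IR": ("RTI", "SELECT_DR"),
}
IR_LEN, IDCODE = 4, 0x4BA00477
OP_EXTEST, OP_SAMPLE, OP_IDCODE, OP_BYPASS = 0b0000, 0b0001, 0b1110, 0b1111


def tms_path(src, dst):
    """Shortest TMS bit sequence from state src to state dst (breadth-first search)."""
    seen, queue = {src: []}, deque([src])
    while queue:
        s = queue.popleft()
        for tms in (0, 1):
            n = TAP_FSM[s][tms]
            if n not in seen:
                seen[n] = seen[s] + [tms]
                queue.append(n)
    return seen[dst]


class BoundaryScanDevice:
    def __init__(self, core_drives):
        self.core = dict(core_drives)            # level the CPU/core drives on each pin
        self.pins = list(core_drives)            # cell i <-> pins[i]; cell 0 is nearest TDO
        self.update = [0] * len(self.pins)       # BSR update cells; they drive pads in EXTEST
        self.state, self.ir = "TLR", OP_IDCODE
        self.ir_shift = self.dr_shift = self.dr_len = 0

    def pin_level(self, pin):
        # EXTEST disconnects the pad from the core; the update cell drives it instead
        return self.update[self.pins.index(pin)] if self.ir == OP_EXTEST else self.core[pin]

    def clock(self, tms, tdi):
        """One TCK pulse: do the current state's action, return TDO, then advance."""
        s, tdo, n = self.state, 0, len(self.pins)
        if s == "TLR":
            self.ir = OP_IDCODE                  # reset selects IDCODE, so a DR scan reads it
        elif s == "CAPTURE_IR":
            self.ir_shift = 0b0001               # 1149.1: captured IR must end in ...01
        elif s == "SHIFT_IR":
            tdo, self.ir_shift = self.ir_shift & 1, (self.ir_shift >> 1) | (tdi << (IR_LEN - 1))
        elif s == "UPDATE_IR":
            self.ir = self.ir_shift
        elif s == "CAPTURE_DR":                  # IDCODE, 1-bit BYPASS, or the live pin levels
            live = sum(self.pin_level(p) << i for i, p in enumerate(self.pins))
            self.dr_shift, self.dr_len = {OP_IDCODE: (IDCODE, 32), OP_BYPASS: (0, 1)}.get(self.ir, (live, n))
        elif s == "SHIFT_DR":
            tdo, self.dr_shift = self.dr_shift & 1, (self.dr_shift >> 1) | (tdi << (self.dr_len - 1))
        elif s == "UPDATE_DR" and self.ir in (OP_SAMPLE, OP_EXTEST):
            self.update = [(self.dr_shift >> i) & 1 for i in range(n)]
        self.state = TAP_FSM[s][tms]
        return tdo


class TapDriver:
    """Host side: the clocking an adapter does underneath OpenOCD's irscan/drscan."""
    def __init__(self, dev):
        self.dev, self.state = dev, "TLR"
        for _ in range(5):                       # five TMS=1 clocks reach TLR from any state
            dev.clock(1, 0)

    def goto(self, dst):
        for tms in tms_path(self.state, dst):
            self.dev.clock(tms, 0)
        self.state = dst

    def scan(self, reg, value, nbits):
        """Shift nbits of value (LSB first) through reg ("IR" or "DR"); return captured bits."""
        self.goto("SHIFT_" + reg)                # passes through Capture-xR on the way in
        out = 0
        for i in range(nbits):                   # TMS=1 on the last bit leaves to Exit1-xR
            out |= self.dev.clock(int(i == nbits - 1), (value >> i) & 1) << i
        self.state = "EXIT1_" + reg
        self.goto("RTI")                         # passes through Update-xR on the way out
        return out


def decode_idcode(code):
    """Split a 32-bit IDCODE into version, part number and JEDEC manufacturer fields."""
    return {"version": code >> 28, "part": (code >> 12) & 0xFFFF, "jedec_cont": (code >> 8) & 0xF,
            "jedec_id": (code >> 1) & 0x7F, "valid": bool(code & 1)}


def demo():
    dev = BoundaryScanDevice({"GPIO_A": 0, "GPIO_B": 1, "LED": 0})
    drv = TapDriver(dev)
    idcode = drv.scan("DR", 0, 32)               # straight after reset the DR is IDCODE
    ir_cap = drv.scan("IR", OP_SAMPLE, IR_LEN)   # captured ...01 pattern checks the IR length
    sampled = drv.scan("DR", 0b100, 3)           # read live pins; preload LED=1 into cell 2
    drv.scan("IR", OP_EXTEST, IR_LEN)            # from Update-IR on, update cells drive the pads
    after_extest = {p: dev.pin_level(p) for p in dev.pins}
    drv.scan("DR", 0b110, 3)                     # drive GPIO_B and LED high from the chain
    after_scan = {p: dev.pin_level(p) for p in dev.pins}
    drv.scan("IR", OP_BYPASS, IR_LEN)
    bypass = drv.scan("DR", 0b1011, 4)           # 1-bit bypass register delays data one clock
    return {"idcode": idcode, "ir_capture": ir_cap, "sampled": sampled,
            "after_extest": after_extest, "after_scan": after_scan, "bypass": bypass}
```

Two details in `demo()` are worth noting because OpenOCD relies on both: the `...01` pattern captured in Shift-IR is how it validates the instruction-register length of each TAP, and the one-clock delay through BYPASS is how it counts devices on an unknown chain. The SAMPLE scan before EXTEST is the preload step; switching to EXTEST takes effect at Update-IR, so every pad immediately follows its update cell (GPIO_B drops to 0 here until the next DR scan sets it), which is why you preload the full pattern first rather than enabling EXTEST with whatever happens to be in the cells.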

Why Android SoCs Present Unique Challenges

Android System-on-Chips (SoCs) are highly integrated, complex devices featuring multiple processing units, intricate power management, and vast arrays of peripherals, all packed into dense BGA (Ball Grid Array) packages. Reverse engineering or even simple hardware debugging on these platforms presents unique challenges:

  • Lack of Documentation: Comprehensive schematics and datasheets are rarely publicly available for consumer-grade Android devices.
  • Dense Packaging: BGA packages make direct probing of individual pins extremely difficult, if not impossible, without specialized equipment.
  • Security Features: Modern SoCs employ sophisticated security features like trusted boot, secure boot, and code signing, often locking down traditional software debugging interfaces.
  • Proprietary Bootloaders: Initial boot stages are usually proprietary and can be difficult to inspect or modify.

JTAG boundary scan operates below all of this software: it needs no cooperation from the bootloader or OS, so it gives you a view of the hardware's state, and control over its pins, that software-level protections cannot mediate. It does not defeat secure boot by itself, and on many retail devices the manufacturer disables the debug TAP with one-time-programmable fuses before shipping, in which case the chain may not respond at all or may expose only a restricted TAP. Establishing whether the TAP answers (for example, whether a scan after reset returns a valid IDCODE) is therefore the first step, and a responding chain is the entry point for deep-level analysis and reverse engineering.

Prerequisites: Tools of the Trade

Hardware Requirements

To embark on JTAG boundary scan for an Android SoC, you’ll need the following hardware:

  • JTAG Debugger: A reliable JTAG adapter is essential. Popular choices include FT2232H-based adapters (e.g., Bus Blaster, Olimex ARM-USB-TINY-H) and the Segger J-Link. ST-Link works with OpenOCD too, but only through its high-level debug-port transports (hla/dapdirect), which give no raw scan-chain access, so it cannot be used for boundary scan. For this guide, we'll primarily reference FT2232H-based adapters due to their versatility and good OpenOCD support.
  • Target Android SoC Device: An old Android phone, tablet, or a development board with an accessible SoC. Accessibility often means either exposed JTAG test points or the ability to solder fine wires to SoC pins.
  • Fine-Pitch Soldering Equipment: If JTAG test points are not readily available, you'll need a good soldering iron with a fine tip, flux, and thin wire (30 AWG wire-wrap wire for test points, or finer enamelled magnet wire for very small pads) to reach the SoC's JTAG signals directly, usually at escape vias or series resistors rather than at the BGA balls themselves.
  • Multimeter/Oscilloscope: Extremely helpful for identifying JTAG pins, verifying connections, and observing pin states.
  • Power Supply: A stable power supply for your target device.

Software Requirements

  • OpenOCD: Open On-Chip Debugger is an open-source tool that provides debugging and in-system programming for embedded targets and supports a wide range of JTAG adapters. It has no dedicated boundary-scan front end: you work the chain with its low-level `irscan`/`drscan` commands or replay a vendor SVF file with `svf`. You'll need to compile it from source or install a pre-built package; prefer release 0.11 or later, since the adapter commands were renamed in 0.11 (`ftdi_vid_pid` became `ftdi vid_pid`, `interface` became `adapter driver`, and so on) and older syntax is deprecated.
  • Operating System: Linux is generally preferred for OpenOCD development and often simplifies driver installation for JTAG adapters (e.g., `libusb`).

Locating JTAG Test Points on Android SoCs

The Hunt for TAPs

Identifying the JTAG Test Access Port (TAP) pins on an Android SoC is often the most challenging initial step due to the lack of documentation. The standard JTAG pins are:

  • TDI (Test Data Input): Data input to the JTAG scan chain.
  • TDO (Test Data Output): Data output from the JTAG scan chain.
  • TCK (Test Clock): Clock signal for the JTAG operations.
  • TMS (Test Mode Select): Controls the state machine of the JTAG TAP controller.
  • TRST (Test Reset, optional): Asynchronous reset for the JTAG logic. Highly recommended to connect if available.
  • VTREF/GND: Ground, plus a target reference voltage. VTREF is a sense input that tells the adapter's level shifters what I/O voltage the target uses; it does not power the target or the adapter.

Methods for locating these pins:

  • Schematics/Datasheets: If you’re fortunate enough to find them (e.g., for development boards or older, well-documented devices), they will explicitly label the JTAG pins.
  • Visual Inspection: Look for groups of small, unpopulated pads or test points near the SoC, often labeled with JTAG pin names.
  • Continuity Testing: Use a multimeter in continuity mode with the device powered off. Candidate pads are traced back to the SoC's signals via escape vias, series resistors or, on a sacrificial board with the SoC lifted, the BGA lands themselves. The standard requires on-chip pull-ups on TMS and TDI, so on a powered board those read weakly high; TDO is tri-stated except while shifting, and TCK often has a small series resistor in line.
  • X-ray Analysis: For BGA packages, X-ray imaging can reveal internal routing to identify potential JTAG pins if the package balls are obscured.
  • Known Device Documentation: Communities and existing reverse engineering projects for similar SoCs might have already documented JTAG pinouts.

Make the connections with both the target and the adapter unpowered, ground first, and confirm the target's JTAG I/O voltage before tying VTREF to it. Power the target before starting OpenOCD; the adapter's level shifters need VTREF present to drive the lines at the right level. Incorrect voltage levels or a wrong power-up order can damage the device or your adapter.

Connecting Your JTAG Adapter

Once you've identified the JTAG pins, connect your adapter as follows. The mapping below is for an FT2232H with channel A (ADBUS) used for JTAG: the MPSSE engine fixes TCK, TDI, TDO and TMS on ADBUS0 to ADBUS3, while the two reset lines are ordinary GPIOs whose pins vary between adapter boards (the ADBUS4/ADBUS5 choice here is generic; your board's OpenOCD interface file defines the real ones).

FT2232H (JTAG)  --  Android SoC
---------------------------------------
ADBUS0 (TCK)    --  TCK
ADBUS1 (TDI)    --  TDI
ADBUS2 (TDO)    --  TDO
ADBUS3 (TMS)    --  TMS
ADBUS4 (nTRST)  --  TRST (active-low, if available)
ADBUS5 (nSRST)  --  SRST (system reset, active-low, if used by the SoC)
GND             --  GND
VTREF           --  Target I/O voltage (sense input for the adapter's level shifters, usually 1.8V or 3.3V)

Confirm the voltage level of your target's JTAG interface before connecting VTREF. Modern Android SoCs typically use 1.8V I/O, older ones 3.3V; your adapter must support the target's level, and you should check whether it derives its output levels from VTREF or from a fixed supply, because a 3.3V adapter driving 1.8V pads can damage the SoC.

Configuring OpenOCD for Boundary Scan

Basic OpenOCD Setup

OpenOCD requires a configuration file (`.cfg`) to define the JTAG adapter, the TAPs on the target, and various operational parameters. The fragment below is the beginning of a file for an FT2232H adapter and a generic ARMv7-A target, which is common for older Android SoCs (the command spelling is the pre-0.11 `ftdi_*` form; recent OpenOCD uses `ftdi device_desc`, `ftdi vid_pid` and so on):

# android_soc.cfg

# Configure the JTAG interface (FT2232H).
# OpenOCD ships no generic ft2232h.cfg; source the interface file for your board,
# e.g. interface/ftdi/olimex-arm-usb-tiny-h.cfg or interface/ftdi/dp_busblaster.cfg.
source [find interface/ftdi/olimex-arm-usb-tiny-h.cfg]
# Legacy spelling of "ftdi device_desc"; takes the adapter's USB product string. The
# interface file sourced above already sets it, so this is only needed to override it.
ftdi_device_desc
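For a hand-wired FT2232H (no vendor interface file), the part of the adapter section that is easiest to get wrong is the `ftdi layout_init` pair: a 16-bit data word and a 16-bit direction word for ADBUS/ACBUS, which must leave TDO as an input, park TMS high and hold the active-low resets released. The following added example (not code from the article or from the OpenOCD project) derives those words from the pin table in the Connecting section, emits the `ftdi layout_signal` lines for the resets, and renders an adapter-only config in current OpenOCD syntax. Treating nTRST as push-pull, nSRST as open-drain and 1 MHz as the TCK rate are assumptions; check them against your own wiring.

```python
# Derive the 'ftdi layout_init' and 'ftdi layout_signal' words for a hand-wired FT2232H
# and emit an adapter-only .cfg that lets OpenOCD auto-probe the chain. Added example,
# not from the original article or the OpenOCD project. The pin numbers follow the ADBUS
# table above; nTRST as push-pull, nSRST as open-drain and a 1 MHz TCK are assumptions.

# ADBUS bit index of each signal. The MPSSE engine hard-wires TCK/TDI/TDO/TMS to bits 0-3;
# the reset lines are plain GPIOs and their bits differ between adapter boards.
WIRING = {"TCK": 0, "TDI": 1, "TDO": 2, "TMS": 3, "nTRST": 4, "nSRST": 5}
MPSSE_FIXED = {"TCK": 0, "TDI": 1, "TDO": 2, "TMS": 3}
# Idle level of every pin the adapter drives: TMS high keeps the TAP parked, active-low
# resets idle high. Anything not listed (TDO, the open-drain nSRST) stays an input.
IDLE_LEVELS = {"TCK": 0, "TDI": 0, "TMS": 1, "nTRST": 1}
OPEN_DRAIN = {"nSRST"}


def wiring_problems(wiring=WIRING, idle=IDLE_LEVELS):
    """Mistakes that only show up once the target is powered, as a list of messages."""
    problems = [f"{sig} must be on ADBUS{bit}: the MPSSE engine hard-wires it"
                for sig, bit in MPSSE_FIXED.items() if wiring.get(sig) != bit]
    if "TDO" in idle:
        problems.append("TDO is driven by the target; making it an output fights the target")
    if len(set(wiring.values())) != len(wiring):
        problems.append("two signals share one ADBUS pin")
    return problems


def layout_init(wiring=WIRING, idle=IDLE_LEVELS):
    """(data, direction) for 'ftdi layout_init'; a set direction bit means output."""
    problems = wiring_problems(wiring, idle)
    if problems:
        raise ValueError("; ".join(problems))
    data = direction = 0
    for sig, level in idle.items():
        direction |= 1 << wiring[sig]
        data |= level << wiring[sig]
    return data, direction


def layout_signals(wiring=WIRING, open_drain=OPEN_DRAIN):
    """'ftdi layout_signal' lines for whichever reset pins the wiring has."""
    lines = []
    for sig in ("nTRST", "nSRST"):
        if sig in wiring:
            # -oe only: pin becomes an output driving low while asserted, tri-state otherwise
            # -data: push-pull, driven low while asserted and high when released
            opt = "-oe" if sig in open_drain else "-data"
            lines.append(f"ftdi layout_signal {sig} {opt} 0x{1 << wiring[sig]:04x}")
    return lines


def describe(data, direction, wiring=WIRING):
    """Readable view of a layout_init pair, worth eyeballing before power is applied."""
    view = {}
    for sig, bit in sorted(wiring.items(), key=lambda kv: kv[1]):
        driven = (direction >> bit) & 1
        view[sig] = ("out high" if (data >> bit) & 1 else "out low") if driven else "in"
    return view


def render_cfg(speed_khz=1000):
    """Adapter-only config. With no 'jtag newtap', OpenOCD auto-probes the chain at init
    and prints each TAP's IDCODE, which is the first check you want on an undocumented board."""
    data, direction = layout_init()
    lines = [
        "# generated: hand-wired FT2232H, channel A (ADBUS) as JTAG",
        "adapter driver ftdi",
        "ftdi vid_pid 0x0403 0x6010",     # FT2232H default IDs; confirm with lsusb
        "ftdi channel 0",
        f"ftdi layout_init 0x{data:04x} 0x{direction:04x}",
        *layout_signals(),
        "transport select jtag",
        f"adapter speed {speed_khz}",
        "reset_config trst_and_srst srst_open_drain",
    ]
    return "\n".join(lines) + "\n"
```

Write the output of `render_cfg()` to a file and run `openocd -f that.cfg -c init -c scan_chain -c shutdown`. Because the file declares no TAPs, OpenOCD auto-probes the chain, warns `AUTO auto0.tap - use "jtag newtap ..."` for each device it finds, and `scan_chain` lists their IDCODEs; once you know what is on the chain, copy those `jtag newtap` lines into the target part of the config. Run `describe(*layout_init())` before the first power-up: it should show TDO as `in` and TMS and nTRST as `out high`.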
