Android Hardware Reverse Engineering

SWD Debugging Android Bootloaders: Your First Step-by-Step Setup Guide

By Antigravity Research Published May 30, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: Unlocking the Android Boot Process with SWD

The Android bootloader is the first piece of software that runs on an Android device after power-on, responsible for initializing hardware, verifying firmware integrity, and eventually loading the Android kernel. Understanding and debugging this critical phase is invaluable for security research, custom ROM development, and advanced hardware troubleshooting. Serial Wire Debug (SWD), a two-wire debug interface, offers a powerful, low-level gateway into the device’s CPU, allowing you to halt execution, inspect memory, set breakpoints, and step through code at the earliest stages of boot.

This guide provides a comprehensive, step-by-step approach to setting up an SWD debugging environment for Android bootloaders. We’ll cover everything from identifying debug pins on your hardware to configuring OpenOCD and GDB for deep-dive analysis.

Prerequisites: Tools and Knowledge

Hardware Requirements:

  • Target Android Device: An older or development board device is recommended for your first attempt, as it often has easier access to test points.
  • SWD Debugger: J-Link (SEGGER) or ST-Link/V2/V3 are common choices. J-Link is generally more versatile but ST-Link is often cheaper and good for basic Cortex-M/A debugging.
  • Soldering Equipment: Fine-tip soldering iron, solder wire, flux, desoldering braid (for potential mistakes), and thin enamel wires.
  • Multimeter: For continuity checks and voltage measurements.
  • USB-to-Serial Adapter (Optional but Recommended): For simultaneous UART console access, which can provide valuable boot log information.

Software Requirements:

  • OpenOCD (Open On-Chip Debugger): This software acts as an intermediary between your debugger hardware and GDB.
  • GNU Debugger (GDB): The command-line debugger client.
  • Toolchain: An ARM-specific cross-compilation toolchain (e.g., arm-none-eabi-gdb or aarch64-linux-gnu-gdb, depending on your bootloader’s architecture).
  • Operating System: Linux (preferred for ease of setup) or Windows/macOS with appropriate driver installations.

Identifying SWD Pins on Your Device

The most challenging part of SWD debugging often begins with locating the correct debug pads on your device’s Printed Circuit Board (PCB). Modern Android devices rarely expose dedicated debug headers, requiring careful examination and sometimes component removal.

Techniques for Pin Identification:

  1. Visual Inspection: Look for clusters of small, unpopulated pads (test points) near the main SoC or memory chips. Common SWD signals include SWDIO (data), SWCLK (clock), GND (ground), and sometimes nRESET or VCC.
  2. Schematics/Board Views: If you’re lucky enough to find official or leaked schematics or board view files for your device, these will explicitly label the SWD pins.
  3. Continuity Testing with Multimeter:
    • GND: This is the easiest to find. Any large copper pour, USB shield, or battery negative terminal is typically ground.
    • VCC: The voltage supply for the SoC, usually around 1.8V or 3.3V. Look for pads connected to voltage regulators or power lines near the SoC.
    • SWDIO/SWCLK: These are trickier. They often connect directly to the SoC. You can sometimes infer their location by looking for pairs of pads with similar routing patterns. Some advanced techniques involve probing for activity during boot or using tools like a logic analyzer if you can find known clock/data lines.
    • Trial and Error (with caution): If you have a cluster of 4-6 suspicious pads, you might try connecting and testing them in various configurations. Always ensure you connect GND first and measure voltages before connecting the debugger’s VCC/VTref line to avoid damage.

Once identified, solder thin enamel-coated wires (typically 30-32 AWG) to these test points. Keep the wires as short as possible to minimize signal integrity issues.

Hardware Setup: Connecting Your Debugger

With the SWD pins identified and wired, it’s time to connect your debugger. Most debuggers will have standard pinouts. For example, a J-Link 20-pin connector will typically have:

  • Pin 1: VCC / VTref (Target Reference Voltage)
  • Pin 4: nRESET
  • Pin 7: SWDIO
  • Pin 9: SWCLK
  • Pin 19: GND

Crucial Step: Connect the debugger’s VTref (Target Reference Voltage) pin to your device’s VCC (the power rail for the SoC, which OpenOCD will use to determine logic levels). Do NOT power your device through the debugger unless explicitly stated by the debugger’s manual and you are certain of the voltage compatibility. It’s generally safer to power the Android device separately and connect only the signal and GND wires, plus VTref.

Software Setup: OpenOCD and GDB Configuration

1. Install OpenOCD and GDB

On Linux, you can typically install them via your package manager:

sudo apt update sudo apt install openocd gdb-multiarch

For other OS, refer to official documentation for installation.

2. Configure OpenOCD

OpenOCD requires a configuration file (e.g., openocd.cfg) that specifies your debugger interface and the target CPU. This configuration is highly dependent on your specific debugger and SoC. Here’s a generic example for a J-Link connected to an ARM Cortex-A processor (common for Android):

# openocd.cfg interface jlink interface_speed 4000 # Maximize speed if possible, or lower for stability # Target configuration source [find target/at91samdXX.cfg] # This is a placeholder. You need to find the correct config for your SoC! # For generic Cortex-A: # source [find target/cortex_a.cfg] # For modern AArch64 systems: # source [find target/aarch64-linux.cfg] # If your target is Cortex-A, you might need to specify the core: # set _TARGETNAME cortex_a set _ENDIAN little set _CPUTAPID 0xXXXXXXXX # Replace with your SoC's JTAG/SWD IDCODE. Can be discovered with 'jtag_init' or 'swd_init' command. init reset_config srst_only # If you have a separate nRESET line. Otherwise, use 'srst_and_init' or 'none' # If the bootloader runs in AArch64 and switches to AArch32 # armv8a disable_cache # Useful for early bootloader debugging gdb_port 3333 telnet_port 4444 tcl_port 6666 # Initial halt and continue to allow GDB connection if the bootloader starts too fast reset init sleep 100 armv8a_config_mode AArch64 # Or AArch32 if applicable halt

Important: The target/*.cfg line is crucial. You’ll need to find the correct configuration file for your specific SoC. Common SoC vendors like Qualcomm, MediaTek, Exynos (Samsung), and Rockchip often have community-contributed or official OpenOCD scripts. If not, you might have to create a custom one based on cortex_a.cfg or aarch64-linux.cfg and specify the correct CPU IDCODE (`_CPUTAPID`). You can often discover the IDCODE by running OpenOCD with a generic configuration (e.g., `interface jlink; target/cortex_a.cfg`) and checking its output. If the chip is ARMv8-A, you might need to start in AArch64 mode and handle the transition to AArch32.

3. Run OpenOCD

Open a terminal and execute OpenOCD with your configuration file:

openocd -f openocd.cfg

If successful, OpenOCD will initialize, connect to your debugger, and report that it’s waiting for GDB connections on port 3333.

4. Connect GDB

Open another terminal and start GDB. Load any available bootloader firmware image (ELF format is ideal) to get symbols:

aarch64-linux-gnu-gdb # Or arm-none-eabi-gdb (for 32-bit bootloaders) (gdb) file /path/to/your/bootloader.elf (gdb) target remote localhost:3333

You should see GDB connect to OpenOCD. The bootloader might be halted at its entry point, depending on your OpenOCD configuration.

Debugging the Bootloader: Your First Steps

Now you’re connected. Here are some fundamental GDB commands:

  • monitor reset: Resets the target device (via OpenOCD).
  • monitor halt: Halts the CPU immediately.
  • c / continue: Continues execution.
  • si / stepi: Steps a single instruction.
  • b *0xXXXXXXXX: Set a breakpoint at a specific memory address (e.g., the bootloader entry point).
  • info registers: Displays the current CPU register values.
  • x/i $pc: Disassembles the instruction at the program counter.
  • x/16wx 0xXXXXXXXX: Examines 16 words (4 bytes each) in hexadecimal format at a given address.
  • set $pc = 0xXXXXXXXX: Changes the program counter to a new address (use with extreme caution!).

Debugging Workflow Example:

  1. Connect GDB.
  2. monitor reset to restart the device.
  3. If configured to halt on reset, examine info registers and x/i $pc to see where execution begins.
  4. Set a breakpoint at a known bootloader function (e.g., bl_main if symbols are available, or a known address in the initial bootloader stage).
  5. c to continue execution until the breakpoint is hit.
  6. Step through code with si, inspect registers, and memory to understand the boot flow.

Troubleshooting Common Issues


  • Android Mobile Specs & Compare Directory

    Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

    Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Bootloader #Hardware Reverse Engineering #OpenOCD #SWD Debugging

Related Technical Guides

DIY eMMC Rework: Safely Desoldering & Reading NAND Flash Chips from Android Boards

May 29, 2026

Chemical Delidding Secrets: Safely Decapping Android SoCs Without Damaging the Die

May 29, 2026

From Waves to Keys: An End-to-End Workflow for Android EM-Field Cryptographic Extraction

May 29, 2026