Android Hardware Reverse Engineering

Your First JTAG Boundary Scan: Debugging an Android Device Step-by-Step with Low-Cost Tools


Introduction: Unlocking Android’s Hardware Secrets with JTAG

The Joint Test Action Group (JTAG) standard, formally IEEE 1149.1, is a powerful interface primarily designed for testing printed circuit boards (PCBs) after manufacture. However, its true potential extends far beyond production lines, offering a crucial lifeline for hardware reverse engineers and low-level debuggers. For Android devices, where System-on-Chips (SoCs) are increasingly complex and opaque, JTAG provides an unparalleled window into the hardware’s inner workings. This article will guide you through performing your first JTAG boundary scan on an Android device using readily available, low-cost tools, helping you diagnose hardware issues or delve into the SoC’s architecture.

While JTAG is often associated with expensive professional debugging probes, we’ll demonstrate how you can achieve significant insights with budget-friendly alternatives like a Raspberry Pi or an FT2232H-based adapter and the versatile OpenOCD software.

The Power of Boundary Scan

At its core, JTAG enables you to communicate with and control the Boundary Scan Register (BSR) within a compliant chip. The BSR is a shift register composed of cells placed at each digital I/O pin of the device. This allows you to:

  • Observe Pin States: Read the logic level of any input pin without needing physical access to the trace.
  • Control Pin States: Drive any output pin to a specific logic level, overriding the chip’s internal logic.
  • Verify Connectivity: Test for shorts, opens, and correct component placement on the board.
  • Identify Devices: Read the unique IDCODE of each JTAG-compliant device in the scan chain.
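To make the IDCODE step concrete, here is a small Python helper (an added example, not code from the original article or from OpenOCD) that splits a 32-bit IDCODE into its IEEE 1149.1 fields and screens the all-ones/all-zeros values a miswired first scan usually returns. The manufacturer table is a tiny hand-picked subset of JEDEC JEP106, and the OpenOCD log text is a constructed sample in the shape of its autoprobe output.

```python
import re

# Small subset of JEDEC JEP106 manufacturer codes, keyed by the 11-bit
# field as it appears in an IEEE 1149.1 IDCODE (bits 1-11: a 4-bit count of
# 0x7F continuation bytes in the upper bits, 7-bit identity in the lower).
JEP106_NAMES = {
    0x23b: "ARM Ltd",
    0x049: "Xilinx",
    0x020: "STMicroelectronics",
    0x017: "Texas Instruments",
}

def decode_idcode(code):
    """Split a 32-bit IDCODE into its IEEE 1149.1 fields.
    Returns None when the value cannot be an IDCODE (bit 0 must read 1)."""
    code &= 0xffffffff
    if code & 1 == 0:
        return None
    mfg = (code >> 1) & 0x7ff
    return {
        "version": code >> 28,          # bits 28-31
        "part": (code >> 12) & 0xffff,  # bits 12-27
        "mfg": mfg,                     # bits 1-11
        "jep106_continuations": mfg >> 7,
        "jep106_id": mfg & 0x7f,
        "manufacturer": JEP106_NAMES.get(mfg, "unknown"),
    }

def diagnose_idcode(code):
    """Map the values typically seen on a miswired first scan to a likely cause."""
    code &= 0xffffffff
    if code == 0xffffffff:
        return "TDO stuck high: no device answering, check TDO/TCK wiring and VREF"
    if code == 0:
        return "TDO stuck low: TDO shorted to GND or target not powered"
    if code & 1 == 0:
        return "bit 0 clear: not an IDCODE, chain may be misaligned or in BYPASS"
    return "plausible IDCODE"

TAP_LINE = re.compile(r"tap/device found: (0x[0-9a-fA-F]+)")

def idcodes_from_openocd_log(text):
    """Collect every IDCODE OpenOCD reported while autoprobing the scan chain."""
    return [int(m.group(1), 16) for m in TAP_LINE.finditer(text)]

# Constructed sample in the shape of OpenOCD's autoprobe output (not a real capture).
SAMPLE_LOG = """\
Info : JTAG tap: auto0.tap tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x4)
Info : JTAG tap: auto1.tap tap/device found: 0x0362d093 (mfg: 0x049 (Xilinx), part: 0x362d, ver: 0x0)
"""
```

Run `decode_idcode` on each value returned by `idcodes_from_openocd_log(SAMPLE_LOG)` to see the decoded fields; an unknown manufacturer code is reported as "unknown" rather than guessed.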

For Android SoCs, boundary scan can be invaluable for tasks such as:

  • Confirming if a particular GPIO line is active or stuck.
  • Testing the integrity of memory connections.
  • Debugging issues with peripherals that might not be initializing correctly.
  • Gaining initial hardware intelligence before diving into firmware.

The ability to manipulate and observe pins externally, even when the SoC’s internal CPU isn’t running or is locked, makes boundary scan a foundational technique in hardware reverse engineering.

Tools of the Trade: Budget-Friendly JTAG Setup

To get started, you’ll need a few essential items:

  1. Target Android Device: An older Android smartphone or tablet is ideal. Look for devices with accessible test points or known JTAG layouts. Sometimes, devices with MediaTek, Allwinner, or older Qualcomm SoCs are more forgiving for JTAG access.
  2. JTAG Adapter:
    • Raspberry Pi (any model): A fantastic, low-cost JTAG programmer. You’ll use its GPIO pins for bit-banging JTAG signals.
    • FT2232H-based Adapter: Devices like the Olimex ARM-USB-TINY-H or cheap FT2232H breakout boards can be configured as JTAG probes. These offer better signal integrity and speed than a Raspberry Pi. (The Bus Pirate is also supported by OpenOCD, but it is not FT2232H-based and is considerably slower.)
  3. Software:
    • OpenOCD (Open On-Chip Debugger): The open-source powerhouse for JTAG and SWD debugging.
    • Telnet Client: For interacting with OpenOCD’s command-line interface.
  4. Cables & Connectors: Fine-gauge wires, soldering iron with a fine tip, flux, multimeter, and potentially a microscope if your test points are tiny.

Step 1: Identifying JTAG Test Points on Your Android Device

This is often the most challenging step. Modern Android devices rarely expose JTAG through readily available headers. You’ll likely need to locate unpopulated test pads:

1.1 Disassembly and Visual Inspection

Carefully disassemble your Android device. Look for groups of small, unpopulated pads, often located near the SoC itself or around the edge of the PCB. JTAG typically requires 4-5 core signals:

  • TCK (Test Clock): The clock signal for the JTAG state machine.
  • TMS (Test Mode Select): Controls the JTAG state machine transitions.
  • TDI (Test Data In): Data input to the JTAG scan chain.
  • TDO (Test Data Out): Data output from the JTAG scan chain.
  • TRST (Test Reset, optional): Resets the JTAG logic.
  • GND: Ground connection.
  • VREF: Reference voltage (connect to the target’s VCC_IO, e.g., 1.8V or 3.3V).

1.2 Leveraging Schematics or Board Views (If Available)

If you can find service manuals or leaked schematics for your device, they will explicitly label JTAG test points (e.g., JTDI, JTDO). This is the gold standard.

1.3 Using a Multimeter

Without schematics, you can use a multimeter in continuity mode or resistance mode to identify potential candidates:

  • Look for pads connected to GND.
  • Look for pads connected to a stable voltage (VREF).
  • The JTAG signals themselves will typically be floating or pulled high/low through resistors. You might find series resistors of around 33-100 ohms if the JTAG signals are exposed directly from the SoC.

Sometimes, these points are labelled ‘SWDIO’/‘SWCLK’ if the device also supports Serial Wire Debug (SWD), which shares pins with JTAG: SWDIO sits on TMS and SWCLK on TCK.

Step 2: Wiring Up Your Low-Cost JTAG Adapter

Once you’ve identified the JTAG test points, you’ll need to carefully solder fine wires to them and connect them to your adapter.

2.1 Raspberry Pi as a JTAG Probe

For a Raspberry Pi, you’ll use specific GPIO pins for JTAG bit-banging. A common configuration mapping is:

Raspberry Pi GPIO (BCM) | JTAG Signal | Pin on 40-pin header
------------------------|-------------|-----------------------------------
GPIO 25                 | TCK         | Pin 22
GPIO 24                 | TMS         | Pin 18
GPIO 23                 | TDI         | Pin 16
GPIO 22                 | TDO         | Pin 15
GND                     | GND         | Pins 6, 9, 14, 20, 25, 30, 34, 39
VREF                    | Target VCC  | Connect to target's IO voltage

Important: Ensure the target device’s VCC_IO (VREF) comes from the *target device itself*, not from the Raspberry Pi, to prevent voltage mismatches. Note that the Pi’s GPIO pins are fixed 3.3V logic with no VREF sense input, so a 1.8V target needs a level shifter between the Pi and the test points.

2.2 FT2232H-based Adapter

These adapters typically have clearly labeled JTAG pins (TDI, TDO, TCK, TMS). Connect them directly, along with GND and VREF, making sure voltage levels are compatible (e.g., using a level shifter if necessary, though many FT2232H boards support 1.8V/3.3V).

Step 3: Setting Up OpenOCD for Your Target

OpenOCD is available in most Linux distribution repositories.

sudo apt update
sudo apt install openocd

Next, you’ll create an OpenOCD configuration file (e.g., `openocd_android.cfg`). This file tells OpenOCD about your JTAG adapter and the target device.

# openocd_android.cfg

# 1. Interface Configuration (choose one)
# For Raspberry Pi (JTAG bit-banged on the GPIO header; an *_swd interface
# file would select SWD, not JTAG). On OpenOCD 0.11 and older, Pi 2/3 boards
# use interface/raspberrypi2-native.cfg instead.
source [find interface/raspberrypi-native.cfg]
transport select jtag
# Override the interface file's default GPIO numbers to match the wiring
# table above: TCK TMS TDI TDO (BCM numbering). Older releases spell this
# command bcm2835gpio_jtag_nums.
bcm2835gpio jtag_nums 25 24 23 22
# Adjust speed. Lower speed is safer for initial connection.
# (adapter_khz is the deprecated spelling of this command.)
adapter speed 1000

# For an FT2232H-based adapter (e.g., Olimex ARM-USB-TINY-H or generic FT2232H)
# source [find interface/ftdi/olimex-arm-usb-tiny-h.cfg]
# Or for an FT2232H Mini Module style breakout (other boards may need their
# own ftdi channel and layout_init settings)
# source [find interface/ftdi/minimodule.cfg]
# ftdi_device_desc
