1
00:00:01,890 --> 00:00:03,170
Hi, welcome back.

2
00:00:03,720 --> 00:00:07,440
In this lesson, we will talk about JTAG exploitation.

3
00:00:08,040 --> 00:00:16,830
JTAG stands for Joint Action Group; it is an industry standard for verifying designs and testing printed

4
00:00:16,830 --> 00:00:19,320
circuit boards after manufacture.

5
00:00:20,460 --> 00:00:25,230
There is also an alternative to the JTAG interface, which is

6
00:00:25,230 --> 00:00:37,620
SWD (Serial Wire Debug), which has the same JTAG protocol on top. SWD uses an ARM CPU standard

7
00:00:37,620 --> 00:00:44,820
bidirectional wire protocol, defined in the ARM Debug Interface version five.

8
00:00:47,370 --> 00:00:55,170
JTAG specifies the use of a dedicated debug port implementing a serial communications interface

9
00:00:55,710 --> 00:01:04,810
for low-overhead access without requiring direct external access to the system address and data buses.

10
00:01:05,520 --> 00:01:14,280
The interface connects to an on-chip Test Access Port (TAP) that implements a stateful

11
00:01:14,280 --> 00:01:22,710
protocol to access a set of test registers that present chip logic levels and device capabilities of

12
00:01:22,710 --> 00:01:24,080
various parts.

13
00:01:26,700 --> 00:01:35,310
Regarding accessing and using the interface, there are five signals that the Test Access Port uses:

14
00:01:35,910 --> 00:01:38,960
the TCK Test Clock port,

15
00:01:39,630 --> 00:01:42,050
TDI Test Data In,

16
00:01:42,810 --> 00:01:53,610
TDO Test Data Out, TMS Test Mode Select, and an optional port, TRST, the Test Reset port.

17
00:01:57,080 --> 00:02:06,740
The image shows a printed circuit board of a Linksys router, showing the JTAG interface

18
00:02:06,950 --> 00:02:09,320
with 14 pins.

19
00:02:12,620 --> 00:02:21,800
Now let's see the steps to follow to verify the security of the JTAG interface with respect,

20
00:02:21,800 --> 00:02:29,910
for example, to the possibility of extracting data directly from a device via the JTAG interface.

21
00:02:30,830 --> 00:02:42,110
The first step is to identify the JTAG pinouts (TCK, TDO, TDI, TMS) on the printed

22
00:02:42,110 --> 00:02:48,230
circuit board of the IoT device. For the identification of the JTAG

23
00:02:48,230 --> 00:02:56,950
pinouts, different tools can be used, among which the JTAGulator tool and the JTAGEnum Arduino-based

24
00:02:56,950 --> 00:02:57,770
project.

25
00:02:58,550 --> 00:03:04,270
Consulting the datasheet of the device could also be useful for this activity.

26
00:03:05,240 --> 00:03:15,020
Then the second step is to connect the JTAG pinouts to the PC via a USB-TTL converter interface, for example,

27
00:03:15,020 --> 00:03:19,850
the Attify badge, the BusPirate, or other similar ones.

28
00:03:22,390 --> 00:03:30,010
And here we can see a schematic connection of a development board with a JTAG debug interface connected

29
00:03:30,010 --> 00:03:34,360
to an analysis PC through an Attify badge interface.

30
00:03:36,860 --> 00:03:45,350
The next step is to interact with the device from the PC through JTAG interface communication, for example,

31
00:03:45,350 --> 00:03:58,900
using the OpenOCD utility. OpenOCD stands for Open On-Chip Debugger.

32
00:03:59,120 --> 00:04:13,040
The openocd command activates, for interaction with the device, two server sockets: one on port 4444,

33
00:04:13,040 --> 00:04:21,890
to which you can connect with telnet, and one on port 3333

34
00:04:22,310 --> 00:04:26,540
with which you can interact via GDB.

35
00:04:32,080 --> 00:04:42,160
Through JTAG, it is possible to: debug binaries, dump firmware, write firmware.

36
00:04:42,160 --> 00:04:53,020
The slide shows some openocd commands, for example, the dump_image command that allows you to dump size bytes

37
00:04:53,020 --> 00:04:53,490
of target

38
00:04:53,500 --> 00:05:03,810
memory starting at a specified address to a binary file, named filename in the usage example.

39
00:05:04,160 --> 00:05:17,200
Another command of openocd is the mdw command, which allows you to display the contents of address addr as 32

40
00:05:17,200 --> 00:05:18,820
bit words.

41
00:05:19,480 --> 00:05:26,980
For a complete list of commands, you can consult the user's guide section of the official site openocd

42
00:05:27,220 --> 00:05:28,790
dot org.

43
00:05:31,260 --> 00:05:34,770
OK, thank you for your attention, bye.