

### Reverse engineering AT32UC3A's JTAG

LSE Summer Week 2014

Pierre Surply

EPITA 2016

Jul 19, 2014

- Introduction
- Overview
- TAP Controller
- Scan Chain
- Boundary Scan
- UC3 JTAG
- Reverse engineering
- Conclusion

Pierre Surply (EPITA 2016)

Reverse engineering AT32UC3A's JTAG

Jul 19, 2014 1 / 72



### **On-Chip Debug**




Figure: AVR Dragon

```shell
avr32gdbproxy -e "avrdragon" -a ":4242"
```




### Overview

- Joint Test Action Group
- Published in April 1990
  - IEEE 1149.1
- Standard Test Access Port and Boundary-Scan Architecture



### JTAG pins


- TCK : Test Clock
- TMS : Test Mode Select
- TDI : Test Data Input
- TDO : Test Data Output
- TRST : Test Reset






### Registers

- Instruction Register
- Data Registers:
  - IDCODE
  - BYPASS
  - BSR

### JTAG Block Diagram


### Shift Register

Figure: Shift Register (1/5) (cells X4 X3 X2 X1 between TDI and TDO; input stream 1001)

Figure: Shift Register (2/5)

Figure: Shift Register (3/5)






# TAP Controller State Machine






- DR: Data Register
- IR: Instruction Register









Figure: TAP Controller Example (1/13 to 13/13)



#### Daisy Chain






Figure: Daisy Chain








Figure: BYPASS Register (signals shown: Shift, TCK)









Figure: BYPASS and Daisy Chain (1/3 to 3/3)



### Boundary Scan



Figure: Boundary Scan




### Boundary Scan Instructions




- EXTEST
- SAMPLE/PRELOAD
- INTEST






Figure: Scan Cell



## Boundary Scan Description Language




- Describes boundary scan layout for a specific integrated circuit
  - VHDL subset
  - Provided by manufacturer



### **UC3 JTAG Overview**






Figure: UC3 JTAG Overview



# UC3 On-Chip Debug Overview



Figure: UC3 On-Chip Debug block diagram (labels recovered from the figure: Watchpoints, Ownership, Trace, Data Trace, Memories and peripherals)



| Slave                  | Address [35:32] | Description                                                                         |
|------------------------|-----------------|-------------------------------------------------------------------------------------|
| Unallocated            | 0x0             | Intentionally unallocated                                                           |
| OCD                    | 0x1             | OCD registers                                                                       |
| HSB                    | 0x4             | HSB memory space, as seen by the CPU                                                |
| HSB                    | 0x5             | Alternative mapping for HSB space, for compatibility with other 32-bit AVR devices. |
| Memory Service<br>Unit | 0x6             | Memory Service Unit registers                                                       |
| Reserved               | Other           | Unused                                                                              |

Figure: SAB Slaves

- HSB: High Speed Bus


# Daisy Chain length scanning





# OpenOCD Low Level JTAG Commands

```tcl
irscan auto0.tap 0x1
drscan auto0.tap 512 0 -endstate DRPAUSE
drscan auto0.tap 1 0 -endstate DRPAUSE
```
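The measurement behind the drscan sequence above and behind the daisy-chain length scan, as an added Python simulation (not the talk's code): `ShiftChain`, `measure_length` and `devices_in_chain` are assumed helper names, and the register sizes handed to them are constructed for the demo.

```python
# Added example, not the talk's code: a simulated Shift-DR path and the
# "flush with zeros, then shift ones until one comes back" measurement that
# gives a data register's length, or, with every TAP in BYPASS, the number of
# devices in the daisy chain. Register sizes are constructed for the demo.

class ShiftChain:
    """Everything between TDI and TDO in Shift-DR, as one bit list:
    index 0 sits next to TDI, the last index is the bit presented on TDO."""
    def __init__(self, lengths, capture=None, tdo_stuck=False):
        self.bits = list(capture) if capture is not None else [0] * sum(lengths)
        self.tdo_stuck = tdo_stuck      # register not connected: TDO never goes high

    def clock(self, tdi):
        """One TCK in Shift-DR: TDI enters, the bit at the TDO end falls out."""
        if self.tdo_stuck:
            return 0
        if not self.bits:               # zero-length path: TDI wired straight to TDO
            return tdi
        tdo = self.bits[-1]
        self.bits = [tdi] + self.bits[:-1]
        return tdo

def measure_length(chain, flush=512, limit=1024):
    """Return the number of bits between TDI and TDO, or None if no 1 ever
    reaches TDO within `limit` clocks. The flush matters: a register whose
    captured value already holds a 1 (IDCODE's LSB is always 1) would
    otherwise hand that 1 back early and look shorter than it is."""
    for _ in range(flush):
        chain.clock(0)
    for n in range(limit):
        if chain.clock(1) == 1:
            return n
    return None

def devices_in_chain(n_taps):
    """With every TAP in BYPASS each device contributes one bit, so the
    measured length is the device count (n_taps is the simulated truth)."""
    return measure_length(ShiftChain([1] * n_taps))
```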



## UC3 JTAG Analysis




Figure: Bus Pirate as JTAG probe




# UC3 JTAG Data Register Length

Opcode: Length

| Opcode | Length | Opcode | Length | Opcode | Length | Opcode | Length |
|--------|--------|--------|--------|--------|--------|--------|--------|
| 0x0    | 1      | 0x8    | 1      | 0x10   | 34     | 0x18   | 4      |
| 0x1    | 32     | 0x9    | 1      | 0x11   | 35     | 0x19   | 1      |
| 0x2    | 224    | 0xa    | 1      | 0x12   | 34     | 0x1a   | 1      |
| 0x3    | 224    | 0xb    | 1      | 0x13   | 1      | 0x1b   | 1      |
| 0x4    | 224    | 0xc    | 5      | 0x14   | 34     | 0x1c   | 1      |
| 0x5    | 1      | 0xd    | 1      | 0x15   | 39     | 0x1d   | 0      |
| 0x6    | 1      | 0xe    | 1      | 0x16   | 1      | 0x1e   | 1      |
| 0x7    | 1      | 0xf    | 1      | 0x17   | 16     | 0x1f   | 1      |

Register groups identified on the slide:

- BYPASS, CLAMP, CHIP\_ERASE
- IDCODE
- Boundary Scan
- AVR\_RESET, SYNC
- Service Access Bus
- ???



#### Instruction 0x18

Present in BSDL file but not in datasheet:

```vhdl
attribute INSTRUCTION_OPCODE of UC3A3256-BGA : entity is
  "PRIVATE0 ( 10011 ), " &
  "PRIVATE1 ( 01100 ), " &
  "BYPASS   ( 11111 ), " &
  "CLAMP    ( 00110 ), " &
  "EXTEST   ( 00011 ), " &
  "IDCODE   ( 00001 ), " &
  "INTEST   ( 00100 ), " &
  "PRIVATE2 ( 11001 ), " &
  "PRIVATE3 ( 11010 ), " &
  "PRIVATE4 ( 11011 ), " &
  "PRIVATE5 ( 10001 ), " &
  "PRIVATE6 ( 10010 ), " &
  "PRIVATE7 ( 10000 ), " &
  "PRELOAD  ( 00010 ), " &
  "SAMPLE   ( 00010 ), " &
  "PRIVATE8 ( 10111 ), " &
  "PRIVATE9 ( 11000 ) ";
```

- Strange behaviour when Data Register is set to 1 or 2
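An added example (not from the talk) that ties the BSDL slide to this one: it parses the INSTRUCTION_OPCODE attribute quoted above and crosses it with the measured register lengths, so that 0x18 resolves to PRIVATE9 with its 4-bit register; `parse_opcodes`, `names_for` and `private_with_real_register` are assumed helper names.

```python
# Added example, not the talk's code: read the BSDL opcode attribute and line
# the PRIVATEn instructions up with the data register lengths measured by scan.
import re

# INSTRUCTION_OPCODE attribute as quoted on the slide (copied here for the demo).
BSDL_ATTR = """
attribute INSTRUCTION_OPCODE of UC3A3256-BGA : entity is
  "PRIVATE0 ( 10011 ), " &
  "PRIVATE1 ( 01100 ), " &
  "BYPASS   ( 11111 ), " &
  "CLAMP    ( 00110 ), " &
  "EXTEST   ( 00011 ), " &
  "IDCODE   ( 00001 ), " &
  "INTEST   ( 00100 ), " &
  "PRIVATE2 ( 11001 ), " &
  "PRIVATE3 ( 11010 ), " &
  "PRIVATE4 ( 11011 ), " &
  "PRIVATE5 ( 10001 ), " &
  "PRIVATE6 ( 10010 ), " &
  "PRIVATE7 ( 10000 ), " &
  "PRELOAD  ( 00010 ), " &
  "SAMPLE   ( 00010 ), " &
  "PRIVATE8 ( 10111 ), " &
  "PRIVATE9 ( 11000 ) ";
"""

# Measured DR length per 5-bit opcode, from the length table on the slides.
MEASURED = {0x00: 1, 0x01: 32, 0x02: 224, 0x03: 224, 0x04: 224, 0x05: 1,
            0x06: 1, 0x07: 1, 0x08: 1, 0x09: 1, 0x0a: 1, 0x0b: 1, 0x0c: 5,
            0x0d: 1, 0x0e: 1, 0x0f: 1, 0x10: 34, 0x11: 35, 0x12: 34, 0x13: 1,
            0x14: 34, 0x15: 39, 0x16: 1, 0x17: 16, 0x18: 4, 0x19: 1, 0x1a: 1,
            0x1b: 1, 0x1c: 1, 0x1d: 0, 0x1e: 1, 0x1f: 1}

def parse_opcodes(text):
    """Return {instruction name: opcode} from a BSDL INSTRUCTION_OPCODE attribute."""
    return {name: int(bits, 2)
            for name, bits in re.findall(r'"\s*(\w+)\s*\(\s*([01]+)\s*\)', text)}

def names_for(opcode, opcodes):
    """All BSDL names sharing one opcode (SAMPLE and PRELOAD both use 0x02)."""
    return sorted(n for n, op in opcodes.items() if op == opcode)

def private_with_real_register(opcodes, measured):
    """PRIVATEn opcodes whose DR is longer than a 1-bit bypass-style register:
    the undocumented instructions a reviewer of the debug port has to account for."""
    return {op: measured[op] for n, op in opcodes.items()
            if n.startswith("PRIVATE") and measured.get(op, 0) > 1}
```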


# Nexus (IEEE-ISTO 5001-2003)






Figure: AUX+JTAG based debugger







Contact


- Git: git.psurply.com/uc3jtag
- IRC: Ptishell@irc.rezosup.org
- Mail: surply@lse.epita.fr
- Twitter: @Ptishell