Embedded Hacking with JTAG, OpenOCD, and GDB
If only there were a way to completely control a Microcontroller (MCU) or Microprocessor (MPU) such that we could dump and restore memory, change register values, and access peripherals without the core being aware. Well, let us welcome you to one of the most common protocols: JTAG. In this course we will explore the capabilities and limitations of using JTAG to conduct your next penetration test or device audit.
Topics Covered during this course
Day 1 Introduction to JTAG, OpenOCD, and GDB
We will discuss the background and purpose of JTAG including viewing JTAG logic analyzer captures. Then we will demonstrate and detail the OpenOCD software architecture and how it is used. Lastly, we will cover the OG debugger -- GDB.
- Analyze JTAG logic analyzer captures.
- Write an OpenOCD config file to connect to the target.
- Dump and restore memory to bypass a security check.
- Connect GDB to a running target without source.
- Perform basic GDB commands and interactions like examine memory and single step.
Day 2 Applied JTAG Hacking
This day will focus on slightly more complex applications, including U-Boot and Linux. We will discuss U-Boot and Linux memory management and boot sequences. We will also discuss the different boot modes of a System-on-Chip, which often include a JTAG mode, and when this can be used.
- Access peripherals via JTAG without involving the CPU core
- Extend OpenOCD with new adapters (this is an instructor demonstration; students may optionally perform it, as it requires additional hardware)
- Load applications from a processor booted directly into JTAG mode
- Examine and modify U-Boot from JTAG
- Examine and modify Linux from JTAG
- Arty Z7020 (NOT THE Z7010, please do not buy the Z7010) or the Pynq Z1 or Z2.
- MicroSD card, from 4GB up to 32GB.
- MicroUSB cable
- A device capable of "burning" a microSD card (i.e. a microSD reader/writer)
- A laptop or desktop that can communicate via a serial terminal (Tera Term, serial, tio, picocom, etc.) to the board.
- The host must run Ubuntu 20.04, either bare metal or via VMware. VirtualBox is not supported due to poor USB support, and neither is WSL.
- Students will be coding in Python, bash, and various configuration languages
- Students will need a basic understanding of machine architecture, basic assembly, and memory-mapped I/O
- We will be reviewing many things in C, but students will not need to code in C