JTAG Hacks

Learn how to hack embedded devices with JTAG, OpenOCD, and GDB.

Training starting at $1,800.00 with one of our subscriptions

Language: English

Embedded Hacking with JTAG, OpenOCD, and GDB

If only there were a way to completely control a microcontroller (MCU) or microprocessor (MPU) such that we could dump and restore memory, change register values, and access peripherals without the core being aware. Well, let us welcome you to one of the most common debug protocols: JTAG. In this course we will explore the capabilities and limitations of using JTAG to conduct your next penetration test or device audit.

Topics Covered during this course

Day 1 Introduction to JTAG, OpenOCD, and GDB

Theory

We will discuss the background and purpose of JTAG including viewing JTAG logic analyzer captures. Then we will demonstrate and detail the OpenOCD software architecture and how it is used. Lastly, we will cover the OG debugger -- GDB.

Assignments
  • Analyze JTAG logic analyzer captures.
  • Write an OpenOCD config file to connect to the target.
  • Dump and restore memory to bypass a security check.
  • Connect GDB to a running target without source.
  • Perform basic GDB commands and interactions such as examining memory and single-stepping.

Day 2 Applied JTAG Hacking

Theory

This day will focus on slightly more complex applications, including U-Boot and Linux. We will discuss U-Boot and Linux memory management and boot sequences. We will also discuss the different boot modes of a System-on-Chip, which often include a JTAG mode, and when this mode can be used.

Assignments
  • Access peripherals via JTAG without involving the CPU core.
  • Extend OpenOCD with new adapters (instructor demonstration; students may optionally follow along, as it requires additional hardware).
  • Load applications onto a processor booted directly into JTAG mode.
  • Examine and modify U-Boot from JTAG.
  • Examine and modify Linux from JTAG.

Class Requirements

  • Arty Z7020 (NOT the Z7010, please do not buy the Z7010) or the Pynq Z1 or Z2.
  • MicroSD card, 4 GB to 32 GB.
  • MicroUSB cable.
  • A device capable of "burning" a microSD card (i.e. a microSD reader/writer).
  • A laptop or desktop that can communicate with the board via a serial terminal (Tera Term, serial, tio, picocom, etc.).
  • The host must run Ubuntu 20.04, either bare metal or via VMware. VirtualBox is not supported due to poor USB support, and neither is WSL.

Class Prerequisites

  • Students will be coding in Python, bash, and various configuration languages.
  • Students will need a basic understanding of machine architecture, basic assembly, and memory-mapped I/O.
  • We will be reviewing many things in C, but students will not need to code in C.

Training by Josh Datko and Dmitry Nedospasov

Josh Datko is an embedded systems engineer, security researcher and former submarine officer. Josh is best known for his part in the NSA Playset, as well as his research into cryptocurrency wallets.

Dmitry is a hardware hacker, hardware design engineer, security researcher, speaker, and reverse engineer. Dmitry did his PhD in the field of IC security and PUFs.

Can't attend? All of our trainings are also available as private classes for your company.

Access all of our classes and professionally edited recordings.
All of our courses are also available as private trainings.
Courses are offered multiple times in different timezones.