# OpenOCD - Beyond Simple Software Debugging

Oleksij Rempel - o.rempel@pengutronix.de



https://www.pengutronix.de

## Why I use OpenOCD?

- Reverse engineering and for fun
  - This is the main motivation behind this talk
- Debugging
- Testing



## My reverse engineering rules

- Investigate public materials
  - Standards
  - Documentation
  - Patterns
- Try to apply gained knowledge to similarly purposed systems
  - New technology is expensive and vendors are trying to reuse as much as possible
- Assumptions are OK!



- Everyone who used OpenOCD for software debugging or reverse engineering
- Everyone who has time to use OpenOCD on unsupported or untested HW
- Everyone who is interested in exploring HW from JTAG perspective



# History of JTAG

- 1986 Philips forms Joint European Test Action Group
- 1990 IEEE Standard 1149.11990 published
- JOURNAL OF ELECTRONIC TESTING: Theory and Applications, 2, 1125 (1991)



#### boundary scan





## **Boundary Scan**







- Now 2018, 28 years later...
- We are still using this technology but have no idea how to use it for the original purpose – boundary scan!
- Let's go back to the roots!!! ;)



### What is **BSDL**

- Boundary Scan Description Language
- 1149.1b-1994 "Supplement to IEEE Std 1149.1-1990, IEEE standard test access port and boundary-scan architecture"
- 1149.1-2001 "IEEE standard test access port and boundary-scan architecture"



## BSDL Example 1

| * File Name      | : STM32F302 F       | 303_B_C_LQFP100.bsd                            | 7    |
|------------------|---------------------|------------------------------------------------|------|
|                  | : STMicroelec       |                                                | 3    |
| * Version        | : V1.0              |                                                | 7    |
| * Date           | : 13-August-2       | 015                                            | 7    |
| * Description    | : Boundary Sc       | an Description Language (BSDL) file for the    | *    |
| *                |                     | 303_B_C_LQFP100 Microcontrollers.              | *    |
| ***********      | ******              | ***************************************        | ***  |
| * THE PRESENT SC | OFTWARE WHICH IS FO | R GUIDANCE ONLY AIMS AT PROVIDING CUSTOMERS    | 7    |
| * WITH CODING IN | FORMATION REGARDIN  | G THEIR PRODUCTS IN ORDER FOR THEM TO SAVE TIM | E. * |
| * AS A RESULT, S | STMICROELECTRONICS  | SHALL NOT BE HELD LIABLE FOR ANY DIRECT,       | 7    |
|                  |                     | S WITH RESPECT TO ANY CLAIMS ARISING FROM THE  | *    |
|                  |                     | THE USE MADE BY CUSTOMERS OF THE CODING        | *    |
|                  |                     | CONNECTION WITH THEIR PRODUCTS.                | 2    |
|                  |                     | ***************************************        | ***  |
|                  | e has been syntaxed | checked and validated by:                      |      |
| *                |                     |                                                |      |
| * GOEPEL Syntax  | hecker Version 3.1  |                                                | 7    |
| ***************  | ***************     | ***************************************        | ***  |
|                  |                     |                                                |      |
|                  |                     |                                                |      |
|                  | 303_B_C_LQFP100 is  |                                                |      |
|                  |                     | lt device package selected.                    |      |
|                  |                     | "LQFP100_PACKAGE");                            |      |
|                  | eclares all the por | ts in the design.                              |      |
| port (           |                     |                                                |      |
| BOOTO            | : in bit;           |                                                |      |
| JTDI             | : in bit;           |                                                |      |
| JTMS             |                     |                                                |      |
| JTCK             |                     |                                                |      |
| JTRST<br>JTDO    | : out bit;          |                                                |      |
| NRST             | : in bit;           | modification to add COMPLIANCE PATTERNS        |      |
| ГСИИ             | : th bit;           | MOULT COLLON TO AND COMPLIANCE_PATTERNS        |      |
|                  |                     |                                                |      |



#### **BSDL Example 2**

attribute INSTRUCTION\_LENGTH of STM32F302\_F303\_B\_C\_LQFP100: entity is 5;

-- Specifies the boundary-scan instructions implemented in the design and their opcodes.

attribute INSTRUCTION\_OPCODE of STM32F302\_F303\_B\_C\_LQFP100: entity is
"BYPASS (11111)," &
"EXTEST (00000)," &
"SAMPLE (00010)," &
"PRELOAD (00010)," &
"IDCODE (00001)":

- -- Specifies the bit pattern that is loaded into the instruction register when the TAP controller
- -- passes through the Capture-IR state. The standard mandates that the two LSBs must be "01". The
- -- remaining bits are design specific.

attribute INSTRUCTION\_CAPTURE of STM32F302\_F303\_B\_C\_LQFP100: entity is "XXX01";

-- Specifies the bit pattern that is loaded into the DEVICE\_ID register during the IDCODE -- instruction when the TAP controller passes through the Capture-DR state.

attribute IDCODE\_REGISTER of STM32F302\_F303\_B\_C\_LQFP100: entity is "XXXX" & -- 4-bit version number "0110010000100010" & -- 16-bit part number "00000100000" & -- 11-bit identity of the manufacturer "1"; -- Required by IEEE Std 1149.1

-- This section specifies the test data register placed between TDI and TDO for each implemented -- instruction.

```
attribute REGISTER_ACCESS of STM32F302_F303_B_C_LQFP100: entity is
"BYPASS (BYPASS)," &
"BOUNDARY (EXTEST, SAMPLE, PRELOAD)," &
"DEVICE_ID (IDCODE)";
```



## BSDL Example 3

attribute BOUNDARY\_LENGTH of STM32F302\_F303\_B\_C\_LQFP100: entity is 250;

| TI | following list specifies the characteristics of each cell in the boundary scan register from | m |
|----|----------------------------------------------------------------------------------------------|---|
| TI | to TDO. The following is a description of the label fields:                                  |   |
|    | num : Is the cell number.                                                                    |   |
|    | cell : Is the cell type as defined by the standard.                                          |   |
|    | port : Is the design port name. Control cells do not have a port name.                       |   |
|    | function: Is the function of the cell as defined by the standard. Is one of input, output2,  | , |
|    | output3, bidir, control or controlr.                                                         |   |
|    | safe : Specifies the value that the BSR cell should be loaded with for safe operation        |   |
|    | when the software might otherwise choose a random value.                                     |   |
|    | ccell : The control cell number. Specifies the control cell that drives the output enable    | e |
|    | for this port.                                                                               |   |
|    | disval : Specifies the value that is loaded into the control cell to disable the output      |   |
|    | enable for the corresponding port.                                                           |   |
|    | rslt : Resulting state. Shows the state of the driver when it is disabled.                   |   |

attribute BOUNDARY REGISTER of STM32F302 F303 B C LOFP100: entity is

| <br>num | cell   | port | function | safe | [ccell | disval | rslt] |   |   |
|---------|--------|------|----------|------|--------|--------|-------|---|---|
| <br>    |        |      |          |      |        |        |       |   |   |
| <br>    |        |      |          |      |        |        |       |   |   |
| "249    | (BC_1, | *,   | CONTROL, | 1),  |        |        |       |   | & |
| "248    | (BC_1, | PE2, | OUTPUT3, | Х,   | 249,   | 1,     | Z),   | п | & |
| "247    | (BC_4, | PE2, | INPUT,   | X),  |        |        |       |   | & |
| "246    | (BC_1, | *,   | CONTROL, | 1),  |        |        |       |   | & |
| "245    | (BC_1, | PE3, | OUTPUT3, | х,   | 246,   | 1,     | Z),   |   | & |
| "244    | (BC_4, | PE3, | INPUT,   | X),  |        |        |       | п | & |
| "243    | (BC 1, | *,   | CONTROL, | 1),  |        |        |       |   | & |
| "242    | (BC_1, | PE4, | OUTPUT3, | Х,   | 243,   | 1,     | Z),   |   | & |
| "241    | (BC_4, | PE4, | INPUT,   | X),  |        |        |       | п | & |



### The road map

- How to get JTAG access on modern SoCs.
- Exploring diferent TAPs and seeking BS register
- Reading BSDL files.
- Unfriendly vendor and no BSDL file, trying to reverse engineer it.
- Practical example.
- Combine CPU and BS tests? Is it possible?



# Exploring JTAG port

- In the perfect world, we would have a dedicated JTAG connector in accordance with some valid specification, working all the time from power on till power off.
- The reality is different:
  - In many cases JTAG pins are enabled by the SoC ROM, with some delay after power on (or power cycle)
  - The pins have JTAG functionality only limited time after some event
  - Many TAPs and DAPs with some differences from default or wellknown specifications

Welcome to the JTAG zoo!



## **Getting JTAG access**

- There are two states:
  - It just works!
  - Go with me, I'll show you how some vendors do it! :D



## Exploring JTAG port (time frames)



16/39

- Most of the Allwinner SoCs have JTAG multiplexed with SD card signals. It is not a secret, but not welldocumented
- This port can be used only within a short time frame:
  - Some X millisecs after power on JTAG gets enabled
  - X+Yms after power on this port is switched from JTAG to SD, so we have just a small window to access JTAG



- Remote controllable bench power supply and logic analyser are your friends
- Use adapter\_nsrst\_delay
- Increase adapter\_khz speed to fit to narrow time frame
- Add some pull-up resistor to the TDI line and measure it





1. no pull-ups, 2. pull-ups on 1,2,3,4

| 800   |                          |  |           | Saleae Lo | ogic 1.2.29 Beta - | [Connected] – [50, | 00 MHz Digital, 10 | 00,0 s] |              |  | Opt                        | ions 🔻 |
|-------|--------------------------|--|-----------|-----------|--------------------|--------------------|--------------------|---------|--------------|--|----------------------------|--------|
|       |                          |  |           |           |                    |                    |                    |         | 2 s : 460 ms |  | Annotations                | +      |
| oture | × .                      |  | 🗬 +3 ms 🚱 |           |                    |                    |                    |         |              |  | 🔻 🦿 🤇 Timing Marker Pair   |        |
|       | <b>\$</b> + <del>5</del> |  |           |           |                    |                    |                    |         |              |  | A1 - A2   = 0,4719400000 n |        |
|       | <b>\$</b> +F             |  |           |           |                    |                    |                    |         |              |  |                            |        |
|       | ¢ +5                     |  |           |           |                    |                    |                    |         |              |  |                            |        |
|       | ¢ ++                     |  |           |           |                    |                    |                    |         |              |  |                            |        |
|       | 🌣 ++                     |  |           |           |                    |                    |                    |         |              |  |                            |        |
|       |                          |  |           |           |                    |                    |                    |         |              |  |                            |        |

|  |                  |    |      |       |  |  |  |   |  |  |       | Annotations                         | +   |
|--|------------------|----|------|-------|--|--|--|---|--|--|-------|-------------------------------------|-----|
|  | <b>T</b>         | 15 | +5 🛺 | +6 ms |  |  |  |   |  |  | +9 ms | Timing Marker Pair                  | ▼ ☆ |
|  | <b>\$</b> +₹     |    |      |       |  |  |  |   |  |  |       | <u>A1</u> - <u>A2</u>   = 0,4787400 |     |
|  | <b>\$</b> +₹     |    |      | [     |  |  |  | [ |  |  |       |                                     |     |
|  | <b>\$</b> +₹     |    |      |       |  |  |  | 1 |  |  |       |                                     |     |
|  | ✿ + <sub>₹</sub> |    |      |       |  |  |  |   |  |  |       |                                     |     |
|  | <b>⇔</b> +£      |    |      |       |  |  |  |   |  |  |       |                                     |     |



| Start      |              |           |        |       |  |      |  |  |  |  |       |
|------------|--------------|-----------|--------|-------|--|------|--|--|--|--|-------|
| Start      | × 1          |           | +5 🐺 🦉 | +6 ms |  |      |  |  |  |  | +9 ms |
| 00 Vcc     | ¢ +5         |           |        |       |  |      |  |  |  |  |       |
| 01 D0/TDI  | ¢ +7         |           |        |       |  |      |  |  |  |  |       |
| 02 D1/TMS  | ¢ +f         |           |        |       |  |      |  |  |  |  |       |
| 03 D2/TCK  | <b>\$</b> +7 |           |        |       |  |      |  |  |  |  |       |
| 04 CMD/TD0 | ¢ +5         |           |        |       |  |      |  |  |  |  |       |
|            | "-           | PW O      | N      |       |  |      |  |  |  |  |       |
|            |              | PW O<br>J |        |       |  | ~8ms |  |  |  |  |       |
|            |              |           |        |       |  |      |  |  |  |  |       |
|            |              |           |        |       |  |      |  |  |  |  |       |
|            |              |           |        |       |  |      |  |  |  |  |       |
|            |              |           |        |       |  |      |  |  |  |  |       |
|            |              |           |        |       |  |      |  |  |  |  |       |
|            |              |           |        |       |  |      |  |  |  |  |       |
|            |              |           |        |       |  |      |  |  |  |  |       |



## Exploring JTAG port (Open Sesame)





## Exploring JTAG port (Open Sesame)

 Nicely documented JTAG/ICSP interfaces made by Microchip for PIC32xx series

FIGURE 7-1: ENTERING ENHANCED ICSP<sup>™</sup> MODE







# Exploring the internals



- Let's assume we got access to the SoC, what can we explore?
- TAP test access port
- Typical instructions provided by a TAP:
  - IDCODE
  - Boundary scan
  - Bypass



## Exploring the internals

- The times they are a-changin', after 28 years internals are a bit more complicated
- Let's take as example STM32 and do following steps:
  - Find the right TAP
  - Find the right Instruction
  - Find the right Bits



## Find the right TAP





#### Find the right Instruction

attribute INSTRUCTION\_LENGTH of STM32F302\_F303\_B\_C\_LQFP100: entity is 5;

-- Specifies the boundary-scan instructions implemented in the design and their opcodes.

attribute INSTRUCTION\_OPCODE of STM32F302\_F303\_B\_C\_LQFP100: entity is "BYPASS (11111)," & "EXTEST (00000)," & "SAMPLE (00010)," & "PRELOAD (00010)," &

"IDCODE (00001)";

-- Specifies the bit pattern that is loaded into the instruction register when the TAP controller -- passes through the Capture-IR state. The standard mandates that the two LSBs must be "01". The -- remaining bits are design specific.

attribute INSTRUCTION\_CAPTURE of STM32F302\_F303\_B\_C\_LQFP100: entity is "XXX01";

Specifies the bit pattern that is loaded into the DEVICE\_ID register during the IDCODE
instruction when the TAP controller passes through the Capture-DR state.

attribute IDCODE\_REGISTER of STM32F302\_F303\_B\_C\_LQFP100: entity is "XXXX" & -- 4-bit version number "0110010000100010" & -- 16-bit part number "00000100000" & -- 11-bit identity of the manufacturer "1"; -- Required by IEEE Std 1149.1

-- This section specifies the test data register placed between TDI and TDO for each implemented -- instruction.

```
attribute REGISTER_ACCESS of STM32F302_F303_B_C_LQFP100: entity is
"BYPASS (BYPASS)," &
"BOUNDARY (EXTEST, SAMPLE, PRELOAD)," &
"DEVICE_ID (IDCODE)";
```



# Find the right Bits

| "154 | (BC_4, | PE7,  | INPUT,   | X), |                           |        |           | " & |
|------|--------|-------|----------|-----|---------------------------|--------|-----------|-----|
| "153 | (BC_1, | *,    | CONTROL, | 1), |                           |        |           | "&  |
| "152 | (BC_1, | PE8,  | OUTPUT3, | Х,  | 153,                      | 1,     | Z),       | "&  |
| "151 | (BC_4, | PE8,  | INPUT,   | X), |                           |        |           | " & |
| "150 | (BC_1, | *,    | CONTROL, | 1), |                           |        |           | " & |
| "149 | (BC_1, | PE9,  | OUTPUT3, | Х,  | 150,                      | 1,     | Z),       | "&  |
| "148 | (BC_4, | PE9,  | INPUT,   | X), |                           | 100000 | 600000000 | "&  |
| "147 | (BC_1, | *,    | CONTROL, | 1), |                           |        |           | " & |
| "146 | (BC_1, | PE10, | OUTPUT3, | Х,  | 147,                      | 1,     | Z),       | " & |
| "145 | (BC 4, | PE10, | INPUT,   | X), | 1.53                      | 100    | 13.07%    | " & |
| "144 | (BC_1, |       | CONTROL, |     |                           |        |           |     |
| "143 | (BC_1, | PE11, | OUTPUT3, | х,  | 144,                      |        | Z),       |     |
| "142 | (BC_4, | PE11, | INPUT,   | x), |                           |        |           | "&  |
| "141 | (BC_1, | *,    | CONTROL, | 1), |                           |        |           | " & |
| "140 | (BC_1, | PE12, | OUTPUT3, | х,  | 141,                      | 1,     | Z),       | " & |
| "139 | (BC_4, | PE12, | INPUT,   | X), |                           |        |           | " & |
| "138 | (BC_1, | *,    | CONTROL, | 1), |                           |        |           | " & |
| "137 | (BC_1, | PE13, | OUTPUT3, | Х,  | 138,                      | 1,     | Z),       | "&  |
| "136 | (BC_4, | PE13, | INPUT,   | X), |                           |        |           | " & |
| "135 | (BC_1, | *,    | CONTROL, | 1), |                           |        |           | " & |
| "134 | (BC_1, | PE14, | OUTPUT3, | Х,  | 135,                      | 1,     | Z),       | " & |
| "133 | (BC_4, | PE14, | INPUT,   | X), |                           |        |           | "&  |
| "132 | (BC_1, | *,    | CONTROL, | 1), |                           |        |           | " & |
| "131 | (BC_1, | PE15, | OUTPUT3, | Х,  | 132,                      | 1,     | Z),       | " & |
| "130 | (BC_4, | PE15, | INPUT,   | X), |                           |        |           | " & |
| "129 | (BC_1, | *,    | CONTROL, | 1), |                           |        |           | "&  |
| "128 | (BC_1, | PB10, | OUTPUT3, | х,  | 129,                      | 1,     | Z),       | "&  |
| "127 | (BC_4, | PB10, | INPUT,   | X), | 1000 1000 100 <b>1</b> 00 | 1000 C |           | " & |



# Exploring JTAG port (BS on STM32)

- Video demonstration of using JTAG boundary scan on STM32F3
- The bsr.tcl script by Paul Fertser
  - Init BS TAP
  - Scan for floating PADs
  - Scan for changed PADs after adding pull-up/down.
  - Test related control bits for given PAD. For example:
    - Bit 142 read input state
    - Bit 143 set output state
    - Bit 144 switch between input and output mode.



## Exploring JTAG port (BS on STM32)



#### Crazy idea:

#### What if we configure a pin from GPIO peripheral and test it with BS?







# Exploring JTAG port (GPIO + BS on STM32)

- Is it possible with JTAG BS to read a PAD which was configured by GPIO peripheral? Yes! At least on some SoCs
- Steps made in following video:
  - Start JTAG and halt CPU.
  - Enable CLK for GPIO controller.
  - Measure PAD with GPIO, then switch the PAD to output mode
  - Switch to the JTAG BS mode and read out PAD state



## Exploring JTAG port (GPIO + BS on STM32)



# Exploring JTAG port (GPIO + BS on PIC32)

- Same test on PIC32
- Suddenly it needed more work than expected
- PIC32xx has multiple taps but not connected in chain so BYPASS instruction is not applicable. We have here two vendor instructions: switch to MTAP and switch to ETAP
- The BS is available on MTAP



## Exploring JTAG port (GPIO + BS on PIC32)



36/39

# Exploring JTAG port (GPIO + BS on iMX6)

- Same test on iMX6
- BS is implemented on SJC TAP
- This was fast, the BS instruction is directly connected to reset controller. Executing BS will automatically put CPU in reset state
- BS should still be possible with correctly configured bootstrap pins (see the SoC manual)



# Exploring JTAG on iMX6

- Implemented and tested TAPs for iMX6:
  - MPCore, Cortex-A9
- Not implemented or not upstreamed parts:
  - Everything else :)



Figure 56-1. System JTAG Controller (SJC) Block Diagram



# Thank you!

#### Questions?



https://www.pengutronix.de