Extract Firmware using JTAG/SWD
If you have found an active JTAG/SWD interface on a PCB, it can in some cases be used to extract the firmware.
Requirements
Hardware
Target Device
JTAG/SWD Debugger (like ST-Link, J-Link, or Bus Pirate)
JTAG/SWD Header/Pinout (TCK, TMS, TDI, TDO for JTAG or SWDIO, SWCLK for SWD).
Jumper Wires (to connect the debugger to the target device)
Power Source
Software
Debugger tools: Open On-Chip Debugger (OpenOCD) or J-Link Commander for communicating with the JTAG/SWD interface.
Drivers: Drivers for your specific debugger (e.g., ST-Link or J-Link drivers).
Steps to Extract Firmware Over JTAG/SWD
1. Identify JTAG/SWD Pins
Locate the JTAG or SWD pins on the target device. These are often labeled as follows:
JTAG Pins:
TCK (Test Clock)
TMS (Test Mode Select)
TDI (Test Data In)
TDO (Test Data Out)
GND (Ground)
SWD Pins:
SWDIO (Serial Wire Data Input/Output)
SWCLK (Serial Wire Clock)
GND (Ground)
Consult the device datasheet or use a multimeter to map out the connections.
2. Connect the Debugger
Use jumper wires to connect the JTAG/SWD pins on the target device to the corresponding pins on the debugger:
For JTAG: Connect TCK, TMS, TDI, TDO, and GND (sometimes RESET is also needed).
For SWD: Connect SWDIO, SWCLK, and GND.
Make sure the connections are secure to avoid communication failures.
3. Set Up Software and Dump firmware
OpenOCD: Install OpenOCD to manage communication between your debugger and the target device.
GDB: Install GNU Debugger for low-level device control.
Configure OpenOCD
OpenOCD needs to be configured with the appropriate settings for your device. You can use pre-existing configuration files or create your own. For example:
Create a configuration file (my_device.cfg) that defines the target and interface. Then, launch OpenOCD with:
If the connection is correct we should see an output like this:
We can see that there are two ways to interact with OpenOCD: Telnet and GDB.
Telnet:
Connect to OpenOCD via Telnet:
Open a separate terminal and connect to the OpenOCD server:
Successful connection output:
Once connected, you should see something like this:
Commands you can use via Telnet:
Here are a few example commands you might use via Telnet:
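The configuration file from the "Configure OpenOCD" step and the Telnet commands above can be combined into one OpenOCD script that runs non-interactively. The script below is an added example, not part of the original page, and it assumes an ST-Link V2 over SWD talking to an STM32F103 with 64 KiB of flash at 0x08000000; the interface script, target script, base address and size are assumptions that must be changed for your own board. The dump is read back with verify_image straight after dump_image, so an unstable connection (loose jumper wires, too fast an adapter clock) shows up as a mismatch instead of a silently corrupted image.

```tcl
# Added example: OpenOCD configuration and dump script for an assumed target
# (STM32F103, 64 KiB flash at 0x08000000, ST-Link V2 over SWD).
# Adjust interface, target script, base address and size for your own board.
source [find interface/stlink.cfg]
transport select hla_swd
source [find target/stm32f1x.cfg]

# Start with a slow adapter clock; raise it once the connection is stable.
adapter speed 1000

# Dump a memory region to a raw binary file and read it back to verify the capture.
proc dump_and_verify {filename base size} {
    halt
    # Read target memory into a raw binary file.
    dump_image $filename $base $size
    # Compare the file against target memory; reports a mismatch if the read was unstable.
    verify_image $filename $base bin
    resume
}

init
reset halt
# Print the detected flash banks so base/size can be checked against the datasheet.
flash banks
dump_and_verify firmware.bin 0x08000000 0x10000
shutdown
```

Save it as my_device.cfg and run it with openocd -f my_device.cfg; OpenOCD exits after shutdown and firmware.bin holds the dump. If the MCU has readout protection enabled, dump_image fails rather than returning the flash contents, and the verify step reports the dump as inconsistent. The same read can be done from GDB instead of Telnet: connect with target extended-remote :3333 and use dump binary memory firmware.bin 0x08000000 0x08010000 (addresses again assumed for this example).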
GDB:
After dumping the firmware
=> Jump to the Analyze Firmware section
Resources
https://sergioprado.blog/2020-02-20-extracting-firmware-from-devices-using-jtag/
https://wrongbaud.github.io/posts/jtag-hdd/