Extract Firmware using JTAG/SWD

If you found an active JTAG/SWD interface on a PCB it can be used to extract the firmware in some cases.

Requirements

Hardware

  1. Target Device

  2. JTAG/SWD Debugger ( like ST-Link, J-Link, or Bus Pirate.

  3. JTAG/SWD Header/Pinout (TCK, TMS, TDI, TDO for JTAG or SWDIO, SWCLK for SWD).

  4. Jumper Wires (to connect the debugger to the target device)

  5. Power Source

Software

  1. Debugger-Tools: Open On-Chip Debugger (OpenOCD) or JLINK-Commander software for communicating with the JTAG/SWD interface.

  2. Drivers: Drivers for your specific debugger (e.g., ST-Link or J-Link drivers).

Steps to Extract Firmware Over JTAG/SWD

1. Identify JTAG/SWD Pins

  • Locate the JTAG or SWD pins on the target device. These are often labeled as follows:

    • JTAG Pins:

      • TCK (Test Clock)

      • TMS (Test Mode Select)

      • TDI (Test Data In)

      • TDO (Test Data Out)

      • GND (Ground)

    • SWD Pins:

      • SWDIO (Serial Wire Data Input/Output)

      • SWCLK (Serial Wire Clock)

      • GND (Ground)

  • Consult the device datasheet or use tools like a multimeter or datasheets to map out the connections.

2. Connect the Debugger

  • Use jumper wires to connect the JTAG/SWD pins on the target device to the corresponding pins on the debugger:

    • For JTAG: Connect TCK, TMS, TDI, TDO, and GND. (sometimes also RESET is needed)

    • For SWD: Connect SWDIO, SWCLK, and GND.

  • Make sure the connections are secure to avoid communication failures.

3. Set Up Software and Dump firmware

  1. Install OpenOCD to manage communication between your debugger and the target device.

  2. GDB: Install GNU Debugger for low-level device control.

Configure OpenOCD

  • OpenOCD needs to be configured with the appropriate settings for your device. You can use pre-existing configuration files or create your own. For example:

  • Create a configuration file (my_device.cfg) that defines the target and interface:

    interface jlink
    transport select jtag
    source [find target/stm32f1x.cfg]  ; for an STM32 device, adapt for others
  • Then, launch OpenOCD with:

  • openocd -f interface/jlink.cfg -f target/my_device.cfg

If the connection is correct we should see an output like this:

Open On-Chip Debugger 0.11.0 (2024-10-07) 
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
Info : J-Link V10 compiled Aug  3 2024 15:23:43
Info : Hardware version: 10.10
Info : VTarget = 3.300 V
Info : clock speed 1000 kHz
Info : JTAG tap: stm32f429x.cpu tap/device found: 0x2ba01477 (mfg: 0x23b, part: 0xba01, ver: 0x2)
Info : stm32f429x.cpu: hardware has 8 breakpoints, 4 watchpoints
Info : starting gdb server for stm32f429x.cpu on 3333
Info : Listening on port 4444 for telnet connections
Info : Listening on port 3333 for gdb connections

We can see that we have two options to interact with OpenOCD: telnet and gdb

Telnet:

  1. Connect to OpenOCD via Telnet:

Open a separate terminal and connect to the OpenOCD server:

telnet localhost 4444
  1. Successful connection output:

Once connected, you should see something like this:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
  1. Commands you can use via Telnet:

Here are a few example commands you might use via Telnet:

> reset halt                  # Reset and halt the target
> flash write_image erase firmware.bin 0x08000000  # Write firmware to flash memory
> mdw 0x08000000              # Read a memory word (32-bit) at the specified address
> mww 0x20000000 0x12345678   # Write a memory word (32-bit) to the specified address
> step                        # Step through the target's instructions
> resume                      # Continue execution

GDB:

# Launch GDB
arm-none-eabi-gdb

# Inside GDB, connect to OpenOCD via localhost on port 3333
(gdb) target remote localhost:3333

# Perform a reset and halt the target
(gdb) monitor reset halt

# Dump the firmware of the target
(gdb) dump binary memory <filename> <start-address> <end-address>
# example /Adjust the memory address range based on your target device’s memory map):
(gdb) dump binary memory firmware.bin 0x08000000 0x080FFFFF

# Continue execution
(gdb) continue

After dumping the firmware

=> Jump to the Analyze Firmware section

Resources

https://sergioprado.blog/2020-02-20-extracting-firmware-from-devices-using-jtag/ https://wrongbaud.github.io/posts/jtag-hdd/

Last updated