This is an old revision of the document!


JTAG Reverse Engineering

Introduction

JTAG is a rather ubiquitous technology for debugging and testing circuit boards, integrated circuits, and embeded software. JTAG stands for Joint Test Action Group and the standard was initially developed to enable testing of assembled circuit boards. With the invention of surface mount components and the continual increase in complexity and desnity of circuit boards, the JTAG interface allowed for non-intrusive testing of all of a board's connections at a cost of 4 pins per chip and a single JTAG header on the board.

This application of JTAG is called 'boundary scan' and it allows the JTAG TAP (test access port) on the chip to take control of all of its IO pins. When multiple chips with JTAG TAPs are installed on a board, their JTAG interfaces can be daisy-chained into a JTAG scan chain. This enables a single test connector on the board to access all of the JTAG controllable I/O pins at he same time, allowing boundary scan software to check all of the connections in the board's netlist for any faults.

Later on, JTAG was extended to also access the interior of the chip as well. JTAG can be used on many chips for loading firmware and configuration information as well as debugging embedded software. This makes JTAG a very powerful tool for not only manufacture but also development of complex circuitry. With JTAG, a board can be tested and programmed in a sigle step during manufacture. The same JTAG port can also be used for development and debugging of device firmware.

The capabilities of the JTAG TAP also make it a very good tool for reverse-engineering PCBs. The ability to control the I/O pins of chips on a JTAG scan chain can be used not only to check a netlist, but also to reconstruct one. The JTAG TAP can also be used to download firmware and configuration information for disassembly and further reverse-engineering.