Playing with the JTAGulator

The JTAGulator is a tool designed by Joe Grand – the guy who made the DEFCON badges for years and was part of one of the first hackerspaces, L0pht. He did a Blackhat LV presentation on his newest open hardware, open source project called the JTAGulator. Its purpose is to help you figure out the pins of a JTAG or UART device. This is normally an annoying and time-consuming process.



JTAG (Joint Test Action Group) is just a name for a standard way of providing a debug interface to your hardware devices. What’s nice about it is with one interface, you can provide debugging capabilities to a variety of chips on your board. So if you have two microcontrollers, each of them can be separately accessed through one interface. Pretty cool.

Hackers have been using JTAG for years to reverse hardware. You might have seen it used when messing with router firmware to install DD-WRT or OpenWRT. For WRT supported routers, JTAG often gives you the ability to push a custom firmware onto a board or extract the firmware that is currently installed.

JTAG For Security

Of course, with all of my projects, I add a security twist. JTAG lets me gain low-level access to a device and see how it works. An interface may be able to dump an EEPROM which could contain the cryptographic keys that are securing another piece of memory on the chip. Or it could give me a serial console similar to a root terminal that lets me interact with a device like a computer. The point is, it’s a debuggable interface that I can exploit in a variety of ways to learn about how the device works.

You might wonder why these interfaces even exist on hardware since they give hackers the opportunity to access your hardware. Because JTAG is so useful for debugging, manufacturers actually use this interface the same way you would, to make sure the device is functioning properly. That’s why it’s highly likely you’ll find some kind of debug interface for your boards.

JTAGulator Setup

The JTAGulator connects to your computer using a micro-USB cable that shows up as a serial device. In Linux, that device will be something like /dev/ttyUSB0. It uses 115.2K baud 8N1. Once connected using something like minicom or gtkterm in Linux, you’ll see a prompt of available options. You can now start JTAGulating.

To connect the JTAGulator to a device, the board is designed to use the cables from a standard Bus Pirate board. You can either do that, or just use some alligator clips to connect to the pins. Either way, the board you’re working on is going to need to have the JTAG leads broken out so you can connect something to them. In my little Asus router that I found, these pins are pretty easy to access. I just soldered some cables on to them, and added a bit of glue to make sure they kept. :)

Asus Router with wires near JTAG leads

From this point, your router should be connected to the JTAGulator, your JTAGulator connected to your computer, and you should have a console interface waiting for directions.

The first step is to set the voltage. It has a range of 1.2 to 3.3V and this is going to be important for you to figure out beforehand. (If you don’t know how to figure out the voltage on your board, you can probably ask someone at Interlock to show you using a multimeter.) Then you can choose how you’d like to scan for JTAG. There are two options; one is more thorough and time-consuming, but I don’t have enough data to tell you which is better for which situation (feel free to chime in if you know). Either one will prompt you for which pins you’d like to test with, which should correspond to the pins you’ve connected on your JTAGulator. When you run it, it will attempt every possible combination of pins until it thinks it has found the right one. It also has a UART discovery mode.
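To give a feel for why a more thorough scan takes longer, here is an added example (not from the original post or the JTAGulator firmware) that brute-forces pin assignments against a simulated board and checks each reading against the IEEE 1149.1 IDCODE layout. `MockTarget`, the constructed IDCODE value and the 8-channel setup are assumptions for illustration, as is the split into a three-signal scan (TCK, TMS, TDO) and a four-signal scan that also needs TDI.

```python
from itertools import permutations
from math import perm

# Constructed sample IDCODE: version 0x1, part 0xABCD, manufacturer 0x155.
SAMPLE_IDCODE = (0x1 << 28) | (0xABCD << 12) | (0x155 << 1) | 1


def decode_idcode(word):
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields, or return None.

    Bit 0 of a valid IDCODE is always 1. All-ones or all-zeros usually
    means the sampled pin is pulled up or tied low, not a live TDO line.
    """
    if word in (0x00000000, 0xFFFFFFFF) or not (word & 1):
        return None
    return {
        "version": (word >> 28) & 0xF,
        "part": (word >> 12) & 0xFFFF,
        "manufacturer": (word >> 1) & 0x7FF,
    }


class MockTarget:
    """Hypothetical stand-in for a board: answers only if all pins match."""

    def __init__(self, tck, tms, tdo, idcode=SAMPLE_IDCODE):
        self.pins, self.idcode = (tck, tms, tdo), idcode

    def read_dr32(self, tck, tms, tdo):
        # A wrong guess reads back as a pulled-up line (all ones).
        return self.idcode if (tck, tms, tdo) == self.pins else 0xFFFFFFFF


def scan(target, channels):
    """Try every ordered (TCK, TMS, TDO) guess; return hit, fields, attempts."""
    for attempts, guess in enumerate(permutations(range(channels), 3), 1):
        fields = decode_idcode(target.read_dr32(*guess))
        if fields:
            return guess, fields, attempts
    return None, None, perm(channels, 3)


def search_space(channels):
    """Worst-case attempts: 3-signal scan vs. 4-signal scan (adds TDI)."""
    return perm(channels, 3), perm(channels, 4)
```

The search space stays small even as channels are added, which is why unlabelled or scattered test pads do not protect a debug port on their own.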

This is not the first JTAG discovery product out there but it’s the first I’ve used. I mentioned that the project is open source so here is a link to Joe’s site to help you build your own board if you want, or if you’re like me, you can buy them from a company like Adafruit, too.

Posted on October 16th, 2013

Can 3D-Printing and Computer Aided Design be of value in the Contemporary Urban Elementary School Curriculum?

The answer is a definitive YES!

During the past 4 weeks we tested this hypothesis as follows:

MacGyvrBot, a Personal Manufacturing Robot (also known as a table-top 3D-Printer) and Skip Meetze (both affiliated with INTERLOCK) volunteered to be part of the team teaching 4th, 5th and 6th Graders at School No. 52 in the Rochester City School District.  The 4 weeks of Tech Camp ran 3 mornings per week.  Michael Slade (another volunteer) and Susan Reuter (the teacher) rounded out the instructional team, and 20 students developed their skills at rapid prototyping while having fun learning some principles of physics.

America's Cup Toy Boat

The students each constructed an America’s Cup Toy Boat Kit (an STL file for the design can be downloaded at America’s Cup Toy Boat Kit by MacGyvrBot – Thingiverse) with soda straws and parts made on a Printrbot LC (Printrbot LC (v2) | printrbot). Then they conducted a “shoebox regatta” where the sailboats were each sailed in a plastic shoebox half full of water. The boats successfully (1) sailed on a reach (with wind from the side), (2) from one end of the box to the other, (3) without touching the side of the box, and (4) under the power of a student gently blowing through a straw from the side of the box.

This activity taught the students the basic principles of sailing while they developed confidence in their new skills of measuring materials (the straws) and assembling rapid prototypes (the boats) as MacGyvrBot chugged out the plastic parts right before their eyes.

Subsequently the students learned some basic skills in CAD using Tinkercad (Tinkercad – Mind to design in minutes) and Sketchup (SketchUp | 3D for Everyone).

At the end of the camp, students evaluated their experience by (anonymously) rating some of the lessons presented.

Student ratings

The students’ ratings clearly show that using the 3D Printer and CAD are at the top of the list of things they would like to do again.

MacGyvrBot in the classroom

A warning about Tinkercad:

There were special work-around requirements that we encountered for safely using the current version of Tinkercad with young students, and they will be further discussed in a later posting.  Tinkercad is resident on the internet cloud and not on the local computer, so continuous adult supervision is required (with an adult logged into the website) for Tinkercad to be safely used by kids (else the child’s access to sharing on the internet will be unsupervised).  Autodesk, the new owner of Tinkercad, is working on eliminating this requirement.

Parents and teachers, stay tuned… 

More about what we learned from participating in the Tech Camp will be discussed in later postings.  One of the neat things about rapid-prototyping in the classroom is the ease with which teachers, parents and designers can share their designs and ideas with each other.

Posted on August 2nd, 2013