Jtag files

What if you forgot your credentials and lost access to the device? One possibility to regain access is to extract and change the firmware image. If you are a security researcher, you may want to extract the firmware of the device to look for vulnerabilities in the software.

And what if the device is very old and is no longer being manufactured or sold by the vendor? You may want to clone it, and extracting the firmware image will be essential in this process. As we can see, there are many situations that can motivate us to extract the firmware from an electronic device.

Many manufacturers of devices such as routers and cameras publish updated firmware images on their websites, so that customers can download them and update the device.

In this case, the effort to extract the firmware is zero! Otherwise, we can identify and remove the memory chip from the board, solder it onto another board and read the firmware out. It works, but it can be quite painful and a little risky: there is a possibility of burning the memory chip during the extraction process. Likewise, with access to a command-line terminal on the device's operating system (serial, SSH, etc.), the firmware can be copied out directly. As we can see, different techniques can be used to extract the firmware from a device, depending on the situation.

In this system (the bed-of-nails test fixture), the PCB was designed with several test points to be connected to a test board, and this test board performed several checks on the connections and electronic components of the board.

As the complexity of PCBs increased, it became difficult and complicated to design a bed-of-nails fixture for them. Over time, JTAG has become one of the most popular interfaces for testing electronic circuits, gaining other features such as debugging and programming flash devices. The TAP (Test Access Port) interface implements a finite state machine (16 states) that gives access to a group of registers (IR, DR) used to instrument the chip. Through this state machine, it is possible to select an operation via the IR (Instruction Register) and pass parameters or check the result via the DR (Data Register).

The size of the IR register and the number of instructions supported is defined by the chip manufacturer.

For example, a 5-bit IR register supports up to 32 instructions. Each instruction has its own DR (Data Register), which has a variable size. In addition to the instructions defined by the standard, the chip manufacturer can implement other instructions as needed. As we can see on line 29, the JTAG interface of this microcontroller supports up to 32 instructions (5 bits).

With JTAG we can control the execution of the firmware (stop the execution, inspect the memory, configure breakpoints, execute the code step-by-step, etc.). As we can see, the JTAG interface is perfect for inspecting the execution of the firmware, finding vulnerabilities and exploiting the device.
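To make the 16-state machine and the IR/DR mechanism concrete, here is an added Python model of a TAP controller. It is example code written for this page, not code from the original article or from any vendor's tooling. It assumes a hypothetical chip with a 5-bit IR (so up to 32 instructions), the standard all-ones BYPASS opcode, an assumed IDCODE opcode of 0b00001, and a constructed 32-bit IDCODE value; a real chip's opcodes and register lengths come from its datasheet or BSDL file.

```python
"""Software model of a JTAG TAP controller: the 16-state machine driven by
TMS, a 5-bit IR, and the IDCODE/BYPASS data registers.  Constructed example;
the IDCODE opcode and the chip's IDCODE value are made-up stand-ins."""

# TMS-driven state transition table of the IEEE 1149.1 TAP controller.
# Each entry is (next state when TMS=0, next state when TMS=1).
TAP_NEXT = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE":    ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN":   ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR":       ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR":         ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR":         ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR":         ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR":         ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN":   ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR":       ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR":         ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR":         ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR":         ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR":         ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}

IR_LEN = 5                      # 5-bit IR: up to 32 instructions
BYPASS = 0b11111                # the standard reserves the all-ones opcode for BYPASS
IDCODE = 0b00001                # assumed opcode for this hypothetical chip
# Constructed 32-bit IDCODE: version 1, part 0x1234, manufacturer 0x1F, LSB 1.
CHIP_IDCODE = (0x1 << 28) | (0x1234 << 12) | (0x1F << 1) | 1   # 0x1123403F
DR_LEN = {IDCODE: 32, BYPASS: 1}   # data register length selected by each opcode


class Tap:
    def __init__(self):
        self.state = "TEST_LOGIC_RESET"
        self.ir = IDCODE            # reset loads IDCODE into the IR
        self.ir_shift = 0
        self.dr_shift = 0
        self.dr_len = 1

    def clock(self, tms, tdi):
        """One TCK cycle: shift if in a Shift state, then follow TMS."""
        tdo = 0
        if self.state == "SHIFT_IR":
            tdo = self.ir_shift & 1                      # LSB leaves on TDO
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (IR_LEN - 1))
        elif self.state == "SHIFT_DR":
            tdo = self.dr_shift & 1
            self.dr_shift = (self.dr_shift >> 1) | (tdi << (self.dr_len - 1))
        self.state = TAP_NEXT[self.state][tms]
        if self.state == "CAPTURE_IR":
            self.ir_shift = 0b00001      # standard IR capture pattern ends in "01"
        elif self.state == "CAPTURE_DR":
            self.dr_len = DR_LEN.get(self.ir, 1)   # unknown opcodes act as BYPASS
            self.dr_shift = CHIP_IDCODE if self.ir == IDCODE else 0
        elif self.state == "UPDATE_IR":
            self.ir = self.ir_shift      # the shifted-in opcode takes effect here
        elif self.state == "TEST_LOGIC_RESET":
            self.ir = IDCODE
        return tdo


def reset(tap):
    """Five TMS=1 clocks reach Test-Logic-Reset from any state; then go to Idle."""
    for _ in range(5):
        tap.clock(1, 0)
    tap.clock(0, 0)


def scan(tap, value, nbits, register):
    """From Run-Test/Idle, shift `nbits` of `value` (LSB first) through the
    IR or DR path and return the bits shifted out on TDO, LSB first."""
    tap.clock(1, 0)                            # Select-DR-Scan
    if register == "IR":
        tap.clock(1, 0)                        # Select-IR-Scan
    tap.clock(0, 0)                            # Capture
    tap.clock(0, 0)                            # Shift
    out = 0
    for i in range(nbits):
        last = i == nbits - 1                  # last bit leaves via TMS=1 -> Exit1
        out |= tap.clock(1 if last else 0, (value >> i) & 1) << i
    tap.clock(1, 0)                            # Exit1 -> Update
    tap.clock(0, 0)                            # Update -> Run-Test/Idle
    return out


def read_idcode(tap):
    reset(tap)                                 # IR now holds IDCODE
    return scan(tap, 0, 32, "DR")


def bypass_shift(tap, data, nbits):
    """Select BYPASS and push `data` through the 1-bit bypass register;
    returns (captured IR pattern, output), the output being the input
    delayed by exactly one clock."""
    captured_ir = scan(tap, BYPASS, IR_LEN, "IR")
    return captured_ir, scan(tap, data, nbits, "DR")


if __name__ == "__main__":
    tap = Tap()
    print(f"IDCODE: 0x{read_idcode(tap):08x}")
    ir_cap, out = bypass_shift(tap, 0b10110010, 8)
    print(f"IR capture pattern: {ir_cap:05b}, bypass output: {out:08b}")
```

The reset helper relies on a property of the state table: five consecutive TMS=1 clocks reach Test-Logic-Reset from any state, which is how a debugger synchronises with a TAP whose state it does not know. The bypass run shows the one-clock delay through the 1-bit BYPASS register, the same effect tools use to count the devices on a scan chain.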

Looking to the future, industry activities to extend JTAG into 3D-IC testing, system-level testing, and high-speed testing are already underway, proving that the versatility and extensibility of JTAG are here to stay.

Boundary-scan cells created using multiplexer and latch circuits are attached to each pin on the device. These cells, embedded in the device, can capture data from pin or core logic signals as well as force data onto pins.

Forced test data is serially shifted into the boundary-scan cells. All of this is controlled from a serial data path called the scan path or scan chain.

Figure 3. Basic principles of an interconnect test.

Because each pin can be individually controlled, boundary-scan eliminates a large number of test vectors that would normally be needed to properly initialize sequential logic.

Using JTAG, tens or hundreds of test vectors may do the job that had previously required thousands. Boundary-scan enables shorter test times, higher test coverage, increased diagnostic capability, and lower capital equipment cost. The principles of interconnect test using boundary-scan components are illustrated in Figure 3. Two boundary-scan compliant devices are connected with four nets.

The first device includes four outputs that are driving the four inputs of the other with predefined values.

In this case, we assume that the circuit includes two faults: a short fault between Net2 and Net3, and an open fault on Net4. We will also assume that a short between two nets behaves as a wired-AND and an open fault behaves as a stuck-at-1 condition. To detect and isolate defects, the tester shifts the patterns shown in Figure 3 into the first boundary-scan register and applies these patterns to the inputs of the second device.

The standard accounts for the addition of device-specific instructions and registers that can be used to interact with additional IC capabilities. More recently, embedded IC instrumentation—from instruments that measure voltage and current to devices that can execute high-speed test on the chip—has used the JTAG TAP as the access mechanism, providing new visibility into the IC and further expanding the scope of JTAG testing.

The input values captured in the boundary-scan register of the second device are shifted out and compared to the expected values. In this case, the results (underlined and marked in red on Net2, Net3, and Net4 in Figure 3) do not match the expected values, and the tester tags these nets as faulty.

If communication can be verified, there cannot be an open-circuit fault. This type of testing can be very simple, for example lighting an LED and asking an operator to verify that it has activated, or more complex, for example writing data into the memory array of a RAM and reading it back.
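The interconnect test described above, worked through in code. This is an added Python example, not code from the original article or from any tool vendor: device 1 drives four nets from its boundary-scan cells, device 2 captures them, and the fault model is the one in the text (a wired-AND short between Net2 and Net3, a stuck-at-1 open on Net4). The net names and the patterns are constructed here; rather than reproducing the figure's exact vectors, the example generalises to any number of nets with a counting sequence plus its complement, and adds a simple diagnosis step on top of the pass/fail tagging.

```python
"""Boundary-scan interconnect test, modelled in software.  Two JTAG devices
are joined by N nets; device 1 drives patterns from its boundary-scan
cells and device 2 captures them.  Fault model: a short behaves as
wired-AND, an open input floats to stuck-at-1.  Constructed example."""

import math


def generate_patterns(nets):
    """Give each net a unique k-bit code that is neither all-0 nor all-1,
    drive one code bit per vector, then drive the complement of every vector.
    The complement pass guarantees every pair of nets is driven to opposite
    values in both orders (so a wired-AND short shows on both nets) and that
    every net is driven both 0 and 1 (so a stuck-at fault on either value
    shows)."""
    k = math.ceil(math.log2(len(nets) + 2))
    codes = {net: i + 1 for i, net in enumerate(nets)}      # 1..N, never 0 or 2^k-1
    base = [{net: (codes[net] >> bit) & 1 for net in nets} for bit in range(k)]
    complements = [{net: 1 - v[net] for net in nets} for v in base]
    return base + complements


def capture_with_faults(driven, shorts=(), opens=()):
    """Model what device 2's boundary-scan cells capture for one vector."""
    received = dict(driven)
    for a, b in shorts:                       # wired-AND: both nets see the AND
        received[a] = received[b] = driven[a] & driven[b]
    for net in opens:                         # open input floats high
        received[net] = 1
    return received


def run_interconnect_test(nets, shorts=(), opens=()):
    """Shift each pattern into device 1, capture at device 2, compare.
    Returns the set of nets tagged faulty plus a heuristic per-net diagnosis:
    a constant capture history means stuck-at/open, identical histories on
    two faulty nets mean they are tied together by a short."""
    vectors = generate_patterns(nets)
    expected = {net: [v[net] for v in vectors] for net in nets}
    captured = [capture_with_faults(v, shorts, opens) for v in vectors]
    actual = {net: [c[net] for c in captured] for net in nets}
    faulty = {net for net in nets if actual[net] != expected[net]}

    diagnosis = {}
    for net in nets:
        if net not in faulty:
            diagnosis[net] = "ok"
        elif len(set(actual[net])) == 1:
            diagnosis[net] = f"stuck-at-{actual[net][0]} (open)"
        else:
            peers = [o for o in nets if o in faulty and o != net
                     and actual[o] == actual[net]]
            diagnosis[net] = ("shorted with " + ", ".join(peers)) if peers else "mismatch"
    return faulty, diagnosis


if __name__ == "__main__":
    NETS = ["Net1", "Net2", "Net3", "Net4"]
    faulty, diag = run_interconnect_test(
        NETS, shorts=[("Net2", "Net3")], opens=["Net4"])
    for v in generate_patterns(NETS):
        print("drive:", " ".join(f"{n}={v[n]}" for n in NETS))
    for net in NETS:
        print(f"{net}: {diag[net]}")
```

With the faults from the text, Net2, Net3 and Net4 are tagged faulty and Net1 passes, matching the figure's result; the diagnosis step then separates the short pair from the open. The heuristic is deliberately simple (two independent opens floating to the same value would also look "identical"), which is why production tools use richer pattern sets and fault dictionaries.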

The library files contain models for all types of non-JTAG devices, from simple resistors and buffers to complex memory devices such as DDR3. Because boundary scan disconnects the control of the pins on JTAG devices from their functionality, the same model can be used irrespective of the JTAG device controlling a peripheral. Most boards already contain JTAG headers for programming or debug, so there are no extra design requirements. In order to run any boundary-scan-based testing, it is necessary to have some information about the implementation of JTAG on the enabled devices on a board.

Not at all. One of the key benefits to boundary scan testing is that the only test hardware required is a JTAG controller. Using boundary scan during board bring-up can remove uncertainties — hardware engineers can test prototype boards for manufacturing defects before system testing, and even before firmware is complete.

Test systems developed at this early stage of the product lifecycle can easily be reused and extended for production. Each BGA device on a board imposes severe restrictions on the testing that can be done using traditional bed-of-nails or flying-probe machines. The non-recurring engineering (NRE) costs of building test fixtures can be prohibitively high.

For boards with low production volumes, it has always been difficult to justify the cost of test fixture development.