Electronic circuits and devices are getting smaller and exponentially more complex. When they were large, they could be tested with test probes on the bottom of the board. That method had its problems, but it worked. Today, components are mounted on both sides of a circuit board, so no attachment points are left for the test equipment.
Joint Test Action Group (JTAG) is a commonly used synonym for the IEEE standard 1149.1, which describes a methodology for testing and debugging integrated circuits, i.e. hardware on printed circuit boards. The most prominent method, and the first implemented by the JTAG working group, is the boundary scan test according to IEEE 1149.1. With the addition of further methods the two terms are no longer synonymous, while the description language, the Boundary Scan Description Language (BSDL), retained the original name from the IEEE working group.
The purpose of the method is to test integrated circuits (ICs) for function while they are already in their working environment, for example soldered onto a circuit board. For this purpose, a JTAG-capable device contains additional circuitry that is completely isolated during normal operation and therefore does not interfere with the function of the component. Only by activating the JTAG function via a specific pin, the Test Mode Select input, can the hardware system be influenced and controlled with the help of these additional components. JTAG’s interface to the outside world is implemented as a shift register. A JTAG component essentially consists of the following parts:
- The Test Access Port (TAP) with the control lines, generally also called the JTAG port or JTAG interface.
- The TAP controller, a state machine that controls the test logic.
- Two shift registers, the “Instruction Register” (IR) and the “Data Register” (DR).
Test Access Port
The Test Access Port (TAP) consists of five control lines:
- Test Data Input (TDI). Serial input of the shift registers.
- Test Data Output (TDO). Serial output of the shift registers.
- Test Clock (TCK). The clock signal for the entire test logic.
- Test Mode Select (TMS). This controls the state machine of the TAP controller.
- Test Reset (TRST). Resets the test logic. This line is optional, as a reset can also be triggered via the TAP controller.
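As an added illustration (not code from the original page), here is a Python model of the 16-state TAP controller described above: TMS steers it on every TCK edge, `tms_path` computes the TMS bit sequence a debugger must drive to reach a scan state, and `reset_from_anywhere` shows why five TMS=1 clocks reach Test-Logic-Reset from every state, which is why the TRST line is optional.

```python
"""Model of the IEEE 1149.1 TAP controller state machine (stepped by TMS on each TCK)."""
from collections import deque

# Per state: (next state when TMS=0, next state when TMS=1), as in IEEE 1149.1.
TAP_NEXT = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}


def clock_tms(state, tms_bits):
    """Apply one TCK edge per TMS bit and return the state after the last edge."""
    for bit in tms_bits:
        state = TAP_NEXT[state][bit]
    return state


def tms_path(src, dst):
    """Shortest TMS sequence from src to dst (breadth-first search over the 16 states)."""
    queue, seen = deque([(src, [])]), {src}
    while queue:
        state, path = queue.popleft()
        if state == dst:
            return path
        for bit in (0, 1):
            nxt = TAP_NEXT[state][bit]
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [bit]))
    return None  # not reached; every TAP state is reachable, so this does not happen


def reset_from_anywhere(n=5):
    """State reached from each start state after n clocks with TMS held high."""
    return {s: clock_tms(s, [1] * n) for s in TAP_NEXT}
```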
Image: JTAG Debugging the ESP32, by mcuoneclipse.com
Method described here: https://mcuoneclipse.com/2019/10/20/jtag-debugging-the-esp32-with-ft2232-and-openocd/
There can be multiple TAPs on a hardware system that are daisy-chained together. This is known as the “JTAG chain”. In effect this usually means the shift registers of the TAPs involved are connected in series, but other circuit topologies are also defined in the JTAG standard. The TAP controllers of the individual TAPs run in parallel.
Today, JTAG is also increasingly used to configure FPGAs and CPLDs and to program and debug microcontrollers. Parallel programmable memories, such as flash memory, that are directly connected to an IC with a JTAG port can therefore be reprogrammed in the installed state, because the IC can emulate a programming device for the memory chip. The Serial Vector Format (SVF) is often used to exchange such programming data.
Because of the direct hardware access via JTAG, the interface is suitable for circumventing security measures. The term JTAG is therefore often used, and not always with a uniform definition, in the context of the hacker scene. Gamers speak of a “jtagged” Xbox when modding techniques have been used to run content on a game console without a manufacturer’s signature. In the hardware context, JTAG is used interchangeably with debugging, which can be misleading in the software field.
In particular, JTAG can be used to explore the boot process of a device with the aim of interrupting it and gaining control of the device through code injection. To prevent this access, the JTAG ports are often not marked as such, or are actively obfuscated. Other security measures include subsequently masking the pins, a housing that covers the JTAG pins, or fuses in the JTAG lines that are blown once the tests are completed. Access to JTAG ports can therefore be difficult, but with appropriate effort it is possible in virtually every case.
Access to hardware via JTAG ports could only be prevented if the access itself were protected by encryption or authentication. Various drafts have been submitted, but there are no standards and only a few implementations.