JTAG 102: JTAG Pin Identification
Introduction to JTAG and Its Pinout
In the previous blog, we explored what JTAG is and how it enables low-level access for testing, debugging, and programming chips. Now that we understand how JTAG works conceptually—with its boundary scan logic and daisy-chained devices—it's time to get hands-on.
JTAG operates through a set of dedicated pins that form the interface between your debugging tool and the target device. These standard pins are:
- TDI (Test Data In): Used to input data into the device.
- TDO (Test Data Out): Outputs data from the device.
- TCK (Test Clock): Synchronizes the data transfer.
- TMS (Test Mode Select): Controls the state machine for test operations.
- TRST (Test Reset): An optional pin to reset the test logic.
In this blog, we’ll focus on how to locate these pins on a device, which is often the trickiest part of using JTAG in practice—especially when they’re not labeled or documented.
Spotting JTAG Pins on a PCB
JTAG headers come in various forms 5, 6, 10, 12, 14, or even 20 pins depending on the manufacturer and device. The most common are 10-pin (2x5) and 20-pin (2x10) configurations, often located near the main processor or memory. These carry standard signals like TDI, TDO, TCK, TMS, and GND.
While some PCBs have silkscreen labels, many leave the headers unmarked, appearing as uniform rows of test points. Once you know what to look for, identifying potential JTAG interfaces becomes much easier even at a glance.
Check Docs, Teardowns & Datasheets
Before poking around the board, do a quick online search. Teardowns, schematics, or hacker forums might already have the JTAG pinout mapped. FCC filings for popular devices can also provide helpful PCB images.
Identify the main chip and grab its datasheet it usually lists supported debug interfaces and pin configurations. Knowing what the chip uses (like JTAG or SWD) gives you a clearer idea of what to look for on the board. A bit of research can save a lot of guesswork.
Identifying JTAG Pinouts with JTAGulator
When dealing with unknown or undocumented hardware, identifying JTAG or UART pins manually can be time-consuming and frustrating. This is where the JTAGulator comes in a powerful tool designed specifically to automate the process of locating debug interfaces like UART and JTAG on embedded systems.
What is JTAGulator?
JTAGulator is a hardware tool created by Joe Grand (aka @GrandIdeaStudio) that helps you identify the pinout of JTAG and UART interfaces by scanning combinations of test points or header pins. It comes equipped with 24 general-purpose I/O channels, which can be connected to different pins on the target device.
This tool is particularly useful when:
- You don't have access to the device’s datasheet or schematic.
- The device uses proprietary or undocumented debug ports.
- Silkscreen labels are missing or intentionally obfuscated.
Once connected properly, the JTAGulator uses logical patterns to analyze pin behavior and identify valid UART or JTAG interfaces.
Connecting a Target System to the JTAGulator
Before diving in, make sure you have a target device with accessible JTAG pins—this could be a development board, a router, or any embedded device you’re comfortable experimenting with. So you’ve got your JTAGulator and a target device ready. Now it’s time to connect them together properly. The process is simple
- Set your multimeter to continuity mode (diode symbol with sound).
- Touch the black probe to a known ground point, like the metal casing of a USB port or a large ground pad.
- Use the red probe to test all pins in the suspected header.
- Any pin that beeps or reads near 0 ohms is likely GND.
- Use jumper wires to connect some of these IO pins to the suspected JTAG pins on your target.
- You don’t need to use all 24—usually, 4 to 6 connections is enough for JTAG.
1.Power the Target Separately
The JTAGulator doesn’t provide power to the device you're trying to test. So make sure your target board is already powered through USB, battery, or its regular power adapter.
Don’t try powering the board from the JTAGulator—it’s not meant for that.
Before making any connections, make sure your target system is powered off. This helps avoid any accidental shorts or damage.
2. Connect GND First
Connect one of the GND pins from the JTAGulator to the ground pin on your target board. A common ground is necessary for stable communication.
Identify GND Pins (Continuity Mode)
3. Attach JTAGulator I/O Pins
JTAGulator has 24 labeled I/O pins (IO0 to IO23). These are the pins you’ll use to connect to the unknown header or test points on your target.
It’s okay if you don’t know which target pin is TCK, TDI, etc. That’s the whole point—the JTAGulator will figure it out for you.
4. Avoid Connecting GND to I/O Pins
When selecting channels during a scan, make sure none of the JTAGulator’s I/O pins are connected to a ground pin on the target device. Doing so can interfere with the scanning process or lead to inaccurate results.
5. Power On the Target Device
Once everything is connected, you can power on your target device. Now the JTAGulator is ready to scan and detect any valid JTAG connections.
6. Connect JTAGulator to Your Computer
Plug the JTAGulator into your computer using a USB cable. It should show up as a serial device (e.g., /dev/ttyUSB0 on Linux ).
Use Picocom or PuTTY for Serial Communication
To interact with the JTAGulator once it’s connected, you can use serial communication tools like Picocom (Linux/macOS) or PuTTY.
Since we’re using Picocom here, open a terminal and run the following command to start the session:
sudo picocom -b 115200 /dev/ttyUSB0
This sets the baud rate to 115200 and opens the USB device port. Once connected, you’ll be able to send commands to the JTAGulator and see the output in real time.
Once you're connected to the JTAGulator using a serial console tool like Picocom , you'll see a simple terminal window waiting for your input. The first thing you'll want to do is type h this displays a help menu listing all the available commands you can run.
Common JTAGulator Commands
| Command | Function |
|---|---|
| H | Displays help menu |
| J | Starts a JTAG scan |
| U | Starts a UART scan |
| G | Manual GPIO control |
| S | SWD scan (for ARM targets) |
| V | Set I/O voltage |
| I | Displays version info |
Once you hit J on your JTAGulator, you’re entering the JTAG scan mode. The tool will now try to figure out which pins on your target device are used for JTAG communication. You’ll be prompted to select which channels (IO pins) to testjust make sure none of those are connected to ground.
IDCODE vs BYPASS Scan
- IDCODE Scan: Sends a command to check if the connected pins return valid chip ID(s).
Helps confirm a working JTAG connection.
Does not identify TDI pin.
- BYPASS Scan: Shifts bits through the chip’s bypass register.
Identifies all required JTAG pins (TDI, TDO, TCK, TMS).
Useful when multiple chips are daisy-chained.
Together, these scans help you validate your JTAG pinout before jumping into debugging or programming.
Pinning It All Together
Figuring out JTAG pinouts might feel a bit like solving a puzzle, but tools like the JTAGulator make that process a whole lot smoother. Whether you're working with a 10-pin, 20-pin, or even an unlabeled header, the combination of scanning methods IDCODE and BYPASS gives you a reliable way to validate your connections before diving deeper.
Now that you know how to spot and test these pins, you're one step closer to unlocking the internals of your target device. In the next blog, we’ll explore how to actually connect and communicate through JTAG once the pinout is known. Time to get ready for some hands-on debugging and firmware interaction!