JTAG 103: Hardware Debugging

Security Icon




Table of Contents

  1. Where We Left Off & What’s Ahead
  2. Meet the Target: Arduino Due
  3. Interfacing Devices for JTAG
  4. A Quick Look at the Shikra
  5. Connecting the Target Board to the Shikra
  6. OpenOCD
  7. Checking the Connection
  8. Starting OpenOCD
  9. Halting the Target Device
  10. Reading Register Values
  11. Final Thoughts

Where We Left Off & What’s Ahead

Previously, we covered the fundamentals of JTAG and how to spot its pins on a device. In this blog, we’re taking it a step further actually connecting to a target and interacting with it through its JTAG interface. Time to get practical.

Meet the Target: Arduino Due

For this hands-on demo, we’ll be using an Arduino Due as our target device. It’s a solid choice because it comes with a JTAG header already exposed on the board, making it beginner-friendly for learning how to interact with JTAG interfaces safely without risking expensive hardware. Plus, it’s based on the Atmel SAM3X8E ARM Cortex-M3 processor, which is well-supported by debugging tools.

JTAG diagram

Now that you’ve got your Arduino Due in front of you, it’s time to figure out where those JTAG pins are hiding. Remember what we covered in our earlier blogs — identifying JTAG headers is all about spotting those familiar labels: TCK, TMS, TDI, TDO, and GND.

On the Arduino Due, the JTAG header is conveniently marked on the board itself, usually near the processor or along the edge. Check the silkscreen labels and match the pin positions accordingly.

If you need a refresher on how to identify and map out JTAG pins, feel free to glance back at JTAG 101 and 102 we covered it there in detail.

Interfacing Devices for JTAG

To interact with those JTAG pins, you’ll need a hardware tool that can act as a bridge between your target device and your computer. There are a few popular options out there like the Shikra, Bus Pirate.These tools help you communicate with the target device’s debug interface and control it through your system.

For this blog, we’re going to stick with the Shikra. It’s reliable, simple to set up, and perfect for the kind of hands-on JTAG work we’re aiming to do.

A Quick Look at the Shikra

The Shikra is a compact, versatile tool made for hardware hacking. It acts as a bridge between your computer and the target’s debug interfaces like JTAG and UART. What makes it handy is that it supports a bunch of protocols out of the box and works well with tools like OpenOCD.

It connects via USB to your computer and exposes all the necessary pins to easily hook up with your target device.

JTAG diagram

Connecting the Target Board to the Shikra

Now that you’ve got your Arduino Due and your Shikra ready, it’s time to hook them up. Remember those JTAG pins you identified on the target board? That’s where the Shikra comes in.

Using jumper wires, you’ll connect the corresponding pins from your target device to the Shikra’s JTAG interface. Typically, the pins you need to match are:

  • TCK (Test Clock)
  • TMS (Test Mode Select)
  • TDI (Test Data In)
  • TDO (Test Data Out)
  • GND (Ground)
    •

Double-check your pinout diagram and make sure your connections are clean and secure. A loose wire can ruin your debugging session or make the interface unstable.

Once everything’s connected, plug the Shikra into your computer via USB. That’s your hardware setup done time to move to the software side.

OpenOCD

OpenOCD (Open On-Chip Debugger) is a powerful open-source software tool that provides debugging and programming capabilities for embedded systems. It allows you to interface with JTAG, SWD (Serial Wire Debug), and other hardware debugging protocols to communicate with microcontrollers and other embedded devices.

In the context of JTAG, OpenOCD acts as a bridge between the Shikra hardware debugger and your target device (the Arduino Due ). It provides the necessary control over the target device's memory, registers, and peripherals, allowing you to perform operations such as:

  • Reading and writing memory: You can directly access memory on the target device.
  • Stepping through code: It helps in setting breakpoints and stepping through the program, making it easier to debug.
  • Flashing firmware: You can upload and debug new firmware on your target device.

OpenOCD supports a variety of interface adapters (like Shikra) and works across different platforms, making it a go-to tool for hardware hackers, reverse engineers, and embedded systems developers.

Checking the Connection

With our Arduino Due wired up to the Shikra, and the Shikra plugged into your USB port, it’s time to make sure everything’s talking to each other.

Open up your terminal and run:

lsusb

This command lists all USB devices connected to your system.That’s your confirmation that the hardware connection is solid and you’re good to move forward.

JTAG diagram

Starting OpenOCD

With everything connected and confirmed, it’s time to launch OpenOCD and establish communication with our target device.

Use this command to start OpenOCD with the right config files for both the Shikra interface and the Arduino Due’s microcontroller (AT91SAM3X8E):


openocd -f
/usr/share/openocd/scripts/interface/shikra.cfg -f
/usr/share/openocd/scripts/target/at91sam3ax_8x.cfg

What this does:

This command tells OpenOCD which hardware interface (Shikra) and target device configuration (Arduino Due’s AT91SAM3X8E) to use for establishing a JTAG connection.

If everything’s good, you’ll see OpenOCD initialize and start probing the target confirming that your setup is working and the JTAG interface is live.

JTAG diagram

Once OpenOCD is up and running, it opens a telnet server by default on port 4444. You can connect to this session from another terminal window using:

JTAG diagram

This gives you direct access to the OpenOCD command line interface, where you can interact with your target device halting the CPU, reading memory, dumping flash, and more.

Halting the Target Device

Once you’re inside the telnet session, you can halt the target device’s CPU with a simple command:

halt

This stops the microcontroller right where it is, letting you inspect memory, registers, or upload your own firmware without the device running in the background. Super useful when you're about to dump memory or debug live.

JTAG diagram

Reading Register Values

With the target halted, you can peek into its register values using the reg command:

reg

This will list out the current state of all the CPU registers. It’s a great way to see what the device was doing at the moment you halted it, useful for debugging or reverse engineering what the firmware is up to .

JTAG diagram

Now that you’ve got control over the target via JTAG, there’s a lot more you can play around with. You can:

  • Dump memory regions
  • Write to specific memory addresses
  • Modify register values
  • Reset or step through the firmware execution

This is just scratching the surface of what’s possible. I’d highly recommend exploring OpenOCD’s command set and experimenting with different operations — see what you can uncover! The more you poke around, the more comfortable you’ll get navigating the hardware’s internals.

Final Thoughts

And there you have it a simple, hands-on walkthrough of setting up a JTAG connection using the Shikra, OpenOCD, and our Arduino Due as the target device. From identifying the JTAG pins to halting the CPU and reading register values, you’ve seen how hardware debugging takes shape in real-world scenarios.

But this is just the start. There’s a lot more you can do dumping memory, stepping through instructions, flashing firmware, and more. I’d highly recommend diving deeper, experimenting, and seeing what else you can pull off.

We’ll be covering more of that in the upcoming parts so stay tuned, keep hacking, and we’ll take this exploration even further together