Efficient Black-box JTAG Discovery
Francescato, Riccardo
2018/2019
Abstract
Embedded devices represent the most widespread form of computing device in the world. Almost every consumer product manufactured in the last decades contains an embedded system, e.g., refrigerators, smart bulbs, activity trackers, smart watches and washing machines. These computing devices are also used in safety- and security-critical systems, e.g., autonomous cars, cryptographic tokens, avionics and alarm systems. Manufacturers often give little consideration to the attack surface offered by low-level interfaces such as JTAG. In the last decade, the JTAG port has been used by the research community to demonstrate a number of attacks and reverse engineering techniques. Therefore, finding and identifying the JTAG port of a device or of a de-soldered integrated circuit (IC) can be the first step required for a successful attack. In this work we analyse the design of the JTAG port and develop methods and algorithms for locating it. Specifically, we cover the following topics: i) an introduction to the problem and related attacks; ii) a general description of the JTAG port and its functions; iii) an analysis of the problem and the naive solution; iv) an efficient algorithm based on 4-state GPIO; v) a randomized algorithm using 4-state GPIO; vi) an overview of the problem and of the search methods used on PCBs; vii) conclusions and suggestions for proficient use.

File | Size | Format | |
---|---|---|---|
857609-1209326.pdf (open access; type: other attached material) | 5.02 MB | Adobe PDF | View/Open |
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14247/2785