
JTAG, or Joint Test Action Group, is a standard for debugging. Many modern motherboards, both on mobile devices and on desktops and workstations, have JTAG ports. They allow a CPU to be controlled like a puppet, primarily for debugging. I have heard conflicting information about the use of JTAG. On the one hand, I've heard that the JTAG port has to be connected, then the CPU reset, for it to work. Is this true, or can JTAG be used while the system is powered on and running? If it can be used while the system is running, what mitigations are there to prevent it from being used as an attack vector to hijack a running system? I am specifically curious about the use of JTAG on modern server motherboards sporting Intel CPUs, not so much on mobile phones. I do know that you have to sign an NDA to get access to the tools required to use their JTAG port, but hopefully this question is not covered by such restrictions.

In other words, does JTAG support hotplugging to control a CPU like PCIe, or is it more like PCI where you have to plug it in and reboot the system with it inserted for debugging (and attacks) to work?

Rory Alsop
forest
  • Which CPU line are you talking about exactly? There are some vulns in IoT Intel chips https://github.com/syncsrc/jtagsploitation but if I knew the specific CPU line that would help me write a more specific answer. – Daisetsu Apr 24 '16 at 03:52
  • Reading through https://github.com/syncsrc/jtagsploitation/blob/master/Hands-onJTAGforfunandrootshells.pdf at least makes it look like there's no specific vulnerability. It looks like they are using JTAG with the Raspi's full cooperation, and using it to escalate privileges. They call it an "exploit" but they're just permitting access to /etc/shadow with JTAG. That's not what I'm asking about at all, and certainly doesn't look like a vulnerability. That's expected behavior. I'm curious if there's a way to do that without rebooting the system (i.e. without its cooperation). – forest Apr 24 '16 at 04:24
  • Well, this is a bit more complicated than I was expecting. There's not a lot of info out there on this. It's more complicated than the normal jtag for SoC IoT stuff I've been playing with lately. – Daisetsu Apr 24 '16 at 04:31
  • Then do you at least know if JTAG can be hotplugged into a running SoC? – forest Apr 24 '16 at 04:34
  • Yes, I haven't had to restart a device to add a JTAG connection. – Daisetsu Apr 24 '16 at 04:43

1 Answer

Actually, on modern processors JTAG access and the level of service that can be reached with JTAG is controlled by OTP fuses inside the SoC, or in the case of Intel processors with patches to the CPU RTL. So on development systems, not fused, it is fully possible to attach to a running system with a JTAG system like T32. But in production systems I do not see a security issue.

  • I'm curious to see some references for this, like documentation that provides more detail and might explain how to check the state of the OTP fuses. – forest Nov 27 '17 at 08:46
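The two points argued in this thread, that a probe can attach to a TAP without resetting the CPU and that a fused-off part refuses debug-level access, can be shown with a small simulation. The following Python model is an added example, not code from the question, the answer, or any vendor tool: it implements the IEEE 1149.1 TAP state machine and a host that attaches to an already-running target, resets only the test logic (TMS held high for five TCK cycles), reads IDCODE, and then asks for a core halt. The instruction encodings, the IDCODE value and the "debug fuse" that degrades the DEBUG instruction to BYPASS are constructed for the example and do not describe Intel's or T32's implementation.

```python
# Added example (not from the question or the answer): a simplified IEEE 1149.1
# TAP model. Instruction codes, the IDCODE value and the fuse gating are constructed.

# The 16 TAP controller states; NEXT[state] = (next if TMS=0, next if TMS=1).
(TLR, RTI, SEL_DR, CAP_DR, SH_DR, EX1_DR, PAU_DR, EX2_DR, UP_DR,
 SEL_IR, CAP_IR, SH_IR, EX1_IR, PAU_IR, EX2_IR, UP_IR) = range(16)
NEXT = {
    TLR: (RTI, TLR), RTI: (RTI, SEL_DR),
    SEL_DR: (CAP_DR, SEL_IR), CAP_DR: (SH_DR, EX1_DR), SH_DR: (SH_DR, EX1_DR),
    EX1_DR: (PAU_DR, UP_DR), PAU_DR: (PAU_DR, EX2_DR), EX2_DR: (SH_DR, UP_DR),
    UP_DR: (RTI, SEL_DR),
    SEL_IR: (CAP_IR, TLR), CAP_IR: (SH_IR, EX1_IR), SH_IR: (SH_IR, EX1_IR),
    EX1_IR: (PAU_IR, UP_IR), PAU_IR: (PAU_IR, EX2_IR), EX2_IR: (SH_IR, UP_IR),
    UP_IR: (RTI, SEL_DR),
}

IR_LEN = 4
IDCODE, BYPASS, DEBUG = 0b0010, 0b1111, 0b1000   # constructed instruction codes
CONSTRUCTED_IDCODE = 0x0BADC0DD                  # 1149.1 requires IDCODE bit 0 == 1


class TapDevice:
    """Target-side TAP. The CPU is already running when the host attaches."""

    def __init__(self, debug_fused_off):
        self.debug_fused_off = debug_fused_off  # models an OTP fuse that disables debug
        self.state, self.ir = RTI, IDCODE
        self.ir_shift = self.dr_shift = 0
        self.dr_len = 1
        self.cpu_halted = False   # becomes True only if a DEBUG halt request takes effect
        self.cpu_resets = 0       # nothing in this model ever resets the CPU

    def clock(self, tms, tdi):
        """One TCK cycle: do the current state's action, return TDO, advance the state."""
        tdo, s = 0, self.state
        if s == TLR:
            self.ir = IDCODE                      # Test-Logic-Reset preloads IDCODE
        elif s == CAP_IR:
            self.ir_shift = 0b0001                # 1149.1 mandates LSBs "01" on capture
        elif s == SH_IR:
            tdo = self.ir_shift & 1
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (IR_LEN - 1))
        elif s == UP_IR:
            wanted = self.ir_shift                # fuse gating: DEBUG degrades to BYPASS
            self.ir = BYPASS if (wanted == DEBUG and self.debug_fused_off) else wanted
        elif s == CAP_DR:
            if self.ir == IDCODE:
                self.dr_shift, self.dr_len = CONSTRUCTED_IDCODE, 32
            elif self.ir == DEBUG:
                self.dr_shift, self.dr_len = 0, 8   # 8-bit debug control register
            else:
                self.dr_shift, self.dr_len = 0, 1   # BYPASS: single-bit register
        elif s == SH_DR:
            tdo = self.dr_shift & 1
            self.dr_shift = (self.dr_shift >> 1) | (tdi << (self.dr_len - 1))
        elif s == UP_DR and self.ir == DEBUG:
            self.cpu_halted = bool(self.dr_shift & 1)   # bit 0 = halt request
        self.state = NEXT[s][tms]
        return tdo


def tap_reset(dev):
    """TMS high for five TCK cycles reaches Test-Logic-Reset from any state; only the
    test logic is reset, the CPU keeps running. One more cycle enters Run-Test/Idle."""
    for _ in range(5):
        dev.clock(1, 0)
    dev.clock(0, 0)


def scan(dev, register, nbits, value=0):
    """From Run-Test/Idle, shift `nbits` through the IR or the selected DR; returns bits read."""
    path = (1, 1, 0, 0) if register == "IR" else (1, 0, 0)   # ... -> Capture -> Shift
    for tms in path:
        dev.clock(tms, 0)
    out = 0
    for i in range(nbits):                       # last bit is shifted with TMS=1 -> Exit1
        out |= dev.clock(int(i == nbits - 1), (value >> i) & 1) << i
    dev.clock(1, 0)                              # Exit1 -> Update
    dev.clock(0, 0)                              # Update -> Run-Test/Idle
    return out


def attach_to_running_target(debug_fused_off):
    """Host attaches to a live target, reads IDCODE, then requests a core halt.
    Returns (idcode, effective IR, cpu_halted, cpu_resets)."""
    dev = TapDevice(debug_fused_off)
    tap_reset(dev)
    idcode = scan(dev, "DR", 32)        # IR holds IDCODE after TLR, so a DR scan reads it
    ir_capture = scan(dev, "IR", IR_LEN, DEBUG)
    assert ir_capture & 0b11 == 0b01    # the mandated IR capture pattern came back
    scan(dev, "DR", 8, 0x01)            # halt request; shifts through BYPASS harmlessly if gated
    return idcode, dev.ir, dev.cpu_halted, dev.cpu_resets


if __name__ == "__main__":
    print("unfused (development):", attach_to_running_target(False))
    print("fused (production):   ", attach_to_running_target(True))
```

Running it prints both cases: `cpu_resets` stays 0 in both runs, which is the hotplug point (the TAP has its own reset, reached through TMS alone), while `cpu_halted` flips only on the unfused part. In real silicon the gating is not inspectable from software in this way, which is why the follow-up comment asks for vendor documentation on reading the fuse state.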