Part 2: Use an Arduino and JTAGenum to Automatically Detect Pins
Author: Shafeeque Olassery Kunnikkal | Category: Arduino, IoT, JTAGenum, Penetration Testing, STM32F411 | Leave a Comment
Overview
Now it’s time to automate discovery. We’ll use a tool called JTAGenum, which runs on an Arduino and probes the target’s pins to discover JTAG lines.
In this step, you’ll set up an Arduino board with the JTAGenum firmware and wire it to the STM32. This allows you to scan multiple GPIO pins and automatically detect which ones are connected to JTAG signals like TCK, TMS, TDI, TDO, and nTRST. Before running running JTAGenum, put the Black Pill into DFU mode.
Choosing the Right Arduino Board
To run JTAGenum, you’ll need an Arduino board with:
- Enough digital GPIO pins (at least 6–10)
- Logic level matching STM32’s 3.3V (to avoid damaging pins)
- Stable USB-to-serial interface for live interaction
Comparison of Popular Arduino Boards:
| Board | Logic Level | Suitability for STM32 | Notes |
|---|---|---|---|
| Nano | 5V | ⚠️ Needs level shifter | Small, easy to set up, but risky directly |
| Uno | 5V | ⚠️ Needs level shifter | Easy to flash, but needs care |
| Due | 3.3V | Perfect match | Many pins, safe for STM32 |
Recommendation:
Use an Arduino Due. It runs at 3.3V logic, which is electrically safe for direct connection to STM32F4 GPIOs, and has plenty of pins for full JTAG probing.
Connecting the Black Pill to Arduino (Any Order)
Candidate Pins on STM32 (Black Pill)
You likely do not have access to PA13 or PA14, the standard TMS/TCK lines — but you can still discover alternate JTAG mappings using brute-force scanning.
Use any 7 to 10 of these available pins on the Black Pill:
- PA15
- PB15
- PB14
- PB13
- PB12
- PB10
- PA12
- PA11
- PA10
- PA9
Example Wiring: STM32 ↔ Arduino Due
You can connect any STM32 pins to any Arduino pins D2–D11, in no particular order — JTAGenum will test all combinations.
| STM32 Pin | Arduino Due Pin |
|---|---|
| PA15 | D2 |
| PB15 | D3 |
| PB14 | D4 |
| PB13 | D5 |
| PB12 | D6 |
| PB10 | D7 |
| PA12 | D8 |
| PA11 | D9 |
| PA10 | D10 |
| PA9 | D11 |
| GND | GND |
Note: Only connect GND↔GND and signal pins, avoid VCC/3.3V unless you’re powering the STM32 from Arduino.
Flashing JTAGenum on Arduino Due
If you’re using an Arduino Due:
- Open the Arduino IDE.
- Load the
JTAGenum.inosketch. - Scroll to the section:
#elif defined(__SAM3X8E__) // Arduino Due byte pins[] = { 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 }; String pinnames[] = {"DIG_2", "DIG_3", "DIG_4", "DIG_5", "DIG_6", "DIG_7","DIG_8", "DIG_9", "DIG_107", "DIG_11"};
This ensures the code uses the right GPIOs for scanning.
- Connect the programming USB port (labeled “Programming”) on the Due.
- Select Arduino Due (Programming Port) in the Tools menu.
- Upload the sketch.
Logging Serial Output with PuTTY (Windows)
You’ll need to interact with JTAGenum via serial terminal. Here’s how to set up PuTTY for this:
Step-by-Step: Serial Logging in PuTTY
- Launch PuTTY
- Under Session:
- Set Connection type: Serial
- Serial line: COMx (replace with your Arduino COM port)
- Speed: 115200
- On the left, go to Logging:
- Session logging: All session output
- Log file name: e.g.,
C:\Users\YourName\Documents\jtagenum_log.txt - (Optional) Enable Always overwrite it to avoid appending old logs
- Return to Session and click Open
Starting the Scan
The PuTTY terminal should open.
Press s (lowercase) to start scanning.
You’ll see output like:
FOUND! ntrst:DIG_4 tck:DIG_6 tms:DIG_7 tdo:DIG_3 tdi:DIG_2 IR length: 34This means:
TDI= D2 = PA15TDO= D3 = PB3TCK= D6 = PB14TMS= D7 = PB15nTRST= D4 = PB4 (optional)
IR length: 34 is expected for STM32F4 devices — this confirms that the JTAG chain was successfully detected!
Tip: JTAGenum brute-forces all combinations — so don’t worry about wiring order. It figures it out.
Tip for Analysis:
Watch for lines with FOUND! and IR length > 0 — that’s a confirmed JTAG match.
Safety Precautions
When working with electronics, especially when connecting different devices, safety is paramount to prevent damage to your hardware. Here are a couple of crucial precautions to keep in mind:
Establish a Common Ground
It’s critically important to ensure a common ground connection between your Arduino Due and the target STM32 device. Think of ground as the zero-voltage reference point in your circuit. If the two devices don’t share the same ground, they won’t have a consistent reference for their voltage signals. This can lead to erratic behavior, incorrect readings, or even permanent damage to one or both devices as current tries to find an alternate, potentially damaging, path. Always connect the GND pin of your Arduino to a GND pin on your STM32 before making any other connections.
Consider Current-Limiting Resistors
While the Arduino Due’s 3.3V logic is generally safe for STM32 GPIOs, it’s a good practice to briefly consider the benefits of using current-limiting resistors on your probing lines, particularly when working with unknown or potentially sensitive pins. A small resistor (e.g., 100-470 ohms) in series with your data lines can act as a fuse, limiting the current if an accidental short circuit or a voltage mismatch occurs. This extra layer of protection can significantly reduce the risk of damage to your microcontroller’s delicate input/output pins, especially during initial exploration or troubleshooting.
Troubleshooting Tips
Even with careful setup, you might encounter issues when trying to automatically detect JTAG pins. This section covers some common problems and provides guidance on how to troubleshoot them.
1. Incorrect Wiring
- Symptom: No detection, inconsistent results, or unexpected behavior.
- Solution: The most frequent cause of problems is incorrect wiring.
- Double-check every connection: Carefully review your wiring diagram and compare it against your physical setup. Ensure that each pin from the Arduino Due is connected to the correct corresponding pin on the STM32 (e.g., TCK to TCK, TMS to TMS, etc.).
- Verify common ground: Confirm that the ground (GND) of your Arduino Due is securely connected to a ground pin on your STM32. A missing or poor ground connection is a common culprit for communication failures.
- Check for loose connections: Ensure all wires are firmly seated in their respective headers or breadboard points.
2. Serial Communication Problems
- Symptom: No output in the serial terminal (PuTTY), garbled text, or connection errors.
- Solution: Issues with the serial connection between your computer and the Arduino Due can prevent you from interacting with JTAGenum or seeing its output.
- Verify COM Port: Make sure you have selected the correct COM port for your Arduino Due in PuTTY (or your chosen serial terminal). You can usually find this in your computer’s Device Manager.
- Check Baud Rate: Ensure that the baud rate in your serial terminal matches the baud rate configured in the JTAGenum firmware (commonly 115200).
- Install Drivers: Confirm that the necessary USB serial drivers for your Arduino Due are correctly installed on your computer.
- Close other serial monitors: Ensure no other applications (like the Arduino IDE’s Serial Monitor) are currently using the same COM port.
3. False Positives or Inconclusive Results
- Symptom: JTAGenum reports pins that don’t seem to be JTAG, or the scan doesn’t identify all expected pins.
- Solution: This can sometimes happen due to electrical noise or unexpected pin states.
- Re-run the scan: Sometimes, simply re-running the JTAGenum scan multiple times can help confirm results or reveal inconsistencies.
- Minimize environmental noise: Try to reduce electrical noise in your workspace. This might involve moving away from power supplies, motors, or other noisy electronics.
- Isolate the target: If possible, disconnect other peripherals from the STM32 during the scan to ensure only the JTAGenum is influencing the pins.
4. Cross-Talk
- Symptom: Intermittent errors, unexpected data on seemingly unrelated pins, or difficulty in getting stable results.
- Solution: Cross-talk occurs when signals on one wire induce unwanted signals on adjacent wires. This is more common with long, unshielded wires or when many wires are bundled closely together.
- Shorten wires: Use the shortest possible wires for your connections.
- Separate sensitive lines: Try to keep the JTAG data lines (TDI, TDO, TMS, TCK) physically separated from each other and from other noisy signals as much as possible.
- Twisted pairs: For very sensitive applications, using twisted pair wires (though less common for simple JTAG probing) can help reduce cross-talk.
End of Part 2
Coming up in Part 3:
- How to interpret JTAGenum logs
- How to confirm real JTAG mappings
- Final working pin configurations for the Black Pill
