Part 3: Interpreting Results from JTAGenum and Confirming JTAG Pins
Author: Shafeeque Olassery Kunnikkal | Category: Arduino, IoT, JTAGenum, Penetration Testing, STM32F411 | Leave a Comment
Overview
Now that you’ve wired your STM32 Black Pill to an Arduino running JTAGenum and captured output via PuTTY, it’s time to make sense of the data. This part walks you through interpreting FOUND! lines, verifying the detected pins, and locking down a reliable JTAG configuration for future debugging.
Step 9: Understanding the Output Format
JTAGenum tries every possible combination of pins assigned to common JTAG roles: TDI, TDO, TMS, TCK, and nTRST. When a valid combination is found, it prints a line like:
FOUND! ntrst:DIG_4 tck:DIG_6 tms:DIG_7 tdo:DIG_3 tdi:DIG_2 IR length: 34
Here’s what it means:
- DIG_x refers to the Arduino digital pin number.
IR length: 34indicates the Instruction Register (IR) length detected on the JTAG scan chain — and confirms that a valid TAP controller responded.
IR lengths like 4, 5, or 34 are common on STM32 microcontrollers.
Reviewing Real Examples from Your Scan
Let’s break down some actual outputs observed from the Black Pill while in DFU mode:
Detected JTAG Configurations:
Example A:
FOUND! ntrst:DIG_4 tck:DIG_6 tms:DIG_7 tdo:DIG_3 tdi:DIG_2 IR length: 34
Example B:
FOUND! ntrst:DIG_5 tck:DIG_6 tms:DIG_7 tdo:DIG_3 tdi:DIG_2 IR length: 34
Example C:
FOUND! ntrst:DIG_8 tck:DIG_6 tms:DIG_7 tdo:DIG_3 tdi:DIG_2 IR length: 34
All three are valid. The only difference is the nTRST pin. This tells you:
TDI = D2TDO = D3TMS = D7TCK = D6nTRST = D4 or D5 or D8— possibly optional or floating
Tip: If you’re only using 4-wire JTAG (TCK, TMS, TDI, TDO), you can ignore nTRST. But including it can improve scan reliability.
Mapping Detected Pins Back to STM32
Let’s assume your earlier connections from Arduino to STM32 were:
| Arduino Pin | STM32 Pin |
|---|---|
| D2 | PA15 |
| D3 | PB3 |
| D4 | PB4 |
| D5 | PB13 |
| D6 | PB14 |
| D7 | PB15 |
| D8 | PA12 |
Then, based on the confirmed working detection:
- TDI = PA15
- TDO = PB3
- TMS = PB15
- TCK = PB14
- nTRST = PB4 or PB13 or PA12 (D4, D5, or D8)
Result: You’ve successfully mapped the JTAG pins without knowing them in advance — using only multimeter tests, brute-force probing, and observation.
Verifying JTAG Pins with Other Tools (Optional)
To confirm these pin assignments beyond JTAGenum:
- Use a debugger like Tigard, J-Link, or ST-Link wired to those pins.
- Use OpenOCD with a custom interface config using those exact pins.
- Perform a memory read or chip ID query to confirm real access.
Summary: Final Working JTAG Pin Mapping
| JTAG Signal | Arduino Pin | STM32 Pin |
|---|---|---|
| TDI | D2 | PA15 |
| TDO | D3 | PB3 |
| nTRST | D4/D5/D8 | PB4/PB13/PA12 |
| TCK | D6 | PB14 |
| TMS | D7 | PB15 |
This is a stable configuration to use with any JTAG tool or debugger for STM32F411CE.
Final Thoughts
- Even if the factory firmware disables JTAG, DFU mode preserves debug pin functionality.
- JTAGenum is a powerful tool that lets you discover pinouts with no documentation.
