GUIDE TO UNDERSTANDING JTAG FUSES AND SECURITY

A N I N T E R M E D I A T E L O O K A T T H E AV R J TA G I N T E R FA C E
AVRFREAKS.NET
SEP 2002

TABLE OF CONTENTS
Understanding JTAG fuses and Security .............................................................................................2 JTAG Nomenclature...............................................................................................................................2 JTAG Fuses and Security......................................................................................................................2 On-Chip Debugging ...............................................................................................................................3 Boundary-Scan.......................................................................................................................................4 JTAG Programming ...............................................................................................................................5 JTAG Security Roundup ........................................................................................................................5 JTAG Programming ...............................................................................................................................6

AN INTERMEDIATE LOOK AT THE AVR JTAG INTERFACE, AVRFREAKS.NET 1

Understanding JTAG fuses and Security

We will in this article take a closer look at the JTAG interface and how Fuses and Lockbits affect operation. If you are using, or planning to use the JTAG interface, you should definitely spend a couple of minutes reading this article! Note: This article is not intended for newbies. Readers should read and get an understanding of the JTAG section in the datasheet before reading this document.

Introduction
New megaAVR devices with more than 8KB of Flash, include a JTAG interface for Programming, Boundary Scan and On-chip Debugging. This article will take a peek at some of the features that are somewhat hidden, or difficult to find, in the datasheets.

JTAG Nomenclature
JTAG Programming, OCD, IEEE 1149.1 compliant, Boundary-Scan. It is easy to get confused and start mixing the terminology. To summarize the AVR JTAG interface is compliant with the IEEE 1149.1 Standard. Through this interface you have access to the following "services": Memory Programming Boundary Scan On-Chip Debug

When using the term "JTAG" we refer to the interface as such. When talking about a specific "service" we usually use the "service name". (e.g. JTAG Programming)

JTAG Fuses and Security

JTAG
Fuses The first source of confusion when looking at the JTAG interface is understanding the fuses, and how they affect the behavior of the device and/or JTAG interface. In addition; An IO control bit "JTD" is a available. Unlike the fuses this bit can be set at run-time allowing you to disable the JTAG / OCD functionality in software during program execution. So what is the difference between the JTAGEN and OCDEN fuse? What do they do, and what is the consequence of only programming one of them? To save you some time fine-reading the Datasheet, we here at AVRfreaks have compiled the following table and functional block diagram that should explain the relationship between these fuses and functionality. The block diagram below the table shows the relationship between the Fuses and JTD control bit. Note that setting either of the Lock bits LB1or LB2 will disable OCD. NOTE: In the following table we use "P" for programmed, and "U" for unprogrammed fuse.

AN INTERMEDIATE LOOK AT THE AVR JTAG INTERFACE, AVRFREAKS.NET 2

JTD U

JTAGEN OCDEN DESCRIPTION U U No JTAG programming, OCD or Boundary-Scan is possible No JTAG programming, OCD or Boundary-Scan is possible JTAG Programming and Boundary Scan is possible, OCD disabled OCD, JTAG Programming Enabled (Note 1) and Boundary-Scan is

No JTAG programming, OCD or Boundary-Scan is possible No JTAG programming, OCD or Boundary-Scan is possible No JTAG programming, OCD or Boundary-Scan is possible No JTAG programming, OCD or Boundary-Scan is possible

Note 1: Do not ship the device in this state, as it will consume more power, and is open for hacking :-)

JTAG

Security As shown in the figure and table, setting the correct fuses and keeping the device unlocked is essential to be able to access the on-chip OCD system. As shown, setting lock bits will disable the OCD system completely, while the JTAG Programming interface will continue to work the same way as the two other programming interfaces (HVPP and ISP). To disable JTAG Programming, either set appropriate Lock bits, or use the JTD bit or the JTAGEN fuse.

On-Chip Debugging
The OCD is a feature for in-system debugging. Although this "emulation" interface lack some of the functionality offered by high end emulators (features like trace/triggers unlimited breakpoints, cycle counters...) it actually has some
AN INTERMEDIATE LOOK AT THE AVR JTAG INTERFACE, AVRFREAKS.NET 3

unique features not found in any other emulator: The most obvious advantage is that you actually are running the code on the device itself, so all electrical and timing characteristics are FOR REAL. No emulated behavior!

The main thing to remember is that the JTAG OCD is not an EMULATOR, it is the real thing. Which leads us to the JTAG ICE which actually is no ICE at all. It is a protocol converter/interface allowing AVR Studio to talk to the OCD interface inside the AVR. :-) One thing that you should be aware of is that when the AVR OCDEN fuse is programmed (OCD Enabled) some of the clock system is left running even though you put the AVR in sleep mode. So, if you experience high power consumption during SLEEP mode, make sure you are not running the device with the OCDEN programmed!

Boundary-Scan
Boundary-Scan is very efficient way of verifying that your device is soldered in correctly, and that inter connectivity to other devices is correct. There are a number of tools available today that will read your layout files and generate a complete test vector set to verify your design.

When JTAGEN fuse is programmed and JTD is not set, the Boundary Scan Chain is available. This chain include all (almost) physical pins on the device. This chain do not include the internal scan chain. The internal Scan Chain is part of the OCD system, and is not accessible unless OCD is enabled, and LB1 and LB2 is unprogrammed.

AN INTERMEDIATE LOOK AT THE AVR JTAG INTERFACE, AVRFREAKS.NET 4

JTAG Programming
The JTAG programming interface works much the same way as the two other programming interfaces. The same functionality and restrictions apply. The main thing to remember if you want to use the JTAG for programming is to set the Lock bits correctly. Setting the JTAGEN will not do you any good if you have disabled Further write or Read/write by programming the Lock Bits!

This table explains the relationship between JTAG Programming interface and the Lock Bits: NOTE: In the following table we use "P" for programmed, and "U" for unprogrammed fuse. LB LB2 LB1 DESCRIPTION mode 1 U U No memory lock features enabled. Further programming of the Flash and EEPROM is disabled in Parallel and SPI/JTAG Serial Programming mode. The Fuse bits are locked in both Serial and Parallel Programming mode. Readback is possible. Invalid Mode Further programming and verification of the Flash and EEPROM is disabled in Parallel and SPI/JTAG Serial Programming mode. The Fuse bits are locked in both Serial and Parallel Programming mode.

JTAG Security Roundup

We have now looked at the different services offered by the JTAG interface, and the final task is to take an analysis of the security of the JTAG implementation.

AN INTERMEDIATE LOOK AT THE AVR JTAG INTERFACE, AVRFREAKS.NET 5

Let's take a feature by feature approach.

JTAG Programming
The JTAG Programming interface is controlled by the same lock bits controlling all other programming interfaces. So it will be as secure as any of them.

On-Chip Debug

As Shown in the block diagram the only way to enabled OCD is to leave the lock bits off and then enabling both JTAGEN and OCDEN. In this state, the device is totally open anyway so the easiest way to steal code from it is to use any ISP programmer and dump out the code directly. With lock bits programmed, the OCD is disables ( regardless of LB mode ). So here the OCD is even more secure than the standard ISP interface where you can read out the memory contents in both LB mode 1 and 2.

Boundary Scan
This one is interesting, what if we could use the boundary scan chain to grab out info that we are not supposed to get hold of?! Luckily (unfortunately; depending who you are..), this is not possible. The Boundary Scan chain do not include any internal signal, only physical package pins. If the internal scan chain was accessible from the Boundary Scan interface, it would be possible to grab out the program counter and instruction word, thus stealing the contents of the flash array bypassing the lock bits! Luckily (for most..) this is not possible. The internal scan chain is part of the OCD interface, and thus only accessible when no memory lock bits are programmed.

Conclusion

Our conclusion is that the JTAG interface is safe. But as with all security features they require that they are activated to have any effect :-)

AN INTERMEDIATE LOOK AT THE AVR JTAG INTERFACE, AVRFREAKS.NET 6