
242 points denysvitali | 2 comments
mmastrac No.44426797
This is a much better experience than the previous Qualcomm debug experience, which was a hand-rolled set of read/write/execute primitives exposed over USB. It was hilariously undersecured, allowing a few of us to continually get root on various Qualcomm models.

In seriousness, these debug ports are seriously lacking in most mobile chipsets. MediaTek still has the old-style approach in many of their devices, requiring some incantations which expose serial over USB, but not in the way you think -- it's serial over USB pins!

I've done tonnes of work with mobile chipsets and security and this seems like they've finally started down the road to making this functionality accessible. Don't be surprised if you don't see this supported out of the box in most places, though. Most OEMs will certainly disable this once they've adapted their bootloaders to it. The big G doesn't like debuggability in end user devices.

IAmLiterallyAB No.44427019
Google exposes serial over the SBU pins on all the Pixel devices
twojacobtwo No.44427685
What are the effective implications of this?
bri3d No.44427978
It's just a UART; you can use the UART to debug the device in various ways.

On Pixel devices, the UART is not configured or brought up by default in locked production mode (as things should be), but by unlocking the device and then using `fastboot oem uart enable` you can flip the bits to turn it on. On early Pixel devices it was on the headphone jack and on newer ones it's on the SBU pins.

By default I think it's still configured as the kernel console in the kernel command line, so once it's enabled it will show the kernel debug output and present a TTY. But of course you can subsequently configure it to do whatever you'd want a UART for: kgdb for kernel-debugging, earlier stuff in the bootloader, and so on.

So, the implications are just: there's a convenient debugging interface available to you that turns on if you unlock the device and ask for it.

On Chromebook devices there's a more complicated and fancy debugging system where the SBU pins can be muxed to the security processor's USB host interface by presenting a debug cable called a SuzyQ, which presents a whole suite of debugging facilities. This used to be used quite frequently for unbricking purposes.

1. Tharre No.44428668
On the newer pixel phones (starting with the ones containing the titan chip) you can also mux the SBU pins to the security chip USB interface with "fastboot oem citadel suzyq".

And BTW, the SuzyQ cable is nothing more than two pull-up resistors and a USB hub connected to the normal USB D+/D- pins on one port and the SBU pins on the 2nd port. Nothing fancy about it, people have even made their own (minus the hub) by soldering some wires and resistors to a USB-C breakout board. Google has also published the schematics for it:

https://www.chromium.org/chromium-os/ccd/951-00273-01_201806...

2. IAmLiterallyAB No.44438849
Been wanting to play with the citadel interface. Last time I looked at it there was 0 public information, but that was years ago. And if there still isn't, then it'll be a good excuse to RE

Also, the titan chip has been around since the Pixel 3 I believe, so "newer" might be a strong word :)