1. I’ve never used JTAG or UART before. Where should I start?

Here are some helpful Wikipedia pages with detailed info on JTAG (Joint Test Action Group) and UART (Universal Asynchronous Receiver-Transmitter).
For a good understanding of how to use JTAGulator, watch the official video series. You can start with “JTAGulator: Introduction and Demonstration (Expanded)“.
You can also set up your Raspberry Pi Zero W using the documentation above to let you explore the various JTAGulator features.

2. Is there a community or place where I can ask questions?

You can reach out to the EXPLIoT support team or explore the JTAGulator channel on EXPLIoT Discord.

3. What’s a real-world example of JTAGulator in action?

It’s been used to recover bricked routers, extract firmware from IoT devices, and gain root access to locked-down embedded systems. See the JTAGulator YouTube Playlist and also search for ‘JTAGulator’ on YouTube to see other examples.

4. Can I use JTAGulator on locked or encrypted devices?

It can help identify interfaces, but accessing or extracting data depends on the device’s security implementation.

1. Do I need any special drivers to use JTAGulator?

No special drivers are needed on most systems. It uses a standard FTDI USB-to-Serial chip that’s supported on Windows, macOS, and Linux.

2. What kind of cable should I use to connect JTAGulator to my target device?

You can use female-to-female jumper wires or a Bus Pirate-compatible 2×5 cable for quick connection to headers.

3. Can I power my target board through JTAGulator?

No. JTAGulator does not supply power to the target. Your target device needs to be powered externally.

4. How do I know which pins on my board are test points?

Look for unpopulated headers or small, round gold pads near chips. These are often debug/test pins. JTAGulator helps identify their function.

1. What’s the difference between the ‘ID Code’ scan and ‘Bypass’ scan for JTAG?

The ID Code scan is faster and finds 3 out of 4 required pins. The Bypass scan is slower but gives a full JTAG pinout, including the reset pin (TRST) if it exists on the target.

2. What is the ‘UART passthrough’ mode?

Once TX/RX pins are found, this mode lets you interact with the target’s serial console directly from your terminal.

3. Can I capture live signals with JTAGulator?

Yes. It includes a simple logic analyzer mode (24 channels) using Sigrok software, great for observing GPIO state changes. See the Logic Analyzer wiki page for more information.

4. What is the ‘Pin Mapper (EXTEST Scan)’ feature used for?

It maps boundary scan bits to physical I/O pins — useful for identifying functions like LEDs or other peripherals during reverse engineering.

1. What can I do once I find a JTAG, SWD, or UART interface?

You can extract firmware, debug the system, gain console access, or interact with the bootloader.

2. Does it support UART pinout detection, too?

Yes. JTAGulator can help identify TX and RX pins and even pass data through once discovered.

3. Can I use JTAGulator with OpenOCD or other tools?

Yes. With the latest firmware, JTAGulator can interface with OpenOCD directly. See the OpenOCD wiki page for more information.

4. How many pins can I test at once?

You can connect up to 24 pins from your target device simultaneously.

5. Can JTAGulator help me recover bricked devices?

Sometimes! If the device exposes a debug interface and isn’t hardware-locked, JTAGulator can help identify it and enable recovery or flashing.

1. Where can I buy JTAGulator?

From the official EXPLIoT store: store.expliot.io

2. Do you provide guides or training for beginners?

For a good understanding of how to use JTAGulator, watch the YouTube JTAGulator Playlist and also search for ‘JTAGulator’ on YouTube to see other examples.

3. What if I run into issues?

Reach out to us at info@expliot.io — we’re happy to help.

1. The device powers on but I don’t see any output in my terminal. What should I check?

Ensure that the correct COM port and baud rate (115200) are set for the JTAGulator. See the Quick Start wiki page for more information.

2. My JTAGulator isn’t detecting anything.

JTAGulator strives to support as many target devices as possible, but there are a number of reasons the tool may not identify or communicate with your particular hardware: 

• Not all pins required for the desired interface are connected to the JTAGulator 

• Interface is not being properly enabled:
  1. Other pins may be required to put the target in the correct state
  2. There’s a security feature preventing access to the interface
  3. The interface is disabled in firmware 

• Interface is temporarily enabled: The interface might exist only for a brief period of time during the target’s boot sequence before you’re able to perform a scan 

• Interface is physically disconnected: Traces may have been cut or resistors removed between the target connector/test points and the rest of the system 

• No supported interface exists: The target chip does not use JTAG, SWD, or UART interfaces 

• Abnormal target behavior due to “fuzzing” unknown pins: The target may enter an unknown/unexpected state due to the manipulation of the target’s pins via the JTAGulator 

• Signaling mismatch:
  1. Incorrect target I/O voltage (VADJ) setting; The target’s signal levels may be different than its main system voltage
  2. Pull-up or pull-down resistors on target are too strong; Less than 4.7 kΩ may result in a signal voltage lower than what the JTAGulator’s input pins can recognize
  3. Target uses an SWD interface, which is prone to compatibility issues with the JTAGulator 

Double check your connections between the JTAGulator and target device. Ensure that there is a GND connection between the devices and that VADJ is not connected to the target. Additionally, be sure to read through the closed issues at our GitHub repository in case someone has already encountered and solved a similar problem. 

JTAGulator HW Rev. B and earlier may have compatibility issues with certain target devices. This is caused by the JTAGulator’s front-end circuitry (level translators, diodes, and series resistors) affecting signal levels between the JTAGulator and target. Consider implementing the recommended hardware modifications if needed. 

3. Why do I get different responses for IDCODE Scan or BYPASS Scan on repeated tries?

The response you’re seeing is when the JTAGulator thinks it found a result (e.g, the data it sees matches the requirements of that particular scan). Since the JTAGulator enumerates though all possible pin permutations for a given set of channels and may be setting the state of pins whose function on the target are unknown, the system could respond in a way that fools the JTAGulator into thinking it’s found a possible pinout. The JTAGulator is an assistive tool and will sometimes require human intervention to determine proper results from a number of false positives.

4. BYPASS Scan successfully detects an interface, but JTAG Scan and IDCODE Scan don’t return anything.

It’s possible that the target device doesn’t contain an IDCODE, contains a non-compliant IDCODE, doesn’t load its IDCODE into the data register on TAP reset, or the JTAGulator can’t properly read the IDCODE. Both the JTAG Scan (which combines the IDCODE Scan and BYPASS Scan into a single command) and IDCODE Scan assumes that a valid IDCODE is in the data register, which is often the case, but not always. 

It’s also possible that the target has a security mechanism in place to prevent full access to its JTAG interface. In order for the target to remain compliant with the JTAG specification, it should still support the BYPASS command (which the JTAGulator uses during a BYPASS Scan) even if the remainder of its functionality is protected. 

5. After I start any scan, the JTAGulator immediately aborts.

The JTAGulator expects any command or input to be followed by a single CR or LF (sent by the terminal program when the Enter key is pressed). If the JTAGulator immediately aborts after starting a scan, this indicates that your terminal program is sending both bytes when the Enter key is pressed, which will cause the JTAGulator to interpret it as two separate key presses. Change your terminal settings to ensure only a single CR or LF is sent and try again.

6. During the JTAG Pin Mapper (EXTEST Scan), why do I sometimes see two different register bits detected on the same channel?

This may occur when the JTAGulator has found an I/O control line (output enable) for a particular I/O pin. Depending on the target chip’s internal I/O construction, setting the output enable high or low may cause its respective I/O pin to become enabled and be set high or low. In this case, you will need to do further experimentation on those pins to determine which register bit corresponds to the physical I/O pin and which register bit corresponds to the output enable. Typically, the control line is adjacent to the I/O pin in the Boundary Scan Register.

7. When the JTAGulator powers up, the LED turns YELLOW and there’s nothing displayed in the terminal program.

Beginning with  firmware version 1.4, the JTAGulator will wait until the user presses any key from within the terminal program before it sends the welcome header and command prompt. This ensures that the user doesn’t miss the information after successfully connecting to a host.

8. When the JTAGulator powers up, the LED turns YELLOW and then RED. There’s nothing displayed in the terminal program and it appears unresponsive.

This indicates that the JTAGulator is in a secondary operating mode (e.g., logic analyzer or OpenOCD) and is waiting for commands from the respective external software tool. These modes persist through JTAGulator resets, power cycles, and firmware updates. This behavior is required in order for the JTAGulator to remain in the desired mode while changing software applications and using the external software tools, some of which may reset the JTAGulator before, during, or after use. 

To exit and return to normal JTAGulator functionality, open your terminal program and press Ctrl-X. You will be presented with the command prompt (>) and the JTAGulator’s LED will turn GREEN.

9. I built my own JTAGulator and… 

While the JTAGulator is open source and intended for easy assembly, modification, and sharing, we unfortunately are unable to provide support for any JTAGulator unit not purchased from the EXPLIoT Store. Given the inconsistencies of build skill, component sourcing, and PCB fabrication quality, there are simply too many aspects that are out of our control. If you suspect a hardware issue, you can follow our functional test procedure and associated video to help identify the root cause.

10. It still doesn’t work!

If you’re unable to solve your problem after studying the available resources and believe you’ve found a bug in the JTAGulator, you may open a new issue in our GitHub repository.  

Please provide as much information as possible about your environment, such as:

• JTAGulator firmware version 
• Description of your target hardware 
• High-resolution photos showing connections/wiring 
• Screenshots or log files showing JTAGulator output 
• Operating system details 
• Version numbers of any accompanying software
• What steps you have already taken to troubleshoot/debug the issue