This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course.

Student ID: IoTE-728


The most interesting part of the Offensive IoT Exploitation course was the JTAG part. I did not have any device with JTAG capabilities, so I bought a MIPS Creator Ci40 IoT hub.


This board has a standard JTAG interface.


The full documentation of the board can be found here. The board comes with OpenWRT installed.


I downloaded JTAGEnum from GitHub. I uploaded the code to my Arduino. I opened the Serial Monitor with baud rate 115200 and pressed ‘h’. The help menu appeared.


The next step was to connect the Arduino and the MIPS Creator Ci40. I connected JTAG 1-3-5-7-9-11-13 to Arduino 8-7-6-5-4-3-2 and JTAG 10-12-14 to Arduino 11-10-9.


Then I pressed ‘s’ and Enter in the Serial Monitor of the Arduino. The scan started, and after several minutes I got the following result:


JTAGEnum found one possible pinout.

JTAG9 -> DIG4 -> TCK
JTAG7 -> DIG5 -> TMS
JTAG5 -> DIG6 -> TDO
JTAG3 -> DIG7 -> TDI

This is exactly the same as the one which can be found in the official document.