A hardware and software collaborative protection method and system for vehicle-mounted T-BOX JTAG interface
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- M2MOTIVE TECH INC
- Filing Date
- 2026-03-12
- Publication Date
- 2026-06-19
AI Technical Summary
In existing technologies, the JTAG interface is not protected after vehicle mass production, becoming a high-risk entry point for physical attacks, which may threaten the confidentiality, integrity and availability of vehicle data. Moreover, existing protection measures cannot meet regulatory requirements or flexibly address the different security and maintenance needs at each stage of R&D, mass production and operation.
A controllable physical isolation circuit is added between the T-BOX's MCU and the external JTAG interface. Combined with software control, dynamic management of JTAG interface access permissions is achieved, including a first-level software controllable switch and a second-level hardware physical isolation, to meet security requirements at different stages.
It achieves deep defense, blocks unauthorized physical access, flexibly responds to needs at different stages, meets compliance requirements, reduces attack costs, and is easy to implement.
Smart Images

Figure CN122241784A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of automotive electronic information technology security, specifically to an information security protection method and system for the JTAG debugging interface of the T-BOX onboard telematics processor in intelligent connected vehicles. Background Technology
[0002] As a key hub for communication between the vehicle and external networks (such as 4G / 5G and vehicle networking platforms), the T-BOX is the first line of defense for the vehicle's network security, and its own security is of paramount importance.
[0003] The JTAG interface is a commonly used debugging and testing interface for microcontroller units and is indispensable during the development phase. However, after mass production and delivery of vehicles, if the JTAG interface is not protected, it may become a high-risk entry point for physical attacks. Attackers can access the JTAG interface to directly read MCU memory, extract firmware, inject malicious code, or perform reverse engineering, seriously threatening the confidentiality, integrity, and availability of vehicle data, and may even use it as a springboard to attack other critical electronic control units in the vehicle.
[0004] Current industry-standard JTAG protection methods have several limitations: physically removing header pins or using blind via designs only increases the difficulty of detection and cannot cope with high-level reverse engineering; electronic fuse locking is irreversible and cannot support legitimate after-sales debugging needs; and relying solely on the MCU's internal software disabling function may fail in some product versions where this function is not enabled or under certain attack methods (such as attempting to reactivate it through boundary scans). Therefore, there is an urgent need for a comprehensive protection solution that can meet mandatory regulatory requirements while flexibly addressing different security and maintenance needs at each stage of R&D, mass production, and operation. Summary of the Invention
[0005] The purpose of this technical solution is to overcome the shortcomings of existing technologies and provide a hardware-software co-operation method and system for protecting the JTAG interface of an in-vehicle T-BOX. This method adds a controllable physical isolation layer to the hardware link and combines it with software control of the MCU to achieve dynamic and reliable management of JTAG interface access permissions, effectively balancing the needs of mass production security and after-sales maintenance.
[0006] To achieve the above objectives, the present invention adopts the following technical solution: A hardware-software collaborative protection system for the JTAG interface of an in-vehicle T-BOX is based on the addition of at least one controllable physical isolation circuit between the T-BOX's MCU and the external JTAG interface. This circuit can selectively connect or disconnect the physical path of the JTAG signal between the MCU and the JTAG interface according to the control signal output by the MCU.
[0007] Preferably, the system includes two levels of protection: 1. First-level protection (software-controllable switch): This consists of a switching circuit (such as a MOSFET, analog switch, etc.) controlled by a general-purpose I / O pin of the MCU. The protection software running on the MCU can dynamically control the opening and closing of this switch based on the vehicle status (such as R&D, mass production, maintenance) or received remote authorization commands. In mass production mode, the MCU controls the switch to open, physically blocking the JTAG signal; when authorized maintenance is required, the MCU can control the switch to temporarily close.
[0008] 2. Second-level protection (hardware physical isolation): This is connected in series with the first-level circuit and uses physically removable components (such as surface-mount resistors, 0-ohm resistors, or diodes). In the final mass production stage, removing this component permanently cuts off the JTAG path, providing a deeper level of protection. Users can choose to use the first level alone, the second level alone, or a combination of both, depending on their security strategy.
[0009] The JTAG signals that need to be cut off are at least one of the standard forced signals, including Test Clock (TCK), Test Mode Selection (TMS), Test Data Input (TDI), and Test Data Output (TDO). According to the JTAG protocol, the absence of any forced signal will cause the entire JTAG function to fail.
[0010] Furthermore, the MCU's software control logic can be linked with higher-level security mechanisms. For example, the instruction to disconnect the JTAG path will only be executed after the MCU has successfully completed secure boot verification; or, the JTAG path will only be temporarily opened after receiving an authorization instruction from a Remote Trusted Service Platform (TSP) and verifying it through the MCU's built-in security module.
[0011] This technical solution also provides a protection method for the above-mentioned system, mainly including: At least one level of controllable physical isolation circuit is set between the MCU of T-BOX and the external JTAG interface; During the production or deployment phase of T-BOX, the MCU outputs a control signal to the controllable physical isolation circuit, controlling it to cut off at least one standard forced JTAG signal physical path between the MCU and the JTAG interface, thereby achieving JTAG interface access blocking.
[0012] Preferably, the method further includes a maintenance mode: when legitimate debugging or maintenance is required, the MCU, after passing security verification, outputs an enable control signal to the controllable physical isolation circuit to control it to temporarily restore the disconnected JTAG signal path; after maintenance is completed, the control signal is output again to disconnect the path.
[0013] The beneficial effects of this technical solution are as follows: 1. Defense in Depth: Through physical hardware isolation, it fundamentally prevents unauthorized physical access via the JTAG interface. Even if an attacker gains access to the device and finds the interface, they will be unable to establish effective communication.
[0014] 2. Flexible and controllable: The software-controlled first-level protection meets the needs of different stages throughout the product lifecycle (R&D debugging, small-batch verification, mass production locking, and after-sales authorized maintenance), avoiding the operational difficulties caused by "one-size-fits-all" protection.
[0015] 3. Strong compliance: This solution directly responds to the requirements of standards such as GB / T408562021 regarding "debugging interface access control" and "minimizing exposure", providing vehicle manufacturers with a clear technical path for compliance.
[0016] 4. Enhanced Deception: For T-BOXs that do not have the internal JTAG disabling function of the MCU or are password protected, the physical isolation layer added by this solution can effectively confuse attackers, causing them to misjudge the problem as a fault in the JTAG interface or the MCU itself, thus abandoning the attack and increasing the cost of attack.
[0017] 5. Low cost and easy to implement: All components used are common electronic components. There is no need to modify the MCU core architecture. Only a small amount of circuitry needs to be added during PCB design to achieve a significant improvement in protection. Attached Figure Description
[0018] Figure 1 This is a schematic diagram of the overall system architecture of this technical solution; Figure 2 Example circuit for a first-stage controllable physical isolation circuit Figure 1 Discrete components are used; Figure 3 Example circuit for a first-stage controllable physical isolation circuit Figure 2 It uses an analog switch chip; Figure 4 This is an example circuit diagram for the second-stage physical isolation circuit, using removable resistors.
[0019] The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and, together with the description, serve to explain the principles of the invention. It is obvious that the drawings described below are merely some embodiments of the invention, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort. Detailed Implementation
[0020] The present technical solution will be further described in detail below with reference to the accompanying drawings and specific embodiments.
[0021] like Figure 1 As shown, the protection system of this technical solution mainly consists of three parts: an MCU, a JTAG interface (connector or test point), and a protection circuit module disposed therebetween. The protection circuit module includes a first-level circuit (software switch) and a second-level circuit (hardware path).
[0022] JTAG Signal Description: The mandatory JTAG standard signals include TCK, TMS, TDI, and TDO. These signals are essential for the normal operation of JTAG; disabling any one of them is sufficient to disable JTAG. Optional signals such as TRST and RTCK do not affect basic functionality but can also be included in the disabling scope for enhanced protection.
[0023] The USB interface is the SOC's download and debugging interface. This interface achieves information security requirements through ADB access control and encryption. The connection between the SOC and MCU is generally an inner layer trace, and the communication protocol is custom-defined to meet information security requirements; Add circuits ① and ② between the MCU and JTAG to protect the security of the JTAG interface; Circuit ① is the first-level protection circuit, a switch path controlled by the MCU. During the mass production stage, the software is set to open to protect against unauthorized users from intruding into the JTAG interface. When there is a need for debugging and analysis, legitimate users can set ① to close via USB or TSP commands to meet the needs of legitimate users. Circuit ② is the second-level protection circuit, a hardware path, and serves as a secondary protection barrier. It can be removed directly during mass production. Due to the complexity of the motherboard circuitry and the large number of components, this path is difficult to detect. This part involves material removal, designed to increase the difficulty for attackers. Attackers generally assume that the JTAG interface is normally connected to the MCU. If access through the interface fails, they will assume that the interface is faulty or that the MCU is malfunctioning, and in this case, they will likely abandon their attack.
[0024] In practical solutions, you can choose to protect both ① and ② simultaneously, or you can choose to use either ① or ② alone to achieve the purpose of protection.
[0025] The connection between the MCU and ① is a control line, which controls the on / off state of circuit 1 by controlling the high and low levels. Bidirectional arrows represent signal lines, and unidirectional arrows represent control lines. Because control is unidirectional, unidirectional arrows are used, while signal lines can have different directions, hence the use of bidirectional arrows.
[0026] Not all MCUs support software-disabled JTAG. For MCUs that do have this feature, it's typically only available in mass-production versions. If unauthorized users obtain off-production products, this solution increases the difficulty of reverse engineering and tampering with the code. The software-enabled solution adds a controllable physical barrier.
[0027] This technical solution offers no protection for mass-produced products with JTAG disabled, as the JTAG function becomes unusable after the JTAG restriction takes effect. However, it provides protection for ECUs that are already in mass production but lack JTAG software protection, as well as ECUs that are in the development or small-batch production stages without JTAG software protection. Another scenario is that, for easier later maintenance, some mass-produced products choose to use JTAG password protection instead of disabling JTAG. In this case, authorized users can gain JTAG access by entering a password, increasing patent hardware protection, which is also effective for this type of product.
[0028] This solution avoids the problem of manufacturers relying solely on software to disable JTAG functionality without combining it with a secure boot verification mechanism, which could still allow it to be reactivated through boundary scans. A properly disabled MCU cannot be accessed again via JTAG, but once this disabling mechanism takes effect, further analysis is impossible. Generally, JTAG functionality is retained during R&D and small-batch production stages to facilitate fault location and analysis. This means that some vehicle models may not have JTAG disabled in their initial ECUs upon market launch. Some vehicle models protect the JTAG interface through JTAG password protection, rather than disabling JTAG. Unauthorized users might gain access to an ECU with JTAG enabled. In such cases, adding physical protection mechanisms greatly confuses and confuses unauthorized users, making them believe JTAG is inaccessible. Since the motherboard has a JTAG interface, attackers will prioritize using detection tools to attack it. However, due to the added physical channel isolation measures, the detection is actually unsuccessful, thus protecting the ECU.
[0029] One exception is when an attacker directly connects to the chip's JTAG pin. This is less likely to happen if a JTAG connector or test point is present.
[0030] The first-level protection circuit implementation is as follows: Figure 2 As shown: According to the JTAG signal specification, the JTAG function cannot be used if any of the standard forced signals is missing. The following is an implementation scheme for this part of the circuit, where any one or more JTAG forced signals can be connected to the signal lines, as shown in the example below: The JTAG_TCK signal is one of the standard forced signals and serves as the synchronization clock for JTAG communication. It is output from the emulator to the MCU. The circuit principle is as follows: The MCU_JTAG_ENABLE signal is the MCU output signal that enables JTAG. When MCU_JTAG_ENABLE is at a logic high level, transistor Q2 is turned on, and the gate of the MOSFET is pulled low. JTAG_TCK_CONN is the clock signal output from the emulator to the MCU. When JTAG_TCK_CONN is high, Q1 is turned on, and JTAG_TCK is pulled high. When JTAG_TCK_CONN is low, Q1 is turned off, and due to the presence of the body diode of Q1 and R2, JTAG_TCK is pulled low. In this way, the clock signal output by the emulator is synchronously transmitted to the MCU. When the MCU_JTAG_EMABLE signal is at a logic low level, transistor Q2 is turned off. JTAG_TCK_CONN is the clock signal output from the emulator to the MCU. Due to the isolation of Q1, JTAG_TCK remains at a low level, the JTAG physical channel is disconnected, and JTAG cannot be detected.
[0031] Another implementation of the first-level protection circuit is, for example... Figure 3 As shown: U1 is a signal switch IC. The MCU_JTAG_DISABLE signal is the signal output by the MCU to disable the JTAG function. When MCU_JTAG_DISABLE is at a logic high level, U1 is not turned on, the JTAG_TCK_CONN signal cannot be transmitted to the MCU, and JTAG_TCK is pulled low. In this way, the clock signal output by the emulator is synchronously transmitted to the MCU, the JTAG physical channel is disconnected, and JTAG cannot be detected.
[0032] When MCU_JTAG_DISABLE is at a logic low level, U1 is turned on, and the JTAG_TCK_CONN signal can be transmitted to the MCU through the switch, allowing the JTAG function to be used normally.
[0033] Second-level protection circuit implementation, for example Figure 4As shown: A surface-mount resistor R_isolate or diode D_isolate is connected in series in the signal path. In the final mass production version, this component is not soldered using the SMT process, or it is removed in the later stages of production, thus permanently disconnecting the signal path. This measure prevents attackers from bypassing this physical breakpoint even if they attempt to reconfigure the first-stage circuit through software vulnerabilities or other means. The circuit uses resistors or diodes as a physical isolation method. The signal direction is from JTAG_TCK_CONN to JTAG_TCK. When the resistor or diode is present, the signal is transmitted normally; when the resistor or diode is removed, the signal path is blocked. The difference between circuit ② and circuit ① is that circuit ① can be controlled by software to ensure its presence. For example, when mass production products require JTAG, a command to open JTAG can be issued remotely, and it can be closed remotely after use. However, circuit ②, once removed in the mass production stage, cannot be modified by software.
[0034] System workflow: 1. Research and development and small-batch production stage: The first-level circuit remains closed (or is controlled by debug mode), the second-level circuit components are retained, and the JTAG function is fully open to facilitate development and testing.
[0035] 2. Mass production stage: After the final software burning and functional testing are completed on the production line, the production terminal sends a "lock command" to the MCU through a specific protocol.
[0036] After receiving the instruction, the MCU sets the GPIO pin controlling the first-level protection circuit to the "disconnect" state (e.g., Figure 2 (high level in the middle).
[0037] For products requiring the highest level of safety, a second level of protection can be implemented simultaneously, namely physical removal (or non-welding).
[0038] After that, if an attacker directly connects to the JTAG interface, normal JTAG signal responses will not be detected.
[0039] 3. Authorization and maintenance phase: After-sales technicians can initiate a JTAG activation request by connecting the T-BOX's OBD or dedicated maintenance interface using diagnostic equipment.
[0040] The application may be uploaded to the cloud-based TSP platform via an encrypted link for identity and permission verification.
[0041] After successful verification, TSP sends an encrypted "temporary activation command" to T-BOX.
[0042] The security module inside the T-BOX decrypts and verifies the command, then notifies the MCU's protection software to temporarily set the GPIO pin controlling the first-level circuit to the "conducting" state (e.g., ...). Figure 2 (The low level in the middle) can last for one power-on cycle or a specified duration.
[0043] Technicians can then use JTAG to perform authorized debugging. After the operation is completed, the device will automatically return to its locked state after restarting or a timeout.
[0044] Regarding the difference between "software switch" and "software disable": The "software switch" described in this technical solution controls the connection and disconnection of the hardware link, which belongs to physical layer protection. The "software disable JTAG" function inside the MCU is a logic layer configuration provided by the chip (such as setting a configuration bit). This technical solution is complementary to and reinforces the latter. This solution provides critical physical protection for products that do not have internal JTAG disabling enabled (such as some earlier versions).
[0045] For products that have already enabled internal JTAG disabling, this solution acts as an additional physical barrier to prevent attacks that bypass the logic disabling through potential chip vulnerabilities or unconventional means (such as circuit modification by focused ion beam).
[0046] like Figure 1 As shown, even if an attacker attempts to probe or influence the MCU's configuration registers through boundary scans or other means, the attack will fail because the external physical pathways have been cut off.
[0047] Motherboard layout considerations: JTAG connectors are typically located at the edge of the motherboard. This technical solution recommends placing the protection circuitry (especially the secondary circuitry used for one-time isolation) in an area away from the JTAG connector, close to the MCU chip, and surrounded by multiple layers of components. This layout significantly increases the difficulty for attackers to directly bridge the severed path using flying leads or microprobes. For BGA-packaged MCUs with unexposed pins, attackers have virtually no direct access to the chip's JTAG pins, making this solution even more effective.
[0048] Another embodiment of the present invention is a hardware and software collaborative protection system for a vehicle-mounted T-BOX JTAG interface, characterized in that it includes: a microcontroller unit (MCU), a JTAG interface, and at least one level of controllable physical isolation circuit disposed between the MCU and the JTAG interface; A controllable physical isolation circuit is used to selectively turn on or off at least one standard forced JTAG signal path between the MCU and the JTAG interface according to a control signal; The MCU is used to output a first control signal to the controllable physical isolation circuit after the T-BOX enters the mass production operation stage, so as to control it to cut off at least one standard forced JTAG signal path, thereby physically preventing unauthorized access to the MCU through the JTAG interface.
[0049] Preferably, the controllable physical isolation circuit is a first-level controllable physical isolation circuit, whose control terminal is connected to a general-purpose input / output pin of the MCU; the MCU controls the level of the general-purpose input / output pin through the protection software running on it to generate a first control signal or a second control signal to enable JTAG access.
[0050] Preferably, the first-stage controllable physical isolation circuit includes a switching device; the control terminal of the switching device receives the control signal output by the MCU, and its main path is connected in series between the JTAG pin of the MCU and the corresponding pin of the JTAG interface; when the control signal is the first control signal, the switching device is turned off, cutting off the corresponding JTAG signal path; when the control signal is the second control signal, the switching device is turned on, restoring the corresponding JTAG signal path.
[0051] Preferably, the switching device is a MOSFET, a transistor, or an integrated analog switch chip.
[0052] Preferably, it also includes a second-level controllable physical isolation circuit, which is connected in series with the first-level controllable physical isolation circuit on the same or multiple JTAG signal paths between the MCU and the JTAG interface; the second-level controllable physical isolation circuit is a one-time physically removable isolation device.
[0053] Preferably, the one-time physical removal isolation device is a surface mount resistor, surface mount capacitor, or surface mount diode. During the mass production stage of T-BOX, the corresponding JTAG signal path is permanently cut off by removing this device.
[0054] Preferably, the standard forced JTAG signal includes at least one of the following: test clock (TCK), test mode select (TMS), test data input (TDI), and test data output (TDO); cutting off any of these signal paths will cause the JTAG function to fail.
[0055] Preferably, the protection software running on the MCU receives authorization commands from the T-BOX internal security module or from the remote trusted service platform (TSP) via the vehicle network. Only after verifying the legality of the authorization command will it output a second control signal to temporarily activate the first-level controllable physical isolation circuit and enable JTAG access.
[0056] The above description is only a preferred embodiment of the present technical solution and does not limit the patent scope of the present technical solution. Any equivalent structural or procedural transformations made using the contents of the present technical solution specification and drawings, or direct or indirect applications in other related technical fields, are similarly included within the patent protection scope of the present technical solution.
Claims
1. A hardware and software collaborative protection system for a vehicle-mounted T-BOX JTAG interface, characterized in that, include: A microcontroller unit (MCU), a JTAG interface, and at least one level of controllable physical isolation circuit disposed between the MCU and the JTAG interface; The controllable physical isolation circuit is used to selectively turn on or off at least one standard forced JTAG signal path between the MCU and the JTAG interface according to the control signal; The MCU is used to output a first control signal to the controllable physical isolation circuit after the T-BOX enters the mass production operation stage, so as to control it to cut off the at least one standard forced JTAG signal path, thereby physically preventing unauthorized access to the MCU through the JTAG interface.
2. The system according to claim 1, characterized in that, The controllable physical isolation circuit is a first-level controllable physical isolation circuit, and its control terminal is connected to a general-purpose input / output pin of the MCU. The MCU controls the level of the general-purpose input / output pin through the protection software running on it to generate the first control signal or a second control signal for enabling JTAG access.
3. The system according to claim 2, characterized in that, The first-stage controllable physical isolation circuit includes a switching device; the control terminal of the switching device receives the control signal output by the MCU, and its main path is connected in series between the JTAG pin of the MCU and the corresponding pin of the JTAG interface; when the control signal is the first control signal, the switching device is turned off, cutting off the corresponding JTAG signal path; when the control signal is the second control signal, the switching device is turned on, restoring the corresponding JTAG signal path.
4. The system according to claim 3, characterized in that, The switching device is a MOSFET, a transistor, or an integrated analog switch chip.
5. The system according to claim 1, characterized in that, It also includes a second-level controllable physical isolation circuit, which is connected in series with the first-level controllable physical isolation circuit on the same or multiple JTAG signal paths between the MCU and the JTAG interface; the second-level controllable physical isolation circuit is a one-time physically removable isolation device.
6. The system according to claim 5, characterized in that, The one-time physical removal isolation device is a surface mount resistor, surface mount capacitor, or surface mount diode. During the mass production stage of T-BOX, the corresponding JTAG signal path is permanently cut off by removing this device.
7. The system according to any one of claims 1 to 6, characterized in that, The standard forced JTAG signals include at least one of the following: Test Clock (TCK), Test Mode Selection (TMS), Test Data Input (TDI), and Test Data Output (TDO); cutting off any of these signal paths will cause the JTAG function to fail.
8. The system according to claim 2, characterized in that, The protection software running on the MCU receives authorization commands from the T-BOX internal security module or from the remote trusted service platform (TSP) via the vehicle network. Only after verifying the validity of the authorization command will it output the second control signal to temporarily activate the first-level controllable physical isolation circuit and enable JTAG access permissions.
9. A method for protecting the vehicle-mounted T-BOX JTAG interface applied to the system described in any one of claims 1-8, characterized in that, include: At least one level of controllable physical isolation circuit is set between the MCU of T-BOX and the external JTAG interface; During the production or deployment phase of T-BOX, the MCU outputs a control signal to the controllable physical isolation circuit, controlling it to cut off at least one standard forced JTAG signal physical path between the MCU and the JTAG interface, thereby achieving JTAG interface access blocking.
10. The method according to claim 9, characterized in that, The method also includes a maintenance mode: when legitimate debugging or maintenance is required, the MCU, after passing security verification, outputs an enable control signal to the controllable physical isolation circuit to temporarily restore the disconnected JTAG signal path; after maintenance is completed, the control signal is output again to disconnect the path.