JTAG Simplified

So the other day, I explored the JTAG bus interface which is frequently found in CPLDs/FPGAs and is most of the times the sole method of programming and debugging them. It is a powerful interface and very easy to use. I intend to write about the interface and the protocol used for documentation purposes and knowledge sharing.

JTAG (Joint Test Action Group) started primarily as a debugging interface for CPLDs or more commonly boundary scan testing, which is explained later. The simplest implementation of the JTAG interface requires 4 signal wires, primarily

  1. TDO (Test Data Out) – This is output signal from the target in response to the test query.
  2. TDI (Test Data In) – This is the input signal for the target carrying the test query.
  3. TCK (Test Clock) – This is the synchronization clock signal
  4. TMS (Test-Mode Select) – This controls the TAP state, explained later.

Signals Explained

  1. TCK –  is the JTAG clock signal. The other JTAG signals (TDI, TDO, TMS) are synchronous to TCK. So TCK has to toggle for anything to happen (usually things happen on TCK’s rising edge).
  2. TMS – Inside each JTAG IC, there is a JTAG TAP controller. The TAP controller is mainly a state machine with 16 states. TMS is the signal that controls the TAP controller. The TAP state diagram can be easily found in data-sheets of several JTAG ICs.The little numbers (“0” or “1”) close to each arrow are the value of TMS to change state. So for example, if a TAP controller is at state “Select DR-Scan” and TMS is “0” and TCK toggles, the state changes to “Capture-DR”.
  3. TDI and TDO – These signals carry the query and its response respectively. Referring to the TAP state diagram, Shift-DR and Shift-IR are the states where the query is generally pushed and Shift-DR is the state where the response is collected.

The TDI and TDO are daisy-chained. That is, with the Shift-DR size equal to 1-bit, data sent through the TDI starts coming back through the TDO after one clock pulse. Hence, when a response is to be collected from Shift-DR, clock pulses are sent to receive the response on the TDO. For example, if the Shift-DR size is 32 bits, 32 pulses are sent to completely receive the response of the JTAG query.

Registers

Each JTAG IC has one instruction register (IR) and multiple data registers (DR). Each instruction to the IR selects a different data register whose value is shifted out as explained above. For example, a 8-bit IR can select up to 256 DR, if available.

The length of each DR and IR registers can be found from the .bsdl file of the specific JTAG IC.

Instructions

The IR registers take in specific intructions which are listed in the .bsdl file of the JTAG IC. The most common of them grabbed from a .bsdl file are

attribute INSTRUCTION_LENGTH of EP1C3T100 : entity is 10;

attribute INSTRUCTION_OPCODE of EP1C3T100 : entity is

  "BYPASS            (1111111111), "&

  "EXTEST            (0000000000), "&

  "SAMPLE            (0000000101), "&

  "IDCODE            (0000000110), "&

  "USERCODE          (0000000111), "&

  "CLAMP             (0000001010), "&

  "HIGHZ             (0000001011), "&

  "CONFIG_IO            (0000001101)";

attribute INSTRUCTION_CAPTURE of EP1C3T100 : entity is "0101010101";

attribute IDCODE_REGISTER of EP1C3T100 : entity is

  "0000"&               --4-bit Version

  "0010000010000001"&   --16-bit Part Number (hex 2081)

  "00001101110"&        --11-bit Manufacturer's Identity

  "1";                  --Mandatory LSB

attribute BOUNDARY_LENGTH of EP1C3T100 : entity is 339;

Querying the JTAG Chain

Whenever the JTAG IC powers up it may end in any TAP state. Hence, it is mandatory to get it to a known state. One such method which is guaranteed to toggle the TAP state to Test-Logic-Reset is to hold TMS high for five clock cycles.

  1. Set TMS high.
  2. Send minimum of five clock cycles.
  3. Set TMS low.

1. Count number of ICs on the JTAG chain

One important IR value is the “all-ones” value. For the CPU that would be 11111 and for the FPGA, that’s 1111111111. This value corresponds to the mandatory IR instruction called BYPASS. In bypass mode, the TAP controller DR register is always a single flip-flop which does nothing besides delaying the TDI input by one clock cycle before outputting to TDO.

One interesting way to use this BYPASS mode is to count the number of ICs that are present in the JTAG chain.
If each JTAG IC delays the TDI-TDO chain by one clock, we can send some data and check by how long it is delayed. That gives us the number of ICs in the chain.

2. Identify ICs on the JTAG Chain

The IDCODE instruction is used to identify ICs on the JTAG chain. The IDCODE instruction is automatically executed once the TAP state is forced to Test-Logic-Reset i.e the IDCODE data register appears on the TDO line. It is usually 32-bits long.

  1. Go to Test-Logic-Reset.
  2. Go to Shift-DR.
  3. Shift out 32 bits of data onto the TDO line by passing 32 clock pulses. LSB comes out first.

Similarly, other instruction can be passed to the IR and response read from the Shift-DR TAP state.

Boundary Scan Testing

This was the primary purpose of the JTAG interface when it was launched. In the boundary scan mode, the DR chain goes through each IO block and can read or hijack each pin.

Boundary-scan can be used even while a device is otherwise running. So for example, using JTAG on an FPGA, you can tell the status of each pin while the FPGA is running. The SAMPLE instruction is used in running a boundary scan. The .bsdl file lists the size of the boundary scan chain and the various pad configurations. In the .bsdl above, the length is 339 bits listed in the last line. Each pin use an IO pad on the IC die. Some IO pads use one, two or three bits from the chain (depending if the pin is input only, output with tri-state, or both). Also some registers correspond to IO pads that may not be bounded (they exists on the IC die but are not accessible externally). Which explains why a 100 pins device can have a 339 bits boundary-scan chain.

attribute BOUNDARY_REGISTER of EP1C3T100 : entity is

  --BSC group 0 for I/O pin 100

  "0   (BC_1, IO100, input, X)," &

  "1   (BC_1, *, control, 1)," &

  "2   (BC_1, IO100, output3, X, 1, 1, Z)," &

  --BSC group 1 for I/O pin 99

  "3   (BC_1, IO99, input, X)," &

  "4   (BC_1, *, control, 1)," &

  "5   (BC_1, IO99, output3, X, 4, 1, Z)," &

  ...

  ...

  ...

  --BSC group 112 for I/O pin 1

  "336 (BC_1, IO1, input, X)," &

  "337 (BC_1, *, control, 1)," &

  "338 (BC_1, IO1, output3, X, 337, 1, Z)" ;

This lists all the 339 bits of the chain, and what they do.
For example, bit 3 is the one that tells us what is the value on pin 99.

Querying the boundary scan chain is straightforward.

  • Go to Shift-IR state.
  • Shift in SAMPLE instruction with TMS low.
  • Go to Exit1-IR.
  • Go to Shift-DR.
  • In our case, the data register is 339 bits long, Read the contents of the Shift-DR over TDO by sending 339 clock pulses with TMS low.

Using the JTAG interface, is pretty simple. It is basically a serial interface with a ‘cool’ name. You shift out a query and shift in the response. Knowledge of this interface is essential as its use is increasing day by day. Almost every microprocessor now uses it as a primary hardware debugging interface.

JTAG Simplified的更多相关文章

  1. JTAG 引脚自动识别 JTAG Finder, JTAG Pinout Tool, JTAG Pin Finder, JTAG pinout detector, JTAGULATOR, Easy-JTAG, JTAG Enumeration

    JTAG Finder Figuring out the JTAG Pinouts on a Device is usually the most time-consuming and frustra ...

  2. SWD and JTAG selection mechanism

    SWD and JTAG selection mechanism SWJ-DP enables either an SWD or JTAG protocol to be used on the deb ...

  3. Design Patterns Simplified - Part 3 (Simple Factory)【设计模式简述--第三部分(简单工厂)】

    原文链接:http://www.c-sharpcorner.com/UploadFile/19b1bd/design-patterns-simplified-part3-factory/ Design ...

  4. STM32C8T6 JTAG使用到PB3|PB4|PA13|PA14|PB15端口做普通IO时,需禁止JTAG!

    GPIO_InitTypeDef GPIO_InitStructure; RCC_APB2PeriphClockCmd(RCC_APB2Periph_GPIOB|RCC_APB2Periph_GPIO ...

  5. STM32用JLINK 烧写程序时出现NO Cortex-m device found in JTAG chain现象和解决方案

    现象 CPU: STM32107VC 用JLINK 烧写程序时出现NO Cortex-m device found in JTAG chain 如图无法查找到硬件就是CPU 提示1:NO Cortex ...

  6. 偶遇STM32 JTAG和SWD口(调试)被禁用无法下载,已经粗暴解决!

    处女座,为了板子走线美观,拉线方便,在项目量产前,还更改了原来外设的IO口,埋头苦干一天,移植ok,发现PB3一直不听使唤,好,加班检查代码,检查初始化,时钟,IO对应,然后试PCB板,是否短路,断路 ...

  7. Design Patterns Simplified - Part 2 (Singleton)【设计模式简述--第二部分(单例模式)】

    原文链接: http://www.c-sharpcorner.com/UploadFile/19b1bd/design-patterns-simplified-part-2-singleton/ De ...

  8. 【翻译】设计模式学习系列1---【Design Patterns Simplified: Part 1【设计模式简述:第一部分】】

    原文链接:http://www.c-sharpcorner.com/UploadFile/19b1bd/design-patterns-simplified-part1/ Design Pattern ...

  9. (转)小心FPGA的JTAG口(上电和下电顺序)

    同志们,根据ALTERA官方FAE(现场应用工程师)的强烈建议,请注意不要随意带电插拔你的JTAG下载接口,否则会损坏FPGA芯片的JTAG口信号管脚.现象:在排除了下载线的问题后,还是不能访问FPG ...

随机推荐

  1. json转化数组

    //json格式数据 $data = '[{ "F_ModuleId": "1", "F_ParentId": "0", ...

  2. ubuntu 开机自动挂载分区

    转载: http://blog.sina.com.cn/s/blog_142e95b170102vx2a.html 我的计算机是双硬盘,一个是windows系统,一个是Fedora和ubuntu系统. ...

  3. python3之模块urllib

    urllib是python内置的HTTP请求库,无需安装即可使用,它包含了4个模块: request:它是最基本的http请求模块,用来模拟发送请求 error:异常处理模块,如果出现错误可以捕获这些 ...

  4. python3之模板pycurl探测web服务质量

    1.pycurl简介 pycURL是libcurl多协议文件传输库的python接口,与urllib模块类似,PycURL可用于从python程序中获取由URL标识的对象,功能很强大,libcurl速 ...

  5. retrying模块的学习

    retrying模块的学习 我们在写爬虫的过程中,经常遇到爬取失败的情况,这个时候我们一般会通过try块去进行重试,但是每次都写那么一堆try块,真的是太麻烦,所以今天就来说一个比较pythonic的 ...

  6. springboot日志框架

    Spring Boot日志框架Spring Boot支持Java Util Logging,Log4j2,Lockback作为日志框架,如果你使用starters启动器,Spring Boot将使用L ...

  7. 【前端vue开发】vue开发输入姓名,电话,公司表单提交组件

    <template> <div id="parti-info"> <div> <span>您的姓名:</span> &l ...

  8. Java 基本语法---Java运算符

    Java 基本语法---Java运算符 0. 概述 Java中的运算符主要分为以下几种: 算术运算符 赋值运算符 关系运算符 逻辑运算符 条件运算符 位运算符 其他运算符 1. 算术运算符 操作符 描 ...

  9. win10编译caffe跑faster-rcnn(cuda7.5)

    2017年1月13日 15:46:04 github.com/Microsoft/caffe这版现在不算是BVLC/caffe的官方windows分支:官方windows分支是一个叫willyd的家伙 ...

  10. USING NHIBERNATE WITH MySQL

    In previous USING NHIBERNATE WITH SQLITE, we connect SQLITE with ORM framework NHibernate. One of th ...