JTAG Simplified

So the other day, I explored the JTAG bus interface which is frequently found in CPLDs/FPGAs and is most of the times the sole method of programming and debugging them. It is a powerful interface and very easy to use. I intend to write about the interface and the protocol used for documentation purposes and knowledge sharing.

JTAG (Joint Test Action Group) started primarily as a debugging interface for CPLDs or more commonly boundary scan testing, which is explained later. The simplest implementation of the JTAG interface requires 4 signal wires, primarily

  1. TDO (Test Data Out) – This is output signal from the target in response to the test query.
  2. TDI (Test Data In) – This is the input signal for the target carrying the test query.
  3. TCK (Test Clock) – This is the synchronization clock signal
  4. TMS (Test-Mode Select) – This controls the TAP state, explained later.

Signals Explained

  1. TCK –  is the JTAG clock signal. The other JTAG signals (TDI, TDO, TMS) are synchronous to TCK. So TCK has to toggle for anything to happen (usually things happen on TCK’s rising edge).
  2. TMS – Inside each JTAG IC, there is a JTAG TAP controller. The TAP controller is mainly a state machine with 16 states. TMS is the signal that controls the TAP controller. The TAP state diagram can be easily found in data-sheets of several JTAG ICs.The little numbers (“0” or “1”) close to each arrow are the value of TMS to change state. So for example, if a TAP controller is at state “Select DR-Scan” and TMS is “0” and TCK toggles, the state changes to “Capture-DR”.
  3. TDI and TDO – These signals carry the query and its response respectively. Referring to the TAP state diagram, Shift-DR and Shift-IR are the states where the query is generally pushed and Shift-DR is the state where the response is collected.

The TDI and TDO are daisy-chained. That is, with the Shift-DR size equal to 1-bit, data sent through the TDI starts coming back through the TDO after one clock pulse. Hence, when a response is to be collected from Shift-DR, clock pulses are sent to receive the response on the TDO. For example, if the Shift-DR size is 32 bits, 32 pulses are sent to completely receive the response of the JTAG query.

Registers

Each JTAG IC has one instruction register (IR) and multiple data registers (DR). Each instruction to the IR selects a different data register whose value is shifted out as explained above. For example, a 8-bit IR can select up to 256 DR, if available.

The length of each DR and IR registers can be found from the .bsdl file of the specific JTAG IC.

Instructions

The IR registers take in specific intructions which are listed in the .bsdl file of the JTAG IC. The most common of them grabbed from a .bsdl file are

attribute INSTRUCTION_LENGTH of EP1C3T100 : entity is 10;

attribute INSTRUCTION_OPCODE of EP1C3T100 : entity is

  "BYPASS            (1111111111), "&

  "EXTEST            (0000000000), "&

  "SAMPLE            (0000000101), "&

  "IDCODE            (0000000110), "&

  "USERCODE          (0000000111), "&

  "CLAMP             (0000001010), "&

  "HIGHZ             (0000001011), "&

  "CONFIG_IO            (0000001101)";

attribute INSTRUCTION_CAPTURE of EP1C3T100 : entity is "0101010101";

attribute IDCODE_REGISTER of EP1C3T100 : entity is

  "0000"&               --4-bit Version

  "0010000010000001"&   --16-bit Part Number (hex 2081)

  "00001101110"&        --11-bit Manufacturer's Identity

  "1";                  --Mandatory LSB

attribute BOUNDARY_LENGTH of EP1C3T100 : entity is 339;

Querying the JTAG Chain

Whenever the JTAG IC powers up it may end in any TAP state. Hence, it is mandatory to get it to a known state. One such method which is guaranteed to toggle the TAP state to Test-Logic-Reset is to hold TMS high for five clock cycles.

  1. Set TMS high.
  2. Send minimum of five clock cycles.
  3. Set TMS low.

1. Count number of ICs on the JTAG chain

One important IR value is the “all-ones” value. For the CPU that would be 11111 and for the FPGA, that’s 1111111111. This value corresponds to the mandatory IR instruction called BYPASS. In bypass mode, the TAP controller DR register is always a single flip-flop which does nothing besides delaying the TDI input by one clock cycle before outputting to TDO.

One interesting way to use this BYPASS mode is to count the number of ICs that are present in the JTAG chain.
If each JTAG IC delays the TDI-TDO chain by one clock, we can send some data and check by how long it is delayed. That gives us the number of ICs in the chain.

2. Identify ICs on the JTAG Chain

The IDCODE instruction is used to identify ICs on the JTAG chain. The IDCODE instruction is automatically executed once the TAP state is forced to Test-Logic-Reset i.e the IDCODE data register appears on the TDO line. It is usually 32-bits long.

  1. Go to Test-Logic-Reset.
  2. Go to Shift-DR.
  3. Shift out 32 bits of data onto the TDO line by passing 32 clock pulses. LSB comes out first.

Similarly, other instruction can be passed to the IR and response read from the Shift-DR TAP state.

Boundary Scan Testing

This was the primary purpose of the JTAG interface when it was launched. In the boundary scan mode, the DR chain goes through each IO block and can read or hijack each pin.

Boundary-scan can be used even while a device is otherwise running. So for example, using JTAG on an FPGA, you can tell the status of each pin while the FPGA is running. The SAMPLE instruction is used in running a boundary scan. The .bsdl file lists the size of the boundary scan chain and the various pad configurations. In the .bsdl above, the length is 339 bits listed in the last line. Each pin use an IO pad on the IC die. Some IO pads use one, two or three bits from the chain (depending if the pin is input only, output with tri-state, or both). Also some registers correspond to IO pads that may not be bounded (they exists on the IC die but are not accessible externally). Which explains why a 100 pins device can have a 339 bits boundary-scan chain.

attribute BOUNDARY_REGISTER of EP1C3T100 : entity is

  --BSC group 0 for I/O pin 100

  "0   (BC_1, IO100, input, X)," &

  "1   (BC_1, *, control, 1)," &

  "2   (BC_1, IO100, output3, X, 1, 1, Z)," &

  --BSC group 1 for I/O pin 99

  "3   (BC_1, IO99, input, X)," &

  "4   (BC_1, *, control, 1)," &

  "5   (BC_1, IO99, output3, X, 4, 1, Z)," &

  ...

  ...

  ...

  --BSC group 112 for I/O pin 1

  "336 (BC_1, IO1, input, X)," &

  "337 (BC_1, *, control, 1)," &

  "338 (BC_1, IO1, output3, X, 337, 1, Z)" ;

This lists all the 339 bits of the chain, and what they do.
For example, bit 3 is the one that tells us what is the value on pin 99.

Querying the boundary scan chain is straightforward.

  • Go to Shift-IR state.
  • Shift in SAMPLE instruction with TMS low.
  • Go to Exit1-IR.
  • Go to Shift-DR.
  • In our case, the data register is 339 bits long, Read the contents of the Shift-DR over TDO by sending 339 clock pulses with TMS low.

Using the JTAG interface, is pretty simple. It is basically a serial interface with a ‘cool’ name. You shift out a query and shift in the response. Knowledge of this interface is essential as its use is increasing day by day. Almost every microprocessor now uses it as a primary hardware debugging interface.

JTAG Simplified的更多相关文章

  1. JTAG 引脚自动识别 JTAG Finder, JTAG Pinout Tool, JTAG Pin Finder, JTAG pinout detector, JTAGULATOR, Easy-JTAG, JTAG Enumeration

    JTAG Finder Figuring out the JTAG Pinouts on a Device is usually the most time-consuming and frustra ...

  2. SWD and JTAG selection mechanism

    SWD and JTAG selection mechanism SWJ-DP enables either an SWD or JTAG protocol to be used on the deb ...

  3. Design Patterns Simplified - Part 3 (Simple Factory)【设计模式简述--第三部分(简单工厂)】

    原文链接:http://www.c-sharpcorner.com/UploadFile/19b1bd/design-patterns-simplified-part3-factory/ Design ...

  4. STM32C8T6 JTAG使用到PB3|PB4|PA13|PA14|PB15端口做普通IO时,需禁止JTAG!

    GPIO_InitTypeDef GPIO_InitStructure; RCC_APB2PeriphClockCmd(RCC_APB2Periph_GPIOB|RCC_APB2Periph_GPIO ...

  5. STM32用JLINK 烧写程序时出现NO Cortex-m device found in JTAG chain现象和解决方案

    现象 CPU: STM32107VC 用JLINK 烧写程序时出现NO Cortex-m device found in JTAG chain 如图无法查找到硬件就是CPU 提示1:NO Cortex ...

  6. 偶遇STM32 JTAG和SWD口(调试)被禁用无法下载,已经粗暴解决!

    处女座,为了板子走线美观,拉线方便,在项目量产前,还更改了原来外设的IO口,埋头苦干一天,移植ok,发现PB3一直不听使唤,好,加班检查代码,检查初始化,时钟,IO对应,然后试PCB板,是否短路,断路 ...

  7. Design Patterns Simplified - Part 2 (Singleton)【设计模式简述--第二部分(单例模式)】

    原文链接: http://www.c-sharpcorner.com/UploadFile/19b1bd/design-patterns-simplified-part-2-singleton/ De ...

  8. 【翻译】设计模式学习系列1---【Design Patterns Simplified: Part 1【设计模式简述:第一部分】】

    原文链接:http://www.c-sharpcorner.com/UploadFile/19b1bd/design-patterns-simplified-part1/ Design Pattern ...

  9. (转)小心FPGA的JTAG口(上电和下电顺序)

    同志们,根据ALTERA官方FAE(现场应用工程师)的强烈建议,请注意不要随意带电插拔你的JTAG下载接口,否则会损坏FPGA芯片的JTAG口信号管脚.现象:在排除了下载线的问题后,还是不能访问FPG ...

随机推荐

  1. 【转】如何评价 Apple 新推出的编程语言 Swift?

    如何评价 Apple 新推出的编程语言 Swift? 原文地址:http://www.zhihu.com/question/24002984 评价:如果你会Objective-C,你不需要去看它.   ...

  2. Shell命令行中特殊字符与其转义详解(去除特殊含义)

    特殊符号及其转义 大家都知道在一个shell命令是由命令名和它的参数组成的, 比如 cat testfile, 其中cat是命令名, testfile是参数. shell将参数testfile传递给c ...

  3. 【密码学】RSA算法过程-求解密钥

    1.密钥的计算获取过程 密钥的计算过程为:首先选择两个质数p和q,令n=p*q. 令k=ϕ(n)=(p−1)(q−1),原理见2的分析 选择任意整数d,保证其与k互质 取整数e,使得[de]k=[1] ...

  4. scrapy入门二(分页抓取文章入库)

    分页抓取博客园新闻,先从列表里分析下一页按钮 相关代码: # -*- coding: utf-8 -*- import scrapy from cnblogs.items import Article ...

  5. 测试开发之前端——No1.HTML和HTML5

    学习之前,让我们先来了解一下HTML. 它的英文全称是:Hyper Text Markup Language,中文通常被称为超文本标记语言,HTML是Internet中用于编写网页的主要语言,HTML ...

  6. 移动端经常出现的兼容问题,谈谈移动端应用或者wap站的一些优化技巧和心得

    移动端经常出现的兼容问题,谈谈移动端应用或者wap站的一些优化技巧和心得 1.        安卓浏览器看背景图片,有些设备会模糊. 因为手机分辨率太小,如果按照分辨率来显示网页,字会非常小,安卓手机 ...

  7. NodeJS学习:环境变量

    简介 环境变量(environment variables) 不属于 NodeJS 范畴,它是操作系统用于设定执行环境的参数.会在程序运行时传递给应用程序. NodeJS 获取环境变量,是通过 glo ...

  8. ORM,DAO,MVC,POJO

    1.ORM 对象关系映射(Object Relational Mapping,简称ORM)是一种为了解决面向对象与关系数据库存在的互不匹配的现象的技术. 简单的说,ORM是通过使用描述对象和数据库之间 ...

  9. 025 Spark中的广播变量原理以及测试(共享变量是spark中第二个抽象)

    一:来源 1.说明 为啥要有这个广播变量呢. 一些常亮在Driver中定义,然后Task在Executor上执行. 如果,有多个任务在执行,每个任务需要,就会造成浪费. 二:共享变量的官网 1.官网 ...

  10. 本机Tomcat启动myeclipse,用Jmeter录制脚本端口冲突解决办法

    今天用jmeter 录制脚本与已经启动的Tomcat端口冲突,无法启动工作台的http代理服务器, 如果两个的端口一样,则http代理服务器启动就会提示端口被占用 所以先把Tomcat端口和http代 ...