JTAG Simplified

So the other day, I explored the JTAG bus interface which is frequently found in CPLDs/FPGAs and is most of the times the sole method of programming and debugging them. It is a powerful interface and very easy to use. I intend to write about the interface and the protocol used for documentation purposes and knowledge sharing.

JTAG (Joint Test Action Group) started primarily as a debugging interface for CPLDs or more commonly boundary scan testing, which is explained later. The simplest implementation of the JTAG interface requires 4 signal wires, primarily

  1. TDO (Test Data Out) – This is output signal from the target in response to the test query.
  2. TDI (Test Data In) – This is the input signal for the target carrying the test query.
  3. TCK (Test Clock) – This is the synchronization clock signal
  4. TMS (Test-Mode Select) – This controls the TAP state, explained later.

Signals Explained

  1. TCK –  is the JTAG clock signal. The other JTAG signals (TDI, TDO, TMS) are synchronous to TCK. So TCK has to toggle for anything to happen (usually things happen on TCK’s rising edge).
  2. TMS – Inside each JTAG IC, there is a JTAG TAP controller. The TAP controller is mainly a state machine with 16 states. TMS is the signal that controls the TAP controller. The TAP state diagram can be easily found in data-sheets of several JTAG ICs.The little numbers (“0” or “1”) close to each arrow are the value of TMS to change state. So for example, if a TAP controller is at state “Select DR-Scan” and TMS is “0” and TCK toggles, the state changes to “Capture-DR”.
  3. TDI and TDO – These signals carry the query and its response respectively. Referring to the TAP state diagram, Shift-DR and Shift-IR are the states where the query is generally pushed and Shift-DR is the state where the response is collected.

The TDI and TDO are daisy-chained. That is, with the Shift-DR size equal to 1-bit, data sent through the TDI starts coming back through the TDO after one clock pulse. Hence, when a response is to be collected from Shift-DR, clock pulses are sent to receive the response on the TDO. For example, if the Shift-DR size is 32 bits, 32 pulses are sent to completely receive the response of the JTAG query.

Registers

Each JTAG IC has one instruction register (IR) and multiple data registers (DR). Each instruction to the IR selects a different data register whose value is shifted out as explained above. For example, a 8-bit IR can select up to 256 DR, if available.

The length of each DR and IR registers can be found from the .bsdl file of the specific JTAG IC.

Instructions

The IR registers take in specific intructions which are listed in the .bsdl file of the JTAG IC. The most common of them grabbed from a .bsdl file are

attribute INSTRUCTION_LENGTH of EP1C3T100 : entity is 10;

attribute INSTRUCTION_OPCODE of EP1C3T100 : entity is

  "BYPASS            (1111111111), "&

  "EXTEST            (0000000000), "&

  "SAMPLE            (0000000101), "&

  "IDCODE            (0000000110), "&

  "USERCODE          (0000000111), "&

  "CLAMP             (0000001010), "&

  "HIGHZ             (0000001011), "&

  "CONFIG_IO            (0000001101)";

attribute INSTRUCTION_CAPTURE of EP1C3T100 : entity is "0101010101";

attribute IDCODE_REGISTER of EP1C3T100 : entity is

  "0000"&               --4-bit Version

  "0010000010000001"&   --16-bit Part Number (hex 2081)

  "00001101110"&        --11-bit Manufacturer's Identity

  "1";                  --Mandatory LSB

attribute BOUNDARY_LENGTH of EP1C3T100 : entity is 339;

Querying the JTAG Chain

Whenever the JTAG IC powers up it may end in any TAP state. Hence, it is mandatory to get it to a known state. One such method which is guaranteed to toggle the TAP state to Test-Logic-Reset is to hold TMS high for five clock cycles.

  1. Set TMS high.
  2. Send minimum of five clock cycles.
  3. Set TMS low.

1. Count number of ICs on the JTAG chain

One important IR value is the “all-ones” value. For the CPU that would be 11111 and for the FPGA, that’s 1111111111. This value corresponds to the mandatory IR instruction called BYPASS. In bypass mode, the TAP controller DR register is always a single flip-flop which does nothing besides delaying the TDI input by one clock cycle before outputting to TDO.

One interesting way to use this BYPASS mode is to count the number of ICs that are present in the JTAG chain.
If each JTAG IC delays the TDI-TDO chain by one clock, we can send some data and check by how long it is delayed. That gives us the number of ICs in the chain.

2. Identify ICs on the JTAG Chain

The IDCODE instruction is used to identify ICs on the JTAG chain. The IDCODE instruction is automatically executed once the TAP state is forced to Test-Logic-Reset i.e the IDCODE data register appears on the TDO line. It is usually 32-bits long.

  1. Go to Test-Logic-Reset.
  2. Go to Shift-DR.
  3. Shift out 32 bits of data onto the TDO line by passing 32 clock pulses. LSB comes out first.

Similarly, other instruction can be passed to the IR and response read from the Shift-DR TAP state.

Boundary Scan Testing

This was the primary purpose of the JTAG interface when it was launched. In the boundary scan mode, the DR chain goes through each IO block and can read or hijack each pin.

Boundary-scan can be used even while a device is otherwise running. So for example, using JTAG on an FPGA, you can tell the status of each pin while the FPGA is running. The SAMPLE instruction is used in running a boundary scan. The .bsdl file lists the size of the boundary scan chain and the various pad configurations. In the .bsdl above, the length is 339 bits listed in the last line. Each pin use an IO pad on the IC die. Some IO pads use one, two or three bits from the chain (depending if the pin is input only, output with tri-state, or both). Also some registers correspond to IO pads that may not be bounded (they exists on the IC die but are not accessible externally). Which explains why a 100 pins device can have a 339 bits boundary-scan chain.

attribute BOUNDARY_REGISTER of EP1C3T100 : entity is

  --BSC group 0 for I/O pin 100

  "0   (BC_1, IO100, input, X)," &

  "1   (BC_1, *, control, 1)," &

  "2   (BC_1, IO100, output3, X, 1, 1, Z)," &

  --BSC group 1 for I/O pin 99

  "3   (BC_1, IO99, input, X)," &

  "4   (BC_1, *, control, 1)," &

  "5   (BC_1, IO99, output3, X, 4, 1, Z)," &

  ...

  ...

  ...

  --BSC group 112 for I/O pin 1

  "336 (BC_1, IO1, input, X)," &

  "337 (BC_1, *, control, 1)," &

  "338 (BC_1, IO1, output3, X, 337, 1, Z)" ;

This lists all the 339 bits of the chain, and what they do.
For example, bit 3 is the one that tells us what is the value on pin 99.

Querying the boundary scan chain is straightforward.

  • Go to Shift-IR state.
  • Shift in SAMPLE instruction with TMS low.
  • Go to Exit1-IR.
  • Go to Shift-DR.
  • In our case, the data register is 339 bits long, Read the contents of the Shift-DR over TDO by sending 339 clock pulses with TMS low.

Using the JTAG interface, is pretty simple. It is basically a serial interface with a ‘cool’ name. You shift out a query and shift in the response. Knowledge of this interface is essential as its use is increasing day by day. Almost every microprocessor now uses it as a primary hardware debugging interface.

JTAG Simplified的更多相关文章

  1. JTAG 引脚自动识别 JTAG Finder, JTAG Pinout Tool, JTAG Pin Finder, JTAG pinout detector, JTAGULATOR, Easy-JTAG, JTAG Enumeration

    JTAG Finder Figuring out the JTAG Pinouts on a Device is usually the most time-consuming and frustra ...

  2. SWD and JTAG selection mechanism

    SWD and JTAG selection mechanism SWJ-DP enables either an SWD or JTAG protocol to be used on the deb ...

  3. Design Patterns Simplified - Part 3 (Simple Factory)【设计模式简述--第三部分(简单工厂)】

    原文链接:http://www.c-sharpcorner.com/UploadFile/19b1bd/design-patterns-simplified-part3-factory/ Design ...

  4. STM32C8T6 JTAG使用到PB3|PB4|PA13|PA14|PB15端口做普通IO时,需禁止JTAG!

    GPIO_InitTypeDef GPIO_InitStructure; RCC_APB2PeriphClockCmd(RCC_APB2Periph_GPIOB|RCC_APB2Periph_GPIO ...

  5. STM32用JLINK 烧写程序时出现NO Cortex-m device found in JTAG chain现象和解决方案

    现象 CPU: STM32107VC 用JLINK 烧写程序时出现NO Cortex-m device found in JTAG chain 如图无法查找到硬件就是CPU 提示1:NO Cortex ...

  6. 偶遇STM32 JTAG和SWD口(调试)被禁用无法下载,已经粗暴解决!

    处女座,为了板子走线美观,拉线方便,在项目量产前,还更改了原来外设的IO口,埋头苦干一天,移植ok,发现PB3一直不听使唤,好,加班检查代码,检查初始化,时钟,IO对应,然后试PCB板,是否短路,断路 ...

  7. Design Patterns Simplified - Part 2 (Singleton)【设计模式简述--第二部分(单例模式)】

    原文链接: http://www.c-sharpcorner.com/UploadFile/19b1bd/design-patterns-simplified-part-2-singleton/ De ...

  8. 【翻译】设计模式学习系列1---【Design Patterns Simplified: Part 1【设计模式简述:第一部分】】

    原文链接:http://www.c-sharpcorner.com/UploadFile/19b1bd/design-patterns-simplified-part1/ Design Pattern ...

  9. (转)小心FPGA的JTAG口(上电和下电顺序)

    同志们,根据ALTERA官方FAE(现场应用工程师)的强烈建议,请注意不要随意带电插拔你的JTAG下载接口,否则会损坏FPGA芯片的JTAG口信号管脚.现象:在排除了下载线的问题后,还是不能访问FPG ...

随机推荐

  1. JQuery对CheckBox的一些相关操作

    一.通过选择器选取CheckBox: 1.给CheckBox设置一个id属性,通过id选择器选取: <input type="checkbox" name="myB ...

  2. 使用Docx4j创建word文档

    原文标题:Creating Word documents with Docx4j 原文链接:http://blog.iprofs.nl/2012/09/06/creating-word-documen ...

  3. SANS社区帐号邮件激活问题

    注册时,密码需要数字,大写字母,小写字母,符号10位以上才能注册成功    吐槽:谁来爆破一下这种强度的密码,哈哈. 在我的文章中,有 计算机取证 分类,里面的一篇文章 Virtual Worksta ...

  4. python3之Splash

    Splash是一个javascript渲染服务.它是一个带有HTTP API的轻量级Web浏览器,使用Twisted和QT5在Python 3中实现.QT反应器用于使服务完全异步,允许通过QT主循环利 ...

  5. springMVC版本和jdk版本不匹配造成的问题

    一个简单的例子项目,使用springMVC的版本是3.2,jdk的版本是1.7,使用的是注解的处理器适配器和处理器映射器.spring的xml配置文件中单独配置每个handler,可以正常的使用,如果 ...

  6. Android 中关于 【Cursor】 类的介绍

    转自(http://www.cnblogs.com/TerryBlog/archive/2010/07/05/1771459.html) 使用过 SQLite 数据库的童鞋对 Cursor 应该不陌生 ...

  7. MVC控制器使用总结

    一.新手入门 1.特性 [AuthorizeFilter]  用于权限过滤 [HttpGet] [HttpPost] 2.参数 GET获取 [HttpGet] ) { return Json(&quo ...

  8. Linux命令执行顺序— ||和&&和; 比较

    Linux命令执行顺序— ||和&&和; command1 && command2: &&左边的command1执行成功(返回0表示成功)后,& ...

  9. bzoj 1143

    求最长反链裸题 补充一点知识.. 链                  :    D 中的一个子集 C   满足 C 是全序集  及C中所有元素都可以比较大小 反链              :   ...

  10. 学习字典才联想到要和 JSP 说再见了

    最开始只是想让页面能够映射出我的字典值,然而却发现了更大的问题. 假如你自己做一个 demo ,需要前台页面映射出字典数据你会怎么做呢?大致的思路应该是有的,准备字典,准备数据,然后将两部分进行映射. ...