Infused With Fresh- New JTAG Energy

Download (PPT, 399KB)


store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html

JTAG

Joint Test Action Group – Daisy-chained JTAG (IEEE 1149.1)

The TRST pin is an optional active-low reset to the test logic – usually asynchronous, but sometimes synchronous, depending on the chip. If the pin is not available, the test logic can be reset by switching to the reset state synchronously, using TCK and TMS. Note that resetting test logic doesn’t necessarily imply resetting anything else. There are generally some processor-specific JTAG operations which can reset all or part of the chip being debugged.

Joint Test Action Group – Daisy-chained JTAG (IEEE 1149.1)

Faster TCK frequencies are most useful when JTAG is used to transfer lots of data, such as when storing a program executable into flash memory.

Joint Test Action Group – Daisy-chained JTAG (IEEE 1149.1)

Clocking changes on TMS steps through a standardized JTAG state machine. The JTAG state machine can reset, access an instruction register, or access data selected by the instruction register.

Joint Test Action Group – Daisy-chained JTAG (IEEE 1149.1)

JTAG platforms often add signals to the handful defined by the IEEE 1149.1 specification. A System Reset (SRST) signal is quite common, letting debuggers reset the whole system, not just the parts with JTAG support. Sometimes there are event signals used to trigger activity by the host or by the device being monitored through JTAG; or, perhaps, additional control lines.

Joint Test Action Group – Daisy-chained JTAG (IEEE 1149.1)

Even though few consumer products provide an explicit JTAG port connector, the connections are often available on the printed Circuit Board as a remnant from development prototype|prototyping and/or production. When exploited, these connections often provide the most viable means for reverse engineering.

Joint Test Action Group – Reduced pin count JTAG (IEEE 1149.7)

Reduced pin count JTAG uses only two wires, a clock wire and a data wire. This is defined as part of the IEEE 1149.7 standard. The connector pins are

Joint Test Action Group – Reduced pin count JTAG (IEEE 1149.7)

[ www.corelis.com/education/Major-Benefits-of-IEEE-1149.7.htm%5D The star topology enables some parts of the system to be powered down, whilst others can still be accessed over JTAG; a daisy chain requires all JTAG interfaces to be powered. Other two-wire interfaces exist, such as Serial Wire Debug.

Joint Test Action Group – JTAG IEEE Std 1149.1 (boundary scan) instructions

This allows JTAG hosts to identify the size and, at least partially, contents of the scan chain to which they are connected

Joint Test Action Group – JTAG IEEE Std 1149.1 (boundary scan) instructions

The IEEE 1149.1 (JTAG) standard describes a number of instructions to support boundary scan applications. Some of these instructions are mandatory, but TAPs used for debug instead of boundary scan testing sometimes provide minimal or no support for these instructions. Those mandatory instructions operate on the Boundary Scan Register (BSR) defined in the boundary scan description language|BSDL file, and include:

Joint Test Action Group – JTAG facilities

This debug TAP exposes several standard instructions, and a few specifically designed for hardware-assisted debugging, where a software tool (the debugger) uses JTAG to communicate with a system being debugged:

Joint Test Action Group – JTAG facilities

* HALT and RESTART, ARM11-specific instructions to halt and restart the CPU. Halting it puts the core into the Debug Mode, where the ITR can be used to execute instructions, including using the DCC to transfer data between the debug (JTAG) host and the CPU.

Joint Test Action Group – JTAG facilities

That model resembles the model used in other ARM cores. Non-ARM systems generally have similar capabilities, perhaps implemented using the Nexus (standard)|Nexus protocols on top of JTAG, or other vendor-specific schemes.

Joint Test Action Group – JTAG facilities

(ARM takes the four standard JTAG signals and adds the optional TRST, plus the RTCK signal used for adaptive clocking.) Also, the newer cores have updated trace support.

Joint Test Action Group – JTAG connectors

Production boards may omit the headers; or when space is tight, just provide JTAG signal access using test points.

Joint Test Action Group – JTAG connectors

Some common pinouts[http://www.jtagtest.com/pinouts/ JTAG Pinouts] lists a few JTAG-only header layouts that have widespread tool support. for pin headers are:

Joint Test Action Group – JTAG connectors

* MIPS EJTAG (2×7 pin) used for MIPS Technologies|MIPS based systems

Joint Test Action Group – JTAG connectors

* 2×5 pin Atmel AVR|AVR extends Altera JTAG with SRST (and in some cases TRST and an event output)

Joint Test Action Group – JTAG connectors

* MIPI Debug Architecture|MIPI10-/20-connectors (1.27mm 050) for JTAG, cJTAG and SWD

Joint Test Action Group – JTAG connectors

The connector usually provides the board-under-test’s logic supply voltage so that the JTAG adapters will use the appropriate logic levels

Joint Test Action Group – JTAG connectors

A recent trend is to have development boards integrate a USB interface to JTAG, where a second channel is used for a serial port

Joint Test Action Group – JTAG adapter hardware

There are both dumb adapters, where the host decides and performs all JTAG operations; and smart ones, where some of that work is performed inside the adapter, often driven by a microcontroller

Joint Test Action Group – JTAG adapter hardware

Serial port adapters also exist, and are similarly declining in usefulness. They generally involve either slower bitbanging than a parallel port, or a microcontroller translating some command protocol to JTAG operations. Such serial adapters are also not fast, but their command protocols could generally be reused on top of higher speed links.

Joint Test Action Group – JTAG adapter hardware

With all JTAG adapters, software support is a basic concern. Many vendors do not publish the protocols used by their JTAG adapter hardware, limiting their customers to the tool chains supported by those vendors. This is a particular issue for smart adapters, some of which embed significant amounts of knowledge about how to interact with specific CPUs.

Joint Test Action Group – JTAG for software development

Most development environments for embedded software include JTAG support. There are, broadly speaking, three sources of such software:

Joint Test Action Group – JTAG for software development

The JTAG adapters themselves are not free, although sometimes they are bundled with development boards.

Joint Test Action Group – JTAG for software development

JTAG adapters are sometimes sold along with support bundles.

Atmel AVR – JTAG

The Joint Test Action Group (JTAG) feature provides access to on-chip debugging functionality while the chip is running in the target system. JTAG allows accessing internal memory and registers, setting breakpoints on code, and single-stepping execution to observe system behaviour.

Atmel AVR – JTAG

# The JTAGICE 3 is the latest member of the JTAGICE family (JTAGICE mkIII). It supports JTAG, aWire, SPI, and PDI interfaces.

Atmel AVR – JTAG

# The JTAGICE mkII replaces the JTAGICE and is similarly priced. The JTAGICE mkII interfaces to the PC via USB, and supports both JTAG and the newer debugWIRE interface. Numerous third-party clones of the Atmel JTAGICE mkII device started shipping after Atmel released the communication protocol.

Atmel AVR – JTAG

# The AVR Dragon is a low-cost (approximately $50) substitute for the JTAGICE mkII for certain target parts. The AVR Dragon provides in-system serial programming, high-voltage serial programming and parallel programming, as well as JTAG or debugWIRE emulation for parts with 32KB of program memory or less. ATMEL changed the debugging feature of AVR Dragon with the latest firmware of AVR Studio 4 – AVR Studio 5 and now it supports devices over 32KB of program memory.

Atmel AVR – JTAG

# The JTAGICE adapter interfaces to the PC via a standard serial port. Although the JTAGICE adapter has been declared End-of-life (product)|end-of-life by Atmel, it is still supported in AVR Studio and other tools.

Atmel AVR – JTAG

JTAG can also be used to perform a boundary scan test,[http://atmel.com/dyn/corporate/view_detail.asp?ref=FileName=JTEGICE.htmlSEC_NAME=product JTAGICE Press Release, 2004.] which tests the electrical connections between AVRs and other boundary scan capable chips in a system. Boundary scan is well-suited for a production line, while the hobbyist is probably better off testing with a multimeter or oscilloscope.

Atmel AVR – JTAGICE mkI

The JTAG In Circuit Emulator (JTAGICE) debugging tool supports on-chip debugging (OCD) of AVRs with a JTAG interface. The original JTAGICE mkI uses an RS-232 interface to a PC and can only program AVR’s with a JTAG interface. The JTAGICE mkI is no longer in production, however it has been replaced by the JTAGICE mkII.

Atmel AVR – JTAGICE mkII

The JTAGICE mkII debugging tool supports on-chip debugging (OCD) of AVRs with SPI, JTAG, PDI, and debugWIRE interfaces. The debugWire interface enables debugging using only one pin (the Reset pin), allowing debugging of applications running on low pin-count microcontrollers.

Atmel AVR – JTAGICE mkII

The JTAGICE mkII connects using USB, but there is an alternate connection via a serial port, which requires using a separate power supply. In addition to JTAG, the mkII supports ISP programming (using 6-pin or 10-pin adapters). Both the USB and serial links use a variant of the STK500 protocol.

Atmel AVR – JTAGICE3

The JTAGICE3 updates the mkII with more advanced debugging capabilities and faster programming. It connects via USB and supports the JTAG, aWire, SPI, and PDI interfaces.[http://www.atmel.com/tools/JTAGICE3.aspx JTAGICE3 Product Page] The kit includes several adapters for use with most interface pinouts.

JTAG

‘Joint Test Action Group’ (‘JTAG’) is the common name for the Institute of Electrical and Electronics Engineers|IEEE 1149.1 ‘Standard Test Access Port and Boundary-Scan Architecture’. It was initially devised by electronic engineers for testing printed circuit boards using boundary scan and is still widely used for this application.

JTAG

Today, JTAG is also widely used for Integrated circuit|IC debug ports. In the embedded processor market, essentially all modern processors implement JTAG when they have enough pins. Embedded systems development relies on debuggers communicating with chips with JTAG to perform operations like Stepping (debugging)|single stepping and breakpointing.

JTAG – Overview

JTAG was meant to provide a pins-out view from one IC pad to another so all these faults could be discovered.

JTAG – Overview

Boundary-scan is now mostly synonymous with JTAG, but JTAG has essential uses beyond such manufacturing applications.

JTAG – Debugging

An in-circuit emulator (or, more correctly, a JTAG adapter) uses JTAG as the transport mechanism to access on-chip debug modules inside the target Central processing unit|CPU

JTAG – Debugging

The adoption of the JTAG standard helped move JTAG-centric debugging environments away from early processor-specific designs

JTAG – Debugging

For example, custom JTAG instructions can be provided to allow reading registers built from arbitrary sets of signals inside the FPGA, providing visibility for behaviors which are invisible to boundary scan operations

JTAG – Storing firmware

In addition, internal monitoring capabilities (temperature, voltage and current) may be accessible via the JTAG port.

JTAG – Storing firmware

JTAG programmers are also used to write software and data into flash memory. This is usually done using data bus access like the CPU would use, and is sometimes actually handled by a CPU, but in other cases memory chips have JTAG interfaces themselves. Some modern debug architectures provide internal and external bus master access without needing to halt and take over a CPU. In the worst case, it is usually possible to drive external bus signals using the boundary scan facility.

JTAG – Storing firmware

Using a serial UART port and bootloader to upload firmware to Flash makes this debug cycle quite slow and possibly expensive in terms of tools; installing firmware into Flash (or SRAM instead of Flash) via JTAG is an intermediate solution between these extremes.

JTAG – Boundary scan testing

In many ICs today, all the pins that connect to electronic logic are linked together in a set called the Boundary Scan chain. By using JTAG to manipulate the chip’s external interface (inputs and outputs to other chips) it is possible to test for certain faults, caused mainly by manufacturing problems. By using JTAG to manipulate its internal interface (to on-chip registers), the combinational logic can be tested.

JTAG – Boundary scan testing

When combined with built-in self-test (Built-in self-test|BIST), the JTAG scan chain enables a low overhead, embedded solution to testing an IC for certain static faults (shorts, opens, and logic errors)

JTAG – Electrical characteristics

In either case a test probe need only connect to a single JTAG port to have access to all chips on a circuit board.

JTAG – Daisy-chained JTAG (IEEE 1149.1)

Faster TCK frequencies are most useful when JTAG is used to transfer lots of data, such as when storing a program executable into flash memory.

JTAG – Reduced pin count JTAG (IEEE 1149.7)

[http://www.corelis.com/education/Major-Benefits-of-IEEE-1149.7.htm] The star topology enables some parts of the system to be powered down, whilst others can still be accessed over JTAG; a daisy chain requires all JTAG interfaces to be powered. Other two-wire interfaces exist, such as Serial Wire Debug.

JTAG – Communications model

In JTAG, devices expose one or more test access ports (TAPs). The picture above shows three TAPs, which might be individual chips or might be modules inside one chip. A daisy chain of TAPs is called a scan chain, or (loosely) a target. Scan chains can be arbitrarily long, but in practice twenty TAPs is unusually long.

JTAG – Communications model

To use JTAG, a host is connected to the target’s JTAG signals (TMS, TCK, TDI, TDO, etc.) through some kind of JTAG adapter, which may need to handle issues like level shifting and galvanic isolation. The adapter connects to the host using some interface such as USB, PCI, Ethernet, and so forth.

JTAG – Primitives

The host communicates with the TAPs by manipulating TMS and TDI in conjunction with TCK, and reading results through TDO (which is the only standard host-side input). TMS/TDI/TCK output transitions create the basic JTAG communication primitive on which higher layer protocols build:

JTAG – Primitives

This JTAG state machine is part of the JTAG spec, and includes sixteen states

JTAG – Primitives

* Shifting … Most parts of the JTAG state machine support two stable states used to transfer data. Each TAP has an instruction register (IR) and a data register (DR). The size of those registers varies between TAPs, and those registers are combined through TDI and TDO to form a large shift register. (The size of the DR is a function of the value in that TAP’s current IR, and possibly of the value specified by a SCAN_N instruction.) There are three operations defined on that shift register:

JTAG – Primitives

So at a basic level, using JTAG involves reading and writing instructions and their associated data registers; and sometimes involves running a number of test cycles. Behind those registers is hardware that is not specified by JTAG, and which has its own states that will be affected by JTAG activities.

JTAG – Primitives

Some ARM cores use such sequences to enter and exit a two-wire (non-JTAG) Serial Wire Debug|SWD mode

JTAG – Example: ARM11 debug TAP

The processor itself has extensive JTAG capability, similar to what is found in other CPU cores, and it is integrated into chips with even more extensive capabilities accessed through JTAG.

JTAG – Example: ARM11 debug TAP

So this is a non-trivial example, which is representative of a significant cross section of JTAG-enabled systems. In addition, it shows how control mechanisms are built using JTAG’s register read/write primitives, and how those combine to facilitate testing and debugging complex logic elements; CPUs are common, but FPGAs and Application-specific integrated circuit|ASICs include other complex elements which need to be debugged.

JTAG – Example: ARM11 debug TAP

However, a Texas Instruments document [http://wiki.davincidsp.com/images/9/90/Dbjtag_users_guide.pdf The User’s Guide to DBGJTAG] discussing a JTAG diagnostic tool presents this OMAP2420 scan chain example (and others).

JTAG – Example: ARM11 debug TAP

* The i.MX31 processor, which is similar, although its System JTAG boundary scan TAP,See i.MX35 (MCIMX35) Multimedia Applications Processor Reference Manual from the Freescale web site. Chapter 44 presents its Secure JTAG Controller (SJC). which is very different from ICEpick, and it includes a TAP for its DMA engine instead of a DSP and imaging engine.

JTAG – Example: ARM11 debug TAP

Those processors are both intended for use in wireless handsets such as cell phones, which is part of the reason they include TAP controllers which modify the JTAG scan chain: Debugging low power operation requires accessing chips when they are largely powered off, and thus when not all TAPs are operational. That scan chain modification is one subject of a forthcoming IEEE 1149.7 standard.

JTAG – Halt mode debugging

So for example a JTAG host might HALT the core, entering Debug Mode, and then read CPU registers using ITR and DCC. After saving processor state, it could write those registers with whatever values it needs, then execute arbitrary algorithms on the CPU, accessing memory and peripherals to help characterize the system state. After the debugger performs those operations, the state may be restored and execution continued using the RESTART instruction.

JTAG – Monitor mode debugging

Modern software is often too complex to work well with such a single threaded model. For example, a processor used to control a motor (perhaps one driving a saw blade) may not be able to safely enter halt mode … it may need to continue handling interrupts to ensure physical safety of people and/or machinery. Issuing a HALT instruction using JTAG might be dangerous.

JTAG – Common extensions

Microprocessor vendors have often defined their own core-specific debugging extensions. Such vendors include Infineon, MIPS with EJTAG, and more. If the vendor does not adopt a standard (such as the ones used by ARM processors; or Nexus), they need to define their own solution. If they support boundary scan, they generally build debugging over JTAG.

JTAG – Common extensions

OnCE includes a JTAG command which makes a TAP enter a special mode where the IR holds OnCE debugging commandsAN1817/D, MMC20xx M•CORE OnCE Port Communication and Control Sequences; Freescale Semiconductor, Inc.; 2004

JTAG – Common extensions

(However, trace data is too voluminous to use JTAG as more than a trace control channel.)

JTAG – Common extensions

Nexus (standard)|Nexus defines a processor debug infrastructure which is largely vendor-independent. One of its hardware interfaces is JTAG. It also defines a high speed auxiliary port interface, used for tracing and more. Nexus is used with some newer platforms, such as the Atmel AVR32 and Freescale MPC5500 series processors.

JTAG – Widespread uses

* Except for some of the very lowest end systems, essentially all embedded systems platforms have a JTAG port to support in-circuit debugging and firmware programming as well as for boundary scan testing:

JTAG – Widespread uses

** ARM architecture processors come with JTAG support, sometimes supporting a two-wire SWD variant or high speed tracing of traffic on instruction or data busses.

JTAG – Widespread uses

** Modern 8-bit and 16-bit Microcontroller chips, such as Atmel AVR and TI MSP430 chips, support JTAG programming and debugging. However, the very smallest chips may not have enough pins to spare (and thus tend to rely on proprietary single-wire programming interfaces); if the pin count is over 32, there is probably a JTAG option.

JTAG – Widespread uses

** Almost all FPGAs and CPLDs used today can be programmed via a JTAG port. A Standard Test and Programming Language is defined by JEDEC standard JESD-71 for JTAG programming of PLD’s.

JTAG – Widespread uses

** Many MIPS architecture|MIPS and PowerPC processors have JTAG support

JTAG – Widespread uses

** Intel Core, Xeon, Atom, and Quark processors all support JTAG probe mode with Intel specific extensions of JTAG using the so-called 60pin eXtended Debug Port [XDP]. Additionally the Quark processor supports more traditional 10pin connectors.

JTAG – Widespread uses

** Consumer products such as networking appliances and satellite television integrated receiver/decoders often use microprocessors which support JTAG, providing an alternate means to reload firmware if the existing bootloader has been corrupted in some manner.

JTAG – Widespread uses

*The Peripheral Component Interconnect|PCI bus connector standard contains optional JTAG signals on pins 1-5;[http://www.techfest.com/hardware/bus/pci.htm#4.10 PCI Local Bus Technical Summary, 4.10 JTAG/Boundary Scan Pins] PCI-Express contains JTAG signals on pins 5-9.[http://www.interfacebus.com/Design_PCI_Express_16x_PinOut.html PCI-Express 16x Connector Pin Out] A special JTAG card can be used to reflash a corrupt BIOS.

JTAG – Widespread uses

* Boundary scan testing and in-system (device) programming applications are sometimes programmed using the Serial Vector Format, a textual representation of JTAG operations using a simple syntax

JTAG – Widespread uses

* As mentioned, many boards include JTAG connectors, or just pads, to support manufacturing operations, where boundary scan testing helps verify board quality (identifying bad solder joints, etc.) and to initialize flash memory or FPGAs.

JTAG – Widespread uses

* JTAG can also support field updates and troubleshooting.

JTAG – Client support

The target’s JTAG interface is accessed using some JTAG-enabled application and some JTAG adapter hardware. There is a wide range of such hardware, optimized for purposes such as production testing, debugging high speed systems, low cost microcontroller development, and so on. In the same way, the software used to drive such hardware can be quite varied. Software developers mostly use JTAG for debugging and updating firmware.

JTAG – Client support

If you want to acquire a JTAG adapter, you first need to decide what systems it must support. Everything else follows from that, including your software options. Low-end adapters may cost less than $US 50 and have limited hardware and software support. High-end adapters can cost a hundred times as much, including software support, and have corresponding improvements in capability.

JTAG – Serial Wire Debug

On JTAG devices with SWD capability, the TMS and TCK are used as SWDIO and SWCLK signals, providing for dual-mode programmers.

Boundary scan – JTAG test operations

There are JTAG instructions to SAMPLE the data in that boundary scan register, or PRELOAD it with values.

For More Information, Visit:

store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html

store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html