JTAG is the abbreviation of Joint Test Action Group and is the common name for IEEE Standard 1149.1, the Standard Test Access Port and Boundary Scan Structure. This standard is used to test and verify the functionality of printed circuit boards after they have been designed.
In 1990, JTAG was officially standardized by IEEE's 1149.1-1990 document. In 1994, a supplementary document was added to explain the boundary scan description language (BSDL). Since then, this standard has been widely adopted by electronics companies worldwide. Boundary scan has become almost synonymous with JTAG.
In printed circuit board design, JTAG is currently used mainly to test the sub-blocks of integrated circuits. It also provides a debugging mechanism that is useful in embedded systems, acting as a convenient "backdoor" into the system. Debugging tools such as an in-circuit emulator use JTAG as the signal transmission mechanism, so that the programmer can reach the debug module integrated in the CPU via JTAG. The debug module allows programmers to debug software in embedded systems.
Controlling JTAG from a PC: connect the PC's print (parallel) port, a USB port or a network port to the target with a JTAG cable. The print port is the easiest to connect [1].
TMS: Every chip that contains JTAG has a JTAG TAP controller inside it. The TAP controller is a state machine with 16 states, and TMS is its control signal. When the TMS pins of all chips are connected together, the TAP state transitions of all chips stay consistent. The following is a schematic diagram of the TAP controller:
Changing the value of TMS makes the state jump. If TMS remains high for 5 cycles, the controller jumps back to Test-Logic-Reset, which is usually used to synchronize the TAP controller.
Usually the two most important states are Shift-DR and Shift-IR, which are used in conjunction with TDI and TDO.
IR: Instruction register. Writing a value to this register tells JTAG what to do. Each TAP has only one IR register, and its length is fixed.
DR: Data registers, similar to the IR register. A TAP can have multiple DR registers, and each IR value selects a different DR register.
The JTAG interface is a special 4/5-pin interface on the chip. Many chips on a circuit board can have their JTAG pins connected in a daisy chain, so that connecting to a single "JTAG port" gives access to all the integrated circuits on the printed circuit board. These connection pins are:
TDI (Test Data Input)
TDO (Test Data Output)
TCK (Test Clock)
TMS (Test Mode Selection)
TRST (Test Reset), which is optional.
Because there is only one data line, the communication protocol has to be serial, as with SPI. The clock is input on the TCK pin. Configuration is achieved through the TMS pin, one bit at a time, in the form of a state machine. One bit of data is transferred into TDI and out of TDO on each TCK clock pulse. By loading different instructions you can read the chip identification, sample the input pins, drive (or float) the output pins, manipulate the chip functions, or bypass the chip (connect TDI to TDO so that a chain of multiple chips is logically shortened). The working frequency of TCK varies with different chips, but it is usually 10-100MHz (10-100ns per bit).
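The data path described above, as an added example that is not from the original page: a simplified register-level model of a daisy chain in Shift-DR, where the TDO of each device feeds the TDI of the next. The function names, the three-device chain and the 4-bit data register are constructed for illustration. It shows how bypassed devices add one bit of delay each and how a TDI stream must be padded so that data lands in one chosen device.

```python
def shift_chain(regs, tdi_bits):
    """Shift tdi_bits through the chain, one bit per TCK pulse.

    regs is a list of per-device data registers (lists of bits); device 0
    is nearest TDI and index 0 of each register is its TDI end.
    Returns (new register contents, bits observed on the final TDO).
    """
    lengths = [len(r) for r in regs]
    flat = [b for r in regs for b in r]    # the board is one long shift register
    tdo = []
    for bit in tdi_bits:
        tdo.append(flat[-1])               # cell nearest TDO leaves the chain
        flat = [bit] + flat[:-1]           # every cell moves one step toward TDO
    out, pos = [], 0
    for n in lengths:
        out.append(flat[pos:pos + n])
        pos += n
    return out, tdo

def chain_length(n_bypassed, probe_clocks=8):
    """Measure an all-BYPASS chain by timing a single 1 from TDI to TDO."""
    regs = [[0] for _ in range(n_bypassed)]     # BYPASS is a 1-bit register
    _, tdo = shift_chain(regs, [1] + [0] * probe_clocks)
    return tdo.index(1)                         # delay in clocks == device count

def stream_for(target, data, n_devices):
    """TDI stream that leaves data in device `target`, others in BYPASS."""
    after = n_devices - 1 - target     # bypass bits between target and TDO
    before = target                    # bypass bits between TDI and target
    # The first bit shifted in travels farthest, so the TDO side goes first.
    return [0] * after + list(reversed(data)) + [0] * before

if __name__ == "__main__":
    print("devices in chain:", chain_length(3))
    regs = [[0], [0, 0, 0, 0], [0]]             # constructed: middle device selected
    stream = stream_for(1, [1, 0, 1, 1], 3)
    print("stream:", stream, "->", shift_chain(regs, stream)[0])
```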
When performing boundary scan in an integrated circuit, the processed signal is between different functional modules of the same IC, not between different ICs.
The TRST pin is an optional reset input that is active low with respect to the logic under test. It is usually asynchronous, but sometimes synchronous, depending on the chip. If this pin is not defined, the logic under test can still be reset synchronously by clocking in a reset command.
Very few consumer products provide an external JTAG port, but as a leftover from development samples these interfaces are very common on printed circuit boards. After research and development is finished, they often provide a very good way in for reverse engineering.
JTAG is also an international standard test protocol (IEEE 1149.1 compatible), which is mainly used for in-chip testing. Most advanced devices today support the JTAG protocol, such as DSPs, FPGAs, ARM devices and some single-chip devices. The standard JTAG interface is 4-wire:
TMS, TCK, TDI, and TDO are the mode selection, clock, data input, and data output lines, respectively. The related JTAG pins are defined as follows: TCK is the test clock input; TDI is the test data input, through which data enters the JTAG interface; TDO is the test data output, through which data leaves the JTAG interface; TMS is the test mode selection, used to put the JTAG interface into a certain test mode; TRST is the test reset, an input pin that is active low; GND is ground.
TI also defines an interface called SBW-JTAG, which implements the JTAG interface on chips with few pins. It has only two wires, SBWTCK and SBWTDIO. In actual use, it is generally connected through four lines, VCC, SBWTCK, SBWTDIO, and GND, so that the connection can be made easily without occupying a large number of pins.
JTAG was originally used to test the chip. The basic principle is to define a TAP (Test Access Port) within the device to test the internal nodes through a dedicated JTAG test tool. JTAG test allows multiple devices to be connected in series through the JTAG interface to form a JTAG chain, which can test each device separately. Today, the JTAG interface is also commonly used to implement ISP (In-System Programmable; online programming) to program FLASH and other devices.
The JTAG programming method is online programming. In the traditional production process, the chip is pre-programmed and then installed on the board. With JTAG the process is simplified: the device is first fixed to the circuit board and then programmed through JTAG, which greatly speeds up the project. The JTAG interface can program all components inside the DSP chip.
In terms of hardware structure, the JTAG interface consists of two parts: the JTAG port and the controller. Devices compatible with the JTAG interface can be microprocessors (MPUs), microcontrollers (MCUs), PLDs, CPLDs, FPGAs, DSPs, ASICs, or other chips that conform to the IEEE 1149.1 specification. The IEEE 1149.1 standard specifies that each pin of a digital integrated circuit is provided with a shift register cell, called a boundary scan cell (BSC). It connects the JTAG circuit with the core logic circuit, while isolating the core logic circuit from the chip pins. The boundary scan register (BSR) is composed of all the boundary scan cells of the integrated circuit. The boundary scan register circuit is only active during JTAG testing; it is inactive when the integrated circuit is working normally and does not affect the function of the integrated circuit.
Interpretation of JTAG interface
Generally speaking, JTAG functions fall roughly into two categories: one is used to test the electrical characteristics of the chip and detect whether the chip has problems; the other is used for debugging. A CPU that supports JTAG generally includes both modules.
On a CPU with a JTAG debug interface module, as long as the clock is running normally, you can access the internal registers of the CPU and the devices attached to the CPU bus through the JTAG interface, such as FLASH, RAM, and the registers of modules built into the SOC (such as the 4510B, 44Box and AT91M series), like UART, Timers, GPIO, etc.
The above only describes the capabilities of the JTAG interface. To use these functions, you need cooperating software, and the specific functions available are determined by that software.
Take downloading a program to RAM as an example. Anyone who knows SOCs knows that to use external RAM, you have to follow the register description in the SOC data sheet and set the RAM base address, bus width, access speed and so on. Some SOCs also require a Remap to work properly. When firmware is running, these settings are made by the firmware's initialization code. When the JTAG interface is used, however, the relevant registers may still hold their power-on values, or even wrong values, so the RAM cannot work properly and the download is bound to fail. To use it normally, the RAM must first be set up. In ADW this can be done with the Let command in the Console window, and in AXD with the Set command in the Console window.
The following is a command sequence to set up the AT91M40800: turn off the interrupts, set CS0-CS3, and perform the Remap. It is applicable to AXD (Debug with ADS):
setmem 0xfffff124,0xFFFFFFFF,32 --- close all interrupts
setmem 0xffe00000,0x0100253d,32 --- set CS0
setmem 0xffe00004,0x02002021,32 --- set CS1
setmem 0xffe00008,0x0300253d,32 --- set CS2
setmem 0xffe0000C,0x0400253d,32 --- set CS3
setmem 0xffe00020,1,32 --- Remap
If you want to use it in ADW (DEBUG with SDT), you should change to:
let 0xfffff124=0xFFFFFFFF --- close all interrupts
let 0xffe00000=0x0100253d --- set CS0
let 0xffe00004=0x02002021 --- set CS1
let 0xffe00008=0x0300253d --- set CS2
let 0xffe0000C=0x0400253d --- set CS3
let 0xffe00020=1 --- Remap
For ease of use, you can save the above commands in a file config.ini and enter ob config.ini in the Console window to execute them.
Other debuggers are used in a similar way; only the commands and their format differ.
When setting up RAM, the registers and register values must be consistent with the settings of the program to be run. The target file generated by compilation is generally in ELF format, or a similar format, and contains the address at which the target code runs, which is determined at link time. The debugger downloads the program to the specified address according to the address information in the ELF file. If the base address of the RAM is set to 0x10000000 but the start address of the firmware was specified as 0x02000000 during compilation, the target code will be downloaded to 0x02000000, and the download will obviously fail.
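A pre-download check for the mismatch described above, as an added example that is not code from the original page or from any debugger. It reads the PT_LOAD segments of a little-endian ELF32 image and reports those that fall outside the memory regions configured on the target. The function names, the constructed minimal ELF image and the 1 MiB RAM size are assumptions; the two addresses are the ones used in the text.

```python
import struct

PT_LOAD = 1
EHDR = struct.Struct("<16sHHIIIIIHHHHHH")   # ELF32 file header, 52 bytes
PHDR = struct.Struct("<8I")                 # ELF32 program header, 32 bytes

def make_elf32(load_addr, size):
    """Build a constructed, minimal ELF32 image with a single PT_LOAD segment."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)    # 32-bit, LSB, version 1
    ehdr = EHDR.pack(ident, 2, 40, 1, load_addr, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 1, 0, 0, 0)  # ET_EXEC, EM_ARM
    phdr = PHDR.pack(PT_LOAD, EHDR.size + PHDR.size, load_addr, load_addr,
                     size, size, 5, 4)
    return ehdr + phdr + bytes(size)

def load_segments(image):
    """Return (load address, memory size) for every PT_LOAD segment."""
    fields = EHDR.unpack_from(image, 0)
    ident, phoff, phentsize, phnum = fields[0], fields[5], fields[9], fields[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    segments = []
    for i in range(phnum):
        p = PHDR.unpack_from(image, phoff + i * phentsize)
        if p[0] == PT_LOAD and p[5] > 0:
            segments.append((p[3], p[5]))   # p_paddr (load address), p_memsz
    return segments

def unmapped_segments(image, regions):
    """Segments not fully inside any (base, length) region set up on the target."""
    return [(addr, size) for addr, size in load_segments(image)
            if not any(base <= addr and addr + size <= base + length
                       for base, length in regions)]

if __name__ == "__main__":
    ram = [(0x10000000, 0x100000)]          # RAM base from the text, size assumed
    for link_addr in (0x02000000, 0x10000000):
        bad = unmapped_segments(make_elf32(link_addr, 0x400), ram)
        verdict = "download would fail" if bad else "ok"
        print(hex(link_addr), verdict, [(hex(a), hex(s)) for a, s in bad])
```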
All interrupts should be turned off before downloading a program through JTAG, for the same reason that interrupts are turned off when firmware initializes. When the JTAG interface is used, the enable state of each interrupt is unknown; in particular, if there is executable code in FLASH, some interrupts may already be enabled. After the code has been downloaded through JTAG and is about to execute, it may be interrupted before its initialization has completed, resulting in a program exception. Therefore, you need to turn off the interrupts first, usually by setting the SOC interrupt control register.
Using JTAG to write Flash: in theory, all devices on the CPU bus can be accessed through JTAG, so it should be possible to write FLASH. However, writing FLASH is very different from writing RAM: it requires special commands, different FLASH devices have different erase and programming commands, and block sizes and counts also differ, so it is difficult to provide this function. As a result, debuggers generally do not provide a function for writing Flash, or support only a few types of Flash.
As far as I know today, for ARM, only the FlashPGM software provides the function of writing FLASH, but it is also very troublesome to use. Neither AXD nor ADW provides a FLASH write function. One method of writing Flash is to write a simple program that writes the FLASH of the target board, download it to the target board using the JTAG interface, then convert the target code to be burned into BIN format and download it to the target board as well (at an address different from that of the FLASH program), and then run the downloaded FLASH program. Using this method, it seems to be faster than writing Flash with FlashPGM.
JTAG is a so-called boundary scan technology.
Boundary-scan testing was developed in the mid-1980s as the JTAG interface to solve PCB physical access problems. Such problems are caused by new packaging technologies that lead to increasingly crowded circuit board assemblies. Boundary scan embeds test circuits at the chip level to form a comprehensive board-level test protocol. With boundary scan, the industry standard IEEE 1149.1 since 1990, you can test, debug, and program devices in-system on even the most complex assemblies, and diagnose hardware problems.
Advantages of boundary scan:
By providing IO access through the scan chain, the need for physical test points on the circuit board can be eliminated or greatly reduced. This results in significant cost savings because the circuit board layout is simpler, the test fixture is cheaper, less time is spent on in-circuit test systems, standard interfaces are used more, and time to market is shorter. In addition to circuit board testing, boundary scan allows programming of almost all types of CPLDs and flash memories on the circuit board after PCB placement, regardless of size or package type. In-system programming can save costs and increase production by reducing equipment handling, simplifying inventory management, and integrating programming steps into the circuit board production line.
Boundary scan principle:
The IEEE 1149.1 standard specifies a four-wire serial interface (the fifth wire is optional). This interface is called the test access port (TAP) and is used to access complex integrated circuits (ICs) such as microprocessors, DSPs, ASICs and CPLDs. In addition to the TAP, hybrid ICs also contain shift registers and state machines to perform boundary scan functions. The data input into the chip on the TDI (Test Data Input) lead is stored in the instruction register or in a data register. Serial data leaves the chip on the TDO (Test Data Output) lead. The boundary scan logic is clocked by the signal on TCK (Test Clock), and the TMS (Test Mode Selection) signal drives the state of the TAP controller. TRST (Test Reset) is optional. According to the instructions in the relevant data sheet, a 10KΩ pull-up resistor needs to be connected to the TRST, TDI, and TMS pins, and a 10KΩ pull-down resistor needs to be connected to TCK.
Multiple ICs compatible with scanning functions can be serially interconnected on the PCB to form one or more scan chains, each of which has its own TAP. Each scan chain provides electrical access, from the serial TAP interface to each lead on each IC that is part of the chain. During normal operation, the IC performs its intended function as if the boundary scan circuit did not exist. However, when the scan logic of the device is activated for testing or system programming, data can be transferred to the IC and read from the IC using the serial interface. This data can be used to activate the device core, send signals from the device leads to the PCB, read the PCB input leads and read the device output.
In the design of embedded systems, some high-end microprocessors are equipped with a JTAG interface, which is convenient for multi-target system testing, and can also achieve flash programming.
There are a variety of simple JTAG cables, which are really just a level conversion circuit that also plays a protective role. The JTAG logic is implemented by software running on the PC, so in theory any simple JTAG cable can support various application software, such as a debugger. You can use the same JTAG cable to program a Xilinx CPLD and to debug programs with AXD/ADW. The key lies in software support. Most software does not provide setting functions, so it can only support one particular JTAG cable.
JTAG is a serial interface. A simple JTAG cable for the print port uses the latched outputs of the print port, and software generates the JTAG timing through I/O. As determined by the JTAG standard, writing or reading a byte through JTAG requires a series of operations. According to my analysis, when a simple JTAG cable is used and a byte is output to the target board through JTAG using the print port, an average of 43 print port I/O operations are required. On my machine (P4 1.7G), I can perform about 660K I/O operations per second, so the download speed is about 660K/43, which is about 15K Byte/S. For other machines, the I/O speed is roughly the same, generally 600K ~ 800K.
Obviously, a simple JTAG cable cannot increase the speed. There are roughly two ways to increase speed:
1. An embedded system provides the JTAG interface, and the embedded system and the microcomputer are connected via USB/Ethernet. This requires the use of an MCU.
2. A CPLD/FPGA provides the JTAG interface, with an EPP interface between the CPLD/FPGA and the microcomputer (the print port of a typical microcomputer supports EPP mode). The EPP interface carries the data between the microcomputer and the CPLD/FPGA, and the CPLD/FPGA generates the JTAG timing.
I have implemented both methods. The first method can achieve a relatively high speed, and the actual measurement exceeds 200KByte/S (note: it is Byte, not Bit); but relatively speaking, the hardware is complicated and the manufacturing is relatively complicated. With the second method, relatively speaking, the download speed is slower, the fastest being 96KByte/S, but the circuit is simple, the manufacturing is convenient, and the speed can meet the needs. The second scheme also has a disadvantage: because the CPU is not released during I/O operations, the microcomputer CPU appears very busy while the program is downloading.
JTAG has its own pins, usually four: TDI, TDO, TMS and TCK, and there is also a reset pin, TRST. The JTAG pins on the chip are dedicated pins.
TDI: Test data input, data is input to JTAG port through TDI;
TDO: test data output, data output from JTAG port through TDO;
TMS: test mode selection, used to set the JTAG port in a specific test mode;
TCK: test clock input;
TRST: test reset;