How to do JTAG



Post by Go4IT » 10 Mar 2019, 15:04

At its base, JTAG is a serial "protocol". Multiple targets can be connected to a "scanchain" by connecting the serial out (TDO) to the serial in (TDI) of the next device. The start and end of the chain is made up by a tester device which is controlled by a PC. Each member has a shift register size which makes up its need; there is no predefined length for it, but at least 1 bit. By using a shared clock signal (TCK) for all devices, all do a shift operation on the rising edge of this signal. The bit on TDI is sampled into the internal register and the last bit of this register is set on TDO. The clock does not have to be synchronous with the member's internal clock, but it cannot exceed the maximum frequency of the device. So the slowest member of the chain gives the overall TCK.

The easiest way to play with JTAG devices is to use an Arduino, combined with a level shifter (if not on the same voltage). Place a bit on the TDI of a device and clock it in using TCK. Then watch what you get from TDO. At reset, the JTAG standard requires the device to place its JTAG-ID into the shift register, which is the instruction register (IR), and connect this register to TDI and TDO. So what you "clock out" (regardless of whether you clock in anything) is the ID of the device, or if there are more in a chain, the IDs of all devices. You only need to know how many bits the internal register uses. If not, there are some methods to estimate the size of the register. One is to clock in many zeros (e.g. a hundred or more), just to be sure the register is flooded. Then clock in ones until you see the first one on TDO. The number of clocks it takes is the length of the IR. Simple, eh? ;-) If you have only one device (either logically or physically), this is a convenient way to find out. If there are multiple devices in the chain, you must guess how long each one is.

The JTAG port of the device (called TAP, Test Access Port) provides two other signals, TMS and /TRST. With /TRST you can reset the TAP to its initial state. This does not make the chip the JTAG-TAP belongs to do anything; it's only for the JTAG part. On TMS you can change the state of the internal state machine (SM), which controls what the JTAG controller does next. For now, we just keep this signal high (1).

JTAG only enforces a few commands (instructions) to be known by every JTAG-enabled device. Beyond this, there can exist many, many vendor-specific commands. We will discuss this later.

First, build a small piece of hardware you can control from your PC interactively to play around with a JTAG device, e.g. the OMAP processor on the radio mainboard or the Cyclone FPGA on the graphics board. But any other will do also. You just need to know which voltage level it uses (to not kill it) and where to connect which pin to. You can do this with your Segger J-Link Commander software also, if you are not willing to create your own tool. It provides low-level commands to control the signals directly. But with a self-made solution it's still more fun! ;-)

Then try to clock and see what you get out. Convert this to a hex number and do a lookup in the JTAG-ID database:
Don't worry if you do not find your device here. There are many devices not registered anywhere (vendor specific).
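Added example, not from the post or any project: the clocking described above as a small set of C routines, with the Arduino pin layer swapped for a constructed software model of one TAP (the names `sim_reset`, `jtag_tdo`, `jtag_tck`, `jtag_shift`, `jtag_chain_length` and `idcode_decode` are my own), so the ID readout, the zero-flood length test and the split of the 32-bit ID into its fields can be checked on a PC before touching a board.

```c
#include <stdint.h>
#include <stdio.h>
/* Pin layer: on a real board these wrap digitalWrite()/digitalRead() on TDI, TCK
 * and TDO (TMS held high as in the post); here they drive a constructed TAP model. */
static uint32_t sim_reg;  /* the device's shift register, IDCODE after reset */
static int sim_bits;      /* its length in bits */
void sim_reset(uint32_t idcode, int bits) { sim_reg = idcode; sim_bits = bits; }
static int jtag_tdo(void) { return (int)(sim_reg & 1u); } /* bit on TDO now */
/* Set TDI and pulse TCK: the rising edge shifts one place toward TDO. */
static void jtag_tck(int tdi) {
    sim_reg = (sim_reg >> 1) | ((uint32_t)(tdi & 1) << (sim_bits - 1));
}

/* Shift nbits in/out, LSB first; sampling TDO before each pulse returns the
 * register as it stood when we started. */
uint32_t jtag_shift(uint32_t tdi_bits, int nbits) {
    uint32_t out = 0;
    for (int i = 0; i < nbits; i++) {
        out |= (uint32_t)jtag_tdo() << i;
        jtag_tck((int)((tdi_bits >> i) & 1u));
    }
    return out;
}

/* The post's length test: flood with zeros, then count ones clocked in until
 * the first shows on TDO. -1: nothing within max_bits (open chain, wrong pin). */
int jtag_chain_length(int flood, int max_bits) {
    for (int i = 0; i < flood; i++) jtag_tck(0);
    for (int n = 1; n <= max_bits; n++) {
        jtag_tck(1);
        if (jtag_tdo()) return n;
    }
    return -1;
}

/* IEEE 1149.1 IDCODE: [31:28] version, [27:12] part, [11:1] JEDEC manufacturer,
 * [0] always 1. Bit 0 clear means this was not an IDCODE (e.g. 1-bit BYPASS). */
int idcode_decode(uint32_t id, unsigned *ver, unsigned *part, unsigned *mfr) {
    if ((id & 1u) == 0) return 0;
    *ver = (id >> 28) & 0xFu; *part = (id >> 12) & 0xFFFFu; *mfr = (id >> 1) & 0x7FFu;
    return 1;
}

int main(void) {
    unsigned ver, part, mfr;
    sim_reset(0x12345157u, 32);                  /* constructed sample IDCODE */
    uint32_t id = jtag_shift(0, 32);
    if (idcode_decode(id, &ver, &part, &mfr))
        printf("IDCODE %08X: ver %u part %04X mfr %03X\n", (unsigned)id, ver, part, mfr);
    printf("register length: %d bits\n", jtag_chain_length(100, 256));
}
```

A real ID that decodes with bit 0 clear, or a length test that returns -1, usually means a wiring or pin-assignment problem rather than an exotic device.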
