JTAG to the mainboard
Posted: 10 Mar 2019, 10:25
In this thread I will explain what I have learned about the JTAG interface of the mainboard. It applies to FX, NX and MCA units.
First thing I was looking for when I started reverse engineering the board was a debug port. JTAG is always a good one to find because most MPUs provide such an interface. And I soon found the location and connections of it on the orange service port connector on the bottom of the mainboard, which is accessible without disassembling the unit:
Here is the pinout I determined for it, by tracing the wires from the OMAP, measuring it out using my DSO and, of course, trial and error testing:
To connect to it I use my Segger J-Link interface. Because the OMAP has an ARM9 MPU inside, I chose this one and could connect to it right from the start using the default values: The JTAG specification says that a TAP will place its ID into the data register on reset. The OMAP JTAG chain has 50 bits and consists of three devices. There are techniques to determine the IR length, but it leaves some guessing. Segger seems to do a good job, but only finds the ARM CPU part, the others are unknown.
The IRprint is just what shifts out of the TDO pin until the shift-in pattern arrives there. This pattern is a sequence of bits the Segger shifts into TDI until it discovers it on TDO. The number of clock cycles needed equals the number of bits in the chain. The IRprint is the hex notation of the IR chain bits after reset. Uh, reset here does not necessarily mean the system or chip reset, the TAP has its own reset (TRST) which only resets the test logic.
The hard part is to find out how many devices are inside a chain and at which position. I guess the J-Link software looks for known IDs inside the IRprint, found the ARM and therefore knows that some other device is in front of and after the chain position of the CPU. Those are the "unknown" ones. I already looked up the ID in the public lists, but they are not registered anywhere. I will crawl the TI docs of the OMAP5912, maybe it brings light to this...
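The chain-discovery steps described in the post (counting the scan-path bits by shifting in a marker pattern, reading the IR capture bits as an "IRprint", and parsing the IDCODEs each TAP presents in its DR after a test-logic reset) can be followed in a small simulation. The code below is an added example, not part of the original post and not the J-Link's own algorithm; the three TAPs, their IR lengths, IR capture values and IDCODEs are constructed for the demonstration and are not the OMAP5912's real values. It models one IEEE 1149.1 scan path and shows why a probe can recover the chain length and the IDCODEs without knowing the devices in advance, and how the JEDEC manufacturer field is split out of an IDCODE so an ID can be looked up.

```python
"""Simulation of JTAG chain discovery: count the scan-path bits with a
shifted-in marker, read the IR capture bits ("IRprint"), and parse the
IDCODEs every TAP presents in its DR after TRST. Constructed example; the
TAP parameters below are invented and do not describe any real device."""

from dataclasses import dataclass


@dataclass
class Tap:
    name: str
    ir_len: int      # instruction register length (constructed value)
    ir_capture: int  # value loaded in Capture-IR; IEEE 1149.1 fixes bits 1:0 = 01
    idcode: int      # 32-bit IDCODE; bit 0 = 1 distinguishes it from BYPASS (0)


class Chain:
    """Serial scan path TDI -> taps[0] -> ... -> taps[-1] -> TDO.

    The selected register is a list of bits with index 0 nearest TDO, so one
    TCK pops index 0 onto TDO and appends the TDI bit at the TDI end."""

    def __init__(self, taps):
        self.taps = taps
        self.reg = []

    def _load(self, field):
        # The TAP nearest TDO shifts out first, LSB first within each TAP.
        bits = []
        for t in reversed(self.taps):
            val, n = field(t)
            bits.extend((val >> i) & 1 for i in range(n))
        self.reg = bits

    def capture_ir(self):
        self._load(lambda t: (t.ir_capture, t.ir_len))

    def reset_dr(self):
        # After TRST / Test-Logic-Reset every TAP selects IDCODE (or BYPASS).
        self._load(lambda t: (t.idcode, 32) if t.idcode & 1 else (0, 1))

    def clock(self, tdi):
        tdo = self.reg[0]
        self.reg = self.reg[1:] + [tdi]
        return tdo


def shift_out(chain, nbits, tdi=0):
    """Shift nbits out as an int, first bit on TDO becoming bit 0."""
    val = 0
    for i in range(nbits):
        val |= chain.clock(tdi) << i
    return val


def find_chain_length(chain, pattern=0b1011, pattern_len=4, max_len=1024):
    """Flush with zeros (more than any plausible chain), then shift in a
    pattern starting with 1 and count clocks until it emerges on TDO.
    Returns the register length, or None if the full pattern never shows."""
    for _ in range(max_len):
        chain.clock(0)
    stream = iter([(pattern >> i) & 1 for i in range(pattern_len)] + [0] * max_len)
    for clocks, tdi in enumerate(stream, start=1):
        if chain.clock(tdi) == 1:
            length = clocks - 1  # first marker bit needs length + 1 clocks
            rest = [chain.clock(next(stream)) for _ in range(pattern_len - 1)]
            expected = [(pattern >> i) & 1 for i in range(1, pattern_len)]
            return length if rest == expected else None
    return None


def ir_print(chain):
    """Hex notation of the IR capture bits shifted out after reset."""
    chain.capture_ir()
    return hex(shift_out(chain, sum(t.ir_len for t in chain.taps)))


def decode_idcode(code):
    """Split an IDCODE into its IEEE 1149.1 fields."""
    return {
        "version": (code >> 28) & 0xF,
        "part": (code >> 12) & 0xFFFF,
        "manufacturer": (code >> 1) & 0x7FF,  # JEDEC JEP106 code incl. continuation bits
    }


def read_idcodes(chain, max_devices=16):
    """Read the DR after reset, TDO side first. A leading 1 starts a 32-bit
    IDCODE, a 0 is a BYPASS TAP. TDI is held at 1 so the drained chain reads
    as 0xFFFFFFFF, which is not a valid IDCODE and marks the end."""
    chain.reset_dr()
    found = []
    for _ in range(max_devices):
        if chain.clock(1) == 0:
            found.append(None)  # BYPASS TAP: single bit, no IDCODE
            continue
        code = 1 | (shift_out(chain, 31, tdi=1) << 1)
        if code == 0xFFFFFFFF:
            break
        found.append(code)
    return found


# Constructed three-TAP chain; nearest TDI first. Values are invented.
TAPS = [
    Tap("unknown-A", ir_len=8, ir_capture=0b00000001, idcode=0x1234504F),
    Tap("arm9-core", ir_len=4, ir_capture=0b0001, idcode=0x07926477),
    Tap("unknown-B", ir_len=6, ir_capture=0b000001, idcode=0x200C11CB),
]


def discover(taps=TAPS):
    chain = Chain(taps)
    chain.capture_ir()
    return {
        "ir_length": find_chain_length(chain),
        "irprint": ir_print(chain),
        "idcodes": read_idcodes(chain),  # TDO side first
    }


if __name__ == "__main__":
    result = discover()
    print("IR chain bits:", result["ir_length"], "IRprint:", result["irprint"])
    for code in result["idcodes"]:
        print(hex(code), decode_idcode(code))
```

The flush-then-marker count gives the total register length but not how the bits are split among TAPs; that split is exactly the guessing the post mentions, and a probe resolves it by recognising a known IDCODE or IR capture value and attributing the remaining bits to the devices before and after it. The IDCODE readout, by contrast, is unambiguous: each TAP contributes either a 32-bit word starting with 1 or a single 0, so the device count and the manufacturer field for each ID fall out directly, which is what you would compare against the JEDEC lists.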