Keywords: Embedded systems, ARM, STM32F4, SWD, JTAG, Debug Adapter You have been playing with your newly bought STM43F4-Discovery board for a while and got a good grasp of all its peripherals. Now you are planning to build your own custom PCB/Product based on ARM Cortex-M […]
Keywords: Embedded systems, ARM, Coresight, Debug, ITM, ETM, DWT, JTAG, SWD “A debugger is a computer program which may or may not be assisted by some hardware and is used to test and debug other Programs.” In the previous tutorial we presented a generalized overview of how […]
I have used JTAG for quite long time mostly for Debugging and Programming. Honestly speaking I never paid attention to how things works under the surface until one day i was asked in an interview “How JTAG and debuggers work?”…. and i had absolutely no answer. 🙂 So, in this tutorial we will present a very brief introduction to what JTAG is and how it works. For more details overview, one can refer to IEEE JTAG standard.
JTAG, Joint Test Action Group / association (a bunch of companies/folks dealing hardware) was formed in 1985 to recommend and develop a feasible solution to Test and verify complex & multilayer PCBs and internal Logic of Integrated Circuits (ICs). In both scenario hardware logic is so complex and dense that its almost impossible to access it via some DMM/Logic Analyzer/Scope probes. The group agreed and came up with few recommendations (based on SERIAL Protocol) describing how to perform Hardware Debugging. These recommendations were later standardized by Institute of Electrical and Electronics Engineers as IEEE-1149.1, IEEE Standard Test Access Port and Boundary-Scan Architecture. The latest JTAG version is IEEE 1149.7 at the time of writing this tutorial.
One of the interesting thing to note here is that the JTAG was never thought to be used for Software debugging and Programming. These facilities were later integrated as an add-on due to the flexibility of JTAG standard yet they are not a part of IEEE standard. We will come to this point i.e. how JTAG performs Software debugging and Programming later in this tutorial.
Note: One thing to remember, the dongle you connect to your host PC via USB/Parallel Port/RJ-45 is not JTAG itself. Its JTAG ADAPTER that generate appropriate signals in accordance to IEEE 1149.x standard.
On a broader level, the main components that inter-operate to implement IEEE 1149.x standard are JTAG dongle/Adapter, TAP controller, and boundary-scan circuitry. The following figure-1 shows main JTAG interface components.
As can be seen from Figure-1, the JTAG Adapter connects to host PC running some JTAG interface software via USB etc. and converts USB etc. commands to JTAG compliant Signals. The JTAG Adapter on the other end is connected to IC/PCB via JTAG Port (20-pins, 14-pins, even 10-pins). The port leads to TAP (Test Access Port). TAP is a state machine which decodes Electrical Signals from JTAG adapter and converts them to JTAG commands (actually directing data to appropriate predefined Registers).
Boundary-scan circuitry is basically test circuitry mounted between IC logic and output Pins. This circuitry to each pin can be considered as 1-bit register. A value (logic 1/0) written to Boundary-Scan circuitry will appear on corresponding output pin. Similarly a value read from the boundary-scan circuitry will give the exact logic value appearing on that pin set by internal logic or coming from externally connected logics.
The beauty of JTAG is that multiple device can be connected serially (daisy-chain) and can be controlled from single JTAG Adapter. This design design flexibility enable you not only to test internal IC logic but also to check/test PCB traces connecting multiple ICs on multi layer PCBs. Figure-2 shows how multiple devices are inter-connected to form daisy-chain.
1. JTAG Pins:
● Test Clock(TCK): Serial Clock Signal. A reference clock to set TAP State Machine and transfer data.
● Test Mode Select(TMS): TAP controller has various states (as explained later). This signal along with TCK determine the current and next state of TAP controller.
● (Serial) Test Data Input (TDI): This line writes data from JTAG Adapter to connected TAP registers 1 bit per clock cycle.
● (Serial) Test Data Output (TDO): This line reads data from connected TAP registers to JTAG Adapter 1 bit per clock cycle.
● Test Reset (nTRST): This is actually an optional signal and used to reset TAP state machine. This is the only asynchronous JTAG signal.
2. JTAG Registers:
A device that meets the JTAG standard contains one instruction register (IR) and a number of test data registers (DR). The instruction register is required to be at least two bits long, and is used to control test functionality. The data registers are specific to a particular device, but the standard demands at least two register, a one-bit long bypass register, and a boundary-scan register .
Each Data Register is responsible for implementing various JTAG functionalities. If you want to perform any of standard Test, data needs to be directed IN/OUT of the corresponding data register (DR). For this purpose, IEEE 1149.x has specified various compulsory and optional instructions. Writing appropriate instruction to instruction register (IR) will direct the data IN/OUT from particular data register (DR). In other words each data register (DR) can be selected via pre-specified instruction which needs to be written to instruction register (IR) prior to writing to the desired data register (DR). The following figure shows JTAG registers .
Following are few Mandatory Data Registers in JTAG Standard.
● Boundary Scan Register (BSR): This is the main JTAG register whose bits are connected to IO pins of the Package i.e. one bit per IO pin plus other bits for internal Logics.
● Bypass Register (BYPASS): This register is exactly 1-bit in length and is used to connect TDI and TDO lines together thus bypassing boundary-scan cells. This is useful when you have a number of devices connected in daisy-chain and you want to skip few devices in middle to directly reach target device.
● IDCODES: This register identify device to JTAG Software or on daisy-chain. Normally this register is not used for common use.
3. JTAG Instructions:
There are two type of instruction in JTAG Standard i.e. Mandatory Instructions and Optional Instructions. Mandatory instructions must be implemented in order to be JTAG compliant. Optional instructions are left on designer’s decision/requirements. The following table summarizes both Mandatory instructions and Optional instructions.
|EXTEST||Mandatory||All Zeros: 00… *|
|BYPASS||Mandatory||All Ones: 11… *|
|SAMPLE / PRELOAD||Mandatory||Designer Specific|
|INTEST||Optional||– do –|
|RUNBIST||Optional||– do –|
|CLAMP||Optional||– do –|
|IDCODE||Optional||– do –|
|USERCODE||Optional||– do –|
|HIGHZ||Optional||– do –|
* : The length of Instruction register and data register is left to designer comfort as stated here.
Following is brief description of most important and commonly used JTAG instructions.
● EXTEST: This instruction causes TDI and TDO lines to be connected to both sides of BSR shift register. On each TCK clock cycle, 1 bit is shifted from TDI to BSR register and 1 bit is shifted and placed on TDO line. At the end the bits from TDI line appears on corresponding PINs and value read from TDO lines are previous values at the corresponding Pins.
EXTEST instruction is mainly used to test external Logics like verifying trace on PCB. e.g. Let’s say PCB traces connect two JTAG compliant devices ‘A’ and ‘B’. Using EXTEST a defined bits pattern is placed on corresponding pin bits in BSR register. On the other side, the device ‘B’ pins are read using EXTEXT instruciton. If the bit patterns matched, the traces connectivity is verified.
● BYPASS: This instruction causes TDI and TDO lines to be connected to both sides of 1-bit BYPASS register thus skipping all that boundary scan cells. This instruciton is used to skip a specific device in daisy-chain.
● IDCODE: This instruction causes TDI and TDO lines to be connected to both sides of IDCODE register.
● INTEST: This instruction is similar to EXTEST except as name suggests EXTEST is used to test external logic while INTEST is used to test internal core logic signals of a device.
4. TAP Controller:
So far we briefly discussed JTAG standard, its registers, instructions etc. We stated at the start of this tutorial that one of the main JTAG component is TAP controller. So where this TAP controller comes into action? Well to be really honest, TAP is the heart of all logics implementing JTAG standards. Its a state machine (a machine which has various states and at a time it exists in only one state) that puts device into various state i.e. for boundary-scan for external test etc. as per IEEE JTAG standard instructions. The following figure shows state diagram of TAP controller.
Lets discuss TAP state machine diagram via EXTEST example. Let’s say we want to put EXTEST code into instruction register. So how can we do this? Lets say TAP controller is in reset state, the first top left state i.e. Test-Logic-Reset.
The state is controlled by TMS signal value on each TCK clock cycle. Lets say on the next clock cycle, the TMS line is pulled down (Logic-0). The TAP will get out of Reset state and will enter Run-Reset-Idle. It will stay there until the TMS line is pulled up (Logic-1). On next cycle (While TMS = 1), machine state will change to Select DR-Scan. This is the state where data is written to a Data Register selected by any of JTAG instructions. Now as we are want to write to instruction register (IR), the TMS line should remain high for one more cycle to get out of Select DR-Scan and enter Select IR-Scan. Now in order to write to IR, data from TDI line must be captured to instruction register IR. On 4th clock cycle, the TMS line is pulled down to enter Capture-IR machine state. Next state needs to be Shift-IR so that data is shifted from TDI line to IR register. so on 5th cycle, the TMS remain at Logic-0. Now in Shift-IR machine state, any Logic (0 or 1) on TDI line will be shifted to IR register bit by bit on each TCK clock cycle. In order to fill IR register, the TMS line should remain low for N number of clock cycles where N is the length of IR register. Once IR register is filled, the TMS line should remain high for two clock cycles to follow Exit-IR and then Update-IR machine states. Finally if data needs to be written to BSR (register used against EXTEST instruction), keep the TMS line high to follow machine state to fill BSR register. On the other hand if no data needs to be written to any data register, exit machine state by keep the TMS line at Logic-0 for remaing TCK clock cycles.
5. JTAG as Programmer:
As the JTAG can read/write all SoC pins and internal logic as a part of boundary-scan functionality thus it can read/write to entire memory space i.e. sending address on address lines and data on data lines. Memory devices (internal SRAM/Flash) are (internally) interfaced on Address and Data lines of SoC. Let’s say we want to program internal flash, there are two possible implementations:
- The JTAG reads a byte and its address from the executable code file (hex, elf, bin), set the internal address lines (interfaced with target memory) accordingly, set the data on data lines (interfaced with target memory) and finally set the Read/Write line for write operation. The target memory (flash in this case) simply takes the sent byte and write it internally on address as per the address lines bits.
- The above approach is simple but quite slow as flash memories normally write/read data in chunks not byte by byte. For this purpose the SoC internally contains a small piece of executable code called bootloader. The bootloader is placed by the manufacturer and can thought of as a firmware updater.
To program SoC, the JTAG read a chunk of data from executable code file (hex, elf, bin) and writes it to the internal SRAM (faster memory). It then invoke the bootloader code which takes the chuck of data from SRAM and writes it to the internal flash. The process is too and fro continued until all the code is written to the internal flash.
6. JTAG as Debugger:
Well this is highly architecture dependent topic but let me give a generalized overview of JTAG as debugger. The on-chip hardware contains debug logic which is interfaced with JTAG connector. The debug hardware is controlled by a set of registers which are specific to each SoC architecture/implementation. The processor debug operations like halt, continue, single-stepping, breakpoints, watchpoints etc. all are controlled by these debug registers. Now as we mentioned earlier that JTAG can write to the entire memory map, so in order to perform debug operations, all JTAG has to do is to write appropriate contents to appropriate debugging hardware register. And so JTAG can effectively be used for debugging operation. The only downside of JTAG is that its comparatively slow because of all the state machine steps it has to follow in order to read/write to the desired memory location.
We have the following tutorials discussing embedded system debugging in more details. The links are given bellow.
 – OpenOCD Thesis
 – JTAG Boundary Scan