JTAG
This article needs additional citations for verification. (November 2009) |
Joint Test Action Group (JTAG) is the common name for what was later standarized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was used initially for testing printed circuit boards using boundary scan.
Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.
Overview
JTAG was an industry group formed in 1985 to develop a method to test populated circuit boards after manufacture. At the time, multi-layer boards and non-lead-frame ICs were becoming standard and connections were being made between ICs which were not available to probes. The majority of manufacturing and field faults in circuit boards were due to solder joints on the boards, imperfections in board connections, or the bonds and bond wires from IC pads to pin lead frames. JTAG was meant to provide a pins-out view from one IC pad to another so all these faults could be discovered.
The industry standard finally became an IEEE standard in 1990 as IEEE Std. 1149.1-1990[1] after many years of initial use. That same year Intel released the first processor with JTAG: the 80486 which led to quicker industry adoption by all manufacturers. In 1994, a supplement that contains a description of the boundary scan description language (BSDL) was added. Further refinements regarding the use of all-zeros for EXTEST, separating the use of SAMPLE from PRELOAD and better support for OBSERVE_ONLY cells were made and released in 2001[2]. Since 1990, this standard has been adopted by electronics companies all over the world. Boundary-scan is nowadays mostly synonymous with JTAG, but JTAG has essential uses beyond such manufacturing applications.
Debugging
Although it was originally designed for testing printed circuit board assemblies, today JTAG is also used for accessing sub-blocks of integrated circuits, making it an essential mechanism for debugging embedded systems which may not support any other debug-capable communications channel. On most systems, JTAG-based debugging is available from the very first instruction after CPU reset, letting it support development of early boot software which runs before anything is set up. A so-called in-circuit emulator (or more correctly, "JTAG adapter") uses JTAG as the transport mechanism to access on-chip debug modules inside the target CPU. Those modules let software developers debug the software of an embedded system directly at the machine instruction level when needed, or (more typically) in terms of high level language source code.
Debug support is for many software developers the main reason to be interested in JTAG. There are entire debugging architectures built up using JTAG, such as ARM Coresight and Nexus (plus vendor-specific ones that may not be documented except under NDA) helping move JTAG-centric debugging environments away from early processor-specific designs. Processors can normally be halted, single stepped, or let run freely. Code breakpoints are supported, both for code in RAM (often using a special machine instruction) and in ROM/flash. Data breakpoints are often available, as is bulk data download to RAM. Most designs support “halt mode debugging”, but some allow debuggers to access registers and data busses without needing to halt the core being debugged. Some toolchains can trigger debugger activity on complex hardware events, like a logic analyser programmed to ignore the first seven accesses to a register from one particular subroutine.
Storing Firmware
Besides debugging, another application of JTAG is allowing device programmer hardware to transfer data into internal non-volatile device memory (CPLDs). Some device programmers serve a double purpose for programming as well as debugging the device. In the case of FPGAs, volatile memory devices can also be programmed via the JTAG port normally during development work. In addition, newer parts, for instance Xilinx Virtex-5, have internal monitoring capability (temperature, voltage and current) accessible via the JTAG port.
JTAG programmers are also used to write software and data into flash memory. This is usually done using data bus access like the CPU would use, and is sometimes actually handled by a CPU, but in other cases memory chips have JTAG interfaces themselves. Some modern debug architectures, like ARM CoreSight and Nexus, provide internal and external bus master access without needing to halt and take over a CPU. In the worst case, it is usually possible to drive external bus signals using boundary scan support.
Boundary Scan Testing
In many ICs today, the pins used for external interfacing are linked together in a set called the Boundary Scan chain. By using JTAG to manipulate the scan chain's external interface (inputs and outputs to other chips) it is possible to test for certain faults, caused perhaps by bad soldering. By using JTAG to manipulate its internal interface (to on-chip registers), the combinational logic can be tested.
In both cases (external and internal), this testing is done with the IC after it is mounted on the circuit card and possibly while in a functioning system. When combined with built-in self-test (BIST), the JTAG scan chain enables a low overhead, embedded solution to testing an IC for certain static faults (shorts, opens, and logic errors). The scan chain mechanism does not generally help diagnose or test for timing, temperature or other dynamic operational errors that may occur. Test cases are often provided in standardized formats such as SVF, or its binary sibling XSVF, and used in production tests. The ability to perform such testing on finished boards is an essential part of Design For Test in today's products, increasing the number of faults that can be found before products ship to customers.
Electrical characteristics
A JTAG interface is a special four/five-pin interface added to a chip, designed so that multiple chips on a board can have their JTAG lines daisy-chained together if specific conditions are met[3], and a test probe need only connect to a single "JTAG port" to have access to all chips on a circuit board. The connector pins are
- TDI (Test Data In)
- TDO (Test Data Out)
- TCK (Test Clock)
- TMS (Test Mode Select)
- TRST (Test Reset) optional.
Test reset signal is not shown in the image.
Since only one data line is available, the protocol is necessarily serial. The clock input is at the TCK pin. Configuration is performed by manipulating a state machine one bit at a time through a TMS pin. One bit of data is transferred in and out per TCK clock pulse at the TDI and TDO pins, respectively. Different instruction modes can be loaded to read the chip ID, sample input pins, drive (or float) output pins, manipulate chip functions, or bypass (pipe TDI to TDO to logically shorten chains of multiple chips). The operating frequency of TCK varies depending on all chips in the chain (lowest speed must be used), but it is typically 10-100 MHz (100-10 ns per bit).
The TRST pin is an optional active-low reset to the test logic - usually asynchronous, but sometimes synchronous, depending on the chip. If the pin is not available, the test logic can be reset by switching to the reset state synchronously, using TCK and TMS. Note that resetting test logic doesn't necessarily imply resetting anything else. There are generally some processor-specific JTAG operations which can reset all or part of the chip being debugged.
As with any clocked signal, data presented to TDI must be valid for some chip-specific Setup time before and Hold time after the relevant (here, rising) clock edge. TDO data is valid for some chip-specific time after the falling edge of TCK. In short, there are some constraints on signal timings.
TCK frequencies vary based on chip, board, and adapter capabilities and state. One chip might support a 40 MHz JTAG clock, but only if it's using a 200 MHz clock for non-JTAG operations; and it might need to use a much slower clock when it's in a low power mode. Accordingly, some JTAG adapters support adaptive clocking using an RTCK (Return TCK) signal. Faster TCK frequencies are most useful when JTAG is used to transfer lots of data, such as when storing a system image into NAND flash.
JTAG platforms often add additional signals to the handful defined by the IEEE 1149.1 specification. A System Reset (SRST) signal is quite common, letting debuggers reset the whole system not just the parts with JTAG support. Sometimes there are event signals used to trigger activity by the host or by the device being monitored through JTAG; or additional control lines.
Even though few consumer products provide an explicit JTAG port connector, the connections are very often available on the printed circuit board as a remnant from development prototyping and/or production. When exploited, these connections often provide an excellent means for reverse engineering.
Communications Model
In JTAG, devices expose one or more test access ports (TAPs). The picture above shows three TAPs, which might be individual chips or might be modules inside one chip. A daisy chain of taps is called a scan chain, or (loosely) a target. Scan chains can be arbitrarily long, but in practice twenty TAPs is unusually long.
To use JTAG, a host is connected to the target's JTAG signals (TMS, TCK, TDI, TDO, etc) through some kind of JTAG adapter, which may need to handle issues like level shifting and galvanic isolation. The adapter connects to the host using some interface such as USB, PCI, Ethernet, and so forth.
Primitives
The host communicates with the TAPs by manipulating TMS and TDI in conjunction with TCK, then reading results through TDO (which is the only standard host-side input). TMS/TDI/TCK output transitions create the basic JTAG communication primitive on which higher layer protocols build:
- State switching ... All TAPs are in the same state, and that state changes on TCK transitions. This JTAG state machine is part of the JTAG spec, and includes sixteen states. There are six “stable states” where keeping TMS stable prevents the state from changing. In all other states, TCK always changes that state. In addition, asserting TRST forces entry to one of those stable states (Test_Logic_Reset), in a slightly quicker way than the alternative of holding TMS high and cycling TCK five times.
- Shifting ... Most parts of the JTAG state machine support two stable states used to transfer data. Each TAP has an instruction register (IR) and a data register (DR). The size of those registers varies between TAPs, and those registers are combined through TDI and TDO to form a large shift register. (The size of the DR is a function of the value in that TAP's current IR, and possibly of the value specified by a SCAN_N instruction.) There are three operations defined on that shift register:
- Capturing a temporary value ... entry to the Shift_IR stable state goes via the Capture_IR state, loading the shift register with a partially fixed value (not the current instruction). Entry to the Shift_DR stable state goes via the Capture_DR state, loading the value of the Data Register specified by the TAP's current IR.
- Shifting that value bit-by-bit, in either the Shift_IR or Shift_DR stable state; TCK transitions will shift the shift register one bit, from TDI towards TDO, exactly like a SPI mode 1 data transfer through a daisy chain of devices (with TMS=0 acting like the chip select signal, TDI as MOSI, etc).
- Updating IR or DR from the temporary value shifted in, on transition through the Update_IR or Update_DR state. Note that it is not possible to read (capture) a register without writing (updating) it, and vice versa. A common idiom adds flag bits to say whether the update should have side effects, or whether the hardware is ready to execute such side effects.
- Running ... One stable state is called Run_Test/Idle. The distinction is TAP-specific. Clocking TCK in the Idle state has no particular side effects, but clocking it in the Run_Test state may change system state. For example, some ARM9 cores support a debugging mode where TCK cycles in the Run_Test state drive the instruction pipeline.
So at a basic level, using JTAG involves reading and writing instructions and their associated data registers; and sometimes involves running a number of test cycles. Behind those registers is hardware that is not specified by JTAG, and which has its own states that will be affected by JTAG activities.
Most JTAG hosts use the shortest path between two states, perhaps constrained by quirks of the adapter. (For example, one adapter only handles paths whose lengths are multiples of seven bits.) Some layers built on top of JTAG monitor the state transitions, and use uncommon paths to trigger higher level operations. Some ARM cores use such sequences to enter and exit a two-wire (non-JTAG) SWD mode. A Zero Bit Scan (ZBS) sequence is used in IEEE 1149.7[4] to access advanced functionality such as switching TAPs into and out of scan chains, power management, and a different two-wire mode.
JTAG Instructions
Instruction register sizes tend to be small, perhaps four or seven bits wide. Except for BYPASS, all instruction opcodes are defined by the TAP implementor, as are their associated data registers; undefined instruction codes should not be used. Two key instructions are:
- The BYPASS instruction, opcode all ones regardless of the TAP's instruction register size, must be supported by all TAPs. It is associated with a single bit data register (also called BYPASS) which always reads as zero.
- The optional IDCODE instruction, with an implementor-defined opcode. IDCODE is associated with a 32-bit register (IDCODE). Its data uses a standardized format that includes an IEEE manufacturer code, a manufacturer part number, and a part version code. IDCODE is widely, but not universally, supported.
On exit from the RESET state, the instruction register is preloaded with either BYPASS or IDCODE. This allows JTAG hosts to identify the size and, at least partially, contents of the scan chain to which they are connected. (They can enter the RESET state then scan the Data Register until they read back the data they wrote. A BYPASS register has only a zero bit; while an IDCODE register is 32-bits and starts with a one. So the bits not written by the host can easily be mapped to TAPs.) Such identification is often used to sanity check manual configuration, since IDCODE is often unspecific. It could for example identify an ARM Cortex-M3 based microcontroller, without specifying the microcontroller vendor or model; or a particular FPGA, but not how it has been programmed.
A common idiom involves shifting BYPASS into the instruction registers of all TAPs except one, which receives some other instruction. That way all TAPs except one expose a single bit data register, and values can be selectively shifted into or out of that one TAP's data register without affecting any other TAP.
The IEEE 1149.1 (JTAG) standard describes a number of instructions to support boundary scan applications. Some of these instructions are "mandatory", but TAPs used for debug instead of boundary scan testing sometimes provide minimal or no support for these instructions. Those "mandatory" instructions operate on the Boundary Scan Register (BSR) defined in the BSDL file, and include:
- EXTEST for external testing, such as using pins to probe board-level behaviors
- PRELOAD loading pin output values before EXTEST (sometimes combined with SAMPLE)
- SAMPLE reading pin values into the boundary scan register
IEEE-defined "Optional" instructions include:
- CLAMP a variant of BYPASS which drives the output pins using the PRELOADed values
- HIGHZ deactivates the outputs of all pins
- INTEST for internal testing, such as using pins to probe on-chip behaviors
- RUNBIST places the chip in a self-test mode
- SCAN_N configures a scan path select register (SCREG) affecting the signals to which other boundary scan operations apply
- USERCODE returns a user-defined code, for example to identify which FPGA image is active
Devices may define more instructions, and those definitions should be part of a BSDL file provided by the manufacturer. They will often just be marked as PRIVATE.
Boundary Scan Register
Devices communicate to the world via a set of input and output pins. By themselves, these pins provide limited visibility into the workings of the device. However, devices that support boundary scan contain a shift-register cell for each signal pin of the device. These registers are connected in a dedicated path around the device's boundary (hence the name). The path creates a virtual access capability that circumvents the normal inputs and outputs, providing direct control of the device and detailed visibility for signals.[5]
The contents of the boundary scan register, including signal I/O capabilities, are usually described by the manufacturer using a part-specific BSDL file. These are used with design 'netlists' from CAD/EDA systems to develop tests used in board manufacturing. Commercial test systems will often cost several thousand dollars for a fully-fledged system, and include diagnostic options to accurately pin-point faults such as open circuits and shorts. They may also offer schematic or layout viewers to depict the fault in a graphical manner.
To provide the boundary scan capability, IC vendors add additional logic to each of their devices, including scan cells for each of the signal pins. These cells are then connected together to form the boundary scan shift register (BSR), which is connected to a TAP controller. These designs are parts of most Verilog or VHDL libraries. Overhead for this additional logic is minimal, and generally is well worth the price to enable efficient testing at the board level.
Example: ARM11 Debug TAP
A concrete example will help show the way JTAG works in real systems. The example here is the debug tap of an ARM11 processor, the ARM1136[6] core. The processor itself has extensive JTAG capability, not unlike what is found in other CPU cores, and it is integrated into chips with even more extensive capabilities accessed through JTAG. So this is a non-trivial example, which is representative of a significant cross section of JTAG-enabled systems.
Licensees of this core integrate it into chips, usually combining it with other TAPs as well as numerous peripherals and memory. (Peripherals and memory comprise the bulk of SoC designs; ARM cores don't take up much chip real estate.) One of those other TAPs will handle boundary scan testing for the whole chip; it is not supported by the debug tap. Examples of such chips include:
- The OMAP2420 includes a boundary scan TAP, the ARM1136 Debug TAP, an ETB11 trace buffer tap, a C55x DSP, and a tap for an ARM7TDMI-based imaging engine, with the boundary scan TAP ("ICEpick-B") having the ability to splice TAPs into and out of the JTAG scan chain.[7]
- The i.MX31 processor is similar, although its "System JTAG" boundary scan TAP[8] is very different from ICEpick, and it includes a TAP for its DMA engine instead of a DSP and imaging engine.
Those processors are both intended for use in wireless handsets such as cell phones, which is part of the reason they include TAP controllers which modify the JTAG scan chain: debugging low power operation requires accessing chips when they are largely powered off, and thus when not all TAPs are operational. That scan chain modification functionality is one subject of a forthcoming IEEE 1149.7[4] standard.
JTAG Facilities
This debug tap exposes several standard instructions, and a few specifically designed for hardware-assisted debugging, where a software tool (the "debugger") uses JTAG to communicate with a system being debugged:
- BYPASS, IDCODE ... standard instructions as described above
- EXTEST, INTEST ... standard instructions, but operating on the core instead of an external boundary scan chain. EXTEST is nominally for writing data to the core, INTEST is nominally for reading it; but two scan chains are exceptions to that rule.
- SCAN_N ... ARM instruction to select the numbered scan chain used with EXTEST or INTEST. There are six scan chains:
- 0 ... Device ID Register, 40 bits of read-only identification data
- 1 ... Debug Status and Control Register (DSCR), 32 bits used to operate the debug facilities
- 4 ... Instruction Transfer Register (ITR), 33 bits (instruction plus one status bit) used to execute processor instructions while in a special "Debug Mode" (see below)
- 5 ... Debug Communications Channel (DCC), 34 bits (one data word plus two status bits) used for bidirectional data transfer to the core. This is used both in debug mode, and possibly at runtime when talking to debugger-aware software.
- 6 ... Embedded Trace Module (ETM), 40 bits (7 bit address, one data word, and a r/w bit) used to control the operation of a passive instruction and data trace mechanism. This feeds either an on-chip Embedded Trace Buffer (ETB), or an external high speed trace data collection pod. Tracing supports passive debugging (examining execution history) and profiling for performance tuning.
- 7 ... debug module, 40 bits (7 bit address, one data word, and a r/w bit) used to access hardware breakpoints, watchpoints, and more. These can be written while the processor is running; it does not need to be in Debug Mode.
- HALT, RESTART ... ARM11-specific instructions to halt and restart the CPU. Halting it puts the core into the "Debug Mode", where the ITR can be used to execute instructions, including using the DCC to transfer data between the debug (JTAG) host and the CPU.
- ITRSEL ... ARM11-specific instruction to accelerate some operations with ITR.
That model resembles the model used in other ARM cores. Non-ARM systems generally have similar capabilities, perhaps implemented using the Nexus protocols on top of JTAG, or other vendor-specific schemes.
Older ARM7 and ARM9 cores include an EmbeddedICE module[9] which combines most of those faciilities, but has an awkward mechanism for instruction execution: the debugger must drive the CPU instruction pipeline, clock by clock, and directly access the data busses to read and write data to the CPU. The ARM11 uses the same model for trace support (ETM, ETB) as those older cores.
Newer ARM cores, such as the Cortex-A8, closely resemble this debug model, but build on a Debug Access Port (DAP) instead of direct CPU access. They are also decoupled from JTAG so they can be hosted over ARM's two-wire "SWD" interface instead of just the six-wire JTAG interface. (ARM takes the four standard JTAG signals and adds the optional TRST, plus the RTCK signal used for adaptive clocking.) Also, the newer cores have updated trace support.
Halt Mode Debugging
One basic way to debug software is to present a single threaded model, where the debugger periodically stops execution of the program and examines its state as exposed by register contents and memory (including peripheral controller registers). When interesting program events approach, a person may want to single step instructions (or lines of source code) to watch how a particular misbehavior happens.
So for example a JTAG host might HALT the core, entering Debug Mode, and then read CPU registers using ITR and DCC. After saving processor state, it could write those registers with whatever values it needs, then execute arbitrary algorithms on the CPU, accessing memory and peripherals to help characterize the system state. After the debugger performs those operations, the state may be restored and execution continued using the RESTART instruction.
Debug mode is also entered asynchronously by the debug module triggering a watchpoint or breakpoint, or by issuing a BKPT (breakpoint) instruction from the software being debugged. When it is not being used for instruction tracing, the ETM can also trigger entry to debug mode; it supports complex triggers sensitive to state and history, as well as the simple address comparisons exposed by the debug module. Asynchronous transitions to debug mode are detected by polling the DSCR register. This is how single stepping is implemented: HALT the core, set a temporary breakpoint at the next instruction or next high-level statement, RESTART, poll DSCR until you detect asynchronous entry to debug state, remove that temporary breakpoint, repeat.
Monitor Mode Debugging
Modern software is often too complex to work well with such a single threaded model. For example, a processor used to control a motor (perhaps one driving a saw blade) may not be able to safely enter halt mode ... it may need to continue handling interrupts to ensure physical safety of people and/or machinery. Issuing a HALT instruction using JTAG might be dangerous.
ARM processors support an alternative debug mode, called Monitor Mode, to work with such situations. (This is distinct from the Secure Monitor Mode implemented as part of security extensions on newer ARM cores; it manages debug operations, not security transitions.) In those cases, breakpoints and watchpoints trigger a special kind of hardware exception, transferring control to a "debug monitor" running as part of the system software. This monitor will communicate with the debugger using the DCC, and could arrange for example to single step only a single process while other processes (and interrupt handlers) continue running.
Common extensions
Microprocessor vendors have often defined their own core-specific debugging extensions. Such vendors include Infineon, MIPS with EJTAG, and more. If the vendor does not adopt a standard (such as the ones used by ARM processors; or Nexus), they need to define their own solution. If they support boundary scan, they generally build debugging over JTAG.
Freescale has COP and OnCE (On-Chip Emulation). OnCE includes a JTAG command which makes a TAP enter a special mode where the IR holds OnCE debugging commands[10] for operations such as single stepping, breakpointing, and accessing registers or memory. It also defines EOnCE (Enhanced On-Chip Emulation)[11] presented as addressing real time concerns.
ARM has an extensive processor core debug architecture (CoreSight) that started with EmbeddedICE (a debug facility available on most ARM cores), and now includes many additional components such as an ETM (Embedded Trace Macrocell), with a high speed trace port, supporting multi-core and multithread tracing. Note that tracing is non-invasive; systems do not need to stop operating to be traced. (However, trace data is too voluminous to use JTAG as more than a trace control channel.)
Nexus defines a processor debug infrastructure which is largely vendor-independent. One of its hardware interfaces is JTAG. It also defines a high speed auxiliary port interface, used for tracing and more. Nexus is used with some newer platforms, such as the Atmel AVR32 and Freescale MPC5500 series processors.
Widespread uses
- Except for some of the very lowest end systems, essentially all embedded systems platforms have a JTAG port to support in-circuit debugging and firmware programming as well as for boundary scan testing:
- ARM Architecture processors come with JTAG support, sometimes supporting a two-wire "SWD" variant or high speed tracing of traffic on instruction or data busses. (This alone means most 32-bit processors in the world support JTAG.)
- Modern 8-bit and 16-bit Microcontroller chips, such as Atmel AVR and TI MSP430 chips, support JTAG programming and debugging. However, the very smallest chips may not have enough pins to spare (and thus tend to rely on proprietary single-wire programming interfaces); if the pin count is over 32, there is probably a JTAG option.
- Almost all FPGAs and CPLDs used today can be programmed via a JTAG port.
- Many MIPS and PowerPC processors have JTAG support too
- The PCI bus connector standard contains optional JTAG signals on pins 1-5[12]; PCI-Express contains JTAG signals on pins 5-9[13]. A special JTAG card can be used to reflash a corrupt BIOS.
- Boundary scan testing and in-system (device) programming applications are sometimes programmed using the Serial Vector Format, a textual representation of JTAG operations using a simple syntax. Other programming formats include 'JAM' and STAPL plus more recently the IEEE Std. 1532 defined format 'ISC' (short for In-System Configuration). ISC format is used in conjunction with enhanced BSDL models for programmable logic devices (i.e. FPGAs and CPLDs) that include addition ISC_<operation> instructions in addition to the basic bare minimum IEEE 1149.1 instructions. FPGA programming tools from Xilinx, Altera, Lattice, Cypress, Actel etc.. and will typically be able to export such files.
- As mentioned, many boards include JTAG connectors, or just pads, to support manufacturing operations, where boundary scan testing helps verify board quality (identifying bad solder joints, etc) and to initialize flash memory or FPGAs.
- JTAG can also support field updates and troubleshooting.
- Primarily of historical interest: Intel's Pentium processors supported a "probe mode"[14] supporting JTAG access for debuggers. For a long time, its documentation was withdrawn by Intel. Current x86 processors appear to use JTAG only for boundary scan.
Client Support
The target's JTAG interface is accessed using some JTAG-enabled application and some JTAG adapter hardware. There is a wide range of such hardware, optimized for purposes such as production testing, debugging high speed systems, low cost microcontroller development, and so on. In the same way, the software used to drive such hardware can be quite varied. Software developers mostly use JTAG for debugging and updating firmware.
If you want to acquire a JTAG adapter, you first need to decide what systems it must support. Everything else follows from that, including your software options. Low-end adapters may cost less than $US 50 and have limited hardware and software support. High-end adapters can cost a hundred times as much, including software support, and have corresponding improvements in capability.
JTAG connectors
There are no official standards for JTAG adapter physical connectors. Development boards usually include a header to support preferred development tools; in some cases they include multiple such headers, because they need to support multiple such tools. For example, a microcontroller, FPGA, and ARM application processor will rarely share tools, so a development board using all of those components might have three or more headers. Production boards may omit the headers; or when space is tight, just provide JTAG signal access using test points.
Some common pinouts[15] for 2.54mm (0.1 inch) pin headers are:
- ARM 2x10 pin (or sometimes the older 2x7), used by almost all ARM based systems
- MIPS EJTAG (2x7 pin) used for MIPS based systems
- 2x5 pin Altera ByteBlaster-compatible JTAG extended by many vendors
- 2x5 pin AVR extends Altera JTAG with SRST (and in some cases TRST and an event output)
- 2x7 pin Texas Instruments used with DSPs and ARM-based products such as OMAP
- 8 pin (single row) generic PLD JTAG compatible with many Lattice ispDOWNLOAD cables
Those connectors tend to include more than just the four standardized signals (TMS, TCK, TDI, TDO). Usually reset signals are provided, one or both of TRST (TAP reset) and SRST (system reset). The board voltage is usually provided, so that JTAG adapters can level-shift their inputs and outputs; that may also serve as a "board present" debugger input. Event input or output signals may be provided, or general purpose I/O (GPIO) lines, to support more complex debugging architectures.
Higher end products frequently use dense connectors (frequently 38-pin Mictor connectors) to support high-speed tracing in conjunction with JTAG operations. A recent trend is to have development boards integrate a USB interface to JTAG, where a second channel is used for a serial port. (Smaller boards can also be powered through USB. Since modern PCs tend to omit serial ports, such integrated debug links can significantly reduce clutter for developers.) Production boards often rely on bed-of-nails connections to test points for testing and programming.
JTAG Adapter Hardware
Adapter hardware varies widely. When not integrated into a development board, it involves a short cable to attach to a JTAG connector on the target board; a connection to the debugging host, such as a USB, PCI, or Ethernet link; and enough electronics to adapt the two communications domains (and sometimes provide galvanic isolation). A separate power supply may be needed. There are both "dumb" adapters, where the host decides and performs all JTAG operations; and "smart" ones, where some of that work is performed inside the adapter, often driven by a microcontroller. The "smart" adapters eliminate link latencies for operation sequences that may involve polling for status changes between steps, and may accordingly offer faster throughput.
At this writing (summer 2009) adapters with full speed USB links are probably the most common approach, and new products often include high speed USB support. Higher end products often support Ethernet, with the advantage that the debug host can be quite remote. Adapters which support high speed trace ports generally include several megabytes of trace buffer and provide high speed links (USB or Ethernet) to get that data to the host.
PC Parallel port adapters can be easy to build by hand, but are declining in usefulness because newer computers no longer have parallel port hardware. Such adapters are inexpensive, but relatively slow because they the host CPU changed each bit by hand ("bit banging"). Driver support was also a problem, because the adapter electronics varied so widely.
Serial port adapters also exist, and are similarly declining in usefulness. They generally involve either slower bitbanging than a parallel port, or a microcontroller translating some command protocol to JTAG operations. Such serial adapters are also not fast, but their command protocols could generally be reused on top of higher speed links.
With all JTAG adapters, software support is a basic concern. Many vendors do not publish the protocols used by their JTAG adapter hardware, limiting their customers to the tool chains supported by those vendors. This is a particular issue for "smart" adapters, some of which embed significant amounts of knowledge about how to interact with specific CPUs.
JTAG for Software Development
Most development environments for embedded software include JTAG support. There are, broadly speaking, three sources of such software:
- Chip Vendors may provide the tools, usually requiring a JTAG adapter they supply. Examples include FPGA vendors such as Xilinx and Altera, Atmel for its AVR8 and AVR32 product lines, and Texas Instruments for most of its DSP and micro products. Such tools tend to be highly featured, and may be the only real option for highly specialized chips like FPGAs and DSPs. Lower end software tools may be provided free of charge. The JTAG adapters themselves are not free, although sometimes they are bundled with development boards.
- Tool Vendors may supply them, usually in conjunction with multiple chip vendors to provide cross-platform development support. ARM-based products have a particularly rich third party market, and a number of those vendors have expanded to non-ARM platforms like MIPS and PowerPC. Tool vendors sometimes build products around free software like GCC and GDB, with GUI support frequently using Eclipse. JTAG adapters are sometimes sold along with support bundles.
- Open Source tools exist. As noted above, GCC and GDB form the core of a good toolchain, and there are GUI environments to support them. The OpenOCD project supports a GDB using number of JTAG adapters, notably inexpensive USB ones, and currently works best with ARM based systems.
All such software tends to include basic debugger support: stopping, halting, single stepping, breakpoints, data structure browsing, and so on. Commercial tools tend to provide tools like very accurate simulators and trace analysis, which are not currently available as open source.
See also
- AOI Automated optical inspection
- AXI Automated x-ray inspection
- ICT In-circuit test
- Functional testing (see Acceptance testing)
- Nexus 5001
- Non-JTAG hardware debug interfaces:
- Background Debug Mode interface
- Spy-Bi-Wire
- DebugWire on Atmel AVR
References
- ^ Copies of IEEE 1149.1-1990 or its 2001 update may be bought from the IEEE.
- ^ IEEE 1149.1-2001
- ^ FAQ: Under what conditions can I daisy-chain JTAG?
- ^ a b Texas Instruments is one mover behind this standard, and has an IEEE 1149.7 wiki page with more information.
- ^ Oshana, Rob (October 29, 2002). "Introduction to JTAG". Embedded Systems Design. Retrieved 2007-04-05.
- ^ ARM1136JF-S™ and ARM1136J-S™ Technical Reference Manual revision r1p5, ARM DDI 0211K. Chapter 14 presents the Debug TAP. Other ARM11 cores present the same model through their Debug TAPs.
- ^ Documentation for the OMAP2420 is not publicly available. However, a Texas Instruments document The User's Guide to DBGJTAG discussing a JTAG diagnostic tool presents this OMAP2420 scan chain example (and others).
- ^ See "i.MX35 (MCIMX35) Multimedia Applications Processor Reference Manual" from the Freescale web site. Chapter 44 presents its "Secure JTAG Controller" (SJC).
- ^ ARM9EJ-S Technical Reference Manual revision r1p2. Appendix B "Debug in Depth" presents the EmbeddedICE-RT module, as seen in the popular ARM926ejs core.
- ^ AN1817/D, "MMC20xx M•CORE OnCE Port Communication and Control Sequences"; Freescale Semiconductor, Inc.; 2004. Not all processors support the same OnCE module.
- ^ AN2073 "Differences Between the EOnCE and OnCE Ports"; Freescale Semiconductor, Inc.; 2005.
- ^ PCI Local Bus Technical Summary, 4.10 JTAG/Boundary Scan Pins
- ^ PCI-Express 16x Connector Pin Out
- ^ ICE Mode and the Pentium Processor
- ^ JTAG Pinouts lists a few JTAG-only header layouts that have widespread tool support.
External links
- IEEE Std 1149.1 (JTAG) Testability Primer Includes a strong technical presentation about JTAG, with design-for-test chapters.
- JTAG Tutorial and Boundary-Scan Applications
- A Brief Introduction to the JTAG Boundary Scan Interface
- Debugging with JTAG Introductory presentation for embedded Linux developers