This is a topic about jtag. So first thing first. What the heck on earth is jtag?
Jtag is a protocol designed in somewhere 1980's middle to overcome the bed of
nails issue.
Okay the next obvious question is "okay quack jtag is a protocol, SO?"
So? ugh, so it lets you have lot low level access. Which a software doesn't
let you reach because of some ring and other DMA and other clocking restrictions.
Okay this gives birth to the very next question "What on earth is bed of nails?"
aah well, life is not a bed of roses like wise in electronics also there are no
bed of roses. there used to be something called as bed of nails.
Okay fish, it doesnt answer what i asked, "What on earth is bed of nails?"
back in time untill JTAG became a standard, all chipsets after fabrication were
made to pass over nail like needle aka bed of nails. and its main purpose is to
check if the circuit is okay and also if botched up which nail is not conducting.
What is jtag? "Look quack, you got me super uber confused. explain properly!"
Well jtag was designed with the sole purpose of testing the circuit but then it
was adopted as an industry standard to check and debug cpu/ram/buses etc etc et
al and also lately used to debug softwares also.
Okay, so you said its about circuit check and now debugging board and cpu and
ram and other peripherals and bus and now even software?
Now let me speak and you read. Do we have ourselves
forged out a deal? So. Jtag is a protocol, its not longer used as a bed of
nails but used to debug circuits and programs. the full form of jtag is
joint task action group. there are many kinds/types of jtag for different kind
and architecture. jtag is mostly used for embedded archicture viz mips and arm.
but its also used in other architecture yes it includes x86 and also x86_64.
Before it was coined as jtag in europe it was popularly till today known as
JETAG which stands for Joint European Task Action Group, but eventually as time
passed away, E got dropped and it became popular as JTAG or Joint Task Action
Group.
Now the current trend is IJTAG or Internal JTAG which is mostly used to debug
DDR memory and also to clock them. ;-) Welcome to NWO, New World Order.
What does it debug? Every cpu when manufactured will mention the debug ports/pins
in the datasheets. Some are pin like your intel/amd cpu which have pins. a few of
these pins are the debug pins and they allow you a direct access to your DMA and
other essential components expecially buses. But now we have bga and pbga cpu and
tbga (teflon for those harsh zones like acid bowl/boilers etc) bga cpu. bga means
ball grid array and pga is pin grid array. there are many types of bga and pga
which is beyond the scope of this document.
What is the main use of jtag?
Jtag binds itself with TAP or Test Access Point for SoC (system on chip) and or,
SIP (system in package) or POP (Package on Package).
the arm cpu on blackberry playbook is a SOC of type POP and inside the chip there
is SIP. There are more than one cpu inside like cortex-m3 is inside the main cpu
chip and on top of that there is the ram package.
Why this process so successful? because we can accomodate many integrated circuits
inside the package. to control this there is EMbedded TAP Controller aka EMTAPC.
Why this is so important? Using EMCTAP the space is reduced, footprint is reduced,
many components can be packaged into the package. reducing the purpose of glueing
more components into the board aka solder and also yet allow access to the TAP.
Now what are these debug pins/pads? For pga its called debug pins and for bga its
called pads. How are they connected? the process of connecting is called mating.
How its done is using either pins which stands in a male/female socked and combined
to connect with male female. i.e. Female Sockets onboard binds with Male Pins from
emulator and Male Pins onboard hooked up using female sockets from the emulator. So,
there is no homosexuality and no retardism straight fornification with no bull
fecal matter business. Am i clear? And are you still reading? then please do so.
There debug pins/pads are labelled as :
TDI - > Test Data In.
TDO - > Test Data Out.
TMS - > Test Mode Select.
TCK - > Test ClocK.
GND - > Ground.
PWR - > Power.
These are the fundamental jtag pins/pads and its constant across all architectures.
Other additional pins/pads are:
TRST - > Test ReSeT (test pin)
CS -> Chip Select (mostly for RAM)
Now the purpose of each pins/pads are configured in the shift register as Parallel
In & Parallel Out. This process is called capture process since signals are captured
in this process. And there is this parallel unload operation called unload. in
simple english capture is read and unload is write.
Data gets routed/shifted through serial registers or shift register in serial mode
from a dedicated input pin called as TDI and the terminating data pin in called
TDO. test clock is fed in via another dedicated device input pin hence called TCK,
and the mode of operation is controlling register is called TMS and GND is ground
as usual.
This process of scanning the pins for data feed out (capture) and feed in (unload)
is called boundary scan cells, and these replaces the olden days "Bed Of Nails."
Using jtag what all hardware defects/errors are scanned?
Using the signals sent and received and prior information database check/matching
is done to evaluate this criteria :->
Scan Cell -> Driver -> Bond/Bind Wire(s) -> Legs/Pads/Balls/Pins -> Solder quality & correctness -> Interconnect Solder i.e. between layers -> Legs/Pads/Balls/Pins -> Bond/Bind Wire -> Driver -> Scan Cell
So TDI & TDO & TCK & TMS & TRST forms the TAP or Test Access Point. The TAP forms
the boundary scan and when the machine is one it forms the finite state machine
or STM. It must have n>=2 Registers and or n-bit registers for holding current
instructions where n must be greater than 2 and is usually in hexadecimal, and
1-bit register again in hex as bypass register aka Bypass. And a 32-bit
identification register (Ident) which contains the corresponding CPU match in
the database.
TDI and TDO and a hold section forms the IR or Instruction Register. So what
the heck is IR? There are some decoding logic between the two sections which
depends on the width of the register and the number of different instructions.
The control signals originate from the TAP controller or EMTAPC and its because
of either shift-in/shift-out through the IR shift secrion of the register or
the hold section which is also known as update operation. It can also capture
certained hard coded values into the shift section of the IR register. Why is
it so important? because the Memory TAP contains the RSA signature private key
which is hardwired in the efuse which is read in the memory and stored untill
the hash check is done and then wiped clean from the memory.
The IR code must be *MINIMUM* 2 bits long and contains four (4) mandatory
instructions, namely Bypass, Sample, Preload, Extest. But their maximum value
is never predefined. During capture mode it has to be 01 as the IR or 0x01
pattern and its universal for all architectures. and its MANDATORY to have
0x01 as the IR pattern as capture mode.
There are other instructions like Intest, Idcode, runbist, clamp, highz (HiZ),
flush and store and many more and also a few private instructions, which are
never documented.
TDI-to-TDO bypass instructions is captured during boundary scan and this is
known as chip-to-chip interconnect and it does the initial check and its
called test-the-tester.
so TAP can be tablularized as
1. TMS 2. TCK 3. TRST*
- TAP -
ClockDR, ShiftDR, UpdateDR, Reset*, Select, ClockIR, ShiftIR, UpdateIR, Enable.
*TRST is the optional terminal/pin/pad and reset is an optional instruction,
normally used to reboot the device.
The IR is of 32 bits and its broken into
4 bits -> version
16 bits -> part number viz. cpu/device code
11 bits -> jedec number (manufacturer code)
1 bits -> lsb (least significant bit)
-------------------------------
| 4| 16 | 11 |1
-------------------------------
Now BR or boundary scan register! What it does it is it reads the I/O signals
from the I/O ports and tristate ports. Tristate ports are 0,1,Z. 0 & 1 = Current,
and Z = ground.
The order is directly related to physical adjacency or connections or which pin
is connected to which pin and its selected by Extest, sample, preload and intest.
After IR state the BR state is on hold by the CS because the RAM is on the same
shared bus. and here clamp instruction is passed via the pin multiplexer. if
there are no multiplexer then system bus is directly accessed. This is known as
preload instructions.
THE RSA KEYS USED TO SIGN BOOTROM IS EXECUTED FROM HERE SINCE ITS STORED IN AN NVRAM.
There are private or undocumented registers and instructions which are never ever
documented for confidential reasons. which is why TI never gives away the NDA
materials because it contains this private instructions somewhere and w/o knowing
its a gamble. And the boundary scans reads inputs as signals from these pins and
then finally read from the test pins.
The test pins are connected to other pins/pads and this is called networking and
this networking is called a bus or logic gates. typically each signal can use
anywhere from 20-400 logic gates connected in a network called network bus.
This is not the tcp/ip network protocol this is the I/O connection bus.
There are different kind of bus, viz. usb, pci. pcie, serial, parallel, isa, vxi,
pcmcia etc. These buses are wires or electrical pads/pins connected to each
other which forms a network bus.
If there is a short circuit then its calculation formula is ceil [log base 2 (N)],
where ceil is ceiling value or current passing through as bits. So if its a usb bus?
where there are 5 wires then there can be ceil (log base 2 [127*5]) bits.
If you failed in math dont even try to understand this mathematical calculations,
jtag is not your cup of tea and if someone wishes to help me calculate the exact
value then more than welcome.
The TCK value is somewhere between 10 MHz to 25 MHz. MHz = Mega Hertz.
Hertz = Cycles/Oscillations.
In ARM JTAG? First SRAM is initialized which is why this process is called as CAR,
or Cache-As-Ram. This SRAM initilizes the system RAM via bus logic I/O and the
signal is O_Enab or Output Enable.
Okay enough, Bull Fecal matter having being said. Now you may either continue
to read further or press the eject button and criticize or rant about blackberry.
Feel free to be my guest.
Next topic is BSDL, which stands for Boundary-Scan Description Language.
BSDL is a subset of VHSIC Hardware Description Language where VHSIC = Very
High System In Chip.
If you dont understand logic? Dont read from here on. This is highly logical. Now,
if you are illogical this is not the piece you should be reading. Get off and go
rant or criticize me. You have a PHD in being a two face, be my guest.
BSDL transforms these machine state 0's and 1's signals into human readable
0's and 1's bits. If you are one of those 10 types who (dont)understand binary
math and have failed in math, dont read this. i will not take/make any effort to
explain you anything either in 01/10 math or in english. thank you.
This pattern generation is called ATPG or automatic test pattern generation and
its done by the EMTAPC called ATE (Automatic Test Equipment).
To understand this 0's and 1's normally take 7-8 weeks to understand the full
pattern documented and private ones.
Elements of BSDL are :
#1. Entity Description -> This identifies the device and its serial number or
model number or a family number.
#2. Generic Parameter -> This deals with other non important information
example packaging and sub family et al.
#3. Logical Port Description -> This deals with the description of logical
ports such as I/O (both system and TAP) pins and denotes their state or
(de)muxed state eg I,O,I/O,Z etc etc.
#4. Use Statements -> Some IEEE standard found on packaging and datasheet and
on package bodies is denoted here.
#5. Pin mappings (vref) -> This shows how the pins are mapped and which pins
bear which number and et al and also their string and (de)muxed value.
#6. Scan Port Identification -> This port shows the TAP identification as which
port is connected to which.
#7. Instruction Register Description -> It identifies the device-dependent
characteristics of IR.
#8. Register Access Description -> This shows which register is connected
between TDI and TDO.
#9. Boundary Register Description -> This contains the list of boundary cells,
along with information regarding the cell type and associated control.
If you havent understood BSDL, then forget it. Dont read the next paragraph and
thats it BSDL ends here, and now HSDL.
HSDL stands for Hierarchial Scan Definition Language and why is it so important?
TI or Texas instruments designed this subset of BSDL and uses it in all OMAP
chips including OMAP4430 which is in blackberry playbook.
HSDL is a patented technology from TI and its main use :
#1. is to test the bus interconnect.
#2. board description along with dynamic and reconfigurable architecture.
#3. ease of use and risk reduction and verification during and improvement
during interactive design and debug.
BSDL and HSDL combine to form the UUT or unit under test description.
Components of HSDL are as follows:
#1. Entity description -> Talks about the board and its version and make and
model number. starts with entity statement and ends with end statement.
#2. Generic Parameter -> Talks to the board and its components and shows the
cpu package used.
#3. Logical Port Description -> Logical I/O (system and TAP pins) and denotes
the nature viz input, output, bidirectional and so on, eg I,O,I/O,Z etc.
#4. Use Statement -> External definition found on package and bodies which is
tattoed mostly.
#5. Pin Mapping -> Logical signals of physical pins of a particular entity
with (de)muxing or (de)multiplexing.
#6. Scan Port Identification -> Defines entity's TAP with signal and sometimes
values in exponential (IF YOU FAILED IN MATH DONT WASTE YOUR AND MY TIME, THANKS)
#7. Member Description - > Shows what other modules are present along with the
main pins. viz daughter cards and sub-assemblies.
#8. Bus Composition -> Shows the bus composition eg modules buses, member
module buses, member device buses and member device test registers.
#9. Path Description -> Netlist of TAP signals on the board or the scan paths.
Jtag is a protocol designed in somewhere 1980's middle to overcome the bed of
nails issue.
Okay the next obvious question is "okay quack jtag is a protocol, SO?"
So? ugh, so it lets you have lot low level access. Which a software doesn't
let you reach because of some ring and other DMA and other clocking restrictions.
Okay this gives birth to the very next question "What on earth is bed of nails?"
aah well, life is not a bed of roses like wise in electronics also there are no
bed of roses. there used to be something called as bed of nails.
Okay fish, it doesnt answer what i asked, "What on earth is bed of nails?"
back in time untill JTAG became a standard, all chipsets after fabrication were
made to pass over nail like needle aka bed of nails. and its main purpose is to
check if the circuit is okay and also if botched up which nail is not conducting.
What is jtag? "Look quack, you got me super uber confused. explain properly!"
Well jtag was designed with the sole purpose of testing the circuit but then it
was adopted as an industry standard to check and debug cpu/ram/buses etc etc et
al and also lately used to debug softwares also.
Okay, so you said its about circuit check and now debugging board and cpu and
ram and other peripherals and bus and now even software?
Now let me speak and you read. Do we have ourselves
forged out a deal? So. Jtag is a protocol, its not longer used as a bed of
nails but used to debug circuits and programs. the full form of jtag is
joint task action group. there are many kinds/types of jtag for different kind
and architecture. jtag is mostly used for embedded archicture viz mips and arm.
but its also used in other architecture yes it includes x86 and also x86_64.
Before it was coined as jtag in europe it was popularly till today known as
JETAG which stands for Joint European Task Action Group, but eventually as time
passed away, E got dropped and it became popular as JTAG or Joint Task Action
Group.
Now the current trend is IJTAG or Internal JTAG which is mostly used to debug
DDR memory and also to clock them. ;-) Welcome to NWO, New World Order.
What does it debug? Every cpu when manufactured will mention the debug ports/pins
in the datasheets. Some are pin like your intel/amd cpu which have pins. a few of
these pins are the debug pins and they allow you a direct access to your DMA and
other essential components expecially buses. But now we have bga and pbga cpu and
tbga (teflon for those harsh zones like acid bowl/boilers etc) bga cpu. bga means
ball grid array and pga is pin grid array. there are many types of bga and pga
which is beyond the scope of this document.
What is the main use of jtag?
Jtag binds itself with TAP or Test Access Point for SoC (system on chip) and or,
SIP (system in package) or POP (Package on Package).
the arm cpu on blackberry playbook is a SOC of type POP and inside the chip there
is SIP. There are more than one cpu inside like cortex-m3 is inside the main cpu
chip and on top of that there is the ram package.
Why this process so successful? because we can accomodate many integrated circuits
inside the package. to control this there is EMbedded TAP Controller aka EMTAPC.
Why this is so important? Using EMCTAP the space is reduced, footprint is reduced,
many components can be packaged into the package. reducing the purpose of glueing
more components into the board aka solder and also yet allow access to the TAP.
Now what are these debug pins/pads? For pga its called debug pins and for bga its
called pads. How are they connected? the process of connecting is called mating.
How its done is using either pins which stands in a male/female socked and combined
to connect with male female. i.e. Female Sockets onboard binds with Male Pins from
emulator and Male Pins onboard hooked up using female sockets from the emulator. So,
there is no homosexuality and no retardism straight fornification with no bull
fecal matter business. Am i clear? And are you still reading? then please do so.
There debug pins/pads are labelled as :
TDI - > Test Data In.
TDO - > Test Data Out.
TMS - > Test Mode Select.
TCK - > Test ClocK.
GND - > Ground.
PWR - > Power.
These are the fundamental jtag pins/pads and its constant across all architectures.
Other additional pins/pads are:
TRST - > Test ReSeT (test pin)
CS -> Chip Select (mostly for RAM)
Now the purpose of each pins/pads are configured in the shift register as Parallel
In & Parallel Out. This process is called capture process since signals are captured
in this process. And there is this parallel unload operation called unload. in
simple english capture is read and unload is write.
Data gets routed/shifted through serial registers or shift register in serial mode
from a dedicated input pin called as TDI and the terminating data pin in called
TDO. test clock is fed in via another dedicated device input pin hence called TCK,
and the mode of operation is controlling register is called TMS and GND is ground
as usual.
This process of scanning the pins for data feed out (capture) and feed in (unload)
is called boundary scan cells, and these replaces the olden days "Bed Of Nails."
Using jtag what all hardware defects/errors are scanned?
Using the signals sent and received and prior information database check/matching
is done to evaluate this criteria :->
Scan Cell -> Driver -> Bond/Bind Wire(s) -> Legs/Pads/Balls/Pins -> Solder quality & correctness -> Interconnect Solder i.e. between layers -> Legs/Pads/Balls/Pins -> Bond/Bind Wire -> Driver -> Scan Cell
So TDI & TDO & TCK & TMS & TRST forms the TAP or Test Access Point. The TAP forms
the boundary scan and when the machine is one it forms the finite state machine
or STM. It must have n>=2 Registers and or n-bit registers for holding current
instructions where n must be greater than 2 and is usually in hexadecimal, and
1-bit register again in hex as bypass register aka Bypass. And a 32-bit
identification register (Ident) which contains the corresponding CPU match in
the database.
TDI and TDO and a hold section forms the IR or Instruction Register. So what
the heck is IR? There are some decoding logic between the two sections which
depends on the width of the register and the number of different instructions.
The control signals originate from the TAP controller or EMTAPC and its because
of either shift-in/shift-out through the IR shift secrion of the register or
the hold section which is also known as update operation. It can also capture
certained hard coded values into the shift section of the IR register. Why is
it so important? because the Memory TAP contains the RSA signature private key
which is hardwired in the efuse which is read in the memory and stored untill
the hash check is done and then wiped clean from the memory.
The IR code must be *MINIMUM* 2 bits long and contains four (4) mandatory
instructions, namely Bypass, Sample, Preload, Extest. But their maximum value
is never predefined. During capture mode it has to be 01 as the IR or 0x01
pattern and its universal for all architectures. and its MANDATORY to have
0x01 as the IR pattern as capture mode.
There are other instructions like Intest, Idcode, runbist, clamp, highz (HiZ),
flush and store and many more and also a few private instructions, which are
never documented.
TDI-to-TDO bypass instructions is captured during boundary scan and this is
known as chip-to-chip interconnect and it does the initial check and its
called test-the-tester.
so TAP can be tablularized as
1. TMS 2. TCK 3. TRST*
- TAP -
ClockDR, ShiftDR, UpdateDR, Reset*, Select, ClockIR, ShiftIR, UpdateIR, Enable.
*TRST is the optional terminal/pin/pad and reset is an optional instruction,
normally used to reboot the device.
The IR is of 32 bits and its broken into
4 bits -> version
16 bits -> part number viz. cpu/device code
11 bits -> jedec number (manufacturer code)
1 bits -> lsb (least significant bit)
-------------------------------
| 4| 16 | 11 |1
-------------------------------
Now BR or boundary scan register! What it does it is it reads the I/O signals
from the I/O ports and tristate ports. Tristate ports are 0,1,Z. 0 & 1 = Current,
and Z = ground.
The order is directly related to physical adjacency or connections or which pin
is connected to which pin and its selected by Extest, sample, preload and intest.
After IR state the BR state is on hold by the CS because the RAM is on the same
shared bus. and here clamp instruction is passed via the pin multiplexer. if
there are no multiplexer then system bus is directly accessed. This is known as
preload instructions.
THE RSA KEYS USED TO SIGN BOOTROM IS EXECUTED FROM HERE SINCE ITS STORED IN AN NVRAM.
There are private or undocumented registers and instructions which are never ever
documented for confidential reasons. which is why TI never gives away the NDA
materials because it contains this private instructions somewhere and w/o knowing
its a gamble. And the boundary scans reads inputs as signals from these pins and
then finally read from the test pins.
The test pins are connected to other pins/pads and this is called networking and
this networking is called a bus or logic gates. typically each signal can use
anywhere from 20-400 logic gates connected in a network called network bus.
This is not the tcp/ip network protocol this is the I/O connection bus.
There are different kind of bus, viz. usb, pci. pcie, serial, parallel, isa, vxi,
pcmcia etc. These buses are wires or electrical pads/pins connected to each
other which forms a network bus.
If there is a short circuit then its calculation formula is ceil [log base 2 (N)],
where ceil is ceiling value or current passing through as bits. So if its a usb bus?
where there are 5 wires then there can be ceil (log base 2 [127*5]) bits.
If you failed in math dont even try to understand this mathematical calculations,
jtag is not your cup of tea and if someone wishes to help me calculate the exact
value then more than welcome.
The TCK value is somewhere between 10 MHz to 25 MHz. MHz = Mega Hertz.
Hertz = Cycles/Oscillations.
In ARM JTAG? First SRAM is initialized which is why this process is called as CAR,
or Cache-As-Ram. This SRAM initilizes the system RAM via bus logic I/O and the
signal is O_Enab or Output Enable.
Okay enough, Bull Fecal matter having being said. Now you may either continue
to read further or press the eject button and criticize or rant about blackberry.
Feel free to be my guest.
Next topic is BSDL, which stands for Boundary-Scan Description Language.
BSDL is a subset of VHSIC Hardware Description Language where VHSIC = Very
High System In Chip.
If you dont understand logic? Dont read from here on. This is highly logical. Now,
if you are illogical this is not the piece you should be reading. Get off and go
rant or criticize me. You have a PHD in being a two face, be my guest.
BSDL transforms these machine state 0's and 1's signals into human readable
0's and 1's bits. If you are one of those 10 types who (dont)understand binary
math and have failed in math, dont read this. i will not take/make any effort to
explain you anything either in 01/10 math or in english. thank you.
This pattern generation is called ATPG or automatic test pattern generation and
its done by the EMTAPC called ATE (Automatic Test Equipment).
To understand this 0's and 1's normally take 7-8 weeks to understand the full
pattern documented and private ones.
Elements of BSDL are :
#1. Entity Description -> This identifies the device and its serial number or
model number or a family number.
#2. Generic Parameter -> This deals with other non important information
example packaging and sub family et al.
#3. Logical Port Description -> This deals with the description of logical
ports such as I/O (both system and TAP) pins and denotes their state or
(de)muxed state eg I,O,I/O,Z etc etc.
#4. Use Statements -> Some IEEE standard found on packaging and datasheet and
on package bodies is denoted here.
#5. Pin mappings (vref) -> This shows how the pins are mapped and which pins
bear which number and et al and also their string and (de)muxed value.
#6. Scan Port Identification -> This port shows the TAP identification as which
port is connected to which.
#7. Instruction Register Description -> It identifies the device-dependent
characteristics of IR.
#8. Register Access Description -> This shows which register is connected
between TDI and TDO.
#9. Boundary Register Description -> This contains the list of boundary cells,
along with information regarding the cell type and associated control.
If you havent understood BSDL, then forget it. Dont read the next paragraph and
thats it BSDL ends here, and now HSDL.
HSDL stands for Hierarchial Scan Definition Language and why is it so important?
TI or Texas instruments designed this subset of BSDL and uses it in all OMAP
chips including OMAP4430 which is in blackberry playbook.
HSDL is a patented technology from TI and its main use :
#1. is to test the bus interconnect.
#2. board description along with dynamic and reconfigurable architecture.
#3. ease of use and risk reduction and verification during and improvement
during interactive design and debug.
BSDL and HSDL combine to form the UUT or unit under test description.
Components of HSDL are as follows:
#1. Entity description -> Talks about the board and its version and make and
model number. starts with entity statement and ends with end statement.
#2. Generic Parameter -> Talks to the board and its components and shows the
cpu package used.
#3. Logical Port Description -> Logical I/O (system and TAP pins) and denotes
the nature viz input, output, bidirectional and so on, eg I,O,I/O,Z etc.
#4. Use Statement -> External definition found on package and bodies which is
tattoed mostly.
#5. Pin Mapping -> Logical signals of physical pins of a particular entity
with (de)muxing or (de)multiplexing.
#6. Scan Port Identification -> Defines entity's TAP with signal and sometimes
values in exponential (IF YOU FAILED IN MATH DONT WASTE YOUR AND MY TIME, THANKS)
#7. Member Description - > Shows what other modules are present along with the
main pins. viz daughter cards and sub-assemblies.
#8. Bus Composition -> Shows the bus composition eg modules buses, member
module buses, member device buses and member device test registers.
#9. Path Description -> Netlist of TAP signals on the board or the scan paths.
