ARM JTAG Debugging principle
Open-jtag Development Group
1 Preface
This article introduces the basic principles of ARM JTAG debugging.
It covers the TAP (Test Access Port) and the boundary-scan architecture and, on that basis, explains the JTAG debugging principle in detail using the ARM7TDMI.
This article mainly sums up some experience from the recent past; I hope it will be of some help to users who want to understand ARM JTAG debugging.
My personal understanding of ARM JTAG is not very thorough, so the article will inevitably contain biased and inaccurate passages.
I hope the experts who have mastered the JTAG debugging principle will go easy on me; if any problems are raised, I will try to correct them.
Friends who are interested in ARM JTAG debugging are also welcome to exchange ideas and learn together.
2 IEEE Standard 1149.1 - Test Access Port and Boundary-Scan Architecture
Since we are introducing JTAG debugging, let's start with the IEEE JTAG debug standard.
JTAG is the abbreviation of Joint Test Action Group. The IEEE 1149.1 standard was originally proposed by the JTAG organization and was eventually approved and standardized by the IEEE.
For that reason, the IEEE 1149.1 standard is commonly known as the JTAG debug standard.
This section briefly introduces the basic architecture of the TAP (Test Access Port) and the boundary-scan architecture.
Although it is not very comprehensive, it should be roughly enough to understand the fundamentals of JTAG.
If you want a more thorough understanding of how JTAG works, refer to the IEEE 1149.1 standard.
2-1 Boundary Scan
In JTAG debugging, boundary scan (Boundary-Scan) is a very important concept.
The basic idea of boundary-scan technology is to add a shift register cell next to each input and output pin of the chip.
Because these shift register cells are distributed around the boundary of the chip, they are called boundary-scan register cells (Boundary-Scan Register Cell).
When the chip is in the debug state, these boundary-scan registers can isolate the chip from its external inputs and outputs.
Through these boundary-scan register cells, the input and output signals of the chip can be observed and controlled.
For an input pin of the chip, a signal (data) can be loaded onto the pin by the boundary-scan register cell connected to it;
for an output pin of the chip, the output signal on the pin can be "captured" by the boundary-scan register cell connected to it.
Under normal operating conditions, the boundary-scan registers are transparent to the chip, so normal operation is not affected.
In this way, the boundary-scan registers provide a convenient way to observe and control the chip that is being debugged.
In addition, the boundary-scan (shift) register cells on the chip's input and output pins can be connected to each other to form a boundary scan chain (Boundary-Scan Chain) around the chip.
A typical chip provides several independent boundary scan chains in order to implement complete test functionality.
A boundary scan chain supports serial input and output; with the corresponding clock and control signals, a chip in the debug state can conveniently be observed and controlled.
By using the boundary scan chain, the inputs and outputs of the chip can be observed and controlled.
The next question is: how are these boundary scan chains managed and used?
Control of the boundary scan chains is done mainly through the TAP (Test Access Port) controller.
The next section looks at how the TAP works.
2-2 TAP (Test Access Port)
The previous section briefly introduced the boundary scan chain and noted that a chip generally provides several boundary scan chains in order to implement complete test functionality.
Below, I will explain step by step how control of and access to the scan chains is implemented.
In the IEEE 1149.1 standard, registers are divided into two main categories:
data registers (DR - Data Register) and the instruction register (IR - Instruction Register).
The boundary scan chain is an important kind of data register.
The boundary scan chain is used to observe and control the inputs and outputs of the chip, while the instruction register is used to control the data registers,
for example: from all the boundary scan chains provided by the chip, select one specified chain as the current target scan chain and as the object of access.
Let's start with the TAP (Test Access Port).
The TAP is a general-purpose port that provides access to all the data registers (DR) and the instruction register (IR) provided by the chip.
Control of the entire TAP is done through the TAP controller.
The TAP consists of 5 signal interfaces, TCK, TMS, TDI, TDO, and TRST:
4 of them are input signal interfaces and the other 1 is an output signal interface.
The development boards we generally see have a JTAG interface, and these 5 are the main signals of that interface.
Below, I first introduce these 5 interface signals and their functions one by one.
Test Clock Input (TCK): TCK provides an independent, basic clock signal for TAP operation; all TAP operations are driven by this clock signal.
TCK is mandatory in the IEEE 1149.1 standard.
Test Mode Selection Input (TMS): The TMS signal is used to control the transitions of the TAP state machine.
Through the TMS signal, the TAP can be switched between its different states. The TMS signal is valid on the rising edge of TCK.
TMS is mandatory in the IEEE 1149.1 standard.
Test Data Input (TDI): TDI is the interface for data input. All data to be written into a particular register is shifted in serially, one bit at a time, through the TDI interface (driven by TCK).
TDI is mandatory in the IEEE 1149.1 standard.
Test Data Output (TDO): TDO is the interface for data output.
All data to be read from a particular register is shifted out serially, one bit at a time, through the TDO interface (driven by TCK).
TDO is mandatory in the IEEE 1149.1 standard.
Test Reset Input (TRST): TRST can be used to reset (initialize) the TAP controller.
However, this signal interface is optional in the IEEE 1149.1 standard and is not mandatory,
because the TAP controller can also be reset (initialized) via TMS.
In fact, the general process of accessing a data register (DR) via the TAP interface is:
through the instruction register (IR), select the data register that needs to be accessed;
connect the selected data register between TDI and TDO;
driven by TCK, shift the required data into the selected data register via TDI;
at the same time, read out the data in the selected data register through TDO.
Next, let's take a look at the TAP state machine.
The TAP state machine is shown in Figure 1; it has a total of 16 states. In the diagram, each hexagon represents a state, and the hexagon carries the name and identification code of that state.
The arrows in the diagram represent all the possible state transitions within the TAP controller.
The state transitions are controlled by TMS, so each arrow is marked with TMS = 0 or TMS = 1.
Driven by TCK, the transition from the current state to the next state is determined by the TMS signal.
Assume the current state of the TAP controller is Select-DR-Scan; driven by TCK,
if TMS = 0, the TAP controller enters the Capture-DR state;
if TMS = 1, the TAP controller enters the Select-IR-Scan state.
This state machine looks very complex, but once you understand it you will find that it is actually straightforward and simple.
Looking at Figure 1, we can see that apart from the Test-Logic-Reset and Run-Test/Idle states, the other states come in similar pairs.
For example, Select-DR-Scan corresponds to Select-IR-Scan, Capture-DR corresponds to Capture-IR, Shift-DR corresponds to Shift-IR, and so on.
In these corresponding states, DR stands for data register and IR stands for instruction register.
Remember what we said earlier: registers fall into two categories, data registers and the instruction register.
In fact, the states marked DR are used to access the data registers, and the states marked IR are used to access the instruction register.
Before we describe each state of the state machine in detail, let's first think about this:
what has to be done in order to observe and control the inputs and outputs of the chip through the boundary scan chain?
To capture the output on a pin of the chip, the output of that pin must first be loaded into the register cell of the boundary scan chain
and then shifted out through TDO, so that we can obtain the output signal of the corresponding pin from TDO.
To load a particular signal onto a pin of the chip, the desired signal is first shifted in through TDI to the register cell of the boundary scan chain that is connected to the corresponding pin;
the value of that register cell is then loaded onto the corresponding chip pin.
Now let's go through the states one by one: what does each state mean, and what function does it perform?
Test-Logic-Reset: When the system powers up, the TAP controller automatically enters this state.
In this state, the logic circuits of the test part are all disabled, to ensure normal operation of the chip's core logic.
The TRST signal can also be used to reset the test logic circuit, which puts the TAP controller into the Test-Logic-Reset state.
As we said before, TRST is an optional signal interface, because holding TMS at "1" continuously for 5 TCK pulse widths
also resets the test logic circuit and puts the TAP controller into the Test-Logic-Reset state.
As a result, it makes no difference if the TRST signal is not provided.
In this state, if TMS remains "1", the TAP controller stays in the Test-Logic-Reset state;
if TMS changes from "1" to "0" (triggered on the rising edge of TCK), the TAP controller enters the Run-Test/Idle state.
Run-Test/Idle: This is an intermediate state of the TAP controller between different operations.
The action taken in this state depends on the instruction currently in the instruction register.
Some instructions perform certain operations in this state, and some instructions do not need to perform any action in this state.
In this state, if TMS remains "0", the TAP controller stays in the Run-Test/Idle state;
if TMS changes from "0" to "1" (triggered on the rising edge of TCK), the TAP controller enters the Select-DR-Scan state.
Select-DR-Scan: This is a temporary intermediate state.
If TMS is "0" (triggered on the rising edge of TCK), the TAP controller enters the Capture-DR state, and the subsequent series of actions operates on the data register;
if TMS is "1" (triggered on the rising edge of TCK), the TAP controller enters the Select-IR-Scan state.
Capture-DR: When the TAP controller is in this state, on the rising edge of TCK the signals on the chip output pins are "captured" into the cells of the corresponding data register.
If TMS is "0" (triggered on the rising edge of TCK), the TAP controller enters the Shift-DR state;
if TMS is "1" (triggered on the rising edge of TCK), the TAP controller enters the Exit1-DR state.
Shift-DR: In this state, driven by TCK, in each clock cycle the data register connected between TDI and TDO
receives one bit of data from TDI while outputting one bit of data through TDO.
If TMS is "0" (triggered on the rising edge of TCK), the TAP controller remains in the Shift-DR state;
if TMS is "1" (triggered on the rising edge of TCK), the TAP controller enters the Exit1-DR state.
Assume that the current data register has a length of 4.
If TMS remains at 0, after 4 TCK clock cycles the original 4 bits of data in the data register (typically the data captured in the Capture-DR state) will have been output from TDO;
at the same time, the register cells of the data register will have received 4 new bits of data from the TDI input.
Update-DR: In the Update-DR state, driven by the rising edge of TCK, the data in the data register is loaded onto the corresponding chip pins to drive the chip.
In this state, if TMS is "0", the TAP controller returns to the Run-Test/Idle state;
if TMS is "1", the TAP controller enters the Select-DR-Scan state.
Select-IR-Scan: This is a temporary intermediate state.
If TMS is "0" (triggered on the rising edge of TCK), the TAP controller enters the Capture-IR state, and the subsequent series of actions operates on the instruction register;
if TMS is "1" (triggered on the rising edge of TCK), the TAP controller enters the Test-Logic-Reset state.
Capture-IR: When the TAP controller is in this state, on the rising edge of TCK a specific logic sequence is loaded into the instruction register.
If TMS is "0" (triggered on the rising edge of TCK), the TAP controller enters the Shift-IR state;
if TMS is "1" (triggered on the rising edge of TCK), the TAP controller enters the Exit1-IR state.
Shift-IR: In this state, driven by TCK, in each clock cycle the instruction register connected between TDI and TDO
receives one bit of data from TDI while outputting one bit of data through TDO.
If TMS is "0" (triggered on the rising edge of TCK), the TAP controller remains in the Shift-IR state;
if TMS is "1" (triggered on the rising edge of TCK), the TAP controller enters the Exit1-IR state.
Assume that the instruction register has a length of 4. If TMS remains at 0, after 4 TCK clock cycles the original 4-bit specific logic sequence in the instruction register
(the specific logic sequence captured in the Capture-IR state) will have been output from TDO, and it can be used to determine whether the operation is correct;
at the same time, the instruction register will have received a new 4-bit instruction from the TDI input.
Update-IR: In this state, the new instruction shifted in during the Shift-IR state is used to update the instruction register.
Having said all that, let's look at the general process of accessing the instruction register and the data registers, to get an intuitive picture.
1. When the system powers up, the TAP controller enters the Test-Logic-Reset state and then passes through, in order:
Run-Test/Idle -> Select-DR-Scan -> Select-IR-Scan -> Capture-IR -> Shift-IR -> Exit1-IR -> Update-IR, and finally returns to the Run-Test/Idle state.
In the Capture-IR state, a specific logic sequence is loaded into the instruction register, and the controller then enters the Shift-IR state.
In the Shift-IR state, driven by TCK, a specific instruction can be shifted into the instruction register.
Each instruction determines an associated data register.
The controller then goes from Shift-IR -> Exit1-IR -> Update-IR. In the Update-IR state, the instruction just shifted into the instruction register is used to update the instruction register.
Finally, the controller enters the Run-Test/Idle state, the instruction takes effect, and the access to the instruction register is complete.
2. The data register that can currently be accessed is determined by the current instruction in the instruction register.
To access the data register selected by the instruction just written, start from Run-Test/Idle and pass through, in order:
Select-DR-Scan -> Capture-DR -> Shift-DR -> Exit1-DR -> Update-DR, and finally return to the Run-Test/Idle state.
During this process, the data register selected by the current instruction is connected between TDI and TDO.
Through TDI and TDO, new data can be loaded into the data register, and the data in the data register can be captured.
The specific process is as follows. In the Capture-DR state, driven by TCK, the output signals on the chip pins are "captured" into the corresponding boundary-scan register cells.
In this way, the output signals on the corresponding pins of the chip are recorded in the current data register.
The next step is to enter the Shift-DR state from Capture-DR.
In the Shift-DR state, driven by TCK, in each clock cycle one new bit of data can be shifted serially into the data register through TDI;
at the same time, the data register shifts one previously captured bit of data out serially through TDO.
After as many clock cycles as the length of the data register, the input of the new signals and the output of the captured data are complete.
Next, the controller enters the Update-DR state via the Exit1-DR state.
In the Update-DR state, the new data in the data register is loaded onto the chip pins connected to each register cell of the data register.
Finally, the controller returns to the Run-Test/Idle state, which completes the access to the data register.
The general process of accessing data registers via the TAP is described above.
Does it still feel very abstract? Let's look at a more intuitive example.
Assume that the TAP controller is now in the Run-Test/Idle state and that a new instruction has been successfully written to the instruction register; this instruction selects a boundary scan chain of length 6.
Let's look at how this boundary scan chain is actually accessed.
Figure 2 shows the chip under test and the boundary scan chain of length 6 selected by the current instruction.
As can be seen from Figure 2, the currently selected boundary scan chain consists of 6 boundary-scan shift register cells and is connected between TDI and TDO.
The TCK clock signal is connected to every boundary-scan shift register cell.
Each clock cycle moves the data in the boundary scan chain by one bit in the direction from TDI to TDO, so that
new data can be shifted in through TDI and the data in the boundary scan chain can be shifted out through TDO.
After 6 clock cycles, the data in the boundary scan chain has been completely replaced, and the 6 bits of data captured in the boundary scan chain have been shifted out through TDO.
Figure 3 shows the access process for the boundary scan chain.
Figure 3.1 shows the initial state of the chip and the boundary scan chain. In the test state, the external inputs and outputs of the chip are isolated, and the inputs and outputs of the chip can be observed and controlled through the corresponding boundary scan chain.
In Figure 3.1, the data in each shift register cell of the scan chain is indeterminate, so the data sequence in the entire scan chain is XXXXXX, as indicated by the X marks in the figure.
The data sequence to be input to the chip under test through TDI is 101010; at the same time, the state of the corresponding chip pins is to be obtained from TDO.
The TAP controller now goes from the Run-Test/Idle state, through the Select-DR-Scan state, into the Capture-DR state.
In the Capture-DR state, driven by one TCK clock, the signal states on the chip pins are captured into the corresponding boundary-scan shift register cells,
as shown in Figure 3.2. As we can see from Figure 3.2, after entering the Capture-DR state
and after one TCK clock cycle, the data sequence in the scan chain becomes 111000.
After the data capture is complete, the controller enters the Shift-DR state from the Capture-DR state.
In the Shift-DR state, over 6 TCK clock cycles, the new data sequence (101010) is shifted into the boundary scan chain through TDI;
at the same time, the data sequence (111000) captured in the boundary scan chain is shifted out through TDO.
After entering the Shift-DR state, on every TCK clock the boundary scan chain outputs one bit of data through TDO and receives one new bit of data from TDI.
Figure 3.3 shows the scan chain after 1 TCK clock cycle in the Shift-DR state.
Figure 3.4 shows the scan chain after 2 TCK clock cycles in the Shift-DR state.
At this point, the scan chain has received two bits of new data serially from TDI, and two bits of data have been output serially through TDO.
The process continues, driven by the TCK clock.
Figure 3.5 shows the scan chain after 6 TCK clock cycles.
As we can see from Figure 3.5, the boundary scan chain now contains the new data sequence: 101010.
At the TDO end, after 6 TCK clocks, the data sequence captured in the Capture-DR state has also been received: 111000.
At this point, although the scan chain contains the new data sequence 101010, the state on the pins of the chip under test is still 111000.
Next, the signal state on the corresponding pins of the chip under test needs to be updated.
To perform the update, the TAP controller goes from the Shift-DR state, through the Exit1-DR state, into the Update-DR state.
In the Update-DR state, after one TCK clock cycle, the new data sequence in the boundary scan chain is loaded onto the corresponding pins of the chip under test, as shown in Figure 3.6.
As can be seen from Figure 3.6, the state of the chip under test has been updated, and the state sequence on the corresponding pins has changed from 111000 to 101010.
Finally, the controller returns from the Update-DR state to the Run-Test/Idle state, which completes the access to the selected boundary scan chain.
After reading the above example, you should have a rough understanding of the TAP controller's state machine.
You should also have an intuitive picture of how a boundary scan chain is accessed.
Although the above example only shows how to access a boundary scan chain, the access process for the other data registers and for the instruction register is similar.
To access the instruction register, the TAP controller must go through a different sequence of states:
Run-Test/Idle
Select-DR-Scan
Select-IR-Scan
Capture-IR
Shift-IR
Exit1-IR
Update-IR
Run-Test/Idle.
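The TAP state machine and the 6-bit scan walked through above, as an added C example (not code from the original article): it models all 16 states, including the Pause and Exit2 states that IEEE 1149.1 defines but the text above does not walk through, and runs the 111000 / 101010 scan. The struct, the function names, and the choice to apply the pin update on entry to Update-DR are assumptions of this model; bit i of each word is the i-th bit shifted, so the strings read in shift order.

```c
#include <stdio.h>
/* The 16 TAP controller states defined by IEEE 1149.1. */
enum tap_state { TLR, RTI, SEL_DR, CAP_DR, SH_DR, EX1_DR, PAUSE_DR, EX2_DR,
                 UPD_DR, SEL_IR, CAP_IR, SH_IR, EX1_IR, PAUSE_IR, EX2_IR, UPD_IR };

/* next_state[s][tms]: state entered from s on a rising TCK edge. */
static const enum tap_state next_state[16][2] = {
    [TLR]      = { RTI,      TLR    }, [RTI]      = { RTI,      SEL_DR },
    [SEL_DR]   = { CAP_DR,   SEL_IR }, [SEL_IR]   = { CAP_IR,   TLR    },
    [CAP_DR]   = { SH_DR,    EX1_DR }, [CAP_IR]   = { SH_IR,    EX1_IR },
    [SH_DR]    = { SH_DR,    EX1_DR }, [SH_IR]    = { SH_IR,    EX1_IR },
    [EX1_DR]   = { PAUSE_DR, UPD_DR }, [EX1_IR]   = { PAUSE_IR, UPD_IR },
    [PAUSE_DR] = { PAUSE_DR, EX2_DR }, [PAUSE_IR] = { PAUSE_IR, EX2_IR },
    [EX2_DR]   = { SH_DR,    UPD_DR }, [EX2_IR]   = { SH_IR,    UPD_IR },
    [UPD_DR]   = { RTI,      SEL_DR }, [UPD_IR]   = { RTI,      SEL_DR },
};

#define CHAIN_LEN 6            /* cells in the example boundary scan chain */
struct tap {
    enum tap_state state;
    unsigned chain;            /* scan cells; bit 0 is the cell next to TDO */
    unsigned pins;             /* pin levels, same bit order */
};

/* Pack a '0'/'1' string: character i (the i-th bit shifted) becomes bit i. */
static unsigned bits(const char *s)
{
    unsigned v = 0;
    for (int i = 0; s[i]; i++) v |= (unsigned)(s[i] - '0') << i;
    return v;
}

/* One rising TCK edge: act on the current state, follow TMS, return TDO. */
static int tap_clock(struct tap *t, int tms, int tdi)
{
    int tdo = 0;
    if (t->state == CAP_DR) t->chain = t->pins;    /* capture pin levels */
    if (t->state == SH_DR) {                       /* shift one cell toward TDO */
        tdo = t->chain & 1;
        t->chain = (t->chain >> 1) | ((unsigned)(tdi & 1) << (CHAIN_LEN - 1));
    }
    t->state = next_state[t->state][tms & 1];
    if (t->state == UPD_DR) t->pins = t->chain;    /* model: update on entry */
    return tdo;
}

/* DR scan from Run-Test/Idle and back; bit i of in/out is the i-th bit shifted. */
static unsigned scan_dr(struct tap *t, unsigned in)
{
    unsigned out = 0;
    /* Run-Test/Idle -> Select-DR-Scan -> Capture-DR -> (capture) Shift-DR */
    tap_clock(t, 1, 0); tap_clock(t, 0, 0); tap_clock(t, 0, 0);
    for (int i = 0; i < CHAIN_LEN; i++)  /* last bit goes in with TMS=1: the */
        /* chain still shifts on the edge that leaves Shift-DR for Exit1-DR */
        out |= (unsigned)tap_clock(t, i == CHAIN_LEN - 1, (in >> i) & 1) << i;
    tap_clock(t, 1, 0); tap_clock(t, 0, 0);   /* -> Update-DR -> Run-Test/Idle */
    return out;
}

int main(void)
{
    struct tap t = { SH_IR, 0, bits("111000") };     /* constructed start state */
    for (int i = 0; i < 5; i++) tap_clock(&t, 1, 0); /* TMS=1 x5: Test-Logic-Reset */
    tap_clock(&t, 0, 0);                             /* -> Run-Test/Idle */
    unsigned out = scan_dr(&t, bits("101010"));
    printf("TDO=%u pins=%u state=%d\n", out, t.pins, (int)t.state);
}
```

The driver shifts the sixth bit with TMS = 1; holding TMS at 0 for all six clocks and raising it afterwards would shift the chain a seventh time.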
TwentyOne
Oct-2004