The Many Faces of JTAG

Wouldn’t it be great if there were just one standard for attaching to, programming, and debugging hardware? If you could just plug in and everything would just work? Dream on, dreamer! But of course we hobbyists aren’t the only people to suffer from multiple standards. Industry has the same problems, writ large. The proliferation of smart devices (microcontrollers, sensors, and their friends) on any given PCB makes it difficult to test them all, much less their function as a system.

The Joint Test Action Group (JTAG) got together in the mid-80s to make automated testing of circuit boards a standardized process. A JTAG port can be found on almost any piece of consumer electronics with enough brains to warrant it, and it’s also a tremendously useful entry point for debugging your own work and hacking into others’. You’re going to need to use JTAG someday.

Implemented right, it’s a very cool system that lets you test any compliant IC on the board all from a single connector. It’s mostly used by hackers for its ability to run and halt individual processors, and put them in debugging modes, inspecting their memory states, etc. Essentially every microcontroller responds to JTAG commands, and it’s an incredibly widespread and powerful standard. A victory for rationality and standardization!

The connector pinout was, of course, left up to the manufacturer. The horror!

Five Signals

In principle, JTAG uses five signal lines. They form a chain starting at the debugger, where one device’s output is the next device’s input, until the result is returned back to the debugger.

JTAG, as imagined by Vindicator CC BY 2.5
  • Test Data In (TDI) is the input from the debugger
  • Test Data Out (TDO) is the return end of the chain
  • Test Clock (TCK) clocks this data along synchronously, similarly to SPI
  • Test Mode Select (TMS) lets the devices know that they’re being debugged — it’s a global chip select
  • Test Reset (TRST) is an optional signal that resets all devices in the chain

There are other signals as well, but they’re not standard and are mostly individual device resets. If you’re programming ARM chips, you’ll probably also encounter Serial Wire Debug (SWD) which is a two-wire simplification of JTAG where the TMS line is used for bidirectional data transfer (SWDIO) and the clock clocks (SWDCLK).

One Thousand Configurations

With only five signals, or a two-signal subset of these, you’d think that there were a limited number of possible pinouts. That would be naïve. You will commonly be presented with twenty-pin, fourteen-pin, and ten-pin versions of JTAG ports. Naturally, there are sub-varieties within each pin-count. Here’s a taxonomy of the ones that I’ve encountered. There must be others.

The madness started with ARM, when they decided to carry five signals on a twenty-pin connector. (To be fair, they added a few extra signal lines, and many redundant grounds.) This is also the only twenty-pin connector that I’ve seen, and it’s a good bet to start out with this pinout if you see two rows of ten pins. The two MIPS JTAG versions can also come in twenty-pin housings, but since they only use fourteen of them, they also appear in fourteen-pin versions.

Which brings us to the first level of JTAG hell: fourteen pins. In addition to the ARM-14 pinout and the aforementioned MIPS variants, there’s also Xilinx and TI’s MSP430 JTAG layout in fourteen pins. Boo! There’s going to be some trial and error here. If there’s an MSP430 chip (or you’re using [Travis Goodspeed]’s GoodFET), then the TI version is most likely. If you see a Xilinx FPGA, that’s a solid bet. If it’s a router, bet on the MIPS layout first, but if there’s an ARM chip prominently in play you might want to try ARM-14.

Which brings us into the pit of despair: the ten-pin headers. The good news here is the Altera ByteBlaster and AVR pinouts match, and are maybe the most common layout of all. When I see a ten-pin header, I start here. Unfortunately, Freescale/Lattice semiconductor also has its own ten-pin JTAG, and it’s different, so that’s your next port of call.

Even that’s no guarantee though: my Lattice FRDM-KL25Z dev board has both ten-pin JTAG and SWD ports, where neither of the two correspond to any JTAG layout that I know, but at least they’re described in the datasheet. All of the other minor JTAG variants seem to be ten pins as well, so if you find a ten-pin header that’s not Altera or Lattice, you’re in the deep end of the pool.

Which One Is It?

All of these connectors are, of course, symmetric. Once you’ve got a pin count and some good guesses, test them out. You should be able to figure out the grounded pins very easily with a continuity tester. Does it match any of the standards? If yes, you can figure out the orientation, and you’re on your way. If you know the chip manufacturer, start off with their JTAG version first, naturally. If you can trace known JTAG lines out from the IC, do so.

But then there are times when the connector is entirely non-standard, either because the designers don’t want you using it or they use a custom testing jig and don’t care. In these cases, it’s time to start playing the brute-force lottery. Take a wild guess at which pins are which, and see if you get a response. Repeat. And repeat. And repeat.

But if you’re a hacker, the words “brute force” make you instantly think “automation”, right? Among other devices, [Joe Grand]’s JTAGulator might be able to work out the pins for you.

It works by testing the JTAG chain, and when the pins are set up right, it’ll get a response. From this, it can figure out how many chips are in the chain, because each chip is essentially a one-bit shift register. Next it will ask for each chip’s ID code. When it starts getting sensible answers, you’ve won. Read [Joe]’s slides from his DEFCON talk (PDF) on the matter if you want to learn more.
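
The chain-length and ID-code checks described above can be sketched as follows. This is an added example, not JTAGulator code or anything from the original article: `FakeChain` and `shift_bit` are hypothetical stand-ins for real hardware, every device is assumed to already be in BYPASS, and the sample ID code is constructed.

```python
class FakeChain:
    """Constructed stand-in for hardware: n devices, each in BYPASS (1 bit each)."""
    def __init__(self, n, stuck=None):
        self.regs, self.stuck = [0] * n, stuck

    def shift_bit(self, tdi):
        """Clock one bit in on TDI; return the bit that appears on TDO."""
        if self.stuck is not None:        # models a wrong pin guess: TDO never moves
            return self.stuck
        self.regs.insert(0, tdi)
        return self.regs.pop()


def count_bypass_devices(shift_bit, max_devices=32):
    """Count devices in the chain, or return None if the chain does not respond.

    Each bypassed device delays the data by one clock, so a single 1 sent
    after a flush of 0s reappears on TDO after exactly N further clocks.
    """
    flushed = [shift_bit(0) for _ in range(max_devices)]
    if flushed[-1] != 0:
        return None                       # TDO stuck high: not a working chain
    if shift_bit(1) == 1:
        return 0                          # TDI is wired straight to TDO
    for n in range(1, max_devices + 1):
        if shift_bit(0) == 1:
            return n
    return None                           # the 1 never came back: stuck low


def decode_idcode(word):
    """Split a 32-bit IEEE 1149.1 IDCODE into fields; None if implausible."""
    if word in (0x00000000, 0xFFFFFFFF) or (word & 1) == 0:
        return None                       # stuck line, or bit 0 is not the mandatory 1
    return {
        "version": (word >> 28) & 0xF,        # bits 31..28
        "part": (word >> 12) & 0xFFFF,        # bits 27..12
        "manufacturer": (word >> 1) & 0x7FF,  # bits 11..1, JEP106 code
    }


if __name__ == "__main__":
    print(count_bypass_devices(FakeChain(3).shift_bit))
    print(decode_idcode(0x12345557))      # constructed sample value
```

A guess at the pin assignment that produces `None` from both functions is the "no response" case; a "sensible answer" is a small device count followed by ID codes that pass the bit-0 check.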

Get Physical

So far, we’ve only concerned ourselves with the signals that the JTAG pins carry. Without trying to obfuscate things, there are two choices of pin-pitch that are commonly used: the wide 0.1″ pitch and a smaller 0.05″ spacing. I’ve only ever seen ten-pin JTAG headers in the thin version, and they’re more common than the 0.1″ version. Before you even get to worry about programming the board, you’re going to need an adapter. And besides the pin-spacing issue, there’s also gender. You’re going to need more adapters.

And then there’s obfuscation. Vendors who don’t want you using their JTAG interfaces once the hardware is in the wild will disguise them in every way possible. Even getting a probe on the right copper pads can be hard work.

Building Your Own

But what about designing JTAG into your own work? Which pinout should you choose? I default to the AVR/Altera pinout in 0.1″ spacing whenever possible. One reason is that it leaves plenty of room for routing on home-etched boards, and the other is that it’s easy to drill for headers or leave bare copper pads for pogo pins.

For a pin jig on 0.1″ spacings, I’ll just jam the pogo pins into the end of a cable connector and try to steady my hands on the table while pressing enter on my laptop with the other, all the while playing the tuba with my toes. The pins will wiggle in the slots and I’ll curse. Reasonable people will resort to programming jigs, and there’s an app for that.

If you don’t have steady hands, and can’t be bothered with a test fixture, look into Tag-Connect. Tag-Connect is a simple idea: adding registration pins (and optionally locking tabs) in a non-symmetric configuration around a 0.05″ JTAG pattern. The registration pins make it easy to hold the pogo pins in place, and the locking clips give you your hands back. Instead of populating a header on every board you produce, you just need to expose copper pads and drill a few holes. It’s a brilliant system, and it’s been picked up by TI, Microchip, and others. A DIY version of Tag-Connect in 0.1″ pitch is on my short list of programmer connectors to standardize around.

JTAG: Love It or Loathe It

Love it or loathe it, you’re going to need to use JTAG some day, whether for your own designs and standardization purposes, for programming a dev board, or hacking into some appliance. It’s surprising that something so apparently simple as connecting up five signal lines can lead to such complication. The good news is that once you’re over this first hurdle, JTAG is actually reasonably well standardized at the protocol level. But that’s a topic for another time.
