JTAG


JTAG is an industry standard for verifying designs and testing printed circuit boards after manufacture.
JTAG implements standards for on-chip instrumentation in electronic design automation as a complementary tool to digital simulation. It specifies the use of a dedicated debug port implementing a serial communications interface for low-overhead access without requiring direct external access to the system address and data buses. The interface connects to an on-chip Test Access Port that implements a stateful protocol to access a set of test registers that present chip logic levels and device capabilities of various parts.
The Joint Test Action Group formed in 1985 to develop a method of verifying designs and testing printed circuit boards after manufacture. In 1990, the Institute of Electrical and Electronics Engineers codified the results of the effort in IEEE Standard 1149.1-1990, entitled Standard Test Access Port and Boundary-Scan Architecture.
The JTAG standards have been extended by multiple semiconductor chip manufacturers with specialized variants to provide vendor-specific features.

History

In the 1980s, multi-layer circuit boards and integrated circuits using ball grid array and similar mounting technologies were becoming standard, and connections were being made between ICs that were not available to probes. The majority of manufacturing and field faults in circuit boards were due to poor solder joints on the boards, imperfections among board connections, or the bonds and bond wires from IC pads to pin lead frames. The Joint Test Action Group was formed in 1985 to provide a pins-out view from one IC pad to another so these faults could be discovered.
The industry standard became an IEEE standard in 1990 as IEEE Std. 1149.1-1990 after years of initial use. In the same year, Intel released their first processor with JTAG, which led to quicker industry adoption by all manufacturers. In 1994, a supplement that contains a description of the boundary scan description language was added. Further refinements regarding the use of all-zeros for EXTEST, separating the use of SAMPLE from PRELOAD and better implementation for OBSERVE_ONLY cells were made and released in 2001. Since 1990, this standard has been adopted by electronics companies around the world. Boundary scan is now mostly synonymous with JTAG, but JTAG has essential uses beyond such manufacturing applications.
The 2013 revision of IEEE Std. 1149.1 introduced a vast set of optional features, associated extensions to BSDL, and a new procedural description language based on Tcl.

Debugging

Although JTAG's early applications targeted board-level testing, the JTAG standard was designed to assist with device, board, and system testing, diagnosis, and fault isolation. Today JTAG is used as the primary means of accessing sub-blocks of integrated circuits, making it an essential mechanism for debugging embedded systems which might not have any other debug-capable communications channel. On most systems, JTAG-based debugging is available from the very first instruction after CPU reset, letting it assist with development of early boot software which runs before anything is set up. An in-circuit emulator uses JTAG as the transport mechanism to access on-chip debug modules inside the target CPU. Those modules let software developers debug the software of an embedded system directly at the machine instruction level when needed, or in terms of high-level language source code.
System software debug support is for many software developers the main reason to be interested in JTAG. Multiple silicon architectures, such as PowerPC, MIPS, ARM, and x86, built an entire software debug, instruction tracing, and data tracing infrastructure around the basic JTAG protocol. Individual silicon vendors, however, frequently implement only parts of these extensions. Some examples are ARM CoreSight and Nexus as well as Intel's BTS, LBR, and IPT implementations. There are a number of other such silicon vendor-specific extensions that may not be documented except under NDA. The adoption of the JTAG standard helped move JTAG-centric debugging environments away from early processor-specific designs. Processors can normally be halted, single-stepped, or allowed to run freely. One can set code breakpoints, both for code in RAM and in ROM/flash. Data breakpoints are often available, as is bulk data download to RAM. Most designs have halt mode debugging, but some allow debuggers to access registers and data buses without needing to halt the core being debugged. Some toolchains can use ARM Embedded Trace Macrocell modules, or equivalent implementations in other architectures, to trigger debugger activity on complex hardware events, like a logic analyzer programmed to ignore the first seven accesses to a register from one particular subroutine.
Sometimes FPGA developers also use JTAG to develop debugging tools. The same JTAG techniques used to debug software running inside a CPU can help debug other digital design blocks inside an FPGA. For example, custom JTAG instructions can be provided to allow reading registers built from arbitrary sets of signals inside the FPGA, providing visibility for behaviors that are invisible to boundary scan operations. Similarly, writing such registers could provide controllability that is not otherwise available.

Storing firmware

JTAG allows device programmer hardware to transfer data into internal non-volatile device memory. Some device programmers serve a double purpose for programming as well as debugging the device. In the case of FPGAs, volatile memory devices can also be programmed via the JTAG port, normally during development work. In addition, internal monitoring capabilities may be accessible via the JTAG port.
JTAG programmers are also used to write software and data into flash memory. This is usually done using the same data bus access the CPU would use, and is sometimes handled by the CPU. In other cases the memory chips themselves have JTAG interfaces. Some modern debug architectures provide internal and external bus master access without needing to halt and take over a CPU. In the worst case, it is usually possible to drive external bus signals using the boundary scan facility.
As a practical matter, when developing an embedded system, emulating the instruction store is the fastest way to implement the debug cycle. This is because the in-circuit emulator simulating an instruction store can be updated very quickly from the development host via, say, USB. Using a serial UART port and bootloader to upload firmware to flash makes this debug cycle quite slow and possibly expensive in terms of tools; installing firmware into flash via JTAG is an intermediate solution between these extremes.

Boundary scan testing

JTAG boundary scan technology provides access to a number of logic signals of a complex integrated circuit, including the device pins. The signals are represented in the boundary scan register accessible via the TAP. This permits testing as well as controlling the states of the signals for testing and debugging. Therefore, both software and hardware faults may be located and an operating device may be monitored.
When combined with built-in self-test, the JTAG scan chain enables a low-overhead embedded solution to test an IC for certain static faults. The scan chain mechanism does not generally help diagnose or test for timing, temperature or other dynamic operational errors that may occur. Test cases are often provided in standardized formats such as SVF, or its binary sibling XSVF, and used in production tests. The ability to perform such testing on finished boards is an essential part of Design For Test in today's products, increasing the number of faults that can be found before products ship to customers.

Electrical characteristics

A JTAG interface is a special interface added to a chip. Depending on the version of JTAG, two, four, or five pins are added. The four and five-pin interfaces are designed so that multiple chips on a board can have their JTAG lines daisy-chained together if specific conditions are met. The two-pin interface is designed so that multiple chips can be connected in a star topology. In either case, a test probe need only connect to a single JTAG port to have access to all chips on a circuit board.

Daisy-chained JTAG (IEEE 1149.1)

The connector pins are:
  1. TDI
  2. TDO
  3. TCK
  4. TMS
  5. TRST (optional)
The TRST pin is an optional active-low reset to the test logic, usually asynchronous, but sometimes synchronous, depending on the chip. If the pin is not available, the test logic can be reset by switching to the reset state synchronously, using TCK and TMS. Note that resetting test logic doesn't necessarily imply resetting anything else. There are generally some processor-specific JTAG operations that can reset all or part of the chip being debugged.
Since only one data line is available, the protocol is serial. The clock input is at the TCK pin. One bit of data is transferred in from TDI and out to TDO per TCK rising clock edge. Different instructions can be loaded. Instructions for typical ICs might read the chip ID, sample input pins, drive output pins, manipulate chip functions, or bypass.
As with any clocked signal, data presented to TDI must be valid for some chip-specific Setup time before and Hold time after the relevant clock edge. TDO data is valid for some chip-specific time after the falling edge of TCK.
The maximum operating frequency of TCK varies depending on all chips in the chain, but it is typically 10-100 MHz. Also, TCK frequencies depend on board layout and JTAG adapter capabilities and state. One chip might have a 40 MHz JTAG clock, but only if it is using a 200 MHz clock for non-JTAG operations; and it might need to use a much slower clock when it is in a low-power mode. Accordingly, some JTAG adapters have adaptive clocking using an RTCK signal. Faster TCK frequencies are most useful when JTAG is used to transfer large amounts of data, such as when storing a program executable into flash memory.
Clocking changes on TMS steps through a standardized JTAG state machine. The JTAG state machine can reset, access an instruction register, or access data selected by the instruction register.
JTAG platforms often add signals to the handful defined by the IEEE 1149.1 specification. A System Reset signal is quite common, letting debuggers reset the whole system, not just the parts with JTAG support. Sometimes, there are event signals used to trigger activity by the host or by the device being monitored through JTAG, or, perhaps, additional control lines.
Even though few consumer products provide an explicit JTAG port connector, the connections are often available on the printed circuit board as a remnant from development prototyping and/or production. When exploited, these connections often provide the most viable means for reverse engineering.