Joint Test Action Group

from Wikipedia, the free encyclopedia

Joint Test Action Group (JTAG for short) is a frequently used synonym for IEEE standard 1149.1, which describes a methodology for testing and debugging integrated circuits, i.e. hardware on printed circuit boards. The best known of the procedures developed by the JTAG working group, and the first to be implemented, is the boundary scan test according to IEEE 1149.1. Since further procedures (1149.1–1149.8) have been added, the terms are no longer synonymous, although the description language of the IEEE working group, the Boundary Scan Description Language, has kept the original name.

The purpose of the method is to test integrated circuits (ICs) for correct function while they are already in their working environment, for example soldered onto a circuit board. For this purpose, a JTAG-capable IC has components that are completely isolated during normal operation and therefore do not interfere with the function of the device. Only when the JTAG function is activated on a certain pin, the Test Mode Select input, can the hardware system be influenced and controlled with the help of these additional components. The interface from JTAG to the outside world is implemented as a shift register.

Motivation and Development

At the end of the 1970s, the degree of integration in microelectronics had increased so much (complex ICs of the time include the Intel 4004, Intel 8008 and Zilog Z80) that thousands of flip-flops or registers worked in one chip. The states of these internal flip-flops are no longer accessible from outside the IC. The demand arose (initially from the IC manufacturers themselves) that, to test the structure of a complex component, its gates and lines should be controllable and, to test its function, the states of all registers and flip-flops should be observable. In 1977 Eichelberger published an approach called Scan-Path, in which each flip-flop in the IC receives an additional multiplexer (transfer gate) at its input. In this way, all flip-flops of the IC can optionally be connected together to form one long shift register, via which the state of every flip-flop can be observed and controlled from the outside.

The JTAG standard was created by an association of semiconductor manufacturers formed in 1985/86. The standard that was drawn up was published as IEEE 1149.1-1990. Since the revision IEEE 1149.1-1994, the Boundary Scan Description Language has been part of the standard. The current version of the standard is 1149.1-2001, IEEE standard test access port and boundary-scan architecture.

Functionality

Construction

A JTAG component essentially consists of the following parts:

  • The Test Access Port (TAP) with the control lines, generally also called JTAG port or JTAG interface.
  • The TAP controller, a state machine that controls the test logic.
  • Two shift registers, the "Instruction Register" (IR) and the "Data Register" (DR).

Test access port

Example of a JTAG chain

The Test Access Port (TAP) consists of five control lines:

  1. Test Data Input (TDI). Serial input of the shift register.
  2. Test Data Output (TDO). Serial output of the shift register.
  3. Test Clock (TCK). The clock signal for the entire test logic.
  4. Test Mode Select (TMS). This controls the state machine of the TAP controller.
  5. Test Reset (TRST). Resets the test logic. This line is optional because a reset can also be triggered via the TAP controller.

Wiring in the overall circuit

A hardware system can have several TAPs that are linked to one another. This is known as the "JTAG chain". As a rule, the shift registers of the TAPs involved are connected in series, although other circuit patterns are also defined in the JTAG standard. The TAP controllers of the individual TAPs run in parallel.

TAP controller

State diagram of a JTAG TAP controller. The ones and zeros denote the level of the TMS line, which determines the state the controller enters on the next TCK cycle.

The TAP controller is a state machine that is clocked by TCK and controlled by the TMS line. The TMS line determines the state the controller enters on the next clock cycle. The TAP controller has six stable states, that is, states in which it can remain for several clock cycles. These six states are "Test Logic Reset", "Run Test / Idle", "Shift-DR" and "Shift-IR" as well as "Pause-DR" and "Pause-IR". In the "Test Logic Reset" state the test logic is reset; "Run Test / Idle" is used as an idle state or for waiting times. The two "shift" states shift the DR or IR shift register. The two "pause" states serve to interrupt shift operations. From all other states, the next clock cycle always leads to a different state. Passing through these states triggers certain control functions.

Registers
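The state diagram described above can be written as a transition table and checked mechanically. The following is an added example, not part of the original article: it encodes the 16 states of the IEEE 1149.1 TAP controller (the abbreviated state names are this example's own), counts the stable states, and computes how many TCK cycles with TMS held at 1 bring the controller to Test Logic Reset from any state, which is the reset "via the TAP controller" that makes TRST optional.

```c
#include <stdio.h>

/* The 16 TAP controller states of IEEE 1149.1 (abbreviations chosen for this example). */
enum tap { TLR, RTI, SEL_DR, CAP_DR, SH_DR, EX1_DR, PAUSE_DR, EX2_DR, UPD_DR,
           SEL_IR, CAP_IR, SH_IR, EX1_IR, PAUSE_IR, EX2_IR, UPD_IR, N_STATES };

/* NEXT[state][tms]: state entered on the next TCK cycle for TMS = 0 or 1. */
static const enum tap NEXT[N_STATES][2] = {
    [TLR]      = { RTI,      TLR    }, [RTI]      = { RTI,      SEL_DR },
    [SEL_DR]   = { CAP_DR,   SEL_IR }, [CAP_DR]   = { SH_DR,    EX1_DR },
    [SH_DR]    = { SH_DR,    EX1_DR }, [EX1_DR]   = { PAUSE_DR, UPD_DR },
    [PAUSE_DR] = { PAUSE_DR, EX2_DR }, [EX2_DR]   = { SH_DR,    UPD_DR },
    [UPD_DR]   = { RTI,      SEL_DR }, [SEL_IR]   = { CAP_IR,   TLR    },
    [CAP_IR]   = { SH_IR,    EX1_IR }, [SH_IR]    = { SH_IR,    EX1_IR },
    [EX1_IR]   = { PAUSE_IR, UPD_IR }, [PAUSE_IR] = { PAUSE_IR, EX2_IR },
    [EX2_IR]   = { SH_IR,    UPD_IR }, [UPD_IR]   = { RTI,      SEL_DR },
};

/* Clock the controller once per character of tms ('0' or '1'). */
enum tap tap_walk(enum tap s, const char *tms) {
    for (; *tms; tms++) s = NEXT[s][*tms == '1'];
    return s;
}

/* A state is stable if some TMS level keeps the controller in it. */
int count_stable_states(void) {
    int n = 0;
    for (int s = 0; s < N_STATES; s++)
        n += (NEXT[s][0] == (enum tap)s || NEXT[s][1] == (enum tap)s);
    return n;
}

/* Smallest k such that k clocks with TMS=1 reach Test Logic Reset from every state. */
int clocks_to_reset_from_anywhere(void) {
    int worst = 0;
    for (int s = 0; s < N_STATES; s++) {
        int k = 0;
        for (enum tap cur = (enum tap)s; cur != TLR; k++) cur = NEXT[cur][1];
        if (k > worst) worst = k;
    }
    return worst;
}

int main(void) {
    printf("stable states: %d\n", count_stable_states());
    printf("TMS=1 clocks to reset from any state: %d\n", clocks_to_reset_from_anywhere());
    printf("TLR + TMS 0100 -> Shift-DR? %d\n", tap_walk(TLR, "0100") == SH_DR);
    return 0;
}
```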

Diagram of a JTAG test access port with the data registers usually available.

An IC with a JTAG port has two registers on the outside, the instruction register (IR) and the data register (DR). The data register stands for a group of different registers that are involved in the transmission of user data.

In the case of a shift operation, the TDI input is "shifted" into the first bit of the shift register, the last bit of the shift register is "shifted out" to the TDO output. If several TAPs are connected in series in a JTAG chain, information intended for a specific TAP must be shifted through the shift registers of the other TAPs. Which of the two registers (IR or DR) is shifted depends on whether the TAP controller is in the DR or the IR branch.

The instruction register

When a shift operation occurs through the data registers (DR, see below), the value of the instruction register (IR) indicates through which of the data registers the shift operation takes place. Due to the interconnection of the shift registers, the instruction registers of all modules in a JTAG chain can only be written together.

The IR has no fixed length, but must be at least 2 bits in size. With some microcontrollers it is 4 bits (e.g. ARM, Maxim / Dallas DS4550, Renesas SH microcontrollers), with others 5 bits (e.g. Freescale MPC5554) or 8 bits (e.g. Infineon C166).

Certain values of the IR can be interpreted as a command by the TAP when the shift operation is completed. When reading out, the instruction register is often used as a status register.

The data register

The data registers (DR) are those registers that are involved in the transmission of user data. On the hardware side, this is often a single shift register that takes on the task of the respective JTAG register. The instruction register determines which register is mapped to it. This can be understood as controlling a multiplexer that multiplexes the data registers on the TDO output. The IEEE 1149.1 standard prescribes certain registers that must be contained in all JTAG-capable blocks. These are the BYPASS, the IDCODES and the boundary scan registers.

The BYPASS register

This data register is a shift register with a width of one bit. The reason is that the data registers (DR) of all TAPs can only be read and written to at the same time, as with the IR. If only the data register of a single TAP in the JTAG chain is to be read or written, the BYPASS instruction is loaded via the IRs of all other TAPs so that this register is selected. This can minimize the latency of the scan chain, which is caused by the shifting process.
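The effect of BYPASS on scan latency can be seen by simulating the serial shift. The following is an added example, not part of the original article: the four-device chain, the 8-bit target register and the 32-bit register of the second configuration are constructed values, and the simulation assumes, as the standard specifies for BYPASS, that the other registers capture 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed chains, device 0 next to TDI; only device 1 (8-bit DR) is of interest. */
const int BYPASSED[4] = { 1, 8, 1, 1 };    /* neighbours hold the BYPASS instruction */
const int WIDE[4]     = { 32, 8, 32, 32 }; /* neighbours select an assumed 32-bit DR */

/* One TCK in Shift-DR: every cell moves one place towards TDO. */
static int shift_once(uint8_t *cells, int total, int tdi) {
    int tdo = cells[total - 1];
    memmove(cells + 1, cells, (size_t)(total - 1));
    cells[0] = (uint8_t)tdi;
    return tdo;
}

/* Combined length of the selected data registers of devices [0, n). */
int chain_bits(const int *len, int n) {
    int total = 0;
    for (int i = 0; i < n; i++) total += len[i];
    return total;
}

/* Clocks until the last bit of the target's register has appeared on TDO. */
int clocks_to_read(const int *len, int n, int target) {
    return chain_bits(len + target, n - target);
}

/* Simulated read: the target captured `value`, every other register captured 0. */
uint32_t read_target(const int *len, int n, int target, uint32_t value) {
    uint8_t cells[128] = { 0 };
    int total = chain_bits(len, n), start = chain_bits(len, target);
    for (int b = 0; b < len[target]; b++)      /* cell nearest TDO holds bit 0 */
        cells[start + len[target] - 1 - b] = (value >> b) & 1u;
    int skip = total - start - len[target];    /* bits of devices behind the target */
    uint32_t out = 0;
    for (int clk = 0; clk < clocks_to_read(len, n, target); clk++) {
        int tdo = shift_once(cells, total, 0);
        if (clk >= skip) out |= (uint32_t)tdo << (clk - skip);
    }
    return out;
}

int main(void) {
    printf("BYPASS neighbours: %d clocks, read 0x%02X\n",
           clocks_to_read(BYPASSED, 4, 1), (unsigned)read_target(BYPASSED, 4, 1, 0xA5));
    printf("wide neighbours:   %d clocks, read 0x%02X\n",
           clocks_to_read(WIDE, 4, 1), (unsigned)read_target(WIDE, 4, 1, 0xA5));
    return 0;
}
```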

The IDCODES register

When a shift operation is started through this data register (DR), an identification number (manufacturer and product type) is loaded into the shift register, which is used to identify the TAP.

The boundary scan register

The individual memory cells of the boundary scan register (BSR) allow access to the logic circuits connected to the TAP. These can be circuits required for special scan tests or even entire in-circuit emulators. The exact meaning depends on the manufacturer. Similar to a programmable logic controller, the boundary scan register can be used to set the voltage level of all outputs and read the voltage levels of all inputs. This is used for scan tests.

Further registers

In addition to the three mandatory data registers, additional registers can be defined that provide a debug or programming interface, for example. In the case of ARMv5, for example, the TAP has three special registers that are addressed as data registers (DR).

In order to be able to use the JTAG port of an IC, it is necessary to know exactly its structure and the registers it contains. This is described in a BSDL file provided by the manufacturer.

Other uses

JTAG adapter for programming and debugging ARM microcontrollers

JTAG is now also increasingly used to configure FPGAs and CPLDs and to program and debug microcontrollers. Memory that can be programmed in parallel, such as flash memory connected directly to an IC with a JTAG port, can therefore be reprogrammed while installed, because the IC can emulate a programming device for the memory chip. The Serial Vector Format (SVF) is often used to exchange such programming data.

JTAG and computer security

Because of the direct hardware access it provides, the JTAG interface is suitable for circumventing security measures. The term JTAG is therefore often used in the context of the hacker scene, though not always with a uniform definition. Gamers speak of a jtagged Xbox when modding techniques are used to allow content to run on a game console without a manufacturer's signature. In the hardware context, JTAG is used synonymously with debugging, which can be misleading in the software area.

JTAG can be used in particular to explore the boot process of devices, with the aim of interrupting it and gaining control of the device through code injection. To prevent this access, the JTAG ports of ICs are often not marked as such or are actively obfuscated. Further security measures include subsequently masking the pins, a housing that covers the JTAG pins, or fuses in the JTAG connections that are destroyed after testing has been completed. Access to JTAG ports can thus be made more difficult, but is possible in practically every case with the corresponding effort.

Access to hardware via JTAG ports could only be prevented if the access itself were protected by encryption or authentication. Various drafts have been submitted, but there are no standards and only a few implementations.

Extensions

The IEEE standard 1149.1 has since been given a number of extensions. These are:

  • 1149.4: IEEE Standard for a Mixed-Signal Test Bus, testing of analog circuits.
  • 1149.5: IEEE Standard for Module Test and Maintenance Bus (MTM-Bus) Protocol, was withdrawn in 2003.
  • 1149.6: IEEE Standard for Boundary-Scan Testing of Advanced Digital Networks, testing of differential signals, also with AC coupling.
  • 1149.7: IEEE Standard for Boundary-Scan Testing of Advanced Digital Networks, simplified test port with only two signals.

A further extension of the JTAG standard, especially for programming JTAG-compatible devices, was adopted under the designation IEEE Std 1532-2002: IEEE Standard for In-System Configuration of Programmable Devices. A device corresponding to this standard has certain additional registers which are provided for its programming.

References

  1. Edward Eichelberger, Thomas Williams: A Logic Design Structure for LSI Testability. In: Proceedings of the 14th Design Automation Conference. June 1977, pp. 462-468.
  2. IEEE OPAC: IEEE Std 1149.1-2001 IEEE standard test access port and boundary-scan architecture. doi:10.1109/IEEESTD.2001.92950
  3. Senrio: JTAG Explained, September 28, 2016.
  4. IEEE OPAC: IEEE Std 1149.4-1999: IEEE Standard for a Mixed-Signal Test Bus. doi:10.1109/IEEESTD.2000.91314
  5. IEEE Std 1149.5-1995: IEEE Standard for Module Test and Maintenance Bus (MTM-Bus) Protocol (archived copy of the original, dated February 9, 2009, in the Internet Archive).
  6. IEEE OPAC: IEEE Std 1149.6-2003: IEEE Standard for Boundary-Scan Testing of Advanced Digital Networks. doi:10.1109/IEEESTD.2003.94249
  7. IEEE OPAC: IEEE Std 1149.7-2009: IEEE Standard for Reduced-Pin and Enhanced-Functionality Test Access Port and Boundary-Scan Architecture. doi:10.1109/IEEESTD.2010.5412866
  8. IEEE OPAC: IEEE Std 1532-2002: IEEE Standard for In-System Configuration of Programmable Devices. doi:10.1109/IEEESTD.2003.94229
