Design and Implementation of A Debugging System for OpenRISC Processor by Lian, Lihong et al.
Design and Implementation of A Debugging System 
for OpenRISC Processor 
 
Lihong Lian 
Dept. of Physics 
Xiamen University 
Xiamen, Fujian, China 
lhlian678@163.com 
Xiaochao Li * 
Dept. of Electronic Engineering 
Xiamen University 
Xiamen, Fujian, China 
leexcjeffrey@xmu.edu.cn 
Fen Xiao   
Dept. of Physics 
Xiamen University 
Xiamen, Fujian, China   
xiaofen@xmu.edu.cn 
Donghui Guo 
Dept. of Electronic Engineering 
Xiamen University 




Abstract—A gdb-based debugging system for OpenRISC1200 
Processor based on IEEE1149.1 JTAG interface is developed. 
Unlike usual gdb-based embedded debugging systems, this 
system uses the hardware debugging modules in OpenRISC1200 
Processor to extend GDB. Its debugging agent doesn’t work on 
the target but on the host computer, so it can work well without 
any target operating system support. In this paper, the system’s 
general frame design and realization of the main modules are 
explained in detail. It is verified by both FPGA prototype 
emulation and software simulation. It establishes a good 
foundation for further development on OpenRISC. 
Keywords-Debugging System; GDB; JTAG; OpenRISC1200 
Processor 
I. INTRODUCTION   
Today emdedded systems with 32-bit processors have been 
widely used in our daily lives.  OpenRISC1200 processor is an 
32/64-soft-core processor which is released by Opencores[1]. 
Compared with the senior processors which are popular in the 
market, this processor has a great cost advantage. Also the 
existing core can greatly accelerate the speed of design.  At 
present, the information of OpenRISC1200 is mainly 
concentrated on the processor-based applications such as 
shown in [2-4]. But with the increasing complexity of chip 
design, the debugging process becomes more important during 
the development of embedded systems. So it is necessary to 
study the debugging systems. 
Remote debugging is a basic debugging pattern for the 
embedded systems. It consists of a cross debugger and a 
debugging agent. The GNU debugger⎯gdb is an extremely 
powerful source_level debugger. Its remote debugging 
function is attractive for the advantages of dynamic, real-time, 
convenience and so on.  So it is often used to develop the gdb-
based embedded system debuggers. The debugging agent 
usually contains two forms: gdbserver and gdbstub. In many 
traditional debugging methods of the embedded systems, the 
agent is designed to run on the target. In that case, the 
debugging systems can’t work without a target operating 
system. So it can’t meet full debugging cases such as the 
bootloader debugging process. To solve this problem, this 
debugging system discussed in this paper uses the incircuit-
debugger which is based on JTAG boundary scan architecture 
and the built-in debugging module of the OpenRISC1200 
processor. The agent can run on the host computer and the 
debugging system works well. 
The remainder of this paper is organized as follows: In 
Section 2 we present the overall framework of this debugging 
system. In the following two sections we discuss the hardware 
and software design. In Section 5 we build the test system 
under which the debug system is verified. Finally we conclude 
the work in Section 6. 
II. DEBUGGING SYSTEM FRAMEWORK 
Cross-debugging is a common method of debugging for 
the embedded systems. Debugger running on the host system 
debugs cores on the target through a debug agreement (such as 
JTAG agreement). The practical framework of the gdb-based 
debugging system which is designed for OR1200 processor is 
shown in figure.1. It consists of two parts: the hardware and 
software. The part of hardware includes JTAG cable and 
debugging interface. OR1200 debugging interface is composed 
by built-in debugging unit and external JTAG debugging 
interface. The built-in debugging unit (OR1200_du) provides 
an interface for the external JTAG debugging interface 
connecting to CPU. While the external JTAG debugging 
interface provides an interface for OR1200 connecting to 
GDB, including TAP controller, command registers and data 
registers. The top-level module (dbg_top) of the external 
JTAG debugging interface connects to the top-level module of 
OR1200 (OR1200_top). So signals from OR1200_top are 
eventually sent to OR1200_du and implemented by software. 
The part of software includes GDB, debugging agent server 
and JTAG agreement. In a word the cooperation of hardware 
and software composes the working environment of the 
debugging system. 
In this system, first, users run JP1 program to establish the 
communication between the host computer and the target. JP1 
is a proprietary JTAG protocol. It is very simple, and its 
biggest advantage is that no special HW is needed. Then the 
debugging program is downloaded to the target through the 
JTAG cable. When meeting certain trigger condition, the CPU 
halts the program and does breakpoints, single-step and other 
relevant debugging on the program. 
 
Figure 1.  The chart of the debugging system architecture 
A. JTAG AGREEMENT AND TAP CONTROLLER 
JTAG (Joint Test Action Group) is an international 
standard test protocol (IEEE 1149.1-compatible [5]), which 
can be used for not only internal testing of chips, but also 
online debugging. The JTAG interface consists of five pins: 
TMS, TCK, TDI, TDO, TRST, respectively, for model 
selection, clock, data input, data output and TAP controller 
resetting. 
TAP controller is a 16-state finite state machine whose 
state-transition is controlled by the TMS signal. It is 
implemented in both dbg-top and JP1. The state-transition 
diagram is shown in figure 2. From it we can see two main 
paths control the operation based on the data registers and the 
instruction registers. The IR path starts at Select-IR-Scan. The 
new value is shifted-in the instruction registers from TDI at the 
time on the entries to Shift-IR. The old value of the instruction 
registers is shifted-out on TDO on the exits from Shift-IR. In 
Update-IR, the new instruction is updated to the current 
command. In the DR path, the data registers are selected 
according to the current command.  The new value is shifted-
in the selected data registers from the TDI at the time on the 
entries to Shift-DR. The old value of the data registers is 
shifted-out on TDO on the exits from Shift-DR. In Update-DR 
the value from the selected data registers is applied. 
 
Figure 2.  The state shifting chart of the TAP controller 
B. INSTRUCTIONS AND INSTRUCTION REGISTER  
In JTAG operation, there are private and public 
instructions. Private instructions are documented by the chip 
manufacturers and available for general users, but not for 
public instructions. As shown in table 1. OR1200 
microprocessor uses 4-encoding method to achieve the 
EXTEST, SAMPLE_PRELOAD, IDCODE, CHAIN_SELEC 
T, INTEST ， CLAMP ， CLAMPZ, HIGHZ ， DEBUG, 
BYPASS instructions. 













CHAIN_SELECT is used to select a specific chain. As 
shown in table 2, OR1200 microprocessor also uses 4-
encoding method to achieve the GLOBAL_BS_CHAIN, 
RISC_DEBUG_CHAIN, REHISTER_SCAN_CHAIN, WISH 
BONE_SCAN_CHAIN, RISC_TEST_CHAIN, TRACE_TES 
T_CHAIN chains. In fact, from dbg_top we can find that only 
REHISTER_SCAN_CHAIN, RISC_DEBUG_CHAIN, WISH 
BONE_SCAN_CHAIN are realized. 
TABLE II.  SCAN CHAIN CODING 








C. EXTERNAL DEBUGGING MODULE 
Debugging module is the key module of JTAG interface. 
When the RISC_DEBUG_CHAIN and DEBUG are selected, 
we can complete the OR1200 microprocessor debugging 
operation through writing/reading data registers. The register 
definition of RISC_DEBUG_SCAN_CHAIN is shown in table 
3. 
TABLE III.  THE REGISTER DEFINITION OF RISC_DEBUG_CHAIN 










In ShiftDR state, according to the modes of writing/reading 
that registers request, the data from mainframe are 74-bit 
packaged and shifted-in from TDI. Also the data read from 
OR1200 CPU in previous cycle are shifted-out on TDO. In 
UpdateDR state, the informations from the data registers are 
added to the appropriate pins of the chip and decoded by the 
JTAG interface. Then the control signals are working for 
debugging operation. 
In JTAG interface, six 32-bit debugging registers are 
defined. They are used to control the working status of RISC 
and Dbg_trace. Respectively, RISCOP is used to enable 
breakpoints and stop the operation of OR1200 processor; 
MODER is used to choose the trace mode to execute; TSEL is 
used to set the trigger trace of breakpoints and watchpoints; 
QSEL is used to set qualifications of trace; RECSEL is used to 
read the value of PC and so on. 
D. BUILD-IN DEBUGGING MODULE 
In OpenRISC, the debugging unit is selected by setting the 
DUP of the special purpose register (URP). It is composed by 
the debugging registers and helps the external debugging 
interface to complete debugging. Debugging registers include 
eight pairs of 32-bit debugging value registers (DVR0-7) and 
debugging control registers (DCR0-7). DVR is used to set the 
addresses and data value of watchpoints and breakpoints. The 
low 8-bit of DCR is used to fetch, load and storage the 
effective addresses and data. DMR1 and DMR2 are debugging 
mode registers For DMR1, the low 20-bit is used to produce 
hardware breakpoint conditions. 22-bit and 23-bit are used 
respectively for single-step (ST) and Jump-debug (BT); DMR2 
is used to realize the combination of watchpoints and counters. 
Each match of the watchpoints to debugging watchpoint 
counting registers (DWCR0 or DWCR1) makes the counter be 
increased by 1. When the times of match reach the default 
value, a breakpoint is generated. Debugging stop register (DSR) 
is used to set abnormal situations which happened to suspend 
the implementations of processor. Debugging reason register 
(DRR) is used to note the reasons of the flow stopping. 
III. SOFTWARE ARCHITECTURE  
A. JTAG AGREEMENT SUPPORT  
The host debugger is mainly used to visit and handle the 
source-file and symbol-table. Then the debugging requests are 
formed and sent to JTAG debugging agent server. Due to 
open-source and powerful features, GDB is used as the host 
debugger in this design. In GDB debugging, firstly, all the 
target agreements supported are abstracted as debugging goals 
(target). Also a few of key concepts are defined. Target_structs 
is an array which is used to store all the targets: Target_opts is 
a structure which is used to record all the characteristics and 
the operation of each target; Target_stack is a target stack 
which is used to point to the current target; Dummy_target is 
the bottom of the stack. The target in dummy_target is pushed 
into target_stack when GDB is initialized. During debugging, 
GDB uses “target” to adopt different debug modes. And the 
accomplishment of debugging on the target system relies on 
the realization of functions defined in target_opt. The flow 
chart of the achievement of JTAG agreement support on 
OR1200 is shown in figure 3. 
 
Figure 3.  The main flow chart of JTAG achieve for GDB 
As shown in figure 3, all remote debugging of GDB is 
defined in Remote-xxx. For OR1200, firstly simulate, jtag and 
dummy agreements are defined in remote-or1k.c. Secondly, 
or1k_jtag_ops which contains operation of JTAG agreement is 
initialized in _initialize_remote_or1k. The or1k_jtag_ops is 
pushed into target_structs by calling add_target in target.c. Till 
now the JTAG target is loaded successfully. When target 
command is running, push_target is called to push 
or1k_jtag_ops into target_stack. Meanwhile update_current_ 
target is called to update the current_target. And finally, GDB 
completes the corresponding debugging tasks through carring 
out the functions which target_ops points to. 
B. DEBUGGING AGENT SERVER IMPLEMENTATION  
The debugging agent server is the simplified intermediate 
software. On one hand, it builds the connection and 
communication with the host GDB. On the other hand, it 
monitors the process of target programs. JP1, which is 
mentioned above, is the core of the software. It is used to build 
debugging agent server. The main flow chart of JP1 is shown 
in figure 4. 
 
Figure 4.  The flow chart of jp1. 
For OR1200, firstly, JP1 calls jtag_cables of jp_io.c in 
jp_init_cable to define four-cable modes such as rtl_sim, vpi, 
xpc3 and xess, according to JTAG agreement and the method 
of communication between parallel port and JTAG cable. 
Users can also define one’s own cables. Such as re-
configuration of the four-pin of xpc3 makes the cable for our 
own use. Secondly, JP1 calls jtag_set_chain in jtag_init to set 
the scan_chains, according to the operation of TAP controller. 
In jtag_set_chain the pins of the state machine are set by 
calling jp1_write_jtag. At the same time, the instructions and 
data of target are read and wrote respectively by calling 
jtag_write_reg, jtag_read_reg. After comparing the value of 
the output and expected output, the jtag communication is 
verified. Then JP1 calls GetServerSocket to get 
communication protocol and establish TCP/IP connection. 
JTAGRequest, GDBRequest in HandleServerSocket are called 
to handle debugging processes. In GDBRequest, gdb_read is 
called to fetch the debug commands from target. And then 
parses are done in light of debug commands to achieve the 
debugging on the target. 
IV. IMPLEMENTATION 
In the hardware design of the debugging system, the 
debugging module described in Verilog is embedded in the 
OR1200 processor. It succeeds with Modelsim simulation and 
is verified by Xilinx FPGA emulation. Part of waveform of the 
external interface module simulation is given in figure 5. 
 
Figure 5.  The waveform of dbg_top simulation 
As shown in figure 5, When the system is reset, we set 
RISC_DEBUG_CHAIN and DEBUG as default. Then we 
control the TMS to let scan_chain step into ShiftDR. After 74-
cycle the data are completely shifted-in data registers 
(JTAG_DR_IN) from TDI. In UpdateDR, the data of 
JTAG_DR_IN are sent to processor through the pins of 
risc_addr_o and risc_data_o. Bp_i is the pin used for 
breakpoints inputting. The break debugging is realized by the 
signal sent from Bp_i to risc_stall_o. 
In software, OpenRISC1200 has a perfect development 
environment and operating system support. They provide a 
wealth of Toolchain which allows users to facilitate the core’s 
compiling, linking and debugging. Firstly, we download the 
gcc.3.4.4, binutils-2.16.1, gdb-5.3[6] for compiling, linking 
and debugging. Secondly, we amend the code of board.h and 
ram.ld to set the serial baud rate, stack size, memory map and 
so on to be compatible with the system. Then we connect the 
host computer and target with JTAG cable and run JP1 
program. Expected results should be presented at serial 
terminal before we can debug the program. After a series of 
debugging operation, the Serial Terminal displays “hello 
world” correctly. The feasibility of the entire system is 
completely verified. 
V. CONCLUSION 
In this paper, the principle of debugging system of OR1200 
processor is researched both on the hardware and the software. 
On the hardware, main interface modules are designed and 
verified. On the software, the GDB support of JTAG 
agreement and debugging agent server are achieved. 
Application which works on debugging system has made 
satisfactory results. With the open-source of the OpenRISC, 
this system is simple, universal and highly extensible. So it can 
provide a practical platform for the further development. 
ACKNOWLEDGMENT 
This work is supported by the Program for science and 
technology of Fujian Province (2005H088) and the Program 
for New Century Excellent Talents in University. 
REFERENCES 
 
[1] LIU Jun, GUO Li, ZHENG Dongfei, BAI Xuefei, “Comparison and 
Analysis of Open-Source 32-bit RISC Processor IP Core,” Chinese 
Journal of Eectron Devices, vol. 28, pp.850-854, Dec. 2005. 
[2] WANG Benfeng, RONG Mengtian, LIU Weidong, “Implementation of 
MP3 Decoder in Openrisc Developing System,” Computer Engineering,  
3rd ed., vol. 31, No.11, pp. 205-207, June 2005. 
[3] Liu Zhigang, He Qianhua, Li Tao, “An OpenRISC1200-based SoC 
Design of Speech Recognizer,” ELECTRONIC ENGNEER, vol. 31, 
No.2, pp.27-29, Feb.2005. 
[4] Muhammad Bilal, Shahid Masud, “Efficient Color Space Conversion 
using Custom Instruction in a RISC Processor,” IEEE International 
Symposium on Circuits and Systems, pp.1109-1112, May 2007. 
[5] IEEE Standard Test Access Port and Boundary-Scan Architecture(IEEE 
1149.1-2001), IEEE, June 2001. 
[6] http://opencores.org/browse.cgi/by_category.
 
