Design and implementation of an IEEE 1149.7-compliant cJTAG Controller for Debug and Trace Probe by Cabral, Carlos Javier
Copyright
by
Carlos Javier Cabral
2012
The Report Committee for Carlos Javier Cabral
certifies that this is the approved version of the following report:
Design and Implementation of an IEEE
1149.7-Compliant cJTAG Controller for Debug and
Trace Probe
APPROVED BY
SUPERVISING COMMITTEE:
Nur Touba, Supervisor
Mark McDermott
Design and Implementation of an IEEE
1149.7-Compliant cJTAG Controller for Debug and
Trace Probe
by
Carlos Javier Cabral, B.S.E.E., B.A.
REPORT
Presented to the Faculty of the Graduate School of
The University of Texas at Austin
in Partial Fulfillment
of the Requirements
for the Degree of
MASTER OF SCIENCE IN ENGINEERING
THE UNIVERSITY OF TEXAS AT AUSTIN
December 2012
Dedicated to my wife Hilda and daughters Carolina and Leila.
Design and Implementation of an IEEE
1149.7-Compliant cJTAG Controller for Debug and
Trace Probe
Carlos Javier Cabral, M.S.E.
The University of Texas at Austin, 2012
Supervisor: Nur Touba
Debugging and testing today’s complex processors and embedded sys-
tems provides many challenges. A Debug and Trace Probe with a standard
interface to Target Systems (TS) can be used to debug and test both hardware
and software components in complex systems. With a debug and trace probe
information regarding the operation of the system can be obtained and ana-
lyzed to understand how the system is functioning and where problems may
lie. This report presents an IEEE 1149.7-compliant cJTAG Controller design
and implmentation for use in a Debug and Trace System (DTS).
v
Table of Contents
Abstract v
List of Tables viii
List of Figures ix
Chapter 1. Introduction 1
1.1 Design of cJTAG Controller for Wyvern Debug and Trace Hard-
ware Probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 2. IEEE 1149.7 Standard Overview 4
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 IEEE 1149.7 Organization . . . . . . . . . . . . . . . . . . . . 5
2.3 Class T0 - Legacy Compliance . . . . . . . . . . . . . . . . . . 8
2.4 Class T1 - Commands and Registers . . . . . . . . . . . . . . . 9
2.5 Class T2 - Super Bypass Scan Formats . . . . . . . . . . . . . 11
2.6 Class T3 - Star-4 Topology and Direct Addressability . . . . . 12
2.7 Class T4 - 2-Pin Scan Formats . . . . . . . . . . . . . . . . . . 13
2.8 Class T5 - Non-Scan Data Transfers . . . . . . . . . . . . . . . 15
Chapter 3. Architecture 16
3.1 Signals and Interfaces . . . . . . . . . . . . . . . . . . . . . . . 17
3.1.1 Clocks and Reset Interface . . . . . . . . . . . . . . . . 17
3.1.2 Input and Output FIFO Interface . . . . . . . . . . . . 18
3.1.3 TAP.7 (cJTAG) Interface . . . . . . . . . . . . . . . . . 18
3.1.4 Mode and Status Registers Interface . . . . . . . . . . . 19
3.2 Command Control Block . . . . . . . . . . . . . . . . . . . . . 21
3.2.1 GOTO TLR Command . . . . . . . . . . . . . . . . . . 23
3.2.2 GOTO RTI Command . . . . . . . . . . . . . . . . . . . 24
vi
3.2.3 SEND IR Command . . . . . . . . . . . . . . . . . . . . 24
3.2.4 SEND DR Command . . . . . . . . . . . . . . . . . . . 26
3.2.5 RAW JTAG Command . . . . . . . . . . . . . . . . . . 26
3.2.6 SEND ZBS Command . . . . . . . . . . . . . . . . . . . 27
3.2.7 SEND ESCAPE Command . . . . . . . . . . . . . . . . 28
3.2.8 Command State Machine . . . . . . . . . . . . . . . . . 28
3.3 Extended Protocol Unit (EPU) . . . . . . . . . . . . . . . . . 30
3.3.1 Zero-bit-scans (ZBS) and Control Levels . . . . . . . . . 32
3.3.2 TAP.7 Global Registers . . . . . . . . . . . . . . . . . . 33
3.3.2.1 Exit Control Level Register (ECL) . . . . . . . 33
3.3.2.2 Suspend Register (SUSPEND) . . . . . . . . . . 34
3.3.2.3 ZBS Detect Inhibit Register (ZBSINH) . . . . . 34
3.3.2.4 Scan Format Enable (SCNFMT) . . . . . . . . 35
3.3.3 TAP.7 Command Generation . . . . . . . . . . . . . . . 35
3.4 Advanced Protocol Unit (APU) . . . . . . . . . . . . . . . . . 36
Chapter 4. Implementation 39
4.1 Verification and Simulation . . . . . . . . . . . . . . . . . . . . 39
4.2 Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.3 Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Chapter 5. Conclusion 44
5.1 Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Bibliography 46
vii
List of Tables
3.1 Clock and Reset Interface . . . . . . . . . . . . . . . . . . . . 18
3.2 Input and Output FIFO Interface . . . . . . . . . . . . . . . . 19
3.3 cJTAG Interface . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.4 Mode and Status Registers Interface . . . . . . . . . . . . . . 21
3.5 cJTAG Commands . . . . . . . . . . . . . . . . . . . . . . . . 22
3.6 cJTAG Command Fields . . . . . . . . . . . . . . . . . . . . . 23
3.7 Command State Machine (CMDSM) State Descriptions . . . . 31
3.8 TAP.7 Global Control Registers . . . . . . . . . . . . . . . . . 33
3.9 ECL Register . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.10 SUSPEND Register . . . . . . . . . . . . . . . . . . . . . . . . 34
3.11 ZBSINH Register . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.12 SCNFMT Register . . . . . . . . . . . . . . . . . . . . . . . . 36
viii
List of Figures
1.1 System-Level Block Diagram . . . . . . . . . . . . . . . . . . . 2
2.1 Adaptation of 1149.1 to 1149.7 [6] . . . . . . . . . . . . . . . . 5
2.2 1149.7 Capability Classes and Operation [2] . . . . . . . . . . 7
2.3 Functional Units of 1149.7 Architecture [2] . . . . . . . . . . . 8
2.4 IEEE 1149.1 Scan Architectures [2] . . . . . . . . . . . . . . . 9
2.5 Zero-bit Scan Sequence A [2] . . . . . . . . . . . . . . . . . . . 10
2.6 Zero-bit Scan Sequence B [2] . . . . . . . . . . . . . . . . . . . 11
2.7 Star-4 Scan Topology [6] . . . . . . . . . . . . . . . . . . . . . 12
2.8 2-Pin OScan1 Packet Format [2] . . . . . . . . . . . . . . . . . 14
2.9 Star-2 Scan Topology [6] . . . . . . . . . . . . . . . . . . . . . 14
3.1 cJTAG High-Level Block Diagram . . . . . . . . . . . . . . . . 17
3.2 Command Register Definition for GOTO TLR and GOTO RTI 24
3.3 Command Register Definition for SEND IR and SEND DR . . 25
3.4 Command Register Definition for RAW JTAG . . . . . . . . . 27
3.5 Command Register Definition for SEND ZBS . . . . . . . . . 27
3.6 Command Register Definition for SEND ESCAPE . . . . . . . 28
3.7 Command State Machine . . . . . . . . . . . . . . . . . . . . . 29
3.8 TAP.7 Command Generation [2] . . . . . . . . . . . . . . . . . 37
4.1 GOTO TLR Sequence Simulation . . . . . . . . . . . . . . . . 40
4.2 GOTO RTI Sequence Simulation . . . . . . . . . . . . . . . . 40
4.3 SEND ZBS Sequence Simulation . . . . . . . . . . . . . . . . . 41
4.4 Timing Report . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.5 Area Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
ix
Chapter 1
Introduction
Following Moore’s law, the scale of IC’s in the semiconductor industry
has doubled every 18 months such that devices in today’s computers and elec-
tronic appliances contain many millions of transistors [7]. Contributing to the
complexity of today’s products are multi-core and multi-chip devices. These
products are becoming more difficult to debug and test. In addition, as the
hardware becomes more complex, so too does the software that accompanies
these embedded systems. Debug and Trace Systems (DTS) are used to help
debug and test both hardware and software [5].
1.1 Design of cJTAG Controller for Wyvern Debug and
Trace Hardware Probe
The subject of this paper is the design and implmentation of an IEEE
1149.7 cJTAG Controller to be used in a DTS probe. The Wyvern Debug and
Trace Hardware Probe is a hardware system from Freescale Semiconductor
that provides a run-control platform that facilitates debug, trace analysis and
testing of Target Systems (TS) [4]. Although the Wyvern platform supports
various interfaces and trace mechanisms, the focus of the cJTAG Controller
is the serial JTAG debug interface used in the probetip that connects to the
1
TS. The cJTAG Controller is implemented in an FPGA inside the Wyvern
probe and interfaces with the firmware through a pair of FIFO’s. The firmware
sends commands to the cJTAG Controller through an input FIFO. The cJTAG
Controller reads the specified commands from the FIFO and carries out the
operation. Write data to be transferred to the TS is similarly communicated
through the input FIFO. An output FIFO is used to make read data available
to the firmware. When the cJTAG Controller receives read data from the TS,
it writes it to the output FIFO which the firmware accesses to read the data.
A high-level diagram of the FIFOs and cJTAG Controller within the Wyvern
platform can be seen in Figure X.
The IEEE 1149.7 Compliant JTAG Controller (cJTAG Controller) serves
as the Debug and Test System (DTS) link between firmware on the Wyvern
Debug and Trace Hardware Probe and the Target System (TS) connected to
the JTAG interface of the probetip. The high-level block diagram of the sys-
tem in Figure 1.1 shows how the cJTAG Controller is integrated in the overall
system.
Wyvern Mainboard
EthernetHost Freescale
MPC8572
CPU
cJTAG
Controller
(FPGA)
Debug and Test System (DTS)
Customer
Target
Target System (TS)
cJTAG
Pro
bet
ip
Figure 1.1: System-Level Block Diagram
2
Although the cJTAG Controller was designed to be a generic IEEE
1149.7-compliant cJTAG Controller, it was initially developed to interface with
a specific Freescale product. As such, it’s level of support of the IEEE 1149.7
standard is specifically linked to the level of support of the Target System.
Since the TS supports up to the T3 class of the IEEE 1149.7 standard, so too
does the cJTAG Controller design being presented here. However, in order to
facilitate future enhancements, the architecture of the cJTAG Controller was
designed and partitioned to allow for an easy upgrade path to higher levels of
support classes.
3
Chapter 2
IEEE 1149.7 Standard Overview
2.1 Introduction
The IEEE 1149.7 standard is a specification that improves upon the
IEEE 1149.1 standard, commonly referred to as JTAG (Joint Test Action
Group), for testing and debugging chips on boards. The purpose of 1149.7 is
to meet an expanding set of challenges facing debug and test systems while
preserving the hardware and software investments of the community currently
using the 1149.1 standard [2]. As such, 1149.7 builds upon 1149.1 and is
a superset rather than a replacement for JTAG. In fact, one can leverage
existing 1149.1 intellectual property and introduce 1149.7 support through
the introduction of adapters. Figure 2.1 illustrates how an 1149.7 adapter can
be used to provide an upgrade path from 1149.1 to 1149.7.
The 1149.7 standard uses the same pins from the 1149.1 standard, but
renames them to TCKC, TMSC, TDIC and TDOC in order to indicate that
there is additional 1149.7 functionality associated with them. While adopting
the 1149.1 architecture, the 1149.7 standard offers reduced pins and enhanced
functionality. The reduced pin count refers to reducing the number of pins in
some modes from the 1149.1 standard four pins (TCK, TMS, TDI and TDO)
4
Figure 2.1: Adaptation of 1149.1 to 1149.7 [6]
to two pins (TCKC and TMSC). Because of this feature, the 1149.7 standard
is sometimes referred to as Compact JTAG, or cJTAG. In addition to the
reduction of pins, enhanced functionality includes the support of multiple on-
chip embedded TAP controllers, support for star topologies, and additional
scan formats that improve efficiency while transferring non-scan data.
2.2 IEEE 1149.7 Organization
The IEEE 1149.7 standard is defined by three types of operation de-
livered with six TAP.7 capability classes [2]. The term ”TAP.7” refers to a
TAP (Test Access Port) that provides 1149.7-specified behavior. The three
types of operation are legacy, extended and advanced while the six capability
classes are labeled T0-T5. The multiple capability classes allow for various
5
levels of compliance that can be adapted as appropriate for the target imple-
mentation. For example, if a specific product will not require non-scan data to
be transferred, which is introduced in class T5, it can instead conform to class
T0 through T4 compliance and utilize the enhanced features of those classes
which may be more useful for it’s intended application.
In legacy operation a TAP.7 supports 1149.1-compliant functionality.
Legacy operation is supported by all six capability classes and allows the 1149.7
standard to be adapted to existing IP at a low cost.
Extended operation is introduced in classes T1 through T3 and pro-
vides additional functionality through 1149.1-non-disruptive behavior. Zero-
bit-scans (ZBS) and escape sequences, which use the legacy 1149.1 protocol
but do not affect 1149.1 behavior, are used to introduce 1149.7 commands and
registers. Zero-bit-scans (ZBS) are performed by traversing the TAP state
machine through benign scan sequences. Similarly, escape sequences are com-
municated by controlling the TCK and TMS signals without disrupting 1149.1
functionality. These operations are described in more detail in the subsequent
sections describing the corresponding capability classes.
Advanced operation is introduced in classes T4 through T5 where scan
and non-scan sequences are supported using the reduced two-pin interface.
These operations are not compliant with the legacy 1149.1 protocol. Figure
2.2 shows the relationship between the 1149.7 capability classes and modes of
operation.
6
Figure 2.2: 1149.7 Capability Classes and Operation [2]
The 1149.7 standard is configurable based on capability classes and
is implemented using specific functional units that are introduced with these
classes. The primary functional units are: Reset and Selection Unit (RSU),
Extended Protocol Unit (EPU), and Advanced Protocol Unit (APU). Figure
2.3 shows an abstract view of the functional units in the 1149.7 architecture.
The RSU provides reset and TAP.7 clock control functions. It is an optional
unit for classes T0-T2, but is required for classes T3 and higher. The EPU
provides an IEEE 1149.1 interface for the T1-T3 TAP.7s. It is required for
classes T1 and above. The APU provides a T4-T5 TAP.7 interface that is either
narrow or wide, with the wide version providing an IEEE 1149.1 interface. It
is required for classes T4 and T5 [2].
7
Figure 2.3: Functional Units of 1149.7 Architecture [2]
2.3 Class T0 - Legacy Compliance
Class T0 is intended to provide backwards compatibility for 1149.1
IP. By adopting Class T0 compliance older IP’s developed with the 1149.1
protocol can be integrated with newer IP’s implementing 1149.7 functionality.
In addition, Class T0 formalizes the use of the 1149.1 protocol for chips with
multiple TAP’s which violates the IEEE 1149.1 standard. The IEEE 1149.7
defines the use of the 1149.1 protocol with chips that have multiple TAP’s
in various scan architectures. It is common now for many chips to contain
multiple cores and sub-blocks that contain individual TAP’s which are chained
together so that they can be accessible using the same chip TAP interface.
Figure 2.4 illustrates one of the variants of the 1149.1 standard which is now
formally defined in the 1149.7 standard.
8
Figure 2.4: IEEE 1149.1 Scan Architectures [2]
2.4 Class T1 - Commands and Registers
Class T1 inherits the T0 functionality as mandatory and introduces
key functions that serve as the foundation of the 1149.7 standard. The EPU
functional unit is introduced in this class. T1 provides extended operation
capability through the use of 1149.1-non-destructive sequences as a means to
access 1149.7 commands and registers. Zero-bit DR scan (ZBS) sequences are
used to enter defined control levels. Figures 2.5 and 2.6 illustrate the two
paths that accomplish a ZBS sequence.
It’s important to note that the ZBS sequences traverse the 1149.1 TAP
state machine DR path without going through the Shift-DR state. Avoiding
the Shift-DR state allows ZBS sequences to not disrupt normal 1149.1 system
behavior. The number of ZBS sequences establishes a ZBS count. When the
9
Figure 2.5: Zero-bit Scan Sequence A [2]
ZBS count reaches at least zero and the non-zero-bit DR scan is completed,
then the ZBS count is locked. The locked ZBS count specifies the control level.
At control level 2 1149.7 commands are recognized without the use of the TDI
and TDO pins by counting the number of TCK ticks in the Shift-DR state
for the two scans that immediately follow the completion of the ZBS scans
[6]. These commands allow access to 1149.7 registers that are used to control
1149.7 functionality.
10
Figure 2.6: Zero-bit Scan Sequence B [2]
2.5 Class T2 - Super Bypass Scan Formats
Class T2 is a superset of T1 and inherits all mandatory functions asso-
ciated with the T1 class. In addition, the T2 class introduces the concept of
”Super Bypass”. The ”Super Bypass” feature provides a one-bit chip bypass
for both IR and DR scans [2]. This can significantly shorten scan paths when
the Debug and Test System (DTS) is not interested in a particular chip-level
tap. In addition, the scan mode where the chip-level TAP is bypassed can be
configured to be active during startup to provide hot-plug connectivity since
it permits live connection or disconnection of the TAP.7 signals.
11
2.6 Class T3 - Star-4 Topology and Direct Addressabil-
ity
The T3 class inherits all of the T0-T2 mandatory features and intro-
duces a new Star-4 scan topology. The Star-4 topology allows a DTS to con-
nect directly to multiple chip-level TAP.7’s. Figure 2.7 illustrates a Star-4 scan
topology with four separate chip-level TAP.7s. The ”4” in the Star-4 topology
refers to the four required TAP signals. This is topology is also referred to as
Wide Star as opposed to the Narrow Star topology introduced in the T4 class
which utilizes the reduced two-pin interface.
Figure 2.7: Star-4 Scan Topology [6]
The Star-4 scan topology offers shorter and more efficient scan shifts
since chip-level TAPs that are not of interest can be excluded without external
glue logic. In order for this topology to work the DTS needs to be able to
directly address a specific TAP.7 and park the rest of the TAP.7s in either the
12
Pause-IR or Pause-DR states. Direct addressability is accomplished through
escape sequences and Scan Selection Directives (SSD). The RSU functional
block is mandatory in this class since it’s responsible for generating the escape
sequences. Escape sequences are created by counting the number of TMSC
edges while TCKC is held high. The edge count determines what action will
be taken.
2.7 Class T4 - 2-Pin Scan Formats
The T4 class introduced 1149.7 functionality that corresponds to Ad-
vanced operation. The T4 class inherits all lower capability class mandatory
features and requires the APU functional unit to manage the additional fea-
tures. The main innovation introduced with the T4 class is the reduced 2-pin
interface. With the 2-pin scan interface only the TCKC and TMSC pins are
used. In this reduced pin interface the TMSC pin is bi-directional since it
carries both traditional TDI data from the DTS to the Target System (TS)
as well as traditional TDO data from the TS to the DTS. With the T4 class
additional scan formats are used to packetize scan data onto just two pins,
TCKC and TMSC. With the 2-pin interface data is transferred in both direc-
tions, from the DTS to the TS and from the TS to the DTS. An image of one
of the scan formats can be seen in Figure 2.8.
Also, with the 2-pin interface a new Star-2 scan topology can be ac-
complished. In this topology the DTS connects to multiple chip-level TAP.7s,
but it does so with only the two pins. This topology is also referred to as
13
Figure 2.8: 2-Pin OScan1 Packet Format [2]
Narrow Star scan topology. A high-level view of the Star-2 scan topology is
show in Figure 2.9.
Figure 2.9: Star-2 Scan Topology [6]
14
2.8 Class T5 - Non-Scan Data Transfers
The T5 class further expands on the T4 advanced capabilities by in-
troducing the ability to transfer non-data information. Through additional
scan formats non-scan data such as background instrumentation data and/or
custom protocol data can be transferred. These new formats can be useful for
logging purposes and for improving applications debug.
15
Chapter 3
Architecture
The cJTAG Controller is responsible for taking commands from firmware
via two software-accessible FIFO’s and translating the commands into TAP.7
scan accesses on the cJTAG pins. The cJTAG Controller follows a similar
organizational structure as that described in the 1149.7 specification by im-
plementing sub-blocks that serve the same, or similar, functions as the EPU
and APU functional units. Figure 3.1 is a high-level block diagram of the
cJTAG Controller that shows how the design is organized.
During normal operation software initiates cJTAG transactions by writ-
ing to the FIFO Data Register in the FPGA which in turn writes commands
and data to the input FIFO. These commands are taken from the Input FIFO
and communicated to the EPU and APU blocks. If the command is for an
escape sequence, the Command Control block will mask the TCKC signal by
holding it high while the TMSC signal transitions to generate the specified
number of edges. All non-escape sequence commands will be processed by
the EPU and APU blocks. The EPU updates the cJTAG Controller’s copy of
1149.7 Global registers when they are addressed by the scan sequence. The
APU block receives the scan sequence from the Command Control block and
16
Co
mm
an
d C
on
tro
l
Input FIFO
Output FIFO APU
Command and
Write Data
TAP.7 Global
Class-Specific
Registers
EPU
FPGA JTAG
Mode and Status
Registers
cJTAG Controller
cJTAG
Interface
FPGA (DTS)
TS
Read Data
JTAG
Interface
TAP State Machine
Protocol
Converter Mux
Figure 3.1: cJTAG High-Level Block Diagram
is responsible for serializing the scan sequence, or bypassing the serialization,
based on the settings specified in the TAP.7 Global Class-Specific registers.
The cJTAG Controller accumulates data shifted in from the TS and writes it
to the output FIFO from where firmware will read the data.
3.1 Signals and Interfaces
3.1.1 Clocks and Reset Interface
The cJTAG Controller receives a global clock and reset signal from
the Global Clock Control unit. The Global Clock Control unit on the FPGA
generates a debug clock based on configuration registers that select a base
17
clock and multiplier factor. The reset signal for the cJTAG Controller is
synchronous to the debug clock. Table 3.1 lists the Clock and Reset interface
for the cJTAG Controller.
Table 3.1: Clock and Reset Interface
Signal I/O Description
debug clock I Global Debug Clock
reset I Synchronous Reset
3.1.2 Input and Output FIFO Interface
The FIFO interface between the cJTAG Controller and the Input and
Output FIFO’s consists of the signals listed in Table 3.2. The cJTAG Con-
troller continues to read commands and data from the Input FIFO by asserting
the in fifo rd signal while the Input FIFO indicates that the FIFO is not empty
through the de-assertion of the in fifo ef signal.
Similarly, the cJTAG Controller writes read data that it receives from
the Target System TDO signal to the Output FIFO by asserting the out fifo wr
signal. As long as the Output FIFO doesn’t assert the out fifo af flag indicating
that it’s almost full, the cJTAG Controller will continue to write data to the
Output FIFO when it’s available.
3.1.3 TAP.7 (cJTAG) Interface
The cJTAG Controller supports the mandatory TAP.7 interface signals
as defined by the IEEE 1149.7 standard. The TAP.7 interface signals sup-
18
Table 3.2: Input and Output FIFO Interface
Signal I/O Description
in fifo ef I Input FIFO Empty Flag
in fifo rd O Input FIFO Read
in fifo data I Input FIFO Data
out fifo af I Output FIFO Almost Full Flag
out fifo wr O Output FIFO Write
out fifo data O Output FIFO Data
ported by the cJTAG Controller are summarized in Table 3.3. The TCKC
signal may be gated by the Command Control block depending on whether
an escape sequence is being transmitted. The TMSC signal is used to se-
quence the TAP state machine. However, in the advanced protocol mode of
the TAP.7 specification it will also be used to transmit TDI data and receive
TDO data from the Target System. With the standard protocol the TDI and
TDO signals will be used to send instructions and data to the Target System
and receive data from the Target System. The TRST signal will be used to
assert a reset condition.
3.1.4 Mode and Status Registers Interface
The FPGA contains a set of mode and status registers that are used to
control and monitor the FPGA hardware. There are only two signals that are
communicated between the cJTAG Controller on the FPGA and the mode and
status registers. This interface can be seen in Table 3.4. The cJTAG Controller
signals when the Input FIFO is empty and there are no more commands to
19
Table 3.3: cJTAG Interface
Signal I/O Description
TCKC O Test Clock
Generated by the cJTAG Controller and signaled
to the Target System.
TMSC O Test Mode Select
Used to sequence the TAP state machine. With
the advanced protocol with a narrow interface, the
test data to and from the Target System is also
serially communicated using the TMSC signal.
TDIC O Test Data In
Used to serially send test and debug instructions
and data to the Target System.
TDOC I Test Data Out
Used to serially receive test data from the Target
System.
TRST O Test Reset
Asynchronous reset signaled to the Target System.
process by asserting the debug done signal. A status register bit will be set
when this scenario occurs.
For timing purposes it may be beneficial to latch the TDO data received
from the Target System on the rising edge of TCK instead of the falling edge.
Software sets a bit in the mode register that is then output to the cJTAG
Controller via the tdo posedge signal to indicate which edge of TCK should
be used to latch the TDO data.
20
Table 3.4: Mode and Status Registers Interface
Signal I/O Description
debug done O Updates status register that the Input FIFO
is empty and the last command is done.
tdo posedge I Indicates that the cJTAG Controller should
latch the TDO data from the Target Sys-
tem on the rising edge of TCK instead of the
falling edge.
3.2 Command Control Block
The Command Control Block is the main block within the cJTAG
Controller. It is primarily responsible for managing the interface to the Input
and Output FIFO’s and generating JTAG scan sequences from the commands
received via the Input FIFO to the other functionals blocks. Additionally, it
is also responsible for updating the FIFO-related status fields in the Status
Register. Table 3.5 describes the supported commands. A more detailed
description of each command will be discussed in subsequent sections.
Each of the commands is 32-bits long and is composed of one or more
command fields. Table 3.6 summarizes the various command fields used to
create the cJTAG commands. Not every command field is applicable to every
command.
21
Table 3.5: cJTAG Commands
Command Description
GOTO TLR Transition the JTAG state machine to the Test-
Logic-Reset state.
GOTO RTI Transition the JTAG state machine from the Test-
Logic-Reset state to the Run-Test-Idle state.
SEND IR Issue a JTAG scan sequence to update the Instruc-
tion Register.
SEND DR Issue a JTAG scan sequence to update a Data Reg-
ister.
RAW JTAG Shift the JTAG state machine explicitly based on
the TMS and TDI information in the command.
SEND ZBS Issue one or more zero-bit-scan sequences.
SEND ESCAPE Issue a JTAG escape sequence by toggling the
TMS signal while holding the TCKC signal high.
22
Table 3.6: cJTAG Command Fields
Command Field Description
Identifies the type of command being issued.
000 GOTO TLR
001 GOTO RTI
COMMAND TYPE[2:0] 010 SEND IR
011 SEND DR
100 RAW JTAG
101 SEND ZBS
110 SEND ESCAPE
NO RTI When set, keep the TAP in the Update-IR
or Update-DR state rather than returning to
the Run-Test-Idle state.
IGNORE TDO When set, the logic will ignore data coming
into the TDO port from the target.
INITIAL COUNT[4:0] Indicates the number of bits to shift for the
first 32-bit word. The number of bits to shift
is the INITIAL COUNT + 1.
COUNT[21:0] Indicates the total number of bits to shift for
the command. The total number of bits to
shift is the COUNT + 1.
3.2.1 GOTO TLR Command
The GOTO TLR command transitions the Target System’s TAP state
machine to the Test-Logic-Reset state by holding the TMS signal high for
five consecutive TCK clock cycles. This command can be issued regardless of
the current state of the TAP state machine. The command definition for the
GOTO TLR command is shown in Figure 3.2.
23
31 29 28 0
Command Type[2:0]
Figure 3.2: Command Register Definition for GOTO TLR and GOTO RTI
3.2.2 GOTO RTI Command
The GOTO RTI command transitions the Target System’s TAP state
machine from the Test-Logic-Reset state to the Run-Test-Idle state by holding
the TMS signal low for one TCK clock cycle. This command requires that the
TAP state machine be in the Test-Logic-Reset state. The command definition
for the GOTO RTI command is shown in Figure 3.2.
3.2.3 SEND IR Command
The SEND IR command is used to issue a JTAG transaction to shift
data to update the Instruction Register in the Target System. Figure 3.3 shows
the command definition for the SEND IR and SEND DR commands. The
JTAG state machine must be in Run-Test-Idle state before a JTAG transaction
is started. When processing the SEND IR command the Command Control
block will first transition the JTAG state machine to the Shift-IR state. Then
it will continue to read shift data from the Input FIFO and shift it to the
Target System through the TDI signal. During this data shift, the Command
Control block will collect the shift data received on the TDO pin and write
it to the Output FIFO as long as the IGNORE TDO bit is not set for the
command.
24
31 29 28 27 26 22 21 0
Command Type[2:0] NoRTI
Ignore
TDO Initial Count[4:0] Count[21:0]
Figure 3.3: Command Register Definition for SEND IR and SEND DR
The Command Control block will shift the amount of data specified
by the INITIAL COUNT and COUNT fields. The INITIAL COUNT field
indicates the amount of bits to shift in the first data word is used to provide
an optimization for certain types of data shift instructions. For example, there
are certain cases where a data shift may contain a short 4-bit control sequence
followed by a large, aligned data transfer. By allowing the Command Control
block to shift the short control data sequence in the first word, software can
maintain the data alignment for the larger data sequence. If a shorter data
shift with the first word is not required, then a setting of 5’b11111 can be used
in which case all of the bits of the first data word will be sent.
After the amount of data specified by the INITIAL COUNT and COUNT
fields has been sent the Command Control block will then transition the JTAG
state machine to the Update-IR state. Additionally, if the NO RTI bit is not
set, the Command Control block will transition the JTAG state machine from
the Update-IR state to the Run-Test-Idle state.
It’s important to note that the Command Control block will output a
wide JTAG sequence utilizing the TDI and TDO signals. The EPU Block will
use this interface directly to transition it’s TAP state machine and update the
Global TAP.7 registers. However, in the case where the cJTAG Controller is
25
configured to use the narrow, 2-pin interface, the APU will serialize the TMS,
TDI and TDO data using it’s protocol converter. In this case the TDI and
TDO pins will not be used and instead the output and input data will be sent
and received along with the TMS information using the TMSC pin. Section
3.4 describes the APU Block functionality in more detail.
3.2.4 SEND DR Command
The SEND DR command is very similar to the SEND IR command.
However, instead of sending Instruction Register data, the Command Control
block will send Data Register information. Instead of transitioning through the
Shift-IR and Update-IR states of the TAP state machine, the Command Con-
trol Block will transition through the Shift-DR and Update-DR states. The
command definition for the SEND DR command is the same as the command
definition for the SEND IR command and can be seen in Figure 3.3.
3.2.5 RAW JTAG Command
The RAW JTAG command is used to explicitly send JTAG sequences
to the Target System. Figure 3.4 shows the RAW JTAG command definition
as well as the TMS and TDI data partitioning in the RAW JTAG data that
will be read from the Input FIFO. The Command Control block receives 16
bits each of TMS and TDI data in each data word from the Input FIFO. One
bit of TMS and one bit of TDI data will be shifted out to the Target System
for each cycle of the total shift count specified in the COUNT field. It is
26
important for software to carefully manage use of the RAW JTAG command
to ensure that the TAP state machine ends up in a valid state before issuing
additional commands.
31 29 28 27 26 22 21 0
Command Type[2:0] IgnoreTDO Count[21:0]
31 16 15 0
TMS[15:0] TDI[15:0]
Figure 3.4: Command Register Definition for RAW JTAG
3.2.6 SEND ZBS Command
The SEND ZBS command is used to issue zero-bit DR scans (ZBS).
Figure 3.5 shows the SEND ZBS command definition. A zero-bit DR Scan
(ZBS) is a TAPC state sequence that begins with the Select-DR-Scan state
and ends with an exit from the Update-DR state without an intervening Shift-
DR state [2]. ZBS sequences are used by the cJTAG Controller to generate
TAP.7 commands through the use of the EPU Block. The EPU Block is
described in more detail in Section 3.3. The number of ZBS scan sequences is
specified by the COUNT field and cannot exceed seven.
31 29 28 27 3 2 0
Command Type[2:0] NoRTI Count[2:0]
Figure 3.5: Command Register Definition for SEND ZBS
27
3.2.7 SEND ESCAPE Command
The SEND ESCAPE command is used to issue escape sequences to the
Target System. Figure 3.6 shows the SEND ESCAPE command definition.
An escape sequence is created by counting the number of TMSC edges while
TCKC is held high. The edge count has a meaning and determines what
action will be taken. The number of TMSC edges to send is indicated by the
COUNT field. TMSC edge counts greater than or equal to eight have the same
meaning.
31 29 28 4 3 0
Command Type[2:0] Count[3:0]
Figure 3.6: Command Register Definition for SEND ESCAPE
3.2.8 Command State Machine
The Command Control block processes commands from the Input FIFO
by utilizing the Command State Machine (CMDSM). The CMDSM is de-
scribed in Figure 3.7 and Table 3.7. The CMDSM waits in the IDLE state
for new commands to be available in the Input FIFO. When a new com-
mand is available in the Input FIFO then the state machine transitions to
the READ CMD state and the cJTAG Controller asserts the read signal to
the Input FIFO. The state machine then transitions to the DECODE CMD
state where the new command is decoded. The CMDSM will then transition
into one of the other states depending on the command type. If the com-
28
mand is a SEND IR or SEND DR command, then the CMDSM transitions to
the PRE DATA state. The PRE DATA state is used to transition the Target
System’s TAP state machine to either the Shift-IR or Shift-DR states. After
the TAP state machine is transitioned to the Shift-IR or Shift-DR state, the
CMDSM transitions to the DATA state.
Idle
Pre-
Data
Data
Post-
Data
Wait for
new command
Decode
Cmd
Capture
Cmd
Read
Cmd
SEND_xR command
RAW_JTAG
commandTransition TAPto Shift xR state
Done transitioning
TAP to Shift xR state
Fetch and shift
RAW_JTAG or
xR data
Done
shifting
RAW_JTAG
data
Done shifting
xR data
Transition TAP
to final state
(TLR, RTI, or,
Update xR)
GOTO_TLR,
GOTO_RTI,
SEND_ZBS, or
SEND_ESCAPE
command
Done
trans-itioning
TAP
New command
available
Assert read
to Input FIFO
Capture new
command in
register
Figure 3.7: Command State Machine
The Instruction Register or Data Register data is shifted to the TS from
the DATA state. If a RAW JTAG command is received by the CMDSM in the
IDLE state, then it transitions to the DATA state directly since the Target
29
System’s TAP does not need to be transitioned to one of the Shift states. For
RAW JTAG commands in the DATA state the TMS and TDI information in
the command is shifted serially to the Target System. If the command doesn’t
indicate that the TDO information should be ignored, then the Output FIFO
will be written with the TDO shift data received from the Target System when
the CMDSM is in the DATA state. The RAW JTAG command is complete
once all of the TMS and TDI information is shifted to the Target System.
However, the SEND IR and SEND DR commands are not complete until the
Target System’s TAP state machine is transitioned to either the Update-DR,
Update-IR or Run-Test-Idle state. So, for these transactions, the CMDSM
will transition to the POST DATA state once all of the shift data has been
transferred.
The SEND ZBS and SEND ESCAPE commands don’t require data
shifts so they cause the CMDSM to transition to the POST DATA state di-
rectly from the IDLE state when they are received from the Input FIFO. In
the POST DATA state the CMDSM will transition the Target System’s TAP
state machine to the appropriate state before the command is complete.
3.3 Extended Protocol Unit (EPU)
The IEEE 1149.7 standard introduces the concept of control levels ac-
cessed via Zero-bit-scans (ZBS). The standard specifies seven control levels
that are used for various functions such as accessing optional TAP.7 scan paths
or forcing offline operation. However, the EPU in the cJTAG Controller is only
30
Table 3.7: Command State Machine (CMDSM) State Descriptions
State Description
IDLE No new command to process.
READ CMD Read a new command from the Input FIFO.
CAPTURE CMD Register the new command.
DECODE CMD Decode the new command.
PRE DATA A new SEND IR or SEND DR command was re-
ceived so transitioning the TAP to either the Shift-
IR or Shift-DR state.
DATA Shifting scan data in the Shift-IR or Shift-DR
states for either a SEND IR or SEND DR com-
mand, or explicitly toggling the TMS and TDI
signals for a RAW JTAG command.
POST DATA Transition the TAP to either the TLR or RTI state
for either a GOTO TLR or GOTO RTI command.
Complete other commands by transitioning the
TAP to either the Update-IR, Update-DR or RTI
states as appropriate depending on the setting in
the ”NO RTI” command bit.
concerned with control level two since it is used to generate the TAP.7 com-
mands that update Global class-specific registers. The EPU needs to maintain
local copies of the global registers since these registers dictate how the TAP.7
system operates. For example, one of the global registers, SCNFMT, indicates
the scan format which is needed by the APU to determine how to serialize the
scan packets when it’s protocol converter is not bypassed. Other control level
functions are not applicable to the cJTAG Controller as it’s implemented as
part of a DTS.
31
3.3.1 Zero-bit-scans (ZBS) and Control Levels
The Extended Protocol Unit (EPU) adds functionality to the BYPASS
and IDCODE instructions. As described earlier, a zero-bit DR Scan (ZBS) is
a TAPC state sequence that begins with the Select-DR-Scan state and ends
with an exit from the Update-DR state without an intervening Shift-DR state.
ZBS are issued with the BYPASS and IDCODE instructions since this ZBS
sequence performs no real function with these instructions in a legacy sys-
tem. As the IEEE 1149.7 standard explains, ”these TAPC state sequences
depend on the ability of the IEEE 1149.1 BYPASS and IDCODE instructions
to tolerate the use of capture data as update data during ZBS sequences” [2].
Beginning with a ZBS count of zero, the ZBS count is incremented with each
consecutive occurrence of a ZBS. When a Shift-DR state occurs and the ZBS
count is greater than zero, the ZBS count is locked and a control level equal
to the ZBS count is activated.
Exiting a control level or using a Scan Selection Directive used for a
star scan topology clears the ZBS count. The IEEE 1149.7 standard explains
that a control level is exited when one of the following conditions occur [2]:
• The Select-IR TAP.7 state
• The Test-Logic-Reset TAP.7 state
• Certain TAP.7 controller commands
• An event that synchronizes the operation of the TAP.7 controllers
32
3.3.2 TAP.7 Global Registers
The EPU maintains a set of TAP.7 Global Registers since the infor-
mation contained in the Global Registers are needed by the EPU and APU
blocks to correctly drive scan sequences to the TS. The Global Registers are
updated through TAP.7 commands which are described in Section 3.3.3. A
list of the Global Registers supported by the EPU are listed in Table 3.8. All
other TAP.7 registers not listed in Table 3.8 are not supported by the EPU.
Table 3.8: TAP.7 Global Control Registers
Width Register Mnemonic Name
1 ECL Exit Control Level
1 SUSPEND Suspend
1 ZBSINH ZBS Detect Inhibit
5 SCNFMT Scan Format
3.3.2.1 Exit Control Level Register (ECL)
Storing this register zeroes the ZBS count and unlocks the control level.
This register is set using the Store Miscellaneous (STMC) command. Table
3.9 describes the ECL register.
Table 3.9: ECL Register
Value Description
1 Clear the ZBS count and unlock the control level.
0 Do not exit the control level.
33
3.3.2.2 Suspend Register (SUSPEND)
As opposed to TAP.1 registers which are accessed through IR and DR
scans, the TAP.7 registers are accessed via commands as described in Section
3.3.3. When accessing the Target System’s non-TAP.7 registers the System
Test Logic (STL) Path is used. However, when accessing TAP.7 registers, the
EPU Path is used. Setting the SUSPEND register suspends the use of control
levels. When this register is a logic 1, the ”System Path” (STL) is used. The
SUSPEND register is set with the Store Miscellaneous (STMC) command.
This register is cleared when 8 consecutive ZBSs are detected without the
locking of the ZBS count. Table 3.10 describes the SUSPEND register.
Table 3.10: SUSPEND Register
Value Description
1 Suspend use of control levels. Enables System Path.
0 Enable use of control levels.
3.3.2.3 ZBS Detect Inhibit Register (ZBSINH)
Storing to ZBSINH inhibits ZBS detection. The ZBSINH register is
set with the Store Miscellaneous (STMC) command. Table 3.11 describes the
ZBSINH register.
34
Table 3.11: ZBSINH Register
Value Description
1 Inhibit ZBS detection.
0 Enable ZBS detection.
3.3.2.4 Scan Format Enable (SCNFMT)
The SCNFMT register specifies the scan format to be used by the
cJTAG Controller. Table 3.12 describes all of the scan formats described by
the IEEE 1149.7 standard and specified through the SCNFMT register. More
information about all of the scan formats can be found in the IEEE 1149.7
standard. The SCNFMT register is set using the Store Scan Format (STFMT)
command. The register is read using Scan String (SCNS) command.
3.3.3 TAP.7 Command Generation
Control level two is used to generate TAP.7 commands. Although the
IEEE 1149.7 standard specifies two-part and three-part commands, the EPU
only supports two-part commands since the three-part commands are used
to access Local TAP.7 registers and the cJTAG Controller only instantiates
Global TAP.7 registers. Once control level two is locked, a TAP.7 command
is generated with two consecutive DR scans that are called Command Part
One (CP1) and Command Part Two (CP2). Each of these DR scans are
five bits long creating a 10-bit command. CP1 represents a 5-bit opcode and
CP2 represents an operand value. Figure 3.8 shows the scan sequence for
35
Table 3.12: SCNFMT Register
Value Description
00000 JScan0.
00001 JScan1.
00010 JScan2.
00011 JScan3.
00100 SScan0.
00101 SScan1.
00110 SScan2.
00111 SScan3.
01000 OScan0.
01001 OScan1.
01010 OScan2.
01011 OScan3.
01100 OScan4.
01101 OScan5.
01110 OScan6.
01111 OScan7.
10000 MScan.
10001-11111 Reserved.
generating commands. Note that the third DR scan used to generate three-
part commands is not supported by the cJTAG Controller’s EPU.
3.4 Advanced Protocol Unit (APU)
The cJTAG Controller was designed to be used with systems that sup-
port the IEEE 1149.7 standard up to class T3. In standard systems an APU
block is responsible for converting parallel scan sequences into the advanced,
narrow format. Although the cJTAG Controller does not currently support
36
Figure 3.8: TAP.7 Command Generation [2]
classes above T3, an APU block is implemented in order to allow an easy path
for future enhancements to support higher classes.
The APU in the cJTAG Controller is responsible for driving the TAP.7
pins to the Target System. It receives a parallel scan sequence from the Com-
mand Control block and, in future implementations, may serialize the data
into a narrow, 2-pin scan sequence if the cJTAG Controller is using the Ad-
vanced protocol. If the Advanced protocol is not being utilized, then the APU
bypasses it’s internal protocol converter and connects the TAP interface from
the Command Control block directly to the TAP.7 interface. If the Advanced
protocol is active, then the protocol converter of the APU relies on the scan
37
format specified in the Global register set to determine how to serialize the
scan data. In the current cJTAG Controller implementation the APU is per-
manently bypassing the protocol converter.
38
Chapter 4
Implementation
The cJTAG Controller design was implemented in Verilog RTL. It was
compiled and tested using the Synopsys VCS tool. The cJTAG Controller was
synthesized using Synopsys Design Compiler using a 180 nm library.
4.1 Verification and Simulation
The design was verified using a Verilog testbench. The testbench gener-
ated stimulus modeling the Input and Output FIFO’s to send commands and
capture data. Synopsys DVE was used to review the output waveforms of the
simulations. Figures 4.1 through 4.3 show the output waveforms for various
simulations where commands were read from the Input FIFO and the JTAG
sequence to the EPU and APU blocks was generated. In Figure 4.1 one can
observe the Input FIFO interface as well as the JTAG interface to the EPU
block when the cJTAG Controller reads a GOTO TLR command. The wave-
form also shows the CMDSM state machine register output, cmdsm cs ff[2:0],
as well as the TAP state machine register output, tapsm cs ff[3:0]. In the
simulation output one can see the CMDSM state machine transition to the
POST DATA state where the appropriate scan sequence is sent on the TCK
39
and TMS ports.
Figure 4.1: GOTO TLR Sequence Simulation
In Figure 4.2 one can observe the cJTAG Controller reading a GOTO RTI
command from the Input FIFO. In this simulation the cJTAG Controller sends
TCK and TMS information for a single cycle in order to transition the TAP
state machine from the Test-Logic-Reset state to the Run-Test-Idle state.
Figure 4.2: GOTO RTI Sequence Simulation
Figure 4.3 shows the simulation output for a SEND ZBS command with
40
a COUNT value of two. In the waveform the TAP state machine transitions
through a ZBS sequence twice. Beginning in the RTI state the state machine
transitions through the Select-DR, Capture-DR, Exit1-DR and Update-DR
states twice. At the end of the sequence, since the NO RTI bit in the command
is not set, the cJTAG Controller further transitions the TAP state machine in
the EPU to the Run-Test-Idle state to complete the command.
Figure 4.3: SEND ZBS Sequence Simulation
4.2 Performance
The target frequency for the cJTAG Controller design is 100 MHz.
The debug clock provided to the cJTAG Controller can either be directly
driven from the processor’s local bus clock, or a multiplied version of the
processor’s local bus clock controlled from the FPGA’s Digital Clock Manager
(DCM). Figure 4.4 lists the output timing report after synthesizing the cJTAG
Controller. It can be seen in the report that the longest path is a flop-to-flop
path that meets the required arrival time for a 100 MHz clock by over 7 ns.
41
Figure 4.4: Timing Report
4.3 Size
Figure 4.5 shows the synthesis area report for the cJTAG Controller.
The report shows that the cJTAG Controller required 162 combinational cells
and 48 sequential cells.
42
Figure 4.5: Area Report
43
Chapter 5
Conclusion
5.1 Design
The cJTAG Controller was successfully designed and tested to meet
compliance with the IEEE 1149.7 standard. The design receives commands
from the software controlled Input FIFO and generates the corresponding scan
sequence via the TAP.7 interface.
5.2 Future Work
The cJTAG Controller was designed to be compliant up to class T3 of
the IEEE 1149.7 standard. Future work can be done to enhance the design
and make it compliant with higher class levels. The partitioning of the design
and allocation of EPU and APU blocks facilitates this future work. The EPU
can be enhanced with support for additional Global registers and the APU can
be enhanced to support additional scan formats, including the narrow, 2-pin
protocol.
The cJTAG Controller was tested through simulations using a Verilog
testbench. Additional work can be done to synthesize the design on the FPGA
in the actual Debug and Test Probe and test it using software driving the actual
44
FIFO’s on the FPGA.
45
Bibliography
[1] IEEE 1149.1-2001 Standard for Test Access Port and Boundary-Scan Ar-
chitecture. IEEE, 2001.
[2] IEEE 1149.7-2009 Standard for Reduced-Pin and Enhanced-Functionality
Test Access Port and Boundary-Scan Architecture. IEEE, 2009.
[3] IEEE Standard 1149.7 (web site). http://grouper.ieee.org/groups/
1149/7/, 2009.
[4] Ken Cecka and Mike Taylor. Wyvern Hardware Platform and Hardware
Specification. Freescale Semiconductor, 2011.
[5] Michael Lindahl, Greenhill Software. Debugging with Hardware Test Data.
ECN, 2005.
[6] Adam W. Ley. Doing More with Less - An IEEE 1149.7 Embedded Tu-
torial: Standard for Reduced-pin and Enhanced-functionality Test Ac-
cess Port and Boundary-Scan Architecture. International Test Conference,
2009.
[7] Laung-Terng Wang, Cheng-Wen Wu, and Xiaoqing Wen. VLSI Test Prin-
ciples and Architectures. Morgan Kaufmann Publishers, 2006.
46
