$ sudo jtag
UrJTAG 0.10 #2017
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors
UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.
warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.
jtag> cable usbblaster
Connected to libftdi driver.
jtag> detect
IR length: 5
Chain length: 1
Device Id: 00110010011010011011010011000001 (0x3269B4C1)
Unknown manufacturer! (01001100000) (/usr/local/share/urjtag/MANUFACTURERS)
jtag> discover
Detecting IR length ... 5
Detecting DR length for IR 11111 ... 1
Detecting DR length for IR 00000 ... 573
Detecting DR length for IR 00001 ... 573
Detecting DR length for IR 00010 ... 32
Detecting DR length for IR 00011 ... 32
Detecting DR length for IR 00100 ... warning: TDO seems to be stuck at 0 -1
Detecting DR length for IR 00101 ... 177
Detecting DR length for IR 00110 ... 19
Detecting DR length for IR 00111 ... 1
Detecting DR length for IR 01000 ... warning: TDO seems to be stuck at 0 -1
Detecting DR length for IR 01001 ... warning: TDO seems to be stuck at 0 -1
Detecting DR length for IR 01010 ... 1
Detecting DR length for IR 01011 ... 1
Detecting DR length for IR 01100 ... 1
Detecting DR length for IR 01101 ... 1
Detecting DR length for IR 01110 ... 1
Detecting DR length for IR 01111 ... 1
Detecting DR length for IR 10000 ... 1
Detecting DR length for IR 10001 ... 32
Detecting DR length for IR 10010 ... 32
Detecting DR length for IR 10011 ... 33
Detecting DR length for IR 10100 ... 33
Detecting DR length for IR 10101 ... 2
Detecting DR length for IR 10110 ... 1
Detecting DR length for IR 10111 ... 1
Detecting DR length for IR 11000 ... 1
Detecting DR length for IR 11001 ... 1
Detecting DR length for IR 11010 ... 1
Detecting DR length for IR 11011 ... 1
Detecting DR length for IR 11100 ... 1
Detecting DR length for IR 11101 ... 1
Detecting DR length for IR 11110 ... 1
jtag> help instruction
Usage: instruction INSTRUCTION
Usage: instruction length LENGTH
Usage: instruction INSTRUCTION CODE REGISTER
Change active INSTRUCTION for a part or declare new instruction.
INSTRUCTION instruction name (e.g. BYPASS)
LENGTH common instruction length
CODE instruction code (e.g. 11111)
REGISTER default data register for instruction (e.g. BR)
jtag> instruction length 5
jtag> help register
Usage: register NAME LENGTH
Define new data register with specified NAME and LENGTH.
NAME Data register name
LENGTH Data register length
jtag> # now we define the registers
jtag> # we don't know their names, so we number them by instruction code instead: REG00, REG01, etc.
jtag>
jtag> register REG31 1
jtag> register REG00 573
jtag> register REG01 573
jtag> register REG02 32
jtag> register REG03 32
jtag> # instruction code 04 (00100) returned -1 (TDO stuck at 0), so we define no register for it
jtag> register REG05 177
jtag> register REG06 19
jtag> register REG07 1
jtag> # instruction code 08 (01000) returned -1 (TDO stuck at 0), so we define no register for it
jtag> # instruction code 09 (01001) returned -1 (TDO stuck at 0), so we define no register for it
jtag> register REG10 1
jtag> register REG11 1
jtag> register REG12 1
jtag> register REG13 1
jtag> register REG14 1
jtag> register REG15 1
jtag> register REG16 1
jtag> register REG17 32
jtag> register REG18 32
jtag> register REG19 33
jtag> register REG20 33
jtag> register REG21 1
jtag> register REG22 1
jtag> register REG23 1
jtag> register REG24 1
jtag> register REG25 1
jtag> register REG26 1
jtag> register REG27 1
jtag> register REG28 1
jtag> register REG29 1
jtag> register REG30 1
jtag>
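jtag> # NOTE(review): REG21 was declared above with length 1, but discover reported DR length 2
jtag> # for IR 10101; "register REG21 2" is the declaration that matches the scan
jtag> # now we define a new instruction for selecting each register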
jtag>
jtag> instruction SEL_REG31 11111 REG31
jtag> instruction SEL_REG00 00000 REG00
jtag> instruction SEL_REG01 00001 REG01
jtag> instruction SEL_REG02 00010 REG02
jtag> instruction SEL_REG03 00011 REG03
jtag> # there is no instruction code 04
jtag> instruction SEL_REG05 00101 REG05
jtag> instruction SEL_REG06 00110 REG06
jtag> instruction SEL_REG07 00000 REG07
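jtag> # NOTE(review): SEL_REG07 above was given code 00000, the same code as SEL_REG00;
jtag> # discover reported this 1-bit register at IR 00111, so 00111 is the code that matches
jtag> # there is no instruction code 08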
jtag> # there is no instruction code 09
jtag> instruction SEL_REG10 01010 REG10
jtag> instruction SEL_REG11 01011 REG11
jtag> instruction SEL_REG12 01100 REG12
jtag> instruction SEL_REG13 01101 REG13
jtag> instruction SEL_REG14 01110 REG14
jtag> instruction SEL_REG15 01111 REG15
jtag> instruction SEL_REG16 10000 REG16
jtag> instruction SEL_REG17 10001 REG17
jtag> instruction SEL_REG18 10010 REG18
jtag> instruction SEL_REG19 10011 REG19
jtag> instruction SEL_REG20 10100 REG20
jtag> instruction SEL_REG21 10101 REG21
jtag> instruction SEL_REG22 10110 REG22
jtag> instruction SEL_REG23 10111 REG23
jtag> instruction SEL_REG24 11000 REG24
jtag> instruction SEL_REG25 11001 REG25
jtag> instruction SEL_REG26 11010 REG26
jtag> instruction SEL_REG27 11011 REG27
jtag> instruction SEL_REG28 11100 REG28
jtag> instruction SEL_REG29 11101 REG29
jtag> instruction SEL_REG30 11110 REG30
jtag>
jtag> # now we can test our register and instruction declarations.
jtag>
jtag> # first we select instruction code 02 (00010) and shift it in
jtag> # (we know from datasheet that instruction (00010) selects the IDCODE register)
jtag>
jtag> instruction SEL_REG02
jtag> shift ir
jtag>
jtag> # now we shift out its 32-bit data register
jtag>
jtag> shift dr
jtag>
jtag> # and view the data register
jtag>
jtag> dr
00110010011010011011010011000001 (0x3269B4C1)
jtag>
jtag> # we know that 0x3269b4c1 is the IDCODE for a TriMedia TM3260 CPU
jtag>
jtag> # from this we confirm instruction code 02 (00010) selects the IDCODE register
jtag>
jtag> # now we can look at the register(s) of 573 bits. We can guess from
jtag> # the very long length that this is the Boundary Scan Register (BSR)
jtag>
jtag> ins SEL_REG00
jtag> shift ir
jtag> shift dr
jtag> dr
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111 (0x00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFF)
jtag>
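jtag> # nothing meaningful scanned out there (all ones), so this must be the EXTEST instruction for
jtag> # the BSR, for writing to the register only. With EXTEST selected, the values shifted into
jtag> # the BSR are driven onto the output pins, so only shift known-safe data while it is active.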
jtag>
jtag> # now we try the other instruction (code 00001) that manipulates that 573-bit register
jtag>
jtag> ins sel_REG01
jtag> shift ir
jtag> shift dr
jtag> dr
00010101101110110110110101101101101001101101100001101101101110101110110110
11011011011011011011011011011011011011011011011011111111011111111111011111
01011101101101101101101101000101101101101101101101101111011011011000101000
11110101110101111101100001101000011110101101100000001000000000001100000001
00110000110110110110110110100100100100110000100100110100000000100000000001
01010000010000011011011011011000011000000000011000000000000011000011010011
01110100000000000000000000000000000000000010100000000010110110100010110101
0010010000010010010010010101010010010010000010010010010 (0x00000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000005A920924AA490492)
jtag>
jtag> # JTAG instruction code 00001 must be the SAMPLE instruction for the BSR
jtag> # The bits shifted out are the boundary scan cell values (CPU I/O pin states)
jtag>
jtag> # If we shift out the data register again we will see some of the pin states change.
jtag> # these will be the CPU I/O pins to the main memory bus, PCI bus, etc:
jtag>
jtag> shift dr
jtag> dr
00010101101110110110110101101101101001101101100001101101101110101110110110
11011011011011011011011011011011011011011011011011111111011111111111011111
01011101101101101101101101000101101101101101101101101111011011011000101000
01000001110101111101100001101000011110101101100000001010100000001100000001
00110000110110110110110110100100100100110000100100100100000000100000000001
01010000010000011011011011011000011000000000011000000000000011000011010011
01110100000000000000000000000000000000000010100000000010110110100010110101
0010010000010010010010010101010010010010000010010010010 (0x00000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000005A920924AA490492)
jtag>
jtag> # study very closely! A few bit states have changed, e.g. spot the different
jtag> # bits at the beginning of the fourth line.
jtag>
jtag> # Those changed bits will be boundary scan cells storing state of the DRAM / PCI bus pins
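jtag> # (ignore the hexadecimal conversion 0x5A920...: it is wrong, because it covers only the last
jtag> # 64 bits of the 573-bit register, which is why it is identical in both scans)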
jtag>
jtag> # One more example showing how to write to a JTAG register:
jtag>
jtag> # We know from Philips datasheet that instruction (10001) selects the DATAIN
jtag> # register of TriMedia JTAG controller
jtag>
jtag> ins SEL_REG17
jtag> shift ir
jtag> shift dr
jtag> dr
00000000000000000000000000000000 (0x00000000)
jtag>
jtag> # The DATAIN register has 0x00000000 in it, so we shift in a recognisable value:
jtag>
jtag> dr 0xcafebabe
11001010111111101011101010111110 (0xCAFEBABE)
jtag> shift dr
jtag> dr
00000000000000000000000000000000 (0x00000000)
jtag> shift dr
jtag> dr
11001010111111101011101010111110 (0xCAFEBABE)
jtag>
jtag> # We can try that again with another memorable value
jtag>
jtag> dr 0xbabeb00b
10111010101111101011000000001011 (0xBABEB00B)
jtag> shift dr
jtag> dr
11001010111111101011101010111110 (0xCAFEBABE)
jtag> shift dr
jtag> dr
10111010101111101011000000001011 (0xBABEB00B)
jtag>
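jtag> # That example demonstrates how to write to a JTAG register: each "shift dr" returns the
jtag> # register's previous contents, so a written value is read back on the following shift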
jtag>