In an earlier hacking experiment, the MMIO aperture of the 2Wire Ares was probed. The Ares is the TriMedia-core CPU driving the 2Wire 270x, 3600 and 3800 models. The probing experiment uncovered an unexpected module in the Ares: [1]
SPY M-ARC Module ID 0x0116 (Rev.0.0) of 4kB size with MMIO offset 0x04,1000
In the literature, ID 0x0116 is identified as the “SPY Micro-Architecture” module, a debugging facility. [2]
The SPY technology was introduced in a conference paper by Vermeulen, Oostdijk and Bouwman, research scientists at Philips Semiconductors. Their paper, presented at the 2001 International Test Conference in Baltimore, is entitled Test and Debug Strategy of the PNX8525. [3]
The PNX8525 (and the PNX8526) are CPUs very similar to the 2Wire Ares, so much of the paper is relevant to the 2Wire.
An excerpt from the Philips paper is duplicated below:
5. PNX8525 Design-for-Debug Strategy
The biggest obstacle for efficient debugging of prototype silicon is the limited internal observability of the chip in the application. Two complementary debug approaches to increase the internal observability were chosen for the PNX8525 design in order to facilitate debugging of prototype silicon.
- Real-time observability: this approach allows a limited set of internal signals to be monitored in real-time on chip pins, while the chip is in the application.
- Scan-based observability: this approach allows the complete state information to be observed, after the chip has been stopped.
Each of these two approaches requires additional debug hardware to be added to the design (Design-for-Debug), as discussed in the following sub-sections.
5.1 Real-time Observability (“SPY”)
Twelve digital chip pins were selected to conditionally output internal signals for debugging. Per module, the signals required for debugging were selected by the module designer and split into sets of size twelve. These sets were then connected to a standard multiplexer module, called spy, which was instantiated in each core. This standard spy multiplexer module is shown in Figure 7.
The spy multiplexer module is connected to the core’s internal module ID code to allow identification of a core at the top level. In order to obtain information on the timing relationship between the spy signals in a particular set, the global spy clock (spy_clk) can also be extended to, and selected as, a set of twelve spy signals.
The standard spy multiplexer module allows the designer of the IP module to connect several sets of twelve spy signals. The number of spy sets is a parameter of the RTL model of the spy multiplexer module. In each module, the module designer instantiated a spy multiplexer module with the required number of spy set connections for that module. The global spy address bus (spy_addr) enables the selection of a particular spy set connected to the spy multiplexer module.
At the top-level, all spy multiplexer module outputs are connected to a multiplexer tree, to multiplex the spy outputs of all core modules down to one set of twelve signals (see Figure 8). The core modules, each with their 12-bit spy output, the top-level spy tree module, and the debug module are shown. The spy aligners shown are used to add an individual programmable delay to each of the 12 spy signals.
This allows a possible difference in propagation delay between the individual spy signals to be compensated. This tuning is done visually using the debugger software and a logic analyzer connected to the spy output pins. The aligned spy signals are conditionally multiplexed onto the selected 12 chip pins or captured in either a MMIO or a JTAG register.
The spy micro-architecture is controlled from one of two registers inside the on-chip debug block. These registers can be accessed by selecting the PROGRAM_SPYCTRL instruction in the JTAG TAP controller or via the internal system bus.
5.2 Scan-based Observability
Four features were added to the design to implement the scan dump functionality. [....]
The authors of the paper go on to discuss the additional JTAG instructions that were added to the TAP controller to support the on-chip debug facilities. Three instructions were added to extend the debugging capabilities, and a further instruction was included to perform a system reset.
The UrJTAG tool has a discovery command that brute-forces the instruction register: it measures the IR length, then loads every possible instruction code and measures the length of the data register each one selects. Private instructions show up as codes that select a register other than the 1-bit BYPASS. When the tool was run against the 2Wire Ares, a number of undocumented JTAG instructions selecting data registers of various bit lengths were found: [4]
Some of the instructions identified below are documented, but others are not:
jtag> print
No. Manufacturer Part Stepping Instruction Register
---------------------------------------------------------------------
 0 2WIRE ARES Rev 4 SAMPLE/PRELOAD BSR
jtag> discovery
Detecting IR length ... 5
Detecting DR length for IR 11111 ... 1
Detecting DR length for IR 00000 ... -1
Detecting DR length for IR 00001 ... 573
Detecting DR length for IR 00010 ... 32
Detecting DR length for IR 00011 ... 32
Detecting DR length for IR 00100 ... warning: TDO seems stuck at 0 -1
Detecting DR length for IR 00101 ... 177
Detecting DR length for IR 00110 ... 19
Detecting DR length for IR 00111 ... 1
Detecting DR length for IR 01000 ... warning: TDO seems stuck at 0 -1
Detecting DR length for IR 01001 ... warning: TDO seems stuck at 0 -1
Detecting DR length for IR 01010 ... 1
Detecting DR length for IR 01011 ... 1
Detecting DR length for IR 01100 ... 1
Detecting DR length for IR 01101 ... 1
Detecting DR length for IR 01110 ... 1
Detecting DR length for IR 01111 ... 1
Detecting DR length for IR 10000 ... 1
Detecting DR length for IR 10001 ... 32
Detecting DR length for IR 10010 ... 32
Detecting DR length for IR 10011 ... 33
Detecting DR length for IR 10100 ... 33
Detecting DR length for IR 10101 ... 2
Detecting DR length for IR 10110 ... 1
Detecting DR length for IR 10111 ... 1
Detecting DR length for IR 11000 ... 1
Detecting DR length for IR 11001 ... 1
Detecting DR length for IR 11010 ... 1
Detecting DR length for IR 11011 ... 1
Detecting DR length for IR 11100 ... 1
Detecting DR length for IR 11101 ... 1
Detecting DR length for IR 11110 ... 1
jtag>
The purpose of those ‘private’ JTAG instructions remains unknown. Some will probably relate to the on-chip debugging facilities documented in the 2001 paper.
It may be possible to analyse the TAP interface traffic in order to work out the proprietary JTAG debugging protocol used by the TriMedia core, and the instructions it uses.
The JTAG instruction 10000, reportedly the system reset, was briefly tried on the 2Wire Ares but did not behave as expected.
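The first step in analysing TAP traffic is turning a raw logic-analyser capture of TMS, TDI and TDO into the instruction and data scans the debugger actually performed. The following is an added example of that decoder, written for this page and not code from the original post; the bit stream it decodes is constructed by a small helper in the same block, not captured from an Ares, and the instruction code and data values in it are arbitrary.

```python
# Added example (not from the original post): decoding a per-TCK capture of
# (TMS, TDI, TDO) into IR and DR scans by walking the IEEE 1149.1 TAP state
# machine. The trace fed to it below is constructed, not captured hardware.

# TAP controller: state -> (next state on TMS=0, next state on TMS=1)
TAP_NEXT = {
    "TEST-LOGIC-RESET": ("RUN-TEST/IDLE", "TEST-LOGIC-RESET"),
    "RUN-TEST/IDLE":    ("RUN-TEST/IDLE", "SELECT-DR"),
    "SELECT-DR":        ("CAPTURE-DR", "SELECT-IR"),
    "CAPTURE-DR":       ("SHIFT-DR", "EXIT1-DR"),
    "SHIFT-DR":         ("SHIFT-DR", "EXIT1-DR"),
    "EXIT1-DR":         ("PAUSE-DR", "UPDATE-DR"),
    "PAUSE-DR":         ("PAUSE-DR", "EXIT2-DR"),
    "EXIT2-DR":         ("SHIFT-DR", "UPDATE-DR"),
    "UPDATE-DR":        ("RUN-TEST/IDLE", "SELECT-DR"),
    "SELECT-IR":        ("CAPTURE-IR", "TEST-LOGIC-RESET"),
    "CAPTURE-IR":       ("SHIFT-IR", "EXIT1-IR"),
    "SHIFT-IR":         ("SHIFT-IR", "EXIT1-IR"),
    "EXIT1-IR":         ("PAUSE-IR", "UPDATE-IR"),
    "PAUSE-IR":         ("PAUSE-IR", "EXIT2-IR"),
    "EXIT2-IR":         ("SHIFT-IR", "UPDATE-IR"),
    "UPDATE-IR":        ("RUN-TEST/IDLE", "SELECT-DR"),
}


def _bits_to_int(bits):
    # JTAG scans LSB first, so the first bit clocked is bit 0 of the value.
    return sum(b << i for i, b in enumerate(bits))


def decode_tap_trace(samples, start_state="TEST-LOGIC-RESET"):
    """samples: iterable of (TMS, TDI, TDO) triples, one per rising TCK edge.
    Returns the completed scans in order, each as
    {"kind": "IR"|"DR", "bits": n, "tdi": int, "tdo": int, "ir": code}
    where "ir" is the instruction in force when the scan happened.
    Assumes the capture begins with the TAP in Test-Logic-Reset."""
    state = start_state
    scans, cur, current_ir = [], None, None
    for tms, tdi, tdo in samples:
        if state in ("SHIFT-IR", "SHIFT-DR"):
            # The register shifts on this edge even when TMS=1 moves the
            # controller to Exit1, so the bit clocked with TMS=1 is the last
            # bit of the scan. Pause/Exit2 keep `cur` open for resumed shifts.
            if cur is None:
                cur = {"kind": state[-2:], "tdi": [], "tdo": []}
            cur["tdi"].append(tdi)
            cur["tdo"].append(tdo)
        state = TAP_NEXT[state][tms]
        if state in ("UPDATE-IR", "UPDATE-DR") and cur is not None:
            scan = {"kind": cur["kind"], "bits": len(cur["tdi"]),
                    "tdi": _bits_to_int(cur["tdi"]),
                    "tdo": _bits_to_int(cur["tdo"]), "ir": current_ir}
            if scan["kind"] == "IR":
                # 1149.1 loads the IR with ...01 in Capture-IR, so a TDO LSB
                # of 0 here usually means a mis-wired probe or a broken chain.
                scan["capture_ok"] = bool(scan["tdo"] & 1)
                current_ir = scan["tdi"]
            scans.append(scan)
            cur = None
    return scans


def build_scan(ir_code, ir_len, dr_in, dr_out, dr_len, ir_capture=0b01):
    """Constructed host-side bit stream: starting from Test-Logic-Reset or
    Run-Test/Idle, load ir_code, scan dr_len bits through the selected DR and
    return to Run-Test/Idle. dr_out and ir_capture are the TDO bits the
    target is imagined to return; they stand in for a real capture."""
    seq = []

    def clk(tms, tdi=0, tdo=0):
        seq.append((tms, tdi, tdo))

    clk(0)                      # -> Run-Test/Idle
    clk(1); clk(1)              # -> Select-DR -> Select-IR
    clk(0); clk(0)              # -> Capture-IR -> Shift-IR
    for i in range(ir_len):     # last bit is clocked with TMS=1 -> Exit1-IR
        clk(int(i == ir_len - 1), (ir_code >> i) & 1, (ir_capture >> i) & 1)
    clk(1); clk(1)              # -> Update-IR -> Select-DR
    clk(0); clk(0)              # -> Capture-DR -> Shift-DR
    for i in range(dr_len):
        clk(int(i == dr_len - 1), (dr_in >> i) & 1, (dr_out >> i) & 1)
    clk(1); clk(0)              # -> Update-DR -> Run-Test/Idle
    return seq


if __name__ == "__main__":
    # Constructed exchange: instruction 00010 followed by a 32-bit data scan.
    for scan in decode_tap_trace(build_scan(0b00010, 5, 0x12345678, 0xCAFEBABE, 32)):
        print(scan)
```

On a real capture the interesting output is the sequence of (instruction, DR length, data in, data out) tuples a debugger issues while, for example, halting the core or reading a register: the instruction codes can be matched against the discovery table above, and repeated DR scans under one instruction reveal the register layout of the proprietary protocol.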
[1] http://hackingbtbusinesshub.wordpress.com/2011/12/15/probing-the-mmio-aperture/
[2] https://docs.google.com/open?id=0B6wW18mYskvBZjRlNDY0YzMtNzQ2NS00YTg5LWE5NWMtZGI2ZDI2MWQ1ODVj
[3] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.125.1328&rep=rep1&type=pdf
[4] http://hackingbtbusinesshub.wordpress.com/2011/09/12/urjtag-reports-unknown-manufacturer/