There is always a JTAG automate (JTAG logic) integrated into your soc or cpu and usually this is connected to a JTAG header on the PCB. You can test and program the IC by issuing
JTAG commands to it through the JTAG.
To do that, you need to connect the parallel port of your PC with the JTAG header on the PCB via a bought or a homemade “JTAG cable”. You then run a special JTAG software on your PC, which allows you to comfortably control the JTAG automate and make it perform commands like reads and writes at arbitrary locations.
As already stated the primary intention of the JTAG automate is to test the IC itself. But of course it can additionally be utilized to recover a device if you erased the bootloader resident on the flash. Because, through the JTAG automate in the SoC, you can also write to the Flash Chip.
A JTAG port can be used without any software running on the IC itself, but the IC still has to be powered by a separate power supply. This means, you can solder a lonely SoC to a PCB, no Flash-Chip, no RAM; then connect to it via JTAG and interact with the SoC. Of course, on the PC itself, you should have some sort of software, to make this interaction with the hardware on the lowest level possible a bit more comfortable.
Of course, if there is a flash chips soldered onto the PCB, you could access this chip by programming the SoC via JTAG. It's one of those amazingly useful things that allows you to recover from pretty much anything that doesn't involve a hardware failure.
The JTAG Automate is not a standardized system. Different SoCs/CPUs/ISAs have different JTAG automate behavior and reset sequence, most likely you will find ARM and MIPS CPUs, both having their standard to allow controlling the CPU behavior using JTAG.
Finding JTAG connector on a PCB can be a little easier than finding the UART since most vendors leave those headers unpopulated after production. JTAG connectors are usually 12, 14, or 20-pins headers with one side of the connector having some signals at 3.3V and the other side being connected to GND.
There are two major JTAG header arrangements used in SOHO routers based on MIPS CPUs. One uses 12 pins and the other uses 14 pins. While not radically different, you should be familiar with both. Other JTAG pinouts can be found at http://www.jtagtest.com/pinouts/.
Found in many Huawei routers:
It matches with the ALTERA ByteBlasterMV 10-pin cable, but without the nSRST, nTRST pins.
Found in Linksys routers such as the WRT54G and WRT54GS, the 12-pin header has the following arrangement of JTAG signals and pins:
Seems, this header is a truncated version of the full EJTAG header.
This header is fully MIPS EJTAG 2.6 compatible and described in the EJTAG 2.6 standard. Found in Edimax routers (and other brands that are Edimax clones), the 14-pin header has the following arrangement of JTAG signals and pins:
A buffered cable such as the Wiggler requires an external Vcc voltage supply. The 14-pin header conveniently supplies this voltage on pin 14. The typical unbuffered cable, however, does not require an external voltage in order to function. Formally, the pin 14 is called VREF and used to indicate a JTAG signal levels: 5V, 3.3V or 2.5V. On the most devices this pin is tied to the device's Vcc and may be used to power a buffer IC chip (and to generate an appropriate levels as result). Note that the 12-pin JTAG header arrangement does not provide Vcc.
Usually found in IBM 4XX powerpc platform, this layout is also known as JTAG RISCWATCH
Found in Comtrend routers:
Not fully verified, Vcc at the bottom left are guessed, nSRST and nTRST might be swapped.
Common in Thomson routers, but not elsewhere. Specifically these are JST-SH-8, 1.0mm pitch. If you want a tidy connection rather than soldering wires directly to the board, Sparkfun stocks single cable/socket pairs (for their Arduino Mega Pro Mini), and bags of 10 cable assemblies and sockets are cheap on eBay. They still need to be hand-soldered as they don't take too kindly to hot air tools.
We can detect the pinout using a microcontroller like Arduino with specific software for this purpose. There are several implementations, probably JTAGenum is the best one.
JTAGenum is opensource and runs over an Arduino board. It can find the JTAG pinout among a large amount of pins. The drawback is the 5V signal voltage level on most Arduino boards, whereas most routers use a 3.3V signal voltage levels. Therefore a level shift converter is required to wire Arduino with the test points at the router.
The most famous software for JTAG is probably the Linksys De-Brick Utility by Hairydairymaid (aka Lightbulb). As of 12 September 2006 the most recent version is v4.8. Virtually everyone who uses this software opts for an unbuffered cable, and the software itself, by default, expects this type of cable to be used.
The utility CAN operate on most any MIPS based cpu supporting EJTAG by using PrAcc routines (non-dma mode) - use the /nodma switch. It is not limited to WRT54G/GS units.
Another popular JTAG utility is Openwince JTAG. But is no longer developed. In late 2007, development of the openwince JTAG tools has been resumed in a new project named UrJTAG, with improvements like support for USB cables.
jtag> print No. Manufacturer Part Stepping Instruction Register --------------------------------------------------------------------------------------------- 0 Lexra LX5280 1 BYPASS BR Active bus: *0: EJTAG compatible bus driver via PrAcc (JTAG part No. 0) start: 0x00000000, length: 0x20000000, data width: 8 bit start: 0x20000000, length: 0x20000000, data width: 16 bit start: 0x40000000, length: 0x20000000, data width: 32 bit
OpenOCD is more complex than Hairydairymaid or UrJTAG since it is mainly used for debugging. But it can be also used for debricking.