Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
docs:techref:hardware:port.jtag [2018/03/31 23:23] – ↷ Links adapted because of a move operation bobafetthotmaildocs:techref:hardware:port.jtag [2020/07/09 10:23] (current) – [Hairydairymaid] Add Github for source, remove thecshore cshoredaniel1
Line 4: Line 4:
   * -> [[docs:techref:hardware:port.jtag]] (this article)   * -> [[docs:techref:hardware:port.jtag]] (this article)
     * -> [[docs:techref:hardware:port.jtag.cables]] (homemade cables)     * -> [[docs:techref:hardware:port.jtag.cables]] (homemade cables)
-      * -> [[docs:techref:hardware:port.jtag.cable.buffered]] or [[docs:techref:hardware:port.jtag.cables#buffered]] + redirect from something.wiggler to this article +      * -> [[docs:techref:hardware:port.jtag.cable.buffered]] 
-      * -> [[docs:techref:hardware:port.jtag.cable.unbuffered]] or  [[docs:techref:hardware:port.jtag.cables#unbuffered]] +      * -> [[docs:techref:hardware:port.jtag.cable.unbuffered]]
     * -> [[docs:techref:hardware:port.jtag.utilization]]     * -> [[docs:techref:hardware:port.jtag.utilization]]
       * -> [[docs:guide-user:troubleshooting:generic.debrick]] there is content on utilizing JTAG  (link to it or from it, don't leave double content!)       * -> [[docs:guide-user:troubleshooting:generic.debrick]] there is content on utilizing JTAG  (link to it or from it, don't leave double content!)
-      * -> [[/toh/davolink/dv-201amr#jtag]] there is content on utilizing JTAG  (link to it or from it, don't leave double content! unless specific)+      * -> [[toh:davolink:dv-201amr#jtag]] there is content on utilizing JTAG  (link to it or from it, don't leave double content! unless specific)
  
   * [[https://forum.openwrt.org/viewtopic.php?id=34993|Debrick Routers with AR724x processors Using JTAG]]   * [[https://forum.openwrt.org/viewtopic.php?id=34993|Debrick Routers with AR724x processors Using JTAG]]
Line 21: Line 21:
 A JTAG port can be used without any software running on the IC itself, but the IC still has to be powered by a separate power supply. This means, you can solder a lonely SoC to a PCB, no Flash-Chip, no RAM; then connect to it via JTAG and interact with the SoC. Of course, on the PC itself, you should have some sort of software, to make this interaction with the hardware on the lowest level possible a bit more comfortable. A JTAG port can be used without any software running on the IC itself, but the IC still has to be powered by a separate power supply. This means, you can solder a lonely SoC to a PCB, no Flash-Chip, no RAM; then connect to it via JTAG and interact with the SoC. Of course, on the PC itself, you should have some sort of software, to make this interaction with the hardware on the lowest level possible a bit more comfortable.
  
-Of course, if there is a flash chips soldered onto the PCB, you could access this chip by programming the SoC via JTAG. It's one of those amazingly useful things that allows you to recover from pretty much anything that doesn't involve a hardware failure.+Of course, if there is a flash chip soldered onto the PCB, you could access this chip by programming the SoC via JTAG. It's one of those amazingly useful things that allows you to recover from pretty much anything that doesn't involve a hardware failure.
  
-The JTAG Automate is not a standardized system. Different SoCs/CPUs/ISAs have different JTAG automate behavior and reset sequence, most likely you will find ARM and MIPS CPUs, both having their standard to allow controlling the CPU behavior using JTAG.+The JTAG automate is not a standardized system. Different SoCs/CPUs/ISAs have different JTAG automate behavior and reset sequence, most likely you will find ARM and MIPS CPUs, both having their standard to allow controlling the CPU behavior using JTAG.
  
 Finding JTAG connector on a PCB can be a little easier than finding the UART since most vendors leave those headers unpopulated after production. JTAG connectors are usually 12, 14, or 20-pins headers with one side of the connector having some signals at 3.3V and the other side being connected to GND. Finding JTAG connector on a PCB can be a little easier than finding the UART since most vendors leave those headers unpopulated after production. JTAG connectors are usually 12, 14, or 20-pins headers with one side of the connector having some signals at 3.3V and the other side being connected to GND.
Line 29: Line 29:
  
 ===== Identifying JTAG connector ===== ===== Identifying JTAG connector =====
-===== Headers =====+==== Headers ====
 There are two major JTAG header arrangements used in SOHO routers based on MIPS CPUs. One uses 12 pins and the other uses 14 pins. While not radically different, you should be familiar with both. Other JTAG pinouts can be found at [[http://www.jtagtest.com/pinouts/]]. There are two major JTAG header arrangements used in SOHO routers based on MIPS CPUs. One uses 12 pins and the other uses 14 pins. While not radically different, you should be familiar with both. Other JTAG pinouts can be found at [[http://www.jtagtest.com/pinouts/]].
  
-==== 10 Pin Header ====+=== 8 Pin Header - 1 row === 
 + 
 +{{  :media:doc:hardware:jst-sh-8-labelled.jpg?0x200|}} {{  :media:doc:hardware:jst-sh-8.jpg?0x200|}} Common in Thomson routers, but not elsewhere.  Specifically these are JST-SH-8, 1.0mm pitch.  If you want a tidy connection rather than soldering wires directly to the board, Sparkfun stocks [[https://www.sparkfun.com/products/10853|single cable/socket pairs]] (for their Arduino Mega Pro Mini), and [[http://www.ebay.co.uk/itm/181431004441|bags of 10 cable assemblies and sockets]] are cheap on eBay.  They still need to be hand-soldered as they don't take too kindly to hot air tools. 
 + 
 +<a2s> 
 +         #----# 
 +         |#--#|  
 +       ? |#--#| 1 
 +            | 
 +         |#--#
 +   nTRST |#--#| 2 
 +            | 
 +         |#--#
 +     TCK |#--#| 3 
 +            | 
 +         |#--#
 +     TMS |#--#| 4 
 +            | 
 +         |#--#
 +     GND |#--#| 5 
 +            | 
 +         |#--#
 +     TDO |#--#| 6 
 +            | 
 +         |#--#
 +     TDI |#--#| 7 
 +            | 
 +         |#--#
 +     GND |#--#| 8 
 +         #----# 
 +</a2s> 
 + 
 + 
 + 
 +=== 10 Pin Header ===
 Found in many Huawei routers: Found in many Huawei routers:
  
-|  TCK ^  1  ^  2  | GND | +<a2s> 
- TDO ^  3  ^  4  | VREF  +        #---------# 
- TMS ^   ^   nSRST +    TCK |#--# #--#| GND 
-   ^  7  ^  8  | nTRST | +      1 |#--# #--#| 2 
- TDI ^  9  ^  10  | GND |+                | 
 +    TDO |#--# #--#| VREF 
 +      3 |#--# #--#| 4 
 +                | 
 +    TMS |#--# #--#| nSRST 
 +      |#--# #--#| 6 
 +                
 +      |#--# #--#| nTRST 
 +      7 |#--# #--#| 8 
 +                | 
 +    TDI |#--# #--#| GND 
 +      9 |#--# #--#| 10 
 +        #---------# 
 +</a2s>
  
 It matches with the ALTERA ByteBlasterMV 10-pin cable, but without the nSRST, nTRST pins. It matches with the ALTERA ByteBlasterMV 10-pin cable, but without the nSRST, nTRST pins.
    
-==== 12 Pin Header ====+=== 12 Pin Header ===
 Found in Linksys routers such as the WRT54G and WRT54GS, the 12-pin header has the following arrangement of JTAG signals and pins: Found in Linksys routers such as the WRT54G and WRT54GS, the 12-pin header has the following arrangement of JTAG signals and pins:
  
-|  nTRST ^  1  ^  2  | GND | + 
- TDI ^  3  ^  4  | GND  +<a2s> 
- TDO ^  5  ^  6  | GND | +         #---------# 
- TMS ^  7  ^  8  | GND | +   nTRST |#--# #--#| GND 
- TCK ^  9  ^  10  | GND | +       |#--# #--#| 2 
- nSRST ^  11  ^  12  | GND |+                 | 
 +     TDI |#--# #--#| GND 
 +       |#--# #--#| 4 
 +                 | 
 +     TDO |#--# #--#| GND 
 +       |#--# #--#| 6 
 +                 | 
 +     TMS |#--# #--#| GND 
 +       |#--# #--#| 8 
 +                 | 
 +     TCK |#--# #--#| GND 
 +       |#--# #--#| 10 
 +                 | 
 +   nSRST |#--# #--#| GND 
 +      11 |#--# #--#| 12 
 +         #---------# 
 +</a2s>
  
 Seems, this header is a truncated version of the full EJTAG header. Seems, this header is a truncated version of the full EJTAG header.
  
-==== 14 Pin Header ====+=== 14 Pin Header ===
 This header is fully MIPS EJTAG 2.6 compatible and described in the EJTAG 2.6 standard. Found in Edimax routers (and other brands that are Edimax clones), the 14-pin header has the following arrangement of JTAG signals and pins: This header is fully MIPS EJTAG 2.6 compatible and described in the EJTAG 2.6 standard. Found in Edimax routers (and other brands that are Edimax clones), the 14-pin header has the following arrangement of JTAG signals and pins:
  
-|  nTRST ^  1  ^  2  | GND | +<a2s> 
- TDI ^  3  ^  4  | GND | +         #---------# 
- TDO ^  5  ^  6  | GND | +   nTRST |#--# #--#| GND 
- TMS ^  7  ^  8  | GND | +       |#--# #--#| 2 
- TCK ^  9  ^  10  | GND | +                 | 
- nSRST ^  11  ^  12  | n/a | +     TDI |#--# #--#| GND 
- n/a ^  13  ^  14  | Vcc |+       |#--# #--#| 4 
 +                 | 
 +     TDO |#--# #--#| GND 
 +       |#--# #--#| 6 
 +                 | 
 +     TMS |#--# #--#| GND 
 +       |#--# #--#| 8 
 +                 | 
 +     TCK |#--# #--#| GND 
 +       |#--# #--#| 10 
 +                 | 
 +   nSRST |#--# #--#| n/a 
 +      11 |#--# #--#| 12 
 +                 | 
 +     n/a |#--# #--#| Vcc 
 +      13 |#--# #--#| 14 
 +         #---------# 
 +</a2s>
  
 A buffered cable such as the Wiggler requires an external Vcc voltage supply. The 14-pin header conveniently supplies this voltage on pin 14. The typical unbuffered cable, however, does not require an external voltage in order to function. Formally, the pin 14 is called VREF and used to indicate a JTAG signal levels: 5V, 3.3V or 2.5V. On the most devices this pin is tied to the device's Vcc and may be used to power a buffer IC chip (and to generate an appropriate levels as result). Note that the 12-pin JTAG header arrangement does not provide Vcc. A buffered cable such as the Wiggler requires an external Vcc voltage supply. The 14-pin header conveniently supplies this voltage on pin 14. The typical unbuffered cable, however, does not require an external voltage in order to function. Formally, the pin 14 is called VREF and used to indicate a JTAG signal levels: 5V, 3.3V or 2.5V. On the most devices this pin is tied to the device's Vcc and may be used to power a buffer IC chip (and to generate an appropriate levels as result). Note that the 12-pin JTAG header arrangement does not provide Vcc.
  
  
-==== 16 Pin Header ====+=== 16 Pin Header ===
 Usually found in IBM 4XX powerpc platform, this layout is also known as JTAG RISCWATCH Usually found in IBM 4XX powerpc platform, this layout is also known as JTAG RISCWATCH
-|     TDO |  o  ^  1  ^  2  |  nc  | -  | 
-|     TDI |  i  ^  3  ^  4  |  i  | nTRST  | 
-|  HALTED |  o  ^  5  ^  6  |  p  | VREF  | 
-|     TCK |  i  ^  7  ^  8  |  nc  | -  | 
-|     TMS |  i  ^  9  ^  10  |  nc  | -  | 
-|    HALT |  i  ^  11  ^  12  |  p  | GND  | 
-|   nSRST |  od  ^  13  ^  14  |  k  | KEY  | 
-|       - |  nc  ^  15  ^  16  |  p  | GND  | 
  
-==== 20 Pin Header ====+<a2s> 
 +         #---------# 
 +     TDO |#--# #--#| - 
 +       1 |#--# #--#| 2 
 +                 | 
 +     TDI |#--# #--#| nTRST 
 +       3 |#--# #--#| 4 
 +                 | 
 +  HALTED |#--# #--#| VREF 
 +       5 |#--# #--#| 6 
 +                 | 
 +     TCK |#--# #--#| -  
 +       7 |#--# #--#| 8 
 +                 | 
 +     TMS |#--# #--#| -  
 +       9 |#--# #--#| 10 
 +                 | 
 +    HALT |#--# #--#| GND 
 +      11 |#--# #--#| 12 
 +                 | 
 +   nSRST |#--# #--#| KEY 
 +      13 |#--# #--#| 14 
 +                 | 
 +       - |#--# #--#| GND 
 +      15 |#--# #--#| 16 
 +         #---------# 
 +</a2s> 
 + 
 +=== 20 Pin Header ===
 Found in Comtrend routers: Found in Comtrend routers:
  
- nSRST? ^  1  ^  2  | GND | +<a2s> 
- TDI ^  3  ^  4  | GND | +         #---------# 
- TDO ^  5  ^  6  | GND | +   nTRST |#--# #--#| GND 
- TMS ^  7  ^  8  | GND | +       |#--# #--#| 2 
- TCK ^   ^  10  GND +                 | 
- nTRST? ^  11  ^  12  |GND  +     TDI |#--# #--#| GND 
- Vcc? ^  13  ^  14  Vcc +       |#--# #--#| 4 
-|  Vcc? ^  15  ^  16  | GND | +                 | 
- Vcc? ^  17  ^  18  | GND | +     TDO |#--# #--#| GND 
- Vcc? ^  19  ^  20  | GND |+       |#--# #--#| 6 
 +                 | 
 +     TMS |#--# #--#| GND 
 +       |#--# #--#| 8 
 +                 | 
 +     TCK |#--# #--#| GND 
 +       |#--# #--#| 10 
 +                 
 +   nSRST |#--# #--#| GND 
 +      11 |#--# #--#| 12 
 +                 | 
 +     Vcc |#--# #--#| ? 
 +      13 |#--# #--#| 14 
 +                 
 +     Vcc |#--# #--#| GND 
 +      15 |#--# #--#| 16 
 +                 | 
 +     Vcc |#--# #--#| GND 
 +      17 |#--# #--#| 18 
 +                 | 
 +     Vcc |#--# #--#| GND 
 +      19 |#--# #--#| 20 
 +         #---------# 
 +</a2s>
  
-Not fully verified, Vcc at the bottom left are guessed, nSRST and nTRST might be swapped. FIXME +Not fully verified, Vcc at the bottom left are by add smd 0ohm. FIXME
-==== 8 Pin Header - 1 row ====+
  
-{{  :media:doc:hardware:jst-sh-8-labelled.jpg?0x200|}} {{  :media:doc:hardware:jst-sh-8.jpg?0x200|}} Common in Thomson routers, but not elsewhere.  Specifically these are JST-SH-8, 1.0mm pitch.  If you want a tidy connection rather than soldering wires directly to the board, Sparkfun stocks [[https://www.sparkfun.com/products/10853|single cable/socket pairs]] (for their Arduino Mega Pro Mini), and [[http://www.ebay.co.uk/itm/181431004441|bags of 10 cable assemblies and sockets]] are cheap on eBay.  They still need to be hand-soldered as they don't take too kindly to hot air tools. 
  
-|      ? ^  1  ^ +==== JTAG pinout scan ==== 
-|  nTRST ^  2  ^ +We can detect the pinout using a microcontroller like Arduino with specific software for this purpose. There are several implementations, probably JTAGenum is the best one.
-|    TCK ^  3  ^ +
-|    TMS ^  4  ^ +
-|    GND ^  5  ^ +
-|    TDO ^  6  ^ +
-|    TDI ^  7  ^ +
-|    GND ^  8  ^+
  
 +=== JTAGenum ===
 +[[https://github.com/cyphunk/JTAGenum|JTAGenum]] is opensource and runs over an Arduino board. It can find the JTAG pinout among a large amount of pins. The drawback is the **5V** signal voltage level on most Arduino boards, whereas most routers use a **3.3V** signal voltage levels. Therefore a level shift converter is required to wire the original Arduino with the test points at the router. Otherwise, there are some Arduino-compatible boards (like WeMos D1 for instance) built upon the famous ESP8266 which runs itself and the whole board at **3.3V**, so you are ready to go on scanning JTAG headers of common consumer networking equipment.
  
 ===== JTAG software ===== ===== JTAG software =====
Line 113: Line 230:
 ==== Hairydairymaid ==== ==== Hairydairymaid ====
 The most famous software for JTAG is probably the Linksys De-Brick Utility by Hairydairymaid (aka Lightbulb). As of 12 September 2006 the most recent version is v4.8. Virtually everyone who uses this software opts for an unbuffered cable, and the software itself, by default, expects this type of cable to be used. The most famous software for JTAG is probably the Linksys De-Brick Utility by Hairydairymaid (aka Lightbulb). As of 12 September 2006 the most recent version is v4.8. Virtually everyone who uses this software opts for an unbuffered cable, and the software itself, by default, expects this type of cable to be used.
 +
 +There is source code available on GitHub at [[https://github.com/etmatrix/debrick_buspirate]].  The Github repo is likely the most stable source (the cshore site will not be hosting it any longer, as it was only added back for lack of another source).
  
 The utility CAN operate on most any MIPS based cpu supporting EJTAG by using PrAcc routines (non-dma mode) - use the /nodma switch. It is not limited to WRT54G/GS units. The utility CAN operate on most any MIPS based cpu supporting EJTAG by using PrAcc routines (non-dma mode) - use the /nodma switch. It is not limited to WRT54G/GS units.
  
-If you don't have a PC with parallel port but instead own a [[http://en.wikipedia.org/wiki/Raspberry_Pi|Raspberry Pi]], you can use a [[https://github.com/oxplot/tjtag-pi|Raspberry Pi version]] of this software instead which uses [[http://elinux.org/RPi_Low-level_peripherals#General_Purpose_Input.2FOutput_.28GPIO.29|the onboard GPIO pins]] to drive the JTAG lines.+If you don't have a PC with parallel port but instead own a [[wp>Raspberry_Pi|Raspberry Pi]], you can use a [[https://github.com/oxplot/tjtag-pi|Raspberry Pi version]] of this software instead which uses [[http://elinux.org/RPi_Low-level_peripherals#General_Purpose_Input.2FOutput_.28GPIO.29|the onboard GPIO pins]] to drive the JTAG lines.
  
 Downloads:\\ Downloads:\\
-  * [[https://docs.google.com/leaf?id=0B07LcVZMfvdkZTc1MDA5MjUtZTMzYy00OGQzLWE5MjAtODFiN2RkMTJmNDQ5&sort=name&layout=list&num=50|HairyDairyMaid_WRT54G_Debrick_Utility_v48~cshore2.zip]] 
-  * [[http://downloads.openwrt.org/utils/HairyDairyMaid_WRT54G_Debrick_Utility_v48.zip|HairyDairyMaid_WRT54G_Debrick_Utility_v48.zip]] 
   * {{:media:doc:hardware:zjtag-1.8.zip|}}   * {{:media:doc:hardware:zjtag-1.8.zip|}}
  
Line 146: Line 263:
 start: 0x40000000, length: 0x20000000, data width: 32 bit start: 0x40000000, length: 0x20000000, data width: 32 bit
 </code> </code>
 +
 ==== OpenOCD ==== ==== OpenOCD ====
 OpenOCD is more complex than Hairydairymaid or UrJTAG since it is mainly used for debugging. But it can be also used for debricking. OpenOCD is more complex than Hairydairymaid or UrJTAG since it is mainly used for debugging. But it can be also used for debricking.
  
-  * http://openocd.sourceforge.net/+  * [[http://openocd.sourceforge.net/]]
   * [[docs:guide-user:hardware:debrick.ath79.using.jtag|Debricking AR71xx]]   * [[docs:guide-user:hardware:debrick.ath79.using.jtag|Debricking AR71xx]]
 +
 ===== Links ===== ===== Links =====
 {{page>meta:infobox:cleanup&noheader&nofooter&noeditbtn}} {{page>meta:infobox:cleanup&noheader&nofooter&noeditbtn}}
-  * [[http://downloads.openwrt.org/utils/]] HairyDairyMaid_WRT54G_Debrick_Utility 
   * [[http://www.linux-mips.org/wiki/JTAG|EJTAG]] at the Linux-MIPS Wiki   * [[http://www.linux-mips.org/wiki/JTAG|EJTAG]] at the Linux-MIPS Wiki
-    * [[/oldwiki/target.AR7#JTAG|AR7 (oldwiki)]] some more on this subject 
-    * [[http://ar7.wikispaces.com/JTAG|AR7 JTAG]] 
-  * [[http://forum.amilda.org/viewtopic.php?id=43|Two examples]] of successful Wiggler-style cable projects 
-  * [[http://www.imgtec.com/mips/docs/ejtag/mips-ejtag-app-01.00.pdf|EJTAG Specification]] from MIPS Technologies, Inc. (Now a direct link to the pdf) 
-  * [[http://midge.vlad.org.ua/forum/viewtopic.php?t=121|Debrick example]] using OpenwinCE with EJTAG driver. 
   * [[http://openwince.sourceforge.net/jtag/|Openwince JTAG]], "Supported hardware" section for other types of the JTAG cables.   * [[http://openwince.sourceforge.net/jtag/|Openwince JTAG]], "Supported hardware" section for other types of the JTAG cables.
   * [[http://www.k9spud.com/jtag/|K9SPUD JTAG]] another Wiggler schematic   * [[http://www.k9spud.com/jtag/|K9SPUD JTAG]] another Wiggler schematic
Line 165: Line 278:
   * [[http://www.asset-intertech.com/products/free_resources.htm|FREE JTAG Resources]]   * [[http://www.asset-intertech.com/products/free_resources.htm|FREE JTAG Resources]]
   * [[http://www.jtagtest.com/pinouts/|JTAG Pinouts]]   * [[http://www.jtagtest.com/pinouts/|JTAG Pinouts]]
-  * http://www.armkits.com/Product/jtagcable.asp 
  
 +===== Devices =====
 +The list of related devices:
 +{{tagpage>jtag}}
  
-===== Tags ===== 
-[[meta:tags|How to add tags]] 
-{{tag>jtag debrick}} 
  • Last modified: 2018/03/31 23:23
  • by bobafetthotmail