JTAG Knock-Knock

In my opinion, the most appropriate name for this project is JTAG Hello World because it implements the IEEE 1149.1 basic standard. From which the minimum set of functions was used. JTAG was implemented using bit-banging technology. This allowed the entire project to be executed on an Arduino board with a minimal number of additional components. A similar project can be found at https://github.com/alexforencich/ftjrev.

Hardware
See BUILD INSTRUCTIONS for more information. The device has an Altera USB Blaster-compatible JTAG connector.

Software

All software is an Arduino script. A terminal such as Putty or Serial USB Terminal for Android can be used to display the information. The block diagram of the code is shown below.

The flowchart shows the algorithm of the function 'm' (Monitor), which corresponds to the function Input probing in the project ftjrev.

TAP state machine

SAMPLE

The easiest way to understand how the algorithm works is by looking at the diagram of the TAP state machine. The figure below shows the algorithm of work of the SAMPLE command.

Once passed the blue path, we enter the code of the SAMPLE command in the instruction register. After that, the boundary-scan register will be set as the data register. In the future, we do not need to constantly enter the SAMPLE command code in the instruction register, it will remain there until it is overwritten by another instruction or is reset by entering RESET state.

After that we can constantly move along the green circle, in meanwhile, reading the state of the pins from the boundary-scan register. In accordance with the Standard, upon exiting the Capture-DR state, data on the state of the pins is transferred to the boundary-scan register, which can then be read in the Shift-DR state.

EXTEST

The algorithm of work of the EXTEST command is very similar to the algorithm for working with SAMPLE, but with some exceptions.

First of all, it is crucial to remember that working with an EXTEST command without knowing the electronic schematic is not safe. Using EXTEST allows you to set the pin to state 0 or 1, while this pin can be connected to the output pin of another chip, as a result we can get significant currents through these pins. It is unlikely that this will lead to an instant failure, but you should not leave the system in this state for a long time.

As in the case of SAMPLE, at the beginning, we need to enter the EXTEST command code in the instruction register, this is shown with the yellow path in the figure below.

Here comes the other thing, in accordance with the Standard, the pin levels are set to the state, which is defined with the boundary-scan register on the falling edge of the TCK in Update-DR state. But when we just entered the EXTEST command code into the instruction register (presumably in the Update-IR state), the state of the pins should already be determined by the contents of the boundary-scan register. So before entering the EXTEST command into the instruction register, it is highly advised to initialize the boundary-scan register with a safe value using the PRELOAD command, which will keep all the pins in the Z-state. Its code usually matches the code of the SAMPLE command.

It sounds too confusing, but the pseudocode of initializing EXTEST looks pretty simple:

j_Any_Reset_RunIdle();
j_SetIR(SAMPLE, INSTRLN);
j_GetDR(dr2, BOUNDLN);
j_SetDR(dr2, BOUNDLN);
j_SetIR(EXTEST, INSTRLN);

In this case, we assume that the value stored in the dr2 array after executing the SAMPLE instruction contains the safe value for the boundary-scan register.

In the future, we can move along the red path reading the status of the pins and controlling them as shown...

Follow the white rabbit.
MorriganR • 07/05/2020 at 11:25 • 0 comments

Good things first, the device is ideal for the scenario described in the first log of the project. This device is an ideal choice, when it is necessary to determine which pin of the FPGA is connected to a contact pad reached by Probe Pin on the PCB. For this case, the speed of the JTAG interface software emulation is enough. The only drawback in this case is that we get the bit number in the Boundary Scan Register, which must be converted to the pin name with the BSDL file.

The way of working of EXTEST, EXTEST_PULSE, EXTEST_TRAIN commands suggest that the Boundary Scan Register will be initialized with a sufficiently large number of test vectors, followed by a comparison of the results. Since JTAG software emulation is used, the speed of operation is much lower than the max permissible, which is usually about 10 MHz.

It should also be noted that the limited Atmega328p memory capacity makes introduction of some new features impossible.

If the project is going to be developed in the future, the hardware would be implemented on STLINK-V3. There are few reasons why. Firstly, it is very affordable and costs less than 10 USD, secondly, it contains a powerful microcontroller STM32F723 .
Wake up, Neo... The Matrix has you...
MorriganR • 06/14/2020 at 11:35 • 0 comments
As noted above, the EXTEST instruction is not safe if you do not have the electronic schematic. For example, some unused pins can be connected to ground. Forced change of the state of such pins to 0 or 1, using the EXTEST command, can lead to the significant current flow. As a result the power consumed by the board under study from the power source can change. A similar situation can be observed when trying to control the state of the pins connected to the output pins of other chips or clock sources. An analysis of the power consumed by the board, in combination with the EXTEST command, will provide us with the additional information.

The circuit shown in the figure below was assembled in order to measure the current consumed by the board. It includes a shunt resistor and an INA180A3 current-sense amplifier.

All components were mounted directly on the Arduino Nano board with the exception of the shunt resistor.

The shunt resistor was placed on the power cable. This does not comply with TI's recommendations for incorporating the INA180, but in order to verify the concept we will consider this acceptable.

The Microsoft Catapult V2 board was chosen as a test subject. Eight LEDs array is installed on the board, which are controlled by drivers via FPGA pins.

For testing we will need only a light-emitting diode LEDG[0], which is controlled by FPGA pin A11. All the information we need to control the state of this pin can be found in the BSDL file.
```
--BSC group 452 for I/O pin A11
 "1206  (BC_1, IOA11, input, X)," &
 "1207  (BC_1, *, control, 1)," &
 "1208  (BC_1, IOA11, output3, X, 1207, 1, Z)," &
```
From here everything is very simple, using the EXTEST command we are changing the state of A11, making sure that the LED is blinking, and in parallel measuring the current consumed by the board from the power source.

The oscillogram of this process is shown in the figure below. The first channel (DC coupled) of the oscilloscope is connected directly to pin A11 of the FPGA, and the second (AC coupled) to the output of INA180A3. To get a picture on the second channel as clean from noise as possible, it was required to use the function of averaging over 256 oscillograms. The total measurement time was about one minute. A similar picture is observed if the oscilloscope is synchronized with the falling edge of A11, the only difference being that the consumption current decreases. The waveform shows that the time, for which the consumed current stabilizes at a new level, is about 1ms.

That’s why, it is necessary to measure the current consumed by the board with a delay of at least 1ms. Similar measurements are presented in the figure below.

i0 - current consumed by the board in the state A11 = 0, LEDG is off.
i1 - current consumed by the board in state A11 = 1, LEDG is on.

As with the oscilloscope, the data are averaged over several measurements, in this case over 100 measurements. As the results show, the system confidently registers changes in the current consumption at the level of 1%.

Obviously, the sensitivity can be improved if the recommendations for including the INA180A3 are fully implemented. It can also negatively affect the accuracy of analog measurements, in case the Arduino Nano is powered from the phone.

P.S. Arduino sketch for this log is available at https://pastebin.com/P6MCjkSU .
Work algorithm
MorriganR • 05/01/2020 at 18:52 • 0 comments
This document describes the work algorithm of the JTAG Knock-Knock(Device). All experiments were performed with a G-Sync board containing an Intel Arria V GX . The first few steps do not describe the actual usage of the Device, instead they do explain preparatory steps.

Step 1

To actually start working, it is needed to determine the placement of the JTAG port on the board. First thought was about two connectors on the end of the board, that has 6 pins each, that is the one we are going to check. With a regular tester it is not difficult to determine which pins in connected to the ground. Unfortunately, it is not enough to deal with other pins. Since it is not the purpose of the Device, JTAGenum was used. Click on the link, in order to find detailed instructions on how to use it and the Arduino sketch code. Connect Arduino to the board to start searching for JTAG pins.

After just a few seconds of functioning we see the following result in the terminal:

The line we need is highlighted with white. That so conformity of JTAF signals and physical pins is found.
```
pin 1 - TMS
pin 2 - TDI
pin 4 - TDO
pin 5 - TCK
```
Step 2

Using the information from the previous step, it is possible to make a cable to connect USB Blaster easily. Now connect the USB Blaster to the board and make sure that the Quartus Programmer sees the FPGA installed on the board.

With Quartus Programmer it is important to delete the configuration stored in flash memory. If you carefully read the documentation on the Intel Arria V GX , you may notice that the BSDL file contains information, that is relevant only for the unconfigured FPGA chip. The warning is given at the beginning and end of the BSDL file .

Once again make sure that the flash memory is clean, that so the FPGA will remain unconfigured after the board starts.

Step 3

Find the BSDL file for the Altera Arria V GX chip, in order to know following information:
```
attribute INSTRUCTION_LENGTH of ARRIA_V_5AGXMA3DF31 : entity is 10;
attribute BOUNDARY_LENGTH of ARRIA_V_5AGXMA3DF31 : entity is 1488;
...
"SAMPLE (0000000101), "&
```
This info can be added directly to the Arduino Code of the Device or entered manually while using the Device with the command "s" - Set SAMPLE Code.

Step 4

As you can see on photos below Serial USB Terminal for Android is used, though you can use any Serial Terminal, such as PuTTY for Windows/macOS. The Arduino board is connected to the phone with an OTG cable, the speed is given here .

When everything is connected properly, the command "i" - Info will give us some basic information about the chips connected to the JTAG Chain and display them on the terminal. Check carefully that the received information matches expectations.

Step 5

At this point, you can try monitoring mode by entering the command "m" - Monitor

The terminal will show numbers of bits that change in the Boundary scan register. These can be bits that reflect the state of real chip pins, as well as bits of some internal states. It is almost impossible to work with such a flow of information, so it is necessary to block displaying of bits that change without externally affecting the board. This can be done with entering the lock mode using the command "b" - Block.

After a while, new lines will stop appearing on the screen, this usually takes from 5 to 20 seconds. Then we can see the bit numbers that have been added to the lock register by typing "l" - List in the terminal.

As a result, we have a list of over twenty Boundary scan register bits that are constantly changing. This list of bits can be divided into two groups. First one contain bits, in our case, it is 0, 2, 9, 12, 13, 14, 15, 17, 21, 22, for which the only information, that can be found in the BSDL file is this:
```
  "0     (BC_4, *, internal, X)," &
  "2     (BC_4, *, internal, X)," &
 "9 (BC_4, *,...
```
Read more »