(E)JTAG in general
Most of modern MIPS SOCs support JTAG (IEEE 1149.1). The MIPS EJTAG is a proprietary extension which utilizes widely used IEEE JTAG pins for debug functions. EJTAG provides: run control, single-step execution, breakpoints on both data and instructions, real-time trace (optional) and direct memory access.
The EJTAG prior v2.6 was not documented, however many SOCs still use it. The v2.6 is fully documented and available on the MIPS site (free registration required). The IMPCODE register contains EJTAGver field, so software should read it to distinguish EJTAG version.
MIPS EJTAG has two modes, one is "DMA" mode where the JTAG can cause CPU bus cycles directly, the other "PrAcc" is where the JTAG interface is used to respond to CPU memory accesses in a special range of memory (DMSEG, 0xFF200000) and you have to write little bits of MIPS code to do what you want and emulate that memory on the host side. All systems support PrAcc mode by nature. The DMA mode is optional and not as widely supported as the normal mode. The presence of DMA mode is noted in the IMPCODE register.
EJTAG utilizes 5-pin interface defined in IEEE 1149.1 JTAG specification for off-chip communications. These signals (TDI, TDO, TMS, TCK and nTRST) forms a Test Access Port (TAP).
EJTAG specification 1.5.2 and 2.0 call for dual row male male header with 0.05"x0.05" spacing
EJTAG 2.5 and later defines a dual row 14-pin male header (mechanical connector) with 0.1"x0.1" spacing to attach a JTAG probe. 3M part number 2414-600UB is recommended.
nTRST 1 2 GND TDI 3 4 GND TDO 5 6 GND TMS 7 8 GND TCK 9 10 GND nSRST 11 12 -key DINT 13 14 VCC
DINT pin is used to raise Debug Interrupt. Many chips has no this pin.
nTRST is a "TAP Reset" signal and it's active level is "0" (the first "n" indicates negative logic). This signal resets TAP controller independently from the CPU logic. To conform to MIPS EJTAG specifications this pin should be pulled to the ground via resistor ~1KOhm to keep TAP in reset state w/o probe attached. If probe does not control this pin, you need just to feed logical "1" to nTRST pin or pull this to the +VCC via ~300Ohm resistor.
nSRST is a "system reset" signal and acts like conventional "Reset' button. Does not reset TAP controller. nSRST often resets a SoC peripherals (i.e. DRAM controller) too. nSRST is optional.
There is a page at the OpenWrt Wiki that discusses JTAG cables. Specifically, how one Wiggler-style buffered cable can be used for both ADM5120-based routers (e.g. Edimax) and Broadcom-based routers (e.g. Linksys). Most of the discussion centers on difficulties that can arise when using a Wiggler-style cable with the Linksys de-brick utility, but the cable information is applicable to Edimax (ADM5120) devices as well.
In general, the state of EJTAG software is pretty bad.
- Successful debrick experience http://midge.vlad.org.ua/forum/viewtopic.php?t=121
- OpenOCD open source debugger with target to replace Macraigor OCDemon. Supports only ARM processors now.
The openwince jtag software can be used to re-flash, but that project is a shambles. If you dig around enough through the patches and discussions there you can find enough to make it work. The UrJTAG project (openwince fork) integrates most of this patches.
- PEEDI is a hardware JTAG emulator and Flash Programmer with built-in support for GNU gdb
jtag> cable ppdev /dev/parport0 WIGGLER Initializing Macraigor Wiggler JTAG Cable on ppdev port /dev/parport0 jtag> detect IR length: 5 Chain length: 1 Device Id: 00000000000000000000000000000001 Unknown manufacturer! chain.c(110) Part 0 without active instruction chain.c(133) Part 0 without active instruction chain.c(110) Part 0 without active instruction
It seems, it's a real ID for this processor, other JTAG ulilities (i.e. detect subrotine from the wrt54g-debrick) returns the same value...
IMPCODE identification works:
jtag> instruction length 5 jtag> register IMP 32 jtag> instruction IMPCODE 00011 IMP jtag> instruction IMPCODE jtag> shift ir jtag> shift dr jtag> dr 01000001010000000100000000000000
31:29 EJTAGver 010 Version 2.6 28 R4k/R3k 0 R4k 24 DINTsup 1 supported 22:21 ASIDsize 10 8-bit ASID 16 MIPS16e 0 not supported 14 NoDMA 1 No EJTAG DMA support 0 MIPS32/64 0 MIPS32
EJTAG CONTROL register:
jtag> instruction length 5 jtag> register ECR 32 jtag> instruction CONTROL 01010 ECR jtag> instruction CONTROL jtag> shift ir jtag> shift dr jtag> dr 10000000011000000000000000000000
CPU Reset via PrRst bit in the CONTROL EJTAG register works.
- IDT 32434 User Manual. Chapter 18 describes EJTAG system
- JTAG at hardware-hacking.com
- JTAG @freelabs.com
- MIPS Whitepaper: Non-intrusive On-chip Debug Hardware Accelerates Development for MIPS RISC Processors
- MIPS On-Chip Debug Hardware