Mathias Gottschlag edited this page Jun 16, 2013 · 1 revision

These are some random notes about JTAG for the VideoCore. JTAG might provide another way to observe/modify software running on the Pi.

Things we don't know

  • Is there a JTAG debug port?
  • Is there some other way to access memory from the JTAG port?
  • And how does all of this work?

Because of the limited number of registers, it is likely that there is no debug port, or that the debug port has to be enabled by software.

JTAG instructions

The instruction register is 22 bits long. However, many instructions seem to repeat every 8 instruction numbers; for example, IDCODE (instruction 6) is also found at 14, 22, etc. Only parts of the instruction space have been scanned so far, so it is possible that there are other devices on the JTAG chain (very unlikely, because this would result in additional cycles for all register operations), or that there are areas of the instruction space which look totally different (unlikely: the first ~64k have been scanned and all look similar, and some higher bits have been tested as well).

A quick scan of the data register sizes resulted in the following information. A length of 4096+ means that the algorithm which has been used to determine the length has timed out, so the register is likely not implemented.

| Number | Length | Access | Notes |
|---|---|---|---|
| 0 | 1 | RW | The only register which does not seem to repeat every 8 registers. |
| 1 | 1 | RO | Ignores input (TDI). The content seems to depend on the value which has been written into #0 somehow. |
| 2 | 4096+ | | |
| 3 | 4096+ | | |
| 4 | 4096+ | | |
| 5 | 155 | RO | Weird length, might be related to boundary scan. The only value I saw is 0xff00. |
| 6 | 32 | RO | IDCODE, 0x4270817f |
| 8, 16, 24, ... | 155 | RW | Weird length, weird content. Some registers are read-only (e.g. 8), some are read-write (e.g. 32). The value seems to change over time, so these might be boundary scan registers. Example values are: 00B0000000000000000100000140000055555005, 030550000002A8AAAAAA2AAAA99AAA92AAFFCAEA, 03BAAAAAAAA2A8AAAAAB2AAAA9CAAA82FFFFDAAF, ... |
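
One common way to measure data register lengths like those in the table, with a timeout that yields the "4096+" result, plus a split of the IDCODE value into its IEEE 1149.1 fields, run against a simulated register. This is an added example, not the algorithm or code used for these notes; the `DataRegister` and `Unimplemented` models, the marker pattern and all function names are assumptions.

```python
"""Constructed model of a JTAG data-register scan; not the tooling used for these notes."""

class DataRegister:
    """An n-bit shift register between TDI and TDO, shifted LSB first."""
    def __init__(self, length, captured=0):
        self.bits = [(captured >> i) & 1 for i in range(length)]

    def shift(self, tdi):
        tdo = self.bits[0]                 # bit nearest TDO leaves first
        self.bits = self.bits[1:] + [tdi]  # TDI enters at the far end
        return tdo

class Unimplemented:
    """Assumed behaviour of an unimplemented register: TDO never echoes TDI."""
    def shift(self, tdi):
        return 0

MARKER = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed pattern to look for on TDO

def probe_length(reg, limit=4096):
    """Return the register length, or None if no echo is seen within `limit` cycles."""
    for _ in range(limit):           # flush whatever Capture-DR loaded
        reg.shift(0)
    out = [reg.shift(b) for b in MARKER + [0] * limit]
    for delay in range(1, limit):    # the delay from TDI to TDO equals the length
        if out[delay:delay + len(MARKER)] == MARKER:
            return delay
    return None                      # what the table reports as "4096+"

def read_register(reg, length):
    """Shift `length` bits out (feeding zeros) and reassemble them LSB first."""
    return sum(reg.shift(0) << i for i in range(length))

def decode_idcode(value):
    """Split an IEEE 1149.1 IDCODE into its standard fields."""
    return {
        "version": value >> 28,
        "part": (value >> 12) & 0xFFFF,
        "manufacturer": (value >> 1) & 0x7FF,   # JEP106 code, 11 bits
        "lsb": value & 1,                       # always 1 for a valid IDCODE
    }

if __name__ == "__main__":
    for name, reg in [("1-bit", DataRegister(1)), ("IDCODE", DataRegister(32, 0x4270817F)),
                      ("155-bit", DataRegister(155)), ("missing", Unimplemented())]:
        print(name, probe_length(reg))
    print(decode_idcode(read_register(DataRegister(32, 0x4270817F), 32)))
```

On real hardware the `shift` calls would be TCK cycles in Shift-DR; a register whose TDO does not follow TDI cannot be measured with an echo probe like this one.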