OpenOCD - Beyond Simple Software Debugging


Oleksij Rempel
o.rempel@pengutronix.de
https://www.pengutronix.de

Why do I use OpenOCD? (2/39)
- Reverse engineering and for fun (this is the main motivation behind this talk)
- Debugging
- Testing

My reverse engineering rules (3/39)
- Investigate public materials: standards, documentation, patterns
- Try to apply the gained knowledge to similarly purposed systems: new technology is expensive and vendors try to reuse as much as possible
- Assumptions are OK!

The target group (4/39)
- Everyone who has used OpenOCD for software debugging or reverse engineering
- Everyone who has time to use OpenOCD on unsupported or untested hardware
- Everyone who is interested in exploring hardware from the JTAG perspective

History of JTAG (5/39)
- 1986 - Philips forms the Joint European Test Action Group
- 1990 - IEEE Standard 1149.1-1990 published
JOURNAL OF ELECTRONIC TESTING: Theory and Applications, 2, 11-25 (1991)

Boundary scan (6/39)

Boundary scan (7/39)

History: now (8/39)
- 2018, 28 years later: we are still using this technology but have no idea how to use it for its original purpose, boundary scan!
- Let's go back to the roots!!! ;)

What is BSDL? (9/39)
Boundary Scan Description Language
- 1149.1b-1994: Supplement to IEEE Std 1149.1-1990, IEEE standard test access port and boundary-scan architecture
- 1149.1-2001: IEEE standard test access port and boundary-scan architecture

BSDL Example 1 (10/39)

BSDL Example 2 (11/39)

BSDL Example 3 (12/39)

The road map (13/39)
- How to get JTAG access on modern SoCs
- Exploring different TAPs and seeking the BS register
- Reading BSDL files
- Unfriendly vendor and no BSDL file: trying to reverse engineer it
- Practical example
- Combine CPU and BS tests? Is it possible?

Exploring the JTAG port (14/39)
In the perfect world, we would have a dedicated JTAG connector in accordance with some valid specification, working all the time from power-on till power-off. The reality is different:
- In many cases JTAG pins are enabled by the SoC ROM, with some delay after power-on (or power cycle)
- The pins have JTAG functionality only for a limited time after some event
- Many TAPs and DAPs with some differences from default or well-known specifications
Welcome to the JTAG zoo!

Getting JTAG access (15/39)
There are two states:
- It just works!
- Go with me, I'll show you how some vendors do it! :D

Exploring the JTAG port (time frames) (16/39)

Exploring the JTAG port (Allwinner JTAG/SD) (17/39)
Most of the Allwinner SoCs have JTAG multiplexed with the SD card signals. It is not a secret, but not well documented. This port can be used only within a short time frame:
- Some X milliseconds after power-on, JTAG gets enabled
- X+Y ms after power-on this port is switched from JTAG to SD, so we have just a small window to access JTAG

Exploring the JTAG port (Allwinner JTAG/SD) (18/39)
- A remote-controllable bench power supply and a logic analyser are your friends
- Use adapter_nsrst_delay
- Increase the adapter_khz speed to fit into the narrow time frame
- Add a pull-up resistor to the TDI line and measure it

Exploring the JTAG port (Allwinner JTAG/SD) (19/39)
1. no pull-ups, 2. pull-ups on 1, 2, 3, 4

Exploring the JTAG port (Allwinner JTAG/SD) (20/39)

Exploring the JTAG port (Open Sesame) (21/39)

Exploring the JTAG port (Open Sesame) (22/39)
Nicely documented JTAG/ICSP interfaces made by Microchip for the PIC32xx series

Exploring the internals (23/39)

Exploring the internals (24/39)
Let's assume we got access to the SoC; what can we explore?
- TAP: test access port
- Typical instructions provided by a TAP: IDCODE, boundary scan, BYPASS

Exploring the internals (25/39)
The times they are a-changin': after 28 years the internals are a bit more complicated. Let's take STM32 as an example and do the following steps:
- Find the right TAP
- Find the right instruction
- Find the right bits

Find the right TAP (26/39)

Find the right instruction (27/39)

Find the right bits (28/39)
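The three steps above (find the TAP, the instruction, the bits) are bookkeeping that a debugger has to get right for every scan once more than one TAP sits on the chain: every TAP except the target is loaded with BYPASS, which reduces it to a one-bit data register, and the target's instruction and data bits must be placed at the right offset in the shifted vectors. The Python below is an added illustration of that bookkeeping; it is not code from the talk or from OpenOCD. The two-TAP chain, its order, the IR lengths, the IDCODE opcode and the IDCODE value are constructed placeholders; the real values come from the device's BSDL or the target config.

```python
"""Addressing a single TAP inside a JTAG chain (added example, not OpenOCD code).

Convention used here: `chain` lists TAPs from TDI to TDO, and every bit vector is in
shift order (index 0 is the first bit clocked in or out). The first bit shifted in
travels furthest and ends up in the TAP nearest TDO; likewise the first bit out of TDO
belongs to the TAP nearest TDO. IEEE 1149.1 shifts registers LSB first, BYPASS is the
all-ones opcode, and the one-bit bypass register captures a 0.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Tap:
    name: str
    irlen: int  # instruction register length in bits


def to_bits(value: int, width: int) -> List[int]:
    """Integer to LSB-first bit list, the order 1149.1 shifts registers."""
    return [(value >> i) & 1 for i in range(width)]


def from_bits(bits: List[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))


def _index(chain: List[Tap], target: str) -> int:
    names = [t.name for t in chain]
    if target not in names:
        raise KeyError(f"no TAP named {target!r} in chain {names}")
    return names.index(target)


def ir_scan_vector(chain: List[Tap], target: str, opcode: int) -> List[int]:
    """Bits to shift during Shift-IR: target gets `opcode`, every other TAP gets BYPASS."""
    idx = _index(chain, target)
    if not 0 <= opcode < (1 << chain[idx].irlen):
        raise ValueError("opcode does not fit the target's IR")
    bits: List[int] = []
    for i in range(len(chain) - 1, -1, -1):          # build from the TDO end backwards
        tap = chain[i]
        bits += to_bits(opcode, tap.irlen) if i == idx else [1] * tap.irlen
    return bits


def dr_scan_vector(chain: List[Tap], target: str, dr_bits: List[int]) -> List[int]:
    """Pad a DR value so it lands in the target while the other TAPs hold their 1-bit bypass register."""
    idx = _index(chain, target)
    tdo_side = len(chain) - idx - 1                  # TAPs between target and TDO are filled first
    return [0] * tdo_side + list(dr_bits) + [0] * idx


def extract_dr(chain: List[Tap], target: str, captured: List[int], drlen: int) -> List[int]:
    """Strip the bypass bits from a captured Shift-DR stream; returns the target's DR, LSB first."""
    idx = _index(chain, target)
    expected = drlen + len(chain) - 1
    if len(captured) != expected:
        raise ValueError(f"expected {expected} bits for this chain, got {len(captured)}")
    tdo_side = len(chain) - idx - 1
    return captured[tdo_side:tdo_side + drlen]


# Constructed two-TAP chain in the style of an STM32 (boundary-scan TAP plus CPU debug TAP).
# Order, IR lengths and the opcode are assumptions for the demo, not vendor data.
CHAIN = [Tap("bs", 5), Tap("cpu", 4)]
IDCODE_OPCODE = 0b00010          # placeholder; the real opcode is in the BSDL
CONSTRUCTED_IDCODE = 0x12345679  # made-up 32-bit IDCODE, LSB = 1 as 1149.1 requires


def read_idcode_demo() -> int:
    """Simulate the IR scan and the DR scan that return the bs TAP's IDCODE."""
    ir = ir_scan_vector(CHAIN, "bs", IDCODE_OPCODE)
    assert ir == [1, 1, 1, 1, 0, 1, 0, 0, 0]         # cpu in BYPASS (4 ones), then the bs opcode
    # A real adapter would return this stream from TDO; here it is constructed: one bypass
    # bit from the cpu TAP (nearest TDO) followed by the 32 IDCODE bits.
    captured = [0] + to_bits(CONSTRUCTED_IDCODE, 32)
    return from_bits(extract_dr(CHAIN, "bs", captured, 32))


if __name__ == "__main__":
    print(hex(read_idcode_demo()))
```

Getting the chain order wrong shows up exactly as the slides describe it: the IR vector still shifts, but the IDCODE that comes back is the other TAP's, or a stream of bypass zeros. Checking that the captured length equals the DR length plus the number of bypassed TAPs is the cheapest sanity test when exploring an undocumented chain.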

Exploring the JTAG port (BS on STM32) (29/39)
Video demonstration of using JTAG boundary scan on STM32F3 with the bsr.tcl script by Paul Fertser:
- Init the BS TAP
- Scan for floating pads
- Scan for changed pads after adding a pull-up/down
- Test the related control bits for a given pad. For example:
  - Bit 142 - read input state
  - Bit 143 - set output state
  - Bit 144 - switch between input and output mode

Exploring the JTAG port (BS on STM32) (30/39)
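The input / output / control bit triple the slide names for one pad is exactly what the BSDL BOUNDARY_REGISTER attribute (slides 9 to 12) describes per cell, and the pull-up/pull-down scans are a comparison of two captured BSR vectors. The Python below is an added example that ties those two slides together; it is not the bsr.tcl script and not OpenOCD code. The BSDL fragment is constructed for a hypothetical two-pin device "dut" (cell numbers and port names are invented), the captured vectors are constructed, and the function names are my own. Reading the floating-pad test as "a pad whose input cell follows the external pull resistor is driven by nothing stronger" is my interpretation of the slide.

```python
"""Decode boundary-scan register captures using the cell map from a BSDL file
(added example; the BSDL text, captures and function names are constructed)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed BSDL excerpt. Each entry is: cell number (cell type, port, function, safe
# value[, control cell, disable value, disable result]). Cell 0 is the cell nearest TDO.
BSDL_TEXT = '''
attribute BOUNDARY_REGISTER of dut : entity is
  "0 (BC_1, *, control, 1),"            &
  "1 (BC_1, PA0, output3, X, 0, 1, Z)," &
  "2 (BC_1, PA0, input, X),"            &
  "3 (BC_1, *, control, 1),"            &
  "4 (BC_1, PA1, output3, X, 3, 1, Z)," &
  "5 (BC_1, PA1, input, X),"            &
  "6 (BC_1, *, internal, X)";
'''


@dataclass
class Cell:
    number: int
    kind: str                      # BC_1, BC_4, ...
    port: str                      # "*" for cells not tied to a pin
    function: str                  # input, output3, control, internal, ...
    safe: str
    ccell: Optional[int] = None    # cell that enables/disables this driver
    disval: Optional[int] = None   # value of ccell that disables the driver
    rslt: Optional[str] = None     # state of the pad when disabled, usually Z


@dataclass
class Pin:
    port: str
    input: Optional[int] = None
    output: Optional[int] = None
    control: Optional[int] = None
    disval: Optional[int] = None


# Matches '<n> (...)'; quotes and '&' concatenation are simply skipped. Port names that
# themselves contain parentheses (e.g. bus members) would need a fuller parser.
_CELL_RE = re.compile(r'(\d+)\s*\(([^)]*)\)')


def parse_boundary_register(text: str) -> Dict[int, Cell]:
    """Map cell number -> Cell for every entry of the BOUNDARY_REGISTER attribute."""
    cells: Dict[int, Cell] = {}
    for num, body in _CELL_RE.findall(text):
        f = [x.strip() for x in body.split(',')]
        cell = Cell(int(num), f[0], f[1], f[2].lower(), f[3])
        if len(f) >= 7:
            cell.ccell, cell.disval, cell.rslt = int(f[4]), int(f[5]), f[6]
        cells[cell.number] = cell
    return cells


def pin_map(cells: Dict[int, Cell]) -> Dict[str, Pin]:
    """Group the cells of each port into the input / output / control triple."""
    pins: Dict[str, Pin] = {}
    for c in cells.values():
        if c.port == '*':
            continue
        pin = pins.setdefault(c.port, Pin(c.port))
        if c.function == 'input':
            pin.input = c.number
        elif c.function in ('output2', 'output3', 'bidir'):
            pin.output, pin.control, pin.disval = c.number, c.ccell, c.disval
    return pins


def read_inputs(pins: Dict[str, Pin], captured: List[int]) -> Dict[str, int]:
    """captured: BSR bits indexed by cell number (the order they leave TDO)."""
    return {p.port: captured[p.input] for p in pins.values() if p.input is not None}


def drive_vector(cells: Dict[int, Cell], pins: Dict[str, Pin], drive: Dict[str, Optional[int]]) -> List[int]:
    """Build the BSR update vector: drive[port] = 0/1 drives the pad, absent/None leaves it Hi-Z."""
    bits = [0] * len(cells)
    for c in cells.values():                  # start from the BSDL safe values where given
        if c.safe in ('0', '1'):
            bits[c.number] = int(c.safe)
    for pin in pins.values():
        if pin.control is None:
            continue
        value = drive.get(pin.port)
        if value is None:
            bits[pin.control] = pin.disval    # driver disabled, pad is Hi-Z
        else:
            bits[pin.control] = 1 - pin.disval
            bits[pin.output] = value
    return bits


def floating_pins(pins: Dict[str, Pin], captured_pullup: List[int], captured_pulldown: List[int]) -> List[str]:
    """Pads that read 1 with a pull-up and 0 with a pull-down are driven by nothing stronger."""
    up, down = read_inputs(pins, captured_pullup), read_inputs(pins, captured_pulldown)
    return sorted(port for port in up if up[port] == 1 and down[port] == 0)


def demo():
    cells = parse_boundary_register(BSDL_TEXT)
    pins = pin_map(cells)
    # Constructed captures: PA0 follows the resistor (floating), PA1 is held low on the board.
    with_pullup = [0, 0, 1, 0, 0, 0, 0]
    with_pulldown = [0, 0, 0, 0, 0, 0, 0]
    return floating_pins(pins, with_pullup, with_pulldown), drive_vector(cells, pins, {'PA1': 1})
```

`drive_vector` is where the "switch between input and output mode" bit from the slide lives: the control cell is set to the BSDL `disval` to keep the pad an input and to its complement to drive it, so the vector is never assembled by hand from bit numbers.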

Crazy idea: what if we configure a pin from the GPIO peripheral and test it with BS? (31/39)

(32/39)

Exploring the JTAG port (GPIO + BS on STM32) (33/39)
Is it possible with JTAG BS to read a pad which was configured by the GPIO peripheral? Yes! At least on some SoCs. Steps taken in the following video:
- Start JTAG and halt the CPU
- Enable the clock for the GPIO controller
- Measure the pad with GPIO, then switch the pad to output mode
- Switch to the JTAG BS mode and read out the pad state

Exploring the JTAG port (GPIO + BS on STM32) (34/39)

Exploring the JTAG port (GPIO + BS on PIC32) (35/39)
Same test on PIC32. Suddenly it needed more work than expected:
- PIC32xx has multiple TAPs, but they are not connected in a chain, so the BYPASS instruction is not applicable
- We have two vendor instructions here: switch to MTAP and switch to ETAP
- The BS is available on the MTAP

Exploring the JTAG port (GPIO + BS on PIC32) (36/39)

Exploring the JTAG port (GPIO + BS on imx6) (37/39)
Same test on imx6:
- BS is implemented on the SJC TAP
- This was fast: the BS instruction is directly connected to the reset controller, so executing BS automatically puts the CPU into the reset state
- BS should still be possible with correctly configured bootstrap pins (see the SoC manual)

Exploring JTAG on imx6 (38/39)
- Implemented and tested TAPs for imx6: MPCore, Cortex-A9
- Not implemented or not upstreamed parts: everything else :)

Thank you! Questions? (39/39)
https://www.pengutronix.de