8/14/2021 JTAG - Wikipedia

JTAG
JTAG (named after the Joint Test Action Group which codified it) is an industry standard for
verifying designs and testing printed circuit boards after manufacture.

JTAG implements standards for on-chip instrumentation in electronic design automation (EDA) as a
complementary tool to digital simulation.[1] It specifies the use of a dedicated debug port
implementing a serial communications interface for low-overhead access without requiring direct
external access to the system address and data buses. The interface connects to an on-chip Test Access
Port (TAP) that implements a stateful protocol to access a set of test registers that present chip logic
levels and device capabilities of various parts.

The Joint Test Action Group formed in 1985 to develop a method of verifying designs and testing
printed circuit boards after manufacture. In 1990 the Institute of Electrical and Electronics Engineers
codified the results of the effort in IEEE Standard 1149.1-1990, entitled Standard Test Access Port
and Boundary-Scan Architecture.

The JTAG standards have been extended by many semiconductor chip manufacturers with specialized
variants to provide vendor-specific features.[2]

Contents
History
Debugging
Storing firmware
Boundary scan testing
Electrical characteristics
Daisy-chained JTAG (IEEE 1149.1)
Reduced pin count JTAG (IEEE 1149.7)
Communications model
Primitives
JTAG IEEE Std 1149.1 (boundary scan) instructions
Boundary scan register
Example: ARM11 debug TAP
JTAG facilities
Halt mode debugging
Monitor mode debugging
Common extensions
Uses
Client support
Connectors

https://en.wikipedia.org/wiki/JTAG 1/16
8/14/2021 JTAG - Wikipedia

Adapter hardware
Software development
Similar interface standards
See also
References
External links

History
In the 1980s, multi-layer circuit boards and integrated circuits (ICs) using ball grid array and similar
mounting technologies were becoming standard, and connections were being made between ICs that
were not available to probes. The majority of manufacturing and field faults in circuit boards were due
to poor solder joints on the boards, imperfections among board connections, or the bonds and bond
wires from IC pads to pin lead frames. The Joint Test Action Group (JTAG) was formed in 1985 to
provide a pins-out view from one IC pad to another so these faults could be discovered.

The industry standard became an IEEE standard in 1990 as IEEE Std. 1149.1-1990[3] after many years
of initial use. In the same year, Intel released their first processor with JTAG (the 80486) which led to
quicker industry adoption by all manufacturers. In 1994, a supplement that contains a description of
the boundary scan description language (BSDL) was added. Further refinements regarding the use of
all-zeros for EXTEST, separating the use of SAMPLE from PRELOAD and better implementation for
OBSERVE_ONLY cells were made and released in 2001.[4] Since 1990, this standard has been
adopted by electronics companies around the world. Boundary scan is now mostly synonymous with
JTAG, but JTAG has essential uses beyond such manufacturing applications.

Debugging

Although JTAG's early applications targeted board level testing, here the JTAG standard was designed
to assist with device, board, and system testing, diagnosis, and fault isolation. Today JTAG is used as
the primary means of accessing sub-blocks of integrated circuits, making it an essential mechanism
for debugging embedded systems which might not have any other debug-capable communications
channel. On most systems, JTAG-based debugging is available from the very first instruction after
CPU reset, letting it assist with development of early boot software which runs before anything is set
up. An in-circuit emulator (or, more correctly, a "JTAG adapter") uses JTAG as the transport
mechanism to access on-chip debug modules inside the target CPU. Those modules let software
developers debug the software of an embedded system directly at the machine instruction level when
needed, or (more typically) in terms of high level language source code.

System software debug support is for many software developers the main reason to be interested in
JTAG. Many silicon architectures such as PowerPC, MIPS, ARM, x86 built an entire software debug,
instruction tracing, and data tracing infrastructure around the basic JTAG protocol. Frequently
individual silicon vendors however only implement parts of these extensions. Some examples are
ARM CoreSight and Nexus as well as Intel's BTS (Branch Trace Storage), LBR (Last Branch Record),
and IPT (Intel Processor Trace) implementations. There are many other such silicon vendor-specific
extensions that may not be documented except under NDA. The adoption of the JTAG standard
helped move JTAG-centric debugging environments away from early processor-specific designs.
Processors can normally be halted, single stepped, or let run freely. One can set code breakpoints,

https://en.wikipedia.org/wiki/JTAG 2/16
8/14/2021 JTAG - Wikipedia

both for code in RAM (often using a special machine instruction) and in ROM/flash. Data breakpoints
are often available, as is bulk data download to RAM. Most designs have "halt mode debugging", but
some allow debuggers to access registers and data buses without needing to halt the core being
debugged. Some toolchains can use ARM Embedded Trace Macrocell (ETM) modules, or equivalent
implementations in other architectures to trigger debugger (or tracing) activity on complex hardware
events, like a logic analyzer programmed to ignore the first seven accesses to a register from one
particular subroutine.

Sometimes FPGA developers also use JTAG to develop debugging tools.[5] The same JTAG techniques
used to debug software running inside a CPU can help debug other digital design blocks inside an
FPGA. For example, custom JTAG instructions can be provided to allow reading registers built from
arbitrary sets of signals inside the FPGA, providing visibility for behaviors which are invisible to
boundary scan operations. Similarly, writing such registers could provide controllability which is not
otherwise available.

Storing firmware

JTAG allows device programmer hardware to transfer data into internal non-volatile device memory
(e.g. CPLDs). Some device programmers serve a double purpose for programming as well as
debugging the device. In the case of FPGAs, volatile memory devices can also be programmed via the
JTAG port, normally during development work. In addition, internal monitoring capabilities
(temperature, voltage and current) may be accessible via the JTAG port.

JTAG programmers are also used to write software and data into flash memory. This is usually done
using the same data bus access the CPU would use, and is sometimes handled by the CPU. In other
cases the memory chips themselves have JTAG interfaces. Some modern debug architectures provide
internal and external bus master access without needing to halt and take over a CPU. In the worst
case, it is usually possible to drive external bus signals using the boundary scan facility.

As a practical matter, when developing an embedded system, emulating the instruction store is the
fastest way to implement the "debug cycle" (edit, compile, download, test, and debug). This is because
the in-circuit emulator simulating an instruction store can be updated very quickly from the
development host via, say, USB. Using a serial UART port and bootloader to upload firmware to Flash
makes this debug cycle quite slow and possibly expensive in terms of tools; installing firmware into
Flash (or SRAM instead of Flash) via JTAG is an intermediate solution between these extremes.

Boundary scan testing

JTAG boundary scan technology provides access to many logic signals of a complex integrated circuit,
including the device pins. The signals are represented in the boundary scan register (BSR) accessible
via the TAP. This permits testing as well as controlling the states of the signals for testing and
debugging. Therefore, both software and hardware (manufacturing) faults may be located and an
operating device may be monitored.

When combined with built-in self-test (BIST), the JTAG scan chain enables a low overhead,
embedded solution to test an IC for certain static faults (shorts, opens, and logic errors). The scan
chain mechanism does not generally help diagnose or test for timing, temperature or other dynamic
operational errors that may occur. Test cases are often provided in standardized formats such as SVF,

https://en.wikipedia.org/wiki/JTAG 3/16
8/14/2021 JTAG - Wikipedia

or its binary sibling XSVF, and used in production tests. The ability to perform such testing on
finished boards is an essential part of Design For Test in today's products, increasing the number of
faults that can be found before products ship to customers.

Electrical characteristics
A JTAG interface is a special interface added to a chip. Depending on the version of JTAG, two, four,
or five pins are added. The four and five pin interfaces are designed so that multiple chips on a board
can have their JTAG lines daisy-chained together if specific conditions are met.[6] The two pin
interface is designed so that multiple chips can be connected in a star topology. In either case a test
probe need only connect to a single "JTAG port" to have access to all chips on a circuit board.

Daisy-chained JTAG (IEEE 1149.1)

The connector pins are:

1. TDI (Test Data In)

2. TDO (Test Data Out)
3. TCK (Test Clock)
4. TMS (Test Mode Select)
5. TRST (Test Reset) optional.

The TRST pin is an optional active-low reset to the test logic, usually asynchronous, but sometimes
synchronous, depending on the chip. If the pin is not available, the test logic can be reset by switching
to the reset state synchronously, using TCK and TMS. Note that resetting test logic doesn't necessarily
imply resetting anything else. There are generally some processor-specific JTAG operations which can
reset all or part of the chip being debugged.

Since only one data line is available, the protocol is serial. The clock input is at the TCK pin. One bit of
data is transferred in from TDI, and out to TDO per TCK rising clock edge. Different instructions can
be loaded. Instructions for typical ICs might read the chip ID, sample input pins, drive (or float)
output pins, manipulate chip functions, or bypass (pipe TDI to TDO to logically shorten chains of
multiple chips).

https://en.wikipedia.org/wiki/JTAG 4/16
8/14/2021 JTAG - Wikipedia

As with any clocked signal, data presented to TDI must be valid for some chip-specific Setup time
before and Hold time after the relevant (here, rising) clock edge. TDO data is valid for some chip-
specific time after the falling edge of TCK.

The maximum operating frequency of TCK varies depending on all chips in the chain (the lowest
speed must be used), but it is typically 10-100 MHz (100-10 ns per bit). Also TCK frequencies depend
on board layout and JTAG adapter capabilities and state. One chip might have a 40 MHz JTAG clock,
but only if it is using a 200  MHz clock for non-JTAG operations; and it might need to use a much
slower clock when it is in a low power mode. Accordingly, some JTAG adapters have adaptive
clocking using an RTCK (Return TCK) signal. Faster TCK frequencies are most useful when JTAG is
used to transfer much data, such as when storing a program executable into flash memory.

Clocking changes on TMS steps through a standardized JTAG state machine. The JTAG state machine
can reset, access an instruction register, or access data selected by the instruction register.

JTAG platforms often add signals to the handful defined by the IEEE 1149.1 specification. A System
Reset (SRST) signal is quite common, letting debuggers reset the whole system, not just the parts with
JTAG support. Sometimes there are event signals used to trigger activity by the host or by the device
being monitored through JTAG; or, perhaps, additional control lines.

Even though few consumer products provide an explicit JTAG port connector, the connections are
often available on the printed circuit board as a remnant from development prototyping and/or
production. When exploited, these connections often provide the most viable means for reverse
engineering.

Reduced pin count JTAG (IEEE 1149.7)

Reduced pin count JTAG uses only two wires, a clock wire and a
data wire. This is defined as part of the IEEE 1149.7 standard.[7]
The connector pins are:

1. TMSC (Test Serial Data) Example of JTAG with reduced pin

count
2. TCKC (Test Clock)

It is called cJTAG for compact JTAG.

The two wire interface reduced pressure on the number of pins, and devices can be connected in a star
topology.[8] The star topology enables some parts of the system to be powered down, while others can
still be accessed over JTAG; a daisy chain requires all JTAG interfaces to be powered. Other two-wire
interfaces exist, such as Serial Wire Debug.

Communications model
In JTAG, devices expose one or more test access ports (TAPs). The picture above shows three TAPs,
which might be individual chips or might be modules inside one chip. A daisy chain of TAPs is called a
scan chain, or (loosely) a target. Scan chains can be arbitrarily long, but in practice twenty TAPs is
unusually long.

https://en.wikipedia.org/wiki/JTAG 5/16
8/14/2021 JTAG - Wikipedia

To use JTAG, a host is connected to the target's JTAG signals (TMS, TCK, TDI, TDO, etc.) through
some kind of JTAG adapter, which may need to handle issues like level shifting and galvanic
isolation. The adapter connects to the host using some interface such as USB, PCI, Ethernet, and so
forth.

Primitives

The host communicates with the TAPs by manipulating TMS and TDI in conjunction with TCK, and
reading results through TDO (which is the only standard host-side input). TMS/TDI/TCK output
transitions create the basic JTAG communication primitive on which higher layer protocols build:

State switching ... All TAPs are in the same state, and that state changes on TCK transitions. This
JTAG state machine is part of the JTAG spec, and includes sixteen states. There are six "stable
states" where keeping TMS stable prevents the state from changing. In all other states, TCK
always changes that state. In addition, asserting TRST forces entry to one of those stable states
(Test_Logic_Reset), in a slightly quicker way than the alternative of holding TMS high and cycling
TCK five times.
Shifting ... Most parts of the JTAG state machine support two stable states used to transfer data.
Each TAP has an instruction register (IR) and a data register (DR). The size of those registers
varies between TAPs, and those registers are combined through TDI and TDO to form a large
shift register. (The size of the DR is a function of the value in that TAP's current IR, and possibly of
the value specified by a SCAN_N instruction.) There are three operations defined on that shift
register:
Capturing a temporary value
Entry to the Shift_IR stable state goes via the Capture_IR state, loading the shift register
with a partially fixed value (not the current instruction)
Entry to the Shift_DR stable state goes via the Capture_DR state, loading the value of the
Data Register specified by the TAP's current IR.
Shifting that value bit-by-bit, in either the Shift_IR or Shift_DR stable state; TCK transitions
shift the shift register one bit, from TDI towards TDO, exactly like a SPI mode 1 data transfer
through a daisy chain of devices (with TMS=0 acting like the chip select signal, TDI as MOSI,
etc.).
Updating IR or DR from the temporary value shifted in, on transition through the Update_IR or
Update_DR state. Note that it is not possible to read (capture) a register without writing
(updating) it, and vice versa. A common idiom adds flag bits to say whether the update should
have side effects, or whether the hardware is ready to execute such side effects.
Running ... One stable state is called Run_Test/Idle. The distinction is TAP-specific. Clocking TCK
in the Idle state has no particular side effects, but clocking it in the Run_Test state may change
system state. For example, some ARM9 cores support a debugging mode where TCK cycles in
the Run_Test state drive the instruction pipeline.

So at a basic level, using JTAG involves reading and writing instructions and their associated data
registers; and sometimes involves running a number of test cycles. Behind those registers is hardware
that is not specified by JTAG, and which has its own states that is affected by JTAG activities.

Most JTAG hosts use the shortest path between two states, perhaps constrained by quirks of the
adapter. (For example, one adapter only handles paths whose lengths are multiples of seven bits.)
Some layers built on top of JTAG monitor the state transitions, and use uncommon paths to trigger
higher level operations. Some ARM cores use such sequences to enter and exit a two-wire (non-JTAG)

https://en.wikipedia.org/wiki/JTAG 6/16
8/14/2021 JTAG - Wikipedia

SWD mode. A Zero Bit Scan (ZBS) sequence is used in IEEE 1149.7[7] to access advanced functionality
such as switching TAPs into and out of scan chains, power management, and a different two-wire
mode.

JTAG IEEE Std 1149.1 (boundary scan) instructions

Instruction register sizes tend to be small, perhaps four or seven bits wide. Except for BYPASS and
EXTEST, all instruction opcodes are defined by the TAP implementor, as are their associated data
registers; undefined instruction codes should not be used. Two key instructions are:

The BYPASS instruction, an opcode of all ones regardless of the TAP's instruction register size,
must be supported by all TAPs. The instruction selects a single bit data register (also called
BYPASS). The instruction allows this device to be bypassed (do nothing) while other devices in
the scan path are exercised.[4]
The optional IDCODE instruction, with an implementor-defined opcode. IDCODE is associated
with a 32-bit register (IDCODE). Its data uses a standardized format that includes a manufacturer
code (derived from the JEDEC Standard Manufacturer's Identification Code standard, JEP-106), a
part number assigned by the manufacturer, and a part version code. IDCODE is widely, but not
universally, supported.

On exit from the RESET state, the instruction register is preloaded with either BYPASS or IDCODE.
This allows JTAG hosts to identify the size and, at least partially, contents of the scan chain to which
they are connected. (They can enter the RESET state then scan the Data Register until they read back
the data they wrote. A BYPASS register has only a zero bit; while an IDCODE register is 32-bits and
starts with a one. So the bits not written by the host can easily be mapped to TAPs.) Such
identification is often used to sanity check manual configuration, since IDCODE is often unspecific. It
could for example identify an ARM Cortex-M3 based microcontroller, without specifying the
microcontroller vendor or model; or a particular FPGA, but not how it has been programmed.

A common idiom involves shifting BYPASS into the instruction registers of all TAPs except one, which
receives some other instruction. That way all TAPs except one expose a single bit data register, and
values can be selectively shifted into or out of that one TAP's data register without affecting any other
TAP.

The IEEE 1149.1 (JTAG) standard describes a number of instructions to support boundary scan
applications. Some of these instructions are "mandatory", but TAPs used for debug instead of
boundary scan testing sometimes provide minimal or no support for these instructions. Those
"mandatory" instructions operate on the Boundary Scan Register (BSR) defined in the BSDL file, and
include:

EXTEST for external testing, such as using pins to probe board-level behaviors
PRELOAD loading pin output values before EXTEST (sometimes combined with SAMPLE)
SAMPLE reading pin values into the boundary scan register

IEEE-defined "Optional" instructions include:

CLAMP a variant of BYPASS which drives the output pins using the PRELOADed values
HIGHZ deactivates the outputs of all pins
INTEST for internal testing, such as using pins to probe on-chip behaviors
RUNBIST places the chip in a self-test mode

https://en.wikipedia.org/wiki/JTAG 7/16
8/14/2021 JTAG - Wikipedia

USERCODE returns a user-defined code, for example to identify which FPGA image is active

Devices may define more instructions, and those definitions should be part of a BSDL file provided by
the manufacturer. They are often only marked as PRIVATE.

Boundary scan register

Devices communicate to the world via a set of input and output pins. By themselves, these pins
provide limited visibility into the workings of the device. However, devices that support boundary
scan contain a shift-register cell for each signal pin of the device. These registers are connected in a
dedicated path around the device's boundary (hence the name). The path creates a virtual access
capability that circumvents the normal inputs and outputs, providing direct control of the device and
detailed visibility for signals.[9]

The contents of the boundary scan register, including signal I/O capabilities, are usually described by
the manufacturer using a part-specific BSDL file. These are used with design 'netlists' from CAD/EDA
systems to develop tests used in board manufacturing. Commercial test systems often cost several
thousand dollars for a complete system, and include diagnostic options to pinpoint faults such as
open circuits and shorts. They may also offer schematic or layout viewers to depict the fault in a
graphical manner.

To enable boundary scanning, IC vendors add logic to each of their devices, including scan cells for
each of the signal pins. These cells are then connected together to form the boundary scan shift
register (BSR), which is connected to a TAP controller. These designs are parts of most Verilog or
VHDL libraries. Overhead for this additional logic is minimal, and generally is well worth the price to
enable efficient testing at the board level.

Example: ARM11 debug TAP

An example helps show the operation of JTAG in real systems. The example here is the debug TAP of
an ARM11 processor, the ARM1136[10] core. The processor itself has extensive JTAG capability,
similar to what is found in other CPU cores, and it is integrated into chips with even more extensive
capabilities accessed through JTAG.

This is a non-trivial example, which is representative of a significant cross section of JTAG-enabled

systems. In addition, it shows how control mechanisms are built using JTAG's register read/write
primitives, and how those combine to facilitate testing and debugging complex logic elements; CPUs
are common, but FPGAs and ASICs include other complex elements which need to be debugged.

Licensees of this core integrate it into chips, usually combining it with other TAPs as well as
numerous peripherals and memory. One of those other TAPs handles boundary scan testing for the
whole chip; it is not supported by the debug TAP. Examples of such chips include:

The OMAP2420, which includes a boundary scan TAP, the ARM1136 Debug TAP, an ETB11 trace
buffer TAP, a C55x DSP, and a TAP for an ARM7 TDMI-based imaging engine, with the boundary
scan TAP ("ICEpick-B") having the ability to splice TAPs into and out of the JTAG scan chain.[11]
The i.MX31 processor, which is similar, although its "System JTAG" boundary scan TAP,[12] which
is very different from ICEpick, and it includes a TAP for its DMA engine instead of a DSP and
imaging engine.

https://en.wikipedia.org/wiki/JTAG 8/16
8/14/2021 JTAG - Wikipedia

Those processors are both intended for use in wireless handsets such as cell phones, which is part of
the reason they include TAP controllers which modify the JTAG scan chain: Debugging low power
operation requires accessing chips when they are largely powered off, and thus when not all TAPs are
operational. That scan chain modification is one subject of a forthcoming IEEE 1149.7[7] standard.

JTAG facilities

This debug TAP exposes several standard instructions, and a few specifically designed for hardware-
assisted debugging, where a software tool (the "debugger") uses JTAG to communicate with a system
being debugged:

BYPASS and IDCODE, standard instructions as described above

EXTEST, INTEST, standard instructions, but operating on the core instead of an external boundary
scan chain. EXTEST is nominally for writing data to the core, INTEST is nominally for reading it; but
two scan chains are exceptions to that rule.
SCAN_N ARM instruction to select the numbered scan chain used with EXTEST or INTEST. There
are six scan chains:
0 - Device ID Register, 40 bits of read-only identification data
1 - Debug Status and Control Register (DSCR), 32 bits used to operate the debug facilities
4 - Instruction Transfer Register (ITR), 33 bits (32 instruction plus one status bit) used to
execute processor instructions while in a special "Debug Mode" (see below)
5 - Debug Communications Channel (DCC), 34 bits (one long data word plus two status bits)
used for bidirectional data transfer to the core. This is used both in debug mode, and possibly
at runtime when talking to debugger-aware software.
6 - Embedded Trace Module (ETM), 40 bits (7 bit address, one 32-bit long data word, and a
R/W bit) used to control the operation of a passive instruction and data trace mechanism. This
feeds either an on-chip Embedded Trace Buffer (ETB), or an external high speed trace data
collection pod. Tracing supports passive debugging (examining execution history) and profiling
for performance tuning.
7 - debug module, 40 bits (7 bit address, one 32-bit long data word, and a R/W bit) used to
access hardware breakpoints, watchpoints, and more. These can be written while the
processor is running; it does not need to be in Debug Mode.
HALT and RESTART, ARM11-specific instructions to halt and restart the CPU. Halting it puts the
core into the "Debug Mode", where the ITR can be used to execute instructions, including using
the DCC to transfer data between the debug (JTAG) host and the CPU.
ITRSEL, ARM11-specific instruction to accelerate some operations with ITR.

That model resembles the model used in other ARM cores. Non-ARM systems generally have similar
capabilities, perhaps implemented using the Nexus protocols on top of JTAG, or other vendor-specific
schemes.

Older ARM7 and ARM9 cores include an EmbeddedICE module[13] which combines most of those
facilities, but has an awkward mechanism for instruction execution: the debugger must drive the CPU
instruction pipeline, clock by clock, and directly access the data buses to read and write data to the
CPU. The ARM11 uses the same model for trace support (ETM, ETB) as those older cores.

Newer ARM Cortex cores closely resemble this debug model, but build on a Debug Access Port (DAP)
instead of direct CPU access. In this architecture (named CoreSight Technology), core and JTAG
module is completely independent. They are also decoupled from JTAG so they can be hosted over
https://en.wikipedia.org/wiki/JTAG 9/16
8/14/2021 JTAG - Wikipedia

ARM's two-wire SWD interface (see below) instead of just the six-wire JTAG interface. (ARM takes
the four standard JTAG signals and adds the optional TRST, plus the RTCK signal used for adaptive
clocking.) The CoreSight JTAG-DP is asynchronous to the core clocks, and does not implement
RTCK.[14] Also, the newer cores have updated trace support.

Halt mode debugging

One basic way to debug software is to present a single threaded model, where the debugger
periodically stops execution of the program and examines its state as exposed by register contents and
memory (including peripheral controller registers). When interesting program events approach, a
person may want to single step instructions (or lines of source code) to watch how a particular
misbehavior happens.

So for example a JTAG host might HALT the core, entering Debug Mode, and then read CPU registers
using ITR and DCC. After saving processor state, it could write those registers with whatever values it
needs, then execute arbitrary algorithms on the CPU, accessing memory and peripherals to help
characterize the system state. After the debugger performs those operations, the state may be restored
and execution continued using the RESTART instruction.

Debug mode is also entered asynchronously by the debug module triggering a watchpoint or
breakpoint, or by issuing a BKPT (breakpoint) instruction from the software being debugged. When it
is not being used for instruction tracing, the ETM can also trigger entry to debug mode; it supports
complex triggers sensitive to state and history, as well as the simple address comparisons exposed by
the debug module. Asynchronous transitions to debug mode are detected by polling the DSCR
register. This is how single stepping is implemented: HALT the core, set a temporary breakpoint at
the next instruction or next high-level statement, RESTART, poll DSCR until you detect asynchronous
entry to debug state, remove that temporary breakpoint, repeat.

Monitor mode debugging

Modern software is often too complex to work well with such a single threaded model. For example, a
processor used to control a motor (perhaps one driving a saw blade) may not be able to safely enter
halt mode; it may need to continue handling interrupts to ensure physical safety of people and/or
machinery. Issuing a HALT instruction using JTAG might be dangerous.

ARM processors support an alternative debug mode, called Monitor Mode, to work with such
situations. (This is distinct from the Secure Monitor Mode implemented as part of security extensions
on newer ARM cores; it manages debug operations, not security transitions.) In those cases,
breakpoints and watchpoints trigger a special kind of hardware exception, transferring control to a
"debug monitor" running as part of the system software. This monitor communicates with the
debugger using the DCC, and could arrange for example to single step only a single process while
other processes (and interrupt handlers) continue running.

Common extensions
Microprocessor vendors have often defined their own core-specific debugging extensions. Such
vendors include Infineon, MIPS with EJTAG, and more. If the vendor does not adopt a standard (such
as the ones used by ARM processors; or Nexus), they need to define their own solution. If they
support boundary scan, they generally build debugging over JTAG.

https://en.wikipedia.org/wiki/JTAG 10/16
8/14/2021 JTAG - Wikipedia

Freescale has COP and OnCE (On-Chip Emulation). OnCE includes a JTAG command which makes a
TAP enter a special mode where the IR holds OnCE debugging commands[15] for operations such as
single stepping, breakpointing, and accessing registers or memory. It also defines EOnCE (Enhanced
On-Chip Emulation)[16] presented as addressing real time concerns.

ARM has an extensive processor core debug architecture (CoreSight) that started with EmbeddedICE
(a debug facility available on most ARM cores), and now includes many additional components such
as an ETM (Embedded Trace Macrocell), with a high speed trace port, supporting multi-core and
multithread tracing. Note that tracing is non-invasive; systems do not need to stop operating to be
traced. (However, trace data is too voluminous to use JTAG as more than a trace control channel.)

Nexus defines a processor debug infrastructure which is largely vendor-independent. One of its
hardware interfaces is JTAG. It also defines a high speed auxiliary port interface, used for tracing and
more. Nexus is used with some newer platforms, such as the Atmel AVR32 and Freescale MPC5500
series processors.

Uses
Except for some of the very lowest end systems, essentially all embedded systems platforms
have a JTAG port to support in-circuit debugging and firmware programming as well as for
boundary scan testing:
ARM architecture processors come with JTAG support, sometimes supporting a two-wire
"SWD" variant or high speed tracing of traffic on instruction or data busses.
Modern 8-bit and 16-bit microcontroller chips, such as Atmel AVR and TI MSP430 chips,
support JTAG programming and debugging. However, the very smallest chips may not have
enough pins to spare (and thus tend to rely on proprietary single-wire programming
interfaces); if the pin count is over 32, there is probably a JTAG option.
Almost all FPGAs and CPLDs used today can be programmed via a JTAG port. A Standard
Test and Programming Language is defined by JEDEC standard JESD-71 for JTAG
programming of PLD's.
Many MIPS and PowerPC processors have JTAG support
Intel Core, Xeon, Atom, and Quark processors all support JTAG probe mode with Intel specific
extensions of JTAG using the so-called 60-pin eXtended Debug Port [XDP]. Additionally the
Quark processor supports more traditional 10-pin connectors.
Consumer products such as networking appliances and satellite television integrated
receiver/decoders often use microprocessors which support JTAG, providing an alternate
means to reload firmware if the existing bootloader has been corrupted in some manner.
The PCI bus connector standard contains optional JTAG signals on pins 1–5;[17] PCI Express
contains JTAG signals on pins 5–9.[18] A special JTAG card can be used to reflash a corrupt
BIOS.
Boundary scan testing and in-system (device) programming applications are sometimes
programmed using the Serial Vector Format, a textual representation of JTAG operations using a
simple syntax. Other programming formats include 'JAM' and STAPL plus more recently the IEEE
Std. 1532 defined format 'ISC' (short for In-System Configuration). ISC format is used in
conjunction with enhanced BSDL models for programmable logic devices (i.e. FPGAs and
CPLDs) that include addition ISC_<operation> instructions in addition to the basic bare minimum
IEEE 1149.1 instructions. FPGA programming tools from Xilinx, Altera, Lattice, Cypress, Actel,
etc. typically are able to export such files.
As mentioned, many boards include JTAG connectors, or just pads, to support manufacturing
operations, where boundary scan testing helps verify board quality (identifying bad solder joints,
https://en.wikipedia.org/wiki/JTAG 11/16
8/14/2021 JTAG - Wikipedia

etc.) and to initialize flash memory or FPGAs.

JTAG can also support field updates and troubleshooting.

Client support
The target's JTAG interface is accessed using some JTAG-enabled application and some JTAG
adapter hardware. There is a wide range of such hardware, optimized for purposes such as production
testing, debugging high speed systems, low cost microcontroller development, and so on. In the same
way, the software used to drive such hardware can be quite varied. Software developers mostly use
JTAG for debugging and updating firmware.

Connectors

There are no official standards for JTAG adapter physical

connectors. Development boards usually include a header to
support preferred development tools; in some cases they include
multiple such headers, because they need to support multiple
such tools. For example, a microcontroller, FPGA, and ARM
application processor rarely share tools, so a development board
using all of those components might have three or more headers.
Production boards may omit the headers, or when space is
limited may provide JTAG signal access using test points.
A Netgear FVS336G firewall with a
14 pin JTAG header at lower left.
Some common pinouts[19] for 2.54  mm (0.100  in) pin headers
are:

ARM 2×10 pin (or sometimes the older 2×7), used by almost
all ARM based systems
MIPS EJTAG (2×7 pin) used for MIPS based systems
2×5 pin Altera ByteBlaster-compatible JTAG extended by
many vendors
2×5 pin AVR extends Altera JTAG with SRST (and in some
cases TRST and an event output)
2×7 pin Texas Instruments used with DSPs and ARM-based
products such as OMAP
A Netgear DG632 ADSL modem
8 pin (single row) generic PLD JTAG compatible with many with an 8 pin JTAG header at
Lattice ispDOWNLOAD cables location "5".
MIPI10-/20-connectors (1.27 mm 050") for JTAG, cJTAG and
SWD

Those connectors tend to include more than just the four standardized signals (TMS, TCK, TDI,
TDO). Usually reset signals are provided, one or both of TRST (TAP reset) and SRST (system reset).
The connector usually provides the board-under-test's logic supply voltage so that the JTAG adapters
use the appropriate logic levels. The board voltage may also serve as a "board present" debugger
input. Other event input or output signals may be provided, or general purpose I/O (GPIO) lines, to
support more complex debugging architectures.

https://en.wikipedia.org/wiki/JTAG 12/16
8/14/2021 JTAG - Wikipedia

Higher end products frequently use dense connectors (frequently 38-pin MICTOR connectors) to
support high-speed tracing in conjunction with JTAG operations. A recent trend is to have
development boards integrate a USB interface to JTAG, where a second channel is used for a serial
port. (Smaller boards can also be powered through USB. Since modern PCs tend to omit serial ports,
such integrated debug links can significantly reduce clutter for developers.) Production boards often
rely on bed-of-nails connections to test points for testing and programming.

Adapter hardware

Adapter hardware varies widely. When not integrated into a development board, it involves a short
cable to attach to a JTAG connector on the target board; a connection to the debugging host, such as a
USB, PCI, or Ethernet link; and enough electronics to adapt the two communications domains (and
sometimes provide galvanic isolation). A separate power supply may be needed. There are both
"dumb" adapters, where the host decides and performs all JTAG operations; and "smart" ones, where
some of that work is performed inside the adapter, often driven by a microcontroller. The "smart"
adapters eliminate link latencies for operation sequences that may involve polling for status changes
between steps, and may accordingly offer faster throughput.

As of 2018, adapters with a USB link from the host are the most common approach. Higher end
products often support Ethernet, with the advantage that the debug host can be quite remote.
Adapters which support high speed trace ports generally include several megabytes of trace buffer and
provide high speed links (USB or Ethernet) to get that data to the host.

Parallel port adapters are simple and inexpensive, but they are relatively slow because they use the
host CPU to change each bit ("bit banging"). They have declined in usefulness because most
computers in recent years don't have a parallel port. Driver support is also a problem, because pin
usage by adapters varied widely. Since the parallel port is based on 5V logic level, most adapters
lacked voltage translation support for 3.3V or 1.8V target voltages.

RS-232 serial port adapters also exist, and are similarly declining in usefulness. They generally
involve either slower bit banging than a parallel port, or a microcontroller translating some command
protocol to JTAG operations. Such serial adapters are also not fast, but their command protocols
could generally be reused on top of higher speed links.

With all JTAG adapters, software support is a basic concern. Many vendors do not publish the
protocols used by their JTAG adapter hardware, limiting their customers to the tool chains supported
by those vendors. This is a particular issue for "smart" adapters, some of which embed significant
amounts of knowledge about how to interact with specific CPUs.

Software development

Most development environments for embedded software include JTAG support. There are, broadly
speaking, three sources of such software:

Chip vendors may provide the tools, usually requiring a JTAG adapter they supply. Examples
include FPGA vendors such as Xilinx and Altera, Atmel for its AVR8 and AVR32 product lines, and
Texas Instruments for most of its DSP and micro products. Such tools tend to be highly featured,
and may be the only real option for highly specialized chips like FPGAs and DSPs. Lower end
software tools may be provided free of charge. The JTAG adapters themselves are not free,
although sometimes they are bundled with development boards.

https://en.wikipedia.org/wiki/JTAG 13/16
8/14/2021 JTAG - Wikipedia

Tool vendors may supply them, usually in conjunction with multiple chip vendors to provide cross-
platform development support. ARM-based products have a particularly rich third party market,
and a number of those vendors have expanded to non-ARM platforms like MIPS and PowerPC.
Tool vendors sometimes build products around free software like GCC and GDB, with GUI
support frequently using Eclipse. JTAG adapters are sometimes sold along with support bundles.
Open source tools exist. As noted above, GCC and GDB form the core of a good toolchain, and
there are GUI environments to support them.

All such software tends to include basic debugger support: stopping, halting, single stepping,
breakpoints, data structure browsing, and so on.
Commercial tools tend to provide tools like very
accurate simulators and trace analysis, which are not currently available as open source.

Similar interface standards

Serial Wire Debug (SWD) is an alternative 2-pin electrical interface that uses the same protocol. It
uses the existing GND connection. SWD uses an ARM CPU standard bi-directional wire protocol,
defined in the ARM Debug Interface v5.[20] This enables the debugger to become another AMBA bus
master for access to system memory and peripheral or debug registers. Data rate is up to 4 MB/s
at 50 MHz. SWD also has built-in error detection. On JTAG devices with SWD capability, the TMS
and TCK are used as SWDIO and SWCLK signals, providing for dual-mode programmers.

See also
Automated optical inspection
Automated x-ray inspection
In-circuit test
Acceptance testing

References
1. Neal Stollon (2011). On-Chip Instrumentation. Springer.
2. Randy Johnson, Steward Christie (Intel Corporation, 2009), JTAG 101—IEEE 1149.x and
Software Debug (http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/jta
g-101-ieee-1149x-paper.pdf)
3. Copies of IEEE 1149.1-1990 (http://standards.ieee.org/reading/ieee/std_public/description/testtec
h/1149.1-1990_desc.html) or its 2001 update may be bought from the IEEE.
4. "IEEE 1149.1-2001" (http://standards.ieee.org/reading/ieee/std_public/description/testtech/1149.1-
2001_desc.html).
5. Select the right FPGA debug method (http://www.embeddeddesignindia.co.in/ART_8800568419_
2800006_TA_d2d96055.HTM) Archived (https://web.archive.org/web/20100427145744/http://ww
w.embeddeddesignindia.co.in/ART_8800568419_2800006_TA_d2d96055.HTM) 27 April 2010 at
the Wayback Machine presents one of the models for such tools.
6. "FAQ: Under what conditions can I daisy-chain JTAG?" (http://www.jtagtest.com/faq/jtag-ieee-114
9-1/under-what-conditions-can-i-daisy-chain-jtag). www.jtagtest.com.
7. Texas Instruments is one adopter behind this standard, and has an IEEE 1149.7 wiki page (http://ti
expressdsp.com/wiki/index.php?title=IEEE_1149.7) Archived (https://web.archive.org/web/201404
06214032/http://tiexpressdsp.com/wiki/index.php?title=IEEE_1149.7) 6 April 2014 at the Wayback
Machine with more information.

https://en.wikipedia.org/wiki/JTAG 14/16
8/14/2021 JTAG - Wikipedia

8. "Major Benefits of IEEE 1149.7" (https://www.corelis.com/education/design-testability-tips-guidelin

es/major-benefits-ieee-1149-7/).
9. Oshana, Rob (29 October 2002). "Introduction to JTAG" (https://www.embedded.com/electronics-
blogs/beginner-s-corner/4024466/Introduction-to-JTAG). Embedded Systems Design. Retrieved
5 April 2007.
10. ARM1136JF-S and ARM1136J-S Technical Reference Manual (http://infocenter.arm.com/help/topi
c/com.arm.doc.ddi0211k/DDI0211K_arm1136_r1p5_trm.pdf) revision r1p5, ARM DDI 0211K.
Chapter 14 presents the Debug TAP. Other ARM11 cores present the same model through their
Debug TAPs.
11. Documentation for the OMAP2420 is not publicly available. However, a Texas Instruments
document The User's Guide to DBGJTAG (http://wiki.davincidsp.com/images/9/90/Dbjtag_users_
guide.pdf) discussing a JTAG diagnostic tool presents this OMAP2420 scan chain example (and
others).
12. See "i.MX35 (MCIMX35) Multimedia Applications Processor Reference Manual" from the
Freescale web site. Chapter 44 presents its "Secure JTAG Controller" (SJC).
13. ARM9EJ-S Technical Reference Manual (http://infocenter.arm.com/help/topic/com.arm.doc.ddi022
2b/DDI0222.pdf) revision r1p2. Appendix B "Debug in Depth" presents the EmbeddedICE-RT
module, as seen in the popular ARM926ejs core.
14. "CoreSight Components Technical Reference Manual: 2.3.2. Implementation specific details" (htt
p://infocenter.arm.com/help/topic/com.arm.doc.ddi0314h/Chdhbbjd.html#Chdihede).
infocenter.arm.com.
15. AN1817/D, "MMC20xx M•CORE OnCE Port Communication and Control Sequences"; Freescale
Semiconductor, Inc.; 2004. Not all processors support the same OnCE module.
16. AN2073 "Differences Between the EOnCE and OnCE Ports"; Freescale Semiconductor, Inc.;
2005.
17. "PCI Local Bus Technical Summary, 4.10 JTAG/Boundary Scan Pins" (https://web.archive.org/we
b/20061107201536/http://www.techfest.com/hardware/bus/pci.htm#4.10). Archived from the
original (http://www.techfest.com/hardware/bus/pci.htm#4.10) on 7 November 2006. Retrieved
13 July 2007.
18. "Serial PCI Express Bus 16x Pinout and PCIe Pin out Signal names" (http://www.interfacebus.co
m/Design_PCI_Express_16x_PinOut.html). www.interfacebus.com.
19. JTAG Pinouts (http://www.jtagtest.com/pinouts/) lists a few JTAG-only header layouts that have
widespread tool support.
20. "ARM Information Center" (http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ihi0031c/i
ndex.html). infocenter.arm.com. Retrieved 10 August 2017.

External links
IEEE Standard for Reduced-Pin and Enhanced-Functionality Test Access Port and Boundary-
Scan Architecture (http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5412866) The official
IEEE 1149.7 Standard.
JTAG 101 - IEEE 1149.x and Software Debug (http://www.intel.com/content/dam/www/public/us/e
n/documents/white-papers/jtag-101-ieee-1149x-paper.pdf) Intel whitepaper on JTAG usage in
system software debug across a wide range of architectures.
IEEE Std 1149.1 (JTAG) Testability Primer (http://www.ti.com/lit/an/ssya002c/ssya002c.pdf)
Includes a strong technical presentation about JTAG, with design-for-test chapters.
Boundary Scan / IEEE 1149 tutorial (https://www.electronics-notes.com/articles/test-methods/boun
dary-scan-jtag-ieee1149/what-is-boundary-scan-jtag.php) including details of variants of the IEEE
standard, BSDL, DFT, and other topics

https://en.wikipedia.org/wiki/JTAG 15/16
8/14/2021 JTAG - Wikipedia

JTAG Tutorial (http://www.corelis.com/education/JTAG_Tutorial.htm) Useful tutorials and

information on JTAG technology.
What is JTAG? (http://www.corelis.com/education/What-Is-JTAG.htm) Useful information on JTAG,
timeline, architecture and more.
JTAG Applications (http://www.corelis.com/education/JTAG-Applications.htm) JTAG for product
development, life cycle, testing, tools needed, and other topics.

Retrieved from "https://en.wikipedia.org/w/index.php?title=JTAG&oldid=1025425115"

This page was last edited on 27 May 2021, at 13:37 (UTC).

Text is available under the Creative Commons Attribution-ShareAlike License;

additional terms may apply. By using this
site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia
Foundation, Inc., a non-profit organization.

https://en.wikipedia.org/wiki/JTAG 16/16