JTAG
Contents
Introduction
JTAG interface is useful in debugging some complicated issues with U-Boot, like this example here, during Linux kernel portage or for FPGA debugging with ChipScope.
Note: However, most of the usual debugging functionalities are provided from within Armadeus BSP without the need for a JTAG interface. You won't also need JTAG to reflash an Armadeus board, even if you bricked U-Boot; serial connection should be enough (see Bootstrap). |
Building a JTAG connector for APF27Dev board
First you need a decent JTAG connector. The description below produces a 20-pin male JTAG connectior with standard ARM pinout.
List of material and part numbers at Conrad:
- 2x20-pin header, 2.54mm pitch (Conrad: 741973)
- ATA/IDE cable (Conrad: 971742)
- 2x10-pin IDC low profile header, 2.54mm pitch (Conrad: 743534)
- 20-way flat cable, 1.27mm pitch (Conrad: 609463)
- 68 Ohm resistor
Assembling it all together:
- Solder the 40-pin header onto the J19 connector on the apf27dev board
- Cut off a ~10cm piece from the ATA cable with the 40pin plug at the end.
- Cut off ~10cm from 20-way flat cable
- Carefully attach the 20-pin header to the flat cable. The thing is easy to break and it requires some forcing. Better buy a spare piece in advance.
- Use a knife and a cutting pad and dissect the cable endings, ~3cm long. Dissect the whole width of the 20-way cable and only pins 40 to 31 on the 40-way ATA cable.
- Strip the cable endings
- Solder the two cables together, as specified below:
ARM JTAG 20-pin cable | apf27dev J19 40-pin cable |
---|---|
1 - VREF (+2.8v) | J9 pin 2 OR J19 pin 39 with a 68 ohm resistor inline |
2 - Vddh (+3.3v) | 39 |
3 - nTRST | 33 |
4, 6, 8, 10, 12, 14, 16, 18, 20 - Vss (ground) | 31, 34, 40 |
5 - TDI | 35 |
7 - TMS | 36 |
9 - TCK | 37 |
11 - RTCK | (optional) J22 pin 2 (TCK_OWIRE) |
13 –TDO | 38 |
15 – nSRST | (optional) wired to apf27 R76 on cpu side: http://www.armadeus.com/_downloads/apf27/hardware/apf27_V1.2_top_assembly.pdf |
JTAG Probe
The examples below are tested with Amontec JTAGkey adapter. It has a male 20-pin plug and a 20-way female-to-female cable which fits directly into the cable as described above. A cheaper solution would be to use the Amontec JTAGkey-Tiny and install a 20-pin female plug on the connector cable for APF27dev.
Configure the board for JTAG
If the APF27 board is equipped with FPGA, the FPGA chip MUST be powered before using JTAG. Indeed, at system power-up, FPGA is low powered by cutting down the VCCAUX and VCCINT supplies until some data is loaded to FPGA. The simplest way to activate the FPGA chip is to enable the U-Boot firmware_autoload feature. Under U-Boot, set the environment variable firmware_autoload to 1 and save the environment variables to enable the FPGA on reset:
BIOS> setenv firmware_autoload 1 BIOS> saveenv Saving Environment to NAND... Erasing Nand... Erasing at 0xe0000 -- 100% complete. Writing to Nand... done BIOS> reset ...
Install and configure OpenOCD to work with a jtagkey
Yet to be done. First it requires 2 libraries libusb and libftdi (libftd2xxx from ftdi). Download and install the latest libftdi: http://www.intra2net.com/en/developer/libftdi/download/libftdi-0.15.tar.gz
>./configure >make >sudo make install
then openocd: http://developer.berlios.de/projects/openocd
> ./bootstrap ... >./configure --enable-ft2232_libftdi ... >make ... >sudo make install ...
Basic tests show that cable works as expected. You can use the following configuration file with jtagkey and openocd.
telnet_port 4444
gdb_port 3333
# GDB can also flash my flash!
gdb_memory_map enable
gdb_flash_program enable
gdb_breakpoint_override hard
interface ft2232
ft2232_device_desc "Amontec JTAGkey"
ft2232_layout jtagkey
ft2232_vid_pid 0x0403 0xcff8
jtag_khz 6000
# The APF27 board has a IMX27 chip and one fpga spartan3 200k
#source [find board/apf27.cfg]
#source [find target/imx27.cfg]
reset_config trst_and_srst
set _CHIPNAME imx27
set _ENDIAN little
# The bs tap
set _BSTAPID 0x1b900f0f
jtag newtap $_CHIPNAME bs \
-irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_BSTAPID
# The CPU tap
set _CPUTAPID 0x07926121
jtag newtap $_CHIPNAME cpu \
-irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_CPUTAPID
set _TARGETNAME [format "%s.cpu" $_CHIPNAME]
target create $_TARGETNAME arm926ejs \
-endian $_ENDIAN -chain-position $_TARGETNAME -variant arm926ejs
$_TARGETNAME configure \
-work-area-virt 0xffff4c00 -work-area-phys 0xffff4c00 \
-work-area-size 0x8000 -work-area-backup 1
arm7_9 dcc_downloads enable
#endof target/imx27.cfg
jtag newtap xc3s200a.fpga fpga \
-irlen 6 \
-irmask 0x3f \
-ircapture 0x9 \
-expected-id 0x2218093
$_TARGETNAME configure -event reset-init { apf27_init }
proc apf27_init { } {
# This setup puts RAM at 0xA0000000
# reset the board correctly
#reset run
#reset halt
# reset keeping fpga alive
soft_reset_halt
halt
mww 0x10000000 0x20040304
mww 0x10020000 0x00000000
mww 0x10000004 0xDFFBFCFB
mww 0x10020004 0xFFFFFFFF
sleep 100
# ========================================
# Configure DDR on CSD0 -- initial reset
# ========================================
mww 0x10027818 0x0000080F
mww 0xD8001010 0x0000000C
# ========================================
# Configure DDR on CSD0 -- wait 5000 cycle
# ========================================
mww 0x10027828 0x55555555
mww 0x10027830 0x55555555
mww 0x10027834 0x55555555
mww 0x10027838 0x00005005
mww 0x1002783C 0x15555555
mww 0xD8001004 0x00695728
mww 0xD8001000 0x92100000
mww 0xA0000F00 0x0
mww 0xD8001000 0xA2100000
mww 0xA0000F00 0x0
mww 0xA0000F00 0x0
mww 0xA0000F00 0x0
mww 0xA0000F00 0x0
mww 0xD8001000 0xA2100000
mww 0xA0000F00 0x0
mww 0xA0000F00 0x0
mww 0xA0000F00 0x0
mww 0xA0000F00 0x0
mww 0xD8001000 0xB2100000
mwb 0xA0000033 0xDA
mwb 0xA2000000 0x00
mww 0xD8001000 0x82126080
}
launch openocd with this config file and test the connection from a telnet terminal to send commands reset, soft_reset_halt, halt. Without the nSRST line wired to the board it is still possible to reset the apf27 with the reset button. ;-)
> openocd 6000 kHz dcc downloads are enabled Info : JTAG tap: imx27.bs tap/device found: 0x1b900f0f (Manufacturer: 0x787, Part: 0xb900, Version: 0x1) Info : JTAG Tap/device matched Info : JTAG tap: imx27.cpu tap/device found: 0x07926121 (Manufacturer: 0x090, Part: 0x7926, Version: 0x0) Info : JTAG Tap/device matched Info : JTAG tap: xc3s400a.fpga.fpga tap/device found: 0x02220093 (Manufacturer: 0x049, Part: 0x2220, Version: 0x0) Info : JTAG Tap/device matched Warn : no tcl port specified, using default port 6666 ...
and from another terminal:
> telnet 127.0.0.1 4444 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Open On-Chip Debugger > reset JTAG tap: imx27.bs tap/device found: 0x1b900f0f (Manufacturer: 0x787, Part: 0xb900, Version: 0x1) JTAG Tap/device matched JTAG tap: imx27.cpu tap/device found: 0x07926121 (Manufacturer: 0x090, Part: 0x7926, Version: 0x0) JTAG Tap/device matched JTAG tap: xc3s400a.fpga.fpga tap/device found: 0x02220093 (Manufacturer: 0x049, Part: 0x2220, Version: 0x0) JTAG Tap/device matched > soft_reset_halt requesting target halt and executing a soft reset target state: halted target halted in ARM state due to debug-request, current mode: Supervisor cpsr: 0x000000d3 pc: 0x00000000 MMU: disabled, D-Cache: disabled, I-Cache: disabled > halt target state: halted target halted in ARM state due to debug-request, current mode: Supervisor cpsr: 0x200000d3 pc: 0xaff20bb8 MMU: disabled, D-Cache: disabled, I-Cache: enabled > reset init JTAG tap: imx27.bs tap/device found: 0x1b900f0f (Manufacturer: 0x787, Part: 0xb900, Version: 0x1) JTAG Tap/device matched JTAG tap: imx27.cpu tap/device found: 0x07926121 (Manufacturer: 0x090, Part: 0x7926, Version: 0x0) ...
Working with BDI2000
Firstly, check if your BDI2000 is rev C (see on the back of the probe, near the serial number). If your probe is A or B, it does not support target supply voltage less than 3.0 V. In this case, there might be a solution putting a serial resistor, see above Building a JTAG connector for APF27Dev board.
In addition, you can follow these drawings :
The BDI2000 probe comes with a firmware (bdiGDB) that make one able to connect directly GDB (GNU debugger) to the BDI2000 via ethernet. In the following example, we use a precompiled GDB from CodeSourcery. But any GDB configured for an ARM target might work.
You can use the following configuration file with BDI2000. It has been built like OpenOCD configuration file.
; bdiGDB configuration for ARMadeus APF27 board ; --------------------------------------------- ; Jonathan ILIAS-PILLET ; ; Many settings translated from OpenOCD's one, thanks to SSinyagin and Jorasse [INIT] ; to be done : memory map ;This setup puts RAM at 0xA0000000 ; reset the board correctly wm32 0x10000000 0x20040304 wm32 0x10020000 0x00000000 wm32 0x10000004 0xDFFBFCFB wm32 0x10020004 0xFFFFFFFF delay 100 ; ======================================== ; Configure DDR on CSD0 -- initial reset ; ======================================== wm32 0x10027818 0x0000080F wm32 0xD8001010 0x0000000C ; ======================================== ; Configure DDR on CSD0 -- wait 5000 cycle ; ======================================== wm32 0x10027828 0x55555555 wm32 0x10027830 0x55555555 wm32 0x10027834 0x55555555 wm32 0x10027838 0x00005005 wm32 0x1002783C 0x15555555 wm32 0xD8001004 0x00695728 wm32 0xD8001000 0x92100000 wm32 0xA0000F00 0x0 wm32 0xD8001000 0xA2100000 wm32 0xA0000F00 0x0 wm32 0xA0000F00 0x0 wm32 0xA0000F00 0x0 wm32 0xA0000F00 0x0 wm32 0xD8001000 0xB2100000 wm8 0xA0000033 0xDA wm8 0xA2000000 0x00 wm32 0xD8001000 0x82126080 [TARGET] CPUTYPE ARM926E ; processor core CLOCK 1 ; JTAG clock 1 = 16 MHz, 6 = 200KHz (last setting used only for testing) WAKEUP 200 ; millisecond to wait after a reset to let target start SCANPRED 1 6 ; JTAG chain starts with FGPA (spartan3), it has a 6 bits Instruction Register SCANSUCC 1 4 ; i.MX27 JTAG Controller, not used but present in the JTAG chain TRST OPENDRAIN ; pullup provided by iMX27 (§7.4 JTAG Controller Pin List) RESET NONE ENDIAN LITTLE ; memory model is little endian ;VECTOR CATCH 0x1f ; not used now BREAKMODE HARD ; hardware breakpoints ;BREAKMODE SOFT 0xDFFFDFFF ;SOFT or HARD, ARM / Thumb break code BDIMODE AGENT [HOST] DEBUGPORT 2001 ; TCP port to connect GDB to FORMAT ELF ; format of image files LOAD MANUAL ; load code manually after reset PROMPT APF27> [FLASH] ; to be done [REGS] FILE reg926e.def
You can also use the optionnal register file below :
;Register definition for ARM926E ;=============================== ; ; name: user defined name of the register ; type: the type of the register ; GPR general purpose register ; CP15 CP15 register ; MM memory mapped register ; DMMx direct memory mapped register with offset ; x = 1..4 ; the base is defined in the configuration file ; e.g. DMM1 0x02200000 ; addr: the number, adddress or offset of the register ; size the size of the register (8,16 or 32) ; ;name type addr size ;------------------------------------------- ; ; ; CP15 Registers ; ; Register Numbers for 926E: ; +-------+-------+-------+-------+ ; | | | | | | | | | | | | | | | | | ; +-+-----+-+-----+-------+-------+ ; |-|opc_1|-|opc_2| CRm | nbr | ; +-+-----+-+-----+-------+-------+ ; ; id CP15 0x0000 32 ;ID code cache CP15 0x0100 32 ;Cache type tcm CP15 0x0200 32 ;TCM status control CP15 0x0001 32 ;Control ttb CP15 0x0002 32 ;Translation table base dac CP15 0x0003 32 ;Domain access control dfsr CP15 0x0005 32 ;Data fault status ifsr CP15 0x0105 32 ;Inst fault status far CP15 0x0006 32 ;Fault address ; fcsr CP15 0x000d 32 ;Fast context switch PID context CP15 0x010d 32 ;Context ID ;
Now, we want to connect GDB to the BDI probe. Here are the IP addresses choosen for the example :
- 192.168.5.1 is the host, where GDB runs
- 192.168.5.2 is the BDI2000's address
GDB command and its output should looks like this :
(gdb) target remote 192.168.5.2:2001 Remote debugging using 192.168.5.2:2001 0xaff20cb4 in ?? ()
Using OpenOCD
Now we can use OpenOCD / JTAG to boot a new U-Boot image:
- Reset the target manually
- Run OpenOCD
openocd -f openocd.cfg
- Start a telnet session from another terminal
telnet localhost 4444
- Halt the CPU and configure the DDRAM controler
> soft_reset_halt ... > reset init ...
- Load the U-Boot image to RAM
> load_image /home/{mydir}/armadeus/buildroot/project_build_armv5te/apf27/u-boot-1.3.4/u-boot-nand.bin 0xA0000000 ...
- Assert a breakpoint
> bp 0xa0000010 4 hw breakpoint added at address 0xa0000010
- Run U-Boot up to the breakpoint
> resume 0xa0000000 target state: halted target halted in ARM state due to breakpoint, current mode: Supervisor cpsr: 0x600000d3 pc: 0xa0000010 MMU: disabled, D-Cache: disabled, I-Cache: disabled
OpenOCD is operational...
Debugging U-Boot with OpenOCD and GDB on APF27
The booting procedure of apf27 is as follows:
- the NAND_SPL loader reads the u-boot image from NAND flash to 0xA0000000 (nand_spl/board/armadeus/apf27/start.S)
- The SPL loader gives control to the U-boot startup (cpu/arm926ejs/start.S)
- The startup code gives control to the board-specific initialization code (lowlevel_init in board/armadeus/apf27/lowlevel_init.S)
- The startup code relocates the image to its base address (TEXT_BASE=0xAFF00000)
- The startup code gives control to start_armboot() in lib_arm/board.c
- U-boot reads the environment and does its booting job.
If you plan to debug a new U-boot image with JTAG, you have to prevent it from resetting FPGA (GPIO port F). By default, the startup code resets the FPGA ports to their initial state, and that disconnects our JTAG adapter, because FPGA chip is part of the chain.
Comment out the following lines in the patched U-boot code in buildroot/project_build_armv5te/apf27/u-boot-1.3.4:
### cpu/arm926ejs/start.S lines 185-186 /* bl coloured_LED_init bl red_LED_on */ ### board/armadeus/apf27/lowlevel_init.S lines 113-126 /* PORTF */ /* writel( DR(PORTF), CFG_DR_F_VAL) writel( OCR1(PORTF), CFG_OCR1_F_VAL) writel( OCR2(PORTF), CFG_OCR2_F_VAL) writel( ICONFA1(PORTF), CFG_ICFA1_F_VAL) writel( ICONFA2(PORTF), CFG_ICFA2_F_VAL) writel( ICONFB1(PORTF), CFG_ICFB1_F_VAL) writel( ICONFB2(PORTF), CFG_ICFB2_F_VAL) writel( ICR1(PORTF), CFG_ICR1_F_VAL) writel( ICR2(PORTF), CFG_ICR2_F_VAL) writel( IMR(PORTF), CFG_IMR_F_VAL) writel( DDIR(PORTF), CFG_DDIR_F_VAL) writel( GPR(PORTF), CFG_GPR_F_VAL) writel( PUEN(PORTF), CFG_PUEN_F_VAL) writel( GIUS(PORTF), CFG_GIUS_F_VAL) */
Compile the new U-boot image. This example disables optimization and stores the build commands into a logfile. From Armadeus BSP root folder,
make u-boot-clean && (make OPTFLAGS=-O0 | tee loglog) && cp -v buildroot/binaries/apf27/apf27-u-boot.bin /tftpboot/
Reset the board and press any key to get U-Boot prompt in the serial console.
Launch OpenOCD (we assume the JTAG adapter is already connected). It should report finding of 3 devices:
openocd -f apf27-openocd.cfg
Figure out which address to use for the first breakpoint. The build process has created the file u-boot.map which lists all the addresses of all global symbols. In this example, the address of start_armboot() is 0xaff01630:
[root@lab0 u-boot-1.3.4]# grep start_armboot u-boot.map lib_arm/libarm.a(board.o) cpu/arm926ejs/start.o (start_armboot) 0x00000000aff01630 start_armboot
Telnet to the OpenOCD console and install the breakpoint at the address of interest. It is important to issue "halt" and "resume":
[root@lab0 armadeus]# telnet localhost 4444 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Open On-Chip Debugger > halt target state: halted target halted in ARM state due to debug-request, current mode: Supervisor cpsr: 0x000000d3 pc: 0xaff20c4c MMU: disabled, D-Cache: disabled, I-Cache: enabled > bp 0xaff01630 4 hw breakpoint added at address 0xaff01630 > resume
Now the original u-boot image continues to function. Load our test image into the memory and launch it:
BIOS> setenv ipaddr 192.168.1.5; setenv serverip 192.168.1.40; tftpboot 0xA0000000 apf27-u-boot.bin; go 0xA0000000 FEC ETHERNET: Link is up - 100/Full TFTP from server 192.168.1.40; our IP address is 192.168.1.5 Filename 'apf27-u-boot.bin'. Load address: 0xa0000000 Loading: ########################### done Bytes transferred = 392232 (5fc28 hex) ## Starting application at 0xA0000000 ...
Here our breakpoint should fire, and the following should be seen in OpenOCD telnet session:
target state: halted target halted in ARM state due to breakpoint, current mode: Supervisor cpsr: 0x200000d3 pc: 0xaff01630 MMU: disabled, D-Cache: disabled, I-Cache: enabled
Remove the breakpoint. Note that there is a very limited number of hardware breakpoints (3?) and you can't set up too many of them.
rbp 0xaff01630
Now we can launch GDB or its graphical interface DDD and connect it to our paused bootloader:
ddd --debugger buildroot/build_armv5te/staging_dir/usr/bin/arm-linux-gdb
In GDB command window, load the symbol table and connect to OpenOCD:
(gdb) add-symbol-file u-boot 0xaff00000 add symbol table from file "u-boot" at .text_addr = 0xaff00000 (gdb) target remote localhost:3333 start_armboot () at board.c:304 /home/armadeus-be/buildroot/project_build_armv5te/apf27/u-boot-1.3.4/lib_arm/board.c:304:8383:beg:0xaff01630
The DDD code display window should show the start_armboot() entry point. Now you can follow with the debugging as usual.
Hint: in order to get back to start_armboot(), you don't have to reset the board. Disconnect GDB from OpenOCD, then in OpenOCD telnet window, set the program counter back to the start address of start_armboot(), and then re-attach GDB.
Troubleshooting
- TRST does not stop the CPU
Most probably the FPGA chip went offline during the U-Boot initialization and didn't come online.
- FPGA chip is not visible when OpenOCD detects the TAPs.
FPGA chip is in low power mode at startup. Load some data in the fpga to enable it in jtag chain.
- From Bootstrap mode FPGA and CPU are not accessible.
Yes, be sure to remove the bootstrap jumper to be able to use jtag. There is a small hardware modification to fix it but this change will disable the low power features.