Joint Test Action Group

From Wikipedia, the free encyclopedia

Joint Test Action Group (JTAG) is the usual name used for the IEEE 1149.1 standard entitled Standard Test Access Port and Boundary-Scan Architecture for test access ports used for testing printed circuit boards using boundary scan.

JTAG was standardized in 1990 as the IEEE Std. 1149.1-1990. In 1994, a supplement that contains a description of the boundary scan description language (BSDL) was added. Since then, this standard has been adopted by electronics companies all over the world. Boundary-scan is nowadays mostly synonymous with JTAG.

While designed for printed circuit boards, it is nowadays primarily used for testing sub-blocks of integrated circuits, and is also useful as a mechanism for debugging embedded systems, providing a convenient "back door" into the system. When used as a debugging tool, an in-circuit emulator which in turn uses JTAG as the transport mechanism enables a programmer to access an on-chip debug module which is integrated into the CPU via JTAG. The debug module enables the programmer to debug the software of an embedded system.

Electrical characteristics

A JTAG interface is a special four/five-pin interface added to a chip, designed so that multiple chips on a board can have their JTAG lines daisy-chained together, and a test probe need only connect to a single "JTAG port" to have access to all chips on a circuit board. The connector pins are

  1. TDI (Test Data In)
  2. TDO (Test Data Out)
  3. TCK (Test Clock)
  4. TMS (Test Mode Select)
  5. TRST (Test ReSeT) optional.

Figure: Example of JTAG chain

Since only one data line is available, the protocol is necessarily serial, like SPI. The clock input is at the TCK pin. Configuration is performed by manipulating a state machine one bit at a time through the TMS pin. One bit of data is transferred in and out per TCK clock pulse at the TDI and TDO pins, respectively. Different instruction modes can be loaded to read the chip ID, sample input pins, drive (or float) output pins, manipulate chip functions, or bypass (pipe TDI to TDO through a single-bit register to logically shorten chains of multiple chips). The operating frequency of TCK varies depending on the chip, but it is typically 10 to 100 MHz (100 ns down to 10 ns per bit).

When performing boundary scan on integrated circuits, the signals manipulated are between different functional blocks of the chip, rather than between different chips.

The TRST pin is an optional active-low reset for the test logic, usually asynchronous but sometimes synchronous, depending on the chip. If the pin is not available, the test logic can be reset synchronously by holding TMS high while clocking TCK.
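The TMS-driven state machine described above, and the synchronous reset mentioned for chips without TRST, can be made concrete with a small model of the IEEE 1149.1 TAP controller. This is an added example, not code from the original article; the transition table is transcribed from the standard's 16-state diagram, and the BYPASS chain model assumes each bypassed device contributes exactly one register bit between TDI and TDO.

```python
# Model of the IEEE 1149.1 TAP controller. Each entry maps a state to
# (next state when TMS=0, next state when TMS=1), sampled on the TCK rising edge.
# Table transcribed from the standard's state diagram (added example, not from the article).
TAP = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}


def clock_tms(state, tms_bits):
    """Apply one TMS value per TCK pulse and return the resulting TAP state."""
    for tms in tms_bits:
        state = TAP[state][tms]
    return state


def synchronous_reset(state):
    """Reset without a TRST pin: five TCK pulses with TMS held high reach
    Test-Logic-Reset from any of the 16 states."""
    return clock_tms(state, [1, 1, 1, 1, 1])


def bypass_chain_shift(tdi_bits, devices_in_bypass):
    """Shift a bit stream through a chain whose devices all hold the BYPASS
    instruction. Each bypass register is one flip-flop loaded with 0 in
    Capture-DR, so TDO shows TDI delayed by one TCK per device (assumption:
    no other registers in the path)."""
    regs = [0] * devices_in_bypass   # bypass registers, first device at index 0
    tdo = []
    for bit in tdi_bits:
        regs.insert(0, bit)          # TDI enters the first device's register
        tdo.append(regs.pop())       # the last device's register drives TDO
    return tdo
```

Walking TMS 0,1,0,0 from Test-Logic-Reset lands in Shift-DR, and a four-bit pattern sent through two bypassed devices appears on TDO two clocks late, which is how a probe skips uninteresting chips in a daisy chain.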

Data presented to TDI must be valid for some chip-specific setup time before, and hold time after, the rising edge of TCK. TDO data is valid for some chip-specific time after the falling edge of TCK. This can be seen, for example, in the JTAG timing diagram of the DS4550 chip (http://pdfserv.maxim-ic.com/en/ds/DS4550.pdf).

Even though few consumer products provide an explicit JTAG port connector, the connections are very often available on the printed circuit board as a remnant from development prototyping. When exploited, these connections often provide an excellent means for reverse engineering.

Test pins

Devices communicate to the world via a set of I/O pins. By themselves, these pins provide limited visibility into the workings of the device. However, devices that support boundary scan contain a shift-register cell for each signal pin of the device. These registers are connected in a dedicated path around the device's boundary (hence the name), as shown in Figure 1. The path creates a virtual access capability that circumvents the normal inputs and provides direct control of the device and detailed visibility at its outputs.[1]

During testing, I/O signals enter and leave the chip through the boundary-scan cells. The boundary-scan cells can be configured to support external testing for interconnection between chips or internal testing for logic within the chip.

To provide the boundary scan capability, IC vendors add additional logic to each of their devices, including scan registers for each of the signal pins, a dedicated scan path connecting these registers, four or five additional pins, and control circuitry. The overhead for this additional logic is minimal and generally well worth the price to have efficient testing at the board level...

Common extensions

Manufacturers' extensions: Infineon, MIPS EJTAG, Freescale COP, ARM ETM (Embedded Trace Macrocell), OnCE, etc.

Widespread uses

  • A large proportion of high end embedded systems have a JTAG port[citation needed].
  • The PCI bus connector contains JTAG pins. A special JTAG card can be used to reflash a corrupt BIOS.
  • Almost all FPGAs and CPLDs used today can be programmed via the JTAG port.

Client software

The JTAG interface is accessed using some JTAG-enabled application.

Free software

Security vulnerability

Security researcher Barnaby Jack has announced discovery of vulnerabilities in the ARM- and XScale-based embedded systems through their use of JTAG. He claims that embedded devices often leave the JTAG interface enabled for diagnostic purposes, allowing his as-yet unspecified technique to attack live devices, like network routers or portable consumer products, that are attached to a network.[2] Jack plans to discuss this vulnerability at the CanSecWest 2007 security conference[2][3] in mid-April in Vancouver.[4]

References

  1. Oshana, Rob. "Introduction to JTAG", Embedded Systems Design, October 29, 2002. Retrieved on April 5, 2007.
  2. McMillan, Robert. "New class of attack targets embedded devices", Infoworld, IDG News Service, April 5, 2007. Retrieved on April 5, 2007.
  3. "Presentations". CanSecWest 2007. Retrieved on April 5, 2007.
  4. Home page. CanSecWest 2007. Retrieved on April 5, 2007.

External links