
How does JTAG take control of the ARM core?

Note: This was originally posted on 29th July 2010 at http://forums.arm.com

Hello,

I have a question from a customer regarding how to disable JTAG in their final product to prevent their application code from explosion from the JTAG interface.

Since I am not familiar with the JTAG debug module and the ARM core interaction mechanism, I would like to know if there is any document talking about the detailed JTAG debug procedure.

(1) We have a plan to disable the JTAG port during reset stage of the MCU, and enable it with the built-in ROM code in certain stage. I am not sure if it is workable, any attention needed?

(2) Is a system reset a must when entering JTAG debug mode? If not, please help explain the detailed procedure of how JTAG takes control of the core.


Thanks a lot!
  • Note: This was originally posted on 30th July 2010 at http://forums.arm.com

    Which processor?
    Are you referring to doing your own SoC design?
    regards,
    joseph


    That's a question from a customer, which raises my personal interest. I would like to know the details of how JTAG debug works in interaction with the ARM core, but I still have difficulty finding related documents on it.

    Thanks!
  • Note: This was originally posted on 5th August 2010 at http://forums.arm.com

    Hi,
    If it is only an ARM chip, then knowledge of the debug architecture is more than enough.
    If you are talking from an SoC point of view, where you may have zero, one or more other processors, then you will need a special controller which uses the test scan chain to reach all the programmable registers or processors' debug ports in a serial or parallel manner. This is typically called ICE. This ICE is connected to JTAG. JTAG is a way to connect the outside world to the ARM/ARM-based SoC. In production devices this ICE is typically disabled (using a fuse) so that there will not be any 'insight' to the outside world. :D

    Regards,
    Kedar Kulkarni
    One day all digital world will be in my ARMs.


    Thanks for your comments.

    But I still have a concern: in production devices, the ICE will be disabled. Does that mean there is no way to enable it again, and there is no way to control the device through the JTAG port anymore?

    I am still looking for a method to dynamically control access to the JTAG interface, by password or something else. I am still not sure if it is workable to disable the JTAG interface in the reset stage and enable it by ROM code at a later stage.

    Thanks!
  • Note: This was originally posted on 5th August 2010 at http://forums.arm.com

    It depends on the chip you use. Some microcontrollers have firmware protection features (on the system level), so you will need to check with your microcontroller providers/vendors on this. It is unlikely that you can enable it by ROM code, but you might be able to erase the whole flash and reprogram it.


    Thanks, Joseph,

    I still would like to know what will happen if I disable the JTAG ports in the power-on reset stage at the SoC design level, which is done by setting the default / reset function of the TDI/TDO pins as GPIO.

    Inside boot ROM code, I will enable the JTAG ports by software for certain conditions, for example flash content, or certain external pin status.

    In this way, I may take control of the JTAG access by software.  Will this solution work?

    Thanks a lot!
  • Note: This was originally posted on 29th July 2010 at http://forums.arm.com

    Which processor?
    Are you referring to doing your own SoC design?
    regards,
    joseph
  • Note: This was originally posted on 2nd August 2010 at http://forums.arm.com

    Older ARM cores (e.g. ARM7TDMI) have a JTAG interface, and the descriptions are covered in the Technical Reference Manuals (TRM). For example, the ARM7TDMI-S TRM can be found at
    http://infocenter.arm.com/help/topic/com.arm.doc.ddi0234b/index.html

    Newer ARM cores use CoreSight debug architecture.
    The document "CoreSight™ Technology System Design Guide" might be useful for you:
    http://infocenter.arm.com/help/topic/com.arm.doc.dgi0012d/index.html
  • Note: This was originally posted on 5th August 2010 at http://forums.arm.com

    It depends on the chip you use. Some microcontrollers have firmware protection features (on the system level), so you will need to check with your microcontroller providers/vendors on this. It is unlikely that you can enable it by ROM code, but you might be able to erase the whole flash and reprogram it.
  • Note: This was originally posted on 5th August 2010 at http://forums.arm.com

    A few more things to check (assuming you are doing an SoC design, and you asked this because you want to protect the firmware from being copied):

    First, you need to check what is connected to the JTAG ports. If the JTAG port is only used by the CPU for debug, it is technically possible to disable JTAG at reset and then enable it by some software. But if the JTAG connection is also used by memory BIST or any chip production testing circuit, it would be a problem. As Kedar Kulkarni mentioned, JTAG is a test port; it can also be used for boundary scan test or other usages.

    Secondly, you need to consider how to program up the chip in the first place. If the device is purely flash based and has no boot loader, the JTAG connection will not be enabled by software.

    Third, what happens if the boot loader or flash memory gets corrupted, or if something goes wrong (e.g. clock) so that the processor is not running any code? Will you still be able to reprogram the chip?

    By the way, if your chip has scan test ports, you also need to think about how to protect the firmware from being read out using scan tests.

    Most ARM processor cores allow debug functionality to be disabled by a configuration signal rather than by disabling the JTAG connection. For example, ARM7TDMI has a DBGEN (Debug Enable) pin which might be more suitable for what you need.
  • Note: This was originally posted on 4th August 2010 at http://forums.arm.com

    Hello,

    I have a question from a customer regarding how to disable JTAG in their final product to prevent their application code from explosion from the JTAG interface.

    Since I am not familiar with the JTAG debug module and the ARM core interaction mechanism, I would like to know if there is any document talking about the detailed JTAG debug procedure.

    (1) We have a plan to disable the JTAG port during reset stage of the MCU, and enable it with the built-in ROM code in certain stage. I am not sure if it is workable, any attention needed?

    (2) Is a system reset a must when entering JTAG debug mode? If not, please help explain the detailed procedure of how JTAG takes control of the core.


    Thanks a lot!


    Hi,
    If it is only an ARM chip, then knowledge of the debug architecture is more than enough.
    If you are talking from an SoC point of view, where you may have zero, one or more other processors, then you will need a special controller which uses the test scan chain to reach all the programmable registers or processors' debug ports in a serial or parallel manner. This is typically called ICE. This ICE is connected to JTAG. JTAG is a way to connect the outside world to the ARM/ARM-based SoC. In production devices this ICE is typically disabled (using a fuse) so that there will not be any 'insight' to the outside world. :D

    Regards,
    Kedar Kulkarni
    One day all digital world will be in my ARMs.
  • Note: This was originally posted on 5th August 2010 at http://forums.arm.com

    Thanks for your comments.

    But I still have a concern: in production devices, the ICE will be disabled. Does that mean there is no way to enable it again, and there is no way to control the device through the JTAG port anymore?

    I am still looking for a method to dynamically control access to the JTAG interface, by password or something else. I am still not sure if it is workable to disable the JTAG interface in the reset stage and enable it by ROM code at a later stage.

    Thanks!



    Joseph is right. JTAG is a test port and not a debug port; it is just that ICE uses it.
    Production devices are meant to follow a proper boot sequence to start working (security purpose), hence they fuse the ICE (remove it). What you are suggesting happens on a 'test chip' (chips manufactured before production chips for testing purposes), where debug (ICE) automatically gets enabled after reset.
    For the 'dynamic control option', please check the hardware on which you are working or going to work.

    Regards,
    Kedar Kulkarni
    One day all digital world will be in my ARMs.
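
A sketch of the gating logic discussed in this thread (debug off out of reset, with the boot ROM deciding from lifecycle fuses, an external pin and a password-style token), added here as an example and not taken from any poster or from ARM documentation. Every name is hypothetical, and the fixed-token compare stands in for whatever authentication a real part provides.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names are hypothetical; a real SoC has its own fuse map and drives
 * the core's debug-enable input (e.g. DBGEN) from this result. */
enum lifecycle { LC_DEVELOPMENT, LC_PRODUCTION, LC_LOCKED };
#define TOKEN_LEN 16
struct boot_inputs {
    enum lifecycle lc;     /* from one-time-programmable fuses */
    bool unlock_strap;     /* external pin sampled at reset */
    const uint8_t *token;  /* unlock token from the debug tool, or NULL */
    size_t token_len;
};
/* Constructed sample secret, for the demo only. */
static const uint8_t DEMO_TOKEN[TOKEN_LEN] = {
    0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe,
    0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };

/* No early exit, so timing does not reveal how many bytes matched. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Level the boot ROM should drive on debug-enable. Debug is off out of
 * reset and every path not explicitly authorised returns false. */
bool boot_debug_enable(const struct boot_inputs *in, const uint8_t *expected)
{
    if (in == NULL || expected == NULL)
        return false;
    if (in->lc == LC_DEVELOPMENT)
        return true;                 /* test chips: debug on after reset */
    if (in->lc != LC_PRODUCTION)
        return false;                /* fused off: no software path back */
    if (!in->unlock_strap || in->token == NULL || in->token_len != TOKEN_LEN)
        return false;
    return ct_equal(in->token, expected, TOKEN_LEN);
}

int main(void)
{
    struct boot_inputs in = { LC_PRODUCTION, true, DEMO_TOKEN, TOKEN_LEN };
    printf("production + strap + token: %d\n", boot_debug_enable(&in, DEMO_TOKEN));
    return 0;
}
```

Because the decision is made by boot code, a part that is not executing code (for example, no clock) stays with debug disabled, which is the recovery concern raised in the thread.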