OpenRisc-59-jtag_tap模块分析

引言

“知其然，还要知其所以然”，在搭建好ORPSoC的仿真环境和调试环境之后，我们有必要对仿真和调试系统中扮演重要角色的jtag_tap模块和adv_dbg_if模块进行进一步的分析，以了解其工作机制。
本小节就来分析advanced debug system中的tap_top模块。

1，from SPI to JTAG

在分析JTAG的具体实现之前，我们先了解一下JTAGF的基本知识。

A、JTAG协议的本质与SPI协议并没有什么不同，它等于一个复杂的SS状态机+变长的MOSI和MISO数据移位操作。不过所谓的变长，都是事先约定好的。 
B、JTAG协议是一个同步通讯协议，它是全双工的。它的通讯原则是“以物易物”——即你如果想得到某些东西，你必须先给与相同长度的内容；你如果只是想发送一些数据，也会自动获取相同长度的内容，至于交换的内容是否有意义，这是另外一回事了。
C、JTAG协议无论多么复杂，实际上只有4根线起作用（有时候还有两根鸡肋的nSRST和TRST），他们分别是TMS、TCK、TDI和TDO，他们分别对应SPI协议里面的SS、SCK、MOSI和MISO。在本质上，他们并没有什么不同。即便是ARM的JTAG那么多的引脚，实际上起作用JTAG的也就这4根线而已。 
D、JTAG的数据操作都是基于移位寄存器的。
E、如果JTAG协议在某个下载仿真协议中只是用来发送控制信息和少量的数据，而大量的数据传输是通过额外的其它引脚进行的，即便这个协议被称为JTAG仿真其本质也早已超过JTAG了，严格来说，不应该称之为JTAG。因为JTAG协议中就只有4根线（有时候也算上nSRST和TRST）而已。典型的如NEXUS协议。

这里面重点理解的是“以物易物”，这个概念，下面是SPI的工作机制以及one-to-one和one-to-many的组织。如下图所示：

2，jtag_tap

1>architecture

TAP（test access port）的作用是提供adv_dbg_if模块和外部JTAG cable之间的桥梁作用，负责将jtag cable传来的数据传给tap支持的所有device，并将来自device的数据shift out到tdo上。下面是adv_debug_sys系统硬件部分的结构：


jtag_tap一共支持4个chain（相当于SPI中SPI总线上挂有4个device），其中IDCODEchain在jtag_tap模块内部，其它3个在外部，如上图所示。

2>tap fsm

IEEE 1149.1中定义了FSM，所以几乎所有的JTAG模块都会实现相同的FSM。如下所示：


说明：整个状态机分为三个部分：信道选择部分、数据信道和指令信道。所谓的信道选择，就是图中最顶上由四个状态组成的矩形，分别对应着四个状态：
a，JTAG TAP状态机复位状态
顾名思义，就是进入该状态，将导致整个硬件TAP控制器复位，所有的寄存器都将被初始化。在TCK的上升沿，TMS为低电平时，进入下一个状态；否则保持不变。
b，JTAG TAP的Run-Test/Idle状态
其实就是“开工”和“休息”的选择分支点。在TCK的上升沿，TMS的高电平将导致状态切换，进入数据信道的通讯状态；否则保持不变。
c，JTAG TAP的Select-DR Scan状态
Select DR Scan，就是当我们在该状态下，TCK的上升沿读取到了TMS的低电平将直接进入数据信道的操作子状态机；在TCK的上升沿读取到了TMS的高电平，将切换到指令信道的通讯状态。
d，JTAG TAP的Select-IR Scan状态
Select-IR Scan，就是当我们在该状态下，TCK的上升沿读取到了TMS的低电平将直接进入指令信道的操作状态机；在TCK的上升沿读取到了TMS的高电平，将重新回到JTAG的复位状态。
数据信道和指令信道对应着两个子状态机，从本质上数据和指令并没有任何不同，只是习惯上，指令的长度固定为4个二进制位（***R32的JTAG是5个），而数据则随着不同的指令选择了不同长度的指令寄存器，这个就需要具体查阅相关的协议说明了，比如JTAG IDCODE的长度固定为32位，而***R32的复位指令却有5位。下面，只就常见的几个状态进行解释（以数据信道为例）。

a，Capture DR状态
JTAG协议是基于移位寄存器的，其通讯具有“以物易物”的特性，在我们进入真正的数据传输之前，需要告知JTAG“准备通讯了哦？你有没有东西要给我哈？”，于是Capture DR就是一个给JTAG机会将需要传达给我们的数据放入指定的移位寄存器中的状态。
b，Shift DR状态
这个状态就是通过TDI和TDO进行数据传输的状态。需要说明的是，即便进入了该状态，TMS上的电平在TCK的上升沿也是会被读取的，从图中看到，一旦在TMS上读取到高电平，系统就会跳出Shift DR状态
如果此时数据没有传输完成，造成的后果是不确定的。请大家注意，我所说的是不确定，而不是“很严重”：同样是因为移位寄存的传输特性，有时候并不要求一定要将所有的数据都完整的进行传输，比如在***R32中，针对SAB的数据操作，往往只需要进行最关键的部分，详细地内容可以参照相关的数据手册；
但有的时候，数据的不完整传输则会导致很严重的后果，这取决于具体的JTAG通讯协议。所以，为了保险起见，一旦进入Shift DR状态，在发送最后一个数据之前，请保持TMS为低电平，当要发送最后一个数据时，应该将TMS设置为高电平，这样，当TCK跳变为上升沿时，系统既完成了最后一个数据的传输，也成功的退出了Shift DR状态。
c，Exit1 DR状态
该状态提供了我们一个在刚才输入的数据生效前，重新修改的机会。一般情况下，我们直接保持TMS的高电平，并在TCK的上升沿驱动TAP状态机，直接进入Update-DR状态。
d，Update-DR状态
顾名思义，就是使我们输入的数据生效——一般JTAG内部的动作就是触发一个锁存信号，将移位寄存器中的内容并行的读取到对应的寄存器中。Update-DR有两个出口，一个是，TMS的低电平对应Run-test/ Idle，还有一个是TMS的高电平对应的Select-DR Scan。这两个操作看似区别不大，但是意义非凡。前者往往会导致JTAG内部产生额外的时序（比如发生一个信号，表示完成了一个特定的周期操作，在***R的JTAG下载中有此实例）；后者则表示完成了一次数据操作，将进行下一个数据的操作，但是这些操作属于同一个操作周期。当然有些情况下，这两种方法是没有区别的。

3，RTL分析

jtag_tap是advanced debug system项目的一部分，整个advanced debug system我们之前已经介绍过，如有疑问请参考。jtag_tap模块包含两个RTL文件：tap_defines.v和tap_top.v两个文件。在了解了JTAG的一般知识之后，我们下面就分析jtag_tap的RTL。

1>tap_defines.v

首先，其内容如下：

// Define IDCODE Value
`define IDCODE_VALUE  32'h149511c3
// 0001             version
// 0100100101010001 part number (IQ)
// 00011100001      manufacturer id (flextronics)
// 1                required by standard

// Length of the Instruction register
`define	IR_LENGTH	4

// Supported Instructions
`define EXTEST          4'b0000
`define SAMPLE_PRELOAD  4'b0001
`define IDCODE          4'b0010
`define DEBUG           4'b1000
`define MBIST           4'b1001
`define BYPASS          4'b1111

文件包含三部分内容，IDCODE，IR_LENGTH，和instruction定义。a，一般情况下，每个jtag device对应唯一的一个IDCODE，就像人的名字一样，这个名字用来jtag chain建立的时候‘点名’用的。jtag chain初始化时，读取所有的device的IDCODE，和BSDL文件中的IDCODE比较，获得device name，显示出来。
b，IR_LENGTH是一个非常重要的变量。上面我们在介绍JTAG时，说过，JTAG是基于shift register的总线，所以这个shift register长度的重要性不言而喻。IR_LENGTH的值不是随便设置的，而是根据其对应的jtag具体实现来决定的。大多jtag tap的IR_LENGTH都是4（bit），当然也有不是4的。比如我用的ML501的板子上的4个jtag device的IR_LENGTH分别是10,8,8,12。
c，instruction就是操作jtag tap模块支持的指令，这个参数，不同的tap大不相同，具体支持什么指令，可从bsdl文件中获得。下面就是jtag_tap的bsdl文件：

-- This is a minimal BSDL file describing the particulars
-- of the OpenCores standard / native TAP.  It is designed
-- only to be used by the adv_jtag_bridge program.  This
-- file almost certainly lacks key entries and attributes
-- required by other JTAG / BSDL systems.
--
-- by Nathan Yawn (nathan.yawn@opencores.org)
-- Copyright: This file is released into the public domain.
--

entity OC_TAP is

attribute INSTRUCTION_LENGTH of OC_TAP : entity is 4;

attribute INSTRUCTION_OPCODE of OC_TAP : entity is
        "EXTEST            (0000)," &
        "SAMPLE_PRELOAD    (0001)," &
        "IDCODE            (0010)," &
        "MBIST             (1001)," &
        "DEBUG             (1000)," &
        "BYPASS            (1111),";

attribute IDCODE_REGISTER of OC_TAP : entity is
	"0001" &	-- version
	"0100100101010001" &	-- part number
	"00011100001" &	-- manufacturer (flextronics)
	"1";		-- required by 1149.1

end OC_TAP;

2>tap_top.v

这个文件是jtag_tap模块的具体逻辑实现文件。

a，接口定义

// Top module
module tap_top(
                // JTAG pads
                tms_pad_i, 
                tck_pad_i, 
                trstn_pad_i, 
                tdi_pad_i, 
                tdo_pad_o, 
                tdo_padoe_o,

                // TAP states
				test_logic_reset_o,
				run_test_idle_o,
                shift_dr_o,
                pause_dr_o, 
                update_dr_o,
                capture_dr_o,
                
                // Select signals for boundary scan or mbist
                extest_select_o, 
                sample_preload_select_o,
                mbist_select_o,
                debug_select_o,
                
                // TDO signal that is connected to TDI of sub-modules.
                tdi_o, 
                
                // TDI signals from sub-modules
                debug_tdo_i,    // from debug module
                bs_chain_tdo_i, // from Boundary Scan Chain
                mbist_tdo_i     // from Mbist Chain
              );

jtag_tap接口可分成5个部分：jtag信号，tap states信号，片选信号，tdi_o，以及从device来的数据信号。1》首先是jtag信号，除了我们常见的tms,tck,tdi,tdo之外还有两个鸡肋信号：trstn，tdo_oe，前者用来复位tap，后者用来使能tdo。其实这两个信号有没有都可以，tap的复位可以通过tms来实现，tdo使能也可不用。说到这里，有一个小问题，如果不用trstn信号，上电之后tap的状态是随机的，那么有没有一个固定的tms序列来实现tap的复位呢？答案就在本小节中，如果有疑问的话就找找看吧。2》其次是ap states信号，给device用的，指示tap的当前状态，device根据这个状态来完成某些操作。3》片选信号，这个就不用多说了。对于jtag_tap来说，片选信号时根据IR reg中的不同位来决定片选的。代码如下：

/**********************************************************************************
*                                                                                 *
*   Selecting active data register                                                *
*                                                                                 *
**********************************************************************************/
always @ (latched_jtag_ir)
begin
  extest_select           = 1'b0;
  sample_preload_select   = 1'b0;
  idcode_select           = 1'b0;
  mbist_select            = 1'b0;
  debug_select            = 1'b0;
  bypass_select           = 1'b0;

  case(latched_jtag_ir)    /* synthesis parallel_case */ 
    `EXTEST:            extest_select           = 1'b1;    // External test
    `SAMPLE_PRELOAD:    sample_preload_select   = 1'b1;    // Sample preload
    `IDCODE:            idcode_select           = 1'b1;    // ID Code
    `MBIST:             mbist_select            = 1'b1;    // Mbist test
    `DEBUG:             debug_select            = 1'b1;    // Debug
    `BYPASS:            bypass_select           = 1'b1;    // BYPASS
    default:            bypass_select           = 1'b1;    // BYPASS
  endcase
end

b，fsm

jtag_tap的核心就是tap controller的FSM了，常见的三段式风格：

/**********************************************************************************
*                                                                                 *
*   TAP State Machine: Fully JTAG compliant                                       *
*                                                                                 *
**********************************************************************************/
// Definition of machine state values.  We could one-hot encode this, and use 16
// registers, but this uses binary encoding for the minimum of 4 DFF's instead.
`define STATE_test_logic_reset 4'hF
`define STATE_run_test_idle    4'hC
`define STATE_select_dr_scan   4'h7
`define STATE_capture_dr       4'h6
`define STATE_shift_dr         4'h2
`define STATE_exit1_dr         4'h1
`define STATE_pause_dr         4'h3
`define STATE_exit2_dr         4'h0
`define STATE_update_dr        4'h5
`define STATE_select_ir_scan   4'h4
`define STATE_capture_ir       4'hE
`define STATE_shift_ir         4'hA
`define STATE_exit1_ir         4'h9
`define STATE_pause_ir         4'hB
`define STATE_exit2_ir         4'h8
`define STATE_update_ir        4'hD

reg [3:0] TAP_state = `STATE_test_logic_reset;  // current state of the TAP controller
reg [3:0] next_TAP_state;  // state TAP will take at next rising TCK, combinational signal

// sequential part of the FSM
always @ (posedge tck_pad_i or negedge trstn_pad_i)
begin
	if(trstn_pad_i == 0)
		TAP_state = `STATE_test_logic_reset;
	else
		TAP_state = next_TAP_state;
end

// Determination of next state; purely combinatorial
always @ (TAP_state or tms_pad_i)
begin
	case(TAP_state)
		`STATE_test_logic_reset:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_test_logic_reset; 
			else next_TAP_state = `STATE_run_test_idle;
			end
		`STATE_run_test_idle:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_select_dr_scan; 
			else next_TAP_state = `STATE_run_test_idle;
			end
		`STATE_select_dr_scan:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_select_ir_scan; 
			else next_TAP_state = `STATE_capture_dr;
			end
		`STATE_capture_dr:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_exit1_dr; 
			else next_TAP_state = `STATE_shift_dr;
			end
		`STATE_shift_dr:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_exit1_dr; 
			else next_TAP_state = `STATE_shift_dr;
			end
		`STATE_exit1_dr:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_update_dr; 
			else next_TAP_state = `STATE_pause_dr;
			end
		`STATE_pause_dr:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_exit2_dr; 
			else next_TAP_state = `STATE_pause_dr;
			end
		`STATE_exit2_dr:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_update_dr; 
			else next_TAP_state = `STATE_shift_dr;
			end
		`STATE_update_dr:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_select_dr_scan; 
			else next_TAP_state = `STATE_run_test_idle;
			end
		`STATE_select_ir_scan:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_test_logic_reset;
			else next_TAP_state = `STATE_capture_ir;
			end
		`STATE_capture_ir:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_exit1_ir; 
			else next_TAP_state = `STATE_shift_ir;
			end
		`STATE_shift_ir:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_exit1_ir; 
			else next_TAP_state = `STATE_shift_ir;
			end
		`STATE_exit1_ir:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_update_ir;
			else next_TAP_state = `STATE_pause_ir;
			end
		`STATE_pause_ir:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_exit2_ir;
			else next_TAP_state = `STATE_pause_ir;
			end
		`STATE_exit2_ir:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_update_ir;
			else next_TAP_state = `STATE_shift_ir;
			end
		`STATE_update_ir:
			begin
			if(tms_pad_i) next_TAP_state = `STATE_select_dr_scan;
			else next_TAP_state = `STATE_run_test_idle;
			end
		default: next_TAP_state = `STATE_test_logic_reset;  // can't actually happen
	endcase
end

// Outputs of state machine, pure combinatorial
always @ (TAP_state)
begin
	// Default everything to 0, keeps the case statement simple
	test_logic_reset = 1'b0;
	run_test_idle = 1'b0;
	select_dr_scan = 1'b0;
	capture_dr = 1'b0;
	shift_dr = 1'b0;
	exit1_dr = 1'b0;
	pause_dr = 1'b0;
	exit2_dr = 1'b0;
	update_dr = 1'b0;
	select_ir_scan = 1'b0;
	capture_ir = 1'b0;
	shift_ir = 1'b0;
	exit1_ir = 1'b0;
	pause_ir = 1'b0;
	exit2_ir = 1'b0;
	update_ir = 1'b0;

	case(TAP_state)
		`STATE_test_logic_reset: test_logic_reset = 1'b1;
		`STATE_run_test_idle:    run_test_idle = 1'b1;
		`STATE_select_dr_scan:   select_dr_scan = 1'b1;
		`STATE_capture_dr:       capture_dr = 1'b1;
		`STATE_shift_dr:         shift_dr = 1'b1;
		`STATE_exit1_dr:         exit1_dr = 1'b1;
		`STATE_pause_dr:         pause_dr = 1'b1;
		`STATE_exit2_dr:         exit2_dr = 1'b1;
		`STATE_update_dr:        update_dr = 1'b1;
		`STATE_select_ir_scan:   select_ir_scan = 1'b1;
		`STATE_capture_ir:       capture_ir = 1'b1;
		`STATE_shift_ir:         shift_ir = 1'b1;
		`STATE_exit1_ir:         exit1_ir = 1'b1;
		`STATE_pause_ir:         pause_ir = 1'b1;
		`STATE_exit2_ir:         exit2_ir = 1'b1;
		`STATE_update_ir:        update_ir = 1'b1;
		default: ;
	endcase
end

/**********************************************************************************
*                                                                                 *
*   End: TAP State Machine                                                        *
*                                                                                 *
**********************************************************************************/

c，shift reg

上面说过，JTAG的本质和SPI相同，都是基于shift register的，也就是“以物易物”的思想。那么，如何操作tap呢？通过向tap中写入相应的指令。那么如何将指令写入tap呢？向tap移入任何IR_LENGTH的支持的指令，tap就会移出等长的数据，这个数据没用，直接舍弃即可。整个过程非常简单，代码如下：

/**********************************************************************************
*                                                                                 *
*   jtag_ir:  JTAG Instruction Register                                           *
*                                                                                 *
**********************************************************************************/
reg [`IR_LENGTH-1:0]  jtag_ir;          // Instruction register
reg [`IR_LENGTH-1:0]  latched_jtag_ir; //, latched_jtag_ir_neg;
wire                  instruction_tdo;

always @ (posedge tck_pad_i or negedge trstn_pad_i)
begin
  if(trstn_pad_i == 0)
    jtag_ir[`IR_LENGTH-1:0] <= `IR_LENGTH'b0;
  else if (test_logic_reset == 1)
	jtag_ir[`IR_LENGTH-1:0] <= `IR_LENGTH'b0;
  else if(capture_ir)
    jtag_ir <= 4'b0101;          // This value is fixed for easier fault detection
  else if(shift_ir)
    jtag_ir[`IR_LENGTH-1:0] <= {tdi_pad_i, jtag_ir[`IR_LENGTH-1:1]};
end

assign instruction_tdo = jtag_ir[0];  // This is latched on a negative TCK edge after the output MUX

// Updating jtag_ir (Instruction Register)
// jtag_ir should be latched on FALLING EDGE of TCK when capture_ir == 1
always @ (negedge tck_pad_i or negedge trstn_pad_i)
begin
  if(trstn_pad_i == 0)
    latched_jtag_ir <= `IDCODE;   // IDCODE selected after reset
  else if (test_logic_reset)
    latched_jtag_ir <= `IDCODE;   // IDCODE selected after reset
  else if(update_ir)
    latched_jtag_ir <= jtag_ir;
end

/**********************************************************************************
*                                                                                 *
*   End: jtag_ir                                                                  *
*                                                                                 *
**********************************************************************************/

上面的代码可分成三部分来看，指令移入，指令移出，指令生效。需要注意的地方有以下几点：首先，在移出之前，如果想读指令的话（进入 capture_ir状态），移出的将是0101。其次，从jtag cable移进来的数据放在jtag_ir寄存器里面，实际生效以后存放在latched_jtag_ir中。最后，移出的数据来自jtag_ir，而不是latched_jtag_ir。所以说latched_jtag_ir是送给device的，而从device来的数据是放在jtag_ir中的。但是，需要移出的数据暂时存放在instruction_tdo中，最终移到tap外面的数据（tdo）并不一定是instruction_tdo，还有其他很多来源。这个后面会看清楚。

d，read IDCODE

上面，我们解释过IDCODE的作用，那么怎么才能读到IDCODE呢，还是“以物易物”的思想，代码如下：

/**********************************************************************************
*                                                                                 *
*   idcode logic                                                                  *
*                                                                                 *
**********************************************************************************/
reg [31:0] idcode_reg;
wire        idcode_tdo;

always @ (posedge tck_pad_i or negedge trstn_pad_i)
begin
  if(trstn_pad_i == 0)
    idcode_reg <= `IDCODE_VALUE;   // IDCODE selected after reset
  else if (test_logic_reset)
    idcode_reg <= `IDCODE_VALUE;   // IDCODE selected after reset
  else if(idcode_select & capture_dr)
    idcode_reg <=  `IDCODE_VALUE;
  else if(idcode_select & shift_dr)
    idcode_reg <=  {tdi_pad_i, idcode_reg[31:1]};

end

assign idcode_tdo = idcode_reg[0];   // This is latched on a negative TCK edge after the output MUX

/**********************************************************************************
*                                                                                 *
*   End: idcode logic                                                             *
*                                                                                 *
**********************************************************************************/

读IDCODE的过程和写指令的过程相同，不同在于向tap写指令是不用关心tap移出的内容（0101），但读IDCODE，不用关心向tap移入的内容，关心的是tap移出的内容（IDCODE）。

e，bypass

adv_dbg_if在使用时，和他在一条jtag chain上的设备必须全部bypass，否则，数据就到不了adv_dbg_if，也就无法工作。这个很好理解，jtag chain，顾名思义，就是一条链，就好像打电话时的总机和分机。如果你想给某个分机打电话的话，那么总机肯定不能接，也就是总机bypass。jtag_tap 工作在bypass模式是时，一个耳朵进，一个耳朵出，唯一的影响是会造成1个cycle的延迟。代码如下：

/**********************************************************************************
*                                                                                 *
*   Bypass logic                                                                  *
*                                                                                 *
**********************************************************************************/
wire  bypassed_tdo;
reg   bypass_reg;  // This is a 1-bit register

always @ (posedge tck_pad_i or negedge trstn_pad_i)
begin
  if (trstn_pad_i == 0)
     bypass_reg <=  1'b0;
  else if (test_logic_reset == 1)
     bypass_reg <=  1'b0;
  else if (bypass_select & capture_dr)
    bypass_reg<= 1'b0;
  else if(bypass_select & shift_dr)
    bypass_reg<= tdi_pad_i;
end

assign bypassed_tdo = bypass_reg;   // This is latched on a negative TCK edge after the output MUX

/**********************************************************************************
*                                                                                 *
*   End: Bypass logic                                                             *
*                                                                                 *
**********************************************************************************/

f，mux output

tap扮演着多个device（分机）的总机的角色。当公司内部的分机有很多，但总机只有一个。所以总机需要有多路选择器的功能。代码如下：

/**********************************************************************************
*                                                                                 *
*   Multiplexing TDO data                                                         *
*                                                                                 *
**********************************************************************************/
reg tdo_mux_out;  // really just a wire

always @ (shift_ir or instruction_tdo or latched_jtag_ir or idcode_tdo or
          debug_tdo_i or bs_chain_tdo_i or mbist_tdo_i or bypassed_tdo or
			bs_chain_tdo_i)
begin
  if(shift_ir)
    tdo_mux_out = instruction_tdo;
  else
    begin
      case(latched_jtag_ir)    // synthesis parallel_case
        `IDCODE:            tdo_mux_out = idcode_tdo;       // Reading ID code
        `DEBUG:             tdo_mux_out = debug_tdo_i;      // Debug
        `SAMPLE_PRELOAD:    tdo_mux_out = bs_chain_tdo_i;   // Sampling/Preloading
        `EXTEST:            tdo_mux_out = bs_chain_tdo_i;   // External test
        `MBIST:             tdo_mux_out = mbist_tdo_i;      // Mbist test
        default:            tdo_mux_out = bypassed_tdo;     // BYPASS instruction
      endcase
    end
end

// TDO changes state at negative edge of TCK
always @ (negedge tck_pad_i)
begin
	tdo_pad_o = tdo_mux_out;
end

// Tristate control for tdo_pad_o pin
always @ (posedge tck_pad_i)
begin
  tdo_padoe_o <= shift_ir | shift_dr;
end
/**********************************************************************************
*                                                                                 *
*   End: Multiplexing TDO data                                                    *
*                                                                                 *
**********************************************************************************/

4，jtag_tap的使用

要想使用jtag_tap，需要相应的驱动程序，才行。驱动的作用就是根据FSM的定义，以及命令格式，以及adv_dbg_if的实现，来操作jtag的4根线，达到某种目的。在adv_debug_sys的adv_jtag_bridge中的chain_commamds.c中有相关函数，代码如下：

//////////////////////////////////////////////////////////////////////
// Functions which operate on the JTAG TAP

/* Resets JTAG - Writes TRST=1, and TRST=0.  Sends 8 TMS to put the TAP
 * in test_logic_reset mode, for good measure.
 */
int tap_reset(void) {
  int i;
  int err = APP_ERR_NONE;

  debug("\nreset(");
  err |= jtag_write_bit(0);
  JTAG_RETRY_WAIT();
  /* In case we don't have TRST reset it manually */
  for(i = 0; i < 8; i++) err |= jtag_write_bit(TMS);
  err |= jtag_write_bit(TRST);  // if TRST not supported, this puts us in test logic/reset
  JTAG_RETRY_WAIT();
  err |= jtag_write_bit(0);  // run test / idle
  debug(")\n");

  // Reset data on current module/register selections
  current_chain = -1;

  // (this is only for the adv. debug i/f...bit of a kludge)
  for(i = 0; i < DBG_MAX_MODULES; i++)
    current_reg_idx[i] = -1;

  return err;
}

  // Set the IR with the DEBUG command, one way or the other
int tap_enable_debug_module(void)
{
  uint32_t data;
 int err = APP_ERR_NONE;

  if(global_altera_virtual_jtag) {
    /* Set for virtual IR shift */
    err |= tap_set_ir(vjtag_cmd_vir);  // This is the altera virtual IR scan command
    err |= jtag_write_bit(TMS); /* SELECT_DR SCAN */
    err |= jtag_write_bit(0); /* CAPTURE_DR */
    err |= jtag_write_bit(0); /* SHIFT_DR */
    
    /* Select debug scan chain in  virtual IR */
    data = (0x1<<ALT_VJTAG_IR_SIZE)|ALT_VJTAG_CMD_DEBUG;
    err |= jtag_write_stream(&data, (ALT_VJTAG_IR_SIZE+1), 1);  // EXIT1_DR
    err |= jtag_write_bit(TMS); /* UPDATE_DR */
    err |= jtag_write_bit(0); /* IDLE */ 

    // This is a command to set an altera device to the "virtual DR shift" command
    err |= tap_set_ir(vjtag_cmd_vdr);
  }
  else {
    /* select debug scan chain and stay in it forever */
    err |= tap_set_ir(global_jtag_cmd_debug);
  }

  return err;
}

/* Moves a value into the TAP instruction register (IR)
 * Includes adjustment for scan chain IR length.
 */
uint32_t *ir_chain = NULL;

int tap_set_ir(int ir) {
  int chain_size;
  int chain_size_words;
  int i;
  int startoffset, startshift;
  int err = APP_ERR_NONE;
  
  // Adjust desired IR with prefix, postfix bits to set other devices in the chain to BYPASS
  chain_size = global_IR_size + global_IR_prefix_bits + global_IR_postfix_bits;
  chain_size_words = (chain_size/32)+1;

  if(ir_chain == NULL)  { // We have no way to know in advance how many bits there are in the combined IR register
    ir_chain = (uint32_t *) malloc(chain_size_words * sizeof(uint32_t));
    if(ir_chain == NULL)
      return APP_ERR_MALLOC;
  }

  for(i = 0; i < chain_size_words; i++)
    ir_chain[i] = 0xFFFFFFFF;  // Set all other devices to BYPASS

  // Copy the IR value into the output stream
  startoffset = global_IR_postfix_bits/32;
  startshift = (global_IR_postfix_bits - (startoffset*32));
  ir_chain[startoffset] &= (ir << startshift);
  ir_chain[startoffset] |= ~(0xFFFFFFFF << startshift);  // Put the 1's back in the LSB positions
  ir_chain[startoffset] |= (0xFFFFFFFF << (startshift + global_IR_size));  // Put 1's back in MSB positions, if any 
  if((startshift + global_IR_size) > 32) { // Deal with spill into the next word
    ir_chain[startoffset+1] &= ir >> (32-startshift);
    ir_chain[startoffset+1] |= (0xFFFFFFFF << (global_IR_size - (32-startshift)));  // Put the 1's back in the MSB positions
  }

  // Do the actual JTAG transaction
  debug("Set IR 0x%X\n", ir);
  err |= jtag_write_bit(TMS); /* SELECT_DR SCAN */
  err |= jtag_write_bit(TMS); /* SELECT_IR SCAN */

  err |= jtag_write_bit(0); /* CAPTURE_IR */
  err |= jtag_write_bit(0); /* SHIFT_IR */   

  /* write data, EXIT1_IR */
  debug("Setting IR, size %i, IR_size = %i, pre_size = %i, post_size = %i, data 0x%X\n", chain_size, global_IR_size, global_IR_prefix_bits, global_IR_postfix_bits, ir);
  err |= cable_write_stream(ir_chain, chain_size, 1);  // Use cable_ call directly (not jtag_), so we don't add DR prefix bits
  debug("Done setting IR\n");

  err |= jtag_write_bit(TMS); /* UPDATE_IR */
  err |= jtag_write_bit(0); /* IDLE */  
  current_chain = -1;
  return err;
}

// This assumes we are in the IDLE state, and we want to be in the SHIFT_DR state.
int tap_set_shift_dr(void)
{
  int err = APP_ERR_NONE;

  err |= jtag_write_bit(TMS); /* SELECT_DR SCAN */
  err |= jtag_write_bit(0); /* CAPTURE_DR */
  err |= jtag_write_bit(0); /* SHIFT_DR */

  return err;
}

// This transitions from EXIT1 to IDLE.  It should be the last thing called
// in any debug unit transaction.
int tap_exit_to_idle(void)
{
  int err = APP_ERR_NONE;

  err |= jtag_write_bit(TMS); /* UPDATE_DR */
  err |= jtag_write_bit(0); /* IDLE */

  return err;
}

////////////////////////////////////////////////////////////////////
// Operations to read / write data over JTAG

/* Writes TCLK=0, TRST=1, TMS=bit1, TDI=bit0
   and    TCLK=1, TRST=1, TMS=bit1, TDI=bit0
*/
int jtag_write_bit(uint8_t packet) {
  debug("Wbit(%i)\n", packet);
  return cable_write_bit(packet);
}

int jtag_read_write_bit(uint8_t packet, uint8_t *in_bit) {
  int retval = cable_read_write_bit(packet, in_bit);
  debug("RWbit(%i,%i)", packet, *in_bit);
  return retval;
}

// This automatically adjusts for the DR length (other devices on scan chain)
// when the set_TMS flag is true.
int jtag_write_stream(uint32_t *out_data, int length_bits, unsigned char set_TMS)
{
  int i;
  int err = APP_ERR_NONE;

  if(!set_TMS)
    err |= cable_write_stream(out_data, length_bits, 0);
  else if(global_DR_prefix_bits == 0)
    err |= cable_write_stream(out_data, length_bits, 1);
  else {
    err |= cable_write_stream(out_data, length_bits, 0);
    // It could be faster to do a cable_write_stream for all the prefix bits (if >= 8 bits),
    // but we'd need a data array of unknown (and theoretically unlimited)
    // size to hold the 0 bits to write.  TODO:  alloc/realloc one.
    for(i = 0; i < (global_DR_prefix_bits-1); i++)
      err |= jtag_write_bit(0);
    err |= jtag_write_bit(TMS);
  }
  return err;
}

// When set_TMS is true, this function insures the written data is in the desired position (past prefix bits)
// before sending TMS.  When 'adjust' is true, this function insures that the data read in accounts for postfix
// bits (they are shifted through before the read starts).
int jtag_read_write_stream(uint32_t *out_data, uint32_t *in_data, int length_bits, unsigned char adjust, unsigned char set_TMS)
{
  int i;
  int err = APP_ERR_NONE;

  if(adjust && (global_DR_postfix_bits > 0)) {
    // It would be faster to do a cable_write_stream for all the postfix bits,
    // but we'd need a data array of unknown (and theoretically unlimited)
    // size to hold the '0' bits to write.
    for(i = 0; i < global_DR_postfix_bits; i++)
      err |= cable_write_bit(0);
  }

  // If there are both prefix and postfix bits, we may shift more bits than strictly necessary.
  // If we shifted out the data while burning through the postfix bits, these shifts could be subtracted
  // from the number of prefix shifts.  However, that way leads to madness.
  if(!set_TMS)
    err |= cable_read_write_stream(out_data, in_data, length_bits, 0);  
  else if(global_DR_prefix_bits == 0)
    err |= cable_read_write_stream(out_data, in_data, length_bits, 1);  
  else {
    err |= cable_read_write_stream(out_data, in_data, length_bits, 0); 
    // It would be faster to do a cable_write_stream for all the prefix bits,
    // but we'd need a data array of unknown (and theoretically unlimited)
    // size to hold the '0' bits to write.
    for(i = 0; i < (global_DR_prefix_bits-1); i++)
      err |= jtag_write_bit(0);
    err |= jtag_write_bit(TMS);
  }
  return err;
}

// This function attempts to determine the structure of the JTAG chain
// It can determine how many devices are present.
// If the devices support the IDCODE command, it will be read and stored.
// There is no way to automatically determine the length of the IR registers - 
// this must be read from a BSDL file, if IDCODE is supported.
// When IDCODE is not supported, IR length of the target device must be entered on the command line.

#define ALLOC_SIZE 64
#define MAX_DEVICES 1024
int jtag_enumerate_chain(uint32_t **id_array, int *num_devices)
{
  uint32_t invalid_code = 0x7f;  // Shift this out, we know we're done when we get it back
  const unsigned int done_code = 0x3f;  // invalid_code is altered, we keep this for comparison (minus the start bit)
  int devindex = 0;  // which device we are currently trying to detect
  uint32_t tempID;
  uint32_t temp_manuf_code;
  uint32_t temp_rest_code;
  uint8_t start_bit = 0;
  uint32_t *idcodes;
  int reallocs = 0;
  int err = APP_ERR_NONE;

  // Malloc a reasonable number of entries, we'll expand if we must.  Linked lists are overrated.
  idcodes = (uint32_t *) malloc(ALLOC_SIZE*sizeof(uint32_t));
  if(idcodes == NULL) { 
    printf("Failed to allocate memory for device ID codes!\n"); 
    return APP_ERR_MALLOC;
  }

  // Put in SHIFT-DR mode
  err |= jtag_write_bit(TMS); /* SELECT_DR SCAN */
  err |= jtag_write_bit(0); /* CAPTURE_DR */
  err |= jtag_write_bit(0); /* SHIFT_DR */

  printf("Enumerating JTAG chain...\n");

  // Putting a limit on the # of devices supported has the useful side effect
  // of insuring we still exit in error cases (we never get the 0x7f manuf. id)
  while(devindex < MAX_DEVICES) {
    // get 1 bit. 0 = BYPASS, 1 = start of IDCODE
    err |= jtag_read_write_bit(invalid_code&0x01, &start_bit);
    invalid_code >>= 1;

    if(start_bit == 0) {
      if(devindex >= (ALLOC_SIZE << reallocs)) {  // Enlarge the memory array if necessary, double the size each time
	idcodes = (uint32_t *) realloc(idcodes, (ALLOC_SIZE << ++reallocs)*sizeof(uint32_t));
	if(idcodes == NULL) { 
	  printf("Failed to allocate memory for device ID codes during enumeration!\n"); 
	  return APP_ERR_MALLOC;
	}
      }
      idcodes[devindex] = -1;
      devindex++;
    }
    else {
      // get 11 bit manufacturer code
      err |= jtag_read_write_stream(&invalid_code, &temp_manuf_code, 11, 0, 0);
      invalid_code >>= 11;
      
      if(temp_manuf_code != done_code) {
	// get 20 more bits, rest of ID
	err |= jtag_read_write_stream(&invalid_code, &temp_rest_code, 20, 0, 0);
	invalid_code >>= 20;
	tempID = (temp_rest_code << 12) | (temp_manuf_code << 1) | 0x01;
	if(devindex >= (ALLOC_SIZE << reallocs)) {  // Enlarge the memory array if necessary, double the size each time
	  idcodes = (uint32_t *) realloc(idcodes, (ALLOC_SIZE << ++reallocs)*sizeof(unsigned long));
	  if(idcodes == NULL) { 
	    printf("Failed to allocate memory for device ID codes during enumeration!\n"); 
	    return APP_ERR_MALLOC;
	  }
	}
	idcodes[devindex] = tempID;
	devindex++;
      } else {
	break;
      }
    }

    if(err)  // Don't try to keep probing if we get a comm. error
      return err;
  }

  if(devindex >= MAX_DEVICES)
    printf("WARNING: maximum supported devices on JTAG chain (%i) exceeded.\n", MAX_DEVICES);

  // Put in IDLE mode
  err |= jtag_write_bit(TMS); /* EXIT1_DR */
  err |= jtag_write_bit(TMS); /* UPDATE_DR */
  err |= jtag_write_bit(0); /* IDLE */ 

  *id_array = idcodes;
  *num_devices = devindex;

  return err;
}

int jtag_get_idcode(uint32_t cmd, uint32_t *idcode)
{
  uint32_t data_out = 0;
  int err = APP_ERR_NONE;
  unsigned char saveconfig = global_altera_virtual_jtag;
  global_altera_virtual_jtag = 0; // We want the actual IDCODE, not the virtual device IDCODE

  err |= tap_set_ir(cmd);
  err |= tap_set_shift_dr();
  err |= jtag_read_write_stream(&data_out, idcode, 32, 1, 1);       /* EXIT1_DR */

  if(err)
    printf("Error getting ID code!\n");

  // Put in IDLE mode
  err |= jtag_write_bit(TMS); /* UPDATE_DR */
  err |= jtag_write_bit(0); /* IDLE */ 

  global_altera_virtual_jtag = saveconfig;
  return err;
}

/////////////////////////////////////////////////////////////////
// Helper functions

/* counts retries and returns zero if we should abort */
/* TODO: dynamically adjust timings */
int retry_do() {
  int err = APP_ERR_NONE;

  if (soft_retry_no >= NUM_SOFT_RETRIES) {
      return 0;

      // *** TODO:  Add a 'hard retry', which re-initializes the cable, re-enumerates the bus, etc.

  } else { /* quick reset */
    if(err |= tap_reset()) {
      printf("Error %s while resetting for retry.\n", get_err_string(err)); 
      return 0;
    }

    // Put us back into DEBUG mode
    if(err |= tap_enable_debug_module()) {
      printf("Error %s enabling debug module during retry.\n", get_err_string(err)); 
      return 0;
    }

    soft_retry_no++;
    printf("Retry...\n");
  }

  return 1;
}

5，小结

本小节我们分析了advanced debug system中的jtag_tap模块的具体实现。用一句话来概括的话就是，JTAG就是类似SPI总线的一种总线，jtag_tap就相当于SPI总线的arbiter。