ejtag control register

Home Forums MIPS Insider ejtag control register

This topic contains 7 replies, has 4 voices, and was last updated by  Richard 2 years, 6 months ago.

Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
  • #64226


    I am working on ejtag. I want to do some memory accessing through this ejtag. I cant reuse the same tasks which were written for jtag. here i can see a control register, If i want to do any accessing i should program this ejtag control register. and i cant find any address for this register.




    The ejtag control register is accessed by sending TAP instruction 0x0A (5 bits in length) and then sending the appropriate 32 bits of data to the DR register. Appropriate in this case means that you should evaluate each bit in the control register and ensure that the bits you set will act according to your desired effect.

    A good value for reading the control register is 0x8004C000″.
    Bit 31 is set so that you do not accidentally clear the ROCC bit.
    Bit 18 is set so that you do not accidentally clear the PrAcc bit.
    Bits 15,14 are set to maintain the probe enable and probe trap condition.

    To access memory, you should follow the steps in section 4.6 of the MIPS EJTAG Specification. MD00047.



    Thank you.
    I went through the document.
    If i want to write/read the memory location first i should program the size, prnw bits in control register, by passing the 0xA tap instruction
    address by selecting the address register., .
    data by selecting data register(in case of write).
    But in read operation what should i do with the data register??



    Hi Rekha,

    Implementing an EJTAG probe driver is not a simple task.

    The most important concepts can be a little tricky to grasp at first…

    1) The EJTAG probe can emulate memory (dmseg 0xff200000..0x2fffff) only while the core is in debug mode and ECR.ProbEn == 1)

    2) The EJTAG probe can redirect debug exceptions into dmseg (0xff200200) if it also sets ECR.ProbTrap.

    3) Even with the above settings ONLY the PROCESSOR can initiate an access (fetch/load, or store) to dmseg.

    4) The EJTAG probe driver basically loops waiting for the processor to access to dmseg and then satisfying the access via read/write accesses to the EJTAG TAP data registers “CONTOL” (aka the ECR), “ADDRESS”, and “DATA”.

    Below is a simplified description of the TAP register access sequence that a probe driver goes through to satisfy every fetch/load (read) or store (write) access to dmseg.
    (Key: S=Select, R=Read, W=Write, C=CONTROL, A=ADDRESS, D=DATA)

    RC (write 0x8004c000 for a non-intrusive read, Error on Rocc reads as “1”, loop till PrAcc reads as “1”)
    RA (This is VAddr of processor access to dmseg. Monitor ADDRESS for debug mode reentry)
    R/WD (data you supply to a fetch/load (read from dmseg) or retrieve from a store access (write to dmseg.)
    WC (write 0x8000c000 (PrAcc = 0) to allow access to to complete“.)
    (less the initial SC*)

    To read even a single processor GPR would involve going through this sequence several times.

    Again, an EJTAG probe responds to processor accesses. It does not “force” them. The access type/size/address is information “about” a pending processor access dmseg. The probe does not (directly) control these access attributes. (The probe “controls” the processor by responding to fetches to dmseg with a sequence of MIPS instruction words which accomplish the desired debug task.)

    Below is a Tcl script which shows what a basic EJTAG probe driver might look like:


    # ====================================================================================
    # EJTAG Control register bit definitions and access masks.
    # ====================================================================================
    variable ecr_DM [expr 1 << 3]
    variable ecr_EjtagBrk [expr 1 << 12]
    variable ecr_ProbTrap [expr 1 << 14]
    variable ecr_ProbEn [expr 1 << 15]
    variable ecr_PrRst [expr 1 << 16]
    variable ecr_PrAcc [expr 1 << 18]
    variable ecr_PrRnW [expr 1 << 19]
    variable ecr_PerRst [expr 1 << 20]
    variable ecr_Rocc [expr 1 << 31]

    variable ecrReadM [format “0x%08x” [expr $ecr_Rocc | $ecr_ProbEn | $ecr_ProbTrap | $ecr_PrAcc]]
    variable ecrCompleteM [format “0x%08x” [expr $ecr_Rocc | $ecr_ProbEn | $ecr_ProbTrap]]
    variable ecrBreakM [format “0x%08x” [expr $ecr_Rocc | $ecr_ProbEn | $ecr_ProbTrap | $ecr_PrAcc | $ecr_EjtagBrk]]
    variable ecrAckResetM [format “0x%08x” [expr $ecr_ProbEn | $ecr_ProbTrap | $ecr_PrAcc]]

    # ====================================================================================
    # Emulate dmseg using the supplied sparse memory image (until second access to DEV.)
    # { { {comment}} …}
    # ====================================================================================
    lappend scan_help_list ” dmseg (scantarget: “$scantarget”, dmseglists:”
    proc dmseg { dmseglist } {

    variable ecr_Rocc
    variable ecr_PrAcc
    variable ecr_PrRnW
    variable ecrReadM
    variable ecrAckResetM
    variable ecrCompleteM

    set trys 10
    set servicedDEV 0
    array set dmsegarray $dmseglist

    devtapi {5 0x0c} ;# Send an EJTAGBOOT TAP instruction…

    for {set i 0} {$i < $trys} {incr i} {
    set ecr [tapControl $ecrReadM] <- Read CONTROL
    # puts “ecr: $ecr”
    # puts “ecr_Rocc: $ecr_Rocc”
    if {$ecr & $ecr_Rocc} { <- Monitor for reset
    puts “Target reset detected (EJTAG Control: $ecr) continuing…”
    tapControl $ecrAckResetM
    } else {
    if {$ecr & $ecr_PrAcc} { <- Wait for pending access to dmseg
    if {$i > 1} {
    puts “no access pending for [expr $i-1] read(s) of EJTAG Control register.”
    set addr [tapAddress [tapAddress 0]] <- Read address of dmseg access

    if { ($servicedDEV) && ($addr == 0xff200200) } { <- Detect exception in debug mode
    break ;# Stop processing accesses on second access to 0xff200200.
    } else {
    set servicedDEV 1

    if {$ecr & $ecr_PrRnW} {
    puts -nonewline “write to $addr: data accepted “
    set temp $dmsegarray($addr)
    set dmsegarray($addr)

      [lindex $temp 1]] <- Accept data from a processor store.
      puts “$dmsegarray($addr)”
      } else {
      puts “read of $addr: code/data $dmsegarray($addr)”
      tapData [lindex $dmsegarray($addr) 0] <- Supply data/instruction to processor load/fetch.
      set ecr [tapControl $ecrCompleteM] <- Complete access
      if {$ecr & $ecr_Rocc} {
      puts “Target reset detected (EJTAG Control: $ecr) continuing…”
      tapControl $ecrAckResetM
      } else {
      set i 0 ;# Access completed: reset the try counter.

      if {$i < $trys} {
      puts “Second access seen to debug exception vector .”
      return 1
      } else {
      puts “No processor access to dmseg seen in last $trys reads of the EJTAG Control register .”
      return 0


      Below is an example of the instruction words (supplied to the “dmseg” procedure above) that an EJTAG probe could use in response to accesses to dmseg in order to “read” cp0 DEPC from the target.

      # ====================================================================================
      # ReadDEPC:
      # ====================================================================================
      set ReadDEPC {
      0xff200000 {0xdeadbeef {CP0 DEPC} }

      0xff200200 {0x0000000F {sync} }
      0xff200204 {0x4001C000 {mfc0 $at,DEPC}}
      0xff200208 {0x3C03FF20 {lui $v1,0xFF20}}
      0xff20020c {0xAC610000 {sw $at,0x0000($v1)}}
      0xff200210 {0x34630200 {ori $v1,$v1,0x0200}}
      0xff200214 {0x00600008 {jr $v1}}
      0xff200218 {0x00000000 {nop}}

      I’ll let you digest that… I know it is a lot information )but hopefully it will halp you to better understand the EJTAG specification.

      I would also highly recommend you read the “Low-level EJTAG debug” application note:
      MD00959-2B-EJTAG-APP-01.00.pdf (Specifically the section on use of the example debugger script “scan.tcl”.)

      Regards, Scott.




      1) …(dmseg 0xff200000..0xff2fffff)…



      Thank u scottmccoy,
      While reading(load or fetch), data register is written with ‘deadbeef’. Is there any importance of writing this value or is it just a junk data?



      The “deadbeef” value is junk data that is easy to recognize.



      MD00959 seems to be off the grid. Can you post it somewhere?

    Viewing 8 posts - 1 through 8 (of 8 total)

    Forums are currently locked.