Its been a while since we promised about a low cost JTAG hardware for hackers. Other priorities kept us away from working on this for a long time. At last, after a few days worth of coding and debugging, Chipmunk JTAG is now ready to roll. This is still a work in progress. There are more features that needs to be implemented, more debugging is to be done. But with the current feature set, it can program a XC9572XL CPLD breakout board with the help of a Perl script.
Chipmunk can do a few basic stuff like traverse through TAP states, select IR/DR registers, scan selected registers etc.. A simple command line interface is implemented just like many other Numato products so it is easy to interact with the hardware using any off the shelf serial terminal emulation program(Teraterm, Putty etc..). A few basic operation is that all Chipmunk does at this time, rest needs to be implemented in a script or app of some sort on the host machine .This is in contrast with DP’s bus pirate where you can send a whole svf file to the target by using XMODEM file transfer. We had no intention to make this a CPLD/FPGA programming tool rather we envisioned it to be a hackers tool which can be transformed to a programmer or a boundary scan test tool by writing scripts on the host. This makes Chipmunk JTAG a tool that can do pretty much any JTAG related task as long as you can write a script. The script can be written in any language that supports serial communication in some way. Using Chipmunk requires fairly good understanding about how JTAG works.
Chipmunk supports the following commands as of now.
echo on/off – Turn on/off echo. Turning off echo may be helpful when Chipmunk is used with a script
ver – Firmware version
reset – Force TAP to reset state
enddr state – Set ENDDR state
endir state – Set ENDIR state
r tck – Go to Run-Test/Idle state and run tck clock cycles
a tms – Advance state machine. Next state will depend on current state and the tms value. tms can be 0 or 1.
q – Query current TAP state
g state – Go to a particular state Currently only a limited number of states are supported by this command
i – Go to Shift-IR state
d – Go to Shift-DR state
s data – Scan selected register. During a scan the data will be written to the selected register and the data that is clocked out will be returned. This command can scan up to 32 bits at a time. Optional length parameter specifies the number of bits to clock in/out. If length is mentioned, it will be calculated from the data.
x data – Same functionality as s command except that this command will cause the TAP to exit from Shift-DR/Shift-IR state. enddir/endir commands will determine what state the TAP will be put after scanning the register. This command is usually used with the last chunk of data that is scanned.
Following are the states and corresponding numerical identifiers (excerpt from header file)
typedef enum _JTAG_STATE{
TL_RESET, // 0
RT_IDLE, // 1
SELECT_IR, // 2
CAPTURE_IR,// 3
SHIFT_IR,// 4
EXIT1_IR,// 5
PAUSE_IR,// 6
EXIT2_IR,// 7
UPDATE_IR,// 8
SELECT_DR,// 9
CAPTURE_DR,// a
SHIFT_DR,// b
EXIT1_DR,// c
PAUSE_DR,// d
EXIT2_DR,// e
UPDATE_DR,// f
UNKNOWN_STATE //10
}JTAG_STATE, *PTR_JTAG_STATE;
Here is a screenshot of reading Device ID from XC9572XL CPLD.
Schematics, PCB layout and other files can be downloaded here.