探秘JTAG
0赞在边界扫描模式下(Boundary-Scan Mode),ISE的iMPACT是 如何把后缀为.bit的配置信息传输到FPGA器 件中呢?
先引用两段ISE Help中相关概念的描述,让大家对bitstream和.bit这两个基本概念理解得更透彻一些。
bitstream
A bitstream is a stream of data that contains location information for logic on a device, that is, the placement of configurable logic blocks (CLBs), input/output blocks (IOBs), tristate buffers (TBUFs), pins, and routing elements. The bitstream also includes empty placeholders that are filled with the logical states sent by the device during a readback. Only the memory elements, such as flip-flops, RAMs, and CLB outputs, are mapped to these placeholders, because their contents are likely to change from one state to another. When downloaded to a device, a bitstream configures the logic of a device and programs the device so that the states of that device can be read back. A bitstream file has a .bit extension.
BIT file
A bit file is a bitstream file which contains location information for logic on a device. When downloaded to a device, a bitstream configures the logic of a device and programs the device so that the states of that device can be read back.
A bit file and bitstream file have a .bitextension.
这里的bitstream就是指下载配置用的bit数据流, 下载配置的数据就存储在.bit文件中。这个.bit文 件中除了有专门用于配置FPGA的数据外,肯定还需要有一些保存工程相关信息的数据。因此,不是说FPGA的配置数据有多大,这个相应的.bit文件就 只有那么大。另外,是不是我们使用的FPGA资源有多大,相应的需要下载到FPGA中的.bit文件的相关配置流也就那么大呢?答 案是否定的,即便是FPGA中不使用的逻辑资源,也都还是需要在进行配置的。举个例子,如图1所示的特权同学目前正在使用的Virtex系列的XCV100,它需要的下载配置bits是781216bit。因此,我们每次生成的.bit文 件里肯定都有FPGA配置所需要的781216bit的 数据。加上前面所提的其它的信息,我们的.bit文件肯定要比它大一些。
图1
特权同学的一个名为api500_48in的 工程,其相应的.bit文件在UltraEdit-32中 看到总共有781824bit的数据。扣除我们的XCV100所需要的781216bit配置数据,有608bit是 头信息,即608/8=76 Byte,换算为16进 制为4CH。也就是说,从这个.bit文件 的00H-4BH地址的数据都为工程相关信息,而不是FPGA器 件配置数据。
图2是api500_48in这个工程起始地址的一些数据,我们可以看到00H-4BH地址的数据包含了工程信息、器件信息、日期时间、还有一些 可能是固定的文件信息。
图2
IEEE1149.1(JTAG)只使用了4个管脚,但是对嵌入式开 发调试(不仅是FPGA)带来了极大的便利。下面看看ISE Help中对这四 个管脚的描述。
The Test Access Port
The JTAG Test Access Port (TAP) contains four pins that drive the circuit blocks and control the operations specified. The TAP facilitates the serial loading and unloading of instructions and data. The four pins of the TAP are: TMS, TCK, TDI and TDO. The function of each TAP pin is as follows:
TCK- this pin is the JTAG test clock. It sequences the TAP controller as well as all of the JTAG registers.
TMS- this pin is the mode input signal to the TAP Controller. The TAP controller is a 16-state FSM that provides the control logic for JTAG. The state of TMS at the rising edge of TCK determines the sequence of states for the TAP controller. TMS has an internal pull-up resistor on it to provide a logic 1 to the system if the pin is not driven.
TDI- this pin is the serial data input to all JTAG instruction and data registers. The state of the TAP controller as well as the particular instruction held in the instruction register determines which register is fed by TDI for a specific operation. TDI has an internal pull-up resistor on it to provide a logic 1 to the system if the pin is not driven. TDI is sampled into the JTAG registers on the rising edge of TCK.
TDO- this pin is the serial data output for all JTAG instruction and data registers. The state of the TAP controller as well as the particular instruction held in the instruction register determines which register feeds TDO for a specific operation. Only one register (instruction or data) is allowed to be the active connection between TDI and TDO for any given operation. TDO changes state on the
falling edge of TCK and is only active during the shifting of data through the device. This pin is three-stated at all other times.
而这四个管脚如何配合起来完成JTAG数据的传输呢?特权同学对这个问题也很感兴趣,于是翻了好多器件文档,终于在cyclone II的器件手册中找到了平时不太注意的《14. IEEE 1149.1 (JTAG) Boundary-Scan Testing for Cyclone II Devices》章 节。
时钟TCK的 每个上升沿锁存数据,上文所述的TAP控制器有16个 不同的状态,TMS的值控制着当前的状态变化。如图3所 示。上电伊始,TAP处于TEST_LOGIC/RESET状 态,然后每个TCK上升沿锁存到的TMS值 相应的决定着TAP控制器的下一个状态。后缀_IR和_DR分别指指令寄存器和数据寄存器。
图3
下面列举一个简单的ISE的iMAPCT读取器件ID的例子。操作完成后iMAPCT的信息框出现下列信息。
// *** BATCH CMD : ReadIdcode -p 1
Maximum TCK operating frequency for this device chain: 2000000.
Validating chain...
Boundary-scan chain validated successfully.
'1': IDCODE is '00100000011000010100000010010011'
'1': IDCODE is '20614093' (in hex).
'1': : Manufacturer's ID =Xilinx xcv100, Version : 2
说明iMAPCT读取到的ID为16进制的20614093。对应的特权同学采样到这次JTAG传输TCK/TMCS/TDO的波形。整个传 输波形如图4所示,放大后分别如图5/图6/图7/图8/图9所示。
图4
图5
图6
图7
图8
图9
根据每个TCK来采样数据对应如表1/表2/表3/表4所 示。
表1
|
TCK |
0 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
|
TMS |
1 |
1 |
1 |
1 |
1 |
0 |
1 |
1 |
0 |
0 |
0 |
0 |
0 |
0 |
1 |
1 |
|
TDO |
1 |
1 |
1 |
1 |
1 |
1 |
1 |
1 |
1 |
1 |
1 |
0 |
1 |
1 |
1 |
1 |
表2
|
TCK |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
|
TMS |
0 |
1 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
|
TDO |
1 |
1 |
1 |
1 |
1 |
1 |
0 |
0 |
1 |
0 |
0 |
1 |
0 |
0 |
0 |
0 |
表3
|
TCK |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
|
TMS |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
|
TDO |
0 |
0 |
1 |
0 |
1 |
0 |
0 |
0 |
0 |
1 |
1 |
0 |
0 |
0 |
0 |
0 |
表4
|
TCK |
48 |
49 |
50 |
51 |
|
|
|
|
|
|
|
|
|
|
|
|
|
TMS |
0 |
0 |
0 |
1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
TDO |
0 |
1 |
0 |
0 |
|
|
|
|
|
|
|
|
|
|
|
|
根据TMS和TCK的关系可以找到在红色部分的数据处于SHIFT_DR状态, 最后一个位处于EXIT_DR状态,这就是TDO送给iMAPCT的ID code。用小端格式转换这些二进制码得到的ID正好是16进制的20614093。这个ID也 和Virtex官方datasheet给出 的是一致的,如图10所示。
图10
特权同学捕获了JTAG模式下载的数据 流,在TDI传输FPGA的配置数据流之前 有一大长串的其他命令控制,都有TMS控制不同的状态,具体的特权同学也没那个心思一个一个琢磨,希望有空拿个JTAG标准协议研究研究。不过特权同学还是用肉眼定位到了数据流部分,而且开始的一长串数据和图2的开始数据FF FF FF FF AA 99 55 66 30 00 80 01
时吻合的。
