JTAG stands for Joint Test Action Group, which is an IEEE work group defining an electrical interface for integrated circuit testing and programming.

• → port.JTAG (this article)
  • → port.JTAG.cables (homemade cables)
    • → port.JTAG.cable.buffered or buffered + redirect from something.wiggler to this article
    • → port.JTAG.cable.unbuffered or unbuffered
  • → port.JTAG.utilization
    • → generic.debrick there is content on utilizing JTAG (link to it or from it, don't leave double content!)
    • → jtag there is content on utilizing JTAG (link to it or from it, don't leave double content! unless specific)

• Debrick Routers with AR724x processors Using JTAG

There is always a JTAG automate (JTAG logic) integrated into your SoC or CPU and usually this is connected to a JTAG header on the PCB. You can test and program the IC by issuing JTAG commands to it through the JTAG.

To do that, you need to connect the parallel port of your PC with the JTAG header on the PCB via a bought or a homemade "JTAG cable". You then run a special JTAG software on your PC, which allows you to comfortably control the JTAG automate and make it perform commands like reads and writes at arbitrary locations.

As already stated the primal intention of the JTAG automate is to test the IC itself. But of course it can additionally be utilized to recover a device if you erased the bootloader resident on the flash. Because, through the JTAG automate in the SoC, you can also write to the Flash Chip.

A JTAG port can be used without any software running on the IC itself, but the IC still has to be powered by a separate power supply. This means, you can solder a lonely SoC to a PCB, no Flash-Chip, no RAM; then connect to it via JTAG and interact with the SoC. Of course, on the PC itself, you should have some sort of software, to make this interaction with the hardware on the lowest level possible a bit more comfortable.

Of course, if there is a flash chips soldered onto the PCB, you could access this chip by programming the SoC via JTAG. It's one of those amazingly useful things that allows you to recover from pretty much anything that doesn't involve a hardware failure.

There is no one JTAG automate (← please rephrase)! Different SoCs/CPUs/ISAs have different JTAG automates behavior and reset sequence, most likely you will find ARM and MIPS CPUs, both having their standard to allow controlling the CPU behavior using JTAG.

Finding JTAG connector on a PCB can be a little easier than finding the UART since most vendors leave those headers unpopulated after production. JTAG connectors are usually 12, 14, or 20-pins headers with one side of the connector having some signals at 3.3V and the other side being connected to GND.

There are two major JTAG header arrangements used in SOHO routers based on MIPS CPUs. One uses 12 pins and the other uses 14 pins. While not radically different, you should be familiar with both. Other JTAG pinouts can be found at http://www.jtagtest.com/pinouts/.

Found in Linksys routers such as the WRT54G and WRT54GS, the 12-pin header has the following arrangement of JTAG signals and pins:

 nTRST  1   2 GND
 TDI    3   4 GND
 TDO    5   6 GND
 TMS    7   8 GND
 TCK    9  10 GND
 nSRST 11  12 GND

Seems, this header is a truncated version of the full EJTAG header.

This header is fully MIPS EJTAG 2.6 compatible and described in the EJTAG 2.6 standard. Found in Edimax routers (and other brands that are Edimax clones), the 14-pin header has the following arrangement of JTAG signals and pins:

 nTRST  1   2 GND
 TDI    3   4 GND
 TDO    5   6 GND
 TMS    7   8 GND
 TCK    9  10 GND
 nSRST 11  12 n/a
   n/a 13  14 Vcc

A buffered cable such as the Wiggler requires an external Vcc voltage supply. The 14-pin header conveniently supplies this voltage on pin 14. The typical unbuffered cable, however, does not require an external voltage in order to function. Formally, the pin 14 is called VREF and used to indicate a JTAG signal levels: 5V, 3.3V or 2.5V. On the most devices this pin is tied to the device's Vcc and may be used to power a buffer IC chip (and to generate an appropriate levels as result). Note that the 12-pin JTAG header arrangement does not provide Vcc.

→ Utils

The most famous software for JTAG is probably the Linksys De-Brick Utility by Hairydairymaid (aka Lightbulb). As of 12 September 2006 the most recent version is v4.8. You can download it from the OpenWrt site. Virtually everyone who uses this software opts for an unbuffered cable, and the software itself, by default, expects this type of cable to be used.

The Hairydairymaid de-brick utility is mainly with Linksys WRT54G and WRT54GS routers. It will not help you de-brick other routers that are not based on Broadcom CPUs (e.g. Edimax and its clones).

[Edit by hairydairymaid - the v4.5 debrick utility WILL and CAN operate on most any MIPS based cpu supporting EJTAG by using PrAcc routines (non-dma mode) - use the /nodma switch. It is not limited to WRT54G/GS units.]

Edit by DanielDickinson - I have An updated version of debrick on Google Docs

• Supports dma on bigendian CPU's (such as the BCM63xx)
• Supports reading and writing either bigendian or littleendian images files (little endian is what debrick does by default, bigendian is what dd if=/dev/mtdX will give you on a bigendian cpu)
• Includes a trivial endianness translator (a simple commandline filter)
• Adds support for the flash chip on various brcm96348 boards
• Adds support for 64k (and 128k) CFE such as the 64k CFE on various 96348GW-11 boards
• Fixes a bug in Wiggler cable support

'Edit by Johann Pascher - Timing on HairyDairyMaid's utility is not correct, he sets or reads all signal including the clock at the same time, this works in most cases but is not conform to the data sheets of EJTAG bus.
Some minor change on the very low level routines can solve this problem, so the result is that it is not critical how the cable is wired. I made some changes for my own use and some more to display the sates of the steatemachine for debugging. I Hope he reeds this and makes some corections on his tool in the future! link IP-Forum'

Another popular JTAG utility is a Openwince JTAG. Unfortunately, the development is stalled, but you can use a CVS snapshot fork with EJTAG driver implemented by Marek Michalkiewicz : jtag-0.6-cvs-20051228. One more snapshot with corrected Flash block mapping may be found there: http://star.oai.pp.ru/jtag/jtag-brecis-ok.zip. To access a Flash chip in 8-, 16- or 32-bit mode via EJTAG, use 0x1fc00000, 0x3fc00000 and 0x5fc00000 addresses respectively.

In late 2007, development of the openwince JTAG tools has been resumed in a new project named UrJTAG, including the patches mentioned above and added support for USB cables.

jtag> print
No. Manufacturer Part Stepping Instruction Register
---------------------------------------------------------------------------------------------
0 Lexra LX5280 1 BYPASS BR
Active bus:
*0: EJTAG compatible bus driver via PrAcc (JTAG part No. 0)
start: 0x00000000, length: 0x20000000, data width: 8 bit
start: 0x20000000, length: 0x20000000, data width: 16 bit
start: 0x40000000, length: 0x20000000, data width: 32 bit

Cleanup Required! This page or section needs cleanup. You can edit this page to fix wiki markup, redundant content or outdated information.

• http://downloads.openwrt.org/utils/ HairyDairyMaid_WRT54G_Debrick_Utility
• EJTAG at the Linux-MIPS Wiki
  • AR7 (oldwiki) some more on this subject
  • AR7 JTAG
• Two examples of successful Wiggler-style cable projects
• EJTAG Specification from MIPS Technologies, Inc. (free registration required, shitty corporate page doesn't work without JavaScript and deep shit; also, deep link is dead; also: WHY go though all this hoops?)
• Debrick example using OpenwinCE with EJTAG driver.
• Openwince JTAG, "Supported hardware" section for other types of the JTAG cables.
• K9SPUD JTAG another Wiggler schematic
• USB JTAG a budget USB JTAG adapter
• FREE JTAG Resources
• JTAG Pinouts
• http://www.armkits.com/Product/jtagcable.asp