AN INTERMEDIATE LOOK AT THE AVR JTAG INTERFACE
AVRFREAKS.NET
SEP 2002
TABLE OF CONTENTS
Understanding JTAG fuses and Security
JTAG Nomenclature
JTAG Fuses and Security
On-Chip Debugging
Boundary-Scan
JTAG Programming
JTAG Security Roundup
JTAG Programming
Introduction
New megaAVR devices with more than 8KB of Flash include a JTAG interface for Programming, Boundary Scan and On-chip Debugging. This article will take a peek at some of the features that are somewhat hidden, or difficult to find, in the datasheets.
JTAG Nomenclature
JTAG Programming, OCD, IEEE 1149.1 compliant, Boundary-Scan. It is easy to get confused and start mixing the terminology. To summarize, the AVR JTAG interface is compliant with the IEEE 1149.1 Standard. Through this interface you have access to the following "services":
- Memory Programming
- Boundary Scan
- On-Chip Debug
When using the term "JTAG" we refer to the interface as such. When talking about a specific "service" we usually use the "service name". (e.g. JTAG Programming)
JTAG Fuses and Security

NOTE: In the following table we use "P" for programmed and "U" for unprogrammed fuse. JTD is a register bit, not a fuse, so it is shown as set or not set.

JTD        JTAGEN   OCDEN   DESCRIPTION
not set    P        U       JTAG Programming and Boundary-Scan is possible, OCD disabled
not set    P        P       OCD, JTAG Programming and Boundary-Scan is enabled (Note 1)
any other combination       No JTAG programming, OCD or Boundary-Scan is possible

Note 1: Do not ship the device in this state, as it will consume more power, and is open for hacking :-)

As shown in the figure and table, setting the correct fuses and keeping the device unlocked is essential to be able to access the on-chip OCD system. As shown, setting lock bits will disable the OCD system completely, while the JTAG Programming interface will continue to work the same way as the two other programming interfaces (HVPP and ISP). To disable JTAG Programming, either set appropriate Lock bits, or use the JTD bit or the JTAGEN fuse.
On-Chip Debugging
The OCD is a feature for in-system debugging. Although this "emulation" interface lacks some of the functionality offered by high end emulators (features like trace/triggers, unlimited breakpoints, cycle counters...), it actually has some unique features not found in any other emulator: The most obvious advantage is that you actually are running the code on the device itself, so all electrical and timing characteristics are FOR REAL. No emulated behavior!
The main thing to remember is that the JTAG OCD is not an EMULATOR, it is the real thing. Which leads us to the JTAG ICE which actually is no ICE at all. It is a protocol converter/interface allowing AVR Studio to talk to the OCD interface inside the AVR. :-) One thing that you should be aware of is that when the AVR OCDEN fuse is programmed (OCD Enabled) some of the clock system is left running even though you put the AVR in sleep mode. So, if you experience high power consumption during SLEEP mode, make sure you are not running the device with the OCDEN programmed!
Boundary-Scan
Boundary-Scan is a very efficient way of verifying that your device is soldered in correctly, and that interconnectivity to other devices is correct. There are a number of tools available today that will read your layout files and generate a complete test vector set to verify your design.
When the JTAGEN fuse is programmed and JTD is not set, the Boundary Scan Chain is available. This chain includes (almost) all physical pins on the device. This chain does not include the internal scan chain. The internal Scan Chain is part of the OCD system, and is not accessible unless OCD is enabled, and LB1 and LB2 are unprogrammed.
JTAG Programming
The JTAG programming interface works much the same way as the two other programming interfaces. The same functionality and restrictions apply. The main thing to remember if you want to use the JTAG for programming is to set the Lock bits correctly. Setting the JTAGEN will not do you any good if you have disabled Further write or Read/write by programming the Lock Bits!
This table explains the relationship between the JTAG Programming interface and the Lock Bits. NOTE: In the following table we use "P" for programmed, and "U" for unprogrammed fuse.

LB mode   LB2   LB1   DESCRIPTION
1         U     U     No memory lock features enabled.
2         U     P     Further programming of the Flash and EEPROM is disabled in Parallel and SPI/JTAG Serial Programming mode. The Fuse bits are locked in both Serial and Parallel Programming mode. Readback is possible.
-         P     U     Invalid Mode.
3         P     P     Further programming and verification of the Flash and EEPROM is disabled in Parallel and SPI/JTAG Serial Programming mode. The Fuse bits are locked in both Serial and Parallel Programming mode.
JTAG Security Roundup

JTAG Programming
The JTAG Programming interface is controlled by the same lock bits controlling all other programming interfaces. So it will be as secure as any of them.
On-Chip Debug
As shown in the block diagram, the only way to enable OCD is to leave the lock bits off and then enable both JTAGEN and OCDEN. In this state the device is totally open anyway, so the easiest way to steal code from it is to use any ISP programmer and dump out the code directly. With lock bits programmed, the OCD is disabled (regardless of LB mode). So here the OCD is even more secure than the standard ISP interface, where you can read out the memory contents in both LB mode 1 and 2.
Boundary Scan
This one is interesting: what if we could use the boundary scan chain to grab out info that we are not supposed to get hold of?! Luckily (unfortunately; depending who you are..), this is not possible. The Boundary Scan chain does not include any internal signal, only physical package pins. If the internal scan chain were accessible from the Boundary Scan interface, it would be possible to grab out the program counter and instruction word, thus stealing the contents of the flash array bypassing the lock bits! Luckily (for most..) this is not possible. The internal scan chain is part of the OCD interface, and thus only accessible when no memory lock bits are programmed.
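The fuse table, the lock-bit table and the roundup above can be combined into one pre-shipment check that decodes the high-fuse and lock-bit bytes and reports which JTAG services a device would expose. This is an added example, not code from the AVRFreaks article; it assumes the ATmega16/32/128 bit positions (high fuse bit 7 = OCDEN, bit 6 = JTAGEN; lock byte bit 1 = LB2, bit 0 = LB1, programmed bits reading as 0) and treats the run-time JTD bit as a boolean input.

```python
# Added example, not from the AVRFreaks article: the article's fuse and lock-bit
# tables as a pre-shipment check. Bit positions are assumed as in the
# ATmega16/32/128 high-fuse and lock-bit bytes (a programmed bit reads as 0):
# high fuse bit 7 = OCDEN, bit 6 = JTAGEN; lock byte bit 1 = LB2, bit 0 = LB1.
# The jtd_set flag stands for the run-time JTD register bit set by firmware.
OCDEN_BIT, JTAGEN_BIT, LB2_BIT, LB1_BIT = 7, 6, 1, 0

def programmed(byte, bit):
    """AVR convention: a fuse or lock bit reads 0 when programmed."""
    return (byte >> bit) & 1 == 0

def lb_mode(lock):
    """The article's LB mode number, or None for the invalid LB2=P, LB1=U case."""
    lb1, lb2 = programmed(lock, LB1_BIT), programmed(lock, LB2_BIT)
    return {(False, False): 1, (True, False): 2, (True, True): 3}.get((lb1, lb2))

def jtag_services(hfuse, lock, jtd_set=False):
    """Which JTAG 'services' the tables allow for this configuration."""
    jtag_on = programmed(hfuse, JTAGEN_BIT) and not jtd_set
    mode = lb_mode(lock)
    return {
        "lb_mode": mode,
        # Programming and Boundary-Scan need JTAGEN programmed and JTD clear.
        "jtag_programming": jtag_on,
        "boundary_scan": jtag_on,
        # OCD additionally needs OCDEN programmed and no lock bits set.
        "ocd": jtag_on and programmed(hfuse, OCDEN_BIT) and mode == 1,
        # Memory readback over ISP/JTAG is possible in LB modes 1 and 2.
        "readback": mode in (1, 2),
    }

def release_problems(hfuse, lock):
    """Findings a release check would raise; an empty list means OK to ship."""
    s, found = jtag_services(hfuse, lock), []
    if programmed(hfuse, OCDEN_BIT):
        found.append("OCDEN programmed: extra sleep power, OCD open if unlocked")
    if s["lb_mode"] is None:
        found.append("invalid lock-bit combination")
    elif s["readback"]:
        found.append("LB mode %d: flash readable via ISP/JTAG" % s["lb_mode"])
    return found

if __name__ == "__main__":
    # Constructed values: a debug build (OCDEN and JTAGEN programmed, unlocked)
    # and a shipped build (OCDEN unprogrammed, JTAGEN programmed, LB mode 3).
    for hf, lk in ((0x19, 0xFF), (0x99, 0xFC)):
        print(hex(hf), hex(lk), jtag_services(hf, lk), release_problems(hf, lk))
```

The two constructed byte pairs are the "do not ship" state from Note 1 and the locked production state; the first yields two findings, the second none.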
Conclusion
Our conclusion is that the JTAG interface is safe. But as with all security features they require that they are activated to have any effect :-)