# JTAG access ## Overview As detailed on the Schematic (released in the FCC documents), the Nabaztag:tag board breaks out the JTAG port. Let's see how to use it to access the CPU to be able to flash and debug some code ! ## Hardware ### JTAG probe: BusBlaster {{:dev:nab:v2:jtag:bbv3.jpg?200 |}}I think you can use any JTAG probe that's 3.3v compatible, if you have one. If you don't, I recommend the [BusBlaster v3](http://dangerousprototypes.com/docs/Bus_Blaster_v3_design_overview). It's a great board, versatile and cheap; oh ! and it's also open hardware and open source ! :-) One of the best features of the BusBlaster is you can reconfigure the CPLD to emulate any FT2232 JTAG probe. I think it comes pre-programmed with a JTAGkey buffer logic, which should work fine for this application. _Note_: My BusBlaster (a v4 !) uses a KT-link buffer logic, because I needed the SWD capabilities for another application. If the following steps don't work, try to reprogram the CPLD with a KT-link buffer and try again ! You also need some jumper wires (also called _Dupont wire_ sometimes) F/F to connect the BusBlaster to the Nabaztag ### Nabaztag:tag Well, of course you need a Nabaztag:tag ( a version 2 ). You also must be ready to open it. Grab a small flat screwdriver and remove the four screws on the base. You can also use a triangle screwdriver if you happen to have one, I don't. And this is about it. the JTAG header is on the top left corner of the board. Pinout is the following (top to bottom): ^ Nabaztag Pin ^ Function ^ BusBlaster pin ^ | 1 | 3.3v | VTG (or NC) | | 2 | Gnd | GND | | 3 | nTRST | TRST | | 4 | TDI | TDI | | 5 | TMS | TMS | | 6 | TCK | TCK | | 7 | TDO | TDO | | 8 | RESETN | TSRST | ## Software: OpenOCD ### Patch and compile OpenOCD The Nabaztag:tag uses a ML67Q4051 micro-controller which is not on the supported hardware list of OpenOCD. It's an ARM7TDMI variant, so I thought it should be possible to use it. I spent some time hacking code and I eventually ended up with a patch good enough to: - access the CPU registers, which means debug is possible ! - read and write the Internal flash - First version was slow as hell: 5 to 10 minutes to read/write the whole flash - Second version is much better: under 5 seconds. I had to write ARM assembler code to be run from RAM to write the Flash, which was a rather painful but interesting experience... So ! Download OpenOCD **0.8.0** from their website, or here (mirror): {{:dev:nab:v2:jtag:openocd-0.8.0.tar.gz|openocd 0.8.0}} Download the patch: {{:dev:nab:v2:jtag:openocd_0.8.0_oki.patch.gz|openocd_0.8.0_oki}} #### Prepare sudo aptitude install libtool autoconf automake libusb-1.0-0-dev gzip -d openocd_0.8.0_oki.patch.gz tar xzvf ./openocd-0.8.0.tar.gz #### Patch cd openocd-0.8.0/ patch -p1 < ../openocd_0.8.0_oki.patch #### Compile autoreconf -fi ./configure make When it's done, you should have a binary named **openocd** in the `src/` folder ### Usage Now that you have a patched version of OpenOCD capable of debugging the OKI chip, you need some configuration files. Here are mine: {{:dev:nab:v2:jtag:openocd_nab.tar.gz|openocd_nab}} _Note_: You might need to tweak them a little bit, especially the `interface/ftdi/dp_busblaster.cfg` to get you BusBlaster recognized by OpenOCD. I think I renamed my BusBlaster, and OpenOCD checks the name... Shoot me an email if ou need some help. Once you have the config files, just copy the openocd binary in the same folder and then it's as easy as: ./openocd -f nabaztagv2.cfg ## GDB I think you can use telnet to interact with OpenOCD, but I use GDB... Here are a few notes: ### Launch and connect arm-none-eabi-gdb or, if you have an .elf file to debug/flash arm-none-eabi-gdb ./path/to/file.elf Once in GDB tar ext :3333 The Nabaztag should have "frozen". you can (always) restart it with mon reset run ### Dump the flash mon reset init dump ihex memory dump.hex 0x08000000 0x08020000 # Get an hex file, useful for analyzing it dump binary memory dump.bin 0x08000000 0x08020000 # Get a bin file, useful for backup and restore _Note_: The files end up in the same folder as the openocd binary (or the folder from where you run it) ### Write an image mon reset init mon flash write_image erase ./dump.bin 0x08000000 _Note_: The files should be in the same folder as the openocd binary (or the folder from where you run it) ## Pictures {{.:jtag:nabjtag.jpg?250| BusBlaster connected to the Nabaztag, side view}} {{.:jtag:nabjtag_bottom.jpg?250| BusBlaster connected to the Nabaztag, bottom view}} ### Flash an elf file If you started GDB with an elf file (or if you loaded one), you can flash it on the Nabaztag by simply running: load ## Links * [BusBlaster wiki](http://dangerousprototypes.com/docs/Bus_Blaster) * [OpenOCD user guide](http://openocd.org/doc/html/)