User Tools

Site Tools


JTAG access


As detailed on the Schematic (released in the FCC documents), the Nabaztag:tag board breaks out the JTAG port. Let's see how to use it to access the CPU to be able to flash and debug some code !


JTAG probe: BusBlaster

I think you can use any JTAG probe that's 3.3v compatible, if you have one. If you don't, I recommend the BusBlaster v3. It's a great board, versatile and cheap; oh ! and it's also open hardware and open source ! :-)

One of the best features of the BusBlaster is you can reconfigure the CPLD to emulate any FT2232 JTAG probe. I think it comes pre-programmed with a JTAGkey buffer logic, which should work fine for this application.

Note: My BusBlaster (a v4 !) uses a KT-link buffer logic, because I needed the SWD capabilities for another application. If the following steps don't work, try to reprogram the CPLD with a KT-link buffer and try again !

You also need some jumper wires (also called Dupont wire sometimes) F/F to connect the BusBlaster to the Nabaztag


Well, of course you need a Nabaztag:tag ( a version 2 ). You also must be ready to open it.

Grab a small flat screwdriver and remove the four screws on the base. You can also use a triangle screwdriver if you happen to have one, I don't.

And this is about it. the JTAG header is on the top left corner of the board.

Pinout is the following (top to bottom):

Nabaztag Pin Function BusBlaster pin 1 3.3v VTG (or NC) 2 Gnd GND 3 nTRST TRST 4 TDI TDI 5 TMS TMS 6 TCK TCK 7 TDO TDO 8 RESETN TSRST

Software: OpenOCD

Patch and compile OpenOCD

The Nabaztag:tag uses a ML67Q4051 micro-controller which is not on the supported hardware list of OpenOCD. It's an ARM7TDMI variant, so I thought it should be possible to use it. I spent some time hacking code and I eventually ended up with a patch good enough to:

  • access the CPU registers, which means debug is possible !
  • read and write the Internal flash
    • First version was slow as hell: 5 to 10 minutes to read/write the whole flash
    • Second version is much better: under 5 seconds. I had to write ARM assembler code to be run from RAM to write the Flash, which was a rather painful but interesting experience…

So ! Download OpenOCD 0.8.0 from their website, or here (mirror): openocd 0.8.0

Download the patch: openocd_0.8.0_oki


sudo aptitude install libtool autoconf automake libusb-1.0-0-dev

gzip -d openocd_0.8.0_oki.patch.gz
tar xzvf ./openocd-0.8.0.tar.gz


cd openocd-0.8.0/
patch -p1 < ../openocd_0.8.0_oki.patch


autoreconf -fi

When it's done, you should have a binary named openocd in the src/ folder


Now that you have a patched version of OpenOCD capable of debugging the OKI chip, you need some configuration files. Here are mine: openocd_nab

Note: You might need to tweak them a little bit, especially the interface/ftdi/dp_busblaster.cfg to get you BusBlaster recognized by OpenOCD. I think I renamed my BusBlaster, and OpenOCD checks the name… Shoot me an email if ou need some help.

Once you have the config files, just copy the openocd binary in the same folder and then it's as easy as:

./openocd -f nabaztagv2.cfg


I think you can use telnet to interact with OpenOCD, but I use GDB… Here are a few notes:

Launch and connect


or, if you have an .elf file to debug/flash

arm-none-eabi-gdb ./path/to/file.elf

Once in GDB

tar ext :3333

The Nabaztag should have “frozen”. you can (always) restart it with

mon reset run

Dump the flash

mon reset init
dump ihex memory dump.hex 0x08000000 0x08020000 # Get an hex file, useful for analyzing it 
dump binary memory dump.bin 0x08000000 0x08020000 # Get a bin file, useful for backup and restore

Note: The files end up in the same folder as the openocd binary (or the folder from where you run it)

Write an image

mon reset init
mon flash write_image erase ./dump.bin 0x08000000

Note: The files should be in the same folder as the openocd binary (or the folder from where you run it)


 BusBlaster connected to the Nabaztag, side view  BusBlaster connected to the Nabaztag, bottom view

Flash an elf file

If you started GDB with an elf file (or if you loaded one), you can flash it on the Nabaztag by simply running:

/home/share/www/ · Last modified: 2023/11/24 22:18 by redox