JTAG 20-pin only 1 has data

Question

I'm trying to use a Saleaa Logic 8 to find data pins on a 20-pin header from a board with a Intel X Scale (ARMv5) PXA270 processor, but I can only find what looks to be data on pin 9, I've tried (I think) all the rest of the pins, is it possible to get JTAG debug data from a single pin? Is there a typical pinout for JTAG 20 pin to know where to look? I just have a rising edge trigger. I want to read the firmware with a Bus Pirate v3.6. Here's what I see:

Someone mentioned it might be something like serial, looks like this logic analyzer supports it:

with some options:

The decoded ASCII just says '255' for channel 0, which is pin 1, but nothing about pin 9, where the data seems to be:

Should I be using some other protocol besides async serial? Here's the whole 30 second capture:

As already explained, JTAG would normally be quiescent. Look at that one signal you have, it might be some sort of asynchronous serial (or not). Such would have nothing to do with JTAG per se, but could be co-located on a debug header. Or it's possible what you have isn't even a debug header. Note that this is typically not an effective way to "read the firmware" at least unless you achieve a high degree of control and as the software is probably not stored in the SoC - you probably want to learn about the software environment first, and perhaps go after any external flash chips. — Chris Stratton, May 05 '20 at 15:47
yes it takes seconds to find what the 20 pin jtag pinout is for arm (half of them are ground). it takes about the same number of seconds to find the standard jtag signals and what they do. and you should basically never use built in scope analyzer functions for these types of things, they rarely decode right and if you didnt already know how to decode the signals/protocol by looking you will just be mislead by that software. yes tdi/tdo one bit in one bit out. https://en.wikipedia.org/wiki/JTAG and a couple of control signals. — old_timer, May 06 '20 at 03:00
What is your actual goal here? What is the question. if you want to use jtag to debug code on that processor then $10-$20 in hardware and free software that you just download and use. You can examine the free software to understand the protocol and/or look at the documentation. Unclear what you are asking. — old_timer, May 06 '20 at 03:02
Your screen captures against the decoder are all either zoomed too wide or too narrow, try to get about 2 and a half bytes worth of transitions on the screen and then you might see something meaningful — Chris Stratton, May 06 '20 at 04:26
I am trying to make sure I'm hooking up the Bus Pirate to the right pins to analyze and not cook things. I already looked up the 20-pin pinout for the arm, but wasn't sure I have everything connected right to see the expected output. — batflaps, May 06 '20 at 19:45
So, hook it up with like 1k series resistors and see if you can enumerate the JTAG chain. If it works, you're done. If it fails, then you might need to take another guess at the pinout. — alex.forencich, May 06 '20 at 20:49
I got a JTAGulator and ran a bypass scan and the results were wildly inconsistent from scan to scan. At a minimum I was expecting to see a steady TCK to tell me it really is JTAG, but I can't find one. Is it possible there are still TDI/TDO on this header and a clock somewhere else? — batflaps, Jun 16 '20 at 23:48

score 1 · Answer 1 · answered May 04 '20 at 21:03

You can't use a scope or logic analyzer to look for JTAG interfaces. First, most of the pins are input pins, so you won't see anything on those pins electrically besides pull-up resistors. And you won't see anything on the output pins if the interface isn't being actively used, and in the vast majority of cases the interface is not used at all except maybe in the factory. To find jtag interfaces, you need to do some sort of active probing. Either take a guess at the pinout and try to enumerate the chain, or use some sort of active search. I think there might be arduino code or similar that can automate this. If you go that route, make sure to use proper protection and level translation circuitry.

I do see the pull ups happening, I added the picture showing the logic on pin 9. I will look into the arduino option. Is there anything discernible about the logic on pin 9? — batflaps, May 05 '20 at 15:47
If you're seeing something toggling, it's not JTAG. Could be some other debug signal of some sort, maybe a serial port. — alex.forencich, May 05 '20 at 16:23

JTAG 20-pin only 1 has data

1 Answers1