Hi All,
Contrary to popular believes, JTAG on Dragonboard seems to be operational. There is one catch - you need dongle worth thousands of USD for now :(
I decided to write this post so maybe someone will help me to get it working on something cheaper. Short summary of my research below.
@Peter - perhaps you could take a look and give some hints?
1) You need to solder JTAG connector to test points like that: http://rlyeh.eu/d/dragonboard_jtag.jpg (I suggest to protect test points as they're rather fragile and small).
There is JTAG connector on the bottom, but I'm against using it because: - There are 4 DNI resistors (i.e. not installed) that have to be short. I don't know their location. - It requires fancy connector that is hard to get, and then you need some converter to standard 20-pin jtag cable.
At least you need to solder: TDI, TDO, TMS, TCK, GND, VREF (VREG_L5_1P8) and TRST. I also wired SRST_N to RST pin of standard JTAG connector (but it's probably not needed)
WARNING: you need dongle that is able to work/adapt to 1.8V.
2) There are 3 chips on JTAG chain, with software it's possible to disable some or all of them.
Commands for OpenOCD: jtag newtap apq dap -expected-id 0x5ba00477 -irlen 4 <- This is ARM jtag newtap auto1 un1 -expected-id 0x000016dd -irlen 5 <- This is something (crypto processor?) jtag newtap auto2 un2 -expected-id 0x007060e1 -irlen 11 <- This is Hexagon core
Commands for Trace32: Sum of length of all IR registers : 20. Number of JTAG devices (BYPASS registers) : 3. IDCODE of device 1 is : 0x007060e1 (QUALCOMM, QUALCOMM) SYS.CONFIG.DRPOST 0. SYS.CONFIG.DRPRE 2. SYS.CONFIG.IRPOST 0. SYS.CONFIG.IRPRE 9. (IRWIDTH 11.) IDCODE of device 2 is : 0x000016dd (Certicom Corporation, <unknown name>) SYS.CONFIG.DRPOST 1. SYS.CONFIG.DRPRE 1. SYS.CONFIG.IRPOST 11. SYS.CONFIG.IRPRE 4. (IRWIDTH 5.) IDCODE of device 3 is : 0x5ba00477 (ARM Ltd., ARM JTAG-DP DAP) SYS.CONFIG.DRPOST 2. SYS.CONFIG.DRPRE 0. SYS.CONFIG.IRPOST 16. SYS.CONFIG.IRPRE 0. (IRWIDTH 4.) <- This is ARM
3) Device configuration - single core for now: Commands for OpenOCD (they don't work though): target create apq aarch64 -chain-position apq.dap -dbgbase 0x80050000 -ctibase 0x80058000 -coreid 0
Commands for Trace32: SYStem.CPU CORTEXA53 SYStem.CONFIG CORENUMBER 1. SYStem.CONFIG.COREDEBUG.Base 0x80050000 SYStem.CONFIG.BMC.Base 0x80051000 SYStem.CONFIG.CTI.Base 0x80058000 SYStem.CONFIG.ETM.Base 0x8005c000 sys.option enreset off ;<-I'm not sure if this is needed for anything else than probe SYStem.Mode Attach
4) Results: - With Trace32, it is possible to attach, stop CPU. It's even possible to halt it in Secure mode (at least it looks like that). Some parts of memory (and system registers) are not accessible - probably ones that are Secure.
- With OpenOCD (branch made by Peter Griffin), JTAG chain is visible properly, but probing of CPU fails:
-------------- LOG Debug: 271 328 openocd.c:150 handle_init_command(): Examining targets... Debug: 272 328 target.c:1417 target_call_event_callbacks(): target event 21 (examine-start) Debug: 273 328 arm_adi_v5.c:647 ahbap_debugport_init(): Debug: 274 329 arm_adi_v5.c:688 ahbap_debugport_init(): DAP: wait CDBGPWRUPACK Debug: 275 329 arm_adi_v5.h:391 dap_dp_poll_register(): DAP: poll 4, mask 0x0820000000, value 0x20000000 Debug: 276 329 arm_adi_v5.c:695 ahbap_debugport_init(): DAP: wait CSYSPWRUPACK Debug: 277 329 arm_adi_v5.h:391 dap_dp_poll_register(): DAP: poll 4, mask 0x0880000000, value 0x80000000 Debug: 278 433 arm_adi_v5.h:404 dap_dp_poll_register(): DAP: poll 4 timeout Debug: 279 433 openocd.c:152 handle_init_command(): target examination failed -------------- END of LOG
I've also attached diag data from Trace that can be useful for someone (I think I missed few DAP entries, but all CPUs are probably there).
Best Regards, Mateusz