ST AN4035 Application note

1 Introduction

The SPC56x family of devices has internal Flash used for code and data. The Nexus debug
interface can be used to program the Flash using the JTAG communication protocol through
the JTAG port. This allows programming of the internal Flash by an external tool.

This application note first addresses the JTAG and Nexus communication protocol. The
JTAG discussion includes the JTAG signals, TAP controller state machine, and the JTAG
controller. The explanation of Nexus includes the on-chip emulation (OnCE) module and the
Nexus read/write (R/W) access block.

Nexus/JTAG Flash programming supports the following products:

● SPC563Mxx

● SPC564Axx

● SPC560Dxx

● SPC560Bxx

● SPC560Cxx

● SPC560Pxx

● SPC56ELxx

AN4035

Application note

Flash programming through

Nexus/JTAG

January 2012 Doc ID 022669 Rev 1 1/41

www.st.com

Contents AN4035

Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2 JTAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.1 JTAG signals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.2 TAP controller state machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.3 JTAG controller (JTAGC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.4 Modes of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2.4.1 Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.4.2 Test mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.5 Enabling debug of a censored device . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.5.1 CENSOR_CTRL register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

3 On-Chip Emulation (OnCE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

3.1 Enabling the OnCE TAP controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

3.2 OnCE register access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

3.3 OnCE command register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

3.3.1 Example of OnCE register write . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3.3.2 Example of OnCE register read . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

3.4 OnCE status register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.5 Entering debug mode during reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

3.6 Enabling external debug mode and other initialization . . . . . . . . . . . . . . . 21

3.7 CPU Status and Control Scan Chain Register (CPUSCR) . . . . . . . . . . . 21

3.7.1 Instruction Register (IR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3.7.2 Control State Register (CTL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.7.3 Program Counter Register (PC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.7.4 Write-Back Bus Register (WBBRlow, WBBRhigh) . . . . . . . . . . . . . . . . . 24

3.7.5 Machine State Register (MSR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.8 Single step . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.9 Exit from debug mode to normal execution . . . . . . . . . . . . . . . . . . . . . . . 25

3.10 GPR access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

3.11 SPR access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

3.12 OnCE memory access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

2/41 Doc ID 022669 Rev 1

AN4035 Contents

3.13 Breakpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

3.13.1 Software breakpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

3.13.2 Instruction address hardware breakpoints . . . . . . . . . . . . . . . . . . . . . . . 27

4 Nexus Read/Write access block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

4.1 Nexus register access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

4.2 Single memory write access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

4.3 Burst block memory write access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

4.4 Single memory read access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

4.5 Burst block memory read access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

5 System initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

5.1 Internal SRAM initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

5.2 Setting up the memory management unit . . . . . . . . . . . . . . . . . . . . . . . . 35

6 Creating the Flash programming tool . . . . . . . . . . . . . . . . . . . . . . . . . . 36

6.1 Flash programming drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

6.2 Tool requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

6.2.1 Debug and driver initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

6.2.2 FlashInit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

6.2.3 SetLock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

6.2.4 FlashErase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

6.2.5 FlashProgram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

6.2.6 Using other drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

6.3 Functional division of the external tool . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Doc ID 022669 Rev 1 3/41

List of tables AN4035

List of tables

Table 1. JTAG signal properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Table 2. JTAG instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Table 3. OnCE command register bit definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Table 4. e200z0 OnCE Register Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Table 5. RWCS field description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Table 6. Read/Write access status bit encoding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Table 7. JTAG Data Register (DR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Table 8. Nexus register index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

4/41 Doc ID 022669 Rev 1

AN4035 List of figures

List of figures

Figure 1. TAP controller finite state machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Figure 2. JTAG controller block diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Figure 3. Enabling JTAG/Nexus port access on a censored device . . . . . . . . . . . . . . . . . . . . . . . . . 11

Figure 4. e200z OnCE block diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Figure 5. Steps for enabling the OnCE TAP controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Figure 6. Signal transitions for enabling the OnCE TAP controller . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Figure 7. OnCE command register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Figure 8. DBCR0 register. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Figure 9. Signal transitions for writing OCMD to select a write to DBCR0. . . . . . . . . . . . . . . . . . . . . 18

Figure 10. Signal transitions for writing DBCR0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Figure 11. Signal transitions for writing OCMD to select a read from DBCR0 . . . . . . . . . . . . . . . . . . . 19

Figure 12. Signal transitions for reading DBCR0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Figure 13. OnCE status register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Figure 14. Signal transitions of reading the OnCE status register . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Figure 15. OnCE control register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Figure 16. Debug Status Register (DBSR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Figure 17. CPU status and control scan chain register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Figure 18. Control State Register (CTL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Figure 19. Read/Write Access Control/Status Register (RWCS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Figure 20. Read/Write access data register (RWD). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Figure 21. Read/Write access address register (RWA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Doc ID 022669 Rev 1 5/41

JTAG AN4035

2 JTAG

JTAG is a serial communication protocol developed by the Joint Test Access Group.
Originally developed for boundary scan, JTAG is also used for communication with the
Nexus debug interface (NDI) on the SPC560x devices.

2.1 JTAG signals

The JTAG port of the SPC56x devices consists of the TCK, TDI, TDO, TMS and JCOMP
pins. TDI, TDO, TMS, and TCK are compliant with the IEEE 1149.1-2001 standard and are
shared with the NDI through the test access port (TAP) interface. See Ta bl e 1 for signal
properties.

Table 1. JTAG signal properties

Name I/O Function

TCK I Test Clock

TDI I Test Data In

TDO O Test Data Out

TMS I Test Mode Select

JCOMP I JTAG Compliancy

The JCOMP pin assertion allows to put the JTAGC in reset state.

2.2 TAP controller state machine

The TAP controller state machine controls the JTAG logic. The TAP controller state machine
is a 16-state finite state machine (FSM) as shown in Figure 1. The TCK and TMS signals
control transition between states of the FSM. These two signals control whether an
instruction register scan or data register scan is performed. Both the TDI and TMS inputs
are sampled on the rising edge of TCK while the TDO output changes on the falling edge of
TCK. The value shown next to each state of the state machine in Figure 2 is the value of
TMS required on the rising edge of TCK to transition to the connected state. Five rising
edges of TCK with TMS at logic 1 guarantee entry into the TEST LOGIC RESET state.

6/41 Doc ID 022669 Rev 1

AN4035 JTAG

Figure 1. TAP controller finite state machine

7(67/2*,&
5(6(7





5817(67,'/ (





6(/(&7'56&$1



&$3785('5



6+ ,)7'5



(;,7' 5





6(/(&7,56&$1





&$3785(,5



6+ ,)7,5







(;,7,5









3$8 6 ('5







(;,7'5



83'$7('5





Doc ID 022669 Rev 1 7/41

3$86(,5





(;,7,5



83'$7(,5







JTAG AN4035

2.3 JTAG controller (JTAGC)

The JTAGC provides the means to test chip functionality and connectivity while remaining
transparent to system logic when not in TEST mode. Testing is performed via a boundary
scan technique, as defined in the IEEE 1149.1-2001 standard. In addition, instructions can
be executed in order to allow the Test Access Port (TAP) to be shared with other modules on
the MCU. All data input to and output from the JTAGC is communicated in serial format. A
block diagram of the JTAGC is shown in Figure 3.

Figure 2. JTAG controller block diagram

JCOMP

Test Access Port (TAP)

TMS

TCK

Controller

TDI

.

.

.
.

.
.
.

.

1-Bit Bypass Register

32-Bit Device Identification Register

Boundary Scan Register

TEST_CTRL Register

CENSOR_CTRL Register

5-Bit TAP Instruction Decoder

5-Bit TAP Instruction Register

2.4 Modes of operation

TDO

Access to the JTAGC data registers is done by loading the instruction register with any of
the JTAGC instructions while the JTAGC is enabled. Instructions are shifted in via the select­IR-scan path and loaded in the update-IR state. At this point, all data register access is
performed via the select-DR-scan path.
The select-DR-scan path is used to read or write the register data by shifting in the data
(LSB first) during the shift-DR state. When reading a register, the register value is loaded
into the shifter during the capture-DR state. When writing a register, the value is loaded from

8/41 Doc ID 022669 Rev 1

AN4035 JTAG

the shifter to the register during the update-DR state. When reading a register, there is no
requirement to shift out the entire register contents. Shifting can be terminated after fetching
the required number of bits.

2.4.1 Reset

The JTAGC is placed in reset when the TAP controller state machine is in the TEST-LOGIC­RESET state.
The TEST-LOGIC-RESET state is entered upon the assertion of the power-on reset signal,
negation of JCOMP, or through TAP controller state machine transitions controlled by TMS.
Asserting power-on reset or negating JCOMP results in asynchronous entry into the reset
state. While in reset, the following actions occur:

● The TAP controller is forced into the test-logic-reset state, thereby disabling the test

logic and allowing normal operation of the on-chip system logic to continue unhindered.

● The instruction register is loaded with the IDCODE instruction.

In addition, execution of EXTEST instruction results in assertion of the internal system reset.

2.4.2 Test mode

Several TEST modes are supported, as well as a bypass mode and they are entered using
the following instructions:

● EXTEST

● SAMPLE

● SAMPLE/PRELOAD

Each instruction defines the set of data registers that can operate and interact with the on­chip system logic while the instruction is current. Only one test data register path is enabled
to shift data between TDI and TDO for each instruction.

Following the test modes available:

1. BYPASS mode

When no test operation is required, the BYPASS instruction can be loaded to place the
JTAGC into bypass mode. While in bypass mode, the single-bit bypass shift register is
used to provide a minimum-length serial path to shift data between TDI and TDO.

2. TAP Sharing Mode

There are three selectable auxiliary TAP controllers that share the TAP with the JTAGC.
Selectable TAP controllers include:

- Nexus port controller (NPC)

- On Chip Emulator (ONCE) controller

- TCU controller

The instructions required to grant ownership of the TAP to the auxiliary TAP controllers are
ACCESS_AUX_TAP_NPC, ACCESS_AUX_TAP_ONCE, ACCESS_AUX_TAP_TCU.
Instruction opcodes for each instruction are shown in Tab l e 2.

When the access instruction for an auxiliary TAP is loaded, control of the JTAG pins is
transferred to the selected TAP controller. Any data input via TDI and TMS is passed to the
selected TAP controller, and any TDO output from the selected TAP controller is sent back to
the JTAGC to be output on the pins. The JTAGC regains control of the JTAG port during the
UPDATE-DR state if the PAUSE-DR state was entered. Auxiliary TAP controllers are held in
RUN-TEST/IDLE while they are inactive.

Doc ID 022669 Rev 1 9/41

JTAG AN4035

Table 2. JTAG instructions

Instruction Code[4:0] Instruction summary

IDCODE 00001

SAMPLE/PRELOAD 00010

SAMPLE 00011

EXTEST 00100

ACCESS_AUX_TAP_TCU 10000

ACCESS_AUX_TAP_ONCE 10001

ACCESS_AUX_TAP_NPC 10010

Reserved 10010 -

BYPASS 11111

Selects device identification
register for shift

Selects boundary scan register
for shifting, sampling, and

preloading without disturbing
functional operation

Selects boundary scan register
for shifting and sampling without

disturbing functional operation

Selects boundary scan register
while applying preloaded values
to

output pins and asserting
functional reset

Grants the TCU ownership of
the TAP

Grants the PLATFORM
ownership of the TAP

Grants the Nexus port controller
(NPC) ownership of the TAP

Selects bypass register for data
operations

00101

Factory Debug Reserved

Reserved All other codes

00110
01010

2.5 Enabling debug of a censored device

When a device is in a censored state, the debug port (JTAG/Nexus) is disabled and only
JTAG BSDL commands can be used. Access to the Nexus/JTAG clients on a censored
device requires inputting the proper password into the JTAG Censorship Control Register
during reset.

When the debug port is enabled on a censored device, it is enabled only until the next reset.

Figure 3 shows the logic that enables access to Nexus clients in a censored device using

the JTAG port.

Intended for factory debug only

Decoded to select bypass
register

10/41 Doc ID 022669 Rev 1

AN4035 JTAG

Figure 3. Enabling JTAG/Nexus port access on a censored device

Censored Flash Array

64-bit Password

Compare

JTAG Port Controller

CENSOR_CTRL register

Enable/disable

Other Nexus Clients

•eDMA

• e200z3 processor
.
.
.

Nexus client

TAP controller

64-bit Password

Debug/Calibration Tool

Access

The steps to enable the debug port on a censored device are as follows:

1. After the RSTOUT pin has is negated, hold the device in system reset state using a
debugger or other tool.

2. While the device is being held in system reset state shift the 64-bit password into the
CENSOR_CTRL register (via the JTAG port using the JTAG
ENABLE_CENSOR_CTRL instruction. The JTAG serial password is compared against
the serial boot flash password from the flash shadow block.

3. If there is a match the Nexus client TAP controller enters normal operation mode and
the DISNEX flag in the SIU_CCR register is negated (for the SPC56xB and SPC56xP
families the flag NXEN in the SSCM_STATUS register is negated) indicating Nexus is
enabled. Upon negation of reset the debug / calibration tool is able to access the device
via NEXUS port and JTAG. If the JTAG serial password does not match the serial boot
flash password or the serial boot flash password is an illegal password then the debug /
calibration tool is not able to access the device. After the debug port is enabled, the tool
can access the censored device and can erase and reprogram the shadow flash block
in order to uncensor the device.

Doc ID 022669 Rev 1 11/41

JTAG AN4035

Note: If the shadow flash block is erased without reprogramming a new valid password before a

reset, it contains an illegal password and the debug port is inaccessible.

4. Subsequent resets clear the JTAG censor password register and the Nexus client TAP
controller holds in reset again. Therefore, the tool must resend the JTAG serial
password, as described above, in order to enable the Nexus client TAP controller again.

2.5.1 CENSOR_CTRL register

The CENSOR_CTRL register is an shift register path from TDI to TDO selected when the
ENABLE_CENSOR_CTRL instruction is active. The CENSOR_CTRL register transfers its
value to a parallel hold register on the rising edge of TCK when the TAP controller state
machine is in the Update-DR state. The parallel hold register bits CENSOR_CTRL
correspond directly to the JTAGC output control internal signals jtag_censor_ctrl. The
jtag_censor_ctrl signals are used to control chip dependent censorship features. Once the
ENABLE_CENSOR_CTRL instruction is executed, jtag_censor_ctrl remains valid until a
JTAGC reset occurs.

12/41 Doc ID 022669 Rev 1

AN4035 On-Chip Emulation (OnCE)

3 On-Chip Emulation (OnCE)

From
JTAGC

TCK

TDI

All of the SPC56x devices possess a OnCE module for debug control of the Power
Architecture
including run-time control, register access, and memory access to all memory-mapped
regions including on-chip peripherals, as well as providing access to the Nexus2 & Nexus3
configuration registers. The OnCE module is controlled by the JTAG signals through the
OnCE TAP controller.

Figure 4. e200z OnCE block diagram

e200z0_TRST

{

e200z0_TMS

.

.

.

.

®

e200 core. The OnCE logic provides Nexus class 1 static debug capability

Test Access Port (TAP)

Controller

TDO Mux

Control

TAP Instruction Register
(OnCE OCMD)

Bypass Register

e200z0_TDO

External Data Register

(to JTAGC)

.

.

OnCE Mapped Debug Registers

Auxiliary Data Register

3.1 Enabling the OnCE TAP controller

Control of the OnCE module is obtained through the OnCE TAP controller. To enable the
OnCE TAP controller, the JTAGC must have control of the TAP and the
ACCESS_AUX_TAP_ONCE (0b10001) opcode must be loaded into the 5-bit JTAGC
instruction register with the JCOMP signal set to a logic 1.

The JTAGC instruction register is loaded by scanning in the appropriate bits on the TDI pin,
least significant bit (LSB) first, while in the SHIFT-IR state of the TAP controller state
machine. The last bit is shifted in with TMS set to a logical 1 causing transition from the
SHIFT-IR state to the EXIT1-IR state. Table 3-1 shows the steps required to enable the
OnCE TAP controller, assuming the TAP controller state machine is initially in the RUN-

Doc ID 022669 Rev 1 13/41