Can CycloneIII FPGA lock JTAG?

littleshrimp

Can CycloneIII FPGA lock JTAG? [Copy link]

 

I recently disassembled a thermal imaging camera from BMW. The FPGA inside is ALTERA's EP3C25U256A7N. I want to try to reverse engineer the PCB and directly develop on this FPGA. The PCB seems to have reserved JTAG test points, but I wonder if the manufacturer of this FPGA may lock it before leaving the factory and not allow further development?

cruelfox

Having played with altera cyclone 1, 2, 3, and 4 generations, I have never heard of JTAG being locked.

tagetage

1 FPGA devices have three types of configuration download methods: active configuration method (AS), passive configuration method (PS) and the most commonly used (JTAG) configuration method.

AS mode (active serial configuration mode): Each time the FPGA device is powered on, it acts as a controller and guides the configuration operation process. It controls the external memory and initialization process, and actively sends a read data signal from the configuration device EPCS, thereby reading the EPCS data into the FPGA, and implementing the programming of the FPGA. The configuration data is sent to the FPGA through the DATA0 pin, and the configuration data is synchronized on the DCLK input, and 1 bit of data is transmitted in 1 clock cycle.

PS mode (passive serial configuration mode): The configuration process is controlled by an external computer or controller. It is completed through enhanced configuration devices (EPC16, EPC8, EPC4) and other configuration devices. EPCS is used as a control device, and the FPGA is used as a memory to write data into the FPGA to realize the programming of the FPGA. This mode can realize the online programming of the FPGA. When downloading the configuration, for Cyclone II devices, such as EP2C8, the JTAG download method corresponds to .sof, and the AS download method corresponds to .pof.

JTAG: JTAG is burned directly into the FPGA. Since it is SRAM, it needs to be reburned after power failure. AS is burned into the FPGA configuration chip and saved. It is written into the FPGA every time the power is turned on.

Generally, there should be two download modes on the Cyclone II development board, AS and JTAG.

AS is to download the .pof file to EPCS, while JTAG is to download the .sof file to the RAM in FPGA.

For the principle of JTAG, you can refer to "ARM JTAG Debugging Principles" written by the OPEN-JTAG development team. JTAG and BDM are similar. In fact, they embed the simulation function into the chip. You can develop by connecting a relatively simple debugging tool, saving the expensive simulator.

JTAG debugging uses the TCK, TMS, TDI, TDO and TRST pins. TRST is used to reset the TAP controller , which is not necessary. The TAP controller can also be reset on the TMS pin.

Test Clock Input (TCK)

TCK provides an independent, basic clock signal for TAP operation. All TAP operations are driven by this clock signal. TCK is mandatory in the IEEE 1149.1 standard.

Test Mode Selection Input (TMS)

The TMS signal is used to control the transition of the TAP state machine. Through the TMS signal, the TAP can be controlled to transition between different states. The TMS signal is valid on the rising edge of TCK. TMS is mandatory in the IEEE 1149.1 standard.

Test Data Input (TDI)

TDI is the interface for data input. All data to be input to a specific register is input serially one bit at a time through the TDI interface (driven by TCK). TDI is mandatory in the IEEE 1149.1 standard.

Test Data Output (TDO)

TDO is the interface for data output. All data to be output from a specific register is output serially one bit at a time through the TDO interface (driven by TCK). TDO is mandatory in the IEEE 1149.1 standard.

Test Reset Input (TRST)

TRST can be used to reset (initialize) the TAP Controller . However, this signal interface is optional in the IEEE 1149.1 standard and is not mandatory, because the TAP Controller can also be reset (initialized) through TMS.

When the FPGA is working normally, its configuration data is stored in SRAM and must be downloaded again when the power is turned on. In experimental systems, debugging is usually performed using a computer or controller, so PS can be used. In practical systems, in most cases, the FPGA must actively guide the configuration operation process. At this time, the FPGA will actively obtain configuration data from a peripheral dedicated storage chip, and the FPGA configuration information in this chip is burned into the .pof format file obtained by the design using an ordinary programmer.

Dedicated configuration devices: EPC-type memory

Common configuration devices: EPC1, EPC2, EPC4, EPC8, EPC1441 (now it seems to have been phased out), etc. For Cyclone II series devices, ALTERA also provides configuration devices for AS mode, EPCS series. For example, EPCS1 and EPCS4 configuration devices are also serially configured. Note that they are only applicable to the cyclone series.

littleshrimp

cruelfox posted on 2021-9-13 11:53 I have played with altera cyclone 1, 2, 3, 4 generations, and have never heard of JTAG being locked.

Cyclone doesn't have efuse like Xilinx FPGA, right?

ou513

I've played with Cyclone 4, and I've never heard of locking JTAG. However, this mass-produced product only needs to burn the configuration chip flash, so it's normal that there is no reserved JTAG interface.

littleshrimp

tagetage published on 2021-9-13 12:59 1 There are three types of configuration download methods for FPGA devices: active configuration method (AS), passive configuration method (PS) and the most commonly used (JTAG) configuration method. ...

Thanks

littleshrimp

ou513 posted on 2021-9-13 13:35 I have played with cyclone 4, and I have never heard of locking JTAG. However, this mass-produced product only needs to burn the configuration chip flash, and there is no reserved JTAG interface, which is very positive...

This board has some test points reserved. Looking at the 2*5 arrangement on the right, it seems that JTAG is more likely. If I can develop it again, I will try to reverse engineer the PCB and use it directly.

Components are hard to buy now. A board-to-board connector costs dozens of dollars. The EP3C25U256A7N is ridiculously expensive, with the spot price on the website being over 1,000.

IC爬虫

I'm curious about which model of thermal imaging camera you used?

littleshrimp

IC Crawler published on 2021-9-13 15:04 I am curious about which model of thermal imaging camera you used?

The entire FLIR EX series seems to use this sensor, and the low pixel count is limited by software. There is also the FLIR ETS320.

wsmysyn

littleshrimp

wsmysyn published on 2021-9-13 16:05

It seems that I really don't know how it is achieved. Is it physically disabled or disabled during the current firmware runtime?

wsmysyn

littleshrimp posted on 2021-9-13 17:10 It seems that I really don’t know how to achieve physical disabling or current firmware runtime disabling

I haven't found this, and I haven't seen any settings in Quartus. It's described in the ds of Cyclone III.

I didn't see this description in the cyclone IV ds

If there is no OTP control inside, it is probably that the software changes the JTAG to a normal IO, similar to how the microcontroller changes the SWD interface to IO.

Maybe it's not for protection, but just for IO expansion? I might need to ask someone from Altera what it means.

littleshrimp

wsmysyn posted on 2021-9-13 17:29 I haven't found this either, and I haven't seen any settings on Quartus. It's described in the ds of Cyclone III, and in the ds of Cyclone IV...

I just tested it and it looks like the JTAG test point is on the back FLASH. I guess this idea is out of the question.

wsmysyn

littleshrimp posted on 2021-9-13 18:41 I just tested it and it looks like the JTAG test point is on the back FLASH. I think this idea is going to be a failure.

Now that I have the circuit, can I modify it myself to connect the jtag port?

littleshrimp

wsmysyn posted on 2021-9-13 19:09 Now that the circuit is ready, can I modify it myself and connect the JTAG port?

If there is no corresponding test point, it is very difficult to fly the JTAG line under the BGA.

IC爬虫

littleshrimp posted on 2021-9-13 16:01 The entire FLIR EX series seems to use this sensor, and the low pixel is limited by software. There is also FLIR ETS320.

FLIR devices cost thousands of dollars. Did you buy this second-hand from somewhere?

littleshrimp

IC Crawler published on 2021-9-13 19:59 FLIR devices cost thousands of dollars. Did you buy this second-hand from somewhere?

I bought it on Xianyu

wsmysyn

littleshrimp posted on 2021-9-13 19:52 It is very difficult to fly out the JTAG line under the BGA without a corresponding test point

Oh, I thought you had a circuit layout to re-layout.