Howto spy on JTAGICE


I set the JTAG clock to 10 through "jtagice". If I
remember correctly, the JTAG clock was then set to 100
microseconds.

When I repeated some of the commands, the JTAG clock
changed to approximately 420 microseconds. Why this is,
I don't know, but it was very welcome.
Anyway, here are some results of the spy tool.


Dumping into a file.

To capture the results I first set up the serial port as
root, disabling the extra <CR>:

	# stty -F /dev/ttySxx speed 115200 -igncr inlcr

And then, as an ordinary user:

	$ cat /dev/ttySxx > <result.txt>



Analysis.

Feeding AVR instructions.

It seems that the On-Chip Debug system must be fed with
AVR instructions, i.e. the debugger shifts opcodes straight
into the core's pipeline over JTAG. Another core that is
debugged this way is the ARM7TDMI, whose EmbeddedICE logic
also takes instructions through the JTAG scan chain. Atmel,
amongst others, produces the AT91M40800, which is based on
the ARM7TDMI core.

In that case you can disassemble it as a user with
(thanks to Theodore Roth, who gave me these hints :-) ):

	$ printf "\x<lo_byte>\x<hi_byte>" > foo.bin

or, if the file already exists, append the next opcode after
the previous one with:

	$ printf "\x<lo_byte>\x<hi_byte>" >> foo.bin

where <hi_byte> and <lo_byte> are the two hex bytes of the
opcode as you see them in the spy output (high byte first on
the wire). Write the low byte first: avr-objdump reads a raw
binary as little-endian 16-bit words, which is also how the
opcodes are stored in flash. Note: don't forget the "\x".

You can check the file with:

	od -h foo.bin

Be aware that od -h prints 16-bit words in the host's byte
order, so on a little-endian PC each opcode shows up as one
word with the high byte first, i.e. the way the spy tool shows
it, even though the low byte comes first in the file.



Disassembly

In order to find out which AVR instruction this is, disassemble
the file with:

	avr-elf-objdump -D --target=binary --architecture=avr:5 foo.bin

objdump needs -D (disassemble all) here; without a disassemble
option it only prints the file header. avr:5 is the architecture
of the ATmega16, which is what I had to do this for. Depending on
your toolchain the binary may be called avr-objdump instead.



Now the most important thing:

The JTAG instruction sequence needed to push AVR instructions
into the target is:

goto JTAG Instruction Register	: jtag instruction 0xA (Shift-IR)
goto JTAG Data Register		: the 16-bit AVR opcode, straight into the pipeline (Shift-DR)

The AVR opcode is sent high byte first (big endian); you can see
this in the output of the spy tool. Take this into account when
you build foo.bin for the disassembler, which expects the low
byte first.


Other JTAG instructions seen in the trace (the OCD instructions
are private and not documented in the datasheet; the descriptions
after --> are interpretations of the trace, not datasheet names):

jtag instruction reg	= <0x1>
jtag data reg		= <0x.. 0x.. 0x.. 0x..>	--> 32-bit JTAG id (IDCODE), shifted out

--------------------------------------------------------------------------
input :
jtag instruction reg	= <0xC> 		--> set debug mode 
jtag data reg		= <0xC>

output :
-

--------------------------------------------------------------------------
input :
jtag instruction reg	= <0xB> 		--> get break status
jtag data reg		= <0x9>

output :
jtag data reg		= <0x2000>

--------------------------------------------------------------------------
input :
jtag instruction reg	= <0x5> 		--> leave program status
jtag data reg		= <0x33>
jtag data reg		= <0x04>
jtag data reg		= <0x0000>

output :
jtag data reg		= <0x2000>

--------------------------------------------------------------------------
input :
jtag instruction reg	= <0xA> 		--> feed instruction into pipeline
jtag data reg		= <AVR opcode>
