Pentium ® ITP Secrets Page updated on: Wed August 9 2000 You can reach me at
michael.lerman@bigfoot.com
What is here?
If you are looking for information about the ITP (In Target Probe) port of the Pentium ® (P6 architecture), you arrived to the right place. This information is kept secret by Intel. It is given only under NDA (Non Disclosure Agreement) to some ICE (In Circuit Emulator) vendors. Apparently there is no other way to get this information from Intel. Never mind ! I did some reverse engineering to get that and I want to share it with the entire world. A quick description of the basic operations of the ITP JTAG port is given in Chapter 6 of "Pentium ® II Processor Developer’s Manual" (doc #243502-001). This actually describes the instructions of the JTAG port defined in the standard IEEE 1149.1. The ICE operations is based on private instructions which can be found here. All what we learn from there is that the instruction register size is 6 bits.
Instruction 010010 - 12 hex
This is the most commonly used instruction for the ICE ITP. Instruction 12 allows access to a register with a variable lenght. I found that this register can be 3, 4, 5, 8 or even 9 bytes large. Let's call this register "the Processor Opcode Command register" or the POC register. The POC register is used to send the command, the address and the data in case of a write operation. The strange point is that the POC register is sent through the TAP controller MSB (Most Significant Bit) first when usually the TAP registers are sent LSB (Least Significant Bit) first like the (IR) Instruction Register.
Following this post, DaveMN sent me some opcode decoded:
66: opcode override
B8: MOV EAX, const32
A3: MOV [const32], EAX
They appear in the code below.
Instruction 010011 - 13 hex
Instruction 13 reads a register A. This is a fixed size 32 bit register. Unlike the POC register the data register is transmitted LSB first.
Instruction 010100 - 14 hex
Instruction 14 accesses to another 32 bit register B. This instruction is similar to instruction 13.
Instruction 101110 - 2e hex
Instruction 2e is not associated to any register. It is executed before getting the read data in the data register.
Instruction 101111 - 2f hex
Instruction 2f also, is not associated to any register. It is executed after getting the read data in the data register.
Please check the following sequences. They speak by themselves.
1: Byte IO Write
The following code, commands the CPU to perform a byte IO write at a specified address.
void itp_out8(unsigned int address, unsigned char data)
{
unsigned long msb, lsb;
itp_enter_probe_mode_w_dbreq();
msb=0x43eb0000L;
lsb=address;
lsb<<=16;
lsb|=0x0000ba66L;
itp_write_POC(msb, lsb, 8); /* write address */
lsb=data;
lsb<<=16;
lsb|=0x0000b866L;
itp_write_POC(msb, lsb, 8); /* write data */
msb=0x43ebee00L;
itp_write_POC(msb, lsb, 3);
}
2: Word IO Write
The following code, commands the CPU to perform a word IO write at a specified address.
void itp_out16(unsigned int address, unsigned int data)
{
unsigned long msb, lsb;
itp_enter_probe_mode_w_dbreq();
msb=0x43eb0000L;
lsb=address;
lsb<<=16;
lsb|=0x0000ba66L;
itp_write_POC(msb, lsb, 8); /* write address */
lsb=data;
lsb<<=16;
lsb|=0x0000b866L;
itp_write_POC(msb, lsb, 8); /* write data */
msb=0x43ebef00L;
itp_write_POC(msb, lsb, 3);
}
3: Dword IO Write
The following code, commands the CPU to perform a dword IO write at a specified address.
void itp_out32(unsigned int address, unsigned long data)
{
unsigned long msb, lsb;
itp_enter_probe_mode_w_dbreq();
msb=0x43eb0000L;
lsb=address;
lsb<<=16;
lsb|=0x0000ba66L;
itp_write_POC(msb, lsb, 8); /* write address */
msb&=0xffff0000L; /* clear add */
lsb=data;
lsb>>=16;
msb|=lsb;
lsb=data;
lsb<<=16;
lsb|=0x0000b866L;
itp_write_POC(msb, lsb, 8); /* write data */
msb=0x43ebef66L;
itp_write_POC(msb, lsb, 4);
}
4: Byte IO Read
The following code, commands the CPU to perform a byte IO read at a specified address.
unsigned char itp_in8(unsigned int address)
{
unsigned long msb, lsb;
unsigned char ret;
itp_enter_probe_mode_w_dbreq();
msb=0x43eb0000L;
lsb=address;
lsb<<=16;
lsb|=0x0000ba66L;
itp_write_POC(msb, lsb, 8); /* write address */
msb=0x43ebec00L;
itp_write_POC(msb, lsb, 3);
msb=0x43eb0071L;
lsb=0xb9000000L;
itp_write_POC(msb, lsb, 5);
msb=0x43eb320fL;
itp_write_POC(msb, lsb, 4);
jtag_send_instruction_in("011101"); /* instruction 0x2e */
ret=(unsigned char) itp_read32_any(0x13); /* data reg instruction 0x13 */
jtag_send_instruction_in("111101"); /* instruction 0x2f */
return ret;
}
5: Word IO Read
The following code, commands the CPU to perform a word IO read at a specified address.
unsigned int itp_in16(unsigned int address)
{
unsigned long msb, lsb;
unsigned int ret;
itp_enter_probe_mode_w_dbreq();
msb=0x43eb0000L;
lsb=address;
lsb<<=16;
lsb|=0x0000ba66L;
itp_write_POC(msb, lsb, 8); /* write address */
msb=0x43ebed00L;
itp_write_POC(msb, lsb, 3);
msb=0x43eb0071L;
lsb=0xb9000000L;
itp_write_POC(msb, lsb, 5);
msb=0x43eb320fL;
itp_write_POC(msb, lsb, 4);
jtag_send_instruction_in("011101"); /* instruction 0x2e */
ret=(unsigned int) itp_read32_any(0x13); /* data reg instruction 0x13 */
jtag_send_instruction_in("111101"); /* instruction 0x2f */
return ret;
}
6: Dword IO Read
The following code, commands the CPU to perform a dword IO read at a specified address.
unsigned long itp_in32(unsigned int address)
{
unsigned long msb, lsb;
unsigned long ret;
itp_enter_probe_mode_w_dbreq();
msb=0x43eb0000L;
lsb=address;
lsb<<=16;
lsb|=0x0000ba66L;
itp_write_POC(msb, lsb, 8); /* write address */
msb=0x43ebed66L;
itp_write_POC(msb, lsb, 4);
msb=0x43eb0071L;
lsb=0xb9000000L;
itp_write_POC(msb, lsb, 5);
msb=0x43eb320fL;
itp_write_POC(msb, lsb, 4);
jtag_send_instruction_in("011101"); /* instruction 0x2e */
ret=itp_read32_any(0x13); /* data reg instruction 0x13 */
jtag_send_instruction_in("111101"); /* instruction 0x2f */
return ret;
}
7: Dword Memory Write
The following code, commands the CPU to perform a dword memory write at a specified physical address.
void itp_MemoryWrite32(unsigned long add, unsigned long data)
{
unsigned long msb, middle, lsb;
itp_enter_probe_mode_w_dbreq();
msb=0x43eb0000L;
middle=data;
middle>>=16; /* msb of the data */
msb|=middle;
middle=data;
middle&=0x0000ffffL; /* lsb of the data */
middle<<=16; /* 66 is opcode override */
middle|=0x0000b866L; /* b8 is the opcode for MOV EAX,const32 (Thanks Dave)*/
lsb=0L;
itp_write_POC(msb, middle, lsb, 8); /* write data */
msb=0x43eb0000L;
middle=add;
middle>>=16; /* msb of the add */
msb|=middle;
middle=add;
middle&=0x0000ffffL; /* lsb of the add */
middle<<=16;
middle|=0x0000a366L; /* a3 is the opcode for MOV [const32], EAX (Thanks Dave)*/
lsb=0x67000000L;
itp_write_POC(msb, middle, lsb, 9);
}
8: Dword Memory Read
The following code, commands the CPU to perform a dword memory read at a specified physical address.
unsigned long itp_MemoryRead32(unsigned long add)
{
unsigned long msb, middle, lsb;
unsigned long ret;
itp_enter_probe_mode_w_dbreq();
msb=0x43eb0000L;
middle=add;
middle>>=16; /* msb of the add */
msb|=middle;
middle=add;
middle&=0x0000ffffL; /* lsb of the add */
middle<<=16;
middle|=0x0000a166L;
lsb=0x67000000L;
itp_write_POC(msb, middle, lsb, 9); /* write address */
msb=0x43eb0071L;
middle=0xb9000000L;
itp_write_POC(msb, middle, 0L, 5);
msb=0x43eb320fL;
itp_write_POC(msb, middle, 0L, 4);
jtag_send_instruction_in("011101"); /* instruction 0x2e */
ret=itp_read32_any(0x13); /* data reg instruction 0x13 */
jtag_send_instruction_in("111101"); /* instruction 0x2f */
return ret;
}
Other information coming soon...