Huluic
Admin Panel...
Encyclopediav0

On-Chip Debugging

Last updated:

On-Chip Debugging

On-chip debugging (OCD) is a hardware-assisted debugging methodology for embedded systems and microcontrollers that utilizes dedicated circuitry integrated within the processor or system-on-a-chip (SoC) to enable external monitoring and control of program execution [1][3]. It is a critical technique in embedded systems development, collectively categorized alongside off-chip external debug methods [3]. This approach allows developers to debug software as it runs directly on the target silicon, providing a window into the internal state of the device without requiring the software to be emulated on different hardware [2]. By integrating debug functionality onto the chip itself, OCD systems offer a powerful alternative to traditional external debugging tools like in-circuit emulators (ICE), which substitute for the target processor, often at greater cost and complexity [3][3]. The core principle of on-chip debugging involves a combination of on-chip hardware and off-chip software [3]. An on-chip debug module, implemented as dedicated silicon, provides mechanisms for halting the processor, examining and modifying memory and registers, and setting breakpoints or watchpoints [3]. An external development platform, typically a debugger or debug adapter, communicates with this internal module through a standardized physical interface [3]. A commonly used protocol for this communication is JTAG (Joint Test Action Group), though many semiconductor vendors have developed their own proprietary interfaces and technologies, such as Background Debug Mode (BDM), OnCE, and MPSD [1][3]. These vendor-specific technologies are collectively referred to as on-chip debug [3]. The key characteristic of OCD is that the application being analyzed is executed on the actual target device, not emulated, leading to highly accurate real-time observation of system behavior [2]. On-chip debug technologies are fundamental to modern embedded software development, offering a blend of capabilities traditionally associated with both debug monitors and in-circuit emulators but with reduced cost and system intrusion [3]. Their applications span from initial firmware bring-up and algorithm validation to performance profiling and the diagnosis of complex, real-time faults in deployed systems. The integration of debug circuitry directly into microcontrollers and SoCs represents a significant industry trend to counter the increasing complexity and shrinking physical access points in modern electronics [3]. As such, on-chip debugging has become a standard feature in most contemporary embedded processors, providing developers with essential visibility and control for creating reliable software for everything from simple microcontrollers to advanced multicore SoCs [3].

Overview

On-chip debugging (OCD) represents a fundamental architectural shift in embedded systems development, moving debugging capabilities from external hardware into the processor silicon itself. Unlike traditional in-circuit emulation (ICE), which substitutes the target processor with specialized hardware to enable real-time monitoring and control [9], OCD integrates dedicated debugging circuitry directly onto the microprocessor or microcontroller die. This embedded approach allows developers to monitor and control program execution on the actual target device without requiring physical substitution of the processor [9]. The technology emerged in response to increasing system complexity, higher clock speeds, and surface-mount packaging that made traditional emulation techniques increasingly impractical and costly.

Architectural Implementation and Core Mechanisms

The implementation of on-chip debugging involves several hardware components integrated into the processor architecture. A central element is the hardware breakpoint system, which operates independently from software-based breakpoints. When a developer sets a hardware breakpoint at a specific memory address, that target address is loaded into a dedicated hardware comparator register [6]. The processor's program counter is continuously compared against this register value during execution. When a match occurs, the comparator circuit generates a halt request signal that interrupts normal processor operation, freezing execution at precisely the desired instruction [6]. This hardware-based approach offers significant advantages over software breakpoints, which typically involve replacing instruction opcodes with special breakpoint instructions, thereby altering the original program code. Additional OCD circuitry typically includes:

  • Real-time trace buffers that capture program flow without halting execution
  • Watchpoint registers for monitoring data accesses to specific memory locations
  • Serial communication interfaces dedicated to debugger communication
  • Processor state capture registers that preserve context during debug events
  • Clock domain crossing logic to maintain debug functionality across different processor clock modes

These components operate in parallel with the main processor core, enabling non-intrusive observation of system behavior. The debug logic typically runs on a separate clock domain or utilizes clock gating techniques to minimize power consumption when debugging features are inactive.

Evolution from Traditional Debugging Methods

The development of OCD technologies addressed specific limitations inherent in earlier debugging methodologies. Background Debug Mode (BDM), pioneered by Motorola (now NXP Semiconductor) for their 68HC12 and later microcontroller families, established an early standard for on-chip debugging through a dedicated serial interface. This approach provided developers with direct access to processor internals while the device operated in normal system context. Similarly, On-Chip Emulation (OnCE) and Microprocessor System Debug (MPSD) represented proprietary implementations from other semiconductor vendors, each offering variations on the core concept of integrated debug hardware. The transition to OCD was driven by multiple technological factors:

  • Increasing processor clock speeds exceeding 100 MHz made signal integrity challenging for external emulation pods
  • Surface-mount packages with fine-pitch leads or ball-grid arrays limited physical access to processor signals
  • System-on-chip designs with multiple clock domains complicated external timing analysis
  • Low-power modes that shut down external interfaces rendered traditional debug connections unusable
  • Real-time operating systems requiring non-intrusive debugging during task execution

As noted earlier, the key characteristic distinguishing OCD from emulation is that the application executes on the actual target device, providing highly accurate observation of system behavior. This execution fidelity comes from the debug logic monitoring the live processor rather than reconstructing behavior from external signals.

Standardization and Interface Protocols

While early implementations were largely proprietary, industry standardization efforts have coalesced around several interface protocols. The IEEE 1149.1 Joint Test Action Group (JTAG) standard, originally developed for boundary scan testing, has been widely adopted as a transport layer for OCD implementations. Many semiconductor vendors have added software debug capabilities to their existing JTAG ports, creating a common physical interface for both testing and debugging functions. This convergence allows developers to use standardized hardware debug probes across multiple device families from different manufacturers. The debugging protocol itself typically operates through a command-response mechanism where the host debugger sends commands to the on-chip debug module, which then executes operations such as:

  • Reading and writing processor registers
  • Accessing memory spaces (flash, RAM, and peripherals)
  • Controlling program execution (run, halt, single-step)
  • Configuring breakpoints and watchpoints
  • Streaming real-time trace data

Higher-performance implementations may utilize additional dedicated debug pins beyond the basic JTAG interface to support features like real-time trace output, which streams program counter values and other execution data to external capture hardware without interrupting processor operation.

Comparative Advantages and Limitations

On-chip debugging offers several distinct advantages over traditional in-circuit emulation. The integrated nature of OCD eliminates signal fidelity issues associated with physical connection between emulator pods and target systems, particularly at high clock speeds. Since the debug logic observes the actual processor core, timing measurements reflect true system behavior rather than emulated approximations. OCD systems also typically support debugging in low-power modes where external interfaces might be disabled, a capability rarely available with traditional ICE systems. However, OCD implementations face certain constraints inherent to their integrated design:

  • Limited number of hardware breakpoints (typically 4-8 comparators) compared to virtually unlimited software breakpoints
  • Fixed functionality determined at silicon design time, lacking the flexibility of reprogrammable external emulation hardware
  • Potential silicon area overhead (typically 5-15% of core logic) dedicated to debug circuitry
  • Dependency on processor resources that may affect worst-case interrupt latency during debug events
  • Security considerations requiring careful implementation to prevent unauthorized access through debug ports

Despite these limitations, the semiconductor industry has widely adopted OCD as the primary debugging methodology for embedded systems. The technology continues to evolve with enhancements like multi-core debugging support, non-intrusive data trace, and power-aware debugging that maintains functionality across all device power states. Building on the execution fidelity mentioned previously, these advancements ensure that developers can analyze true system behavior under actual operating conditions, a capability that has become essential as embedded systems grow in complexity and performance requirements.

Historical Development

The historical development of on-chip debugging (OCD) represents a significant evolution in embedded systems development, transitioning from external hardware emulation to integrated silicon-based solutions. This progression was driven by increasing microprocessor complexity, rising costs of traditional emulation, and the need for more accurate real-time debugging in target systems.

Early Foundations and the Emulation Era (1970s-1980s)

The earliest debugging of microprocessor-based systems relied on primitive methods such as single-stepping processors and analyzing logic states with oscilloscopes. The introduction of the first in-circuit emulators (ICEs) in the late 1970s marked a major advancement. These systems replaced the target microprocessor with a specialized pod that emulated the processor's functionality while providing control and visibility to the developer. While revolutionary for their time, ICE systems faced significant limitations:

  • They required custom hardware for each processor family, often costing tens of thousands of dollars
  • Electrical and timing characteristics sometimes differed from the actual target processor
  • Rapid processor evolution made emulator development lag behind chip availability
  • High-speed processors presented increasing challenges for accurate emulation

These limitations created a growing need for more integrated, cost-effective debugging solutions that could keep pace with semiconductor advancement.

The JTAG Revolution and Initial Debug Applications (1990-1994)

A pivotal development occurred in 1990 with the standardization of the Joint Test Action Group (JTAG) interface as IEEE 1149.1. Originally conceived for board-level testing of integrated circuit interconnects, JTAG provided a standardized serial interface for accessing chip internals [10]. Semiconductor manufacturers quickly recognized JTAG's potential beyond manufacturing test. By the mid-1990s, processor vendors began repurposing JTAG ports for basic debug functions, creating the first generation of what would become on-chip debugging. The initial JTAG-based debug implementations were relatively primitive, typically offering:

  • Basic halt/run control of the processor
  • Limited register access
  • Simple memory peek/poke operations
  • No hardware breakpoint support

Despite their limitations, these early implementations demonstrated the viability of using existing chip interfaces for development tools, reducing the need for expensive custom emulation hardware.

Proprietary On-Chip Debug Architectures Emerge (1995-1999)

As processor speeds increased and system-on-chip designs grew more complex, the limitations of repurposed JTAG became apparent. This led to the development of dedicated, proprietary on-chip debug architectures from major semiconductor vendors. Motorola (now NXP Semiconductors) introduced Background Debug Mode (BDM) for its 68HC12 family in 1995, representing one of the first dedicated OCD interfaces. BDM provided:

  • Dedicated debug interface pins separate from functional I/O
  • Enhanced command set for debug operations
  • Hardware breakpoint support
  • Non-intrusive memory access during program execution

Other vendors followed with their own implementations, including OnCE (On-Chip Emulation) from Freescale (now also NXP) and MPSD (Microprocessor System Debug) from various vendors. Each proprietary system offered unique features but shared the common characteristic of dedicated debug circuitry integrated into the processor silicon. This period also saw the emergence of debug interfaces that could operate while maintaining the target system's exact electrical and timing characteristics—a significant advantage over traditional emulation [4].

Standardization and Mainstream Adoption (2000-2005)

The proliferation of proprietary debug interfaces created fragmentation in the development tool market, increasing costs for both tool vendors and developers. In response, industry consortia began working toward standardization. The most significant development was the creation of the Nexus 5001 Forum standard (IEEE-ISTO 5001) in 2003, which defined a scalable, modular debug interface for 32-bit embedded processors. During this period, on-chip debugging became a standard feature in most microcontrollers and embedded processors. Key advancements included:

  • Multi-core processor debug support
  • Real-time trace capabilities
  • Power-aware debugging
  • Secure debug access modes for protected systems

The Atmel AVR microcontroller family, introduced in the late 1990s, incorporated its OCD system during this era. As noted in documentation, the AVR ONE! debugger interfaced with the internal on-chip debug system, providing monitoring and control while the application executed on the actual target device. This approach eliminated the timing discrepancies inherent in traditional emulation.

Modern Integration and Advanced Features (2006-Present)

The current era of on-chip debugging is characterized by deep integration with processor architectures and sophisticated feature sets. Modern OCD systems are no longer peripheral additions but are designed as integral components of the processor subsystem. Contemporary implementations typically include:

  • Complex event systems triggering on combinations of addresses, data values, and external signals
  • Non-stop debugging where peripheral functions continue during code halts (e.g., USART transmissions completing while the processor is halted)
  • Power domain-aware debugging for energy-constrained applications
  • Security features preventing unauthorized access to proprietary code
  • High-speed trace buffers capturing program flow without halting execution

Processors now commonly use JTAG or derivative interfaces (such as Serial Wire Debug for ARM Cortex processors) to provide access to their debug and emulation functions [10]. Field-programmable gate arrays (FPGAs) and complex programmable logic devices (CPLDs) similarly use JTAG for both programming and debug access [10]. The evolution of OCD has fundamentally transformed embedded development, enabling debugging scenarios that were previously impossible. As noted earlier, the key characteristic of OCD—execution on the actual target device—has been maintained and enhanced throughout its development. Modern systems can monitor for break conditions while the application runs independently, only interrogating the device through its debug interface when a break occurs. This allows peripherals to continue operating normally during debug sessions, maintaining system timing integrity that cannot be achieved with traditional emulation approaches. Today, on-chip debugging represents a mature technology that continues to evolve alongside processor architectures, with ongoing developments in areas such as artificial intelligence accelerator debugging, heterogeneous multi-core systems, and security-critical application development.

Principles of Operation

The operational principles of on-chip debugging (OCD) are fundamentally distinct from traditional emulation and rely on specialized hardware integrated into the target microcontroller or microprocessor. This integrated debug module operates concurrently with the main processor core, enabling real-time control and observation without disrupting the target system's normal electrical and temporal behavior [2].

Core Architecture and Run Mode

At the heart of an OCD system is a dedicated debug module embedded within the target device's silicon. This module interfaces with the processor's internal buses, registers, and critical control units. When the debugger initiates Run mode, the primary processor core executes application code from its native memory at full speed, completely independent of the external debug hardware [2]. The external debug probe, such as an AVR ONE!, assumes a passive monitoring role, continuously sampling the state of the debug interface for predefined break conditions [2]. During this period, the application runs with the exact electrical loading and timing characteristics of the final system—a level of fidelity unattainable with traditional in-circuit emulators that substitute the target processor [2]. The debug module typically operates from the same clock domain as the core but may use a separate power domain to remain active during low-power sleep states of the main CPU.

Breakpoint Mechanisms

OCD systems implement breakpoints through two primary methods: hardware comparators and software instructions. The mechanism used determines limitations and functionality.

Hardware Breakpoints

Hardware breakpoints are implemented using dedicated comparator circuits within the OCD module. These circuits continuously monitor the program counter (PC) bus. When the PC value matches a pre-programmed address stored in a comparator register, the debug module generates a trap signal, forcing the CPU into a halted debug state [2]. The number of simultaneous hardware breakpoints is physically constrained by the quantity of comparator registers fabricated on the die, typically ranging from 2 to 8 in common microcontrollers [2]. The trigger condition is often expressed by the digital logic equation: TRIGGER = (PC == COMPARE_REGISTER) & ENABLE_BIT where:

  • PC is the current program counter value (typically 16 to 32 bits wide). - COMPARE_REGISTER is the user-defined address stored in the debug module. - ENABLE_BIT is a control flag within the debug control register. This operation occurs combinatorially within a single clock cycle, ensuring precise, cycle-accurate halting.

Software Breakpoints

Software breakpoints are implemented by dynamically modifying program memory. The debugger software replaces the instruction opcode at the target address with a specific BREAK instruction native to the processor's debug module [6][2]. The original instruction is stored in a buffer. When the processor fetches and executes the BREAK opcode, it triggers an exception that transfers control to the debug handler, halting the core [2]. The process can be summarized as:

  1. Read and backup original opcode at address A. 2. Write BREAK instruction opcode to address A. 3. Upon execution, the processor halts and the debug module enters stopped mode. 4. To resume, the debugger restores the original opcode, steps the instruction, and re-inserts the BREAK opcode if the breakpoint remains active. Not all devices support this method, as it requires the processor instruction set to include a dedicated BREAK opcode recognized by the debug module [2]. A key limitation is that software breakpoints cannot be set in read-only memory (ROM) or flash memory that is locked from write access.

Stopped Mode and Peripheral Independence

When a breakpoint triggers (via either hardware or software), the CPU enters stopped mode. In this state, the execution pipeline is frozen, and the core ceases fetching new instructions. Crucially, this halt is applied selectively. The debug module's intervention is typically architected to stop the clock to the core or issue a hold signal, while leaving clock domains for peripheral modules and I/O subsystems active [2]. This design principle ensures peripheral independence. For example, if a breakpoint is reached immediately after initiating a serial transmission via a USART, the USART peripheral continues to be clocked and will complete the transmission of the data frame autonomously, even though the core is halted and cannot execute further instructions [2]. Similarly, timer/counter modules will continue to count, and analog-to-digital converters (ADCs) may complete conversions. This behavior is critical for debugging real-time embedded systems where interrupting I/O timing could cause system failures (e.g., disrupting a PWM signal controlling a motor or a communication protocol). The debug module can still sample the state of these running peripherals via the internal bus to provide a coherent snapshot of the system at the breakpoint.

Debug Communication Interface and Protocol

Communication between the external debug probe and the on-chip debug module occurs via a dedicated serial interface. Building on the proprietary architectures mentioned earlier, such as Motorola's Background Debug Mode (BDM), these interfaces use low-pin-count protocols [2]. BDM, for instance, uses a simple 3-wire interface (plus ground and power):

  • DSCLK (Serial Clock): Driven by the debugger, typically at frequencies from 100 kHz to 10 MHz, synchronizing data transfer.
  • DSI (Serial Data In): Carries command and data bits from debugger to target. Commands are shifted in serially, most significant bit (MSB) first. A BDM command packet is 17 bits long: 16 bits of command/address followed by a turnaround control bit [2]. This structure can be represented as: Packet = {CMD[15:0], T} where CMD is the command field and T is the control bit governing the direction of the subsequent data phase. Following a command, one or more extension words (typically 16 or 32 bits) of data may be transferred in either direction. The protocol allows the host debugger to perform low-level operations such as:
  • Reading and writing CPU registers (e.g., R0 = 0x55AA). - Reading and writing memory locations (e.g., MEM[0x1000]). - Directly controlling the execution pipeline (e.g., step, run, halt). This interface operates independently of the target's main functional I/O pins and often remains active even when the core is in reset or low-power mode, enabling the debugger to gain control of a non-responsive system.

Types and Classification

On-chip debugging (OCD) systems can be classified along several key dimensions, including their underlying hardware interface, the architectural approach to debug agent integration, and the sophistication of their control and monitoring capabilities. These classifications reflect the evolution of the technology from simple extensions of existing test ports to complex, dedicated subsystems.

By Hardware Interface and Protocol

The physical and protocol layer for accessing the debug circuitry forms a primary classification axis. Systems are broadly divided between those leveraging standardized test interfaces and those employing proprietary, vendor-specific ports.

  • JTAG-Based Systems: Many OCD implementations repurpose the industry-standard Joint Test Action Group (JTAG) interface, defined by IEEE Std 1149.1, for debug access [8]. Originally designed for boundary-scan testing, the JTAG Test Access Port (TAP) provides a serial communication channel into the device. Debug functionality is accessed by shifting commands and data through the boundary-scan chain or dedicated debug registers [8]. This approach is common across ARM, MIPS, and many RISC-V cores, where the debug module is accessed as a TAP resource. The interface requires a minimum of four signals: Test Data In (TDI), Test Data Out (TDO), Test Clock (TCK), and Test Mode Select (TMS) [8].
  • Proprietary Dedicated Interfaces: Several semiconductor vendors developed optimized, dedicated debug interfaces separate from JTAG. These often provide higher bandwidth or lower pin count. Prominent examples include:
  • Background Debug Mode (BDM): Introduced by Motorola (now NXP) for its microcontroller families, BDM uses a dedicated serial interface and a special BGND instruction or external signal to halt the CPU and transfer control to the on-chip debug hardware [3].
  • On-Chip Emulation (OnCE): Developed by Freescale (also now NXP) for its DSP and Power Architecture cores.
  • Embedded Trace Macrocell (ETM) and Serial Wire Debug (SWD): ARM-specific protocols; SWD is a two-pin alternative to JTAG for Cortex-M cores.
  • Hybrid or Multi-Interface Systems: Modern devices often incorporate multiple debug interfaces. A single chip might offer a JTAG port for compliance testing and basic debug, a proprietary high-speed trace port for real-time program flow capture, and a lower-pin-count alternative like SWD for resource-constrained development boards.

By Architectural Integration of the Debug Agent

The design and placement of the debug logic within the system-on-chip (SoC) or microcontroller significantly impacts its capabilities. A key differentiator is whether the debug agent operates as a separate, autonomous module or is tightly coupled with the processor core.

  • Autonomous Debug Modules: In this common architecture, the debug module is a distinct hardware block that communicates with an external debugger via the debug interface (e.g., JTAG). It can independently monitor system buses, access memory and registers, and control CPU execution by asserting halt signals or intercepting instructions [3]. Crucially, this module resides inside any caches and memory management units (MMUs), allowing it to observe addresses and data exactly as the CPU sees them, even when these signals are not externally accessible [3]. As noted earlier, when the processor is running, it executes code independently, unaware of the debug module's monitoring activities until a halt condition is triggered [3][3].
  • Core-Integrated Debug Units: Some designs integrate debug functionality more deeply into the processor pipeline itself. This can enable advanced features like non-intrusive data watchpoints, performance counters, and real-time trace without halting execution. The debug logic has direct access to pipeline stages and internal registers.
  • System-Aware Debug Architectures: Advanced OCD systems extend beyond the CPU core to integrate with on-chip peripherals and system resources. This allows for cross-triggering, where an event in a peripheral (e.g., a timer overflow or ADC conversion complete) can trigger a CPU breakpoint, and vice-versa [5]. It also enables the debugger to access peripheral registers directly. A critical capability in such systems is that when the CPU core is halted at a breakpoint, selected peripherals can be configured to continue operating autonomously. For instance, a USART initiated just before a breakpoint will continue its transmission at full speed even while the core is stopped, preventing communication errors [3].

By Functional Capability and Breakpoint Support

OCD systems are also classified by the depth and type of control they offer, with breakpoint implementation being a defining feature.

  • Basic OCD: Provides fundamental control and inspection functions, typically including:
  • Code download to memory.
    • Reading and writing of memory and processor registers.
    • Processor reset, start, stop, and single-step execution.
    • Status monitoring (running or halted) [5]. Systems at this level often force on-chip peripherals to shut down during debug sessions to simplify the debugger's view of the system state [5].
  • Advanced OCD with Hardware Breakpoints: These systems incorporate dedicated hardware comparators within the debug module to implement breakpoints. When the Program Counter (PC) matches a value stored in a comparator register, the OCD hardware forces the core into a stopped state [3]. Since each hardware breakpoint requires dedicated comparator circuitry, the number available is a fixed hardware limit dependent on the specific OCD module implementation [3]. This method is non-intrusive and does not modify program code.
  • Software Breakpoints and Complex Triggering: In addition to or instead of hardware breakpoints, systems may support software breakpoints by temporarily replacing an instruction in memory with a special debug instruction (e.g., a BGND opcode) [3]. Furthermore, advanced systems support complex break conditions beyond a simple PC match. These can include:
  • Data Watchpoints: Halting execution when a specific memory location is read or written with a particular value.
  • Event-Based Triggers: Entering debug mode based on hardware events such as interrupts, specific bus transactions, or signals from other system modules [5].
  • Sequential or Boolean Triggers: Combining multiple events in a logical sequence (e.g., halt after event A occurs, then event B occurs) to isolate complex bugs. The classification of an OCD system across these dimensions determines its suitability for different development tasks, from basic firmware loading on a simple microcontroller to the sophisticated, real-time analysis of a complex, multi-core SoC where accurate electrical and timing characteristics must be preserved during debugging.

Key Characteristics

Performance Parameters and Limitations

The operational performance of on-chip debugging systems is defined by several key parameters that directly impact debugging efficiency. The JTAG clock frequency, which governs the speed of the debug interface, typically operates at a maximum of 50 MHz [7]. This clock rate directly influences data transfer speeds between the debug host and the target processor. Memory read and write operations through the debug interface achieve speeds of approximately 1 MB/s, while flash memory programming operations are significantly slower at around 32 KB/s [7]. For real-time program flow analysis, trace streaming capabilities can reach data rates up to 800 Mb/s, enabling detailed execution monitoring without halting the processor [7]. These performance metrics establish practical boundaries for debug session interactivity and data collection.

Hardware Breakpoint Resources

A critical resource in any OCD system is the number of available hardware breakpoints, which are implemented using dedicated comparator circuits within the processor core. These resources vary significantly across processor architectures and families. For ARM Cortex-M series microprocessors, the maximum number of hardware breakpoints ranges from 2 to 6 depending on the specific core implementation [6]. For instance, the Cortex-M0+ core provides only 2 hardware breakpoints, while the higher-performance Cortex-M7 core can support up to 6 hardware breakpoints [6]. In addition to standard program execution breakpoints, Cortex-M processors typically support up to 4 access breakpoints that can monitor data or peripheral register accesses, often with the capability to compare against specific values [7]. These hardware resources are finite and must be managed carefully during complex debugging sessions, as exceeding available breakpoints requires switching to software-based alternatives which modify program memory.

Standardization Efforts: GEPDIS and Nexus

Building on the proprietary debug architectures discussed previously, industry-wide standardization became essential as embedded systems proliferated across diverse applications. To address the challenging issue of real-time debugging across multiple processor architectures, a consortium of companies formed the Global Embedded Processor Debug Interface Standard (GEPDIS) group in April 1998, operating under the code name "Nexus" [Source Materials]. This consortium brought together 24 companies including silicon vendors, hardware development tool manufacturers, and software tool providers from Europe, Japan, and the United States [Source Materials]. The GEPDIS consortium collaborated with the IEEE Industry Standards and Technology Organization (IEEE-ISTO) to establish a formal standard, eventually published as IEEE-ISTO 5001, commonly known as the Nexus standard [Source Materials]. This standardization effort aimed to create a unified interface that would allow debug tools to work across processors from multiple vendors, reducing toolchain fragmentation and development costs.

Physical Connection Challenges

As noted earlier, connecting debug hardware to the target system presents significant practical challenges that have evolved with semiconductor technology. As integrated circuit package sizes decrease and lead pitches shrink, the physical connection between debug probes and target boards becomes increasingly difficult [11]. This connection challenge is frequently cited as the most frustrating aspect of using in-circuit emulation and debugging tools [11]. Modern solutions often employ specialized adapters, fine-pitch connectors, or board-mounted headers to maintain reliable electrical connections. The debug interface must maintain signal integrity despite these physical constraints, requiring careful attention to impedance matching, signal termination, and noise immunity in the debug interface design.

Interface Evolution and Capabilities

Today's on-chip debugging typically employs serial interfaces, with JTAG being the most common, though other proprietary interfaces exist [12]. These interfaces connect to dedicated hardware within the integrated circuit that enables communication with a host computer for examining and modifying internal processor state, setting breakpoints, and controlling program execution [12]. Beyond digital logic access, some implementations extend JTAG capabilities to include analog and mixed-signal measurements by incorporating circuitry that connects test access port pins to various analog nodes within the device [13]. This expansion of functionality allows for more comprehensive system debugging that includes power management verification, analog sensor interface validation, and mixed-signal system integration testing.

Debug Operation Modes

In addition to the Run mode mentioned previously, where the processor executes application code independently, OCD systems support several other operational modes essential for debugging. These typically include:

  • Stop Mode: The processor halts execution completely, allowing full inspection and modification of all registers and memory
  • Single-Step Mode: The processor executes one instruction at a time, pausing after each for state examination
  • Real-Time Trace Mode: The processor executes at full speed while streaming execution data to the debug host
  • Memory Access Mode: Direct memory access independent of processor execution for memory testing and verification

These modes, combined with the performance characteristics and breakpoint resources, define the practical debugging capabilities available to developers working with embedded systems. The balance between intrusive debugging (which halts execution) and non-intrusive observation (through trace) represents a fundamental trade-off in debug system design, with different applications requiring different approaches based on timing constraints and system complexity.

Applications

On-chip debugging (OCD) serves as a critical hardware-based capability that functionally replaces traditional software debug monitors while incorporating features once exclusive to in-circuit emulators (ICEs), all at a significantly lower cost [4][11]. This integration provides developers with a powerful toolset that combines the basic halting and inspection functions of a monitor with advanced, non-invasive observation capabilities similar to an ICE, without requiring the target's memory resources or a dedicated communication channel for debug operations [4][12]. The dedicated hardware and circuitry embedded within the system-on-chip (SoC) itself perform these functions [5].

Core Debugging Methodologies

The application of OCD spans several distinct debugging methodologies, each suited to different stages of development and problem isolation. Self-hosted debug involves code running on the processor core utilizing the built-in debug functionality to identify software problems autonomously [5]. In contrast, external debug employs an external debugging component, or debugger, to access and manipulate the on-chip debug features for software analysis [5]. External debug is further classified into specific operational modes. Invasive debug involves the debugger interacting directly with the processor by halting its execution, typically to examine register states or memory at a specific point [5]. Non-invasive debug allows for the examination of memory content and peripheral registers while the processor continues to execute application code uninterrupted [5]. Run control debugging enables external hardware and software to access and control CPUs, primarily utilizing the JTAG interface along with auxiliary sideband signals [5].

Debug Interfaces and Hardware Integration

Enabling on-chip debugging requires two primary components: a debug interface and a debug tool [5]. The debug interface is a hardware module that facilitates communication between the SoC and the external debug tool; it can be embedded directly within the SoC or attached as a separate chip [5]. A foundational technology for many OCD implementations is the Joint Test Action Group (JTAG) standard, originally designed for board-level testing. The key hardware addition for JTAG is the Boundary Scan Register (BSR), a register whose individual cells sit at the boundary between the device's functional core and its physical pins or balls [10]. This placement is why JTAG testing is commonly called boundary scan [10]. The boundary scan cells operate in two primary modes: in functional mode, they do not affect the device's normal operation, and in test mode, they disconnect the device's functional core from its pins, allowing for external control and observation [10].

Advanced Debugging Support in Modern Architectures

Modern microcontroller architectures, particularly Arm Cortex-M cores, have evolved sophisticated on-chip debugging subsystems that offer layered capabilities. Serial Wire Debug (SWD) provides a two-pin (clock and data) interface for efficient invasive debugging, offering a reduced pin-count alternative to traditional JTAG while maintaining core run-control functions [4]. For non-invasive monitoring, Data Trace capabilities are often implemented via a Serial Wire Output (SWO) pin, which streams application-generated data, such as printf-style messages or variable values, to the debugger in real-time without halting the core [4]. The most advanced level of observation is provided by Instruction Trace through an Embedded Trace Macrocell (ETM). The ETM is a dedicated hardware block that non-intrusively captures the full instruction stream executed by the processor, enabling detailed reconstruction of program flow for complex fault diagnosis and performance analysis [4].

Breakpoint Implementation and Control

A fundamental application of OCD is the implementation of execution breakpoints. One common method is the use of a software breakpoint, which involves the debugger inserting a specific BREAK instruction into the program memory on the target device [4]. When the processor fetches and executes this instruction, program execution halts, and the OCD system enters a stopped mode, awaiting further commands from the debug host [4]. It is important to note that not all microcontroller devices support this specific breakpoint instruction within their OCD modules [4]. Alternatively, hardware breakpoints utilize dedicated comparators within the debug logic to halt the processor when a specific address is accessed or an instruction is fetched, without modifying the program memory.

Comparative Advantage Over Traditional Methods

The applications of OCD present distinct advantages when compared to its predecessors. Unlike a pure software debug monitor, which consumes target resources (memory, communication channels), OCD leverages dedicated on-chip hardware, freeing those resources for the application [4][5]. Compared to a full in-circuit emulator (ICE), which typically replaces the target CPU with a special "bond-out" version to provide visibility, OCD provides many similar features—such as real-time control and trace—while allowing the application to run on the actual production silicon [11][12]. This leads to more accurate timing and peripheral interaction analysis. Furthermore, as noted earlier regarding ICEs, since the emulator replaces the CPU, it generally does not require the target hardware to be fully functional for basic debugging [11]. OCD shares this advantage to a large degree, as the debug logic is independent and can often be accessed even if the core application is not running correctly, aiding in the debugging of catastrophic failures and boot-up sequences.

Design Considerations

Implementing effective on-chip debugging (OCD) requires careful architectural planning that balances functional capabilities against physical constraints and security implications. The design process must address fundamental trade-offs between debug access, silicon area overhead, performance impact, and system vulnerability.

Standardization Challenges

A persistent challenge in OCD implementation is the lack of consistent capabilities and communication interfaces across different processor architectures [3]. While the JTAG interface has emerged as a de facto standard for physical connection among many vendors, the actual debug features accessible through this interface vary significantly between manufacturers and even between product families from the same vendor [3]. This fragmentation complicates toolchain development and increases learning curves for engineers working across multiple platforms. In response to this issue, industry consortiums have formed to establish unified standards. The Global Embedded Processor Debug Interface Standard (GEPDIS) consortium, organized in April 1998 under the code name "Nexus," brought together 24 companies including silicon vendors and development tool providers from Europe, Japan, and the United States to address real-time debug standardization across multiple architectures [16]. This consortium worked with the IEEE-ISTO (Industry Standards and Technology Organization) to establish a charter for standardized debug interfaces [16]. More recently, the IEEE-1149.x family of standards has continued to evolve, with the "Selective Toggle" (also called "Atoggle") standard being approved and published to address specific aspects of test and debug interface functionality [13].

Hardware Resource Constraints

The physical implementation of debug circuitry presents significant design constraints, primarily concerning silicon real estate and pin allocation. Debug hardware typically consumes valuable chip area that could otherwise be used for core functionality or additional features. Industry guidelines suggest that debug circuitry should occupy no more than two to three percent of total integrated circuit real estate; exceeding this threshold makes the inclusion of comprehensive debug features commercially challenging to justify [5]. This limitation forces designers to implement highly optimized debug logic that provides maximum observability and controllability with minimal gate count. The challenge extends to pin usage as well, with debug interfaces competing for limited I/O resources that are also needed for application functionality. Designers must carefully allocate a minimal number of dedicated debug pins or implement multiplexing schemes that share pins between debug and normal operational modes. This resource constraint directly impacts the capabilities that can be implemented, often forcing trade-offs between features like real-time trace, complex breakpoint configurations, and extensive memory access windows.

Security Implications

The powerful low-level access provided by OCD interfaces creates significant security vulnerabilities that must be addressed during system design [15]. The JTAG interface, while invaluable for debugging and testing embedded systems, provides attackers with potential entry points to extract sensitive information, modify firmware, or bypass security mechanisms [15]. These security threats manifest in several critical areas:

  • Intellectual property theft through firmware extraction
  • Cryptographic key disclosure from secure storage areas
  • Authentication bypass by modifying security-critical code
  • Introduction of malicious code through debug access
  • Side-channel attacks facilitated by debug observation capabilities

To mitigate these risks, designers implement various security measures including authentication protocols for debug access, debug port disable mechanisms, privilege-based debug capabilities, and encrypted communication between debug probes and target devices. Some implementations provide granular control over which debug features remain accessible in secured devices, allowing essential field diagnostics while protecting sensitive system components. The security architecture must balance the need for diagnostic access during development and maintenance against the requirement to protect deployed systems from unauthorized intrusion.

Interpretation Complexity

The raw data provided through debug interfaces often requires specialized interpretation to become meaningful to developers [14]. Unlike higher-level debugging environments that can present information in contextually relevant formats, low-level debug interfaces provide hints and signals that must be decoded using specialized devices and software programs [14]. This interpretation layer adds complexity to both the design of debug hardware and the development of accompanying software tools. The debug circuitry must generate sufficiently detailed information to reconstruct program flow and system state, while tool developers must create analysis software that can translate this information into actionable insights. This challenge is particularly pronounced in systems with complex pipelines, multiple execution units, or advanced power management features that affect the visibility and timing of debug information. The interpretation problem extends to real-time trace capabilities, where high-speed data streams (reaching up to 800 Mb/s in some implementations) must be captured, processed, and presented in ways that help developers identify timing issues, race conditions, and other subtle bugs that only manifest during full-speed execution.

Interface Evolution and Specialization

As noted earlier, the transition from basic JTAG-based debugging to dedicated on-chip debug architectures represented a significant evolution in capability. Building on this foundation, modern implementations continue to specialize based on application requirements and architectural considerations. Different processor families implement varying combinations of debug features optimized for their target markets, with real-time control systems emphasizing deterministic behavior analysis, while application processors focus on software development productivity. This specialization extends to the physical interface layer, where variations in clocking schemes, voltage levels, and signal integrity requirements create compatibility challenges across different debug tools and target systems. The industry continues to develop new interface standards and enhancements to existing protocols, with organizations like the GEPDIS consortium working to establish common ground while allowing for necessary specialization [16]. This ongoing evolution reflects the fundamental tension in debug interface design between standardization for tool compatibility and customization for optimal integration with specific processor architectures.

References

  1. [1]Debugging The Embedded Systemhttps://embeddedwala.com/Blogs/embeddedsystem/debugging-the-embedded-system
  2. [2]6.1 Introduction to On-chip Debugging (OCD)https://onlinedocs.microchip.com/oxy/GUID-05B5DA30-9A97-4741-AA07-5C6EFB62B22D-en-US-2/GUID-6847BD4A-FFD9-4C0E-B752-B7AACB1AC7F6.html
  3. [3]Introduction to On-Chip Debughttps://barrgroup.com/blog/introduction-chip-debug
  4. [4]4.5 AVR Devices - On-Chip Debugging (OCD)https://onlinedocs.microchip.com/g/GUID-8D61C0B9-A97F-4F4D-99F8-1D7424264C2A-en-US-1/GUID-01833F80-6EE5-4242-8DE7-7AEEBD48E7BE.html
  5. [5]A Complete Guide to SoC Debugging | Part 1https://ignitarium.com/understanding-the-debug-architecture-of-arm-based-soc/
  6. [6]Embedded Systems: Difference between Software Breakpoint and Hardware Breakpointhttps://medium.com/@wadixtech/embedded-systems-difference-between-software-breakpoint-and-hardware-breakpoint-f5d637b9e7d4
  7. [7]ULINK Debugger Comparisonhttps://www.keil.com/arm/ulink/cmp.asp
  8. [8]Technical Guide to JTAGhttps://www.corelis.com/education/tutorials/jtag-tutorial/jtag-technical-primer/
  9. [9]In-circuit emulationhttps://grokipedia.com/page/In-circuit_emulation
  10. [10]What is JTAG and how can I make use of it? - XJTAG Tutorialhttps://www.xjtag.com/about-jtag/what-is-jtag/
  11. [11]Beginner's Corner - In-Circuit-Emulatorshttps://www.ganssle.com/articles/BegincornerICE.htm
  12. [12]Lost Techniques: Bond-out CPUs And In Circuit Emulationhttps://hackaday.com/2025/10/01/lost-techniques-cpu-in-circuit-emulation/
  13. [13]IEEE-1149.x Related Standardshttps://www.corelis.com/ieee-1149-x-related-standards/
  14. [14]High speed microcomputer in-circuit emulatorhttps://patents.google.com/patent/US5321828A/en
  15. [15]Diving into JTAG — Security (Part 6)https://interrupt.memfault.com/blog/diving-into-jtag-part-6
  16. [16]A new development tool standard with the IEEE-ISTOhttps://ieeexplore.ieee.org/document/808587