On the internet, it always shows that each pin of the IC has its own Boundary Scan register (the yellow boxes)
But looking at BSDL files there are actually more BS registers than pins.
So for the questions:
- Is it right to say that there are always more BS registers than pins?
- What are the other BS registers used for OR Why are they there?
- How can we use JTAG(TAP controller, state machine etc) to find out which are the pin's BS register?
P.S. I have posted this question on StackExchange Reverse Engineering but there werent any reply.
https://reverseengineering.stackexchange.com/questions/9119/jtag-finding-bs-registers-for-ics-pins
Best Answer
1) Usually yes but that will depend on the device. Sometimes you have devices that only have a few Boundary Scan enabled pins (and i.e. lots of power/gnd/analogue pins) and then the size of the Boundary-register may be smaller than the number of pins. But that is rare.
2) The most common structure behind a bidirectional pin are 3 Boundary Scan cells: 1 Input-cell (for reading the pin), 1 output-cell (output3 - meaning it can be tristated) for writing the pin and 1 control-cell for enabling/disabling the output3-cell. There can also be bidirectional cells and purely internal cells when i.e. the same architecture is used for multiple packages. If you have a pure output- or input-pin you may just find an output- or input-cell behind the pin.
3) That information is usually provided by the device manufacturer. There are ways to reverse engineer a BSDL-file but they are a lot of work. Usually that means you need the device on a board, powered up and functional without anything around (so you can freely toggle all pins). First you have figure out the size and commands of the Instruction-register and the size of the Boundary register. Then you shift in known pattern into the Boundary-register to switch pin-states and try to find the pin that actually changes state and construct your BSDL-file based on that information. As said earlier: Tedious work!