AN 939: JTAG Connections Over SSH

ID 683756
Date 7/07/2021
Public

3.2. Securing JTAG Communication with a Reverse SSH Tunnel

Use a reverse SSH tunnel (also known as SSH remote port forwarding) to encrypt communication between the Intel® Quartus® Prime JTAG Server on the local machine and JTAG clients such as the Intel® Quartus® Prime Programmer on the remote machine.

These instructions assume that the FPGA board is attached to the local machine. If you have the FPGA board attached to the remote machine, refer to Securing JTAG Communication with an SSH Tunnel.

Before you establish a reverse SSH tunnel for JTAG communications, ensure that you have completed the prerequisites in Securing JTAG Communication with SSH.

To establish a reverse SSH tunnel for secure JTAG communication:

  1. On the remote machine, do the following tasks:
    1. Disable the JTAG Server:
    Linux* operating systems
    Use the kill command to stop the JTAG Server process (jtagd). Stopping this process disables the JTAG Server.
    Windows* operating systems
    Disable the JTAG Server service on Windows* operating systems with the following command:
    <quartus_installdir>\quartus\bin64\jtagserver.exe --stop
    2. Ensure that the SSH server is running.
      Refer to your SSH software documentation for instructions on how to start the SSH server and confirm that it is running.
  2. On the local machine, start the SSH client to establish a reverse SSH tunnel between your local and remote machines as follows:
    Linux* operating systems
    On the local machine, start a terminal session and run the following command:
    ssh -R 1309:localhost:1309 <remote_machine>

    For <remote_machine>, you can specify either the IP address or the host name of the remote machine.

    After you log on to the SSH server, start another terminal session to run the commands in the later steps in this procedure.

    Windows* operating systems
    On the local machine, start a command prompt session and run the following command:
    putty.exe -ssh -R 1309:localhost:1309 <remote_machine>

    For <remote_machine>, you can specify either the IP address or the host name of the remote machine.

    The putty command launches a separate window for you to enter your SSH credentials. Return to the command prompt session you originally used to run the putty command to run the commands in the later steps in this procedure.

  3. On the local machine (where the FPGA board is installed), start the JTAG Server:
    • On Linux* operating systems, run the following command:
      $ <quartus_installdir>/quartus/linux64/jtagd
    • On Windows* operating systems, run the following command:
      > <quartus_installdir>\quartus\bin64\jtagserver.exe --start
    The JTAG Server uses TCP/IP port 1309.
  4. Confirm that JTAG works over your SSH tunnel as follows:
    1. On the remote machine, run the following command:
      jtagconfig

      This command returns a list of available JTAG connections.

    2. On the local machine, run the following command:
      jtagconfig

      Confirm that the lists of available JTAG connections returned on the remote machine and on the local machine match.

  5. Start your JTAG client application.

    JTAG client applications include the Intel® Quartus® Prime Programmer, System Console and Debugging Toolkits, and Signal Tap logic analyzer.
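The following check is an added example, not part of the application note: it classifies the listener on port 1309 from `ss -Hltn` output, so you can confirm on the remote machine that the forwarded JTAG port is reachable only through the loopback interface. With OpenSSH, `-R 1309:localhost:1309` binds to the remote loopback address by default unless the server's GatewayPorts setting allows otherwise. The function name and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Intel code): report who can reach the JTAG Server port.
JTAG_PORT=1309   # TCP port the JTAG Server uses, as stated in this procedure

# Reads `ss -Hltn` output on stdin; prints one of: none | loopback | exposed
jtag_listener_scope() {
    awk -v port="$JTAG_PORT" '
        {
            addr = $4                          # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] "" != port "") next   # listener on some other port
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]") {
                if (scope == "") scope = "loopback"
            } else {
                scope = "exposed"              # wildcard or routable address
            }
        }
        END { print (scope == "" ? "none" : scope) }
    '
}

# Constructed samples of `ss -Hltn` output (not captured from a real host).
SAMPLE_TUNNEL='LISTEN 0 128 127.0.0.1:1309 0.0.0.0:*
LISTEN 0 128 [::1]:1309 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:1309 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_CLOSED='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf 'tunnel up:   %s\n' "$(printf '%s\n' "$SAMPLE_TUNNEL"  | jtag_listener_scope)"
printf 'wildcard:    %s\n' "$(printf '%s\n' "$SAMPLE_EXPOSED" | jtag_listener_scope)"
printf 'tunnel down: %s\n' "$(printf '%s\n' "$SAMPLE_CLOSED"  | jtag_listener_scope)"

# On a live Linux host: ss -Hltn | jtag_listener_scope
```

A result of `exposed` means port 1309 accepts connections from other hosts, which bypasses the encryption the tunnel provides; `none` on the remote machine is the expected result after the tunnel is closed.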

After you have finished using your JTAG client applications, you can close the SSH tunnel in one of the following ways:
  • Run the exit command in the terminal or command prompt window where you started the SSH client on the local machine.
  • Terminate or close the terminal or command prompt window where you started the SSH client on the local machine.
You can confirm that the SSH tunnel is closed by running the jtagconfig command as follows:
  • On the local machine, the jtagconfig command lists only local JTAG connections.
  • On the remote machine, the jtagconfig command returns a No JTAG hardware available message.