AN 939: JTAG Connections Over SSH

ID 683756
Date 7/07/2021
Public

3.1. Securing JTAG Communication with an SSH Tunnel

Use an SSH tunnel (also known as SSH port forwarding) to encrypt communication between the Intel® Quartus® Prime JTAG Server on a remote machine and JTAG clients such as the Intel® Quartus® Prime Programmer on a local machine.

These instructions assume that the FPGA board is attached to the remote machine. If you have the FPGA board attached to the local machine, refer to Securing JTAG Communication with a Reverse SSH Tunnel.

Before you establish an SSH tunnel for JTAG communications, ensure that you have completed the prerequisites in Securing JTAG Communication with SSH.

To establish an SSH tunnel for secure JTAG communication:

  1. On the local machine, disable the JTAG Server:
    Linux* operating systems
    Use the kill command to stop the JTAG Server process (jtagd). Stopping this process disables the JTAG Server.
    Windows* operating systems
    Disable the JTAG Server service on Windows* operating systems with the following command: <quartus_installdir>\quartus\bin64\jtagserver.exe --stop.
  2. On the remote machine, ensure that the SSH server is running.
    Refer to your SSH software documentation for instructions on how to start the SSH server and confirm that it is running.
  3. On the local machine, start the SSH client to establish an SSH tunnel between your local and remote machines as follows:
    Linux* operating systems
    On the local machine, start a terminal session and run the following command:
    ssh -L 1309:localhost:1309 <remote_machine>

    For <remote_machine>, you can specify either the IP address or the host name of the remote machine.

    After you log on to the SSH server, start another terminal session to run the commands in the later steps in this procedure.

    Windows* operating systems
    On the local machine, start a command prompt session and run the following command:
    putty.exe -ssh -L 1309:localhost:1309 <remote_machine>

    For <remote_machine>, you can specify either the IP address or the host name of the remote machine.

    The putty command launches a separate window for you to enter your SSH credentials. Return to the command prompt session you originally used to run the putty command to run the commands in the later steps in this procedure.

  4. On the remote machine (where the FPGA board is installed), start the JTAG Server:
    • On Linux* operating systems, run the following command:
      $ <quartus_installdir>/quartus/linux64/jtagd
    • On Windows* operating systems, run the following command:
      > <quartus_installdir>\quartus\bin64\jtagserver.exe --start
    The JTAG Server uses TCP/IP port 1309.
  5. Confirm that JTAG works over your SSH tunnel as follows:
    1. On the local machine, run the following command:
      jtagconfig

      This command returns a list of available JTAG connections.

    2. On the remote machine, run the following command:
      jtagconfig

      Confirm that this list of available JTAG connections matches the list of JTAG connections listed on the local machine.

  6. Start your JTAG client application.

    JTAG client applications include the Intel® Quartus® Prime Programmer, System Console and Debugging Toolkits, and Signal Tap logic analyzer.

After you have finished using your JTAG client applications, you can close the SSH tunnel in one of the following ways:
  • Run the exit command in the same terminal or command prompt window where you started the SSH client on the local machine.
  • Terminate or close the terminal or command prompt window where you started the SSH client on the local machine.
You can confirm that the SSH tunnel is closed by running the jtagconfig command as follows:
  • On the local machine, the jtagconfig command returns a No JTAG hardware available message.
  • On the remote machine, the jtagconfig command lists only local JTAG connections.
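
The following shell script is an added example, not part of Intel's application note. It complements the jtagconfig comparison in step 5 by reporting which process owns local TCP port 1309 and whether that listener is confined to loopback. It assumes a Linux local machine with the iproute2 `ss` utility; the function names, the sample lines and the `ExitOnForwardFailure` variant of the step 3 command are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Intel's code): after "ssh -L 1309:localhost:1309 <remote_machine>",
# report who owns local TCP port 1309, based on `ss -ltnp` output.
JTAG_PORT=1309   # JTAG Server port stated on this page

# Reads `ss -ltnp` lines on stdin and prints one verdict:
#   tunnel  - only ssh listens on the port, and only on loopback
#   local   - a non-ssh process (e.g. a local jtagd left running) holds the port
#   exposed - ssh listens on a non-loopback address (e.g. -g or GatewayPorts)
#   none    - nothing listens on the port, so the forward is not up
classify_jtag_listener() {
    awk -v port="$JTAG_PORT" '
        $1 != "LISTEN" { next }                    # skip header and other states
        {
            n = split($4, parts, ":")              # $4 is local address:port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            seen = 1
            if ($6 !~ /\(\("ssh",/) other = 1      # $6 is the users:((...)) column
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END {
            if (!seen)        print "none"
            else if (other)   print "local"
            else if (exposed) print "exposed"
            else              print "tunnel"
        }'
}

# Constructed sample: the state expected once steps 1 and 3 are done correctly.
SAMPLE_OK='LISTEN 0 128 127.0.0.1:1309 0.0.0.0:* users:(("ssh",pid=4321,fd=5))
LISTEN 0 128     [::1]:1309    [::]:* users:(("ssh",pid=4321,fd=4))'
# Constructed sample: step 1 was skipped and a local jtagd still holds port 1309.
SAMPLE_LOCAL='LISTEN 0 5 127.0.0.1:1309 0.0.0.0:* users:(("jtagd",pid=987,fd=3))'

# Variant of the step 3 command: pin the listener to loopback and make ssh
# exit if it cannot bind port 1309 instead of logging in without the forward.
open_jtag_tunnel() {
    ssh -o ExitOnForwardFailure=yes -L "127.0.0.1:${JTAG_PORT}:localhost:${JTAG_PORT}" "$1"
}

# Live check: run as the user who started ssh so ss can show process names.
if [ "${1:-}" = "--live" ]; then
    ss -ltnp | classify_jtag_listener
fi
```

Run the script with `--live` on the local machine after step 3; `tunnel` is the only verdict consistent with the setup this procedure describes, and `none` is the expected verdict after the tunnel is closed.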