Hi Dominic,

If the clocks are unrelated / asynchronous and you rely on RTCK, then sure, the fastest you can run the TCK at is 1/6 of the core frequency. But if you control the core frequency (i.e. generate it and feed it into the oscillator pin) and also generate TCK, I reckon that you might be able to push TCK up to 1/2 of the core frequency and get it through the synchronizer.

Now I don't know how many TCK ticks it takes to issue a command over JTAG (or if you can take over while the CPU is held in reset all the way from power-on). But the MAM is fully disabled, so you'll need seven core ticks for each FLASH memory access.

I do hope that someone who knows JTAG can tell me "Well, the scan chain is 32 bits long and a command is 4 bits long, so you'll need at least 36 TCK, i.e. 72* core cycles to take over. And in that time the core has executed over 10 instructions, so the potential trapdoor is already bolted shut". I don't know JTAG so I can't say such things.

*according to my suspicion that you can push TCK up to half the core frequency

Regards,
Danish

--- In lpc2000@yahoogroups.com, Dominic Rath <Dominic.Rath@...> wrote:
>
> http://www.arm.com/support/faqip/3732.html
> The LPCs are ARM7TDMI-S cores, requiring the synchronization logic shown in
> the above faq entry. That means they can't run TCK above 1/6th of the core
> frequency.
>
> Regards,
>
> Dominic
>
Re: CRP exploits using JTAG
2006-02-06 by dr_danish_ali