[UrJTAG-dev] Help to read flash - unknown device
José Silva
2011-05-25 11:41:04 UTC
Hi all,

I've been struggling to read the firmware of a DVR (Digital Video
Recorder) and program another one which had a bad firmware upgrade. I
already posted to the forum but got no replies up to now; I guess the
list is more active.

The device, as far as I know because it has a heatsink, is a HiSilicon,
model Hi3515, here: http://www.hisilicon.com/products/promotion.html

As much as I could find on the net, this chip has a core ARM926EJS

The flash chip is a Spansion S29GL064N

Using UrJTAG 0.10 #1502:
jtag> cable ARM-USB-OCD vid=15ba pid=002a driver=ftdi-mpsse # Olimex ARM-USB-TINY-H
Connected to libftdi driver.
jtag> detect
IR length: 8
Chain length: 1
Device Id: 01010000000001010000010011001101 (0x00000000500504CD)
Unknown manufacturer!
chain.c(149) Part 0 without active instruction
chain.c(200) Part 0 without active instruction
chain.c(149) Part 0 without active instruction

jtag> discovery
Detecting IR length ... 8
Detecting DR length for IR 11111111 ... 1
Detecting DR length for IR 00000000 ... 1
Detecting DR length for IR 00000001 ... 32
Detecting DR length for IR 00000010 ... 1
...
Detecting DR length for IR 00001101 ... 32
Detecting DR length for IR 00001110 ... 1
...
Detecting DR length for IR 00110001 ... 18

and 1 to the end

So, can anybody help, please?
jss
Mike Frysinger
2011-05-25 13:22:15 UTC
Post by José Silva
I've been struggling to read the firmware of a DVR (Digital Video
Recorder) and program another one which had a bad firmware upgrade. I
already posted to the forum but got no replies up to now; I guess the
list is more active.
The device, as far as I know because it has a heatsink, is a HiSilicon,
model Hi3515, here: http://www.hisilicon.com/products/promotion.html
As much as I could find on the net, this chip has a core ARM926EJS
The flash chip is a Spansion S29GL064N
you've got a few things to sort out here. you'll first need to see if there
is an appropriate bus driver for your part. if there is, you'll then have to
figure out what information it needs (signals, instructions, etc...). then
you'll have to define at least those in a data file (see the many examples in
the data/ directory). if there is no bus driver, then you'll probably have to
figure out one (writing a new one from scratch or based on an existing one).

then you should be able to tell urjtag to use that data file for that part in
the chain, initialize the required bus, and then start poking the flash.

g'luck :P
-mike
José Silva
2011-05-25 14:22:07 UTC
Hello Mike, thank you so much for replying.
Post by Mike Frysinger
you've got a few things to sort out here. you'll first need to see if there
is an appropriate bus driver for your part.
It seems to accept ejtag:
jtag> initbus ejtag
jtag>

But then:
jtag> detectflash 0
ejtag.c(177) EJADDRESS, EJDATA or EJCONTROL register not found
...
dev ID=0000 man ID=0000
ejtag.c(177) EJADDRESS, EJDATA or EJCONTROL register not found
...
amd_detect: mid 0, did 0
Flash not found!


But there's something that puzzles me; sometimes, couldn't find the way
to reproduce it, the chip enters a state where:

jtag> detect
IR length: 4
Chain length: 1
Device Id: 00000111100100100110010001110111 (0x0000000007926477)
Unknown manufacturer!
chain.c(149) Part 0 without active instruction
chain.c(200) Part 0 without active instruction
chain.c(149) Part 0 without active instruction

which is a completely different chip which was not detected in the other
state; can you interpret this?

Then, after a while, it comes back to the state I reported in the first
place.
Post by Mike Frysinger
if there is, you'll then have to
figure out what information it needs (signals, instructions, etc...). then
you'll have to define at least those in a data file (see the many examples in
the data/ directory). if there is no bus driver, then you'll probably have to
figure out one (writing a new one from scratch or based on an existing one).
then you should be able to tell urjtag to use that data file for that part in
the chain, initialize the required bus, and then start poking the flash.
So, would you say it is accepting ejtag and, if so, what is the minimum
set of data I need; in the meanwhile, I'll try to figure that out of the
examples as you pointed.

Rgds,
jss
Mike Frysinger
2011-05-25 14:54:35 UTC
On Wednesday, May 25, 2011 10:22:07 José Silva wrote:

please don't top post
Post by José Silva
ejtag.c(177) EJADDRESS, EJDATA or EJCONTROL register not found
which is what i referred to earlier. you need to create a data file for your
part and define the relevant instructions/registers/etc...
Post by José Silva
jtag> detect
IR length: 4
Chain length: 1
Device Id: 00000111100100100110010001110111 (0x0000000007926477)
Unknown manufacturer!
chain.c(149) Part 0 without active instruction
chain.c(200) Part 0 without active instruction
chain.c(149) Part 0 without active instruction
you need to manually associate a data file with your part. urjtag has no data
file in its db for this. once you do, these warnings do not matter.

http://urjtag.org/book/_data_file_format.html
-mike
José Silva
2011-05-25 16:11:42 UTC
On 25-05-2011 16:53, Andrew Dyer wrote:

Andrew, thank you for the tip.
ejtag is just for mips cores. It doesn't work on ARM.
jtag> help initbus

Doesn't refer any ARM appropriate bus. What would you recommend then?

Thks,
jss
Michael Walle
2011-05-25 20:18:01 UTC
Post by José Silva
Andrew, thank you for the tip.
ejtag is just for mips cores. It doesn't work on ARM.
jtag> help initbus
Doesn't refer any ARM appropriate bus. What would you recommend then?
mh either writing your own bus driver or using the prototype driver if every
pin your flash is connected, can be controlled via boundary scan.

the latter can be very slow!
--
Michael
José Silva
2011-05-25 20:56:48 UTC
Post by Michael Walle
Post by José Silva
Andrew, thank you for the tip.
ejtag is just for mips cores. It doesn't work on ARM.
jtag> help initbus
Doesn't refer any ARM appropriate bus. What would you recommend then?
mh either writing your own bus driver or using the prototype driver if every
pin your flash is connected, can be controlled via boundary scan.
the latter can be very slow!
Michael, thank you for replying,

Although I work in electronics, hard and soft (or firm, better said) for
more than 40 years (I saw the birth of the first microprocessor, the
Intel 4004), I must confess that I know almost nothing of jtag and
boundary scan.

That said, this thing is driving me nuts; I have also tried openocd with
no results; I can't get it to halt.

One thing I can't understand, for instance, is why urjtag detects a chip
with irlen of 8 when I know the core cpu is an arm926ejs with an irlen of 4.

So, I guess you won't be surprised if I confess that I don't know what
you mean by "if every pin your flash is connected, can be controlled via
boundary scan"

jss
Michael Walle
2011-05-25 22:45:45 UTC
Post by José Silva
Post by Michael Walle
Post by José Silva
Andrew, thank you for the tip.
ejtag is just for mips cores. It doesn't work on ARM.
jtag> help initbus
Doesn't refer any ARM appropriate bus. What would you recommend then?
mh either writing your own bus driver or using the prototype driver if
every pin your flash is connected, can be controlled via boundary scan.
the latter can be very slow!
Michael, thank you for replying,
Although I work in electronics, hard and soft (or firm, better said) for
more than 40 years (I saw the birth of the first microprocessor, the
Intel 4004), I must confess that I know almost nothing of jtag and
boundary scan.
http://en.wikipedia.org/wiki/Boundary_scan
in short, you are able to drive the physical pins directly (or read the
logical value, eg treat it as an input pin). not all pins are suitable for
boundary scan testing (eg. the jtag pins themselves.. or power etc)
Post by José Silva
That said, this thing is driving me nuts; I have also tried openocd with
no results; I can't get it to halt.
does openocd recognize the device correctly? Eg sth like that:
Info : JTAG tap: feroceon.cpu tap/device found: 0x20a023d3 (mfg: 0x1e9, part: 0x0a02, ver: 0x2)
Info : Embedded ICE version 0

Then you are connected to the ARM debug port and boundary scan isn't possible
(that is the prototype driver can't work).
Post by José Silva
One thing I can't understand, for instance, is why urjtag detects a chip
with irlen of 8 when I know the core cpu is an arm926ejs with an irlen of 4.
you may be on the wrong chain. eg. i have a marvell 88f6281, which also has an
arm 926ejs core, which has two jtag TMS pins. one for the internal arm debug
port (for software debugging) and one for the boundary scan 'mode'.
Post by José Silva
So, I guess you won't be surprised if I confess that I don't know what
you mean by "if every pin your flash is connected, can be controlled via
boundary scan"
see above

That all being said, ARM just provides the core itself, there are many actual
processors which are using an arm 926ejs core. you should try to find out
which processor is stuffed on your board.


btw i see that there is an arm9tdmi bus driver, which may be working for you.
but as mike already said, you need the data files/bsdl files for your
processor first.
--
Michael
José Silva
2011-05-25 23:28:41 UTC
Post by Michael Walle
http://en.wikipedia.org/wiki/Boundary_scan
in short, you are able to drive the physical pins directly (or read the
logical value, eg treat it as an input pin). not all pins are suitable for
boundary scan testing (eg. the jtag pins themselves.. or power etc)
I understand the principle but there are many details which make
practice very difficult for me.
Post by Michael Walle
0x0a02, ver: 0x2)
Info : Embedded ICE version 0
Then you are connected to the ARM debug port and boundary scan isn't possible
(that is the prototype driver can't work).
No, openocd does not recognize the chip; I have to define it on the
config file with "jtag newtap" and "target create" clauses. Even
defining the chip, an error results.
Post by Michael Walle
Post by José Silva
One thing I can't understand, for instance, is why urjtag detects a chip
with irlen of 8 when I know the core cpu is an arm926ejs with an irlen of 4.
you may be on the wrong chain. eg. i have a marvell 88f6281, which also has an
arm 926ejs core, which has two jtag TMS pins. one for the internal arm debug
port (for software debugging) and one for the boundary scan 'mode'.
You might have just struck the point, this might be just a debug port
which is a possibility that I never considered before. Maybe now it
makes sense the other device that I randomly detect, as exposed a few
messages before:
Device Id: 00000111100100100110010001110111 (0x0000000007926477), with
irlen of 4, although this is also unknown.

In fact, the board also has a serial port for a console which I can
display. By what I see, it seems like Das U-Boot bootloader; says, I
think, "Uncompressing Linux...Booting the kernel" then it comes to
Login: for a while and then repeats the sequence forever. I'm on a dead
end because I don't know the login. I think the board manufacturer uses
this port to program the flash, or else they program it before assembly.
Post by Michael Walle
That all being said, ARM just provides the core itself, there are many actual
processors which are using an arm 926ejs core. you should try to find out
which processor is stuffed on your board.
The chip itself is a Huawei Hass HiSilicon Hi3515, as I exposed before;
would this be the processor you mean?
Post by Michael Walle
btw i see that there is an arm9tdmi bus driver, which may be working for you.
but as mike already said, you need the data files/bsdl files for your
processor first.
There is very scarce information of this chip, and it's also very new. I
could only find a description and the schematics of an SDK board, no
bsdl files at all.
That's how the Chinese work, the chip manufacturer makes an SDK board
with the application software and the end-product manufacturer just
makes slight modifications, a pcb, housing and the product is ready for
sale in a few weeks time.

As a side comment, the manufacturer didn't want to disclose the login
password, so that I could reprogram the thing, arguing "Business
Secret". But, as we both know, he is infringing the GNU license by not
disclosing the source.

By the way, it also has an ethernet port but no tftp, as much as I can tell.

Enough of bothering you.
jss
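
Added example, not part of the original thread and not UrJTAG code: a decoder that splits the two "Device Id:" values quoted above into their IEEE 1149.1 IDCODE fields (version, part number, JEP106 manufacturer), which is what tells the two TAPs apart. The function names and the one-entry manufacturer table are assumptions made for this illustration; only the ARM Ltd JEP106 code (bank 5, 0x3B) is named, and any other manufacturer is reported as raw fields.

```python
import re

# Only manufacturer this example names: JEP106 bank 5 (four continuation
# codes), code 0x3B is ARM Ltd. Anything else is reported as raw fields.
KNOWN_MANUFACTURERS = {0x23B: "ARM Ltd"}

# Matches the 'Device Id:' line format printed by urjtag 'detect' above.
DETECT_LINE = re.compile(r"Device Id:\s*([01]{32})\s*\(0x([0-9A-Fa-f]+)\)")

def decode_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields."""
    if not 0 <= idcode <= 0xFFFFFFFF:
        raise ValueError("IDCODE must fit in 32 bits")
    if idcode & 1 == 0:
        # Bit 0 of IDCODE is fixed at 1; a 0 means BYPASS was shifted out.
        raise ValueError("bit 0 is 0: not an IDCODE (BYPASS register?)")
    mfr = (idcode >> 1) & 0x7FF              # bits 11..1
    return {
        "version": idcode >> 28,              # bits 31..28
        "part": (idcode >> 12) & 0xFFFF,      # bits 27..12
        "manufacturer": mfr,
        "jep106_bank": (mfr >> 7) + 1,        # continuation count + 1
        "jep106_code": mfr & 0x7F,            # 7-bit code within the bank
        "name": KNOWN_MANUFACTURERS.get(mfr, "unknown"),
    }

def parse_detect(text):
    """Decode every 'Device Id:' line of urjtag 'detect' output."""
    results = []
    for bits, hexval in DETECT_LINE.findall(text):
        idcode = int(bits, 2)                 # urjtag prints MSB first
        if idcode != int(hexval, 16) & 0xFFFFFFFF:
            raise ValueError("binary and hex forms disagree")
        results.append(decode_idcode(idcode))
    return results

# The two 'Device Id:' lines quoted in the thread above.
SAMPLE = """\
Device Id: 01010000000001010000010011001101 (0x00000000500504CD)
Device Id: 00000111100100100110010001110111 (0x0000000007926477)
"""

if __name__ == "__main__":
    for fields in parse_detect(SAMPLE):
        print({k: hex(v) if isinstance(v, int) else v for k, v in fields.items()})
```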
