Paul Fertser
2013-12-27 10:59:33 UTC
Hi,
I know you folks like jtagging popular SoCs, and those broadcom
families are pretty common in SOHO WiFi equipment. In my particular
case I had an Asus RT-N16 I wanted to tinker with.
After system reset those chips work in some undocumented "LV" mode so
nothing really works. The IR length is 32 bits, some hints about it
can be found at [1]. In particular, command 0xfffffffe allows reading
the IDCODE from a 32-bit DR. UrJTAG's "detect" prints nothing in this
mode.
To switch away from this nasty useless undocumented mode to standard
EJTAG one needs to:
1. Shift 0x0143ff3a into IR, for this command DR is 32 bits too; end
state apparently doesn't matter, e.g. run/idle is ok;
2. Shift 1 into DR, switch to run/idle;
3. Now the device is in standard EJTAG with IR length 5 (or 7 for some
models), so one needs to reexamine the chain.
I've tested this procedure on RT-N16 with OpenOCD and confirm I'm able
to communicate with the target properly, including halting, resuming
and reading memory, after performing this trick.
Special DIScredit for this information goes to some dd-wrt people,
specifically to "Lom" and "Tornado" who knew this for quite some time
but decided not to share it with anybody except some other proprietary
"usbbdm" vendor. Shame on them!
[1] https://github.com/RMerl/asuswrt-merlin/blob/f9c2e38eba437af5100faa186b874284602a2efb/release/src-rt-6.x.4708/include/hndjtagdefs.h
--
Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
mailto:***@gmail.com
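Added example, not part of the original post and not OpenOCD's or UrJTAG's code: the LV-to-EJTAG switch described above expressed at the TMS/TDI level, so it can be replayed through any bit-bang JTAG adapter (or compared against what a tool actually clocks out) without first teaching that tool a 32-bit IR. The instruction values (0xfffffffe, 0x0143ff3a), the 32-bit IR and DR lengths and the Run-Test/Idle end state are taken from the post; the IEEE 1149.1 state names, the initial Test-Logic-Reset (which only resets the TAP controller, not the SoC) and the `clock(tms, tdi) -> tdo` adapter callback are my own assumptions.

```python
"""Generate the TMS/TDI vectors for the Broadcom "LV" -> EJTAG switch.

Added illustration, not code from the original post or from OpenOCD/UrJTAG.
"""
from collections import deque
from typing import Callable, List, Tuple

# IEEE 1149.1 TAP controller: state -> (next state on TMS=0, next state on TMS=1)
TAP_NEXT = {
    "RESET":     ("IDLE", "RESET"),
    "IDLE":      ("IDLE", "DRSELECT"),
    "DRSELECT":  ("DRCAPTURE", "IRSELECT"),
    "DRCAPTURE": ("DRSHIFT", "DREXIT1"),
    "DRSHIFT":   ("DRSHIFT", "DREXIT1"),
    "DREXIT1":   ("DRPAUSE", "DRUPDATE"),
    "DRPAUSE":   ("DRPAUSE", "DREXIT2"),
    "DREXIT2":   ("DRSHIFT", "DRUPDATE"),
    "DRUPDATE":  ("IDLE", "DRSELECT"),
    "IRSELECT":  ("IRCAPTURE", "RESET"),
    "IRCAPTURE": ("IRSHIFT", "IREXIT1"),
    "IRSHIFT":   ("IRSHIFT", "IREXIT1"),
    "IREXIT1":   ("IRPAUSE", "IRUPDATE"),
    "IRPAUSE":   ("IRPAUSE", "IREXIT2"),
    "IREXIT2":   ("IRSHIFT", "IRUPDATE"),
    "IRUPDATE":  ("IDLE", "DRSELECT"),
}

Vector = Tuple[int, int]  # (TMS, TDI) driven during one TCK cycle

# Values from the post / hndjtagdefs.h; the LV-mode IR is 32 bits wide.
LV_IRLEN = 32
LV_IR_READ_IDCODE = 0xFFFFFFFE
LV_IR_SWITCH_EJTAG = 0x0143FF3A


def tms_path(src: str, dst: str) -> List[int]:
    """Shortest TMS sequence from src to dst (BFS over the 16-state TAP graph)."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        state = queue.popleft()
        if state == dst:
            break
        for tms in (0, 1):
            nxt = TAP_NEXT[state][tms]
            if nxt not in prev:
                prev[nxt] = (state, tms)
                queue.append(nxt)
    bits: List[int] = []
    state = dst
    while state != src:
        state, tms = prev[state]
        bits.append(tms)
    return bits[::-1]


class TapWalker:
    """Tracks the TAP state and records one (TMS, TDI) pair per TCK cycle."""

    def __init__(self) -> None:
        self.state = "RESET"
        self.vectors: List[Vector] = []

    def clock(self, tms: int, tdi: int = 0) -> None:
        self.vectors.append((tms, tdi))
        self.state = TAP_NEXT[self.state][tms]

    def goto(self, dst: str) -> None:
        for tms in tms_path(self.state, dst):
            self.clock(tms)

    def reset(self) -> None:
        for _ in range(5):  # five TMS=1 clocks reach Test-Logic-Reset from any state
            self.clock(1)

    def _shift(self, shift_state: str, value: int, nbits: int, endstate: str) -> int:
        """Shift `value` LSB-first through IR or DR; returns the index of the first data vector."""
        self.goto(shift_state)
        first = len(self.vectors)
        for i in range(nbits):
            # TMS=1 on the final bit clocks that bit in and moves to Exit1-xR in one cycle
            self.clock(1 if i == nbits - 1 else 0, (value >> i) & 1)
        self.goto(endstate)
        return first

    def shift_ir(self, value: int, nbits: int, endstate: str = "IDLE") -> int:
        return self._shift("IRSHIFT", value, nbits, endstate)

    def shift_dr(self, value: int, nbits: int, endstate: str = "IDLE") -> int:
        return self._shift("DRSHIFT", value, nbits, endstate)


def lv_idcode_read() -> Tuple[List[Vector], slice]:
    """IR <- 0xfffffffe, then a 32-bit DR scan. The returned slice selects the TDO
    samples (LSB first) that carry the IDCODE while the TAP is still in LV mode."""
    w = TapWalker()
    w.reset()
    w.shift_ir(LV_IR_READ_IDCODE, LV_IRLEN)
    first = w.shift_dr(0, 32)
    return w.vectors, slice(first, first + 32)


def lv_to_ejtag() -> List[Vector]:
    """Steps 1-2 of the post: IR <- 0x0143ff3a (32-bit DR), DR <- 1, end in Run-Test/Idle.
    After replaying this the TAP speaks standard EJTAG (IR length 5 or 7 depending on
    the part), so the caller must re-examine the chain with the new IR length."""
    w = TapWalker()
    w.reset()
    w.shift_ir(LV_IR_SWITCH_EJTAG, LV_IRLEN, "IDLE")
    w.shift_dr(1, 32, "IDLE")
    assert w.state == "IDLE"
    return w.vectors


def replay(vectors: List[Vector], clock: Callable[[int, int], int]) -> List[int]:
    """Drive vectors through an adapter. `clock(tms, tdi)` (caller-supplied, adapter
    specific) must set TMS/TDI, pulse TCK once and return the TDO bit sampled that cycle."""
    return [clock(tms, tdi) for tms, tdi in vectors]


def word_from_bits(bits: List[int]) -> int:
    """Reassemble LSB-first shifted bits into an integer."""
    return sum(b << i for i, b in enumerate(bits))


if __name__ == "__main__":
    vecs = lv_to_ejtag()
    print(f"{len(vecs)} TCK cycles (TMS,TDI per cycle):")
    print(" ".join(f"{tms}{tdi}" for tms, tdi in vecs))
```

To use it on hardware, wrap your adapter's pin functions in a `clock(tms, tdi)` callable, run `replay(*lv_idcode_read()[:1], clock)` and decode the IDCODE with `word_from_bits(tdo[sl])` to confirm you are talking to an LV-mode TAP, then replay `lv_to_ejtag()` and hand the (now 5- or 7-bit IR) chain to your normal EJTAG tooling.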