jtag flash dump dit9719

Started by 7.4, 04. Oct 2011, 21:11

previous topic - next topic
Go Down

7.4

Hi
I eventually got around to playing with this box.  I used a xeloa type jtag interface and I patched FLAPs1.4.exe ( a branch of wrt54g) to include the SMP8634 cpu.

It all works fine but when I try to dump 1 meg of flash starting at 0x1FC00000 I only get the first 64K dumped correctly.  Everything after 0x1FC10000 is all 00 00 00....
Is this read protected?  The first 64K is identical to Mick's bootloader.bin so I'm confident the interface is working correctly.

This is a short version my output from 0x1FC10000

Code: [Select]

BTVJTAG>flaps  -backup:custom  /instrlen:5 /fc:01
/window:1FC00000 /start:1FC10000 /length:00000100  /notimestamp /xeloa

=====================================================
    FLAPS MIPS EJTAG Flash Utility probes-v1.4
    Patched for BT Vision DiT9719   by 007.4
=====================================================

   Waiting 1 second..

Selected  port  = 0x0378

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00001000011000110000000000000001 (08630001)
*** Found a SigmaDesigns SMP8634 Rev A CPU chip ***

  - EJTAG IMPCODE ............... : 01000000010000010100000000000000 (40414000)
  - EJTAG Version ............... : 2.6
  - EJTAG Implementation flags .. : R4k ASID_8 MIPS16 NoDMA MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Init PrAcc ... Done
Clearing Watchdog ... Done
Done

Flash Vendor ID: 00000000000000000000000000000000 (00000000)
Flash Device ID: 00000000000000000000000000000000 (00000000)
    - Flash Chip Window Start .... : 1fc00000
    - Flash Chip Window Length ... : 00100000
    - Selected Area Start ........ : 1fc10000
    - Selected Area Length ....... : 00000100

*** Manually Selected a MX29LV800BTC 512kx16 TopB  (1MB) Flash Chip ***

*** You Selected to Backup the CUSTOM.BIN ***

=========================
Backup Routine Started
=========================

Saving CUSTOM.BIN.SAVED to Disk...
[  1% Backed Up]   1fc10000: 00000000 00000000 00000000 00000000
[  7% Backed Up]   1fc10010: 00000000 00000000 00000000 00000000
[ 14% Backed Up]   1fc10020: 00000000 00000000 00000000 00000000
[ 20% Backed Up]   1fc10030: 00000000 00000000 00000000 00000000
[ 26% Backed Up]   1fc10040: 00000000 00000000 00000000 00000000
[ 32% Backed Up]   1fc10050: 00000000 00000000 00000000 00000000
[ 39% Backed Up]   1fc10060: 00000000 00000000 00000000 00000000
[ 45% Backed Up]   1fc10070: 00000000 00000000 00000000 00000000
[ 51% Backed Up]   1fc10080: 00000000 00000000 00000000 00000000
[ 57% Backed Up]   1fc10090: 00000000 00000000 00000000 00000000
[ 64% Backed Up]   1fc100a0: 00000000 00000000 00000000 00000000
[ 70% Backed Up]   1fc100b0: 00000000 00000000 00000000 00000000
[ 76% Backed Up]   1fc100c0: 00000000 00000000 00000000 00000000
[ 82% Backed Up]   1fc100d0: 00000000 00000000 00000000 00000000
[ 89% Backed Up]   1fc100e0: 00000000 00000000 00000000 00000000
[ 95% Backed Up]   1fc100f0: 00000000 00000000 00000000 00000000
Done  (CUSTOM.BIN.SAVED saved to Disk OK)

bytes written: 256
=========================
Backup Routine Complete
=========================
elapsed time: 0 seconds


*** REQUESTED OPERATION IS COMPLETE ***


Also I have to manually select the flash chip.  Anyone know why it is not correctly identified?

Help please!

Cheers
007.4

merkin

#1
06. Oct 2011, 02:30 Last Edit: 06. Oct 2011, 02:37 by merkin


It all works fine but when I try to dump 1 meg of flash starting at 0x1FC00000 I only get the first 64K dumped correctly.  Everything after 0x1FC10000 is all 00 00 00....
Is this read protected?  The first 64K is identical to Mick's bootloader.bin so I'm confident the interface is working correctly.

This is a short version my output from 0x1FC10000

Code: [Select]

BTVJTAG>flaps  -backup:custom  /instrlen:5 /fc:01
/window:1FC00000 /start:1FC10000 /length:00000100  /notimestamp /xeloa

=====================================================
    FLAPS MIPS EJTAG Flash Utility probes-v1.4
    Patched for BT Vision DiT9719   by 007.4
=====================================================

   Waiting 1 second..

Selected  port  = 0x0378

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00001000011000110000000000000001 (08630001)
*** Found a SigmaDesigns SMP8634 Rev A CPU chip ***

  - EJTAG IMPCODE ............... : 01000000010000010100000000000000 (40414000)
  - EJTAG Version ............... : 2.6
  - EJTAG Implementation flags .. : R4k ASID_8 MIPS16 NoDMA MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Init PrAcc ... Done
Clearing Watchdog ... Done
Done

Flash Vendor ID: 00000000000000000000000000000000 (00000000)
Flash Device ID: 00000000000000000000000000000000 (00000000)
    - Flash Chip Window Start .... : 1fc00000
    - Flash Chip Window Length ... : 00100000
    - Selected Area Start ........ : 1fc10000
    - Selected Area Length ....... : 00000100

*** Manually Selected a MX29LV800BTC 512kx16 TopB  (1MB) Flash Chip ***

*** You Selected to Backup the CUSTOM.BIN ***

=========================
Backup Routine Started
=========================

Saving CUSTOM.BIN.SAVED to Disk...
[  1% Backed Up]   1fc10000: 00000000 00000000 00000000 00000000
[  7% Backed Up]   1fc10010: 00000000 00000000 00000000 00000000
[ 14% Backed Up]   1fc10020: 00000000 00000000 00000000 00000000
[ 20% Backed Up]   1fc10030: 00000000 00000000 00000000 00000000
[ 26% Backed Up]   1fc10040: 00000000 00000000 00000000 00000000
[ 32% Backed Up]   1fc10050: 00000000 00000000 00000000 00000000
[ 39% Backed Up]   1fc10060: 00000000 00000000 00000000 00000000
[ 45% Backed Up]   1fc10070: 00000000 00000000 00000000 00000000
[ 51% Backed Up]   1fc10080: 00000000 00000000 00000000 00000000
[ 57% Backed Up]   1fc10090: 00000000 00000000 00000000 00000000
[ 64% Backed Up]   1fc100a0: 00000000 00000000 00000000 00000000
[ 70% Backed Up]   1fc100b0: 00000000 00000000 00000000 00000000
[ 76% Backed Up]   1fc100c0: 00000000 00000000 00000000 00000000
[ 82% Backed Up]   1fc100d0: 00000000 00000000 00000000 00000000
[ 89% Backed Up]   1fc100e0: 00000000 00000000 00000000 00000000
[ 95% Backed Up]   1fc100f0: 00000000 00000000 00000000 00000000
Done  (CUSTOM.BIN.SAVED saved to Disk OK)

bytes written: 256
=========================
Backup Routine Complete
=========================
elapsed time: 0 seconds


*** REQUESTED OPERATION IS COMPLETE ***


Also I have to manually select the flash chip.  Anyone know why it is not correctly identified?

Help please!

Cheers
007.4


Not familiar with that hardware or flash utility.  Just curious, what speeds do you get over LPT port?
I made this http://www.t-hack.com/wiki/index.php/EJTAG and used this flash utility http://www.t-hack.com/wiki/index.php/Dump_X300T_Bootloader
to dump parts of the flash on my SMP8634 based box http://www.t-hack.com/forum/index.php?topic=859.0. 

Try that combo if possible.

Where exactly are you starting to read from?  Because you said starting at 0x1FC00000, but in the code section it says /start:1FC10000.  (I use the same value for "/window:" and "/start:", but admittedly I do not know what the "/window:" command even does.

Also the beginning of the Flash is always mapped to 0xac000000.  Try this tool also http://www.t-hack.com/wiki/index.php/Debrick_SMP863x_Device

Good Luck.

7.4

Hi
I've disconnected the jtag now and installed a modchip (I've got problems with that - I'll post about later!)

The FLAPS.exe is just a more recent version of wrt54g.exe with three jtag devices supported. It just needed some minor tweaking for the SMP8634  CPU chip.

It took about 18 minutes to dump 1meg.
I started at 0x1FC00000.  Up to 0x1FC10000 the dump was all OK, same as bootloader posted by Mick. After that it was all 00000....

It seems I should have set start at 0xAC000000 or dumped RAM to get the decrypted version. 
What is the RAM start address?

Thanks for your input.
007.4

7.4

I've now gone back to jtag as I cannot get the box to boot without the NR01 error enev though the modchip appears to be working.

I've dumped 1meg starting at 0xAC000000.  There are big sections very similar to the bootloader that Mick posted however my dump starts with this
Code: [Select]

AC000000h: 80 00 00 00 EE 07 8E 07 EB CB 74 89 5D 55 D5 1A ; €...î.Ž.ëËt‰]UÕ.
AC000010h: E7 85 45 D4 69 63 19 93 00 0D 78 2E 62 6F 6F 74 ; ç…EÔic."..x.boot
AC000020h: 00 00 80 00 00 00 0B 78 2E 64 73 00 40 00 01 00 ; ..€....x.ds.@...
AC000030h: 00 0F 78 2E 64 30 2E 63 66 67 00 BA 11 41 E3 00 ; ..x.d0.cfg.º.Aã.
AC000040h: 0F 78 2E 64 31 2E 63 66 67 00 BA 11 41 E3 00 0B ; .x.d1.cfg.º.Aã..
AC000050h: 78 2E 64 74 00 01 00 00 00 00 0C 78 2E 63 73 66 ; x.dt.......x.csf
AC000060h: 00 02 00 00 00 00 0E 78 2E 6C 32 72 7A 63 00 0C ; .......x.l2rzc..
AC000070h: 00 00 00 00 0D 78 2E 6C 32 78 7A 00 15 00 00 00 ; .....x.l2xz.....


whereas my dump starting at 0x1FC00000 was
Code: [Select]

1FC00000h: F0 00 00 00 63 B3 1A 3C 78 2C 5A 37 08 00 40 03 ; ð...c³.<x,Z7..@.
1FC00010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
1FC00020h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
1FC00030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
1FC00040h: 45 43 45 43 E4 3E 66 93 E4 3E 06 00 00 00 00 00 ; ECECä>f"ä>......


which is the same as Mick's bootloader.

What is the correct offset for the bootloader?

Thanks for any help.
007.4

7.4

I'll answer my own question.

I found the bootloader at 0x93600000.

007.4

Go Up