Hi en4rab,
If the E3 behaves like the E2 did it will have its WDT enabled and locked, so about 4 or 5 seconds after you halt the CPU the WDT will time out and reset the box.
Code to reset the watch-dog's timer writes 0x0000a5a5 to 0xffff8004.
    e3a0c9fe    mov r12, #&3f8000
    e24cc501    sub r12, r12, #&400000  # r12 = 0xffff8000 = WDT.
    e3a030a5    mov r3, #&a5
    e2833ca5    add r3, r3, #&a500      # r3 = 0xa5a5.
    e58c3004    str r3, [r12, #4]       # wdtcntr.
Presumably, something similar could be done with JTAG to disable the WDT completely?
Yes, possibly a macro could be written for Macraigor's OCD debug to periodically write 0xa5a5 to the watchdog counter reset register in between commands to read other bits of memory, but it would be a tedious way to do things.
Agreed, I was suggesting executing with JTAG a few instructions similar to those above once to disable the WDT. Untried:
    e3a099fe    mov r9, #&3f8000        # r9 = 0x3f8000
    e2499501    sub r9, r9, #&400000    # r9 = 0xffff8000 (WDTCTRL)
    e3a00066    mov r0, #&66            # r0 = 0x66
    e5c90000    strb r0, [r9, #0]       # WDTCTRL = 0x66 disable reset 2^29
From what I recall the watchdog timer can't be disabled completely, as when the bootloader enables the WDT it also sets the freeze bit in the WDT control register which prevents the register being changed; the only way to clear this is a reset.
The LH79531 WDT does have a `freeze' bit, but apparently the PBL doesn't set them. Here's the various constants.
    addr ffff8000 WDTCTRL
        value 01 01 enable
        value 06 00 fiqintr
        value 06 02 reserved
        value 06 04 reserved
        value 06 06 reset
        value 08 08 freeze
        value 70 00 2^21
        value 70 10 2^22
        value 70 20 2^23
        value 70 30 2^24
        value 70 40 2^25
        value 70 50 2^26
        value 70 60 2^29
        value 70 70 2^31
    addr ffff8004 WDTCNTR
        value ffff a5a5 wakeup
There's two writes that are said to be in the E2 PBL.
    0298    e5c90000    strb r0, [r9, #0]   # WDTCTRL = 0x67 enable reset 2^29
    7c78    e5c01000    strb r1, [r0, #0]   # WDTCTRL = 0x7 enable reset 2^21
The first is soon after power-up. The second is in a routine that's called to reset the E2; it shortens the time down to 2^21 and then enters a never-ending loop waiting for the WDT to kick in and reset.
Perhaps there are others that do enable freeze, but I'm not aware of anyone finding them.
Possibly the BIOS could be patched to not set the freeze bit and the patched version programmed by JTAG to give a box that can have the WDT disabled just after the CPU is halted, but I never got as far as looking to see if/how you would flash the BIOS by JTAG, although it could probably be done.
The NOR boot flash is erased in one go to 0xff and then bytes are re-programmed to clear bits AIUI.
That and I'm not sure I'd want to dump 8 megs of flash with a wiggler, it would probably take a day or 2 lol, the wiggler is a very slow interface :)
Amstrad use the EXP port to install their latest software when the units arrive in the factory with PBL already on them. They can also update the software if it changes before the units are shipped. I think with JTAG you often use it to load a small program into RAM that you then execute to ship lots of bytes around. It uses a faster link, e.g. EXP, to communicate.
It might also be possible to dump the NAND flash by allowing the emailer to reset then writing a macro to set up the memory controller to map the NAND back into address space then read the first 512 (????) byte page (just read the same address 512 times) then write to the chip to change page and continue to read the next page, but until I came across the emailer I had never heard of page mode flash so the method of reading/writing/changing page completely boggled me, but it basically behaves like a SmartMedia card.
I don't know how a SmartMedia card behaves. :-) But someone who knows explained that once you write the appropriate Read command the NAND flash will cycle through all the bytes, right on up to the end, on each Read Enable strobe. The PDF linked from my web pages does make sense with a bit of study.
To read it in this manner would require some poking around the board to see how they are generating the signal for changing page rather than writing to flash. I guessed that they are either sitting the chip on 2 chip select lines (i.e. it would be mapped in 2 places) with one enabled for read/write and the other for reading/changing page, or it has only one chip select but with some of the address lines wired to the control signals, so for example a write to a memory address at the chip's lowest address would actually write to the chip while a write at the top of its mapped space would change the page, but this is just a random guess, I haven't really looked into it.
Hmm. Can't vouch for the accuracy of any of this. It'll make sense with the above mentioned PDF.
    addr a0002005 nand_control
        value 01 unk01
        value 02 unk02
        value 04 unk04
        value 08 re
        value 10 unk10
        value 20 we
        value 40 ale
        value 80 cle
    addr a0002006 nand_data
        value ff 00 read_1_1
        value ff 01 read_1_2
        value ff 10 page_program_c2
        value ff 50 read_2
        value ff 60 block_erase_c1
        value ff 70 read_status
        value ff 80 page_program_c1
        value ff 90 read_id
        value ff d0 block_erase_c2
        value ff ff reset
    addr a0002007 nand_status
        value 01 busy
Oh and apologies for hijacking the E3 mailing list with E2 stuff but I hope some of it will be relevant, most ARM boards seem to be built in a similar manner.
I asked Jonathan early on, I don't think he minds. And the PBL is common between the two.
Have you studied the voltages coming out of the three EXP wires on the E2?
Cheers,
Ralph.
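
[Added example, not part of the original message or of anyone's firmware: a small C decoder that applies the WDTCTRL mask/value table above to the three bytes quoted in the thread (0x67, 0x07, 0x66) and checks the rotated immediates in the quoted ARM words. The struct and function names are made up for illustration.]

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout from the WDTCTRL constants in the message:
 * mask 01 enable, mask 06 response, mask 08 freeze, mask 70 timeout. */
struct wdtctrl {            /* hypothetical name, for illustration only */
    int enable;
    int freeze;
    const char *response;   /* fiqintr / reserved / reset */
    unsigned timeout_log2;  /* timeout is 2^timeout_log2 */
};

static const char *const RESPONSE[4] = { "fiqintr", "reserved", "reserved", "reset" };
static const unsigned TIMEOUT_LOG2[8] = { 21, 22, 23, 24, 25, 26, 29, 31 };

struct wdtctrl wdtctrl_decode(uint8_t v)
{
    struct wdtctrl d;
    d.enable = (v & 0x01) != 0;
    d.response = RESPONSE[(v & 0x06) >> 1];
    d.freeze = (v & 0x08) != 0;
    d.timeout_log2 = TIMEOUT_LOG2[(v & 0x70) >> 4];
    return d;
}

/* Immediate operand of an ARM data-processing instruction:
 * an 8-bit value rotated right by twice the 4-bit rotate field. */
uint32_t arm_dp_imm(uint32_t insn)
{
    uint32_t imm8 = insn & 0xff;
    unsigned rot = ((insn >> 8) & 0xf) * 2;
    return rot ? (imm8 >> rot) | (imm8 << (32 - rot)) : imm8;
}

int main(void)
{
    /* Bytes quoted in the message: the two PBL writes and the untried disable. */
    const uint8_t samples[] = { 0x67, 0x07, 0x66 };
    for (size_t i = 0; i < sizeof samples; i++) {
        struct wdtctrl d = wdtctrl_decode(samples[i]);
        printf("WDTCTRL=0x%02x enable=%d response=%s freeze=%d timeout=2^%u\n",
               (unsigned)samples[i], d.enable, d.response, d.freeze, d.timeout_log2);
    }
    /* mov #&3f8000 then sub #&400000 wraps to the WDT base address. */
    printf("WDT base = 0x%08x\n",
           (unsigned)(arm_dp_imm(0xe3a0c9fe) - arm_dp_imm(0xe24cc501)));
    return 0;
}
```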