When the bootloader enables the WDT it also sets the freeze bit in the WDT control register, which prevents the register being changed; the only way to clear this is a reset. Possibly the BIOS could be patched to not set the freeze bit and the patched version programmed by JTAG to give a box that can have the WDT disabled just after the CPU is halted, but I never got as far as looking to see if/how you would flash the BIOS by JTAG, although it could probably be done. I also have no idea if the bootloader would check to see if the value in the WDT control register had been tampered with. That, and I'm not sure I'd want to dump 8 megs of flash with a wiggler; it would probably take a day or 2 lol, the wiggler is a very slow interface :)

It might also be possible to dump the NAND flash by allowing the emailer to reset, then writing a macro to set up the memory controller to map the NAND back into address space, then read the first 512 (????) byte page (just read the same address 512 times), then write to the chip to change page and continue to read the next page. But until I came across the emailer I had never heard of page mode flash, so the method of reading/writing/changing page completely boggled me, but it basically behaves like a SmartMedia card.

To read it in this manner would require some poking around the board to see how they are generating the signal for changing page rather than writing to flash. I guessed that they are either sitting the chip on 2 chip select lines (i.e. it would be mapped in 2 places) with one enabled for read/write and the other for reading/changing page, or it has only one chip select but with some of the address lines wired to the control signals, so for example a write to a memory address at the chip's lowest address would actually write to the chip while a write at the top of its mapped space would change the page. But this is just a random guess, I haven't really looked into it.

Oh, and apologies for hijacking the E3 mailing list with E2 stuff, but I hope some of it will be relevant; most ARM boards seem to be built in a similar manner.

en4rab
From: Ralph Corderoy <ralph@inputplus.co.uk>
Reply-To: e3-hacking@earth.li

Hi en4rab,

> If the E3 behaves like the E2 did it will have its WDT enabled and locked, so about 4 or 5 seconds after you halt the CPU the WDT will time out and reset the box.
Code to reset the watch-dog's timer writes 0x0000a5a5 to 0xffff8004.
    e3a0c9fe    mov r12, #&3f8000
    e24cc501    sub r12, r12, #&400000    # r12 = 0xffff8000 = WDT.
    e3a030a5    mov r3, #&a5
    e2833ca5    add r3, r3, #&a500        # r3 = 0xa5a5.
    e58c3004    str r3, [r12, #4]         # wdtcntr.
Presumably, something similar could be done with JTAG to disable the WDT completely?
Cheers,
Ralph.
-- 
en4rab@yahoo.com
-END OF TRANSMISSION-
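Added example (not code from the thread or from the E2/E3 firmware): a small decoder and interpreter for the five ARM words Ralph quoted, so you can check for yourself that the sequence stores 0xa5a5 to 0xffff8004, and see why the WDT base and the magic value each need two instructions. An ARM data-processing immediate is an 8-bit value rotated right by an even amount, and neither 0xffff8000 nor 0xa5a5 fits that, hence the mov/sub and mov/add pairs. This is also the arithmetic you need when hand-assembling a JTAG macro to kick or poke the WDT. Only the two instruction forms the sequence uses are handled, and registers are assumed to start at zero, which is an assumption made here for the simulation.

```python
"""Decode the quoted ARM words and replay them to see what the watchdog kick writes.

Added example for the e3-hacking thread; not the firmware's own code.  Handles only
the 'always' condition, data-processing with an immediate operand, and pre-indexed
ldr/str with an immediate offset, which is all the quoted sequence uses.
"""

MASK32 = 0xffffffff

# Constructed input: the five instruction words quoted in the thread.
WDT_KICK = [0xe3a0c9fe, 0xe24cc501, 0xe3a030a5, 0xe2833ca5, 0xe58c3004]

def ror32(value, shift):
    """Rotate a 32-bit value right by shift bits."""
    shift %= 32
    return ((value >> shift) | (value << (32 - shift))) & MASK32

def encode_imm(value):
    """Return (rotate, imm8) with ror32(imm8, 2*rotate) == value, or None when the
    value cannot be expressed as an 8-bit immediate rotated right by an even amount."""
    value &= MASK32
    for rot in range(16):
        imm8 = ror32(value, (32 - 2 * rot) % 32)   # undo the rotate (rotate left 2*rot)
        if imm8 <= 0xff:
            return rot, imm8
    return None

DP_OPS = {0x2: "sub", 0x4: "add", 0xd: "mov"}

def decode(word):
    """Decode one word into (mnemonic, rd, rn, operand).  rn is None for mov;
    operand is the rotated immediate for data processing or the offset for ldr/str."""
    if word >> 28 != 0xe:
        raise ValueError("only the 'always' condition is handled")
    cls = (word >> 25) & 7                  # bits 27..25 select the instruction class
    rn, rd = (word >> 16) & 0xf, (word >> 12) & 0xf
    if cls == 0b001:                        # data processing, immediate operand
        op = DP_OPS[(word >> 21) & 0xf]
        imm = ror32(word & 0xff, 2 * ((word >> 8) & 0xf))
        return (op, rd, None if op == "mov" else rn, imm)
    if cls == 0b010:                        # ldr/str, immediate offset
        if not (word >> 24) & 1 or (word >> 21) & 1:
            raise ValueError("only pre-indexed, no-writeback ldr/str is handled")
        op = "ldr" if (word >> 20) & 1 else "str"
        off = word & 0xfff
        if not (word >> 23) & 1:            # U bit clear: offset is subtracted
            off = -off
        return (op, rd, rn, off)
    raise ValueError(f"unhandled instruction {word:#010x}")

def fmt(word):
    """Render a decoded word in assembler syntax."""
    op, rd, rn, val = decode(word)
    if op == "mov":
        return f"mov r{rd}, #{val:#x}"
    if op in ("ldr", "str"):
        return f"{op} r{rd}, [r{rn}, #{val:#x}]"
    return f"{op} r{rd}, r{rn}, #{val:#x}"

def run(words):
    """Replay the sequence with every register zero (assumption) and return the
    list of (address, value) pairs it stores."""
    regs = [0] * 16
    stores = []
    for w in words:
        op, rd, rn, val = decode(w)
        if op == "mov":
            regs[rd] = val
        elif op == "add":
            regs[rd] = (regs[rn] + val) & MASK32
        elif op == "sub":
            regs[rd] = (regs[rn] - val) & MASK32
        elif op == "str":
            stores.append(((regs[rn] + val) & MASK32, regs[rd]))
        else:                               # ldr: no memory model, read as zero
            regs[rd] = 0
    return stores

if __name__ == "__main__":
    for w in WDT_KICK:
        print(f"{w:08x}  {fmt(w)}")
    print("stores:", [(hex(a), hex(v)) for a, v in run(WDT_KICK)])
    print("0xffff8000 as a single immediate:", encode_imm(0xffff8000))
    print("0xa5a5 as a single immediate:", encode_imm(0xa5a5))
```

Running it lists the five instructions, reports the single store of 0xa5a5 to 0xffff8004, and prints None for both 0xffff8000 and 0xa5a5, which is why the bootloader builds each in two steps. encode_imm is the piece to reuse when you want to assemble your own words for a JTAG macro.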