[E3-hacking] E3 JTAG

Jonathan McDowell e3-hacking@earth.li
Tue, 19 Apr 2005 22:28:28 +0100 

On Tue, Apr 19, 2005 at 09:23:03PM +0100, Matt Evans wrote:
> Anyone worked out where/if (uhoh) the JTAG TAP is brought out to on
> the E3's motherboard?  Google won't tell me :(
> 
> (Failing that, has anyone got a broken one they could strip down &
> find out? ;)

I've no idea about the JTAG pinouts, but I have been working on trying
to figure out the E3 PBL (having bricked it by overwriting my kernel in
the NAND flash). I think I've almost figured out how to feed it a block
over the modem to execute - it looks like a Q;Q; as used in the actual
flash. Haven't actually worked out how to talk to it just over the EXP
port yet though. First time dealing with ARM disassembly. :(

Got a few functions marked up so far; is anyone else working on it who
has anything to share?

; FUNC: 0x00001744      setup_vectors()
; FUNC: 0x000018d8      change_processor_mode(r0, r1)
; FUNC: 0x0000206c      uart0_setbaud(r0)
; FUNC: 0x00002144      tx_uart0_char(r0)
; FUNC: 0x000021d4      tx_uart0_string(*r0)
; FUNC: 0x00002200      printf(r0, ...)
; FUNC: 0x0000a468      getkey()
; FUNC: 0x00011ddc      strcat(*r0, *r1)

Oh, and .c filename strings:

     7c4:       676f7250        db "ProgAppInit.c", 0, 0, 0
    1188:       2e687366        db "fsh.c", 0, 0, 0
    13e8:       70687366        db "fshprogi.c", 0, 0
    1494:       73687366        db "fshstart.c", 0, 0
    1ab4:       396d7261        db "arm9\cpuint.c", 0, 0, 0
    1d70:       2e776468        db "hdw.c", 0, 0, 0
    2138:       396d7261        db "arm9\dsi.c", 0, 0
    72dc:       746c6270        db "pbltask.c", 0, 0, 0
    77ec:       636c6270        db "pblconf.c", 0, 0, 0
    7a44:       646c6270        db "pbldecod.c", 0, 0
    8814:       726c6270        db "pblrersec.c", 0
    8e90:       756c6270        db "pblusrdev.c", 0
    9b04:       756c6270        db "pblusrerase.c", 0, 0, 0
    a240:       756c6270        db "pblusrkbd.c", 0
    a6a0:       756c6270        db "pblusrmod.c", 0, 0
    a884:       756c6270        db "pblusrmodem.c", 0, 0, 0
    b3f0:       756c6270        db "pblusrtransfer.c", 0 ,0, 0, 0
    b66c:       646d7978        db "xymdownload.c", 0, 0, 0
    c2b0:       6273666d        db "mfsblank.c", 0, 0
    c470:       6c73666d        db "mfslrc.c", 0, 0, 0, 0
    c7ec:       6d73666d        db "mfsmount.c", 0, 0
    ce34:       7273666d        db "mfsread.c", 0, 0, 0
    cf04:       6573666d        db "mfsextra.c", 0, 0
    d4ac:       6673666d        db "mfsformat.c", 0
    d8ec:       7273666d        db "mfsremap.c", 0, 0
    dd18:       72646664        db "dfdrdid.c", 0, 0, 0
    df30:       72646664        db "dfdread.c", 0, 0, 0
    e748:       65646664        db "dfderase.c", 0, 0
    efc8:       77646664        db "dfdwrite.c", 0, 0
    f9b8:       316d6168        db "ham1chk.c", 0, 0, 0
    fd2c:       72637a6c        db "lzcrw1_decompress.c", 0
    fd78:       2e6d6974        db "tim.c", 0, 0, 0
    fde8:       2e687366        db "fsh.c", 0, 0, 0
    ff48:       70687366        db "fshprogi.c", 0, 0
   10238:       65687366        db "fshedev.c", 0, 0, 0
   10314:       73687366        db "fshstart.c", 0, 0
   1072c:       396d7261        db "arm9\comdrv.c", 0, 0, 0
   107fc:       396d7261        db "arm9\comdrvp.c", 0, 0
   1091c:       396d7261        db "arm9\comdrvi.c", 0, 0
   110b4:       646d646d        db "mdmdrvi.c", 0, 0, 0
   11488:       646d646d        db "mdmdrvp.c", 0, 0, 0
   11898:       396d7261        db "arm9\cpuint.c", 0, 0, 0
   11ba8:       2e776468        db "hdw.c", 0, 0, 0
   1247c:       7773666d        db "mfswritebuff.c", 0, 0
   125fc:       6573666d        db "mfserase.c", 0, 0
   128fc:       7773666d        db "mfswrite.c", 0, 0

J.

-- 
Real Programmers don't drink decaf.
This .sig brought to you by the letter V and the number 42
Product of the Republic of HuggieTag