[E3-hacking] Re: E2 PBL bios dump.

en4rab e3-hacking@earth.li
Tue, 8 Feb 2005 07:07:41 -0800 (PST) 

I have sent otaku a copy of the bios dump i made from my E2 emailer.
I also had an idea for recovery of the bios of the E3, has anyone yet
worked out if the Jtag port of the CPU in the E3 is taken to a usable
header on the e3's board.
According to the datasheet for the e3's cpu the jtag pins are at
locations U15, U16, U17, T14 and R13 (the jtag signals are called
(nTrst, TDO, TDI, TMS and TCK off hand i cant rember which pin is which)

If these pins are routed to a suitable set of test points it should be
relatively easy (if time consuming) to dump the bios of the E3 using an
inexpensive (£10ish) wiggler type jtag interface.
This site has details of how to build a cheap wiggler compatible
buffered jtag lead, http://jtag-arm9.sourceforge.net/ , however there
are several places selling these interface for around a tenner (although
these dont include the transistor for control of the nTrst line) since
jtag leads have just become a popular way to read data off some other UK
equipment.

Dumping of the bootloader could then be done using either macraigors ,
http://www.macraigor.com/ , flashprog (the demo will read but not write
the flash) or the long winded  method using ocd commander and a macro to
read each byte then converting the log of this macro to a binary file
(which was how I dumped the E2 bios as i hadnt sussed flashprog :)

If the E3 behaves like the E2 did it will have its WDT enabled and
locked  so about 4 or 5 seconds after you halt the CPU the WDT will time
out and reset the box, this resulted in the memory controller being in
its boot up state with the bios (on chip select 0) being mapped throught
the whole of memory, reading past the end of the bios chip just looped
back to the beginning of the chip.
Because the WDT was enabled I was unable to get a dump of the ram from a
running box so i couldnt recover the uncompressed firmware image from
ram.
I am interested in getting an E3 to play with but unfortunately time and
money are not on my side at the moment, but if i do i will look at
dumping the E3 bios too (and ram if WDT is not enabled)
Just a word of warning, dont use a jtag interface that doesnt have a
74hc244 or ac244 chip as i dont think arm cores are 5v tolerant so the
simple resistor based jtag leads may well kill the CPU.

I think the jtag interface from tailor-madecircuits,
http://www.tailor-madecircuits.com/jtag_interface.htm , should work for
dumping the bios but it doesnt have the nTrst circuitry, but I think it
will work, but be warned TMC have had a run on these so there is a bit
of a delay on them.

Obviously all of this will only be of use if the jtag signals have been
routed to somewhere usefull on the E3's board.

en4rab

=====
--
|     .-.   en4rab@yahoo.com
|    /   \         .-.
|   /     \       /   \       .-.     .-.     _   _
+--/-------\-----/-----\-----/---\---/---\---/-\-/-\/\/---
| /         \   /       \   /     '-'     '-'
|/           '-'         '-'  -END OF TRANSMISSION-


		
__________________________________ 
Do you Yahoo!? 
Take Yahoo! Mail with you! Get it on your mobile phone. 
http://mobile.yahoo.com/maildemo