[E3-hacking] Re: E2 Watchdog timer

en4rab e3-hacking@earth.li
Sat, 12 Feb 2005 02:23:37 -0800 (PST)


Yes, possibly a macro could be written for Macraigor's OCD debug to
periodically write 0xa5a5 to the watchdog counter reset register
in between commands to read other bits of memory, but it would be a
tedious way to do things.
From what I recall the watchdog timer can't be disabled completely, as
when the bootloader enables the WDT it also sets the freeze bit in the
WDT control register, which prevents the register being changed; the only
way to clear this is a reset.
Possibly the BIOS could be patched to not set the freeze bit and the
patched version programmed by JTAG to give a box that can have the WDT
disabled just after the CPU is halted, but I never got as far as looking
to see if/how you would flash the BIOS by JTAG, although it could
probably be done.
I also have no idea if the bootloader would check to see if the value in
the WDT controller register had been tampered with.
That and I'm not sure I'd want to dump 8 megs of flash with a wiggler; it
would probably take a day or 2 lol, the wiggler is a very slow interface
:)
It might also be possible to dump the NAND flash by allowing the emailer
to reset, then writing a macro to set up the memory controller to map the
NAND back into address space, then read the first 512 (????) byte page
(just read the same address 512 times), then write to the chip to change
page and continue to read the next page, but until I came across the
emailer I had never heard of page mode flash so the method of
reading/writing/changing page completely boggled me, but it basically
behaves like a SmartMedia card.
To read it in this manner would require some poking around the board to
see how they are generating the signal for changing page rather than
writing to flash. I guessed that they are either sitting the chip on 2
chipselect lines (ie it would be mapped in 2 places) with one enabled
for read/write and the other for reading/changing page, or it has only
one chip select but with some of the address lines wired to the control
signals, so for example a write to a memory address at the chip's lowest
address would actually write to the chip while a write at the top of its
mapped space would change the page, but this is just a random guess, I
haven't really looked into it.

Oh and apologies for hijacking the E3 mailing list with E2 stuff but I
hope some of it will be relevant, most ARM boards seem to be built in a
similar manner.
en4rab



> From: Ralph Corderoy <ralph@inputplus.co.uk>
> Reply-To: e3-hacking@earth.li
> 
> 
> Hi en4rab,
> 
> > If the E3 behaves like the E2 did it will have its WDT enabled and
> > locked  so about 4 or 5 seconds after you halt the CPU the WDT will
> > time out and reset the box
> 
> Code to reset the watch-dog's timer writes 0x0000a5a5 to 0xffff8004.
> 
>     e3a0c9fe  mov r12, #&3f8000
>     e24cc501  sub r12, r12, #&400000     # r12 = 0xffff8000 = WDT.
>     e3a030a5  mov r3, #&a5
>     e2833ca5  add r3, r3, #&a500         # r3 = 0xa5a5.
>     e58c3004  str r3, [r12, #4]          # wdtcntr.
> 
> Presumably, something similar could be done with JTAG to disable the
> WDT completely?
> 
> Cheers,
> 
> 
> Ralph.


=====
--
|     .-.   en4rab@yahoo.com
|    /   \         .-.
|   /     \       /   \       .-.     .-.     _   _
+--/-------\-----/-----\-----/---\---/---\---/-\-/-\/\/---
| /         \   /       \   /     '-'     '-'
|/           '-'         '-'  -END OF TRANSMISSION-
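
Added example, not part of the original thread: a small Python decoder for just the ARM encodings used by the five instruction words quoted above, confirming the register values given in the listing's comments and the final store of 0xa5a5 to 0xffff8004. The function and variable names are illustrative; only condition AL, MOV/ADD/SUB with an immediate operand, and STR with a positive immediate offset are handled, and flag updates are ignored.

```python
# Added example: tiny A32 decoder for the five instruction words quoted in the post.
WORDS = [0xe3a0c9fe, 0xe24cc501, 0xe3a030a5, 0xe2833ca5, 0xe58c3004]
MASK = 0xffffffff


def ror32(value, amount):
    """Rotate a 32-bit value right, as the ARM immediate encoding does."""
    amount %= 32
    return ((value >> amount) | (value << (32 - amount))) & MASK


def run(words):
    """Emulate the words in order; return (registers, [(address, value), ...])."""
    regs, stores = [0] * 16, []
    for w in words:
        if w >> 28 != 0xe:
            raise ValueError(f"{w:08x}: only condition AL is handled")
        rn, rd = (w >> 16) & 0xf, (w >> 12) & 0xf
        if (w >> 25) & 0b111 == 0b001:
            # Data processing with an 8-bit immediate rotated right by 2*rot.
            imm = ror32(w & 0xff, 2 * ((w >> 8) & 0xf))
            opcode = (w >> 21) & 0xf
            if opcode == 0b1101:      # MOV
                regs[rd] = imm
            elif opcode == 0b0100:    # ADD
                regs[rd] = (regs[rn] + imm) & MASK
            elif opcode == 0b0010:    # SUB
                regs[rd] = (regs[rn] - imm) & MASK
            else:
                raise ValueError(f"{w:08x}: opcode {opcode:#x} not handled")
        elif (w >> 20) & 0xff == 0x58:
            # STR Rd, [Rn, #+imm12]: word store, pre-indexed, no writeback.
            stores.append(((regs[rn] + (w & 0xfff)) & MASK, regs[rd]))
        else:
            raise ValueError(f"{w:08x}: encoding not handled")
    return regs, stores


if __name__ == "__main__":
    regs, stores = run(WORDS)
    print(f"r12 = {regs[12]:#010x}, r3 = {regs[3]:#06x}")
    for address, value in stores:
        print(f"str {value:#010x} -> [{address:#010x}]")
```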


		