[E3-hacking] Re: E2 Watchdog timer
Mon, 21 Feb 2005 17:10:04 +0000
> > > If the E3 behaves like the E2 did it will have its WDT enabled and
> > > locked so about 4 or 5 seconds after you halt the CPU the WDT
> > > will time out and reset the box
> > Code to reset the watch-dog's timer writes 0x0000a5a5 to 0xffff8004.
> > e3a0c9fe mov r12, #&3f8000
> > e24cc501 sub r12, r12, #&400000 # r12 = 0xffff8000 = WDT.
> > e3a030a5 mov r3, #&a5
> > e2833ca5 add r3, r3, #&a500 # r3 = 0xa5a5.
> > e58c3004 str r3, [r12, #4] # wdtcntr.
> > Presumably, something similar could be done with JTAG to disable the
> > WDT completely?
> Yes, possibly a macro could be written for Macraigor's OCD debug to
> periodically write 0xa5a5 to the watchdog counter reset register
> in between commands to read other bits of memory, but it would be a
> tedious way to do things.
Agreed, I was suggesting executing with JTAG a few instructions similar
to those above once to disable the WDT. Untried:
e3a099fe mov r9, #&3f8000 # r9 = 0x3f8000
e2499501 sub r9, r9, #&400000 # r9 = 0xffff8000 (WDTCTRL)
e3a00066 mov r0, #&66 # r0 = 0x66
e5c90000 strb r0, [r9, #0] # WDTCTRL = 0x66 disable reset 2^29
> From what I recall the watchdog timer can't be disabled completely as
> when the bootloader enables the WDT it also sets the freeze bit in the
> WDT control register which prevents the register being changed, the
> only way to clear this is a reset.
The LH79531 WDT does have a `freeze' bit, but apparently the PBL doesn't
set it. Here are the various constants.
addr ffff8000 WDTCTRL
value 01 01 enable
value 06 00 fiqintr
value 06 02 reserved
value 06 04 reserved
value 06 06 reset
value 08 08 freeze
value 70 00 2^21
value 70 10 2^22
value 70 20 2^23
value 70 30 2^24
value 70 40 2^25
value 70 50 2^26
value 70 60 2^29
value 70 70 2^31
addr ffff8004 WDTCNTR
value ffff a5a5 wakeup
There are two writes that are said to be in the E2 PBL.
0298 e5c90000 strb r0, [r9, #0] # WDTCTRL = 0x67 enable reset 2^29
7c78 e5c01000 strb r1, [r0, #0] # WDTCTRL = 0x7 enable reset 2^21
The first is soon after power-up. The second is in a routine that's
called to reset the E2; it shortens the time down to 2^21 and then
enters a never-ending loop waiting for the WDT to kick in and reset.
Perhaps there are others that do enable freeze, but I'm not aware of
anyone finding them.
> Possibly the BIOS could be patched to not set the freeze bit and the
> patched version programmed by JTAG to give a box that can have the WDT
> disabled just after the CPU is halted, but I never got as far as
> looking to see if/how you would flash the BIOS by JTAG, although it
> could probably be done.
The NOR boot flash is erased in one go to 0xff and then bytes are
re-programmed to clear bits AIUI.
> That and I'm not sure I'd want to dump 8 megs of flash with a Wiggler,
> it would probably take a day or 2 lol, the Wiggler is a very slow
> interface :)
Amstrad use the EXP port to install their latest software when the units
arrive in the factory with PBL already on them. They can also update
the software if it changes before the units are shipped. I think with
JTAG you often use it to load a small program into RAM that you then
execute to ship lots of bytes around. It uses a faster link, e.g. EXP,
> It might also be possible to dump the NAND flash by allowing the
> emailer to reset, then writing a macro to set up the memory controller
> to map the NAND back into address space, then read the first 512 (????)
> byte page (just read the same address 512 times), then write to the
> chip to change page and continue to read the next page, but until I
> came across the emailer I had never heard of page mode flash so the
> method of reading/writing/changing page completely boggled me, but it
> basically behaves like a SmartMedia card.
I don't know how a SmartMedia card behaves. :-) But someone who knows
explained that once you write the appropriate Read command the NAND
flash will cycle through all the bytes, right on up to the end, on each
Read Enable strobe. The PDF linked from my web pages does make sense
with a bit of study.
> To read it in this manner would require some poking around the board
> to see how they are generating the signal for changing page rather
> than writing to flash. I guessed that they are either sitting the chip
> on 2 chip-select lines (i.e. it would be mapped in 2 places) with one
> enabled for read/write and the other for reading/changing page, or it
> has only one chip select but with some of the address lines wired to
> the control signals, so for example a write to a memory address at the
> chip's lowest address would actually write to the chip while a write at
> the top of its mapped space would change the page, but this is just a
> random guess, I haven't really looked into it.
Hmm. Can't vouch for the accuracy of any of this. It'll make sense
with the above mentioned PDF.
addr a0002005 nand_control
value 01 unk01
value 02 unk02
value 04 unk04
value 08 re
value 10 unk10
value 20 we
value 40 ale
value 80 cle
addr a0002006 nand_data
value ff 00 read_1_1
value ff 01 read_1_2
value ff 10 page_program_c2
value ff 50 read_2
value ff 60 block_erase_c1
value ff 70 read_status
value ff 80 page_program_c1
value ff 90 read_id
value ff d0 block_erase_c2
value ff ff reset
addr a0002007 nand_status
value 01 busy
> Oh and apologies for hijacking the E3 mailing list with E2 stuff but I
> hope some of it will be relevant, most ARM boards seem to be built in
> a similar manner.
I asked Jonathan early on, I don't think he minds. And the PBL is
common between the two.
Have you studied the voltages coming out of the three EXP wires on the
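As an added illustration (not code from this post or from anyone on the list), the Python below decodes WDTCTRL bytes using the mask/value table quoted above, recovers the rotated immediates behind the listed mov/sub/add encodings so the `# r12 = 0xffff8000` style comments can be checked, and models the freeze-bit behaviour described in the thread; the function and class names are my own.

```python
# Added example: check the WDTCTRL constants and ARM immediates from the thread.
# Masks/values come from the post; the freeze-bit model is an assumption
# drawn from the description "prevents the register being changed".

# WDTCTRL bits 6:4 -> timeout as a power of two (table in the post).
TIMEOUT_EXP = {0x00: 21, 0x10: 22, 0x20: 23, 0x30: 24,
               0x40: 25, 0x50: 26, 0x60: 29, 0x70: 31}

def decode_wdtctrl(val):
    """Split a WDTCTRL byte into its named fields."""
    mode = val & 0x06           # 00 fiqintr, 02/04 reserved, 06 reset
    return {
        "enable": bool(val & 0x01),
        "reset": mode == 0x06,
        "fiqintr": mode == 0x00,
        "freeze": bool(val & 0x08),
        "timeout_pow2": TIMEOUT_EXP[val & 0x70],
    }

def arm_dp_immediate(word):
    """Recover the immediate of an ARM data-processing instruction with an
    immediate operand: bits 11:8 hold rotate/2, bits 7:0 hold imm8, and the
    value is imm8 rotated right by 2*rotate within 32 bits."""
    rot = ((word >> 8) & 0xF) * 2
    imm8 = word & 0xFF
    return ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF

def wdt_base_address():
    """Reproduce the r12/r9 computation: mov #&3f8000 then sub #&400000."""
    mov_imm = arm_dp_immediate(0xE3A0C9FE)
    sub_imm = arm_dp_immediate(0xE24CC501)
    return (mov_imm - sub_imm) & 0xFFFFFFFF      # expected 0xffff8000

class WdtCtrl:
    """Hypothetical model of the register: once the freeze bit (0x08) is
    set, later writes are dropped until a hardware reset clears it."""
    def __init__(self):
        self.value = 0

    def write(self, byte):
        if self.value & 0x08:
            return False                           # frozen: write ignored
        self.value = byte & 0xFF
        return True
```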