The JTAG (Joint Test Action Group) interface is used for testing printed circuit boards via boundary scan, for programming non-volatile memory, and for debugging the processor. The Broadcom BCM6348 chip, with its built-in MIPS32 4Kc CPU, uses an extended version of JTAG: EJTAG (Enhanced Joint Test Action Group).
The EJTAG interface on the D-Link DSL-2640U (the 8-pin header on the modem's PCB is labeled J7):
    Pin  Signal                     Voltage
    1    TDO  (Test Data Output)    3.306 V
    2    SRST (System Reset)        3.306 V
    3    TMS  (Test Mode Select)    3.292 V
    4    TDI  (Test Data Input)     3.294 V
    5    TCK  (Test Clock)          2.795 V
    6    TRST (Test Reset)          3.306 V
    7    GND  (Ground)              0 V
    8    n/a
The adapter circuit, connected to the LPT port, is the simplest one possible, built from resistors:
I made a cable (26 cm long) and connected the modem to the PC's LPT port:
I downloaded the EJTAG Debrick Utility Tornado-MOD. On Windows, I installed and started the GiveIO.sys driver (Control Panel -> Device Manager -> View -> Show hidden devices -> Non-Plug and Play Drivers -> giveio -> Properties -> Driver -> Status: Started).
To identify the CPU and FLASH memory type, run:
    C:\ejtag>tjtagv2 -probeonly
    ==========================================
     EJTAG Debrick Utility v2.1.4-Tornado-MOD
    ==========================================
    Probing bus ... Done
    Instruction Length set to 5
    CPU Chip ID: 00000110001101001000000101111111 (0634817F)
    *** Found a Broadcom BCM6348 Rev 1 CPU chip ***
        - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
        - EJTAG Version ....... : 1 or 2.0
        - EJTAG DMA Support ... : Yes
        - EJTAG Implementation flags: R4k MIPS32
    Issuing Processor / Peripheral Reset ... Done
    Enabling Memory Writes ... Done
    Halting Processor ... Processor did NOT enter Debug Mode! ... Done
    Clearing Watchdog ... Done
    Probing Flash at (Flash Window: 0x1fc00000) ... Done
    Flash Vendor ID: 00000000000000000000000011000010 (000000C2)
    Flash Device ID: 00000000000000000010001010101000 (000022A8)
    *** Found a MX29LV320B 2Mx16 BotB (4MB) Flash Chip ***
        - Flash Chip Window Start .... : 1fc00000
        - Flash Chip Window Length ... : 00400000
        - Selected Area Start ........ : 00000000
        - Selected Area Length ....... : 00000000
    *** REQUESTED OPERATION IS COMPLETE ***
The same utility on Linux:
    debian:/sbin# tjtag3 -probeonly
    ==============================================
     EJTAG Debrick Utility v3.0 RC1 Tornado-MOD
    ==============================================
    Failed to open /dev/parport0: No such file or directory
    debian:/sbin# dmesg | grep parport
    parport: PnPBIOS parport detected.
    parport0: PC-style at 0x378, irq 7 [PCSPP,TRISTATE,EPP]
    debian:/sbin# mknod /dev/parport0 c 99 0
    debian:/sbin# chmod a+rw /dev/parport0
    debian:/sbin# tjtag3 -probeonly
    ==============================================
     EJTAG Debrick Utility v3.0 RC1 Tornado-MOD
    ==============================================
    Probing bus ... Done
    Instruction Length set to 5
    CPU Chip ID: 00000110001101001000000101111111 (0634817F)
    *** Found a Broadcom BCM6348 Rev 1 CPU chip ***
        - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
        - EJTAG Version ....... : 1 or 2.0
        - EJTAG DMA Support ... : Yes
        - EJTAG Implementation flags: R4k MIPS32
    Issuing Processor / Peripheral Reset ... ECR: 0x00200100 Done
    Enabling Memory Writes ... Mem 0x2000001a Done
    Halting Processor ... 00000000001000001000000100000000 (00208100) 00000000001000000000000100000000 (00200100) Processor Entered Debug Mode! ... Done
    Clearing Watchdog ... Done
    Probing Flash at (Flash Window: 0x1fc00000) ... Done
    Flash Vendor ID: 00000000000000000000000011000010 (000000C2)
    Flash Device ID: 00000000000000000010001010101000 (000022A8)
    *** Found a MX29LV320B 2Mx16 BotB (4MB) Flash Chip ***
        - Flash Chip Window Start .... : 1fc00000
        - Flash Chip Window Length ... : 00400000
        - Selected Area Start ........ : 00000000
        - Selected Area Length ....... : 00000000
    *** REQUESTED OPERATION IS COMPLETE ***
    debian:/sbin#
Back up the 64K NVRAM area (the last, 71st block of FLASH memory):
    C:\ejtag>tjtagv2 -backup:nvram /noreset /bypass
    ....
    ....
    *** You Selected to Backup the NVRAM.BIN ***
    =========================
    Backup Routine Started
    =========================
    Saving NVRAM.BIN.SAVED_20081016_195648 to Disk...
    [ 0% Backed Up] 1fff0000: ffffffff ffffffff ffffffff ffffffff
    ....
    [ 99% Backed Up] 1ffffff0: ffffffff ffffffff ffffffff ffffffff
    Done (NVRAM.BIN.SAVED_20081016_195648 saved to Disk OK)
    bytes written: 65536
    =========================
    Backup Routine Complete
    =========================
    elapsed time: 23 seconds
    *** REQUESTED OPERATION IS COMPLETE ***
Erase the NVRAM area (fill every cell of the 71st block with FF "blanks"):
    C:\ejtag>tjtagv2 -erase:nvram /noreset /bypass
    ....
    ....
    *** You Selected to Erase the NVRAM.BIN ***
    =========================
    Erasing Routine Started
    =========================
    Total Blocks to Erase: 1
    Erasing block: 71 (addr = 1fff0000)...Done
    =========================
    Erasing Routine Complete
    =========================
    elapsed time: 0 seconds
    *** REQUESTED OPERATION IS COMPLETE ***
Write the NVRAM dump to FLASH memory from the NVRAM.BIN backup file:
    C:\ejtag>tjtagv2 -flash:nvram /noemw /bypass
    ....
    ....
    *** You Selected to Flash the NVRAM.BIN ***
    =========================
    Flashing Routine Started
    =========================
    Total Blocks to Erase: 1
    Erasing block: 71 (addr = 1fff0000)...Done
    Entered Unlock Bypass mode->
    Loading NVRAM.BIN to Flash Memory...
    [ 0% Flashed] 1fff0000: 00000000 00000000 00000000 00000000
    ....
    [ 99% Flashed] 1ffffff0: 00000000 00000000 00000000 00000000
    Done (NVRAM.BIN loaded into Flash Memory OK)
    =========================
    Flashing Routine Complete
    =========================
    elapsed time: 193 seconds
    *** REQUESTED OPERATION IS COMPLETE ***
In the same way, back up, erase, and write the other FLASH memory areas: CFE, kernel, FS (the custom option). Or use a dump of the entire FLASH memory (the wholeflash option).
An example of using the custom option. Back up the CFE (64K):
    C:\ejtag>tjtagv2 -backup:custom /start:1fc00000 /window:1fc00000 /length:10000 /noreset /bypass
    ....
    ....
    [ 99% Backed Up] 1fc0fff0: ffffffff ffffffff ffffffff ffffffff
    Done (CUSTOM.BIN.SAVED_20081016_034611 saved to Disk OK)
    bytes written: 65536
    =========================
    Backup Routine Complete
    =========================
    elapsed time: 175 seconds
A full FLASH memory dump with factory firmware v.3-06-04-1C00 for the D-Link DSL-2640U can be downloaded here (the file is compressed with 7-Zip).
All dumps are saved to disk in binary format with Big-Endian byte order within each word. For viewing and editing such files in a hex editor, it is more convenient to use the familiar Little-Endian byte order within each word.
A binary file can be converted from 32-bit Big-Endian to Little-Endian format with the byteswap utility (download the utility for Linux or Windows):
    # ./byteswap CFE.BIN cfe.bin
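What this conversion does to a dump, as an added example that is not the byteswap utility's own code: it reverses the bytes inside every 32-bit word, rejects a file whose length is not a whole number of words, and flags a block that is fully erased (all FF). The function names are hypothetical and the sample bytes are constructed.

```python
"""Added example: 32-bit byte-order conversion and sanity checks for a flash dump."""
import sys

WORD = 4              # the dumps on this page consist of 32-bit words
BLOCK_LEN = 0x10000   # 65536 bytes, the size tjtag reports for the NVRAM and CFE backups


def swap32(data: bytes) -> bytes:
    """Reverse the byte order inside every 32-bit word (big-endian <-> little-endian)."""
    if len(data) % WORD:
        raise ValueError(f"length {len(data)} is not a multiple of {WORD} bytes")
    out = bytearray(len(data))
    # Byte 0 of each word trades places with byte 3, byte 1 with byte 2.
    out[0::4], out[1::4] = data[3::4], data[2::4]
    out[2::4], out[3::4] = data[1::4], data[0::4]
    return bytes(out)


def is_erased(data: bytes) -> bool:
    """True when every byte is 0xFF, which is what an erased flash block reads as."""
    return len(data) > 0 and data.count(0xFF) == len(data)


def convert_file(src: str, dst: str, expected_len=None) -> int:
    """Check the size of src, write its word-swapped copy to dst, return bytes written."""
    with open(src, "rb") as fh:
        data = fh.read()
    if expected_len is not None and len(data) != expected_len:
        raise ValueError(f"{src}: {len(data)} bytes, expected {expected_len}")
    if is_erased(data):
        print(f"warning: {src} is all FF (erased block)", file=sys.stderr)
    with open(dst, "wb") as fh:
        return fh.write(swap32(data))


if __name__ == "__main__":
    # Constructed sample: two words as they would sit in a big-endian dump.
    sample = bytes.fromhex("12345678" "9abcdef0")
    print(swap32(sample).hex())
    if len(sys.argv) == 3:   # same argument order as the byteswap command above
        convert_file(sys.argv[1], sys.argv[2])
```

Running the swap a second time restores the original file, so the same function converts an edited dump back before it is written to FLASH.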
UrJTAG
UrJTAG is a powerful tool for accessing the CPU, FLASH, and RAM over the JTAG interface.
Download and build the latest version of the UrJTAG utility
    debian:/home/pudeev/Desktop# svn co https://urjtag.svn.sourceforge.net/svnroot/urjtag urjtag
    . . .
    Checked out revision 1417.
    debian:/# cd urjtag/trunk/jtag
    debian:/home/pudeev/Desktop/urjtag/trunk/jtag# ./autogen.sh
    debian:/home/pudeev/Desktop/urjtag/trunk/jtag# ./configure
    debian:/home/pudeev/Desktop/urjtag/trunk/jtag# make
    debian:/home/pudeev/Desktop/urjtag/trunk/jtag# make install
Starting UrJTAG 0.9, revision #1417
    debian:/home/pudeev# jtag
    UrJTAG 0.9 #1417
    Copyright (C) 2002, 2003 ETC s.r.o.
    Copyright (C) 2007, 2008 Kolja Waschk and the respective authors
    UrJTAG is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    There is absolutely no warranty for UrJTAG.
    WARNING: UrJTAG may damage your hardware!
    Type "quit" to exit, "help" for help.
    jtag>
List of all available commands
    jtag> help
    Command list:
    quit          exit and terminate this session
    help          display this help
    frequency     setup JTAG frequency
    cable         select JTAG cable
    reset         reset JTAG chain
    discovery     discovery of unknown parts in the JTAG chain
    idcode        Read IDCODEs of all parts in a JTAG chain
    detect        detect parts on the JTAG chain
    signal        define new signal for a part
    scan          read BSR and show changes since last scan
    salias        define an alias for a signal
    bit           define new BSR bit
    register      define new data register for a part
    initbus       initialize bus driver for active part
    print         display JTAG chain list/status
    part          change active part for current JTAG chain
    bus           change active bus
    instruction   change active instruction for a part or declare new instruction
    shift         shift data/instruction registers through JTAG chain
    dr            display active data register for a part
    get           get external signal value
    test          test external signal value
    shell         shell cmmd
    set           set external signal value
    endian        set/print endianess
    peek          read a single word
    poke          write a single word
    readmem       read content of the memory and write it to file
    writemem      write content of file to the memory
    detectflash   detect parameters of flash chips attached to a part
    flashmem      burn flash memory with data from a file
    eraseflash    erase flash memory by number of blocks
    script        run command sequence from external file
    include       include command sequence from external repository
    addpart       manually adds parts on the JTAG chain
    usleep        Sleep some number of microseconds
    debug         debug jtag program
    Type "help COMMAND" for details about a particular command.
Help for any command. For example,
    jtag> help idcode
    Usage: idcode [BYTES]
    Read [BYTES]|all IDCODEs of all parts in a JTAG chain.
    BYTES must be an unsigned integer, Use 0 for BYTES to read all bytes
    jtag> help detectflash
    Usage: detectflash ADDRESS
    Detect flash memory type connected to a part.
    ADDRESS Base address for memory region
Initializing the parallel port to which the DLC5 cable is connected
    jtag> cable DLC5 parallel 0x378
    Initializing parallel port at 0x378
Detecting the processor type
    jtag> detect
    IR length: 5
    Chain length: 1
    Device Id: 00000110001101001000000101111111 (0x000000000634817F)
      Manufacturer: Broadcom
      Unknown part!
    chain.c(149) Part 0 without active instruction
    chain.c(200) Part 0 without active instruction
    chain.c(149) Part 0 without active instruction
    jtag>
I created the configuration files and added information about the CPU 0x000000000634817F
    debian:/# cat /usr/local/share/urjtag/broadcom/PARTS
    #
    # $Id: PARTS 1399 2008-12-09 21:21:04Z kawk $
    #
    # Copyright (C) 2003 ETC s.r.o.
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
    # 02111-1307, USA.
    #
    # Written by Matan Ziv-Av <matan@svgalib.org>, 2003.
    #
    # bits 27-12 of the Device Identification Register
    0001001001010000    bcm1250     BCM1250
    0011001100010000    bcm3310     BCM3310
    0101010000100001    bcm5421s    BCM5421S
    0100011100010010    bcm4712     BCM4712
    0110001101011000    bcm6358     BCM6358
    0110001101001000    bcm6348     BCM6348
    0110001101000101    bcm6345     BCM6345
    0110001100111000    bcm6338     BCM6338
    debian:/# mkdir /usr/local/share/urjtag/broadcom/bcm6348
    debian:/# touch /usr/local/share/urjtag/broadcom/bcm6348/STEPPINGS
    debian:/# cat /usr/local/share/urjtag/broadcom/bcm6348/STEPPINGS
    #
    # $Id: STEPPINGS 599 2004-06-13 18:16:43Z telka $
    #
    # Copyright (C) 2004 Alan Wallace <aww@adelphia.net>
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
    # 02111-1307, USA.
    #
    # Written by Alan Wallace <aww@adelphia.net>, 2004.
    #
    # bits 31-28 of the Device Identification Register
    0000    bcm6348    Rev 1
    debian:/# touch /usr/local/share/urjtag/broadcom/bcm6348/bcm6348
    debian:/# cat /usr/local/share/urjtag/broadcom/bcm6348/bcm6348
    #
    # $Id: bcm6348 2008-05-12 16:55:43 pudeev.livejournal.com $
    #
    # JTAG declarations for Broadcom BCM6348
    # Copyright (C) 2004 Alan Wallace <aww@adelphia.net>
    register BR 1
    register BSR 480
    register DIR 32
    register EJIMPCODE 32
    register EJADDRESS 32
    register EJDATA 32
    register EJCONTROL 32
    register EJALL 96
    register EJFASTDATA 1
    instruction length 5
    instruction EXTEST 00000 BSR
    instruction BYPASS 11111 BR
    instruction SAMPLE/PRELOAD 00010 BSR
    instruction IDCODE 00001 DIR
    instruction EJTAG_IMPCODE 00011 EJIMPCODE
    instruction EJTAG_ADDRESS 01000 EJADDRESS
    instruction EJTAG_DATA 01001 EJDATA
    instruction EJTAG_CONTROL 01010 EJCONTROL
    instruction EJTAG_ALL 01011 EJALL
    instruction EJTAGBOOT 01100 BR
    instruction NORMALBOOT 01101 BR
    instruction EJTAG_FASTDATA 01110 EJFASTDATA
    endian big
    # initbus ejtag_dma
    # initbus ejtag
The processor type is now detected correctly
    jtag> detect
    IR length: 5
    Chain length: 1
    Device Id: 00000110001101001000000101111111 (0x000000000634817F)
      Manufacturer: Broadcom
      Part(0): BCM6348
      Stepping: Rev 1
      Filename: /usr/local/share/urjtag/broadcom/bcm6348/bcm6348
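How the Device Id maps onto the PARTS and STEPPINGS entries, as an added example that is not UrJTAG's own code: it splits the 32-bit IDCODE into the bit fields those files name and looks them up in tables copied from the listings on this page. The function and class names are hypothetical; the manufacturer field in bits 11-1 and the always-1 bit 0 follow the standard IEEE 1149.1 IDCODE layout.

```python
"""Added example: decode a JTAG IDCODE into the fields PARTS/STEPPINGS key on."""
from typing import NamedTuple, Optional

# bits 27-12 -> part name, copied from the broadcom/PARTS listing on this page
PARTS = {
    "0001001001010000": "bcm1250",
    "0011001100010000": "bcm3310",
    "0101010000100001": "bcm5421s",
    "0100011100010010": "bcm4712",
    "0110001101011000": "bcm6358",
    "0110001101001000": "bcm6348",
    "0110001101000101": "bcm6345",
    "0110001100111000": "bcm6338",
}
# bits 31-28 -> stepping, copied from the bcm6348/STEPPINGS listing on this page
STEPPINGS = {"bcm6348": {"0000": "Rev 1"}}
# bits 11-1 -> manufacturer; the name is what "detect" printed for this value
MANUFACTURERS = {"00010111111": "Broadcom"}


class IdCode(NamedTuple):
    stepping_bits: str            # bits 31-28
    part_bits: str                # bits 27-12
    manufacturer_bits: str        # bits 11-1
    manufacturer: Optional[str]
    part: Optional[str]
    stepping: Optional[str]


def decode_idcode(value: int) -> IdCode:
    """Split a 32-bit IDCODE into its fields and look each one up."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("IDCODE is a 32-bit register")
    if not value & 1:
        # IEEE 1149.1: bit 0 of IDCODE is 1; a 0 is the BYPASS register instead.
        raise ValueError("bit 0 is 0: this is not an IDCODE")
    bits = format(value, "032b")          # bits[0] is bit 31
    step, part_bits, mfr = bits[0:4], bits[4:20], bits[20:31]
    part = PARTS.get(part_bits)
    stepping = STEPPINGS.get(part, {}).get(step) if part else None
    return IdCode(step, part_bits, mfr, MANUFACTURERS.get(mfr), part, stepping)


def describe(value: int) -> str:
    """Render the result roughly the way the detect output above reads."""
    d = decode_idcode(value)
    mfr = d.manufacturer or f"unknown ({d.manufacturer_bits})"
    lines = [f"Device Id: {value:032b} (0x{value:08X})", f"  Manufacturer: {mfr}"]
    if d.part is None:
        lines.append(f"  Unknown part! (bits 27-12 = {d.part_bits})")
    else:
        stepping = d.stepping or f"unknown ({d.stepping_bits})"
        lines += [f"  Part: {d.part.upper()}", f"  Stepping: {stepping}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(0x0634817F))   # the Device Id read from the BCM6348 above
```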
Let's scan all data register (DR) values in the Test Access Port (TAP), with an instruction register (IR) length of 5 bits
    jtag> discovery
    Detecting IR length ... 5
    Detecting DR length for IR 11111 ... 1
    Detecting DR length for IR 00000 ... 480
    Detecting DR length for IR 00001 ... 32
    Detecting DR length for IR 00010 ... 480
    Detecting DR length for IR 00011 ... 32
    Detecting DR length for IR 00100 ... 1
    Detecting DR length for IR 00101 ... Warning: TDO seems to be stuck at 0
    -1
    Detecting DR length for IR 00110 ... Warning: TDO seems to be stuck at 0
    -1
    Detecting DR length for IR 00111 ... 1
    Detecting DR length for IR 01000 ... 32
    Detecting DR length for IR 01001 ... 32
    Detecting DR length for IR 01010 ... 32
    Detecting DR length for IR 01011 ... 96
    Detecting DR length for IR 01100 ... 1
    Detecting DR length for IR 01101 ... 1
    Detecting DR length for IR 01110 ... 1
    Detecting DR length for IR 01111 ... 1
    Detecting DR length for IR 10000 ... Warning: TDO seems to be stuck at 0
    -1
    Detecting DR length for IR 10001 ... 1
    Detecting DR length for IR 10010 ... 1
    Detecting DR length for IR 10011 ... 1
    Detecting DR length for IR 10100 ... 1
    Detecting DR length for IR 10101 ... 1
    Detecting DR length for IR 10110 ... 1
    Detecting DR length for IR 10111 ... 1
    Detecting DR length for IR 11000 ... 1
    Detecting DR length for IR 11001 ... 1
    Detecting DR length for IR 11010 ... 1
    Detecting DR length for IR 11011 ... 1
    Detecting DR length for IR 11100 ... 1
    Detecting DR length for IR 11101 ... 1
    Detecting DR length for IR 11110 ... 1
The same, but with the TAP controller reset (applying +3.3 V through a 100 Ohm resistor to TRST)
    jtag> discovery
    Detecting IR length ... 5
    Detecting DR length for IR 11111 ... 1
    Detecting DR length for IR 00000 ... 480
    Detecting DR length for IR 00001 ... 32
    Detecting DR length for IR 00010 ... 480
    Detecting DR length for IR 00011 ... 32
    Detecting DR length for IR 00100 ... 1
    Detecting DR length for IR 00101 ... 1
    Detecting DR length for IR 00110 ... 1
    Detecting DR length for IR 00111 ... 1
    Detecting DR length for IR 01000 ... 32
    Detecting DR length for IR 01001 ... 32
    Detecting DR length for IR 01010 ... 32
    Detecting DR length for IR 01011 ... 96
    Detecting DR length for IR 01100 ... 1
    Detecting DR length for IR 01101 ... 1
    Detecting DR length for IR 01110 ... 1
    Detecting DR length for IR 01111 ... 1
    Detecting DR length for IR 10000 ... Warning: TDO seems to be stuck at 0
    -1
    Detecting DR length for IR 10001 ... 1
    Detecting DR length for IR 10010 ... 1
    Detecting DR length for IR 10011 ... 1
    Detecting DR length for IR 10100 ... 1
    Detecting DR length for IR 10101 ... 1
    Detecting DR length for IR 10110 ... 1
    Detecting DR length for IR 10111 ... 1
    Detecting DR length for IR 11000 ... 1
    Detecting DR length for IR 11001 ... 1
    Detecting DR length for IR 11010 ... 1
    Detecting DR length for IR 11011 ... 1
    Detecting DR length for IR 11100 ... 1
    Detecting DR length for IR 11101 ... 1
    Detecting DR length for IR 11110 ... 1
Initializing the bus in DMA (Direct Memory Access) mode for direct access to FLASH memory without involving the CPU
    jtag> initbus ejtag_dma
    ImpCode=00000000100000000000100100000100
    EJTAG version: <= 2.0
    EJTAG Implementation flags: R4k DMA MIPS32
    Clear memory protection bit in DCR
    Clear Watchdog
    Potential flash base address: [0x0], [0x3fc00000]
    Processor successfully switched in debug mode.
    jtag> print
     No. Manufacturer   Part      Stepping   Instruction     Register
    -------------------------------------------------------------------------------------------------------------------
       0 Broadcom       BCM6348   Rev 1      EJTAG_CONTROL   EJCONTROL
    Active bus:
    *0: EJTAG compatible bus driver via DMA (JTAG part No. 0)
        start: 0x00000000, length: 0x1E000000, data width: 32 bit, (USEG : User addresses)
        start: 0x1E000000, length: 0x02000000, data width: 16 bit, (FLASH : Addresses in flash (boot=0x1FC000000))
        start: 0x20000000, length: 0x60000000, data width: 32 bit, (USEG : User addresses)
        start: 0x80000000, length: 0x20000000, data width: 32 bit, (KSEG0: Kernel Unmapped Cached)
        start: 0xA0000000, length: 0x20000000, data width: 32 bit, (KSEG1: Kernel Unmapped Uncached)
        start: 0xC0000000, length: 0x20000000, data width: 32 bit, (SSEG : Supervisor Mapped)
        start: 0xE0000000, length: 0x20000000, data width: 32 bit, (KSEG3: Kernel Mapped)
    jtag> readmem 0x1fc00000 0x00002000 test.bin
    address: 0x1FC00000
    length: 0x00002000
    reading:
    addr: 0x1FC02000
    Done.
    jtag>
Or initializing the bus in PrAcc (Processor Access) mode for access to FLASH memory through the processor's internal memory (reading data in this mode is slow, roughly 4096 bytes per 25 s)
    jtag> initbus ejtag
     No. Manufacturer   Part      Stepping   Instruction     Register
    -------------------------------------------------------------------------------------------------------------------
       0 Broadcom       BCM6348   Rev 1      EJTAG_DATA      EJDATA
    Active bus:
    *0: EJTAG compatible bus driver via PrAcc (JTAG part No. 0)
        start: 0x00000000, length: 0x20000000, data width: 8 bit
        start: 0x20000000, length: 0x20000000, data width: 16 bit
        start: 0x40000000, length: 0x20000000, data width: 32 bit
    jtag> readmem 0x1fc00000 0x00400000 wholeflash.bin
    address: 0x1FC00000
    length: 0x00400000
    reading:
    addr: 0x20000000
    Done.
Update to revision #1430 (update 10/02/2009):
    debian:/home/pudeev/Desktop/urjtag# svn up
    ...
    ...
    ...
    Updated to revision 1430.
    debian:/# cd urjtag/trunk/jtag
    debian:/home/pudeev/Desktop/urjtag/trunk/jtag# ./autogen.sh
    debian:/home/pudeev/Desktop/urjtag/trunk/jtag# ./configure
    debian:/home/pudeev/Desktop/urjtag/trunk/jtag# make
    debian:/home/pudeev/Desktop/urjtag/trunk/jtag# make install
Any information about operating the device over the JTAG interface is welcome!
Contents:
Part I. Description, technical specifications
Part II. Connecting the console cable
Part III. Boot Loader, Linux 2.6.8.1 OS, and the BusyBox 1.0 shell
Part IV. Built the first test firmware
Part V. The process of building/unpacking and updating the firmware
Part VI. Connecting the JTAG cable