Кому нибудь удалось подключиться через jtag к миб , как вычитать флеш без выпайки флешки?

JTAG to where, the J5 or the MMX module (Tegra 2/3) ?

any jtag to read write flash

In MIB there are three flashes.
One is near the J5 - the IPL is in that flash.
The other two are near T20/30 on the MMX board. One is for the efs-system, efs-persist, qb_recovery and qb_primary the other is for app and navi data.
Unfortunately there is little to no info about that board. I know that its nVidia Tegra VCM (Visual Computing Module)
Do anyone have have bsdl for T20/T30.

i need jtag j5 to read s29gl512 , do you know what jtag tool support this board ?

Does anyone have photos of the MIB board(s) ?

If you need J5 Ext.Flash I can send you.But you will need to modify the HW Coding block to match your unit,otherwise unit will fail to flash.
Also SWAP certificates will needed to be transfered.

MIB2 MMX Board JTAG pins:
68695

1 TDI
2 TCK
3
4 GND
5
6 TMS
7 TDO
8 VTref

With help of TegraRCM ( https://turbo-quattro.com/showthread.php?31492-MMX-restore-HELP&p=642068&viewfull=1#post642068 ) in UNIX system you need to load alternative bootloader and BCT file for Tegra 30, for example q-boot, because in own bootloader JTAG debugging is disabled. Use command: sudo tegrarcm -- bct mmx.bct -- booloader qboot.bin --loadaddr 0x84000000 (qboot.bin your own bootloader, mmx.bct your cutoff of MMX dump in 0 to 17EF adresses)

qboot.bin https://yadi.sk/d/YrR4ZywIGi3BQQ
mmx.bct https://yadi.sk/d/_Xbre2kQ4HQi8A

After booting qboot and BCT don't reboot MIB.

IN JTAG setting select Cortex-a9, Flash Memory Spansion S29GL512S, base address: 4800 0000

68696
68697
68698
68699
68700

Connecting to target via JTAG
TotalIRLen = 8, IRPrint = 0x0011
JTAG chain detection found 2 devices:
#0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
#1 Id: 0x4F1F0F0F, IRLen: 04, ARM7TDMI-S Core
Scanning AP map to find all available APs
AP[3]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x44770001)
AP[1]: APB-AP (IDR: 0x24770002)
AP[2]: JTAG-AP (IDR: 0x14760010)
Iterating through AP map to find APB-AP to use
AP[0]: Skipped. Not an APB-AP
AP[1]: APB-AP found
ROMTbl[0][0]: CompAddr: 80001000 CID: B105900D, PID:04-003BB907 ETB
ROMTbl[0][1]: CompAddr: 80002000 CID: B105900D, PID:04-003BB906 CTI
ROMTbl[0][2]: CompAddr: 80003000 CID: B105900D, PID:04-004BB912 TPIU
ROMTbl[0][3]: CompAddr: 80004000 CID: B105900D, PID:04-001BB908 CSTF
ROMTbl[0][4]: CompAddr: 80005000 CID: B105900D, PID:04-002BB913 ITM
ROMTbl[0][5]: CompAddr: 80006000 CID: B105900D, PID:04-002BB914 SWO
ROMTbl[0][6]: CompAddr: 80020000 CID: B105100D, PID:04-000BB4A9 ROM Table
ROMTbl[1][0]: CompAddr: 80030000 CID: B105900D, PID:04-000BBC09 Cortex-A9
Found Cortex-A9 r2p9
6 code breakpoints, 4 data breakpoints
Debug architecture ARMv7.0
Data endian: little
Main ID register: 0x412FC099
I-Cache L1: 32 KB, 256 Sets, 32 Bytes/Line, 4-Way
D-Cache L1: 32 KB, 256 Sets, 32 Bytes/Line, 4-Way
System control register:
Instruction endian: little
Level-1 instruction cache enabled
Level-1 data cache enabled
MMU enabled
Branch prediction enabled
Memory zones:
[0]: Default (Default access mode)
[1]: AHB-AP (AP0) (DMA like acc. in AP0 addr. space)
[2]: APB-AP (AP1) (DMA like acc. in AP1 addr. space)
Cortex-A9 identified.
J-Link>

How connect jtag to Technisat???

thanks @
aleka (https://turbo-quattro.com/member.php?10396-aleka) great work can you also post RCC board JTAG ?

thanks @
aleka (https://turbo-quattro.com/member.php?10396-aleka) great work can you also post RCC board JTAG ?


I don't know RCC JTAG pins, but it not need, if you have working MMX Emergency tool.

How connect jtag to Technisat???

as i know TSD Jtag is LOCKED

Could you open in the emergency menu.

Could you open in the emergency menu.

yes but then you just get message "device is now broken" :-) , nothing more.

It's not true.

Thanks for the pinout for Tegra @aleka (https://turbo-quattro.com/member.php?10396-aleka)
Does anybody know how to connect MIB2 Delphi via JTag?

Hi aleka,

I managed to kill RCC and MMX on my MIB2.5 HIGH unit (Skoda Columbus).
MMX emergency boot is dead.
RCC still accessible, however no SD/CD/USB can be mounted.

I saw your solution get MMX back.
I also saw a discussion (somewhere else) talking about an emergency button on the bottom of the unit to boot into some kind of emergency mode.
I could locate this button on the PCB.
69050
Currently waiting to get the USB dapter to check what's happening (did not want to solder to the unit).

Is this solution similar to yours?

BR

Hi. No, i think without JTAG adapter you can not repair MMX flash.

I will test this other solution 1st.
By pressing this button during turning the unit on for 10s you are supposed to get into an emergency mode via the USB interface.
Using nvflash you are supposed to able to flash MMX as well ??????.

Just in case I will also get a JTAG.

Luckily I have a backup of my MMX.
In that case I have to create my own cutoff of MMX dump in 0 to 17EF adresses, right?

The file you provided is just in case I do not have anything, right?
But qboot.bin I would take the one you provided?

Try any variant, you do not make it worse than now

I agree, on the software side.
However, I could still shorten or damage the hardware.

Killing RRC and MMX was not that smart...

I could extract the BCT from my MMX dump.
How do I get my qboot.bin, is it also a part of the MMX dump?

Flasing via JTAG starting from base address: 4800 0000.
Do I flash the full MMX dump or do I have to cut the BCT off?

Thanks a lot again!

qboot seems to be located between 60000 - 70D00

Start and end as well as the middle part of that part of the MMX are very similar to the qboot.bin you provided.

A0000 -> qb_recovery.img 262144


120000 -> qb_primary.img 262144


760000 -> mifs-stage1.img 3145728


A60000 -> mifs-stage2.img 48234496


160000 -> eifs.img 6291456


0x03600000 -> efs-system.img 2097152


0x03800000 -> efs-persist.img

Some of my notes.

760000 -> mifs-stage1.img 3145728 need some modifications :)

760000 -> mifs-stage1.img 3145728 need some modifications :)

What do you mean by this?

I'm manly looking for a way to recover my unit with a broken MMX image.

What do you mean by this?

I'm manly looking for a way to recover my unit with a broken MMX image.

Write me pm.

Header of the image should contain the word "ANDROID!"
If you use dump from unit then it will be there.
If you use image from software SD then you will need to edit it before use.
Check the first 8 bytes.
They should be "41 4E 44 52 4F 49 44 21". On stock image they are "41 ff 44 ff 4f ff 44 ff".
That's it.

@aleka (https://turbo-quattro.com/member.php?10396-aleka)

I tried to follow your steps and got close.
But something is not working...

Do you have an idea?

JTAG connection points:
69211
J-Link pinout:
69212



JTAG Pin
Function
J-Link Pin


1
TDI
5


2
TCK
9


4
GND
4


6
TMS
7


7
TDO
13


8
Vref
1






tegrarcm command:
69202



sudo tegrarcm --bct original.bct --bootloader qboot.bin --loadaddr 0x84000000
bct file: original.bct
bootloader file: qboot.bin
load addr 0x84000000
entry addr 0x84000000
device id: 0x7030
uid: 0x015ced07b70ffe12
RCM version: 3.1
downloading miniloader to target at address 0x4000a000 (128916 bytes)...
miniloader downloaded successfully
Chip UID: 0x0000000000000000015ced07b70ffe12
Chip ID: 0x30
Chip ID Major Version: 0x1
Chip ID Minor Version: 0x3
Chip SKU: 0x90 (t30)
Boot ROM Version: 0x1
Boot Device: 0x6 (SNOR)
Operating Mode: 0x3 (developer mode)
Device Config Strap: 0x0
Device Config Fuse: 0x0
SDRAM Config Strap: 0x2
sending file: original.bct
- 6128/6128 bytes sent
original.bct sent successfully
sending file: qboot.bin
\ 68648/68648 bytes sent
qboot.bin sent successfully


I tried your BCT file and the one I extracted from my own MMX dump.
Same Result in both cases.

After sending the tegrarcm command, I leave the unit untouched (ON) running on 12V.

J-Flash V6.84 output when I try to connect:
69203



Connecting ...
- Connecting via USB to probe/ programmer device 0
- Probe/ Programmer firmware: J-Link V11 compiled Jul 17 2020 16:24:07
- Device "CORTEX-A9" selected.
- TotalIRLen = 8, IRPrint = 0x0011
- JTAG chain detection found 2 devices:
- #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
- #1 Id: 0x4F1F0F0F, IRLen: 04, ARM7TDMI-S Core
- Scanning AP map to find all available APs
- AP[3]: Stopped AP scan as end of AP map has been reached
- AP[0]: AHB-AP (IDR: 0x44770001)
- AP[1]: APB-AP (IDR: 0x24770002)
- AP[2]: JTAG-AP (IDR: 0x14760010)
- Iterating through AP map to find APB-AP to use
- AP[0]: Skipped. Not an APB-AP
- AP[1]: APB-AP found
- ROMTbl[0][0]: CompAddr: 80001000 CID: B105900D, PID:04-003BB907 ETB
- ROMTbl[0][1]: CompAddr: 80002000 CID: B105900D, PID:04-003BB906 CTI
- ROMTbl[0][2]: CompAddr: 80003000 CID: B105900D, PID:04-004BB912 TPIU
- ROMTbl[0][3]: CompAddr: 80004000 CID: B105900D, PID:04-001BB908 CSTF
- ROMTbl[0][4]: CompAddr: 80005000 CID: B105900D, PID:04-002BB913 ITM
- ROMTbl[0][5]: CompAddr: 80006000 CID: B105900D, PID:04-002BB914 SWO
- ROMTbl[0][6]: CompAddr: 80020000 CID: 20323232, PID:00-00000000 ???
- TotalIRLen = 8, IRPrint = 0x0011
- JTAG chain detection found 2 devices:
- #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
- #1 Id: 0x4F1F0F0F, IRLen: 04, ARM7TDMI-S Core
- ERROR: Cortex-A/R-JTAG (connect): Could not determine address of core debug registers. Incorrect CoreSight ROM table in device?
- Target interface speed: 1000 kHz (Auto)
- VTarget = 1.812V
- TotalIRLen = 8, IRPrint = 0x0011




J-Flash settings:
69204
69205
69206
69207
69208
69209
69210

In flash device info (9 pic) uncheck Automatically detect flash memory and manually chose Spansion S29GL512S, base address: 4800 0000 (tel:4800 0000)

Sorry, for missing this!

I changed the settings, however situation is exactly the same.

69213

During testing I just booted the unit (no tegrarcm and hidden button).
In this state I can connect via JTAG!

Just trying to read a part of the flash 48000000 - 49000000.
The whole flash does not work due to reboot of the unit after ~3 minutes.

You can not write full flash due reboot, but first part of mmx dump have Emergency tool. Due the Emergency tool you can write whole flash.

Which hex range from the Original MMX dump would this be?

Which hex range from the Original MMX dump would this be?
I don’t remember and my laptop not with me now, but it seems to me it located at beginning position of MMX dump.

// qb_recovery.img 0xA0000
// qb_primary.img 0x120000
// eifs.img 0x600000

Still stuck with the situation mentioned above.

69214

ROM Table and Corex-9 are missing in the ROM Table.

HI,
HOW TO PAUSE restart (WATCHDOG) AFTER 2 MINUTES
THANKS A LOT

This does not work?
https://cartechnology.co.uk/showthread.php?tid=68918&pid=566411#pid566411

Regards.

No, the solution was for MIB1.
I tried to follow a similar way on my MIB2, but git stuck. I think the NVFlash Version I got is still not the right one.

Are these BCT files uniqe for each MMX board ?? or are the working if it is same FW on other MMX board ?

BCT is specific for board model.

thanks congo, i am stuck in EFU red menu flash is damaged , JTAG can't connect, and i have no backup :-( , so only way is to desolder and read SGL ?

@aleka (https://turbo-quattro.com/member.php?10396-aleka)

I'm still stuck with the issue:
69214

Any ideas?

i tested tegrarcm uploaded BCT and qboot works, connection for JTAG is then unlocked and working it start to read SGL512 but the unit reboots after 1min :cower: so i cant read or write the flash.

How far gone is your MMX?

Mine is completly dead and I do not have success with the qboot and BCT I extracted from my MMX backup.

Could you share your setting or compare with mine I postet earlier?

mine is also completly dead i flashed the QB_primary and QB_Recovery to the adresses which was posted here in this thread, after it shows stage2 bootloader failed to load.

Using nvflash you are supposed to able to flash MMX as well ������.

with nvflash it should be possible to flash the NOR then no Jtag is need , ;-)

This does not work?
https://cartechnology.co.uk/showthread.php?tid=68918&pid=566411#pid566411

Regards.

Somebody can explain how to restart or pause watchdog in MIB1? or copy here, I dont have acess to this link... :-(

reading is working fine , but i never could write it , i think there maybe must set TRST low maybe

Somebody can explain how to restart or pause watchdog in MIB1? or copy here, I dont have acess to this link... :-(

Info: for Mib1, after login in emergency mode you must execute "slay -9 MIBEmergency" and it stop reboot and counter.

You can not write full flash due reboot, but first part of mmx dump have Emergency tool. Due the Emergency tool you can write whole flash.

Hi @aleka , Do you now if is possible to flash eifs.img from emergency mode?. (MIB1 MHIG)
I have full time access to emergency by Uart but i dont know telnet passwd. The unit have some problems and I try to repair it reflashing.

A0000 -> qb_recovery.img 262144


120000 -> qb_primary.img 262144


760000 -> mifs-stage1.img 3145728


A60000 -> mifs-stage2.img 48234496


160000 -> eifs.img 6291456


0x03600000 -> efs-system.img 2097152


0x03800000 -> efs-persist.img

Some of my notes.
Only to correct this, if "A60000 -> mifs-stage2.img 48234496" it is long to 0x0385FFFF therefore overwrites 0x03600000 -> efs-system.img 2097152 and 0x03800000 -> efs-persist.img, My correction is:

120000 -> qb_primary.img 262144


760000 -> mifs-stage1.img 3145728


A60000 -> mifs-stage2.img 48234496


160000 -> eifs.img 6291456


0x03A40000 -> efs-system.img 2097152


0x03EC0000 -> efs-persist.img