MIB JITAG

[ImDarius]

Кому нибудь удалось подключиться через jtag к миб , как вычитать флеш без выпайки флешки?

[congo]

JTAG to where, the J5 or the MMX module (Tegra 2/3) ?

[ImDarius]

any jtag to read write flash

[congo]

In MIB there are three flashes.
One is near the J5 - the IPL is in that flash.
The other two are near T20/30 on the MMX board. One is for the efs-system, efs-persist, qb_recovery and qb_primary the other is for app and navi data.
Unfortunately there is little to no info about that board. I know that its nVidia Tegra VCM (Visual Computing Module)
Do anyone have have bsdl for T20/T30.

[ImDarius]

i need jtag j5 to read s29gl512 , do you know what jtag tool support this board ?

[simaservis1108]

If you need J5 Ext.Flash I can send you.But you will need to modify the HW Coding block to match your unit,otherwise unit will fail to flash.
Also SWAP certificates will needed to be transfered.

[aleka]

MIB2 MMX Board JTAG pins:
JTAG_pinout.jpg

1 TDI
2 TCK
3
4 GND
5
6 TMS
7 TDO
8 VTref

With help of TegraRCM ( https://turbo-quattro.com/showthread...l=1#post642068 ) in UNIX system you need to load alternative bootloader and BCT file for Tegra 30, for example q-boot, because in own bootloader JTAG debugging is disabled. Use command: sudo tegrarcm -- bct mmx.bct -- booloader qboot.bin --loadaddr 0x84000000 (qboot.bin your own bootloader, mmx.bct your cutoff of MMX dump in 0 to 17EF adresses)

qboot.bin https://yadi.sk/d/YrR4ZywIGi3BQQ
mmx.bct https://yadi.sk/d/_Xbre2kQ4HQi8A

After booting qboot and BCT don't reboot MIB.

IN JTAG setting select Cortex-a9, Flash Memory Spansion S29GL512S, base address: 4800 0000

1.jpg
2.jpg
3.jpg
4.jpg
5.jpg

Connecting to target via JTAG
TotalIRLen = 8, IRPrint = 0x0011
JTAG chain detection found 2 devices:
#0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
#1 Id: 0x4F1F0F0F, IRLen: 04, ARM7TDMI-S Core
Scanning AP map to find all available APs
AP[3]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x44770001)
AP[1]: APB-AP (IDR: 0x24770002)
AP[2]: JTAG-AP (IDR: 0x14760010)
Iterating through AP map to find APB-AP to use
AP[0]: Skipped. Not an APB-AP
AP[1]: APB-AP found
ROMTbl[0][0]: CompAddr: 80001000 CID: B105900D, PID:04-003BB907 ETB
ROMTbl[0][1]: CompAddr: 80002000 CID: B105900D, PID:04-003BB906 CTI
ROMTbl[0][2]: CompAddr: 80003000 CID: B105900D, PID:04-004BB912 TPIU
ROMTbl[0][3]: CompAddr: 80004000 CID: B105900D, PID:04-001BB908 CSTF
ROMTbl[0][4]: CompAddr: 80005000 CID: B105900D, PID:04-002BB913 ITM
ROMTbl[0][5]: CompAddr: 80006000 CID: B105900D, PID:04-002BB914 SWO
ROMTbl[0][6]: CompAddr: 80020000 CID: B105100D, PID:04-000BB4A9 ROM Table
ROMTbl[1][0]: CompAddr: 80030000 CID: B105900D, PID:04-000BBC09 Cortex-A9
Found Cortex-A9 r2p9
6 code breakpoints, 4 data breakpoints
Debug architecture ARMv7.0
Data endian: little
Main ID register: 0x412FC099
I-Cache L1: 32 KB, 256 Sets, 32 Bytes/Line, 4-Way
D-Cache L1: 32 KB, 256 Sets, 32 Bytes/Line, 4-Way
System control register:
Instruction endian: little
Level-1 instruction cache enabled
Level-1 data cache enabled
MMU enabled
Branch prediction enabled
Memory zones:
[0]: Default (Default access mode)
[1]: AHB-AP (AP0) (DMA like acc. in AP0 addr. space)
[2]: APB-AP (AP1) (DMA like acc. in AP1 addr. space)
Cortex-A9 identified.
J-Link>

[TT-2016]

Hi aleka,

I managed to kill RCC and MMX on my MIB2.5 HIGH unit (Skoda Columbus).
MMX emergency boot is dead.
RCC still accessible, however no SD/CD/USB can be mounted.

I saw your solution get MMX back.
I also saw a discussion (somewhere else) talking about an emergency button on the bottom of the unit to boot into some kind of emergency mode.
I could locate this button on the PCB.
IMG_3173_2.jpg
Currently waiting to get the USB dapter to check what's happening (did not want to solder to the unit).

Is this solution similar to yours?

BR

[aleka]

Hi. No, i think without JTAG adapter you can not repair MMX flash.

[hrdinaveliky]

How connect jtag to Technisat???

[chris2011]

How connect jtag to Technisat???

as i know TSD Jtag is LOCKED

[chris2011]

thanks @

aleka great work can you also post RCC board JTAG ?

[aleka]

thanks @

aleka great work can you also post RCC board JTAG ?

I don't know RCC JTAG pins, but it not need, if you have working MMX Emergency tool.

[hrdinaveliky]

Could you open in the emergency menu.

[chris2011]

Could you open in the emergency menu.

yes but then you just get message "device is now broken" :-) , nothing more.

[hrdinaveliky]

It's not true.

[Audianer2]

Thanks for the pinout for Tegra @aleka
Does anybody know how to connect MIB2 Delphi via JTag?

[TT-2016]

I will test this other solution 1st.
By pressing this button during turning the unit on for 10s you are supposed to get into an emergency mode via the USB interface.
Using nvflash you are supposed to able to flash MMX as well ??????.

Just in case I will also get a JTAG.

Luckily I have a backup of my MMX.
In that case I have to create my own cutoff of MMX dump in 0 to 17EF adresses, right?

The file you provided is just in case I do not have anything, right?
But qboot.bin I would take the one you provided?

[aleka]

Try any variant, you do not make it worse than now

[TT-2016]

@aleka

I tried to follow your steps and got close.
But something is not working...

Do you have an idea?

JTAG connection points:
Bild13.jpg
J-Link pinout:
16.png

JTAG Pin	Function	J-Link Pin
1	TDI	5
2	TCK	9
4	GND	4
6	TMS	7
7	TDO	13
8	Vref	1

tegrarcm command:
010.PNG

Код:

sudo tegrarcm --bct original.bct --bootloader qboot.bin --loadaddr 0x84000000
bct file: original.bct
bootloader file: qboot.bin
load addr 0x84000000
entry addr 0x84000000
device id: 0x7030
uid:  0x015ced07b70ffe12
RCM version: 3.1
downloading miniloader to target at address 0x4000a000 (128916 bytes)...
miniloader downloaded successfully
Chip UID:                0x0000000000000000015ced07b70ffe12
Chip ID:                 0x30
Chip ID Major Version:   0x1
Chip ID Minor Version:   0x3
Chip SKU:                0x90 (t30)
Boot ROM Version:        0x1
Boot Device:             0x6 (SNOR)
Operating Mode:          0x3 (developer mode)
Device Config Strap:     0x0
Device Config Fuse:      0x0
SDRAM Config Strap:      0x2
sending file: original.bct
- 6128/6128 bytes sent
original.bct sent successfully
sending file: qboot.bin
\ 68648/68648 bytes sent
qboot.bin sent successfully

I tried your BCT file and the one I extracted from my own MMX dump.
Same Result in both cases.

After sending the tegrarcm command, I leave the unit untouched (ON) running on 12V.

J-Flash V6.84 output when I try to connect:
000.jpg

Код:

Connecting ...
 - Connecting via USB to probe/ programmer device 0
 - Probe/ Programmer firmware: J-Link V11 compiled Jul 17 2020 16:24:07
 - Device "CORTEX-A9" selected.
 - TotalIRLen = 8, IRPrint = 0x0011
 - JTAG chain detection found 2 devices:
 -  #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
 -  #1 Id: 0x4F1F0F0F, IRLen: 04, ARM7TDMI-S Core
 - Scanning AP map to find all available APs
 - AP[3]: Stopped AP scan as end of AP map has been reached
 - AP[0]: AHB-AP (IDR: 0x44770001)
 - AP[1]: APB-AP (IDR: 0x24770002)
 - AP[2]: JTAG-AP (IDR: 0x14760010)
 - Iterating through AP map to find APB-AP to use
 - AP[0]: Skipped. Not an APB-AP
 - AP[1]: APB-AP found
 - ROMTbl[0][0]: CompAddr: 80001000 CID: B105900D, PID:04-003BB907 ETB
 - ROMTbl[0][1]: CompAddr: 80002000 CID: B105900D, PID:04-003BB906 CTI
 - ROMTbl[0][2]: CompAddr: 80003000 CID: B105900D, PID:04-004BB912 TPIU
 - ROMTbl[0][3]: CompAddr: 80004000 CID: B105900D, PID:04-001BB908 CSTF
 - ROMTbl[0][4]: CompAddr: 80005000 CID: B105900D, PID:04-002BB913 ITM
 - ROMTbl[0][5]: CompAddr: 80006000 CID: B105900D, PID:04-002BB914 SWO
 - ROMTbl[0][6]: CompAddr: 80020000 CID: 20323232, PID:00-00000000 ???
 - TotalIRLen = 8, IRPrint = 0x0011
 - JTAG chain detection found 2 devices:
 -  #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
 -  #1 Id: 0x4F1F0F0F, IRLen: 04, ARM7TDMI-S Core
 -  ERROR: Cortex-A/R-JTAG (connect): Could not determine address of core  debug registers. Incorrect CoreSight ROM table in device?
 - Target interface speed: 1000 kHz (Auto)
 - VTarget = 1.812V
 - TotalIRLen = 8, IRPrint = 0x0011

J-Flash settings:
001.PNG
002.PNG
003.PNG
004.PNG
005.PNG
006.PNG
007.PNG