Using JTAG to read/write the flash

theed · Вс апр 06, 2014 1:33 pm

On an earier post in the repair a damaged headunit topic, Totalfree was so kind to reveal the JTAG pinout of the MMI 3G unit.
Pinout side connector, front of unit facing left:
U1............U10
===========
B1............B10

Board connector FT2232 jtag interface
U6= MPMD -> attach to 3.3V+
U7 = TDI -> TDI
U9 = TRST -> Attach to PRESET (B7) - to TRST
U10 = TCK -> TCK
B7 = PRESET -> Attach to TRST (U9) - to TRST
B8 = TMS -> TMS
B9 = TDO -> TDO
B10 = GND -> GND

I have hooked up the unit to a FT2232 JTAG interface according to the scheme above (with trial and error i created the above scheme).
When the unit is powered up TRST (interface) must be connected to ground, in comination with MPMD high the jtag interface becomes active.
When scanning the JTAG chain there is a device answering (so communication over JTAG possible

).
Next thing is to figure out how the flash is connected to the SH7785 by using a bsdl file from reneseas.

Result so far:

UrJTAG 0.10 #1502
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

WARNING: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable ft2232 vid=0403 pid=8A98
Connected to libftd2xx driver.
jtag> detect
IR length: 8
Chain length: 1
Device Id: 00001000000000011111010001000111 (0x000000000801F447)
Unknown manufacturer!
chain.c(149) Part 0 without active instruction
chain.c(200) Part 0 without active instruction
chain.c(149) Part 0 without active instruction
jtag>

Question did anyone have a succesfull JTAG session with the MMI unit, or has some comment or tips?.

theed · Ср апр 09, 2014 4:06 pm

The device ID listed (801F447) is the SH7785 processor of the MMI.
Does anybody know how the flash S29GL512 is connected to the processor, straight or by an FPGA?

theed · Вс апр 20, 2014 12:27 am

Trying the program "Boundry scan tooling v 6.1.0.0, with the sh7785.bsdl file.
The adresses and the datalines are evident to connect in the scan tool.
Does anybody know where to connect the CE_Q, OE_Q, WE_Q, WP_Q, RST_Q and BYTE_Q to on the SH7785?

theed · Пн май 12, 2014 10:37 pm

Finally i have got some sucess with the JTAG port using topjtag flash and the ft2232.
It is possible to read the flash, at this moment i am trying to write the flash.

spinmar · Вт май 13, 2014 10:02 am

Very good!!!

vierchatura · Ср май 21, 2014 9:20 am

theed писал(а):Trying the program "Boundry scan tooling v 6.1.0.0, with the sh7785.bsdl file.
The adresses and the datalines are evident to connect in the scan tool.
Does anybody know where to connect the CE_Q, OE_Q, WE_Q, WP_Q, RST_Q and BYTE_Q to on the SH7785?

Hi

Can you give some details how you could read Flash memory via JTAG

theed · Ср июн 11, 2014 10:49 pm

I have had some little success writing the flash with a other program topjtag flash and the ft2232. With trial and error.
The connection diagram of the first post is correct. The unit needs to be connected to a power source on the main connector on the back.
I downloaded the sh7785 bsdl file from the renesas website. This file has to be altered before it can be used in topjtag flash program.
Change the PRBG0436GA-A string in PRBG0436GA_A then topjtag will accept the file.
The flash array data bus organization is 32bit (1 chip X 32), and the flash is cfi compliant.
I assume the flash are connected parrallel, flashchip 1 holds D0 until D15 and flashchip 2 holds D16 until D31.

The signal pins are connected according to the scheme below:
Flash Pin JTAG device PIN Active
CE W11/ cs0_n Low
OE U11/ rd_n Low
WE W12/ we0_n Low

A0 Y9 / a2
A1 W9 / a3
etc continue until A23 (notice the offset of 2 adress lines A0 and A1 are not used?)
A23 AA1 / a25

The datalines are connected 1 on 1, so
D0 y10/d0
continue
D31 AA20/d31

One flash chip is connected to the CS_0 and WE_0 of the processor, this flash contains the IPL and is readable.
I tried to write to the flash, something strange happens, only the adrespairs 0 1 and 4 5 and 8 9 and C D are written.
So there has to be something with the adress lines, have to figure that out.
Almost there :-)

vierchatura · Чт июн 19, 2014 12:31 am

To theed

if you have ever read Fhash by SDcard and same flashes with programmer you wil know why it is so. There are 2 same Flashes
to first one is written pairs 0 1 and 4 5 and 8 9 total 64MB
to second is written 2 3 and 6 7 and A B total 64MB

So you will 128MB Flash readed by SD Card

theed · Вт июн 24, 2014 9:57 pm

vierchatura писал(а):To theed

if you have ever read Fhash by SDcard and same flashes with programmer you wil know why it is so. There are 2 same Flashes
to first one is written pairs 0 1 and 4 5 and 8 9 total 64MB
to second is written 2 3 and 6 7 and A B total 64MB

So you will 128MB Flash readed by SD Card

Okay, thanks i will try to experiment with the chip and write select lines then.
Flashing will be in two stages then.

when i have success in writing i will inform.

eprst · Вс июл 06, 2014 2:51 pm

You could read completely?

theed · Пн июл 07, 2014 12:09 pm

Yes, reading is no problem at all. Binairy compaired it to the ifs images and it is the same.

eprst · Пн июл 07, 2014 1:07 pm

give medetailed instructions please

Crash-100 · Сб июл 12, 2014 3:54 pm

Pin #WE in two flash is not same.
First flash #WE -W12
second #WE - Y17

theed · Сб окт 04, 2014 12:25 am

today i had success with writing a flash to the unit.
Using topjtag and done in two phases, write one chip at a time (switching to different WE lines).
All thanks to crash-100, for the WE lines and that a24 is connected to W11/cs0_n.

theed · Пн окт 06, 2014 11:36 am

Finally writing to the flash with JTAG is possible.
Topjtagflash does not have the possbility to attach two lines from the flash to one line on the processor.
writing and erasing must be done in two phases, first for #WE -W12 and then for the second #WE-Y17.
This has to be switched in the pin assingnment, in topjtagflash.

The process is quite complex:
1. Erase the sectors to write, with the erase command in the program, for both the flashes
2. Check if the to write area is fully erased (FF)
3. Then load the bin image to write in topjtag flash, and write these in two phases (first W12 then Y17)

The flash is programmed and the binairy compare of the read form the flash is the same as the file.

But a new challenge came up after flasing the images:
I flashes a IPL and the FPGA images and when booting the terminal gives:
could not load FPGA image @80040000: DONE pin low after programming
and
could not load FPGA image @80100000: DONE pin low after programming

In the IPL the newly flashed images are detected by the scan command.
Does anybody know how to correct the error (where is the DONE pin, on the jtag header).

Hoborg · Пн дек 15, 2014 8:12 pm

And is there any chance to copy this two flash to the dead MMI from the working one with programmer i.e. Elnec Beeprog2 ?

Hoborg · Пн дек 15, 2014 8:13 pm

And is there any chance to copy this two flash to the dead MMI from the working one with programmer i.e. Elnec Beeprog2 ?

Crash-100 · Вт дек 16, 2014 11:08 am

Do you know how much it costs adapter for this flash.

Hoborg · Вт дек 16, 2014 6:18 pm

Yes , but I have programer and original adpters and I have a problem with copy this flashes this way.

Crash-100 · Вт дек 16, 2014 6:36 pm

whera you from ?