How to HALT ARM926E CPU for external CFI flash access

Open source ARM Debugger

Moderator: phalanx

Post Reply
Posts: 1
Joined: Thu Jul 19, 2018 11:59 am

How to HALT ARM926E CPU for external CFI flash access

Post by openoli » Thu Jul 19, 2018 12:30 pm

i've recently bought an Olimex ARM-USB-OCD-H JTAG probe to program the external Flash of a Sat-Nav radio.
Prior to the FDTI-JTAG i managed to read the whole Flash with an Segger J-Link EDU and J-Flash software. Unfortunately the software ist limited to read only for this basic probe, so i tried to switch to an opensource one.

The board has an OMAP5948 mediaprocessor from TI, which may be simular to OMAP5912 or OMAP-L137/138, but i really don't know because there is no public information about it. Well, the Segger did'nt know it either, and it simply works by using an generic ARM9 CPU, so i guess it should be doable with the Olimex also ;-)

The processor is connected to an external Flash chip from Spansion called S29GL256N via the OMAP default EMIFS-Interface. In Segger J-Flash i simply add it and it worked right out of the box.

I connected the Olimex and could autoprobe the TAPs. Then i started to create an omap5948.cfg for the Olimex probe, where i added all the TAPs:

Code: Select all

adapter_nsrst_delay 100

# TotalIRLen = 50, IRPrint = 0x001444031F3D81
# JTAG chain contains 3 devices:
#  #0 Id: 0x031F3D81, IRLen: 34, DSP
#  #1 Id: 0x0692602F, IRLen: 04, ARM9TDMI Core
#  #2 Id: 0x00000001, IRLen: 12, Unknown device (ICE)
# CP15.0.0: 0x41069263: ARM, Architecure 5TEJ
# CP15.0.1: 0x1D112152: ICache: 16kB (4*128*32), DCache: 8kB (4*64*32)
# Cache type: Separate, Write-back, Format C (WT supported)
# Adaptive clocking not supported for selected CPU core. Only supported for -S cores.
# Auto JTAG speed: 8000 kHz
# JTAG Id: 0x0692602F  Version: 0x0 Part no: 0x6926 Man. Id: 0017

jtag newtap omap5948 dsp -irlen 34 -expected-id 0x031f3d81
jtag newtap omap5948 arm -irlen 4  -expected-id 0x0692602F
jtag newtap omap5948 ice -irlen 12 -expected-id 0x2008f02f

set _TARGETNAME omap5948.arm
target create $_TARGETNAME arm926ejs -endian little -chain-position $_TARGETNAME

$_TARGETNAME configure -work-area-phys 0x20000000 -work-area-size 0x3e800 -work-area-backup 0

flash bank 0 cfi 0x0 0x1000 2 2 $_TARGETNAME
With it, it is possible to start openocd.exe (yes, i'm doing it under Windows 10 ;-) and to connect to the board, but as soon as i try to use flash commands it claims that the CPU is not halted.

From an other board-script i get this procedure:

Code: Select all

# halt target
sleep 1
which does not work for me. The CPU does not stop using the "halt" command.

Then i tried another one, found for a PEEDI adapter:

Code: Select all

# reset ARM
set cpsr       0x000000D3                   ; set supervisor mode
set pc         0x00000000
set control    0x00050078                   ; CP15 Control : disable caches

# disable ARM9 Watchdog Timer
# convert WD timer into GP timer
mww 0xFFFEC808 0x000000F5
mww 0xFFFEC808 0x000000A0
# stop the watchdog timer
mww 0xFFFEB048 0x0000AAAA
sleep 500
mww 0xFFFEB048 0x00005555
sleep 500
Now, i'm completely lost. What commands must be issued to halt the CPU to gain access to the flash?
Is it possible to get those commands from the Segger Communication? Maybe i could connect both probes as chain, let the Segger try to stop CPU and log at Olimex what JTAG commands it sends? Would this work?

Please, any help is highly appreciated :-)

Post Reply