SparkFun Forums 

Open source ARM Debugger
By jekkos
#141361
I have been working on OpenOCD support for the bcm3349 chipset, found in the Motorola SB5101 cable modem. I want to be able to use it to flash different firmware to the device. Therefore I soldered a JTAG header to the board. I have successfully managed to detect the bcm3349 chipset type using a Bus Pirate as programmer, but up till now the flash memory is not being detected correctly.
Code:
> scan_chain
   TapName             Enabled  IdCode     Expected   IrLen IrCap IrMask
-- ------------------- -------- ---------- ---------- ----- ----- ------
 0 bcm3349.cpu            Y     0x0334917f 0x0334917f     5 0x01  0x03
The flash chip is an Intel TE28F160 that, according to the datasheet ( http://pdf.chinaicmart.com/88889/44107.pdf ), supports CFI. I found the flash start address in the config file of Tom's Jtag Utility, which is commonly used to flash this modem. The size of the chip is 8MB (check http://www.mail-archive.com/openocd-dev ... tagkey.cfg config file where this chip is used). I declared it as follows:
Code:
flash bank cfi 0x9fc00000 0x200000 2 2 0
When probing it through OpenOCD, I get the following error (read abort).
Code:
Flash Manufacturer/Device: 0x00ff 0x00ff
Could not probe bank: no QRY
Try workaround w/0x555 instead of 0x55 to get QRY.
Could not probe bank: no QRY
auto_probe failed
in procedure 'flash'
Excerpt from the datasheet about CFI support, which mentions the 0x98 command. It seems that OpenOCD will execute a single bus sequence with address = 0x55, data = 0x98, which will put the device into CFI query mode.
Code:
The CFI query mode outputs Common Flash Interface (CFI) data after issuing the Read Query
Command (0x98). The CFI data structure contains information such as block size, density,
command set, and electrical specifications. Once in this mode, read cycles from addresses shown in
Appendix C, “Common Flash Interface,” retrieve the specified information. To return to read-array
mode, issue the Read Array command (0xFF).
Also, the config file for Tom's jtag utility contains a couple of instructions to set up the board (architecture is MIPS32). These are the following:
Code:
// watch dog
Init=0xfffe0224,0
// initialize chip set
Init=0xfffe2300,0x1a
Init=0xfffe2304,0
Init=0xfffe2308,0x8040
Init=0xfffe230C,3
Init=0xfffe2310,0x4824
I ported these to the OpenOCD config file as follows:
Code:
  halt
  echo "Disabling watch dog.."
  $_TARGETNAME mww 0xfffe0224 0
  echo "Initializing chipset.."
  $_TARGETNAME mww 0xfffe2300 0x1a
  $_TARGETNAME mww 0xfffe2304 0
  $_TARGETNAME mww 0xfffe2308 0x8040
  $_TARGETNAME mww 0xfffe230C 3
  $_TARGETNAME mww 0xfffe2310 0x4824
Am I using the correct write instruction bit lengths here? Chances are that there is some sort of setup instruction required here to access the flash memory. The weird thing is that the addresses the instructions are written to are not in the range of the RAM or flash memory defined earlier in the file.

The complete config file from Tom's jtag utility is as follows:
Code:
/*
+=====================================================================+
|                            JTAG Utility                             |
|                      (c)2008 ToM - tplewa@o2.pl                     |
|                                                                     |
|			BCM3349 DEFINITION FILE                       |
+=====================================================================+
*/

IRlength=5 
Protocol=ejtag
Endian=big


Ram=0x80000000,0x800000	//Ram=RAM_ADDRESS_START,RAM_SIZE
Flash=0x9fc00000		// Flash=FLASH_ADDRESS_START



//Definition for Motorola SB5001

#Boot loader
MemoryTab=Boot,0x9fc00000,0x8000

#configuration
MemoryTab=cfg,0x9fc08000,0x8000

#first copy of firmware
MemoryTab=Image0,0x9fc10000,0xf0000

#second copy of firmware
MemoryTab=Image1,0x9fd00000,0xf0000

#log data
MemoryTab=log,0x9fdf0000,0x10000

/*

// watch dog
Init=0xfffe0224,0
// initialize chip set
Init=0xfffe2300,0x1a
Init=0xfffe2304,0
Init=0xfffe2308,0x8040
Init=0xfffe230C,3
Init=0xfffe2310,0x4824

*/
And finally the complete OpenOCD file (containing all previous pieces of code):
Code:
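# Chip name and endianness are used below but were not defined in the posted file.
# bcm3349 matches the tap name in the scan_chain output; big matches Endian=big
# in the JTAG Utility definition file.
if { [info exists CHIPNAME] } {
   set  _CHIPNAME $CHIPNAME
} else {
   set  _CHIPNAME bcm3349
}

if { [info exists ENDIAN] } {
   set  _ENDIAN $ENDIAN
} else {
   set  _ENDIAN big
}

# Work-area is a space in RAM used for flash programming
# By default use 0x800000 bytes (8 MB, the RAM size in the JTAG Utility file)
if { [info exists WORKAREASIZE] } {
   set  _WORKAREASIZE $WORKAREASIZE
} else {
   set  _WORKAREASIZE 0x800000
}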

# JTAG speed should be <= F_CPU/6. F_CPU after reset is 8MHz, so use F_JTAG = 1MHz
adapter_khz 1000

adapter_nsrst_delay 100
jtag_ntrst_delay 100

#jtag scan chain
if { [info exists CPUTAPID ] } {
   set _CPUTAPID $CPUTAPID
} else {
   set _CPUTAPID 0x0334917f
}
jtag newtap $_CHIPNAME cpu -irlen 5 -expected-id $_CPUTAPID

set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME mips_m4k -endian $_ENDIAN -chain-position $_TARGETNAME

$_TARGETNAME configure -work-area-phys 0x80000000 -work-area-size $_WORKAREASIZE -work-area-backup 0

$_TARGETNAME configure -event reset-init {
  halt
  echo "Disabling watch dog.."
  $_TARGETNAME mww 0xfffe0224 0
  echo "Initializing chipset.."
  $_TARGETNAME mww 0xfffe2300 0x1a
  $_TARGETNAME mww 0xfffe2304 0
  $_TARGETNAME mww 0xfffe2308 0x8040
  $_TARGETNAME mww 0xfffe230C 3
  $_TARGETNAME mww 0xfffe2310 0x4824
}

# flash size will be probed
set _FLASHNAME $_CHIPNAME.flash
flash bank $_FLASHNAME cfi 0x9fc00000 0x200000 2 2 0

init
Any insights would be greatly appreciated.
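An added example, not part of the original post and not OpenOCD's code: a small C model of the CFI query handshake the post describes, using the bank base and 2-byte bus width from the flash bank line. The flash model, the function names and the `writes_reach_chip` switch are assumptions for illustration; the QRY offsets 0x10 to 0x12 come from the CFI specification. It shows which byte addresses the probe touches and why the result is "no QRY" whenever the 0x98 write cycle never reaches the chip.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an x16 CFI flash; names and behaviour are assumptions. */
struct flash {
    int query_mode;        /* 0 = read-array, 1 = CFI query */
    int writes_reach_chip; /* 0 models a bus setup that drops write cycles */
};

#define BANK_BASE 0x9fc00000u /* base from the post's flash bank line */
#define BUS_WIDTH 2u          /* bus width in bytes, same line */
/* Byte address of CFI word offset `off` on this bus. */
uint32_t cfi_addr(uint32_t off) { return BANK_BASE + off * BUS_WIDTH; }

void bus_write16(struct flash *f, uint32_t addr, uint16_t data)
{
    if (!f->writes_reach_chip) return;
    if (data == 0x98 && addr == cfi_addr(0x55)) f->query_mode = 1;
    else if (data == 0xff) f->query_mode = 0;
}

uint16_t bus_read16(const struct flash *f, uint32_t addr)
{
    static const char qry[] = "QRY";
    uint32_t word = (addr - BANK_BASE) / BUS_WIDTH;
    if (f->query_mode && word >= 0x10 && word <= 0x12)
        return (uint16_t)qry[word - 0x10];
    return 0xffff; /* erased array data or an unanswered bus cycle */
}

/* Returns 1 when "QRY" is read back at CFI offsets 0x10..0x12, else 0. */
int cfi_probe(struct flash *f, uint16_t id[3])
{
    bus_write16(f, cfi_addr(0x55), 0x98);     /* Read Query */
    for (uint32_t i = 0; i < 3; i++)
        id[i] = bus_read16(f, cfi_addr(0x10 + i));
    bus_write16(f, cfi_addr(0x00), 0xff);     /* Read Array */
    return id[0] == 'Q' && id[1] == 'R' && id[2] == 'Y';
}

int main(void)
{
    struct flash ok = {0, 1}, dropped = {0, 0};
    uint16_t id[3];
    printf("query write goes to 0x%08x\n", (unsigned)cfi_addr(0x55));
    printf("writes reach chip: %s\n", cfi_probe(&ok, id) ? "QRY" : "no QRY");
    printf("writes dropped:    %s\n", cfi_probe(&dropped, id) ? "QRY" : "no QRY");
    return 0;
}
```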
#141505
It seems that most of the other utilities use DMA to access the flash memory. I'm not sure whether OpenOCD uses the DMA mode for EJTAG in this case. I found that there was a patch submitted some time ago to support this. At first sight, I can't seem to retrieve any of the debug messages involved in OpenOCD's output for this.

The switch should be made according to the IMPCODE of the board, so this should be transparent for most cases. Will need to do some more investigation on this.