|
|
(7 intermediate revisions by the same user not shown) |
Line 24: |
Line 24: |
| ===LS2=== | | ===LS2=== |
| ==Arm-based boxes== | | ==Arm-based boxes== |
− | Tampakuro/kuroguy discovered the layout of the JTAG Port on LS Pro v1 and an early KuroPro by tracing the wiring. The account of his work and early efforts is here : [http://forum.nas-central.org/viewtopic.php?f=39&t=3001 JTAG for the LS Pro and LS Live]. He found that the v1 had a non-standard pinout. The v2 LS Live has a [http://hri.sourceforge.net/tools/jtag_faq_org.html#_Toc63218717 standard ARM 20 pin layout]. mdfirefighter and others discovered that Dominic Rath's OpenOCD software was the key to opening the LS Pro to JTAG - this is detailed in the same thread linked to above.
| + | ===LS Pro and LS Live=== |
− | ===LS Pro/LS Live (arm9)===
| + | See the article at [http://buffalo.nas-central.org/index.php/JTAG_%26_OpenOCD_for_LS-Pro JTAG & OpenOCD for the LS-Pro] for complete details and instructions. |
− | ====Flash structure====
| + | |
− | For the LSProV2, here is the output of flinfo while in u-boot:
| + | |
− | Marvell>> flinfo
| + | |
− |
| + | |
− | Bank # 1: SST SST39VF020 (2 Mbit)
| + | |
− | Size: 256 kB,Bus Width: 1, device Width: 1.
| + | |
− | Flash base: 0xfffc0000,Number of Sectors: 64 Type: REGULAR.
| + | |
− | Sector Start Addresses:
| + | |
− | 00000000 (RO) 00001000 (RO) 00002000 (RO) 00003000 (RO) 00004000 (RO)
| + | |
− | 00005000 (RO) 00006000 (RO) 00007000 (RO) 00008000 (RO) 00009000 (RO)
| + | |
− | 0000a000 (RO) 0000b000 (RO) 0000c000 (RO) 0000d000 (RO) 0000e000 (RO)
| + | |
− | 0000f000 (RO) 00010000 (RO) 00011000 (RO) 00012000 (RO) 00013000 (RO)
| + | |
− | 00014000 (RO) 00015000 (RO) 00016000 (RO) 00017000 (RO) 00018000 (RO)
| + | |
− | 00019000 (RO) 0001a000 (RO) 0001b000 (RO) 0001c000 (RO) 0001d000 (RO)
| + | |
− | 0001e000 (RO) 0001f000 (RO) 00020000 (RO) 00021000 (RO) 00022000 (RO)
| + | |
− | 00023000 (RO) 00024000 (RO) 00025000 (RO) 00026000 (RO) 00027000 (RO)
| + | |
− | 00028000 (RO) 00029000 (RO) 0002a000 (RO) 0002b000 (RO) 0002c000 (RO)
| + | |
− | 0002d000 (RO) 0002e000 (RO) 0002f000 (RO) 00030000 (RO) 00031000 (RO)
| + | |
− | 00032000 (RO) 00033000 (RO) 00034000 (RO) 00035000 (RO) 00036000 (RO)
| + | |
− | 00037000 (RO) 00038000 (RO) 00039000 (RO) 0003a000 (RO) 0003b000 (RO)
| + | |
− | 0003c000 (RO) 0003d000 (RO) 0003e000 (RO) 0003f000
| + | |
− | ====Background and Required Hardware Software====
| + | |
− | CAUTION : USE AT YOUR OWN RISK. IT IS POSSIBLE TO BRICK ONE'S BOX WITH THESE METHODS. UNBRICKING IS NOT GUARANTEED.
| + | |
− | These directions have been tested and checked on a LSProV2. The OCD software we use is [http://openfacts.berlios.de/index-en.phtml?title=Open_On-Chip_Debugger OpenOCD], created by Dominic Rath.
| + | |
− | *[http://openfacts.berlios.de/index-en.phtml?title=Open_On-Chip_Debugger OpenOCD]. You should probably work with the version that most of us here have used - [http://downloads.nas-central.org/ALL_LS_KB_ARM9/openocd-lspro.tgz download it from here].
| + | |
− | *JTAG adapter like the Olimex ARM-USB-TINY (tested) or a Wiggler (Wigglers and other paraport adapters seem slower than USB).
| + | |
− | *an x86 desktop/laptop running Linux (tested w/ Ubuntu 7.10)
| + | |
− | *JTAG headers already attached to your ARM-based LinkStation's board
| + | |
− | | + | |
− | ====Setting Up OpenOCD====
| + | |
− | *Compiling: See [http://openfacts.berlios.de/index-en.phtml?title=Building_OpenOCD Building OpenOCD] for full details. The directions are listed below for using it with the Olimex JTAG USB TINY adapter, which is ftdi-based. Read the INSTALL file for details on building it for parallel port Wiggler devices.
| + | |
− | **Install libftdi (http://www.intra2net.com/opensource/ftdi/) or libftd2xx (http://www.ftdichip.com/Drivers/D2XX.htm). Most accounts seem to indicate that more users have better luck with libftdi (which is available as a package for Ubuntu, for instance.)
| + | |
− | **Build and install OpenOCD. Download it from the downloads on our site, or from svn at the OpenOCD site. Then configure, make and make install.
| + | |
− | ./configure --enable-ft2232_libftdi
| + | |
− | make
| + | |
− | make install
| + | |
− | Also, '''if you are using libftdi''', you may have to add the following line to your /etc/fstab:
| + | |
− | none /proc/bus/usb usbfs defaults,devmode=0666 0 0
| + | |
− | | + | |
− | If you are using a parallel port Wiggler, you should read the literature and docs in the source, as they will guide you on what to do in terms of configuring before building.
| + | |
− | | + | |
− | | + | |
− | *Configuring OpenOCD - Again, see [http://openfacts.berlios.de/index-en.phtml?title=OpenOCD_configuration Configuring OpenOCD] for details. Hints below.
| + | |
− | | + | |
− | | + | |
− | | + | |
− | *Available Commands in OpenOCD - Listed for reference. While working in the telnet daemon window w/ OpenOCD, entering the command '''help''' will yield a list of available commands and summary of help.
| + | |
− | > help
| + | |
− | help display this help
| + | |
− | sleep sleep for <n> milliseconds
| + | |
− | version show OpenOCD version
| + | |
− | shutdown shut the server down
| + | |
− | exit exit telnet session
| + | |
− | log_output redirect logging to <file> (default: stderr)
| + | |
− | debug_level adjust debug level <0-3>
| + | |
− | jtag_speed set jtag speed (if supported) <speed>
| + | |
− | scan_chain print current scan chain configuration
| + | |
− | endstate finish JTAG operations in <tap_state>
| + | |
− | jtag_reset toggle reset lines <trst> <srst>
| + | |
− | runtest move to Run-Test/Idle, and execute <num_cycles>
| + | |
− | statemove move to current endstate or [tap_state]
| + | |
− | irscan execute IR scan <device> <instr> [dev2] [instr2] ...
| + | |
− | drscan execute DR scan <device> <var> [ dev2 ] [var2] ...
| + | |
− | verify_ircapture verify value captured during Capture-IR <enable|disable>
| + | |
− | var allocate, display or delete variable <name> [num_fields|"del"] [size1] ...
| + | |
− | field display/modify variable field <var> <field> [value|"flip"]
| + | |
− | script execute commands from <file>
| + | |
− | xsvf run xsvf <file>
| + | |
− | targets no help available
| + | |
− | flash no help available
| + | |
− | banks - list configured flash banks
| + | |
− | info - print info about flash bank <num>
| + | |
− | probe - identify flash bank <num>
| + | |
− | erase_check - check erase state of sectors in flash bank <num>
| + | |
− | protect_check - check protection state of sectors in flash bank <num>
| + | |
− | erase - erase sectors at <bank> <first> <last>
| + | |
− | write - write binary <bank> <file> <offset>
| + | |
− | protect - set protection of sectors at <bank> <first> <last> <on|off>
| + | |
− | nand no help available
| + | |
− | pld programmable logic device commands
| + | |
− | arm7_9 arm7/9 specific commands
| + | |
− | write_xpsr - write program status register <value> <not cpsr|spsr>
| + | |
− | write_xpsr_im8 - write program status register <8bit immediate> <rotate> <not cpsr|spsr>
| + | |
− | write_core_reg - write core register <num> <mode> <value>
| + | |
− | sw_bkpts - support for software breakpoints <enable|disable>
| + | |
− | force_hw_bkpts - use hardware breakpoints for all breakpoints (disables sw breakpoint support) <enable|disable>
| + | |
− | dbgrq - use EmbeddedICE dbgrq instead of breakpoint for target halt requests <enable|disable>
| + | |
− | fast_writes - (deprecated, see: arm7_9 fast_memory_access)
| + | |
− | fast_memory_access - use fast memory accesses instead of slower but potentially unsafe slow accesses <enable|disable>
| + | |
− | dcc_downloads - use DCC downloads for larger memory writes <enable|disable>
| + | |
− | etb_dump - dump current ETB content
| + | |
− | armv4_5 armv4/5 specific commands
| + | |
− | reg - display ARM core registers
| + | |
− | core_state - display/change ARM core state <arm|thumb>
| + | |
− | disassemble - disassemble instructions <address> <count> ["thumb"]
| + | |
− | arm9tdmi arm9tdmi specific commands
| + | |
− | vector_catch - catch arm920t vectors ["all"|"none"|"<vec1 vec2 ...>"]
| + | |
− | arm926ejs arm926ejs specific commands
| + | |
− | cp15 - display/modify cp15 register <opcode_1> <opcode_2> <CRn> <CRm> [value]
| + | |
− | cache_info - display information about target caches
| + | |
− | virt2phys - translate va to pa <va>
| + | |
− | mdw_phys - display memory words <physical addr> [count]
| + | |
− | mdh_phys - display memory half-words <physical addr> [count]
| + | |
− | mdb_phys - display memory bytes <physical addr> [count]
| + | |
− | mww_phys - write memory word <physical addr> <value>
| + | |
− | mwh_phys - write memory half-word <physical addr> <value>
| + | |
− | mwb_phys - write memory byte <physical addr> <value>
| + | |
− | cfi no help available
| + | |
− | reg no help available
| + | |
− | poll poll target state
| + | |
− | wait_halt wait for target halt [time (s)]
| + | |
− | halt halt target
| + | |
− | resume resume target [addr]
| + | |
− | step step one instruction
| + | |
− | reset reset target [run|halt|init|run_and_halt|run_and_init]
| + | |
− | soft_reset_halt halt the target and do a soft reset
| + | |
− | mdw display memory words <addr> [count]
| + | |
− | mdh display memory half-words <addr> [count]
| + | |
− | mdb display memory bytes <addr> [count]
| + | |
− | mww write memory word <addr> <value>
| + | |
− | mwh write memory half-word <addr> <value>
| + | |
− | mwb write memory byte <addr> <value>
| + | |
− | bp set breakpoint <address> <length> [hw]
| + | |
− | rbp remove breakpoint <adress>
| + | |
− | wp set watchpoint <address> <length> <r/w/a> [value] [mask]
| + | |
− | rwp remove watchpoint <adress>
| + | |
− | load_image load_image <file> <address> ["bin"|"ihex"]
| + | |
− | dump_image dump_image <file> <address> <size>
| + | |
− | load_binary [DEPRECATED] load_binary <file> <address>
| + | |
− | dump_binary [DEPRECATED] dump_binary <file> <address> <size>
| + | |
− | | + | |
− | ====Starting Your LinkStation/KuroPro & OpenOCD, Connecting with Telnet and Getting Flash Access====
| + | |
− | *Start your ARM-based LinkStation by '''first''' ''holding the reset button on'', and then pressing the POWER ON/OFF button. After it powers up you will immediately here a musical tone.
| + | |
− | *Once you hear the tone, you will need to do both of the following as root (note that some users state that there is an advantage in doing these in rapid succession).
| + | |
− | *In a terminal window, cd to your OpenOCD config file and start it. From this window you will see only diagnostic information, mainly. Change directory to the docs/configs in the openocd directory. Then start openocd, directing it to use the config file that you have set up previously.
| + | |
− | root@bitbaker-i686:/home/davygravy/Desktop/configs# openocd -f lsp_wig.cfg
| + | |
− | Info: openocd.c:86 main(): Open On-Chip Debugger (2007-04-26 16:40 CEST)
| + | |
− | Error: embeddedice.c:190 embeddedice_build_reg_cache(): unknown EmbeddedICE version (comms ctrl: 0x00000018)
| + | |
− | The error seems commonplace to most of us that have used it. Until we know otherwise, most of us are assuming it is not a huge problem.
| + | |
− | OpenOCD is now running.
| + | |
− | *In a second terminal window, start telnet pointed to loopback, port 4444. This window is where you will control the communication and commands to your device via the jtag interface. You will have to halt your processor, verify the flash banks, and probe them (so that they are recognized properly). '''Note that your processor must be halted - this is a requirement for the probing the flash.'''
| + | |
− | Execute the following commands:
| + | |
− | halt
| + | |
− | flash banks
| + | |
− | flash probe 0
| + | |
− | The 'flash banks' may be omitted - it is optional. The output will look similar to this:
| + | |
− | root@bitbaker-i686:/usr/src# telnet localhost 4444
| + | |
− | Trying 127.0.0.1...
| + | |
− | Connected to localhost.
| + | |
− | Escape character is '^]'.
| + | |
− | Open On-Chip Debugger
| + | |
− | > halt
| + | |
− | requesting target halt...
| + | |
− | > Target 0 halted
| + | |
− | target halted in ARM state due to debug request, current mode: Abort
| + | |
− | cpsr: 0x600000d7 pc: 0x00000028
| + | |
− | MMU: disabled, D-Cache: disabled, I-Cache: enabled
| + | |
− | > flash banks
| + | |
− | #0: cfi at 0xfffc0000, size 0x00040000, buswidth 1, chipwidth 1
| + | |
− | > flash probe 0
| + | |
− | flash 'cfi' found at 0xfffc0000
| + | |
− | Once this is done, you have verified that you have proper access to the flash.
| + | |
− | | + | |
− | ====Erasing and Flashing====
| + | |
− | Now erase it, check your erase and then write the u-boot.bin file to flash. This may take anywhere from about an hour up to 5 or 6 hours. Do not interrupt the process. Execute the following:
| + | |
− | flash erase 0 0 63
| + | |
− | flash erase_check 0
| + | |
− | flash write 0 /usr/src/openocd-package/doc/configs/lspstock052207.bin 0xfffc0000
| + | |
− | The file to be used as an image for flash should be changed to fit your situation (the one shown is for a LS Pro V1).
| + | |
− | > flash erase 0 0 63
| + | |
− | erased sectors 0 through 63 on flash bank 0 in 4s 484466us
| + | |
− | > flash erase_check 0
| + | |
− | successfully checked erase state
| + | |
− | > flash write 0 /usr/src/openocd-package/doc/configs/lspstock052207.bin 0xfffc0000
| + | |
− | wrote file /usr/src/openocd-package/doc/configs/lspstock052207.bin to flash bank 0 at offset 0xfffc0000 in 12107s 811284us
| + | |
− | >
| + | |
− | | + | |
− | ====Verifying Flash and Flashing====
| + | |
− | To check to see if your flashing was successful (that the file you wanted to write to flash was actually written), dump it out and compared:
| + | |
− | dump_image currentcontents.bin 0xfffc0000 0x40000
| + | |
− | | + | |
− | diff currentcontents.bin lspstock052207.bin
| + | |
− | The second command should return nothing if the flash contents are identical to the image file.
| + | |
− | | + | |
− | ====Reference, Notes and Special Situations====
| + | |
− | #For a look at development of OpenOCD, see the [https://lists.berlios.de/pipermail/openocd-development/ OpenOCD Development List Archives]
| + | |
− | #A [http://forum.sparkfun.com/viewforum.php?f=18 forum for OpenOCD users] is hosted by SparkFun - great for posting problems and searching for answers.
| + | |
− | #Be aware that as of svn r332, Feroceon (not a true ARM926) is still not officially supported by OpenOCD. Success is not guaranteed...at least a handful of us have flashed once or twice, and then been able to proceed with a third flash. Presumably, the processor was in a state that allowed us to do the first flash(es) but for some unknown reason comes to be in some less manageable state. The difficulty for some of us has been getting the processor halted.
| + | |
− | #OpenOCD svn revision 335 with a small patch gave success for me, after I patched the source (acknowledgement to bbradley for the patch). In src/target/feroceon.c, find these lines:
| + | |
− | /* asserting DBGRQ won't win over the undef exception */
| + | |
− | arm7_9->use_dbgrq = 0 ;
| + | |
− | change the 0 to 1:
| + | |
− | /* asserting DBGRQ won't win over the undef exception */
| + | |
− | arm7_9->use_dbgrq = 1 ;
| + | |
− | and then compile normally. Note that the 'halt' command didn't work, nor did reset. The only way to get it halted was to do a soft_reset_halt and simultaneously connect pins (RTCK) and (sRST) long enough to get it to halt. ('''Do this at your own risk.''')
| + | |
− | root@bytebaker-i686:/home/davygravy# telnet localhost 4444
| + | |
− | Trying 127.0.0.1...
| + | |
− | Connected to localhost.
| + | |
− | Escape character is '^]'.
| + | |
− | Open On-Chip Debugger
| + | |
− | > halt
| + | |
− | requesting target halt...
| + | |
− | waiting for target halted...
| + | |
− | timed out while waiting for target halted
| + | |
− | timed out while waiting for target halted
| + | |
− | > reset
| + | |
− | > soft_reset_halt
| + | |
− | requesting target halt and executing a soft reset
| + | |
− | value captured during scan didn't pass the requested check: captured: 0x0f check_value: 0x01 check_mask: 0x0f
| + | |
− | in_handler reported a failed check
| + | |
− |
| + | |
− | ...
| + | |
− |
| + | |
− | value captured during scan didn't pass the requested check: captured: 0x0f check_value: 0x01 check_mask: 0x0f
| + | |
− | in_handler reported a failed check
| + | |
− | Target 0 halted
| + | |
− | target state: halted
| + | |
− | target halted in ARM state due to debug request, current mode: Supervisor
| + | |
− | cpsr: 0x000000d3 pc: 0x00000000
| + | |
− | MMU: disabled, D-Cache: disabled, I-Cache: disabled
| + | |
− | > flash probe 0
| + | |
− | probing failed for flash bank '#0' at 0xfffc0000
| + | |
− | > flash probe 0
| + | |
− | flash 'cfi' found at 0xfffc0000
| + | |
− | > flash probe 0
| + | |
− | flash 'cfi' found at 0xfffc0000
| + | |
− | > flash erase 0 0 63
| + | |
− | erased sectors 0 through 63 on flash bank 0 in 2.822007s
| + | |
− | > flash erase_check 0
| + | |
− | not enough working area available(requested 20, free 0)
| + | |
− | no working area available, falling back to slow memory reads
| + | |
− | successfully checked erase state
| + | |
− | > flash write 0 /home/davygravy/Desktop/configs/lspro-v2flash.bin 0xfffc0000
| + | |
− | not enough working area available(requested 96, free 0)
| + | |
− | no working area available, can't do block memory writes
| + | |
− | Programming at fff80000, count 00040000 bytes remaining
| + | |
− | Programming at fff80100, count 0003ff00 bytes remaining
| + | |
− | Programming at fff80200, count 0003fe00 bytes remaining
| + | |
− |
| + | |
− | ...
| + | |
− |
| + | |
− | Programming at fffbfc00, count 00000400 bytes remaining
| + | |
− | Programming at fffbfd00, count 00000300 bytes remaining
| + | |
− | Programming at fffbfe00, count 00000200 bytes remaining
| + | |
− | Programming at fffbff00, count 00000100 bytes remaining
| + | |
− | Fixup 1 unaligned tail bytes
| + | |
− | wrote 262144 byte from file /home/davygravy/Desktop/configs/lspro-v2flash.bin to flash bank 0 at offset 0xfffc0000 in 6522.530762s (0.039249 kb/s)
| + | |
− | > dump_image currentcontents.bin 0xfffc0000 0x40000
| + | |
− | dumped 262144 byte in 18.345442s
| + | |
− | > exit
| + | |
− | Connection closed by foreign host.
| + | |
− | root@bytebaker-i686:/home/davygravy#
| + | |
− | #YMMV. Good Luck.
| + | |
| | | |
| ===Terastation Pro v2/Terastation Live (arm9)=== | | ===Terastation Pro v2/Terastation Live (arm9)=== |
TODO: Add generic info about JTAG and why it safes ones ass if he messes with the flash
TODO: Add info about the additional Hardware mods needed to make JTAG working. Hint: bridge!
+ needed info about Flash structure
TODO: add specific Info if additional hardware mods are needed.
+ needed info about Flash structure
TODO: add specific Info if additional hardware mods are needed.
+ needed info about Flash structure
TODO: Add info about the JTAG cable that works on the
+ needed info about Flash structure
Similar to the other arm9-based boxes from buffalo these 2 only have uboot in flash. everything else is read and executed from harddisc.
TODO: we need to link + describe either how to compile the tools and how to use the precompiled tools from the download-section
Updating via JTAG is very slow. This is not really surprising as the JTAG protocol is a bit-level serial protocol. Writing the firmimg.bin file can easily take 24 hours or longer.