WANTED : JTAG Access, Dead or Alive!

General Forum for talking area for D series TVs.

User avatar
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: WANTED : JTAG Access, Dead or Alive!

Post by juusso »

Just got ULINK2-USB-JTAG-Emulator-ARM9-Cortex-Keil-Ulink-II-Debug-Adapter-ULINK-2 wich came with KEIL MDK411 software. Might anyone knows which processor type should be selected for D6000? :oops:
ARM7(little endian) should be ok? (ARM7TDMI-S based high-performance 32-bit RISC Microcontroller with Thumb extensions).

cat /proc/cpuinfo:

Code: Select all

Processor	: ARMv7 Processor rev 1 (v7l)
BogoMIPS	: 1196.03
Features	: swp half thumb fastmult vfp edsp neon vfpv3 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x2
CPU part	: 0xc09
CPU revision	: 1

Hardware	: Samsung SDP1001 Evaluation board
Revision	: 0000
Serial		: 0000000000000000
Goal: to get flash dump (especially kernel)
Goal2: flash back right kernel to its place.

Problem: wrong kernel flashed and system doesn`t boot at all.

Might goals are mission impossible, haven`t connected cable to board yet, trying to understand software/configs...

P.s. might if becomme growing, will move to separate topic.
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE
arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)
Contact:

Re: WANTED : JTAG Access, Dead or Alive!

Post by arris69 »

juuso wrote:Just got ULINK2-USB-JTAG-Emulator-ARM9-Cortex-Keil-Ulink-II-Debug-Adapter-ULINK-2 wich came with KEIL MDK411 software. Might anyone knows which processor type should be selected for D6000? :oops:
ARM7(little endian) should be ok? (ARM7TDMI-S based high-performance 32-bit RISC Microcontroller with Thumb extensions).

cat /proc/cpuinfo:

Code: Select all

Processor	: ARMv7 Processor rev 1 (v7l)
BogoMIPS	: 1196.03
Features	: swp half thumb fastmult vfp edsp neon vfpv3 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x2
CPU part	: 0xc09
CPU revision	: 1

Hardware	: Samsung SDP1001 Evaluation board
Revision	: 0000
Serial		: 0000000000000000
Goal: to get flash dump (especially kernel)
Goal2: flash back right kernel to its place.

Problem: wrong kernel flashed and system doesn`t boot at all.

Might goals are mission impossible, haven`t connected cable to board yet, trying to understand software/configs...

P.s. might if becomme growing, will move to separate topic.
don't trust /proc/cpuinfo if the kernel comes from korea....
just try normal armv7 cpu then i guess samsung don't mount really the components what they announce...
User avatar
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: WANTED : JTAG Access, Dead or Alive!

Post by juusso »

What is on-chip flash type?

sbav1?
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE
sbav1
Official SamyGO Developer
Posts: 374
Joined: Fri Jan 15, 2010 10:20 am

Re: WANTED : JTAG Access, Dead or Alive!

Post by sbav1 »

juuso wrote:Just got ULINK2-USB-JTAG-Emulator-ARM9-Cortex-Keil-Ulink-II-Debug-Adapter-ULINK-2 wich came with KEIL MDK411 software. Might anyone knows which processor type should be selected for D6000? :oops:
ARM7(little endian) should be ok? (ARM7TDMI-S based high-performance 32-bit RISC Microcontroller with Thumb extensions).
C-Series/D-Series ARM core is Cortex-A8 (or perhaps Cortex-A9 in D-Series ?) == ARMv7 architecture. ARM7TDMI core was much older & simpler (ARMv4 architecture)..
Original Keil ULINK2 JTAG adapter supported ARM core list looks somehow limited to me (ARM7/ARM9/Cortex-M cores). Will it work with SDP1001 JTAG interface? I dunno.. maybe (at least on physical level).

Re: on-chip flash type: we don't even know if there is any on-chip flash in SDP1001 (ARM CPU may be starting from OneNAND boot block / 1kB BootRAM directly).
In general, OneNAND access (dumping/flashing) is tricky. Two methods I'm aware of:
1) Via JTAG boundary scan: really hard to figure out if there are no manufacturer specs available (SDP1001 is quite complex SoC, with great many pins/pads, and many internal CPU cores/subsystems). Doesn't look very promising - unless we can obtain detailed documentation somehow. Old-fashioned industrial espionage, perhaps :)
2) Use JTAG to load and run some specially crafted ARM code for re-flashing, using built-in chip controllers/external access capabilities. Those controllers are chip specific, too, but potentially much easier to figure out (we have U-Boot sources for B-Series, with OneNAND access code included, that should be a good start). Often, such code is already present in flash or BootROM, left out as backdoor/service/emergency access method. I remember there was one extra flash partition (at least in B/C-Series) with some OneNAND-related code on it; I wonder what is it exactly for?

For some devices, there are hidden/undocumented built-in auxiliary hardware interfaces for booting/flashing.. Interesting fact: all ARM-based B/C/D-Series mainboards I've seen so far have two test pads directly under OneNAND chips. I find that a little suspicious ;).

I can't find any datasheet for KFG1GN6W2D used in D-series (?), and it doesn't follow Samsung own naming scheme; WTF is this kitty??
In B/C-Series they were using generic Samsung-made flex-OneNANDs (SLC + MLC), with detailed specs/datasheets easily available. No built-in 2-wire interface of any kind mentioned in the datasheets, though. So, what are those two pads used for?
User avatar
erdem_ua
SamyGO Admin
Posts: 3125
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey
Contact:

Re: WANTED : JTAG Access, Dead or Alive!

Post by erdem_ua »

sbav, doesn't all OneNANDs are compatible each other for programming and reading? (Except mhz and voltage levels) I thought un-soldering chip and re-programming is possible if chip re-balled after... ( Or using compatible chip )
sbav1
Official SamyGO Developer
Posts: 374
Joined: Fri Jan 15, 2010 10:20 am

Re: WANTED : JTAG Access, Dead or Alive!

Post by sbav1 »

erdem_ua wrote:sbav, doesn't all OneNANDs are compatible each other for programming and reading?
AFAIK, no. Most of them are similar (more or less), but important details tend to differ from chip to chip.

EDIT: In D6XXX training manual, there is KFG1G16U2D mentioned (SLC, 128MB) , datasheet for this one easier to find.
LLStarks
Posts: 58
Joined: Mon Nov 07, 2011 12:17 pm

Re: WANTED : JTAG Access, Dead or Alive!

Post by LLStarks »

Do similar devices exist for Mips?
LN32D550K1FXZA (ROOTED)
T-MSV4AUSC-1001.2
T-MSV4AUSS-2001 (wtf is this?)
User avatar
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: WANTED : JTAG Access, Dead or Alive!

Post by juusso »

First impression: "Communication to Jtag device failed".
It saidn`t "Jtag device not found". which i get if TV is off, but seems either jtag is disabled on mainboard or here are some specific connection data needed.
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE

Post Reply

Return to “[D] General”