help me trace the flash write enable

[bushing]

Gang,

I have a utility (a modified version of flash_and_burn that I posted about earlier) that should be able to reporgram the ST Micro flash chip onboard the PB.

However, when it tries sending commands, the chip plays dumb -- it acts as if it is never getting a write pulse, so instead of returning command responses it just returns the contents of the ROM.

I'm having trouble tracing the write enable line (pin 11 on the flash chip) back to the CPU.  There's no trace connected to it on the topside, so I'm thinking it must run under the chip, to a via ... but I know some of you are better at this than I am. Hopefully it connects to one of the GPIO pins on the CPU -- I understand that that's a typical configuration.  Other options include a jumper somewhere...

I  think that's about all that's still standing in our way.

Ben

[judb]

I'm on it.  Give me a little bit.  I have to go look up the write enable pin and do some tracing.

[judb]

i traced continuity to pin 201 on the ARM chip(or could be 200 its REALLY hard to tell but from reading the discirptions 201 seems to be the right one anyhow)  its the ROM expansion Write Enable pin... back to the write enable pin on the flash chip (pin 11)

[bushing]

i traced continuity to pin 201 on the ARM chip(or could be 200 its REALLY hard to tell but from reading the discirptions 201 seems to be the right one anyhow)  its the ROM expansion Write Enable pin... back to the write enable pin on the flash chip (pin 11)

?! okay, back to the drawing board .. thanks for putting the time in!

[judb]

what do you mean about back to the drawning board? do you need a new flash utility becasue the one you have wont put the right signal to the write enable pin?

[bushing]

what do you mean about back to the drawning board? do you need a new flash utility becasue the one you have wont put the right signal to the write enable pin?

Nah... I took another look at the traces, and you're right -- I was tired and distracted when I was looking before, and so I was looking at pin 12, not pin 11.  I see now that pin 11 is hooked up to the write enable pin on the SDRAM, and the two of them are connected to the CPU, like you said.

I meant, back to the drawing board, as in I now don't have an explanation as to why my flashing code doesn't work.   So I need to come up with another one ... but I still don't see a reason why it can't work.

The way it should work is that you write out a special sequence to the "rom" chip (it's like 0xA0 to address 0xAAA, then 0xFF to 0xFFF, then 0x90 to 0xAAA, or something -- it's spelled out in the datasheet).  It then spits back out an ID code so you can identify what kind of chip it is.  You should be able to read back 0x20 0x57 from the first two bytes of the flash chip... instead, what we're getting back is the first two bytes of the ROM image itself, which means it ignored the command sequence.  

I took some code that is known to work with other flash chips, and just modified the command sequence, so I don't know why it won't work!

In the mean time, i'm going to try to completely nail down how the boot rom image functions.  I'm having trouble getting IDA Pro to handle the address references correctly, but I've identified the crypto functions as well as the IDE interface functions.  

It's possible (but not horribly likely) that there is a way we can corrupt the drive signature in a way that will force it to pass ... that'd be the only way to avoid having to flash the chip.

Ben

[judb]

I dont suppose you looked at their flash utility to see what commands its passing to the flash chip did you?

[bushing]

I dont suppose you looked at their flash utility to see what commands its passing to the flash chip did you?

... what flash utility?

-b

[judb]

I am not sure, progpld maybe?