Author Topic: Serial debug (console) approach...?  (Read 33076 times)

0 Members and 1 Guest are viewing this topic.

Offline para

  • Senior Member
  • Veteran.
  • *****
  • Posts: 181
Re: Serial debug (console) approach...?
« Reply #20 on: March 28, 2005, 02:53:53 pm »
@judb: referencing your post over there, have you seen the locking and encryption feature built into the 8052? I don't think they use the lock (because it might not allow firmware updates) but I'm pretty sure they use the encryption. This would mean we can't get the controller's code without erasing the whole IC...

Para


Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Serial debug (console) approach...?
« Reply #21 on: March 28, 2005, 03:14:04 pm »
I am going to try and be optimistic about it and say perhaps they didnt take the time to implement that.

Since we are dealing with two diffrent firmware regions (on flash chip for the ARM CPU) and the Winbond microcontroler has an embeded reprogrammabale area for booting I'd guess the winbond portion is not encrypted data, unless we have the boot process completley backwards.

Do we know for sure that the ARM CPU isnt the booting device that boots directly from flash and then straps the 8052 with code from the same flash rom?

I think we should update an assumption thread about the whole loading process given the patent info we saw and the capabiliities of the chips that are listed in the PDF's I posted.

Also who had the board that took pictures of it and posted them?  That thread disappeared.
That board has pretty significant deviation in layout from my board and I'd like to compare the chips on each to see if they are the same or not.

Also anyone have a red box they can open up and read the chip part numbers / post good photos of the boards?  I doubt the design is that drastic.  

In fact, I wouldn't be suprised if there was a way to bypass the encryption / setup diffrences by putting the right chip or resistor on the surface of the board.  (more wishful thinking)
« Last Edit: March 28, 2005, 03:15:47 pm by judb »

Offline A543

  • Senior Member
  • Veteran.
  • *****
  • Posts: 214
Re: Serial debug (console) approach...?
« Reply #22 on: March 28, 2005, 03:23:06 pm »
Just another thought. It's possible that the Red boxes don't have protected code.  We might be able to extract their boot code and get a general idea of how the newer boxes boot, or even use the Red boot code to program the newer uC.
We need some Red info.

Offline para

  • Senior Member
  • Veteran.
  • *****
  • Posts: 181
Re: Serial debug (console) approach...?
« Reply #23 on: March 28, 2005, 03:31:20 pm »
Quote
Do we know for sure that the ARM CPU isnt the booting device that boots directly from flash and then straps the 8052 with code from the same flash rom?

Well, the 8052 has a loader ROM which activates a firmware (application) update if requested. If not it loads the application ROM . That's exactly the procedure being described by Terry Kennedy (see FAQ), isn't it?

Quote
Also who had the board that took pictures of it and posted them?  That thread disappeared.

Damn, you're right! I got these images on my HDD but don't have enough allowed traffic to put it on a public server... I hope Paul's taking care of that problem and restores that thread. A few hours ago it was still there!

Para

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Serial debug (console) approach...?
« Reply #24 on: March 28, 2005, 03:40:36 pm »
Send them to me, I'll host them.  I have over 60 gigs of bandwidth on my server to burn by the end of march. :)

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Serial debug (console) approach...?
« Reply #25 on: March 28, 2005, 03:57:19 pm »
Heres some photos I took of my board...
http://www.savageguild.com/phatnoise/keg1-02.jpg

http://www.savageguild.com/phatnoise/keg1-03.jpg

Higher rez versions available...
« Last Edit: March 28, 2005, 05:19:48 pm by judb »

Offline para

  • Senior Member
  • Veteran.
  • *****
  • Posts: 181
Re: Serial debug (console) approach...?
« Reply #26 on: March 28, 2005, 04:05:23 pm »
That looks definitely different compared to the other shots! Is there any model number you could post with the pictures? Just for us to know what model where're looking at...

Para
« Last Edit: March 28, 2005, 09:34:21 pm by para »

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Serial debug (console) approach...?
« Reply #27 on: March 28, 2005, 05:21:24 pm »
This is from a Keg CX910.  I have two of them and they both have a similar layout.  They are from 2001 2002 timeframe.

the board itself has a silk screened name on the back if you look at the photo.

Also, I think the 710 keg is the same board but with less connectors on the back (power and RCA I think)

Offline para

  • Senior Member
  • Veteran.
  • *****
  • Posts: 181
Re: Serial debug (console) approach...?
« Reply #28 on: March 28, 2005, 06:35:10 pm »
Hm, is there any warranty seal on the Phatbox? I hope  I get mine out of customs tomorrow morning. If there's no seal I'll try to open it and get us some pix.

Para

PS: I'll send you the other shots in the next hours...

Update: Well, we're just too stupid 8):
http://forum.phathack.com/cgi-bin/yabb/YaBB.cgi?board=faqlist;action=display;num=1111166455
(I wrote it and you should be aware of it)
« Last Edit: March 28, 2005, 09:33:26 pm by para »

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Serial debug (console) approach...?
« Reply #29 on: March 28, 2005, 09:51:46 pm »
Yeah my photos are of a diffrent rev board and those pictures were posted in a diffrent thread a while back I swear! :)

Offline para

  • Senior Member
  • Veteran.
  • *****
  • Posts: 181
Re: Serial debug (console) approach...?
« Reply #30 on: March 28, 2005, 10:02:53 pm »
Ok, so we're even more stupid than I thought! Have a look at page 1 from time to time :-[

Going to bed, Para

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Serial debug (console) approach...?
« Reply #31 on: March 28, 2005, 10:57:47 pm »
LOL okay im a moron and or the search feature is broken as I searched for those photos and it came up with results that were not the post on page 1.

BAH!

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: Serial debug (console) approach...?
« Reply #32 on: March 28, 2005, 11:09:18 pm »
The pics were mine, should still be accessible... but I have to wait till I get home to get the links again...  I'll go ahead and make links off the http://www.phathack.com page... anybody have high bandwidth?  I have a 384K upstream at the moment, soon to be 768K...

Sam

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
« Last Edit: March 29, 2005, 05:34:20 am by judb »

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Serial debug (console) approach...?
« Reply #34 on: March 29, 2005, 05:29:25 am »
Okay, so here's the deal.  Mitch and I sat down tonight and traced the board to find the JTAG connector pins for the xilink chips and the ARM CPU.

JP5 -- XILINX 9572XL - JTAG
Pin 6   > 9572XL Pin 48 - TDO
Pin 8   > 9572XL Pin 83 - TDO
Pin 10 > 9572XL Pin 45 - TDO
Pin 12 > 9572XL Pin 47 - TDO

JP6 -- ARM JTAG (No Connector, just pads)
Pin 3   > 7312 Pin 125 - nTRST
Pin 5   > 7312 Pin 11 - TDI
Pin 7   > 7312 Pin 58 - TMS
Pin 9   > 7312 Pin 90 - TCLK
Pin 11 > 7312 Pin 22 - TDO

JP8 -- ARM UART1 (SERIAL PORT!!!)
Pin 5  > 7312 Pin 32 - TDX[1]
Pin 7  > 7312 Pin 36 - RXD[1]
Pin 9  > 7312 Pin 37 - DCD
Pin 11 > 7312 Pin 38 - DSR
Pin 13 > 7312 Pin 35 - CTS

JP9 -- XILINX 5032C - JTAG
Pin 6   > 5032C Pin 26 - TCLK
Pin 8   > 5032C Pin 32 - TDO
Pin 10 > 5032C Pin 1 - TDI
Pin 12 > 5032C Pin 7 - TMS

You can use either:
Molex 87332-1420
or
DigiKey WM18078-ND

To connect to the 14 pin mini JTAG interface on the boards to get access to all but the ARM JTAG interface as it doesnt have anything on the boards pads.

I think this is how they program the boxes from the factory so this SHOULD be a way for us to get into them and fix em.

I really need my hands on a red box, anyone in central texas got one?  I swear we wont break it. :)






heres some info i found on the JTAG interface for ARM.
http://www.arm.com/support/faqdev/4511.html
« Last Edit: March 29, 2005, 05:30:37 am by judb »

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Serial debug (console) approach...?
« Reply #35 on: March 29, 2005, 05:33:16 am »
Tomorrow we are headed to see if we can get the parts we need to roll our own JTAG interface...

http://www.xilinx.com/support/programr/jtag_cable.pdf should be some help for making your own if you are so inclined.

Ebay has some already made but the pins are too far apart to hook into this connector on the board.

I am mostly interested in starting with the serial port right now.

I bought a KCA-R70FM adaptor so I can test at my desk the Keg. :)

Offline shack

  • Newbie
  • Posts: 14
Re: Serial debug (console) approach...?
« Reply #36 on: March 29, 2005, 06:20:42 am »
I've got a Red box and would be happy to contribute, though I'm not much of a hardware kind of guy.

Offline para

  • Senior Member
  • Veteran.
  • *****
  • Posts: 181
Re: Serial debug (console) approach...?
« Reply #37 on: April 03, 2005, 06:23:13 pm »
« Last Edit: April 03, 2005, 06:23:31 pm by para »

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Serial debug (console) approach...?
« Reply #38 on: April 03, 2005, 09:11:19 pm »
Looks like if bash and profile files exist on the DMS in the root of PHATSYS (/dos) it will launch a shell.. but not otherwise.

I need an ARM complied version of bash... hmmm (wanders over to google)

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Serial debug (console) approach...?
« Reply #39 on: April 12, 2005, 07:31:27 pm »
On further inspection, if I read the busy box setup right, the -/bin/sh command SHOULD be putting a shell on /dev/console which is redirected to /dev/ttyS0 so the bash script might be out of date and not used anymore.

I need to keep plugging at getting the console to work.  stupid serial ports! bah!