Dcu3 jtag

[usbbdm]

I get a lot of requests to support DCU3. I am opening this thread and hope people can come here to discuss. As you all know I am actively developing software for USB JTAG NT and it is very likely that DCU3 will be supported by USB JTAG NT if the road bock is moved.

Here is what I have and can do with USB JTAG NT.
1. I have an ExtremeView XV3300 with ST5105 CPU.
2. USB JTAG NT can read the whole flash from the box. Speed is about 250KB/s.
3. USB JTAG NT can peek and poke data. But peek and poke command is not enough to get the flash ID. The flash of the box is at address 0x40000000. If we can get flash ID with peek and poke command we can program the box with slow mode (~20KB/s)
4. With normal DCU the way to get it JTAG work (same as jkeys) is to install trap function at address 0x80000000 (segment). Then modify the vector and then issue a command to DCU register. (poke 3004 0, poke 03004 20000000). The CPU then goes to the trap code and we can then do anything.
5. I know the DCU register is at address 0x30003000. But any command to 0x30003000 or 0x30003004 will not stop CPU to the trap code.

So if we can
1. Use peek and poke command to get the flash then we can program the chip slowly (not slower than any pjtag).
2. stop the CPU to the trap code then we can program the chip fast (>100KB/s).

I know a lot people on ftatalk is discuss this and I hope they can come here to discuss.

[slugworth]

I stumbled on a program for jtagging the pace3100 receiver which is sti5514 based dcu3.Basically it was using a program called uctap to interface a flash program run under a condensed version of st20 toolset v1.96.
Later versions of st20 toolset have a flashburner program that will work with dcu3,unfortunately they were compiled for an 8meg flash and don't detect the 4meg flash in my magnum 3300 correctly.I was also given another flashburner.lku from a chinese site for the st5105 but that too was for an 8meg flash.If I could figure out how to make a .lku for 4meg flash I could probably get my receiver working again.
The pace3100 file is called pvr2flash.rar and is a working solution for jtagging the sti5514 dcu3,maybe you can get the needed info from that.
Info for uctap:

Code: Select all

ucTAP v 0.2 beta
(c) 2006 TAP Dancers ..May 31  2006.
ucTAP is a program to emulate ST20 Micro 
Connect functions over a basic JTAG interface...
ucTAPsrv [-p LPT port] [-i MC port] [-d MC port] [-c DCU_CTRL_ADR] [-M DCU_CTRL _MASK] [-t] [-v debug_level] 
 -t: Uses a fast memset using a trap, speeds up the loading..  
 -i port:  The MicroConnect Boot
 -d port:  The MicroConnect Data port..
  -v debug_level: debug output 0 (off/default).
  1 (Command summary)..          
  2 (+Specific data details)
  3 (+RAW ethernet payload data)
 -c DCU_CTRL_ADR:  Address of the DCU control register    
   Set automatically if CPU is detected
 -m DCU_CTRL_MASK: Bitmask of DCUControl for device access enable  
   Set automatically if CPU is detected
 ...example:..   ucTAPsrv  -p 0x378 -i 973 -c 0x3 -m 0x00080000

[slugworth]

I have some intersting files but the attachment size limit is too low.

[usbbdm]

slugworth , I saw some of your post on ftatalk.
The only thing need to have USB JTAG NT working on those boxes to gain fast programming speed is to force the trap to work properly. The rest is just as simple as DCU (ST20).

I think ucTap uses different way but I am familiar with how jKeys does and that is implemented in USB JTAG and NT.
Basically I can read and and write ram. If we can write our own interrupt handler and force the box an interrupt then we can run our own code with different command with poke command.

I found on DCU 3 it is easier to get synced with CPU than on normal ST20 boxes. Normal boxes sometime need you to ground a pin but on my FTA box it is not needed to get synced.

You said you have code that can run on 8M flash, that is interesting, I would like to stop the CPU and then use USBJTAG (NT) to read back all the ram to compare as what was changed. Especially the DCU registers.

The moment I changed anything to the address 0x80000040 to 0x8000004f the CPU get stuck (possible already interrupt happened).

[slugworth]

The magnum coder once suggested writing a loader to ram to get the serial port working,then load a correct bootloader to flash via serial port.
He never came up with a working method.Maybe you would have to physically reset the st5105 for that to work.

[slugworth]

wt_flash burner stuff for use with st20 toolset.

[slugworth]

The wtmecburner map output file,but it shows the flash at the wrong address.

[slugworth]

Using a modified mb385.c file made into a .lku I was able to use st20 toolset to erase the flash in my magnum 3300 with sst39vf3201 flash.Now I just have to figure out how to modify the file to program the flash.

Code: Select all

/* ==========================FlashROM cui_commands defines======================= */

#define      READ_MEM            0xF0              /* read flash_rom_array command (written anywhere in mem)*/
#define      COMMAND_INIT1       0xAA              /* part 1 of command initialisation */
#define      COMMAND_INIT2       0x55              /* part 2 of command initialisation */
#define      READ_IDENT          0x90              /* read flash_rom ident command */
#define      SETUP_ERASE         0x80              /* setup to do an erase command */
#define      CHIP_ERASE_CONFIRM  0x10              /* confirm chip erase command   */
#define      PROGRAM             0xA0              /* program command              */

/* ==========================FlashROM Offset defines============================= */
#define      COMMAND_OFFSET1     ((0x5555)<<1)     /*Offset to send COMMAND_INIT1's to */
#define      COMMAND_OFFSET2     ((0x2AAA)<<1)     /*Offset to send COMMAND_INIT2's to */
#define      MFGID_OFFSET        0x00000000        /* manufacturers id offset     */
#define      DEVID_OFFSET        0x00000002        /* device id offset            */
#define      BLOCK_PROT_OFFSET   0x00000004        /* block prot read offset

[usbbdm]

Great progress. If you can erase the flash, you should be able to program the device (might be in slow mode). Sorry for not able to jump on DCU3 for a while.

[slugworth]

You have to write to the flash certain data and a certain sequence to get the manufacture id and device id.The same goes for programming,which I think involves setting vpp high and is where I am stuck now.
I have to copy/paste from different sources which is error prone.
The entire chip erased in 2 seconds,so that was good.

[slugworth]

Should work but I get errors when trying to build the .lku

Code: Select all

/* Sets the Vpp high to allow write access to flash */
static void vpp_high()
{
#if 1
    /* We rely on the board configs to enable flash write access */
    return;
#else    
    int i;
    /* This is for the STi5516/17/MB382 */
/*    *(volatile unsigned int*) 0x20112004 = 0x8;*/
    /* This is for the STi5100/MB390 */
/*    *(volatile unsigned int*) 0x41400000 = 0x30003;*/
    /* This is for STi7710/MB391 */
/*    *(volatile unsigned int*) 0x41400000 = 0x30003;*/
    /* This is for STi5105/MB400 */
/*    *(volatile unsigned int*) 0x45200000 = 0x03000000;*/
    for (i=0; i < 2000; i++);
#endif
}

 /* Set Vpp/Vpen high to allow flash chip programming and erase */
    vpp_high();

    return result;
}

as you can see a few common processor types are covered.

[usbbdm]

If you can erase the chip I do not think you need to raise the vpp high to program. Are you constantly working on this issue? If you have yahoo messenger, add me in and we might work out a better solution. I was just distracted for different issues. If I am focused on DCU3 we should have a good fast programmer already.

[slugworth]

My first approach was to modify the mb385.c file to get it to detect the flash and to erase.I will have to try to do the same with the mb382.c file.
These are the 2 unmodified files from st20 toolset v2.3.1

[usbbdm]

What is your flash address? I used 0x40000000 and does not seems to work. I saw some other addresses.0x7f800000 and 0x60000000.

[slugworth]

Flash address is definitely 40000000 for jtagging.