|
||||||||||||||||||||||||||||
To use JTAG for unbricking it is necessary to disassemble the device and solder wires to the JTAG pads. PLEASE REMOVE THE RED BATTERY LEAD FROM THE DEVICE BEFORE OPERATING ON IT.
On some Sansa models the pinout is documented on the PCB, on others the JTAG pinout is not documented.
Please look at https://forums.rockbox.org/index.php?topic=14064 first if the pinout is not yet documented on this page.
You will also need a JTAG interface for your computer, if you have a parallel port a simple 'wiggler' type will do the job, but might be slow. The cheapest option for USB JTAG interfaces are FT2232 based devices like the OOCDLink http://www.joernonline.de/contrexx2/cms/index.php?page=126 (a DIY device, schematics, partslist etc. available on the site) or the commercial JTAGKey2.
Finally you need JTAG interfacing software, this guide is written for the open source openocd http://openocd.berlios.de/.
This guide assumes you will use a OOCDLink or compatible, if you use a different device you will have to adjust the openocd configuration accordingly.
General Step by step overview
Step by step walkthroughUnfortunately there is no magic bullet yet, the step-by-step may or may not work depending at where exactly the boot fails. Ideally someone would write a patch for openocd so openocd can access the nand flash directly. Right now you have to get the original firmware to boot so you can upload a new firmware image and trigger the flashing process. To achieve this it helps a lot to have some low-level ARM processor/assembly knowledge.
Open On-Chip Debugger 0.4.0 (2010-02-23-17:04) Licensed under GNU GPL v2 For bug reports, read http://openocd.berlios.de/doc/doxygen/bugs.html jtag_ntrst_delay: 100 Info : clock speed 6000 kHz Info : JTAG tap: as3525.cpu tap/device found: 0x00922f0f (mfg: 0x787, part: 0x0922, ver: 0x0) Info : Embedded ICE version 2 Info : as3525.cpu: hardware has 2 breakpoint/watchpoint units
Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Open On-Chip Debugger >
> halt target state: halted target halted in ARM state due to debug-request, current mode: Supervisor cpsr: 0x60000093 pc: 0x30047bc4 MMU: enabled, D-Cache: enabled, I-Cache: enabled > reg cpsr 0x60000013 cpsr (/32): 0x60000013 > load_image /path/to/firmware 0 118332 bytes written at address 0x00000000 downloaded 118332 bytes in 4.371294s (26.436 kb/s) > resume 0
Debugging the bootloader
> halt target state: halted target halted in ARM state due to debug-request, current mode: Supervisor cpsr: 0x60000093 pc: 0x30047bc4 MMU: enabled, D-Cache: enabled, I-Cache: enabled > bp 0 4 hw breakpoint set at 0x00000000 > resume
target state: halted target halted in ARM state due to breakpoint, current mode: Supervisor cpsr: 0x000000d3 pc: 0x00000000 MMU: disabled, D-Cache: disabled, I-Cache: disabled > resume target state: halted target halted in ARM state due to breakpoint, current mode: Supervisor cpsr: 0x60000053 pc: 0x00000000 MMU: disabled, D-Cache: disabled, I-Cache: disabled Example OpenOCD configurationtelnet_port 4444 gdb_port 3333 # Note: This is for FT2232 based USB interfaces, if you use a wiggler type parallel port interface refer to the openocd documentation on how to configure it interface ft2232 # Note: Substitute different layout here if you don't use a oocdlink, refer to openocd documentation for supported layouts. ft2232_layout oocdlink # Note: I used an EEPROM-less FT2232 board with the default USB ids, you will have to substitute your JTAG interface USB ids here ft2232_vid_pid 0x0403 0x6010 jtag_ntrst_delay 100 set _CHIPNAME as3525 set _ENDIAN little set _CPUTAPID 0x00922f0f #jtag scan chain jtag newtap $_CHIPNAME cpu -irlen 4 -expected-id $_CPUTAPID set _TARGETNAME $_CHIPNAME.cpu target create $_TARGETNAME arm920t -endian $_ENDIAN -chain-position $_TARGETNAME -variant arm920t # FIXME: copied from Samsung config $_TARGETNAME configure -work-area-phys 0x200000 -work-area-size 0x4000 -work-area-backup 1 Bus Pirate OpenOCD configuration# # Buspirate with OpenOCD support # # http://dangerousprototypes.com/bus-pirate-manual/ # This configuration worked as-is for me with a Sansa Fuze V1 interface buspirate # you need to specify port on which BP lives (might need to be a serial port) buspirate_port /dev/ttyUSB0 #buspirate_port /dev/bus_pirate #You should ultimately change the udev rules for your serial JTAG interfaces so you have a dedicated address you can use, see here: http://wiki.countercaster.com/The_Bus_Pirate_on_Linux:_From_/dev/ttyUSB%3F_to_/dev/bus_pirate # communication speed setting buspirate_speed normal # or fast # Note that fast did not work for my bus pirate # voltage regulator Enabled = 1 Disabled = 0 #buspirate_vreg 0 #Enable this if you plan to use the 3.3V power from your bus pirate to power your sansa # pin mode normal or open-drain #buspirate_mode normal # pullup state Enabled = 1 Disabled = 0 #buspirate_pullup 0 jtag_khz 6000 jtag_ntrst_delay 100 set _CHIPNAME as3525 set _ENDIAN little set _CPUTAPID 0x00922f0f #jtag scan chain jtag newtap $_CHIPNAME cpu -irlen 4 -expected-id $_CPUTAPID set _TARGETNAME $_CHIPNAME.cpu target create $_TARGETNAME arm920t -endian $_ENDIAN -chain-position $_TARGETNAME -variant arm920t $_TARGETNAME configure -work-area-phys 0x200000 -work-area-size 0x4000 -work-area-backup 1
Known JTAG pinoutsC200v2C240v2 JTAG pinout USB 1 GND F 2 TDO L 3 TCK A 4 TMS S 5 TDI H 6 TRST 7 VCC RAM Clip+ & Fuze V1 (confirmed for Sansa Fuze as of Oct 5th 2010, most likely works with Fuze V2 as well)ClipPlus JTAG pinout (For the Sansa Fuze V1, pin 1 (+3.3v) is near the ground power wire and pin 8 (Gnd) is near the display connector. Sansa Fuze V2 ground wire joint:If you decide to remove the battery entirely from your V2 Fuze so you can JTAG your fuze with an external power supply, please note that the solder joint holding the ground wire in place has some sort of flux resistant coating on it making it hard to desolder and resolder. It can still be done. DISPLAY CONNECTOR 8 GND 7 nSRST 6 TDO (high impedance) 5 TCK (pulldown) 4 TMS (pullup) 3 TDI (pullup) 2 nTRST (pulldown) <-THIS PIN MUST BE PULLED HIGH (TO +3.3/VDD) with a 5-50KOhm resistor, the range of workable resistors is probably even wider. 1 VCC BUTTONS
r6 - 02 Apr 2021 - 20:46:07 - UnknownUser
Copyright © by the contributing authors.
|