OpenWrt Forum Archive

Topic: Finding JTAG Pinouts, New Hardware (2Wire 2700HG-D)

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have a 2Wire 2700HG-D which has an Atheros-based chipset, 128mBit Flash, 64 Mb RAM, and a TriMedia VLIW processor.  There are two headers for an edge connector, J-1 (14 pins) and J-2 (2 pins).  I am trying to figure out how to access the flash for JTAG.  The stock firmware does not support tftp, and the firmware is corrupted due to some experimentation.  I believe that I can fabricate a parallel interface cable, using all 8 of the data pins, and three of the ground pins.  2 of the 14 pins at J-1 are not connected, three are ground, and the remaining 9 (2 @ 0.0 V, 7 @ 3.3V) are unknown.  One pin (#10) bridges to pin 1 of J-2, and J-2 is documented as starting a diagnostic "Functional Test Mode".  Pins 6 & 8 appear to cause a reset (post light blink pattern) when connected to ground.


J-1 Header  Note:  Even pins are on the top of the board, odd pins underneath
01 - 3.3V   02 - GND (connected to 04 via trace; continuity to GND)   
03 - 0.0V   04 - GND (connected to 02 via trace; continuity to GND)
Key
05 - 3.3V   06 - 3.3V (nSRST?;  causes system reset LED pattern when shorted to ground)
07 - 3.3V   08 - 3.3V (nSRST?;  causes system reset LED pattern when shorted to ground)
09 - 3.3V   10 - 3.3V (FTM) (Functional Test Mode;  connected to pin 1 of J-1 Header, which is documented)
11 - N.C.   12 - 0.0V
13 - N.C.   14 - GND (continuity to GND)

J-2 Header
01 - 3.3V (FTM)  02 - GND  (Documented for "Functional Test Mode")

To find:
nSRST (optional JTAG, consistent with observed behavior)
nTRST (optional JTAG, possible; used for logic reset of JTAG chain)
TCK    (essential JTAG; Test clock signal)
RTCK  (optional JTAG, possible;  used for adaptive clocking and higher data transfer)
TDI     (essential JTAG; Test Data Input)
TDO    (essential JTAG; Test Data Output)

I believe that nTRST may be either pin #3 or pin #12, based on the procedure used by Smiggy.

Quoting from Smiggy, who documented his test method as follows on
http://forums.whirlpool.net.au/forum-re … 08533.html

The method I used was fairly simple but laborious.

1. Measure the resistance of all pins to GND and 3.3V power supply. You need to measure under the electrolytic capacitors to determine which is the main 3.3v supply. Mark them carefully on a pinout graphic all your measurements. This is important to do a clean accurate test. Turn it on and measure all voltages. Mark them on your graphic.

2. The pins that have already been defined as putting the box into special boot mode. Mark those.

3. One pin will have high resistance to GND and 3.3v. It is TDO, ie output which cannot be pulled up or down but floating. Mine showed 3Mohm.

4. One pin will be at either full supply potential 3.3v or 0v will be nTRST. (Assuming they have nTRST turned off. It was in mine.) It will more than likely have a different resistance than other pins. Mine was 5K to 3.3v 1.5K GND. It will, hence have much lower voltage to ground and be at or near 0v.

5. Hopefully you now have a bunch of pins next to each other, which are unknown. In my case 4,5 then 12,13,14 All measure 3.3v. All have 1k to 3.3v and 2k to GND. I traced pins 4, 5 to I2C serial eprom. So it won't be those. That leaves the 3 pins bunched together. 12,13,14 which makes sense. The rest is trial and error. Make up a grid and work through the combinations. TDI, TMS, TCK. Start the JTAG software each time. I just used the hairy dairy maid one. When I hit the right combo all the LEDs turned on indicating I had put the processor in a diagnostic mode.
Only one or perhaps two combinations will do that. So you now have the 4 JTAG pins plus NTRST defined. Or perhaps two possibles.

There is a procedure documented on JTAG finder, which is essentially a logic procedure wherein all potential JTAG Pins are hooked up simultaneously.  A data signal is sent to one pin at a time, and all of the other pins are observed for changes in logic state.  More information can be found at:  http://www.elinux.org/JTAG_Finder

Given the tentative pinout that I have now, I think that I can build an unbuffered parallel interface with 8 connects on parallel pins 2-9 (data pins), and reserve pin 13 for TDO when found.  Then I should be able to implement the finder method to narrow things down.  After that, figure how to work with the TriMedia VLIW CPU and the NAND flash.  The cable would be identical to the unbuffered cable described in the wiki, with the exception of using all eight of the data bus signals.


Any thoughts on this method?

(Last edited by tjm08 on 9 Dec 2009, 15:43)
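An added example, not part of the original post and not the JTAG Finder tool's code: one common variant of the brute-force search described above, run against a simulated target so it works without hardware. It tries every TCK/TMS/TDO assignment, looks for a plausible 32-bit IDCODE, then finds TDI by holding one remaining pin low and watching for it on TDO. The pin labels A..I, the role assignment and the IDCODE value are constructed and say nothing about the 2700HG-D's real pinout.

```python
from itertools import permutations

# TAP next-state table [state][TMS]: 0=Test-Logic-Reset, 3=Capture-DR, 4=Shift-DR
NEXT = [(1, 0), (1, 2), (3, 9), (4, 5), (4, 5), (6, 8), (6, 7), (4, 8), (1, 2),
        (10, 0), (11, 12), (11, 12), (13, 15), (13, 14), (11, 15), (1, 2)]

class MockTarget:
    """Constructed stand-in for a board: one TAP with a 32-bit IDCODE register."""
    def __init__(self, pins, tck, tms, tdi, tdo, idcode):
        self.tck, self.tms, self.tdi, self.tdo = tck, tms, tdi, tdo
        self.idcode, self.state, self.dr = idcode, 0, 0
        self.level = {p: 1 for p in pins}       # all pins idle high (pull-ups)
    def write(self, pin, val):
        rising = pin == self.tck and val and not self.level[pin]
        self.level[pin] = val
        if rising:                              # the TAP acts on TCK rising edges
            if self.state == 3:                 # Capture-DR loads the IDCODE
                self.dr = self.idcode
            elif self.state == 4:               # Shift-DR: TDI enters at the MSB
                self.dr = (self.dr >> 1) | (self.level[self.tdi] << 31)
            self.state = NEXT[self.state][self.level[self.tms]]
    def read(self, pin):                        # TDO is driven only in Shift-DR
        return self.dr & 1 if pin == self.tdo and self.state == 4 else self.level[pin]

def shift_out(t, pins, tck, tms, tdo, nbits, low=None):
    """Reset the TAP, walk to Shift-DR, return nbits sampled on tdo (LSB first)."""
    for p in pins:                              # park every pin high except `low`
        t.write(p, 0 if p == low else 1)
    bits = 0
    for i, m in enumerate([1] * 5 + [0, 1, 0, 0] + [0] * nbits):
        if i >= 9:                              # in Shift-DR: sample, then clock
            bits |= t.read(tdo) << (i - 9)
        t.write(tms, m)
        t.write(tck, 0)
        t.write(tck, 1)
    return bits

def find_jtag(t, pins):
    """Return the pin roles and IDCODE, or None if no assignment responds."""
    for tck, tms, tdo in permutations(pins, 3):
        idc = shift_out(t, pins, tck, tms, tdo, 32)
        if idc & 1 and idc != 0xFFFFFFFF:       # IDCODE bit 0 is always 1
            for tdi in sorted(set(pins) - {tck, tms, tdo}):
                # a TDI candidate held low must show up on TDO 32 clocks later
                if shift_out(t, pins, tck, tms, tdo, 64, low=tdi) >> 32 == 0:
                    return {"TCK": tck, "TMS": tms, "TDI": tdi, "TDO": tdo, "IDCODE": idc}
    return None

PINS = list("ABCDEFGHI")     # nine candidates; the role assignment below is made up
def demo():
    return find_jtag(MockTarget(PINS, "C", "F", "H", "B", 0x1ABCD023), PINS)
```

On real hardware the same loop needs level-safe drivers (series resistors or a buffer), because a wrong guess drives a pin that may itself be an output.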

The pinout for the dual row card edge connector found in the 2Wire routers is as follows:

http://hackingbtbusinesshub.files.wordpress.com/2012/01/2wirecardedgepinout_400px.png

There are now some development tools for the TriMedia core found in these routers.

A disassembler has been built for the TriMedia VLIW core, and there are utilities to re-build the boot ROM and JTAG tools to download object code to the core and to dump the NAND flash contents.

More info at:

http://hackingbtbusinesshub.wordpress.c … -jtag-i2c/

P.S. Please contact if you have experience in reverse-engineering a flash file system, especially TrueFFS from m-Systems.   The file system used in the 2Wire may be sitting on top of the Flash Translation Layer from TrueFFS and this needs to be understood.

The discussion might have continued from here.