OpenWrt Forum Archive

Topic: hunting for the elusive jtag ti-ar7 ip8100 (pics)

The content of this topic has been archived on 3 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi! I have myself a console locked ti-ar7 device (Vtech ip8100) & need to identify the correct jtag interface. The device has both the ti-ar7 & an additional arm chip. I have read that the apparent partial jtag is for this secondary chip. There seem to be two serial console ports, but I am unable to (lack the training to) find the additional jtag. Please advise?

http://img229.imageshack.us/img229/7749/voipback.jpg

http://img11.imageshack.us/img11/2378/voipfrona.jpg


Edit:
Console unlock via ssh worked after a downgrade to firmware 11.1.0, still would be nice to have jtag!

(Last edited by yopo on 23 Mar 2010, 00:01)

yopo wrote:

Hi! I have myself a console locked ti-ar7 device (Vtech ip8100) & need to identify the correct jtag interface. The device has both the ti-ar7 & an additional arm chip. I have read that the apparent partial jtag is for this secondary chip. There seem to be two serial console ports, but I am unable to (lack the training to) find the additional jtag. Please advise?

Don't know which one is the "partial jtag" but I'd guess the 2x10 pins in the second picture below the TNET... IC is the JTAG for this chip. Maybe EJTAG standard 20 pin header? Try to find GND and Vcc pins with a multimeter.

That makes good sense! I didn't know there was a 20 pin ejtag, just thought they came in 14. Showing my ignorance I guess. Just below the ti-ar7 there is a 20 pin header. Will look for the pinout and check. Thanks!

Looks to me like the bottom left corner of the bottom pic if those labels say what I think they say (TDI, TDO, TCK, etc).

I read that was for the secondary arm chip for the voice module.
http://img87.imageshack.us/img87/7111/ip810020pin.jpg

Here is what I got for the 20 pin header; it doesn't match jtag and I can't find the 20 pin e-jtag pinout.

Once I tried to JTAG the device too, but no success.
Could you give more details on how you managed to log in to the serial or ssh console?
I don't have the login account, neither can I downgrade the firmware from the web GUI.
Thanks

cyt is floating around in the wild and, for firmwares pre the 07 build, it modifies the firmware's temp provisioning with a dns and tftp server, providing the ability for a user to upload an xml config either via tftp or cyt, but this is not permanent. The ssh interface can be accessed with the new admin pw. You must enable it in the newly available admin tab.

I've read that it is possible to replace the env label for the cyt_private address with that of the bootloader, making the /dev/mtd/7ro bootloader writable through ssh via dd, but I have yet to come to any success as it remains unwritable.

The devices conform to wrtp54gs for the most part, or so I believe
http://wiki.openwrt.org/oldwiki/openwrt … _b.bootcfg

http://text.broadbandreports.com/forum/ … ~start=680

(Last edited by yopo on 23 Mar 2010, 03:55)

yopo wrote:

Here is what I got for the 20 pin header; it doesn't match jtag and I can't find the 20 pin e-jtag pinout.

Look here. Check if the Vcc and ground pins match on your board.

(Last edited by jal2 on 23 Mar 2010, 09:34)

If the SoC is a TNETV1060 (hard to read on your photo), you may find both the EJTAG of the MIPS core and the JTAG pins of the internal C55x DSP on the 20 pins and the standard layout won't apply :-(. Have a look into the TNETV1060 datasheet.

Thanks, the datasheet is very helpful. I will try to scrape the cpu's jtag pin and see whether I can map the 20 pin connector.

jal2 wrote:

If the SoC is a TNETV1060 (hard to read on your photo), you may find both the EJTAG of the MIPS core and the JTAG pins of the internal C55x DSP on the 20 pins and the standard layout won't apply :-(. Have a look into the TNETV1060 datasheet.

(Last edited by beyondwind on 24 Mar 2010, 17:41)

Just came across a hw tool which may help to enumerate JTAG pins. I'll give it a try on a WNR2000, just ordered an Arduino @ 3.3V.

Wow, thanks for the link! I actually have an arduino board and just happened to be doing some programming on it last night. Looks like I have another use for it.

Void Main wrote:

Wow, thanks for the link! I actually have an arduino board and just happened to be doing some programming on it last night. Looks like I have another use for it.

Be careful with the TTL levels, most Arduinos are 5V and most targets are 3.3V. At least add some resistors to limit the current.

Well, I bricked it by accident as I expected I might have during sleep deprivation :( I managed to get openwrt r20537 on to a second in hopes of installing a package that would let me modify my bootloader, as I was unable to trace those jtag pins... not enough experience. I can get to shell (only after many firmware flash attempts) but ethernet does not work, so it seems I am stuck. The wan comes up automatically, but can't talk. The mac id is truncated... edit: I eventually got it working.

All the same Jal2, thanks for the datasheet. I hope someone can make use of it.

If anyone can offer some info regarding a means to enable ethernet communication on both ports (on the VLYNQ bus) or a means to get the dsp driver to play ball ( http://tinyurl.com/yc83qvm http://tinyurl.com/ybg4hk2 ), it would be much appreciated. It would be badass to some day get Asterisk working on this box.

(Last edited by yopo on 1 Apr 2010, 16:30)

yopo wrote:

Well, I bricked it by accident as I expected I might have during sleep deprivation :( I managed to get openwrt r20537 on to a second in hopes of installing a package that would let me modify my bootloader, as I was unable to trace those jtag pins... not enough experience. I can get to shell (only after many firmware flash attempts) but ethernet does not work, so it seems I am stuck. The wan comes up automatically, but can't talk. The mac id is truncated...
...

I wouldn't call this a bricked router. Seems like the PSPBoot has built-in tftp (either server or client), couldn't you use this to download a new image (http://oldwiki.openwrt.org/OpenWrtDocs( … PBoot.html)? After you figured out what's wrong with the ethernet in your build.
BTW, you may include the lrz package and download a new firmware via serial (x/zmodem), although this takes some time. Flash on command line with sysupgrade afterwards.
How did you flash OpenWRT, in the GUI or in the bootloader?

I wouldn't try to replace the bootloader unless you know JTAG is working...

jal2 wrote:
yopo wrote:

Well, I bricked it by accident as I expected I might have during sleep deprivation :( I managed to get openwrt r20537 on to a second in hopes of installing a package that would let me modify my bootloader, as I was unable to trace those jtag pins... not enough experience. I can get to shell (only after many firmware flash attempts) but ethernet does not work, so it seems I am stuck. The wan comes up automatically, but can't talk. The mac id is truncated...
...

I wouldn't call this a bricked router. Seems like the PSPBoot has built-in tftp (either server or client), couldn't you use this to download a new image (http://oldwiki.openwrt.org/OpenWrtDocs( … PBoot.html)? After you figured out what's wrong with the ethernet in your build.
BTW, you may include the lrz package and download a new firmware via serial (x/zmodem), although this takes some time. Flash on command line with sysupgrade afterwards.
How did you flash OpenWRT, in the GUI or in the bootloader?

I wouldn't try to replace the bootloader unless you know JTAG is working...

Actually on the first I did brick it. I wiped out the bootloader partition. I can restore the old firmware on this other one in the manner you mention easily. I ended up separating the other board to look for the pinout trace to jtag. I'll upload the pics when this svn is done compiling.

Anyway, to follow up, here are the pics (fixed Jal2 - stupid time sensitive dynamic addys)


http://www.youshare.com/Guest/5ca9cad104dc5aee.JPG.html

http://www.youshare.com/Guest/36e24586f030695f.JPG.html

(Last edited by yopo on 10 Apr 2010, 19:39)

After tracing through CPU pins from the datasheet, I managed to map the jtag pins:
2: TRST
3: TCK
4: TDI
5: TDO
6: TMS
19: VCC

Short pin 2 (TRST) to Pin 19 VCC during jtag

Initially I did manage to probe the correct CPUID with tjtagv3, however, the flash chip mx29lv641 is not supported. I can't find the datasheet for mx29lv641, is there a way we can find out the sector arrangement for this flash chip?

Right now my board is hardware dead, maybe because I messed too much with the traces. I am wondering whether it is worth buying another one from Ebay.

beyondwind wrote:

After tracing through CPU pins from the datasheet, I managed to map the jtag pins:
2: TRST
3: TCK
4: TDI
5: TDO
6: TMS
19: VCC

Short pin 2 (TRST) to Pin 19 VCC during jtag

Initially I did manage to probe the correct CPUID with tjtagv3, however, the flash chip mx29lv641 is not supported. I can't find the datasheet for mx29lv641, is there a way we can find out the sector arrangement for this flash chip?

Right now my board is hardware dead, maybe because I messed too much with the traces. I am wondering whether it is worth buying another one from Ebay.

WOW, you are a champ! I can't wait to try it. Strangely my flash chips are labeled S29GL064M90TAIR7 (48 pin tsop). I found datasheets for both. I assume they are the same given their shared root id and since the pinouts appeared the same at a quick glance.

mx29lv641: http://cnc.ic-on-line.cn/IOL/datasheet/ … 286720.pdf
S29GL064M90TAIR7: http://www.datasheetarchive.com/pdf-dat … 643890.pdf


Edit: just found this "Try TJTAG 3.0 Rc1 with switch /f:85 (S29GL064M BotB)"
http://tinyurl.com/ya75y96 -try that?

"/fc:87 ............. Spansion S29GL064M BotB    (8MB)"
"/fc:88 ............. Spansion S29GL064M TopB    (8MB)"
http://tinyurl.com/ygsq3ug -try that?


I am not sure if you would find it worth it, but given their capacity and their choice pricing (~$15-25 shipped), it may be worth it. One can obtain a linksys rtp300 for the same price or less. Amazon has been a good place to find such vonage gear lately:

http://tinyurl.com/ydowhqm
http://tinyurl.com/ybrwjkp

I managed to stick kamikaze on the one live ip8100 the other day and it has been running an openvpn client since, barring intentional resets. There is a problem though: no switch support at the moment, nor support for the Legerity voice dsp (Le88221), though the wiki says there is source:

http://tinyurl.com/yg8d8oy
http://tinyurl.com/ybg4hk2 -drivers?

datasheet:
http://tinyurl.com/ycam97a

Software support for a jtag would be great. Finally an easy way to wipe out those pesky read only env vars or even swap out the boot loader for something more comprehensive.

Edit: I connected the pins as you describe and got the bastard talking!
Time to play...
http://img194.imageshack.us/img194/1412/26407699.jpg

(Last edited by yopo on 4 Apr 2010, 20:26)

jtag works, I've tried

/fc:87 ............. Spansion S29GL064M BotB    (8MB)
/fc:88 ............. Spansion S29GL064M TopB    (8MB)

in tjtag3 and still can't get the damned thing to boot with my backup of pspboot...
I believe it is a BotB, but don't know...

yopo wrote:

jtag works, I've tried

/fc:87 ............. Spansion S29GL064M BotB    (8MB)
/fc:88 ............. Spansion S29GL064M TopB    (8MB)

in tjtag3 and still can't get the damned thing to boot with my backup of pspboot...
I believe it is a BotB, but don't know...

According to this datasheet a S29GL064M90TAIR7 is a uniform sector flash (see page 23), i.e. 128 sectors of equal size.
If tjtag doesn't provide it, you may try TopB, as this matches the uniform layout in the first sectors where the bootloader usually resides (for MIPS in a 32 Mbit flash).

BTW, couldn't you read the flash content after writing it and compare it with the original source?

Uniform sector, I remember that, not knowing what it meant explicitly. Thanks Jal2.

I did read back the written backup after writing with both fc ids and they both yielded the same files as the source, so I am kind of at a loss to understand what you mean. I requested backup from the same location I read to, 0xB0000000 & 0x90000000, which are both supposed to be references to bootloader memory space start for ar7 devices, confirmed by the env vars on the second device that I have yet to jtag. I guess the only recourse is to find a jtag soft with support for this uniform sector r6/7 flash chip or diy.

This a good place to start maybe?

"Software Changes When Migrating From Boot To Uniform"
http://www.spansion.com/Support/AppNote … m_an_e.pdf

Edit: I got lucky looking through the source of tjtag and googled like mad, finding a jtag tool which espouses support for the chip

http://download.modem-help.co.uk/utilit … e=brjtag.c

trying it now

(Last edited by yopo on 7 Apr 2010, 04:35)

yopo wrote:

Uniform sector, I remember that, not knowing what it meant explicitly. Thanks Jal2.

I did read back the written backup after writing with both fc ids and they both yielded the same files as the source, so I am kind of at a loss to understand what you mean. I requested backup from the same location I read to, 0xB0000000 & 0x90000000, which are both supposed to be references to bootloader memory space start for ar7 devices, confirmed by the env vars on the second device that I have yet to jtag. I guess the only recourse is to find a jtag soft with support for this uniform sector r6/7 flash chip or diy.

Strange. I thought a MIPS bootloader would always be located at 0xbfc00000 (aka 0x1fc00000 physical), as this is the reset vector of a MIPS CPU.
AFAIR if you write to a flash which is uniform using a BotB scheme, you will erase the first sector more than once (because the sw handles it as several sectors), losing all but the last part written.

I just see that your flash is a 64 MBit (took it for a 32 MBit before) i.e. it probably starts at 0x1f800000 and the bootloader resides in the middle where all three sector schemes (TopB, BotB and uniform) are the same.

It should be fairly easy to add a uniform sector S29GL064 to tjtag, but I guess your problem is something else. I'll have a look later.
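As an added example (my own code, not from the thread or from tjtag), the following Python models the failure mode jal2 describes: a tool that assumes the BotB scheme on a uniform-sector chip issues eight erases into the same physical 64K sector while programming 8K at a time, so only the last 8K it wrote survives. The (count, size) region lists are my transcription of the three sector schemes; the 8MB chip size, 64K sectors and erase-whole-physical-sector behaviour are assumptions taken from the datasheet discussion above.

```python
SIZE_8K, SIZE_64K = 8 * 1024, 64 * 1024
CHIP_SIZE = 8 * 1024 * 1024  # S29GL064M: 64 Mbit = 8 MB (assumed)

# Region lists as (sector_count, sector_size), bottom of chip first.
# Hypothetical transcription of the three schemes, not tjtag's own table.
LAYOUTS = {
    "BotB": [(8, SIZE_8K), (127, SIZE_64K)],   # eight 8K boot sectors at the bottom
    "TopB": [(127, SIZE_64K), (8, SIZE_8K)],   # eight 8K boot sectors at the top
    "U":    [(128, SIZE_64K)],                 # uniform: 128 x 64K
}

def sectors(layout):
    """Expand a region list into [(start, end), ...] byte offsets from the chip base."""
    out, off = [], 0
    for count, size in layout:
        for _ in range(count):
            out.append((off, off + size))
            off += size
    return out

def containing_sector(layout, addr):
    """The sector of `layout` that contains byte offset `addr`."""
    return next(s for s in sectors(layout) if s[0] <= addr < s[1])

def simulate_flash(assumed, real, start, data):
    """Erase-then-program `data` at `start` sector by sector, using the `assumed`
    scheme for the tool's loop while the chip really has the `real` scheme.
    Each erase clears the whole physical sector containing the command address."""
    chip = bytearray(b"\xff") * CHIP_SIZE
    end = start + len(data)
    for s0, s1 in sectors(assumed):
        if s1 <= start or s0 >= end:
            continue                        # assumed sector not touched by the write
        p0, p1 = containing_sector(real, s0)
        chip[p0:p1] = b"\xff" * (p1 - p0)   # chip erases its physical sector
        lo, hi = max(s0, start), min(s1, end)
        chip[lo:hi] = data[lo - start:hi - start]
    return chip

def lost_ranges(assumed, real, start, data):
    """Ranges of `data` (offsets relative to `start`) that did not survive the write."""
    chip = simulate_flash(assumed, real, start, data)
    lost, run = [], None
    for i, b in enumerate(data):
        ok = chip[start + i] == b
        if not ok and run is None:
            run = i
        if ok and run is not None:
            lost.append((run, i))
            run = None
    if run is not None:
        lost.append((run, len(data)))
    return lost

# Constructed 128 KB image standing in for BOOTLOADER + boot_env (0x20000 bytes);
# no byte is 0xff, so erased cells are never mistaken for correctly programmed ones.
IMAGE = bytes(i % 251 for i in range(0x20000))

if __name__ == "__main__":
    for scheme in LAYOUTS:
        print(scheme, "assumed, chip uniform, write at 0:",
              lost_ranges(LAYOUTS[scheme], LAYOUTS["U"], 0, IMAGE))
```

Writing the same image at an offset in the middle of the chip loses nothing under any scheme, which is jal2's second point about where the three layouts coincide.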

jal2 wrote:

It should be fairly easy to add a uniform sector S29GL064 to tjtag, but I guess your problem is something else. I'll have a look later.

This patch should add support for S29GL064 uniform to tjtag 3.0.1. I'd expect autodetect to work, so no need for "/fc:XX":

diff -ur tjtag3-0-1/tjtag.c tjtag3-0-1.work/tjtag.c
--- tjtag3-0-1/tjtag.c    2009-08-30 21:19:26.000000000 +0200
+++ tjtag3-0-1.work/tjtag.c    2010-04-07 09:40:50.000000000 +0200
@@ -383,6 +383,7 @@
     { 0x017E, 0x1A01, size4MB, CMD_TYPE_AMD, "Spansion S29GL032M TopB    (4MB)"   ,63,size64K,     8,size8K,   0,0,        0,0        },
     { 0x017E, 0x1000, size8MB, CMD_TYPE_AMD, "Spansion S29GL064M BotB    (8MB)"   ,8,size8K,     127,size64K,   0,0,        0,0        },
     { 0x017E, 0x1001, size8MB, CMD_TYPE_AMD, "Spansion S29GL064M TopB    (8MB)"   ,127,size64K,     8,size8K,   0,0,        0,0        },
+    { 0x017E, 0x1301, size8MB, CMD_TYPE_AMD, "Spansion S29GL064M U       (8MB)"   ,128,size64K,     0,0,   0,0,        0,0        },
 
     { 0x017E, 0x2101, size16MB, CMD_TYPE_AMD, "Spansion S29GL128P U      (16MB)"   ,128,size128K,     0,0,   0,0,        0,0        },
     { 0x017E, 0x1200, size16MB, CMD_TYPE_AMD, "Spansion S29GL128M U      (16MB)"   ,128,size128K,   0,0,      0,0,        0,0         },
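Review bot: the new row's device ID 0x1301 is not sourced anywhere in the hunk; a short comment naming the datasheet table it was read from would let others verify it, since the autodetect mentioned above only fires if the chip reports exactly this ID. The sector columns (128 x size64K, remaining pairs zero) are consistent with the uniform layout described earlier in the thread.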

Well, after recompiling the source of tjtag 3.01 with the addition of

{ 0x017E, 0x1301, size8MB, CMD_TYPE_AMD, "Spansion S29GL064M U       (8MB)"   ,128,size64K,     0,0,   0,0,        0,0        },

supplied by Jal2, allowing support of the uniform sector 8MB flash chip S29GL064M90TAIR7, and using the laborious efforts of beyondwind's pinout hunting, I was able not only to revive my bricked ip8100, but to change the default envars of the original firmware, effectively allowing the permanent alteration of the default admin password, the original provisioning hash dir and crypt key!


I can't begin to thank you both for your help. There is no way I could have done it without you!

...to reiterate for any other poor bastards playing with these ti-ar7 devices

http://img52.imageshack.us/img52/6388/ip8100.png

(every doc I have read mentions the below bootloader addy as universal between them)

PSPBoot Name   Start         End           Size
BOOTLOADER     0x90000000    0x90010000    0x010000 (64K)
boot_env       0x90010000    0x90020000    0x010000 (64K)

tjtag -backup:custom /window:90000000 /start:90000000 /length:20000 /nodma /silent

Edit Envars with a good text editor to remove bs vonage defaults

CONSOLE_STATE   unlocked
ADMIN_PWD ABW9wzpK6VV4Q (Admin)
CRYPT_KEY "change" (must be in hex and divisible by 2)
HASH_DIR "change"

Save and flash

tjtag -flash:custom /window:90000000 /start:90000000 /length:20000 /nodma /silent

make sure you use a pre 2007 firmware because the web interfaces for voip settings are broken intentionally (you may downgrade via tftp in the manner described below concerning reflashing old firmware)

finally, wipe out the config partitions for a & b (ip8100) or the cyt private partition rtp300, moto vt2x42, pap2v2,wrtp54g) so defaults are custom or blank respectively (-refer to the oldwiki for exact addy space)

ip8100
CONFIG_A        0x90400000,0x90420000
CONFIG_B        0x90420000,0x90440000

tjtag -erase:custom /window:90000000 /start:90400000 /length:40000 /nodma /silent

Upon entering the web interface, under the provisioning tab enter http://127.0.0.1 as both the provisioning and firmware server to prevent provisioning errors, then fill in your details for the given service. Your device will only accept [abcd] + [0-9] as the auth user name per the closed ggsip app sadly, but any combination of those characters works at any practical length, though I am not sure the limit.

Openwrt via serial @3.3v 115200,n,8,1,hw

To install openwrt from pspboot so to yield access to all flash memory, create a new partition encompassing all of the memory following the bootenv addy, format it, set it active, and tftp your image. Connect your ethernet cable to wan (as you will not need to switch it later) using a static ip on the box with your tftp server, making sure first to set the router's ip to the same subnet so it can talk. Your vars may be already good, or different depending on whether you have adam2 or an earlier pspboot, so make sure first; at the pspboot prompt "printenv" will show you what you are working with. In addition "printenv envlist" will give you some alternate envs which have yet to be set.

setenv MAC_PORT 2
setenv IPA 192.168.15.1
setenv SUBNET_MASK  255.255.255.0
setenv FULL 0x90020000,replace-with-end-addy-refer-to-openwrt-wiki
fmt FULL
setenv BOOTCFG m:f:"FULL"
tftp -i your-tftp-server-ip your-image FULL

Only wan works, but it is good enough for you to run an openvpn server and icecast.

Since your bootvars will be maintained, flashing the old firmware is as simple as resetting one of the original partitions as active after formatting and tftping the original fw from the pspboot serial console.

e.g.

fmt IMAGE_A
tftp -i your-tftp-server-ip your-firmware IMAGE_A
setenv BOOTCFG m:f:"IMAGE_A"

Refer to these if in doubt or in trouble:
http://tinyurl.com/yhsaqmf oldwiki
http://tinyurl.com/yg8d8oy
http://tinyurl.com/yb5w5p8 pspboot guide

Thanks again guys!
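As an added example (my own code, not from the thread), this Python derives the tjtag backup/erase switches quoted in the post above from PSPBoot-style "NAME start,end" partition lines: it merges adjacent partitions into one range and refuses a range that is not aligned to the chip's 64K sectors, since an erase always clears whole sectors. The partition lines are constructed from the ip8100 values in this post; the 64K uniform sector size and the tjtag switch syntax are assumptions taken from the thread.

```python
import re

SECTOR = 64 * 1024  # assumed: uniform 64K sectors on the S29GL064M

# Constructed from the ip8100 partition addresses quoted in the post.
PARTITIONS = """\
BOOTLOADER 0x90000000,0x90010000
boot_env   0x90010000,0x90020000
CONFIG_A   0x90400000,0x90420000
CONFIG_B   0x90420000,0x90440000
"""

LINE = re.compile(r"^\s*(\S+)\s+0x([0-9A-Fa-f]+),0x([0-9A-Fa-f]+)\s*$")

def parse_partitions(text):
    """Return {name: (start, end)} with absolute addresses, end exclusive."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not a NAME start,end line
        name, start, end = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
        if end <= start:
            raise ValueError(f"{name}: end {end:#x} is not after start {start:#x}")
        table[name] = (start, end)
    return table

def span(table, names):
    """Merge the named partitions into one contiguous [start, end); fail on gaps,
    because a single /start /length would otherwise also hit whatever lies between."""
    ranges = sorted(table[n] for n in names)
    for (_, a_end), (b_start, _) in zip(ranges, ranges[1:]):
        if a_end != b_start:
            raise ValueError(f"gap between {a_end:#x} and {b_start:#x}; use two ranges")
    return ranges[0][0], ranges[-1][1]

def tjtag_args(table, names, window, op, sector=SECTOR):
    """Build the switches for `op` (backup/flash/erase) in the form used in the
    thread, refusing a range that does not fall on sector boundaries."""
    start, end = span(table, names)
    if (start - window) % sector or (end - window) % sector:
        raise ValueError(f"{start:#x}-{end:#x} is not aligned to {sector:#x} sectors")
    return (f"-{op}:custom /window:{window:x} /start:{start:x} "
            f"/length:{end - start:x} /nodma /silent")

if __name__ == "__main__":
    t = parse_partitions(PARTITIONS)
    print("tjtag", tjtag_args(t, ["BOOTLOADER", "boot_env"], 0x90000000, "backup"))
    print("tjtag", tjtag_args(t, ["CONFIG_A", "CONFIG_B"], 0x90000000, "erase"))
```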

(Last edited by yopo on 10 Apr 2010, 18:54)

The discussion might have continued from here.