From 3a50bb46dc084999f6f7aee8913858ccced49db4 Mon Sep 17 00:00:00 2001 From: Al Dyrius Date: Wed, 25 Sep 2019 23:39:05 -0600 Subject: [PATCH] Update FTDI C232HM cfg, and add two new cfgs from cable modem research Change-Id: Idbeffcd5ff4380b1e7c9fd5ef6ba3ca77cc22d99 Signed-off-by: Al Dyrius Reviewed-on: http://openocd.zylin.com/5307 Tested-by: jenkins Reviewed-by: Andreas Fritiofson --- tcl/board/kc100.cfg | 31 ++++++++++++++++++++++++ tcl/interface/ftdi/c232hm.cfg | 45 +++++++++++++++++++++++++++++++++-- tcl/target/tnetc4401.cfg | 17 +++++++++++++ 3 files changed, 91 insertions(+), 2 deletions(-) create mode 100644 tcl/board/kc100.cfg create mode 100644 tcl/target/tnetc4401.cfg diff --git a/tcl/board/kc100.cfg b/tcl/board/kc100.cfg new file mode 100644 index 000000000..1d383bef5 --- /dev/null +++ b/tcl/board/kc100.cfg @@ -0,0 +1,31 @@ +# Knovative KC-100 cable modem + +# TNETC4401PYP, 208-QFP U3 +source [find target/tnetc4401.cfg] + +# 14-pin EJTAG on JP1. Standard pinout, 1-3-5-7-9-11 = nTRST-TDI-TDO-TMS-TCK-nSRST. Use 2 for GND. +# Was initially disabled in hardware; had to add a solder bridge reenabling R124, R125 on back. +reset_config trst_and_srst separate + +# 16Mb Intel CFI flash. Note this CPU has an internal ROM at 0x1FC0000 (phys) for cold boot. +# All that really does is some minimal checks before jumping to external flash at 0x00000000 phys. +# That is remapped to 0xB0000000 uncached, 0x90000000 cached. +flash bank intel cfi 0xB0000000 0x200000 2 2 $_TARGETNAME + +# Perform this after a clean reboot, halt, and reset init (which should also leave it halted). +proc kc100_dump_flash {} { + echo "Probing 48 TSOP Intel CFI flash chip (2MB)..." + flash probe intel + echo "Dumping 2MB flash chip to flashdump.bin. + flash read_bank 0 flashdump.bin 0 0x200000 +} + +#TODO figure out memory init sequence to be able to dump from cached segment instead + +# There is also a serial console on JP2, 3-5-6 = TX-RX-GND. 9600/8/N/1. + +# Possibly of note, this modem's ancient ethernet port does not support Auto-MDIX. + +# This modem in many ways appears to be essentially a clone of the SB5120. See usbjtag.com. +# The firmware/OS is also susceptible to many of the same procedures in "Hacking the Cable Modem" +# by DerEngel (Ryan Harris), available from No Starch Press. diff --git a/tcl/interface/ftdi/c232hm.cfg b/tcl/interface/ftdi/c232hm.cfg index 387abbb05..4f623e0f8 100644 --- a/tcl/interface/ftdi/c232hm.cfg +++ b/tcl/interface/ftdi/c232hm.cfg @@ -1,4 +1,3 @@ -# # FTDI USB Hi-Speed to MPSSE Cable # # http://www.ftdichip.com/Products/Cables/USBMPSSE.htm @@ -6,10 +5,52 @@ # C232HM-DDHSL-0 and C232HM-EDSL-0 provide 3.3V and 5V on pin 1 (Red), # respectively. # +# Adapter: http://www.ftdichip.com/Support/Documents/DataSheets/Cables/DS_C232HM_MPSSE_CABLE.PDF +# Chip: http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232H.pdf +# See pinout/colors at end of this file. +# +# Tech notes: +# http://www.ftdichip.com/Support/Documents/AppNotes/AN_135_MPSSE_Basics.pdf +# http://www.ftdichip.com/Support/Documents/AppNotes/AN_129_FTDI_Hi_Speed_USB_To_JTAG_Example.pdf interface ftdi #ftdi_device_desc "C232HM-DDHSL-0" #ftdi_device_desc "C232HM-EDHSL-0" + +# Common PID for FT232H ftdi_vid_pid 0x0403 0x6014 -ftdi_layout_init 0x0008 0x000b +# Layout +# High data byte 0x40 configures red LED on ACBUS6 initially high (unlit, since active-low) +# Low data byte 0x08 configures TMS on ACBUS3 initially high (asserted); TCK, TDI low +# High direction byte 0x40 configures red LED on ACBUS6 as high (output) +# Low direction byte 0x0b configures TDO on ACBUS2 as low (input) +ftdi_layout_init 0x4008 0x400b + +# ---A*BUS-------CCCCCCCC|DDDDDDDD +# --------\______76543210|76543210 +# LED 0x4000 = 01000000|00000000 = ACBUS6 +#GPIOL0 0x0010 = 00000000|00010000 = ADBUS4 +#GPIOL1 0x0020 = 00000000|00100000 = ADBUS5 +#GPIOL2 0x0040 = 00000000|01000000 = ADBUS6 +#GPIOL3 0x0080 = 00000000|10000000 = ADBUS7 +# -ndata treats the LED as active-low for expected behavior (toggle when transferring) +ftdi_layout_signal LED -ndata 0x4000 +# Available for aliasing as desired +ftdi_layout_signal GPIOL0 -data 0x0010 -oe 0x0010 +ftdi_layout_signal GPIOL1 -data 0x0020 -oe 0x0020 +ftdi_layout_signal GPIOL2 -data 0x0040 -oe 0x0040 +ftdi_layout_signal GPIOL3 -data 0x0080 -oe 0x0080 + +# C232HM FT232H JTAG/Other +# Num Color Name Func +# 1 Red VCC Optionally, can power the board if it is not using its own power supply. +# 2 Orange ADBUS0 TCK +# 3 Yellow ADBUS1 TDI +# 4 Green ADBUS2 TDO +# 5 Brown ADBUS3 TMS +# 6 Grey ADBUS4 GPIOL0 +# 7 Purple ADBUS5 GPIOL1 +# 8 White ADBUS6 GPIOL2 +# 9 Blue ADBUS7 GPIOL3 +# 10 Black GND Connect to ground diff --git a/tcl/target/tnetc4401.cfg b/tcl/target/tnetc4401.cfg new file mode 100644 index 000000000..48f754527 --- /dev/null +++ b/tcl/target/tnetc4401.cfg @@ -0,0 +1,17 @@ +# Texas Instruments (TI) TNETC4401, MIPS32 DOCSIS-tailored SoC (4Kc-based) +# Used in Knovative KC-100 and Motorola Surfboard SB5120 cable modems. +# Datasheet: https://brezn.muc.ccc.de/~mazzoo/DOCSIS/tnetc4401.pdf +transport select jtag +set _TARGETNAME tnetc4401 +set _CPUTAPID 0x0000100f +jtag newtap $_TARGETNAME tap -irlen 5 -ircapture 0x01 -irmask 0x1f -expected-id $_CPUTAPID +target create $_TARGETNAME mips_m4k -chain-position $_TARGETNAME.tap -endian big + +# May need to halt manually before calling reset init +$_TARGETNAME configure -event reset-init { + halt + echo "Attempting to disable watchdog..." + mwb phys 0xa8610b00 0 256 + halt + wait_halt +} -- 2.30.2