JTAG Read memory - empty file?

  • JTAG Read memory - empty file?

    Hello,


    I tried to read the memory from a device through JTAG. However I get a 0 byte (empty) .bin file. There are no errors. The following message is displayed: Completed in 00:00:00.015 (Average Transfer Rate: 0.00 kB/s).
    Could it be that there is something wrong with the soldering? Or the settings? Or could it be that there is simply no data on the device that can be extracted through JTAG?

  • #2
    Hi,
    Most probably You did something wrong.


    Please tell me what exactly You wanted to do?
    - Read RAM (JTAG TAB)
    - Read ROM (DCC TAB)


    For instructions on how to read ROM via JTAG please visit FAQ:
    RIFF JTAG Box FAQ - JTAG Manager - DCC Read/Write TAB
    ICQ: 299-912-089
    QQ: 1634811353

    Comment


    • #3
      Thanks for the quick response. Either one would be fine (I know it sounds weird but I don't really care what kind of data I get), but I got the empty file from the JTAG tab.


      However I just realised I didn't fill in the Length in the JTAG tab. When I do, the percentage bar fills up to 100%, and when it's done, I get the following message: ERROR: Wrong response from the RIFF Box.



      In the DCC tab, I get an error saying: Current ID does not belong to the LinkSys WRT54GL family. Which is understandable since I'm trying to JTAG a Fritz!box router. When I ignore the error in the settings, I get the following message: ERROR(0x44): Communication is not established. Terminating.


      I hope you can help me so that either one (or both) will work! Thanks in advance


      EDIT: Oh also I read from various sources that you should 'Halt The Target' before reading memory in the JTAG tab, but when I try to do that, I get the following message: ERROR: Failed to Halt the Target
      Last edited by Thro; 09-25-2019, 12:00 PM.

      Comment


      • #4
        Fritz!box router isn't tested, I even have no idea what exact mcu is inside.


        Please click "Analyze JTAG Chain" and post log output here.
        ICQ: 299-912-089
        QQ: 1634811353

        Comment


        • #5
          Just in case that it uses same mcu and H/W init as Linksys, make sure to set everything as on this screenshot:


          (Current production version of JTAG Manager has a bug related to reading JTAG HW Init settings from DLL so in some cases it must be set manually)
          Attached Files
          ICQ: 299-912-089
          QQ: 1634811353

          Comment


          • #6
            JTAG Chain output:


            Following devices are found on the JTAG chain:
            Device on TAP #0: ID = 0x00002306, IR Length = 0x08 bits
            Device on TAP #1: ID = 0x00000306, IR Length = 0x06 bits
            Total IR length: 0x000E bits


            Unfortunately the Linksys settings do not work.


            EDIT: I just noticed I accidentally pulled off the sysrst before I did this. I soldered it back and now it shows me this:


            Following devices are found on the JTAG chain:
            Device on TAP #0: ID = 0x00002306, IR Length = 0x04 bits
            Device on TAP #1: ID = 0x00000306, IR Length = 0x05 bits
            Device on TAP #2: ID = 0xFFFFFFFE, IR Length = 0x05 bits
            Total IR length: 0x000E bits
            Last edited by Thro; 09-25-2019, 01:11 PM.

            Comment


            • #7
              Ok please try this:


              On JTAG TAB set this:


              Manual parameters from user,
              Clock 8MHz TCK
              MIPS32 IR8 target
              Reset, Halt after 0ms for reset strategy
              3.3V for I/O
              TAP #0


              Click Analyze, connect, halt, and post log.
              ICQ: 299-912-089
              QQ: 1634811353

              Comment


              • #8
                Alright, I selected those settings, here is the output:

                Analyze JTAG Chain:


                Open serial port...OK
                Connecting to the RIFF Box...OK
                Firmware Version: 1.52 (RIFFBOX1), JTAG Manager Version: 1.86
                Selected Custom Target: [MIPS32 IR8, 3.30V, TAP0]

                Connecting to the target...OK
                Set I/O Voltage reads as 3.30V, TCK Frequency is 8 MHz

                Following devices are found on the JTAG chain:
                Device on TAP #0: ID = 0x00002306, IR Length = 0x04 bits
                Device on TAP #1: ID = 0x00000306, IR Length = 0x05 bits
                Device on TAP #2: ID = 0xFFFFFFFE, IR Length = 0x05 bits
                Total IR length: 0x000E bits


                Connect & Get ID:

                Open serial port...OK
                Connecting to the RIFF Box...OK
                Firmware Version: 1.52 (RIFFBOX1), JTAG Manager Version: 1.86
                Selected Custom Target: [MIPS32 IR8, 3.30V, TAP0]

                Connecting to the MIPS32 IR8 target...OK
                Set I/O Voltage reads as 3.30V, TCK Frequency is 8 MHz

                Target ID on TAP0: 0x6ECCCF81 - Connected OK

                Halt the Target:

                Open serial port...OK
                Connecting to the RIFF Box...OK
                Firmware Version: 1.52 (RIFFBOX1), JTAG Manager Version: 1.86
                Selected Custom Target: [MIPS32 IR8, 3.30V, TAP0]

                Halting target...ERROR
                ERROR: Failed to Halt the Target.

                Comment
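Added example (not part of the thread and not RIFF Box software): a sanity check of the "Analyze JTAG Chain" output quoted in posts #6 and #8. It relies on two things: the per-TAP IR lengths should sum to the reported total, and IEEE 1149.1 fixes bit 0 of a real IDCODE at 1. The function names are hypothetical.

```python
import re

TAP_RE = re.compile(
    r"Device on TAP #(\d+): ID = 0x([0-9A-Fa-f]+), IR Length = 0x([0-9A-Fa-f]+) bits")
TOTAL_RE = re.compile(r"Total IR length: 0x([0-9A-Fa-f]+) bits")

# Chain scans quoted from the thread: first scan in post #6, then the scan
# after SYSRST was re-soldered (post #6 edit, repeated in post #8).
SCAN_FIRST = """
Device on TAP #0: ID = 0x00002306, IR Length = 0x08 bits
Device on TAP #1: ID = 0x00000306, IR Length = 0x06 bits
Total IR length: 0x000E bits
"""
SCAN_SECOND = """
Device on TAP #0: ID = 0x00002306, IR Length = 0x04 bits
Device on TAP #1: ID = 0x00000306, IR Length = 0x05 bits
Device on TAP #2: ID = 0xFFFFFFFE, IR Length = 0x05 bits
Total IR length: 0x000E bits
"""

def parse_scan(text):
    """Return ([(tap, id, ir_len), ...], reported_total or None)."""
    taps = [(int(n), int(i, 16), int(l, 16)) for n, i, l in TAP_RE.findall(text)]
    total = TOTAL_RE.search(text)
    return taps, int(total.group(1), 16) if total else None

def decode_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE; bit 0 is fixed at 1 in a real one."""
    return {"valid": bool(idcode & 1), "version": idcode >> 28,
            "part": (idcode >> 12) & 0xFFFF, "manufacturer": (idcode >> 1) & 0x7FF}

def check_scan(text):
    """List the consistency problems found in one chain scan."""
    taps, total = parse_scan(text)
    findings = []
    if total is not None and sum(l for _, _, l in taps) != total:
        findings.append("per-TAP IR lengths do not add up to the reported total")
    for n, idcode, _ in taps:
        if not decode_idcode(idcode)["valid"]:
            findings.append(f"TAP #{n}: ID 0x{idcode:08X} has bit 0 clear")
    return findings

def ir_layout(text):
    """IR length of each TAP in scan order, for comparing repeated scans."""
    return [l for _, _, l in parse_scan(text)[0]]

if __name__ == "__main__":
    for name, scan in (("first", SCAN_FIRST), ("second", SCAN_SECOND)):
        print(name, ir_layout(scan), check_scan(scan))
    print(decode_idcode(0x6ECCCF81))  # ID from "Connect & Get ID" in post #8
```

On the thread's scans every ID reported by the chain analysis fails the bit-0 rule, and the TAP layout differs between the two scans even though the total stays at 0x0E. The 0x6ECCCF81 value read back by "Connect & Get ID" passes the bit-0 rule.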


                • #9
                  This is going nowhere, so let's start from basics.


                  What exact CPU model is inside this router? I see different information on Google, and since You didn't say which Fritz router model this is, I can't clue out cpu model either.
                  ICQ: 299-912-089
                  QQ: 1634811353

                  Comment


                  • #10
                    It's a Fritz!Box 7360, which has a Lantiq PSB80920 (Link)

                    Also I checked with the multimeter and Vcc is connected to sysrst, is it supposed to be this way? I'm pretty sure they weren't connected when I checked every pin combination before I started soldering, but now they are connected, even when nothing is touching the pins, there is no solder or wires between them and the pins remain connected when I desolder the wires going to the Riff Box. Or I could just be mistaken and they were connected the whole time.

                    Comment


                    • #11
                      We have just partial support for MIPS 32 mcu-s, but let me check what type is this one exactly.
                      As for SYSRST/Vcc short, I've no idea, if I remember well NRST is not used for MIPS mcu-s we tested.
                      ICQ: 299-912-089
                      QQ: 1634811353

                      Comment


                      • #12
                        Ok so now things are a bit more clear.


                        This is MIPS 34K, IR length 05.


                        GND, TCK, TRST, TMS, TDO, TDI pins should be connected, no Vcc or NRST/SYSRST required.
                        MIPS32 IR5 should be selected.


                        If You manage to halt it then there is some chance You can do something (upload u-boot into RAM and execute it).


                        You may need to play with TAP selection (#0 or #1). As for reset strategy, most probably should be set to "RESET, halt after 100 ms".


                        At the moment we can't work to add this MCU support in full, so in case this fails You might want to try to do something over YAMON interface and TFTP server. I can only presume there is some hero on internet who posted instructions.
                        ICQ: 299-912-089
                        QQ: 1634811353

                        Comment


                        • #13
                          I checked all signals with a multimeter from the pin itself to the adapter that goes in the Riff Box, I tried those settings, I played with other settings...


                          Sadly, I can never get past Halt the Target so I guess this device is currently not JTAG-able with a Riff Box or the router has some kind of hardware damage that I don't know about.


                          Thanks a lot for your help and time anyway, I appreciate it a lot

                          Comment
