tjtag3 and lx4189

Skip to first unread message

Benjamin Henrion

Apr 22, 2012, 5:14:17 PM4/22/12

I have added one line to tjtag3.c to add the LX4189 cpu def:

sabayon tjtag3 # ./tjtag -backup:wholeflash /fc:89 /wiggler /silent

EJTAG Debrick Utility v3.0 Tornado-MOD

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000010011111010011000111001011 (027D31CB)
*** Found a LX4189 chip ***

- EJTAG IMPCODE ....... : 10010010010010010010010010010010 (92492492)
- EJTAG Version ....... : Unknown (4 is a reserved value)
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R3k ASID_8 MIPS16 MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done

Manual Flash Selection ... Done

Flash Vendor ID: 00000000000000000000000101111110 (0000017E)
Flash Device ID: 00000000000000000010000100000001 (00002101)
*** Manually Selected a Spansion S29GL128P U (16MB) Flash Chip ***

- Flash Chip Window Start .... : 1c000000
- Flash Chip Window Length ... : 01000000
- Selected Area Start ........ : 1f000000
- Selected Area Length ....... : 01000000

*** You Selected to Backup the WHOLEFLASH.BIN ***

Backup Routine Started

Saving WHOLEFLASH.BIN.SAVED_20120422_210703 to Disk...
5% bytes = 916256

But it the dumpfile is empty.

Any idea why?

Benjamin Henrion <bhenrion at>
FFII Brussels - +32-484-566109 - +32-2-3500762
"In July 2005, after several failed attempts to legalise software
patents in Europe, the patent establishment changed its strategy.
Instead of explicitly seeking to sanction the patentability of
software, they are now seeking to create a central European patent
court, which would establish and enforce patentability rules in their
favor, without any possibility of correction by competing courts or
democratically elected legislators."

Jeroen Peelaerts

Nov 28, 2012, 5:52:17 AM11/28/12
Maybe because of this reason

Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done

Doesn't the CPU need to be in debug mode in order to instruct it to do anything?
At least for EJTAG PrAcc I think this is the case. However in this case the DMA mode is enabled,
so not sure it's a strict requirement.

Otherwise maybe an eletrical problem? Did you use a 100ohms resistor between every pin connection?
Also it might be worth to make an extra ground connection from your pc's chassis to that of the modem.


Op zondag 22 april 2012 23:14:17 UTC+2 schreef Benjamin Henrion het volgende:

Jeroen Peelaerts

Apr 9, 2013, 9:43:40 AM4/9/13
Or maybe the flash address which is detected here is not correct.
If you check the livebox' bootlogs, you will see that it detects the flash at address 0xbf580000 for both OpenRG and OpenWRT mod.

The flash start address for this type of flash chip is hardcoded in the tjtag.c source, and maybe in this case this is not correct.

 if (((vendid & 0x00ff) == 0x0001) && (devid == 0x227E))
        unsigned int devsubid_m, devsubid_l;
        vendid = 0x017E;
        devsubid_m = 0x00ff & ejtag_read_h(FLASH_MEMORY_START+0x1C);  // sub ID step 1
        devsubid_l = 0x00ff & ejtag_read_h(FLASH_MEMORY_START+0x1E);  // sub ID step 2
        devid = (0x0100 * devsubid_m) + (0x0000 + devsubid_l);

Also the reason why autoprobing is not working is maybe because of a specific CFI implementation in this chip, there is some code in tjtag.c for this type that changes the flash memory QRY address and because the base address is wrong this might fail as well.

So maybe you might try changing the start addresses and see if it makes any difference, or maybe I will do it if I find the time soon.



Op zondag 22 april 2012 23:14:17 UTC+2 schreef Benjamin Henrion het volgende:


Apr 9, 2013, 12:18:09 PM4/9/13
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done

how can we programme let alone communicate with the flashrom if the processor hasn't entered the debug mode ?


Apr 9, 2013, 12:20:18 PM4/9/13
the flash address was never detected he forced the detection of the flash in manual mode with the fc:89 

Jeroen Peelaerts

Apr 9, 2013, 2:57:18 PM4/9/13
Yes indeed that's what I meant. When using the wholeflash parameter you will get the following flash range for a 16 meg flash

// { size16MB, "WHOLEFLASH", 0x1C000000, 0x1000000 },
     { size16MB, "WHOLEFLASH", 0x1F000000, 0x1000000 },

There was yet another entry here commented out. According to me the addresses defined here are irrelevant to the board at hand. One could maybe try the start address from the boot logs instead of the one defined in the WHOLEFLASH here.

Also you are prolly also right about the cpu state, as I mentioned earlier.

I did some work with openOCD and adding support for a MIPS board (bcm3349) some time ago, so I might to give that a try, as I saw their EJTAG support has been improved quite a bit lately.

Is anyone still working on porting the kernel for this device to 2.6.28? I saw a post from acki some time ago mentioning something about this. Is there any VCS repository currently in use to do this? I would like to get a hold of the sources in that case.



Op dinsdag 9 april 2013 18:20:18 UTC+2 schreef Drekthar het volgende:
Reply all
Reply to author
0 new messages