All times are UTC - 5 hours [ DST ]


 Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 16:38

Joined: August 18th, 2011, 4:55
Posts: 24
If we connect resistor of 4.7k to E61 and GND, on power ON, board will execute
RAM test routine.

For "ffff0000.bin" sha1=5ab6b58869a6cf40aaa60626e8440c0abc186ae8
RAM test routine:= 0xFFFF01BC

If we connect resistor of 4.7k to E62 and GND, on power ON, board will execute
"Tiny Console" routine! But this time JTAG and RAM on addr 0x00000000 will be activated!!!

BUT if we connect resistor of 4.7k to E61 and GND, AND connect resistor of 4.7k to E62 and GND.
Board will BOOT from external EEPROM. Since external EEPROM is NOT soldered there will
be error in "Kernel Loader" and CPU will start "terminal" routine.

For "ffff0000.bin" sha1=5ab6b58869a6cf40aaa60626e8440c0abc186ae8
"terminal" routine:= 0xFFFF0A50

B.R.

Dejan


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 17:35

Joined: September 29th, 2005, 12:02
Posts: 3230
Location: Chicago
Ok I've got kernel(or bootstrap) for the same CPU as in topic. I see it's different comparing to one I reversed before

Here is some info
As you may see the function FFFF0BB6 switches between "boot modes" and it apparently analyzes port 1C00A846
So port 1C00A846 must be connected to E6x points

ROM:FFFF0158 LDR R1, =word_1C00A846
ROM:FFFF015C LDRH R0, [R1]
ROM:FFFF0160 MOV R0, R0,LSR#13
ROM:FFFF0164 CMP R0, #4
ROM:FFFF0168 BEQ Kernel_RAM_check

Connecting E61 to ground equals 1C00A846 = 0x200000 or 4 shl 0x13

_________________
https://www.linkedin.com/in/artemrubtsov/


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 17:54

Joined: September 29th, 2005, 12:02
Posts: 3230
Location: Chicago
"Tiny console" will run if 1C00A84E = 0x80000 or 1C00A846 = 0x400000
Make 1C00A846 = 0xA00000 and x-modem will run

_________________
https://www.linkedin.com/in/artemrubtsov/


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 18:01

Joined: May 5th, 2004, 20:06
Posts: 2800
Location: England
This is getting interesting. 8)

_________________
All went well until I plugged the drive in.


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 18:10

Joined: September 29th, 2005, 12:02
Posts: 3230
Location: Chicago
Can you post addresses from FFFF0014 to FFFF0060, they contain offsets to main functions
It would be much easier to see where is what in your bootstrap

_________________
https://www.linkedin.com/in/artemrubtsov/


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 18:18

Joined: September 29th, 2005, 12:02
Posts: 3230
Location: Chicago
_dex_ wrote:
BUT if we connect resistor of 4.7k to E61 and GND, AND connect resistor of 4.7k to E62 and GND.
Board will BOOT from external EEPROM.

Ok this makes it boot #6
or 0x200000 + 0x400000
E62 to GND makes 0x400000 -> inversed bit 0x16 of port 0x1C00A846
E61 to GND makes 0x200000 -> inversed bit 0x15 of port 0x1C00A846

_________________
https://www.linkedin.com/in/artemrubtsov/


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 18:22

Joined: August 18th, 2011, 4:55
Posts: 24
Doomer wrote:
Ok I've got kernel(or bootstrap) for the same CPU as in topic. I see it's different comparing to one I reversed before

Here is some info
As you may see the function FFFF0BB6 switches between "boot modes" and it apparently analyzes port 1C00A846
So port 1C00A846 must be connected to E6x points

ROM:FFFF0158 LDR R1, =word_1C00A846
ROM:FFFF015C LDRH R0, [R1]
ROM:FFFF0160 MOV R0, R0,LSR#13
ROM:FFFF0164 CMP R0, #4
ROM:FFFF0168 BEQ Kernel_RAM_check

Connecting E61 to ground equals 1C00A846 = 0x200000 or 4 shl 0x13


IT IS decimal 13 not HEX 0x13!!!
4 shl 13 = 0x8000
Anyway ALL ports are 16bit!!!


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 18:30

Joined: September 29th, 2005, 12:02
Posts: 3230
Location: Chicago
You are correct
Even easier

E61 to GND makes 0x8000 -> inversed bit 15 of port 0x1C00A846

_________________
https://www.linkedin.com/in/artemrubtsov/


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 18:34

Joined: August 18th, 2011, 4:55
Posts: 24
Doomer wrote:
_dex_ wrote:
BUT if we connect resistor of 4.7k to E61 and GND, AND connect resistor of 4.7k to E62 and GND.
Board will BOOT from external EEPROM.

Ok this makes it boot #6
or 0x200000 + 0x400000
E62 to GND makes 0x400000 -> inversed bit 0x16 of port 0x1C00A846
E61 to GND makes 0x200000 -> inversed bit 0x15 of port 0x1C00A846


From where comes that extra zeros???
There is NOTHING inverted.

E61,E62 have resistor PULLUP r13, r6, so on default, port 1c00a846 have 110x xxxx xxxx xxxx
or when shifted to right 13 times is 6!!!
Mode 6 is normal BOOT from internal ROM!
When E61 and E62 are connected to GND port 1c00a846 will have 000x xxxx xxxx xxxx
or when shifted to right 13 times is 0!!!
Mode 0 is normal BOOT from EXTERNAL serial EEPROM (25p20?)


Last edited by _dex_ on August 30th, 2011, 18:46, edited 1 time in total.

Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 18:41

Joined: August 18th, 2011, 4:55
Posts: 24
Doomer wrote:
Can you post addresses from FFFF0014 to FFFF0060, they contain offsets to main functions
It would be much easier to see where is what in your bootstrap


Just read my previous post how to get bootstrap from board, calculate on that file sha1 and compare.
If there is no match, then it is obvious that address will be slightly different!


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 18:49

Joined: September 29th, 2005, 12:02
Posts: 3230
Location: Chicago
_dex_ wrote:
From where comes that extra zeros???
There is NOTHING inverted.

E61,E62 have resistor PULLUP r13, r6, so on default, port 1c00a846 have 110x xxxx xxxx xxxx
or when shifted to right 13 times is 6!!!
Mode 6 is normal BOOT from internal ROM!
When E61 and E61 are connected to GND port 1c00a846 will have 000x xxxx xxxx xxxx
or when shifted to right 13 times is 0!!!
Mode 0 is normal BOOT from EXTERNAL serial EEPROM (25p20?)

Yep, sorry for incorrect info
This is 4
_dex_ wrote:
If we connect resistor of 4.7k to E61 and GND, on power ON, board will execute
RAM test routine.

or 100x xxxx xxxx xxxx

So Boot modes 0,1,5,6,7 are coded everything else is default. 4 and 3 are taken. Which leaves only 2
If it goes on default bit 12 will trigger x-modem
E61, E62 to ground and some two pins on 3.3V

_________________
https://www.linkedin.com/in/artemrubtsov/


Last edited by Doomer on August 30th, 2011, 18:54, edited 2 times in total.
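
The strap decoding the two posters converge on above, as an added example that is not code from either poster or from Marvell. The E61/E62 bit positions are an assumption inferred from the quoted patterns (110x by default, 100x with E61 grounded), and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Strap port named in the thread; the ROM reads it with LDRH, so it is 16 bits wide. */
#define STRAP_PORT_ADDR 0x1C00A846u

/* Assumed bit assignment, inferred from the thread: pull-ups give 110x (mode 6),
 * E61 to GND gives 100x (mode 4), both to GND give 000x (mode 0). */
#define STRAP_E61     (1u << 14)
#define STRAP_E62     (1u << 15)
#define STRAP_DEFAULT (STRAP_E61 | STRAP_E62)

/* Same arithmetic as the ROM: LDRH R0,[R1] ; MOV R0,R0,LSR#13 (decimal 13). */
static unsigned strap_mode(uint16_t port) { return (unsigned)(port >> 13); }

/* Port value after the given pads are pulled to GND through 4.7k (hypothetical helper). */
static uint16_t strap_with_grounded(unsigned pads) {
    return (uint16_t)(STRAP_DEFAULT & ~pads);
}

/* A constant can only match the port if it fits in a halfword. */
static int fits_halfword(uint32_t v) { return v <= 0xFFFFu; }

/* Names only for the modes the thread actually identifies. */
static const char *mode_name(unsigned mode) {
    switch (mode) {
    case 6:  return "boot from internal ROM";
    case 4:  return "RAM test";
    case 0:  return "boot from external serial EEPROM";
    default: return "not identified in the thread";
    }
}

int main(void) {
    const unsigned grounded[] = { 0, STRAP_E61, STRAP_E61 | STRAP_E62 };
    printf("strap port 0x%08X\n", STRAP_PORT_ADDR);
    for (unsigned i = 0; i < 3; i++) {
        uint16_t port = strap_with_grounded(grounded[i]);
        unsigned mode = strap_mode(port);
        printf("port=0x%04X mode=%u (%s)\n", (unsigned)port, mode, mode_name(mode));
    }
    /* The 13 vs 0x13 mix-up: only the decimal shift yields a 16-bit value. */
    printf("4<<13=0x%X fits=%d, 4<<0x13=0x%X fits=%d\n",
           4u << 13, fits_halfword(4u << 13), 4u << 0x13, fits_halfword(4u << 0x13));
    return 0;
}
```
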

Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 18:49

Joined: September 29th, 2005, 12:02
Posts: 3230
Location: Chicago
_dex_ wrote:
Just read my previous post how to get bootstrap from board, calculate on that file sha1 and compare.
If there is no match, then it is obvious that address will be slightly different!

I guess copy-paste is too much work
Good luck

_________________
https://www.linkedin.com/in/artemrubtsov/


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 19:01

Joined: August 18th, 2011, 4:55
Posts: 24
Doomer wrote:
_dex_ wrote:
Just read my previous post how to get bootstrap from board, calculate on that file sha1 and compare.
If there is no match, then it is obvious that address will be slightly different!

I guess copy-paste is too much work
Good luck


It is TOTALLY NOT IMPORTANT what are those addresses!
Only important is that they are fixed functions.
example:

LDR R0,=0xFFFF0050
LDR R0,[R0]
BLX R0

Will always call DIVr0r1 function. etc,etc


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 19:05

Joined: September 29th, 2005, 12:02
Posts: 3230
Location: Chicago
_dex_ wrote:
It is TOTALLY NOT IMPORTANT what are those addresses!
Only important is that they are fixed functions.
example:

LDR R0,=0xFFFF0050
LDR R0,[R0]
BLX R0

Will always call DIVr0r1 function. etc,etc

I know that, that's why I'm asking
But it doesn't matter anymore

_________________
https://www.linkedin.com/in/artemrubtsov/


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 19:16

Joined: September 29th, 2005, 12:02
Posts: 3230
Location: Chicago
Doomer wrote:
So Boot modes 0,1,5,6,7 are coded everything else is default. 4 and 3 are taken. Which leaves only 2
If it goes on default bit 12 will trigger x-modem
E61, E62 to ground and some two pins on 3.3V

Actually only E62 to ground and we need one more pin on 3.3 to call x-modem
Missing R26 seems promising

_________________
https://www.linkedin.com/in/artemrubtsov/


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 19:35

Joined: August 18th, 2011, 4:55
Posts: 24
Doomer wrote:
Doomer wrote:
So Boot modes 0,1,5,6,7 are coded everything else is default. 4 and 3 are taken. Which leaves only 2
If it goes on default bit 12 will trigger x-modem
E61, E62 to ground and some two pins on 3.3V

Actually only E62 to ground and we need one more pin on 3.3 to call x-modem
Missing R26 seems promising



You have to read my posts carefully.

************************************************
BUT if we connect resistor of 4.7k to E61 and GND, AND connect resistor of 4.7k to E62 and GND.
Board will BOOT from external EEPROM. Since external EEPROM is NOT soldered there will
be error in "Kernel Loader" and CPU will start "terminal" routine.

For "ffff0000.bin" sha1=5ab6b58869a6cf40aaa60626e8440c0abc186ae8
"terminal" routine:= 0xFFFF0A50
************************************************

So you have to connect e61 and e62 to GND and since there is not inserted U12
CPU will call your "X-modem" routine


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 19:44

Joined: September 29th, 2005, 12:02
Posts: 3230
Location: Chicago
_dex_ wrote:
So you have to connect e61 and e62 to GND and since there is not inserted U12
CPU will call your "X-modem" routine

Yeah that's a hack, for this particular board and bootstrap.
But correct x-modem call will be triggered as I described

But anyway - there is no flash writing commands in bootstrap
And internal flash does not have pure SPI interface I even doubt that it's serial flash
So back to reversing. If you reversed other Marvell chips before and know the internal flash commands you might be finishing fast with your task

PS: It's not "mine", it's Marvell's. Take some code, add standard flash "5A" header to it and send it to a drive using hyperterminal x-modem. The code will be executed according to the header

_________________
https://www.linkedin.com/in/artemrubtsov/


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 30th, 2011, 21:01

Joined: August 18th, 2011, 4:55
Posts: 24
Doomer wrote:
_dex_ wrote:
So you have to connect e61 and e62 to GND and since there is not inserted U12
CPU will call your "X-modem" routine

Yeah that's a hack, for this particular board and bootstrap.
But correct x-modem call will be triggered as I described

But anyway - there is no flash writing commands in bootstrap
And internal flash does not have pure SPI interface I even doubt that it's serial flash
So back to reversing. If you reversed other Marvell chips before and know the internal flash commands you might be finishing fast with your task

PS: It's not "mine", it's Marvell's. Take some code, add standard flash "5A" header to it and send it to a drive using hyperterminal x-modem. The code will be executed according to the header


Well, I'm not familiar with Marvell chips, I do not know internal flash commands.
I just want to repair two of my scorpio blue HDD!

About "x-modem" I will check that.


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 31st, 2011, 2:50

Joined: May 5th, 2004, 20:06
Posts: 2800
Location: England
Does the MCU have IAP hidden away? I haven't gone this deep before :O)

_________________
All went well until I plugged the drive in.


Post subject: Re: Marvell 88i6745n JTAG
Posted: August 31st, 2011, 7:08

Joined: December 27th, 2006, 10:15
Posts: 1844
Location: Belgium
Very interesting lecture 8)

_________________
Murphy was an optimist

Datarecovery in Belgium, Holland, France and Germany
Datarecoverytools http://www.drtools.eu

