Marvell 88i6745n JTAG

[_dex_]

If we connect resistor of 4.7k to E61 and GND, on power ON, board will execute
RAM test rutine.

For "ffff0000.bin" sha1=5ab6b58869a6cf40aaa60626e8440c0abc186ae8
RAM test rutine:= 0xFFFF01BC

If we connect resistor of 4.7k to E62 and GND, on power ON, board will execute
"Tiny Console" rutine! But this time JTAG and RAM on addr 0x00000000 will be activated!!!

BUT if we connect resistor of 4.7k to E61 and GND, AND connect resistor of 4.7k to E62 and GND.
Board will BOOT from external EEPROM. Since external EEPROM is NOT soldered there will
be error in "Kernel Loader" and CPU will start "terminal" rutine.

For "ffff0000.bin" sha1=5ab6b58869a6cf40aaa60626e8440c0abc186ae8
"terminal" rutine:= 0xFFFF0A50

B.R.

Dejan

[Doomer]

Ok I've got kernel(or bootstrap) for the same CPU as in topic. I see it's different comparing to one I reversed before

Here is some info
As you may see the function FFFF0BB6 switches between "boot modes" and it apparently analyzes port 1C00A846
So port 1C00A846 must be connected to E6x points

ROM:FFFF0158 LDR R1, =word_1C00A846
ROM:FFFF015C LDRH R0, [R1]
ROM:FFFF0160 MOV R0, R0,LSR#13
ROM:FFFF0164 CMP R0, #4
ROM:FFFF0168 BEQ Kernel_RAM_check

Connecting E61 to ground equals 1C00A846 = 0x200000 or 4 shl 0x13

[Doomer]

"Tiny console" will run if 1C00A84E = 0x80000 or 1C00A846 = 0x400000
Make 1C00A846 = 0xA00000 and x-modem will run

[guru]

This getting interesting.

[Doomer]

Can you post addresses from FFFF0014 to FFFF0060, they contain offsets to main functions
It would be much easier to see where is what in your bootstrap

[Doomer]

BUT if we connect resistor of 4.7k to E61 and GND, AND connect resistor of 4.7k to E62 and GND.
Board will BOOT from external EEPROM.

Ok this makes it boot #6
or 0x200000 + 0x400000
E62 to GND makes 0x400000 -> inversed bit 0x16 of port 0x1C00A846
E61 to GND makes 0x200000 -> inversed bit 0x15 of port 0x1C00A846

[_dex_]

Ok I've got kernel(or bootstrap) for the same CPU as in topic. I see it's different comparing to one I reversed before

Here is some info
As you may see the function FFFF0BB6 switches between "boot modes" and it apparently analyzes port 1C00A846
So port 1C00A846 must be connected to E6x points

ROM:FFFF0158 LDR R1, =word_1C00A846
ROM:FFFF015C LDRH R0, [R1]
ROM:FFFF0160 MOV R0, R0,LSR#13
ROM:FFFF0164 CMP R0, #4
ROM:FFFF0168 BEQ Kernel_RAM_check

Connecting E61 to ground equals 1C00A846 = 0x200000 or 4 shl 0x13

IT IS decimal 13 not HEX 0x13!!!
4 shl 13 = 0x8000
Anyway ALL ports are 16bit!!!

[Doomer]

You are correct
Even easier

E61 to GND makes 0x8000 -> inversed bit 15 of port 0x1C00A846

[_dex_]

BUT if we connect resistor of 4.7k to E61 and GND, AND connect resistor of 4.7k to E62 and GND.
Board will BOOT from external EEPROM.

Ok this makes it boot #6
or 0x200000 + 0x400000
E62 to GND makes 0x400000 -> inversed bit 0x16 of port 0x1C00A846
E61 to GND makes 0x200000 -> inversed bit 0x15 of port 0x1C00A846

From where comes that extra zeros???
There is NOTHING inverted.

E61,E62 have resistor PULLUP r13, r6, so on default, port 1c00a846 have 110x xxxx xxxx xxxx
or when shifted to right 13 times is 6!!!
Mode 6 is normal BOOT from internal ROM!
When E61 and E62 are connected to GND port 1c00a846 will have 000x xxxx xxxx xxxx
or when shifted to right 13 times is 0!!!
Mode 0 is normal BOOT from EXTERNAL serial EEPROM (25p20?)

Last edited by _dex_ on August 30th, 2011, 18:46, edited 1 time in total.

[_dex_]

Can you post addresses from FFFF0014 to FFFF0060, they contain offsets to main functions
It would be much easier to see where is what in your bootstrap

Just read my previous post how to get bootstrap from board, calculate on that file sha1 and compare.
If there is no match, then it is obvious that address will be slight different!

[Doomer]

From where comes that extra zeros???
There is NOTHING inverted.

E61,E62 have resistor PULLUP r13, r6, so on default, port 1c00a846 have 110x xxxx xxxx xxxx
or when shifted to right 13 times is 6!!!
Mode 6 is normal BOOT from internal ROM!
When E61 and E61 are connected to GND port 1c00a846 will have 000x xxxx xxxx xxxx
or when shifted to right 13 times is 0!!!
Mode 0 is normal BOOT from EXTERNAL serial EEPROM (25p20?)

Yep, sorry for incorrect info
This is 4

If we connect resistor of 4.7k to E61 and GND, on power ON, board will execute
RAM test rutine.

or 100x xxxx xxxx xxxx

So Boot modes 0,1,5,6,7 are coded everything else is default. 4 and 3 are taken. Which leaves only 2
If it goes on default bit 12 will trigger x-modem
E61, E62 to ground and some two pins on 3.3V

Last edited by Doomer on August 30th, 2011, 18:54, edited 2 times in total.

[Doomer]

Just read my previous post how to get bootstrap from board, calculate on that file sha1 and compare.
If there is no match, then it is obvious that address will be slight different!

I guess copy-paste is too much work
Good luck

[_dex_]

Just read my previous post how to get bootstrap from board, calculate on that file sha1 and compare.
If there is no match, then it is obvious that address will be slight different!

I guess copy-paste is too much work
Good luck

It is TOTALY NOT IMPORTANT what are those addresses!
Only important is that they are fixed functions.
example:

LDR R0,=0xFFFF0050
LDR R0,[R0]
BLX R0

Will always call DIVr0r1 function. etc,etc

[Doomer]

It is TOTALY NOT IMPORTANT what are those addresses!
Only important is that they are fixed functions.
example:

LDR R0,=0xFFFF0050
LDR R0,[R0]
BLX R0

Will always call DIVr0r1 function. etc,etc

I know that, that's why I'm asking
But it doesn't matter anymore

[Doomer]

So Boot modes 0,1,5,6,7 are coded everything else is default. 4 and 3 are taken. Which leaves only 2
If it goes on default bit 12 will trigger x-modem
E61, E62 to ground and some two pins on 3.3V

Actually only E62 to ground and we need one more pin on 3.3 to call x-modem
Missing R26 seems promising

[_dex_]

So Boot modes 0,1,5,6,7 are coded everything else is default. 4 and 3 are taken. Which leaves only 2
If it goes on default bit 12 will trigger x-modem
E61, E62 to ground and some two pins on 3.3V

Actually only E62 to ground and we need one more pin on 3.3 to call x-modem
Missing R26 seems promising

You have to read my posts carefully.

************************************************
BUT if we connect resistor of 4.7k to E61 and GND, AND connect resistor of 4.7k to E62 and GND.
Board will BOOT from external EEPROM. Since external EEPROM is NOT soldered there will
be error in "Kernel Loader" and CPU will start "terminal" rutine.

For "ffff0000.bin" sha1=5ab6b58869a6cf40aaa60626e8440c0abc186ae8
"terminal" rutine:= 0xFFFF0A50
************************************************

So you have to connect e61 and e62 to GND and since there is not inserted U12
CPU will call your "X-modem" rutine

[Doomer]

So you have to connect e61 and e62 to GND and since there is not inserted U12
CPU will call your "X-modem" rutine

Yeah that's a hack, for this particular board and bootstrap.
But correct x-modem call will be triggered as I described

But anyway - there is no flash writing commands in bootstrap
And internal flash does not have pure SPI interface I even doubt that it's serial flash
So back to reversing. If you reversed other Marvell chips before and know the internal flash commands you might be finishing fast with your task

PS: It's not "mine" it's Marvell's. Take some code add standard flash "5A" header to it and send it to a drive using hyperterminal x-modem. The code will be executed accordingly to the header

[_dex_]

So you have to connect e61 and e62 to GND and since there is not inserted U12
CPU will call your "X-modem" rutine

Yeah that's a hack, for this particular board and bootstrap.
But correct x-modem call will be triggered as I described

But anyway - there is no flash writing commands in bootstrap
And internal flash does not have pure SPI interface I even doubt that it's serial flash
So back to reversing. If you reversed other Marvell chips before and know the internal flash commands you might be finishing fast with your task

PS: It's not "mine" it's Marvell's. Take some code add standard flash "5A" header to it and send it to a drive using hyperterminal x-modem. The code will be executed accordingly to the header

Well, I'm not familiar with Marvell chips, I do not know internal flash commands.
I just want to repair two of my scorpio blue HDD!

About "x-modem" I will check that.

[guru]

does the MCU have IAP hidden away? I haven't gone this deep before :O)

[dobrevjetser]

Very interesting lecture