About "Kernel Loader"
First we have to know something about the kernel blocks in flash. They have 0x20-byte headers, like this first one for the kernel loader.
;-------------------------------------
1                    ;block nr
1                    ;describe type? 1,3 = compressed data?
0,0                  ;maybe high 16 bits of decompressed size?
0x51,0x70,0,0        ;=0x00007051 size of block with CHK
0x50,0x70,0,0        ;=0x00007050 size of block
0x2d,0xd,0,0         ;=0x00000d2d offset of block data in FLASH (physical addr 0xfff00d2d)
0,0,0,0              ;=0x00000000 physical addr where decompressed block has to be stored
0xff,0xff,0xff,0xff  ;=0xffffffff execute address, but if it is 0xffffffff then it will not be executed!
1,0xa,0,0            ;?
0x48,0x8c            ;=0x8c48 lower 16 bits of decompressed size.
0                    ;?
0x98                 ;checksum
;-------------------------------------
Once started, the "Kernel Loader" initializes SDRAM, changes the vector base, etc. Then it tests the block header, copies the block to SDRAM, and decompresses it from SDRAM to the appropriate destination. If the "execute address" is 0xffffffff, the next block is handled. Once the "execute address" is not 0xffffffff, the kernel loader executes code from that address. In my case it is 0x00000000, the reset vector!!!
If any of the blocks has a bad data checksum, the "kernel loader" will loop. (It is related to SATA communication.)
In my case one of the kernel blocks was damaged, and I found a way to repair it using a JTAG debugger.
This will work only if you already have a correct backup and the "flash loader" is not corrupted. (If your "flash loader" is also corrupted, the procedure is a little different.)
Get a dump of the FLASH data using JTAG and compare it with the previous backup to find which block is damaged (see the block header description in this post). Create a file of those blocks from the backup file using a hex editor.
Set your board to test mode (connect the first three pins of the jumper header to GND). Connect JTAG and the SATA cable, and power up the board. Run the JTAG debugger. Halt the target. Take the "offset address" of the damaged block and add 0xfff00000 to get the physical address. Set a watchpoint in the debugger on that address, read mode only. Set PC to 0xffff0000 AND HIT RUN!!!
If everything is OK, it will halt the CPU. Look at the disassembled code in the debugger to find the destination address in the "copy_mem" function. Now set a breakpoint at the end of that routine. Hit RUN again. Once halted, load the data from the file you created previously to the destination address, to overwrite the bad data from flash.
Repeat this for every block that is corrupted. Finally, just hit RUN and the drive will start to communicate over SATA.
Now you can use the free program "WDR-demo" to write the backup FLASH to the board. And that is it!
Now, since I repaired my drive, I can look for the routine for writing FLASH.
B.R
Dejan
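
Added example (not part of the original post): a Python decoder for the 0x20-byte block header listed above, plus a check for whether a block's bytes differ between a fresh JTAG dump and the backup. The field names and function names are made up for illustration, and the header checksum rule (low byte of the sum of bytes 0..30) is an assumption that matches the one sample header in the post.

```python
import struct

FLASH_BASE = 0xFFF00000   # physical base of FLASH, from the post
NO_EXEC = 0xFFFFFFFF      # "execute address" value meaning: do not execute
HEADER_LEN = 0x20

# Sample header bytes exactly as listed in the post.
SAMPLE_HEADER = bytes([
    1, 1, 0, 0,
    0x51, 0x70, 0, 0,
    0x50, 0x70, 0, 0,
    0x2D, 0x0D, 0, 0,
    0, 0, 0, 0,
    0xFF, 0xFF, 0xFF, 0xFF,
    1, 0x0A, 0, 0,
    0x48, 0x8C, 0, 0x98,
])

def parse_header(raw):
    """Decode one 0x20-byte block header (little-endian fields)."""
    if len(raw) != HEADER_LEN:
        raise ValueError("header must be 0x20 bytes")
    (nr, typ, size_hi, size_chk, size, offset, dest, exec_addr,
     _unk1, size_lo, _unk2, chk) = struct.unpack("<BBHIIIIIIHBB", raw)
    return {
        "block_nr": nr, "type": typ,
        "size_with_chk": size_chk, "size": size,
        "flash_offset": offset, "flash_phys": FLASH_BASE + offset,
        "dest": dest, "exec_addr": exec_addr,
        "executes": exec_addr != NO_EXEC,
        # The high half is only the post's guess ("maybe high 16 bits").
        "decompressed_size": (size_hi << 16) | size_lo,
        "checksum": chk,
        # Assumption: low byte of the sum of bytes 0..30 (fits this sample).
        "header_ok": (sum(raw[:31]) & 0xFF) == chk,
    }

def block_damaged(dump, backup, hdr):
    """True if the block's stored bytes differ between dump and backup."""
    start = hdr["flash_offset"]
    end = start + hdr["size_with_chk"]
    if end > len(dump) or end > len(backup):
        raise ValueError("block extends past end of image")
    return dump[start:end] != backup[start:end]

if __name__ == "__main__":
    h = parse_header(SAMPLE_HEADER)
    print(f"block {h['block_nr']}: data at {h['flash_phys']:#010x}, "
          f"{h['size']:#x} bytes, header_ok={h['header_ok']}")
```

The "flash_phys" value is the address the post uses for the read watchpoint (offset plus 0xfff00000).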