May 17th, 2010

Восстановление USR9107 с помощью JTAG

Отказ от ответственности


Автор не несет никакой ответственности, за Ваши действия или бездействия, за физический, финансовый, моральный или любой другой ущерб. Помните, все действия, которые Вы выполняете со своим оборудованием, в лучшем случае приведут к лишению гарантии. Статья не является пошаговым руководством: Вы должны понимать, что Вы делаете.


Вступление


После очередной компиляции и установки OpenWRT [1] на USRobotics USR9107 [2], модем вдруг перестал откликаться в консоли и подавать признаков жизни. Для восстановления модема мной было прочитано и изучено десяток мануалов и доков по оживлению подобных девайсов. В конечном итоге, удалось оживить через интерфейс JTAG [4],[5]. Для восстановления через JTAG из подручных средств сначала был собран упрощенный вариант переходника ByteBlaster. В процессе изучения материала я собрал еще несколько вариантов переходников. Тестирование проводил как в ОС Windows, так и OS Linux. Все схемы, распиновки, логи, описание и ссылки ниже. Надеюсь, собранный мной материал, поможет и Вам восстановить свое устройство.



Распиновка и расположение JTAG на плате




JTAG и UART на плате (кликабельно)


Распиновка UART
UART (Header 1x4pin)
====================
1 Tx
2 Rx
3 3.3v
4 GND



Схемы подключения JTAG к LPT порту


В зависимости от установленного ПО, для работы можно использовать либо Altera ByteBlasterMV [6] или ByteBlaster II [7], либо Xilinx DLC 5 [8] parallel download cable (unbuffered), либо Wiggler от Macraigor Systems [9],[10]. Все варианты не содержат буфера, просты в изготовлении, подключаются к параллельному порту компьютера и работают одинаково. Главное условие - короткий кабель 10-15 см., чтобы помехи не влияли на работу. Резисторы можно использовать одинакового номинала, в пределах 33-150 Ом.
Сигнал TRST в схемах подключения можно не использовать, он всего лишь переводит TAP контроллер в исходное состояние, что можно проделать и софтверно, удерживая TMS в "логической единице" в течение 5 тактов TCK. Для нормальной работы TAP контроллера на TRST должна быть "логическая единица".

ByteBlaster MV


ByteBlaster II


DLC 5


Wiggler



Драйверы ввода/вывода LPT порта


Каждая программа использует свой драйвер и его обязательно нужно установить. Самые распространенные драйверы это GiveIO.sys [11] и ioperm.sys [12]. Есть еще InpOut32/64 для Windows Vista/7 32/64bit, ftd2xx.dll и другие. Настройка LPT порта в BIOS [20].







Программы для работы с интерфейсом JTAG


C GUI оболочкой для Windows - EJTAG Tiny Tools [13],[14],[15]. Без GUI - EJTAG Debrick Utility доработанная Tornado [16],[17] и специализированная версия для Broadcom от hugebird [18], а также вариант для Linux/Windows - UrJTAG [19].

EJTAG Tiny Tools


Работает через ByteBlaster. Драйвер ввода/вывода GiveIO.sys. Текущая версия v.1.0.6.17. По сообщению разработчика, развитие программы заморожено, на смену ей пришла коммерческая версия EJTAG Tiny Tools CPLD.


Лог программы:
FileVersion = 1.0.6.17
Speed = 188076
-----------------------------------------------------------------------
Выбран режим работы с MIPS процессором
CPU ID = 0634817F
CPU ID = 00000007
CPU ID = 00000000
CPU ID = 00000000
CPU ID = 00000000
CPU ID = 00000000
CPU ID = 00000000
CPU ID = 0634817F
Найден ЦПУ : Broadcom BCM6348 Rev 1 CPU
Длина инструкций EJTAG : 5
IMPCODE = 800904
Версия  EJTAG  1 - 2.0
EJTAG функции :  R4k  DMA  MIPS32 
Включаем доступ к записи памяти DMA ... Готово
Перевод процессора в Debug ... >Отладочный режим ОК!< ... Готово
-------- Определяем флешь --------
Режим работы флешь = AMD 16 bit
Flash Base адресс = 0x1FC00000
Первые 16 байт флеши : 
 0010 7802 0000 0000 0000 0000 0000 0000 
 
CFI  = Q, R, Y
Boot type = 67
CFI флешь найдена
VENDOR ID = 0002
CFI данные : AMD-совместимая
Найденная флешь : ManufactureID = 0020 DeviceID = 22C4
Считываем парамеры из CFI
Размер флешь = 2097152
Кол-во блоков = 4
Сортируем блоки для top-boot флешь
Область = 3; Размер блока = 65536; Кол-во блоков = 31
Область = 2; Размер блока = 32768; Кол-во блоков = 1
Область = 1; Размер блока = 8192; Кол-во блоков = 2
Область = 0; Размер блока = 16384; Кол-во блоков = 1
Готово
Красным маркером выделены баги программы.

EJTAG Debrick Utility by Tornado


Работает через DLC 5 и WIGGLER. Драйвер ввода/вывода GiveIO.sys. Текущая версия v.3.0.1.


Лог программы:
C:\tjtag>tjtag3 -probeonly /flash_debug

==============================================
 EJTAG Debrick Utility v3.0.1 Tornado-MOD
==============================================

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom BCM6348 Rev 1 CPU chip ***

    - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... Processor Entered Debug Mode! ... Done
Clearing Watchdog ... Done
spi_flash_read 0x1fc00000
spi_flash_mmr  0x00000000
spi_flash_mmr_size 0x00000000
spi_flash_ctl  0x18000040
spi_flash_opcode 0x18000044
spi_flash_data 0x18000048
spi_ctl_start 0x80000000
spi_ctl_busy 0x80000000

Probing Flash at (Flash Window: 0x1fc00000) ...

Debug AMD Vendid :    00000000000000000000000000100000 (00000020)
Debug AMD Devdid :    00000000000000000010001011000100 (000022C4)
Done

Flash Vendor ID: 00000000000000000000000000100000 (00000020)
Flash Device ID: 00000000000000000010001011000100 (000022C4)
*** Found a ST M29W160ET 1Mx16 TopB    (2MB) Flash Chip ***

    - Flash Chip Window Start .... : 1fc00000
    - Flash Chip Window Length ... : 00200000
    - Selected Area Start ........ : 00000000
    - Selected Area Length ....... : 00000000



 *** REQUESTED OPERATION IS COMPLETE ***


Broadcom EJTAG Debrick Utility by hugebird


Работает через DLC 5, WIGGLER и специализированный USB/JTAG модуль. Драйвер ввода/вывода GiveIO.sys, InpOut32/64, ftd2xx.dll. Текущая версия v.1.9f.


Лог программы:
C:\brjtag>brjtag -probeonly /showppb

        ===============================================
         Broadcom EJTAG Debrick Utility v1.9b-hugebird
        ===============================================

Probing bus ... Done

Instruction Length set to 5

CPU assumed running under BIG endian

CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom manufactured BCM6348 REV 01 CPU ***

    - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... Processor Entered Debug Mode! ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 1fc00009
MPI register show Flash Access Base Addr : 1fc00000

Probing Flash at Address: 0x1FC00000 ...
Detected Chip ID (VenID:DevID = 0020 : 22C4)
*** Found a CFI Compatiable Flash Chip from ST/Numonyx



Flash Sector Protection type 0



 *** REQUESTED OPERATION IS COMPLETE ***


C:\brjtag>brjtag -backup:cfe

        ===============================================
         Broadcom EJTAG Debrick Utility v1.9b-hugebird
        ===============================================

Probing bus ... Done

Instruction Length set to 5

CPU assumed running under BIG endian

CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom manufactured BCM6348 REV 01 CPU ***

    - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... Processor Entered Debug Mode! ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 1fc00009
MPI register show Flash Access Base Addr : 1fc00000

Probing Flash at Address: 0x1FC00000 ...
Detected Chip ID (VenID:DevID = 0020 : 22C4)
*** Found a CFI Compatiable Flash Chip from ST/Numonyx

    - Flash Chip Window Start .... : 1FC00000
    - Flash Chip Window Length ... : 00200000
    - Selected Area Start ........ : 1FC00000
    - Selected Area Length ....... : 00040000

*** You Selected to Backup the CFE.BIN ***

=========================
Backup Routine Started
=========================

Saving CFE.BIN.SAVED_20100519_150430 to Disk...
Done  (CFE.BIN.SAVED_20100519_150430 saved to Disk OK)

bytes written: 262144
=========================
Backup Routine Complete
=========================
elapsed time: 104 seconds


 *** REQUESTED OPERATION IS COMPLETE ***


UrJTAG


Работает через ByteBlaster, DLC 5, WIGGLER и большое кол-во специализированных адаптеров. Драйвер ввода/вывода ioperm.sys и специализированные. Текущая версия v.0.10.


Профайл JTAG declarations for Broadcom BCM6348 /usr/local/share/urjtag/broadcom/bcm6348/bcm6348 [20]
# $Id: bcm6348 2008-05-12 16:55:43 pudeev.livejournal.com $
#
# JTAG declarations for Broadcom BCM6348
# Copyright (C) 2004 Alan Wallace <aww@adelphia.net>

register	BR		1
register	BSR		480
register	DIR		32
register	EJIMPCODE	32
register	EJADDRESS	32
register	EJDATA		32
register	EJCONTROL	32
register	EJALL		96
register	EJFASTDATA	1

instruction length 5

instruction	EXTEST		00000	BSR
instruction	BYPASS		11111	BR
instruction	SAMPLE/PRELOAD	00010	BSR
instruction	IDCODE		00001	DIR
instruction	EJTAG_IMPCODE	00011	EJIMPCODE
instruction	EJTAG_ADDRESS	01000	EJADDRESS
instruction	EJTAG_DATA	01001	EJDATA
instruction	EJTAG_CONTROL	01010	EJCONTROL
instruction	EJTAG_ALL	01011	EJALL
instruction	EJTAGBOOT	01100	BR
instruction	NORMALBOOT	01101	BR
instruction	EJTAG_FASTDATA	01110	EJFASTDATA

endian big


Лог работы программы:
jtag> cable byteblaster parallel 0x378
Initializing parallel port at 0x378

jtag> detect
IR length: 5
Chain length: 1
Device Id: 00000110001101001000000101111111 (0x000000000634817F)
  Manufacturer: Broadcom
  Part(0):         BCM6348
  Stepping:     Rev 1
  Filename:     /usr/local/share/urjtag/broadcom/bcm6348/bcm6348

jtag> print
 No. Manufacturer              Part                 Stepping Instruction  Register
------------------------------------------------------------------------------------------------------------------
   0 Broadcom                  BCM6348              Rev 1     BYPASS  BR

jtag> dr
0

jtag> instruction EJTAG_IMPCODE
jtag> shift ir
jtag> shift dr
jtag> dr
00000000100000000000100100000100
Расшифровка:
31:29 EJTAGver 000 Version 1 and 2.0
   28 R4k/R3k    0 R4k privileged environment
   24 DINTsup    0 DINT signal not supported
22:21 ASIDsize  00 No ASID in implementation
   16 MIPS16e    0 No MIPS16e support
   14 NoDMA      0 EJTAG DMA is supported
    0 MIPS32/64  0 MIPS 32-bit processor

jtag> initbus ejtag_dma
ImpCode=00000000100000000000100100000100
EJTAG version: <= 2.0
EJTAG Implementation flags: R4k DMA MIPS32
Clear memory protection bit in DCR
Clear Watchdog
Potential flash base address: [0x1fc00009], [0x1800]
Processor successfully switched in debug mode.

jtag> print
 No. Manufacturer              Part                 Stepping Instruction  Register
------------------------------------------------------------------------------------------------------------------
   0 Broadcom                  BCM6348              Rev 1     EJTAG_CONTROL  EJCONTROL

Active bus:
*0: EJTAG compatible bus driver via DMA (JTAG part No. 0)
        start: 0x00000000, length: 0x1E000000, data width: 32 bit, (USEG : User addresses)
        start: 0x1E000000, length: 0x02000000, data width: 16 bit, (FLASH : Addresses in flash (boot=0x1FC000000))
        start: 0x20000000, length: 0x60000000, data width: 32 bit, (USEG : User addresses)
        start: 0x80000000, length: 0x20000000, data width: 32 bit, (KSEG0: Kernel Unmapped Cached)
        start: 0xA0000000, length: 0x20000000, data width: 32 bit, (KSEG1: Kernel Unmapped Uncached)
        start: 0xC0000000, length: 0x20000000, data width: 32 bit, (SSEG : Supervisor Mapped)
        start: 0xE0000000, length: 0x20000000, data width: 32 bit, (KSEG3: Kernel Mapped)

jtag> dr
00000000001000101000000100001000
Расшифровка:
   31 Rocc       0 No reset occurred
30:29 Psz      000 Byte
   23 VPED       0
   22 Doze       0
   21 Halt       1
   20 PerRst     0
   19 PRnW       0
   18 PrAcc      0 No pending processor access
   16 PrRst      0 No processor reset applied
   15 ProbEn     1
   14 ProbTrap   0 Normal Memory 0xffffffff bfc00480
   12 EjtagBrk   0 No pending Debug Interrupt exeption
    3 DM         1 Processor is in Debug Mode

jtag> readmem 0x1fc00000 0x00010000 /cfe.dump
address: 0x1FC00000
length:  0x00010000
reading:
addr: 0x1FC10000
Done.
$ dump cfe.dump | grep CFE
000004e0  4346 4531 4346 4531 0000 0000 0000 0000 CFE1CFE1........
00000500  1000 02ac 0000 0000 4346 4531 4346 4531 ...,....CFE1CFE1

jtag> readmem 0x1fc10000 0x00000100 /bcm.dump
address: 0x1FC10000
length:  0x00000100
reading:
addr: 0x1FC10100
Done.
$ head bcm.dump
6   Broadcom Corporatio ver. 2.0      6348  96348R-A        1 1834756   0      0
         3217096960  983044    3217096960  851712    2

jtag> readmem 0x1fc00000 0x00200000 /fullflash.dump
address: 0x1FC00000
length:  0x00200000
reading:
addr: 0x1FE00000
Done.
jtag> dr
00000000001000101000000100001000

jtag> detectflash 0x1fc00000
Query identification string:
        Primary Algorithm Command Set and Control Interface ID Code: 0x0002 (AMD/Fujitsu Standard Command Set)
        Alternate Algorithm Command Set and Control Interface ID Code: 0x0000 (null)
Query system interface information:
        Vcc Logic Supply Minimum Write/Erase or Write voltage: 2700 mV
        Vcc Logic Supply Maximum Write/Erase or Write voltage: 3600 mV
        Vpp [Programming] Supply Minimum Write/Erase voltage: 0 mV
        Vpp [Programming] Supply Maximum Write/Erase voltage: 0 mV
        Typical timeout per single byte/word program: 16 us
        Typical timeout for maximum-size multi-byte program: 0 us
        Typical timeout per individual block erase: 1024 ms
        Typical timeout for full chip erase: 0 ms
        Maximum timeout for byte/word program: 256 us
        Maximum timeout for multi-byte program: 0 us
        Maximum timeout per individual block erase: 8192 ms
        Maximum timeout for chip erase: 0 ms
Device geometry definition:
        Device Size: 2097152 B (2048 KiB, 2 MiB)
        Flash Device Interface Code description: 0x0002 (x8/x16)
        Maximum number of bytes in multi-byte program: 1
        Number of Erase Block Regions within device: 4
        Erase Block Region Information:
                Region 0:
                        Erase Block Size: 16384 B (16 KiB)
                        Number of Erase Blocks: 1
                Region 1:
                        Erase Block Size: 8192 B (8 KiB)
                        Number of Erase Blocks: 2
                Region 2:
                        Erase Block Size: 32768 B (32 KiB)
                        Number of Erase Blocks: 1
                Region 3:
                        Erase Block Size: 65536 B (64 KiB)
                        Number of Erase Blocks: 31
Primary Vendor-Specific Extended Query:
        Major version number: 1
        Minor version number: 0
        Address Sensitive Unlock: Required
        Erase Suspend: Read/write
        Sector Protect: 1 sectors per group
        Sector Temporary Unprotect: Not supported
        Sector Protect/Unprotect Scheme: 29BDS640 mode (Software Command Locking)
        Simultaneous Operation: Not supported
        Burst Mode Type: Supported
        Page Mode Type: Not supported

jtag> eraseflash 0x1fc00000 35
Chip: AMD Flash
        Manufacturer: ST/Samsung
        Chip: Unknown (ID 0x22c4)
        Protected: 00ff

Erasing 35 Flash blocks from address 0x1fc00000
(2% Completed) FLASH Block 0 : Unlocking ... flash_unlock_block 0x1FC00000 IGNORE
Erasing ... flash_erase_block 0x1FC00000
flash_erase_block 0x1FC00000 DONE
(5% Completed) FLASH Block 1 : Unlocking ... flash_unlock_block 0x1FC04000 IGNORE
Erasing ... flash_erase_block 0x1FC04000
flash_erase_block 0x1FC04000 DONE
(8% Completed) FLASH Block 2 : Unlocking ... flash_unlock_block 0x1FC06000 IGNORE
Erasing ... flash_erase_block 0x1FC06000
flash_erase_block 0x1FC06000 DONE
(11% Completed) FLASH Block 3 : Unlocking ... flash_unlock_block 0x1FC08000 IGNORE
Erasing ... flash_erase_block 0x1FC08000
flash_erase_block 0x1FC08000 DONE
(14% Completed) FLASH Block 4 : Unlocking ... flash_unlock_block 0x1FC10000 IGNORE
Erasing ... flash_erase_block 0x1FC10000
flash_erase_block 0x1FC10000 DONE
(17% Completed) FLASH Block 5 : Unlocking ... flash_unlock_block 0x1FC20000 IGNORE
Erasing ... flash_erase_block 0x1FC20000
flash_erase_block 0x1FC20000 DONE
(20% Completed) FLASH Block 6 : Unlocking ... flash_unlock_block 0x1FC30000 IGNORE
Erasing ... flash_erase_block 0x1FC30000
flash_erase_block 0x1FC30000 DONE
(22% Completed) FLASH Block 7 : Unlocking ... flash_unlock_block 0x1FC40000 IGNORE
Erasing ... flash_erase_block 0x1FC40000
flash_erase_block 0x1FC40000 DONE
(25% Completed) FLASH Block 8 : Unlocking ... flash_unlock_block 0x1FC50000 IGNORE
Erasing ... flash_erase_block 0x1FC50000
flash_erase_block 0x1FC50000 DONE
(28% Completed) FLASH Block 9 : Unlocking ... flash_unlock_block 0x1FC60000 IGNORE
Erasing ... flash_erase_block 0x1FC60000
flash_erase_block 0x1FC60000 DONE
(31% Completed) FLASH Block 10 : Unlocking ... flash_unlock_block 0x1FC70000 IGNORE
Erasing ... flash_erase_block 0x1FC70000
flash_erase_block 0x1FC70000 DONE
(34% Completed) FLASH Block 11 : Unlocking ... flash_unlock_block 0x1FC80000 IGNORE
Erasing ... flash_erase_block 0x1FC80000
flash_erase_block 0x1FC80000 DONE
(37% Completed) FLASH Block 12 : Unlocking ... flash_unlock_block 0x1FC90000 IGNORE
Erasing ... flash_erase_block 0x1FC90000
flash_erase_block 0x1FC90000 DONE
(40% Completed) FLASH Block 13 : Unlocking ... flash_unlock_block 0x1FCA0000 IGNORE
Erasing ... flash_erase_block 0x1FCA0000
flash_erase_block 0x1FCA0000 DONE
(42% Completed) FLASH Block 14 : Unlocking ... flash_unlock_block 0x1FCB0000 IGNORE
Erasing ... flash_erase_block 0x1FCB0000
flash_erase_block 0x1FCB0000 DONE
(45% Completed) FLASH Block 15 : Unlocking ... flash_unlock_block 0x1FCC0000 IGNORE
Erasing ... flash_erase_block 0x1FCC0000
flash_erase_block 0x1FCC0000 DONE
(48% Completed) FLASH Block 16 : Unlocking ... flash_unlock_block 0x1FCD0000 IGNORE
Erasing ... flash_erase_block 0x1FCD0000
flash_erase_block 0x1FCD0000 DONE
(51% Completed) FLASH Block 17 : Unlocking ... flash_unlock_block 0x1FCE0000 IGNORE
Erasing ... flash_erase_block 0x1FCE0000
flash_erase_block 0x1FCE0000 DONE
(54% Completed) FLASH Block 18 : Unlocking ... flash_unlock_block 0x1FCF0000 IGNORE
Erasing ... flash_erase_block 0x1FCF0000
flash_erase_block 0x1FCF0000 DONE
(57% Completed) FLASH Block 19 : Unlocking ... flash_unlock_block 0x1FD00000 IGNORE
Erasing ... flash_erase_block 0x1FD00000
flash_erase_block 0x1FD00000 DONE
(60% Completed) FLASH Block 20 : Unlocking ... flash_unlock_block 0x1FD10000 IGNORE
Erasing ... flash_erase_block 0x1FD10000
flash_erase_block 0x1FD10000 DONE
(62% Completed) FLASH Block 21 : Unlocking ... flash_unlock_block 0x1FD20000 IGNORE
Erasing ... flash_erase_block 0x1FD20000
flash_erase_block 0x1FD20000 DONE
(65% Completed) FLASH Block 22 : Unlocking ... flash_unlock_block 0x1FD30000 IGNORE
Erasing ... flash_erase_block 0x1FD30000
flash_erase_block 0x1FD30000 DONE
(68% Completed) FLASH Block 23 : Unlocking ... flash_unlock_block 0x1FD40000 IGNORE
Erasing ... flash_erase_block 0x1FD40000
flash_erase_block 0x1FD40000 DONE
(71% Completed) FLASH Block 24 : Unlocking ... flash_unlock_block 0x1FD50000 IGNORE
Erasing ... flash_erase_block 0x1FD50000
flash_erase_block 0x1FD50000 DONE
(74% Completed) FLASH Block 25 : Unlocking ... flash_unlock_block 0x1FD60000 IGNORE
Erasing ... flash_erase_block 0x1FD60000
flash_erase_block 0x1FD60000 DONE
(77% Completed) FLASH Block 26 : Unlocking ... flash_unlock_block 0x1FD70000 IGNORE
Erasing ... flash_erase_block 0x1FD70000
flash_erase_block 0x1FD70000 DONE
(80% Completed) FLASH Block 27 : Unlocking ... flash_unlock_block 0x1FD80000 IGNORE
Erasing ... flash_erase_block 0x1FD80000
flash_erase_block 0x1FD80000 DONE
(82% Completed) FLASH Block 28 : Unlocking ... flash_unlock_block 0x1FD90000 IGNORE
Erasing ... flash_erase_block 0x1FD90000
flash_erase_block 0x1FD90000 DONE
(85% Completed) FLASH Block 29 : Unlocking ... flash_unlock_block 0x1FDA0000 IGNORE
Erasing ... flash_erase_block 0x1FDA0000
flash_erase_block 0x1FDA0000 DONE
(88% Completed) FLASH Block 30 : Unlocking ... flash_unlock_block 0x1FDB0000 IGNORE
Erasing ... flash_erase_block 0x1FDB0000
flash_erase_block 0x1FDB0000 DONE
(91% Completed) FLASH Block 31 : Unlocking ... flash_unlock_block 0x1FDC0000 IGNORE
Erasing ... flash_erase_block 0x1FDC0000
flash_erase_block 0x1FDC0000 DONE
(94% Completed) FLASH Block 32 : Unlocking ... flash_unlock_block 0x1FDD0000 IGNORE
Erasing ... flash_erase_block 0x1FDD0000
flash_erase_block 0x1FDD0000 DONE
(97% Completed) FLASH Block 33 : Unlocking ... flash_unlock_block 0x1FDE0000 IGNORE
Erasing ... flash_erase_block 0x1FDE0000
flash_erase_block 0x1FDE0000 DONE
(100% Completed) FLASH Block 34 : Unlocking ... flash_unlock_block 0x1FDF0000 IGNORE
Erasing ... flash_erase_block 0x1FDF0000
flash_erase_block 0x1FDF0000 DONE
(100% Completed) FLASH Block 34 : Unlocking ... Erasing ... Ok.

Erasing Completed.


После полного стирания флешки, программа UrJTAG ее теперь не детектит
UrJTAG 0.10 #1781
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

WARNING: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable wiggler parallel 0x378
Initializing parallel port at 0x378

jtag> detect
IR length: 5
Chain length: 1
Device Id: 00000110001101001000000101111111 (0x000000000634817F)
  Manufacturer: Broadcom
  Part(0):         BCM6348
  Stepping:     Rev 1
  Filename:     /usr/local/share/urjtag/broadcom/bcm6348/bcm6348

jtag> initbus ejtag_dma
ImpCode=00000000100000000000100100000100
EJTAG version: <= 2.0
EJTAG Implementation flags: R4k DMA MIPS32
Clear memory protection bit in DCR
Clear Watchdog
Potential flash base address: [0x0], [0x0]
Processor successfully switched in debug mode.

jtag> detectflash 0x1fc00000
dev ID=0000   man ID=0000
amd_detect: mid 0, did 0
Flash not found!


Другой программой флешка детектится, т.е. это вероятно баг UrJTAG
C:\tjtag>tjtag3 -probeonly /wiggler /flash_debug

==============================================
 EJTAG Debrick Utility v3.0.1 Tornado-MOD
==============================================

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom BCM6348 Rev 1 CPU chip ***

    - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... Processor Entered Debug Mode! ... Done
Clearing Watchdog ... Done
spi_flash_read 0x1fc00000
spi_flash_mmr  0x00000000
spi_flash_mmr_size 0x00000000
spi_flash_ctl  0x18000040
spi_flash_opcode 0x18000044
spi_flash_data 0x18000048
spi_ctl_start 0x80000000
spi_ctl_busy 0x80000000

Probing Flash at (Flash Window: 0x1fc00000) ...

Debug AMD Vendid :    00000000000000000000000000100000 (00000020)
Debug AMD Devdid :    00000000000000000010001011000100 (000022C4)
Done

Flash Vendor ID: 00000000000000000000000000100000 (00000020)
Flash Device ID: 00000000000000000010001011000100 (000022C4)
*** Found a ST M29W160ET 1Mx16 TopB    (2MB) Flash Chip ***

    - Flash Chip Window Start .... : 1fc00000
    - Flash Chip Window Length ... : 00200000
    - Selected Area Start ........ : 00000000
    - Selected Area Length ....... : 00000000



 *** REQUESTED OPERATION IS COMPLETE ***


И стирается
C:\tjtag>tjtag3 -erase:wholeflash /wiggler

==============================================
 EJTAG Debrick Utility v3.0.1 Tornado-MOD
==============================================

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom BCM6348 Rev 1 CPU chip ***

    - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... Processor Entered Debug Mode! ... Done
Clearing Watchdog ... Done

Probing Flash at (Flash Window: 0x1fc00000) ...
Done

Flash Vendor ID: 00000000000000000000000000100000 (00000020)
Flash Device ID: 00000000000000000010001011000100 (000022C4)
*** Found a ST M29W160ET 1Mx16 TopB    (2MB) Flash Chip ***

    - Flash Chip Window Start .... : 1fc00000
    - Flash Chip Window Length ... : 00200000
    - Selected Area Start ........ : 1fc00000
    - Selected Area Length ....... : 00200000

*** You Selected to Erase the WHOLEFLASH.BIN ***

=========================
Erasing Routine Started
=========================
Total Blocks to Erase: 35

Erasing block: 1 (addr = 1fc00000)...Done
Erasing block: 2 (addr = 1fc10000)...Done
Erasing block: 3 (addr = 1fc20000)...Done
Erasing block: 4 (addr = 1fc30000)...Done
Erasing block: 5 (addr = 1fc40000)...Done
Erasing block: 6 (addr = 1fc50000)...Done
Erasing block: 7 (addr = 1fc60000)...Done
Erasing block: 8 (addr = 1fc70000)...Done
Erasing block: 9 (addr = 1fc80000)...Done
Erasing block: 10 (addr = 1fc90000)...Done
Erasing block: 11 (addr = 1fca0000)...Done
Erasing block: 12 (addr = 1fcb0000)...Done
Erasing block: 13 (addr = 1fcc0000)...Done
Erasing block: 14 (addr = 1fcd0000)...Done
Erasing block: 15 (addr = 1fce0000)...Done
Erasing block: 16 (addr = 1fcf0000)...Done
Erasing block: 17 (addr = 1fd00000)...Done
Erasing block: 18 (addr = 1fd10000)...Done
Erasing block: 19 (addr = 1fd20000)...Done
Erasing block: 20 (addr = 1fd30000)...Done
Erasing block: 21 (addr = 1fd40000)...Done
Erasing block: 22 (addr = 1fd50000)...Done
Erasing block: 23 (addr = 1fd60000)...Done
Erasing block: 24 (addr = 1fd70000)...Done
Erasing block: 25 (addr = 1fd80000)...Done
Erasing block: 26 (addr = 1fd90000)...Done
Erasing block: 27 (addr = 1fda0000)...Done
Erasing block: 28 (addr = 1fdb0000)...Done
Erasing block: 29 (addr = 1fdc0000)...Done
Erasing block: 30 (addr = 1fdd0000)...Done
Erasing block: 31 (addr = 1fde0000)...Done
Erasing block: 32 (addr = 1fdf0000)...Done
Erasing block: 33 (addr = 1fdf8000)...Done
Erasing block: 34 (addr = 1fdfa000)...Done
Erasing block: 35 (addr = 1fdfc000)...Done
=========================
Erasing Routine Complete
=========================
elapsed time: 28 seconds


 *** REQUESTED OPERATION IS COMPLETE ***


И записывается
C:\tjtag>tjtag3 -flash:cfe /wiggler

==============================================
 EJTAG Debrick Utility v3.0.1 Tornado-MOD
==============================================

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom BCM6348 Rev 1 CPU chip ***

    - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... Processor Entered Debug Mode! ... Done
Clearing Watchdog ... Done

Probing Flash at (Flash Window: 0x1fc00000) ...
Done

Flash Vendor ID: 00000000000000000000000000100000 (00000020)
Flash Device ID: 00000000000000000010001011000100 (000022C4)
*** Found a ST M29W160ET 1Mx16 TopB    (2MB) Flash Chip ***

    - Flash Chip Window Start .... : 1fc00000
    - Flash Chip Window Length ... : 00200000
    - Selected Area Start ........ : 1fc00000
    - Selected Area Length ....... : 00040000

*** You Selected to Flash the CFE.BIN ***

=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 4

Erasing block: 1 (addr = 1fc00000)...Done
Erasing block: 2 (addr = 1fc10000)...Done
Erasing block: 3 (addr = 1fc20000)...Done
Erasing block: 4 (addr = 1fc30000)...Done

Loading CFE.BIN to Flash Memory...
[  0% Flashed]   1fc00000: 78020010 00000000 00000000 00000000
[  0% Flashed]   1fc00010: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00020: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00030: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00040: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00050: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00060: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00070: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00080: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00090: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc000a0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc000b0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc000c0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc000d0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc000e0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc000f0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00100: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00110: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00120: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00130: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00140: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00150: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00160: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00170: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00180: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00190: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc001a0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc001b0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc001c0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc001d0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc001e0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc001f0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00200: 56030010 00000000 00000000 00000000
[  0% Flashed]   1fc00210: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00220: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00230: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00240: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00250: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00260: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00270: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00280: 41030010 10001a24 00000000 00000000
[  0% Flashed]   1fc00290: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc002a0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc002b0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc002c0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc002d0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc002e0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc002f0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00300: 23030010 00000000 00000000 00000000
[  0% Flashed]   1fc00310: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00320: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00330: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00340: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00350: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00360: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00370: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00380: 05030010 20001a24 00000000 00000000
[  0% Flashed]   1fc00390: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc003a0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc003b0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc003c0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc003d0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc003e0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc003f0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00400: e7020010 28001a24 00000000 00000000
[  0% Flashed]   1fc00410: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00420: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00430: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00440: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00450: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00460: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00470: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00480: c9020010 30001a24 00000000 00000000
[  0% Flashed]   1fc00490: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc004a0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc004b0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc004c0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc004d0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc004e0: 31454643 31454643 00000000 00000000
[  0% Flashed]   1fc004f0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00500: ac020010 00000000 31454643 31454643
[  0% Flashed]   1fc00510: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00520: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00530: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00540: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00550: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00560: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00570: 2d656663 25000176 00000501 00000000
[  0% Flashed]   1fc00580: 02000000 00000000 00000000 00000000
[  0% Flashed]   1fc00590: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc005a0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc005b0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc005c0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc005d0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc005e0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc005f0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00600: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00610: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00620: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00630: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00640: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00650: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00660: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00670: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00680: 00000000 34333639 412d5238 00000000
[  0% Flashed]   1fc00690: 00000000 00000000 00000000 0b000000
[  0% Flashed]   1fc006a0:


... и останавливается на адресе 1fc006a0, но с ключем /bypass операция выполняется до конца
C:\tjtag>tjtag3 -flash:cfe /wiggler /bypass


Проверим теперь UrJTAG в режиме PrAcc
UrJTAG 0.10 #1781
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

WARNING: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable wiggler parallel 0x378
Initializing parallel port at 0x378

jtag> detect
IR length: 5
Chain length: 1
Device Id: 00000110001101001000000101111111 (0x000000000634817F)
  Manufacturer: Broadcom
  Part(0):         BCM6348
  Stepping:     Rev 1
  Filename:     /usr/local/share/urjtag/broadcom/bcm6348/bcm6348

jtag> initbus ejtag
ImpCode=00000000100000000000100100000100 00800904
EJTAG version: <= 2.0
EJTAG Implementation flags: R4k DMA MIPS32
Processor entered Debug Mode.

jtag> print
 No. Manufacturer              Part                 Stepping Instruction  Register
------------------------------------------------------------------------------------------------------------------
   0 Broadcom                  BCM6348              Rev 1    EJTAG_DATA  EJDATA

Active bus:
*0: EJTAG compatible bus driver via PrAcc (JTAG part No. 0)
        start: 0x00000000, length: 0x20000000, data width: 8 bit
        start: 0x20000000, length: 0x20000000, data width: 16 bit
        start: 0x40000000, length: 0x20000000, data width: 32 bit

jtag> dr
00100000000000000000000000011110

jtag> readmem 0x1fc00000 0x00010000 /cfe.dump
address: 0x1FC00000
length:  0x00010000
reading:
addr: 0x1FC10000
Done.
$ dump cfe.dump | grep CFE
000004e0  4346 4531 4346 4531 0000 0000 0000 0000 CFE1CFE1........
00000500  1000 02ac 0000 0000 4346 4531 4346 4531 ...,....CFE1CFE1

jtag> detectflash 0x1fc00000
dev ID=0000   man ID=0010
amd_detect: mid 10, did 0
Flash not found!

jtag> detectflash 0x3fc00000
Query identification string:
        Primary Algorithm Command Set and Control Interface ID Code: 0x0002 (AMD/Fujitsu Standard Command Set)
        Alternate Algorithm Command Set and Control Interface ID Code: 0x0000 (null)
Query system interface information:
        Vcc Logic Supply Minimum Write/Erase or Write voltage: 2700 mV
        Vcc Logic Supply Maximum Write/Erase or Write voltage: 3600 mV
        Vpp [Programming] Supply Minimum Write/Erase voltage: 0 mV
        Vpp [Programming] Supply Maximum Write/Erase voltage: 0 mV
        Typical timeout per single byte/word program: 16 us
        Typical timeout for maximum-size multi-byte program: 0 us
        Typical timeout per individual block erase: 1024 ms
        Typical timeout for full chip erase: 0 ms
        Maximum timeout for byte/word program: 256 us
        Maximum timeout for multi-byte program: 0 us
        Maximum timeout per individual block erase: 8192 ms
        Maximum timeout for chip erase: 0 ms
Device geometry definition:
        Device Size: 2097152 B (2048 KiB, 2 MiB)
        Flash Device Interface Code description: 0x0002 (x8/x16)
        Maximum number of bytes in multi-byte program: 1
        Number of Erase Block Regions within device: 4
        Erase Block Region Information:
                Region 0:
                        Erase Block Size: 16384 B (16 KiB)
                        Number of Erase Blocks: 1
                Region 1:
                        Erase Block Size: 8192 B (8 KiB)
                        Number of Erase Blocks: 2
                Region 2:
                        Erase Block Size: 32768 B (32 KiB)
                        Number of Erase Blocks: 1
                Region 3:
                        Erase Block Size: 65536 B (64 KiB)
                        Number of Erase Blocks: 31
Primary Vendor-Specific Extended Query:
        Major version number: 1
        Minor version number: 0
        Address Sensitive Unlock: Required
        Erase Suspend: Read/write
        Sector Protect: 1 sectors per group
        Sector Temporary Unprotect: Not supported
        Sector Protect/Unprotect Scheme: 29BDS640 mode (Software Command Locking)
        Simultaneous Operation: Not supported
        Burst Mode Type: Supported
        Page Mode Type: Not supported

jtag> readmem 0x3fc00000 0x0000200 /cfi.dump
address: 0x3FC00000
length:  0x00000200
reading:
addr: 0x3FC00200
Done.
$ hexdump -Cv cfi.dump
00000000  00 20 22 c4 ff ff ff ff  00 43 00 00 00 00 00 00  |. "......C......|
00000010  00 00 ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000020  00 51 00 52 00 59 00 02  00 00 00 40 00 00 00 00  |.Q.R.Y.....@....|
00000030  00 00 00 00 00 00 00 27  00 36 00 00 00 00 00 04  |.......'.6......|
00000040  00 00 00 0a 00 00 00 04  00 00 00 03 00 00 00 15  |................|
00000050  00 02 00 00 00 00 00 00  00 04 00 00 00 00 00 40  |...............@|
00000060  00 00 00 01 00 00 00 20  00 00 00 00 00 00 00 80  |....... ........|
00000070  00 00 00 1e 00 00 00 00  00 01 ff ff ff ff ff ff  |................|
00000080  00 50 00 52 00 49 00 31  00 30 00 00 00 02 00 01  |.P.R.I.1.0......|
00000090  00 01 00 04 00 00 00 00  00 00 00 50 00 34 00 43  |...........P.4.C|
000000a0  00 43 00 41 00 32 00 45  00 57 00 53 41 14 ff ff  |.C.A.2.E.W.SA...|
000000b0  ff ff ff ff ff ff ff ff  ff ff 00 4d 00 54 00 45  |...........M.T.E|
000000c0  00 5f 17 31 3c 48 6e 4a  54 59 ff ff ff ff 00 30  |._.1(HnJTY.....0|
000000d0  00 36 00 36 ff ff ff ff  ff ff ff ff ff ff ff ff  |.6.6............|
000000e0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
000000f0  ff ff 00 17 00 0c ff ff  ff ff ff ff ff ff ff ff  |................|
00000100  00 04 ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000110  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff 00 03  |................|
00000120  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000130  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000140  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000150  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000160  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000170  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000180  ff ff ff ff 00 53 00 54  00 4d 00 35 00 10 00 1d  |.....S.T.M.5....|
00000190  00 1f 00 32 0e 62 ff ff  00 6a ff ff ff ff ff ff  |...2.b...j......|
000001a0  32 22 20 08 00 38 ff ff  ff ff ff ff ff ff ff ff  |2" ..8..........|
000001b0  ff ff ff ff ff ff ff ff  ff ff ff ff 00 00 00 00  |................|
000001c0  00 00 00 00 00 00 ff ff  ff ff ff ff ff ff ff ff  |................|
000001d0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
000001e0  ff ff ff ff ff ff ff ff  00 4d 00 4c 00 4c 00 4c  |.........M.L.L.L|
000001f0  00 4c ff ff ff ff 00 0d  aa 55 ff ff aa ac aa 55  |.L.......U.....U|
00000200

Считанный, записанный и рассмотренный дамп файла cfi.dump представляет собой специальную область флеш памяти, которая, согласно [25] и [26], содержит информацию о вендоре и типе микросхемы (выделено оранжевым маркером), технические параметры интерфейса CFI, геометрии флеш памяти. Эта специальная область памяти носит название "Electronic Databook". Идентифицировать ее можно по ASCII стрингу “QRY“ (выделено желтым маркером).

Ниже описание всех полей "Electronic Databook" для микросхемы ST M29W160ET [27].
Address (hex) Data x16 (hex) Description Value
00 0020 Flash Vendor ID STMicroelectronics
01 22c4 Flash Device ID M29W160ET
02 ffff
03 ffff
04 0043
05 0000
06 0000
07 0000
08 0000
09 ffff
0a ffff
0b ffff
0c ffff
0d ffff
0e ffff
0f ffff
10 0051 Query Unique ASCII String "QRY" Q
11 0052 R
12 0059 Y
13 0002 Primary Algorithm Command Set and Control Interface ID code 16 bit ID code defining a specific algorithm 2 - AMD Compatible
14 0000
15 0040 Address for Primary Algorithm extended Query table (ASCII String "PRI") P = 40h
16 0000
17 0000 Alternate Vendor Command Set and Control Interface ID Code second vendor - specified algorithm supported NA
18 0000
19 0000 Address for Alternate Algorithm extended Query table NA
1a 0000
1b 0027 VCC Logic Supply Minimum Program/Erase voltage 2,7V
1c 0036 VCC Logic Supply Maximum Program/Erase voltage 3,6V
1d 0000 VPP [Programming] Supply Minimum Program/Erase voltage NA
1e 0000 VPP [Programming] Supply Maximum Program/Erase voltage NA
1f 0004 Typical timeout per single Byte/Word program = 2n μs 16μs
20 0000 Typical timeout for minimum size write buffer program = 2n μs NA
21 000a Typical timeout per individual block erase = 2n ms 1s
22 0000 Typical timeout for full chip erase = 2n ms NA
23 0004 Maximum timeout for Byte/Word program = 2n times typical 256μs
24 0000 Maximum timeout for write buffer program = 2n times typical NA
25 0003 Maximum timeout per individual block erase = 2n times typical 8s
26 0000 Maximum timeout for chip erase = 2n times typical NA
27 0015 Device Size = 2n in number of Bytes 2 MByte
28 0002 Flash Device Interface Code description x8, x16 Async.
29 0000
2a 0000 Maximum number of Bytes in multi-Byte program or page = 2n NA
2b 0000
2c 0004 Number of Erase Block Regions within the device. It specifies the number of regions within the device containing contiguous Erase Blocks of the same size 4
2d 0000 Region 1 Information. Number of identical size erase block = 0000h+1 1
2e 0000
2f 0040 Region 1 Information. Block size in Region 1 = 0040h * 256 Byte 16 KByte
30 0000
31 0001 Region 2 Information. Number of identical size erase block = 0001h+1 2
32 0000
33 0020 Region 2 Information. Block size in Region 2 = 0020h * 256 Byte 8 KByte
34 0000
35 0000 Region 3 Information. Number of identical size erase block = 0000h+1 1
36 0000
37 0080 Region 3 Information. Block size in Region 3 = 0080h * 256 Byte 32 KByte
38 0000
39 001e Region 4 Information. Number of identical-size erase block = 001Eh+1 31
3a 0000
3b 0000 Region 4 Information. Block size in Region 4 = 0100h * 256 Byte 64 KByte
3c 0001
3d ffff
3e ffff
3f ffff



Ссылки


1. OpenWRT
http://www.openwrt.com/
2. Описание, документация и прошивки USR9107 на официальном сайте USRobotics
http://www.usr.com/support/product-template.asp?prod=9107
3. USRobotics USR9108 serial console access
http://blog.dvl.pl/article/2009/09/14/usr9108-serial-console/
4. EJTAG Specification, Revision 2.60
http://pvtridvs.net/pool/docs/mips/MD00047-2B-EJTAG-SPC-02.60.pdf
5. EJTAG Specification, Revision 3.10
http://downloads.buffalo.nas-central.org/LS2_MIPSel/DevelopmentTools/JTAG/MD00047-2B-EJTAG-SPC-03.10.pdf
6. ByteBlasterMV устройство загрузки конфигурации ПЛИС фирмы Altera
http://www.altera.ru/cgi-bin/go?35
7. ByteBlaster II Download Cable User Guide
http://www.altera.com/literature/ug/ug_bbii.pdf
8. Parallel Download Cable III (DLC 5)
http://www.xilinx.com/itp/xilinx4/data/docs/pac/appendixb.html
9. Wiggler JTAG for MIPS CPU
http://adm5120.narod.ru/ejtag-adm5120.htm
10. The Wiggler interface
http://www.macraigor.com/wiggler.htm
11. Работа с LPT под Win 2000, XP: драйвер GiveIO.sys
http://www.pcports.ru/articles/3.php
12. ioperm support for Cygwin
http://openwince.sourceforge.net/ioperm/
13. Работа с программой EJTAG Tiny Tools
http://forum.tele-sat.ru/showthread.php?t=1236
14. Руководство по использованию EJTAG Tiny Tools CPLD
http://www.raduga.asia/ejtag_cpld.htm
15. Сайт автора EJTAG Tiny Tools
http://icegsm.narod.ru/
16. Broadcom EJTAG Debrick Utility by hugebird
http://www.chinadsl.net/viewthread.php?tid=44959
17. UrJTAG
http://www.urjtag.org/
18. Michael V. Pudeev - Подключение JTAG на D-Link DSL-2640U
http://pudeev.livejournal.com/33915.html
19. Все о midge и ADM5120
http://midge.vlad.org.ua/wiki/
20. Реанимация D-link DSL-2500U/BRU/D H/W Ver. D1
http://adslhw.pskov.ru/
21. Sinus 1054 DSL
http://sites.google.com/site/zigfisher/Home/sinus-1054-dsl
22. Open On-Chip Debugger
http://openocd.berlios.de/web/
23. FCC-ID Federal Communications Commission (Федеральная комиссия по связи США)
http://www.fcc.gov/oet/ea/fccid/
24. MIPS (архитектура)
http://ru.wikipedia.org/wiki/MIPS_(архитектура)
25. Common Flash Memory Interface Specification Release 2.0
http://www.amd.com/us-en/assets/content_type/DownloadableAssets/cfi_r20.pdf
26. Common Flash Memory Interface Specification Revision 03
http://www.spansion.com/Support/AppNotes/CFI_Spec_AN_03.pdf
27. M29W160ET Datasheet
http://www.chipfind.ru/datasheet/pdf/stmicroelectronics/m29w160et.pdf
28. Пример использования JTAG на ADM5120
http://adm5120.narod.ru/ejtag_work.htm