Menu
▾
▴
#6 EJTAG 2.0 for RTL8181
Is anyone considering adding support for EJTAG 2.0 (at least basic
flash read/write functionality, no debugging etc.) to openwince-jtag?
It would help hacking RTL8181-based WLAN devices more safely (see
http://rtl8181.sourceforge.net/\) - normally there is a bootloader in
the flash (Ethernet+serial connections needed), but if something ever
goes wrong while flashing, you have to use JTAG or unsolder the
TSOP flash chip - if you have a programmer with such a socket...
It's the MIPS EJTAG 2.0 specification (not the later 2.5), and I
couldn't find any free tools for it - just proprietary ones...
Thanks,
Marek
Logged In: YES
user_id=395402
You? :-)
Is the specification available somewhere on the net? If so,
then adding the support shouldn't be too hard.
Logged In: YES
user_id=912118
The 2.6 spec is available online from MIPS if you agree to
some legal
mumbo-jumbo. I've heard from vendors there is a lot of
differences in
implementations of EJTAG from vendor to vendor and core to core.
IIRC, MIPS EJTAG has two modes, one is "DMA" mode where the
JTAG can cause cpu bus cycles directly, the other is where
the jtag interface is used to respond to cpu memory accesses
in a special range of memory and you have to write little
bits of MIPS code to do what you want and emulate that
memory on the host side. The DMA mode is optional and not as
widely supported as the normal mode.
As for code, there is some ejtag code in the bcm1250 bus
driver that's commented out in jtag-0.5x, but I have no idea
whether it would run on a lexra mips core. There's also
some old ejtag patches to gdb for a philips mips core
floating around on sourceforge.
Logged In: YES
user_id=1341419
Some expirements with JTAG on the RTL8181:
http://www.wireless.org.au/~jhecker/rtljtag/
ManufID: 6
PartNumber: 5280
This SoC is based on the Lexra 5280 core, hence part
number. Not sure about ManufID. Is this Lexra or Realtek ?
The MIPS EJTAG is a MIPS-specific debbuging interface on
top of the conventional JTAG:
http://www.mips.com/content/Documentation/MIPSDocument
ation/EJTAG/doclibrary
Some additional links:
http://www.melbournewireless.org.au/wiki/?minitar
http://www.melbournewireless.org.au/wiki/?MinitarHacking
http://www.linux-mips.org/wiki/Lexra
http://web.archive.org/web/20010116175000/http://www.altera.
com/html/mega/m-lx-5280.html
Logged In: YES
user_id=1341419
MIPS EJTAG publication is available at the MIPS site. You
need a ~free~ registration to download it.
This publication is a mix of the v 2.0, 2.5 and 2.6. All of this
versions is a slightly different. However, all of the EJTAG-
compatible devices has IR length=5 and all of them has a
IMPCODE instruction (00011). It is possible to get a precise
EJTAG version through this instruction.
Logged In: YES
user_id=38847
I've just released a modified version of openwince-jtag
from CVS - see http://www.amelek.gda.pl/rtl8181/jtag/ .
Well tested with RTL8181; read-only tested with RTL8186,
ADM5120 and AR2312 (need volunteers with bricked boxes).
Unfortunately, it needed more changes than simply adding a
new "ejtag" bus driver. Most important is a workaround in
libbrux/flash/amd.c (amdstatus) for toggle bits not
toggling (instead of checking toggle bits, it now checks
for reading the correct data twice in a row). It seems
that at least the RTL8181 doesn't deassert flash CE/OE
between repeated reads from the same address (without any
other mamory access in between) - data changes (more and
more bits read as 1 during erase) but Q6/Q2 don't toggle.
Logged In: YES
user_id=1433140
could you provide diff file or point another files was
changed?
The openwince project is no longer active.
If this report is related to JTAG Tools, please try UrJTAG at
http://urjtag.sourceforge.net/