The development of a replacement bootloader for the 2Wire 2701HGV-C allows us to experiment to discover the secrets within the 2Wire Ares CPU.
Inside a TriMedia CPU, in addition to the TM32 core(s), are a number of “modules” contained in “chiplets”.
One module contains the DRAM controller, another holds the JTAG controller, there’s a boot module, a module for the PCI/XIO (flash) controller, and so on.
Each of those modules is accessed through the MMIO address space of the CPU. In the 2Wire Ares, the MMIO space is a 2MByte aperture bounded by the address range [ 0x1be0 0000 to 0x1bff ffff ].
Each CPU module has its own slice of that MMIO address space. At a minimum, a module has a 4kByte sub-aperture where the control and status registers for the module are mapped.
A special register is found at offset 0xffc in the MMIO aperture of every module. This is the module’s ‘identifier register’. Peeking it will report the ID of the module.
Peeking every MMIO address ending in 0xffc should, in theory, identify every module in a 2Wire CPU by its 16-bit module ID.
From this peeking experiment the following modules are identified in the 2Wire Ares, the CPU that drives the 2701HGV-C:
(grep is used to filter out the many occurrences of the hexspeak word “DEADABBA”. This word indicates that an MMIO region is unused. “00000000″ likely means the same).
asbokid@u50si1:~/asboboot$ grep -viE 'DEADABBA|00000000' discoveredmodules.txt 1be08ffc = 00000029 1be40ffc = 01130100 1be41ffc = 01160000 1be42ffc = 010a1000 1be47ffc = 01082000 1be4dffc = 01280000 1be4effc = 010b0000 1be60ffc = 01230000 1be61ffc = 01270000 1be64ffc = 0124009b 1bf00ffc = 2b802001
The CPU module identifier is a 32-bit word:
Bits 31:16 hold the module ID number
Bits 15:12 hold the major revision number of the module
Bits 11:8 hold the minor revision number of the module
Bits 7:0 hold the aperture size (0 = 4kByte, 1 = 8kB, 2 = 12kB, etc.)
This information can be used to identify the following modules in the 2Wire Ares CPU:
NULL Module ID 0x0000 (Rev.0.0) of 0x29 size with MMIO offset 0x00,8000 PCI/XIO Module ID 0x0113 (Rev.0.1) of 4kB size with MMIO offset 0x04,0000 SPY M-ARC Module ID 0x0116 (Rev.0.0) of 4kB size with MMIO offset 0x04,1000 BOOT Module ID 0x010a (Rev.1.0) of 4kB size with MMIO offset 0x04,2000 CLOCK Module ID 0x0108 (Rev.2.0) of 4kB size with MMIO offset 0x04,7000 GLOBAL2 Module ID 0x0128 (Rev.0.0) of 4kB size with MMIO offset 0x04,d000 MPBC Module ID 0x010b (Rev.0.0) of 4kB size with MMIO offset 0x04,e000 RESET Module ID 0x0123 (Rev.0.0) of 4kB size with MMIO offset 0x06,0000 TM32 JTAG Module ID 0x0127 (Rev.0.0) of 4kB size with MMIO offset 0x06,1000 MPI NULL Module ID 0x0124 (Rev.0.0) of 0x9b size with MMIO offset 0x06,4000 TM32 CORE Module ID 0x2b80 (Rev.2.0) of 8kB size with MMIO offset 0x10,0000
We can cross-reference those apertures and IDs with the public documentation for the closely-related Philips PNX15xx/PNX95xx and the PNX852x CPU series: [1] [2] [3]
UPDATE #1:
This probing provides strong evidence that the 2Wire Ares has its origins in a dual core architecture. The cores would be a MIPS32 and a TriMedia TM32.
The ‘fingerprints’ of a MIPS32 core once upon a time being in the Ares include:
- a module with the same ID as a MIPS Peripheral Interface Bus Controller (0x010b)
- a module with the same ID as a MPI Null Module (0×0124)
- a bootscript write command to the MMIO(RST_CTL) reset control register for the MIPS32
- memory map layout with DRAM shadowed at 0×4000,0000 (for a MIP32 with the TLB disabled)
However, we would also expect to find a MIPS-standard EJTAG module in the CPU, and some commands in the bootscripts which write to MMIO registers to configure the MIPS architecture. Yet those things have not been found.
It is possible that the TM32 core has been disabled from accessing an EJTAG module (if present) and disabled from accessing any other units attached to the MIPS PI bus.
Peripheral access can be disabled by setting the CPU Protection Registers in the GLOBAL2 module. In theory, TM32 access to all MPI devices (and TPI devices) can be re-enabled by writing to the GLOBAL2 registers MMIO(0x04d000) and MMIO(0x04d004).
UPDATE #2:
Those two commands have been added to the boot scripts to make all modules attached to the MPI bus and the TPI bus visible and accessible to the TM32 core:
# enable TM32 access to all modules attached to the MIPS PI bus # MMIO(TM_OWNED_M_PI) = ffffffff echo -n -e "\x00\xd0\xe4\x1b\xff\xff\xff\xff" >> asbo005_2701hgv-c_bootrom.bin # enable TM32 access to all modules attached to the TM32 PI bus # MMIO(TM_OWNED_T_PI) = ffffffff echo -n -e "\x04\xd0\xe4\x1b\xff\xff\xff\xff" >> asbo005_2701hgv-c_bootrom.bin
Disappointingly, adding those bootscript commands did not reveal the presence of any more CPU modules.
What we were expecting to find is an EJTAG TAP port on the 2×7 set of header pins on the 2Wire 2701 PCB and on the card edge connectors found in other models of 2Wire.
However, the MIPS-standard EJTAG signal pins, if present, would be physically separate to the TM32 JTAG pins. The two TAPs cannot be multiplexed together.
Since we know that the header pins and card edge connectors provide a TM32 JTAG TAP, then if an EJTAG module is present in the Ares, its external lines must be located elsewhere on the board. That said, there are no indications that an EJTAG module is in the 2Wire Ares.
[1] http://www.future-mag.com/0810/docs/PNX15XX_PNX952X_SER_N_4.pdf
[2] http://www.tridentmicro.com/wp-content/uploads/2010/01/UM101041.pdf
[3] https://docs.google.com/open?id=0B6wW18mYskvBNmRiN2E4MTUtM2JhMS00MDcwLTlmZjQtM2MzNjUxYzY5MmQ1
