
Twiddling the JTAG TAP (Test Access Port)

$ sudo jtag

UrJTAG 0.10 #2017
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable usbblaster
Connected to libftdi driver.

jtag> detect
IR length: 5
Chain length: 1
Device Id: 00110010011010011011010011000001 (0x3269B4C1)
  Unknown manufacturer! (01001100000) (/usr/local/share/urjtag/MANUFACTURERS)

jtag> discover
Detecting IR length ... 5
Detecting DR length for IR 11111 ... 1
Detecting DR length for IR 00000 ... 573
Detecting DR length for IR 00001 ... 573
Detecting DR length for IR 00010 ... 32
Detecting DR length for IR 00011 ... 32
Detecting DR length for IR 00100 ... warning: TDO seems to be stuck at 0   -1
Detecting DR length for IR 00101 ... 177
Detecting DR length for IR 00110 ... 19
Detecting DR length for IR 00111 ... 1
Detecting DR length for IR 01000 ... warning: TDO seems to be stuck at 0   -1
Detecting DR length for IR 01001 ... warning: TDO seems to be stuck at 0   -1
Detecting DR length for IR 01010 ... 1
Detecting DR length for IR 01011 ... 1
Detecting DR length for IR 01100 ... 1
Detecting DR length for IR 01101 ... 1
Detecting DR length for IR 01110 ... 1
Detecting DR length for IR 01111 ... 1
Detecting DR length for IR 10000 ... 1
Detecting DR length for IR 10001 ... 32
Detecting DR length for IR 10010 ... 32
Detecting DR length for IR 10011 ... 33
Detecting DR length for IR 10100 ... 33
Detecting DR length for IR 10101 ... 2
Detecting DR length for IR 10110 ... 1
Detecting DR length for IR 10111 ... 1
Detecting DR length for IR 11000 ... 1
Detecting DR length for IR 11001 ... 1
Detecting DR length for IR 11010 ... 1
Detecting DR length for IR 11011 ... 1
Detecting DR length for IR 11100 ... 1
Detecting DR length for IR 11101 ... 1
Detecting DR length for IR 11110 ... 1

jtag> help instruction
Usage: instruction INSTRUCTION
Usage: instruction length LENGTH
Usage: instruction INSTRUCTION CODE REGISTER
Change active INSTRUCTION for a part or declare new instruction.

INSTRUCTION   instruction name (e.g. BYPASS)
LENGTH        common instruction length
CODE          instruction code (e.g. 11111)
REGISTER      default data register for instruction (e.g. BR)

jtag> instruction length 5

jtag> help register
Usage: register NAME LENGTH
Define new data register with specified NAME and LENGTH.

NAME          Data register name
LENGTH        Data register length

jtag> # now we define the registers
jtag> # we don't know their names so we will number them instead: REG00, REG01, etc.
jtag>
jtag> register REG31 1
jtag> register REG00 573
jtag> register REG01 573
jtag> register REG02 32
jtag> register REG03 32
jtag> # instruction code 04 (00100) was -1 so we ignore
jtag> register REG05 177
jtag> register REG06 19
jtag> register REG07 1
jtag> # instruction code 08 (01000) was -1 so we ignore
jtag> # instruction code 09 (01001) was -1 so we ignore
jtag> register REG10 1
jtag> register REG11 1
jtag> register REG12 1
jtag> register REG13 1
jtag> register REG14 1
jtag> register REG15 1
jtag> register REG16 1
jtag> register REG17 32
jtag> register REG18 32
jtag> register REG19 33
jtag> register REG20 33
jtag> register REG21 2
jtag> register REG22 1
jtag> register REG23 1
jtag> register REG24 1
jtag> register REG25 1
jtag> register REG26 1
jtag> register REG27 1
jtag> register REG28 1
jtag> register REG29 1
jtag> register REG30 1
jtag>
jtag> # now we define a new instruction for selecting each register
jtag>
jtag> instruction SEL_REG31 11111 REG31
jtag> instruction SEL_REG00 00000 REG00
jtag> instruction SEL_REG01 00001 REG01
jtag> instruction SEL_REG02 00010 REG02
jtag> instruction SEL_REG03 00011 REG03
jtag> # there is no instruction code 04
jtag> instruction SEL_REG05 00101 REG05
jtag> instruction SEL_REG06 00110 REG06
jtag> instruction SEL_REG07 00111 REG07
jtag> # there is no instruction code 08
jtag> # there is no instruction code 09
jtag> instruction SEL_REG10 01010 REG10
jtag> instruction SEL_REG11 01011 REG11
jtag> instruction SEL_REG12 01100 REG12
jtag> instruction SEL_REG13 01101 REG13
jtag> instruction SEL_REG14 01110 REG14
jtag> instruction SEL_REG15 01111 REG15
jtag> instruction SEL_REG16 10000 REG16
jtag> instruction SEL_REG17 10001 REG17
jtag> instruction SEL_REG18 10010 REG18
jtag> instruction SEL_REG19 10011 REG19
jtag> instruction SEL_REG20 10100 REG20
jtag> instruction SEL_REG21 10101 REG21
jtag> instruction SEL_REG22 10110 REG22
jtag> instruction SEL_REG23 10111 REG23
jtag> instruction SEL_REG24 11000 REG24
jtag> instruction SEL_REG25 11001 REG25
jtag> instruction SEL_REG26 11010 REG26
jtag> instruction SEL_REG27 11011 REG27
jtag> instruction SEL_REG28 11100 REG28
jtag> instruction SEL_REG29 11101 REG29
jtag> instruction SEL_REG30 11110 REG30
jtag>
jtag> # now we can test our register and instruction declarations.
jtag>
jtag> # first we select instruction code 02 (00010) and shift it in
jtag> # (we know from datasheet that instruction (00010) selects the IDCODE register)
jtag>
jtag> instruction SEL_REG02
jtag> shift ir
jtag>
jtag> # now we shift out its 32-bit data register
jtag> 
jtag> shift dr
jtag> 
jtag> # and view the data register
jtag> 
jtag> dr
00110010011010011011010011000001 (0x3269B4C1)
jtag> 
jtag> # we know that 0x3269b4c1 is the IDCODE for a TriMedia TM3260 CPU
jtag>
jtag> # from this we confirm instruction code 02 (00010) selects the IDCODE register
jtag> 
jtag> # now we can look at the register(s) of 573 bits. We can guess from
jtag> # the very long length that this is the Boundary Scan Register (BSR)
jtag>
jtag> ins SEL_REG00
jtag> shift ir
jtag> shift dr
jtag> dr
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111 (0x00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFF)
jtag>
jtag> # nothing meaningful scanned out there, so this must be the EXTEST instruction for
jtag> # the BSR, for writing to the register only
jtag>
jtag> # now we try the other instruction (code 00001) that manipulates that 573-bit register
jtag>  
jtag> ins sel_REG01
jtag> shift ir
jtag> shift dr
jtag> dr
00010101101110110110110101101101101001101101100001101101101110101110110110
11011011011011011011011011011011011011011011011011111111011111111111011111
01011101101101101101101101000101101101101101101101101111011011011000101000
11110101110101111101100001101000011110101101100000001000000000001100000001
00110000110110110110110110100100100100110000100100110100000000100000000001
01010000010000011011011011011000011000000000011000000000000011000011010011
01110100000000000000000000000000000000000010100000000010110110100010110101
0010010000010010010010010101010010010010000010010010010 (0x00000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000005A920924AA490492)
jtag> 
jtag> # JTAG instruction code 00001 must be the SAMPLE instruction for the BSR
jtag> # The bits shifted out are the boundary scan cell values (CPU I/O pin states)
jtag>
jtag> # If we shift out the data register again we will see some of the pin states change.
jtag> # these will be the CPU I/O pins to the main memory bus, PCI bus, etc:
jtag>
jtag> shift dr
jtag> dr
00010101101110110110110101101101101001101101100001101101101110101110110110
11011011011011011011011011011011011011011011011011111111011111111111011111
01011101101101101101101101000101101101101101101101101111011011011000101000
01000001110101111101100001101000011110101101100000001010100000001100000001
00110000110110110110110110100100100100110000100100100100000000100000000001
01010000010000011011011011011000011000000000011000000000000011000011010011
01110100000000000000000000000000000000000010100000000010110110100010110101
0010010000010010010010010101010010010010000010010010010 (0x00000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000005A920924AA490492)
jtag>
jtag> # study very closely! A few bit states have changed, e.g. spot the different
jtag> # bits at the beginning of the fourth line.
jtag>
jtag> # Those changed bits will be boundary scan cells storing state of the DRAM / PCI bus pins
jtag> # (ignore hexadecimal conversion: 0x5A920.. it is wrong)
jtag>
jtag> # One more example showing how to write to a JTAG register:
jtag>
jtag> # We know from Philips datasheet that instruction (10001) selects the DATAIN
jtag> # register of TriMedia JTAG controller
jtag>
jtag> ins SEL_REG17
jtag> shift ir
jtag> shift dr
jtag> dr
00000000000000000000000000000000 (0x00000000)
jtag>
jtag> # The DATAIN register has 0x00000000 in it, so we shift in a recognisable value:
jtag>
jtag> dr 0xcafebabe
11001010111111101011101010111110 (0xCAFEBABE)
jtag> shift dr
jtag> dr
00000000000000000000000000000000 (0x00000000)
jtag> shift dr
jtag> dr
11001010111111101011101010111110 (0xCAFEBABE)
jtag> 
jtag> # We can try that again with another memorable value
jtag>
jtag> dr 0xbabeb00b
10111010101111101011000000001011 (0xBABEB00B)
jtag> shift dr
jtag> dr
11001010111111101011101010111110 (0xCAFEBABE)
jtag> shift dr
jtag> dr
10111010101111101011000000001011 (0xBABEB00B)
jtag> 
jtag> # That example demonstrates how to write to a JTAG register
jtag>
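
The by-eye comparison of the two SAMPLE captures can be scripted. This is an added example, not part of the original session: it diffs the two 573-bit captures printed above and reports which boundary scan cells changed. The function names and the bit numbering (rightmost printed character is bit 0) are assumptions of this example.

```python
from collections import Counter

# The two 573-bit SAMPLE captures from the session above, as printed by "dr"
# (the trailing "(0x...)" conversion is left out).
SCAN_1 = """
00010101101110110110110101101101101001101101100001101101101110101110110110
11011011011011011011011011011011011011011011011011111111011111111111011111
01011101101101101101101101000101101101101101101101101111011011011000101000
11110101110101111101100001101000011110101101100000001000000000001100000001
00110000110110110110110110100100100100110000100100110100000000100000000001
01010000010000011011011011011000011000000000011000000000000011000011010011
01110100000000000000000000000000000000000010100000000010110110100010110101
0010010000010010010010010101010010010010000010010010010
"""
SCAN_2 = """
00010101101110110110110101101101101001101101100001101101101110101110110110
11011011011011011011011011011011011011011011011011111111011111111111011111
01011101101101101101101101000101101101101101101101101111011011011000101000
01000001110101111101100001101000011110101101100000001010100000001100000001
00110000110110110110110110100100100100110000100100100100000000100000000001
01010000010000011011011011011000011000000000011000000000000011000011010011
01110100000000000000000000000000000000000010100000000010110110100010110101
0010010000010010010010010101010010010010000010010010010
"""


def parse_capture(text):
    """Join a wrapped "dr" printout into one bit string.

    Anything from the first "(" onwards (the hex conversion) is dropped.
    """
    bits = "".join(text.split("(", 1)[0].split())
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("capture must consist of 0 and 1 characters")
    return bits


def transition_counts(captures):
    """Map bit index -> number of changes between consecutive captures.

    Cells that never changed are omitted.
    Assumption: the rightmost printed character is bit 0.
    """
    regs = [parse_capture(c) for c in captures]
    if len(regs) < 2:
        raise ValueError("need at least two captures to compare")
    width = len(regs[0])
    if any(len(r) != width for r in regs):
        raise ValueError("captures differ in length")
    counts = Counter()
    for prev, cur in zip(regs, regs[1:]):
        for pos, (a, b) in enumerate(zip(prev, cur)):
            if a != b:
                counts[width - 1 - pos] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    changed = transition_counts([SCAN_1, SCAN_2])
    print(f"{len(changed)} of {len(parse_capture(SCAN_1))} cells changed:")
    for bit in changed:
        print(f"  BSR bit {bit}")
```

Feeding in more than two captures separates cells that never move (straps, supplies, idle pins) from cells on active buses.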

The card edge connector on the 2Wire modem-routers (update)

The photo below shows the PCB of the 2Wire 2700HGV. On the top edge of the board is a card edge connector. The fingers of the connector are terminals for a JTAG TAP port and i2c bus:

2700HGV annotated PCB

1.0mm (.039") contact centres (pitch) - Sullins 1600 series card edge connector

bottom side of edge connector

“Parallel”, another eyeballer of 2Wire PCBs, has his beady eye on the card edge connector of the 2Wire 3801HGV. This device is supplied by AT&T as the CPE for its U-Verse FTTC product. [1]

The 3801HGV is a VDSL2 modem, apparently with a dual core TM32 processor, possibly the Trimedia Denali or the 2Wire-branded Diablo. [2]

The connector is also found on the 3801 (photo from dslreports.com)

bottom view of the 3801 edge card connector (dslreports.com)

UPDATE:

A suitable card edge connector has been obtained for the 2Wire devices. It is the Sullins component GCE08DHRN. More information at [3].

The full pinout for the card edge connector is now documented. See [4].

[1] http://www.dslreports.com/forum/r26213976-
[2] http://www.dslreports.com/forum/r25425661-
[3] http://hackingbtbusinesshub.wordpress.com/2011/12/20/rejoice-the-card-edge-connector-has-arrived/
[4] http://hackingbtbusinesshub.wordpress.com/2012/01/16/discovering-2wire-card-edge-pinout-for-jtag-i2c/

2701 JTAG connection (updated #2)

An Altera USBBlaster JTAG programmer hooked to the 2701HGV-C

root@core2quad:~/# jtag
UrJTAG 0.10 #1995
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007,2008,2009 Kolja Waschk and respective authors

warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable usbblaster
Connected to libftdi driver.

jtag> detect
IR length: 5
Chain length: 1
Device Id: 00110010011010011011010011000001 (0x3269B4C1)
Unknown manufacturer! (01001100000) (~/urjtag/MANUFACTURERS)

jtag>

Good stuff!

The device isn’t immediately recognised by the UrJTAG tool but the output proves nevertheless that the 2701HGV JTAG pinout is spot on.

Kudos go to hackers Ray “Revs-Per-Min” Haverfield, Troy “tjm08” Mueller and “Smiggy” of the Ozzie Whirlpool forum who discovered and documented it.

UPDATE#1:

root@core2quad:~/# jtag
UrJTAG 0.10 #1995
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007,2008,2009 Kolja Waschk and respective authors

warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable usbblaster
Connected to libftdi driver.

jtag> detect
IR length: 5
Chain length: 1
Device Id: 00110010011010011011010011000001 (0x3269B4C1)
  Manufacturer: 2Wire (0x4C1)
  Part(0):      Ares (0x269B)
  Stepping:     Rev 3
  Filename:     /usr/local/share/urjtag/2wire/ares/ares

jtag> print
 No. Manufacturer      Part    Stepping   Instruction       Register
---------------------------------------------------------------------
   0 2WIRE             ARES    Rev 3      SAMPLE/PRELOAD    BSR

jtag> discover
Detecting IR length ... 5
Detecting DR length for IR 11111 ... 1
Detecting DR length for IR 00000 ... -1
Detecting DR length for IR 00001 ... 573
Detecting DR length for IR 00010 ... 32
Detecting DR length for IR 00011 ... 32
Detecting DR length for IR 00100 ... warning: TDO seems stuck at 0 -1
Detecting DR length for IR 00101 ... 177
Detecting DR length for IR 00110 ... 19
Detecting DR length for IR 00111 ... 1
Detecting DR length for IR 01000 ... warning: TDO seems stuck at 0 -1
Detecting DR length for IR 01001 ... warning: TDO seems stuck at 0 -1
Detecting DR length for IR 01010 ... 1
Detecting DR length for IR 01011 ... 1
Detecting DR length for IR 01100 ... 1
Detecting DR length for IR 01101 ... 1
Detecting DR length for IR 01110 ... 1
Detecting DR length for IR 01111 ... 1
Detecting DR length for IR 10000 ... 1
Detecting DR length for IR 10001 ... 32
Detecting DR length for IR 10010 ... 32
Detecting DR length for IR 10011 ... 33
Detecting DR length for IR 10100 ... 33
Detecting DR length for IR 10101 ... 2
Detecting DR length for IR 10110 ... 1
Detecting DR length for IR 10111 ... 1
Detecting DR length for IR 11000 ... 1
Detecting DR length for IR 11001 ... 1
Detecting DR length for IR 11010 ... 1
Detecting DR length for IR 11011 ... 1
Detecting DR length for IR 11100 ... 1
Detecting DR length for IR 11101 ... 1
Detecting DR length for IR 11110 ... 1

jtag>

The discoveries shown above can be used in conjunction with the Nexperia data book [3] to provide us with JTAG register and instruction declarations for the TM32 JTAG DEBUG module.
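
Before the data book supplies real names, placeholder declarations can be generated straight from the discover output. This is an added example, not from the original post or from UrJTAG: it derives each register and instruction name from the instruction code itself, so a declaration cannot end up with the wrong code or length. The REGnn / SEL_REGnn naming and the function names are this example's own, and the sample input is an excerpt of the discover output above.

```python
import re

IR_LEN = re.compile(r"Detecting IR length \.\.\. (\d+)")
# The DR length is the last number on the line; a "TDO seems stuck" warning
# may sit between the dots and the number.
DR_LEN = re.compile(r"Detecting DR length for IR ([01]+) \.\.\. .*?(-?\d+)\s*$")

# Excerpt of the discover output shown above (not the full listing).
SAMPLE = """\
Detecting IR length ... 5
Detecting DR length for IR 11111 ... 1
Detecting DR length for IR 00000 ... -1
Detecting DR length for IR 00001 ... 573
Detecting DR length for IR 00010 ... 32
Detecting DR length for IR 00100 ... warning: TDO seems stuck at 0 -1
Detecting DR length for IR 00111 ... 1
Detecting DR length for IR 10101 ... 2
"""


def parse_discover(text):
    """Return (ir_length, {instruction_code: dr_length}) from discover output."""
    ir_len, regs = None, {}
    for line in text.splitlines():
        m = IR_LEN.search(line)
        if m:
            ir_len = int(m.group(1))
            continue
        m = DR_LEN.search(line)
        if m:
            code, length = m.group(1), int(m.group(2))
            if ir_len is not None and len(code) != ir_len:
                raise ValueError(f"code {code} does not match IR length {ir_len}")
            regs[code] = length
    if ir_len is None:
        raise ValueError("no 'Detecting IR length' line found")
    return ir_len, regs


def declarations(text):
    """Build UrJTAG 'register' and 'instruction' commands, one pair per code.

    Codes whose DR length could not be detected (-1) become a comment line.
    """
    ir_len, regs = parse_discover(text)
    out = [f"instruction length {ir_len}"]
    for code in sorted(regs):  # equal-width binary strings sort numerically
        length = regs[code]
        if length < 1:
            out.append(f"# instruction code {code}: no DR length detected, skipped")
            continue
        name = f"REG{int(code, 2):02d}"
        out.append(f"register {name} {length}")
        out.append(f"instruction SEL_{name} {code} {name}")
    return out


if __name__ == "__main__":
    print("\n".join(declarations(SAMPLE)))
```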

root@core2quad:~/# cat /usr/local/share/urjtag/MANUFACTURERS
#
# $Id: MANUFACTURERS 1827 2010-08-16 20:07:33Z vapier $
#
# Manufacturer ID database
# Copyright (C) 2002 ETC s.r.o.
#
# Written by Marcel Telka, 2002.
# Amended by asbokid, 2011.
#
# Documentation:
# [1] JEDEC Solid State Tech. Assoc., "Standard Manufacturer's
#     Identification Code", September 2001, Order Number: JEP106-K
#

# bits 11-1 of the Device Identification Register
00000000110	lexra		Lexra
00000000111	hitachi		Hitachi
00000001001	intel		Intel
00000001110	freescale	Freescale (Motorola)
00000010101	philips		Philips Semi. (Signetics)
00000010111	ti		Texas Instruments
00000011000	toshiba		Toshiba
00000011111	atmel		Atmel
00000100001	lattice		Lattice Semiconductors
00000100100	ibm		IBM Semiconductors
00000110100	cypress		Cypress
00000110101	dec             DEC
00001001001	xilinx		Xilinx
00001100101	analog		Analog Devices, Inc.
00001101110	altera		Altera
00010101011	lattice		Lattice Semiconductors
00010111111	broadcom	Broadcom
00011100101	analog		Analog Devices, Inc.
00101010000	broadcom	Broadcom     # or "Sibyte, Inc." ?
00101110000	brecis		Brecis (PMC-Sierra)
00111101001	marvell		Marvell
00110101011	marvell		Marvell
# collides with other ARM-based chips
#11110000111	arm  		ARM
01001100000	2wire		2Wire

root@core2quad:~/# mkdir -p /usr/local/share/urjtag/2wire/ares

root@core2quad:~/# touch /usr/local/share/urjtag/2wire/PARTS

root@core2quad:~/# cat /usr/local/share/urjtag/2wire/PARTS
#
# $Id: PARTS ares 2011-09-19 19:12:46Z asbokid $
#
# Written by asbokid
#
#
# bits 27-12 of the Device Identification Register
0010011010011011	ares		Ares

root@core2quad:~/# touch /usr/local/share/urjtag/2wire/ares/STEPPINGS

root@core2quad:~/# cat /usr/local/share/urjtag/2wire/ares/STEPPINGS
#
# $Id: STEPPINGS ares 2011-09-19 19:12:46Z asbokid $
#
# Written by asbokid
#
# Documentation:
# [1] NXP, "Nexperia PNX15xx/952x Series Data Book",Rev.4.0,12/2007
#
# bits 31-28 of the Device Identification Register
0011	ares	Rev 3

root@core2quad:~/# touch /usr/local/share/urjtag/2wire/ares/ares

root@core2quad:~/# cat /usr/local/share/urjtag/2wire/ares/ares
#
# $Id: ares 2011-09-19 19:12:46Z asbokid $
#
# JTAG declarations for 2Wire Ares - Trimedia TM32 core
#
# Written by asbokid
#
# Documentation:
# [1] NXP, Chapter 24 ,"Nexperia PNX15xx/952x Series Data Book",
#     Rev. 4.0, 12/2007
#

register	BR		1
register	BSR		573
register	DIR		32

# The TM32 has two 32-bit JTAG data registers, DATAIN and DATAOUT
# and two 8-bit JTAG control registers, CTRL1 and CTRL2.
# See 24-753 in [1]
#
# The JTAG CTRL registers are used for handshaking between a debug
# monitor running on a TM3260 CPU and a debugging front-end running
# on a host.
#
# The JTAG registers live in MMIO space where they are accessible by
# the debug monitor.
#
# The registers IFULLIN and OFULLOUT are virtual registers.
#
# IFULLIN is formed from connecting in series CTRL2.ifull and DATAIN
# OFULLOUT is formed from connecting CTRL1.ofull and DATAOUT
#
# The reason for the virtual registers is to shorten the scan time.
# See 24-755 in [1]
#
# The CTRL1.sleepless bit no longer has a function. See 24-755 in [1]

register	DATAIN		32
register	DATAOUT		32

register	CTRL1		8
register	CTRL2		8

register	IFULLIN		33
register	OFULLOUT	33

instruction length 5

instruction	EXTEST		00000	BSR
instruction	BYPASS		11111	BR
instruction	SAMPLE/PRELOAD	00001	BSR
instruction	IDCODE		00010	DIR

instruction	DATA_IN		10001	DATAIN
instruction	DATA_OUT	10010	DATAOUT
instruction	IFULL_IN	10011	IFULLIN
instruction	OFULL_OUT	10100	OFULLOUT
instruction	CTL1		10101	CTRL1
instruction	CTL2		10110	CTRL2

root@core2quad:~/#

The declarations above are in a tarball at [4].
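
How the Device Id 0x3269B4C1 splits into the three keys used by the MANUFACTURERS, PARTS and STEPPINGS files above, as an added example (not the author's or UrJTAG's code). The function names and the simplified file lookup are assumptions of this example; the sample database lines are copied from the listing above.

```python
IDCODE = 0x3269B4C1  # Device Id reported by "detect" above

# Two entries copied from the MANUFACTURERS listing above, before the 2Wire
# line was added.
STOCK_DB = """\
# bits 11-1 of the Device Identification Register
00000010101\tphilips\t\tPhilips Semi. (Signetics)
00001101110\taltera\t\tAltera
"""


def decode_idcode(idcode):
    """Return the IDCODE fields; bit strings are MSB first."""
    if not 0 <= idcode <= 0xFFFFFFFF:
        raise ValueError("IDCODE is a 32-bit value")
    if idcode & 1 == 0:
        # IEEE 1149.1 fixes bit 0 of the device ID register at 1. A 0 means
        # a bypass bit was read instead of an IDCODE.
        raise ValueError("bit 0 must be 1 for a valid IDCODE")
    bits = f"{idcode:032b}"
    return {
        "stepping": bits[0:4],         # bits 31-28
        "part": bits[4:20],            # bits 27-12
        "manufacturer": bits[20:31],   # bits 11-1
        # JEP106 view of the manufacturer field
        "jep106_continuation": (idcode >> 8) & 0xF,  # bits 11-8
        "jep106_id": (idcode >> 1) & 0x7F,           # bits 7-1
    }


def lookup(db_text, key):
    """Find a bit-string key in a MANUFACTURERS/PARTS/STEPPINGS style listing.

    Returns (name, description), or None when the key is absent, which is
    the case where "detect" printed "Unknown manufacturer!".
    """
    for line in db_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0] == key:
            return fields[1], fields[2]
    return None


def database_lines(idcode, vendor, vendor_name, part, part_name, stepping_name):
    """Build the line to append to each file, keyed by path under the
    UrJTAG data directory."""
    f = decode_idcode(idcode)
    return {
        "MANUFACTURERS": f"{f['manufacturer']}\t{vendor}\t\t{vendor_name}",
        f"{vendor}/PARTS": f"{f['part']}\t{part}\t\t{part_name}",
        f"{vendor}/{part}/STEPPINGS": f"{f['stepping']}\t{part}\t{stepping_name}",
    }


if __name__ == "__main__":
    fields = decode_idcode(IDCODE)
    print(fields)
    print("before:", lookup(STOCK_DB, fields["manufacturer"]))
    new = database_lines(IDCODE, "2wire", "2Wire", "ares", "Ares", "Rev 3")
    for path, line in new.items():
        print(f"{path}: {line!r}")
    patched = STOCK_DB + new["MANUFACTURERS"] + "\n"
    print("after: ", lookup(patched, fields["manufacturer"]))
```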

UPDATE#2:

A JTAG tool has now been built for the TriMedia core. It can be used to boot the TriMedia over JTAG.

TriMedia object code is downloaded over the JTAG interface and the core executes it. The tool can be used to dump the NAND flash contents. [5]

[1] http://open-wrt.ru/forum/viewtopic.php?id=22816

[2] http://forums.whirlpool.net.au/forum-replies.cfm?t=808533&p=9&#r176

[3] https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B6wW18mYskvBNDc0NDZiYzQtNGM5Ny00ODRiLWEyMzQtODBjMDhhODBlNDk4&hl=en_US

[4] https://docs.google.com/leaf?id=0B6wW18mYskvBM2ZmMDQ2OTAtN2E0YS00MTM3LWI4YjYtNGNlNjg1N2YwNzkz&hl=en_US

[5] http://hackingbtbusinesshub.wordpress.com/2011/12/19/open-source-trimedia-jtag-tools/

Altera USB-Blaster plug pinout (update)

The Altera USB-Blaster is an efficient USB JTAG programmer. Clones sell for US$10 or less.

The programmer comes with a comprehensive manual with a pinout diagram for the JTAG device side. [1]

That diagram unfortunately shows no orientation. There should be a polarisation lug on the 10-pin female plug in figure 2-3, but it isn’t shown. The lug is critical to making the right connections.

Every time we want to use this programmer, it takes ages to re-discover the pinout!

Obviously we are not alone because here, voilà, is an idiot-proof pinout diagram for the USB-Blaster.

The diagram comes courtesy of Gerry O’Brien at Digital-Circuitry.com. [2]

Thanks Gerry!

USB Blaster pinout (courtesy of Gerry from digital-circuitry.com)

UPDATE:

On the forum of edaboard.com, Ozzie poster cube007 provides a schematic for the Altera USB-Blaster JTAG programmer. [3] The diagram was found in the Rev. 1c12 schematics for the Altera Nios-II Demo Board. You need to register with edaboard.com to download attachments, but a local copy is at [4].

USB-Blaster revision 1c12 board schematic. Full PDF at [4].

[1] http://www.altera.com/literature/ug/ug_usb_blstr.pdf
[2] http://www.alteraforum.com/forum/showthread.php?t=28850
[3] http://www.edaboard.com/thread35648.html
[4] http://hackingbtbusinesshub.files.wordpress.com/2012/01/nios2_evaluation_1c12_board_schematic_131.pdf

Discovering JTAG registers

Michael Pudeev has authored an excellent article on JTAG programming. [1]

Michael documents his use of UrJTAG, an open source JTAG tool, to program the flash memory of a MIPS-based Broadcom device.

The CPU used in the BT BusinessHub has a 2Wire-branded Trimedia VLIW core. It is closely related to the Philips PNX15xx family of processors.

Michael’s commentary is in Russian, but his screenshots are almost self-explanatory.

It’s interesting to see how Michael adds Device Identification Register entries to urjtag for an unknown part discovered in the JTAG chain.

[1] http://pudeev.livejournal.com/33915.html#cutid1

Discovering JTAG pinout for the 2Wire 2700HG (update)

UPDATE:

We now have the pinout for the card edge connector used in 2Wire routers. The pinout is the same for all routers. See [2].

The information below is retained for interest only.


The following is lifted from the openwrt.org forum. It was posted back in 2009 by tjm08 (Troy J. Mueller).

tjm08 writes:

I have a 2Wire 2700HG-D which has an Atheros-based [802.11] chipset, 128Mbit flash, 64 MByte RAM, and a TriMedia VLIW processor.

There are two headers for an edge connector, J-1 (14 pins) and J-2 (2 pins). I am trying to figure how to access the flash for JTAG.

The stock firmware does not support tftp, and the firmware is corrupted due to some experimentation.

I believe that I can fabricate a parallel interface cable, using all 8 of the data pins, and three of the ground pins.

2 of the 14 pins at J-1 are not connected, three are ground, and the remaining nine (2 @ 0.0v 7 @ 3.3v) are unidentified.

One pin (#10) bridges to pin 1 of J-2, and J-2 is documented as starting a diagnostic “Functional Test Mode”.

Pins 6 and 8 appear to cause a reset (post light blink pattern) when connected to ground.

J-1 Header
Note: Even pins are on the top of the board, odd pins underneath

01 – 3.3v
02 – GND (connects to 04 via trace; continuity to GND)
03 – 0.0v
04 – GND (connects to 02 via trace; continuity to GND)
Key
05 – 3.3v
06 – 3.3v (nSRST?; causes sys reset LED pattern when pulled to GND)
07 – 3.3v
08 – 3.3v (nSRST?; causes sys reset LED pattern when pulled to GND)
09 – 3.3v
10 – 3.3V (FTM) (Functional Test Mode; connects to pin 1 of J-1 hdr as documented)
11 – N.C.
12 – 0.0v
13 – N.C.
14 – GND (continuity to GND)

J-2 Header
01 – 3.3V (FTM)
02 – GND (Documented for “Functional Test Mode”)

To find:
nSRST (optional JTAG, consistent with observed behavior)
nTRST (optional JTAG, possible; used for logic reset of JTAG chain)
TCK (essential JTAG; Test clock signal)
RTCK (optional JTAG, possible; used for adaptive clocking and higher data transfer)
TDI (essential JTAG; Test Data Input)
TDO (essential JTAG; Test Data Output)

I believe that nTRST may be either pin #3 or pin #12, based on the procedure used by Smiggy and Revs Per Minute.

tjm then quotes from Revs-Per-Min, who documents his test method as follows on

http://forums.whirlpool.net.au/forum-replies.cfm?t=808533&p=9&#r176

The method I used [for determining JTAG pinout on the 2701] was fairly simple but laborious.

1. Measure the resistance of all pins to GND and 3.3V power supply. You need to measure under the electrolytic capacitors to determine which is the main 3.3v supply. Mark all your measurements carefully on a pinout graphic. This is important to do a clean accurate test. Turn it on and measure all voltages. Mark them on your graphic.

2. The pins that have already been defined as putting the box into special boot mode. Mark those.

3. One pin will have high resistance to GND and 3.3v. It is TDO, i.e. output which cannot be pulled up or down but floating. Mine showed 3Mohm.

4. One pin will be at either full supply potential 3.3v or 0v will be nTRST. (Assuming they have nTRST turned off. It was in mine.) It will more than likely have a different resistance than other pins. Mine was 5K to 3.3v 1.5K GND. It will, hence have much lower voltage to ground and be at or near 0v.

5. Hopefully you now have a bunch of pins next to each other, which are unknown. In my case 4,5 then 12,13,14 All measure 3.3v. All have 1k to 3.3v and 2k to GND. I traced pins 4, 5 to I2C serial eprom. So it won’t be those. That leaves the 3 pins bunched together. 12,13,14 which makes sense. The rest is trial and error.

Make up a grid and work through the combinations. TDI, TMS, TCK. Start the JTAG software each time. I just used the hairy dairy maid one. When I hit the right combo all the LEDs turned on indicating I had put the processor in a diagnostic mode. Only one or perhaps two combinations will do that. So you now have the 4 JTAG pins plus NTRST defined. Or perhaps two possibles.

There is a procedure documented on JTAG Finder, which is essentially a logic procedure where all potential JTAG Pins are hooked up simultaneously. A data signal is sent to one pin at a time, and all of the other pins are observed for changes in logic state. More information can be found at: http://www.elinux.org/JTAG_Finder

Given the tentative JTAG pinout that I have now, I think that I can build an unbuffered parallel interface with 8 connects on parallel pins 2-9 (data pins), and reserve pin 13 for TDO when found.

Then I should be able to implement the finder method to narrow things down.

After that, figure how to work with the TriMedia VLIW CPU and the NAND flash. The cable would be identical to the unbuffered cable described in the wiki, with the exception of using all eight of the data bus signals.

Any thoughts on this method?

Last edited by tjm08 (2009-12-09 15:43:47)

Taken from: the openwrt forum thread entitled “Finding JTAG Pinouts, New Hardware (2Wire 2700HG-D)” [1]

[1] https://forum.openwrt.org/viewtopic.php?id=22816

[2] http://hackingbtbusinesshub.wordpress.com/2012/01/16/discovering-2wire-card-edge-pinout-for-jtag-i2c/

PCB photos of the 2Wire 2701HG-B and 2700

The following photos of the 2Wire 2701HG-B and the 2700 were taken by “Smiggy”, a contributor to the Australian Whirlpool forum for broadband discussion.

Here, Smiggy highlights the card edge connector for the JTAG TAP (and the i2c bus) on the 2Wire 2700.

Photo courtesy of "smiggy"

Here, Smiggy is illustrating the pinout of the boot ROM (where fitted) on the 2701.

Photo courtesy of "smiggy"

The Ares CPU on the 2Wire 2701HG-B board. The Ares is a Trimedia TM32 core:

Photo courtesy of "smiggy"

Photos found at [1].

[1] http://a.nfshost.com/2701hgb.jpg