Nano2G HW analysis

From freemyipod.org
Revision as of 10:48, 14 June 2009 by Sto (talk | contribs) (Created page with '200px|thumb|Top layer, including JTAG 200px|thumb|Bottom layer 300px [[File:2G_bck_annotation.png|3...')
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Top layer, including JTAG
Bottom layer

Nano 2g frt a.png Nano 2g bck a.png

previous work

See Hardware#2G_Nano_2.

SOC analysis

S5L8701_analysis

Circuit analysis

After desoldering all components, the circuit was analyzed with a continuity tester.

Small test needles (nailbed needles are great) were used for contacting.

For easing the search, a more coarse search was first performed by a novel method : soldering a coil wire to one end, and moving a iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle allows to find the exact pad.

Not all connection were routed, mainly the connections to the S5L8701 SOC.

Results are a detailed pinout of the 8701

See also S5L8701_analysis.

JTAG

The jtag was found after searching with a jtag bruteforce scanner i wrote.(to be published later) There were a lot of problems, including the scanner not working properly, and a nTRST pin. (still cannot understand why).

But now we have the locations of the pins : see picture

pin locations

.

The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins).

After connecting a xilinx paralell cable, and installing openwince, we can try to connect to the JTAG :

$ sudo jtag
JTAG Tools 0.5.1
Copyright (C) 2002, 2003 ETC s.r.o.
JTAG Tools is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for JTAG Tools.

Warning: JTAG Tools may damage your hardware! Type "quit" to exit!

Type "help" for help.

jtag> cable ppdev /dev/parport0 DLC5
Initializing Xilinx DLC5 JTAG Parallel Cable III on ppdev port /dev/parport0
Error: Cable initialization failed!
jtag> cable parallel 0x378 DLC5
Initializing Xilinx DLC5 JTAG Parallel Cable III on parallel port at 0x378
jtag> detect
IR length: 4
Chain length: 1
Device Id: 0
chain.c(110) Part 0 without active instruction
chain.c(133) Part 0 without active instruction
chain.c(110) Part 0 without active instruction
jtag> discovery
Detecting IR length ... 4
Detecting DR length for IR 1111 ... 1
Detecting DR length for IR 0000 ... -1
Detecting DR length for IR 0001 ... 1
Detecting DR length for IR 0010 ... 5
Detecting DR length for IR 0011 ... -1
Detecting DR length for IR 0100 ... 1
Detecting DR length for IR 0101 ... 1
Detecting DR length for IR 0110 ... 1
Detecting DR length for IR 0111 ... 1
Detecting DR length for IR 1000 ... 1
Detecting DR length for IR 1001 ... 1
Detecting DR length for IR 1010 ... 1
Detecting DR length for IR 1011 ... 1
Detecting DR length for IR 1100 ... -1
Detecting DR length for IR 1101 ... 1
Detecting DR length for IR 1110 ... 32
jtag>

We can see the instruction length is 4 bits. the screen freezes directly when we use the JTAG.


We currently do not know if this interface is the JTAG of the ARM or the CALM processor. In the 8700 doc, there seems to be a switch pin. However, here, the switch pin (P10) is an output at H level. Even by forcing it to GND. there seems to be no change in the JTAG structure. Other pins were tried, no jtag commutation was found.

Todo

-find which processor is connected
-check the doc of the ARM and the CALM for JTAG info
-try to use an ARM debugging program ?
-find a commutation pin
-if the JTAG does not help, we can probably make a SDRAM sniffing (clock frequency was only about 12 MHZ !)