Electronic – Problems while trying to flash a memory using openocd and jtag


I'm using openocd and jtag for the very first time in my life (after 30 years of playing with electronics), when I dump the flash using dump_image, I got a 4 byte sequence (0x80 0x01 0x59 0x18) in every Kb. downloaded.


0x000000 0x80 0x01 0x59 0x18 real data
0x000010 real data
0x000400 0x80 0x01 0x59 0x18 real data
0x000800 0x80 0x01 0x59 0x18 real data

Real data, means the bytes that was in the flash at the exact position, so, 4 bytes sequence don't shift the real data, it just overwrite the data.

My openocd configuration (just copy some entries):

set  _CHIPNAME tc3162l
set  _ENDIAN big
set _CPUTAPID 0x1438000d

#chip memory MX29LV160CBTC

jtag newtap $_CHIPNAME cpu -irlen 5 -ircapture 0x1 -irmask 0x1f -expected-id $_CPUTAPID
target create $_TARGETNAME mips_m4k -endian $_ENDIAN -chain-position $_TARGETNAME
flash bank mymemory cfi 0xbfc00000 0x200000 2 2 $_TARGETNAME

Tap defined from the first autoprobe, Flash defined based on the original bootloader data sent to serial console, flash probe shows error….

I don't know if the problem might be due to:

  • The first flash write that I've done for the new bootloader using the AT commands might corrupt the flash data, I just flashed the bank 0.
  • I got some problem configuring openocd.
  • I'm using a bad address for flash definition (I just got that address from the original bootloader).
  • Some marker in the flash memory that means something for the Operating System, for example erased sector, or anything like that, but the whole image (2mb) have the same pattern.
  • openocd should find the flash memory by itself????
  • Must init some register of the cpu to work properly whit the flash?


   TapName             Enabled  IdCode     Expected   IrLen IrCap IrMask
-- ------------------- -------- ---------- ---------- ----- ----- ------
 0 tc3162l.cpu            Y     0x1438000d 0x1438000d     5 0x01  0x1f

flash list

{name cfi base 3217031168 size 2097152 bus_width 2 chip_width 2}

flash probe 0

Flash Manufacturer/Device: 0xb540 0xb540
Could not probe bank: no QRY
Try workaround w/0x555 instead of 0x55 to get QRY.
Could not probe bank: no QRY

I been searching in the net for some problem like that without lucky, readed all the openocd manual, some papers about the tc3162l, the datasheet from flash chip and I've learned a lot of jtag, tested different configurations for the flash chip.

Tested with zjtag (found the tap but not the memory), urjtag (found the tap).

Sorry for my english, it's not my primary language and for the long post, just try to explain everything.
I hope that somebody can bring me a tip about the problem or something to read to learn more about jtag, openocd, flash memories and so on.

Background and Presentation

I been playing with electronics as a hobby for more than 30 years, and I'm a newbie with jtag, some days ago I've found an old Zyxel adsl modem in the trash so I play with it, first flashing some parts of the nand with the embedded commands (ZyOs, AT commands) and everythings goes well, I found in the site of another vendor a linux toolchain for the same chipset and the same memory space so I start to playing with it, after a few days I was able to compile the kernel and the apps and finally make an image, the bootloader code is not compilable, the bin is already in the toolchain as a file.
I use the modem AT commands to load the kernel into RAM and execute it, runs ok until try to load the ramfs and hangs, anyway, there is a lot of things that I have to do to build a proper image and run the os into the modem.

After play with read and write with the flash (downloading parts of the flash and uploading again), using embedded AT commands, I got confidence to try something new, so I flashed the bootloader (found in the toolchain) and brick the modem.
I know that the bootloader is the most important code in a firmware, but I need to replace it due to the start address of the modem main code and the start address of the linux kernel.

Nevermind, I'm playing and learning, so I built a wiggler jtag clone, connect to the board and started to play with a VERY new interface and protocols in my life, the JTAG.

Using openocd, it founds the tap and the ID is from Lexra, an IP developer, the chip is a Trendchip tc3162l, very old, but for playing is ok.

I was designing an audio board to select audio inputs for my speakers using the TEA6320, I've started with a 16f84 (got some unused) and got out of memory, my design have a lot of features, like remote control, lcd display, serial port control, clock, alarms, so I switched the design to a 16f648, and I got 400 bytes free at the moment with all of these features. when I found the modem, I think to use it for control my audio switcher as a central unit to control the TEA, the serial port, LCD display and using the ethernet port to implement a upnp service to control the audio system. I have experience using upnp with OpenWRT, in the toolchain that I found for the modem there is a upnp server.

Thanks, Luis

Best Answer