This shows you the differences between two versions of the page.
Both sides previous revision Previous revision | |||
20b:flash_hacking [2008/08/02 17:53] hpmad |
20b:flash_hacking [2008/08/02 18:17] (current) newell More SAM-BA gripes |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ===== Flash hacking notes ===== | ||
+ | |||
+ | |||
+ | Using OpenOCD r717 and the JTAG interface, the flash memory of the HP20B was modified. | ||
+ | |||
+ | First, one of the unused pages near the end of memory was modified. | ||
+ | is blank in the stock HP firmware (all bytes 0xff). | ||
+ | to program the flash. | ||
+ | |||
+ | First, the page is written into the flash write buffer. | ||
+ | is one page (256 bytes) long and it will catch any writes to the flash memory region. | ||
+ | |||
+ | > load_image test.bin 0 | ||
+ | 256 byte written at address 0x00000000 | ||
+ | downloaded 256 byte in 0.015625s | ||
+ | |||
+ | |||
+ | The flash module was commanded to write the page. The command consists of a key (0x5a), a | ||
+ | page number (0x01fe), and a command (0x01==write page without erase). | ||
+ | |||
+ | > mww 0xffffff64 0x5a01fe01 | ||
+ | |||
+ | |||
+ | The status of the flash module was examined to see if the command had completed. | ||
+ | indicates that the flash module is ready for the next command. | ||
+ | |||
+ | > mdw 0xffffff68 | ||
+ | 0xffffff68: 00000001 | ||
+ | |||
+ | The entire flash memory was dumped to a file to verify that the 0x1fe page was indeed modified. | ||
+ | |||
+ | > dump_image flash_write_test.bin 0 0x20000 | ||
+ | dumped 131072 byte in 10.968601s | ||
+ | |||
+ | An external diff utility was used to verify that the calculator' | ||
+ | different than the stock flash image. | ||
+ | |||
+ | |||
+ | Interestingly, | ||
+ | checksum the entire flash memory. | ||
+ | a 0xd5 byte, matching the displayed checksum.) | ||
+ | with the modified flash memory. | ||
+ | |||
+ | |||
+ | The next step was to modify part of the active flash memory. | ||
+ | ASCII text. Specifically, | ||
+ | For this experiment, the flash write command was 0x5101da03, which would first erase page 0x1da and then | ||
+ | program it. As in the first experiment, the entire flash image was dumped and compared to stock to | ||
+ | verify that the modification occured. | ||
+ | also affected the checksum, which is now displayed as " | ||
+ | |||
+ | Placing the calculator into the test mode revealed that the modified prompts were in place. | ||
+ | changes were noticeable in the operation of the calculator. | ||
+ | were minor and limited to known text prompts.) | ||
+ | |||
+ | The method described here is tedious and slow--it is limited to programming one page (256 bytes) at a time. | ||
+ | |||
+ | |||
+ | ===== NVGPM hacking notes ===== | ||
+ | |||
+ | There are two non-volatile bits in the AT91SAM7L128 that can be modified by the user. Bit 0 is a protection | ||
+ | bit that locks out the JTAG port. Bit 0 should always remain clear (0) for our purposes! | ||
+ | Bit 1 selects the memory map at boot time. If bit 1 is clear (0), the internal Atmel SAM-BA rom will | ||
+ | be mapped to address 0 and will run at boot. Setting bit 1 to 1 will map the on-chip flash memory to | ||
+ | address 0 at boot, allowing the firmware to run. | ||
+ | |||
+ | The GPNVM bits can be modified over the JTAG interface as the flash memory was modified in the above experiment. | ||
+ | The backup plan, should something go horribly wrong, is to use the ERASE pin to erase the entire flash memory and | ||
+ | GPNVM bits. (ERASE will leave your calculator blank, with NO HP FIRMWARE AT ALL. It will also clear the GPNVM bits, | ||
+ | which would enable JTAG access and configure the chip to boot into the SAM-BA bootloader.) | ||
+ | been tested at this time. (I'm not going to try it until I can reflash the entire image through the JTAG port, just | ||
+ | in case...) | ||
+ | |||
+ | OpenOCD scripts have been written to toggle GPNVM bit 1. They can be run from the OpenOCD telnet interface | ||
+ | by typing " | ||
+ | increased the current drain of the calculator. | ||
+ | program and the SAM-BA bootloader. | ||
+ | serial TX and RX lines. | ||
+ | |||
+ | Note from Cyrille: I do not know why you are experiencing this. programming 128KB with sam-ba takes around 15s for me. And I have programmed over 500 calculators! Were you using a PC running windows or something else? did you get the latest sam-ba from Atmel? what cable are you using? | ||
+ | |||
+ | Answer from newell: Windows 2k, dual P3-450, tested with both SAM-BA v2.8 (current) and v2.7 (previous version, first to support the ' | ||
+ | |||
+ | flash_boot.cfg: | ||
+ | # Set GPNVM bit 1, which will map flash memory to 0 | ||
+ | # This will allow application code to boot, instead of SAM-BA | ||
+ | | ||
+ | soft_reset_halt | ||
+ | | ||
+ | # Set GPNVM bit 1 | ||
+ | mww 0xffffff64 0x5a00010b | ||
+ | | ||
+ | # Show current GPNVM bits | ||
+ | mww 0xffffff64 0x5a00000d | ||
+ | sleep 100 | ||
+ | mdw 0xffffff6c | ||
+ | | ||
+ | soft_reset_halt | ||
+ | mdw 0 0x10 | ||
+ | |||
+ | samba_boot.cfg: | ||
+ | # Clear GPNVM bit 1, which will map SAM-BA ROM to 0 | ||
+ | # This will prevent flash memory from booting. | ||
+ | | ||
+ | soft_reset_halt | ||
+ | | ||
+ | # Clear GPNVM bit 1 | ||
+ | mww 0xffffff64 0x5a00010c | ||
+ | | ||
+ | # Show current GPNVM bits | ||
+ | mww 0xffffff64 0x5a00000d | ||
+ | sleep 100 | ||
+ | mdw 0xffffff6c | ||
+ | | ||
+ | soft_reset_halt | ||
+ | mdw 0 0x10 | ||
+ | |||