Thursday, July 14, 2011

JTAG on Amit/Zalip CDE530AM-S

I recently bought a very nice and very cheap WiFi router - Amit CDE530AM-S.
It's based on the Ralink RT3050 chipset, with 8MB of flash, 32MB of RAM and USB host.

Motivated by Arran Short, who managed to run OpenWrt (a modified Fonera 2.0n image) on an Edimax NS-1500 (also based on the RT3050), I decided to try running OpenWrt on the Amit.

The device has a bootloader, but it has no documentation, and there are no official firmware images available to try to decipher the required format.

I've managed to set up a JTAG connection using OpenOCD, here's a little HOWTO.

Hardware connection

First of all, the CDE530AM-S has two serial ports. One is nicely brought out on a pin header but, unfortunately, is not used for anything. The one used as the serial console is just two tiny pads on the underside of the board near the chip; fortunately they are marked RX and TX. The baud rate is 57600.

As for JTAG, there is a standard EJTAG header on the underside of the board, but to make it work you have to populate a small resistor near the TDO pin (I guess you can bridge it with solder; just to be safe I soldered in a 51 Ohm resistor). All the other pads are for pull-downs or pull-ups, so you can ignore them.
Don't forget about that resistor (R28)!


Software

I'm using OpenOCD and a Wiggler clone parallel port JTAG adapter.
Connect everything; the nTRST pin can be pulled high all the time if your adapter doesn't control it.

Create a file rt3050.cfg containing (you have to change the contents if you use a different adapter):

set  _CHIPNAME rt3050
set  _ENDIAN little

#daemon configuration
telnet_port 4444
gdb_port 3333
#interface
interface parport
parport_port 0
parport_cable wiggler
#jtag_speed 0
set _CPUTAPID 0x1335024F
jtag_nsrst_delay 100
jtag_ntrst_delay 100

# jtag scan chain
# format L IRC IRCM IDCODE (Length, IR Capture, IR Capture Mask, IDCODE)
jtag newtap $_CHIPNAME cpu -irlen 5  -ircapture 0x1 -irmask 0x1

set _TARGETNAME [format "%s.cpu" $_CHIPNAME]
target create $_TARGETNAME mips_m4k -endian $_ENDIAN -chain-position $_TARGETNAME

How to use JTAG:

1. Open two terminal windows
2. Connect everything and power up the router
3. In one terminal run "openocd -f rt3050.cfg" (you have to do that quickly after power up, before the device leaves the bootloader)
4. In the other terminal run "telnet localhost 4444"
5. Use the telnet window to send commands to OpenOCD, start off with writing "halt", which will stop the CPU and allow you to read and edit the memory

Some useful commands:

mdw|mdh|mdb [phys] addr [count]
Display contents of address addr, as 32-bit words (mdw), 16-bit halfwords (mdh), or 8-bit bytes (mdb).

dump_image filename address size
Dump size bytes of target memory starting at address to the binary file named filename.

load_image filename address [[bin|ihex|elf|s19] min_addr max_length]
Load image from file filename to target memory offset by address from its load address.

resume [address]
Resume the target at its current code position, or the optional address if it is provided.

Refer to OpenOCD documentation for more info.
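Typing the whole procedure into the telnet window by hand gets tedious for an 8MB flash, and the output of the md* commands is meant for eyes, not files. The following Python script is an added example (not part of this post and not an OpenOCD tool): it connects to the telnet port from rt3050.cfg, halts the target, dumps the flash in 1MB chunks with dump_image so a dropped JTAG session costs at most one chunk, and parses mdw/mdh/mdb output back into the raw bytes the target holds. It assumes the flash is mapped at 0xBC000000 (physical 0x1C000000 seen through the uncached KSEG1 window), which you should check against the datasheet linked below, that OpenOCD prints each dump line as "0xADDRESS: value value ...", and that its telnet prompt is "> "; the mdw sample text is constructed, not captured from a real board.

```python
"""Drive an OpenOCD telnet session (port 4444 from rt3050.cfg) to read the
router's flash, and turn mdw/mdh/mdb output back into raw bytes."""
import re
import socket

OPENOCD_HOST = "localhost"
OPENOCD_PORT = 4444            # telnet_port in rt3050.cfg
# Assumption (not from the post): RT3050 flash at physical 0x1C000000,
# i.e. 0xBC000000 through the uncached KSEG1 window. Check the datasheet.
FLASH_BASE = 0xBC000000
FLASH_SIZE = 8 * 1024 * 1024   # 8MB flash, per the post

# One dump line from mdw/mdh/mdb: "0xbc000000: 10000003 00000000 ..."
_MD_LINE = re.compile(r"^0x([0-9a-fA-F]+):\s+([0-9a-fA-F\s]+?)\s*$")

# Constructed sample of what "mdw 0xbc000000 4" echoes back (not a real capture).
SAMPLE_MDW = """mdw 0xbc000000 4
0xbc000000: 10000003 00000000 0000000a 00000000
"""


def dump_plan(base=FLASH_BASE, size=FLASH_SIZE, chunk=1024 * 1024):
    """Split a region into (filename, address, length) dump_image jobs."""
    jobs = []
    for offset in range(0, size, chunk):
        length = min(chunk, size - offset)
        addr = base + offset
        jobs.append(("flash_%08x.bin" % addr, addr, length))
    return jobs


def dump_commands(base=FLASH_BASE, size=FLASH_SIZE, chunk=1024 * 1024):
    """The dump_image command for each job, exactly as you would type it."""
    return ["dump_image %s 0x%08x %d" % job for job in dump_plan(base, size, chunk)]


def parse_md_output(text, width):
    """Parse mdw (width=4), mdh (2) or mdb (1) output into (address, value) pairs.
    Echoed commands, prompts and other non-dump lines are ignored; a token whose
    length does not match the requested width is an error, not a silent misparse."""
    items = []
    for line in text.splitlines():
        m = _MD_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            if len(tok) != width * 2:
                raise ValueError("token %r does not match width %d" % (tok, width))
            items.append((addr + i * width, int(tok, 16)))
    return items


def md_to_bytes(items, width, endian="little"):
    """Reassemble parsed values into the byte image the target holds, using the
    target endianness (_ENDIAN little in rt3050.cfg). A gap between consecutive
    addresses raises instead of being padded, so a lost line is noticed."""
    out = bytearray()
    expected = None
    for addr, value in items:
        if expected is not None and addr != expected:
            raise ValueError("gap at 0x%08x" % addr)
        out += value.to_bytes(width, endian)
        expected = addr + width
    return bytes(out)


class OpenOCDSession:
    """Minimal telnet client: send one command, collect output up to the next prompt."""
    PROMPT = b"> "

    def __init__(self, host=OPENOCD_HOST, port=OPENOCD_PORT, timeout=60):
        self.sock = socket.create_connection((host, port), timeout)
        self._read_until_prompt()          # swallow the banner

    def _read_until_prompt(self):
        buf = b""
        while not buf.endswith(self.PROMPT):
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("OpenOCD closed the connection")
            buf += chunk
        # strip telnet IAC negotiation triples, then the prompt itself
        buf = re.sub(rb"\xff[\xfb-\xfe].", b"", buf, flags=re.DOTALL)
        return buf[: -len(self.PROMPT)].decode("ascii", "replace")

    def run(self, command):
        self.sock.sendall(command.encode("ascii") + b"\r\n")
        return self._read_until_prompt()

    def close(self):
        self.sock.close()


if __name__ == "__main__":
    s = OpenOCDSession()
    if "halted" not in s.run("halt"):      # step 5 of the HOWTO: stop the CPU first
        raise SystemExit("target did not halt; were you fast enough after power up?")
    for cmd in dump_commands():
        print(cmd)
        print(s.run(cmd))
    s.close()
```

Run it while openocd is already attached (step 3 above); it refuses to continue if "halt" does not report a halted target, which is the usual symptom of attaching too late. The chunk files can be concatenated in address order to get the full flash image.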

Refer to the RT3050/52 datasheet for memory mapping information:
qasdfdsaq.com/files/RT3050_5x_V2.0_081408_0902.pdf