Legal Stuff

This HOWTO is heavily based on the one by Walter Schweizer and Juergen Messerer.

SIMpad JTAG HOWTO

What can you do with a dead SIMpad?

Try to bring it back to life with JTAG!

The SIMpad has a JTAG interface. With this interface you can reinstall the primary bootloader if it has accidentally been overwritten, and then reload the operating system.

Warning

This HOWTO describes a modification of the SIMpad. If it is done badly, you might destroy the SIMpad! Only do it if you are used to modifying electronic devices. The backlight inverter generates high voltage and the batteries can deliver high currents. Do not touch the backlight inverter and do not short-circuit the battery!

We will not assume any responsibility for any damage to your hardware! In short, the use of this HOWTO, software etc. is at your own risk!

Prerequisites

Hardware

  • PC or Laptop with Linux or Windows and parallel port.
  • JTAG cable DLC5 or Keith&Koep.
  • Alternatively, an FT2232 based JTAG cable can be used on PCs or laptops with a USB port. Here is an example of such a cable: http://www.hs-augsburg.de/~hhoegl/proj/usbjtag/usbjtag.html
  • SIMpad CL4, SL4 or SLC
  • Jumper
  • 2 pin jumper connector J10
  • 10 pin jumper connector J12
  • Torx T8 screwdriver (some models have T6 screws)
  • Phillips No. 0 screwdriver
  • Soldering iron
  • Solder remover (Solder Wick)

Software

Preparation

The SIMpad does not have the power jumper and the JTAG connector fitted, so you have to add them yourself.

Remove the back of the housing of the SIMpad.

  J18  J2                                                 J5  
++-+-+-+-----------------------------+---------------+--+-+--+
|+-+ | |                             |               |  | |  |
+----+++                             |               |  +-+  |
      |                              |               |       |
      ++                             |               |       |
   J7 ||                             |    PCMCIA     |       |
      ||                             |               |       |
      ++                             |               |       |
      |    +-----------------+       |               |       |
      |    |                 |       +---------------+       |
      |    |   Smart Card    |       |               |       |
      |    |                 |       +---------------+       |
      |    |                 |                               |
      |    +-----------------+       +---+      ++---+       |
      |                           J4 | x |   J17||   |J19    |
      ++                             +---+      ++---+       |
   J20||                          J12++++       ++    +--+   |
      ++                           ++||||S2     J10   |  |J3 |
   J13++  ++                    J21++++++             +--+   |
      ++  ++S1                                          ++   |
   J23||                                                ++J6 |
      ++-----------------------------------------------------+

SIMpad main board

In the picture above you see the main board with the relevant connectors. The connectors J10 and J12 are missing. J4 is the test point head with a small hole in the middle. S1 is the reset switch, S2 disconnects the battery when pressed.

Unplug the cables in J7, J20, J13, J23, J21, J19, J3 and J6 and unscrew the main board.

First you have to remove the solder in the holes for J10 and J12. Some holes of J12 are difficult to unsolder because they are connected to ground and dissipate the heat. One iron on each side helps. Then you insert the jumper connectors J12 and J10 and solder them.

As an alternative, you can use some thin wires to make the connection between J12 and the JTAG cable, so you do not need to remove the solder and insert the connectors.

           1 o o o o o o  6
           7 o o o o o o 12
          13 o o  X  o o 16
          17 o o o o o o 22
          23 o o o o o o 28
                 J4

            +---+
    TRST  1 |o o| 2  VCC                   +---+
    TDI   3 |o o| 4  VCC                 1 |o o| 2
    TDO   5 |o o| 6  GND                   +---+
    TMS   7 |o o| 8  GND
    TCK   9 |o o| 10 GND
            +---+
             J12                           J10

		J4, J12 and J10 detail



Pictures

(thx to zcitso)

Before:

Image:Befores.jpg

After:

Image:Afters.jpg

Or with female plug (x29a):

Image:jtag_ready_s.jpg

JTAG-Cable

You can either use the Keith+Koep cable or build a passive one. A simple cable is a passive version of the DLC5 cable. It must be kept short, because otherwise the signals become unreliable. I successfully built one with 60 cm of 9-pole ribbon cable. Between each active signal (4) I put a GND (5). The resistors are on the JTAG header:


                                 ---------< 2 VCC
                                 | 
                                 --***----< 1 TRST
______                             200
select 13 >------------------------***----< 5 TDO
			           200
data 0  2 >------------------------***----< 3 TDI
			           200
data 1  3 >------------------------***----< 9 TCK
			           200
data 2  4 >------------------------***----< 7 TMS
			           200
gnd 21-25 >===============================< 6,8,10 GND


DB25 PC         Cable              JTAG Header

Pictures

(thx to zcitso)

Zcitso ones (resistors on DB25 side):

Image:Zcitodlc5s.jpg

Mr Nice ones (resistors on JTAG side):

Image:Dlc5s.jpg

x29a (100 Ohm on DB25 [parallel] side):

Image:X29a_cable_db25.jpg

Image:X29a_cable_jtag.jpg

Software

The JTAG tools are able to program the SIMpad's FLASH. Use Version 0.4 for best results. Compile and install them according to the instructions in the tarball.

I (x29a) just used the bin from apt-get (Debian 3.1), which is openwince-jtag (JTAG-Tools 0.5.1), and they worked right out of the box.

In order to install using apt, just type (as superuser)

apt-get install openwince-jtag

You might have to update your apt-cache first using

apt-get update

Flash Procedure

Check your parport first

Many people have problems with the connection to their parallel ports.

  • First check your BIOS and note the address of the parallel port (IRQ, I/O port etc.). If there are no such settings, you may have only ACPI; that's standard on newer computers.

  • Check if the modules are loaded:

lsmod | grep parport

There should be at least 2 modules loaded: parport and parport_pc.

If there are no modules loaded, it could be that parport is compiled into the kernel and not built as a module.

You can check this as follows:

gzip -cd /proc/config.gz | grep PARPORT

Here you will see something like this:

CONFIG_PARPORT=m
CONFIG_PARPORT_PC=m

m means that parport is configured as a module, y means that parport is compiled into the kernel, and n means that no parport support is compiled.

Now check for a free IRQ

cat /proc/interrupts

and a free I/O Port:

cat /proc/ioports

If your parport is already mapped there, everything is OK. But check against your BIOS notes: if they differ, you need to change the port by unloading the modules first (rmmod parport_pc, then rmmod parport).

To load the modules type (Change the I/O Port and IRQ Numbers!)

modprobe parport
modprobe parport_pc io=0x378 irq=5
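
The checks above can be scripted so that the address handed to the JTAG tools is read from /proc/ioports rather than guessed. This is an added example, not part of the original HOWTO; the function names and the sample text are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO. POSIX sh.
# Both parsers read from stdin so they can be tried on saved or sample text.

# Constructed sample in the format of /proc/ioports.
SAMPLE_IOPORTS='0000-0cf7 : PCI Bus 0000:00
  0378-037a : parport0
  03f8-03ff : serial'

# Print the I/O base of parportN (N = $1, default 0) as 0x...
# Returns 1 if the port is not mapped, 2 if the address reads as zero
# (the kernel zeroes /proc/ioports addresses for unprivileged readers).
parport_base() {
    base=$(sed -n "s/^[[:space:]]*\([0-9a-f]*\)-[0-9a-f]* : parport${1:-0}\$/\1/p" | head -n 1)
    [ -n "$base" ] || return 1
    case $base in *[!0]*) ;; *) return 2 ;; esac
    printf '0x%x\n' "0x$base"
}

# Classify parport_pc support from kernel config text (the output of
# "gzip -cd /proc/config.gz"): prints module, builtin or none.
parport_support() {
    case $(sed -n 's/^CONFIG_PARPORT_PC=\([ym]\)$/\1/p' | head -n 1) in
        m) echo module ;;
        y) echo builtin ;;
        *) echo none ;;
    esac
}

# Build the jtag "cable parallel" line for a DLC5 cable on parportN.
cable_line() {
    addr=$(parport_base "$1") || return $?
    echo "cable parallel $addr DLC5"
}
```

On a real system run `cable_line 0 < /proc/ioports` as root; a return code of 2 means the addresses were hidden because the file was read without privileges.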

Flash it

Connect the SIMpad to the power supply. You don't need to put the main board back into the housing and connect all internal cables. Put a jumper on J10 to keep power on. Plug the JTAG cable to the PC and to the SIMpad.

Start the JTAG tools with jtag and enter the following sequence:

  jtag> cable ppdev /dev/parport# DLC5    (or KeithKoep) (# = parport number, e.g. 0) 

or try addressing the port directly:

  jtag> cable parallel 0x378 DLC5

where 0x378 is the I/O port address of your parallel port.

  jtag> detect

This should identify the SA1110 processor. Output might look something like this:

IR length: 5
Chain length: 1
Device Id: 10001001001001100001000000010011
  Manufacturer: Intel
  Part:         SA1110
  Stepping:     B4
  Filename:     /usr/share/jtag/intel/sa1110/sa1110

  jtag> detectflash

This should identify one 28F128 FLASH with 16 bit bus. The second chip cannot be reached with the JTAG tools. Output might look like:

buswidth: 16
CFI query: 000000aa,       98
Query identification string:
        Primary Algorithm Command Set and Control Interface ID Code: 0x0001 (Intel/Sharp Extended Command Set)
        Alternate Algorithm Command Set and Control Interface ID Code: 0x0000 (null)
Query system interface information:
        Vcc Logic Supply Minimum Write/Erase or Write voltage: 2700 mV
        Vcc Logic Supply Maximum Write/Erase or Write voltage: 3600 mV
        Vpp [Programming] Supply Minimum Write/Erase voltage: 0 mV
        Vpp [Programming] Supply Maximum Write/Erase voltage: 0 mV
        Typical timeout per single byte/word program: 128 us
        Typical timeout for maximum-size multi-byte program: 128 us
        Typical timeout per individual block erase: 1024 ms
        Typical timeout for full chip erase: 0 ms
        Maximum timeout for byte/word program: 2048 us
        Maximum timeout for multi-byte program: 2048 us
        Maximum timeout per individual block erase: 16384 ms
        Maximum timeout for chip erase: 0 ms
Device geometry definition:
        Device Size: 16777216 B (16384 KiB, 16 MiB)
        Flash Device Interface Code description: 0x0002 (x8/x16)
        Maximum number of bytes in multi-byte program: 32
        Number of Erase Block Regions within device: 1
        Erase Block Region Information:
                Region 0:
                        Erase Block Size: 131072 B (128 KiB)
                        Number of Erase Blocks: 128

  jtag> flashmem 0 simpadXX.rom # XX is SL or CL depending on your module

Flashing the hh.org bootloader directly is not possible, because it won't boot.

Output could be:

Note: Supported configuration is 2 x 16 bit or 1 x 16 bit only
buswidth: 16
CFI query: 000000aa,       98
Manufacturer: Intel
Chip: 28F128J3A
program:

block 0 unlocked
erasing block 0: 0
addr: 0x0001FFFE
block 1 unlocked
erasing block 1: 0
addr: 0x00022EBE
verify:
addr: 0x00022EBE
Done.

The address should count up after the first block has been erased. Then the second block is erased and programmed. It takes about 15 minutes until programming is finished.
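
The detect and detectflash output shown above can be checked mechanically before flashmem is run, so that an image is never written to an unexpected chip or to a flash it does not fit in. This is an added example, not part of the original HOWTO: the function names are made up, the IDCODE field layout (4-bit version, 16-bit part number, 11-bit manufacturer, fixed 1 bit) is the IEEE 1149.1 one, and the expected values are decoded from the Device Id printed on this page.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO. POSIX sh.
EXPECT_PART=0x9261  # SA1110: part field of the Device Id shown on this page
EXPECT_MFR=0x009    # Intel: manufacturer field of the same Device Id

# Relevant lines of the detect/detectflash output shown on this page.
SAMPLE='Device Id: 10001001001001100001000000010011
        Device Size: 16777216 B (16384 KiB, 16 MiB)
                        Erase Block Size: 131072 B (128 KiB)'

# Convert a string of 0/1 characters to decimal.
bin2dec() {
    bits=$1; val=0
    while [ -n "$bits" ]; do
        rest=${bits#?}; bit=${bits%"$rest"}
        val=$(( $val * 2 + $bit )); bits=$rest
    done
    echo "$val"
}

# Split a 32-bit IDCODE (MSB first, as "detect" prints it) into the
# IEEE 1149.1 fields; prints "version part manufacturer" in hex.
decode_idcode() {
    id=$1
    [ "${#id}" -eq 32 ] || return 1
    case $id in *[!01]*|*0) return 1 ;; esac   # binary only; bit 0 must be 1
    ver=$(bin2dec "$(printf %s "$id" | cut -c1-4)")
    part=$(bin2dec "$(printf %s "$id" | cut -c5-20)")
    mfr=$(bin2dec "$(printf %s "$id" | cut -c21-31)")
    printf '0x%x 0x%04x 0x%03x\n' "$ver" "$part" "$mfr"
}

# Succeed only if the transcript on stdin reports the expected chip.
is_expected_chip() {
    id=$(sed -n 's/^[[:space:]]*Device Id: *\([01]*\).*/\1/p' | head -n 1)
    fields=$(decode_idcode "$id") || return 1
    set -- $fields
    [ "$2" = "$EXPECT_PART" ] && [ "$3" = "$EXPECT_MFR" ]
}

# Print how many erase blocks an image of $1 bytes written at offset 0
# occupies, using the geometry on stdin; fail if it cannot fit.
blocks_needed() {
    geo=$(sed -n -e 's/^[[:space:]]*Device Size: \([0-9]*\) B.*/\1/p' \
                 -e 's/^[[:space:]]*Erase Block Size: \([0-9]*\) B.*/\1/p')
    set -- "$1" $geo
    [ $# -eq 3 ] && [ "$1" -gt 0 ] && [ "$1" -le "$2" ] || return 1
    echo $(( ($1 + $3 - 1) / $3 ))
}
```

Save the console output of detect and detectflash to a file and feed it on stdin, for example `is_expected_chip < session.log` (the file name is hypothetical).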

Try
jtag> help
or
jtag> help <command>
to play around with your jtag-console.


Verification will fail with JTAG-Tools 0.4.x; this is OK (JTAG software bug?). Version 0.5.1 will verify everything.

After you remove the cable and press reset, you should see the PBL message on the serial interface. If the bootloader is now OK, you are done and the bootloader starts. You can additionally check Upgrading_the_Siemens_bootloader_to_2.5.3 to upgrade your loader.

If not, short pin 1 and 2 on the test header J4 and press reset again. The piggy back bootloader should be programmed. This is also called the alternative bootloader because it runs in an alternative memory space and the normal bootloader can be downloaded, which would otherwise overlap.

Look at the occupied memory addresses to see which one is running. The normal bootloader starts at 0x8014 and the alternative bootloader starts at 0x1f00014.

Final Work

To finish, remove the jumper and the power, put the main board back, connect all internal cables and screw the back onto the SIMpad.

This page was last modified 18:09, 2 April 2010.