Friday 11 October 2019

connecting JTAG to BK8000L

From the datasheet of the BK3254 bluetooth module we know that the CPU is a BA22. There is a possibility that the CPU in the BK8000L is the same, so I searched "ba22 openocd" and found this post:

https://alephsecurity.com/2019/07/15/xiaomi-zigbee-3/

from which I took the JTAG HW and SW parts.

JTAG HW and SW part


JTAG HW:
FT232H USB module: https://www.aliexpress.com/item/33052982174.html

JTAG SW: https://github.com/alephsecurity/BA2-toolchain (jtag-r34432.tar.xz)

Patch for a generic FT232H board (vendor 0x0403, product 0x6014):

open ftdi_driver.c and add this line to the supported_devs[] table:

{ 0x0403, 0x6014, NULL, NULL, l_amontec_jtagkey2, 0 },

The table then looks like this:

/* vendor, product, name pairs of supported devices */
struct ftdi_device_desc supported_devs[] = {
    { 0x0403, 0x6010, "Beyond", "Debug Key", l_beyond_debug_key_v1_2, 0 },          // Beyond Debug Key
    { 0x0403, 0x6010, "Beyond", "Debug Hub", l_beyond_debug_key_v1_1, 0 },          //   (eng. sample 2)
    { 0x0403, 0x6010, "Beyond", "JTAG Adapter", l_beyond_debug_key_v1_0, 0 },       //   (eng. sample 1)
    { 0x0403, 0xcff8, "Amontec", NULL, l_amontec_jtagkey2, 0 },                     // Amontec jtagkey/jtagkey2
    { 0x15ba, 0x002a, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-tiny-h
    { 0x15ba, 0x002b, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-ocd-h
    { 0x15ba, 0x0004, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-tiny
    { 0x15ba, 0x0003, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-ocd
    { 0x0403, 0x6010, "Digilent", "Digilent Adept USB Device", l_digilent_hs1, 0 }, // Digilent hs1 ("adept")
    { 0x0403, 0xac09, "Atomic", NULL, l_amontec_jtagkey, 0 },                       // Atomic programming AP-114 (same layout as Amontec)
    { 0x0403, 0x8220, "DISTORTEC", "JTAG-lock-pick Tiny 2", l_lockpick2, 1 },       // JTAG-lock-pick Tiny 2
    { 0x0403, 0x6014, NULL, NULL, l_amontec_jtagkey2, 0 },                          // generic FT232H board (added line, same pin layout as Amontec jtagkey2)
    { 0, 0 }
};



Connecting JTAG to BK8000L

FT232H pin    BK8000L JTAG signal
AD0           TCK
AD1           TDI
AD2           TDO
AD3           TMS
AD5           /SRST
 
(https://www.tiaowiki.com/w/TIAO_USB_Multi_Protocol_Adapter_Lite_User%27s_Manual#20_PIN_JTAG_Connector) 
 
then short the SCLK and SO pins on the external flash so the CPU can't start up, plug the FT232H adapter into USB and fire up the JTAG SW:

update: starting jp3 shortly after releasing the RESET button does the trick too ...
 
 
nail@sid:~/tmp/jtag_ba22$ ./jp3 ftdi jtag://localhost:1234 -t15M
jp3: JTAG protocol via USB/parallel port for linux.
Version 1.6.3
Assuming debug_if's TAP has an IDCODE of 0x14951185.
Using 'FTDI Single RS232-HS (?)' interface.
Enabling high speed ftdi mode.
Using JTAG clock of 15 MHz
Disabling UART not supported/required on this adapter.
JTAG chain length: 1
Found device 0 (IDCODE: 14951185) to have a debug_if connected to it
  Debug interfaces(s) detected: if3
  Using debug interface 3.
Processor version: BA22 v5.2.2
  Memory interface for debuggers: yes
Remote ba debugging using jtag://localhost:1234
Press CTRL+c to exit.
 

OPENOCD

nail@sid:~/tmp/jtag_ba22$ openocd -f interface/ftdi/um232h.cfg -c "adapter_khz 100" -c " transport select jtag"
Open On-Chip Debugger 0.10.0+dev-00936-g0a13ca1-dirty (2019-10-07-08:06)
Licensed under GNU GPL v2
For bug reports, read
    http://openocd.org/doc/doxygen/bugs.html
adapter speed: 100 kHz

jtag
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 100 kHz
Warn : There are no enabled taps.  AUTO PROBING MIGHT NOT WORK!!
Info : JTAG tap: auto0.tap tap/device found: 0x14951185 (mfg: 0x0c2 (Flextronics (Orbit Semiconductor)), part: 0x4951, ver: 0x1)
Warn : AUTO auto0.tap - use "jtag newtap auto0 tap -irlen 2 -expected-id 0x14951185"
Error: IR capture error at bit 2, saw 0x3FFFFFFFFFFFFFF5 not 0x...3
Warn : Bypassing JTAG setup events due to errors
Warn : gdb services need one or more targets defined
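The IDCODE 0x14951185 in the OpenOCD log above can be decoded by hand. The following Python is an added example, not code from the post or from OpenOCD: it splits the 32-bit value into the IEEE 1149.1 fields OpenOCD prints (version, part number, JEDEC manufacturer code) and builds the "jtag newtap" line the AUTO warning asks for. The instruction register length of 2 is taken from that warning; the JEP106 manufacturer name lookup is not included.

```python
"""Decode a JTAG IDCODE the way OpenOCD prints it (IEEE 1149.1 layout)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdCode:
    raw: int
    version: int        # bits 31:28
    part: int           # bits 27:12
    manufacturer: int   # bits 11:1, JEDEC JEP106 encoded
    continuation: int   # number of 0x7F continuation codes (bits 10:7)
    identity: int       # 7-bit JEP106 identity code (bits 6:0)

    def is_valid(self) -> bool:
        # Bit 0 of a real IDCODE is always 1; a 0 there means a BYPASS
        # register was shifted out instead of an IDCODE.
        return self.raw & 1 == 1


def decode_idcode(raw: int) -> IdCode:
    if not 0 <= raw < (1 << 32):
        raise ValueError("IDCODE must be a 32-bit value")
    manufacturer = (raw >> 1) & 0x7FF
    return IdCode(
        raw=raw,
        version=(raw >> 28) & 0xF,
        part=(raw >> 12) & 0xFFFF,
        manufacturer=manufacturer,
        continuation=(manufacturer >> 7) & 0xF,
        identity=manufacturer & 0x7F,
    )


def newtap_command(raw: int, irlen: int, chip: str = "auto0", tap: str = "tap") -> str:
    """Build the 'jtag newtap' line OpenOCD suggests in its AUTO warning.

    chip/tap default to the names OpenOCD assigns during auto-probing.
    """
    return f"jtag newtap {chip} {tap} -irlen {irlen} -expected-id 0x{raw:08x}"


if __name__ == "__main__":
    code = decode_idcode(0x14951185)  # value reported in the log above
    print(code)                        # mfg 0xc2, part 0x4951, ver 0x1
    print(newtap_command(0x14951185, irlen=2))
```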


small update:

so I have a few minutes while eating my lunch:


https://www.beyondsemi.com/25/beyond-ba22-de-deeply-embedded-processor/#tab3
-> GCC
https://www.beyondsemi.com/86/beyondstudio-integrated-development-environment/
  • GCC 4.9.2
  • Binutils 2.24
  • GDB 7.8.1
  • Newlib C library 2.1.0
so I created an account and requested access to BeyondStudio

GCC is GPL, so one of these applies:
 - the processor is supported upstream

 - they must give us a patch




gives us some hints, but I do not have time to play with it

Performance
Transfer rate in excess of 600 kB/s
30MHz maximum JTAG clock
....


The SW was something special for BA22: https://github.com/alephsecurity/BA2-toolchain
there are patches for gcc and other utils ..... anyone want to take a look?



then I went back to the original site where it all started:
https://alephsecurity.com/2019/07/15/xiaomi-zigbee-3/
and previous post:
https://alephsecurity.com/2019/07/09/xiaomi-zigbee-2/


I installed radare2 and pyba2 and ran it against bk8000l.bin, but I have never used it, so I only try what I find on the net :)


git clone https://github.com/radareorg/radare2
cd radare2 ; sys/install.sh
r2pm init
r2pm -i lang-python

git clone https://github.com/alephsecurity/pyba2
cd pyba2

r2 -I ba2r2.py BK8000L

in radare2:

aaaa -AA
v


12 comments:

  1. Thomas, good evening!

    Tell me how (software / hardware) I can disable the A2DP profile and enable GPIO PA mute? BK3254 SSOP28, not QFN. External flash is absent. PCB has TCK/TDI/TDO/TMS/RSTN pads. I have photo, if needed.

    1. hello, I can't help you, what you see here, is all I know about it ... nothing more ...

  2. If I understand correctly, did you fail to connect to BK3254 with 3254_ToolKit2.6.exe?

  3. Hi Tomas,

    I am tempted to buy BK3254 adapter board for my bluetooth project. The only thing stopping me is a working example. I have gone through your github library but I am not sure how to include your codes in my main function. Please can you post/send me a working example? I want to use the module to play music, receive and make calls etc, and I want to use the gpio pins for other purposes.

    1. something like this? https://github.com/tomaskovacik/BK3254/blob/master/example/BK3254/BK3254.ino

    2. Hi Tomas,
      Thank you for your reply. The example you have suggested is a library of functions right? I mean which one is the main function. Also, why is it .ino file? And how do I upload the firmware into BK3254 module. Pardon me for my amateur questions.

    3. eh, there is no way you can upload anything into that module other than using BEKEN official SW and HW. Link is for an arduino library as stated on repository main page ...

  4. I just ordered the module. I meant how do I upload your example on the module? Beken website is currently not working. Is it possible using Arduino IDE to upload that example you have suggested?

    1. that sketch runs on an AVR MCU (on an arduino board). it is not uploaded to the beken chip

  5. Ahh or do you mean, I will need an additional Arduino or a microcontroller, upload your example and use it to control the module?
