Friday, 11 October 2019

connecting JTAG to BK8000L

from datasheet of BK3254 bluetooth module, we know that CPU is BA22, there is posibility that cpu in bk8000L is the same, so I searched "ba22 openocd" and found this post:

https://alephsecurity.com/2019/07/15/xiaomi-zigbee-3/

from which I take jtag HW and SW part

jtag HW and SW part


JTAG HW:
 FT232H usb module: https://www.aliexpress.com/item/33052982174.html

SW: https://github.com/alephsecurity/BA2-toolchain (jtag-r34432.tar.xz)

patch for generic FT232H board


 open ftdi_driver.c

 and add this line to ftdi_driver.c file

 { 0x0403, 0x6014, NULL, NULL, l_amontec_jtagkey2, 0 },

 /* vendor, product, name pairs of supported devices */
struct ftdi_device_desc supported_devs[] = {
    { 0x0403, 0x6010, "Beyond", "Debug Key", l_beyond_debug_key_v1_2, 0 },          // Beyond Debug Key
    { 0x0403, 0x6010, "Beyond", "Debug Hub", l_beyond_debug_key_v1_1, 0 },          //   (eng. sample 2)
    { 0x0403, 0x6010, "Beyond", "JTAG Adapter", l_beyond_debug_key_v1_0, 0 },       //   (eng. sample 1)
    { 0x0403, 0xcff8, "Amontec", NULL, l_amontec_jtagkey2, 0 },                     // Amontec jtagkey/jtagkey2
    { 0x15ba, 0x002a, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-tiny-h
    { 0x15ba, 0x002b, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-ocd-h"
    { 0x15ba, 0x0004, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-tiny"
    { 0x15ba, 0x0003, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-ocd"
    { 0x0403, 0x6010, "Digilent", "Digilent Adept USB Device", l_digilent_hs1, 0 }, // Digilent hs1 ("adept")
    { 0x0403, 0xac09, "Atomic", NULL, l_amontec_jtagkey, 0 },                       // Atomic programming AP-114 (same layout as Amontec)
    { 0x0403, 0x8220, "DISTORTEC", "JTAG-lock-pick Tiny 2", l_lockpick2, 1 },       // JTAG-lock-pick Tiny 2
{ 0x0403, 0x6014, NULL, NULL, l_amontec_jtagkey2, 0 },
    { 0, 0 }
};


Connecting JTAG to BK8000L


 
AD0    TCK
AD1    TDI
AD2    TDO
AD3    TMS
AD5    /SRST
 
(https://www.tiaowiki.com/w/TIAO_USB_Multi_Protocol_Adapter_Lite_User%27s_Manual#20_PIN_JTAG_Connector) 
 
then short SCLK and SO pin on external flash, so CPU cant start up, plug FT232H adapter to USB and fire up jtag sw:
 
update: starting jp3 shortly after releasing RESET button does the trick also ... 
 
 
 nail@sid:~/tmp/jtag_ba22$ ./jp3 ftdi jtag://localhost:1234 -t15M
jp3: JTAG protocol via USB/parallel port for linux.
Version 1.6.3
Assuming debug_if's TAP has an IDCODE of 0x14951185.
Using 'FTDI Single RS232-HS (?)' interface.
Enabling high speed ftdi mode.
Using JTAG clock of 15 MHz
Disabling UART not supported/required on this adapter.
JTAG chain length: 1
Found device 0 (IDCODE: 14951185) to have a debug_if connected to it
  Debug interfaces(s) detected: if3
  Using debug interface 3.
Processor version: BA22 v5.2.2
  Memory interface for debuggers: yes
Remote ba debugging using jtag://localhost:1234
Press CTRL+c to exit.
 

OPENOCD

nail@sid:~/tmp/jtag_ba22$ openocd -f interface/ftdi/um232h.cfg -c "adapter_khz 100" -c " transport select jtag"
Open On-Chip Debugger 0.10.0+dev-00936-g0a13ca1-dirty (2019-10-07-08:06)
Licensed under GNU GPL v2
For bug reports, read
    http://openocd.org/doc/doxygen/bugs.html
adapter speed: 100 kHz

jtag
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 100 kHz
Warn : There are no enabled taps.  AUTO PROBING MIGHT NOT WORK!!
Info : JTAG tap: auto0.tap tap/device found: 0x14951185 (mfg: 0x0c2 (Flextronics (Orbit Semiconductor)), part: 0x4951, ver: 0x1)
Warn : AUTO auto0.tap - use "jtag newtap auto0 tap -irlen 2 -expected-id 0x14951185"
Error: IR capture error at bit 2, saw 0x3FFFFFFFFFFFFFF5 not 0x...3
Warn : Bypassing JTAG setup events due to errors
Warn : gdb services need one or more targets defined

 small update: 
so I have few minutes while eating my lunch:


https://www.beyondsemi.com/25/beyond-ba22-de-deeply-embedded-processor/#tab3
-> GCC
https://www.beyondsemi.com/86/beyondstudio-integrated-development-environment/
  • GCC 4.9.2
  • Binutils 2.24
  • GDB 7.8,1
  • Newlib C library 2.1.0
so I created account and requested access to beyond studio

GCC is GPL, so it one of these applies:
 - processor supported in upstream

 - they must give as patch



Beyond Debug Key Leaflet on site: https://www.beyondsemi.com/beyond-debug-key/#tab2

give as some hints, but I do not have time to play with it

Performance
Transfer rate in excess of 600 kB/s
30MHz maximum JTAG clock
....


SW was something special for BA22:  https://github.com/alephsecurity/BA2-toolchain
there are patches for gcc and other utils .....  anyone to take look?



then I go back to original site where It all started:
https://alephsecurity.com/2019/07/15/xiaomi-zigbee-3/
and previous post:
https://alephsecurity.com/2019/07/09/xiaomi-zigbee-2/


I installed radare2 pyba2 and run ti against bk8000l.bin, but I never use it so, I only try what I find on net :)


git clone https://github.com/radareorg/radare2
cd radare2 ; sys/install.sh
r2pm init
r2pm -i lang-python

git clone https://github.com/alephsecurity/pyba2
cd pyba2

r2 -I ba2r2.py BK8000L

in radare2:

aaaa -AA
v


Posted by at 12 comments:
Subscribe to: Posts (Atom)