Friday 11 October 2019

connecting JTAG to BK8000L

From the datasheet of the BK3254 Bluetooth module we know that the CPU is a BA22; there is a possibility that the CPU in the BK8000L is the same, so I searched for "ba22 openocd" and found this post:

https://alephsecurity.com/2019/07/15/xiaomi-zigbee-3/

from which I took the JTAG HW and SW part.

JTAG HW and SW part


JTAG HW:
FT232H USB module: https://www.aliexpress.com/item/33052982174.html

SW: https://github.com/alephsecurity/BA2-toolchain (jtag-r34432.tar.xz)

Patch for a generic FT232H board

Open ftdi_driver.c and add this line to the supported_devs table (0x0403:0x6014 is the USB VID:PID of the FT232H; the existing jtagkey2 pin layout is reused):

{ 0x0403, 0x6014, NULL, NULL, l_amontec_jtagkey2, 0 },

The table then looks like this:

/* vendor, product, name pairs of supported devices */
struct ftdi_device_desc supported_devs[] = {
    { 0x0403, 0x6010, "Beyond", "Debug Key", l_beyond_debug_key_v1_2, 0 },          // Beyond Debug Key
    { 0x0403, 0x6010, "Beyond", "Debug Hub", l_beyond_debug_key_v1_1, 0 },          //   (eng. sample 2)
    { 0x0403, 0x6010, "Beyond", "JTAG Adapter", l_beyond_debug_key_v1_0, 0 },       //   (eng. sample 1)
    { 0x0403, 0xcff8, "Amontec", NULL, l_amontec_jtagkey2, 0 },                     // Amontec jtagkey/jtagkey2
    { 0x15ba, 0x002a, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-tiny-h
    { 0x15ba, 0x002b, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-ocd-h
    { 0x15ba, 0x0004, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-tiny
    { 0x15ba, 0x0003, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-ocd
    { 0x0403, 0x6010, "Digilent", "Digilent Adept USB Device", l_digilent_hs1, 0 }, // Digilent hs1 ("adept")
    { 0x0403, 0xac09, "Atomic", NULL, l_amontec_jtagkey, 0 },                       // Atomic programming AP-114 (same layout as Amontec)
    { 0x0403, 0x8220, "DISTORTEC", "JTAG-lock-pick Tiny 2", l_lockpick2, 1 },       // JTAG-lock-pick Tiny 2
    { 0x0403, 0x6014, NULL, NULL, l_amontec_jtagkey2, 0 },                          // generic FT232H board (added line, jtagkey2 layout)
    { 0, 0 }
};



Connecting JTAG to BK8000L

FT232H pin   JTAG signal
AD0          TCK
AD1          TDI
AD2          TDO
AD3          TMS
AD5          /SRST

(pinout reference: https://www.tiaowiki.com/w/TIAO_USB_Multi_Protocol_Adapter_Lite_User%27s_Manual#20_PIN_JTAG_Connector)
 
Then short the SCLK and SO pins on the external flash so the CPU can't start up, plug the FT232H adapter into USB and fire up the JTAG SW:
 
update: starting jp3 shortly after releasing the RESET button does the trick as well ...
 
 
nail@sid:~/tmp/jtag_ba22$ ./jp3 ftdi jtag://localhost:1234 -t15M
jp3: JTAG protocol via USB/parallel port for linux.
Version 1.6.3
Assuming debug_if's TAP has an IDCODE of 0x14951185.
Using 'FTDI Single RS232-HS (?)' interface.
Enabling high speed ftdi mode.
Using JTAG clock of 15 MHz
Disabling UART not supported/required on this adapter.
JTAG chain length: 1
Found device 0 (IDCODE: 14951185) to have a debug_if connected to it
  Debug interfaces(s) detected: if3
  Using debug interface 3.
Processor version: BA22 v5.2.2
  Memory interface for debuggers: yes
Remote ba debugging using jtag://localhost:1234
Press CTRL+c to exit.
 

OPENOCD

nail@sid:~/tmp/jtag_ba22$ openocd -f interface/ftdi/um232h.cfg -c "adapter_khz 100" -c " transport select jtag"
Open On-Chip Debugger 0.10.0+dev-00936-g0a13ca1-dirty (2019-10-07-08:06)
Licensed under GNU GPL v2
For bug reports, read
    http://openocd.org/doc/doxygen/bugs.html
adapter speed: 100 kHz

jtag
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 100 kHz
Warn : There are no enabled taps.  AUTO PROBING MIGHT NOT WORK!!
Info : JTAG tap: auto0.tap tap/device found: 0x14951185 (mfg: 0x0c2 (Flextronics (Orbit Semiconductor)), part: 0x4951, ver: 0x1)
Warn : AUTO auto0.tap - use "jtag newtap auto0 tap -irlen 2 -expected-id 0x14951185"
Error: IR capture error at bit 2, saw 0x3FFFFFFFFFFFFFF5 not 0x...3
Warn : Bypassing JTAG setup events due to errors
Warn : gdb services need one or more targets defined
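As an added example (not from the original post, jp3 or OpenOCD): decoding the IDCODE both tools report, and reading the IR-capture value from the OpenOCD error, which shows why the suggested `-irlen 2` cannot be right. Treating the printed capture value as a 62-bit scan is an assumption.

```python
# Added example (not from the original post): decode the IDCODE printed by jp3 and
# OpenOCD (0x14951185) and interpret the IR capture that OpenOCD complained about.

IDCODE = 0x14951185               # value from the jp3 / OpenOCD output above
IR_CAPTURE = 0x3FFFFFFFFFFFFFF5   # "saw ..." value from the OpenOCD error
IR_CAPTURE_BITS = 62              # assumption: 0x3FFF...F5 is a 62-bit scan

def decode_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields.

    bit 0      : always 1 (a TAP without IDCODE shifts out a 0 here)
    bits 1-11  : JEDEC JEP106 manufacturer id (continuation count + 7-bit code)
    bits 12-27 : part number
    bits 28-31 : version
    """
    if idcode & 1 == 0:
        raise ValueError("bit 0 is 0: this is a BYPASS bit, not an IDCODE")
    mfg = (idcode >> 1) & 0x7FF
    return {
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        "manufacturer": mfg,
        # JEP106: upper 4 bits = number of 0x7F continuation codes, lower 7 = code
        "jep106_bank": mfg >> 7,
        "jep106_code": mfg & 0x7F,
    }

def ir_capture_min_len(captured, nbits):
    """Lower bound on the IR length from an IR-capture scan with one TAP.

    OpenOCD shifts all ones into the instruction register and inspects what the
    TAP shifted out. Bits beyond the chain's real IR length are the ones we
    shifted in, so the highest 0 bit must have come from the TAP's capture-IR
    value and the IR is at least that long. IEEE 1149.1 mandates that the two
    LSBs of the captured value are "01".
    """
    if captured & 0x3 != 0x1:
        raise ValueError("capture-IR does not end in the mandatory '01' pattern")
    highest_zero = max(i for i in range(nbits) if not (captured >> i) & 1)
    return highest_zero + 1

if __name__ == "__main__":
    print(decode_idcode(IDCODE))   # mfg 0x0c2, part 0x4951, ver 0x1 as OpenOCD printed
    print("IR length is at least", ir_capture_min_len(IR_CAPTURE, IR_CAPTURE_BITS))
```

The capture pattern ends in 0101 followed by ones, so with a single TAP in the chain the IR is at least 4 bits wide; OpenOCD's `-irlen 2` is only its fallback guess.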


Small update:

I had a few minutes while eating my lunch:


https://www.beyondsemi.com/25/beyond-ba22-de-deeply-embedded-processor/#tab3
-> GCC
https://www.beyondsemi.com/86/beyondstudio-integrated-development-environment/
  • GCC 4.9.2
  • Binutils 2.24
  • GDB 7.8.1
  • Newlib C library 2.1.0
so I created an account and requested access to Beyond Studio.

GCC is GPL, so one of these applies:
 - the processor is supported upstream

 - they must give us the patches




This gives us some hints, but I do not have time to play with it:

Performance
Transfer rate in excess of 600 kB/s
30MHz maximum JTAG clock
....


The SW was something special for BA22: https://github.com/alephsecurity/BA2-toolchain
There are patches for gcc and the other utils ..... anyone want to take a look?



Then I went back to the original site where it all started:
https://alephsecurity.com/2019/07/15/xiaomi-zigbee-3/
and the previous post:
https://alephsecurity.com/2019/07/09/xiaomi-zigbee-2/


I installed radare2 and pyba2 and ran them against bk8000l.bin, but I have never used radare2, so I only tried what I found on the net :)


git clone https://github.com/radareorg/radare2
cd radare2 ; sys/install.sh
r2pm init
r2pm -i lang-python

git clone https://github.com/alephsecurity/pyba2
cd pyba2

r2 -I ba2r2.py BK8000L

in radare2:

aaaa -AA
v