JTAG Connection

Sonos PLAY:5 uses this 16-pin JTAG pinout. (See http://cache.freescale.com/files/soft_dev_tools/doc/user_guide/CWH-UTP-UG.pdf, pg. 21).

A Raspberry Pi can be configured as a JTAG adapter by following the instructions found at http://sourceforge.net/p/urjtag/discussion/682993/thread/d31f1840/.

You can check out my patched version of UrJTAG from here:

git clone https://github.com/bgelb/urjtag.git

Many thanks to Laurent Pinchart for sharing his MPC8272 patches with me. I fixed them up (since they no longer applied to UrJTAG at head anymore) a bit and plan to contribute them back to UrJTAG when I have a chance.

Using my patches, UrJTAG output looks like this:

jtag> cable gpio tdo=9 tdi=10 tck=11 tms=25

Initializing GPIO JTAG Chain

jtag> detect

IR length: 8

Chain length: 1

Device Id: 00000001100011001101000000011101 (0x018CD01D)

Manufacturer: Freescale (Motorola) (0x01D)

Part(0): mpc8247 (0x18CD)

Stepping: 0

Filename: /usr/local/share/urjtag/freescale/mpc8247/mpc8247

jtag> initbus mpc8272

jtag> print

No. Manufacturer Part Stepping Instruction Register

-------------------------------------------------------------------------------------------------------------------

0 Freescale (Motorola) mpc8247 0 SAMPLE/PRELOAD BSR

Active bus:

*0: Freescale MPC8272 compatible bus driver via BSR (JTAG part No. 0)

start: 0x00000000, length: 0x10000000, data width: 8 bit, (EEPROM)

start: 0x10000000, length: 0x10000000, data width: 8 bit, (Flash)

Then the boot (Flash) EEPROM can be accessed like this:

jtag> peek 0x0

URJ_BUS_READ(0x00000000) = 0x04 (4)

jtag> peek 0x8

URJ_BUS_READ(0x00000008) = 0x42 (66)

jtag> peek 0x10

URJ_BUS_READ(0x00000010) = 0x42 (66)

jtag> peek 0x18

URJ_BUS_READ(0x00000018) = 0x1A (26)

Or a chunk of memory can be dumped like this:

jtag> readmem 0x0 1024 first1k.bin

address: 0x00000000

length: 0x00000400

reading:

addr: 0x00000400

Done.

Some software work will be needed to enable any access to the 32Mbit NAND Flash part on the Sonos. It will not work in the current configuration (though CS2 is mapped to an address range).

Initially "detectflash" would not detect the NOR flash part used for bootup and I could not manually read the device and mfr IDs by poking in the necessary command cycles. Eventually I determined that the WE# pin on the NOR flash was not connected (just pulled up to 3.3V). There is a stuff option on the PCB that needs to be stuffed in order to connect WE# to WE_DQM_BS_B(0). R25159 must be stuffed w/ 0-ohm. See the below picture.

Once R25159 is stuffed (and my urjtag patches are applied, since I had to add a definition for the EN29LV010), the detectflash command works:

jtag> detectflash 0x0

dev ID=006e man ID=001c

Found EON EN29LV010 flash, size = 131072 bytes.

Query identification string:

Primary Algorithm Command Set and Control Interface ID Code: 0x0002 (AMD/Fujitsu Standard Command Set)

Alternate Algorithm Command Set and Control Interface ID Code: 0x0000 (null)

Query system interface information:

Vcc Logic Supply Minimum Write/Erase or Write voltage: 0 mV

Vcc Logic Supply Maximum Write/Erase or Write voltage: 0 mV

Vpp [Programming] Supply Minimum Write/Erase voltage: 0 mV

Vpp [Programming] Supply Maximum Write/Erase voltage: 0 mV

Typical timeout per single byte/word program: 0 us

Typical timeout for maximum-size multi-byte program: 0 us

Typical timeout per individual block erase: 0 ms

Typical timeout for full chip erase: 0 ms

Maximum timeout for byte/word program: 0 us

Maximum timeout for multi-byte program: 0 us

Maximum timeout per individual block erase: 0 ms

Maximum timeout for chip erase: 0 ms

Device geometry definition:

Device Size: 131072 B (128 KiB, 0 MiB)

Flash Device Interface Code description: 0x0000 (x8)

Maximum number of bytes in multi-byte program: 0

Number of Erase Block Regions within device: 1

Erase Block Region Information:

Region 0:

Erase Block Size: 16384 B (16 KiB)

Number of Erase Blocks: 8

I replaced the EN29LV010 on my board with a Microchip SST39LF010. There is a subtle difference in the command set (need to send 0x5555/0x2aaa vs. 0x555/0x2aa on the addr pins during command sequence) which I hacked UrJTAG (for now) to do. Longer term, need to add proper support for this flash chip type.

I was able to program the new flash chip with UrJTAG and the bootloader now loads successfully.

jtag> flashmem 0x0 sonos5-boot-rom-cold.bin

Chip: AMD Flash

Manufacturer: SST

Chip: SST39LF010

Protected: 0001

program:

flash_unlock_block 0x00000000 IGNORE

block 0 unlocked

flash_erase_block 0x00000000

flash_erase_block 0x00000000 DONE

erasing block 0: 0

flash_unlock_block 0x00004000 IGNORE

block 1 unlocked

flash_erase_block 0x00004000

flash_erase_block 0x00004000 DONE

erasing block 1: 0

flash_unlock_block 0x00008000 IGNORE

block 2 unlocked

flash_erase_block 0x00008000

flash_erase_block 0x00008000 DONE

erasing block 2: 0

flash_unlock_block 0x0000C000 IGNORE

block 3 unlocked

flash_erase_block 0x0000C000

flash_erase_block 0x0000C000 DONE

erasing block 3: 0

flash_unlock_block 0x00010000 IGNORE

block 4 unlocked

flash_erase_block 0x00010000

flash_erase_block 0x00010000 DONE

erasing block 4: 0

flash_unlock_block 0x00014000 IGNORE

block 5 unlocked

flash_erase_block 0x00014000

flash_erase_block 0x00014000 DONE

erasing block 5: 0

flash_unlock_block 0x00018000 IGNORE

block 6 unlocked

flash_erase_block 0x00018000

flash_erase_block 0x00018000 DONE

erasing block 6: 0

flash_unlock_block 0x0001C000 IGNORE

block 7 unlocked

flash_erase_block 0x0001C000

flash_erase_block 0x0001C000 DONE

erasing block 7: 0

addr: 0x0001FFFF

verify:

addr: 0x0001FFFF

Done.