
Messages - Ramazuri

Bus Pirate Support / Experiences with dumping flash content while it is still on the board
Hello everyone,

I would like to ask if anyone has some experience with dumping the content of a flash while it is still located on the PCB.
I am just wondering because I did this for my last project and I ended up running into a bunch of problems. I am not 100% sure if the problems were related to that because it was my first time dealing with flashes but I found out in the end that there are a lot of issues related to that.
Is it always recommendable to desolder the target flash from the board or are there some other workarounds?

General discussion / Getting access to the content of a SquashFS filesystem
Hello everyone,

A while ago I bought myself a BusPirate to retrieve the content of a NAND Flash via SPI.
After some initial trouble I managed to dump the entire flash. Unfortunately I am having a big issue with analyzing the filesystem that is part of it. I was hoping that someone has an idea what I can do.

First of all let me tell you what I already did. I gave binwalk the dump as input and extracted the content with
Code:
binwalk -Me
So far so good. I knew that I was dealing with a squashfs filesystem, so I installed sasquatch just in case that some weird modification was used that unsquashfs couldn't handle.
Unfortunately sasquatch couldn't handle it either. The whole thing seemed pretty suspicious to me so I took a look at the binary and I found something weird.
The binary started with a squashfs header obviously, but afterwards there is a pretty big area before the actual content of the filesystem starts that consists of a periodically repeating byte structure (16 * 0xff followed by a 0x01 byte). Also there are UBI signatures appearing throughout the entire binary.
I think the squashfs was running on top of a UBI device and that is why sasquatch couldn't extract it. Has anyone had to deal with a similar situation before and knows what I can do to mount it or to extract the files that it contains?
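The situation described in this post (unsquashfs and sasquatch both refusing the image, UBI signatures spread through the dump) is what a raw NAND image of a UBI device looks like: every erase block starts with a UBI erase-counter header ("UBI#") and a volume-identifier header ("UBI!"), and the SquashFS image only becomes contiguous once the logical erase blocks of the volume are put back in order. The following Python is an added example and not code from the post or from the Bus Pirate project: it strips the 128-byte spare area behind each 2048-byte page, parses the two UBI headers, reassembles one volume and reads the SquashFS superblock from its start. The page geometry (taken from the poster's other thread), volume id 0 and the constructed test image are assumptions; header and data CRCs are not verified.

```python
import struct

# NAND geometry from the poster's other thread: 2048-byte pages + 128-byte spare, 64 pages/block
PAGE, OOB, PAGES_PER_BLOCK = 2048, 128, 64
PEB = PAGE * PAGES_PER_BLOCK                      # physical erase block, data area only
UBI_EC_MAGIC, UBI_VID_MAGIC, SQSH_MAGIC = b"UBI#", b"UBI!", b"hsqs"
UBI_VID_STATIC = 2                                # vol_type: 1 = dynamic, 2 = static

def strip_oob(raw: bytes) -> bytes:
    """Drop the spare area behind each page so block offsets match the logical flash layout."""
    return b"".join(raw[i:i + PAGE] for i in range(0, len(raw), PAGE + OOB))

def parse_ec_header(peb: bytes):
    """UBI erase-counter header, the first 64 bytes of every UBI-managed PEB (CRC not checked)."""
    if peb[:4] != UBI_EC_MAGIC:
        return None
    ec, vid_off, data_off, image_seq = struct.unpack(">QIII", peb[8:28])
    return {"version": peb[4], "ec": ec, "vid_hdr_offset": vid_off,
            "data_offset": data_off, "image_seq": image_seq}

def parse_vid_header(hdr: bytes):
    """UBI volume-identifier header: which volume and which logical block this PEB holds."""
    if hdr[:4] != UBI_VID_MAGIC:
        return None
    vol_id, lnum, _, data_size, used_ebs, _, _, _, sqnum = struct.unpack(">IIIIIIIIQ", hdr[8:48])
    return {"vol_type": hdr[5], "vol_id": vol_id, "lnum": lnum,
            "data_size": data_size, "used_ebs": used_ebs, "sqnum": sqnum}

def reassemble_volume(image: bytes, vol_id: int) -> bytes:
    """Collect the LEBs of one volume in lnum order; the highest sqnum wins for duplicate LEBs."""
    lebs = {}
    for off in range(0, len(image) - PEB + 1, PEB):
        peb = image[off:off + PEB]
        ec = parse_ec_header(peb)
        if ec is None:
            continue                              # not UBI: bootloader, erased or bad block
        vid = parse_vid_header(peb[ec["vid_hdr_offset"]:ec["vid_hdr_offset"] + 64])
        if vid is None or vid["vol_id"] != vol_id:
            continue
        data = peb[ec["data_offset"]:]
        if vid["vol_type"] == UBI_VID_STATIC:
            data = data[:vid["data_size"]]
        if vid["lnum"] not in lebs or vid["sqnum"] > lebs[vid["lnum"]][0]:
            lebs[vid["lnum"]] = (vid["sqnum"], data)
    return b"".join(lebs[n][1] for n in sorted(lebs))

def squashfs_info(volume: bytes):
    """Parse the little-endian SquashFS 4 superblock at the start of the reassembled volume."""
    if volume[:4] != SQSH_MAGIC:
        return None
    inodes, _, block_size, frags, comp, block_log, flags, ids, major, minor = struct.unpack(
        "<IIIIHHHHHH", volume[4:32])
    bytes_used, = struct.unpack("<Q", volume[40:48])
    return {"inodes": inodes, "block_size": block_size, "compression": comp,
            "version": (major, minor), "bytes_used": bytes_used}

def build_test_image() -> bytes:
    """Constructed raw dump (with OOB): one non-UBI PEB, then UBI PEBs of volume 0 in scrambled
    order including a stale copy of LEB 1. Header CRC fields are left zero (not checked above)."""
    vid_off, data_off = PAGE, 2 * PAGE
    def ec_hdr():
        return (UBI_EC_MAGIC + b"\x01" + b"\0" * 3 + struct.pack(">QIII", 1, vid_off, data_off, 1)
                + b"\0" * 36).ljust(vid_off, b"\xff")
    def vid_hdr(lnum, sqnum):
        return (UBI_VID_MAGIC + bytes([1, 1, 0, 0])
                + struct.pack(">IIIIIIIIQ", 0, lnum, 0, 0, 3, 0, 0, 0, sqnum)
                + b"\0" * 16).ljust(PAGE, b"\xff")
    def peb(lnum, sqnum, data):
        return ec_hdr() + vid_hdr(lnum, sqnum) + data.ljust(PEB - data_off, b"\0")
    sb = (SQSH_MAGIC + struct.pack("<IIIIHHHHHH", 5, 0, 131072, 0, 1, 17, 0, 1, 4, 0)
          + struct.pack("<QQ", 0, 300000))       # root inode ref, bytes_used (sample values)
    pebs = [b"\x55" * PEB, peb(2, 5, b"LEB2"), peb(0, 4, sb), peb(1, 3, b"OLD1"), peb(1, 9, b"LEB1")]
    logical = b"".join(pebs)
    return b"".join(logical[i:i + PAGE] + b"\xff" * OOB for i in range(0, len(logical), PAGE))
```

The `data_offset` from the erase-counter header is what makes a plain `unsquashfs` on the raw dump fail: the superblock sits after the two headers, and every following erase block is interrupted again by 4 KiB of UBI metadata, so the filesystem's block offsets never line up. In practice the ubi_reader tool (`ubireader_extract_images`) performs this reassembly with CRC checks and also handles the volume table; `unsquashfs` then works on the extracted volume image.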

Bus Pirate Support / Re: Bus Pirate v3b SPI
Hello liketolearn,

I don't know if you already managed to solve your problem but I might have one or two ideas.

My understanding (which I am now starting to question and if you do know please educate me) was that the bootloader is stored in the SPI flash.
Are you sure that everything is stored in one flash? For example, I am still working with an embedded system that stores the bootloader on a separate flash. In my case the bootloader is stored in a NOR flash and the filesystem, the OS and some other stuff are stored in a NAND flash. So they are separated from each other. This may be your case as well; you should check if there are more storage devices assembled on the PCB.

Code:
flashrom -p buspirate_spi:dev=/dev/ttyS3 -c W25Q32.V
This is what your input looks like. You mentioned in your first post that the flash that you are working with is the following: Winbond 25Q1280VS0
Are you sure that the W25Q32.V is similar to yours? This might be the issue why flashrom isn't recognizing it.

Do you have a datasheet for the flash that you are working with? I tried to google it but I can't find any. Tbh the number 1280 looks a little bit weird. I could understand it if it were 128 (if I see this correctly, this number gives the density). Are you sure the name of the flash is correct?

Bus Blaster JTAG debugger / Does a non-selftest buffer exist for BBv4.1a
Hello everyone,

I am still trying to get my BusBlaster v4.1a to work.
The last time I tried to get it to work I reprogrammed the CPLD buffer logic with the following file:

Today I found another svf file that I didn't see before:

If I see this correctly both svf files are identical. Is there something that I am missing?
Especially because the manual says
We highly recommend users upgrade to a non-selftest buffer immediately.

Someone mentioned this before but nobody replied to that so I am trying it again.
Bus Pirate Support / Re: Bus Pirate communication in SPI Mode / SPI speed
Ok I managed to fix everything. I will describe real quick what I did to read out the content.
I had a couple of problems until I managed to fix everything. I still don't know why a few of these problems occurred, but I will describe them and how I fixed them.

Since the device that I worked with was a NAND flash I couldn't simply perform the 0x03 operation (seems to be an operation code for a read operation in many flash memories).
I had to perform a page read to cache operation first and then I could read the page from the cache.
My device consisted of 1024 blocks in total and every block had 64 pages.
One page consisted of 2048 Bytes + 128 Byte. (Only the first 2048 Bytes of each page were interesting for me)
The first page of the first block is loaded into the cache automatically after powering up the device.

First of all I had to set up my BusPirate.
To do so, I used the following input:
20x 0x00 (Enter BBIO Mode)
0x01 (Enter SPI Mode)
0x64 (set SPI speed to 2MHz)
0x8a(CLK idle low, CKE Edge from active to idle, w=3.3V, SMP Sample = Middle)
0x49(activates CS and powers up the BP)

My next steps are basically:
Reading out the first page that is automatically loaded into the cache and after that go through every page in every block, loading them into the cache via a loop one by one and writing the output into a file.

To send the necessary operation codes to my flash I used the write-then-read command of the BusPirate.
Basically 0x04 and then the parameters.
The last parameter of this function is the command that I want to send to my flash.
So I used this function to send a read page to cache command to my flash followed by a read page from cache command.
This is the idea behind it.

I had two significant problems:

1. I couldn't read an entire page from the cache, if I tried to read 2048 Byte, the first 700 Bytes (sometimes more and sometimes less, it was really inconsistent) were written correctly to the file and the rest was just a bunch of 0 Bytes or F Bytes.
I found out, while I was playing around with the settings that the number of "correct bytes" changed when I altered the SPI speed.
Unfortunately 2MHz worked best for me, with that SPI speed I managed to get the ~700 Bytes mentioned above.

What I did to fix that:
I simply split the pages into 4 * 512 Bytes.
Instead of reading the entire page, I loaded the same page 4 times and performed a read operation with a different offset (+512 Bytes from the last one).

2. I couldn't perform more than 2 write-then-read operations. After the third operation the BP started to do weird things and it ended up in BBIO Mode and started to change settings and stuff.

What I did to fix that:
I simply reinitialised the BP after every second write-then-read command.
20x 0x00 (BBIO Mode)
0x0f (BP Reset)
20x 0x00 (BBIO Mode)
and then SPI Mode, SPI speed and general settings.
Of course this made the whole thing slower, but I still managed to read the whole NAND flash (1Gb) in around 20 to 30 minutes. At least it worked this way and I think 30 minutes is still ok.
Bus Pirate Support / Re: Bus Pirate communication in SPI Mode / SPI speed
I will explain how I did it after finishing it.
Unfortunately I had another problem. I can read everything up to block 4.
After that it looks like the script doesn't load the blocks correctly and it repeats the first 3 blocks when I reach certain addresses, so I guess there is still something wrong with the addresses that I have to fix.

The output that I get if I load one of those blocks manually is UBI.
Bus Pirate Support / Re: Bus Pirate communication in SPI Mode / SPI speed
Hello USBEprom,

this is some very valuable information. Thank you a lot for replying.

Btw. I managed to read out the first page entirely yesterday with the 2 MHz. I had to use a little trick though. I split the page into 4 areas of the same size and then I read out the 4 areas one by one. Seems like I can get 544 Bytes consistently every time. Finally some progress :D
Bus Pirate Support / Re: Bus Pirate communication in SPI Mode / SPI speed
Btw is it possible to use other SPI speeds than the available 8 (30KHz, 125KHz, 250KHz, 1MHz, 2MHz, 2,6MHz, 4 MHz, 8MHz)?
Something like 2.3 MHz for example. I am just wondering if it's possible to let the BP communicate at such a speed.

Edit: The wires that I use to set the connection are around 15cm long, do you think this may be too long?
Bus Pirate Support / Re: Bus Pirate communication in SPI Mode / SPI speed
I'm not clear what this means. This is the result?

What chip is it? Are there setup and configuration commands, or address commands? Is your script handling that?

Hello Ian,

thank you for replying.

First of all about the byte sequence that I posted. (0x04 0x00 0x04 0x08 0x80 0x03 0x00 0x00 0x00)
I was referring to this site. I use the Write then read command from the Bus Pirate to read out the content.
Basically 0x04 is the BP command,
the next two bytes 0x00 0x04 are the number of bytes that I will write,
the next two bytes 0x08 0x80 are the number of bytes that I want to read (2176),
and the last four bytes are the bytes that I want to write. In my case 0x03 is the read page from cache command from my flash and the following three bytes are the parameters.
This is what I send to the Bus Pirate.

The Flash that I am trying to read is this one: GD5F1GQ4RCYIG from Giga Device.

There are specific commands to transfer pages to the cache and to read pages from the cache.
That's not necessary for the first page though because the Flash reads the first page automatically to the Cache when the Flash is supplied with power, that means for the first page I can start directly with the read page from Cache command.
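The frame layout explained in this post (0x04, two-byte write count, two-byte read count, then the opcode and its three parameter bytes) and the full read procedure from the "Ok I managed to fix everything" post further up (page read to cache, four 512-byte reads from cache, re-initialisation after every second write-then-read) can be put together into one script. The Python below is an added example and not code from the posts or from the Bus Pirate project. The Bus Pirate bytes are the ones the posts use; the 0x13 page-read opcode and the address-byte layouts of both NAND commands are assumptions taken from common SPI NAND parts and must be checked against the GD5F1GQ4 datasheet. `FakeBusPirateNand` is a constructed stand-in for the serial port so the script runs offline; it also reproduces the "third write-then-read breaks the Bus Pirate" behaviour so the re-init logic is exercised.

```python
import struct

# Bus Pirate binary-mode bytes exactly as the posts use them
BBIO_ENTER = b"\x00" * 20      # 20x 0x00 enters BBIO mode (the Bus Pirate answers "BBIO1")
SPI_ENTER = b"\x01"            # enter binary SPI mode (answers "SPI1")
BP_RESET = b"\x0f"             # reset, sent from BBIO mode
SPI_SPEED_2MHZ = b"\x64"       # 0x60 | 0b100: 2 MHz
SPI_CONFIG = b"\x8a"           # CLK idle low, edge active->idle, 3.3 V output, sample in middle
SPI_PERIPH = b"\x49"           # power supply on, CS active
WRITE_THEN_READ = 0x04         # 0x04, 2-byte write count, 2-byte read count, payload; reply 0x01 + data

# NAND geometry from the posts: 1024 blocks x 64 pages x (2048 + 128) bytes
PAGE_DATA, OOB, PAGES_PER_BLOCK, BLOCKS = 2048, 128, 64, 1024
CHUNK = 512                    # the post reads each page as 4 x 512 bytes
OPS_BEFORE_REINIT = 2          # the post re-initialises after every second write-then-read

# 0x03 "read from cache" is from the posts; 0x13 "page read to cache" and both address-byte
# layouts are ASSUMED from common SPI NAND parts. Check the GD5F1GQ4 datasheet.
OP_PAGE_READ, OP_READ_CACHE = 0x13, 0x03

def write_then_read(payload: bytes, nread: int) -> bytes:
    """Build one Bus Pirate write-then-read frame (counts are limited to 4096 bytes each)."""
    if not (0 <= len(payload) <= 4096 and 0 <= nread <= 4096):
        raise ValueError("write-then-read counts must be 0..4096")
    return bytes([WRITE_THEN_READ]) + struct.pack(">HH", len(payload), nread) + payload

def page_read_cmd(block: int, page: int) -> bytes:
    """Load one page into the NAND cache (assumed: one dummy byte + 16-bit row address)."""
    row = block * PAGES_PER_BLOCK + page
    return write_then_read(bytes([OP_PAGE_READ, 0x00]) + struct.pack(">H", row), 0)

def read_cache_cmd(column: int, length: int) -> bytes:
    """Read `length` bytes of the cached page from `column` (assumed: 16-bit column + dummy byte)."""
    return write_then_read(bytes([OP_READ_CACHE]) + struct.pack(">H", column) + b"\x00", length)

def init_sequence() -> bytes:
    """BBIO -> SPI mode -> 2 MHz -> bus config -> power and CS, as in the posts."""
    return BBIO_ENTER + SPI_ENTER + SPI_SPEED_2MHZ + SPI_CONFIG + SPI_PERIPH

def reinit_sequence() -> bytes:
    """The workaround from the post: BBIO, reset, BBIO again, then the normal SPI setup."""
    return BBIO_ENTER + BP_RESET + init_sequence()

class FakeBusPirateNand:
    """Constructed stand-in for a Bus Pirate wired to a SPI NAND; answers like the real device
    (0x01 then the read bytes) and breaks after OPS_BEFORE_REINIT commands without a re-init."""
    def __init__(self, image: bytes):
        self.image = image
        self.cache = image[:PAGE_DATA + OOB]   # the first page is loaded on power-up
        self.ops_since_init = 0

    def exchange(self, frame: bytes) -> bytes:
        if frame[0] != WRITE_THEN_READ:        # mode/config bytes: treat as a (re)init
            self.ops_since_init = 0
            return b""
        nwrite, nread = struct.unpack(">HH", frame[1:5])
        payload = frame[5:5 + nwrite]
        self.ops_since_init += 1
        if self.ops_since_init > OPS_BEFORE_REINIT:
            raise RuntimeError("Bus Pirate dropped back to BBIO mode")
        if payload[0] == OP_PAGE_READ:
            row = struct.unpack(">H", payload[2:4])[0]
            start = row * (PAGE_DATA + OOB)
            self.cache = self.image[start:start + PAGE_DATA + OOB]
            return b"\x01"
        if payload[0] == OP_READ_CACHE:
            col = struct.unpack(">H", payload[1:3])[0]
            return b"\x01" + self.cache[col:col + nread]
        return b"\x00"

def dump_nand(bp, blocks: int = BLOCKS, pages: int = PAGES_PER_BLOCK) -> bytes:
    """Read the 2048-byte data area of every page through bp.exchange(), re-initialising the
    Bus Pirate before every third write-then-read as the post describes."""
    out, ops = bytearray(), 0
    bp.exchange(init_sequence())

    def send(frame: bytes) -> bytes:
        nonlocal ops
        if ops == OPS_BEFORE_REINIT:
            bp.exchange(reinit_sequence())
            ops = 0
        ops += 1
        return bp.exchange(frame)

    for block in range(blocks):
        for page in range(pages):
            if block or page:                  # page 0 of block 0 is already cached on power-up
                send(page_read_cmd(block, page))
            for col in range(0, PAGE_DATA, CHUNK):
                resp = send(read_cache_cmd(col, CHUNK))
                if resp[:1] != b"\x01" or len(resp) != CHUNK + 1:
                    raise RuntimeError(f"short or bad reply at block {block} page {page} col {col}")
                out += resp[1:]
    return bytes(out)

def make_test_image(blocks: int, pages: int) -> bytes:
    """Constructed NAND image: each page's data area is filled with its row number, spare is 0xFF."""
    img = bytearray(b"\xff" * (blocks * PAGES_PER_BLOCK * (PAGE_DATA + OOB)))
    for b in range(blocks):
        for p in range(pages):
            row = b * PAGES_PER_BLOCK + p
            start = row * (PAGE_DATA + OOB)
            img[start:start + PAGE_DATA] = bytes([row & 0xFF]) * PAGE_DATA
    return bytes(img)
```

Against real hardware the only change is the transport: an object whose `exchange()` writes the frame to the Bus Pirate's serial port (pyserial's `serial.Serial`, 115200 baud) and reads back `1 + nread` bytes with a timeout, so a short reply is detected by the length check instead of being silently padded with 0x00 or 0xFF. One page load followed by four offset reads from the cache is enough when the column address works as assumed; reloading the page before each 512-byte read, as the post does, costs one extra command per chunk but changes nothing else.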
Bus Pirate Support / Bus Pirate communication in SPI Mode / SPI speed
Hello everyone,

I have one question related to the Bus Pirates SPI Mode and the configuration of the SPI speed.

I have a Script with that I can read out the content of the first page of a NAND Flash.
That script does the following.
makes the BP enter BBIO1 Mode (20* 0x00) -> makes the BP enter SPI Mode (0x01) -> configures the SPI speed and the SPI Mode (0x64 = 2MHz and 0x8a = CLK idle low, CKE Edge from active to idle, w=3.3V, SMP Sample = Middle) -> supplies power to the NAND Flash and activates CS (0x49).
After all the configuration is done it reads out the first page that is automatically loaded into the Cache from the Flash when it is powered up.

To do so, I used the Write-then-read function: 0x04 0x00 0x04 0x08 0x80 0x03 0x00 0x00 0x00

When I look at the file that contains the content of the first page, it looks like a part of the content is cut off from the rest and in between there are a bunch of 0 bytes (sometimes 0xFF bytes, it does look inconsistent). Besides that, I know how the first page should look and the beginning is correct, but once I reach the middle or so it should look different.
I tried a few things until I found out that when I change the SPI speed the output gets even messier. That's why I assume it has something to do with that.
I would like to ask you guys if someone of you knows and can explain to me why my output is different with a different SPI speed, how I determine which SPI speed I need to use, and what if the speed value that I need is not part of the 8 values that the BP supports?
Bus Blaster JTAG debugger / Re: BusBlaster v4.1a can't connect to JTAG
Hello ian,

yes I needed to set a Jumper to access Update Buffer Mode, I was only able to reprogram the CPLD after setting it.
There is also another Mode, called Normal Mode, but I have no idea what it does.
I found something about normal mode on the dp site. Can't really tell if I need that though:
When MODE is set to normal, the secondary JTAG interface of the FT2232 is connected to multipurpose pins on the CPLD.

Btw I followed the instructions to reprogram it and now I get a different error :/

jtag> cable jtagkey vid=0x0403 pid=0x6010 interface=0
Connected to libftd2xx driver.
jtag> detect
discovery.c:117 urj_tap_detect_register_size() Warning: TDO seems to be stuck at 0
Error: usbconn/libftd2xx.c:127 usbconn_ftd2xx_flush() ftdi/ftd2xx error: FT_Write() failed: io error
jtag> reset
jtag> cable jtagkey vid=0x0403 pid=0x6010 interface=1
Connected to libftd2xx driver.
jtag> detect
discovery.c:117 urj_tap_detect_register_size() Warning: TDO seems to be stuck at 1
Error: part.c:450 urj_part_parts_set_instruction() invalid parameter: NULL parts

When I place the jumper in normal mode I get the same error that I posted before in Reply #4
Bus Blaster JTAG debugger / Re: BusBlaster v4.1a can't connect to JTAG
I managed to find the patched version (at least I think so).
It is named jtag-rev11.exe

I just wanted to see what happens when I try to connect it interface=0 and I got this:

discovery.c:117 urj_tap_detect_register_size() Warning: TDO seems to be stuck at 1
Error: parse.c:208 urj_parse_file() no error: Cannot open file 'C:\Users\XXXXXX/.jtag/rc' to parse

Same result for interface=1.
Don't know if that's better though.

I am still looking for the correct bsdl and svf files for my Bus Blaster v4.1a

I found this on GitHub. Can you please verify that these are the bsdl and svf files that I am looking for?
Bus Blaster JTAG debugger / Re: BusBlaster v4.1a can't connect to JTAG
Can you check the soldering on your board? At one point people were having problems as they had bad solder joints.

Also can you try
Code:
cable jtagkey pid=0x6010 vid=0x0403 interface=1
and see if you can detect the CPLD correctly?

Also I would reprogram the CPLD with the jtagkey bitstream, just in case it had the selftest bitstream.

Hello tayken,

first of all thanks for trying to help me.

I checked the soldering on my board. It looks good to me, there are no pins or components that are desoldered. They are all soldered well to the Board.

Besides that I tried out using interface=1 instead of interface=0. The result is still the same. It connects to the libftd2xx driver but detect produces the same output as before.

I wanted to reprogram the CPLD but the problem is that the Dangerous Prototypes website says that to do so you need to use a patched .exe file of UrJTAG, but I can't find this specific file.
Can you tell me where I can download this patched file?