jtag voltage

Steve Markgraf steve at steve-m.de
Wed Mar 17 16:00:54 UTC 2010


Nathan Fain :
> I'm starting to look at the JTAG of the c155.  does anyone know the VCC
> level the IC's are running at.  JTAG lines will likely be the same. 

Yes, the JTAG voltage is 2,8V, but I assume these pins are quite 
resistant, so 3.3V should work, too.

This is what I got with a Xilinx DLC5 and urjtag on a Sagem my201x 
(Calypso lite, just like the C155):

Reading 0 bytes if idcode
Read 00001110 00110000 00000000 00000010 00000000 00000000 00000000

For figuring out more commands and flash access of these Sagem phones 
(maybe this will work on the C155 too), I'll build the clone of a Sagem 
JTAG Unlocker for Calypso phones next week.

There are a few around, and for some you can even find schematics and 
hex-files. The one I'll build is based on an ATMega32, connects to the 
parallel port, and the software also supports "dump flash" and "write 
flash" beneath obviously, but uninteresting for us, "unlock".

Since these Calypso-based Sagem phones have no serial bootloader, the 
"unlockers" always depended on JTAG for accessing the flash, so my 
approach is to find out more about the Calypso JTAG with either sniffing 
or disassembling one of those Sagem JTAG Unlockers.

The target should be flash-access with openocd on at least the C123 and 
C155, and maybe some of the Sagems.

Since most of these Sagem phones (e.g. the my201x and myx2-2) don't use 
Rita as GSM transceiver, but just like the newer Motorola Compal models 
(W220 and C161) a Silicon Laboratories Si4210 Aero II (for which 
register-level documentation is available), it would be nice to have a 
driver for this at some later point.

These Sagem phones (in particular the myx-1) are still highly available 
on different marketplaces.


