I'm starting to look at the JTAG of the c155. does anyone know the VCC level the IC's are running at. JTAG lines will likely be the same.
thanks
On Wed, Mar 17, 2010 at 6:59 AM, Nathan Fain nat@fains.com wrote:
I'm starting to look at the JTAG of the c155. does anyone know the VCC level the IC's are running at. JTAG lines will likely be the same.
2.8 V for the IOs AFAICT
Hi,
Nathan Fain :
I'm starting to look at the JTAG of the c155. does anyone know the VCC level the IC's are running at. JTAG lines will likely be the same.
Yes, the JTAG voltage is 2,8V, but I assume these pins are quite resistant, so 3.3V should work, too.
This is what I got with a Xilinx DLC5 and urjtag on a Sagem my201x (Calypso lite, just like the C155):
Reading 0 bytes if idcode Read 00001110 00110000 00000000 00000010 00000000 00000000 00000000
For figuring out more commands and flash access of these Sagem phones (maybe this will work on the C155 too), I'll build the clone of a Sagem JTAG Unlocker for Calypso phones next week.
There are a few around, and for some you can even find schematics and hex-files. The one I'll build is based on an ATMega32, connects to the parallel port, and the software also supports "dump flash" and "write flash" beneath obviously, but uninteresting for us, "unlock".
Since these Calypso-based Sagem phones have no serial bootloader, the "unlockers" always depended on JTAG for accessing the flash, so my approach is to find out more about the Calypso JTAG with either sniffing or disassembling one of those Sagem JTAG Unlockers.
The target should be flash-access with openocd on at least the C123 and C155, and maybe some of the Sagems.
Since most of these Sagem phones (e.g. the my201x and myx2-2) don't use Rita as GSM transceiver, but just like the newer Motorola Compal models (W220 and C161) a Silicon Laboratories Si4210 Aero II (for which register-level documentation is available), it would be nice to have a driver for this at some later point.
These Sagem phones (in particular the myx-1) are still highly available on different marketplaces.
Regards, Steve
Hi Steve,
On Wed, Mar 17, 2010 at 05:00:54PM +0100, Steve Markgraf wrote:
For figuring out more commands and flash access of these Sagem phones (maybe this will work on the C155 too), I'll build the clone of a Sagem JTAG Unlocker for Calypso phones next week.
There are a few around, and for some you can even find schematics and hex-files. The one I'll build is based on an ATMega32, connects to the parallel port, and the software also supports "dump flash" and "write flash" beneath obviously, but uninteresting for us, "unlock".
Since these Calypso-based Sagem phones have no serial bootloader, the "unlockers" always depended on JTAG for accessing the flash, so my approach is to find out more about the Calypso JTAG with either sniffing or disassembling one of those Sagem JTAG Unlockers.
I'm quite sure they simply use bit-banging and regular JTAG EXTEST to create read and write cycles on the address + data bus. That is nice for flashing / unbricking, but it's not nearly quite as nice (for software development) as to get access to the ARM7TDMI EmbeddedICE block (e.g. with OpenOCD) to halt the CPU at any time, dump the registers, single step through code, etc.
Since most of these Sagem phones (e.g. the my201x and myx2-2) don't use Rita as GSM transceiver, but just like the newer Motorola Compal models (W220 and C161) a Silicon Laboratories Si4210 Aero II (for which register-level documentation is available), it would be nice to have a driver for this at some later point.
sure, if the documentation is available it should not be muhc of a problem...
These Sagem phones (in particular the myx-1) are still highly available on different marketplaces.
please note that at least some of the sagem phones (particularly the myx101) exist in two versions (with the same marketing name), old models with Calpso and newer models with LoCosto.
baseband-devel@lists.osmocom.org
-
Harald Welte -
Nathan Fain -
Steve Markgraf -
Sylvain Munaut