[zrbarnes]

EDIT: Even though I started this thread months ago, RobBrownNZ has been the real champion in making this a reality. I'm glad that I was able to get the ball rolling. Most of the information I provided were very amature-ish guesses, so you're best to stick with his info.

RobBrownNZ, on 19 January 2011 - 03:42 PM, said:

I'll put together a guide for using serial and JTAG over the next couple of days, hopefully we can get some more people playing with this and find ways to make it useful. I mean, we now have serial and JTAG access, so that's gotta be a good thing!

Hooking up a serial link is very easy. You need a ribbon cable and breakout board as zrbarnes posted at the start of this thread, a USB-serial adapter like this: http://www.sparkfun.com/products/718, a 3.3k resistor (5c at Radio Shack), some wire and a little bit of soldering ability. About $30 all up.

If your bootloader is intact, then you can definitely unbrick your unit through the serial link. If your bootloader is fried, then you need JTAG and we need to figure out how use JTAG to re-program (at least) the bootloader.

The CON4 pinout, just for completeness:
Pin 1 - 3.3V supply
Pin 2 - 3.3V supply
Pin 3 - GND
Pin 4 - 3.3V supply
Pin 5 - Unknown input
Pin 6 - Unknown input
Pin 7 - RTCK
Pin 8 - GND
Pin 9 - serial terminal Tx from PDN
Pin 10 - serial terminal Rx into PDN
Pin 11 - nReset (SRST)
Pin 12 - TDI
Pin 13 - TMS
Pin 14 - GND
Pin 15 - TCK
Pin 16 - TDO, should use a pullup (15k will do).
Pin 17 - nReset (SRST)
Pin 18 - GND
Pin 19 - Unknown input
Pin 20 - Unknown input

Original Post:

After slightly failing at getting USB OTG to work (why won't you work??), I have turned my attention elsewhere. My current project is trying to figure out the purpose of the empty CON4 connector on the board. However, even though I dabble in device modification, I am rarely a pioneer. Over the years, I've had many items that I thought I had bricked and started investigating JTAG hacking, but in the end, I always found another solution. Therefore, I don't have a whole lot of experience in tracing circuits (though I do know my way around a mulitmeter), nor have I ever seen the typical behavior of JTAG and/or serial port data lines.If this CON4 gives access to the JTAG data lines, it would allow a whole slew of kernel testing to be done without fear of bricking the device. Regardless of what CON4 is, if the pins are valuable for other mods, then it gives us easy access that doesn't require soldering (which is nice since I don't have a good soldering setup yet or a whole lot of experience with surface mount stuff).I know we don't have a lot of hardware engineers here, and I might eventually try to cross-post at some of the other forums where reverse engineering has more focus. For now, I'm posting it here to see if anyone with a PDN can help, or has already done any research. It was briefly discussed in http://www.slatedroi...l-high-res.html but sadly, no one seemed excited enough to proceeded with exploring it.All discussion of probability aside, it would be really nice if the 20pin CON4 connector on the board was just a standard arm JTAG port. However, looking at the voltages, they don't really line up. Therefore, we need a way to identify what pins are what (hopefully without needing to remove the CPU to trace the pins). If anyone is interested in getting involved, I have an infinite amount of pictures of every part of this device.


From the top pin (1) to the bottom pin (20), while booting, I measured the following voltage on the pins (all are in reference to ground being connected to the negative side of the power adapter):

• 3.3069
• 3.3069
• 0.014
• 3.3069
• 0.001
• 0.001
• 0.014
• 0.014
• 3.3069
• 0.014
• 3.3069
• 3.3069
• 3.3069
• 0.014
• 0.015
• 0.98
• 3.3069
• 0.014
• 3.3069
• 0.001

On the back, there are several test points close to the CON4 area. Using a multimeter, I assumed (since my multimeter isn't very accurate) that if I measured a very low resistance (<5 ohms), then the points were connected.

• TP143: Pins 3, 8, 14, 18 = 0.015v
• TP144: Pins 1, 2, 4 = 3.3v
• TP145: Pin 9 = 3.3v
• TP146: Pin 10 = 0.018v
• TP147: Pins 11, 17 = 3.3v
• TP148: Pin 12 = 3.3v
• TP149: Pin 13 = 3.3v
• TP150: Pin 15 = 0.015v
• TP151: Pin 16 = 0.95v
• TP152: Pins 11, 17 = 3.3v

Here is my amateur speculation:Curious to me is pin 16. It's consistently is in the .80-.95 range. Could this be a pulse with a 25% duty cycle? (3.3 / 4 ~ .85)? I suppose I would need an oscilloscope to know for sure. I'm guessing the TP144 node is Vdd, while the TP143 node is Gnd. Probably the other pins at 3.3v are high signals, while the other 0.015v signals are low signals. The pins with 0.001v are probably not connected to anything. I haven't experimented with measuring the voltages at different times, but if someone knows of a good time to check them that might give some more info, let me know. Also, if you want me to check if a pin is connected to a resistor, or what the value of the resistors are, I can provide that info as well.

This post has been edited by zrbarnes: 23 February 2011 - 05:28 AM

[zrbarnes]

I don't want to assume that this is a JTAG header, since that is ridiculously wishful thinking, but I'm going to go ahead and compile some info from the sources I have, and maybe someone else might be able to benefit from them.

• Standard ARM 20pin JTAG Pinout:
  
  
• More info about the signals: arm-jtag.pdf
• From Samsung, s3c6410_user_manual_rev1.1.pdf:
  
• From Samsung, SMDK6410_CPU_BD_SCHEMATICS_REV1.0.pdf:
  
  

Some of the other 6410 development boards have 20pin connectors that aren't JTAG headers, but none of those seemed to immediately match up either. Sometime in the near future, I might post that info here.

This post has been edited by zrbarnes: 23 February 2011 - 05:30 AM

[zrbarnes]

Regardless of whether or not this contains JTAG lines, there may be other goodies contained. To help with this mod, since these lines are already terminated in a connector, it might be beneficial to access these pins without soldering to the mainboard or modifying the PDN in any permanent way. If this is desired, then we can make use of the following:

20 pin, 0.5mm pitch Flat Flexible Cable (FFC)

• Available in various thickness and length
• You might already have this if you collect broken electronics, like me . Common in audio/visual electronics. If you find a 0.5mm pitch cable with too many pins, you could very carefully cut off the extra pins near the connector (or the entire length of the cable if you really want to).
  
• Compatible Digikey Parts
  

Daughterboard that converts 20 pin, 0.5mm pitch FFC connector to standard 2.54mm pins

• Manufacturer part#: NHD-FFC20
• Digikey part#: NHD-FFC20-ND (cheapest option for shipping in USA)
• Mouser part#: 763-NHD-FFC20
• Available elsewhere too.
• This could be made much smaller by dremeling off the side parts that are there to add resistors.
• If you are good at soldering, you can definitely make this yourself.
• I'd love to see some alternatives if you find them. This is the only 20 pin, with 0.5mm pitch that I could find.
  

2x10 pin 2.54mm through-hole header

• Many variations; also some with plastic boarder, some without.
• To salvage this part, look for it on motherboards (pc, routers, printers, etc); you could combine smaller headers (like using two 2x5's side by side), or cut off extra pins if it has too many
• Available for sale at tons of places (ebay, digikey, etc.)
  

This post has been edited by zrbarnes: 23 February 2011 - 05:31 AM

[Mark Adams]

Would you like me to move this to the PDN hardware mod sub forum for you? You might get the attention of the solder and screwdriver crowd there. Guys like HWGeek (I think that's his handle, close enough anyway) just love to tear these thing apart you know. And now you done gave them a map. ;)

[zrbarnes]

Mark Adams said:

Would you like me to move this to the PDN hardware mod sub forum for you? You might get the attention of the solder and screwdriver crowd there. Guys like HWGeek (I think that's his handle' date=' close enough anyway) just love to tear these thing apart you know. And now you done gave them a map. ;)

Doh! I dropped it in the wrong forum. That's what I get for having too many tabs open. Thanks!

This post has been edited by zrbarnes: 23 February 2011 - 05:33 AM

[Mark Adams]

Thought so. It's on it's way.

[derelicte]

very good detective work. have you tried measuring the resistance of the resistors next to con4? It might provide some insight as to what the connector is for.I have to ask though. why the obsession with finding a jtag interface? what do you hope to use it for?

[zrbarnes]

When I get some time, I'll measure the resistors and post that info.As for why... we don't have an actual recovery method for bricked devices. The stock firmware recovery method is only useful for recovering from a handful of scenarios, and beyond that, it's useless. If anyone is actually going to get involved with kernel hacking or building a custom recovery image, then they are going to need jtag to recover the device when it inevitably fails.JTAG also opens up other doors, but I don't know enough about it to really explain it.

[RobBrownNZ]

Hi,

I'm a hardware engineer. I've just pulled my WPDN apart for no good reason, found CON4, wondered if it might be a JTAG connector, and then google led me to this thread .

It's holiday season at the moment so it'll be a couple of weeks before I can really get into it, but I'm very interested in seeing what can be made of this (because of course with JTAG, we can look at kernel changes etc without fear of bricking).

Is there still interest in this from other people?

Regards,
Rob.

[Mark Adams]

Interest YES. Zero ability, but highly interested!

[davidr]

x2

[Motley Jester]

Here Here! (Having just found out that for no apparent reason my PDWN must have bricked just sitting connected to my PC tonight).  Complete nothing.  Tried disconnecting battery and power, and left it that way for a couple hours, while also giving the buttons some vigorous working... but to no avail.  And I wasn't even doing anything inherently dangerous at the time.    So if JTAG will help recover from situations like these...  I'm VERY interested in this mod.

[mrsburnout]

Quote

Here Here! (Having just found out that for no apparent reason my PDWN must have bricked just sitting connected to my PC tonight).  Complete nothing.  Tried disconnecting battery and power, and left it that way for a couple hours, while also giving the buttons some vigorous working... but to no avail.  And I wasn't even doing anything inherently dangerous at the time.    So if JTAG will help recover from situations like these...  I'm VERY interested in this mod.

Did you know the PDN does not charge through your computer? (AC adaptor only)  Try  recharging your battery and then press the reset when powering back on.

[RobBrownNZ]

Quote

Interest YES. Zero ability, but highly interested!

OK, cool. I just ordered some flat flex and a breakout board (excellent information and links, zrbarnes!) and I'll report back when I have something to... erm... report

[Motley Jester]

@mrsburnout: Although opinions vary on whether or not it charges well enough to compensate for the power loss from being on while connected to a computer or not, I did indeed have it plugged in.  And the battery is full.  I think during a file transfer the other day I had it flake out (pause, spew some SCSI device errors to the log via USB) and then it locked.  My guess is that it somehow hosed the / root filesystem.  Probably not severely, but well enough. 

Not a bother, I'm going to attempt an exchange today (putting on my best... "I dunno what happened Mr/Mrs. Clerk-At-Store, it just won't turn on... duh... help me... " XD)  Then I'll bring the new one home and try flashing with that 1/3 firmware. No worries.  I'm still fascinated by this project, because they're right.. JTAG would be the answer to our prayers concerning tampering with the base kernel in the unit.

Also, the other hardware folks that are working on adding back in basic functionality (camera, bluetooth, GPS, etc) could benefit from this.  Has anyone attempted to wade through the contacts at Pandigital and try and lock onto a dev?  It'd be great if we could find out what kind of setup they're using to do the initial flash to the unit. 

[mac1_131]

careful using a ohmmeter to directly ohm out those pins - it might run enough current through some sensitive cmos to pop it.

better to use something with a higher impedance, like a scope, if you have access to one

[Motley Jester]

Just some random impressions...  Disclaimer: I know just about diddly-squat about eletronics at the board level... however, sometimes common sense prevails...

Looking at the pins and examining the traces they connect to (or don't connect to), it appears that:

Pins [1] and [2] share the same trace.

Pins [3], [8], [14]. and [18] also share the same trace, to GND. (I'm fairly certain about [14], because even though I can't see where it goes, it's thickness compared to the surrounding traces makes it almost apparent.

Pins [4], [9], [11], [12], [13], and [15] appear to all be individual traces. ( I'm not sure on 9, unless it passes through to the other side of the circuit board, it doesn't look like it connects to anything.  So I'm just crossing my fingers.. cuz it doesn't add up without 9.)

Pins [5], [6], [7], [10], [16], [17], [19], [20] do not appear to be used.

[3], [8], [14], and [18] appear to connect to the "thick" layer (wow, I have zero terminology), which I assume is GND. So that would rule them out as I/O lines.

[1], [2], and [4] all look like they pass through to the other side of the board (it'd be nifty to see a nice picture of that side).  Either that or the indents are test points for a "bed of nails" rig (aha!) prior to (erk) "green-sheeting" the board.

According to the JTAG diags n' stuff you've posted, we need 7 individual channels plus a GND I'm guessing (I'm just winging it here folks). 

So, doing a little twisted logic, 3, 8, 14, and 18 are out cuz they're GND, 1 and 2 are the same, and along with 4 might pass through the board (or they're just nail points), and a bunch don't look used at all.  So we end up with [1, 2], [4], [9]. [11], [12], [13], [15].... which makes lucky number seven.  The exact number of control lines we need for the JTAG diagrams you posted.

Of course, I'm proly dead wrong.. but hey, you can't say it wasn't well thought out.

Update To My Mad Theories:

I had some more thoughts while looking just to the right of the leads for the connector... at those banks of (I'm assuming) surface mount resistors(?)... I'm really reaching here... anyway...  It's VERY hard to make out what happens to the traces as they approach that bank because of the white positioning lines that overlay everything.  However, it DOES look (the more I look at it) like it may just be JTAG header.  Whether it's custom, or if they just used some weird, wonky standard that's in-house for the fab process they used to assemble these things...  *SHRUG*...  anyway...

Oh and Pin 16 may just be XjRTCK which is the clock pulse. Because without something to send a high signal to activate the "Peripherals" debugger, I would think there wouldn't be any output on XjTDO.

Of course, a thought just occurred to me...  just how many of the lines are necessary at the minimum to flash (and maybe debug) the board?  I mean, these guys aren't known for being too thorough... what if they only needed 4 out of the 7 leads?

Another wild idea, what if [1,2], and [4] are the two Output lines, and [11] through [15] are the input lines.  Everything else is either GND or NC?

[Ok, you can start laughing at me now.]

[JPdonnel]

While I do not know much about JTAG I do see how it has been used by other groups to do some good things. I posted some pictures of the back side of the board in the �Ladies and Gents - For your viewing pleasure, the guts of the Novel (high-res)� area today and pulled the CPU diagram and turned it into digital. Hope this helps

[JPdonnel]

Full diag

[MumbleThumbs]

Anyone know how many layers this board is?  If it is a simple dual sided board than it should be easy to trace...I doubt it is though.  Looks like I am going to have to pull my second one apart and do some tracing.