JTAG for the Wallaby
This page is about the discovery and the use of the JTAG possibilities of the Wallaby. JTAG is a protocol designed to do in-circuit testing and debugging of hardware devices and circuit boards. Although JTAG allows very advanced means of debugging, the main purpose of this exercise so far was to be able to flash the ROM without a bootloader. More information on JTAG can be found in the resources at the end of this page.
Discovery of the JTAG pads
The first step to be taken is the discovery of the so-called test pads that connect to the JTAG pins on the StrongARM. From the datasheet of the SA-1110 StrongARM processor the location of these 5 pins is known. Unfortunately the SA-1110 is mounted with a 256 Ball Grid Array (BGA) package. This means access to the pins is impossible without removing or destroying the chip. The chip can be seen on the top right on the picture below.
Now de-soldering of a 256 pin BGA is not a task to perform with a simple soldering iron. In general these packages are put on the board in a manufacturing process and hot-air rework stations exist to do maintenance like replacement. Unfortunately a hot air soldering station is not part of our equipment portfolio. Luckily, we have more brains than money so someone suggested using a normal oven.
What better idea than cooking an XDA?
Some research on the net showed that a typical melting temperature for BGA solder would lie somewhere between 180-210 degrees Celsius. Especially at temperatures at the high end, the chips would almost certainly be killed. For this exercise that doesn't matter. What we want is that the PCB is still in proper condition after cooking. Some texts on manufacturing speak of a process called 'pre-baking'. This is meant to get rid of any moisture in an orderly fashion and usually takes about 24 hours at 100 C. At higher temperatures the moisture could lead to blistering and delaminating in the PCB (and possibly chips, but we don't care about that).
The oven used was a Whirlpool combi micro-wave. It has a hot-air oven that can go up to 250 C. The PCB was placed on a glass plate and pre-baked (30 minutes at 100 C and 60 minutes at 120 C). All in all the following equipment was used:
- XDA PCB
- Whirlpool VIP34 combi micro-wave oven
- glass plate
- oven glove
- pair of tweezers
- small screwdrivers
- Sony cybershot camera
After the pre-bake the Quick Heat feature of the oven was used to increase the temperature first to 200 C. At this temperature it was not possible to get any parts to move on the board. So the temperature was further increased to 225 C and just when that temperature was reached on the display, it was possible to remove the first components. Removing the components was done with a pair of tweezers and small screwdrivers as can be seen in the pics below. Taking the plate out of the oven allowed about 2 minutes of time for manipulation before the solder became solid again. Several of the bigger chips and all metal casings were removed in three bakings.
The finished result can be seen below and can be compared to the picture at the top. Although the chips did not come off clean completely, there were only a few shorts due to solder residue. Apparently the temperature of 225 C (probably lower in the oven at that time) was just high enough to soften the solder, but not let it reflow yet.
Tracing the pads
The next step was to trace the pins to test pads on the board. This exercise was also performed by someone for the iPAQ 3600. The results for fitting an adapter can be seen on this page. The JTAG protocol makes use of 5 pins: TDI, TDO, TMS, TCK and nTRST. Further a Ground and Vstandby voltage (3.3V) are needed. Of the five pins, three were traced directly to pads very close to the place of the StrongARM chip. One could even be traced visually.
For TMS and TCK a location was found on the other side of the board, under the cable for the LCD. A group of pads that is possibly also a set of JTAG pads was found here. However, only TMS and TCK could be identified. Theoretically these pads could contain TDI and TDO pads that are located somewhere else on a JTAG chain. The TMS and TCK were traced to two pins of the HERCROM chip (the combined ARM & DSP chip for the GSM part), which suggests more parts are JTAG enabled on the board. The ground (GND) was connected to a piece of blank copper trace on the edge; all metal casings are also connected to the ground plane.
Using JTAG on the Wallaby
To actually use JTAG, an interface to a PC is necessary. For the more advanced JTAG purposes, special equipment is used to interface at high speeds to the JTAG pins. Specific hardware can also be used to talk proprietary commands to the devices connected on the JTAG chain. Luckily, much simpler interfaces are also possible. Most are based on the PC's parallel port and use a simple buffer IC for voltage level conversion (5V to 3.3V or 1.8V). The best known cables are those from Altera (the ByteBlaster) and the Xilinx cable (PDF). For our testing we used a ByteBlaster MV cable adapter. It is important to tie the nTRST line to the Vstandby voltage with a pull-up resistor for proper operation of JTAG on the StrongARM. A 100 or 220 ohm resistor should be fine.
Finally, to use the adapter to talk the JTAG protocol, software is needed. Quite a few free software packages are available, but the most mature is the jtag tool that is part of the openwince project. This tool also supports a wide range of cables among which the simple device that was described at the iPAQ page mentioned earlier.
The JTAG interface, the ByteBlaster cable and the jtag tool software together finally allow reading and writing of the Flash ROM. Unfortunately, reading is a bit simpler than writing. The first steps with the jtag software and the XDA are shown here:
When trying to flash the bootloader, an error occurs:
The 'sr = 0x00AA00AA' indicates a status message of: Low Programming voltage detected. Apparently the Wallaby needs the programming voltage explicitly set. This meant back to the drawing board (actually IDA Pro): In the code of the bootloader the setting and clearing of a bit related to flashing was discovered. When the XDA flashes it first sets bit 0x10000 in address 0xA6000000. After it is done it clears this bit again. The address 0xA6000000 is a virtual address; the real physical address is 0x40000000. We think that this is some kind of memory mapped I/O port, maybe an ASIC. To change this bit with the jtag software, we need a feature that currently is only available in the CVS version: poke.
Quickly testing this new find results in:
So we found the missing bit for successfully flashing the XDA! The poke command was not yet present in the jtag 0.4 release. Therefore I had to create a small patch. However, the latest version at this time is 0.5.1, which does have the poke command.
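The status word and the programming-voltage bit described above can be worked through in a few lines of C. This is an added example, not code from the jtag tool or the bootloader; it assumes Intel-command-set status bits, two 16-bit flash chips side by side on the 32-bit bus, and a constructed read-back value for the I/O port:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* From the page: bit 0x10000 of the port at physical 0x40000000. */
#define VPP_ENABLE_BIT 0x00010000u
/* Assumption: Intel-command-set status bits, one 16-bit chip per bus half. */
static const struct { uint8_t mask; const char *name; } sr_bits[] = {
    { 0x80, "ready" }, { 0x40, "erase suspended" }, { 0x20, "erase error" },
    { 0x10, "program error" }, { 0x08, "VPP low" },
    { 0x04, "program suspended" }, { 0x02, "block locked" },
};

/* Status byte of chip 0 (low half-word) or chip 1 (high half-word). */
uint8_t chip_status(uint32_t sr, int chip) {
    return (uint8_t)((sr >> (16 * chip)) & 0xFFu);
}
/* Non-zero when either chip reports a low programming voltage (bit 3). */
int vpp_low(uint32_t sr) {
    return ((chip_status(sr, 0) | chip_status(sr, 1)) & 0x08u) != 0;
}

/* Write the names of the set bits into out; returns how many are set. */
int describe(uint8_t status, char *out, size_t len) {
    int n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof sr_bits / sizeof sr_bits[0]; i++) {
        if (!(status & sr_bits[i].mask)) continue;
        if (n++) strncat(out, ", ", len - strlen(out) - 1);
        strncat(out, sr_bits[i].name, len - strlen(out) - 1);
    }
    return n;
}

/* Read-modify-write: change only the VPP bit, keep the port's other bits. */
uint32_t vpp_set(uint32_t reg, int on) {
    return on ? (reg | VPP_ENABLE_BIT) : (reg & ~VPP_ENABLE_BIT);
}

int main(void) {
    char buf[96];
    uint32_t sr = 0x00AA00AAu;   /* status word quoted on the page */
    uint32_t reg = 0x00000203u;  /* constructed read-back of the port */
    describe(chip_status(sr, 0) | chip_status(sr, 1), buf, sizeof buf);
    printf("sr 0x%08X: %s\n", (unsigned)sr, buf);
    if (vpp_low(sr))
        printf("value before flashing: 0x%08X, after flashing: 0x%08X\n",
               (unsigned)vpp_set(reg, 1), (unsigned)vpp_set(reg, 0));
    return 0;
}
```

Since the port at 0x40000000 is only suspected to be an ASIC register, writing back the value that was read with just this one bit changed avoids disturbing whatever the other bits control.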
There are quite a few resources for JTAG and related use. First off a few sites that offer background information on the JTAG protocol and its use:
- An introduction to JTAG:
- Texas Instruments on JTAG:
- Corelis on JTAG:
Cables for JTAG at a hobby level are all based on the parallel port of a PC. Mostly the adapter converts between voltage levels. The best known adapters are:
- Xilinx Parallel Cable III:
- Altera ByteBlaster:
- Keith Koep:
Software for JTAG comes in many forms. Most projects are quick and dirty or are hardly being developed. One is currently taking the lead with active development:
- The Openwince project at SourceForge with a special JTAG page:
Other projects in different stages: