Author Topic: Programming (non-JTAG) MAX7000 devices  (Read 10660 times)

0 Members and 1 Guest are viewing this topic.

Offline ale500

  • Frequent Contributor
  • **
  • Posts: 397
Re: Programming (non-JTAG) MAX7000 devices
« Reply #50 on: December 13, 2020, 06:47:03 am »
Thanks for the offer !

I think, "just" knowing how the programming, erase works, or where and how the 12 V are applied may just be enough. Shipping the chips and getting them back would be more expensive than buying a bunch of XC9572xl and making adapters for them. The versions in VQ64 actually work :). The info could help some other folks too. What do you think ?
 

Offline vvervvurm

  • Newbie
  • Posts: 3
  • Country: de
Re: Programming (non-JTAG) MAX7000 devices
« Reply #51 on: December 16, 2020, 10:16:27 pm »
Quote
I wonder if someone who knows for sure can confirm that - if the security bit of a "S" type device has been set, can the device be erased by means of JTAG only, or as @bingo beleves, do you need a "parallel" mode type programmer to clear the security bit and erase the device?

I have salvaged some EPM7064AE devices from old Cisco hardware. Although the security bit was not set - the JTAG was disabled. I could not access them with my USB Blaster. After reading this thread I mustered up the courage to apply 12.25 volts via 2.2k resistor to the OE1n pin (after the normal 3.3 volt VCC). Current draw on that pin was minute ( < 1mA ). Suddenly the JTAG worked and I was able to read and erase the device.

So I would give it a shot. It could also work on 7000S devices I would guess.

I hope this helps. :)
 

Offline ale500

  • Frequent Contributor
  • **
  • Posts: 397
Re: Programming (non-JTAG) MAX7000 devices
« Reply #52 on: December 17, 2020, 03:44:45 pm »
@vvervvurm:

Did you keep the 12.5 V during the JTAG transaction or not ?
 

Offline vvervvurm

  • Newbie
  • Posts: 3
  • Country: de
Re: Programming (non-JTAG) MAX7000 devices
« Reply #53 on: December 18, 2020, 11:33:41 am »
yes, VPP stayed on for the whole time ..
(of course after erasing it was not needed any longer as normal JTAG was enabled again)

I have only 2 samples .. so I was not brave enough to set the security flag and try to pull off the same trick again .. and as mentioned my parts are of the AE variety ..
 

Offline vvervvurm

  • Newbie
  • Posts: 3
  • Country: de
Re: Programming (non-JTAG) MAX7000 devices
« Reply #54 on: December 18, 2020, 12:30:15 pm »
@ale500
You might have already seen this topic (near the end of the thread) https://www.eevblog.com/forum/fpga/atmel-atf150x-cpld-and-wincupl/

So I think I was just lucky that my devices had no security bit set. Sorry for getting your hopes up.  :(

edit: The whole "100ms pulse" sounds very much like parallel programming mode as I can't think of a way for a timed pulse in JTAG protocol. (?)
« Last Edit: December 18, 2020, 12:33:03 pm by vvervvurm »
 

Offline Cyberbiotics

  • Newbie
  • Posts: 3
  • Country: es
Re: Programming (non-JTAG) MAX7000 devices
« Reply #55 on: February 24, 2021, 01:00:40 pm »
Hi All! New to the forums.

I purchased 20 EPM7128S MAX7000S devices and most of them didn't respond  to the JTAG commands, I tried the +12V in OE1 method (Pin 84 in PLCC-84) in all of them with no luck. I tried both 1k and 2k7 resistors without voltage drop. Has anyone been able to reset the JTAG fuse in MAX7000S devices this way??

Here you have some pictures of my devices, all of them were sanded with sandpaper and remarked, all of them same datecodes on top but different on the bottom of the IC. Maybe some of them werent MAX7000S devices but MAX7000 devices, which as someone stated before do not have the JTAG circuitry.

Keep an eye for those counterfeits! :palm:


« Last Edit: February 24, 2021, 01:05:32 pm by Cyberbiotics »
 

Offline marcopolo

  • Regular Contributor
  • *
  • Posts: 122
  • Country: fr
    • Retronik
Re: Programming (non-JTAG) MAX7000 devices
« Reply #56 on: February 24, 2021, 01:19:19 pm »
Ebay or Aliexpress?

Offline Cyberbiotics

  • Newbie
  • Posts: 3
  • Country: es
Re: Programming (non-JTAG) MAX7000 devices
« Reply #57 on: February 24, 2021, 01:28:54 pm »
Ebay, Polida. Bought new working ICs from him in the past but now they are selling these "fully functional" remarked ICs. I don't understand the reason why someone would erase good chip markings with sandpaper.

I found an interesting vids about detecting counterfeit ICs

https://youtu.be/12u_hBkHB88
https://youtu.be/k72SFBOZ_lw
 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4023
  • Country: gb
Re: Programming (non-JTAG) MAX7000 devices
« Reply #58 on: February 24, 2021, 05:16:25 pm »
Ebay, Polida. Bought new working ICs from him in the past but now they are selling these "fully functional" remarked ICs. I don't understand the reason why someone would erase good chip markings with sandpaper.

I found an interesting vids about detecting counterfeit ICs

https://youtu.be/12u_hBkHB88
https://youtu.be/k72SFBOZ_lw

Polida are bloody awful for fakes, remarked etc. Not only that they get *really* pissy when you leave them a negative pointing it out, I've been banned from buying from them and all their other ebay accounts.
 

Offline marcopolo

  • Regular Contributor
  • *
  • Posts: 122
  • Country: fr
    • Retronik
Re: Programming (non-JTAG) MAX7000 devices
« Reply #59 on: February 24, 2021, 05:30:56 pm »
Polida are bloody awful for fakes, remarked etc.
Like all Chinese sellers  (UTSource included) :(

The only thing to do is to never buy from them.

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4023
  • Country: gb
Re: Programming (non-JTAG) MAX7000 devices
« Reply #60 on: February 25, 2021, 10:20:07 am »
Polida are bloody awful for fakes, remarked etc.
Like all Chinese sellers  (UTSource included) :(

The only thing to do is to never buy from them.

Easy to say, damned difficult to do because the fake crap turns up everywhere, there's another thread here where I've a suspicion the OP has got a fake RF power transistor that he bought from a local store.

I've been bitten by genuinely UK based sellers who've sold fake parts too.

On balance I've had a more positive than negative experience but it's getting more difficult to avoid.
 

Offline ale500

  • Frequent Contributor
  • **
  • Posts: 397
Re: Programming (non-JTAG) MAX7000 devices
« Reply #61 on: February 27, 2021, 05:43:16 pm »
Are you sure your chips are sanded down ? try with nail polish remover (acetone or ethyl acetate). Mine do not seem to be repainted but the 12 V on OE1 didn't help.
Anecdote: I bought 8 27C400, I got 9 repainted TC5742000 (same size 256k x16). Sadly my MiniPro do not want to read them, read ID or anything... Most probably they are burnt somehow.
En otras palabras: nos cagaron :(
 

Offline ceteras

  • Contributor
  • Posts: 5
Re: Programming (non-JTAG) MAX7000 devices
« Reply #62 on: March 11, 2021, 12:55:53 pm »
Regarding 7000S series with JTAG pins used as IO:
https://www.intel.com/content/dam/www/programmable/us/en/pdfs/literature/an/an100.pdf
Page 7, Table 2: Disabling IEEE Std.1149.1 Circuitry in MAX Devices.

Here, in the rightmost column "Enabled for ISP and BST, Disabled During User Mode", we see for MAX 7000S :
Quote
Either:
• Pull the TMS signal high and the TCK signal low
or
• Pull the TMS signal high before pulling the TCK signal high

Am I wrong if I interpret this as a way to re-enable the JTAG if it was disabled by turning off the Enable JTAG BST Support
option in the Quartus II software?

I have one 44pin EPM7064S with disabled JTAG but can't test right now.
Anybody else can give this a try? The pull up should be 4.7K and the pull down 1K.
I'll try it later and come back.
 

Offline ale500

  • Frequent Contributor
  • **
  • Posts: 397
Re: Programming (non-JTAG) MAX7000 devices
« Reply #63 on: March 11, 2021, 02:41:47 pm »
Are you sure ? , it looks like that is the way to disable the port. Anyways, the devices I have seem to have the pins repurposed as IOs.
 

Offline Cyberbiotics

  • Newbie
  • Posts: 3
  • Country: es
Re: Programming (non-JTAG) MAX7000 devices
« Reply #64 on: March 11, 2021, 03:08:14 pm »
Yes, it seems that now Polida is selling fakes. They asked me to smash the ICs... I opened a case and was fully refunded.
Trying acetone in them removed a black oily substance that was masking the sandpaper imperfections. The device marking was very well done with laser engraving technique, but as could be expected, all devices had the same datecode. On the backside of the ICs older datecodes could be found
Are you sure your chips are sanded down ? try with nail polish remover (acetone or ethyl acetate). Mine do not seem to be repainted but the 12 V on OE1 didn't help.
Anecdote: I bought 8 27C400, I got 9 repainted TC5742000 (same size 256k x16). Sadly my MiniPro do not want to read them, read ID or anything... Most probably they are burnt somehow.
En otras palabras: nos cagaron :(

I also tried the 12V in OE method, but it didn't work in any case.
 

Offline ceteras

  • Contributor
  • Posts: 5
Re: Programming (non-JTAG) MAX7000 devices
« Reply #65 on: March 11, 2021, 06:54:14 pm »
I tried pulling the pins, didn't work.
 

Offline TomKeddie

  • Newbie
  • Posts: 1
  • Country: ca
Re: Programming (non-JTAG) MAX7000 devices
« Reply #66 on: March 25, 2021, 04:07:47 am »
@migry awesome efforts on the non-jtag devices, I have the same problem. Seems like I should just ewaste them and use a bunch of 22v10s instead but I wanted to check what you ended up doing.  Thanks Tom.
 

Offline migry

  • Contributor
  • Posts: 42
  • Country: gb
Re: Programming (non-JTAG) MAX7000 devices
« Reply #67 on: May 02, 2021, 09:58:27 pm »
I have put further work on a back burner for the time being, however I would very much like to spend some more time.

The more I think about it, the more I like the idea of modifying DosBox to output the programmer "commands" to a serial port (USB RS232) as long as I can figure out how to do this inside DosBox. The serial output would connect to the Arduino Mega, which would be able to parse the data stream in order to set the pins and power supplies as just like the programmer would. The timings wouldn't be perfectly accurate, but hopefully would be good enough to get a response from the device.

I will look into "erase" as this appears to be the action people need/want. I did buy 10 EPM7032 devices, so I can sacrifice one and program the lock bit. These particular devices are the later JTAG ones, and I have confirmed that I am able to program them using the cheap Chinese Altera USB Blaster clone.
 

Offline ale500

  • Frequent Contributor
  • **
  • Posts: 397
Re: Programming (non-JTAG) MAX7000 devices
« Reply #68 on: May 03, 2021, 01:46:20 pm »
Is your USBBlaster clone's VCC pin 5 V tolerant ? Mine is not: internally has a level converter (A LCX245) that only accepts up to 3.3V supply voltage, I powered with 3.3V.
 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2571
  • Country: 00
    • My random blog.
Re: Programming (non-JTAG) MAX7000 devices
« Reply #69 on: May 04, 2021, 12:03:12 am »
wouldnt that depend on the clone? those based on EZ-USB FX2LP CY7C68013A should be 5v tolerant
Who logs in to gdm? Not I, said the duck.
My fireplace is on fire, but in all the wrong places.
 

Offline ale500

  • Frequent Contributor
  • **
  • Posts: 397
Re: Programming (non-JTAG) MAX7000 devices
« Reply #70 on: May 04, 2021, 07:30:48 am »
My clone doesn't have a cypress chip, it has a FTDI, an Altera CPLD and the LCX245.
 

Offline Beta_vulgaris

  • Contributor
  • Posts: 30
  • Country: 00
Re: Programming (non-JTAG) MAX7000 devices
« Reply #71 on: September 20, 2021, 05:57:02 am »
So I have a log of the EPM7032 sequence which the ALL03 programmer applies to the device to confirm its ID, which of course it fails to do.

So I have wired up a perf board with a PLCC44 socket, where each pins comes to a row of 44 turned pin header for connection. I then found a 5V Arduino, a Nano, which has more or less the required number of pins.

Yesterday. I was able to code the data from the previously posted file into the Arduino sketch in order to generate the waveforms that would be applied by the ALL03 programmer. I then hooked all the programming pins (thanks once again to the site http://matthieu.benoit.free.fr/ ) to pins of the Arduino. Turns out that "analogue" pins named A0 to A5 can be used as digital, but not A6 and A7 - guess which pin I used for a critical signal! I was able to confirm that when the Vpp pin was taken over about 11V the chip went into test mode and previously clamped shift in data now had no contention and was the right level. I scoped the 2 suspected shift out pins: SDOUTA and SDOUTB, and they had identical waveforms which were defintely the EPM7032 responding to the stimulus.

Today. I wanted to properly capture the response. I didn't quite have enough pins, so I moved some stuff around. Mistake  :( . When I raised Vpp from 5V to 12V (which was OK yesterday) I was getting current clamping on my PSU, and a burning smell  :-DD . After some messing around the lights (of  the Arduino went out). Oops! Turns out the min hub (to which the Nano was plugged on) no longer was lit. When tested elsewhere the min hub appeared to light up, and the Nano too. The hub connected to the back of my Dell monitor. The EPM7032 was very hot, and clearly I had blown it up. I eventually figured out that you must ONLY connect Vpp when a number of other inputs are grounded, and appear to put the device into a state where Vpp does not destroy the chip, however I am not 100% sure which pins are the critical ones.

So I ripped out all the wires from the Nano to the EPM7032 board connector and started again. After the usual debugging and discovery of swapped wires, I got the same waveforms on SDOUTA and SDOUTB as yesterday. I used my Rigol scope logic analyser to capture the waveforms (attached).

I also confrmed which pins become outputs and which inputs when Vpp puts the EPM7032 into "programming" mode.

NTPW - input
MTIN - input
SCK - input
SDINA - input
BE - input
BEM - input
SS - input
SBI - input
TM - input
A0 to A6 - input
SDINB - input
SK - input

Vpp - needs around 12V to put the device into test mode (but ONLY do this if the other pins have been set!)

SDOUTA - output
SDOUTB - output
SCOA - output
SCOB - output

--migry
EPM7032/EPM7064 in PLCC44 package have different non-ISP programming pinout?
References: http://matthieu.benoit.free.fr/120.htm
« Last Edit: September 20, 2021, 06:04:30 am by Beta_vulgaris »
Electronics, Geospatial, Aerospace
Programmable Logic Devices (PLD) Programming Algorithm Preservation
 

Offline c64

  • Regular Contributor
  • *
  • Posts: 180
  • Country: au
Re: Programming (non-JTAG) MAX7000 devices
« Reply #72 on: October 21, 2021, 04:08:44 am »
So, you found a dos software which talks to a programmer via LPT port. You are running it in dosbox and managed to intercept all requests it sends to LPT port. Is it correct? Now you need to send all data to the real MAX700 via com port.

You could run it in virtual box which supports dos and can have virtual com port. Not sure it your LPT port hacking will work under virtual box
 

Offline edevaldo

  • Newbie
  • Posts: 2
  • Country: us
Re: Programming (non-JTAG) MAX7000 devices
« Reply #73 on: October 21, 2021, 03:22:51 pm »
Quote
I wonder if someone who knows for sure can confirm that - if the security bit of a "S" type device has been set, can the device be erased by means of JTAG only, or as @bingo beleves, do you need a "parallel" mode type programmer to clear the security bit and erase the device?

Yes it can. The security bit does not prevent erasing. But there is a programming option to disable JTAG and make the pins available for IO. Used devices, particularly in lower pin count packages, are usually programmed to disable JTAG. When this happens you need parallel (not the port) programmer like the hilo to put the device back in a erased state and make t he JTAG pins available.

You are getting really close to it. Just fantastic.
 

Offline edevaldo

  • Newbie
  • Posts: 2
  • Country: us
Re: Programming (non-JTAG) MAX7000 devices
« Reply #74 on: October 21, 2021, 03:32:13 pm »
My point was that adding the extra circuitry to convert the non-JTAG device to the new JTAG equivalent would add many more extra flops, as compared to the 32 which form the basis of the device as "seen" by the end user.
 
To implement JTAG you need at least 4 flops for the state machine, one for the re-timing of TDO, at least 4 for the instruction register, 32 flops if you implement the Device ID register, plus any addition flops to tie into the old programming circuitry.

From my experiments on the non-JTAG EPM7032 there are at least two shift registers each 10 bits long (so this requires 20 flops). So even in the non-JTAG design there are more "hidden" flops needed for programming, than the 32 which are used by the end user.

[Edit: I originally said 16 user flops and not 32!]

A macrocell is a really complex piece of circuit. And you need high voltage circuitry to program each eeprom bit in the device and there may be hundreds or even a few thousand of them. Once read they may ned need to be latched somehow... For the different product terms you can select 16 or more inputs, then there is the expansion terms, optional routing, IO configuration, polarities, select clock and reset sources for the flops...

The additional circuit for JTAG is nothing by comparison. CPLDs may be even worse than FPGAs, and they need thousands of transistors to implement each logic element.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf