Author Topic: Work with a poorly documented chinese processor + several questions  (Read 1852 times)

soFPG (topic starter)
First and foremost I want to say that I am doing this as a hobby, so fun and learning by doing is the main goal of this project. I don't care if it seems possible or not, at least I want to try it.

But what is the project? I basically want to step out of the microcontroller world and work with a "real" processor, external RAM, external Flash etc. I know there are several microcontrollers from Atmel / STM which have broken out address and data bus...but I want to go a different way!
A different way means to work with a cheap 16-year-old GSM baseband processor from Mediatek: the MT6205B. It features a 26MHz 32-bit ARM7TDMI CPU.

What I have at the moment is 176 pages of datasheet and a reference schematic for a "simple" GSM phone. But I don't really care about GSM or network stuff, my first goal is to get the processor working together with RAM/Flash and display (16-bit 8080 interface).

Unfortunately the two documents I have are marked as "confidential" so I am not sure if I am allowed to share them here - but I do it anyways: https://www.yumpu.com/en/document/view/39819735/mt6205b-gsm-baseband-processor-data-sheet-data-sheet-gadget (if this is not allowed here I can remove this link of course)

The most important part for me at the moment is to understand the boot-up sequence of the processor and how to get my C-program from my PC over an interface (don't know which interface is used at the end) to the CPU and into the external Flash.
What I know at the moment is that the MT6205B has internal SRAM and internal Boot ROM which are used for "factory programming" and the Boot ROM is not writeable (I assume). The Boot-Mode is configured by a GPIO called "BOOT" depending on whether it is tied to GND or VCC. There are these two boot modes:
  • Running code from Boot Code for factory programming
(I don't really know what "Boot Code" means here?)
  • Running code from external flash for normal operation

Quote
The Boot Code is placed with Memory Re-Mapping Mechanism in External Memory Controller and includes just two words of instruction: There is a jump instruction that leads the processor to run the code started at address 0x48000000 where the System ROM is placed
I don't understand where this "Boot Code" is coming from? It sounds to me that Boot Code is not equal to System ROM - but where is it stored?

Quote
Usually the Factory Programming Host connects with MT6205B by UART1 interface. To have it work properly the system should boot up from Boot Code, that is the pin BOOT tied to GND. The download speed can be up to 230K bps.
After system being reset, the Boot Code will guide the processor to run the Factory Programming software placed in System ROM. Then, the MT6205B will start and continue to poll the UART1 port until valid information is detected. The first information received on the UART1 will be used to configure the chip for factory programming. The flash downloader program is then transferred into System RAM or external SRAM
Again, I don't quite understand what is Boot Code and what is System ROM. Boot Code are these two instructions described above (LDR + jump to 0x48.....) and System ROM contains UART1 initialization? And the stuff which is received by UART1 is then transferred to System RAM - so it makes sense that the program which is transferred over UART1 contains initialization code for external Flash and then can be used as a "bootloader" to actually program the flash?
Unfortunately that's basically all information for the boot up sequence and no further hints about what is "valid information". No further information about the baud rate (maybe 230.000?).

The MT6205B has JTAG-pins - I don't know if they can be used to program the flash via a JLink for example? I've never done anything with JTAG so I don't know if it is enough for the JTAG interface to know that there is an "ARM7TDMI"-based processor connected or if I actually need some kind of config file for the specific processor?

What I hope for at the moment is to find some people here who have experience with boot up sequences of processors and / or JTAG flash programming and maybe can give me some hints here or there.

« Last Edit: November 02, 2019, 07:55:52 pm by soFPG »
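On the "two words" of Boot Code quoted in the post above, an added example (not from the post or the datasheet): on ARM7TDMI a far jump is commonly one `LDR pc, [pc, #-4]` instruction followed by a literal word holding the target, so the second word is data rather than a second instruction. That the MT6205B Boot Code uses exactly this pair is an assumption; `resolve_ldr_pc` and the sample images are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed image of the remapped reset vector at address 0:
 * "LDR pc, [pc, #-4]" followed by its literal. Assumed, not read from a chip. */
static const uint32_t boot_code[2] = { 0xE51FF004u, 0x48000000u };

/* Resolve an ARM-state "LDR pc, [pc, #+/-imm12]" at byte address `addr` in
 * `img` (image starts at `base`, holds `words` 32-bit words).
 * Returns 0 and stores the jump target in *target, or -1 if the word is not
 * that instruction or the literal lies outside the image. */
int resolve_ldr_pc(const uint32_t *img, uint32_t base, uint32_t words,
                   uint32_t addr, uint32_t *target)
{
    if (addr < base || (addr & 3u) || (addr - base) / 4u >= words)
        return -1;
    uint32_t insn = img[(addr - base) / 4u];
    /* cond=AL, single data transfer, immediate offset, pre-indexed, word,
     * no write-back, load, Rn=PC, Rd=PC; bit 23 (U, add/subtract) is free. */
    if ((insn & 0xFF7FF000u) != 0xE51FF000u)
        return -1;
    uint32_t imm = insn & 0xFFFu;
    uint32_t pc = addr + 8u;   /* ARM state: PC reads as instruction + 8 */
    uint32_t lit = (insn & (1u << 23)) ? pc + imm : pc - imm;
    if (lit < base || (lit & 3u) || (lit - base) / 4u >= words)
        return -1;
    *target = img[(lit - base) / 4u];
    return 0;
}

int main(void)
{
    uint32_t target = 0;
    if (resolve_ldr_pc(boot_code, 0u, 2u, 0u, &target) == 0)
        printf("reset vector jumps to 0x%08lX\n", (unsigned long)target);
    else
        printf("reset vector is not an LDR pc literal load\n");
    return 0;
}
```

The same function can be pointed at the first word of a dumped flash or ROM image to see where its reset vector leads.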
 

GeorgeOfTheJungle
« Reply #1 on: November 02, 2019, 08:49:53 pm »
Everything you are saying sounds almost exactly like this: https://github.com/espressif/esptool/wiki
The further a society drifts from truth, the more it will hate those who speak it.
 

soFPG (topic starter)
« Reply #2 on: November 02, 2019, 09:52:20 pm »
Doesn't sound too complicated to write a piece of software which pushes data over UART but then I found this:

https://github.com/espressif/esptool/wiki/Firmware-Image-Format

So in case the MT6205B expects any specific image format (besides just raw asm instructions) I am pretty much fckd - right?

Edit: There is actually some information regarding an image header used by Mediatek for the bootloader: https://github.com/u-boot/u-boot/blob/master/doc/README.mediatek But I don't know if this one is also applicable for the MT6205 (maybe they use the same across all their chips?)

Edit_2: Found something again (maybe bootloader code for MT6205): https://github.com/mtek-hack-hack/mtktest/tree/master/%20mtktest%20--username%20qq413187589/N65/N65_V1/bootloader/src

Edit_3: More information on bootloader: https://wenku.baidu.com/view/eef683a1b0717fd5360cdc0c // https://wenku.baidu.com/view/35306fc5aa00b52acec7ca07.html
« Last Edit: November 02, 2019, 10:14:28 pm by soFPG »
 

soFPG (topic starter)
« Reply #3 on: November 03, 2019, 09:55:29 am »
What I am also wondering about right now is this schematic:

http://read.pudn.com/downloads183/ebook/858385/MT6205.pdf

As you can see on page 1 the "VD33" pins are connected to "VDD". "VDD" is connected, as shown on page 3, to "Vio" of the MT6305 IC (which generates all the voltage levels to fit the MT6205).

But as you can see in the datasheet of the MT6305 at page 9: https://datasheetspdf.com/pdf-file/746585/MediaTek/MT6305B/1 "Vio" is only max. "2.9V". I would have expected to have 3.3V on a pin called "VD33" and also 2.9V is a rather strange voltage for I/O-pins, isn't it?
Can anyone lift this curtain for me?
 

GeorgeOfTheJungle
« Reply #4 on: November 03, 2019, 12:03:51 pm »
See page 20-21 of the MT6205B .pdf, it says VDD33 typical 2.8V.

 
The following users thanked this post: soFPG

soFPG (topic starter)
« Reply #5 on: November 03, 2019, 05:47:56 pm »
Thanks for your reply,

VDD is 2.8V so I guess that it is used for GPIOs and UARTs. I am wondering whether UART1 is 3.3V compatible or not. Because if not, I can't use my USB-to-UART converter or any other USB/UART converter chip (like the CH340G) :(
Why are they even doing 2.8V
« Last Edit: November 03, 2019, 05:50:55 pm by soFPG »
 

GeorgeOfTheJungle
« Reply #6 on: November 03, 2019, 06:27:25 pm »
Quote
Thanks for your reply,

VDD is 2.8V so I guess that it is used for GPIOs and UARTs. I am wondering whether UART1 is 3.3V compatible or not. Because if not, I can't use my USB-to-UART converter or any other USB/UART converter chip (like the CH340G) :(
Why are they even doing 2.8V

Yes yes, you can use it, just put a 1kΩ resistor in the TXD output of the usb-serial chip, the voltage difference is only 0.5 volts. And RXD will have no problems in recognizing 2.8V as a one.
 
The following users thanked this post: soFPG

RoGeorge
« Reply #7 on: November 03, 2019, 06:31:23 pm »
Wikipedia says that is an ARM7 processor.  AFAIK ARM7 use to have JTAG interface, and indeed your MT6502 has it, too, on pins C2, C3, A1, C1, D3 - JTRST, JTCK, JTDI, JTMS, JTDO in the posted schematic.  You should use JTAG to load and test your bootloader.

You'll need a toolchain that supports ARM7, preferably should support your exact processor model, and a JTAG programmer compatible with that toolchain.

Anyway, even if you would have complete documentation, it will still be a considerable time and effort spent to write a bootloader together with the other BSP (Board Support Package) files and firmware required to control that GSM board.

If you have the time and the will to spend it on reverse engineering, better look into some very widespread old mobile phone, like a Nokia 3310 or 5110, so once you manage to take control of it, you would have virtually infinite free hardware to play with, or to re-purpose it for future projects.

The question is, why that old GSM board/processor?
« Last Edit: November 03, 2019, 06:43:54 pm by RoGeorge »
 

soFPG (topic starter)
« Reply #8 on: November 03, 2019, 08:15:48 pm »
Quote
Yes yes, you can use it, just put a 1kΩ resistor in the TXD output of the usb-serial chip, the voltage difference is only 0.5 volts. And RXD will have no problems in recognizing 2.8V as a one.

Nice  :D :)

Edit: I almost forgot: I either have 5V or 2.8V on this board and I don't really want to add another voltage regulator just for the CH340G USB-to-UART bridge..do you think the CH340G will work with 2.8V too?

Quote
You should use JTAG to load and test your bootloader.
The question is if I am able to do it just with a JTAG programmer (like J-Link EDU) and IDE (like Embedded Studio from Segger) alone or if I need some kind of JTAG config file for this specific MT6205B? I don't know - I have never worked with JTAG.

Quote
You'll need a toolchain that supports ARM7, preferably should support your exact processor model, and a JTAG programmer compatible with that toolchain.
The J-Link EDU supports every ARM-architecture: https://www.segger.com/products/debug-probes/j-link/technology/cpus-and-devices/overview-of-supported-cpus-and-devices/
It also supports infinite flash breakpoints but I am not sure if directly programming into external flash is supported for the EDU version or for this MT6205B at all.

Their IDE "Embedded Studio" is free for non-commercial purposes.

Quote
The question is, why that old GSM board/processor?
It is nothing too complicated:
  • simple external memory interface (for SRAM, Flash, parallel Display)
  • doable BGA pin pitch for hobbyist (0.8mm)
  • low pin-count (181)
  • cheap (1.50$)

I won't do any GSM / SIM stuff, not really interested in it. I also heard that it is almost impossible to get it working.

My plan is to work with some more high speed processors after that. I hope I can adapt some of the knowledge I gain with this project.
« Last Edit: November 03, 2019, 08:25:19 pm by soFPG »
 

RoGeorge
« Reply #9 on: November 03, 2019, 08:29:58 pm »
These pages explain what is JTAG, how and why it came into existence, in general.
https://www.fpga4fun.com/JTAG.html

I don't know if those particular JTAG models you mentioned will work with your processor or not, most probably yes, but you should ask the producer of the JTAG programmer, just to be sure.
 
The following users thanked this post: soFPG

amyk
« Reply #10 on: November 03, 2019, 10:34:04 pm »
Article about "opening" a slightly newer MTK processor, might be of help: https://www.bunniestudios.com/blog/?p=4297
 

soFPG (topic starter)
« Reply #11 on: November 05, 2019, 07:33:26 pm »
Quote
Article about "opening" a slightly newer MTK processor, might be of help
Thanks for your reply. I read the blog post two times and watched his talk at the conference but I wasn't able to pull much information out for me. Not much in-depth detail in my opinion. Also wasn't able to find his GitHub...

So meanwhile what I found out is that the CH340G actually supports 2.8V as a minimum supply voltage (see attached picture).
I am still looking for a cheap SRAM with capacity >= 512kByte...
 

coppice
« Reply #12 on: November 05, 2019, 07:50:53 pm »
Quote
If you have the time and the will to spend it on reverse engineering, better look into some very widespread old mobile phone, like a Nokia 3310 or 5110, so once you manage to take control of it, you would have virtually infinite free hardware to play with, or to re-purpose it for future projects.

The question is, why that old GSM board/processor?
There are enormous numbers of old phones based on the Mediatek chip sets. They are no better or worse documented than the TI chip sets in old Nokia phones. Both makers produced good documentation, but the documentation was only made available to verified customers. Some of the Mediatek documentation might only be in Chinese (probably both simplified and traditional, with Mediatek being a Taiwanese company, but most of their customers being in China). You might be able to get hold of stray copies for either chip set, but it's pot luck.
 

soFPG (topic starter)
« Reply #13 on: November 07, 2019, 10:46:23 pm »
So this chip has a shared memory bus for SRAM and Flash. Besides address- and data lines there are also #UB and #LB pins which select either the upper or lower byte of the 16 bits of data.

I was able to find SRAM modules which also have these #UB and #LB pins but unfortunately I wasn't successful with flash modules (which makes sense - why would you want to split a cpu instruction?).

Anyone here who knows if I can just ignore #UB & #LB pins for the flash module?

A possible solution of course would be to use two 8-bit modules and then somehow combine #CS and #UB / #LB.
 

soFPG (topic starter)
« Reply #14 on: November 08, 2019, 10:06:10 pm »
Found this tool which claims to be able to flash MT6205B CPU: http://mobisoft.com.ua/files/3113_china-tools-v1.03.html (this site in general is pure gold)

Edit: Also a firmware for the MT6205B: http://mobisoft.com.ua/files/773_full-sky-mix-301-300-6205.html , but don't know what I can do with it

Edit_2: The schematic from a Chinese phone with an MT6205B uses combined flash + sram IC AM41DL6408G: http://www.chipfind.ru/datasheet/amd/am41dl6408g.htm and according to the block diagram on page 5, #UB & #LB are only used for the SRAM, not for the flash! So that basically means that I can use any 16-bit flash and don't have to worry about #UB / #LB.
« Last Edit: November 09, 2019, 11:00:25 am by soFPG »
 

