Author Topic: Agilent 34461A corrupted flash  (Read 23012 times)

0 Members and 1 Guest are viewing this topic.

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #125 on: July 31, 2023, 12:56:14 am »
there is variable in uboot
Code: [Select]
erase_env=nand erase 0xC0000 0x40000i dont know where it is used but shows the env partition must be 256KiB
 

Online ElectronMan

  • Regular Contributor
  • *
  • Posts: 111
  • Country: us
Re: Agilent 34461A corrupted flash
« Reply #126 on: July 31, 2023, 12:56:35 am »
I am pretty sure it is not the nand having a physical problem.

the pboot is doing a wrong calculation for some reason
maybe it is not identifying the correct chip ID

That's a distinct possibility. I read through the datasheet, and it indicates that bad block information is stored on the first page OOB in bytes 0x800-0x801, 0x810-0x811, 0x820-0x821, and 0x830-0x831.

Those all appear to be good (they should be 0xFF).

Was the PBOOT reflashed at some point, possibly with the wrong one for your flash chip?
 

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #127 on: July 31, 2023, 01:06:52 am »
I am pretty sure it is not the nand having a physical problem.

the pboot is doing a wrong calculation for some reason
maybe it is not identifying the correct chip ID

That's a distinct possibility. I read through the datasheet, and it indicates that bad block information is stored on the first page OOB in bytes 0x800-0x801, 0x810-0x811, 0x820-0x821, and 0x830-0x831.

Those all appear to be good (they should be 0xFF).

Was the PBOOT reflashed at some point, possibly with the wrong one for your flash chip?

no this meter had not been opened until few days ago
also I dumped the pboot from nand and compared the bin file with my good meter and they are identical.
 

Online ElectronMan

  • Regular Contributor
  • *
  • Posts: 111
  • Country: us
Re: Agilent 34461A corrupted flash
« Reply #128 on: July 31, 2023, 01:21:56 am »
I am pretty sure it is not the nand having a physical problem.

the pboot is doing a wrong calculation for some reason
maybe it is not identifying the correct chip ID

That's a distinct possibility. I read through the datasheet, and it indicates that bad block information is stored on the first page OOB in bytes 0x800-0x801, 0x810-0x811, 0x820-0x821, and 0x830-0x831.

Those all appear to be good (they should be 0xFF).

Was the PBOOT reflashed at some point, possibly with the wrong one for your flash chip?

no this meter had not been opened until few days ago
also I dumped the pboot from nand and compared the bin file with my good meter and they are identical.

It is starting to get weird now. The flash pages in question look fine. The PBOOT image looks correct. It could be that the chip is not responding properly to parameters and giving the correct ID, but I would expect that to cause problems with UBOOT as well.

You could verify that via JTAG by querying the flash chip for parameters. A memory dump might help too.

It might still be worth doing an erase on that once-empty block at e0000 and reprogram it to see if anything changes. But other than that, I am out of ideas at the moment.
 

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #129 on: July 31, 2023, 01:33:44 am »



It is starting to get weird now. The flash pages in question look fine. The PBOOT image looks correct. It could be that the chip is not responding properly to parameters and giving the correct ID, but I would expect that to cause problems with UBOOT as well.

You could verify that via JTAG by querying the flash chip for parameters. A memory dump might help too.

It might still be worth doing an erase on that once-empty block at e0000 and reprogram it to see if anything changes. But other than that, I am out of ideas at the moment.

i dont know the JTAG pins on the board. Do you?

I will do the erase and re-write but I am pretty sure it will work. maybe the issue is not pboot but it is the uboot
I mean if I understand correctly, uboot reads pboot from 0x320000 into memory but it is a packed (gzipped) binary
so when the bootm command runs, I suppose it must unpack pboot in order for it to execute and maybe that's where the problem starts

 

Online ElectronMan

  • Regular Contributor
  • *
  • Posts: 111
  • Country: us
Re: Agilent 34461A corrupted flash
« Reply #130 on: July 31, 2023, 02:25:02 am »



It is starting to get weird now. The flash pages in question look fine. The PBOOT image looks correct. It could be that the chip is not responding properly to parameters and giving the correct ID, but I would expect that to cause problems with UBOOT as well.

You could verify that via JTAG by querying the flash chip for parameters. A memory dump might help too.

It might still be worth doing an erase on that once-empty block at e0000 and reprogram it to see if anything changes. But other than that, I am out of ideas at the moment.

i dont know the JTAG pins on the board. Do you?

I will do the erase and re-write but I am pretty sure it will work. maybe the issue is not pboot but it is the uboot
I mean if I understand correctly, uboot reads pboot from 0x320000 into memory but it is a packed (gzipped) binary
so when the bootm command runs, I suppose it must unpack pboot in order for it to execute and maybe that's where the problem starts
Here is the pinout on the connector labeled J102.
Code: [Select]
         0        0 GND
   3.3V  0        0 GND
   TMS   0        0 GND
   TCK   0        0 GND
   TDO   0        0 3.3V
   TDI   0        0 TRST
   3.3V  0        0 GND
 

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #131 on: July 31, 2023, 02:32:41 am »


Here is the pinout on the connector labeled J102.
Code: [Select]
         0        0 GND
   3.3V  0        0 GND
   TMS   0        0 GND
   TCK   0        0 GND
   TDO   0        0 3.3V
   TDI   0        0 TRST
   3.3V  0        0 GND

Great! Thanks. I only have a Segger J-Link. Not sure if it is compatible with Spear320. I doubt that but I will certainly check

How could a memory dump help?
 

Online ElectronMan

  • Regular Contributor
  • *
  • Posts: 111
  • Country: us
Re: Agilent 34461A corrupted flash
« Reply #132 on: July 31, 2023, 02:40:10 am »


Here is the pinout on the connector labeled J102.
Code: [Select]
         0        0 GND
   3.3V  0        0 GND
   TMS   0        0 GND
   TCK   0        0 GND
   TDO   0        0 3.3V
   TDI   0        0 TRST
   3.3V  0        0 GND

Great! Thanks. I only have a Segger J-Link. Not sure if it is compatible with Spear320. I doubt that but I will certainly check

How could a memory dump help?

I've been using a J-LINK pro with J-Link commander for some things (debugging and breakpointing) and OpenOCD via the j-link on a Linux box for things like dumping full NAND images.

Really the memory dump around the time of failure may just reveal some things about what the software was "thinking" at the time. Parameters it has loaded for the flash device, etc. I could compare it to my memory state. It's a long shot without me being able to actually breakpoint it and follow it myself.
 

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3787
  • Country: ca
  • Living the Dream
Re: Agilent 34461A corrupted flash
« Reply #133 on: July 31, 2023, 06:05:19 am »
I need to read the entire thread in detail, but I'd certainly say it's JTAG time.
VE7FM
 
The following users thanked this post: analogRF

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #134 on: July 31, 2023, 10:40:05 am »
I need to read the entire thread in detail, but I'd certainly say it's JTAG time.

please do. your input is always highly appreciated.
 

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #135 on: July 31, 2023, 12:37:13 pm »
I did the erase and re-write at the empty block at 0xe0000 as was suggested everything is exactly the same including the oob data
looks identical to what i have at 0xc0000 which is what i saw also on my good meter

i really dont think it's the NAND chip physical problem. it is still a software issue

can it have something to do with those "preboot" commands/variables in the uboot?
 

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #136 on: July 31, 2023, 12:42:14 pm »
I also have a crazy idea which may not completely solve the problem but at least might let the meter boot on its own

what if I write the extracted nk.nb0 file in the nand (need to decide in what location) and then using those preboot commands
I load it into memory and change the bootcmd to just start the WInce and therefore bypass the damn pboot altogether
the same way that I boot it now using CEloader or YMODEM.

obviously FW update will not be possible but other than that it seems it should be a solution? no?
 

Online ElectronMan

  • Regular Contributor
  • *
  • Posts: 111
  • Country: us
Re: Agilent 34461A corrupted flash
« Reply #137 on: July 31, 2023, 03:58:17 pm »
I also have a crazy idea which may not completely solve the problem but at least might let the meter boot on its own

what if I write the extracted nk.nb0 file in the nand (need to decide in what location) and then using those preboot commands
I load it into memory and change the bootcmd to just start the WInce and therefore bypass the damn pboot altogether
the same way that I boot it now using CEloader or YMODEM.

obviously FW update will not be possible but other than that it seems it should be a solution? no?

Could work in theory. Might also be worth a try to modify the default settings in that PBOOT to the correct ones, so it proceeds anyway.

You could write it to a different location in flash, and load it from there via uboot, so you don't have to overwrite the current one.

It is a lot smaller, and probably safer to try than decompressing the entire image.
 

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #138 on: July 31, 2023, 04:54:17 pm »
I also have a crazy idea which may not completely solve the problem but at least might let the meter boot on its own

what if I write the extracted nk.nb0 file in the nand (need to decide in what location) and then using those preboot commands
I load it into memory and change the bootcmd to just start the WInce and therefore bypass the damn pboot altogether
the same way that I boot it now using CEloader or YMODEM.

obviously FW update will not be possible but other than that it seems it should be a solution? no?

Could work in theory. Might also be worth a try to modify the default settings in that PBOOT to the correct ones, so it proceeds anyway.

You could write it to a different location in flash, and load it from there via uboot, so you don't have to overwrite the current one.

It is a lot smaller, and probably safer to try than decompressing the entire image.

I thought about that first but the problem is I dont know where it gets those default values from to change them
and also the first option that it follows automatically if user does not interfere is loading from 0x84000000 which leads to boot fail.
I dont know where it gets that address from and what is supposed to be loaded in there (nk.bin??) and when was it supposed to be loaded there

that;s when I thought I can just write  the uncompressed nk.bin in NAND and load it to memory before the pboot...
 

Online ElectronMan

  • Regular Contributor
  • *
  • Posts: 111
  • Country: us
Re: Agilent 34461A corrupted flash
« Reply #139 on: July 31, 2023, 05:01:56 pm »
I also have a crazy idea which may not completely solve the problem but at least might let the meter boot on its own

what if I write the extracted nk.nb0 file in the nand (need to decide in what location) and then using those preboot commands
I load it into memory and change the bootcmd to just start the WInce and therefore bypass the damn pboot altogether
the same way that I boot it now using CEloader or YMODEM.

obviously FW update will not be possible but other than that it seems it should be a solution? no?

Could work in theory. Might also be worth a try to modify the default settings in that PBOOT to the correct ones, so it proceeds anyway.

You could write it to a different location in flash, and load it from there via uboot, so you don't have to overwrite the current one.

It is a lot smaller, and probably safer to try than decompressing the entire image.

I thought about that first but the problem is I dont know where it gets those default values from to change them
and also the first option that it follows automatically if user does not interfere is loading from 0x84000000 which leads to boot fail.
I dont know where it gets that address from and what is supposed to be loaded in there (nk.bin??) and when was it supposed to be loaded there

that;s when I thought I can just write  the uncompressed nk.bin in NAND and load it to memory before the pboot...

It gets the 0xd0400000 and 0xd1700000 and 0x84000000 addresses from defaults it loads in the binary.

I PMed you a copy of the xloader you can try, where I changed the defaults to the correct ones.

This is normally in flash @0x320000 but I would recommend writing it somewhere empty and then:
nand read 0x600000 <New Address> 0x10000;bootm 0x600000

to boot and test it.
 
The following users thanked this post: analogRF

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #140 on: July 31, 2023, 05:06:55 pm »

It gets the 0xd0400000 and 0xd1700000 and 0x84000000 addresses from defaults it loads in the binary.

I PMed you a copy of the xloader you can try, where I changed the defaults to the correct ones.

This is normally in flash @0x320000 but I would recommend writing it somewhere empty and then:
nand read 0x600000 <New Address> 0x10000;bootm 0x600000

to boot and test it.
Thanks  :-+

looks very promising. I'll try that.  I will write it somewhere maybe after the current one in the nand

or I can write it at that 0xe0000 no? it's empty
 

Online ElectronMan

  • Regular Contributor
  • *
  • Posts: 111
  • Country: us
Re: Agilent 34461A corrupted flash
« Reply #141 on: July 31, 2023, 05:13:06 pm »

It gets the 0xd0400000 and 0xd1700000 and 0x84000000 addresses from defaults it loads in the binary.

I PMed you a copy of the xloader you can try, where I changed the defaults to the correct ones.

This is normally in flash @0x320000 but I would recommend writing it somewhere empty and then:
nand read 0x600000 <New Address> 0x10000;bootm 0x600000

to boot and test it.
Thanks  :-+

looks very promising. I'll try that.  I will write it somewhere maybe after the current one in the nand

or I can write it at that 0xe0000 no? it's empty

Yes, that should work.
 

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #142 on: July 31, 2023, 07:15:48 pm »
I uploaded the modified pboot into NAND at 0xe0000 (after erasing and made sure it is all 0xFF before writing)
and then loaded from there into memory at 0x600000 and issued bootm 0x600000
pboot ran exactly the same way it used to and stopped after all those error messages
when I press space bar to enter the bootloader menu, Now I get the correct addresses 0xd0620000 and 0xd2120000
for image locations however when I choose any of them, the unit simply says "loading image 1 from memory at 0xd0620000" and stops there and hangs

I know there is a Nk.bin (compressed exactly as it is in the firmware package) at d0620000 and d2120000
and it is the same on my good meter.

it seems pboot cannot read the nand or it cannot decompress the XPRS Nk.bin so it hangs in there
« Last Edit: July 31, 2023, 07:47:23 pm by analogRF »
 

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #143 on: July 31, 2023, 07:39:26 pm »
it seems the only way is to bypass the pboot by writing the extracted nk.nb0 directly and using the "go" command

but I will give that JTAG a try and see if you guys can decipher anything from memory content
 

Online ElectronMan

  • Regular Contributor
  • *
  • Posts: 111
  • Country: us
Re: Agilent 34461A corrupted flash
« Reply #144 on: July 31, 2023, 08:52:29 pm »
I uploaded the modified pboot into NAND at 0xe0000 (after erasing and made sure it is all 0xFF before writing)
and then loaded from there into memory at 0x600000 and issued bootm 0x600000
pboot ran exactly the same way it used to and stopped after all those error messages
when I press space bar to enter the bootloader menu, Now I get the correct addresses 0xd0620000 and 0xd2120000
for image locations however when I choose any of them, the unit simply says "loading image 1 from memory at 0xd0620000" and stops there and hangs

I know there is a Nk.bin (compressed exactly as it is in the firmware package) at d0620000 and d2120000
and it is the same on my good meter.

So, this uses the same exact function to verify block status when loading the nkbin as it uses when trying to read the uboot configuration.

It may be failing that part too. It is also possible I missed something.

Either way, we can rule out a bad copy of the xloader as the cause, if you are still seeing the same block defects showing up. Theoretically I could nix the part of that binary that does the bad block check, but that's not a good idea long-term.

If you manage to get connected via JTAG, we can query the flash chip to make sure it is outputting the correct parameters. The flash chips in these devices are not natively supported by the PBOOT, they are supported by OFNI-standard parameters read from the chip. If something is bad there, it could cause what we're seeing.
 

Online ElectronMan

  • Regular Contributor
  • *
  • Posts: 111
  • Country: us
Re: Agilent 34461A corrupted flash
« Reply #145 on: July 31, 2023, 09:24:52 pm »
If you get JTAG going, here is what you'll need uisng JTAG Commander (the segger tools, if using openocd, replace w1 with mwb and replace mem with mdb in the commands).

First "halt" the CPU while in the uboot prompt.


The first command should output 5 bytes identifying the chip manufacturer and a few parameters (the PBOOT checks this to see if it is natively supported).

Code: [Select]
Read ID:
w1 0xBAB10000 0x90
w1 0xBAB20000 0x0
mem 0xBAB00000 5

Next, PBOOT checks for the ONFI "magic" like this:
Code: [Select]
Read ONFI:
w1 0xBAB10000 0x90
w1 0xBAB20000 0x20
mem 0xBAB00000 4

This should return the letters "ONFI"

Finally, this next is the most likely place there could be an issue. It is the page PBOOT uses to configure itself. It tells it what kind of ECC is in use, as well as lots of other things that could break the boot process if it is wrong. For this reason, the manufacturer includes a checksum in this info, AND alternate copies of parameters later. PBOOT appears to ignore these things.

Code: [Select]
Read Parameter Page:
w1 0xBAB10000 0xEC
w1 0xBAB20000 0x0
mem 0xBAB00000 512

This will grab the complete parameters, with CRC and at least 1 redundant copy.

Make sure you don't resume the CPU after this. Just power cycle it, as you are putting the NAND into a mode UBOOT won't be aware of...
 
The following users thanked this post: analogRF

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #146 on: August 01, 2023, 01:49:58 pm »
I connected the JTag and tried those commands but the "mem" command always says "Could not read memory." :-// :-// :scared:
 

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #147 on: August 01, 2023, 01:57:45 pm »
if I use mem8 instead of mem, it takes the command with no error but then it does not show anything.
 

Online ElectronMan

  • Regular Contributor
  • *
  • Posts: 111
  • Country: us
Re: Agilent 34461A corrupted flash
« Reply #148 on: August 01, 2023, 02:29:09 pm »
if I use mem8 instead of mem, it takes the command with no error but then it does not show anything.

What was the memory error? Can you try this while in the PBOOT loader? That memory range is sometimes not available in earlier and later boot stages. Just drop into that menu and halt it there to try.

Even with the patched loader booting okay, it would be interesting to see what's wrong with your flash parameters page exactly.
 

Offline analogRF

  • Super Contributor
  • ***
  • Posts: 1024
  • Country: ca
Re: Agilent 34461A corrupted flash
« Reply #149 on: August 01, 2023, 02:32:41 pm »
if I use mem8 instead of mem, it takes the command with no error but then it does not show anything.

What was the memory error? Can you try this while in the PBOOT loader? That memory range is sometimes not available in earlier and later boot stages. Just drop into that menu and halt it there to try.

Even with the patched loader booting okay, it would be interesting to see what's wrong with your flash parameters page exactly.

just says "Could not read memory." that's it

i'll try it in pboot
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf