Products > Test Equipment

Sniffing the Rigol's internal I2C bus

<< < (770/899) > >>

ytsejam:
Has anyone successfully dumped the flash content of DSA815 ?
Just got a tiny progress, hope to see if anyone can share their finding?

I tried to dump BF526's async banks (0x20000000 ~ 0x203FFFFF) with bfin toolchain and ARM-USB-OCD-H cable,
however I found that the dump files are inconsistent, results are not the same.
(Tried on both DSA815 with bootloader 1.03  and 1.04)

Since TopJTAG was mentioned previously, I decided to give it a try.
The flash chip on DSA815 is Spansion S29GL064N90TFI04 (TSOP48 package, 8MB Parallel NOR flash, CFI compiant).
I used Segger J-LINK v9 as the JTAG cable.
I managed to figure out the setting for TopJTAG Flash Programmer:

------------------------------
1. BSDL for BF526 is attached.
2. Data bus is 16-bit wide with 16-bit maximum capable data
3. Signal pins:

CE = AMS0, active = low
OE = AOE  , active = low
WE = AWE , active = low

A0 ~ A18 = ADDR1 ~ ADDR19
(A21 ~ A19 seem to be hardcoded as 110 or controlled by other device, FPGA?)

D0 ~ D15 = DATA0 ~ DATA15

4. Static pins

No static pins defined.

-------------------------------

With the above setting, I was able to dump 1MB flash content.

My intention was to dump the flash content of a DSA815 with bootloader 1.03 and restore it on my DSA815 with bootloader 1.04.
I was able to dump 1MB binary files from each.

However when I tried to restore the dump from 1.03 to my 1.04 DSA815, the program and verification process was completed successfully.
But when I rebooted my DSA815, the bootloader remains 1.04 and everything is unchanged. (WP# was hardcoded at VIH, maybe there is some dynamic write protections?)

I was confused by the design.
BF526 supports up to 4 async banks with each has 1MB address. That will only be able to provide 4 MB address in total.
However, they uses a 8 MB flash. Is the reset of the space used by FPGA?

Also, as I mentioned, if A21 ~ A19 are hard coded with 110, BF526 will only be able to access 1MB flash space in this case.
And the size of DSA800_UpdateFile.sys (firmware) is nearly 2.x MB. I believe that A21 ~ A19 must be connect to BF526 in some ways.
Or it won't be able to program the whole content of the firmware update into the flash chip.

According to past experience, usually flash will maintain multiple copies of firmware (I've seen the case with 4 copies), and the content will be checked during boot. Maybe I was just updated one of them?

Appreciate if anyone with similar experience can share your finding.

UPDATE
The setup profile for TopJTAG Flash Programmer is attached. Remove the suffix .txt before use.
BDSL file needs to be placed in the same folder with the setup profile.

ytsejam:
UPDATE: the above method actually works.

Previously, I tried to program my DSA815 (bootloader 01.04, FW 01.09, RF FPGA FW 00.05, Digital FPGA FW 00.04) with the flash dump from another DSA815 (bootloader 01.03, FW 01.07, RF FPGA FW 00.05, Digital FPGA FW 00.04). I didn't notice any change.

Next, I tried to upgrade my DSA815 to FW 01.12, after upgrade, the sysinfo shows: bootloader 01.04, FW 01.12, RF FPGA FW 00.05, Digital FPGA FW 00.05
Then I Programmed the flash with the dump file from the old DSA815. Once I reboot my DSA815, the bootloader prompts something like "Factory Boot".
Which means, the bootloader cannot boot into the firmware on the flash. Obviously, this is because the bootloader is not able to recognise part of the code on the flash. I think this is due to the version of Digital FPGA FW version mismatch. I guess the portion I write into the flash was the Digital FPGA FW.

The factory boot mode can be recovered by pressing PRESET to load a FW version 01.12.

Though no immediate success, but this might give me a clue that if I can dump the correct portion of the flash, I should be able to "restore" the bootloader back to 01.03.

guiasse:
Hello,
I'm trapped on a firmware 1.12 / boot 1.04. There is no way to downgrade firmware.
Does anybody have a way to do that ?
Best regards,

N8AUM:

--- Quote from: guiasse on March 16, 2015, 11:24:23 am ---Hello,
I'm trapped on a firmware 1.12 / boot 1.04. There is no way to downgrade firmware.
Does anybody have a way to do that ?
Best regards,

--- End quote ---

I wonder how many of us are in the same boat ?

guiasse:
If i'm right the only way for the moment is to use a pic over Fram to reset time trial at each boot.
Did somebody try that with last realease ?

Navigation

[0] Message Index

[#] Next page

[*] Previous page

There was an error while thanking
Thanking...
Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod