[Libre-soc-dev] Programming a PPC440EPx via JTAG
Boris Shingarov
Shingarov at labware.com
Wed Oct 13 14:26:33 BST 2021
Dear Santa Claus:
Thank you for the most perfect Christmas gift! I've been trying to reverse-engineer the protocol myself, first as a "project for one long-weekend" and then expanding it to "a few weekends" but never really finished it. I have a number of PPC4xx boards (a Walnut, a Sequoia, various Xilinx boards, a couple of Freescale boards, the (still-shipping-from-manufacturer!!!) XMF5) lying around and it's been getting progressively more impossible to make any use of them because of the proprietary JTAG drivers. Well, at least Xilinx is barely usable from a VM running a 10-year-old Debian. But stuff like Macraigor or CodeWarrior, it's Windows-only and it doesn't work in emulation, and some of these probes connect only to a real parallel port (none of the USB-to-PPT adapters will work, I also failed with PCI PPT cards), and even if we leave issues like freedom aside, just from a purely technical perspective of JTAG software these boards are essentially bricks in 2021.
So I made a cheap logic analyzer out of sigrok and a BeagleBoneBlack, and piggybacked it on the 16-pin TAP, and then tried to make sense of the captured TDI/TDO bitvectors and write a Decoder subclass (stacked on top of the JTAG Decoder, in the same way the MIPS EJTAG Decoder does it).
I only do it as a nice weekend-distraction, so progress on this one is moving very slowly. Perhaps with your code I can bypass all that detective work. I'll try to use your code this weekend. If it works, as the next step I'll try extending OpenOCD so we can actually connect GDB to a bare-metal 4xx.
-- bgs
P.S.: Santa, next time you can log in as yourself, and remember Christmas is in December -- you posted your present on Canadian Thanksgiving!
-----"Libre-soc-dev" <libre-soc-dev-bounces at lists.libre-soc.org> wrote: -----
To: "Libre-Soc General Development" <libre-soc-dev at lists.libre-soc.org>
From: "Cesar Strauss"
Sent by: "Libre-soc-dev"
Date: 10/12/2021 08:56AM
Subject: [Libre-soc-dev] Programming a PPC440EPx via JTAG
Hi Luke,
I think you wanted to hear about how an embedded PowerPC CPU, which I
have in the Lab, can be programmed/debugged via JTAG.
The board is this one:
https://casper.astro.berkeley.edu/wiki/ROACH-2_Revision_2
It seems to have a PPC440EPx, a PowerPC embedded SoC.
See: https://en.wikipedia.org/wiki/List_of_PowerPC_processors#AMCC
Core: https://en.wikipedia.org/wiki/PowerPC_400#PowerPC_440
The JTAG protocol, apparently undocumented and proprietary, was
reverse-engineered, and seems to have:
1) a command for uploading and executing a single Power instruction,
2) a debug SPR that can be read and written into,
3) a debug mode register, for doing reset, halt, run, etc.
From that, higher-level operations can be performed, like reading and
writing to registers, SPRs, memory, PC, etc.
Here's the program which implements the above, reading a high-level
command file, and generating an SVF file:
https://github.com/ska-sa/roach2_testing/blob/master/roach2_production_test/ocdc_macro_convert.py
A sample command file is this:
https://github.com/ska-sa/roach2_testing/blob/master/roach2_production_test/support_files/program.mac
It loads a program into memory, which implements a XMODEM protocol
server over the serial port, and writes the incoming file (something
like uBoot.bin or memtest.bin) into Flash.
Regards,
Cesar
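The capture-decoding step mentioned in the reply above (turning logic-analyzer samples of TMS/TDI/TDO into per-scan bit vectors) can be sketched as follows. This is an added example, not code from either poster, from sigrok, or from the linked repository; it walks the standard IEEE 1149.1 TAP state machine only, and the sample capture, the 8-bit IR length and all scan values are constructed for illustration and are not PPC440 opcodes.

```python
# TAP state -> (next if TMS=0, next if TMS=1), per IEEE 1149.1.
TAP = {"TEST-LOGIC-RESET": ("RUN-TEST/IDLE", "TEST-LOGIC-RESET"),
       "RUN-TEST/IDLE": ("RUN-TEST/IDLE", "SELECT-DR"),
       "SELECT-DR": ("CAPTURE-DR", "SELECT-IR"),
       "SELECT-IR": ("CAPTURE-IR", "TEST-LOGIC-RESET")}
for r in ("DR", "IR"):  # the DR and IR columns have the same shape
    TAP.update({
        f"CAPTURE-{r}": (f"SHIFT-{r}", f"EXIT1-{r}"),
        f"SHIFT-{r}":   (f"SHIFT-{r}", f"EXIT1-{r}"),
        f"EXIT1-{r}":   (f"PAUSE-{r}", f"UPDATE-{r}"),
        f"PAUSE-{r}":   (f"PAUSE-{r}", f"EXIT2-{r}"),
        f"EXIT2-{r}":   (f"SHIFT-{r}", f"UPDATE-{r}"),
        f"UPDATE-{r}":  ("RUN-TEST/IDLE", "SELECT-DR"),
    })

def to_int(bits):
    return sum(b << i for i, b in enumerate(bits))  # first bit shifted is the LSB

def decode(samples):
    """samples: (tms, tdi, tdo) per rising TCK edge -> [(reg, nbits, tdi, tdo)]."""
    state, ones, tdi_bits, tdo_bits, scans = None, 0, [], [], []
    for tms, tdi, tdo in samples:
        ones = ones + 1 if tms else 0
        if state is None:      # capture may begin mid-scan: stay unsynchronised
            if ones >= 5:      # until five TMS=1 edges force Test-Logic-Reset
                state = "TEST-LOGIC-RESET"
            continue
        if state.startswith("CAPTURE"):
            tdi_bits, tdo_bits = [], []
        elif state.startswith("SHIFT"):   # one bit in and one bit out per edge
            tdi_bits.append(tdi)
            tdo_bits.append(tdo)
        state = TAP[state][tms]
        if state.startswith("UPDATE") and tdi_bits:
            scans.append((state[-2:], len(tdi_bits),
                          to_int(tdi_bits), to_int(tdo_bits)))
    return scans

def scan(reg, nbits, tdi, tdo):
    """Constructed input: the edges of one scan that starts in Run-Test/Idle."""
    tms = ([1, 1] if reg == "IR" else [1]) + [0, 0] + [0] * (nbits - 1) + [1, 1, 0]
    pre = len(tms) - nbits - 2          # edges before the first shifted bit
    bit = lambda v, i: (v >> (i - pre)) & 1 if 0 <= i - pre < nbits else 0
    return [(t, bit(tdi, i), bit(tdo, i)) for i, t in enumerate(tms)]

# Constructed capture: two stray edges, reset, idle, an IR scan, a DR scan.
CAPTURE = ([(0, 1, 0), (0, 0, 1)] + [(1, 0, 0)] * 5 + [(0, 0, 0)]
           + scan("IR", 8, 0xA5, 0x01) + scan("DR", 32, 0x12345678, 0xDEADBEEF))
```

A protocol-specific decoder would then sit on top of `decode()`, mapping each IR value and the DR payload that follows it to a command.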