Author Topic: JTAG / UART & more  (Read 6110 times)

nikfreak

JTAG / UART & more
« on: March 09, 2016, 08:02:54 PM »
Hi everybody,

I've been playing around with Espressif's ESP-modules lately for some private projects.

OT-OT:
I can recommend NodeMCU (http://en.wikipedia.org/wiki/NodeMCU)
...

Guess, who's playing actually with it  :P

Anyways I just ordered a Bus Pirate V3.6.
My goal is to JTAG our EOS cams. A big package of older cams, mainly EOS 10D, 20D, 30D, 40D, 50D, 1000D and 650D, should arrive at my door in the next weeks (thanks @Dayton) and I am going to start getting familiar with dismantling them. Main focus will be JTAG for 50D and 650D and I hope to get access to the bootloader / kernel in some way to get more insight into the cams. There's UART, so there must be a bootloader, too. This may become useful for Linux development in some way. Maybe we can get U-BOOT ported to our cams or I am going to fail right at the beginning, who knows? Will keep this post updated from time to time but don't expect miracles anytime soon, I am just going to replicate this tutorial to EOS DSLRs and with some luck and hope there will be results to report and try on Digic6 cameras   ;D.

Danne

Re: JTAG / UART & more
« Reply #1 on: March 09, 2016, 08:16:33 PM »
Oh, this is hardcore stuff. I will definitely follow this with great interest. And thanks for the great work on porting cams already. Beautiful work.

DeafEyeJedi

Re: JTAG / UART & more
« Reply #2 on: March 10, 2016, 03:53:30 AM »
I am so high reading your post @nikfreak and flying with massive hopes on this wonderful project of yours!

eduperez

Re: JTAG / UART & more
« Reply #3 on: March 10, 2016, 11:35:56 PM »
You might want to contact member 0xAF in this forum: if I remember correctly, he already worked on JTAG with the 400D.

g3gg0

Re: JTAG / UART & more
« Reply #4 on: March 12, 2016, 01:59:07 AM »
yeah, the ESP8266 is nice  ;)

nikfreak

Re: JTAG / UART & more
« Reply #5 on: March 15, 2016, 04:44:23 PM »
@g3gg0 and @a1ex. Got a screenshot from EOSM's Flash Chip Winbond 25Q64 (8MB or 32MB?).

https://drive.google.com/file/d/0B9Mu66yg5QzRRlctYkNKbktyaGM/view?usp=sharing

I should be able to read it out if used in other cams too but can't judge atm what it will contain? Only Firmware or maybe more? While still waiting for delivery I wanted to ask if someone already tried to backup the flash or can I skip this step as we are already able to dump the whole chip contents (ROM0/1.BIN)?

a1ex

Re: JTAG / UART & more
« Reply #6 on: March 15, 2016, 06:21:25 PM »
To my knowledge, ROM0/1.BIN are the complete chip contents.

Knowing the chip could be interesting in understanding how to emulate it (for reflashing), for example.

Since you are interested in UART, here's a trick: returning from autoexec.bin will bring a bootloader menu via UART (visible in QEMU as well). IIRC g3gg0 already tried this menu in his emulator (TriX).

Maqs

Re: JTAG / UART & more
« Reply #7 on: April 01, 2016, 10:47:17 AM »
Quote from: nikfreak on March 15, 2016, 04:44:23 PM
> @g3gg0 and @a1ex. Got a screenshot from EOSM's Flash Chip Winbond 25Q64 (8MB or 32MB?).
>
> https://drive.google.com/file/d/0B9Mu66yg5QzRRlctYkNKbktyaGM/view?usp=sharing
>
> I should be able to read it out if used in other cams too but can't judge atm what it will contain? Only Firmware or maybe more? While still waiting for delivery I wanted to ask if someone already tried to backup the flash or can I skip this step as we are already able to dump the whole chip contents (ROM0/1.BIN)?

25Q64 has 64 megabits, so 8 MB.

rbrune

Re: JTAG / UART & more
« Reply #8 on: April 04, 2016, 09:50:10 AM »
The buspirate is a fine little device.

Here is me dumping some flash memory with it: https://twitter.com/_deeperblue/status/466329008746266624

As a1ex said, the flash will likely just be 1:1 the content of the ROM0/1.BIN dump files. But if you're able to read/write the flash with the chip still on the camera board (like I did in the photo - but sometimes that doesn't work due to the board layout and how power is distributed) that would open up a great way to reanimate bricked cameras. Same is true if you get JTAG working. Also the buspirate together with flashrom should autodetect the flash chip/type - if that doesn't happen there's probably a wiring issue and/or reading/writing the chip in place doesn't work due to the board layout and its voltage distribution.
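
A sanity check for an in-circuit flash read of the kind discussed in this thread, as an added example that is not part of any poster's message: it compares two consecutive reads of the same chip, checks the size against the chip density (64 megabits, so 8 MB, for the 25Q64), flags a constant read that points to wiring or power trouble, and optionally compares against a software dump such as ROM1.BIN. The function name `check_dump` and the sample data are assumptions made for this illustration.

```python
import hashlib

def check_dump(read_a, read_b, density_mbit, reference=None):
    """Sanity-check two consecutive reads of one SPI flash chip.

    density_mbit: chip density in megabits (64 for the 25Q64, i.e. 8 MiB).
    reference: optional bytes of a software dump to compare against.
    """
    findings = []
    expected = density_mbit * 1024 * 1024 // 8
    if len(read_a) != expected:
        findings.append(f"size {len(read_a)} != expected {expected} bytes")
    if read_a != read_b:
        if len(read_a) != len(read_b):
            findings.append("reads differ in length")
        else:
            diff = sum(x != y for x, y in zip(read_a, read_b))
            findings.append(f"reads differ in {diff} byte(s): unstable read")
    # A read that is one repeated byte (often 0xFF or 0x00) means the chip
    # never drove the bus, which is typical of wiring or power problems.
    if read_a and read_a.count(read_a[:1]) == len(read_a):
        findings.append(f"constant 0x{read_a[0]:02X}: check wiring and power")
    if reference is not None and not findings and reference != read_a:
        n = min(len(reference), len(read_a))
        first = next((i for i in range(n) if reference[i] != read_a[i]), n)
        findings.append(f"differs from reference at offset 0x{first:X}")
    return {"ok": not findings,
            "sha256": hashlib.sha256(read_a).hexdigest(),
            "findings": findings}

if __name__ == "__main__":
    # Constructed sample data standing in for real reads (not camera contents).
    size = 64 * 1024 * 1024 // 8
    good = bytes(range(256)) * (size // 256)
    flaky = bytearray(good)
    flaky[0x1234] ^= 0x01  # simulate one bit flipped by a marginal connection
    print(check_dump(good, good, 64, reference=good))
    print(check_dump(good, bytes(flaky), 64)["findings"])
    print(check_dump(b"\xff" * size, b"\xff" * size, 64)["findings"])
```

With real hardware, `read_a` and `read_b` would be the contents of two files read back to back from the chip, and `reference` the contents of the dump the camera produced itself.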

Maqs

Re: JTAG / UART & more
« Reply #9 on: April 07, 2016, 10:02:58 PM »
See also https://www.flashrom.org/ISP (some hints for ISP).