Hi, I'm Julien, and I'm working on French tv-box K8006.
First congratulation for this forum and wiki, the staff and peoples job are very useful for me.
I made my JTAG (DL5) cable and it's working
On my box (KMM3210 board, x300t identical, rev 0D) , I make the SMP modification, but if JTAG_Enable is directly on 3.3v Jtag send only "0000" on TDO pin. You must plug JTAG_Enable (SMP) to JTAG_enable pin (bottom UART0), if 10k resistor is on PCB jumper is not necessary.
I don't now why but this configuration work for me, and i hope this can be useful.
I experiment pacher, yamon, bootloader, and flashing with wrt54g debrick utility:
-Bootloader Dump successful (with wrt54g -backup:custom /window:AC000000 /start:AC000000 /length:100000)
(flash memory are detected only if you specify AC000000 custom address.)
You can view Xenv configuration values with hexa editor inside bootloader Dump (0x00000000 to 0x000004F0 approximately)
xenv K8006, model KMM3210-TF-A rev 0D:
a.avclk_mux 0x00000000
a.board_id "KMM3210-TF-A"
a.cd2_freq 0x05b8d800
a.cd4_freq 0x01fca055
a.chip_rev 0x86340082
a.enable_devices 0x00023efe
a.gpio_data 0x00000000
a.gpio_dir 0x00000000
a.gpio_irq_map 0x0d090800
a.hostclk_mux 0x00000100
a.irq_fall_edge_hi 0x00000000
a.irq_fall_edge_lo 0x0000c000
a.irq_rise_edge_hi 0x000001ff
a.irq_rise_edge_lo 0xff28ca00
a.pb_cs_config 0x000c10c0
a.pb_def_timing 0x01090008
a.pb_timing0 0x01090008
a.pb_timing1 0x00110101
a.pb_use_timing0 0x000003fc
a.pb_use_timing1 0x000003f3
a.pcidev1_irq_route 0x01010101
a.pcidev2_irq_route 0x01010101
a.pcidev3_irq_route 0x01010101
a.pcidev4_irq_route 0x02020202
a.premux 0x00000603
a.scard_5v_pin 0x00000001
a.scard_cmd_pin 0x00000002
a.scard_off_pin 0x00000000
a.uart0_gpio_data 0x00000000
a.uart0_gpio_dir 0x00000000
a.uart0_gpio_mode 0x0000006e
a.uart1_gpio_data 0x00000000
a.uart1_gpio_dir 0x00000000
a.uart1_gpio_mode 0x0000006e
a.uart_console_port 0x00000000
a.uart_used_ports 0x00000001
l.cs0_size 0x00000000
l.cs1_size 0x00000000
l.cs2_part1_offset 0x00000000
l.cs2_part1_size 0x00008000
l.cs2_part2_offset 0x00008000
l.cs2_part2_size 0x800e8000
l.cs2_part3_offset 0x000f0000
l.cs2_part3_size 0x80010000
l.cs2_parts 0x00000003
l.cs2_size 0x00400000
l.cs3_size 0x00000000
x.boot 0x00008000
x.csf 0x00000002
x.d0.cfg 0xe34111ba
x.d1.cfg 0xe34111ba
x.ds 0x00010040
x.dt 0x00000001
x.l2rzc 0x0000000c
x.l2xz 0x00000015
z.boot0 0x00040000
z.boot1 0x00080000
z.boot2 0x4c040000
z.boot3 0x4c080000
z.default_boot 0x00000000
a.eth_mac "00:00:DE:xx:xx:xx"
I using this method because Yamon prompt doesn't work on my board.
Xenv configuration are identical to the German version (KMM3210-TG-A)
I currently using this xenv configuration to make imself zboot and zb-image-yamon files (signed with cpu keys, you can find everything on google...)
I use dd to concatenate files in one zboot file:
dd if=zboot2.bin of=zboot bs=262144 (0x40000)
dd if=zbimage-yamon of=zboot bs=262144 seek=1
dd if=zbimage-linux-xrpc of=zboot bs=524288 seek= 1 (0x80000) (don't add actually, my fist objective is see Yamon prompt.)
I build zbimage-linux-xrpc but it's too big for flash, may be corect this by select other options on menuconfig.
Well, I keep you informed ^^ if I can help you for work progress...
Big sizeUPDATE:zboot (2) failed
I rebuild another zboot => flash blocked at AC006000, flashs blocs ar protected?
Go to erase:custom .... /length:100000, so full ram should be set to "FF".
Go to backup:custom .... /length:100000, i see severals blocks are still programmed:
0xAC000000:0xAC005FFF => erased, unprotected (xenv may be...)
0xAC006000:0xAC007FFF => not erased, protected! (
for what? xboot? xenv autobackup? ....)
0xAC008000:0xAC07FFFF => erased, unprotected (zboot should start at 0xAC040000 so what is in 0xAC008000 to 0xAC03FFFF?)
0xAC080000:0xAC0D8433 => not erased, protected... don't understand, everything are crypted.
0xAC0D8434:0xAC0EFFFF=> erased, unprotected.
0xAC0F0000:0xAC0F0A4E => not erased, protected, string are not crypted, for exemple :
"AV Content Protection"
"
http://www.sciatl.com/security/pki/crl/msiptve/CA00024_000.crl" <= security certificate, link still active.
"Client Authentication"
"iptvdiscovery.iptv.club-internet.fr"
There are messages in front of box, on LCD screen:
"Démarrage..."
"Erreur..."
"Téléchargement..."
"Club internet!"
"Mode debug"
"Vidage mémoire..."
"Recherche serveur"
"Configuration par défaut"
This part may be use by Windows CE for update, authentication?
Flashing at 33%... what and see...
I find my stupid error, flash memory address Length are 80000 (512kb, 16 bits) and no 100000, so outside should be ram data? or harddisk? i don't know.
This is the flash structure table that we can see on datasheet: (MCX29LV800CBT)
In BigC:\X300T\debrick>ejtag -erase:custom /window:AC000000 /start:AC000000 /length:80000
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00001000011000110000000000000001 (08630001)
*** Found a SigmaDesigns SMP8634 Rev A CPU chip ***
- EJTAG IMPCODE ....... : 01000000010000010100000000000000 (40414000)
- EJTAG Version ....... : 2.6
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Probing Flash at (Flash Window: 0xac000000) ... Done
Flash Vendor ID: 00000000000000000000000011000010 (000000C2)
Flash Device ID: 00000000000000000010001001011011 (0000225B)
*** Found a MX29LV800BTC 512kx16 BotB (1MB) Flash Chip ***
- Flash Chip Window Start .... : ac000000
- Flash Chip Window Length ... : 00100000
//don't understand...
- Selected Area Start ........ : ac000000
- Selected Area Length ....... : 00080000
//my custom length => 512k * 16 bits
*** You Selected to Erase the CUSTOM.BIN ***
=========================
Erasing Routine Started
=========================
Total Blocks to Erase: 19
Erasing block: 1 (addr = ac000000)...Done
Erasing block: 2 (addr = ac002000)...Done
Erasing block: 3 (addr = ac003000)...Done
Erasing block: 4 (addr = ac004000)...Done
Erasing block: 5 (addr = ac008000)...Done
Erasing block: 6 (addr = ac010000)...Done
Erasing block: 7 (addr = ac018000)...Done
Erasing block: 8 (addr = ac020000)...Done
Erasing block: 9 (addr = ac028000)...Done
Erasing block: 10 (addr = ac030000)...Done
Erasing block: 11 (addr = ac038000)...Done
Erasing block: 12 (addr = ac040000)...Done
Erasing block: 13 (addr = ac048000)...Done
Erasing block: 14 (addr = ac050000)...Done
Erasing block: 15 (addr = ac058000)...Done
Erasing block: 16 (addr = ac060000)...Done
Erasing block: 17 (addr = ac068000)...Done
Erasing block: 18 (addr = ac070000)...Done
Erasing block: 19 (addr = ac078000)...Done
//19 blocks, confirmed by datasheet
