Val and I have been reverse engineering one of Val's bricked Primes. So far we have found all of the pins necessary for a JTAG, which hopefully can fix the other bricked calc's boot code. Also, we now know what is beneath the processor and the RAM chip now. Here are the results (huge images are huge): http://i.imgur.com/UXNxjTV.jpg http://i.imgur.com/L369Xl4.jpg
Wow, that is impressive work! I know you and Val have each separately been working on reverse-engineering aspects of the HP Prime, and it's great to see that you're joining forces. Out of curiosity, have you investigated the 6-pin set of test points 419 through 424? That looks suspiciously like a JTAG connector to me.
No, we have not. Looking at the datasheet and the traces of TP107-110, they are certainly the JTAG. I am currently looking into the 10-pin U304, and I will look at those next.
EDIT: more info on U304 (again, huge images):
http://i.imgur.com/BRJBJp1.jpg http://i.imgur.com/sfaBuj7.jpg
It appears that U304 is a clock control area, and it appears not to be test points. It actually appears as if it contains a way to change clock settings by moving/adding/removing resistors.
It's common in consumer electronics to be able to add or remove 0-ohm resistors to use the same board for different products. Adding and removing those 0-ohm resistors (which is friendly to pick-and-place processes) can enable and disable different features, or in this case adjust the clock speed, probably.
Spent all day making a nice, pretty image with neatly colored routes. Also investigated the area Kerm mentioned, it seems to be related to touch screen functionality (considering most lead to the ribbon that connects to the capacitive touch screen):

http://puu.sh/h5zah/5d6e790f24.jpg
http://puu.sh/h5zcj/26b8c236dc.jpg

I'll add in Hool's progress tomorrow.
About a week ago I ordered some parts necessary for an experiment, so far everything has arrived except my bus blaster. I got the 20 pin jtag ribbon soldered on today:

http://puu.sh/h5DvM/5080abb79c.jpg

Connected: Vref & Vsupply, TDO, TDI, TMS, TCK, nTRST & nSRST

Not connected: RTCK, DBGACK, DBGRQ

I didn't really know what to do with the ground pins so I soldered them all together and attached them to the ground plane.

(edit: there's some solder pads near the jtag area that have 3.3v and gnd)

Once the bus blaster arrives (probably tomorrow) then we'll see what happens!
I'm rather confused that the JTAG header there didn't have a ground pin of its own, but if you're sure that you have the rest of the pins properly mapped, then I suppose there's no harm in getting ground from the ground plane instead.
Been busy with school lately but I've been able to successfully read, write, and erase the NAND flash chip on the Prime, along with other JTAG features like halting the processor, controlling memory, etc. The bricked Prime the OP mentions is long gone (died in a marching accident) and I have a new one, but the debricking process is still the same (tested by completely erasing and reflashing with the bootloader that comes with the software, then updating via recovery mode & usbtool). Long story short, it's pretty much impossible to permabrick the Prime with just software. :)

The process is basically this:
1. Get a bus blaster, or some other probe, and a 20 pin JTAG ribbon cable
2. Connect the cable to the probe and cut the other ends so they correspond to the TAPs
3. Solder TCK, TDI, TMS, TDO, TSRST & TRST (both to same pin), VTG/VREF (to 3.3V), and any ground pin to GND
4. Use OpenOCD to connect to the probe, I made a config file down below so it can be used with the prime
5. Start OpenOCD, reset init, nand probe 0, and then you can use virtually any nand commands OpenOCD provides

After that you can write anything to the flash chip; there's no real restrictions except the size but it's nothing to worry about. There is, however, a small problem I encountered and kept me from writing to the chip period. The NAND chip has a WP (write protect) pin that is activated when it's active-low, and obviously the Prime will keep it active-high.. right? Well, yes and no. Apparently, after completely erasing and then manually resetting (using the switch on the back) the power that's fed to the pin that keeps it active-high is cut. It's powered by a Vcc pin on the RAM (you can sorta see it on the pictures), and I'd imagine that if there's no code to initialize the RAM in the first place then there won't be any power. What I did was connect a 100k pull-up resistor to a power source (you can find them all over the board) and to the WP pin on the chip, and after that I was able to write to it again. Picture:

http://puu.sh/h5Dww/4823bd2142.jpg

^ The five pins below the WP pin are not connected to anything internally or externally, so I took advantage of it and made a stronger connection to the wire by making a small solder blob. I also removed the original resistor that kept it active-high, I didn't really need it anymore.

Chances are you won't have to deal with this problem though, just be careful, and make sure to check the status register with the NAND controller if things break. If it's the write protect error then you'll probably have to do this.

Anyways, you should be able to have full control of basic debugging functions after that. To debrick, just write BXCBOOT0, reset into recovery mode, and use the connectivity kit or usbtool to update to the latest version. The Prime is absolutely a joy to modify, definitely makes me like HP :)

Config file for OpenOCD

Also, here's a complete flash dump after an erase->reinstall->boot once.
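
The status-register check mentioned in the post above, as an added example that is not part of the original post or the author's OpenOCD config. It assumes the Prime's flash chip uses the conventional NAND READ STATUS (command 0x70) bit layout, since the thread does not name the part; the sample bytes are constructed, not readings from a real calculator.

```python
from dataclasses import dataclass

# Conventional NAND READ STATUS (command 0x70) bit layout. Assumption: the
# Prime's flash chip follows it; the thread does not name the part.
FAIL = 0x01  # last program/erase failed (only meaningful once RDY is set)
RDY = 0x40   # device is ready for a new command
WP_N = 0x80  # 1 = NOT write-protected, 0 = WP# pin is being held low


@dataclass
class NandStatus:
    raw: int
    ready: bool
    write_protected: bool
    failed: bool


def decode_status(raw: int) -> NandStatus:
    """Split one status byte into the flags that matter when a write breaks."""
    if not 0 <= raw <= 0xFF:
        raise ValueError("status register is a single byte")
    ready = bool(raw & RDY)
    return NandStatus(
        raw=raw,
        ready=ready,
        write_protected=not (raw & WP_N),
        # FAIL is undefined while the chip is busy, so do not report it then.
        failed=ready and bool(raw & FAIL),
    )


def diagnose(raw: int) -> str:
    """Name the most likely cause, checking write protection first."""
    st = decode_status(raw)
    if st.write_protected:
        return "write-protected: WP# is low, check the pull-up on the WP pin"
    if not st.ready:
        return "busy: poll again before trusting the FAIL bit"
    if st.failed:
        return "program/erase failed with WP# high: suspect a bad block"
    return "ok: ready, not write-protected, last operation passed"


if __name__ == "__main__":
    # Constructed sample values, not readings taken from a real Prime.
    for sample in (0xE0, 0x60, 0xE1, 0x80):
        print(f"0x{sample:02X}: {diagnose(sample)}")
```
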
Excellent work - at long last, someone spent the required amount of time and tackled the problem :)
I cross-posted a summary of this topic at TI-Planet. It's not a front-page news item for now, but it may well become, as this is clearly a very important milestone for the Prime scene ;)

Once again, an important milestone comes from the outside of the traditional HP community: so did the initial modified firmware experiments from critor and I, my later full-custom crappy armfir.elf.

Third-party connectivity kits were also milestones. My libhpcalcs started before the other third-party connectivity kit for the Prime was published, though it was published slightly later. To date, libhpcalcs is the only third-party CK which actually works, in addition to being programmed in a portable and interoperable way. It has no GUI, though.
Quote:
Anyways, you should be able to have full control of basic debugging functions after that. To debrick, just write BXCBOOT0, reset into recovery mode, and use the connectivity kit or usbtool to update to the latest version. The prime is absolutely a joy to modify, definitely makes me like HP


The trick is to avoid conflicts with HP's intentions on keeping its calculator on the list of allowed calculators on standard exams. I don't work for HP, but I suspect that they are not going to make a big deal out of it unless we cross that fine line.
Han wrote:
Quote:
Anyways, you should be able to have full control of basic debugging functions after that. To debrick, just write BXCBOOT0, reset into recovery mode, and use the connectivity kit or usbtool to update to the latest version. The prime is absolutely a joy to modify, definitely makes me like HP


The trick is to avoid conflicts with HP's intentions on keeping its calculator on the list of allowed calculators on standard exams. I don't work for HP, but I suspect that they are not going to make a big deal out of it unless we cross that fine line.
Yes; the most I'm going to do is make a few minor patches to the OS to fix bugs, and I'll probably take a stab at linux. I'm sure the $50 price tag the probe + cables have will deter anyone with true malicious intention.
Val wrote:
Been busy with school lately but I've been able to successfully read, write, and erase the NAND flash chip on the Prime, along with other JTAG features like halting the processor, controlling memory, etc. The bricked Prime the OP mentions is long gone (died in a marching accident) and I have a new one, but the debricking process is still the same (tested by completely erasing and reflashing with the bootloader that comes with the software, then updating via recovery mode & usbtool). Long story short, it's pretty much impossible to permabrick the Prime with just software. :)

The process is basically this:
1. Get a bus blaster, or some other probe, and a 20 pin JTAG ribbon cable
2. Connect the cable to the probe and cut the other ends so they correspond to the TAPs
3. Solder TCK, TDI, TMS, TDO, TSRST & TRST (both to same pin), VTG/VREF (to 3.3V), and any ground pin to GND
4. Use OpenOCD to connect to the probe, I made a config file down below so it can be used with the prime
5. Start OpenOCD, reset init, nand probe 0, and then you can use virtually any nand commands OpenOCD provides

After that you can write anything to the flash chip; there's no real restrictions except the size but it's nothing to worry about. There is, however, a small problem I encountered and kept me from writing to the chip period. The NAND chip has a WP (write protect) pin that is activated when it's active-low, and obviously the Prime will keep it active-high.. right? Well, yes and no. Apparently, after completely erasing and then manually resetting (using the switch on the back) the power that's fed to the pin that keeps it active-high is cut. It's powered by a Vcc pin on the RAM (you can sorta see it on the pictures), and I'd imagine that if there's no code to initialize the RAM in the first place then there won't be any power. What I did was connect a 100k pull-up resistor to a power source (you can find them all over the board) and to the WP pin on the chip, and after that I was able to write to it again. Picture:

http://puu.sh/h5Dww/4823bd2142.jpg

^ The five pins below the WP pin are not connected to anything internally or externally, so I took advantage of it and made a stronger connection to the wire by making a small solder blob. I also removed the original resistor that kept it active-high, I didn't really need it anymore.

Chances are you won't have to deal with this problem though, just be careful, and make sure to check the status register with the NAND controller if things break. If it's the write protect error then you'll probably have to do this.

Anyways, you should be able to have full control of basic debugging functions after that. To debrick, just write BXCBOOT0, reset into recovery mode, and use the connectivity kit or usbtool to update to the latest version. The Prime is absolutely a joy to modify, definitely makes me like HP :)

Config file for OpenOCD

Also, here's a complete flash dump after an erase->reinstall->boot once.



Hi.

I am trying to retrieve my calculator and I was shown this JTAG procedure. However, some images are no longer available. Could you help me with how to do the procedure?
  