Realtek RTL8181 JTAGing


25 July 2004

Some luck! Cavnex's JTAG is working now. I can get a register dump and peek and poke the memory. Here's a regdump.

H> r
R0=0x00000000 R1=0xffffffff R2=0xffffffff
R3=0xdeadbeef R4=0xffffffff R5=0xffffffff
R6=0xffffffff R7=0xffffffff R8=0x42420202
R9=0x80005dc8 R10=0xffffffff R11=0xffffffff
R12=0xffffffff R13=0xffffffff R14=0xffffffff
R15=0xffffffff R16=0xffffffff R17=0xffffffff
R18=0xffffffff R19=0xffffffff R20=0xffffffff
R21=0xffffffff R22=0xffffffff R23=0xffffffff
R24=0xffffffff R25=0xffffffff R26=0x80000000
R27=0xbfc05e74 R28=0xffffffff R29=0xffffffff
R30=0xffffffff R31=0xffffffff PC=0x80c0ef44
BVA=0x00000000 Count=0x00000000 Compare=0x00000000
SR=0x00000000 Cause=0x00000000 EPC=0x00000000
WatchLo=0x00000000 WatchHi=0x00000000 PerfCtr=0x00000000
ParError=0x00000000 CacheError=0x00000000 ErrorEPC=0x00000000
DEBUG=0xc0000020 DEPC=0x80c0ef44

Just to clear some things up, a BSDL file is not needed as the RTL8181 implements most of MIPS' EJTAG v2.0 standard. So, if you have a JTAG kit that can speak EJTAG 2.0 (not the later v2.5) then you should have no trouble replicating the above.


16 July 2004

Cavnex have kindly sent me their parallel port JTAG interface and their own software that is Lexra compatible! This weekend should bring some interesting results.


16 May 2004

I have tried Macraigor's demo versions of the FLASH programmer and, more importantly, the OCD debugger in Windows. The OCD debugger was configured to debug MIPS EJTAG v2.5 in 32-bit mode but there was no joy. The RTL8181 is not EJTAG compliant with MIPS' EJTAG spec. As can be seen below, there are too many registers missing.

---

I got my mitts on a real life Macraigor parallel port Wiggler and reran the jtag program and got some more positive results. With the Xilinx unit I noticed there seemed to be inordinately short data chains (i.e. -1). This time I have had more luck and, as you can see, the 96-bit register is probably the boundary scan chain.


jtag> cable parallel 0x378 WIGGLER
Initializing Macraigor Wiggler JTAG Cable on parallel port at 0x378
jtag> detect
IR length: 5
Chain length: 1
Device Id: 00010101001010000000000000001101
Unknown manufacturer!
chain.c(110) Part 0 without active instruction
chain.c(133) Part 0 without active instruction
chain.c(110) Part 0 without active instruction
jtag> discovery
Detecting IR length ... 5
Detecting DR length for IR 11111 ... 1
Detecting DR length for IR 00000 ... -1
Detecting DR length for IR 00001 ... 32
Detecting DR length for IR 00010 ... -1
Detecting DR length for IR 00011 ... 32
Detecting DR length for IR 00100 ... 1
Detecting DR length for IR 00101 ... 1
Detecting DR length for IR 00110 ... 1
Detecting DR length for IR 00111 ... 1
Detecting DR length for IR 01000 ... -1
Detecting DR length for IR 01001 ... 32
Detecting DR length for IR 01010 ... 32
Detecting DR length for IR 01011 ... 96
Detecting DR length for IR 01100 ... -1
Detecting DR length for IR 01101 ... 36
Detecting DR length for IR 01110 ... -1
Detecting DR length for IR 01111 ... -1
Detecting DR length for IR 10000 ... -1
Detecting DR length for IR 10001 ... -1
Detecting DR length for IR 10010 ... -1
Detecting DR length for IR 10011 ... -1
Detecting DR length for IR 10100 ... -1
Detecting DR length for IR 10101 ... -1
Detecting DR length for IR 10110 ... -1
Detecting DR length for IR 10111 ... -1
Detecting DR length for IR 11000 ... -1
Detecting DR length for IR 11001 ... -1
Detecting DR length for IR 11010 ... -1
Detecting DR length for IR 11011 ... -1
Detecting DR length for IR 11100 ... -1
Detecting DR length for IR 11101 ... -1
Detecting DR length for IR 11110 ... -1
jtag>
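
An added example (not part of the original page or of the jtag tool) that checks the Wiggler discovery output above against the instruction opcodes of the MIPS EJTAG specification. The opcode table comes from that specification and assumes a core with 32-bit addresses; a length of -1 is treated as "no length detected".

```python
import re

# IR opcodes and DR lengths from the MIPS EJTAG specification for a core with
# 32-bit addresses (taken from the spec, not from the original page).
EJTAG_OPCODES = {
    0x01: ("IDCODE", 32),
    0x03: ("IMPCODE", 32),
    0x08: ("ADDRESS", 32),
    0x09: ("DATA", 32),
    0x0A: ("CONTROL", 32),
    0x0B: ("ALL", 96),   # ADDRESS, DATA and CONTROL chained: 3 x 32 bits
    0x1F: ("BYPASS", 1),
}
LINE = re.compile(r"Detecting DR length for IR ([01]+) \.\.\. (-?\d+)")

# Lines copied from the Wiggler session above (the EJTAG opcodes plus 01101).
WIGGLER_RUN = """\
Detecting DR length for IR 11111 ... 1
Detecting DR length for IR 00001 ... 32
Detecting DR length for IR 00011 ... 32
Detecting DR length for IR 01000 ... -1
Detecting DR length for IR 01001 ... 32
Detecting DR length for IR 01010 ... 32
Detecting DR length for IR 01011 ... 96
Detecting DR length for IR 01101 ... 36
"""

def parse_discovery(text):
    """Return {opcode: DR length} from 'discovery' output; -1 is kept as-is."""
    return {int(ir, 2): int(length) for ir, length in LINE.findall(text)}

def compare_to_ejtag(lengths):
    """Map each EJTAG register name to 'match', 'mismatch' or 'undetected'."""
    report = {}
    for opcode, (name, expected) in EJTAG_OPCODES.items():
        seen = lengths.get(opcode, -1)
        if seen < 0:  # the tool reported no usable length
            report[name] = "undetected"
        else:
            report[name] = "match" if seen == expected else "mismatch"
    return report

def unexplained(lengths):
    """Opcodes that returned a length but are not in the table above."""
    return {op: n for op, n in lengths.items() if n > 0 and op not in EJTAG_OPCODES}

if __name__ == "__main__":
    lengths = parse_discovery(WIGGLER_RUN)
    print(compare_to_ejtag(lengths))
    print("not in table:", unexplained(lengths))
```

Feeding the full session text to `parse_discovery` works the same way; the 1-bit responses at 00100 to 00111 then show up alongside 01101 as opcodes outside the table.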


12 May 2004

Apparently Realtek use some externally supplied ICE toolchain to muck about with JTAG, so no BSDL file will be forthcoming. The only other hope is that this port does comply with MIPS's EJTAG specification. Also, if anyone reading this has any ideas on how to work out which instruction bit patterns map to which mandatory JTAG specified instructions, and how to work out how to map boundary scan bits to pin locations, then drop me a line.

11 May 2004

If you do use a different JTAG interface to the Xilinx type, make sure it's 3.3V compatible. I have seen other JTAG interfaces people have done on the internet which are not 3.3V tolerant. As the parallel port is 5V, hooking it directly to the RTL8181's pins or through a 5V logic device will result in possible permanent damage to the chip. Xilinx's JTAG design uses a 74HC family part which operates from 2V to 6V and, with judicious use of resistors, ensures no overvoltage and overcurrent damage can occur to sub 5V devices. This interface will work down to 2.5V or maybe less if you ever intend to use it on other parts.

6 May 2004

Looking at MIPS's EJTAG specs it looks like the RTL8181 doesn't implement the EJTAG instructions at all. This is a shame. The interface is a bog standard IEEE1149.1 boundary scan interface. The manufacturer's ID of the chip looks like it's (surprise surprise) 5280 and the part number is 6.
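
An added example (not from the original page) that splits the 32-bit Device Id printed by `detect` into the IEEE 1149.1 IDCODE fields: version in bits 31..28, the 16-bit part number in bits 27..12, the 11-bit manufacturer code in bits 11..1, and a fixed 1 in bit 0. It assumes the tool prints the register most significant bit first.

```python
def decode_idcode(bits):
    """Decode a 32-bit IDCODE given as a bit string, MSB first (assumed)."""
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 32 characters of 0/1")
    value = int(bits, 2)
    if not value & 1:
        # IEEE 1149.1 fixes bit 0 of IDCODE at 1; a 0 here means the part
        # answered with its 1-bit BYPASS register instead.
        raise ValueError("bit 0 is 0: not an IDCODE")
    manufacturer = (value >> 1) & 0x7FF
    if manufacturer == 0x07F:
        raise ValueError("manufacturer code 0x07F is reserved by IEEE 1149.1")
    return {
        "raw": value,
        "version": value >> 28,
        "part_number": (value >> 12) & 0xFFFF,
        "manufacturer": manufacturer,
        # The 11-bit code is a JEDEC bank (upper 4 bits, counted from 1)
        # followed by the 7-bit ID within that bank.
        "jedec_bank": (manufacturer >> 7) + 1,
        "jedec_id": manufacturer & 0x7F,
    }

if __name__ == "__main__":
    # Device Id exactly as printed in the detect output on this page.
    fields = decode_idcode("00010101001010000000000000001101")
    for name, val in fields.items():
        print(f"{name:13} 0x{val:X}")
```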


5 May 2004

I've started to have some success with the JTAG interface and the RTL8181. I have used a Minitar AP board that someone had given me after accidentally overwriting the bootblock with the wrong flash command.

After searching with a multimeter I could not find where the JTAG pins broke out to on the PCB - I would have expected a bunch of pads or holes for an unused header to provide easy access to the signals. Not so. It would seem that this board was never intended to be used with JTAG, so perhaps when the OEM manufactures this board the FLASH chips are preloaded with the software. This would be a faster and cheaper way than using slow old JTAG to program the boards.

You can see in the picture below that I had to solder fine green wire onto a single inline header. The JTAG pod I am using is a borrowed Xilinx Parallel Download Cable III. If you don't have access to one then the schematic is provided freely for it here. All the parts should be available at a good electronics store (such as Jaycar). I'll have to give the pod back and make one up myself. The program I am using is Openwince JTAG running on Redhat FC1. You can use this utility in Windows if you compile it with CYGWIN.

Pin 205 when pulled to ground sets the processor into JTAG mode. On the Minitar board this can be achieved by shorting out R28 on the underside.

The following RTL8181 pins are used by this JTAG unit:

6 - TDO
9 - TMS
11 - TDI
64 - CLK

On J1, VCC is connected to pin 2 and GND to pin 8. You can see this clearly in the photo. When you run jtag, make sure you have privileges to the parallel port and make sure the parallel port is running in EPP mode (usually the default case, but can be set in your BIOS). Following is the output from jtag.

JTAG Tools 0.5.1
Copyright (C) 2002, 2003 ETC s.r.o.
JTAG Tools is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for JTAG Tools.

Warning: JTAG Tools may damage your hardware! Type "quit" to exit!

Type "help" for help.

jtag> cable parallel 0x3bc DLC5
Initializing Xilinx DLC5 JTAG Parallel Cable III on parallel port at 0x3bc
jtag> detect
IR length: 5
Chain length: 1
Device Id: 00010101001010000000000000001101
Unknown manufacturer!
chain.c(110) Part 0 without active instruction
chain.c(133) Part 0 without active instruction
chain.c(110) Part 0 without active instruction
jtag> discovery
Detecting IR length ... 5
Detecting DR length for IR 11111 ... 1
Detecting DR length for IR 00000 ... -1
Detecting DR length for IR 00001 ... 32
Detecting DR length for IR 00010 ... -1
Detecting DR length for IR 00011 ... -1
Detecting DR length for IR 00100 ... 1
Detecting DR length for IR 00101 ... 1
Detecting DR length for IR 00110 ... 1
Detecting DR length for IR 00111 ... 1
Detecting DR length for IR 01000 ... -1
Detecting DR length for IR 01001 ... -1
Detecting DR length for IR 01010 ... -1
Detecting DR length for IR 01011 ... -1
Detecting DR length for IR 01100 ... -1
Detecting DR length for IR 01101 ... -1
Detecting DR length for IR 01110 ... -1
Detecting DR length for IR 01111 ... -1
Detecting DR length for IR 10000 ... -1
Detecting DR length for IR 10001 ... -1
Detecting DR length for IR 10010 ... -1
Detecting DR length for IR 10011 ... -1
Detecting DR length for IR 10100 ... -1
Detecting DR length for IR 10101 ... -1
Detecting DR length for IR 10110 ... -1
Detecting DR length for IR 10111 ... -1
Detecting DR length for IR 11000 ... -1
Detecting DR length for IR 11001 ... -1
Detecting DR length for IR 11010 ... -1
Detecting DR length for IR 11011 ... -1
Detecting DR length for IR 11100 ... -1
Detecting DR length for IR 11101 ... -1
Detecting DR length for IR 11110 ... -1
jtag>

While the jtag is doing its thing, the WLAN LED should light up as this pin doubles as the CLK signal.

That's all for tonight. In the next week or so I hope to dig a little further with this tool to see what I can discover. No doubt some code will have to be written to support the RTL8181 properly, but the best thing would be the BSDL file from Realtek, which would be an enormous help and allow things like FLASH reprogramming and possibly debugging with gdb.


Updated: 16 May 2004
Copyright 2004 Jason Hecker