How to download PBL from Convers+

[Go4IT]

Lately i needed to gather the primary bootloader (PBL) from an Convers+. This is no part of any downloadable firmware, it is programmed in factory and (think) never been updated or changed. But to get behind some "secrects" of the firmware it's needed.
I managed to download it via JTAG using my Segger J-Link interface. You can do it with "J-Link Commander" like this (i put a comment after each command, which you don't enter of course, just to make clear what it does):

Code: Select all

connect // then choose MAC7116 as device, auto IR-Len detection, 1000 khz JTAG-clock

halt // stop CPU

be // set to Big Endian mode (IMPORTANT!)

save c:\temp\pbl.bin 0, 5000 // load memory location 0x0000 0000 - 0x0000 4FFF and store it into a binary file at c:\temp

So simple, eh?
You could also use "J-Link Flash" or "J-Link Memory" tool for this task.

Hope this help somebody, sometime...

[paxtonix]

Im waiting for my Jtag as well- then the magic will start

[DGAlexandru]

I think JTAG-ing this devices it's too much for some users... either because they are not interested in doing it or because connecting something wrong might lead to a dead chip (MAC7116).

Did you tried to disassemble the BootLoader that is sent over CAN?
It is loaded in RAM then I think the PC_Register is set to one of its functions, without rebooting the CPU.
Having a pseudo-code for it will allow us to understand easier the main functions of MAC7116, like EEPROM, Internal Flash and External Flash access and also CAN communication, without any other functions interference. Also we could find the CAN message it needs in order to be able to also access Internal Flash address range 0x0000 0000 - 0x0000 4FFF.

I'm still struggling to find the initialization values for the CPU in JTAG-mode in order to access also External Flash. Segger J-Link software doesn't have defined this type of External Flash, but it has similar ones and you can also define one yourself, which I did, but I can't access all the banks and even like this the dump has mixed bytes from different banks.

[tomy75]

viewtopic.php?f=16&t=79#p717

[Go4IT]

@DGAlexandru, the one downloaded for update, the SBL - Secondary Bootloader is something completely different than the PBL. It is just a software which takes control over the system instead of the firmware. It would be also interesting to know how it works, but i will start a different thread for discussing this topic
Maybe, someday we are able to build own software instead of SBL to do "funny" things.

What's so important of the PBL is that it contains library functions used by the firmware and vice versa.
Also, like the SBL it is relatively small (compared to the huge firmware of the Convers+ system, which also contains an RTOS) and so a chance to fully understand what it does.

[paxtonix]

Maybe, someday we are able to build own software instead of SBL to do "funny" things.

I like your approach.

[Stevebe]

connect // then choose MAC7116 as device, auto IR-Len detection, 1000 khz JTAG-clock

halt // stop CPU

be // set to Big Endian mode (IMPORTANT!)

save c:\temp\pbl.bin 0, 5000 // load memory location 0x0000 0000 - 0x0000 4FFF and store it into a binary file at c:\temp
[/code]
So simple, eh?
You could also use "J-Link Flash" or "J-Link Memory" tool for this task.

Hope this help somebody, sometime...

Are you setting moda and mod b is it mod b hi
Have you got a flash project file or is only in commander.

[Go4IT]

mod a or mod b ? No clue what that is.
I just use "be" command to get Big Endian byteorientation.
And yes, i've done it all in J-Link Commander and there it's no so easy having a setup file. Think it can be done with a JLinkScript file, but didn't do this right now...

[Stevebe]

mod a or mod b ? No clue what that is.

Processor MODE pin 70 and 71

3991BE98-38A1-4C7C-9BB0-64358A784D40.jpeg

[Go4IT]

Ah, now i know what you mean I already measured those pins out a while ago and therefore know that it is "Normal Single Chip Mode": viewtopic.php?f=25&t=30#p188