02:04 <jybz> Hi PaulFertser, thank you. I manage to connect the flash with flashrom and the jlink, read/dump the flash. But I never was able to erase. Worst, somehow, the "Chip status register: Block Protect 4 (BP4)" wasn't set and sets it by itself. I don't find flashrom argument to controle the registers. Here where I am. Good night (what remains ^^)

03:02 <Matt144> PaulFertser: When you say DSP are you referring to the SHARC to the ALTERA (or both?)

03:02 <Matt144> or the*

07:23 <PaulFertser> jybz: probably you just need to change /WP pin state. How did you connect it?

07:23 <PaulFertser> Matt144: to the SHARC. I think ALTERA is just an FPGA, it doesn't have a DSP hard or softcore does it?

07:26 <jybz> I connected /WP to +vcc

07:27 <jybz> PaulFertser: any idea how I can reset the PB4 bit ?

07:28 <jybz> I didn't saw any options in flashrom for it (except refused patch in the mailing list if I'm correct)

07:28 <jybz> I read the flash datasheet, and it seems only to be a software bit, not a fuse. The fuse are reset '0'.

07:30 <PaulFertser> jybz: yes, +Vcc is appropriate. If you're able to fully read the flash it means you're pretty close to having it working. Have you tried -E option?

07:31 <jybz> PaulFertser: no, I didn't. <icon> on #flashrom didn't recommand to do anything on the flash, he takes it with a lot of care

07:33 <PaulFertser> jybz: I guess people there are more experienced than me in using flashrom. Make sure you have the whole dump first. You can inspect (and exctract it) with binwalk.

07:33 <PaulFertser> jybz: because you would want to save individual calibration data for the device.

07:34 <jybz> I don't know if it remains something in the flash, I did a bad thing... https://forum.openwrt.org/t/over-bricked-archer-ac1200-a5/98481

07:35 <jybz> Oh

07:35 <jybz> Chip status register: Block Protect 4 (BP4) is not set

07:35 <jybz> it came back itself

07:38 <PaulFertser> jybz: most likely the individual calibration data is intact, but you should check it with binwalk on your full flash dump.

07:43 <jybz> Ok, I had a dump, i did it three times, compared with sha256sum, but I not sure if they are well.

08:00 <jybz> Ok, the dump after this tries to erase and to flash, has exactly the same sum

08:09 <jybz> As the PB4 bit is reset, I continue this adventure in #flashroom.

08:09 <jybz> Thank you PaulFertser, I will let know know ;)

08:28 <PaulFertser> jybz: good luck!

20:29 <cyrozap> Matt144: You can read/write the flash connected to some FPGAs from OpenOCD if the FPGA is supported by one of the "proxy" bitstreams. Unfortunately, that only works for Xilinx FPGAs right now, but the idea is to program the FPGA with a bitstream that enables reading/writing the flash through special JTAG instructions.

20:35 <cyrozap> But I really don't think you need to go that far to control the focus motor. Assuming that the ADSP/SHARC is running everything, and that's the chip you're talking to via whatever external interface the camera has, you just need to determine the command you need to send to the ADSP that controls focusing. The easiest way to do that is to just sniff the communications when the camera is being controlled

20:35 <cyrozap> by software/hardware that already knows how to do that, but if you don't have access to that, then the next best thing would be to dump and disassemble the firmware to find where commands are processed, then just try all the commands until you find the one that controls the focus.

20:36 <cyrozap> The important thing is, don't reverse engineer anything you don't have to (unless you want to and you're having fun, of course).

20:38 <cyrozap> But reverse engineering an FPGA bitstream is several orders of magnitude more difficult than disassembling and reverse engineering firmware, so if it were me, I'd start with the low-hanging fruit (the ADSP firmware) first, and just treat the FPGA like some black-box fixed-function hardware.

20:54 <PaulFertser> cyrozap: the problem is that it's unclear how the ADSP firmware can be obtained.

20:56 <cyrozap> Oh, I see.

20:58 <cyrozap> According to the datasheet (https://www.analog.com/media/en/technical-documentation/data-sheets/ADSP-21060_21060L_21062_21062L_21060C_21060LC.pdf): "The internal memory of the ADSP-2106x can be booted at system power-up from an 8-bit EPROM, a host processor, or through one of the link ports. Selection of the boot source is controlled by the BMS (boot memory select), EBOOT (EPROM Boot), and LBOOT

20:58 <cyrozap> (link/host boot) pins. 32-bit and 16-bit host processors can be used for booting. The processor also supports a no-boot mode in which instruction execution is sourced from the external memory."

20:58 <PaulFertser> cyrozap: does it mean there's no internal program memory in this device?

20:59 <cyrozap> This chip doesn't have any internal flash, so I think all Matt144 would need to do to dump the firmware is power up the camera, attach JTAG, then dump the internal SRAM and external memory.

21:01 <PaulFertser> cyrozap: but is there any JTAG software that can handle that target?

21:02 <PaulFertser> cyrozap: so probably this board has two flash chips: one for the FPGA and another for the ADSP?

21:06 <cyrozap> No, my thinking is that first the FPGA loads its bistream from flash, then it either 1) loads the ADSP firmware from the same flash chip into the ADSP's SRAM, or 2) makes the firmware accessible to the ADSP over the ADSP's external memory interface.

21:08 <cyrozap> So the flash is shared between the FPGA and the ADSP, with the FPGA acting as the arbiter of that access. Or the FPGA doesn't grant direst access to the flash at all, and just loads the ADSP's SRAM with the firmware from flash one time at boot.

21:10 <cyrozap> And if Matt144 isn't opposed to using Windows and ADI's proprietary VisualDSP++ software (and the corresponding dongle), they could probably use that to dump the memories. Otherwise, they could use OpenOCD's RPC interface to write their own code to interact with the JTAG hardware based on whatever specs ADI has released regarding that.

21:10 <cyrozap> Or they could just desolder and dump the flash.

21:14 <cyrozap> But then the problem becomes, how do you disassemble the code? It doesn't look like any of the popular interactive disassemblers support the SHARC ISA, so support would need to be added to one of them (Ghidra would probably be easiest, and it would enable decompilation for free).

22:10 <vpelletier> Hello. I am trying to debug a linux kernel issue on a riscv board (hifive-unmatched) and I suspect the addresses I am seeing are the virtual addresses, but used as physical addresses.

22:10 <vpelletier> I am running openocd 0.11.0-rc2 as of debian sid

22:11 <vpelletier> (package 0.11.0~rc2-1)

22:12 <vpelletier> taking a glance at the source code (target/riscv/riscv.c) there seems to be mmu support, but being very new to openocd I may be doing something stupid, like not enabling some option

22:13 <vpelletier> my openocd config is https://gist.github.com/a4lg/df51da397b72299042182ccc19f75371 and gdb config is https://gist.github.com/a4lg/b8ec6497c289217d6d28836345b08db7

22:16 <vpelletier> (...my gdb config is based on..., but the rest is path management and seem irrelevant to this issue)

22:17 <PaulFertser> vpelletier: btw, not sure if it helps or confuses but riscv has an OpenOCD fork that's more advanced than the upstream.

22:18 <PaulFertser> vpelletier: and you can use "mdw phys" instead of plain "mdw", that should tell the target code to bypass MMU.

22:19 <vpelletier> I noticed that, and this is actually why I checked the source code for mmu support... could this support be better in their fork ?

22:19 <PaulFertser> idk

22:21 <vpelletier> mmh... what is mdw ?

22:24 <PaulFertser> vpelletier: memory dump word OpenOCD command

22:24 <PaulFertser> vpelletier: you can run OpenOCD commands via Telnet or with "mon mdw" from GDB.

22:30 <vpelletier> mmh, both with and without phys give the same result... it looks like both are interpreted as physical

22:30 <vpelletier> "(gdb) info reg" tells me "pc 0xffffffff80003da8 0xffffffff80003da8 <riscv_of_processor_hartid+144>", which looks like a virtual address to me

22:32 <PaulFertser> vpelletier: if MMU is enabled info reg is supposed to be showing virtual addresses

22:32 <vpelletier> so I would expect it to find "nothing" (zeroes ? some memory controller error due do unavailable address lines ?) if this interpreted as a physical address

22:33 <vpelletier> ah, yes, this is my understanding: the cpu itself is using the virtual addresses

22:33 <vpelletier> I mean, then gdb (or openocd) seem to be using this as a physical address

22:37 <vpelletier> (gdb) thread apply all bt: https://hastebin.com/biqutokoga.txt the first core is not used by the kernel, so it is in what I undertsand as the machine-mode parking code loop, waiting for something to tell it to jump to some actual code, and it would have its mmu disabled (...and probably no caller)

22:38 <vpelletier> anyway, I'll build riscv's version to see if it changes anything

22:52 <vpelletier> on a very tangential note, should "-rtos" be given when declaring each core, or just once as in the configuration file I use ?

23:04 <vpelletier> ...and it does !

23:05 <vpelletier> building riscv's version lets me see stuff on virtual memory addresses

23:07 <vpelletier> unfortunately lx-symbols is still not happy