Author

Topic: Hacking BitForce SC firmware with only free software (Read 7389 times)

member
Activity: 73
Merit: 10
www.bitex.co.uk - A new begining in cryptotech
Probably A stupid question, but Have I missed something key in this process?  I managed to successfully flash my Jalapeno using the RPI and Luke-Jr's URJTAG build, however now when I try and and do detect after declaring the GPIO Jtag cable i get:

Code:
jtag> cable gpio tdo=9 tdi=10 tck=11 tms=25
Initializing GPIO JTAG Chain
jtag> detect
error: not found: queue is empty

Also since trying to connect the JTAG this time I do not get any hashrate, although my LED's on the Jalapeno indicate its booted.  Any suggestions would be welcome.

Thanks

[UPDATE 05/01/2014]

Figured it out, the connectors on my Jalapeno looked a bit grubby, co cleaned them with some electrical contact cleaner, tired again and worked first time Smiley
erk
hero member
Activity: 826
Merit: 500
I am trying to program the BFL AT32UC3A1256 with either urjtag or avrdude.

The problem I have is my programer is a JTAGICE Mk1 clone. The Mk1 was an RS-232 device so the clones use a FTDI or in this case a CH341 USB-RS-232 converter chip to do their stuff. It's not recognized by Altmel/AVR-studio versions greater than 4.19 unforunately 4.19 doesn't support the AT32UC3A1256 chips, and later version of Atmelstudio don't support JTAGICE Mk1. You can't win!

So far I haven't gotten urjtag to recognize the device either, although linux quite happily sees it on the USB port:

Code:
Bus 002 Device 004: ID 1a86:7523 QinHeng Electronics HL-340 USB-Serial adapter

[190562.309034] usbcore: registered new interface driver ch341
[190562.309102] usbserial: USB Serial support registered for ch341-uart
[190562.309155] ch341 2-1:1.0: ch341-uart converter detected
[190562.322280] usb 2-1: ch341-uart converter now attached to ttyUSB0


And of course avrdude has no entry for programming the AT32UC3A1256


I feel like I am so close to flashing the jally.

Any pointers on how to get urjtag working with this device would be greatly appreciated.


full member
Activity: 176
Merit: 100
Thanks to the info in this guide (and the UrJTAG clone), as well as several hours of Googling and debugging... I've got my Jalapeno being programmed by an Arduino right now.

I used the Arduiggler project as the basis of the programmer. Arduiggler was chosen over my Bus Pirate because of the support for it in UrJTAG - or at least, the potential thereof. My Bus Pirate promised god-honest JTAG support, but with no interface, relying only on OpenOCD which is an impossibly complicated program to try to use - and apparently the Jally's new-generation AVR32 UC3 chip isn't supported. Once I got everything to compile and talk to each other, on Ubuntu in VMware, it worked practically right off the bat. But the word "slow" could not even begin to describe how unusably slow the programming function went. Making some optimizations to both ends of the code helped with about a 2x improvement.

256 pages to program, and it's on page 109 now after nearly an hour and a half. I could probably type bits into the thing faster than it's programming. >.< So, yeah... bought one of those USB JTAG programmer sticks off eBay for $20. Now let's see if I still have a functioning Jally after this thing gets done programming...

BTW, I can't seem to find much info about tweaking the firmware. I gave a good once-over through the config parameters code, but what settings are used in those "omg 8gh/s" binaries? For that matter, what about the settings of the stock Jalapeno firmware?
newbie
Activity: 46
Merit: 0
I just wanted to report another success flashing a Jalapeno.  Before flashing, it was hashing at about 5.3 GH/s, and after flashing it's up to 7.7GH/s.

I used a FT2232 based JTAG adapter that I had laying around (a EKC-LM3S6965 eval board to be exact) together with a modified floppy disk cable to convert from the 20-pin ARM JTAG pinout to the 10-pin AVR32 JTAG pinout.  Luke-Jr's pinout table says to connect AVR32 JTAG pin 8 to ARMJTAG pin 3, but looking at the schematic pin 8 is N/C (SC-MainBoard-1.0-ToRelease.pdf).  To get proper reset functionality via JTAG, you want to connect the signal nSRST, AVR32 pin 6 to ARMJTAG pin 15.

Here's the table that I used:
SignalARM 20-pinAVR32 10-pin
VTref/VCC14
TDI59
TMS75
TCLK/TCK91
TDO133
nSRST156
GND4, 6, 8, 10, 12, 14, 16, 18, 202, 10
Any pins not listed in this table are N/C for the purpose of flashing BitForce hardware.  In theory, any GND pin can be connected to any GND pin, so long as there is at least one GND in your cable. Though you may want to get your multimeter out and verify that all the GND pins are indeed connected internally on your particular JTAG adapter. Pin 2 and 10 are internally connected according to the Jalapeno schematic.

On the software side, I compiled URJTAG from Luke-Jr's git repo using Cygwin on windows.  To get it to compile properly, I had to install a bunch of cygwin packages, download the FTDI drivers, apply a patch from http://www.mail-archive.com/urjtag-development@lists.sourceforge.net/msg01342.html, run autogen.sh again, and run ./configure --with-ftd2xx="/cygdrive/c/CDMv2.08.30WHQLCertified/" --disable-svf --disable-bsdl
Then, to get URJTAG to properly identify and work with my Jalapeno's AT32UC3A1128, I added the following line to /usr/local/share/urjtag/atmel/PARTS
0001111011100011   at32uc3a   AT32UC3A1128

Other notes: I compiled my own firmware for the Jalapeno. Cygwin doesn't have the srecord package in its repositories so I used my Ubuntu machine for that particular command.
sr. member
Activity: 252
Merit: 250
And I had success using the GPIO pins of my Raspberry Pi to reflash my Jalapenos, so you can get away without needing an actual JTAG dongle if you have a RPi lying around not doing much.

Full details at the URL below, and some over on the Experimenting with Jalapeno Firmware thread (or whatever its called) too
http://randomcontent.wolfnexus.net/RandomSite/reflashing-a-butterfly-labs-jalapeno-with-only-a-raspberry-pi/
[URL]https://bitcointalk.org/index.php?topic=236875.0[URL]
legendary
Activity: 2912
Merit: 1060
Forgot deleted
sr. member
Activity: 420
Merit: 250
Looks nice, but for $10 more I'd rather use the device atmel studio expects
This is the free software thread. Atmel Studio is off-topic.

+1

   jtag open h/w and s/w.
legendary
Activity: 2576
Merit: 1186
Looks nice, but for $10 more I'd rather use the device atmel studio expects
This is the free software thread. Atmel Studio is off-topic.
sr. member
Activity: 420
Merit: 250
  Bus Blaster v3 cheaper about 35usd http://www.seeedstudio.com/depot/bus-blaster-v3-p-1415.html
  case about 4usd                              http://www.seeedstudio.com/depot/bus-blaster-v3-acrylic-case-v1-sobv1dp8049-p-1315.html?cPath=178_184



ps: free shipping order more than 50usd
sr. member
Activity: 384
Merit: 250
Spotted this and thought it might be interesting to work with...
https://github.com/synthetos/PiOCD/wiki/Using-a-Raspberry-Pi-as-a-JTAG-Dongle
Anyone want to try it out?

I wrote this to program FPGAs from RasPi, its crude (sorry, not a professional programmer) but works. Unfortunately its not using JTAG, but could be adapted. The altera jrunner code is a useful starting point for JTAG.

Its a bit hacky, so probably not worth following up, but I've written this now so I'll post it anyway (and its a weird coincidence that this thread was right above one on repurposing BFL FPGA rigs for litecoin,).
sr. member
Activity: 252
Merit: 250
Spotted this and thought it might be interesting to work with...
https://github.com/synthetos/PiOCD/wiki/Using-a-Raspberry-Pi-as-a-JTAG-Dongle
Anyone want to try it out?
legendary
Activity: 2576
Merit: 1186
Sounds like it.
Wish I saw that one, would probably have got it instead (to support open hardware).
sr. member
Activity: 420
Merit: 250
legendary
Activity: 2576
Merit: 1186
Thanks Luke, great to know it can be done with DIY tools. Now to decide which JTAG gizmo to build, I wanted something dirt cheap and easy, like a parallel port one, but word is they take forever to flash a larger ROM, would you have any experience that would allow you to comment on how long this might take to go over a parallel port JTAG?
Dunno, most PCs don't even have parports anymore.
And IIRC the voltages they use vary - you don't want to use anything other than 3.3V for this!
hero member
Activity: 518
Merit: 500
Hodl!
Thanks Luke, great to know it can be done with DIY tools. Now to decide which JTAG gizmo to build, I wanted something dirt cheap and easy, like a parallel port one, but word is they take forever to flash a larger ROM, would you have any experience that would allow you to comment on how long this might take to go over a parallel port JTAG?
legendary
Activity: 2576
Merit: 1186
Ok, starting a thread here to deal with hacking on BitForce SC firmware using only free software.
Non-free software is off-topic here. Note that closed-source software is always non-free, even if you don't have to pay for it.

Needless to say, if you damage your mining devices doing this, you're on your own.
Neither I nor BFL are likely to provide compensation or any warranty for hacking firmware.

Overview:
1. Toolchain (success, docs WIP)
2. Building (WIP)
3. Flashing (complete)
4. Debugging (nothing done)


Step 1: Toolchain

This is a pain. I'll document it later.
For now, you can play with my (Gentoo-oriented) notes:
Code:
crossdev -t avr32 -s1  # this will fail! but sets up stuff for us


# BEGIN binutils

mkdir -p /etc/portage/patches/cross-avr32/binutils/
cd /etc/portage/patches/cross-avr32/binutils/
PATCHES="
20-binutils.2.20.1-avr32-autoconf.patch
30-binutils-2.20.1-avr32-bfd.patch
31-binutils-2.20.1-avr32-binutils.patch
32-binutils-2.20.1-avr32-gas.patch
33-binutils-2.20.1-avr32-include.patch
34-binutils-2.20.1-avr32-ld.patch
35-binutils-2.20.1-avr32-opcodes.patch
40-binutils-2.20.1-avr32-fixes.patch
41-binutils-2.20.1-avr32-fpu.patch
42-binutils-2.20.1-avr32-bug-7435.patch
50-binutils-2.20.1-avr32-mxt768e.patch
51-binutils-2.20.1-avr32-uc3c.patch
52-binutils-2.20.1-avr32-uc3l0128.patch
53-binutils-2.20.1-avr32-uc3a4.patch
54-binutils-2.20.1-avr32-uc3d.patch
55-binutils-2.20.1-avr32-uc3l3l4.patch
"
for patch in $PATCHES; do
wget http://distribute.atmel.no/tools/opensource/avr32-gcc/binutils-2.20.1/$patch
done

# Possibly change make.conf to MAKEOPTS=-j1 - not sure if necessary


USE='-* multitarget' emerge =cross-avr32/binutils-2.20.1-r1

# interrupt build (Ctrl-Z) immediately after patches are applied
cd /var/tmp/portage/cross-avr32/binutils-2.20.1-r1/work/binutils-2.20.1
$EDITOR opcodes/Makefile.am  # find avr-dis.c and add under it: avr32-asm.c avr32-dis.c avr32-opc.c
for d in . gold intl libiberty gprof ld binutils etc gas opcodes bfd; do ( cd "$d"; autoreconf; ); done
fg

aclocal -I config
autoconf
automake
autoheader
for d in bfd opcodes binutils gas ld; do
pushd $d
autoconf
automake
autoheader
popd
done
fg

# interrupt build (Ctrl-Z) after bfd has configured
cd /var/tmp/portage/cross-avr32/binutils-2.20.1-r1/work/build/bfd
make headers
fg

# DONE binutils


# BEGIN gcc

mkdir -p /etc/portage/patches/cross-avr32/gcc/
cd /etc/portage/patches/cross-avr32/gcc/
PATCHES="
30-gcc-4.4.3-avr32.patch
31-gcc-4.4.3-avr32-rmw.patch
32-gcc-4.4.3-avr32-sleep-builtin.patch
33-gcc-4.4.3-avr32-ucr3fp.patch
34-gcc-4.4.3-avr32-fpu.patch
35-gcc-4.4.3.avr32-delay-cycles.patch
36-gcc-4.4.3.avr32-list-devices.patch
40-gcc-4.4.3-avr32-fpemul-fixes.patch
41-gcc-4.4.3-avr32-fix-const_int_addr.patch
42-gcc-4.4.3-avr32-fix-reorg_opt_bug11763.patch
43-gcc-4.4.3-avr32-4_4_3-upgrade.patch
44-gcc-4.4.3-avr32-bug-12671.patch
45-gcc-4.4.3-avr32-bug-7435.patch
46-gcc-4.4.3-avr32-bug-9675.patch
50-gcc-4.4.3-avr32-mxt768e.patch
51-gcc-4.4.3-avr32-uc3c.patch
52-gcc-4.4.3-avr32-uc3l0128.patch
53-gcc-4.4.3-avr32-uc3a4.patch
54-gcc-4.4.3-avr32-uc3d.patch
55-gcc-4.4.3-avr32-uc3l3l4u.patch
"
for patch in $PATCHES; do
wget http://distribute.atmel.no/tools/opensource/avr32-gcc/gcc-4.4.3/$patch
done

USE='-*' ACCEPT_KEYWORDS=** emerge =cross-avr32/gcc-4.4.3-r3

# DONE gcc


# BEGIN atmel-headers

layman -a luke-jr
ACCEPT_KEYWORDS=** emerge cross-avr32/atmel-headers

# DONE atmel-headers


# BEGIN newlib

mkdir -p /etc/portage/patches/cross-avr32/newlib/
cd /etc/portage/patches/cross-avr32/newlib/
# skip 10-newlib-1.16.0-avr32-atmel-version.patch
PATCHES="
30-newlib-1.16.0-avr32.patch
31-newlib-1.16.0-flashvault.patch
"
for patch in $PATCHES; do
wget http://distribute.atmel.no/tools/opensource/avr32-gcc/newlib-1.16.0/$patch
done

ln -s /usr/portage/sys-libs/newlib /usr/portage/local/crossdev/cross-avr32/
USE=-* ACCEPT_KEYWORDS=** emerge =cross-avr32/newlib-2.0.0

# interrupt build (Ctrl-Z) immediately after source unpacks
cd /var/tmp/portage/cross-avr32/newlib-2.0.0/work/newlib-2.0.0/
for patch in $PATCHES; do
patch -p0 <"/etc/portage/patches/cross-avr32/newlib/$patch"
done
cd newlib
autoreconf
fg

# interrupt build (Ctrl-Z) immediately after you see:
#    >>> Install newlib-2.0.0 into /var/tmp/portage/cross-avr32/newlib-2.0.0/image/ category cross-avr32
mkdir -p /var/tmp/portage/cross-avr32/newlib-2.0.0/image//usr/avr32/lib

# DONE newlib


ln -s /usr/lib/binutils/avr32/2.20.1/ldscripts/ /usr/avr32/lib/


Step 2: Building

TODO. I haven't done this 100% yet.
My BitForce_SC repository has a "make" branch that compiles to a .elf binary for now.


Step 3: Flashing

I decided to use the "TUMPA" JTAG interface (WARNING: this shop closed almost right after I ordered, until Aug 17).
There are many other options (including some nice open hardware you have to build yourself), but I don't have any experience with them (note that it must work at 3.3V!).
NOTE: I think Atmel's "Dragon" adapter will not work for this!

This board has a 20-pin JTAG connector, and the BFL boards have a 10-pin JTAG connector, each with different pinouts (ie, you can't just match half the 20-pin with the 5-pin!)
You want to connect these pins:
Name20-pin/TUMPA10-pin/BFL
VCC/VREF/VTAR14
nTRST38
TDI59
TMS75
TCK91
TDO133
GND20*10*
You can use any GND pin on both ends, only one needs to be connected.

Next, you'll need to install a special version of UrJTAG.
For some reason, they ignored AVR32 flash patches in 2009.
We need that. We also need a part definition for the AVR32 chip in BFL's devices.
I've put all this together in a git clone of UrJTAG for simplicity.
Build this from source and install it.

If you have an Intel HEX firmware (such as the 1.2.5 release binary - which is, by the way, probably compiled only for one particular model), you can convert it to the format needed for UrJTAG using this command:
Code:
srec_cat BitForce_SC-1.2.5.hex  -intel -offset -0x80000000 -byte-swap 4 -o BitForce_SC-1.2.5.bin -binary
Note that UrJTAG for some reason needs the firmware with all the words flipped backward (hence the -byte-swap 4 option).
This may be a bug in the aforementioned AVR32 flash patches, and if so, I may fix it at some point.

Now plug in the TUMPA (or equivalent) and start UrJTAG.
The first thing you need to do is configure your JTAG cable.
For TUMPA, this is:
Code:
cable ft2232 vid=0x0403 pid=0x8A98
Next, configure it for the AVR32:
Code:
detect
initbus avr32 HSBU

Before you flash, you must halt the CPU:
Code:
instruction HALT
shift ir
dr 1
shift dr
shift dr
If the chip is locked (BFL seems to ship at least some this way), you must unlock it (this erases the firmware on it too):
Code:
instruction CHIP_ERASE
shift ir
Now, flash the binary:
Code:
flashmem 0 BitForce_SC-1.2.5.bin
Once this completes, you can reenable the CPU:
Code:
instruction HALT
shift ir
dr 0
shift dr
shift dr


Step 4: Debugging

OpenOCD doesn't seem to have usable AVR32 support yet.
I probably won't give this any attention myself, but feel free to contribute.


See also:
Jump to: