[SOLVED] Qualcomm Atheros IPQ8065 - Error: CPU-TAP not found in JTAG chain


  • [SOLVED] Qualcomm Atheros IPQ8065 - Error: CPU-TAP not found in JTAG chain

    Hi, I have a Netgear R7800 router, with an erased bootloader.
    I want to get access to its memory, and upload a new firmware (or at least bootloader) to it.

    Router's hardware:
    CPU: Qualcomm Atheros IPQ8065, 1.7GHz, 2 cores
    Flash: 128 MiB (Micron MT29F1G08ABBEAH4:E)
    Architecture: ARMv7 Processor rev 0 (v7l), arm_cortex-a15_neon-vfpv4

    The problem is - IPQ8065 is not supported by default, all I got is: ****** Error: CPU-TAP not found in JTAG chain

    The Netgear firmware for this router is fully open source. You can get it from:
    downloads.netgear.com/files/GP….2.62_gpl_src.tar.bz2.zip
    This processor is listed as "ipq806x" in U-Boot.

    So I was thinking maybe somebody can take the processor parameters from there and add the support of it to JLink?

    I tried to add it to "JLinkDevices.xml" file, but with no luck.
    I'm new with JTAG and SEGGER, help please.

    The J-Link Commander log:

    Connecting to J-Link via USB...O.K.
    Firmware: J-Link V10 compiled Mar 7 2019 15:19:19
    Hardware version: V10.10
    S/N:
    License(s): FlashBP, GDB
    OEM: SEGGER-EDU
    VTref=1.817V
    Type "connect" to establish a target connection, '?' for help
    J-Link>connect
    Please specify device / core. <Default>: ARM7
    Type '?' for selection dialog
    Device>?
    Please specify target interface:
    J) JTAG (Default)
    TIF>j
    Device position in JTAG chain (IRPre,DRPre) <Default>: -1,-1 => Auto-detect
    JTAGConf>
    Specify target interface speed [kHz]. <Default>: 4000 kHz
    Speed>100
    Device "ARM7" selected.
    Connecting to target via JTAG
    TotalIRLen = 15, IRPrint = 0x0011
    JTAG chain detection found 2 devices:
    #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
    #1 Id: 0x200110E1, IRLen: 11, Unknown device
    TotalIRLen = 15, IRPrint = 0x0011
    JTAG chain detection found 2 devices:
    #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
    #1 Id: 0x200110E1, IRLen: 11, Unknown device
    ****** Error: CPU-TAP not found in JTAG chain
    TotalIRLen = 15, IRPrint = 0x0011
    JTAG chain detection found 2 devices:
    #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
    #1 Id: 0x200110E1, IRLen: 11, Unknown device
    TotalIRLen = 15, IRPrint = 0x0011
    JTAG chain detection found 2 devices:
    #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
    #1 Id: 0x200110E1, IRLen: 11, Unknown device
    ****** Error: CPU-TAP not found in JTAG chain
    Cannot connect to target.
    J-Link>


  • Hello,

    Thank you for your inquiry.
    The IPQ8065 is currently not supported by J-Link which is why you don't see it in the device selection.
    FYI the core is a Cortex-A15, not ARM7 (ARMv7 and ARM7 have different meanings). So with a bit of luck connection might work when selecting a generic A15 core type.
    But no promises as this is a "Krait" core from Qualcomm which is a custom core which only has some architectural similarities to Cortex-A15.
    Due to the lack of public documentation from Qualcomm it is hard to tell if they are really compatible to each other or not.

    Kovur wrote:

    So I was thinking maybe somebody can take the processor parameters from there and add the support of it to JLink?
    Unfortunately the demand for such custom cores that don't follow Arm standards is extremely low so currently there are no plans to add support for this specific target device.
    However as said before, with a bit of luck the core is similar enough to a generic Cortex-A15 so connection might work out of the box.
    For Flash support our open Flash loader interface could be used:
    wiki.segger.com/Open_Flashloader

    Please understand that we can't offer any support in this endeavour as this custom core type is officially not supported by us.

    Best regards,
    Nino
    Please read the forum rules before posting.

    Keep in mind, this is *not* a support forum.
    Our engineers will try to answer your questions between their projects if possible but this can be delayed by longer periods of time.
    Should you be entitled to support you can contact us via our support system: segger.com/ticket/

    Or you can contact us via e-mail.
  • First of all - thanks for your answer.

    It's not working with Cortex-A15 either. The log is under spoiler:

    Type "connect" to establish a target connection, '?' for help
    J-Link>connect
    Please specify device / core. <Default>: CORTEX-A15
    Type '?' for selection dialog
    Device>?
    Please specify target interface:
    J) JTAG (Default)
    S) SWD
    T) cJTAG
    TIF>
    Device position in JTAG chain (IRPre,DRPre) <Default>: -1,-1 => Auto-detect
    JTAGConf>
    Specify target interface speed [kHz]. <Default>: 4000 kHz
    Speed>2000
    Device "CORTEX-A15" selected.

    Connecting to target via JTAG
    TotalIRLen = 15, IRPrint = 0x0011
    JTAG chain detection found 2 devices:
    #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
    #1 Id: 0x200110E1, IRLen: 11, Unknown device

    **************************
    WARNING: Could not power-up system power domain.
    **************************
    Scanning AP map to find all available APs
    AP[3]: Stopped AP scan as end of AP map has been reached
    AP[0]: AHB-AP (IDR: 0x44770001)
    AP[1]: APB-AP (IDR: 0x24770002)
    AP[2]: JTAG-AP (IDR: 0x14760010)
    Iterating through AP map to find AHB-AP to use
    AP[0]: Skipped. Not an APB-AP
    AP[1]: APB-AP found
    ROMTbl[0][0]: CompAddr: 80001000 CID: B105900D, PID:04-003BB907 ETB
    ROMTbl[0][1]: CompAddr: 80002000 CID: B105900D, PID:04-003BB906 CTI
    ROMTbl[0][2]: CompAddr: 80003000 CID: B105900D, PID:04-004BB912 TPIU
    ROMTbl[0][3]: CompAddr: 80004000 CID: B105900D, PID:04-001BB908 CSTF
    ROMTbl[0][4]: CompAddr: 80005000 CID: B105900D, PID:04-002BB913 ITM
    ROMTbl[0][5]: CompAddr: 80006000 CID: B105900D, PID:04-000BB962 STM
    ROMTbl[0][6]: CompAddr: 80007000 CID: B105900D, PID:00-00080000 MTBDWT
    ROMTbl[0][7]: CompAddr: 80008000 CID: B105900D, PID:00-00080000 MTBDWT
    ROMTbl[0][8]: CompAddr: 80009000 CID: B105900D, PID:00-00080000 MTBDWT
    ROMTbl[0][9]: CompAddr: 80010000 CID: B105900D, PID:00-200F004D ???
    ROMTbl[0][10]: CompAddr: 80011000 CID: B105900D, PID:00-200F004D ???
    ROMTbl[0][11]: CompAddr: 80012000 CID: B105900D, PID:00-200F004D ???
    ROMTbl[0][12]: CompAddr: 80013000 CID: B105900D, PID:00-200F004D ???
    ROMTbl[0][13]: CompAddr: 80014000 CID: 37373333, PID:37373333-37373333 ???
    TotalIRLen = 15, IRPrint = 0x0011
    JTAG chain detection found 2 devices:
    #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
    #1 Id: 0x200110E1, IRLen: 11, Unknown device


    ****** Error: Cortex-A/R-JTAG (connect): Could not determine address of core debug registers. Incorrect CoreSight ROM table in device?
    TotalIRLen = 15, IRPrint = 0x0011
    JTAG chain detection found 2 devices:
    #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
    #1 Id: 0x200110E1, IRLen: 11, Unknown device
    TotalIRLen = 15, IRPrint = 0x0011
    JTAG chain detection found 2 devices:
    #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
    #1 Id: 0x200110E1, IRLen: 11, Unknown device
    Cannot connect to target.


    So, I have two options left:
    1) direct programming of flash with J-Flash SPI program.
    2) use open flashloader

    The second choice is more complicated, so I'm trying the first option first.

    The flash memory chip is: Micron MT29F1G08ABBEAH4
    The full datasheet: e2e.ti.com/cfs-file/__key/comm…005.MT29F1G08ABBEAH4E.pdf

    The J-Flash SPI doesn't know this chip, so I am trying to add it in the Project Settings.

    I've attached a screenshot and configuration file.


    With the current project settings:
    - it seems I can successfully read it;
    - I can't write to it;
    - I'm getting the wrong flash ID (FF FF FF), although the command is correct (90h).

    Something is wrong with parameters, but I can't figure it out, due to the lack of experience.
    Help, please.

    Is it possible to do with J-Flash SPI tool or the Flash loader is the only way?


    PS: maybe it will help. There are memory addresses used in that router.
    github.com/xieyaxiongfly/Ather…ts/qcom-ipq8065-r7800.dts

  • Hello,

    Regarding the failing A15 connection sequence. It actually looks better than expected. Most components are detected so general communication to the core is working.
    But what is missing is the core debug register which could not be autodetected.
    This can be added manually by the user via a JLinkScript and defining the missing ROM table entries manually.
    Ideally this is described in the public target device user manual.

    Regarding J-Flash SPI, this tool is intended to work with NOR Flashes mostly.
    The Flash you are using is a NAND Flash. The problem with NAND Flashes is that they require lots and lots of use case specific special handlings which the J-Flash SPI software was not created for.
    But you could use our J-Link SDK to create your own version of J-Flash SPI which can handle the specific handlings needed for the NAND you are using.
    More information about the SDK can be found here:
    segger.com/products/debug-prob…nk/technology/j-link-sdk/

    All our J-Link software tools have been created by using the SDK.
    Alternatively you could try to use the open Flash loader interface. But in this case you need a working debug connection to the target device first.

    Best regards,
    Nino
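The identifiers in the connection logs above can be decoded to see what the probe actually found. The following is an added example, not code from the thread or from SEGGER: it splits the JTAG IDCODEs and the ROM table CID/PID values into their standard IEEE 1149.1 and CoreSight fields, using sample lines copied from the posted log; all function names are assumptions made for illustration.

```python
import re

# Constructed sample: lines copied from the J-Link Commander output quoted in the thread.
SAMPLE_LOG = """\
#0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
#1 Id: 0x200110E1, IRLen: 11, Unknown device
ROMTbl[0][0]: CompAddr: 80001000 CID: B105900D, PID:04-003BB907 ETB
ROMTbl[0][9]: CompAddr: 80010000 CID: B105900D, PID:00-200F004D ???
ROMTbl[0][13]: CompAddr: 80014000 CID: 37373333, PID:37373333-37373333 ???
"""
TAP_RE = re.compile(r"#(\d+) Id: 0x([0-9A-Fa-f]{8}), IRLen: (\d+)")
ROM_RE = re.compile(r"ROMTbl\[\d+\]\[(\d+)\]: CompAddr: ([0-9A-Fa-f]+) "
                    r"CID: ([0-9A-Fa-f]{8}), PID:([0-9A-Fa-f]+)-([0-9A-Fa-f]{8})")
ARM = (4, 0x3B)  # Arm's JEP106 code as (continuation count, identity)

def decode_idcode(idcode):
    """Split an IEEE 1149.1 IDCODE into version, part and designer fields."""
    return {"version": idcode >> 28,
            "part": (idcode >> 12) & 0xFFFF,
            "jep106": ((idcode >> 8) & 0xF, (idcode >> 1) & 0x7F),
            "valid": bool(idcode & 1)}  # bit 0 of an IDCODE is always 1

def decode_rom_entry(cid, pid_hi, pid_lo):
    """Decode CoreSight CIDR/PIDR values in the log's 'PIDR4-PIDR3..0' form."""
    return {"cid_ok": (cid & 0xFFFF0FFF) == 0xB105000D,  # fixed preamble bits
            "class": (cid >> 12) & 0xF,                 # 0x9 = CoreSight component
            "part": pid_lo & 0xFFF,
            "jep106": (pid_hi & 0xF, (pid_lo >> 12) & 0x7F),
            "revision": (pid_lo >> 20) & 0xF}

def parse_log(text):
    """Return (taps, rom_entries) decoded from J-Link Commander output."""
    taps, rom = [], []
    for line in text.splitlines():
        if m := TAP_RE.search(line):
            taps.append({"pos": int(m[1]), "irlen": int(m[3]),
                         **decode_idcode(int(m[2], 16))})
        elif m := ROM_RE.search(line):
            rom.append({"index": int(m[1]), "addr": int(m[2], 16),
                        **decode_rom_entry(*(int(m[i], 16) for i in (3, 4, 5)))})
    return taps, rom

def vendor_specific(taps, rom):
    """Valid ROM entries whose designer matches a non-Arm TAP in the chain."""
    other = {t["jep106"] for t in taps if t["jep106"] != ARM}
    return [e["index"] for e in rom if e["cid_ok"] and e["jep106"] in other]

if __name__ == "__main__":
    taps, rom = parse_log(SAMPLE_LOG)
    print("vendor-specific entries:", vendor_specific(taps, rom))
    print("invalid CID entries:", [e["index"] for e in rom if not e["cid_ok"]])
```

On the sample, the "???" entry at index 9 carries the same JEP106 designer code as the unidentified TAP #1, and entry 13 fails the CID preamble check, so it was not read as a valid component.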