Qualcomm Atheros IPQ8065 - Error: CPU-TAP not found in JTAG chain

    This site uses cookies. By continuing to browse this site, you are agreeing to our Cookie Policy.

    • Qualcomm Atheros IPQ8065 - Error: CPU-TAP not found in JTAG chain

      Hi, I have a Netgear R7800 router, with erased bootloader.
      I want to get access to its memory, and upload a new firmware (or at least bootloader) to it.

      Router's hardware:
      CPU: Qualcomm Atheros IPQ8065, 1.7GHz, 2 cores
      Flash: 128 MiB (Micron MT29F1G08ABBEAH4:E)
      Architecture: ARMv7 Processor rev 0 (v7l), arm_cortex-a15_neon-vfpv4

      The problem is - IPQ8065 is not supported by default, all I got is: ****** Error: CPU-TAP not found in JTAG chain

      The Netgear firmware for this router is fully open sorce. You can get it from:
      downloads.netgear.com/files/GP….2.62_gpl_src.tar.bz2.zip
      This processor is listed as "ipq806x" in U-Boot.

      So I was thinking maybe somebody can take the processor parameters from there and add the support of it to JLink?

      I tried to add it to "JLinkDevices.xml" file, but with no luck.
      I'm new with JTAG and SEGGER, help please.

      The J-Link Commander log:

      Source Code

      1. Connecting to J-Link via USB...O.K.
      2. Firmware: J-Link V10 compiled Mar 7 2019 15:19:19
      3. Hardware version: V10.10
      4. S/N:
      5. License(s): FlashBP, GDB
      6. OEM: SEGGER-EDU
      7. VTref=1.817V
      8. Type "connect" to establish a target connection, '?' for help
      9. J-Link>connect
      10. Please specify device / core. <Default>: ARM7
      11. Type '?' for selection dialog
      12. Device>?
      13. Please specify target interface:
      14. J) JTAG (Default)
      15. TIF>j
      16. Device position in JTAG chain (IRPre,DRPre) <Default>: -1,-1 => Auto-detect
      17. JTAGConf>
      18. Specify target interface speed [kHz]. <Default>: 4000 kHz
      19. Speed>100
      20. Device "ARM7" selected.
      21. Connecting to target via JTAG
      22. TotalIRLen = 15, IRPrint = 0x0011
      23. JTAG chain detection found 2 devices:
      24. #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
      25. #1 Id: 0x200110E1, IRLen: 11, Unknown device
      26. TotalIRLen = 15, IRPrint = 0x0011
      27. JTAG chain detection found 2 devices:
      28. #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
      29. #1 Id: 0x200110E1, IRLen: 11, Unknown device
      30. ****** Error: CPU-TAP not found in JTAG chain
      31. TotalIRLen = 15, IRPrint = 0x0011
      32. JTAG chain detection found 2 devices:
      33. #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
      34. #1 Id: 0x200110E1, IRLen: 11, Unknown device
      35. TotalIRLen = 15, IRPrint = 0x0011
      36. JTAG chain detection found 2 devices:
      37. #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
      38. #1 Id: 0x200110E1, IRLen: 11, Unknown device
      39. ****** Error: CPU-TAP not found in JTAG chain
      40. Cannot connect to target.
      41. J-Link>
      Display All

      The post was edited 1 time, last by Kovur ().

    • Hello,

      Thank you for your inquiry.
      The IPQ8065 is currently not supported by J-Link which is why you don't see it in the device selection.
      FYI the core is a Cortex-A15, not ARM7 (ARMv7 and ARM7 have different meanings). So with a bit of luck connection might work when selecting a generic A15 core type.
      But no promises as this is a "Krait" core from Qualcomm which is a custom core which only has some architectural similarities to Cortex-A15.
      Due to the lack of public documentation from Qualcomm it is hard to tell if they are really compatible to each other or not.

      Kovur wrote:

      So I was thinking maybe somebody can take the processor parameters from there and add the support of it to JLink?
      Unfortunately the demand for such custom cores that don't follow Arm standards is extremely low so currently there are no plans to to add support for this specific target device.
      However as said before, with a bit of luck the core is similar enough to a generic Cortex-A15 so connection might work out of the box.
      For Flash support our open Flash loader interface could be used:
      wiki.segger.com/Open_Flashloader

      Please understand that we can't offer any support in this endevour as this custom core type is officially not supported by us.

      Best regards,
      Nino
      Please read the forum rules before posting: Forum Rules

      Keep in mind, this is not a support forum. Its main purpose is user to user interaction.
      Our engineers will try to answer your questions between their projects if possible but this can be delayed by longer periods of time.
      Should you be entitled to support contact us per e-mail.
      Alternatively our support system can be used as well: segger.com/ticket/
    • First of all - thanks for your answer.

      It's not working with Cortex-A15 either. The log is under spoiler:
      Display Spoiler

      Type "connect" to establish a target connection, '?' for help
      J-Link>connect
      Please specify device / core. <Default>: CORTEX-A15
      Type '?' for selection dialog
      Device>?
      Please specify target interface:
      J) JTAG (Default)
      S) SWD
      T) cJTAG
      TIF>
      Device position in JTAG chain (IRPre,DRPre) <Default>: -1,-1 => Auto-detect
      JTAGConf>
      Specify target interface speed [kHz]. <Default>: 4000 kHz
      Speed>2000
      Device "CORTEX-A15" selected.

      Connecting to target via JTAG
      TotalIRLen = 15, IRPrint = 0x0011
      JTAG chain detection found 2 devices:
      #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
      #1 Id: 0x200110E1, IRLen: 11, Unknown device

      **************************
      WARNING: Could not power-up system power domain.
      **************************
      Scanning AP map to find all available APs
      AP[3]: Stopped AP scan as end of AP map has been reached
      AP[0]: AHB-AP (IDR: 0x44770001)
      AP[1]: APB-AP (IDR: 0x24770002)
      AP[2]: JTAG-AP (IDR: 0x14760010)
      Iterating through AP map to find AHB-AP to use
      AP[0]: Skipped. Not an APB-AP
      AP[1]: APB-AP found
      ROMTbl[0][0]: CompAddr: 80001000 CID: B105900D, PID:04-003BB907 ETB
      ROMTbl[0][1]: CompAddr: 80002000 CID: B105900D, PID:04-003BB906 CTI
      ROMTbl[0][2]: CompAddr: 80003000 CID: B105900D, PID:04-004BB912 TPIU
      ROMTbl[0][3]: CompAddr: 80004000 CID: B105900D, PID:04-001BB908 CSTF
      ROMTbl[0][4]: CompAddr: 80005000 CID: B105900D, PID:04-002BB913 ITM
      ROMTbl[0][5]: CompAddr: 80006000 CID: B105900D, PID:04-000BB962 STM
      ROMTbl[0][6]: CompAddr: 80007000 CID: B105900D, PID:00-00080000 MTBDWT
      ROMTbl[0][7]: CompAddr: 80008000 CID: B105900D, PID:00-00080000 MTBDWT
      ROMTbl[0][8]: CompAddr: 80009000 CID: B105900D, PID:00-00080000 MTBDWT
      ROMTbl[0][9]: CompAddr: 80010000 CID: B105900D, PID:00-200F004D ???
      ROMTbl[0][10]: CompAddr: 80011000 CID: B105900D, PID:00-200F004D ???
      ROMTbl[0][11]: CompAddr: 80012000 CID: B105900D, PID:00-200F004D ???
      ROMTbl[0][12]: CompAddr: 80013000 CID: B105900D, PID:00-200F004D ???
      ROMTbl[0][13]: CompAddr: 80014000 CID: 37373333, PID:37373333-37373333 ???
      TotalIRLen = 15, IRPrint = 0x0011
      JTAG chain detection found 2 devices:
      #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
      #1 Id: 0x200110E1, IRLen: 11, Unknown device


      ****** Error: Cortex-A/R-JTAG (connect): Could not determine address of core deb
      ug registers. Incorrect CoreSight ROM table in device?
      TotalIRLen = 15, IRPrint = 0x0011
      JTAG chain detection found 2 devices:
      #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
      #1 Id: 0x200110E1, IRLen: 11, Unknown device
      TotalIRLen = 15, IRPrint = 0x0011
      JTAG chain detection found 2 devices:
      #0 Id: 0x4BA00477, IRLen: 04, CoreSight JTAG-DP
      #1 Id: 0x200110E1, IRLen: 11, Unknown device
      Cannot connect to target.


      So, I have two options left:
      1) direct programming of flash with J-Flash SPI program.
      2) use open flashloader

      The second choice is more complicated, so I'm trying the first option first.

      The flash memory chip is: Micron MT29F1G08ABBEAH4
      The full datasheet: e2e.ti.com/cfs-file/__key/comm…005.MT29F1G08ABBEAH4E.pdf

      The J-Flash SPI doesn't know this chip, so I trying to add it in the Project Settings.

      I've attached a screenshot and configuration file.


      With the current project settings:
      - it seems I can successfully read it;
      - I can't write to it;
      - I'm getting the wrong flash ID (FF FF FF), although the command is correct (90h).

      Something is wrong with parameters, but I can't figure it out, due to the lack of experience.
      Help, please.

      Is it possible to do with J-Flash SPI tool or the Flash loader is the only way?


      PS: maybe it will help. There are memory adresses used in that router.
      github.com/xieyaxiongfly/Ather…ts/qcom-ipq8065-r7800.dts
      Images
      • MT29F1G08ABBEAH4.png

        335.4 kB, 1,609×1,008, viewed 15 times
      Files

      The post was edited 1 time, last by Kovur ().

    • Hello,

      Regarding the failing A15 connection sequence. It actually looks better than expected. Most components are detected so general communication to the core is working.
      But what is missing is the core debug register which could not be autodetected.
      This can be added manually by the user via a JLinkScript and defining the missing ROM table entries manually.
      Ideally this is described in the public target device user manual.

      Regarding J-Flash SPI, this tool is intended to work with NOR Flashes mostly.
      The Flash you are using is a NAND Flash. The problem with NAND Flashes is that they require lots and lots of use case specific special handlings which the J-Flash SPI software was not created for.
      But you could use our J-Link SDK to create your own version of J-Flash SPI which can handle the specific handlings needed for the NAND you are using.
      More information about the SDK can be found here:
      segger.com/products/debug-prob…nk/technology/j-link-sdk/

      All our J-Link software tools have been created by using the SDK.
      Alternatively you could try to use the open Flash loader interface. But in this case you need a working debug connection to the target device first.

      Best regards,
      Nino
      Please read the forum rules before posting: Forum Rules

      Keep in mind, this is not a support forum. Its main purpose is user to user interaction.
      Our engineers will try to answer your questions between their projects if possible but this can be delayed by longer periods of time.
      Should you be entitled to support contact us per e-mail.
      Alternatively our support system can be used as well: segger.com/ticket/