pcmhacking.net

Yeah well its not just the flash in its address space. There are bunch of chips and registers. For what your doing you might no need to figure out the memory mapping, but it will help understand the whole system.

When your reading via BDM your seeing the databus as the processor sees it. Im not sure the exact details here - but I think its something like there is a memory controller of some kind that is mapping different chips in to the processors 32 bit address space. I do know that if you read the address FF xx xx xx and 00 xx xx xx you'll get exactly the same data. This is why i say only 24 bits are connected even though its a 32 bit cpu. You could read 00 00 00 to FF FF FF and see whats there. It might take a while to scroll through in a hex viewer, but its an option.

Is there a schematic of the '0411 at all? I can compare it to mine and see where they differ.

Not that I am aware of. What I know is based on poking at it and seeing what happens.

so I noticed some interesting behavior when repeatedly trying to get the ID of my flash. Sometimes it would come back as FFFF, FFFF. Othertimes, 0000,0000. I feel that there is a setup issue with the BDM..going to post to the USBJTAG forum to get some feedback.

Yeah thats definitely not right. It would be 0089 for the manufacturer (intel), and 889D for bottom fill 28F800. Its possible the flash isnt connected directly to the CPU, thus the CPU isnt able to put it in to command mode or the A9 pin cant be set to VIn so without going in to command mode your just reading data from the void which is 0x00000000 (which doesnt even look to be mapped to the flash chip). In the '0411 there is a chip between the flash and the processor so when writing the chip in software you need to understand how to address the chip in the middle via the registers is has mapped rather than knowing the flash pins are a 1:1 mapping back to the cpu.

Do you have a bin from some other car which you know is right? That'd help you identify where the flash is mapped from your dump.

From the datasheet:

3.2.2 READ IDENTIFIER
To read the manufacturer and device codes, the device must be in intelligent identifier read mode, which can be reached using two methods: by writing the intelligent identifier command (90H) or by taking the A9 Pin to VID. Once in intelligent identifier read mode, A0=0 outputs he manufacturer’s identification code and A0=1 outputs the device code. In byte-wide mode, only the lower byte of the above signatures is read (DQ 15 /A –1 is a “don’t care” in this mode). See Table 5 for product signatures. To return to read array mode, write a Read Array Command (FFH)

Here is the whole data sheet, though I imagine you already have it.

The eeprom is connected directly to the CPU, I confirmed this earlier. However, address 0 on the CPU is not connected to the EEPROM, so this is probably screwing with things quite a bit. I need to get approved on the USBJTAG forum in order to post...waiting on that...

brute force it, read the whole range 00000000 to 00FFFFFF and zip up and post the bin

it might become clear where its mapped.

Here it is...I don't have a good diff util on this computer but I'll do a diff in the morning, to see if the lower parts are the same. I had to zip it as it was too large in the native format to be posted.

Ivan

iblackford wrote:The eeprom is connected directly to the CPU, I confirmed this earlier. However, address 0 on the CPU is not connected to the EEPROM, so this is probably screwing with things quite a bit. I need to get approved on the USBJTAG forum in order to post...waiting on that...

MCU A0 would only be used for byte addressing, so as the Flash is no doubt configured in x16 mode, this isn't used here.

Joe.

Ah, that makes sense about A0.

I tried to bring the .bin into my version of IDA pro (5.0, something I found from the net).

I remember just a few weeks ago having a more full version, but something must have happened to it...now I just seem to have the freeware version that can't disassemble the 683xx. Does anyone have, or know of a good source of a disassembler?