JTAG in the SC2105, which means by stupidity I have more work to do

I have been struggling with a certain device for some time and currently my problem is to take control of the processor. In theory, you could say that jtag will take care of the problem. The problem, however, is that the device I am trying to bring back to life is extremely unpopular. Not only is there no service documentation for the device itself, but finding anything more about the processor than a flyer borders on the miraculous. The processor is an LSI Logic SC2105. So far I know it’s an SoC and has a MIPS core in it, so when I get to the jtag, I know how to set the registers to make it controllable. On the motherboard I have a lot of different pins, after testing I think I found the ones responsible for JTAG. And now the fun begins.

I use three tools to work with that interface:

• OpenOCD
• urJTAG
• ftjref

USBJTAG to Bof30 converter (based on FT2232, working as oocdlink).

How I found the JTAG connector:

The hardware I’m analyzing is a Harmonic PVR 6000, which is actually a Scopus IRD-2900 series with an SC2105 processor. This processor is an enhanced version of the SC2005 with AC3 and something else. This widened the possibilities of finding information a bit.

I found on the web a service diagram of a device based on SC2005 with a description of the pins of the jtag. The problem that this chassis is a BGA, multilayer board. Luckily there were several vias and one of them is a potential TCLK signal. The ground is obvious, the power supply too. What remains is TDI, TDO, TMS, TRST. With help came the Internet. On one forum I found a discussion about connecting a jtag to an SC2000 processor. There are technical notes circulating on the net about the changes between processor generations, and as far as the pins were concerned, the changes were cosmetic and did not apply to the jtag. The “service connector” was IDC16 and the pin layout was almost identical. The difference was only in the additional power supply. That is, I had something to hook up to.

I prepared the cables, connected everything and now I was looking for IDCODE.

Of course, no program detected anything, until I turned on the programs in that special order:

• urJtag -> connect to USB-JTAG(oocdlink) interface only -> quit
• ftjref -> profit, it downloads IDCODE !

Important note, urJtag when trying to detect IDCODE reports that the TDO signal is stuck at 0. I don’t know, but I tried pulling up TRST to VRef through a 3.3k resistor (maybe too big?) Maybe the jtag state machine reset procedure is wrong. However, so far that’s all I’ve determined.

Anyone, ever had a bit more to do with jtag and can give me some hints? I would like to fix this device. I broke it in a stupid way. I analyzed the flash dump and found a way to enter the service menu. I prepared a small soft patch for myself, only instead of updating the part they call Application, I tried to upload the part they call Product, which is kind of like the whole operating system. Unfortunately, the first stage of programming was a flash cleanup and the whole thing went to /dev/null before I realized my mistake.

The other option that comes into play is to solder out the flash and program outside the device, but that’s a last resort. Luckily the flash is very typical and full documentation is available.