Hello, as far as I can tell from the instructions here, STi 55xx support is present, which would mean the whole STi55 series.
===============================================================================
jKeys Version 1.3.2 by Dave2
jKeys is a program primarily used to access memory on IRDs. It works by utilizing processor diagnostic devices via the JTAG port. This software has been used on STMicroelectronics STiXXXX (ST20 based core) and LSI SC2000 processors.
Basic
-----
- works on Windows 95/98/Me/NT/2K (XP anyone?)
- auto detects STMicroelectronics ST20 based processors and LSI SC2000
(ST micros STi5500, STi5505, STi5508, STi5510, ST20-TP2, ST20-TP4, ST20-GP6) (LSI micro SC2000).
- automatically pulls IRD number and boxkeys on start up
- scans for boxkeys
- reads memory and saves to file
- optionally indicate speed performance
- optionally log JTAG communications to file
- parallel port diagnostics
Advanced
--------
- DCU Peek/Poke (STiXXXX)
- Passive Trap (STiXXXX)
- EJTAG DMA Read/Write (SC2000)
- Flash Tools (STiXXXX only)
- auto detects flash memory (shows base, size, mfg/dev codes, manufacturer and part number)
(29F400BT, 29F160BT, 28F800, 28F160, 28F320)
- user specified base address for manually detecting flash memory
- erase flash
- write data from file to flash
- check and adjust EMI configuration registers
- trap read/write byte, word, dword
- DCU Peek/Poke
- trap idcode, memstart, reboot
- passive trap interrogation
===============================================================================
Release History
---------------
Version 1.3.3 (Build 106) (December 31, 2001)
Added support for ST M29F400T (Expanded instruction addresses to 4 octets)
Version 1.3.2 (Build 105) (December 21, 2001)
Added STi5505, Corrected ST20-TP4 and STi5508 detection
Added AM29DL323 flash support
Version 1.3.1 (Build 104) (October 21, 2001)
Allowed Flash Detect/DCU Peek/Poke on Flash Tools page even if flash not detected
Version 1.3.1 (October 14, 2001)
Added 28Fxxx flash support (RCA Model drd420re DTV)
Automatically pulls IRD and Box Keys on start up
Added passive trap for STiXXXX processors
Added user definable flash base address and flash detect button in flash tools
Added performance indicator option to indicate erase/detect/programming times
Added Get Flash ID in Flash Tools
Added user definable base address in flash tools
Flash Tools now additionally displays flash size, manufacturer and part number
Added DCU Peek/Poke to Flash Tool
Added EMI config register display/modify dialog accessible from Flash Tools
Version 1.2.2(a/b)
Automatically detects STiXXXX and SC2000 processors.
Added SC2000 EJTAG and DMA Read/Write.
Version 1.2.1
Added 29x160 flash detection (2M flash) for programming.
Version 1.2.0
Added Flash Tools for flash programming using IRD side code for fast writes (to 29040 flash currently).
Version 1.1.0
Slight enhancements, dialog allowed DCU Poke/Peek, JTAG comm logging
Version 1.0.0 (August 2001)
First version - read memory only, STi55xx processor, port diagnostics
===============================================================================
Using jKeys
To use jKeys, you need to connect a parallel port JTAG connector to the JTAG interface on your IRD. The exact connections to the IRD depend on the make, model, and processor used. Once the connection is made you simply run jKeys and the box keys should be pulled automatically. jKeys assumes that the IRD number and box keys for STiXXXX based IRDs reside at memory locations 0x7FFFFFC0 and 0x7FFFFFC4 respectively. The IRD number and box keys on SC2000 based IRDs are assumed to be at 0x1FC0FFF0 and 0x1FC0FFF4 respectively. These addresses are the IRD memory addresses, not offsets in a binary image taken from the flash chip. If the IRD being used does not follow this, then you can specify the IRD number, a starting address, and length in bytes to search memory. This search assumes that the box keys will immediately follow the 4 byte IRD number.
jKeys can also write to several flash devices. From the main dialog, pressing the Flash Tools button will start you into your journey.
jKeys can also be used to interrogate/modify memory locations in IRDs which may be useful for finding exploits. This is possible under both STiXXXX and SC2000 processors.
===============================================================================
Brief Functional Description of jKeys
jKeys starts up and automatically attempts to initiate JTAG communications on the specified parallel port. Upon successfully doing so, it displays the JTAG Info and then proceeds to read the IRD number and box keys. If any failure occurs, it will be noted in a pop up message.
jKeys Main Dialog
-----------------
The main dialog has a pull down menu and 3 display sections.
JTAG Info
Device ID - is the JTAG device ID read from the processor.
Device - if identified, will show the name of the processor.
Box Keys - the box keys
LPT Port
By default, selects LPT1 (0x378 on most machines). User selectable as 0x378, 0x278, and 0x3BC. As jKeys uses the parallel port, you must specify this prior to successful JTAG access. This value is saved between jKeys sessions so if the default is incorrect, select the correct port and it will be preserved for future sessions.
IRD Info
Start Address - user enterable hexadecimal number to indicate IRD memory start address
Bytes - user enterable hexadecimal number indicating the number of bytes to process
IRD # - user enterable IRD number as seen on the back of the IRD or on the Info screen
Find Keys Button - uses the Start Address and Bytes values to scan memory on the IRD for the boxkeys. The IRD # must be entered to allow jKeys to identify where the box keys are. The find relies on the fact that the boxkeys immediately follow the IRD number.
Save Mem Button - uses the Start Address and Bytes to read memory from the IRD and saves to a file in binary format.
Flash Tools Button - Initiates special actions on the IRD to allow flash id, erase, and programming functions. Entering flash tools will prompt you with the required actions. NOTE - on the 2700 IRD that I develop with, I don't need to apply ground to BootSource0, you simply remove and reapply the power to the IRD and press OK within a few seconds and I'm successfully in captive trap.
File | Exit Menu Item - hmmm, I wonder?
Tools | Get Device ID - re-retrieves the JTAG device Id, IRD number, and box keys.
Tools | Save Memory - same as Save Mem button.
Tools | Find Keys - same as Find Keys button.
Tools | Flash Tools - same as Flash Tools button.
Tools | Port Diagnostics - opens the Port Diagnostics dialog.
Tools | DCU Poke/Peek - opens the DCU Poke/Peek dialog (STi processors only)
Tools | EJTAG DMA Read/Write - opens the EJTAG DMA Read/Write (LSI SC2000 processor only)
Tools | Passive Trap/DCU - opens the Passive Trap/DCU Dialog
Flash Tools Dialog
------------------
The Flash Tools dialog provides flash id, erase, and programming. Once selected, a pop up appears prior to the flash dialog opening indicating how to enable Flash Tools. Special code is transferred to the IRD and operated in a 'captive trap'. Essentially, the IRD stops executing the native code and _only_ performs the requested functions. This is necessary to perform flash operations. The following message will be shown:
"Flash tools utilize the DCU trap handler in the STi55xx processors. For the purpose used here, it is required that the processor be reset in boot from link mode. To do this, ensure BootSource0 is tied to ground when reset. Follow these steps: 1. Remove power from the IRD, 2. Connect JTAG connector as normal, 3. Hold Pad 1 Low (take wire from Pad 1 to ground), 4. Apply Power. Once this is done, press Ok, OR you can flee by pressing Cancel."
When the Flash Tools dialog appears, the IRD side code will be transferred and the IRD will be forced into executing 'captive trap'. At this point, both Bank1 and Bank3 EMI configuration registers are modified to allow #CE and #BE on write actions (read config value and OR with 0x640). NOTE: if this configuration does not work on your IRD (well, let me know for one) you can modify it by pressing Check EMI Config to pull up/modify the current configurations. At this point, it attempts to identify the flash at offset 0x7FF80000 (NOTE flashes mapped at locations 0x7FE00000 will also be identified using a base address of 0x7FF80000 because only lower address lines are used, read flash documentation for more). It uses algorithms (I refer to as JEDEC, but that's not really correct) identical to 29F400. Upon failing that, it attempts to identify using a Flash File algorithm (my name again) which is identical to that used for 28F160. Upon successfully identifying the flash, it displays the base address (modified as 0x80000000 - size, based on top of memory), the flash size, the Mfg/Device codes read, the Manufacturer name (if known) and the Part number.
If the flash detect algorithm can't identify the flash, a pop up will return with the manufacturer and device code read using both the JEDEC and Flash File requests. Note these as I'm open to adding more flash devices in the future.
The Flash Tools dialog is laid out with the top portion being flash info and actions, and the bottom being some diagnostic actions.
Flash Info
Base Address - detected base address of the flash. User enterable for different flashes.
Size - detected size of the flash.
Mfg/Device Codes - manufacturer and device code read from flash.
Manufacturer - manufacturer name.
Part - part number.
Get Flash ID Button - re-retrieves the flash mfg/id codes. It uses the currently entered Base Address so a user can select a different memory address if one knows where a flash resides.
Erase Flash Button - if the flash is identified, this button erases the _whole_ flash.
Write Flash - if the flash is identified, this button allows binary data from a file to be programmed into the flash. This assumes the data from the file is to be programmed starting at the base address for the size of the flash, or the size of the file (whichever is less). NOTE: the base address must be the real base address of the flash (or processor mirrored).
Check EMI Config - pulls up the EMI Config Registers Dialog.
Address - user enterable hexadecimal value for various actions.
Data - user enterable/action updated hexadecimal value for/result of various actions.
Read Byte/Word/DWord Buttons - utilizes the 'captive trap' routine to read the data size specified. It uses the value from the Address as the memory reference and updates the Data upon success.
Write Byte/Word/DWord Button - utilizes the 'captive trap' routine to write the data size specified. It uses the values from the Address and Data entries for writing.
Get Memstart Button - uses the 'captive trap' routine to request the memstart value (read ST20 and C2/C4 Instruction docs).
Get Product ID - uses the 'captive trap' routine to request the productid value (read ST20 and C2/C4 Instruction docs). This value is the same as that reported via the JTAG Device ID.
Reboot/Reload - EXPERIMENTAL, this uses the 'captive trap' routine to reboot the processor. It then reloads the 'captive trap' routine and attempts to enter it. This sometimes works, and sometimes doesn't. Like I say, it's experimental!
DCU Peek Button - uses the specified Address to read a 32 bit value from the IRD memory and then displays the value in the Data field. The DCU is an inherent mechanism in the processor which acts independently of the operating code in the IRD.
DCU Poke Button - uses the specified Address to write the 32 bit value from the Data field to the IRD memory. The DCU is an inherent mechanism in the processor which acts independently of the operating code in the IRD.
EMI Config Registers Dialog
---------------------------
Simple dialog that reads the Bank0-3 Data0 Configuration registers (0x2000, 0x2010, 0x2020, and 0x2030). These registers indicate to the processor how to access memory at these chip selects. (The best reference I've seen for this is the ST20-GP6 doc, on page 62). If you figure these need to be modified, change the value and press the corresponding Update button.
Port Diagnostics Dialog
-----------------------
Simple dialog that indicates the current status of the port inputs and allows the state of the outputs to be changed. Using a voltmeter, you can check the levels of the outputs and confirm correct operation.
DCU Poke/Peek Dialog (STi processors only)
------------------------------------------
The DCU Poke/Peek dialog allows 32 bit write/read actions to memory on STi processors.
Address - user enterable hexadecimal value for various actions.
Data - user enterable/action updated hexadecimal value for/result of various actions.
Peek Button - uses the specified Address to read a 32 bit value from the IRD memory and then displays the value in the Data field. The DCU is an inherent mechanism in the processor which acts independently of the operating code in the IRD.
Poke Button - uses the specified Address to write the 32 bit value from the Data field to the IRD memory. The DCU is an inherent mechanism in the processor which acts independently of the operating code in the IRD.
EJTAG DMA Read/Write Dialog (LSI SC2000 processor only)
-------------------------------------------------------
The EJTAG DMA Read/Write dialog allows 32 bit write/read actions to memory on the LSI SC2000 processor.
Address - user enterable hexadecimal value for various actions.
Data - user enterable/action updated hexadecimal value for/result of various actions.
DMA Read Button - uses the specified Address to read a 32 bit value from the IRD memory and then displays the value in the Data field. The EJTAG DMA is an inherent mechanism in the processor which acts independently of the operating code in the IRD.
DMA Write Button - uses the specified Address to write the 32 bit value from the Data field to the IRD memory. The EJTAG DMA is an inherent mechanism in the processor which acts independently of the operating code in the IRD.
Passive Trap/DCU Dialog (STi processors only)
---------------------------------------------
This dialog is completely for experimentation. It transfers a small, custom written IRD side portion of code into the IRD. This software allows for a 'passive trap' to operate in the background while normal operation occurs. It only takes action when a request from this dialog is issued. The request is serviced and normal operation resumes. So what makes this so special when DCU Peek/Poke perform the same operation? Well, Peek/Poke only operate on memory, not internal peripherals. The documentation states that the _only_ internal peripherals accessible to the DCU via Peek/Poke are the EMI and the DCU registers. This means that any other internal peripherals (like general I/O config/control, DVB decryption key registers, etc...) cannot be accessed. I haven't had much time to experiment with this myself, but it is there for everyone to play with.
Upon entry, the presence of the trap is automatically detected. If not loaded, minimal functionality is allowed as DCU Peek/Poke are also accessible. The trap defaults to load at address 0x80000800. The STi family has internal SRAM at 0x80000000 which will always be present. The lower portion is used for configuration, trap vectors, etc. (read the docs). This 'passive trap' handler requires a total of 0x74 bytes. On the 2700 IRD I've been developing with, loading the trap at 0x80000800 has been successful. If you find that it doesn't work, try moving it around, keeping in mind that going lower may result in corruption of necessary memory.
Trap Address - the location to load/is loaded with the 'passive trap' handler.
Load Trap Button - initiates the loading of the 'passive trap' handler to the address specified.
Address - user enterable hexadecimal value for various actions.
Data - user enterable/action updated hexadecimal value for/result of various actions.
Read Byte/Word/DWord Buttons - utilizes the 'captive trap' routine to read the data size specified. It uses the value from the Address as the memory reference and updates the Data upon success.
Write Byte/Word/DWord Button - utilizes the 'captive trap' routine to write the data size specified. It uses the values from the Address and Data entries for writing.
DCU Peek Button - uses the specified Address to read a 32 bit value from the IRD memory and then displays the value in the Data field. The DCU is an inherent mechanism in the processor which acts independently of the operating code in the IRD.
DCU Poke Button - uses the specified Address to write the 32 bit value from the Data field to the IRD memory. The DCU is an inherent mechanism in the processor which acts independently of the operating code in the IRD.
If you exit and re-enter this dialog, it will remember and re-check to see if the 'passive trap' handler has been loaded into memory.
===============================================================================
Contributions and Credits
Of course I can't take all the credit for everything that jKeys does. In creating the program I've had several people make suggestions and provide a great deal of assistance. This includes some program segments, algorithm sequencing, interface communications, and of course beta testing. I can't recall all of the people, but as many as I can are noted below:
DPxxx - blaknite
SC2000 EJTAG Interface - Here are most of the ppl that spent some quality time working on this project (asterisk means A LOT of work) *SatHackr, *Inssomniak, *satFTE, *dishwasher (dug up most of the documentation), *shellot, vankanma, Crispy, DishNightOwl, MageMinds, bula, TRoN, netsurge, manshank, Davez, Meister, Stibby, *tedgreen, *jandv (me), and Dave2.
Original Version - well I can't recall everyone and as I try to I can't read the posts any further.
Anonymous - as well there were a few who sent me hard to find information or would give me some insight, and thanks to those.
I put this file into the database today. I think it is for your Samsung, and the good thing is that it is in English.