Week #7 was a little bit frustrating: no real progress, only more unfinished things which aren't working. Week #8 was a lot better.
1. Sniffing the communication between the two embedded controllers, H8S and PMH4
I've tried to build a protocol analyser with the msp430, but the data output was somehow strange. For testing purposes I used my H8S firmware to produce test data, but the msp430 decoded only wrong data. I'm using IRQs on the clock to do the magic and writing the bits to a buffer before transmitting them via UART. Maybe the msp430 is too slow for that? Possible. Set a GPIO high when the IRQ routine starts and low when it ends, then put the clock signal and the IRQ measure pin on an oscilloscope. The msp430 is far too slow. I'm using memory dereferences in the IRQ routine, which take a lot of time. Maybe the msp430 would be fast enough with an asm routine that buffers the 3-byte transmission in registers. But a logic analyser would definitely work. So I borrowed two logic analysers: an OLS (Openbench Logic Sniffer) and a Saleae Logic16.
There isn't much data on the lines: every 50 ms there is a short transmission of 3 bytes. But I don't want to decode the data by hand, so I need a decoder for the logic analyser. sigrok looks like the best starting point, and both analysers are supported.
I started with the Openbench Logic Sniffer, but unfortunately it doesn't have enough RAM to buffer the input long enough. Maybe the external trigger input could be used, but before doing additional things I would like to test with the Logic16.
The Logic16 doesn't support any triggers, but it can stream all data over USB, even at multiple MHz. Good enough to capture all data. I found out that the best sample rate is 2 MHz; otherwise the LE signal isn't captured, because it's a lot shorter than a clock change. In the end I created a decoder with libsigrokdecode.
sigrok-cli -i boots_and_shutdown_later_because_too_hot.sr --channels 0-3 -P ec_xp:clk=2:data=3:le=1:oe=0 | uniq -c
67 0x01 0x07 0xc8
3 0x01 0x04 0xc8
4 0x01 0x10 0x48
1120 0x01 0x17 0x48
67 0x01 0x07 0xc8
0x01 0x07 0xc8 is sent when only the power plug is connected, like a watchdog (every 500 ms)
0x01 0x17 0x48 is sent when the device is powered on, like a watchdog (every 50 ms)
0x01 0x04 0xc8 appears around the time the power button is pressed
0x01 0x10 0x48 appears around the time the power button is pressed
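To make the frame format and the sample-rate caveat checkable without a sigrok installation, here is a standalone Python model of what the decoder behind the command above has to do. This is an added example, not the libsigrokdecode decoder from the post, and the bit order is an assumption: 24 bits are shifted in on rising CLK edges, MSB first, and the short LE pulse latches them as 3 bytes (OE is captured but not interpreted). The waveform is constructed to resemble the capture, with runs of identical frames and a few different ones in between; the run lengths are made up, the frame values are the ones listed above.

```python
"""Standalone model of the H8S <-> PMH4 bus decoder plus the `uniq -c` view.

Added example; not the libsigrokdecode decoder from the post. Assumed frame
format: 24 bits shifted in on rising CLK edges, MSB first, latched as 3 bytes
by a rising edge on LE. OE is carried in the samples but not interpreted.
"""
from itertools import groupby

# Channel numbers as given to sigrok-cli: -P ec_xp:clk=2:data=3:le=1:oe=0
CHANNELS = {"oe": 0, "le": 1, "clk": 2, "data": 3}
BITS_PER_FRAME = 24


def decode_frames(samples, channels=CHANNELS):
    """samples: sequence of ints; bit n of each int is the level of channel n.
    Returns the 3-byte frames in capture order."""
    clk_m, data_m, le_m = (1 << channels[k] for k in ("clk", "data", "le"))
    frames, shift, nbits, prev = [], 0, 0, None
    for cur in samples:
        if prev is not None:
            if cur & clk_m and not prev & clk_m:            # rising CLK edge
                bit = 1 if cur & data_m else 0
                shift = ((shift << 1) | bit) & 0xFFFFFF
                nbits += 1
            if cur & le_m and not prev & le_m:              # rising LE edge
                if nbits == BITS_PER_FRAME:                 # drop partial frames
                    frames.append(shift.to_bytes(3, "big"))
                shift, nbits = 0, 0
        prev = cur
    return frames


def uniq_c(frames):
    """Collapse runs of identical frames, like piping the decoder into uniq -c."""
    return [(len(list(run)), " ".join(f"0x{b:02x}" for b in frame))
            for frame, run in groupby(frames)]


def frame_waveform(frame, channels=CHANNELS, half_period=4):
    """Constructed waveform for one frame: DATA is set while CLK is low and
    held through the rising edge; the LE pulse is a single sample wide, i.e.
    much shorter than a clock half period, as on the real bus."""
    clk_m, data_m, le_m = (1 << channels[k] for k in ("clk", "data", "le"))
    value = int.from_bytes(frame, "big")
    out = []
    for i in range(BITS_PER_FRAME - 1, -1, -1):             # MSB first
        d = data_m if (value >> i) & 1 else 0
        out += [d] * half_period + [d | clk_m] * half_period
    out += [0, 0, le_m, 0]                                   # latch, then idle
    return out


def downsample(samples, factor, offset=0):
    """What a capture at 1/factor of the sample rate would have recorded."""
    return samples[offset::factor]


# Constructed traffic: frame values from the capture, run lengths made up.
TRAFFIC = ([b"\x01\x07\xc8"] * 5 + [b"\x01\x04\xc8"] * 2 +
           [b"\x01\x10\x48"] * 3 + [b"\x01\x17\x48"] * 6)
SAMPLES = [s for frame in TRAFFIC for s in frame_waveform(frame)]

if __name__ == "__main__":
    for count, frame in uniq_c(decode_frames(SAMPLES)):
        print(f"{count:7d} {frame}")
    # Halving the sample rate: whether the one-sample LE pulse survives depends
    # on the sampling phase, so either every frame is decoded or none is.
    print(len(decode_frames(downsample(SAMPLES, 2, 0))),
          len(decode_frames(downsample(SAMPLES, 2, 1))))
```

The `downsample` check is the reason for the 2 MHz remark: with a latch pulse narrower than the sample period, a slower capture still sees every clock edge (so the decoder appears to run) but either catches or misses LE depending on phase, and the `uniq -c` output silently shrinks to nothing rather than failing loudly.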
2. Flash back the OEM H8S firmware
The OEM H8S firmware is included in the BIOS updates. cabextract and strings are enough to extract it from the update: look for SREC lines, put them into a separate file and flash them back via the UART bootloader and the Renesas flash tool. The display powers up and it's booting again with the OEM BIOS.
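Grepping `strings` output for lines starting with "S" is enough to find the image, but it does not tell you whether every record survived extraction intact, and a single corrupted record flashed through the UART bootloader gives you an EC that does not boot. The script below is an added example (not the tooling used in the post) that keeps only well-formed Motorola S-records with a correct checksum, writes them to a separate file for the flasher, and assembles them into a flat image while cross-checking the S5 record count and the entry record. The `SAMPLE_STRINGS_OUTPUT` is constructed: its records are the well-known SREC example (a tiny PowerPC "Hello world"), surrounded by noise lines as `strings` would emit them, plus one record with a bad checksum; the 0xFF gap fill is an assumption about erased flash.

```python
"""Pull an S-record image out of `strings` output and verify it.

Added example, not the post's tooling. Keeps only well-formed S-records with
a correct checksum, then assembles them into a flat image and cross-checks
the S5 count and the S7/S8/S9 entry record. The sample input is constructed.
"""
import re

# Address width in bytes per record type (S4 and S6 are not used).
ADDR_BYTES = {0: 2, 1: 2, 2: 3, 3: 4, 5: 2, 7: 4, 8: 3, 9: 2}
CANDIDATE_RE = re.compile(r"^S[0-9][0-9A-Fa-f]+$")        # looks like a record
SREC_RE = re.compile(r"^S([0-9])((?:[0-9A-Fa-f]{2})+)$")  # whole bytes only


def parse_srec(line):
    """Return (type, address, data) for a valid S-record, else None.
    Valid means: known type, byte count equal to the payload length, and the
    low byte of the sum of count, address, data and checksum equal to 0xFF."""
    m = SREC_RE.match(line.strip())
    if not m:
        return None
    rtype = int(m.group(1))
    if rtype not in ADDR_BYTES:
        return None
    raw = bytes.fromhex(m.group(2))             # count, address, data, checksum
    count, payload = raw[0], raw[1:]
    n = ADDR_BYTES[rtype]
    if count != len(payload) or len(payload) < n + 1 or (sum(raw) & 0xFF) != 0xFF:
        return None
    return rtype, int.from_bytes(payload[:n], "big"), payload[n:-1]


def extract_srec(text):
    """Split strings-style output into (valid record lines, rejected S-lines).
    Ordinary strings are ignored; lines that look like records but fail
    validation are reported so a truncated or corrupted dump is noticed."""
    kept, rejected = [], []
    for line in (l.strip() for l in text.splitlines()):
        if CANDIDATE_RE.match(line):
            (kept if parse_srec(line) else rejected).append(line)
    return kept, rejected


def build_image(records, fill=0xFF):
    """Lay S1/S2/S3 data into one flat image (gaps filled with erased-flash
    0xFF, an assumption) and cross-check the bookkeeping records."""
    chunks = [(a, d) for t, a, d in records if t in (1, 2, 3)]
    base = min(a for a, _ in chunks)
    end = max(a + len(d) for a, d in chunks)
    image = bytearray([fill]) * (end - base)
    for a, d in chunks:
        image[a - base:a - base + len(d)] = d
    s5 = [a for t, a, _ in records if t == 5]            # S5 carries a count
    entry = [a for t, a, _ in records if t in (7, 8, 9)]
    return {"base": base, "size": len(image), "image": bytes(image),
            "data_records": len(chunks),
            "s5_count_ok": not s5 or s5[0] == len(chunks),
            "entry": entry[0] if entry else None}


def recover_firmware(text):
    kept, rejected = extract_srec(text)
    info = build_image([parse_srec(l) for l in kept])
    info.update(kept=kept, rejected=rejected)
    return info


# Constructed stand-in for `strings` output; the S-records are the standard
# SREC example, S9030000FD is a deliberately corrupted copy of the S9 record.
SAMPLE_STRINGS_OUTPUT = """\
BIOS update utility
SRAM test passed
S00F000068656C6C6F202020202000003C
S11F00007C0802A6900100049421FFF07C6C1B787C8C23783C6000003863000026
S11F001C4BFFFFE5398000007D83637880010014382100107C0803A64E800020E9
S111003848656C6C6F20776F726C642E0A0042
S5030003F9
S9030000FD
S9030000FC
Copyright notice
"""

if __name__ == "__main__":
    info = recover_firmware(SAMPLE_STRINGS_OUTPUT)
    with open("oem.srec", "w") as out:                    # file for the flasher
        out.write("\n".join(info["kept"]) + "\n")
    print(f"{info['data_records']} data records, image 0x{info['base']:04x}+{info['size']}"
          f" bytes, entry {info['entry']:#06x}, S5 ok: {info['s5_count_ok']}")
    print("rejected:", info["rejected"])
```

Run it over the real `strings` output instead of the sample and check two things before flashing: that `rejected` is empty (a truncated line from the update blob shows up there) and that the image base and size match the H8S flash layout you expect, since a record with a valid checksum but a wrong address still flashes happily.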
I could imagine they use an update method similar to the UART bootloader: first transfer a flasher application into RAM, then communicate with the flasher to transfer the new firmware, but over LPC instead of UART.
3. Progress on the bootloader
I've implemented the ADC to enable the speaker amp and the display backlight brightness.
Written down the LPC registers and just enabled the interface in order to get GateA20 working. Still unclear how far this works.
4. How to break into the bootloader?
The idea of the bootloader is to provide a brick-free environment for further development. The bootloader loads the application, which adds full support for everything. It should be possible to stop the loading of the application and flash a new application into the EC flash. When starting development on the X60 or X201 I want to use the I2C line as debug interface: I2C chips have a big footprint and are easy to access. But there must be a way to abort the loading. I will use the function key in combination with the LEDs.
- Remove the battery and the power plug.
- Press the function key.
- Plug the power in.
- Wait until the LEDs blink.
- Release the function key within 5 seconds after the LEDs start blinking to enter the bootloader.
The H8S will then become an I2C slave on a specific address.
What next?
- Add new PMH4 commands to the H8S
- Solder additional pins to MAINOFF, PWRSW_H8, A20 and KBRC
- Use the logic analyser to correlate the communication with these signals
- UART shell
- I2C master & client
- Solder LPC pins to analyse the firmware update process
- Test the T40 board with the new PMH4 commands and check whether all power rails are on
Thank you for your work. Just to be sure that you are aware of this old project: someone reversed the whole firmware for the T60, I believe.
http://ec.gnost.info/ec-18s/ec.html
Happy hacking!