User Manual for

USB JTAG

Aug 2008
(0.26)

-1-
 Preface

Disclaimer
The information in this document is subject to change without notice. The manufacture
makes no representations or warranties with respect to contents hereof and specifically
disclaims any implied warranties of merchantability or fitness for any particular purpose.
The manufacture reserves the right to revise this publication and to make changes from
time to time in the content hereof without obligation of the manufacturer to notify any
person of such revision or changes.
Use USB EJTAG at your own risk. Nothing is implied outside this document.
The manufacture is not responsive for any damage using the USB JTAG software
and hardware.

USB JTAG is not freeware. It is not based on any freeware. It must only be used
on product purchased on www.usbjtag.com or its dealer.
If you are not sure your product is from this
site, please send email to usbbdm@usbjtag.com If you use clone hardware do not use this
software. If you do not agree, do not use it.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND

CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVE R CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) Auther USB BDM

www.usbjtag.com
All rights reserved.

-2-
Terms
In this document, target or target board refers to any device that has MIPS or ST20 core
CPU. Eg.Broadcom, LSI, etc. USB JTAG and USB EJTAG are both used for USB JTAG
device. EJTAG is the JTAG name for MIPS core. DCU is the JTAG name for ST20 core.
Please refer to usbjtag.def.

Only power on JTAG and target AFTER the JTAG and target connected. Connect JTAG
and target with one side power on could burn either JTAG or target.

-3-
______________________________________________
TABLE OF CONTENTS
Disclaimer ....................................................................................................................... 2
Chapter 1 Basic concept .................................................................................................. 5
1.1 What is JTAG ............................................................................................................ 5
1.2 What can be done with USB JTAG .......................................................................... 5
1.3 Some technical data .................................................................................................. 5
Chapter 2 Install USB JTAG............................................................................................. 5
2.1 Setup software........................................................................................................... 5
2.2 Install hardware......................................................................................................... 6
Chapter 3. Using USB JTAG software............................................................................ 9
3.1 Software layout. ........................................................................................................ 9
Check the version of software....................................................................................... 11
Configure the software.................................................................................................. 11
Commands .................................................................................................................... 16
Common commands ................................................................................................. 16
EJTAG commands. ................................................................................................... 20
ST20 commands........................................................................................................ 21
JTAG Usage .................................................................................................................. 22
Program flash ................................................................................................................ 22
Script ............................................................................................................................. 22
Bug report. .................................................................................................................... 23

-4-
Chapter 1 Basic concept
1.1 What is JTAG
Here is the quote from <<MIPS EJTAG Specification>>

EJTAG is a hardware/software subsystem that provides comprehensive debugging and

performance tuning capabilities to MIPS® microprocessors and to system-on-a-chip
components having MIPS processor cores. It exploits the infrastructure provided by the
IEEE 1149.1 JTAG Test Access Port (TAP) standard to provide an external interface,
and extends the MIPS instruction set and privileged resource architectures to provide a
standard software architecture for integrated system debugging.

[New] USB JTAG now support ST20 core from STMicroelectronics.

Arm7, Arm 9 support is on the plan.

USB JTAG software runs on Microsoft Windows system. The tested OS are Windows
XP, Windows 2000, Windows Vista 32 bit, Vista 64 bit. Windows 98 should be
supported but have not tested.

1.2 What can be done with USB JTAG

USB JTAG provides an affordable yet powerful enough to gain most functions that a
professional JTAG tool can provide. It allows you to
1. Get memory from target board.
2. Write memory to target board.
3. Program flash using target CPU and memory.
4. Do simple debugging. Break the target and single step. (MIPS32 only for now)

In the future, it is possible to attach to GNU debugger. More debug functions will be
added in the future.

1.3 Some technical data

USB JTAG software is fully configurab le to fit your needs. You can even build your own
DLL to plug in the software to provide various functions. For detail how to write your
own plug in DLL, contact dctbdm@yahoo.com.
With USB 1.1 interface support, USB EJTAG can:
1. In DMA mode read/write target memory at 200KB/s. USB EJTAG uses DMA
mode to access target memory, it depends on the target and sometime the speed
can be lower than this number. In non-DMA mode, the read/write target at about
300KB/s.
2. Use parallel programming to gain the fastest programming speed. For some board
it can gain the speed of 200KB/s programming speed.

Chapter 2 Install USB JTAG

2.1 Setup software
Unzip all the files to a folder.

-5-
There two drivers you can use to run USB JTAG. If you want to use Windows WinUSB
driver (must use it for Vista 64 bit )
Plug in the USB, when it ask for driver, point to the driver directory (For Vista 64 bit
choose 64 bit, for other versions of Windows, select 32 bit). Check video
http://www.usbjtag.com/pafiledb/index.php?act=category&id=5
If you want to use default ezusb driver from Cypress
Do not plug the USB JTAG the first time you execute the application.
The driver installation happened automatically after the first time you run the usbjtag.exe.

You must get activation.txt from the vender. If you do not have the activation.txt,
please send to activation@usbjtag.com and give your purchase information. This is
to fight with the clone hardware.

2.2 Install hardware

The EJTAG connector on the board matches the standard Broadcom 14 pin EJTAG
connector.

Here are the definitions of EJTAG.

Pin1 – TRST
Pin3 – TDI
Pin5 - TDO
Pin7 – TMS
Pin9 – TCK
Pin11 – RESET
Pin13 – DEBUG (Not used)
Pin 2, 4,6,8,10 Ground. Pin 14 NC.
On back of the USB JTAG module, printed lableis used to indicate pin 1. The
preconnected ribbon cable has a red pin indicate pin 1,too.
If your target does not have the same pinout, you need to make a connector to
match your target.

-6-
Some board might not have JTAG connector and you need to solder a connector for it.
Here is an example for sb5101 cable modem with a JTAG connector soldered on.

Here is another example of solder a convert cable on dvi3000.

-7-
Look at the pin header soldered on DCT6412 Phase III board. (header shown)

1. Power off the target board.

2. Plug the JTAG connector to the JTAG connector on target board (You might need
a connector, if you are not sure post your question to the forum.
http://www.usbjtag.com/vbforum ).
Improper connecting to the target will not work and might kill your target or
USB JTAG.
3. Connect the USB JTAG one of the PC’s USB slot.
4. Power on the target board.

-8-
Chapter 3. Using USB JTAG software
3.1 Software layout.
There are two types of layout, Enable register view when configure. Register view
provides the information of the registers during debug. (Register view only support
EJTAG32 or EJTAG64)

Normal view.
1. Title bar show USB JTAG and the test module used. It also has the email address
of licensed user.
2. Command window accept your command s.
3. Output Window prints the result of the execution of commands.
4. Memory tabs can be configured in usbjtag.def text file.

-9-
 5. Connect status indicate the USB JTAG to PC connect state, during the running of
the software, you can unplug/plug the USB connector to PC. When JTAG not
connected, no command can be send to the target CPU.
6. DEBUG state should be monitored carefully. During memory access, DEBUG
should be off. DEBUG ON is only used for programming flash. (It is very
important to make sure that any watchdog is disabled so flash can be programmed
properly. For known target, initialization could either embedded in the test.dll or
defined in usbjtag.dll. If you are not sure about this, DO NOT PORGRAM the
flash yet).
7. DEBUG State will be TRAP state if the target is selected to be ST20. TRAP ON
is used to tell if we can access target memory and program the flash.
8. Progress bar is used for some lengthy operation like read/write memory or
program flash.
9. Debrick state (added in 0.20). When target

Register view, display MIPS register values when in debug mode.

Note: For some board when power on and you see DEBUG ON, type “r” command. If
PC is 0xBFC00000 then type “g” or press F5 to run the target.

- 10 -
 Check the version of software
Help->about, version of the software printed out. Example

USB JTAG is the main application. Test module is the plug in DLL. If present, a new
pull down menu exists after the “Tools” menu. The plug in DLL must exist in the
same folder as the main USB JTAG application.

Configure the software

Before the software can be used, configuration must be done based on your target.
1. usbjtag.def must exist under the same directory as the usbjtag.exe
2. Definition file example
// ============================================================================
// USB EJTAG definition file
// ============================================================================
// Parts def
MANUFACTURERS:
0x007 TI
0x009 Intel
0x015 Philips Semi. (Signetics)
0x01f Atmel
0x034 Cypress
0x035 DEC
0x049 Xilinx
0x06e Altera
0x0bf Broadcom
0x150 Broadcom # or "Sibyte, Incorporated" ?
0x036 LSI
0xE Motorola

- 11 -
0x20 STi
Broadcom:
0x1250 BCM1250
0x3310 BCM3310
0x5421 BCM5421S
0x3345 BCM3345
0x3348 BCM3348
0x3349 BCM3349
0x3350 BCM3350
0x3352 BCM3352
0x5352 BCM5352
0x7115 BCM7115
0x7038 BCM7038
LSI:
0x4000 SC2000
Motorola:
0x1c55 17500QK
TI:
0x0001 TNETC4401
STi:
0xD4C9 STi5500
0xD405 STi5518
0xd4cb STi5505
0xd502 STi5518
0xd402 STi5508
0xd4cd STi5510
0xD41D STi5516
0xD41F STi5517
0x5193 ST20-TP2
0x5194 ST20-TP3
0x5198 ST20-TP4
0x5196 ST20-GP6

TargetTest:
Test:
Name=DCT2500
DLL=DCTTest.dll
Memory=Ram,0,0x80000000,0x1000000
Memory=NVRAM,0,0x98000000,0x40000
Memory=boot,1,0x90000000,0x20000
Memory=plat,1,0x90020000,0x160000
Memory=app1,1,0x90180000,0x80000
Memory=app2,1,0x90200000,0x20000
Memory=app3,1,0x90220000,0x20000
Memory=app4,1,0x90240000,0x20000
Memory=rsvd,1,0x90260000,0x1a0000
Programram=0x80200000
Protocol=EJTAG
Init=0xfffe072c,0
Init=0xfffe7000,0x1000000e
Init=0xfffe7004,0x02000011
Init=0xfffe7008,0x1c000000
Init=0xfffe700c,0x02000011
Init=0xfffe7018,0x18000005
Init=0xfffe701c,0x02000019
Init=0xfffe7020,0x18000005
Init=0xfffe7024,0x02000015
Endian=Big
IRLength=5

Test:
Name=DCT700
DLL=DCTTest.dll
Memory=Ram,0,0x80000000,0x1000000
Memory=NVRAM,0,0x98000000,0x40000
Memory=boot,1,0x90000000,0x20000
Memory=plat,1,0x90020000,0x160000
Memory=app1,1,0x90180000,0x80000
Memory=app2,1,0x90200000,0x20000
Memory=app3,1,0x90220000,0x20000
Memory=app4,1,0x90240000,0x20000

- 12 -
Memory=rsvd,1,0x90260000,0x1a0000
Programram=0x80100000
Init=0xba000078,0x1000AF49
Init=0xba00007C,0x1C00AF49
Endian=Big
IRLength=5
Protocol=EJTAG
DMA=No
ProbTrap=1

Test:
Name=SB510X
DLL=SB5100.dll
Memory=Ram,0,0x80000000,0x800000
// Boot loader
Memory=Boot,1,0x9fc00000,0x8000
// configuration
Memory=cfg,1,0x9fc08000,0x8000
// first copy of firmware
Memory=Image0,1,0x9fc10000,0xf0000
// second copy of firmware
Memory=Image1,1,0x9fd00000,0xf0000
// log data
Memory=log,1,0x9fdf0000,0x10000
Programram=0x80400000
// watch dog
Init=0xfffe0224,0
// initialize chip set
Init=0xfffe2300,0x1a
Init=0xfffe2304,0
Init=0xfffe2308,0x8040
Init=0xfffe230C,3
Init=0xfffe2310,0x4824
Endian=Big
IRLength=5
Protocol=EJTAG
DMA=Yes
ProbTrap=1

Test:
Name=DVI3000
Memory=Ram,0,0x80000000,0x1000000
Memory=Code,1,0x9FC00000,0x400000,0x20000
Memory=NVRAM,0,0x1F000000,0x40000
Memory=Sys,0,0xFFFE0000,0x8000
Programram=0x80100000
Endian=Little
IRLength=5
//Init=0xfffe072c,0
Protocol=EJTAG
DMA=Yes
ProbTrap=1

Test:
Name=DP301-010
Memory=Ram,0,0x80000000,800000
Memory=U23,1,0x9fc00000,0x200000
Memory=U22,1,0x9fe00000,0x1f0000
Memory=Eeprom,2,0,0x800
Programram=0x80020000
EepomRegAddr=0xBE250000
Endian=Little
IRLength=5
Protocol=EJTAG
DMA=Yes
ProbTrap=0

Test:
Name=SB5120MX
DLL=sb5120.dll
IRLength=5

- 13 -
Endian=Big
Memory=Ram,0,0x94000000,800000
Memory=Boot,1,0x90000000,0x10000
Memory=CmApp0,1,0x90010000,0xf0000
Memory=CmApp1,1,0x90100000,0xf0000
//Memory=DSPower,1,0x901f0000,0x4000
Memory=Cert,1,0x901f0000,0x8000
Memory=NVRAM0,1,0x901f8000,0x2000
Memory=Evlog0,1,0x901fa000,0x2000
Memory=Evlog1,1,0x901fc000,0x4000
//Memory=NVRAM1,1,0x901fe000,0x2000
Programram=0x94040000
Protocol=EJTAG
DMA=No
ProbTrap=1

Test:
Name=SB5120TE
//DLL=sb5120.dll
IRLength=5
Endian=Big
Memory=Ram,0,0x94000000,800000
// boot loader
Memory=Boot,1,0x90000000,0x10000
// first firmware image
Memory=CmApp0,1,0x90010000,0xf0000
// second firmware (backup)
Memory=CmApp1,1,0x90100000,0xf0000
// Unknown
Memory=DSPower,1,0x901f0000,0x4000
// Certificate and Unknown Reserved
Memory=Cert,1,0x901f4000,0x4000
// not allowed Memory=Cert,1,0x901f4000,0x1800
// Unknown
// not allowed Memory=Reserved,1,0x901f5800,0x2800
// first log
Memory=EvLog0,1,0x901f8000,0x2000
// second log (backup)
Memory=EvLog1,1,0x901fa000,0x2000
// first config
Memory=NVRAM0,1,0x901fc000,0x2000
// second config (backup)
Memory=NVRAM1,1,0x901fe000,0x2000
Programram=0x94040000
Protocol=EJTAG
DMA=No
ProbTrap=1

Test:
Name=SGB900
DLL=sgb900.dll
Memory=Ram,0,0x80000000,0x1000000
// Boot loader
Memory=boot,1,0x9fc00000,0x20000
Memory=App,1,0x9fc20000,0x3c0000
Memory=cfg,1,0x9fFe0000,0x20000
Programram=0x80400000
// watch dog
Init=0xfffe0224,0
Endian=Big
IRLength=5
Protocol=EJTAG
DMA=Yes
ProbTrap=1

Test:
Name=SB4X00
Endian=Big
Memory=Ram,0,0x80000000,800000
Memory=Firm,1,0x9fC00000,110000
Memory=Cfg0,1,0x9fD10000,10000

- 14 -
Memory=Firm1,1,0x9fD20000,E0000
Programram=0x80400000
Endian=Big
IRLength=5
Protocol=EJTAG
DMA=Yes
ProbTrap=1
DebugMem=0
// watch dog
Init=0xfffe0224,0

Test:
Name=IRD2700
IRLength=5
Memory=sys,0,0x2000,0x2000
Memory=ram,0,0x80000000,0x800000
Memory=firm,1,0x7ff80000,0x80000
Memory=Eeprom,2,0,0x800
Programram=0x80000200
DCUReg=0x3000
Protocol=DCU
Eepromprot=1
Endian=Little
Init=0x2000,0xB291
Init=0x2010,0xB6D1
Init=0x2020,0xB291
Init=0x2030,0xB6D1

Test:
Name=DP301-013.1
IRLength=5
Memory=sys,0,0x2000,0x2000
Memory=ram,0,0x80000000,0x800000
Memory=firm,1,0x7FC00000,0x400000
Memory=Eeprom,2,0,0x2000
Programram=0x80000200
DCUReg=0x3000
Protocol=DCU
Eepromprot=4
Endian=Little
Init=0x2000,0xB291
Init=0x2010,0xB6D1
Init=0x2020,0xB291
Init=0x2030,0xB6D1

Test:
Name=DCT6412
DLL=DCT6412.dll
Memory=Ram,0,0x80000000,0x1000000
Memory=NVRAM,0,0x9F000000,0x40000
Memory=boot,1,0x9c000000,0x20000
Memory=Plat,1,0x9c020000,0xfA0000
Memory=test,1,0x9cfC0000,0x40000
Programram=0x80200000
//KernelAddr=0x0
Protocol=EJTAG64
ProbTrap=1
Endian=Little
IRLength=5
DMA=No

Test:
Name=WRT54GS
Memory=Ram,0,0x80000000,0x800000
Memory=CFE,1,0x9fc00000,0x40000
Memory=KERNEL,1,0x9fc40000,0x1B0000
Memory=NVRAM,1,0x9fDF0000,0x10000
Programram=0x80200000
Endian=Little
IRLength=8
Protocol=EJTAG

- 15 -
DMA=Yes
ProbTrap=1

First section is JTAG parts definitions. This can be added for newer manufactory and
parts. Start from EJTAG test, each Test: defines a test group data of test.
Name= the name for the test.
Memory, each memory will define a tag in the main window so read/write memory
can be done. The first field is the name of the tab. The second field 0-ram, 1- flash.
Then is the start address and length in hex.
Programram is the ram address used to program flash. You must make sure that
enough ram to hold both program data and about 1K of data table.
Emdian either big or little. If wrong Endian is selected, the data might be swapped.
IRLength is the length of the IR.
Init= you can configure many initialize to initialize, mainly used to disable the watch
dog or chip select when no good flash exist.

Commands
USB EJTAG software is command driven. In command window type “help” will give
you all the command available. Type “help command” can give detail of that
command. Up, Down arrow keys can be used to go through the command history in
the command window.

Common commands
? d Display the address.
Syntax: d address (in hexadecimal)
Example: d 9fc80000
? exit Exit the whole application.
Syntax: exit
? help print command help.
Syntax: help—This will print all the command names.
Syntax: help (cmd) —This will print the usage of the cmd.
Example: help flshdct
? reset Reset the target.
Syntax: reset
Note: Not all the target board has the reset pin connected to JTAG port and even
the JTAG pin is connected to the JTAG port reset command might not reset the
target for some other reasons. If this happened a power off/on will do the same
work as reset.
? detect Detect the target CPU and possible flash types. If there are memory tabs
defined as flash then a flash detect command is also issued.
Syntax: detect
Shortcut: F1
Example: (sb5101)
-detect

- 16 -
 IDCODE 334917F
Broadcom BCM3349
IMPCODE 800904
DMA supported
Found Address= 9fc00000 Intel 28F160C3B
? search Search the memory block. This is ONLY used for an unknown target and
you want to find the memory map. Most important to find where the firmware
starts. For most user this command is not used.
Syntax: search start end step.
Example:
-SEARCH 90000000 a0000000 200000
Address 90000000 data=FFFFFFFF
Address 90200000 data=FFFFFFFF
. . . . . .
Address 9E000000 data=0BF00004
Address 9E200000 data=0BF00004
Address 9E400000 data=0BF00004
Address 9E600000 data=0BF00004
Address 9E800000 data=0BF00004
Address 9EA00000 data=0BF00004
Address 9EC00000 data=0BF00004
Address 9EE00000 data=0BF00004
Address 9F000000 data=0BF00004
Address 9F200000 data=0BF00004
Address 9F400000 data=0BF00004
Address 9F600000 data=0BF00004
Address 9F800000 data=0BF00004
Address 9FA00000 data=0BF00004
Address 9FC00000 data=0BF00004
Address 9FE00000 data=0BF00004
By further analyze the firmware we can then know thet the firmware starts at
9fc00000. For MIPS CPU they also maps as 1fc00000 or Bfc00000.
? flshdct Detect the flash type.
Syntax: flshdct tabname
flshdct address
Example:
-flshdct boot
Found Address= 9fc00000 Intel 28F160C3B
-flshdct 9fc00000
Found Address= 9fc00000 Intel 28F160C3B
? flshset Set a flash type to the tab. This is used when the target is complete dead
and normal rescue method cannot be used.
Syntax: flshdct tabname value1 value2. (Value1 and value2 will be the same
value otherwise flshdct is used. Manufacture ID and chip ID).
Example:
-FLSHSET boot 89 8891
Found Address= 9fc00000 Intel 28F160C3B

- 17 -
 -configshow
Test name: SB5100
Test DLL: SB5100.dll
IRLength: 5
Endian: Big
Boot Flash=Intel 28F160C3B
cfg Flash=Intel 28F160C3B
Image0 Flash=Intel 28F160C3B
Image1 Flash=Intel 28F160C3B
log Flash=Intel 28F160C3B
? initusb Initialize the USB PORT. This will trigger USB PORT to reinitialize the
USB JTAG. It might take several seconds to get back “JTAG connected” state.
Syntax: initusb
? getram Read memory from target to PC. This is length operation and the progress
bar will show roughly where you are. After completion of the memory read, the
memory in the tabs will be updated. You can view and edit the memory in the
memory tabs. Be careful when edit the memory map, since most flash firmware
has complicated checksum to avoid data corruption, simply edit the firmware and
program back might not work.
Syntax: getram tab
getram start length
Example: getram boot
getram 9fc00000 200000
? save Save the PC memory to a file. The default file extension is “.bin”
Syntax: save tabname
save start length
Example: save boot
save 9fc00000 200000
? ldram Load binary file t o PC memory. This is opposite to “save” command.
Syntax: ldram tabname (filename)
ldram address
Example: ldram boot
ldram 9fc00000
? cmpram Compare the PC memory with target memory. This is very useful
especially for programming flash. If you use EJTAG you cannot do cmpram right
after the programming if non-DMA is used. The OK means the memory are
identical between PC and the target. Othe rwise the failed address will be
displayed.
Syntax: cmpram tabname
cmpram address length
Example: cmpram boot
cmpram 9fc00000 200000
? setram Opposite to getram, this set the target memory from PC. This can only be
used for ram not for flash. For flash you can only use “program” or “sprogram”
to alter the target memory.
Syntax: setram tabname

- 18 -
 setram address length
Example: setram 80000000 200
? peek Get one word from target.
Syntax: peek address
Example: peek 80000000
? poke Set one word to target.
Syntax: poke address value
? flshlist List all the flash types that are defined in flash.def
Syntax: flshlist
? about Display about dialog box.
Syntax: about
? cls Clear the screen
Syntax: cls
? e Edit data in PC memory. To update to the target ram or flash you need to use
“setram” or “program” commands.
Syntax: e address data1 data 2 ….
Example: -e 9fc08000 11 22 33 44
? f Fill data in PC memory. To update to the target ram or flash you need to use
“setram” or “program” commands.
Syntax: f tabname value
f start length value
Example: f bootff
f 9fc00000 200000 ff
? s Search patterns in PC memory.
Syntax: s tabname string
s tabname data1 data2 …
s start length string
s start length data1 data2 …
Example:
-s image1 "SB5100"
-s image1 40 08 80
-s 9fd00000 100000 "SB5100"
-s 9fd00000 100000 40 08 80
? configshow Show all the configuration.
Syntax:configshow
Example:
-CONFIGSHOW
Test name: SB5100
Test DLL: SB5100.dll
IRLength: 5
Endian: Big
Boot Flash=Intel 28F160C3B
cfg Flash=Intel 28F160C3B
Image0 Flash=Intel 28F160C3B
Image1 Flash=Intel 28F160C3B
log Flash=Intel 28F160C3B

- 19 -
 ? erase Erase the flash. The erase command used with sprogram. Normal program
command auto erase the flash. This command only used when normal program
command does not work. ST20 target must use erase/sprogram to program the
flash. Please note the erase command does not have feedback while erasing. And
normally erase take quite a long time. A 2M flash’s erase normally will take up to
20-40 seconds. If after long time the program does not return something has gone
wrong and you need to stop the program and start again.
Syntax: erase tabname
erase address length
Example:
-ERASE image0
Erase starts
Erase time 00:00:08 .021
? sprogram Slow program. This is slow program compared to normal program. In
EJTAG this method does not use target ram. In EJTAG when the boot is not setup
and the initialization sequence to access ram is unknown, sprogram normally used
for program a boot block. Make sure the target flash is erased.
Syntax: sprogram tabname
sprogram start length
Example:
-ERASE boot
Erase starts
Erase time 00:00:00 .031
-SPROGRAM boot
Program Starts...
Program time 00:00:08 .084
-CMPRAM boot
Compair data OK

EJTAG commands.
? program Program the flash or eeprom. If you program flash make sure you have
execute “flshdct” or “detect” command. The right flash type must be set to the
memory.
Syntax: program tabname
program address length
Example: program boot
program 9fc00000 200000
program eeprom
-PROGRAM image0
Erase starts...
Erase time 00:00:08 .071
Program speed 138.26 KB/s
Program time 00:00:07 .081
Program pass, if no further programming needed, power
off/on the target

- 20 -
 ? bk Break the target. Normally use this with register view enabled.
Syntax: bk
Shortcut: F6
? r Read registers or set register value to the target
Syntax: r
r register value
Example: r r1 8000200
? t Single step. (Not for EJTAG64)
Syntax: t
Shortcut: F10
? g Execute in full speed.
Syntax:g
Shortcut: F5
? debrick (New in 0.20)
Syntac: debrick 1 (0)
Turn on off the debrick. This is used only when target board does not boot up.
When Drbrick is on after the detect the flash the DEBUG stays on and you can
use erase command to erase the chip. This is used when sometime you can detect
the flash but you cannot erase the flash.
In EJTAG, when power on the CPU fetch at address 0xBFC00000, if the address
0xBFC00000 is empty, the CPU normally enters an known state and it is easy to
detect the flash and program. No debrick mode needed. If the 0xBFC00000 is
programmed incorrectly with wrong boot, the CPU execute the program and thus
crash might happen, and this will cause the JTAG unstable as the CPU might
crash so fast that it cannot accept JTAG command to stop. Another technique
used to debrick is to disable the chip select of flash to let 0xBFC00000 export
0xff to CPU. Use 100ohm resistor to connect 3V to CS sometime do the job. For
detail debrick technique, go to www.usbjtag.com/vbforum to discuss.

ST20 commands.
? blkchk Check if the flash is blanked. If the result is not blanked do not try to use
sprogram.
Syntax: blkchk tabname
blkchk start length
Example:
-blkchk flash
Flash blanked
? pokeh Poke two bytes.
Syntax: pokeh address value
? pokeb Poke one byte.
Syntax:pokeb address value
? peekh Peek two bytes.
Syntax:peekh address
? peekb Peek one byte
Syntax: peekb address

- 21 -
? Flshdcth This happens on IRD6000 dish receiver while there were two flash chip
and one hold the high word of data and another flash hold lower word of data.
flshcdth uses different routine to detect the flash. In the usbjtag.def the
“Protocol=DCU” and “HiLo=1”. If not the flshdcth will not get the right result.
Syntax:flshdcth tabname
? hdramh This is the same reason as for flshdcth. When file saved in high word or
lower word. You can use ldramh command to only load to high word or lower
word of the memory in pc.
Syntax: ldram address
Example:
-ldramh 7fc00000 (lower word file)
-ldramh 7fc00002 (high word file.)

JTAG Usage
? Read memory
Use “getram” command. Eg. “getram u22”
? Write memory
Use “setram” command. Eg. “setram nvram”
Program flash
Since this is very important to understand the process of programming flash. In most
case, you can burn flash in fast mode. But if the flash is accidentally erased and no
initialization is known, then a slow mode is used. I highly encourage you find the
good initialization so in any case a fast programming can be used.
First you need to make sure that watchdog is disabled. For known board with proper
initialization a “detect” command will both detect the CPU and initialize the target. IT
IS VERY IMPORTANT EACH TIME TARGET IS PLUGGED IN, A “DETECT”
needs to be executed. F1 is the short cut key.

EJTAG only.
If it is the first time you program the flash, type the command “bk”, this command
puts the CPU in “DEBUG ON” mode. Please do nothing for at least 30 seconds. If
debug on stays, then the watch dog is disabled and you can program the flash safely.
You only need to do this once for each type of target. If DEBUG goes off, then the
watchdog is not disabled and program the flash is unsafe. Before you do a real
programming, make sure the data is valid. (“bk” is break command and “g” is run to
normal command).

You can then program the flash by typing the command “program tabname or
program start length”. It is highly recommend the first time find a non-used sector to
program and compare to make sure you have can program properly.

Script
USB EJTAG can execute a DOS like script. A text file with extension of usp can be
used. Here is a example of restore sb5100 firmware.
// **************************
// sb5100 restore script

- 22 -
// **************************
detect
ldram 9fc00000 %1
echo Press enter to program, any other character with return exit the script.
pause
program 9fc00000 200000
In this example, %1 is the first parameter passed to the script.
Echo just type to the screen.
Pause wait for return key only. If enter key entered after any character, the script will
exit execution.

Bug report.

Please report bug to usbbdm@usbjtag.com . Since there are so many target out there
and people use them in different way, there must be bugs in the software. (Especially
when you use script). So if you find a bug or want to make an enhancement request,
do not hesitate to write to me. The support forum and chat room can also be used.
www.usbjtag.com/vbforum
www.usbjtag.com/vbforum/chat

- 23 -