Thread: How to Jtag the Intel TE28F160 chipped 7000E+

  1. #1
    splinters24hr (V.I.P)

    How to Jtag the Intel TE28F160 chipped 7000E+

    Jtag how to The Intel TE28F160 (7000) series

    --------------------------------------------------------------------------------

    How to reprogram Mvision FCIS7000 containing the Intel TE28F160 flash memory using Jkeys & Wall software



    With due thanks to: "Geppetto" "Mvision" "Galaxis" and "Salim Montasser" for instructions.

    If, like me, you have a receiver with either a "red light", "err0" or "err 6" showing in your display panel, the flash memory chip inside your receiver is corrupt and needs to be re-written by means of a Jtag and the correct software, all of which is available for download from here. I purchased my jtag for £22.00 from Germany on the internet, check E *ay (it's a piece of hardware that connects to your computer's printer port, with another usb lead supplying the +5v required by the flash to make the necessary operations, together with a ribbon cable that connects via the connector "CN1" inside your receiver).

    OK, so get the hardware, then download the software: you need the Jkeys and Wall software (from the stickies here), and the file also here, “Jtag for all flashes”, as this file is the only one that contains the files for the Intel.

    So open up your receiver and locate "CN1". Connect the 20pin connector, ensuring that the red lead on the ribbon cable (indicates Pin1) is the right way round. Don’t worry too much if you get it wrong, because nothing will work if you do, but when I did it I didn’t cause any damage!! But try to get it right if you can!! The correct way is to look carefully at "CN1" and see which is pin 1; you can usually tell because the pins are marked either with a small arrow or a number. Pin 1 is normally at the end of CN1 closest to the ribbon cable next to it. While you’re here you will need to see which "Flash" your receiver has in it, to enable you to select the correct settings in "Jkeys".

    The flash chip is located approx 1 1/2 inches North West of CN1 and will be one of three types: MX29LV160, Intel TE28F160 or M29W160ET.
    The software we will be using is designed only for these three chips.

    The main processor should be an Omega ST5518.

    OK, so now we need to connect the Jtag interface to the computer printer port and also a spare USB port (some interfaces come with batteries and dispense with the USB lead).

    Having satisfied yourself all the connections are correct, open the Jkeys software. You will see in the top left corner it will detect the main processor in your receiver with a device ID and device type 5518. If it doesn't detect your 5518 then the jtag interface at the end of the ribbon cable is either connected the wrong way round or not connected properly. Be careful, because the pins of CN1 are fragile.

    Under the heading IRD info, check that the IRD model is correct for your receiver make; if it isn’t, change it to the correct one.
    Under the heading "Save memory", the field "region" should show the correct flash chip in your receiver; again, if it doesn’t then change it to the correct one!

    OK, now the next bit threw me at first, so I will try to help here. In the panel of Jkeys, bottom right, there are three buttons: Flash programming, EPROM programming and Development Panel. Click on Development Panel; this will give you an on-screen instruction by jkeys to ground pin one, switch off the Receiver. Whatever you do, DON'T!!! Instead open "Wall", accept the error message saying the id code is incorrect and then click on resetUp until the numbers and letters in the Implementation field remain the same; you may have to click this several times. When they stay the same, leave wall running in the background, go back to the jkeys error message and click accept. You should now be looking at the "development panel".



    The following procedure now changes depending on which flash chip you have in your receiver; these instructions are only for the INTEL TE28F160.


    Ok so far so good…hmmm,

    Development panel

    Only for the Intel TE28F160!!!

    This bit I got wrong the first few times I did it, so follow here very very carefully.
    In “User Function” click on “load to”; this will open up a directory in your computer where you installed the files. Load the file “FCIS7000 TE28f160.bin”, now click in the “Address” and enter the number 80000140; this is the memory address we are going to write the data to. Click “Get Memstart” and if you have done things correctly the number 80000140 will appear in the data line above. Now click “Trigger User” and in the nine “Arguments fields” should appear 00000000 nine times. If and only if you get this result can you proceed by closing the development panel; don’t worry, because the settings are now correct to write to the correct memory locations within the flash.

    Closing the development panel returns you to the main jkeys screen you were at earlier. Check firstly that the IRD model shows the FCIS7000 & the Intel flash TE28F160 on the left hand side, and on the right hand side Chip/sector programming will show “Full” and the Single location programming address should read 7FE0000. If this is not the case you have made an error, as the Chip sector programming will remain greyed out if all is not correct!!

    OK, now we are ready to program the flash. Click on “Erase” to erase the entire contents of the flash memory; we have to do this as we are unable to write to a location that is not empty. Now, I had to Erase this several times before all sectors were clear. If you want, you can check by clicking on “Read”, saving the memory dump and opening it in “ultraedit”; if you have any data in the file, the flash is not empty and you will run into problems during the next step.

    Now click on the arrow to the right of where it says “Full” and instead of selecting “full” select the first of 38 sectors, which is SA0. Click on erase again to ensure the sector is clear and then click on program, select the SA0 bin file and then click program. A message will appear saying “write to sector xxxx/xxxxxx”; say yes and if all is well the first sector of the chip will be written.

    Now at this stage I started to get very excited. Don’t, because I got as far as writing sector 12 when I received an error message stating “unable to write to sector xxx/xxxxxxx address is not empty”!! After starting the whole procedure again from the start I got as far as sector 13, the next time sector 37!!!

    What I think was wrong, and this is only speculation on my part, is I don’t think my jtag hardware power supply could cope with so much use, as the error appeared at different sectors, so I hope you are luckier. Anyway, and this is important, the way I did it was: when I reached a sector that returned an error I erased that sector only, and then tried to re-write. You may have to do this more than once; sometimes this worked, sometimes it didn’t. If it didn’t, then the way to go is to remember the sector you last programmed, close jkeys and wall (yes, close them), open them again, and go through the procedure of resetUp, select the chip and receiver, click on development panel and go through that procedure again until you return to the flash programming screen, but this time do not click on “Full” and do not click on “erase” or you will erase the sectors you have already written.

    Select the sector that returned the error, i.e. if you got as far as programming sector 19 successfully, then when you tried sector 20 it refused with an error, now start to program sector 20 again and you should find it will work! If it refuses, erase that sector and try again; if it won’t program, close jkeys and wall and try again from 20. What I didn’t realise at the time was that if I had successfully got as far as sector 30 and then got an error, I was starting from sector SA0 again. It is not necessary to do this, as the data previously written stays there unless you do a “Full” erase. I discovered this by getting as far as sector 37 when I got an error, so I thought I would just try writing the last sector and it worked!!!

    So to reiterate, as you write sector by sector successfully, that location will retain the data unless you do a full erase.

    So that is the procedure for the Intel flash. The procedure for the other two flash memories is much easier in my opinion, as you do not have to write the flash sector by sector but in one go.


    I hope this guide helps. You do have to have a lot of patience, but if you persevere you will get there in the end. I am happy to assist anyone that has problems, just let me know.


    Regards,

    Dave
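
The blank check and the "redo only the failed sector" approach from the post above, as an added example that is not part of the original thread. NOR flash reads 0xFF when erased and programming can only clear bits, which is why leftover data blocks a write. The uniform 64 KB sector size and all function names are assumptions for illustration; the thread does not give the TE28F160 sector map.

```python
"""Blank-check and resume planning for a NOR flash dump (added example)."""

ERASED = 0xFF            # NOR flash reads 0xFF after a successful erase
SECTOR_SIZE = 64 * 1024  # assumption: uniform sectors; use the chip's real map


def split_sectors(data: bytes, size: int = SECTOR_SIZE):
    """Yield (index, bytes) for each sector-sized slice."""
    for off in range(0, len(data), size):
        yield off // size, data[off:off + size]


def dirty_sectors(dump: bytes, size: int = SECTOR_SIZE) -> list:
    """Indexes of sectors that still hold any byte other than 0xFF."""
    return [i for i, s in split_sectors(dump, size) if s.count(ERASED) != len(s)]


def can_program(current: bytes, image: bytes) -> bool:
    """True if image can be written over current without an erase.

    Programming only turns 1 bits into 0, so each byte must satisfy
    (current & new) == new; anything else needs the sector erased first.
    """
    return len(current) == len(image) and all(
        (c & n) == n for c, n in zip(current, image))


def sectors_to_redo(dump: bytes, image: bytes, size: int = SECTOR_SIZE) -> dict:
    """Compare a read-back dump with the intended image, sector by sector.

    ok: already matches; program: writable as is;
    erase_first: leftover data blocks the write, erase only that sector.
    """
    plan = {"ok": [], "program": [], "erase_first": []}
    pairs = zip(split_sectors(dump, size), split_sectors(image, size))
    for (i, cur), (_, new) in pairs:
        if cur == new:
            plan["ok"].append(i)
        elif can_program(cur, new):
            plan["program"].append(i)
        else:
            plan["erase_first"].append(i)
    return plan


if __name__ == "__main__":
    # Constructed sample with 16-byte "sectors": 0 written, 1 and 3 blank,
    # 2 holding leftover data from a failed write.
    image = b"\xa5" * 16 + b"\x3c" * 16 + b"\xf0" * 16 + b"\x0f" * 16
    dump = image[:16] + b"\xff" * 16 + b"\x0f" * 16 + b"\xff" * 16
    print("not blank:", dirty_sectors(dump, 16))
    print("plan:", sectors_to_redo(dump, image, 16))
```

Run against a "Read" dump and the image you intend to write, the plan lists which sectors already match, so a resumed session only touches the ones that failed.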

  2. #2
    echelon (Security Admin)
    Jtag For Fcis7000

    --------------------------------------------------------------------------------

    I WILL NOT TAKE ANY RESPONSIBILITY FOR ANY DAMAGE DONE.



    From Mvision by Tomodachi.

    Jtag For Fcis7000
    By Salim Montasser.




    ONLY FOR the MODELS WITH FLASH (MACRONIX 29LV160AT) ILLUSION SAT DUAL M4 US


    I have only gathered and adapted the information, as well as translated the instructions for the benefit of those who do not read English very well. It is tested with a commercial Jtag interface, the one with the battery, with a 20-wire flat cable and FC-20P connectors wired 1 to 1 at both ends, like the one in the following picture:



    1. - Connect the Jtag with the receiver switched off. If you have wired it correctly, the red wire (wire no. 1) must go to terminal 1 (it has a small triangle silk-screened on the board) of connector CN1 of the receiver. On the following page I put two photos for you with the details:
    Detail Flash and CN1

    Detail aligned connection


    2. - Switch on the receiver with everything connected: Jtag to LPT1 and output to the CN1 of the receiver, with the jumper of the Jtag activated (it enables the power).

    3. - Run the provided Jkeys, click on preferences and select the port and memory address used (by default 0x378). If everything is connected correctly, Jkeys will recognize the processor model; it is only necessary to select the receiver in the "IRD Model" drop-down, and "Region" will select the type of flash automatically:



    4. - Click on "Development Panel" and next open Wall; a warning will appear, click accept and then "Reset uP". (Ignore the warning that appears again by clicking "Accept".)



    5. - Now we can click "Accept" in the message box that Jkeys showed when we clicked "Development Panel". The following screen will appear:



    6. - Now it is necessary to follow the following sequence, entering values in the "Address" and "Data" fields and then clicking "Write Byte":

    Address: 2000E000
    Data: 00
    click on “Write Byte”
    Address: 2000E020
    Data: 01
    click on “Write Byte”
    Address: 2000E030
    Data: 00
    click on “Write Byte”
    Address: 2000E040
    Data: 00
    click on “Write Byte”

    With this we overwrite values so that the receiver will then respond to us and Jkeys knows how to interpret it (I do not have the slightest idea why, the credit for this goes to Salim Montasser; I was trying for a while by switching it off and on, but it did not go half as well). Now we can close the "Development Panel".

    7. - We click on "Flash Programming" and select the receiver again in the "IRD Model" drop-down, making sure that "Full" is selected and the start address is 7FE00000, like this:



    At this moment we can click on "Read" in the "Chip/Sector Programming" section to keep a copy of the present firmware.



    In order to write new firmware, first click on "Erase". It is necessary to erase the flash; when it finishes erasing is when we can put another one on it, but if we put on it the bin that we are used to using via the serial port, the receiver does not work, it remains absolutely dead. Don't worry: if you pay attention (and here is where I have had a hand, the rest is mere translation and adaptation of the work of Salim), the files are not the same size; there is a difference of 1 Kb between the one you have extracted and the one that we usually load via 232. The answer is that the files loaded via the serial port with boxloader or the very recommendable FCISUtils by Tonejo have a header added to them that is purely for interpretation, so we must remove this header before writing to the flash. I use UltraEdit-32, but you can do it with any hex editor. It is necessary to remove the first 30 bytes, up to where the real code begins (evileyes); I put photos for you so that you see it well:

    Selection of what must be removed:



    Removing...



    Saving the final result:



    Well, now we are ready to put the firmware on it via Jtag; since we have already erased the flash, we click "Program", select the modified file and write it to the flash:



    When it finishes, we can now switch off the receiver, remove the jtag and switch it on again; if everything has gone well (I have done it countless times and it has never failed me) we now have new firmware and the receiver starts without any problem.

    With this route open it is now possible to play more with the device, and users who would benefit from changing the communications interface that has failed so often can now update the receiver. By the way, I put a photo of mine after changing it so that they know where it is:


    I do not take responsibility for any malfunction of your receivers. If you decide to follow these steps, you take responsibility for your own actions.








    Information in this post is for educational purposes only
    You can't use it to watch pay TV without subscription.
    Attached Files Jtag_FCIS7000.zip (151.0 KB, 16 views)



    FOR INFORMATION ONLY !!!!!!!!!!!!

    Here's a little bit that I've done . Thanks go out to Salim Montasser . Point 6) is a bit dodgy . I've never used a Jtag so I'm not 100% sure what's going on . I'll finish the rest when I get a chance .

    ================================= ================= =======
    JTAG FOR FCIS 7000
    (AT PRESENT ONLY FOR MODELS WITH FLASH MACRONIX 29LV160AT)
    ILLUSION SAT M4 DUAL CI

    Firstly , I'd like to tell you that this guide was based almost totally on Salim Montasser's work . A big thanks goes out to him . I've only adapted and translated the information .

    The tests are done using a commercial JTAG . The one with the lithium battery and the 20 pin FC-20P connector (one to one) as shown in the following photo .

    1) Connect the JTAG with the receiver switched OFF . If you've cabled it right then the red cable (pin 1) should go to terminal 1 (it's got a little silk screen triangle on the board) of the CN1 connector on the receiver .

    2) Switch on the receiver with everything connected , JTAG to LPT1 and the output of CN1 to the receiver , with the jumper on the Jtag activated (it activates the power)

    3) Execute the supplied "Jkeys" , click on "Preferences" and select the port and the memory address used (0x378 by default)

    4) Click on "Development Panel" and straight away open "Wall" . You'll get a warning , click "Accept" and then "Reset uP" . Ignore the warning again by pressing "Accept"

    5) Now we can hit the "Accept" on the "Development Panel" window . You should see the following screen .

    6) Now you need to follow the following sequence introducing values in the "Address" and "Data" boxes and confirming with "Write Byte"

    By doing this we overwrite some data which will allow us to communicate with the receiver , so that the Jkeys knows how to interpret it (I've no idea why . This is for Salim Montasser . I was trying for a while switching the power on and off but it didn't work half as well)

    Now we can close the "Development Panel"

    7) Now click on "Flash Programming" and we reselect the receiver in "IRD MODEL" , making sure that we've selected "Full" and the start address 7FE00000 just like in the following picture .

    At this point we can click on "Read" in the "Chip/Sector Programming" section in order to backup the actual firmware .

    In order to write the new firmware firstly we need to erase the flash by clicking on "Erase" . When it finishes then we can select the other one , but if we select a .bin file , like we're used to doing via the serial port , then the receiver won't work . It'll be completely knackered .

    ================================= ================= =======

    courtesy of ssjenkins

    thank you m8

  3. #3
    Graham7 (V.I.P)

    Jtag For Fcis7000 tools.


    Information in this post is for educational purposes only.
    You can't use it to watch pay TV without subscription.
