| As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com. |
Difference between revisions of "CW308T-D2000"
From ChipWhisperer Wiki
(→How to flash D2000 board using OpenOCD) |
(→Programming) |
||
| Line 45: | Line 45: | ||
Info : JTAG tap: quark_d2000.lmt enabled | Info : JTAG tap: quark_d2000.lmt enabled | ||
| − | At this point it will hold, waiting for new commands. Open a second command prompt, and run: | + | At this point it will hold, waiting for new commands. There is two ways to proceed: |
| + | |||
| + | ==== Connecting with GDB ==== | ||
| + | |||
| + | Connecting and programming with GDB may be preferred if you wish to also do any debug. It however is more limited in what commands you can run. If this does not work see the next section about using telnet commands. Open a second command prompt, and run: | ||
C:\IntelSWTools\ISSM_2016.0.027\issm_env.bat | C:\IntelSWTools\ISSM_2016.0.027\issm_env.bat | ||
gdb | gdb | ||
| − | + | You can then run the following within a GDB console: | |
target remote :3333 | target remote :3333 | ||
| − | monitor clk32M | + | monitor clk32M 125 |
monitor load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\quark_d2000_rom.bin 0x0 | monitor load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\quark_d2000_rom.bin 0x0 | ||
monitor load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\simpleserial_example\\release\\quark_d2000\\x86\\bin\\simpleserial_aes.bin 0x00180000 | monitor load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\simpleserial_example\\release\\quark_d2000\\x86\\bin\\simpleserial_aes.bin 0x00180000 | ||
| − | The first load_image is used for the ROM image. This | + | The first load_image is used for the ROM image. This should only be done once - do not reload every time, only reload the application. The boards as shipped come with a ROM image so you can skip that step if using the NewAE example code. |
| + | |||
| + | Notes: | ||
| + | |||
| + | # The <code>monitor clk32M 125</code> sets a 125 kHz JTAG clock frequency. This may be too slow, but is recommended especially when loading ROM due to potential for misprogramming on the target board due to the shunt resistor. Note it takes a long time (~60 seconds) to program the ROM code so don't abort it! | ||
| + | # If the above fails, see the next note on recovering normal settings with the telnet interface. | ||
| + | # You can short F13 (GPIO1 on the ChipWhisperer-Lite) to GND to force the JTAG pins on. It is suggested to do this via the ChipWhisperer-Lite software (setting it as a GPIO output and then setting it low). This requires the 'ROM' code programmed in already. | ||
| + | # Do not reload the ROM code unless needed -- this is the boot code and if something gets corrupt it can brick the device. | ||
| + | |||
| + | ==== Connecting with Telnet to Monitor ==== | ||
| + | |||
| + | When running the <code>target remote :3333</code> or other commands above, you may encounter errors that seem fatal. Do not fret, you can likely recover everything using another mode. To do so: | ||
| + | |||
| + | # Power cycle the target board, and re-run the openocd command previously specified (assuming you have encountered errors and the system is in an unknown state). | ||
| + | # If this fails, set GPIO1 to LOW, and power cycle the target. Try connecting again. | ||
| + | |||
| + | Assuming the connect works, open a second command prompt and run | ||
| + | |||
| + | telnet localhost 4444 | ||
| + | |||
| + | Note the port connected to is 4444 (not :3333) as before. This now enters the monitor directly, and you can try running the following commands: | ||
| + | |||
| + | reset halt | ||
| + | set QUARK_D2000_OTPC_DATA_WRITE_ENABLED 1 | ||
| + | mass_erase | ||
| + | clk32M 100 | ||
| + | load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\quark_d2000_rom.bin 0x0 | ||
| + | load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\simpleserial_example\\release\\quark_d2000\\x86\\bin\\simpleserial_aes.bin 0x00180000 | ||
| + | |||
| + | The following should be the example output of these commands: | ||
| + | |||
| + | > reset halt | ||
| + | JTAG tap: quark_d2000.cltap tap/device found: 0x0e786013 (mfg: 0x009, part: 0xe786, ver: 0x0) | ||
| + | Enabling lmt core tap | ||
| + | JTAG tap: quark_d2000.lmt enabled | ||
| + | target state: halted | ||
| + | target halted due to debug-request at 0x0000ffff in real mode | ||
| + | target state: halted | ||
| + | target halted due to debug-request at 0x0000fff0 in real mode | ||
| + | > set QUARK_D2000_OTPC_DATA_WRITE_ENABLED 1 | ||
| + | 1 | ||
| + | > mass_erase | ||
| + | Deleting OTPC, OTPD and FLASH regions | ||
| + | 0xb0100014: 00000001 | ||
| + | > clk32M 100 | ||
| + | adapter speed: 3 kHz | ||
| + | adapter speed: 100 kHz | ||
| + | JTAG tap: quark_d2000.cltap tap/device found: 0x0e786013 (mfg: 0x009, part: 0xe786, ver: 0x0) | ||
| + | Enabling lmt core tap | ||
| + | JTAG tap: quark_d2000.lmt enabled | ||
| + | target state: halted | ||
| + | target halted due to debug-request at 0x0000fff0 in real mode | ||
| + | > load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\quark_d2000_rom.bin 0x0 | ||
| + | ....8192 bytes written at address 0x00000000 | ||
| + | downloaded 8192 bytes in 66.997505s (0.119 KiB/s) | ||
| + | > load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\simpleserial_example\\release\\quark_d2000\\x8 | ||
| + | .2872 bytes written at address 0x00180000 | ||
| + | downloaded 2872 bytes in 42.280869s (0.066 KiB/s) | ||
| + | |||
| + | Note you can try the following if still having trouble: | ||
| + | |||
| + | # Use a slower JTAG clock speed. | ||
| + | # Short the SHUNTH/SHUNTL pins. | ||
== Schematic == | == Schematic == | ||
Revision as of 17:06, 5 February 2018
| CW308T-D2000 | |
|---|---|
 | |
| Target Device | Intel Quark D2000 |
| Target Architecture | x86 |
| Hardware Crypto | No |
| Design Files | OSH Park PCBs |
The D2000 target is a bit of an oddball. It's an x86 target, but is really a microcontroller (internal flash etc).
Contents
Programming
An external programmer is needed for this target. The Quark D2000 dev-board can be used with jumper wires, or a standard OpenOCD programmer can be used. The suggested programmer is the Olimex ARM-USB-OCD-H as is available from suppliers such as Mouser and Digi-Key (mouser link provided).
How to flash D2000 board using OpenOCD
We'll modify the provided scripts from the Intel ISSM distribution (compiler etc for D2000). Start a Windows command prompt and run the following commands:
C:\IntelSWTools\ISSM_2016.0.027\issm_env.bat cd %ISSM_DEBUGGER_ROOT%\openocd bin\openocd.exe -f scripts\interface\ftdi\olimex-arm-usb-ocd-h.cfg -f scripts\board\quark_d2000.cfg
Note we specify two script files - the first had the JTAG connection (the olimex-arm-usb-ocd-h.cfg), the second had the D2000. This should result in an output like the following:
Open On-Chip Debugger 0.8.0-dev-g7845893 (2015-11-26-18:12)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.sourceforge.net/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'jtag'
adapter speed: 1000 kHz
trst_only separate trst_push_pull
flash_rom
Info : clock speed 1000 kHz
Info : JTAG tap: quark_d2000.cltap tap/device found: 0x0e786013 (mfg: 0x009, part: 0xe786, ver: 0x0)
Enabling lmt core tap
Info : JTAG tap: quark_d2000.lmt enabled
At this point it will hold, waiting for new commands. There is two ways to proceed:
Connecting with GDB
Connecting and programming with GDB may be preferred if you wish to also do any debug. It however is more limited in what commands you can run. If this does not work see the next section about using telnet commands. Open a second command prompt, and run:
C:\IntelSWTools\ISSM_2016.0.027\issm_env.bat gdb
You can then run the following within a GDB console:
target remote :3333 monitor clk32M 125 monitor load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\quark_d2000_rom.bin 0x0 monitor load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\simpleserial_example\\release\\quark_d2000\\x86\\bin\\simpleserial_aes.bin 0x00180000
The first load_image is used for the ROM image. This should only be done once - do not reload every time, only reload the application. The boards as shipped come with a ROM image so you can skip that step if using the NewAE example code.
Notes:
- The
monitor clk32M 125sets a 125 kHz JTAG clock frequency. This may be too slow, but is recommended especially when loading ROM due to potential for misprogramming on the target board due to the shunt resistor. Note it takes a long time (~60 seconds) to program the ROM code so don't abort it! - If the above fails, see the next note on recovering normal settings with the telnet interface.
- You can short F13 (GPIO1 on the ChipWhisperer-Lite) to GND to force the JTAG pins on. It is suggested to do this via the ChipWhisperer-Lite software (setting it as a GPIO output and then setting it low). This requires the 'ROM' code programmed in already.
- Do not reload the ROM code unless needed -- this is the boot code and if something gets corrupt it can brick the device.
Connecting with Telnet to Monitor
When running the target remote :3333 or other commands above, you may encounter errors that seem fatal. Do not fret, you can likely recover everything using another mode. To do so:
- Power cycle the target board, and re-run the openocd command previously specified (assuming you have encountered errors and the system is in an unknown state).
- If this fails, set GPIO1 to LOW, and power cycle the target. Try connecting again.
Assuming the connect works, open a second command prompt and run
telnet localhost 4444
Note the port connected to is 4444 (not :3333) as before. This now enters the monitor directly, and you can try running the following commands:
reset halt set QUARK_D2000_OTPC_DATA_WRITE_ENABLED 1 mass_erase clk32M 100 load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\quark_d2000_rom.bin 0x0 load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\simpleserial_example\\release\\quark_d2000\\x86\\bin\\simpleserial_aes.bin 0x00180000
The following should be the example output of these commands:
> reset halt JTAG tap: quark_d2000.cltap tap/device found: 0x0e786013 (mfg: 0x009, part: 0xe786, ver: 0x0) Enabling lmt core tap JTAG tap: quark_d2000.lmt enabled target state: halted target halted due to debug-request at 0x0000ffff in real mode target state: halted target halted due to debug-request at 0x0000fff0 in real mode > set QUARK_D2000_OTPC_DATA_WRITE_ENABLED 1 1 > mass_erase Deleting OTPC, OTPD and FLASH regions 0xb0100014: 00000001 > clk32M 100 adapter speed: 3 kHz adapter speed: 100 kHz JTAG tap: quark_d2000.cltap tap/device found: 0x0e786013 (mfg: 0x009, part: 0xe786, ver: 0x0) Enabling lmt core tap JTAG tap: quark_d2000.lmt enabled target state: halted target halted due to debug-request at 0x0000fff0 in real mode > load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\quark_d2000_rom.bin 0x0 ....8192 bytes written at address 0x00000000 downloaded 8192 bytes in 66.997505s (0.119 KiB/s) > load_image C:\\chipwhisperer\\hardware\\victims\\firmware\\intel_quark\\simpleserial_example\\release\\quark_d2000\\x8 .2872 bytes written at address 0x00180000 downloaded 2872 bytes in 42.280869s (0.066 KiB/s)
Note you can try the following if still having trouble:
- Use a slower JTAG clock speed.
- Short the SHUNTH/SHUNTL pins.
Schematic
See GIT Repo for PDF of schematic.
Board Layout
See GIT Repo for gerber files.
