# Diebold Accuvote TSx openocd conf # ================================= # This is the configuration for use of a flyswatter2 device # for interacting with the PXA255 based CPU and flash memory # in Diebold AccuVote TSx devices. A standard JTAG header can # be located on the PCB adjacent to PCMCIA slot 1. # # This configuration file should be placed in directory as # openocd.cfg and launched with "openocd --debug" for best # results. # # To reprogram the flash chip, you need to remove the memory # protections and erase all existing data. This can be done # directly using "flash write_image" command and giving the # erase unlock options. An erased chip should read 0xffffffff # on all sectors. You may need to reset the device to see this. # # To debug the BallotStation software you must handle an # eBoot exception during "Launching OS". Using gdb attached # and booted from a halted state you must handle an exception # at 0xffff0018 using "stepi" returning to 0x841047a8 then # "cont" execution to access the host OS. You have full # supervisor mode rights. "gdb-multiarch" did not work as # effectively for me as a native "gdb" running on an ARM # based device. # # (gdb) set arch xscale # (gdb) target remote localhost:3333 # # It is strongly recommended that you take a backup of your # device ROM before using the flash commands, use gdb or # openocd to read memory location 0x0 -> 0x04000000 which # you can use to restore the device should you brick it. # # -- Hacker Fantastic # https://hacker.house source /usr/share/openocd/scripts/interface/ftdi/flyswatter2.cfg transport select jtag # set PXA255 CPU as target (core running at 400Mhz) source /usr/share/openocd/scripts/target/pxa255.cfg # internal bus is 200Mhz for flash chip, comment # the two lines below to debug the CPU @ 300kHz speed # uncomment the two lines below to read/write flash memory. adapter_khz 200000 ftdi_tdo_sample_edge falling # enable passing information to gdb for debugging and memory maps. gdb_memory_map enable gdb_flash_program enable # P30_65nm_SBC_64M flash, "flash write_image erase unlock rom.bin" # from "telnet localhost 4444"to use openocd commands. set _FLASHNAME0 $_TARGETNAME.flash0 flash bank $_FLASHNAME0 cfi 0x00000000 0x04000000 2 4 $_TARGETNAME # working area for bulk block writing - map to RAM - use of working area # prevents using flash commands due to a bad read of status register and # openocd using its own injected code, disabling a working area gives you # direct read/write to the flash chip using CFI through the FT2232. # Comment the line below if using flash commands. #$_TARGETNAME configure -work-area-phys 0x0a000000 -work-area-size 8096