--- /dev/null
+# Knovative KC-100 cable modem
+
+# TNETC4401PYP, 208-QFP U3
+source [find target/tnetc4401.cfg]
+
+# 14-pin EJTAG on JP1. Standard pinout, 1-3-5-7-9-11 = nTRST-TDI-TDO-TMS-TCK-nSRST. Use 2 for GND.
+# Was initially disabled in hardware; had to add a solder bridge reenabling R124, R125 on back.
+reset_config trst_and_srst separate
+
+# 16Mb Intel CFI flash. Note this CPU has an internal ROM at 0x1FC0000 (phys) for cold boot.
+# All that really does is some minimal checks before jumping to external flash at 0x00000000 phys.
+# That is remapped to 0xB0000000 uncached, 0x90000000 cached.
+flash bank intel cfi 0xB0000000 0x200000 2 2 $_TARGETNAME
+
+# Perform this after a clean reboot, halt, and reset init (which should also leave it halted).
+proc kc100_dump_flash {} {
+ echo "Probing 48 TSOP Intel CFI flash chip (2MB)..."
+ flash probe intel
+ echo "Dumping 2MB flash chip to flashdump.bin.
+ flash read_bank 0 flashdump.bin 0 0x200000
+}
+
+#TODO figure out memory init sequence to be able to dump from cached segment instead
+
+# There is also a serial console on JP2, 3-5-6 = TX-RX-GND. 9600/8/N/1.
+
+# Possibly of note, this modem's ancient ethernet port does not support Auto-MDIX.
+
+# This modem in many ways appears to be essentially a clone of the SB5120. See usbjtag.com.
+# The firmware/OS is also susceptible to many of the same procedures in "Hacking the Cable Modem"
+# by DerEngel (Ryan Harris), available from No Starch Press.
-#
# FTDI USB Hi-Speed to MPSSE Cable
#
# http://www.ftdichip.com/Products/Cables/USBMPSSE.htm
# C232HM-DDHSL-0 and C232HM-EDSL-0 provide 3.3V and 5V on pin 1 (Red),
# respectively.
#
+# Adapter: http://www.ftdichip.com/Support/Documents/DataSheets/Cables/DS_C232HM_MPSSE_CABLE.PDF
+# Chip: http://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT232H.pdf
+# See pinout/colors at end of this file.
+#
+# Tech notes:
+# http://www.ftdichip.com/Support/Documents/AppNotes/AN_135_MPSSE_Basics.pdf
+# http://www.ftdichip.com/Support/Documents/AppNotes/AN_129_FTDI_Hi_Speed_USB_To_JTAG_Example.pdf
interface ftdi
#ftdi_device_desc "C232HM-DDHSL-0"
#ftdi_device_desc "C232HM-EDHSL-0"
+
+# Common PID for FT232H
ftdi_vid_pid 0x0403 0x6014
-ftdi_layout_init 0x0008 0x000b
+# Layout
+# High data byte 0x40 configures red LED on ACBUS6 initially high (unlit, since active-low)
+# Low data byte 0x08 configures TMS on ACBUS3 initially high (asserted); TCK, TDI low
+# High direction byte 0x40 configures red LED on ACBUS6 as high (output)
+# Low direction byte 0x0b configures TDO on ACBUS2 as low (input)
+ftdi_layout_init 0x4008 0x400b
+
+# ---A*BUS-------CCCCCCCC|DDDDDDDD
+# --------\______76543210|76543210
+# LED 0x4000 = 01000000|00000000 = ACBUS6
+#GPIOL0 0x0010 = 00000000|00010000 = ADBUS4
+#GPIOL1 0x0020 = 00000000|00100000 = ADBUS5
+#GPIOL2 0x0040 = 00000000|01000000 = ADBUS6
+#GPIOL3 0x0080 = 00000000|10000000 = ADBUS7
+# -ndata treats the LED as active-low for expected behavior (toggle when transferring)
+ftdi_layout_signal LED -ndata 0x4000
+# Available for aliasing as desired
+ftdi_layout_signal GPIOL0 -data 0x0010 -oe 0x0010
+ftdi_layout_signal GPIOL1 -data 0x0020 -oe 0x0020
+ftdi_layout_signal GPIOL2 -data 0x0040 -oe 0x0040
+ftdi_layout_signal GPIOL3 -data 0x0080 -oe 0x0080
+
+# C232HM FT232H JTAG/Other
+# Num Color Name Func
+# 1 Red VCC Optionally, can power the board if it is not using its own power supply.
+# 2 Orange ADBUS0 TCK
+# 3 Yellow ADBUS1 TDI
+# 4 Green ADBUS2 TDO
+# 5 Brown ADBUS3 TMS
+# 6 Grey ADBUS4 GPIOL0
+# 7 Purple ADBUS5 GPIOL1
+# 8 White ADBUS6 GPIOL2
+# 9 Blue ADBUS7 GPIOL3
+# 10 Black GND Connect to ground
--- /dev/null
+# Texas Instruments (TI) TNETC4401, MIPS32 DOCSIS-tailored SoC (4Kc-based)
+# Used in Knovative KC-100 and Motorola Surfboard SB5120 cable modems.
+# Datasheet: https://brezn.muc.ccc.de/~mazzoo/DOCSIS/tnetc4401.pdf
+transport select jtag
+set _TARGETNAME tnetc4401
+set _CPUTAPID 0x0000100f
+jtag newtap $_TARGETNAME tap -irlen 5 -ircapture 0x01 -irmask 0x1f -expected-id $_CPUTAPID
+target create $_TARGETNAME mips_m4k -chain-position $_TARGETNAME.tap -endian big
+
+# May need to halt manually before calling reset init
+$_TARGETNAME configure -event reset-init {
+ halt
+ echo "Attempting to disable watchdog..."
+ mwb phys 0xa8610b00 0 256
+ halt
+ wait_halt
+}