--- In lpc2000@yahoogroups.com, "Felix" <felix_lazarev@y...> wrote:
>
> OK, I've tried a couple of experiments and done RE of the boot loader, and
> here are my findings:
>
> 1. JTAG pins are configured as GPIO inputs during reset; RTCK is
> sampled by the boot loader itself and GPIO are configured accordingly
> at a later stage.
> 2. There is something like a CRP latch in the chip; the boot loader
> writes 0xFFFFFFFF there if CRP is enabled.
> 3. It is possible to rewrite the boot loader only, even on CRP
> protected devices.
> 4. It is possible to ENABLE the JTAG on CRP protected devices, using
> 5 asm commands run from RAM; however, FLASH is still inaccessible from
> JTAG -- it's reading 0xFFFFFFFF once the CRP latch is set. Nevertheless,
> zeroing the CRP latch by means of JTAG enables full access to FLASH,
> provided you stop the CPU before that (zeroing the CRP latch resets the
> CPU core. Only the core, not peripherals).
>
> This was tested on LPC2129, with the latest bootloader.
> Tools:
> IDA Pro Advanced,
> Philips on-field boot loader update utility,
> Olimex LPC2129 board.
>
Hi, sorry, I do not understand a few points:

Item 3) How do you write to the boot loader?
If CRP is ON, JTAG should be disabled and the user cannot
load/execute to/from RAM (ISP command also disabled).

Item 4) Same question: how do you put those few (5 ARM)
instructions into the RAM and execute them? JTAG and ISP
load/execute to/from RAM are disabled.

=> Is there another way to force load+run code from RAM when both
JTAG and ISP command are disabled?

Thanks, and Regards /MH

Re: Flash Security Clarification --- some sad facts
2005-12-25 by unity0724