Using BDM on Motorola GSM phones

By Madis Lobjakas & Janus Krarup

Background Debugging Mode (BDM) is a special feature of Motorola 683xx MCUs. It allows you to interface to the MCU and perform various operations. The useful things that can be done from here are reading and writing memory (including memory-mapped I/O) and single-stepping through code. Programs can be uploaded into RAM and executed from there. To access this mode, you need a simple interface and a special terminal program running on a PC. What does this have to do with Motorola GSM phones? Every single Motorola GSM phone up to and including the 8400 used the MC68332. The next generation, from the 8700/d460 up to the cd920/d520, used the MC68338. The very latest units, like the v and m series, do not use a Motorola MCU and hence have no BDM capabilities. To use this special MCU feature, you WILL have to open your phone and do some soldering. Here is what you need to get started:

1. First you need an IBM-PC compatible computer with a free LPT (printer) port. Even an old, slow XT is OK.

2. Download the software. I recommend the BD32 debugger by Scott Howard. This is an excellent tool with a built-in simple macro language and disassembler. And it is freeware.

3. Now you have to build a small piece of hardware. The circuit diagram can be found in the downloaded archive bd32-122.zip: copy the file "bdm-if.prn" directly to an Epson-compatible printer to get the schematic. Or look at application note #1230 from Motorola. Another nice diagram is available here.

The shopping list is short:
1. 74HC76
2. 74HC132
3. Resistor, 10 kOhm
4. Capacitor, 0.1 uF
5. Capacitor, 0.01 uF
6. D25 male connector
7. Diode, generic low-power Si (1N4148 for example)
8. Piece of prototype board and less than 0.5 m of hookup wire
9. 8 or 10 pin (2x4 or 2x5, 0.1") header

If the 74HC76 is difficult to find, it can be replaced by the more common 74HC74; the circuit diagram for that variant can be found on another great page. All the components are generic and cheap. I spent less than 2 EUR for all the above stuff.

4. It's time to open the phone. The 8900, StarTac130, d160/170, d520 and cd920/930 are good phones because they have easily accessible BDM connection pads. All cd930/920 I have seen even have clear markings for all pads. Older phones have big enough MCUs that the BDM wires can be soldered directly to the MCU pins. It will work equally well, but requires a steady hand. The pins you need to access are clustered together. I have successfully used BDM on an 8200 in this way. The StarTAC 70/85 does not have dedicated pads, but it has a huge service connector on the side of the PCB which includes the BDM connections (if anyone knows which pins they are on, please let me know!).

The GSM phones have a software watchdog that we will have to disable in order to make it easier to work with BDM. A watchdog is a feature of the MCU that is used to check that the program executes as intended and doesn't enter a loop that it can't exit from. The program running on the phone has to reset a status flag at regular intervals or the watchdog will reset the MCU. If 500 milliseconds go by without the MCU resetting the watchdog, the watchdog will assume that the program has crashed. The hardware watchdog that is part of the power controller (CAR on older phones) will then power down the phone. When entering BDM mode and halting the MCU, the watchdog will think the program crashed and the hardware watchdog will power down the phone as soon as normal operation is resumed. The hardware watchdog can be disabled manually by connecting the "WD" or "WDOG" pad to a high logic level (the power pad labeled "L275"). In this way, you can resume MCU operation and continue the execution of the program when returning from the halted state. (It is not enough to disable the software watchdog through the appropriate MCU register.)

The other wires are connected exactly as on the interface circuit diagram, so here are some layouts:

5. Read the document "bd32.doc" to configure the interface. Configuration information is stored in "bd32.cfg". The first line is the name of the port that the interface is plugged into. The second line contains the delay parameter, which depends on the speed of your computer (0 for an XT and >130 for a fast Pentium).

6. First test: Run bd32.exe and turn the phone on. Issue the command "reset". Does the phone restart? If the phone simply turns off, then the "WD" pin is not held at a constant high voltage. If nothing happens, check your interface hardware and connector wiring once more.

7. If the reset was successful, then the setup is working and you can start to use it. In windowed mode, it will look like this:

The basic commands that you should know about are: md (memory dump) and mm (memory modify).

The memory map of the Motorola phones is highly conserved from model to model. The basic layout is like this:

0x000000-0x003FFF Boot loader
0x004000-0x0FFFFF Main program
0x100000-0x11FFFF RAM
0x120000-0x121FFF EEPROM

The memory map can always be derived by following program execution from reset and studying the chip select registers. RAM can be read and written, FLASH is read-only and EEPROM can be both read and written. However, before the EEPROM can be written to, the WE line has to be activated. The EEPROM WE line is 0xFFFA49.
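
As an added example (not part of the original page or of BD32), the Python sketch below splits an address range or a saved flat memory dump at the region boundaries of the map above and hashes each piece, so a dump can be checked against a later one region by region. The function names are hypothetical, and treating the boot loader and main program areas as the read-only FLASH is an assumption.

```python
import hashlib

# Memory map as listed in the article (end addresses inclusive).
# Assumption: boot loader and main program are the FLASH the text calls read-only.
REGIONS = [
    ("boot_loader",  0x000000, 0x003FFF, "read-only"),
    ("main_program", 0x004000, 0x0FFFFF, "read-only"),
    ("ram",          0x100000, 0x11FFFF, "read-write"),
    ("eeprom",       0x120000, 0x121FFF, "read-write after WE is activated"),
]

def split_range(start, end):
    """Split [start, end] (inclusive) at region boundaries.

    Returns (name, first, last, access) tuples; addresses outside the
    listed map are reported as 'unmapped' instead of being dropped."""
    if start < 0 or start > end:
        raise ValueError("need 0 <= start <= end")
    out, cur = [], start
    for name, lo, hi, access in REGIONS:
        if cur > end:
            break
        if hi < cur:
            continue                      # region lies below the request
        if lo > cur:                      # hole before this region
            gap_end = min(lo - 1, end)
            out.append(("unmapped", cur, gap_end, "unknown"))
            cur = gap_end + 1
            if cur > end:
                break
        last = min(hi, end)
        out.append((name, cur, last, access))
        cur = last + 1
    if cur <= end:                        # tail above the last region
        out.append(("unmapped", cur, end, "unknown"))
    return out

def manifest(dump, base=0):
    """Per-region SHA-256 of a flat dump whose first byte is at address base."""
    rows = []
    for name, first, last, _ in split_range(base, base + len(dump) - 1):
        chunk = dump[first - base:last - base + 1]
        rows.append((name, first, last, hashlib.sha256(chunk).hexdigest()))
    return rows

if __name__ == "__main__":
    sample = bytes(range(32))             # constructed data, not a real dump
    for row in manifest(sample, base=0x11FFF0):
        print("%-12s 0x%06X-0x%06X %s" % row)
```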

This page is not complete yet. More to come:

-brief list of the most important MCU registers

-chip selects and WE for EEPROM + Flash OE pin

-backup and restore of EEPROM - DS2401 considerations

-Flashing over BDM.