Amtec (ElsagDatamag) Argo 55/95 – Take 2: Serial access

In the previous post, we saw that the board sports three interesting headers (in red):

Argo 95 headers

Argo 95 headers (Click to enlarge)

But what are they for? Well, this is what I found using a logic probe:

1. UART
Vcc   NC    GND   RxD   TxD
o     o     o     o     o
+3,3   0     0    +2,9  +3,2

2. JTAG
Vcc
o     o     o     o     o     o     o

o     o     o     o     o     o     o
Vcc         GND   GND   GND   GND   GND
(Probable pinout: http://www.jtagtest.com/pinouts/ejtag)

3. ?
+3,3   0    +2,9  +3,2  +3,2   0
o     o     o     o     o     o
Vcc   GND               TxD?

I have absolutely no idea of what the port 3 is: there is activity on pin 5, but it isn’t a serial port. Port 1 is what we were looking for: we can connect using a RS232 – TTL adapter and a terminal emulator (115000 baud, 8 bits, no parity, 1 stop bit), and… voilà! The bootlog!

Reading the bootlog, we  learn some useful things: the box runs OpenRG, and the bootloader is U-Boot – and is freely accessible!

These are the available commands:

=> help
? – alias for ‘help’
askenv – get environment variables from stdin
autoscr – run script from memory
base – print or set address offset
bdinfo – print Board Info structure
boot – boot default, i.e., run ‘bootcmd’
boot_openrg – boot Openrg active image
bootd – boot default, i.e., run ‘bootcmd’
bootm – boot application image from memory
bootp – boot image via network using BOOTP/TFTP protocol
cmp – memory compare
coninfo – print console devices and information
cp – memory copy
crc32 – checksum calculation
dhcp – boot image via network using DHCP/TFTP protocol
echo – echo args to console
erase – erase FLASH memory
flayout – print FLASH layout and sections
flinfo – print FLASH memory information
get_openrg_active – print info about Openrg images in flash and indicate what is
the active
go – start application at address ‘addr’
gpio – GPIO management commands
help – print online help
iminfo – print header information for application image
imls – list all images found in flash
imxtract- extract a part of a multi-image
itest – return true/false on integer compare
led – LED management commands
loadb – load binary file over serial line (kermit mode)
loads – load S-Record file over serial line
loady – load binary file over serial line (ymodem mode)
loop – infinite loop on address range
md – memory display
mii – MII utility commands
mm – memory modify (auto-incrementing)
mtest – simple RAM test
mw – memory write (fill)
nfs – boot image via network using NFS protocol
nm – memory modify (constant address)
pci – list and access PCI Configuration Space
ping – send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect – enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset – Perform RESET of the CPU
run – run commands in an environment variable
saveenv – save environment variables to persistent storage
setenv – set environment variables
sleep – delay execution for some time
tftpboot- boot image via network using TFTP protocol
update_openrg – update openrg writing inactive image section
update_openrg_factory – update openrg factory settings
version – print monitor version

Wow, seems a lot of fun, right? :)

 

Written by bano on 2012/01/16 Categories: Hacking Tags: , , , , , , , ,
22 Comments on Amtec (ElsagDatamag) Argo 55/95 – Take 2: Serial access

22 Comments

Leave a Reply