Old 20-09-2010, 17:55   #1
cionci
Recovering a bricked DGN2200

The router stays with the red LED steadily lit and does not even enter idle mode. I suppose the CFE is gone.

High-resolution photos (to download them, click "Download this image"):
- Top side
- Bottom side
- JTAG
- serial
- The solder joints for the JTAG
- The connector and the resistors for the JTAG
- Overview with the JTAG connected

Output of the "dmesg" command run via telnet on a working router:
Code:
Linux version 2.6.21.5 (will@STB-Linux) (gcc version 4.2.3) #5 Fri Mar 5 15:44:39 CST 2010
Parallel flash device: name AM29DL800B, id 0x22cb, size 8192KB
96358VW prom init
CPU revision is: 0002a010
Determined physical RAM map:
 memory: 01fa0000 @ 00000000 (usable)
On node 0 totalpages: 8096
  DMA zone: 32 pages used for memmap
  DMA zone: 0 pages reserved
  DMA zone: 4064 pages, LIFO batch:0
  Normal zone: 31 pages used for memmap
  Normal zone: 3969 pages, LIFO batch:0
Built 1 zonelists.  Total pages: 8033
Kernel command line: root=31:0 ro noinitrd console=ttyS0,115200
brcm mips: enabling icache and dcache...
Primary instruction cache 32kB, physically tagged, 2-way, linesize 16 bytes.
Primary data cache 16kB, 2-way, linesize 16 bytes.
Synthesized TLB refill handler (21 instructions).
Synthesized TLB load handler fastpath (33 instructions).
Synthesized TLB store handler fastpath (33 instructions).
Synthesized TLB modify handler fastpath (32 instructions).
PID hash table entries: 128 (order: 7, 512 bytes)
Using 150.000 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 29276k/32384k available (2097k kernel code, 3108k reserved, 450k data, 92k init, 0k highmem)
KLOB Pool 1 Initialized: 1048576 bytes <0x80300000 ... 0x80400000>
Calibrating delay loop... 296.96 BogoMIPS (lpj=148480)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
Total Flash size: 8192K with 135 sectors
File system address: 0xbe010100
registering PCI controller with io_map_base unset
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
BLOG v1.0 Initialized
NET: Registered protocol family 8
NET: Registered protocol family 20
Time: MIPS clocksource has been installed.
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
fuse init (API version 7.8)
io scheduler noop registered (default)
PPP generic driver version 2.4.2
NET: Registered protocol family 24
physmap platform flash device: 00800000 at be000000
physmap-flash.0: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
cmdlinepart partition parsing not available
RedBoot partition parsing not available
Using physmap partition information
Creating 10 MTD partitions on "physmap-flash.0":
0x00010100-0x00790000 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
0x00010000-0x00790000 : "fw_upgrade"
0x00790000-0x007a0000 : "ML1"
0x007a0000-0x007b0000 : "ML2"
0x007b0000-0x007c0000 : "T_Meter1"
0x007c0000-0x007d0000 : "T_Meter2"
0x007d0000-0x007e0000 : "POT"
0x007e0000-0x007f0000 : "board_data"
0x007f0000-0x00800000 : "nvram"
0x00000000-0x00800000 : "whole_flash"
PCI: Enabling device 0000:00:0a.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:0a.0 to 64
ehci_hcd 0000:00:0a.0: EHCI Host Controller
ehci_hcd 0000:00:0a.0: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:0a.0: irq 18, io mem 0xfffe1300
ehci_hcd 0000:00:0a.0: USB f.f started, EHCI 1.00, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ohci_hcd: 2006 August 04 USB 1.1 'Open' Host Controller (OHCI) Driver
hub 1-0:1.0: over-current change on port 2
PCI: Enabling device 0000:00:09.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:09.0 to 64
ohci_hcd 0000:00:09.0: OHCI Host Controller
ohci_hcd 0000:00:09.0: new USB bus registered, assigned bus number 2
ohci_hcd 0000:00:09.0: irq 13, io mem 0xfffe1400
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new interface driver usblp
drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
brcmboard: brcm_board_init entry
Serial: BCM63XX driver $Revision: 3.00 $
ttyS0 at MMIO 0xfffe0100 (irq = 10) is a BCM63XX
ttyS1 at MMIO 0xfffe0120 (irq = 11) is a BCM63XX
bcmxtmrt: Broadcom BCM6358A1 ATM Network Device v0.1 Mar  5 2010 08:35:00
netem: version 1.2
u32 classifier
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 15
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 92k freed
bcmxtmcfg: module license 'Proprietary' taints kernel.
bcmxtmcfg: bcmxtmcfg_init entry
adsl: adsl_init entry
Broadcom BCMPROCFS v1.0 initialized
Broadcom BCM6358A1 Ethernet Network Device v0.3 Mar  5 2010 08:34:49
Config Ethernet Switch Through MDIO Pseudo PHY Interface
ethsw: found bcm5325e!
dgasp: kerSysRegisterDyingGaspHandler: eth0 registered
eth0: MAC Address: XX:XX:XX:XX:XX:XX
eth0 Link UP.
PCI: Enabling device 0000:00:01.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:01.0 to 64
wl: srom not detected, using main memory mapped srom info (wombo board)
KLOB extended to 2 pools
wl0: wlc_attach: MAC addr from system pool. id:0x776c0000
wl0: MAC Address: XX:XX:XX:XX:XX:XX
wl0: Broadcom BCMa8d6 802.11 Wireless Controller 5.10.120.0.cpe4.402.4
dgasp: kerSysRegisterDyingGaspHandler: wl0 registered
KLOB extended to 3 pools
device wl0 entered promiscuous mode
device eth0 entered promiscuous mode
br0: port 2(eth0) entering learning state
br0: port 1(wl0) entering learning state
br0: topology change detected, propagating
br0: port 2(eth0) entering forwarding state
br0: topology change detected, propagating
br0: port 1(wl0) entering forwarding state
BcmAdsl_Initialize=0xC006D188, g_pFnNotifyCallback=0xC0093544
AnnexCParam=0x00000000 AnnexAParam=0x00003987 adsl2=0x00000002
pSdramPHY=0xA1FFFFF8, 0xAFB5BFF5 0xEDBFFFFF
AdslCoreSharedMemInit: shareMemAvailable=21712
AdslCoreHwReset:  AdslOemDataAddr = 0xA1FEF96C
AnnexCParam=0x00000000 AnnexAParam=0x00003987 adsl2=0x00000002
dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered
KLOB extended to 4 pools
br0: port 1(wl0) entering disabled state
xDSL G.994 training
KLOB extended to 5 pools
device wl0.1 entered promiscuous mode
device wl0.2 entered promiscuous mode
device wl0.3 entered promiscuous mode
br0: port 1(wl0) entering learning state
br0: topology change detected, propagating
br0: port 1(wl0) entering forwarding state
ADSL G.992 started
ADSL G.992 channel analysis

First of all I will have to build a JTAG - LPT cable to flash the CFE (the router's bootloader) again. Then I will have to connect via serial and retrieve the original firmware from a TFTP server.
Better still would be to manage to get a backup of two CFEs from different routers, so that by comparing them it can be determined how to put my MAC address directly into the CFE. That way I would not even need to build the serial cable and would go straight to flashing the official image via idle mode.

The console (untested):

Code:
Pin | Signal  | Voltage
-----------------------
 1  | VCC     | 3.3V
 2  | TX      | 3.3V
 3  |         | 0V
 4  |         | 0V
 5  | RX      | 3.3V
 6  | GND     | 0.001V (10 ohm)

Now let's look at the voltages on the JTAG:

Code:
Pin | Voltage
---------------
 1  | 3.38V
 2  | 0
 3  | 3.38V
 4  | 0
 5  | 3.3V - 2.16V - 0.15V variable
 6  | 0
 7  | 3.38V
 8  | 0
 9  | 2.89V
10  | 0
11  | 3.3V
12  | 0

The pins to use for the JTAG are:
Code:
Pin | Signal
-------------
 3  | TDI
 5  | TDO
 7  | TMS
 9  | TCK

Ground can be taken from any even-numbered pin.

Very interesting link on how JTAG works: http://www.fpga4fun.com/JTAG2.html

I built this JTAG cable: http://misterox.altervista.org/dokuw...dg834gt:5_jtag (by misteroX)

The solder joints on the board:

The resistors and the connector:

Overview with the JTAG fitted:

The JTAG works; it takes 93 seconds to back up the CFE (256KB).
The utility used is tjtag3: http://www.dd-wrt.com/wiki/index.php/Jtag
Here is the output of "tjtag3 -probeonly":
Code:
==============================================
 EJTAG Debrick Utility v3.0.1 Tornado-MOD 
==============================================

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom BCM6358 Rev 1 CPU chip ***

    - EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS16 MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done

Probing Flash at (Flash Window: 0x1f000000) ... 
Done

Flash Vendor ID: 00000000000000000000000011000010 (000000C2)
Flash Device ID: 00000000000000000010001011001011 (000022CB)
*** Found a MX29LV640B 4Mx16 BotB     (16MB) Flash Chip ***

    - Flash Chip Window Start .... : 1f000000
    - Flash Chip Window Length ... : 01000000
    - Selected Area Start ........ : 00000000
    - Selected Area Length ....... : 00000000



 *** REQUESTED OPERATION IS COMPLETE ***

The command must be given twice for the subsequent operations to work properly.

Last edited by cionci: 23-09-2010 at 23:37.
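
The comparison of two CFE backups that the post proposes, as an added example that is not part of the original post: it lists the byte ranges where two same-sized dumps differ and confirms which range holds the MAC by searching each dump for its own router's known address. The function names are hypothetical, and the MAC values, offsets and dump contents are constructed for illustration, not taken from a real DGN2200.

```python
# Added example: locate the MAC field by comparing two CFE dumps.
# All offsets and MAC values below are constructed, not from a real DGN2200.

def diff_runs(a: bytes, b: bytes, gap: int = 6):
    """Return [(offset, length)] of differing regions, merging bytes < gap apart."""
    if len(a) != len(b):
        raise ValueError("dumps must cover the same flash region")
    runs = []
    for off, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if runs and off - sum(runs[-1]) < gap:   # sum() == end of last run
            runs[-1] = (runs[-1][0], off - runs[-1][0] + 1)
        else:
            runs.append((off, 1))
    return runs

def find_mac(image: bytes, mac: str):
    """Offsets where mac is stored as 6 raw bytes or as ASCII hex text."""
    raw = bytes.fromhex(mac.replace(":", ""))
    needles = {raw, mac.lower().encode(), mac.upper().encode(),
               raw.hex().encode(), raw.hex().upper().encode()}
    hits = set()
    for needle in needles:
        pos = image.find(needle)
        while pos != -1:
            hits.add((pos, len(needle)))
            pos = image.find(needle, pos + 1)
    return sorted(hits)

def mac_field(a, mac_a, b, mac_b):
    """Fields holding each router's own MAC at the same offset in both dumps."""
    runs = diff_runs(a, b)
    shared = set(find_mac(a, mac_a)) & set(find_mac(b, mac_b))
    return sorted((off, n) for off, n in shared
                  if any(r < off + n and r + rl > off for r, rl in runs))

def _sample(mac: str, other: bytes) -> bytes:
    img = bytearray(b"\xff" * 256)          # stand-in for a 256KB CFE dump
    img[0x20:0x26] = bytes.fromhex(mac.replace(":", ""))
    img[0x80:0x84] = other                  # some other per-device field
    return bytes(img)

MAC_A, MAC_B = "00:11:22:33:44:55", "00:11:22:33:47:aa"
DUMP_A = _sample(MAC_A, b"\x12\x34\x56\x78")
DUMP_B = _sample(MAC_B, b"\x9a\xbc\xde\xf0")

if __name__ == "__main__":
    for off, n in diff_runs(DUMP_A, DUMP_B):
        print(f"0x{off:06x} len {n}: {DUMP_A[off:off+n].hex()} vs {DUMP_B[off:off+n].hex()}")
    print("MAC field:", mac_field(DUMP_A, MAC_A, DUMP_B, MAC_B))
```

Two MACs from the same vendor share their first bytes, so the raw diff shows only the tail of the field; matching each dump against the address printed on its router's label recovers the full 6-byte range. Any other differing run may be data derived from the MAC and would have to be understood before editing a dump.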