Broadcom 万能刷猫工具! JTAG硬件+Linux源码
这里有 Broadcom的 JTAG做法,以及在linux下用http://spacetoad.com/tmp/hairydairymaid_debrickv22.zip
-=-=-=-=- 以下内容由 wqnet 在 2005年11月11日 02:32pm 时添加 -=-=-=-=-
Modem板上的12Pin接口就是JTAG
可以用来调试程序、写Flash。
一般没有焊接头,需要自己焊一个上去。
即使你的猫已经不能启动,不响应任何连接,只要硬件没坏,就可以用它写Flash。
但是它的写入速度太慢,一般不要用它写整个固件。可以先写入cfe的bootblock,然后用以太网口写,速度会快很多。
Broadcom 万能刷猫工具! JTAG硬件+Linux源码
下不了Broadcom 万能刷猫工具! JTAG硬件+Linux源码
期待有新的结果公布Broadcom 万能刷猫工具! JTAG硬件+Linux源码
4Pin的是RS232的终端线,要求Flash内有能启动的系统。这个可以刷没有任何系统的空Flash片,或刷错固件、刷过程中掉电等不能启动的猫。不过这个程序是刷路由器的,目前只支持BCM4712、BCM5352,不支持6335、6345这两个芯片,需要修改源码才能刷猫,正在研究中。
刷新工具选择顺序是这样的
首选telnet;不能用telnet的用4pin线;最后才用到这个。
如果这个也不好使的话,很不幸,你的猫硬件已经挂了……
Broadcom 万能刷猫工具! JTAG硬件+Linux源码
谢谢,应该还有接4pin的方法Broadcom 万能刷猫工具! JTAG硬件+Linux源码
能下啊,我网通、铁通的线路都试过……你用的是啥线路?
不行的话用代理服务器试试。
Broadcom 万能刷猫工具! JTAG硬件+Linux源码
下了一半就不能下了,怎么回事呀.Broadcom 万能刷猫工具! JTAG硬件+Linux源码
谁能提供一个稳定的FTP?我传上去吧。Broadcom 万能刷猫工具! JTAG硬件+Linux源码
QQ共享呀.Broadcom 万能刷猫工具! JTAG硬件+Linux源码
);i++;
}
if (strcmp(choice,"/noreset")==0)
issue_reset = 0;
else
if (strcmp(choice,"/nobreak")==0)
issue_break = 0;
else
if (strcmp(choice,"/noerase")==0)
issue_erase = 0;
else
if (strcmp(choice,"/notimestamp")==0)
issue_timestamp = 0;
else
if (strncmp(choice,"/fc:",4)==0)
sscanf(choice,"/fc:%d", &selected_fc);
else
{
show_usage();
printf("\n*** ERROR - Invalid <switch> specified ***\n\n");
exit(1);
}
j++;
}
}
// Detect & Initialize
chip_detect();
// For Good Measure
test_reset();
// Find Starting "ctrl_reg" Value
set_instr(INSTR_CONTROL);
ctrl_reg = ReadData();
// New Init Sequence
if (issue_reset)ejtag_issue_reset(); // Reset Processor and Peripherals
ejtag_dma_write(0xff300000,0); // Clear DCR
ejtag_dma_write(0xb8000080,0); // Clear Watchdog
if (issue_break)ejtag_jtagbrk(); // Put into EJTAG Debug Mode
// Flash Chip Detection
if (selected_fc != 0)
sflash_config();
else
sflash_probe();
if (flash_size == size2MB)
{
FLASH_MEMORY_START = CFE_START_2MB;
if (run_option == 1 )run_backup("CFE.BIN", CFE_START_2MB, CFE_LENGTH_2MB);
if (run_option == 2 )run_backup("NVRAM.BIN", NVRAM_START_2MB, NVRAM_LENGTH_2MB);
if (run_option == 3 )run_backup("KERNEL.BIN", KERNEL_START_2MB, KERNEL_LENGTH_2MB);
if (run_option == 4 )run_backup("WHOLEFLASH.BIN", WHOLEFLASH_START_2MB,WHOLEFLASH_LENGTH_2MB);
if (run_option == 5 )run_erase("CFE.BIN", CFE_START_2MB, CFE_LENGTH_2MB);
if (run_option == 6 )run_erase("NVRAM.BIN", NVRAM_START_2MB, NVRAM_LENGTH_2MB);
if (run_option == 7 )run_erase("KERNEL.BIN", KERNEL_START_2MB, KERNEL_LENGTH_2MB);
if (run_option == 8 )run_erase("WHOLEFLASH.BIN",WHOLEFLASH_START_2MB,WHOLEFLASH_LENGTH_2MB);
if (run_option == 9 )run_flash("CFE.BIN", CFE_START_2MB, CFE_LENGTH_2MB);
if (run_option == 10)run_flash("NVRAM.BIN", NVRAM_START_2MB, NVRAM_LENGTH_2MB);
if (run_option == 11)run_flash("KERNEL.BIN", KERNEL_START_2MB, KERNEL_LENGTH_2MB);
if (run_option == 12)run_flash("WHOLEFLASH.BIN",WHOLEFLASH_START_2MB,WHOLEFLASH_LENGTH_2MB);
}
if (flash_size == size4MB)
{
FLASH_MEMORY_START = CFE_START_4MB;
if (run_option == 1 )run_backup("CFE.BIN", CFE_START_4MB, CFE_LENGTH_4MB);
if (run_option == 2 )run_backup("NVRAM.BIN", NVRAM_START_4MB, NVRAM_LENGTH_4MB);
if (run_option == 3 )run_backup("KERNEL.BIN", KERNEL_START_4MB, KERNEL_LENGTH_4MB);
if (run_option == 4 )run_backup("WHOLEFLASH.BIN", WHOLEFLASH_START_4MB,WHOLEFLASH_LENGTH_4MB);
if (run_option == 5 )run_erase("CFE.BIN", CFE_START_4MB, CFE_LENGTH_4MB);
if (run_option == 6 )run_erase("NVRAM.BIN", NVRAM_START_4MB, NVRAM_LENGTH_4MB);
if (run_option == 7 )run_erase("KERNEL.BIN", KERNEL_START_4MB, KERNEL_LENGTH_4MB);
if (run_option == 8 )run_erase("WHOLEFLASH.BIN",WHOLEFLASH_START_4MB,WHOLEFLASH_LENGTH_4MB);
if (run_option == 9 )run_flash("CFE.BIN", CFE_START_4MB, CFE_LENGTH_4MB);
if (run_option == 10)run_flash("NVRAM.BIN", NVRAM_START_4MB, NVRAM_LENGTH_4MB);
if (run_option == 11)run_flash("KERNEL.BIN", KERNEL_START_4MB, KERNEL_LENGTH_4MB);
if (run_option == 12)run_flash("WHOLEFLASH.BIN",WHOLEFLASH_START_4MB,WHOLEFLASH_LENGTH_4MB);
}
if ((flash_size == size8MB) || (flash_size == size16MB))// Treat 16MB Flash Chip like it is an 8MB Flash Chip
{
FLASH_MEMORY_START = CFE_START_8MB;
if (run_option == 1 )run_backup("CFE.BIN", CFE_START_8MB, CFE_LENGTH_8MB);
if (run_option == 2 )run_backup("NVRAM.BIN", NVRAM_START_8MB, NVRAM_LENGTH_8MB);
if (run_option == 3 )run_backup("KERNEL.BIN", KERNEL_START_8MB, KERNEL_LENGTH_8MB);
if (run_option == 4 )run_backup("WHOLEFLASH.BIN", WHOLEFLASH_START_8MB,WHOLEFLASH_LENGTH_8MB);
if (run_option == 5 )run_erase("CFE.BIN", CFE_START_8MB, CFE_LENGTH_8MB);
if (run_option == 6 )run_erase("NVRAM.BIN", NVRAM_START_8MB, NVRAM_LENGTH_8MB);
if (run_option == 7 )run_erase("KERNEL.BIN", KERNEL_START_8MB, KERNEL_LENGTH_8MB);
if (run_option == 8 )run_erase("WHOLEFLASH.BIN",WHOLEFLASH_START_8MB,WHOLEFLASH_LENGTH_8MB);
if (run_option == 9 )run_flash("CFE.BIN", CFE_START_8MB, CFE_LENGTH_8MB);
if (run_option == 10)run_flash("NVRAM.BIN", NVRAM_START_8MB, NVRAM_LENGTH_8MB);
if (run_option == 11)run_flash("KERNEL.BIN", KERNEL_START_8MB, KERNEL_LENGTH_8MB);
if (run_option == 12)run_flash("WHOLEFLASH.BIN",WHOLEFLASH_START_8MB,WHOLEFLASH_LENGTH_8MB);
}
printf("\n\n *** REQUESTED OPERATION IS COMPLETE ***\n\n");
chip_shutdown();
return 0;
}
下面是源程序的.h文件
// **************************************************************************
//
//WRT54G.H - Header file for the WRT54G/GS EJTAG DeBrick Utilityv4.1
//
//Note:
//This program is for De-Bricking the WRT54G/GS routers
//
//New for v4.1 - software re-written to support 38 flash chips and
// auto-detect flash chip & flash size & adjust
// region info accordingly for reading/writing to the
// flash chips.Also added support for compiling under
// Windows, Linux, and FreeBSD.
//
// **************************************************************************
//Written by HairyDairyMaid (a.k.a. - lightbulb)
//hairydairymaid@yahoo.com
// **************************************************************************
//
//This program is copyright (C) 2004 HairyDairyMaid (a.k.a. Lightbulb)
//This program is free software; you can redistribute it and/or modify it
//under the terms of version 2 the GNU General Public License as published
//by the Free Software Foundation.
//This program is distributed in the hope that it will be useful, but WITHOUT
//ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
//FITNESS FOR A PARTICULAR PURPOSE.See the GNU General Public License for
//more details.
//To view a copy of the license go to:
//http://www.fsf.org/copyleft/gpl.html
//To receive a copy of the GNU General Public License write the Free Software
//Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA02111-1307, USA.
//
// **************************************************************************
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#ifndef WINDOWS_VERSION
#include <unistd.h>
#include <sys/ioctl.h>
#ifdef __FreeBSD__
#include <dev/ppbus/ppi.h>
#include <dev/ppbus/ppbconf.h>
#define PPWDATA PPISDATA
#define PPRSTATUS PPIGSTATUS
#else
#include <linux/ppdev.h>
#endif
#endif
#define true1
#define false 1
#define RETRY_ATTEMPTS 16
// ------------------------------------------------------
// --- Choose only one cable specific section below
// ------------------------------------------------------
//
// --- Xilinx Type Cable ---
#define TDI 0
#define TCK 1
#define TMS 2
#define TDO 4
//
// --- Wiggler Type Cable ---
// #define TDI 3
// #define TCK 2
// #define TMS 1
// #define TDO 7
//
// ------------------------------------------------------
// --- Some BCM47XX Instructions ---
#define INSTR_IDCODE 0x01
#define INSTR_EXTEST 0x00
#define INSTR_SAMPLE 0x02
#define INSTR_PRELOAD 0x02
#define INSTR_BYPASS 0xFF
#define INSTR_CONTROL 0x0A
#define INSTR_DATA 0x09
#define INSTR_ADDRESS 0x08
// --- Some EJTAG Bit Masks ---
#define TOF (1 << 1 )
#define BRKST (1 << 3 )
#define DRWN (1 << 9 )
#define DERR (1 << 10)
#define DSTRT (1 << 11)
#define SETDEV (1 << 14)
#define PROBEN (1 << 15)
#define DMAACC (1 << 17)
#define PRACC (1 << 18)
#define PRNW (1 << 19)
#define DLOCK (1 << 5 )
#define TIF (1 << 2 )
#define SYNC (1 << 23)
#define PRRST (1 << 16)
#define PERRST (1 << 20)
#define JTAGBRK (1 << 12)
#define DNM (1 << 28)
#define DMA_BYTE 0x00000000//DMA tranfser size BYTE
#define DMA_HALFWORD 0x00000080//DMA transfer size HALFWORD
#define DMA_WORD 0x00000100//DMA transfer size WORD
#define DMA_TRIPLEBYTE0x00000180//DMA transfer size TRIPLEBYTE
// --- For 2MB Flash Chips ---
#defineCFE_START_2MB 0x1FC00000
#defineCFE_LENGTH_2MB 0x40000
#defineKERNEL_START_2MB 0x1FC40000
#defineKERNEL_LENGTH_2MB 0x1B0000
#defineNVRAM_START_2MB 0x1FDF0000
#defineNVRAM_LENGTH_2MB 0x10000
#defineWHOLEFLASH_START_2MB0x1FC00000
#defineWHOLEFLASH_LENGTH_2MB 0x200000
// --- For 4MB Flash Chips ---
#defineCFE_START_4MB 0x1FC00000
#defineCFE_LENGTH_4MB 0x40000
#defineKERNEL_START_4MB 0x1FC40000
#defineKERNEL_LENGTH_4MB 0x3B0000
#defineNVRAM_START_4MB 0x1FFF0000
#defineNVRAM_LENGTH_4MB 0x10000
#defineWHOLEFLASH_START_4MB0x1FC00000
#defineWHOLEFLASH_LENGTH_4MB 0x400000
// --- For 8MB Flash Chips ---
#defineCFE_START_8MB 0x1C000000
#defineCFE_LENGTH_8MB 0x40000
#defineKERNEL_START_8MB 0x1C040000
#defineKERNEL_LENGTH_8MB 0x7A0000
#defineNVRAM_START_8MB 0x1C7E0000
#defineNVRAM_LENGTH_8MB 0x20000
#defineWHOLEFLASH_START_8MB0x1C000000
#defineWHOLEFLASH_LENGTH_8MB 0x800000
#definesize8K 0x2000
#definesize16K 0x4000
#definesize32K 0x8000
#definesize64K 0x10000
#definesize128K 0x20000
#definesize2MB 0x200000
#definesize4MB 0x400000
#definesize8MB 0x800000
#definesize16MB 0x1000000
#defineCMD_TYPE_BSC0x01
#defineCMD_TYPE_SCS0x02
#defineCMD_TYPE_AMD0x03
#defineCMD_TYPE_SST0x04
// --- Uhh, Just Because I Have To ---
static unsigned char clockout(void);
static unsigned int ReadData(void);
static unsigned int ReadWriteData(unsigned int in_data);
static unsigned int ejtag_dma_read(unsigned int addr);
static unsigned int ejtag_dma_read_h(unsigned int addr);
void ShowData(unsigned int value);
void WriteData(unsigned int in_data);
void capture_dr(void);
void capture_ir(void);
void chip_detect(void);
void chip_shutdown(void);
void clockin(int tms, int tdi);
void define_block(unsigned int block_count, unsigned int block_size);
void ejtag_dma_write(unsigned int addr, unsigned int data);
void ejtag_dma_write_h(unsigned int addr, unsigned int data);
void ejtag_issue_reset(void);
void ejtag_jtagbrk(void);
void identify_flash_part(void);
void lpt_closeport(void);
void lpt_openport(void);
void run_backup(char *filename, unsigned int start, unsigned int length);
void run_erase(char *filename, unsigned int start, unsigned int length);
void run_flash(char *filename, unsigned int start, unsigned int length);
void set_instr(int instr);
void sflash_config(void);
void sflash_erase_area(unsigned int start, unsigned int length);
void sflash_erase_block(unsigned int addr);
void sflash_probe(void);
void sflash_reset(void);
void sflash_write_word(unsigned int addr, unsigned int data);
void show_usage(void);
void test_reset(void);