hugebird
发表于 2011-2-8 19:21:26
2.0.1
增加BCM Chipc spi控制器支持,理论可以支持大部分wifi路由spi flash读写。
hugebird
发表于 2011-2-8 19:37:03
春节这一周都用在这上面了,只有长假期间可以投入一下,平时实在找不到合适的时间。
wifi系列的spi flash估计基本都可以支持了,63x8的spi控制器有好几种,要再等等再说。
如果spi flash cfe出错,jtag无法进入debug模式,还需要按照短接的方法修正。
读写spi flash,建议用并口线,usbasp,stm32 这3个版本的硬件。ft2232和jlink由于不能进行实时轮询,不能进行批量读写,速度可能很慢,提醒大家注意下。
hugebird
发表于 2011-2-8 19:40:29
sycy 发表于 2011-1-30 00:13 static/image/common/back.gif
你好,老大,有个问题想请教一下:
WRT350N V1 的路由.用的是J-link.j-link 版本4.08
注意下是否提示“NOT enter Debug mode”,如果无法进入调试模式,可能是flash cfe代码写入有问题,采用OE接地方式加电,再进行jtag读写操作
uzer222
发表于 2011-2-9 07:09:35
本帖最后由 uzer222 于 2011-2-9 07:11 编辑
hi! i have some errors
brjtag -flash:cfe /cable:3
<code>
HID-Brjtag MCU ROM version: 1.04 on USBASP hardware!
Probing bus ... Done
Detected IR Length is 5
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom manufactured BCM6348 REV 01 CPU ***
- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...0x1FC00000
Probing Flash at Address: 0x1FC00000 ...
Detected pFlash Chip ID (VenID:DevID = 00C2 : 22A8)
*** Found a (4MB) CFI Compatiable Flash Chip from Macronix
- Flash Chip Window Start .... : 1FC00000
- Flash Chip Window Length ... : 00400000
- Selected Area Start ........ : 1FC00000
- Selected Area Length ....... : 00040000
*** You Selected to Flash the CFE.BIN ***
=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 11
Erasing block: 1 (addr = 1FC00000)...Done
Erasing block: 2 (addr = 1FC02000)...Done
....
Erasing block: 8 (addr = 1FC0E000)...Done
Erasing block: 9 (addr = 1FC10000)...Done
Erasing block: 10 (addr = 1FC20000)...Done
Erasing block: 11 (addr = 1FC30000)...Done
Loading CFE.BIN to Flash Memory...
3% bytes = 8448
dma write not correctly !!
3809CCFD - FFFFCCFD
dma write not correctly !!
3E4F9D36 - 3E4FFFFF
3% bytes = 9248
dma write not correctly !!
777BED35 - FFFFED35
4% bytes = 12576
dma write not correctly !!
3F62309F - 3F62304F
5% bytes = 14304
dma write not correctly !!
2ADD073A - FFFF073A
5% bytes = 14688
dma write not correctly !!
1BA18939 - FFFF8939
5% bytes = 15008
dma write not correctly !!
EA50D8A4 - E6125EE0
6% bytes = 16128
dma write not correctly !!
C5A8B269 - C5A8FFFF
6% bytes = 16672
dma write not correctly !!
1C6D4CDF - 1C6D4C6F
6% bytes = 17184
dma write not correctly !!
B2CAB9DF - B2CAB96F
7% bytes = 20032
Done(CFE.BIN loaded into Flash Memory OK)
=========================
Flashing Routine Complete
=========================
elapsed time: 101 seconds
*** REQUESTED OPERATION IS COMPLETE ***
</code>
hugebird
发表于 2011-2-9 09:57:57
回复 uzer222 的帖子
The error info show partial write failure. May caused by not enough polling time delay for older MXIC flash chip. try add /L4:128 switch let polling time delay to 128us
>brjtag -flash:cfe /cable:3 /L4:128 /L1:5
or
> brjtag -flash:cfe /cable:3 /L9:1
or
> brjtag -flash:cfe /cable:3 /safemode
uzer222
发表于 2011-2-10 07:05:43
本帖最后由 uzer222 于 2011-2-10 07:15 编辑
回复 hugebird 的帖子
> brjtag -flash:cfe /cable:3 /L4:128 /L1:5 - this command makes much errors
> brjtag -flash:cfe /cable:3 /L9:1- this -many
> brjtag -flash:cfe /cable:3 /safemode- this ok
thanks!
maybe you know about this error? this error appears sometimes
> brjtag -probeonly /erasechip /port:e000
Broadcom EJTAG Debrick Utility v2.0.1-hugebird
Probing bus ... Done
Detected IR Length is 5
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom manufactured BCM6348 REV 01 CPU ***
- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...Address invalid!, Skipped.
Probing Flash at Address: 0x1FC00000 ...
Detected pFlash Chip ID (VenID:DevID = 0000 : 0000)
*** Unknown or NO Flash Chip Detected ***
*** REQUESTED OPERATION IS COMPLETE ***
hugebird
发表于 2011-2-10 10:13:17
本帖最后由 hugebird 于 2011-2-10 10:15 编辑
回复 uzer222 的帖子
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
very common error,avoid this error by optimizting the delay between power-on device and running brjtag command.
*) When using this utility, usually it is best to type the command line
out, then power up the router, about 0.5 second delay, hit <ENTER>
quickly to avoid bad CFE code lead to <CPU NOT enter Debug mode>
or the CPUs watchdog interfering with the EJTAG operations.
If always not enter debug mode, Maybe the currupt CFE lead cpu reject jtag debugging. could short flash oe# pin to GND (shall OE# to vcc with a resistance, but oe# to gnd also works) before power-on device, prevent from boot code loading, then running brjtag. follow the pic show.
thethree
发表于 2011-2-12 21:22:50
用 dma 写 wrt54gs 不工作:
c:\brjtag.exe -flash:cfe /noemw /cable:1
===============================================
Broadcom EJTAG Debrick Utility v1.9o-hugebird
===============================================
Set I/O speed to 6000 KHz
USB TAP device has been initialized. Please confirm VREF signal connected!
Press any key to continue... ONCE target board is powered on!
Probing bus ... Done
Detected IR Length is 8
CPU assumed running under LITTLE endian
CPU Chip ID: 00010100011100010010000101111111 (1471217F)
*** Found a Broadcom manufactured BCM4712 REV 01 CPU ***
- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Probing Flash at Address: 0x1FC00000 ...
Detected Chip ID (VenID:DevID = 0089 : 0017)
*** Found a Intel 28F640J3 4Mx16 (8MB) Flash Chip from Intel
- Flash Chip Window Start .... : 1C000000
- Flash Chip Window Length ... : 00800000
- Selected Area Start ........ : 1C000000
- Selected Area Length ....... : 00040000
*** You Selected to Flash the CFE.BIN ***
=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 2
Erasing block: 1 (addr = 1C000000)...Done
Erasing block: 2 (addr = 1C020000)...Done
Loading CFE.BIN to Flash Memory...
dma write not correctly !!
10000817 - 00800080
dma write not correctly !!
00000000 - 00800080
dma write not correctly !!
00000000 - 00800080
dma write not correctly !!
00000000 - 00800080
dma write not correctly !!
00000000 - 00800080
dma write not correctly !!
00000000 - 00800080
dma write not correctly !!
00000000 - 00800080
不用 dma, 写到 89% 就停了:
c:\brjtag.exe -flash:cfe /noemw /nodma /cable:1
===============================================
Broadcom EJTAG Debrick Utility v1.9o-hugebird
===============================================
Set I/O speed to 6000 KHz
USB TAP device has been initialized. Please confirm VREF signal connected!
Press any key to continue... ONCE target board is powered on!
Probing bus ... Done
Detected IR Length is 8
CPU assumed running under LITTLE endian
CPU Chip ID: 00010100011100010010000101111111 (1471217F)
*** Found a Broadcom manufactured BCM4712 REV 01 CPU ***
- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
*** DMA Mode Forced Off ***
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Probing Flash at Address: 0x1FC00000 ...
Detected Chip ID (VenID:DevID = 0089 : 0017)
*** Found a CFI Compatiable Flash Chip from Intel
- Flash Chip Window Start .... : 1C000000
- Flash Chip Window Length ... : 00800000
- Selected Area Start ........ : 1C000000
- Selected Area Length ....... : 00040000
*** You Selected to Flash the CFE.BIN ***
=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 2
Erasing block: 1 (addr = 1C000000)...Done
Erasing block: 2 (addr = 1C020000)...Done
Loading CFE.BIN to Flash Memory...
^C89% bytes = 234060
c:\>
用 2.01 也是一样的结果。
有人试过吗?
谢谢!
hugebird
发表于 2011-2-13 01:12:04
回复 hugebird 的帖子
2.02
- 修正2.01 引入的一个读取错误
-为hidbrjtag rom增加并行flash写入状态查询。一直以来并行flash写入是以精确延时来保证写入正确,在对较老设备进行写入时延时不好调整,2.02配合hidbrjtag rom可以查询flash的写入状态标志,从而可以有更好的兼容性。效率可能会比精确延时差。
通过/L4:128激活。
hugebird
发表于 2011-2-13 01:18:16
回复 thethree 的帖子
手里没有intel芯片的设备,这部分从没测试过。
看你写入用6MHz,这个速度很难成功的。用/L1:xxx参数将速度降到2MHz一下为好。
ft2232, 可以用/L1:5 降到1MHz
或者用/L9:1选择安全写入脚本。
还有就是是否部分写入成功还是根本无法写入,给的信息太少,无法进行判断