WAG325N用JTAG线刷CFE的诡异现象!!!!
用JTAG线刷这个帖子里的https://www.chinadsl.net/thread-38685-1-1.html公版CFE1.0.37-11.3,64KB刷了177S,速度太慢了,最奇怪的是刷完后用TTL线查看,还是原来的CFE!!没刷成功
然后直接用BRJTAG清除CFE和NVRAM,都显示成功,再用TTL线查看还是老样子!!等于没清除!!
太奇怪了,
下面是BRJTAG清除的记录:
D:\jtag>brjtag -erase:cfe
===============================================
Broadcom EJTAG Debrick Utility v1.9o-hugebird
===============================================
Probing bus ... Done
Detected IR Length is 5
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom manufactured BCM6358 REV 01 CPU ***
- EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS16 MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 1F80000A
MPI register show Flash Access Base Addr : 1F800000
Probing Flash at Address: 0x1F800000 ...
Detected Chip ID (VenID:DevID = 007F : 227E)
*** Found a CFI Compatiable Flash Chip from EON
- Flash Chip Window Start .... : 1F800000
- Flash Chip Window Length ... : 00800000
- Selected Area Start ........ : 1F800000
- Selected Area Length ....... : 00040000
*** You Selected to Erase the CFE.BIN ***
=========================
Erasing Routine Started
=========================
Total Blocks to Erase: 4
Erasing block: 1 (addr = 1F800000)...Done
Erasing block: 2 (addr = 1F810000)...Done
Erasing block: 3 (addr = 1F820000)...Done
Erasing block: 4 (addr = 1F830000)...Done
=========================
Erasing Routine Complete
=========================
elapsed time: 2 seconds
*** REQUESTED OPERATION IS COMPLETE ***
D:\jtag>brjtag -erase:nvram
===============================================
Broadcom EJTAG Debrick Utility v1.9o-hugebird
===============================================
Probing bus ... Done
Detected IR Length is 5
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom manufactured BCM6358 REV 01 CPU ***
- EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS16 MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 1F80000A
MPI register show Flash Access Base Addr : 1F800000
Probing Flash at Address: 0x1F800000 ...
Detected Chip ID (VenID:DevID = 007F : 227E)
*** Found a CFI Compatiable Flash Chip from EON
- Flash Chip Window Start .... : 1F800000
- Flash Chip Window Length ... : 00800000
- Selected Area Start ........ : 1FFF0000
- Selected Area Length ....... : 00010000
*** You Selected to Erase the NVRAM.BIN ***
=========================
Erasing Routine Started
=========================
Total Blocks to Erase: 1
Erasing block: 128 (addr = 1FFF0000)...Done
=========================
Erasing Routine Complete
=========================
elapsed time: 0 seconds
*** REQUESTED OPERATION IS COMPLETE ***
下面是TTL的启动结果:
CFE version 1.0.37-5.4 for BCM96358 (32bit,SP,BE)
Build Date: 浜?11鏈? 7 17:06:48 CST 2006 (wanles@localhost.localdomain)
Copyright (C) 2000-2005 Broadcom Corporation.
Boot Address 0xbf800000
Initializing Arena.
Initializing Devices.
Parallel flash device: name EON FLASH, id 0x0000, size 8192KB
CPU type 0x2A010: 300MHz, Bus: 133MHz, Ref: 64MHz
Total memory: 33554432 bytes (32MB)
Total memory used by CFE:0x80401000 - 0x80527450 (1205328)
Initialized Data: 0x8041D1C0 - 0x8041EBD0 (6672)
BSS Area: 0x8041EBD0 - 0x80425450 (26752)
Local Heap: 0x80425450 - 0x80525450 (1048576)
Stack Area: 0x80525450 - 0x80527450 (8192)
Text (code) segment: 0x80401000 - 0x8041D1BC (115132)
Boot area (physical): 0x00528000 - 0x00568000
Relocation Factor: I:00000000 - D:00000000
Board IP address : 192.168.1.1
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host (f/h) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Board Id Name : 96358GW
Psi size in KB : 24
Number of MAC Addresses (1-32) : 10
Base MAC Address : 00:1d:7e:ad:fd:ad
Ethernet PHY Type : Internal
Memory size in MB : 32
CMT Thread Number : 0
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Code Address: 0xFF00FF45, Entry Address: 0xc0959e00
Failed on decompression.Corrupted image?
web info: Waiting for connection on socket 0.
CFE>
是不是这个猫的CFE储存地址和常见的不一样啊??
请大家帮看看,给点建议,我都不知道该怎么办了
我想刷WHOLEFLASH,中途停止,验证一下,看看能不能把CFE刷掉,但是不太敢刷了,第一,时间太长了,按这个速度算得6个多小时,第二,万一真的刷掉了,这个CFE的备份我还没有(虽然用JTAG备份过,但是我怀疑根本没有备份成功),就只能刷WHOLEFLASH了,而且官方的固件我也不知道里面有没有CFE,如果没有的话,刷WHOLEFLASH估计也还是砖头一块。 这个猫的官方固件用BRFWMOD认不出来
显示如下:
E:\d>brfwmod -showinfo -i 1.bin
===============================================================
Broadcom ADSL FW Image De/Compress Utility v1.7a-hugebird
Supprot CFE nvram format (Broadcom rev.3)
===============================================================
Warning!...Source TAG Checksum not match.
============Decoding Tag Information=============
Tag Ver signature = ''
SIG1(comany info) = ''
SIG2(FW version) = ''
Chip ID = ''
Board ID = ''
FW endianess = Big Endian
No CFE in Image
No RootFS in Image
No Kernel in Image
Total Image length= 0x00000000
=================================================
*** REQUESTED OPERATION IS COMPLETE, Bye! ***
E:\d> http://downloads.linksysbycisco.com/downloads/firmware/1224639133585/WAG325Nv2-EU-ANNEXA-ETSI-1.00.12_fw.zip
固件官方地址,帮我分析下看看有没有CFE,有的话,我就可以刷WHOLFLASHL恢复了,
现在的CFE支持的命令虽然少,但是至少还有希望
此CFE 支持的命令如下:
CFE> help
Available commands:
assign sercomm assign mode
download sercomm download
r Run program from flash image or from host depend on flag
reset Reset the board
help Obtain help for CFE commands
For more information about a command, enter 'help command-name'
*** command status = 0
CFE> 官方固件用ultraedit打开查看,文件头有64KB的“00”或者说“.”
64KB以后才是正常的固件 CFE没坏,直接从cfe的web里面升级固件应该就可以恢复了。
可能EON的flash有扇区保护,需要加高压才可以解除保护进行编程操作,这个就比较特殊了。
贴一下
brjtag -probeonly /verbose
显示的内容 brjtag -probeonly /verbose
显示的内容如下:
D:\jtag>brjtag -probeonly /verbose
===============================================
Broadcom EJTAG Debrick Utility v1.9o-hugebird
===============================================
Probing bus ... Done
Detected IR Length is 5
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom manufactured BCM6358 REV 01 CPU ***
- EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS16 MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 06008000
MPI register show Flash Access Base Addr : 06008000
Probing Flash at Address: 0x06008000 ...
Read raw Chip ID (MfrID:DevID = 0000 : 8000)
Detected Chip ID (VenID:DevID = 0000 : 8000)
Read Array Starting from offset
Array = 0x0000
Array = 0x0000
Array = 0x0000
Read Array Starting from offset
Array = 0x0000
Array = 0x0000
Array = 0x0000
Read Array Starting from offset
Array = 0x0000
Array = 0x0000
Array = 0x0000
Read Array Starting from offset
Array = 0x0000
Array = 0x0000
Array = 0x0000
*** Unknown or NO Flash Chip Detected ***
*** REQUESTED OPERATION IS COMPLETE ***
D:\jtag> D:\jtag>brjtag -probeonly /verbose /fc:099
===============================================
Broadcom EJTAG Debrick Utility v1.9o-hugebird
===============================================
Probing bus ... Done
Detected IR Length is 5
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom manufactured BCM6358 REV 01 CPU ***
- EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS16 MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 06008000
MPI register show Flash Access Base Addr : 06008000
Matching Flash Chip (VenID:DevID = 007F : 227E)
*** Manually Selected a EON EN29LV640H/L Uni (8MB) from EON
*** REQUESTED OPERATION IS COMPLETE ***
D:\jtag> 通电瞬间的结果,好像还没有完全认出FLASH,FLASH是 EN29LV640H
D:\jtag>brjtag -probeonly /verbose
===============================================
Broadcom EJTAG Debrick Utility v1.9o-hugebird
===============================================
Probing bus ... Done
Detected IR Length is 5
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom manufactured BCM6358 REV 01 CPU ***
- EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS16 MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 2000001E
MPI register show Flash Access Base Addr : 00000000
Probing Flash at Address: 0x00000000 ...
Read raw Chip ID (MfrID:DevID = 0000 : 001E)
Detected Chip ID (VenID:DevID = 0000 : 001E)
Read Array Starting from offset
Array = 0x0000
Array = 0x001E
Array = 0x0000
Read Array Starting from offset
Array = 0x0000
Array = 0x001E
Array = 0x0000
Read Array Starting from offset
Array = 0x0000
Array = 0x001E
Array = 0x0000
Read Array Starting from offset
Array = 0x0000
Array = 0x001E
Array = 0x0000
*** Unknown or NO Flash Chip Detected ***
*** REQUESTED OPERATION IS COMPLETE *** hugebird 发表于 2011-2-16 22:43 static/image/common/back.gif
CFE没坏,直接从cfe的web里面升级固件应该就可以恢复了。
可能EON的flash有扇区保护,需要加高压才可以解除 ...
flash有扇区保护,我换成别的FLASH芯片(如ST的 S29GL064M90TFIR4,家里有两片新的)再刷,行吗?如果加高压如何操作,
CFE没坏的话,那我以前备份的CFE对不对也不知道了,
flash有扇区保护,那我用wholeFLASH刷是不是也是白忙活?
从cfe的web里面升级固件,也试过,但是不知道具体的网页地址,192.168.1.1根本进不去,
页:
[1]
2