Broadcom路由DSL猫用的JTAG工具最新版

hugebird

2.0.1

增加BCM Chipc spi控制器支持，理论可以支持大部分wifi路由spi flash读写。

hugebird

春节这一周都用在这上面了，只有长假期间可以投入一下，平时实在找不到合适的时间。
wifi系列的spi flash估计基本都可以支持了，63x8的spi控制器有好几种，要再等等再说。
如果spi flash cfe出错，jtag无法进入debug模式，还需要按照短接的方法修正。
读写spi flash，建议用并口线，usbasp，stm32 这3个版本的硬件。ft2232和jlink由于不能进行实时轮询，不能进行批量读写，速度可能很慢，提醒大家注意下。

hugebird

sycy 发表于 2011-1-30 00:13
你好,老大,有个问题想请教一下:
WRT350N V1 的路由.用的是J-link.j-link 版本4.08

注意下是否提示“NOT enter Debug mode”，如果无法进入调试模式，可能是flash cfe代码写入有问题，采用OE接地方式加电，再进行jtag读写操作

uzer222

hi! i have some errors

brjtag -flash:cfe /cable:3

<code>

HID-Brjtag MCU ROM version: 1.04 on USBASP hardware!

Probing bus ... Done
Detected IR Length is 5
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom manufactured BCM6348 REV 01 CPU ***

    - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...0x1FC00000

Probing Flash at Address: 0x1FC00000 ...
Detected pFlash Chip ID (VenID:DevID = 00C2 : 22A8)
*** Found a (4MB) CFI Compatiable Flash Chip from Macronix

    - Flash Chip Window Start .... : 1FC00000
    - Flash Chip Window Length ... : 00400000
    - Selected Area Start ........ : 1FC00000
    - Selected Area Length ....... : 00040000

*** You Selected to Flash the CFE.BIN ***

=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 11

Erasing block: 1 (addr = 1FC00000)...Done
Erasing block: 2 (addr = 1FC02000)...Done
....
Erasing block: 8 (addr = 1FC0E000)...Done
Erasing block: 9 (addr = 1FC10000)...Done
Erasing block: 10 (addr = 1FC20000)...Done
Erasing block: 11 (addr = 1FC30000)...Done

Loading CFE.BIN to Flash Memory...
   3%   bytes = 8448
dma write not correctly !!
3809CCFD - FFFFCCFD
dma write not correctly !!
3E4F9D36 - 3E4FFFFF
   3%   bytes = 9248
dma write not correctly !!
777BED35 - FFFFED35
   4%   bytes = 12576
dma write not correctly !!
3F62309F - 3F62304F
   5%   bytes = 14304
dma write not correctly !!
2ADD073A - FFFF073A
   5%   bytes = 14688
dma write not correctly !!
1BA18939 - FFFF8939
   5%   bytes = 15008
dma write not correctly !!
EA50D8A4 - E6125EE0
   6%   bytes = 16128
dma write not correctly !!
C5A8B269 - C5A8FFFF
   6%   bytes = 16672
dma write not correctly !!
1C6D4CDF - 1C6D4C6F
   6%   bytes = 17184
dma write not correctly !!
B2CAB9DF - B2CAB96F
   7%   bytes = 20032
Done  (CFE.BIN loaded into Flash Memory OK)

=========================
Flashing Routine Complete
=========================
elapsed time: 101 seconds

*** REQUESTED OPERATION IS COMPLETE ***
</code>

hugebird

回复 uzer222 的帖子

The error info show partial write failure. May caused by not enough polling time delay for older MXIC flash chip. try add /L4:128 switch let polling time delay to 128us
>brjtag -flash:cfe /cable:3 /L4:128 /L1:5
or
> brjtag -flash:cfe /cable:3 /L9:1
or
> brjtag -flash:cfe /cable:3 /safemode

uzer222

回复 hugebird 的帖子

> brjtag -flash:cfe /cable:3 /L4:128 /L1:5     - this command makes much errors
> brjtag -flash:cfe /cable:3 /L9:1  - this -many
> brjtag -flash:cfe /cable:3 /safemode  - this ok

thanks!

maybe you know about this error? this error appears sometimes

> brjtag -probeonly /erasechip /port:e000

1. 
   
2.          Broadcom EJTAG Debrick Utility v2.0.1-hugebird
   
3. Probing bus ... Done
   
4. Detected IR Length is 5
   
5. CPU assumed running under BIG endian
   
6. 
   
7. CPU Chip ID: 00000110001101001000000101111111 (0634817F)
   
8. *** Found a Broadcom manufactured BCM6348 REV 01 CPU ***
   
9. 
   
10.     - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
    
11.     - EJTAG Version ....... : 1 or 2.0
    
12.     - EJTAG DMA Support ... : Yes
    
13.     - EJTAG Implementation flags: R4k MIPS32
    
14. 
    
15. Issuing Processor / Peripheral Reset ... Done
    
16. Enabling Memory Writes ... Done
    
17. Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
    
18. Clearing Watchdog ... Done
    
19. Loading CPU Configuration Code ... Skipped
    
20. [b]Detecting Flash Base Address...Address invalid!, Skipped.[/b]
    
21. 
    
22. Probing Flash at Address: 0x1FC00000 ...
    
23. [b]Detected pFlash Chip ID (VenID:DevID = 0000 : 0000)[/b]
    
24. *** Unknown or NO Flash Chip Detected ***
    
25. *** REQUESTED OPERATION IS COMPLETE ***
    

复制代码

hugebird

回复 uzer222 的帖子

Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done

very common error,  avoid this error by optimizting the delay between power-on device and running brjtag command.
*) When using this utility, usually it is best to type the command line
            out, then power up the router, about 0.5 second delay, hit <ENTER>
             quickly to avoid bad CFE code lead to <CPU NOT enter Debug mode>
             or the CPUs watchdog interfering with the EJTAG operations.

If always not enter debug mode, Maybe the currupt CFE lead cpu reject jtag debugging. could short flash oe# pin to GND (shall OE# to vcc with a resistance, but oe# to gnd also works) before power-on device, prevent from boot code loading, then running brjtag. follow the pic show.

thethree

用 dma 写 wrt54gs 不工作:

1. 
   
2. c:\brjtag.exe -flash:cfe /noemw /cable:1
   
3. 
   
4.         ===============================================
   
5.          Broadcom EJTAG Debrick Utility v1.9o-hugebird
   
6.         ===============================================
   
7. 
   
8. 
   
9. Set I/O speed to 6000 KHz
   
10. 
    
11. USB TAP device has been initialized. Please confirm VREF signal connected!
    
12. Press any key to continue... ONCE target board is powered on!
    
13. 
    
14. Probing bus ... Done
    
15. 
    
16. Detected IR Length is 8
    
17. 
    
18. CPU assumed running under LITTLE endian
    
19. 
    
20. CPU Chip ID: 00010100011100010010000101111111 (1471217F)
    
21. *** Found a Broadcom manufactured BCM4712 REV 01 CPU ***
    
22. 
    
23.     - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
    
24.     - EJTAG Version ....... : 1 or 2.0
    
25.     - EJTAG DMA Support ... : Yes
    
26.     - EJTAG Implementation flags: R4k MIPS32
    
27. 
    
28. Issuing Processor / Peripheral Reset ... Done
    
29. Enabling Memory Writes ... Skipped
    
30. Halting Processor ... <Processor Entered Debug Mode!> ... Done
    
31. Clearing Watchdog ... Done
    
32. Loading CPU Configuration Code ... Skipped
    
33. 
    
34. Probing Flash at Address: 0x1FC00000 ...
    
35. Detected Chip ID (VenID:DevID = 0089 : 0017)
    
36. *** Found a Intel 28F640J3 4Mx16       (8MB) Flash Chip from Intel
    
37. 
    
38.     - Flash Chip Window Start .... : 1C000000
    
39.     - Flash Chip Window Length ... : 00800000
    
40.     - Selected Area Start ........ : 1C000000
    
41.     - Selected Area Length ....... : 00040000
    
42. 
    
43. *** You Selected to Flash the CFE.BIN ***
    
44. 
    
45. =========================
    
46. Flashing Routine Started
    
47. =========================
    
48. Total Blocks to Erase: 2
    
49. 
    
50. Erasing block: 1 (addr = 1C000000)...Done
    
51. Erasing block: 2 (addr = 1C020000)...Done
    
52. 
    
53. Loading CFE.BIN to Flash Memory...
    
54. 
    
55. dma write not correctly !!
    
56. 10000817 - 00800080
    
57. 
    
58. dma write not correctly !!
    
59. 00000000 - 00800080
    
60. 
    
61. dma write not correctly !!
    
62. 00000000 - 00800080
    
63. 
    
64. dma write not correctly !!
    
65. 00000000 - 00800080
    
66. 
    
67. dma write not correctly !!
    
68. 00000000 - 00800080
    
69. 
    
70. dma write not correctly !!
    
71. 00000000 - 00800080
    
72. 
    
73. dma write not correctly !!
    
74. 00000000 - 00800080

复制代码

不用 dma, 写到 89% 就停了：

1. c:\brjtag.exe -flash:cfe /noemw /nodma /cable:1
   
2. 
   
3.         ===============================================
   
4.          Broadcom EJTAG Debrick Utility v1.9o-hugebird
   
5.         ===============================================
   
6. 
   
7. 
   
8. Set I/O speed to 6000 KHz
   
9. 
   
10. USB TAP device has been initialized. Please confirm VREF signal connected!
    
11. Press any key to continue... ONCE target board is powered on!
    
12. 
    
13. Probing bus ... Done
    
14. 
    
15. Detected IR Length is 8
    
16. 
    
17. CPU assumed running under LITTLE endian
    
18. 
    
19. CPU Chip ID: 00010100011100010010000101111111 (1471217F)
    
20. *** Found a Broadcom manufactured BCM4712 REV 01 CPU ***
    
21. 
    
22.     - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
    
23.     - EJTAG Version ....... : 1 or 2.0
    
24.     - EJTAG DMA Support ... : Yes
    
25.     - EJTAG Implementation flags: R4k MIPS32
    
26.     *** DMA Mode Forced Off ***
    
27. 
    
28. Issuing Processor / Peripheral Reset ... Done
    
29. Enabling Memory Writes ... Skipped
    
30. Halting Processor ... <Processor Entered Debug Mode!> ... Done
    
31. Clearing Watchdog ... Done
    
32. Loading CPU Configuration Code ... Skipped
    
33. 
    
34. Probing Flash at Address: 0x1FC00000 ...
    
35. Detected Chip ID (VenID:DevID = 0089 : 0017)
    
36. *** Found a CFI Compatiable Flash Chip from Intel
    
37. 
    
38.     - Flash Chip Window Start .... : 1C000000
    
39.     - Flash Chip Window Length ... : 00800000
    
40.     - Selected Area Start ........ : 1C000000
    
41.     - Selected Area Length ....... : 00040000
    
42. 
    
43. *** You Selected to Flash the CFE.BIN ***
    
44. 
    
45. =========================
    
46. Flashing Routine Started
    
47. =========================
    
48. Total Blocks to Erase: 2
    
49. 
    
50. Erasing block: 1 (addr = 1C000000)...Done
    
51. Erasing block: 2 (addr = 1C020000)...Done
    
52. 
    
53. Loading CFE.BIN to Flash Memory...
    
54. ^C89%   bytes = 234060
    
55. c:\>
    

复制代码

用 2.01 也是一样的结果。

有人试过吗？
谢谢！

hugebird

回复 hugebird 的帖子

2.02

- 修正2.01 引入的一个读取错误
-为hidbrjtag rom增加并行flash写入状态查询。一直以来并行flash写入是以精确延时来保证写入正确，在对较老设备进行写入时延时不好调整，2.02配合hidbrjtag rom可以查询flash的写入状态标志，从而可以有更好的兼容性。效率可能会比精确延时差。
通过/L4:128激活。

hugebird

回复 thethree 的帖子

手里没有intel芯片的设备，这部分从没测试过。
看你写入用6MHz，这个速度很难成功的。用/L1:xxx参数将速度降到2MHz一下为好。
ft2232, 可以用/L1:5 降到1MHz
或者用/L9:1选择安全写入脚本。

还有就是是否部分写入成功还是根本无法写入，给的信息太少，无法进行判断