WAG325N用JTAG线刷CFE的诡异现象!!!!

smallfish001

用JTAG线刷这个帖子里的https://www.chinadsl.net/thread-38685-1-1.html
公版CFE1.0.37-11.3，64KB刷了177S，速度太慢了，最奇怪的是刷完后用TTL线查看，还是原来的CFE!!没刷成功
然后直接用BRJTAG清除CFE和NVRAM，都显示成功，再用TTL线查看还是老样子！！等于没清除！！

太奇怪了，
下面是BRJTAG清除的记录：
D:\jtag>brjtag -erase:cfe
        ===============================================
         Broadcom EJTAG Debrick Utility v1.9o-hugebird
        ===============================================
Probing bus ... Done
Detected IR Length is 5
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom manufactured BCM6358 REV 01 CPU ***
    - EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS16 MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 1F80000A
MPI register show Flash Access Base Addr : 1F800000
Probing Flash at Address: 0x1F800000 ...
Detected Chip ID (VenID:DevID = 007F : 227E)
*** Found a CFI Compatiable Flash Chip from EON
    - Flash Chip Window Start .... : 1F800000
    - Flash Chip Window Length ... : 00800000
    - Selected Area Start ........ : 1F800000
    - Selected Area Length ....... : 00040000
*** You Selected to Erase the CFE.BIN ***
=========================
Erasing Routine Started
=========================
Total Blocks to Erase: 4
Erasing block: 1 (addr = 1F800000)...Done
Erasing block: 2 (addr = 1F810000)...Done
Erasing block: 3 (addr = 1F820000)...Done
Erasing block: 4 (addr = 1F830000)...Done
=========================
Erasing Routine Complete
=========================
elapsed time: 2 seconds

*** REQUESTED OPERATION IS COMPLETE ***

D:\jtag>brjtag -erase:nvram
        ===============================================
         Broadcom EJTAG Debrick Utility v1.9o-hugebird
        ===============================================
Probing bus ... Done
Detected IR Length is 5
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom manufactured BCM6358 REV 01 CPU ***
    - EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS16 MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 1F80000A
MPI register show Flash Access Base Addr : 1F800000
Probing Flash at Address: 0x1F800000 ...
Detected Chip ID (VenID:DevID = 007F : 227E)
*** Found a CFI Compatiable Flash Chip from EON
    - Flash Chip Window Start .... : 1F800000
    - Flash Chip Window Length ... : 00800000
    - Selected Area Start ........ : 1FFF0000
    - Selected Area Length ....... : 00010000
*** You Selected to Erase the NVRAM.BIN ***
=========================
Erasing Routine Started
=========================
Total Blocks to Erase: 1
Erasing block: 128 (addr = 1FFF0000)...Done
=========================
Erasing Routine Complete
=========================
elapsed time: 0 seconds

*** REQUESTED OPERATION IS COMPLETE ***


下面是TTL的启动结果：
CFE version 1.0.37-5.4 for BCM96358 (32bit,SP,BE)
Build Date: 浜?11鏈? 7 17:06:48 CST 2006 (wanles@localhost.localdomain)
Copyright (C) 2000-2005 Broadcom Corporation.
Boot Address 0xbf800000
Initializing Arena.
Initializing Devices.
Parallel flash device: name EON FLASH, id 0x0000, size 8192KB
CPU type 0x2A010: 300MHz, Bus: 133MHz, Ref: 64MHz
Total memory: 33554432 bytes (32MB)
Total memory used by CFE:  0x80401000 - 0x80527450 (1205328)
Initialized Data:          0x8041D1C0 - 0x8041EBD0 (6672)
BSS Area:                  0x8041EBD0 - 0x80425450 (26752)
Local Heap:                0x80425450 - 0x80525450 (1048576)
Stack Area:                0x80525450 - 0x80527450 (8192)
Text (code) segment:       0x80401000 - 0x8041D1BC (115132)
Boot area (physical):      0x00528000 - 0x00568000
Relocation Factor:         I:00000000 - D:00000000
Board IP address                  : 192.168.1.1  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host (f/h)         : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Board Id Name                     : 96358GW  
Psi size in KB                    : 24
Number of MAC Addresses (1-32)    : 10  
Base MAC Address                  : 00:1d:7e:ad:fd:ad  
Ethernet PHY Type                 : Internal
Memory size in MB                 : 32
CMT Thread Number                 : 0
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Code Address: 0xFF00FF45, Entry Address: 0xc0959e00
Failed on decompression.  Corrupted image?
web info: Waiting for connection on socket 0.
CFE>

是不是这个猫的CFE储存地址和常见的不一样啊？？

请大家帮看看，给点建议，我都不知道该怎么办了

smallfish001

我想刷WHOLEFLASH，中途停止，验证一下，看看能不能把CFE刷掉，但是不太敢刷了，第一，时间太长了，按这个速度算得6个多小时，第二，万一真的刷掉了，这个CFE的备份我还没有（虽然用JTAG备份过，但是我怀疑根本没有备份成功），就只能刷WHOLEFLASH了，而且官方的固件我也不知道里面有没有CFE，如果没有的话，刷WHOLEFLASH估计也还是砖头一块。

smallfish001

这个猫的官方固件用BRFWMOD认不出来
显示如下：
E:\d>brfwmod -showinfo -i 1.bin

===============================================================
   Broadcom ADSL FW Image De/Compress Utility v1.7a-hugebird
           Supprot CFE nvram format (Broadcom rev.3)
===============================================================

Warning!...Source TAG Checksum not match.


============Decoding Tag Information=============
    Tag Ver signature   = ''
    SIG1(comany info)   = ''
    SIG2(FW version)    = ''
    Chip ID             = ''
    Board ID            = ''
    FW endianess        = Big Endian
    No CFE in Image
    No RootFS in Image
    No Kernel in Image
    Total Image length  = 0x00000000
=================================================



*** REQUESTED OPERATION IS COMPLETE, Bye! ***


E:\d>

smallfish001

http://downloads.linksysbycisco. ... ETSI-1.00.12_fw.zip

固件官方地址，帮我分析下看看有没有CFE，有的话，我就可以刷WHOLFLASHL恢复了，
现在的CFE支持的命令虽然少，但是至少还有希望
此CFE 支持的命令如下：

CFE> help
Available commands:

assign              sercomm assign mode
download            sercomm download
r                   Run program from flash image or from host depend on [f/h] flag
reset               Reset the board
help                Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** command status = 0
CFE>

smallfish001

官方固件用ultraedit打开查看，文件头有64KB的“00”或者说“.”
64KB以后才是正常的固件

hugebird

CFE没坏，直接从cfe的web里面升级固件应该就可以恢复了。
可能EON的flash有扇区保护，需要加高压才可以解除保护进行编程操作，这个就比较特殊了。
贴一下
brjtag -probeonly /verbose
显示的内容

smallfish001

brjtag -probeonly /verbose
显示的内容如下：

D:\jtag>brjtag -probeonly /verbose

        ===============================================
         Broadcom EJTAG Debrick Utility v1.9o-hugebird
        ===============================================


Probing bus ... Done

Detected IR Length is 5

CPU assumed running under BIG endian

CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom manufactured BCM6358 REV 01 CPU ***

    - EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS16 MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 06008000
MPI register show Flash Access Base Addr : 06008000

Probing Flash at Address: 0x06008000 ...
Read raw Chip ID (MfrID:DevID = 0000 : 8000)
Detected Chip ID (VenID:DevID = 0000 : 8000)


Read Array Starting from offset [0x0010]
Array[0x10] = 0x0000
Array[0x11] = 0x0000
Array[0x12] = 0x0000


Read Array Starting from offset [0x0010]
Array[0x10] = 0x0000
Array[0x11] = 0x0000
Array[0x12] = 0x0000


Read Array Starting from offset [0x0010]
Array[0x10] = 0x0000
Array[0x11] = 0x0000
Array[0x12] = 0x0000


Read Array Starting from offset [0x0010]
Array[0x10] = 0x0000
Array[0x11] = 0x0000
Array[0x12] = 0x0000
*** Unknown or NO Flash Chip Detected ***


*** REQUESTED OPERATION IS COMPLETE ***


D:\jtag>

smallfish001

D:\jtag>brjtag -probeonly /verbose /fc:099

        ===============================================
         Broadcom EJTAG Debrick Utility v1.9o-hugebird
        ===============================================


Probing bus ... Done

Detected IR Length is 5

CPU assumed running under BIG endian

CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom manufactured BCM6358 REV 01 CPU ***

    - EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS16 MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 06008000
MPI register show Flash Access Base Addr : 06008000
Matching Flash Chip (VenID:DevID = 007F : 227E)

*** Manually Selected a EON EN29LV640H/L Uni       (8MB) from EON



*** REQUESTED OPERATION IS COMPLETE ***


D:\jtag>

smallfish001

通电瞬间的结果，好像还没有完全认出FLASH，FLASH是 EN29LV640H
D:\jtag>brjtag -probeonly /verbose

        ===============================================
         Broadcom EJTAG Debrick Utility v1.9o-hugebird
        ===============================================


Probing bus ... Done

Detected IR Length is 5

CPU assumed running under BIG endian

CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom manufactured BCM6358 REV 01 CPU ***

    - EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS16 MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 2000001E
MPI register show Flash Access Base Addr : 00000000

Probing Flash at Address: 0x00000000 ...
Read raw Chip ID (MfrID:DevID = 0000 : 001E)
Detected Chip ID (VenID:DevID = 0000 : 001E)


Read Array Starting from offset [0x0010]
Array[0x10] = 0x0000
Array[0x11] = 0x001E
Array[0x12] = 0x0000


Read Array Starting from offset [0x0010]
Array[0x10] = 0x0000
Array[0x11] = 0x001E
Array[0x12] = 0x0000


Read Array Starting from offset [0x0010]
Array[0x10] = 0x0000
Array[0x11] = 0x001E
Array[0x12] = 0x0000


Read Array Starting from offset [0x0010]
Array[0x10] = 0x0000
Array[0x11] = 0x001E
Array[0x12] = 0x0000
*** Unknown or NO Flash Chip Detected ***


*** REQUESTED OPERATION IS COMPLETE ***

smallfish001

hugebird 发表于 2011-2-16 22:43
CFE没坏，直接从cfe的web里面升级固件应该就可以恢复了。
可能EON的flash有扇区保护，需要加高压才可以解除 ...

flash有扇区保护，我换成别的FLASH芯片（如ST的 S29GL064M90TFIR4，家里有两片新的）再刷，行吗？如果加高压如何操作，
CFE没坏的话，那我以前备份的CFE对不对也不知道了，
flash有扇区保护，那我用wholeFLASH刷是不是也是白忙活？
从cfe的web里面升级固件，也试过，但是不知道具体的网页地址，192.168.1.1根本进不去，