CFE save command(s)

barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13027
Location: Behind The Reset Button

PostPosted: Mon Jun 21, 2010 23:24    Post subject: CFE save command(s) Reply with quote
I'm trying to figure out how to use serial console and grab sections of the flash chip.. Not going so well.

Boot says: Flash device: 0x800000 at 0x1c000000

So I figure that is the length & address of the flash chip.. No..

CFE> ^C
CFE> ifconfig eth0 -addr=192.168.254.140 -mask=255.255.255.0 -gw=192.168.254.100
Device eth0: hwaddr 00-1A-70-FD-EE-02, ipaddr 192.168.254.140, mask 255.255.255.0
gateway 192.168.254.100, nameserver not set
*** command status = 0

CFE> help save

SUMMARY

Save a region of memory to a remote file via TFTP

USAGE

save [-options] host:filename startaddr length


*** command status = 0
CFE> save 192.168.254.100 : test.bin 0x1c000000 0x800000

Returns the following... then the router boots:

**Exception 8: EPC=8070E204, Cause=00008008 (TLBMissRd)
RA=807183BC, VAddr=00000000


0 ($00) = 00000000 AT ($01) = 80730000
v0 ($02) = 00000002 v1 ($03) = 00000001
a0 ($04) = 00000000 a1 ($05) = 00000002
a2 ($06) = 807519A2 a3 ($07) = 00000032
t0 ($08) = 80739018 t1 ($09) = 00000010
t2 ($10) = 00000104 t3 ($11) = 00000001
t4 ($12) = B8000000 t5 ($13) = 000001E4
t6 ($14) = 807970B0 t7 ($15) = 00000000
s0 ($16) = 00000000 s1 ($17) = 80751970
s2 ($18) = 80739158 s3 ($19) = 00000000
s4 ($20) = 8073936A s5 ($21) = 066FF300
s6 ($22) = B8000090 s7 ($23) = B8000094
t8 ($24) = 02000000 t9 ($25) = 00000000
k0 ($26) = 807561CC k1 ($27) = 00000000
gp ($28) = 80736860 sp ($29) = 80797358
fp ($30) = 00000000 ra ($31) = 807183BC


boots here

CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Wed Sep 24 02:39:52 EDT 2008 (tornado@dd-wrt.com)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

****************************

So.. There is no help available for [-options] and the old cfe documentation I have doesn't give too much info for the save command.

Can anybody give me a hand?

The router I am using for this is a TM with a dd-wrt cfe running dd-wrt. This is to get it figured out.. In case I trash this router, I can recover it.. I need this procedure for another device that has no jtag.

I've tried it every which way.. leaving out the preceding 0x~, no space before or after the colon ":".. I'm crashing and burning..

_________________
[Moderator Deleted] Shocked
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13027
Location: Behind The Reset Button

PostPosted: Mon Jun 21, 2010 23:56    Post subject: Reply with quote
Returns the following... then the router boots:

**Exception 8: EPC=8070E204, Cause=00008008 (TLBMissRd)
RA=807183BC, VAddr=00000000


Does RA mean "real address" and VAddr mean "virtual address"?

_________________
[Moderator Deleted] Shocked
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7626

PostPosted: Tue Jun 22, 2010 0:37    Post subject: Reply with quote
ra = return address, i.e. pointing back to the routine calling the code that crashed.

try to use 0xbc000000 instead of 0x1c000000.

tftp.exe and tftp2.exe can only send, you need to install tftpd32 or Solarwinds tftp server which both can receive.

_________________
Kernel panic: Aiee, killing interrupt handler!
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13027
Location: Behind The Reset Button

PostPosted: Tue Jun 22, 2010 2:02    Post subject: Reply with quote
LOM wrote:
ra = return address, i.e. pointing back to the routine calling the code that crashed.

try to use 0xbc000000 instead of 0x1c000000.

tftp.exe and tftp2.exe can only send, you need to install tftpd32 or Solarwinds tftp server which both can receive.


I have a tftp server running.. It makes the file, but it is zero bytes big..

Where does 0xbc000000 come from?

Thanks..

_________________
[Moderator Deleted] Shocked
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7626

PostPosted: Tue Jun 22, 2010 2:14    Post subject: Reply with quote
barryware wrote:
LOM wrote:
ra = return address, i.e. pointing back to the routine calling the code that crashed.

try to use 0xbc000000 instead of 0x1c000000.

tftp.exe and tftp2.exe can only send, you need to install tftpd32 or Solarwinds tftp server which both can receive.


I have a tftp server running.. It makes the file, but it is zero bytes big..

Where does 0xbc000000 come from?

Thanks..


No crash this time?
0xbc000000 is the same address but in cached kseg1 instead of uncached kseg0.
user space vs system space to simplify the explanation.
You can also try 0x9c000000 which is uncached kseg1.

Another test is to try to save from ram to see if there's some problem with the save command reading from flash, 0x80300000 or 0x80700000 for instance.

Zero byte filelength, it may be the 0 in 0x for the length, try to use decimal value for length.

_________________
Kernel panic: Aiee, killing interrupt handler!
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7626

PostPosted: Tue Jun 22, 2010 6:28    Post subject: Reply with quote
Checked the documentation for the save command, values are hexadecimal but without a 0x in front of them.


CFE> save host:file_name 80000000 1000
4096 bytes written to host:filename
*** command status = 0

Edit:
Tried it, works on my "E2000"

save 192.168.1.131:wholeflash.bin bc000000 800000

_________________
Kernel panic: Aiee, killing interrupt handler!
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13027
Location: Behind The Reset Button

PostPosted: Tue Jun 22, 2010 12:59    Post subject: Reply with quote
LOM wrote:
Checked the documentation for the save command, values are hexadecimal but without a 0x in front of them.


CFE> save host:file_name 80000000 1000
4096 bytes written to host:filename
*** command status = 0

Edit:
Tried it, works on my "E2000"

save 192.168.1.131:wholeflash.bin bc000000 800000


Thanks.. I'll give it another go when I get home. Wasn't able to get back at it last night.. The power went out. Still out..

_________________
[Moderator Deleted] Shocked
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7626

PostPosted: Tue Jun 22, 2010 13:12    Post subject: Reply with quote
No spaces (as in your example above) in host:filename
_________________
Kernel panic: Aiee, killing interrupt handler!
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13027
Location: Behind The Reset Button

PostPosted: Tue Jun 22, 2010 15:11    Post subject: Reply with quote
LOM wrote:
No spaces (as in your example above) in host:filename


I tried it different ways.. Looks like my problem was the beginning address.. How do you know these things? Shocked

I read the broadcom cfe documentation I have which is also on the tftp server under information library.. Whenever I run across something of use to the forum like chip data sheets, hard to find docs, etc, I put it there.

Anyway.. I read that from cover to cover. It does say to specify a hex address by using 0x. It is an old doc (2003) and is mainly for the 12xx processors.

It also says to see the LOAD command for the options as they are the same but I don't think those options would apply to a SAVE (-elf, -raw, etc)

I spent a couple of hours looking for a newer doc but came up empty.

_________________
[Moderator Deleted] Shocked
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13027
Location: Behind The Reset Button

PostPosted: Tue Jun 22, 2010 23:56    Post subject: Reply with quote
@LOM... Very cool.. Thank you very much..

Still wanna know how you derived that starting address.. Confused

I used a GL this time.. The TM does not have a stock cfe so I was thinking maybe something may have been missing.

***********************************************

CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Tue Jun 20 16:22:41 CST 2006 (root@localhost.localdomain)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena
Initializing Devices.

No DPN
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.37.0
CPU type 0x29008: 200MHz
Total memory: 16384 KBytes

Total memory used by CFE: 0x80300000 - 0x803A39C0 (670144)
Initialized Data: 0x803398D0 - 0x8033BFE0 (10000)
BSS Area: 0x8033BFE0 - 0x8033D9C0 (6624)
Local Heap: 0x8033D9C0 - 0x803A19C0 (409600)
Stack Area: 0x803A19C0 - 0x803A39C0 (8192)
Text (code) segment: 0x80300000 - 0x803398D0 (235728)
Boot area (physical): 0x003A4000 - 0x003E4000
Relocation Factor: I:00000000 - D:00000000

Boot version: v3.7
The boot is CFE

mac_init(): Find mac [00:21:29:C3:34:B9] in location 0
Nothing...

eou_key_init(): Find key pair in location 4
The eou device id is same
The eou public key is same
The eou private key is same
Device eth0: hwaddr 00-21-29-C3-34-B9, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Automatic startup canceled via Ctrl-C

CFE> ^C

CFE> ifconfig eth0 -addr=192.168.254.140 -mask=255.255.255.0 -gw=192.168.254.100

Device eth0: hwaddr 00-21-29-C3-34-B9, ipaddr 192.168.254.140, mask 255.255.255.0
gateway 192.168.254.100, nameserver not set
*** command status = 0

CFE> save 192.168.254.100:wholeflash.bin bc000000 400000

4194304 bytes written to 192.168.254.100:wholeflash.bin
*** command status = 0
CFE>

:D

Now we need a virgin 600 Wink

_________________
[Moderator Deleted] Shocked
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2430
Location: Third Rock from the Sun

PostPosted: Wed Jun 23, 2010 1:19    Post subject: Reply with quote
barryware wrote:
@LOM... Very cool.. Thank you very much..

Still wanna know how you derived that starting address.. Confused


Me too! Very Happy


And is the starting address different for each router?

_________________
Peacock Thread-FAQ -- Firmware Recommendations -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13027
Location: Behind The Reset Button

PostPosted: Wed Jun 23, 2010 2:14    Post subject: Reply with quote
Dark_Shadow wrote:
barryware wrote:
@LOM... Very cool.. Thank you very much..

Still wanna know how you derived that starting address.. Confused


Me too! Very Happy


And is the starting address different for each router?


yea.. you have a 3300 that may be running.. but you gotta button it up.

See where this is going?

The boys in the atheros forum are wiping out their caldata partition on the 3700's and making the 2.4ghz radio unusable.

We need a virgin 600 to get the factory partition from.

Grabbing a whole flash via serial is good stuff for devices that have no supported jtag..

_________________
[Moderator Deleted] Shocked
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7626

PostPosted: Wed Jun 23, 2010 5:17    Post subject: Reply with quote
Dark_Shadow wrote:
barryware wrote:
@LOM... Very cool.. Thank you very much..

Still wanna know how you derived that starting address.. Confused


Me too! Very Happy


And is the starting address different for each router?


Ehh? Very Happy Ok guys, don't blame me, you asked for it...

The flash resides at the physical address 1c000000, that is known from before, right?

The address space of the mips cpu is divided into segments, kseg0 from address 0 to 7fffffff and kseg1 from 80000000 to ffffffff.
Everything in kseg0 is also present in kseg1 but there are different access rights between these segments.
kseg0 is system space and kseg1 is user space and user programs running in kseg1 are prevented from accessing kseg0 directly.

The segments are then further split into cached and non-cached addresses and the split point is after 0x20000000.

So 1c000000 in un-cached kseg0 is also available at 3c000000 in cached kseg0 and at 9c000000 in uncached kseg1 and at bc000000 in cached kseg1.

See the mips programming manual for further references.. Cool

And yes, all our Broadcom based routers are using those addresses so what barryware now succeeded with can be used for dumping cfe's, nvram data, or wholeflash on all of them.
There may be some cfe's with a broken or removed save command though.

Serial connection rulez!!

_________________
Kernel panic: Aiee, killing interrupt handler!
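
The address arithmetic behind the save command that worked in this thread, as an added example that is not part of the original posts. It uses the segment names from the MIPS32 architecture documentation (kseg0 at 0x80000000 is the cached window, kseg1 at 0xA0000000 the uncached one, both aliasing the low 512 MB of physical space); all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MIPS32 unmapped kernel windows onto physical 0x00000000-0x1FFFFFFF. */
#define KSEG0_BASE 0x80000000u /* cached   */
#define KSEG1_BASE 0xA0000000u /* uncached */
#define SEG_SIZE   0x20000000u /* 512 MB   */

typedef enum { SEG_KUSEG, SEG_KSEG0, SEG_KSEG1, SEG_KSEG2 } mips_seg;

mips_seg classify(uint32_t va) {
    if (va < KSEG0_BASE) return SEG_KUSEG;          /* translated via TLB */
    if (va < KSEG1_BASE) return SEG_KSEG0;
    if (va < KSEG1_BASE + SEG_SIZE) return SEG_KSEG1;
    return SEG_KSEG2;                               /* translated via TLB */
}

/* Physical address -> unmapped alias; -1 if outside the low 512 MB. */
int phys_to_virt(uint32_t phys, int cached, uint32_t *va) {
    if (phys >= SEG_SIZE) return -1;
    *va = (cached ? KSEG0_BASE : KSEG1_BASE) | phys;
    return 0;
}

/* Unmapped alias -> physical address; -1 for TLB-mapped segments. */
int virt_to_phys(uint32_t va, uint32_t *phys) {
    mips_seg s = classify(va);
    if (s != SEG_KSEG0 && s != SEG_KSEG1) return -1;
    *phys = va & (SEG_SIZE - 1);
    return 0;
}

/* Build the command in the form that worked in the thread: bare hex
 * values (no 0x), no spaces in host:filename, uncached flash alias. */
int build_save_cmd(char *out, size_t n, const char *host, const char *file,
                   uint32_t phys, uint32_t len) {
    uint32_t va;
    if (strpbrk(host, " :") || strpbrk(file, " :")) return -1;
    if (len == 0 || phys_to_virt(phys, 0, &va) != 0) return -1;
    if ((uint64_t)phys + len > SEG_SIZE) return -1; /* runs off the window */
    int w = snprintf(out, n, "save %s:%s %08x %x", host, file,
                     (unsigned)va, (unsigned)len);
    return (w > 0 && (size_t)w < n) ? 0 : -1;
}

int main(void) {
    char cmd[96]; /* host, file name and sizes taken from the thread */
    if (build_save_cmd(cmd, sizeof cmd, "192.168.254.100", "wholeflash.bin",
                       0x1c000000u, 0x400000u) == 0) puts(cmd);
    return 0;
}
```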