[SOLVED] [Belkin F7D8301/F7D4301] Unbricking CFE with JTAG

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
HMkX2
DD-WRT Novice


Joined: 29 Jul 2012
Posts: 20

PostPosted: Mon Aug 27, 2012 2:55    Post subject: [SOLVED] [Belkin F7D8301/F7D4301] Unbricking CFE with JTAG Reply with quote
Router: Belkin F7D8301 (aka F7D4301)
Chipset: Broadcom BCM4716 Rev 1 CPU
NVRAM chip: According to InfoDepot the 4301 has cFeon EN29LV640B-90TIP 189D04A F918TDA (not sure of BotB or TopB It'S BotB)
(tjtag added support for this flash ~v3.0.1-RC1)

While adding certificates to the GUI I inadvertently bricked the router. I have a CLONE router next to it and can get backups of everything - I have CFE.bin already.

LAN/WAN links do not go up (cable disconnected). Because of this I cannot ping router on 192.168.2.*/1.* subnets, cannot gain access to the CFE webserver by holding WPS button while booting. A 30/30/30 reset doesn't fix it. Because of this,I believe the CFE to be corrupted.

I used a serial TTL probe (Rx only) I had lying around to observe what was going on. It appears CFE is stuck in some kind of boot loop. Because of this, I think EVEN IF I had a Tx/Rx TTL I couldn't press "spacebar" to get into CFE prompt.

<Hook up Serial TTL to header. View using PUTTY. Plug in router:>
Quote:
Decompressing...done
Decompressing...done
Init Arena
Init Devs.
Boot partition size = 131072(0x20000)
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.128.0
CPU type 0x19740: 453MHz
Tot mem: 65536 KBytes

CFE mem: 0x80700000 - 0x8079A570 (632176)
Data: 0x80731660 - 0x80733A20 (9152)
BSS: 0x80733A20 - 0x80734570 (2896)
Heap: 0x80734570 - 0x80798570 (409600)
Stack: 0x80798570 - 0x8079A570 (8192)
Text: 0x80700000 - 0x80731660 (202336)


Copying boot params.....DONEDecompressing...done
Init Arena
Init Devs.
Boot partition size = 131072(0x20000)
<...etc etc etc etc...>


Everything in italics keeps repeating forever. CPU heats up very quickly to the touch.

I then made a unbuffered Xilinx DLC5 JTAG cable as per the directions HERE and HERE. I followed Redhawk0's instrucitons HERE to leave pin 12 unconnected/floating. I also added a 100-ohm pulldown resistor between VCC (pin 14) and pin (1) as suggested. Connections are quadruple checked.

However, Tornado's TJTAG did not initially detect it. I received a "CPU Chip ID: 11111111111111111111111111111111 (FFFFFFFF) *** Unknown or NO CPU Chip ID Detected ***" error even after loading GiveIO.sys and making sure I was ECP on 378 with Use Any IRQ. Only tjtagv2 (old!!) detected the chip ID properly - but it didn't have the table coding for it. (I believe there was a bug with unbuffered cable support in versions 3.0RC1-3.02-RC5?)

I managed to get tjtag-3.0.2-win32 (v3.0.2.1) and 3.0.2-RC2 to recognize the chip by adding the command line flag "tjtag3.exe -probeonly /cable:dlc5". (If I omit /nobreak, it properly freezes the processor in the Serial TTY - no more looping)

Quote:
================================================
EJTAG Debrick Utility v3.0.2.1 Tornado-MOD
================================================

Selected port = 0x378

Detected IR chain length = 32
Number of device(s) = 1

IDCODE for device 1 is 0x1471617F

Idcode 0x1471617f IR Length 32
Jtag is in LV mode
switching to MIPS mode 1
Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000000000010001100000101111111 (0008C17F)
*** Found a Broadcom BCM4716 Rev 1 CPU in MIPS MODE chip ***

- EJTAG IMPCODE ....... : 01100000010000010100000000000000 (60414000)
- EJTAG Version ....... : 3.1
- EJTAG DMA Support ... : No
- EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32

Intial value of Control register is 000000CC
Intial value of status register is 00000077
01110111 (00000077)

Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 0
* means low = true, e.g., *Error

VCC connected
values of Control register after init 0x000000CC
value of status register after init 0x00000077
system reset complete

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Init PrAcc ... Done
Clearing Watchdog ... Done


Chip ID 4716
Chip Rev 1
Package Options a
Number of Cores 9
Core Revision 79
Core Type 710
Core Vendor ID 19a10000
Flash Type 700
Flash Type = PFLASH
Flash bus is 8 bits
Dest is bits 0
Flash is byteswapped 0
Endian Type is LE 0
PLL Type 00000000
Enter Flash Probe

Probing Flash at (Flash Window: 0x1fc00000) ...
Enter SPI Flash Probe
Enter SPI Flash Probe
Enter SPI Flash Probe
Enter SPI Flash Probe
Done

*** Unknown or NO Flash Chip Detected ***

*** REQUESTED OPERATION IS COMPLETE ***


HOWEVER, my big problem now is I can't get it to recognize the flash chip. I've tried brute forcing it a bit with /byte_mode and /erase, but if it ever goes into non-DMA mode (/nodma or automatically) it freezes at "Init PrAcc ...". I need to use /DMA to get it to work.

Quote:
tjtag3.exe -probeonly /cable:dlc5

================================================
EJTAG Debrick Utility v3.0.2.1 Tornado-MOD
================================================

Selected port = 0x378

Detected IR chain length = 5
Number of device(s) = 1

IDCODE for device 1 is 0x0008C17F

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000000000010001100000101111111 (0008C17F)
*** Found a Broadcom BCM4716 Rev 1 CPU in MIPS MODE chip ***

- EJTAG IMPCODE ....... : 01100000010000010100000000000000 (60414000)
- EJTAG Version ....... : 3.1
- EJTAG DMA Support ... : No
- EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32

Intial value of Control register is 000000CC
Intial value of status register is 00000077
01110111 (00000077)

Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 0
* means low = true, e.g., *Error

VCC connected
values of Control register after init 0x000000CC
value of status register after init 0x00000077
system reset complete

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Init PrAcc ...


Problem is, I can't FLASH anything in DMA mode, or erase, even using force /fc:107 or 108, timing/unplugging and plugging back in. At most it erases 4-5 blocks then freezes. If I try to use /cfe:backup, I get all Zeroes.

Obviously, I can't flash the CFE/kernel/wholeflash backups. If anyone knows how to flash this thing with JTAG, please post. I'd really appreciate your help.

-HMkX2 CORE

Here is myflash_debug if it helps:

Quote:
tjtag3.exe -probeonly /dma /cable:dlc5 /flash_debug

================================================
EJTAG Debrick Utility v3.0.2.1 Tornado-MOD
================================================

Selected port = 0x378

Detected IR chain length = 5
Number of device(s) = 1

IDCODE for device 1 is 0x0008C17F

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000000000010001100000101111111 (0008C17F)
*** Found a Broadcom BCM4716 Rev 1 CPU in MIPS MODE chip ***

- EJTAG IMPCODE ....... : 01100000010000010100000000000000 (60414000)
- EJTAG Version ....... : 3.1
- EJTAG DMA Support ... : No
- EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32
*** DMA Mode Forced On ***

Intial value of Control register is 000000CC
Intial value of status register is 00000077
01110111 (00000077)

Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 0
* means low = true, e.g., *Error

VCC connected
values of Control register after init 0x000000CC
value of status register after init 0x00000077
system reset complete

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Init PrAcc ... Skipped
Clearing Watchdog ... Done


Chip ID 0
Chip Rev 0
Package Options 0
Number of Cores 0
Core Revision 15
Core Type 0
Core Vendor ID 0
Flash Type 0
Flash Type = FLASH_NONE
Flash bus is 8 bits
Dest is bits 0
Flash is byteswapped 0
Endian Type is LE 0
PLL Type 00000000
spi_flash_read 0x1FC00000
spi_flash_mmr 0x00000000
spi_flash_mmr_size 0x00000000
spi_flash_ctl 0x18000040
spi_flash_opcode 0x18000044
spi_flash_data 0x18000048
spi_ctl_start 0x80000000
spi_ctl_busy 0x80000000
Enter Flash Probe

Probing Flash at (Flash Window: 0x1fc00000) ...

Byte Debug AMD Vendid-1 : 00000000000000001001000010010000 (00009090)
Byte Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Byte Debug AMD Vendid-2 : 00000000000000001001000010010000 (00009090)
Byte Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Debug AMD Vendid-3 : 00000000000000001001000010010000 (00009090)
Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Debug AMD Vendid-4 : 00000000000000000000000010010000 (00000090)
Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Debug SST Vendid : 00000000000000000000000010010000 (00000090)
Debug SST Devdid : 00000000000000000000000000000000 (00000000)

Debug BSC-SCS Vendid :00000000000000000000000010010000 (00000090)
Debug BSC-SCS Devdid :00000000000000000000000000000000 (00000000)
Enter SPI Flash Probe
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGWRITE32 ADDR MMR+REG 0x18000044 DATA 0x0000049F
SPI_FLASH_OPCODE 0x18000044 PTR_OPCODE 0x0000049F
REGWRITE32 ADDR MMR+REG 0x18000040 DATA 0x8000049F
SPI_FLASH_CTL SEND -> 0x18000040 reg 0x8000049F
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x8000049F
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGREAD32 spi_flash_mmr+reg 0x18000048 data 0x00000000
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGWRITE32 ADDR MMR+REG 0x18000044 DATA 0x00000490
SPI_FLASH_OPCODE 0x18000044 PTR_OPCODE 0x00000490
REGWRITE32 ADDR MMR+REG 0x18000040 DATA 0x80000490
SPI_FLASH_CTL SEND -> 0x18000040 reg 0x80000490
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x80000490
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGREAD32 spi_flash_mmr+reg 0x18000048 data 0x00000000

Debug SPI id : 00000000000000000000000000000000 (00000000)

Debug SPI Vendid : 00000000000000000000000000000000 (00000000)
Debug SPI Devdid : 00000000000000000000000000000000 (00000000)

Byte Debug AMD Vendid-1 : 00000000000000001001000010010000 (00009090)
Byte Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Byte Debug AMD Vendid-2 : 00000000000000001001000010010000 (00009090)
Byte Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Debug AMD Vendid-3 : 00000000000000001001000010010000 (00009090)
Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Debug AMD Vendid-4 : 00000000000000000000000010010000 (00000090)
Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Debug SST Vendid : 00000000000000000000000010010000 (00000090)
Debug SST Devdid : 00000000000000000000000000000000 (00000000)

Debug BSC-SCS Vendid :00000000000000000000000010010000 (00000090)
Debug BSC-SCS Devdid :00000000000000000000000000000000 (00000000)
Enter SPI Flash Probe
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGWRITE32 ADDR MMR+REG 0x18000044 DATA 0x0000049F
SPI_FLASH_OPCODE 0x18000044 PTR_OPCODE 0x0000049F
REGWRITE32 ADDR MMR+REG 0x18000040 DATA 0x8000049F
SPI_FLASH_CTL SEND -> 0x18000040 reg 0x8000049F
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x8000049F
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGREAD32 spi_flash_mmr+reg 0x18000048 data 0x00000000
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGWRITE32 ADDR MMR+REG 0x18000044 DATA 0x00000490
SPI_FLASH_OPCODE 0x18000044 PTR_OPCODE 0x00000490
REGWRITE32 ADDR MMR+REG 0x18000040 DATA 0x80000490
SPI_FLASH_CTL SEND -> 0x18000040 reg 0x80000490
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x80000490
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGREAD32 spi_flash_mmr+reg 0x18000048 data 0x00000000

Debug SPI id : 00000000000000000000000000000000 (00000000)

Debug SPI Vendid : 00000000000000000000000000000000 (00000000)
Debug SPI Devdid : 00000000000000000000000000000000 (00000000)

Byte Debug AMD Vendid-1 : 00000000000000001001000010010000 (00009090)
Byte Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Byte Debug AMD Vendid-2 : 00000000000000001001000010010000 (00009090)
Byte Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Debug AMD Vendid-3 : 00000000000000001001000010010000 (00009090)
Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Debug AMD Vendid-4 : 00000000000000000000000010010000 (00000090)
Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Debug SST Vendid : 00000000000000000000000010010000 (00000090)
Debug SST Devdid : 00000000000000000000000000000000 (00000000)

Debug BSC-SCS Vendid :00000000000000000000000010010000 (00000090)
Debug BSC-SCS Devdid :00000000000000000000000000000000 (00000000)
Enter SPI Flash Probe
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGWRITE32 ADDR MMR+REG 0x18000044 DATA 0x0000049F
SPI_FLASH_OPCODE 0x18000044 PTR_OPCODE 0x0000049F
REGWRITE32 ADDR MMR+REG 0x18000040 DATA 0x8000049F
SPI_FLASH_CTL SEND -> 0x18000040 reg 0x8000049F
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x8000049F
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGREAD32 spi_flash_mmr+reg 0x18000048 data 0x00000000
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGWRITE32 ADDR MMR+REG 0x18000044 DATA 0x00000490
SPI_FLASH_OPCODE 0x18000044 PTR_OPCODE 0x00000490
REGWRITE32 ADDR MMR+REG 0x18000040 DATA 0x80000490
SPI_FLASH_CTL SEND -> 0x18000040 reg 0x80000490
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x80000490
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGREAD32 spi_flash_mmr+reg 0x18000048 data 0x00000000

Debug SPI id : 00000000000000000000000000000000 (00000000)

Debug SPI Vendid : 00000000000000000000000000000000 (00000000)
Debug SPI Devdid : 00000000000000000000000000000000 (00000000)

Byte Debug AMD Vendid-1 : 00000000000000001001000010010000 (00009090)
Byte Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Byte Debug AMD Vendid-2 : 00000000000000001001000010010000 (00009090)
Byte Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Debug AMD Vendid-3 : 00000000000000001001000010010000 (00009090)
Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Debug AMD Vendid-4 : 00000000000000000000000010010000 (00000090)
Debug AMD Devdid : 00000000000000000000000000000000 (00000000)

Debug SST Vendid : 00000000000000000000000010010000 (00000090)
Debug SST Devdid : 00000000000000000000000000000000 (00000000)

Debug BSC-SCS Vendid :00000000000000000000000010010000 (00000090)
Debug BSC-SCS Devdid :00000000000000000000000000000000 (00000000)
Enter SPI Flash Probe
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGWRITE32 ADDR MMR+REG 0x18000044 DATA 0x0000049F
SPI_FLASH_OPCODE 0x18000044 PTR_OPCODE 0x0000049F
REGWRITE32 ADDR MMR+REG 0x18000040 DATA 0x8000049F
SPI_FLASH_CTL SEND -> 0x18000040 reg 0x8000049F
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x8000049F
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGREAD32 spi_flash_mmr+reg 0x18000048 data 0x00000000
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGWRITE32 ADDR MMR+REG 0x18000044 DATA 0x00000490
SPI_FLASH_OPCODE 0x18000044 PTR_OPCODE 0x00000490
REGWRITE32 ADDR MMR+REG 0x18000040 DATA 0x80000490
SPI_FLASH_CTL SEND -> 0x18000040 reg 0x80000490
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x80000490
REGREAD32 spi_flash_mmr+reg 0x18000040 data 0x00000000
REGREAD32 spi_flash_mmr+reg 0x18000048 data 0x00000000

Debug SPI id : 00000000000000000000000000000000 (00000000)

Debug SPI Vendid : 00000000000000000000000000000000 (00000000)
Debug SPI Devdid : 00000000000000000000000000000000 (00000000)
Done

*** Unknown or NO Flash Chip Detected ***

*** REQUESTED OPERATION IS COMPLETE ***


Last edited by HMkX2 on Tue Aug 28, 2012 3:00; edited 4 times in total
Sponsor
HMkX2
DD-WRT Novice


Joined: 29 Jul 2012
Posts: 20

PostPosted: Mon Aug 27, 2012 16:28    Post subject: Reply with quote
Nvm I fixed it.

(Joking, put the pitchforks down... will post fix soon.)

Quote:

Must do TWO steps to flash/erase. If you let it try to autoerase during flash command it will freeze.

If you use DMA mode, it will APPEAR to flash but actually do nothing. Can be verified by erasing with /nodma /byte_mode, writing with /dma /noerase, and -backup:nvram to still see 00000's. (You cannot use byte_mode with DMA, freezes.)

Must unplug, replug 1s before running commands, or spam commands multiple times using ctrl+c until they "take".



ERASE NVRAM:
tjtag3.exe -erase:nvram /cable:dlc5 /fc:108 /nodma /byte_mode

ERASE CFE
tjtag3.exe -erase:cfe /cable:dlc5 /fc:108 /nodma /byte_mode

FLASH CFE:
tjtag3.exe -flash:cfe /cable:dlc5 /fc:108 /nodma /byte_mode /nobreak /noreset /noerase

^^ takes 2 hours. Freezes (!!!) randomly if there is bad cableing/interference. Wrap cable in mylar bag, turn off nearby wifi cards, and use Task Manager to set tjtag3.exe to "HIGH" priority so it goes OK.

Will get lots of "read errors" at 75%+ flash since CFE is smaller than flashing window. tJTAG zeroes (fffff's) out the extra space.


Mac address is stored in 7 places. 4 in ASCII as "11:22:33:44:55:66", once as "11-22-33-44-55-66", three times at very end of cfe as HEX 112233445566.

Guest wireless pass, WPA pin, SSID, etc needs to be searched and edited in from base of sticker of source router.
HMkX2
DD-WRT Novice


Joined: 29 Jul 2012
Posts: 20

PostPosted: Tue Aug 28, 2012 2:52    Post subject: Reply with quote
Here is a genericized CFE.bin for the Belkin F7D8301 v1 router for the CFE collection project.


F7D8301v1-Generic-CFE.zip
 Description:
Belkin F7D8301 v1 CFE with documentation

Download
 Filename:  F7D8301v1-Generic-CFE.zip
 Filesize:  139.31 KB
 Downloaded:  848 Time(s)

arkwin
DD-WRT Novice


Joined: 22 Jun 2013
Posts: 1

PostPosted: Sun Jul 14, 2013 13:00    Post subject: Help needed! Reply with quote
Hi, I'm just a newbie in this stuff.

My Belkin F7D8301is pretty much dead beef now,
Flash a corrupted CFE and its just a useless thing Crying or Very sad

TIAO Universal JTAG through the wiggler cable attached TO the router

pinouts

Had I do something wrong??

Code:

root@root:~/tjtag-3.0.2-RC2# ./tjtag302RC2-1x32 -probeonly

==============================================
EJTAG Debrick Utility v3.0.2 RC2-1 Tornado-MOD 
==============================================

Intial value of Control register is 0000000C
Intial value of status register is  000000FF
11111111 (000000FF)

Status bit 7 Busy Inverted pin 11 = 0
Status bit 6 *Ack          pin 10 = 1
Status bit 5 Paper-out     pin 12 = 1
Status bit 4 Select        pin 13 = 1
Status bit 3 *Error        pin 15 = 1
* means low = true, e.g., *Error

VCC connected
values of Control register after init 0x0000000C
value of status register after init   0x000000FF
system reset complete

Detected IR chain length = 1000
Number of device(s) = 1000

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** Unknown or NO CPU Chip ID Detected ***

*** Possible Causes:
   1) Device is not Connected.
   2) Device is not Powered On.
   3) Improper JTAG Cable.
   4) Unrecognized CPU Chip ID.
 
[url]
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum