Posted: Mon Aug 27, 2012 2:55 Post subject: [SOLVED] [Belkin F7D8301/F7D4301] Unbricking CFE with JTAG
Router: Belkin F7D8301 (aka F7D4301)
Chipset: Broadcom BCM4716 Rev 1 CPU
NVRAM chip: According to InfoDepot the 4301 has cFeon EN29LV640B-90TIP 189D04A F918TDA (not sure of BotB or TopBIt'S BotB)
(tjtag added support for this flash ~v3.0.1-RC1)
While adding certificates to the GUI I inadvertently bricked the router. I have a CLONE router next to it and can get backups of everything - I have CFE.bin already.
LAN/WAN links do not go up (cable disconnected). Because of this I cannot ping router on 192.168.2.*/1.* subnets, cannot gain access to the CFE webserver by holding WPS button while booting. A 30/30/30 reset doesn't fix it. Because of this, I believe the CFE to be corrupted.
I used a serial TTL probe (Rx only) I had lying around to observe what was going on. It appears CFE is stuck in some kind of boot loop. Because of this, I think EVEN IF I had a Tx/Rx TTL I couldn't press "spacebar" to get into CFE prompt.
<Hook up Serial TTL to header. View using PuTTY. Plug in router:>
Quote:
Decompressing...done
Decompressing...done
Init Arena
Init Devs.
Boot partition size = 131072(0x20000)
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.128.0
CPU type 0x19740: 453MHz
Tot mem: 65536 KBytes
Everything in italics keeps repeating forever. CPU heats up very quickly to the touch.
I then made an unbuffered Xilinx DLC5 JTAG cable as per the directions HERE and HERE. I followed Redhawk0's instructions HERE to leave pin 12 unconnected/floating. I also added a 100-ohm pulldown resistor between VCC (pin 14) and pin (1) as suggested. Connections are quadruple checked.
However, Tornado's TJTAG did not initially detect it. I received a "CPU Chip ID: 11111111111111111111111111111111 (FFFFFFFF) *** Unknown or NO CPU Chip ID Detected ***" error even after loading GiveIO.sys and making sure I was ECP on 378 with Use Any IRQ. Only tjtagv2 (old!!) detected the chip ID properly - but it didn't have the table coding for it. (I believe there was a bug with unbuffered cable support in versions 3.0RC1-3.02-RC5?)
I managed to get tjtag-3.0.2-win32 (v3.0.2.1) and 3.0.2-RC2 to recognize the chip by adding the command line flag "tjtag3.exe -probeonly /cable:dlc5". (If I omit /nobreak, it properly freezes the processor in the Serial TTY - no more looping)
Detected IR chain length = 32
Number of device(s) = 1
IDCODE for device 1 is 0x1471617F
Idcode 0x1471617f IR Length 32
Jtag is in LV mode
switching to MIPS mode 1
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000010001100000101111111 (0008C17F)
*** Found a Broadcom BCM4716 Rev 1 CPU in MIPS MODE chip ***
- EJTAG IMPCODE ....... : 01100000010000010100000000000000 (60414000)
- EJTAG Version ....... : 3.1
- EJTAG DMA Support ... : No
- EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32
Intial value of Control register is 000000CC
Intial value of status register is 00000077
01110111 (00000077)
Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 0
* means low = true, e.g., *Error
VCC connected
values of Control register after init 0x000000CC
value of status register after init 0x00000077
system reset complete
Chip ID 4716
Chip Rev 1
Package Options a
Number of Cores 9
Core Revision 79
Core Type 710
Core Vendor ID 19a10000
Flash Type 700
Flash Type = PFLASH
Flash bus is 8 bits
Dest is bits 0
Flash is byteswapped 0
Endian Type is LE 0
PLL Type 00000000
Enter Flash Probe
Probing Flash at (Flash Window: 0x1fc00000) ...
Enter SPI Flash Probe
Enter SPI Flash Probe
Enter SPI Flash Probe
Enter SPI Flash Probe
Done
*** Unknown or NO Flash Chip Detected ***
*** REQUESTED OPERATION IS COMPLETE ***
HOWEVER, my big problem now is I can't get it to recognize the flash chip. I've tried brute forcing it a bit with /byte_mode and /erase, but if it ever goes into non-DMA mode (/nodma or automatically) it freezes at "Init PrAcc ...". I need to use /DMA to get it to work.
Detected IR chain length = 5
Number of device(s) = 1
IDCODE for device 1 is 0x0008C17F
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000010001100000101111111 (0008C17F)
*** Found a Broadcom BCM4716 Rev 1 CPU in MIPS MODE chip ***
- EJTAG IMPCODE ....... : 01100000010000010100000000000000 (60414000)
- EJTAG Version ....... : 3.1
- EJTAG DMA Support ... : No
- EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32
Intial value of Control register is 000000CC
Intial value of status register is 00000077
01110111 (00000077)
Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 0
* means low = true, e.g., *Error
VCC connected
values of Control register after init 0x000000CC
value of status register after init 0x00000077
system reset complete
Problem is, I can't FLASH anything in DMA mode, or erase, even using force /fc:107 or 108, timing/unplugging and plugging back in. At most it erases 4-5 blocks then freezes. If I try to use /cfe:backup, I get all Zeroes.
Obviously, I can't flash the CFE/kernel/wholeflash backups. If anyone knows how to flash this thing with JTAG, please post. I'd really appreciate your help.
Detected IR chain length = 5
Number of device(s) = 1
IDCODE for device 1 is 0x0008C17F
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000010001100000101111111 (0008C17F)
*** Found a Broadcom BCM4716 Rev 1 CPU in MIPS MODE chip ***
- EJTAG IMPCODE ....... : 01100000010000010100000000000000 (60414000)
- EJTAG Version ....... : 3.1
- EJTAG DMA Support ... : No
- EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32
*** DMA Mode Forced On ***
Intial value of Control register is 000000CC
Intial value of status register is 00000077
01110111 (00000077)
Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 0
* means low = true, e.g., *Error
VCC connected
values of Control register after init 0x000000CC
value of status register after init 0x00000077
system reset complete
Chip ID 0
Chip Rev 0
Package Options 0
Number of Cores 0
Core Revision 15
Core Type 0
Core Vendor ID 0
Flash Type 0
Flash Type = FLASH_NONE
Flash bus is 8 bits
Dest is bits 0
Flash is byteswapped 0
Endian Type is LE 0
PLL Type 00000000
spi_flash_read 0x1FC00000
spi_flash_mmr 0x00000000
spi_flash_mmr_size 0x00000000
spi_flash_ctl 0x18000040
spi_flash_opcode 0x18000044
spi_flash_data 0x18000048
spi_ctl_start 0x80000000
spi_ctl_busy 0x80000000
Enter Flash Probe
(Joking, put the pitchforks down... will post fix soon.)
Quote:
Must do TWO steps to flash/erase. If you let it try to autoerase during flash command it will freeze.
If you use DMA mode, it will APPEAR to flash but actually do nothing. Can be verified by erasing with /nodma /byte_mode, writing with /dma /noerase, and -backup:nvram to still see 00000's. (You cannot use byte_mode with DMA, freezes.)
Must unplug, replug 1s before running commands, or spam commands multiple times using ctrl+c until they "take".
^^ takes 2 hours. Freezes (!!!) randomly if there is bad cabling/interference. Wrap cable in mylar bag, turn off nearby wifi cards, and use Task Manager to set tjtag3.exe to "HIGH" priority so it goes OK.
Will get lots of "read errors" at 75%+ flash since CFE is smaller than flashing window. tJTAG zeroes (fffff's) out the extra space.
MAC address is stored in 7 places. 4 in ASCII as "11:22:33:44:55:66", once as "11-22-33-44-55-66", three times at very end of cfe as HEX 112233445566.
Guest wireless pass, WPA pin, SSID, etc need to be searched and edited in from base of sticker of source router.
Intial value of Control register is 0000000C
Intial value of status register is 000000FF
11111111 (000000FF)
Status bit 7 Busy Inverted pin 11 = 0
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 1
* means low = true, e.g., *Error
VCC connected
values of Control register after init 0x0000000C
value of status register after init 0x000000FF
system reset complete
Detected IR chain length = 1000
Number of device(s) = 1000
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** Unknown or NO CPU Chip ID Detected ***
*** Possible Causes:
1) Device is not Connected.
2) Device is not Powered On.
3) Improper JTAG Cable.
4) Unrecognized CPU Chip ID.
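The post's verification step (erase with /nodma /byte_mode, write with /dma /noerase, then take a backup and look at it) comes down to comparing what the flash reads back against the image you meant to write. The script below is an added example, not part of the post and not tjtag code: it classifies a read-back as all-zero (the failed /cfe:backup the post describes), all-0xFF (erased, nothing written), a match with 0xFF padding past the end of the source (the post says tjtag fills the extra window with "fffff's"), or a mismatch with the first differing offset, and lists which erase blocks disagree, which is what you want when a write stops after a handful of blocks. The 64 KiB default block size is an assumption to check against the flash datasheet; the inputs in `demo()` are constructed byte strings standing in for CFE.bin and its read-back.

```python
"""Compare a JTAG read-back of flash against the source image.

Added example for the unbricking post; not tjtag's code. Inputs in demo()
are constructed, the real use is: python verify_readback.py CFE.bin cfe_backup.bin
"""
import sys

ERASED = 0xFF   # erased NOR flash reads as 0xFF


def classify(source, readback):
    """Return (verdict, detail) describing how the read-back relates to source."""
    if len(readback) < len(source):
        return "short", f"read-back is {len(readback)} bytes, source is {len(source)}"
    if all(b == 0 for b in readback):
        return "all-zero", "only 0x00 came back: the read itself failed, nothing to compare"
    if all(b == ERASED for b in readback):
        return "all-ff", "every byte is 0xFF: flash is erased, the write did nothing"
    head, tail = readback[:len(source)], readback[len(source):]
    if head == source:
        if all(b == ERASED for b in tail):
            return "match", f"{len(source)} bytes match, {len(tail)} bytes of 0xFF fill after them"
        return "match-dirty-tail", "image matches but the space after it is not erased"
    first = next(i for i, (a, b) in enumerate(zip(source, head)) if a != b)
    return "mismatch", (f"first difference at offset 0x{first:06X}: "
                        f"expected 0x{source[first]:02X}, got 0x{head[first]:02X}")


def differing_blocks(source, readback, block_size=0x10000):
    """Indices of erase blocks in which read-back disagrees with source.

    block_size=64 KiB is an assumption; take the real sector layout from the
    flash chip's datasheet (boot-block parts have smaller sectors at one end).
    """
    count = (len(source) + block_size - 1) // block_size
    bad = []
    for i in range(count):
        lo, hi = i * block_size, min((i + 1) * block_size, len(source))
        if readback[lo:hi] != source[lo:hi]:
            bad.append(i)
    return bad


def demo():
    """Constructed cases: good write, failed read, erased flash, write that stopped half-way."""
    source = bytes(range(256)) * 8                 # 2 KiB stand-in for CFE.bin
    padded = source + b"\xff" * 512                # read window longer than the image
    zeroes = b"\x00" * len(padded)
    erased = b"\xff" * len(padded)
    half = source[:1024] + b"\xff" * 1024          # write stopped after 4 of 8 blocks
    return (classify(source, padded)[0],
            classify(source, zeroes)[0],
            classify(source, erased)[0],
            classify(source, half)[0],
            differing_blocks(source, half, block_size=256))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            src, rb = f.read(), g.read()
        verdict, detail = classify(src, rb)
        print(f"{verdict}: {detail}")
        if verdict == "mismatch":
            print("differing blocks:", differing_blocks(src, rb))
    else:
        print(demo())
```

A read-back that matches in blocks 0..4 and is 0xFF from block 5 on is the "erases 4-5 blocks then freezes" symptom from the post; an all-zero verdict means the read path is broken and says nothing about the write, so re-check the cable before drawing conclusions about the flash.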
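The post says the MAC address lives in the CFE in three spellings: four ASCII copies as "11:22:33:44:55:66", one as "11-22-33-44-55-66", and three copies as the raw six bytes near the end of the image, all of which have to be changed to the sticker value of the router being repaired when the CFE comes from a clone. The script below is an added example, not part of the post and not tjtag code: it finds every copy of a MAC in an image in those three forms (ASCII matched case-insensitively), reports the offsets, and rewrites them in place, keeping each copy the same length so nothing else in the image moves. The nvram-style variable names in `sample_image()` are constructed placeholders, not the names the Belkin CFE actually uses.

```python
"""Find and rewrite every copy of a MAC address inside a CFE image.

Added example for the unbricking post; not tjtag's code. The sample image is
constructed; real use: python cfe_mac.py CFE.bin 11:22:33:44:55:66 AA:BB:CC:DD:EE:01
"""
import re
import sys


def parse_mac(text):
    """Accept '11:22:33:44:55:66', '11-22-33-44-55-66' or '112233445566'."""
    digits = re.sub(r"[:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def find_all(image, pattern):
    """Offsets of every non-overlapping occurrence of pattern in image."""
    hits, start = [], 0
    while (i := image.find(pattern, start)) >= 0:
        hits.append(i)
        start = i + len(pattern)
    return hits


def ascii_forms(mac):
    """The two ASCII spellings the post lists, in lower case."""
    return {
        "ascii-colon": ":".join("%02x" % b for b in mac).encode(),
        "ascii-dash": "-".join("%02x" % b for b in mac).encode(),
    }


def scan(image, mac):
    """{form: [offsets]} for every copy of mac in the image."""
    lowered = image.lower()   # bytes.lower() touches only ASCII letters, offsets stay put
    hits = {label: find_all(lowered, pat) for label, pat in ascii_forms(mac).items()}
    hits["raw-bytes"] = find_all(image, bytes(mac))
    return hits


def patch(image, old_mac, new_mac):
    """Return (new_image, substitutions). Every form has the same length in
    old and new, so the rest of the image is byte-for-byte unchanged."""
    out = bytearray(image)
    new_forms = ascii_forms(new_mac)
    new_forms["raw-bytes"] = bytes(new_mac)
    count = 0
    for label, offsets in scan(image, old_mac).items():
        repl = new_forms[label]
        for off in offsets:
            found = image[off:off + len(repl)]
            # keep the spelling the image already uses: lower case only where
            # the existing text has lower-case hex letters, otherwise upper case
            if label != "raw-bytes" and found == found.upper():
                repl = repl.upper()
            out[off:off + len(repl)] = repl
            count += 1
    return bytes(out), count


def sample_image(mac):
    """Constructed stand-in for CFE.bin with the copies the post lists:
    four colon-form, one dash-form, three raw copies at the very end."""
    forms = ascii_forms(mac)
    body = b"\x00".join([
        b"var_mac0=" + forms["ascii-colon"],   # variable names are placeholders
        b"var_mac1=" + forms["ascii-colon"],
        b"var_mac2=" + forms["ascii-colon"],
        b"var_mac3=" + forms["ascii-colon"],
        b"var_mac4=" + forms["ascii-dash"],
    ])
    return body + b"\xff" * 64 + bytes(mac) * 3


def demo():
    """Counts before and after patching the constructed image."""
    old, new = parse_mac("11:22:33:44:55:66"), parse_mac("AA-BB-CC-DD-EE-01")
    img = sample_image(old)
    before = sum(len(v) for v in scan(img, old).values())
    patched, n = patch(img, old, new)
    after_new = sum(len(v) for v in scan(patched, new).values())
    after_old = sum(len(v) for v in scan(patched, old).values())
    return before, n, after_new, after_old


if __name__ == "__main__":
    if len(sys.argv) == 4:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        print({k: [hex(o) for o in v] for k, v in scan(data, parse_mac(sys.argv[2])).items()})
        out, n = patch(data, parse_mac(sys.argv[2]), parse_mac(sys.argv[3]))
        with open(sys.argv[1] + ".patched", "wb") as f:
            f.write(out)
        print(f"{n} copies rewritten -> {sys.argv[1]}.patched")
    else:
        print(demo())
```

Run the scan first and compare the hit count with what the post reports before patching: fewer hits than expected means a copy is stored in a spelling this script does not look for, more (in particular extra raw-byte hits) means those six bytes also occur somewhere that is not a MAC and must not be rewritten.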