Bootloop Investigation for Netgear R8300 and R8500 routers

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3, 4  Next
Author Message
tasman_shn
DD-WRT Novice


Joined: 12 Aug 2018
Posts: 9

PostPosted: Sun Aug 12, 2018 0:58    Post subject: Reply with quote
As information I use R8500-MP1 Made in China
Sponsor
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7209
Location: Columbus, Ohio

PostPosted: Sun Aug 12, 2018 1:17    Post subject: Reply with quote
Everyone should avoid the r8500.
_________________
I am far from a guru, I'm barely a novice.
deslatha
DD-WRT User


Joined: 12 Jul 2016
Posts: 187

PostPosted: Sun Aug 12, 2018 3:04    Post subject: Reply with quote
There are 2 ways to fix it. As switch still working but just disable only one 5ghz wl.
1. Copy and install eeprom on Fm ic (behind on the left of PEX8603).
2. implent code into FW.
Each router have specific code for switch to 2nd 5ghz wl. If then default to first 5ghz and disable the 2nd one.
here the software for dev:https://www.broadcom.com/products/pcie-switches-bridges/software-dev-kit



PEX8603_config.png
 Description:
 Filesize:  273.88 KB
 Viewed:  4928 Time(s)

PEX8603_config.png


routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Mon Aug 13, 2018 17:06    Post subject: Reply with quote
deslatha -
Can you give more info on what you mean exactly? I am not following.

It seems for many people, either one or the other 4366's is not being enabled (perhaps missing firmware?).

Are you suggesting writing some "fixup code"?
Ja
DD-WRT Novice


Joined: 13 Aug 2018
Posts: 11

PostPosted: Mon Aug 13, 2018 17:07    Post subject: Reply with quote
Hi
I have the same MP2 router and it turns on properly only on software R8500-V1.0.0.28_1.0.15 but does not work wifi [neither 2 nor 5 GHz]


I think it is a hardware problem. Perhaps only PEX8603 is damaged


This system is on BGA.



I would have to have copies of a flash router that works S34ML01G200 1Gb / 128MB

I have a programmer to upload.


I checked the bone and there are no bad blocks. She is not a problem. Maybe someone in the forum can do a flash copy of the router?

I will try to buy such a reliable router and flash flash [with substitution mtd4]

I think, however, that it would not do anything [the problem lies in some layout on the PCB]


Sorry for my bad English.


He also noticed that in the copy of the router [128MB] no data mtd7: 002c0000 00020000 "T_Meter1"
mtd8: 002c0000,00020000 "T_Meter2"
Maybe someone knows what it is?
deslatha
DD-WRT User


Joined: 12 Jul 2016
Posts: 187

PostPosted: Mon Aug 13, 2018 21:20    Post subject: Reply with quote
Normal BCM 47xx Soc haves 3 pci-e, one for 2.4 ghz then another one for 5ghz. Because cut cost and efficiency , it used only 1 sdram at 32 or 64MB x 16 bit x 8 banks; then you see, arm cortex cpu is 32 bit, that means 32 i/o data line. But router only used 1 sdram ic with 16 i/o data line.(a mystery in computer x86). that is the bottom neck. So a 5ghz wl chip can transmit max 5GT. If the router has another one 5ghz then data rate will be spit into 2.5GT. In order to increase and maintain max data rate transmit then a pci-e switch need to be put in. As a doc say: 1 5ghz wl still get 5GT and the other is 2.5 GT which total 7.5GT(ASM1182e = 1x PCIe Gen.2 >>> 2x PCIe Gen.2 (packet switch) . also this concept cutting edge of technology is very well useful in future. But heat issues alway is a problem until interact of gravity unlock.
back to topic, we need to confirm that PEX 8603 is only disable or lock up. just copy whole img of working and original router then clone to bad one. if it work then the pci-e switch is disable. also ea9500 have same hardware , then you may be compare fw of 2 and find down what happen. that is easy way. Running software PEX8603 for debug may be last choice if you are a engineering tech.
Ja
DD-WRT Novice


Joined: 13 Aug 2018
Posts: 11

PostPosted: Mon Aug 13, 2018 21:43    Post subject: Reply with quote
I have a programmer but I need to buy a working router somewhere
As copying nand flash will not give anything is a pcb failure [processor or PEX8603]
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Mon Aug 13, 2018 22:00    Post subject: Reply with quote
So, I would be willing to try to write entire image to flash from a known good one; however, I do not have a known good unit that functions with stock firmware to get a source full image from. I did take the mtd partitions (less mtd1 and mtd4) and write each of those to the 16 other partitions (that was posted above) on the unit I have here. So, mtd1 is nvram of course, and mtd4 is boarddata...and I do have a good clone of my mtd4 of my unit. So short of nvram variables which were cleared, that is all pretty close to a full image restore that I could do with what I have. I anyone is willing to share a full image dump from a fully working unit, I am happy to try.

So, from the logs at boot, it is hard to say specifically that the pci-e switch is the cause. It seems like one of the bcm4366 chips is not recognized due to the mis-id of the chips Broadcom but perhaps it is in addition to the pci-e switch.

Not sure that ea9500 is same exact hardware - main stuff yes - but it has less ram for example. I am not sure how the PEX8603 would be disabled if one radio works for many folks?
Ja
DD-WRT Novice


Joined: 13 Aug 2018
Posts: 11

PostPosted: Mon Aug 13, 2018 22:21    Post subject: Reply with quote
There are additional areas in the NAND memory that can not be copied with the dd command

Locked reading

It must be only a 1: 1 copy of NAND flash


I do not know if there is a possibility of copying by CFE? Dumping?
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Tue Aug 14, 2018 20:53    Post subject: Reply with quote
I am not in front of router or main pc right now but as I recall, I think you can do it from CFE with something similar to below:

CFE> save <host_ip>:wholeflash.bin <start> <length>

where host_ip is running a tftpd server
and start and length are mapped flash memory position start and length is length of entire flash memory.

again - going by memory and not is front of computer - so mileage may vary. Smile
Ja
DD-WRT Novice


Joined: 13 Aug 2018
Posts: 11

PostPosted: Wed Aug 15, 2018 5:39    Post subject: Reply with quote
Yes, I know, but there is not much data compared to the copy of the programmer, so this option does not give anything


I will try to buy a router somewhere and how to make copies of it. If it does not work, the problem lies in the hardware on [pcb]
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Wed Aug 22, 2018 1:15    Post subject: Reply with quote
deslatha wrote:
There are 2 ways to fix it. As switch still working but just disable only one 5ghz wl.
1. Copy and install eeprom on Fm ic (behind on the left of PEX8603).
2. implent code into FW.
Each router have specific code for switch to 2nd 5ghz wl. If then default to first 5ghz and disable the 2nd one.
here the software for dev:https://www.broadcom.com/products/pcie-switches-bridges/software-dev-kit


Is it possible to determine the configuration for that eeprom from the PEX doc links you posted? Of course I am making the assumption that the contents are merely config/register settings needed to properly put the PEX into the proper state and not any type of custom firmware code. Is that about right?
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Thu Aug 23, 2018 3:07    Post subject: Reply with quote
Had a few minutes, hoping to spur some conversation and get to the solution on these R8500 beasts.

Here is the relevant verbose portion of lspci for the PEX 8603 on these units:

0002:01:00.0 PCI bridge: PLX Technology, Inc. PEX 8603 3-lane, 3-Port PCI Express Gen 2 (5.0 GT/s) Switch (rev ab) (prog-if 00 [Normal decode])
Flags: bus master, fast devsel, latency 0
Memory at 21800000 (32-bit, non-prefetchable) [size=16K]
Bus: primary=01, secondary=02, subordinate=04, sec-latency=0
Memory behind bridge: 20000000-217fffff
Prefetchable memory behind bridge: 0000000021a00000-0000000021cfffff
Capabilities: [40] Power Management version 3
Capabilities: [48] MSI: Enable- Count=1/4 Maskable+ 64bit+
Capabilities: [68] Express Upstream Port, MSI 00
Capabilities: [a4] Subsystem: PLX Technology, Inc. PEX 8603 3-lane, 3-Port PCI Express Gen 2 (5.0 GT/s) Switch
Capabilities: [100] Device Serial Number ab-86-02-10-b5-df-0e-00
Capabilities: [fb4] Advanced Error Reporting
Capabilities: [138] Power Budgeting <?>
Capabilities: [148] Virtual Channel
Capabilities: [950] Vendor Specific Information: ID=0001 Rev=0 Len=028 <?>
Kernel driver in use: pcieport

0002:02:01.0 PCI bridge: PLX Technology, Inc. PEX 8603 3-lane, 3-Port PCI Express Gen 2 (5.0 GT/s) Switch (rev ab) (prog-if 00 [Normal decode])
Flags: bus master, fast devsel, latency 0
Bus: primary=02, secondary=03, subordinate=03, sec-latency=0
Memory behind bridge: 20000000-20bfffff
Prefetchable memory behind bridge: 0000000021a00000-0000000021bfffff
Capabilities: [40] Power Management version 3
Capabilities: [48] MSI: Enable- Count=1/4 Maskable+ 64bit+
Capabilities: [68] Express Downstream Port (Slot+), MSI 00
Capabilities: [a4] Subsystem: PLX Technology, Inc. PEX 8603 3-lane, 3-Port PCI Express Gen 2 (5.0 GT/s) Switch
Capabilities: [100] Device Serial Number ab-86-02-10-b5-df-0e-00
Capabilities: [fb4] Advanced Error Reporting
Capabilities: [148] Virtual Channel
Capabilities: [520] Access Control Services
Capabilities: [950] Vendor Specific Information: ID=0001 Rev=0 Len=028 <?>
Kernel driver in use: pcieport

0002:02:02.0 PCI bridge: PLX Technology, Inc. PEX 8603 3-lane, 3-Port PCI Express Gen 2 (5.0 GT/s) Switch (rev ab) (prog-if 00 [Normal decode])
Flags: bus master, fast devsel, latency 0
Bus: primary=02, secondary=04, subordinate=04, sec-latency=0
Memory behind bridge: 20c00000-217fffff
Prefetchable memory behind bridge: 0000000021c00000-0000000021cfffff
Capabilities: [40] Power Management version 3
Capabilities: [48] MSI: Enable- Count=1/4 Maskable+ 64bit+
Capabilities: [68] Express Downstream Port (Slot+), MSI 00
Capabilities: [a4] Subsystem: PLX Technology, Inc. PEX 8603 3-lane, 3-Port PCI Express Gen 2 (5.0 GT/s) Switch
Capabilities: [100] Device Serial Number ab-86-02-10-b5-df-0e-00
Capabilities: [fb4] Advanced Error Reporting
Capabilities: [148] Virtual Channel
Capabilities: [520] Access Control Services
Capabilities: [950] Vendor Specific Information: ID=0001 Rev=0 Len=028 <?>
Kernel driver in use: pcieport

And here is an interesting link on using the setpci commands to read/write to a fw eeprom using the PEX controller.

http://billauer.co.il/blog/2015/10/linux-plx-avago-pcie-switch-eeprom/

Does the following indicate a misconfigured PEX as Deslatha suggested?

wl_module_init: passivemode set to 0x0
wl_module_init: txworkq set to 0x0
PCI: Enabling device 0001:01:00.0 (0140 -> 0142)
External imprecise Data abort at addr=0x7f400000, fsr=0x1406, pc=0x802241c4 lr=0x801fea3c ignored.
External imprecise Data abort at addr=0x7f400000, fsr=0x1406, pc=0x802241c4 lr=0x801fea3c ignored.
wl driver 7.14.89.21 (r524987) failed with code 1
PCI: Enabling device 0002:03:00.0 (0140 -> 0142)
wl driver 7.14.89.21 (r524987) failed with code 1
PCI: Enabling device 0002:04:00.0 (0140 -> 0142)
wl driver 7.14.89.21 (r524987) failed with code 1
External imprecise Data abort at addr=0x7f600000, fsr=0x1406, pc=0x802241c4 lr=0x7f46b0bc ignored.
External imprecise Data abort at addr=0x7f600000, fsr=0x1406, pc=0x802241c4 lr=0x7f46acf0 ignored.
External imprecise Data abort at addr=0x7f600000, fsr=0x1406, pc=0x802241c4 lr=0x7f46acf0 ignored.
External imprecise Data abort at addr=0x7f600000, fsr=0x1406, pc=0x802241c4 lr=0x7f46acf0 ignored.
External imprecise Data abort at addr=0x7f600000, fsr=0x1406, pc=0x802241c4 lr=0x7f473794 ignored.
External imprecise Data abort at addr=0x7f600000, fsr=0x1406, pc=0x802241c4 lr=0x7f46acf0 ignored.
External imprecise Data abort at addr=0x7f600000, fsr=0x1406, pc=0x802241c4 lr=0x7f46acf0 ignored.
External imprecise Data abort at addr=0x8a910000, fsr=0x1406, pc=0x802241c4 lr=0x7f46b0bc ignored.

Would love to get to the bottom of this!
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Thu Aug 23, 2018 18:36    Post subject: Reply with quote
Kong, Deslatha, and Ja ...

Take a read through this if you have not already seen the thread. Sounds very much like what may be occurring here on some variants (i.e. MP2) of the R8300/R8500 Vietnams units:

http://patchwork.ozlabs.org/patch/448328/

It discusses the R8000; however the R8300/R8500 use the same PEX 8603 chip.

"The Netgear R8000 has a PEX8603 connected to the BCM53012 and if
it isn't configured during the bus scan the PCI layer goes crazy
trying to configure phantom devices."

Now looking at the some of the code (still reviewing), depending on the model, the proper setup of the downstream WL chips may not have occurred at time of PCI scan resulting in spazzing out and failure to properly register a particular WL chip/radio.

Furthermore, I actually witnessed this last night (me testing a theory), that improperly configuring one of the WL chips, can (and did last night) cause an inadvertent write to one or more areas on the nand chip and starting tossing out all kinds of corruption. In turn that produced a boot loop. I think this may ultimately be what be are seeing.

Take a look and give any thoughts if you can.
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Thu Aug 23, 2018 20:35    Post subject: Reply with quote
I got a laugh out of this... (from Netgear's source code):

Code:
/*foxconn Han edited start, 10/01/2015
 *when R8500 didn't recognize all 3 interface, then do the software reboot*/
int isDhdReady()
{


... Thanks Netgear! don't fix the real problem - just reboot, rinse repeat.
(and screw over everyone that paid good money for these routers) Very Happy
Goto page Previous  1, 2, 3, 4  Next Display posts from previous:    Page 2 of 4
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum