Actiontec T1200H - CFE nand with imagetag?

Hi everyone,

I have an Actiontec T1200H and most of the supported functionality is working. I am now trying to figure out what the OpenWrt NAND layout is going to be and what the installation procedure is. The flash format is different from other bcm63xx devices and hopefully someone else has encountered it before.

In the OEM boot console the flash layout shows as follows:

Creating 6 MTD partitions on "brcmnand.0":
0x000000040000-0x000003d80000 : "rootfs"
0x000003da0000-0x000007ae0000 : "rootfs_update"
0x000007b00000-0x000007f00000 : "data"
0x000000000000-0x000000020000 : "nvram"
0x000000020000-0x000000040000 : "tag"
0x000003d80000-0x000003da0000 : "tag_update"

Digging through the GPL source, information related to the tag partitions can be found by searching for the AEI_CONFIG_JFFS define. The structure should be the standard Broadcom firmware header used in NOR flash devices. However, dumping the data shows that it's a bit different.

00020000: 1985 3700 3106 4130 3230 3131 0000 5432  ..7.1.A02011..T2
00020010: 3230 3048 2d33 312e 3132 384c 2e30 3700  200H-31.128L.07.
00020020: 0000 0000 0000 3633 3236 3800 5432 3230  ......63268.T220
00020030: 3048 0000 0000 0000 0000 0000 3100 3234  0H..........1.24
00020040: 3337 3933 3932 0000 3000 0000 0000 0000  379392..0.......
00020050: 0000 0000 3000 0000 0000 0000 0000 3332  ....0.........32
00020060: 3137 3033 3134 3234 0000 3234 3337 3933  17031424..243793
00020070: 3932 0000 3332 3431 3431 3038 3136 0000  92..3241410816..
00020080: 3000 0000 0000 0000 0000 0000 0000 5431  0.............T1
00020090: 3230 3048 2d33 312e 3132 384c 2e30 3700  200H-31.128L.07.
000200a0: 0000 0000 0000 0000 0000 0000 0000 b918  ................
000200b0: 052e e5b5 262b d61d 2375 f779 ce55 c7a1  ....&+..#u.y.U..
000200c0: 2a28 27b3 8fad bb41 6fae 18a3 2fd1 bb34  *('....Ao.../..4
000200d0: 00a0 ea26 98f0 caf6 23c1 752d 23c1 752d  ...&....#.u-#.u-
000200e0: ffff ffff 0000 0000 0000 0000 bf35 5b41  .............5[A
000200f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

What's most interesting is that tagVersion seems to be a JFFS2 node header, so it's possible that the filesystem parser was designed to see this block but ignore it. The strange value in signiture_1 is part of an extra vendor verification.

Some old posts about the Actiontec F2250 (1, 2) show that it's a similar device with the same flash layout. The firmware image files have the same image tag prepended to the jffs data so it's probably necessary when flashing through CFE.

Given that info dump, I'm trying to find out the following to proceed:

Should the OpenWrt firmware partition use the whole NAND? I like the idea of keeping the second vendor image as a backup cferam, and 64MB should be enough storage. However, I suspect that CFE will think that's newer and try to boot from it.

Does CFE verify the imagetag on boot or just when flashing? If I don't have to figure out how to update the tag partition when doing a sysupgrade that will make supporting this much simpler.

I think the installation for this is going to have to be done through an initramfs image, so it might not be worth the effort to get the build system to generate a tagged cfe image file.

I'd like to do some experimenting, but recovering the device is going to be a pain if I brick it. There's a 40 pin 2mm header that might have JTAG signals on it, but it's blocked on one side by an RF shield. Desoldering the flash to reprogram it might be the same amount of work.
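
Added example, not part of the original post: Python that slices the tag dump above by the field lengths of the standard Broadcom FILE_TAG header and checks that the decoded addresses and lengths agree with each other. The field table, the token offset, the CRC convention (init 0xFFFFFFFF, no final XOR, big-endian) and all helper names are assumptions; whether the stored token matches on this vendor-modified tag is left for the run to show.

```python
import zlib
# 256-byte "tag" partition dump copied from the post (flash offset 0x20000).
DUMP = """
1985 3700 3106 4130 3230 3131 0000 5432 3230 3048 2d33 312e 3132 384c 2e30 3700
0000 0000 0000 3633 3236 3800 5432 3230 3048 0000 0000 0000 0000 0000 3100 3234
3337 3933 3932 0000 3000 0000 0000 0000 0000 0000 3000 0000 0000 0000 0000 3332
3137 3033 3134 3234 0000 3234 3337 3933 3932 0000 3332 3431 3431 3038 3136 0000
3000 0000 0000 0000 0000 0000 0000 5431 3230 3048 2d33 312e 3132 384c 2e30 3700
0000 0000 0000 0000 0000 0000 0000 b918 052e e5b5 262b d61d 2375 f779 ce55 c7a1
2a28 27b3 8fad bb41 6fae 18a3 2fd1 bb34 00a0 ea26 98f0 caf6 23c1 752d 23c1 752d
ffff ffff 0000 0000 0000 0000 bf35 5b41 0000 0000 0000 0000 0000 0000 0000 0000
"""
TAG = bytes.fromhex("".join(DUMP.split()))
# Assumed layout: standard Broadcom FILE_TAG fields as (name, length in bytes).
FIELDS = [("tagVersion", 4), ("signiture_1", 20), ("signiture_2", 14),
          ("chipId", 6), ("boardId", 16), ("bigEndian", 2),
          ("totalImageLen", 10), ("cfeAddress", 12), ("cfeLen", 10),
          ("rootfsAddress", 12), ("rootfsLen", 10), ("kernelAddress", 12),
          ("kernelLen", 10), ("imageSequence", 4), ("imageVersion", 32)]
TOKEN_OFF = 236  # assumed: tagValidationToken occupies the last 20 bytes

def parse_tag(tag):
    """Slice the tag into raw byte fields, in order, by the assumed lengths."""
    if len(tag) != 256: raise ValueError("expected a 256-byte tag")
    out, off = {}, 0
    for name, size in FIELDS:
        out[name] = tag[off:off + size]
        off += size
    return out

def text(raw):
    """Fields are NUL-padded ASCII; numbers are stored as decimal strings."""
    return raw.split(b"\0", 1)[0].decode("ascii")

def layout_consistent(f):
    """True if kernel follows rootfs and the part lengths sum to the total."""
    n = lambda key: int(text(f[key]))
    return (n("kernelAddress") == n("rootfsAddress") + n("rootfsLen") and
            n("totalImageLen") == n("cfeLen") + n("rootfsLen") + n("kernelLen"))

def tag_crc_matches(tag):
    """Compare the stored token with the assumed CRC over bytes 0..235."""
    calc = zlib.crc32(tag[:TOKEN_OFF]) ^ 0xFFFFFFFF  # undo zlib's final XOR
    return calc == int.from_bytes(tag[TOKEN_OFF:TOKEN_OFF + 4], "big")

if __name__ == "__main__":
    f = parse_tag(TAG)
    print({k: text(f[k]) for k in ("chipId", "boardId", "imageVersion")})
    print(hex(int(text(f["rootfsAddress"]))), layout_consistent(f), tag_crc_matches(TAG))
```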