First try to support CPE210 v2 - will not boot

CSG · August 11, 2017, 12:44pm

Hi,

I am trying to add LEDE support to my CPE210v2 device. I did some changes to the LEDE source, compiled and flashed it to the device. Unfortunately, it won't boot the new firmware. Returning to the stock fw is no problem, it can be flashed via TFTP. My target is to boot LEDE.

This is bootloader output via serial port:

U-Boot 1.1.4-g30d8afa8-dirty (Nov  1 2016 - 17:38:05)

ap143-2.0 - Honey Bee 2.0

DRAM:  64 MB
Flash Manuf Id 0xc�, DeviceId0 0x40, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_in�tialize...
a�h_gmac_enet_initialize: reset mask:c02200 
Scorpion ---->S27 PHY�
S27 reg init
: cfg1 0x800c0000 cfg2 0x7114
eth0: ba:be:fa�ce:08:41
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_p�y_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 up
Honey Bee ---->  MAC 1 S27 PHY *
S27 reg init
ATHRS27: resetting s27
ATHRS27: s27 reset do�e
: cfg1 0x800c0000 cfg2 0x7214
eth1: ba:be:fa:ce:08:41
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_�PEC_STAUS 0 :10
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
at�rs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :10
athrs27_phy_setup ATH�_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :�0
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setu� ATHR_PHY_SPEC_STAUS 3 :10
eth1 up
eth0, eth1
Setting 0x�81162c0 to 0x4081a100
is button pressed? 0
Autobooting in 1 seconds
## Booting ima�e at 9f040000 ...
   Uncompressing Kernel Image ... OK
�
 Starting kernel ...

Nothing happens afterwards. Only the LAN-LED is lit. I assume the bootloader tries to jump to the kernel at an incorrect start address. This is what I would like to resolve in this thread.

These are my changes to the LEDE source:
[lededir]/target/linux/ar71xx/image/tp-link.mk:

--- a/target/linux/ar71xx/image/tp-link.mk
+++ b/target/linux/ar71xx/image/tp-link.mk
@@ -224,6 +224,14 @@ define Device/cpe210-220-v1
   TPLINK_BOARD_ID := CPE210
 endef
 
+define Device/cpe210-220-v2
+  $(Device/cpe510-520-v1)
+  MTDPARTS := "ath-nor0:128k(u-boot),64k(pation-table),64k(product-info),1536k(kernel),6144k(rootfs),192k(config),64k(ART)"
+  DEVICE_TITLE := TP-LINK CPE210/220 v2
+  BOARDNAME := CPE210
+  TPLINK_BOARD_ID := CPE210v2
+endef
+
 define Device/wbs210-v1
   $(Device/cpe510-520-v1)
   DEVICE_TITLE := TP-LINK WBS210 v1
@@ -237,7 +245,7 @@ define Device/wbs510-v1
   BOARDNAME := WBS510
   TPLINK_BOARD_ID := WBS510
 endef
-TARGET_DEVICES += cpe210-220-v1 cpe510-520-v1 wbs210-v1 wbs510-v1
+TARGET_DEVICES += cpe210-220-v1 cpe210-220-v2 cpe510-520-v1 wbs210-v1 wbs510-v1

I read the MTDPARTS variable from the stock firmware. The LEDE definition for CPE210v1 starts with MTDPARTS := spi0.0:128k(u-boot)ro ...

In [lededir]/tools/firmware-utils/src/tplink-safeloader.c I added this:

--- a/tools/firmware-utils/src/tplink-safeloader.c
+++ b/tools/firmware-utils/src/tplink-safeloader.c
@@ -154,6 +154,38 @@ static struct device_info boards[] = {
                .last_sysupgrade_partition = "file-system",
        },
 
+       {
+               .id     = "CPE210v2",
+               .vendor = "CPE210(TP-LINK|EU|N300-2):2.0",
+               .support_list =
+                       "SupportList:\r\n"
+                       "CPE210(TP-LINK|EU|N300-2|45550000):2.0\r\n",
+               .support_trail = '\xff',
+               .soft_ver = NULL,
+
+               .partitions = {
+                       {"fs-uboot", 0x00000, 0x20000},
+                       {"partition-table", 0x20000, 0x02000},
+                       {"default-mac", 0x30000, 0x00020},
+                       {"product-info", 0x31100, 0x00100},
+                       {"device-info",0x31400, 0x00400},
+                       {"signature", 0x32000, 0x00400},
+                       {"device-id", 0x33000, 0x00100},
+                       {"os-image", 0x40000, 0x170000},
+                       {"soft-version", 0x1b0000, 0x00100},
+                       {"support-list", 0x1b1000, 0x01000},
+                       {"file-system", 0x1c0000, 0x600000},
+                       {"user-config", 0x7c0000, 0x10000},
+                       {"default-config", 0x7d0000, 0x10000},
+                       {"log", 0x7e0000, 0x10000},
+                       {"radio", 0x7f0000, 0x10000},
+                       {NULL, 0, 0}
+               },
+
+               .first_sysupgrade_partition = "os-image",
+               .last_sysupgrade_partition = "file-system",
+       },
+
        /** Firmware layout for the CPE510/520 */
        {
                .id     = "CPE510",

I read the partition table from /dev/mtd2 which is the "partition table" partition. It does not differ much from the partition table used in CPE210v1.

What I am still unsure about

In tp-link.mk: Does the BOARDNAME or TPLINK_BOARD_ID variable refer to the corresponding entry in tplink-safeloader.c?
Is it necessary to change the tplink-safeloader.c anyway? According to the OpenWrt wiki the CPE210v1 bootloader identifies itself with:

TP-LINK SafeLoader (Build time: Jan 14 2015 - 11:01:05) CPU: 560MHz AHB: 225MHz DDR: 64MB Performing LED check.. PASS Press CTRL+B to enter SafeLoader

The CPE210v2 bootloader however starts with a plain Uboot message:

U-Boot 1.1.4-g30d8afa8-dirty (Nov 1 2016 - 17:38:05)
ap143-2.0 - Honey Bee 2.0

More info
Log of the OEM firmware booting: https://nopaste.me/view/0ffded29

#Output of /proc/cmdline:

# cat /proc/cmdline
console=ttyS0,115200 root=31:04 rootfstype=squashfs init=/init mtdparts=ath-nor0:128k(u-boot),64k(pation-table),64k(product-info),1536k(kernel),6144k(rootfs),192k(config),64k(ART) mem=64M

Output of /proc/cpuinfo

# cat /proc/cpuinfo
system type		: QCA953x
processor		: 0
cpu model		: MIPS 24Kc V7.4
BogoMIPS		: 432.12
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 16
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0ff8, 0x02b4, 0x0a50, 0x0490]
ASEs implemented	: mips16
shadow register sets	: 1
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

Output of /proc/devices:

# cat /proc/devices
Character devices:
  1 mem
  4 ttyS
  5 /dev/tty
  5 /dev/console
  5 /dev/ptmx
 10 misc
 77 ATH_GPIOC
 90 mtd
108 ppp
128 ptm
136 pts
238 ar7100_gpio_chrdev
239 ar7240_flash_chrdev

Block devices:
259 blkext
 31 mtdblock

What to do now?

I would like to understand how this works, so I can maybe add support to another device in the future. Are there any tips you can give me on how to proceed? I would love to see my CPE210v2 running with LEDE.

Thanks in advance.

robimarko · September 4, 2017, 1:41pm

I am also in need of LEDE support for CPE210 v2.
It looks like you are only one to make a progress.

Are you sure that your version is EU because there is also UN version which can be seen in stock firmware header.
Stock header dump:
CPE210(TP-LINK|EU|N300-2):2.0
CPE210(TP-LINK|UN|N300-2):2.0
CPE210(TP-LINK|UN|N300-2|00000000):2.0
CPE210(TP-LINK|US|N300-2|55530000):2.0
CPE210(TP-LINK|EU|N300-2|45550000):2.0
Can you try adding UN also to tplink-safeloader.c in same manner as v1 has it.

Also,what do your MTD partitions look like?

Do you maybe have git repo for me to look?

tiefpunkt · September 14, 2017, 11:30pm

Just wondering, the v1 and v1.1 were based around the AR9344, but v2 seems to be based on QCA9531. Are you sure you can just reuse the v1.x sources for that?

CSG · September 15, 2017, 8:07am

Hi,
thank you for your replies. i am currently on vacation and did not look in this forum.
I didn't creat a git repo for it, because this was just my first try ever to add LEDE support to a device.

I posted a list of mtd partitions in this thread: Support for Tp link CPE210 v2.0

robimarko · September 15, 2017, 10:19am

No we cant since GPIO-s also changed.
Some progress was made,but serial console refuses to work

robimarko · September 18, 2017, 12:17pm

Any interest on helping me?
It aint gonna fix itself.
Pretty much everything is ready(In theory) but still as soon as kernel starts loading serial output dies.
Even when I manually load kernel over tftp and boot it serial works till just after it is enabled in log.

Code resides here:https://github.com/robimarko/source/tree/CPE-210v2

MartinS · September 21, 2017, 5:46pm

Did you made any more Progress on this? I would really like this router to be supported, but i think i dont have the experience nor knowledge to add it. Nevertheless i tried anyways and got the same point you did.
As far as i understand is that chip is able to map any output functionality to any GPIO Pin. Maybe the Serial Hardware is internally connected to the wrong pins or no pins at all (by default the UART is not connected).
According to my testing the TX header ping is connected to GPIO_10 and RX to GPIO_9, but for the RX i think the board misses R108 for a Voltage divider (at least mine does, maybe 1k Ohm). After adding the 1k at R108 on my board, i can type to the login promt on the serial, dont know the login user/pass.
I looked at your code and i think some of your LED pins are wrong. I measured the external button to be connected to GPIO_17 and the LAN Led to GPIO_11.
All according to this Datasheet https://github.com/Deoptim/atheros/blob/master/QCA9531_nowatermark.pdf (the QCA9531 is aperently identical as the QCA9533)

robimarko · September 21, 2017, 6:40pm

Unfortunately not.
Yes, for TX to work you either need a small resistor or you can just bridge the pads next to existing resistor.
Username is root and password is 5up, but you cant do much with it since even dd is not included in precompiled tools.

I know some GPIO pins are wrong, that is really a small thing to fix.
I will change them in the code to ones you determined.
Just to clear my confusion, for LAN0(Only LAN) LED you traced the first LED in the array or second one?
Because they are using the same LED array like in v1 so they don't use the first LED at all.

Yes, QCA9533 is equal to QCA9531 minus USB support.

Serial should be enabled by default, but like you said maybe GPIO pins in 8250 driver that gets included in dev-eth are wrong.

We could take a look at that.
Thanks for trying, you are the first one to actually do something.

MartinS · September 21, 2017, 7:00pm

There are 7 light pipes but only 6 leds under them, the left one is missing. From left the first is just power, not connected to the main chip, the next one is the LAN one. Then the four for wifi strength.

robimarko · September 21, 2017, 7:02pm

Awesome, I was using GPL source for determining LED GPIOs.
Also K1SEGADDR for LAN na Wireless MAC adress is incorrect.
Did you check other LEDs?
Will change those.

I am certain that we could do a lot more together then everyone separately.

P.S: Nice DIP adapter for SPI flash.
Did you maybe take a full flash dump?

MartinS · September 21, 2017, 7:19pm

Here you go: https://martin-sc.de/random_stuff/cpe210_flashdump_oem.bin It was dumed right after a fresh flash of the oem firmware. Mainly to have a backup in case i brick the thing.

robimarko · September 21, 2017, 7:30pm

Awesome, I only backuped u-boot since stock firmware does not include dd and cat will only get you so far.
Now we have a way to recover if anything goes wrong.

I am looking into serial_8250.h which is driver responsible for serial.
Unfortunately, no GPIOs are defined there.

GPL source confirms that for QCA953X GPIO 9 and 10 are used for serial

/* enable UART block, takes away GPIO 10 and 9 */
void ath_gpio_enable_uart(void)
{
ath_reg_rmw_set(ATH_GPIO_FUNCTIONS, ATH_GPIO_FUNCTION_UART_EN);
ath_reg_rmw_clear(ATH_GPIO_OE, 1 << 9);
ath_reg_rmw_set(ATH_GPIO_OE, 1 << 10);
}

And source of serial not working is found.
https://github.com/lede-project/source/blob/master/target/linux/ar71xx/patches-4.4/520-MIPS-ath79-enable-UART-function.patch

MartinS · September 21, 2017, 9:18pm

I think there is nothing wrong with the serial. I think the kernel is not starting or not even loading. I hooked up my scope to the SPI Bus and there is no activity after "Autobooting in 1 seconds", besides some very short bursts (never long enought to load the whole kernel). The OEM Firmware has much more.
The red arrow indicates approximately the time when "Autobooting in 1 seconds" came through the serial.

LEDE: cpe210_spi_lede

OEM: cpe210_spi_oem

I think there is something wrong with the format, location or compression of the kernel in flash memory.

Here are binwalk outputs of the flash chip dumps. One with LEDE the other with the OEM firmware:
I dont understand a lot of this but maybe they help.

LEDE:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
12896         0x3260          U-Boot version string, "U-Boot 1.1.4-g30d8afa8-dirty (Nov  1 2016 - 17:38:13)"
12960         0x32A0          CRC32 polynomial table, big endian
14272         0x37C0          uImage header, header size: 64 bytes, header CRC: 0x80D80E48, created: 2016-11-01 09:38:14, image size: 56171 bytes, Data Address: 0x80010000, Entry Point: 0x80010000, data CRC: 0x1BA68293, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image"
14336         0x3800          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 147756 bytes
262144        0x40000         ELF, 32-bit MSB MIPS-I executable, MIPS, version 1 (SYSV)
333564        0x516FC         Copyright string: "Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>"
333792        0x517E0         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4277100 bytes
1835008       0x1C0000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1902954 bytes, 697 inodes, blocksize: 262144 bytes, created: 2017-09-18 19:39:41

OEM:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
12896         0x3260          U-Boot version string, "U-Boot 1.1.4-g30d8afa8-dirty (Nov  1 2016 - 17:38:13)"
12960         0x32A0          CRC32 polynomial table, big endian
14272         0x37C0          uImage header, header size: 64 bytes, header CRC: 0x80D80E48, created: 2016-11-01 09:38:14, image size: 56171 bytes, Data Address: 0x80010000, Entry Point: 0x80010000, data CRC: 0x1BA68293, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image"
14336         0x3800          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 147756 bytes
262144        0x40000         TP-Link firmware header, firmware version: 0.0.3, image version: "", product ID: 0x0, product version: 0, kernel load address: 0x0, kernel entry point: 0x80002000, kernel offset: 4063232, kernel length: 512, rootfs offset: 0, rootfs length: 1048576, bootloader offset: 2883584, bootloader length: 0
262656        0x40200         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2477544 bytes
1835008       0x1C0000        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 3586688 bytes, 510 inodes, blocksize: 131072 bytes, created: 2017-06-09 08:05:00

robimarko · September 21, 2017, 9:27pm

Hm, it could be that firmware size may be wrong.
But I am comparing stock and LEDE and size looks correct.
Do you have bootargs?
I have them somewhere, but if you can copy yours it would be good.
We really need more experienced developer here
But from what I dug up serial is not enabled for QCA953X SoC in 2 patches and even in the kernel.

MartinS · September 21, 2017, 9:50pm

Bootargs? Where do you set them?
Do you have access to the uboot commandline?
Can you access it in the oem uboot or must i flash some kind of modifed uboot?

robimarko · September 21, 2017, 9:51pm

You can read them from stock u-boot.
Just keep quickly typing tpl until you see ap143> then just type printenv

robimarko · September 22, 2017, 9:27am

It looks like I was wrong about patch.
UART is added in QCA953X support patch
https://github.com/lede-project/source/blob/master/target/linux/ar71xx/patches-4.4/620-MIPS-ath79-add-support-for-QCA953x-SoC.patch#L169
https://github.com/lede-project/source/blob/master/target/linux/ar71xx/patches-4.4/620-MIPS-ath79-add-support-for-QCA953x-SoC.patch#L286

psyborg · September 22, 2017, 10:42am

i've had similar issues while switching between tplink/modified u-boot and LEDE/OpenWrt images on QCA9531 so i don't remember which combination did not work or for what reason but it might be related to console parameters:

CONSOLE := ttyATH0,115200

according to @pepe2k should be

CONSOLE := ttyS0,115200 for QCA953X and dropped completely as it's already set as default

it would hang after: [ 1.249998] bootconsole [early0] disabled

OpenWrt image (with ttyATH0) would not boot with tplink uboot but worked fine with modified uboot

robimarko · September 22, 2017, 10:48am

That does not really help since we don't have any kind of modified u-boot for v2.
But it looks like the biggest issue is that kernel does not actually start at all.

We have really hit a wall here

psyborg · September 22, 2017, 11:24am

you don't have +#include <linux/ar8216_platform.h> in board support file (did not verify if it is needed on qca953x), no registered leds or buttons from init function and you're initalizing mac there twice (ath79_init_mac(tmpmac, mac, 0);).

try comparing to my board support file to see if any differences made could get you any progress:https://github.com/lede-project/source/blob/63349fb26b3c69fbbe3e5fee119ace01f57cddaf/target/linux/ar71xx/files/arch/mips/ath79/mach-tl-mr22u.c