Getting an old Cisco 2911 running with OpenWrt

Reading this thread makes me want to bust out the 2911 and start hammering away at it. I remember this device has ROMMON, but does anyone know if it has X/YModem capabilities to push an image via console instead of using flashusb or tftp. This may allow the binary to be pushed without the verification process rejecting it? I may be in the bathroom spit-balling on this one, so don't give me a swirlie if I'm way off. :rofl:

I know the Cisco switches from around this generation are accessible in this manner. (I know from experience, long story... So all I will say is CCNA studies.)

2 Likes

Here you go pal :slight_smile:

1 Like

Ok, I have a "fix-build" branch in my fork.

I have no way to test it today - and can't test it on most of those devices, however it produces a binary.

To add 2911, a new block is needed in the Makefile - if it's similar to C1700, I guess that's the one to copy.

The settings that may need to be changed include
MACHCODE which likely needs to be the same as the value in an IOS image that loads correctly - apparently ROMMON checks this on load
ARCH needs to be set to a value related to the CPU - I made a guess at this stage.
see https://gcc.gnu.org/onlinedocs/gcc/RS_002f6000-and-PowerPC-Options.html for possible values.

EDIT: Actually to create a new router entry, it's also necessary to oopy a bunch of source files, so it may be simpler to just use the existing C1700 for now, until the codebase can be reorganised

I don't know if the TEXTADDR and LOADADDR make any sense yet, if the values don't work, it may be possible to use values from the headers in the IOS image.

I added you to my forked repo so you can tinker on the branch if you like

Sounds great!
In the past i was able to get the C3600 code running without issues, with the hello.c program but not the CILO itself due to the compiling issues.
The MACHCODE get's displayed when you try to run it first on IOS, then it says: binary is not matching $MACHCODE, and then you can modify it and it works.

1 Like

I was able to build the C3600 target successfully, which is the same architecture as the 2911 Cisco router.

chairman@compile-ubuntu:/tmp/cilo$ make
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-gcc -mno-abicalls -fno-builtin -fomit-frame-pointer -fno-pic -fno-stack-protector -Wall -march=mips32 -DLOADADDR=0x80028000 -Iinclude/ -Imach/c3600 -Iinclude/mach/c3600 -c string.c
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-gcc -mno-abicalls -fno-builtin -fomit-frame-pointer -fno-pic -fno-stack-protector -Wall -march=mips32 -DLOADADDR=0x80028000 -Iinclude/ -Imach/c3600 -Iinclude/mach/c3600 -c main.c
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-gcc -mno-abicalls -fno-builtin -fomit-frame-pointer -fno-pic -fno-stack-protector -Wall -march=mips32 -DLOADADDR=0x80028000 -Iinclude/ -Imach/c3600 -Iinclude/mach/c3600 -c ciloio.c
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-gcc -mno-abicalls -fno-builtin -fomit-frame-pointer -fno-pic -fno-stack-protector -Wall -march=mips32 -DLOADADDR=0x80028000 -Iinclude/ -Imach/c3600 -Iinclude/mach/c3600 -c printf.c
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-gcc -mno-abicalls -fno-builtin -fomit-frame-pointer -fno-pic -fno-stack-protector -Wall -march=mips32 -DLOADADDR=0x80028000 -Iinclude/ -Imach/c3600 -Iinclude/mach/c3600 -c elf_loader.c
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-gcc -mno-abicalls -fno-builtin -fomit-frame-pointer -fno-pic -fno-stack-protector -Wall -march=mips32 -DLOADADDR=0x80028000 -Iinclude/ -Imach/c3600 -Iinclude/mach/c3600 -c lzma_loader.c
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-gcc -mno-abicalls -fno-builtin -fomit-frame-pointer -fno-pic -fno-stack-protector -Wall -march=mips32 -DLOADADDR=0x80028000 -Iinclude/ -Imach/c3600 -Iinclude/mach/c3600 -c LzmaDecode.c
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
Making all in mach/c3600...
make[1]: Entering directory '/tmp/cilo/mach/c3600'
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-gcc -mno-abicalls -fno-builtin -fomit-frame-pointer -fno-pic -fno-stack-protector -Wall -march=mips32 -DLOADADDR=0x80028000 -I../../include -D__ASSEMBLY__-xassembler-with-cpp -traditional-cpp -c start.S
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
In file included from start.S:6:
../../include/asm/regdef.h:15: warning: "_MIPS_SIM" redefined
   15 | #define _MIPS_SIM _MIPS_SIM_ABI32
      | 
<built-in>: note: this is the location of the previous definition
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-gcc -mno-abicalls -fno-builtin -fomit-frame-pointer -fno-pic -fno-stack-protector -Wall -march=mips32 -DLOADADDR=0x80028000 -I../../include -c promlib.c
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
promlib.c: In function 'c_baud':
promlib.c:204:1: warning: control reaches end of non-void function [-Wreturn-type]
  204 | }
      | ^
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-gcc -mno-abicalls -fno-builtin -fomit-frame-pointer -fno-pic -fno-stack-protector -Wall -march=mips32 -DLOADADDR=0x80028000 -I../../include -c platform.c
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-gcc -mno-abicalls -fno-builtin -fomit-frame-pointer -fno-pic -fno-stack-protector -Wall -march=mips32 -DLOADADDR=0x80028000 -I../../include -c platio.c
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
make[1]: Leaving directory '/tmp/cilo/mach/c3600'
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-gcc -Ttext 0x80008000 -Wl,--omagic -nostartfiles -nostdlib -Wl,--discard-all -Wl,--strip-all --entry _start -march=mips32 string.o main.o ciloio.o printf.o elf_loader.o lzma_loader.o LzmaDecode.o mach/c3600/promlib.o mach/c3600/start.o mach/c3600/platio.o mach/c3600/platform.o -o ciscoload.elf
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
mipsel-openwrt-linux-musl-gcc: warning: environment variable 'STAGING_DIR' not defined
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-objcopy --strip-unneeded --alt-machine-code 0x34 ciscoload.elf ciscoload.bin
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-objcopy: this target does not support 52 alternative machine codes
/tmp/openwrt/staging_dir/toolchain-mipsel_24kc_gcc-13.3.0_musl/bin/mipsel-openwrt-linux-musl-objcopy: treating that number as an absolute e_machine value instead
chairman@compile-ubuntu:/tmp/cilo$ ls
COPYING      LzmaDecode.c  Makefile  TODO      ciloio.o       ciscoload.elf  elf_loader.c  elftool  lzma_loader.c  mach    main.o    printf.o  string.o
DEVELOPMENT  LzmaDecode.o  README    ciloio.c  ciscoload.bin  elf2mzip       elf_loader.o  include  lzma_loader.o  main.c  printf.c  string.c
chairman@compile-ubuntu:/tmp/cilo$ binwalk ciscoload.

General Error: Cannot open file ciscoload. (CWD: /tmp/cilo) : [Errno 2] No such file or directory: 'ciscoload.'

chairman@compile-ubuntu:/tmp/cilo$ binwalk ciscoload.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 32-bit LSB executable, Motorola Coldfire, version 1 (SYSV)
22128         0x5670          LZMA compressed data, properties: 0x5D, dictionary size: 0 bytes, missing uncompressed size

chairman@compile-ubuntu:/tmp/cilo$ 

1 Like

Cool.
I guess the next step is to see if the router will load the image.

On my side, I have been tinkering, learning how to use rommon, relearning ios ios and made some progress with my inventory of Cisco devices ( c1811, c1921, c1941 ) to get them accessible for testing, dumping boot logs, sh platform collecting the machine id's etc

I tried to boot with the image, but it failed, and it seems that in my build I ended up with too many program headers.

It's possible I broke the Makefile in my local tinkering as I was working on ways to remove so many manual edits and duplications for different architectures.

For reference, here is the boot attempt and error.
The sequence below is the process I used for booting over tftp, which may be useful to others.
Note the -r on tftpdnld -r which I didn't notice previously, allows for the loading direct to ram for execution rather than to a flash device.

Readonly ROMMON initialized
rommon 1 > IP_ADDRESS=192.168.1.26
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=192.168.1.1
rommon 4 > TFTP_SERVER=192.168.1.21
rommon 5 > TFTP_VERBOSE=2
rommon 6 > TFTP_FILE=ciscoload-c1811.bin
rommon 7 > tftpdnld -r

          IP_ADDRESS: 192.168.1.26
      IP_SUBNET_MASK: 255.255.255.0
     DEFAULT_GATEWAY: 192.168.1.1
         TFTP_SERVER: 192.168.1.21
           TFTP_FILE: ciscoload-c1811.bin
        TFTP_MACADDR: 00:21:a0:f7:be:ba
        TFTP_VERBOSE: Verbose
    TFTP_RETRY_COUNT: 18
        TFTP_TIMEOUT: 7200
       TFTP_CHECKSUM: Yes
             FE_PORT: 0
       FE_SPEED_MODE: Auto Detect

Performing tftpdnld over Fast Enet.
Initializing interface.
Interface link state up (100MB/FD).
ARPing for 192.168.1.21
ARP reply for 192.168.1.21 received.  MAC address 00:e0:1b:7c:70:2b
Receiving ciscoload-c1811.bin from 192.168.1.21 !!!!
File reception completed.
TFTP flash copy: Invalid file header, copy terminated.
         Reason: Wrong target platform OR corrupt file.

         Err Code 0x5

Using readelf -a I can see that the number of Program Headers is 5 as below


(base) edmaher@edmaher-wfh:~/dev-cilo/cilo/out$ readelf -a ciscoload-c1811.bin
ELF Header:
  Magic:   7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, big endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           <unknown>: 0x93
  Version:                           0x1
  Entry point address:               0x8000c3b8
  Start of program headers:          52 (bytes into file)
  Start of section headers:          21800 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         5
  Size of section headers:           40 (bytes)
  Number of section headers:         9
  Section header string table index: 8

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        80008000 000100 004790 00 WAX  0   0 16
  [ 2] .note.gnu.build-i NOTE            100000d4 0000d4 000024 00   A  0   0  4
  [ 3] .rodata           PROGBITS        8000c790 004890 000566 00   A  0   0  4
  [ 4] .eh_frame_hdr     PROGBITS        8000ccf8 004df8 000184 00   A  0   0  4
  [ 5] .eh_frame         PROGBITS        8000ce7c 004f7c 000514 00   A  0   0  4
  [ 6] .comment          PROGBITS        00000000 005490 00002b 01  MS  0   0  1
  [ 7] .gnu.attributes   GNU_ATTRIBUTES  00000000 0054bb 000010 00      0   0  1
  [ 8] .shstrtab         STRTAB          00000000 0054cb 00005d 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)

There are no section groups in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x0000d4 0x100000d4 0x100000d4 0x00024 0x00024 R   0x4
  LOAD           0x000100 0x80008000 0x80008000 0x05390 0x05390 RWE 0x10
  NOTE           0x0000d4 0x100000d4 0x100000d4 0x00024 0x00024 R   0x4
  GNU_EH_FRAME   0x004df8 0x8000ccf8 0x8000ccf8 0x00184 0x00184 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10

 Section to Segment mapping:
  Segment Sections...
   00     .note.gnu.build-id
   01     .text .rodata .eh_frame_hdr .eh_frame
   02     .note.gnu.build-id
   03     .eh_frame_hdr
   04

There is no dynamic section in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type <unknown>: 0x93 is not currently supported.

No version information found in this file.

Displaying notes found in: .note.gnu.build-id
  Owner                Data size        Description
  GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: cef73b4050f5424eb5b9bbefde83f1a2c4ee839e
Attribute Section: gnu
File Attributes
  Unknown GNU attribute:

(base) edmaher@edmaher-wfh:~/dev-cilo/cilo/out$ binwalk ciscoload-c1811.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 32-bit MSB executable, version 1 (SYSV)

How it should be

root@ds-iot1:/tftpboot# readelf -a c181x-advipservicesk9-mz.151-4.M1.bin
ELF Header:
  Magic:   7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, big endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           <unknown>: 0x93
  Version:                           0x1
  Entry point address:               0x80012000
  Start of program headers:          52 (bytes into file)
  Start of section headers:          84 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         1
  Size of section headers:           40 (bytes)
  Number of section headers:         8
  Section header string table index: 0

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0] <no-strings>      NULL            00000000 000000 000000 00      0   0  0
  [ 1] <no-strings>      PROGBITS        80012000 000194 005058 00 WAX  0   0  4
  [ 2] <no-strings>      PROGBITS        80017058 0051ec 001ce0 00   A  0   0  4
  [ 3] <no-strings>      PROGBITS        80018d38 006ecc 000904 00  WA  0   0  4
  [ 4] <no-strings>      PROGBITS        8001963c 0077d0 000014 00  WA  0   0  1
  [ 5] <no-strings>      PROGBITS        80019650 0077e4 0009b0 00  WA  0   0  4
  [ 6] <no-strings>      NOTE            81c2b8b8 1c19a4c 000034 00      0   0  4
  [ 7] <no-strings>      PROGBITS        8001a000 008194 1c118b8 00  WA  0   0  4
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  D (mbind), p (processor specific)

There are no section groups in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000194 0x80012000 0x80012000 0x1c198ee 0x1c43162 RWE 0x194

There is no dynamic section in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type <unknown>: 0x93 is not currently supported.

No version information found in this file.

Displaying notes found in: <no-strings>
  Owner                Data size        Description
  CISCO SYSTEMS        0x00000018       Unknown note type: (0xfeedbac0)
   description data: fa de fa d1 00 00 00 18 d0 2e b2 31 b6 70 73 a8 b6 1a 52 88 5f 5f 7f fb

Ok, I have investigated further, it appears that there a number of Program Headers added to the elf binary by the linker.
In the MIPS case, these seem to have been added in 2014
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=351cdf24d223290b15fa991e5052ec9e9bd1e284

I tried removing the underlying segments with objcopy, which itself works, but unfortunately the Program Headers remain present in the binary with zero length.

mips-linux-gnu-objcopy -v --strip-unneeded --remove-section .MIPS.abiflags --remove-section .note.gnu.build-id --remove-section .reginfo --remove-section .gnu.attributes ciscoload.elf ciscoload.bin
(base) edmaher@edmaher-wfh:~/dev-cilo/cilo$ readelf -a ciscoload.bin
ELF Header:
  Magic:   7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, big endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           MIPS R3000
  Version:                           0x1
  Entry point address:               0x8000c480
  Start of program headers:          52 (bytes into file)
  Start of section headers:          21588 (bytes into file)
  Flags:                             0x70001001, noreorder, o32, mips32r2
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         5
  Size of section headers:           40 (bytes)
  Number of section headers:         7
  Section header string table index: 6

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        80008000 0000e0 0047f0 00 WAX  0   0 16
  [ 2] .rodata           PROGBITS        8000c7f0 0048d0 000560 00   A  0   0 16
  [ 3] .comment          PROGBITS        00000000 004e30 000029 01  MS  0   0  1
  [ 4] .pdr              PROGBITS        00000000 004e5c 0005c0 00      0   0  4
  [ 5] .mdebug.abi32     PROGBITS        00000000 00541c 000000 00      0   0  1
  [ 6] .shstrtab         STRTAB          00000000 00541c 000035 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)

There are no section groups in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  ABIFLAGS       0x000000 0x004000d8 0x00000000 0x00000 0x00000 R   0x4
  REGINFO        0x000000 0x004000f0 0x00000000 0x00000 0x00000 R   0x4
  LOAD           0x0000d4 0x004000d8 0x00000000 0x00000 0x00000 R   0x4
  LOAD           0x0000e0 0x80008000 0x80008000 0x04d50 0x04d50 RWE 0x10
  NOTE           0x000000 0x00400108 0x00000000 0x00000 0x00000 R   0x4

 Section to Segment mapping:
  Segment Sections...
   00
   01
   02
   03     .text .rodata
   04

There is no dynamic section in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type MIPS R3000 is not currently supported.

No version information found in this file.

Still investigating to see if there is a simple way to supress the addition of these sections, or to remove them. One option seems to be a custom ld script.

Hey i hope you are doing fine.
I think i have messed up something, wasn't able to reproduce it, and my "successful" attempt was lacking the machine_id which was necessary due to some issue.
What do you think? I am currently doing some first attempts on getting u-boot compiled for the platform, i think it would be more suitable. It's also possible to get it compiled into a single-segment ELF. Maybe it's more appropriate to put our effort into this.

You can use a linker script like this one.

SECTIONS
{
  . = 0x10000;
  .text : { *(.text) }
  .data : { *(.data) }
  .bss : { *(.bss) }
}

Then something like this.
gcc -o output_file -Wl,-T,single_phdr.ld source_file.c

I missed these replies, and did some objcopy thing to try to remove the extra sections which was only 90% successful, and very messy, before finally cloning and modifying the default linker script.
I had to also add the unwanted sections to the "discard" section.
I simply cloned the default script because I don't fully understand everything it's doing yet.
I have pushed those changes to the branch in my fork.

Please try building the branch, as it should produce a viable result. Let me know some specifics about the issue or what local changes you are making.

I haven't looked at u-boot yet. it looks like there may be some benefits, but it is a lot more complex - but also with more useful capabilities like reading fat filesystems.

So, I think I will do some more basic work on cilo at this stage, try to fix it for powerpc, learn more things on the smaller codebase and see if I can use what I learn to look at u-boot.

I was also considering making a small platform detection utility - report cpu feature flags etc.

Sounds great, i will also take a look onto your code and platform.
U-boot the the single pane of glass regarding booting on embedded systems. OpenWrt also uses it for a lot of embedded devices.
But you are right, getting the CILO running is an important step in order to understand the underlying platform.
Where are you based? If it's in EU i can maybe send some routers to you as i have a lot of surplus of CIsco 2911 routers.

EDIT: Now i get the following after getting the correct e_machine code.

boot usbflash0:/ciscoload.bin
program load complete, entry point: 0x80903000, size: 0x4c4a0
loadprog: error - on load of image from file system with monlib
Image size (21904) does not match the expected size (21854)
boot: cannot load "usbflash0:/ciscoload.bin

I've added the elf2mzip part to a standalone git repo, we will need it, even if we go for u-boot.

I think we have to somehow check, how we can change the expected image size after running the linker, because i guess, the linker alters the file size.

1 Like

I had missed the mzip requirement. Currently trying to make progress with the powerpc elf image
I did, however, find this.

It's a devil to build in the current form, cmake is real pain to work with at times, but also the compile flags are out of date, but maybe some code can be recycled.

BTW: I am located in Australia, so shipping devices is likely quite pricey, not sure if it's necessary and there are a stack of old Cisco devices on ebay locally.

Ok, so I have reached the stage where I can execute a binary, and have it print a message to the console. This is useful because it proves that the image can be loaded, and code can be executed.

There were a number of bumps along the way,
I need to tidy the code somewhat and commit it to the branch.

The changes are only in the C1811 model specific code and build, but I learned a few things:

  1. The C1811 console UART registers are located at 0xFF704500, although the show platform says that's the aux UART
  2. The assembly code examples I found mostly had various discrepancies in register access - possibly different hardware
  3. There is no specific need for mzip as such at this stage - it is likely more important with larger images
Readonly ROMMON initialized
rommon 1 > IP_SUBNET_MASK=255.255.255.0
rommon 2 > IP_ADDRESS=192.168.1.26
rommon 3 > DEFAULT_GATEWAY=192.168.1.1
rommon 4 > TFTP_SERVER=192.168.1.21
rommon 5 > TFTP_FILE=ciscoload.bin
rommon 6 > TFTP_VERBOSE=2
rommon 7 > tftpdnld -r

          IP_ADDRESS: 192.168.1.26
      IP_SUBNET_MASK: 255.255.255.0
     DEFAULT_GATEWAY: 192.168.1.1
         TFTP_SERVER: 192.168.1.21
           TFTP_FILE: ciscoload.bin
        TFTP_MACADDR: 00:21:a0:f7:be:ba
        TFTP_VERBOSE: Verbose
    TFTP_RETRY_COUNT: 18
        TFTP_TIMEOUT: 7200
       TFTP_CHECKSUM: Yes
             FE_PORT: 0
       FE_SPEED_MODE: Auto Detect

Performing tftpdnld over Fast Enet.
Initializing interface.
Interface link state up (100MB/FD).
ARPing for 192.168.1.21
ARP reply for 192.168.1.21 received.  MAC address 00:e0:1b:7c:70:2b
Receiving ciscoload.bin from 192.168.1.21 !!!!
File reception completed.
Validating checksum.
Unable to locate checksum in image -- Skipping checksum test.

loading image ciscoload.bin
program load complete, entry point: 0x800163e8, size: 0x4da6
CILO Starting...

1 Like

Ok, so my progress is slowing. the goal was to find the Flash region and understand the silicon better, the various CCSR registers and subsystems.
I have deduced a lot of things about the SoC, despite the specific model not having public documentation - mostly by reconciling a similar PowerQUICC SoC documentation with the output of show platform and identification of on-board silicon.
I have been able to map some of the memory and devices out. It seems the PCI bus is used to service the USB controller - also usbflash filesystem appears to not be accessible in ROMMON in the 1811. I suspect this is because of the extra work or codebase size to implement PCI and EHCI logic is too much for ROMMON. Also why I am not keen to go that way in CILO - although the approach may work.
The on-chip ethernet could perhaps be useable, but again a lot of work.
I also have a decent understanding of the other silicon, but in many cases, I cannot be sure how the devices interface. an example is the Marvell switch which has an MDIO interface - no such interface is obvious on the SoC, I suspect it may use the SPI bus. The RTC is highly likely to use I2C as this native interface is available on both.
None of the large major chips, Marvell Switch, EHCI controller or onboard Flash appear to support JTAG - which is annoying as these have accessible pins which would have allowed me confirm 2 pins on the edge connector.

The issues are predominantly around access to the CF card flash.
I have deduced from the bootloader messages that the CF card is accessed via the Local bus using the on chip "UPM" module, however, the entire card space is not mapped, region is too small, suggesting it is paged in some way. I wrote some hex dump code in CILO to examine memory regions, although this approach is inconclusive - the contents does change when the flash is present or absent, I cannot see the filesystem or pattern I filled the card with.

I am considering:

  1. Dumping the TLB to console to find more memory regions and boundaries to explore
  2. Extracting the ROMMON/Onboard flash via the console to examine with other tools to see if I can deduce how ROMMON accesses the CF flash
  3. Formalise decode of the Control registers in code rather than pen and paper - remove error and make it reusable for other PowerQUICC platforms.

Ongoing work is to consolidate the information I have learned so far, the memory map, and tidy the memory dump code for CILO.

I am then looking to change direction and look at the MIPS routers I have - the 1921 and 1941

Wow! To be honest, thats really impressive!
Unfortunately i dont have that much knowledge doing this stuff.
Regarding the MIPS platform, i also have a Cisco 1921 router, it may be interesting developing for the same platform.
Regarding MIPS, do you think the Dynamips source code might be useful? Which is used to emulate a Cisco MIPS enviroment to run IOS images in GNS3.

What might be interesting, a lot of MIPS platforms are already implemented in u-boot, including MIPS Octeon III (Cisco 1900 and Cisco 2900 series.)

Hi,
I read the TLB entries successfully ( below )
The CF card remains tricky, but I am slowly understanding more about why.
Essentially there are several modes that can be used to access CF cards, and these seem to have memory mapped registers. One such mode is called "TrueIDE" which behaves exactly like an IDE drive, which is also surprisingly simple.
I believe the region used for the CF card interface is actually a bunch of memory-mapped registers, thus it's necessary to write to one or more of these locations to trigger a read, then read another location.

In theory, it's quite simple, in practice, it's complicated by not knowing what is going on. The size of the configured/mapped region may indicate one of the modes.

I also found the Freescale/PowerQUICC application note for CF interfacing, although I feel I am missing some understanding of how to access the device one it's configured.

Also some CF card information - there are many similar..

In any case, I think it's now a matter of getting all the jigsaw pieces to fit together.

On the subject of MIPS, I think both the 1921 and Dynamips platforms are probably a good idea. The Dynamips project seems to have a data/configuration mechanism for each hardware device - I expect that has the key information on the location of the key devices in the memory map.
I think the u-boot work will still need to be informed as to the basic location and form of the devices. Most of the hardware is somewhat pre PnP, where we need to know in advance the device type and an address in order to configure a driver. The show platform is sometimes useful - in the case of the 2911 dump above, it doesn't indicate many memory map addresses - perhaps the platform works a little differently ?

I'll have a look at the MIPS devices soon, just t
have the CF card itch to scratch

Reading TLB configs
MMUCFG: npids:3 pidsz:3 nent:1
TLB0: assoc:2 minsz:1 maxsz:1 iprot:0 nentry:256
Dumping TLB0, 256 entries
entry:0x000(000) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xE0000000 flags:0x0A rpn:0xE0000000 ua:0x00 perms:0x0F EQUAL mas0_hi:0x00000000 mas2_hi:0x00000000
entry:0x010(016) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xE0010000 flags:0x0A rpn:0xE0010000 ua:0x00 perms:0x0F EQUAL mas0_hi:0x00000000 mas2_hi:0x00010000
entry:0x020(032) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xE0020000 flags:0x0A rpn:0xE0020000 ua:0x00 perms:0x0F EQUAL mas0_hi:0x00000000 mas2_hi:0x00020000
entry:0x030(048) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xE0030000 flags:0x0A rpn:0xE0030000 ua:0x00 perms:0x0F EQUAL mas0_hi:0x00000000 mas2_hi:0x00030000
entry:0x031(049) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xE0031000 flags:0x0A rpn:0xE0031000 ua:0x00 perms:0x0F EQUAL mas0_hi:0x00000000 mas2_hi:0x00031000
entry:0x040(064) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xE0040000 flags:0x0A rpn:0xE0040000 ua:0x00 perms:0x0F EQUAL mas0_hi:0x00000000 mas2_hi:0x00040000
entry:0x050(080) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xE0050000 flags:0x0A rpn:0xE0050000 ua:0x00 perms:0x0F EQUAL mas0_hi:0x00000000 mas2_hi:0x00050000
entry:0x060(096) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xE0060000 flags:0x0A rpn:0xE0060000 ua:0x00 perms:0x0F EQUAL mas0_hi:0x00000000 mas2_hi:0x00060000
entry:0x070(112) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0070000 flags:0x04 rpn:0x00000000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00000000 mas2_hi:0x00070000
entry:0x071(113) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0071000 flags:0x04 rpn:0x00001000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00000000 mas2_hi:0x00071000
entry:0x079(121) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0079000 flags:0x0C rpn:0x00009000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00000000 mas2_hi:0x00079000
entry:0x080(128) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0080000 flags:0x04 rpn:0xFFFE0000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00000000
entry:0x081(129) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0081000 flags:0x04 rpn:0xFFFE1000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00001000
entry:0x082(130) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0082000 flags:0x04 rpn:0xFFFE2000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00002000
entry:0x083(131) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0083000 flags:0x04 rpn:0xFFFE3000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00003000
entry:0x084(132) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0084000 flags:0x04 rpn:0xFFFE4000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00004000
entry:0x085(133) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0085000 flags:0x04 rpn:0xFFFE5000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00005000
entry:0x086(134) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0086000 flags:0x04 rpn:0xFFFE6000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00006000
entry:0x087(135) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0087000 flags:0x04 rpn:0xFFFE7000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00007000
entry:0x088(136) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0088000 flags:0x04 rpn:0xFFFE8000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00008000
entry:0x089(137) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0089000 flags:0x04 rpn:0xFFFE9000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00009000
entry:0x08A(138) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF008A000 flags:0x04 rpn:0xFFFEA000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x0000A000
entry:0x08B(139) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF008B000 flags:0x04 rpn:0xFFFEB000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x0000B000
entry:0x08C(140) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF008C000 flags:0x04 rpn:0xFFFEC000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x0000C000
entry:0x08D(141) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF008D000 flags:0x04 rpn:0xFFFED000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x0000D000
entry:0x08E(142) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF008E000 flags:0x04 rpn:0xFFFEE000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x0000E000
entry:0x08F(143) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF008F000 flags:0x04 rpn:0xFFFEF000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x0000F000
entry:0x090(144) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0090000 flags:0x04 rpn:0xFFFF0000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00010000
entry:0x091(145) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0091000 flags:0x04 rpn:0xFFFF1000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00011000
entry:0x092(146) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0092000 flags:0x04 rpn:0xFFFF2000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00012000
entry:0x093(147) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0093000 flags:0x04 rpn:0xFFFF3000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00013000
entry:0x094(148) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0094000 flags:0x04 rpn:0xFFFF4000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00014000
entry:0x095(149) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0095000 flags:0x04 rpn:0xFFFF5000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00015000
entry:0x096(150) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0096000 flags:0x04 rpn:0xFFFF6000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00016000
entry:0x097(151) vld:1 iprot:0 tid:0 ts:0 tize:1 epn:0xF0097000 flags:0x04 rpn:0xFFFF7000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00017000
entry:0x0F0(240) vld:1 iprot:0 tid:0 ts:1 tize:1 epn:0xF0070000 flags:0x04 rpn:0x00000000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00070000
entry:0x0F1(241) vld:1 iprot:0 tid:0 ts:1 tize:1 epn:0xF0071000 flags:0x04 rpn:0x00001000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00071000
entry:0x0F9(249) vld:1 iprot:0 tid:0 ts:1 tize:1 epn:0xF0079000 flags:0x0C rpn:0x00009000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x00010000 mas2_hi:0x00079000
Dumping TLB1, 16 entries
entry:0x000(000) vld:1 iprot:1 tid:0 ts:0 tize:6 epn:0xFFC00000 flags:0x0A rpn:0xFFC00000 ua:0x00 perms:0x3F EQUAL mas0_hi:0x10000000 mas2_hi:0x00000000
entry:0x001(001) vld:1 iprot:1 tid:0 ts:1 tize:6 epn:0xFFC00000 flags:0x16 rpn:0xFFC00000 ua:0x00 perms:0x33 EQUAL mas0_hi:0x10010000 mas2_hi:0x00000000
entry:0x002(002) vld:1 iprot:1 tid:0 ts:0 tize:5 epn:0xFF700000 flags:0x0A rpn:0xFF700000 ua:0x00 perms:0x3F EQUAL mas0_hi:0x10020000 mas2_hi:0x00000000
entry:0x003(003) vld:1 iprot:1 tid:0 ts:1 tize:9 epn:0x80000000 flags:0x04 rpn:0x00000000 ua:0x00 perms:0x33 RELOCATED mas0_hi:0x10030000 mas2_hi:0x00000000
entry:0x004(004) vld:1 iprot:1 tid:0 ts:0 tize:9 epn:0x80000000 flags:0x04 rpn:0x00000000 ua:0x00 perms:0x3F RELOCATED mas0_hi:0x10040000 mas2_hi:0x00000000

Hey, how are you doing?
I will try to find out as much as possible. What exactly do you need?
That's for the 2911, does it help you in some way?

___________________ 
Digitally Signed Release Software 
program load complete, entry point: 0x81000000, size: 0x695fb18
Stack pointer       : 0x8EFFFF80
monstack            : 0x80FFFFC0
monra               : 0x80410474
edata : 0x8101B780
start : 0x8101B780
magic : 0xFEEDFACE
memsize             : 0x0F000000
uncomp_size         : 0x0D8FCFA8
comp_size           : 0x06944384
STACK_BYTES         : 0x00008000
COPY_CODE_BUF       : 0x00000800
_end                : 0x81047480
comp_checksum       : 0x604469BA
comp_checksum       : 0x604469BA
uncomp_checksum     : 0x172D556D
Self decompressing the image
Source elf_hdr->e_shnum = 0x0000000D
Setting up to copy ELF section 0x00000001
 to image_info section 0x00000001
 sh_name = 0x0000000B
 sh_type = 0x00000001
 sh_flags = 0x00000007
 sh_addr = 0x30000000
 sh_offset = 0x00001000
 sh_size = 0x07464000
 sh_link = 0x00000000
 sh_info = 0x00000000
 sh_addralign = 0x00002000
 sh_entsize = 0x00000000
Setting up to copy ELF section 0x00000002
 to image_info section 0x00000002
 sh_name = 0x00000011
 sh_type = 0x00000001
 sh_flags = 0x00000002
 sh_addr = 0x37464000
 sh_offset = 0x07465000
 sh_size = 0x02B87000
 sh_link = 0x00000000
 sh_info = 0x00000000
 sh_addralign = 0x00000008
 sh_entsize = 0x00000000
Setting up to copy ELF section 0x00000003
 to image_info section 0x00000003
 sh_name = 0x00000019
 sh_type = 0x00000001
 sh_flags = 0x00000002
 sh_addr = 0x39FEB000
 sh_offset = 0x09FEC000
 sh_size = 0x00000064
 sh_link = 0x00000000
 sh_info = 0x00000000
 sh_addralign = 0x00000004
 sh_entsize = 0x00000000
Setting up to copy ELF section 0x00000004
 to image_info section 0x00000004
 sh_name = 0x00000023
 sh_type = 0x00000001
 sh_flags = 0x00000002
 sh_addr = 0x39FEB064
 sh_offset = 0x09FEC064
 sh_size = 0x01BAEF9C
 sh_link = 0x00000000
 sh_info = 0x00000000
 sh_addralign = 0x00000004
 sh_entsize = 0x00000000
Setting up to copy ELF section 0x00000005
 to image_info section 0x00000005
 sh_name = 0x0000002D
 sh_type = 0x00000001
 sh_flags = 0x00000003
 sh_addr = 0x3BB9A000
 sh_offset = 0x0BB9B000
 sh_size = 0x011E24A0
 sh_link = 0x00000000
 sh_info = 0x00000000
 sh_addralign = 0x00000080
 sh_entsize = 0x00000000
Setting up to copy ELF section 0x00000006
 to image_info section 0x00000006
 sh_name = 0x00000033
 sh_type = 0x00000001
 sh_flags = 0x00000003
 sh_addr = 0x3CD7C4A0
 sh_offset = 0x0CD7D4A0
 sh_size = 0x00000020
 sh_link = 0x00000000
 sh_info = 0x00000000
 sh_addralign = 0x00000001
 sh_entsize = 0x00000000
Setting up to copy ELF section 0x00000007
 to image_info section 0x00000007
 sh_name = 0x0000003A
 sh_type = 0x00000001
 sh_flags = 0x10000003
 sh_addr = 0x3CD7C4C0
 sh_offset = 0x0CD7D4C0
 sh_size = 0x00000BA0
 sh_link = 0x00000000
 sh_info = 0x00000000
 sh_addralign = 0x00000010
 sh_entsize = 0x00000000
Setting up to copy ELF section 0x00000008
 to image_info section 0x00000008
 sh_name = 0x00000041
 sh_type = 0x00000001
 sh_flags = 0x10000003
 sh_addr = 0x3CD7D060
 sh_offset = 0x0CD7E060
 sh_size = 0x0000A320
 sh_link = 0x00000000
 sh_info = 0x00000000
 sh_addralign = 0x00000008
 sh_entsize = 0x00000000
cpu type                   : 0x00000042
uncomp_size                : 0x0D8FCFA8
monstack                   : 0x80FFFFC0

image_info.entry_point   = 0x30008F00
image_info.section_count = 0x00000009
image_info.monstack      = 0x80FFFFC0
image_info.monra         = 0x80410474
image_info.param0        = 0x00000002
image_info.param1        = 0x00000000
image_info.param2        = 0x80B0F770
image_info.param3        = 0x81000000
Section Index = 0x00000000
    source    = 0x00000000
    dest      = 0x00000000
    bytes     = 0x00000000
Section Index = 0x00000001
    source    = 0x81048580
    dest      = 0x30008F00
    bytes     = 0x07464000
Section Index = 0x00000002
    source    = 0x884AC580
    dest      = 0x3746CF00
    bytes     = 0x02B87000
Section Index = 0x00000003
    source    = 0x8B033580
    dest      = 0x39FF3F00
    bytes     = 0x00000064
Section Index = 0x00000004
    source    = 0x8B0335E4
    dest      = 0x39FF3F64
    bytes     = 0x01BAEF9C
Section Index = 0x00000005
    source    = 0x8CBE2580
    dest      = 0x3BBA2F00
    bytes     = 0x011E24A0
Section Index = 0x00000006
    source    = 0x8DDC4A20
    dest      = 0x3CD853A0
    bytes     = 0x00000020
Section Index = 0x00000007
    source    = 0x8DDC4A40
    dest      = 0x3CD853C0
    bytes     = 0x00000BA0
Section Index = 0x00000008
    source    = 0x8DDC55E0
    dest      = 0x3CD85F60
    bytes     = 0x0000A320

Smart Init is enabled
smart init is sizing iomem
                 TYPE      MEMORY_REQ
          HWIC Slot 0      0x00200000
          HWIC Slot 1      0x00200000
          HWIC Slot 2      0x00200000
    Onboard devices &
         buffer pools      0x0228F000 
-----------------------------------------------
               TOTAL:      0x0288F000

Rounded IOMEM up to: 44MB.
Using 8 percent iomem. [44MB/512MB]
Initializing DRAM
Clearing DRAM 1st 16MB..... done
Performing the Memory POST Test
Testing memory - L2 data cache ECC
Testing memory - L2 instruction cache ECC
Testing memory - ECC DDR memory
Memory POST Test Success


Memory tests are from 0x80403000 to 0x80503000
Testing memory - all 0xffffffff
Testing memory - data equals address
Testing memory - checkerboard
Testing memory - inverse checkerboard
Testing memory - all 0x00000000
Memory test complete -- PASS
Relocating the code to DRAM
Continue initializing the platform
Clearing the rest of 1st 256MB (240MB).....
Clearing next 256MB of On-board DRAM

Memory tests are from 0x80000000 to 0x80403000
Testing memory - all 0xffffffff
Testing memory - data equals address
Testing memory - checkerboard
Testing memory - inverse checkerboard
Testing memory - all 0x00000000
Memory test complete -- PASS

Memory tests are from 0x80803000 to 0x80B03000
Testing memory - all 0xffffffff
Testing memory - data equals address
Testing memory - checkerboard
Testing memory - inverse checkerboard
Testing memory - all 0x00000000
Memory test complete -- PASS

Memory tests are from 0x80B23F38 to 0x81000000
Testing memory - all 0xffffffff
Testing memory - data equals address
Testing memory - checkerboard
Testing memory - inverse checkerboard
Testing memory - all 0x00000000
Memory test complete -- PASS
Retrieve board id 4

------------------------------------------
Current Memory configuration is: 
On-board: Size =  512 MB: Start Phy Addr = 0x00000000_00000000
-------------------------------------------------
Main memory size: 512 MB in 72/-1(On-board/DIMM0) bit mode.
Available main memory starts at 0x81000000, size 507904KB
Smart Init is enabled.
NVRAM size: 256KB

Manufacturer's JEDEC ID code:
On-board: 

Did you try show memory summary already?

I think all the show platform commands might be useful.

Btw., how do you get rid of the GNU_STACK header?

I am currently in the process of creating a device tree for the Cisco 2900 platform (MIPS Octeon R4700)

That's the current state of my u-boot include/configs/cisco_2911.h

#ifndef __CONFIG_CISCO_2911_H
#define __CONFIG_CISCO_2911_H
#define CONFIG_SYS_SDRAM_BASE       0x21000000  /* Base address of DRAM */
#define CONFIG_SYS_SDRAM_SIZE       0x0C400000  /* Size of DRAM */
#define CONFIG_SYS_INIT_SP_ADDR     (CONFIG_SYS_SDRAM_BASE + 0x20000) /* Initial stack pointer */

#define CONFIG_SYS_TEXT_BASE        0x81000000  /* Base address where U-Boot is loaded */
#define CONFIG_SYS_LOAD_ADDR        0x82000000  /* Default load address for the kernel */
#define CONFIG_SYS_MALLOC_LEN       (32 * 1024 * 1024)  /* Memory allocated for malloc */
#define CONFIG_SYS_BOOTM_LEN        (64 * 1024 * 1024)  /* Memory allocated for bootm */

#define CONFIG_SYS_MONITOR_LEN      (256 * 1024)  /* Size of U-Boot monitor */

#define CONFIG_SYS_BAUDRATE_TABLE   { 115200, 230400, 460800, 921600 }

#define CONFIG_CMD_NET              /* Enable networking commands, if needed */
#define CONFIG_CMD_BOOTM            /* Enable bootm command for booting the kernel */
#define CONFIG_CMD_DHCP             /* Enable DHCP for network booting */

#define CONFIG_SYS_CONSOLE_INFO_QUIET  /* Suppress console info output */
#define CONFIG_SYS_CONSOLE_IS_IN_ENV    /* Console settings from environment */
#define CONFIG_SYS_DEVICE_NULLDEV       /* Disable some unnecessary devices */

/* Environment settings */
#define CONFIG_ENV_SIZE             (8 * 1024)  /* Environment size */
#define CONFIG_ENV_OFFSET           (0x100000)  /* Offset of environment in flash */

/* Miscellaneous */
#define CONFIG_BOOTDELAY            3  /* Boot delay in seconds */
#define CONFIG_BOOTCOMMAND          "bootm 0x82000000"  /* Default boot command */


#endif /* __CONFIG_CISCO_2911_H */

And my device tree.

/dts-v1/;

/ {
    #address-cells = <1>;
    #size-cells = <1>;
    compatible = "cisco,2911-router";
    model = "Cisco 2911";

    memory {
        device_type = "memory";
        reg = <0x21000000 0x0C400000>, // Main Memory 1: 196 MB
              <0x30000000 0x10000000>; // Main Memory 2: 256 MB
    };

    iomem@D400000 {
        compatible = "cisco,iomem";
        reg = <0x0D400000 0x02C00000>; // 44 MB IOMEM
    };

    rommon@20000000 {
        compatible = "cisco,rommon";
        reg = <0x20000000 0x01000000>; // 16 MB ROMMON
    };

    flash@0 {
        compatible = "cisco,ata-flash";
        reg = <0x80000000 0x0F400000>; // 250880K Bytes ATA CompactFlash
    };

    usbflash@0 {
        compatible = "cisco,usb-flash";
        reg = <0x81000000 0x9A200000>; // 2572272K Bytes USB Flash
    };

    nvram@0 {
        compatible = "cisco,nvram";
        reg = <0x82000000 0x0003FC00>; // 255K Bytes NVRAM
    };

    ethernet@0 {
        compatible = "cisco,ethernet";
        reg = <0x83000000 0x01000000>; // Ethernet Controller
        status = "okay";
    };

    gigabit-ethernet@0 {
        compatible = "cisco,sgmii";
        reg = <0x84000000 0x01000000>; // Start address for GigabitEthernet0/0
        mac-address = [fc 99 47 3b 30 18];
        phy-addr = <1>;
        status = "okay";
    };

    gigabit-ethernet@1 {
        compatible = "cisco,sgmii";
        reg = <0x85000000 0x01000000>; // Start address for GigabitEthernet0/1
        mac-address = [fc 99 47 3b 30 19];
        phy-addr = <2>;
        status = "okay";
    };

    gigabit-ethernet@2 {
        compatible = "cisco,sgmii";
        reg = <0x86000000 0x01000000>; // Start address for GigabitEthernet0/2
        mac-address = [fc 99 47 3b 30 1a];
        phy-addr = <3>;
        status = "okay";
    };

    dsl@0 {
        compatible = "cisco,ehwic-va-dsl-a";
        reg = <0x87000000 0x00100000>; // EHWIC-VA-DSL-A
        status = "okay";
    };

    serial@1 {
        compatible = "cisco,hwic-1t";
        reg = <0x88000000 0x00100000>; // HWIC-1T
        status = "okay";
    };

    bri@2 {
        compatible = "cisco,wic-1b-s/t-v3";
        reg = <0x89000000 0x00100000>; // WIC-1B-S/T-V3
        status = "okay";
    };

    power-supply@0 {
        compatible = "cisco,pwr-2911-poe";
        reg = <0x8A000000 0x00100000>; // Power Supply
        status = "okay";
    };

    soc {
        #address-cells = <1>;
        #size-cells = <1>;
        compatible = "simple-bus";
        ranges;

        uart@10000300 {
            compatible = "ns16550a";
            reg = <0x10000300 0x100>; // UART controller
            clock-frequency = <50000000>;
            interrupts = <2>;
        };

        timer@10000100 {
            compatible = "mips,r4700-timer";
            reg = <0x10000100 0x100>; // Timer
        };

        hsib@0 {
            compatible = "cisco,hsib";
            reg = <0x10FF0000 0x00008000>; // HSIB controller node 0
        };

        hsib@1 {
            compatible = "cisco,hsib";
            reg = <0x10FF1000 0x00008000>; // HSIB controller node 1
        };

        hsib@2 {
            compatible = "cisco,hsib";
            reg = <0x10FF2000 0x00008000>; // HSIB controller node 2
        };

        hsib@3 {
            compatible = "cisco,hsib";
            reg = <0x10FF3000 0x00008000>; // HSIB controller node 3
        };

        hsib@4 {
            compatible = "cisco,hsib";
            reg = <0x10FF4000 0x00008000>; // HSIB controller node 4
        };

        hsib@5 {
            compatible = "cisco,hsib";
            reg = <0x10FF5000 0x00008000>; // HSIB controller node 5
        };

        hsib@6 {
            compatible = "cisco,hsib";
            reg = <0x10FF6000 0x00008000>; // HSIB controller node 6
        };

        hsib@7 {
            compatible = "cisco,hsib";
            reg = <0x10FF7000 0x00008000>; // HSIB controller node 7
        };

        hwic@0 {
            compatible = "cisco,hwic";
            reg = <0x10FE0000 0x00004000>; // HWIC controller 0
        };

        hwic@1 {
            compatible = "cisco,hwic";
            reg = <0x10FE4000 0x00004000>; // HWIC controller 1
        };

        hwic@2 {
            compatible = "cisco,hwic";
            reg = <0x10FE8000 0x00004000>; // HWIC controller 2
        };

        hwic@3 {
            compatible = "cisco,hwic";
            reg = <0x10FEC000 0x00004000>; // HWIC controller 3
        };

        i2c@0 {
            compatible = "cisco,i2c";
            reg = <0x10910000 0x00010000>; // I2C controller 0
        };

        i2c@1 {
            compatible = "cisco,i2c";
            reg = <0x10920000 0x00010000>; // I2C controller 1
        };

        i2c@2 {
            compatible = "cisco,i2c";
            reg = <0x10930000 0x00010000>; // I2C controller 2
        };

        i2c@3 {
            compatible = "cisco,i2c";
            reg = <0x10940000 0x00010000>; // I2C controller 3
        };

        i2c@4 {
            compatible = "cisco,i2c";
            reg = <0x10950000 0x00010000>; // I2C controller 4
        };

        tdm@0 {
            compatible = "cisco,tdm";
            reg = <0x108A0000 0x00100000>; // TDM controller
        };
    };
};

Board init.

#include <common.h>
#include <init.h>
#include <asm/io.h>
#include <asm/arch/gpio.h>
#include <asm/arch/clock.h>
#include <asm/arch/eth.h>
#include <net.h>

DECLARE_GLOBAL_DATA_PTR;

/* DRAM initialization is often unnecessary if ROMMON has done it */
int dram_init(void)
{
    gd->ram_size = get_ram_size((long *)CONFIG_SYS_SDRAM_BASE, CONFIG_SYS_SDRAM_SIZE);
    return 0;
}

/* Board-specific initialization for U-Boot */
int board_init(void)
{
    /* Ensure console is ready */
    serial_initialize();

    /* Set up Ethernet for network booting, if needed */
    eth_initialize();

    return 0;
}

/* Late initialization tasks */
int board_late_init(void)
{
    /* Check boot source and prepare for OS boot */
    boot_source_init();

    /* Handle environment setup */
    env_relocate();

    return 0;
}

/* Handle reset requests */
void reset_cpu(ulong addr)
{
    /* Implement reset logic, if necessary */
}