I am new to JTAG and can't seem to get the arguments right for setting up a flash bank in order to write a CFE to a Macronix MX25L6405D. My current configuration results in OpenOCD giving an error:
Could not probe bank: no QRY
Error: auto_probe failed
As a learning project I am working on a bricked Linksys WRT320N which has a BCM4717 SoC. I am pretty sure a while back I botched a flash command in CFE and overwrote it, so the device has a blinking power light, no output on serial and no ping response.
I am using OpenOCD because it seems to be the only JTAG tool with support for getting the SoC out of LV mode and into EJTAG. I am using a Raspberry Pi 4's GPIO as the interface, configured as follows:
$ cat ./rpi4.cfg
adapter driver bcm2835gpio
bcm2835gpio peripheral_base 0xFE000000
bcm2835gpio speed_coeffs 236181 60
bcm2835gpio jtag_nums 11 25 10 9
transport select jtag
jtag_rclk 1000
I am running OpenOCD using this config and the included target config for bcm4718 (which seems to get the SoC out of LV mode):
$ sudo openocd -f ./rpi4.cfg -f target/bcm4718.cfg
Open On-Chip Debugger 0.11.0+dev-00331-g53556fcde-dirty (2021-08-14-22:28)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
RCLK - adaptive
Forcing reset_config to none to prevent OpenOCD from pulling SRST after the switch from LV is already performed
switch_lv_to_ejtag
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : RCLK (adaptive clock speed) not supported - fallback to 1000 kHz
Info : JTAG tap: bcm4718-lv.tap tap/device found: 0x0008c17f (mfg: 0x0bf (Broadcom), part: 0x008c, ver: 0x0)
Info : JTAG tap: bcm4718-lv.tap disabled
Info : JTAG tap: bcm4718.cpu enabled
Info : starting gdb server for bcm4718.cpu on 3333
Info : Listening on port 3333 for gdb connections
With this setup the SoC seems to be responding as expected:
$ telnet localhost 4444
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
MIPS32 with MIPS16 support implemented
target halted in MIPS32 mode due to debug-request, pc: 0xbfc00380
> reset init
JTAG tap: bcm4718-lv.tap tap/device found: 0x0008c17f (mfg: 0x0bf (Broadcom), part: 0x008c, ver: 0x0)
JTAG tap: bcm4718-lv.tap disabled
JTAG tap: bcm4718.cpu enabled
target halted in MIPS32 mode due to debug-request, pc: 0xbfc00380
> scan_chain
   TapName             Enabled  IdCode     Expected   IrLen IrCap IrMask
-- ------------------- -------- ---------- ---------- ----- ----- ------
 0 bcm4718-lv.tap         n     0x0008c17f 0x1471617f    32 0x01  0x1f
                                           0x0008c17f
 1 bcm4718.cpu            Y     0x00000000 0x0008c17f     5 0x01  0x1f
At this point I realize a "flash bank" is needed to allow me to write the flash using routines provided in the tools/firmware-recovery.tcl file. I am modeling it on board/asus-rt-n16.cfg (a model which uses bcm4718 and also has a Macronix flash), which contains:
# External 32MB NOR Flash (Macronix MX29GL256EHTI2I-90Q)
set _FLASHNAME $_CHIPNAME.flash
flash bank $_FLASHNAME cfi 0xbc000000 0x02000000 1 1 $_TARGETNAME x16_as_x8
I corrected the flash size to 8 MB and created wrt320n.cfg:
set partition_list {
CFE { Bootloader 0xbc000000 0x00040000 }
}
source [find target/bcm4718.cfg]
set _FLASHNAME $_CHIPNAME.flash
flash bank $_FLASHNAME cfi 0xbc000000 0x00800000 1 1 $_TARGETNAME x16_as_x8
When using that config with firmware-recovery.tcl, "dump_part" seems to work. The error occurs using "flash_part" and "flash info". Here is what it looks like:
> flash banks
#0 : bcm4718.flash (cfi) at 0xbc000000, size 0x00800000, buswidth 1, chipwidth 1
> flash info bcm4718.flash
Flash Manufacturer/Device: 0x0033 0x0030
Could not probe bank: no QRY
Try workaround w/0x555 instead of 0x55 to get QRY.
Could not probe bank: no QRY
auto_probe failed
>
So something with the configuration in "flash bank" is incorrect. I have tried removing the "x16_as_x8" driver option, with the same results.
I am pretty stumped. If anyone has any pointers to help me out I would appreciate hearing them, thanks!