not-so-mini tut
first off
we all know you might break your device doing this so take the usual warnings and precautions and don't blame me if something goes wrong
You will need a computer running linux. Redhat is recommended but i use debian personally, with the rpm package installed.
a tftp server
a soldering iron
25 pin d sub male connector (that's the printer one)
4 100ohm resistors (brown black brown)
some sort of serial level shifter, you could use a max232 or a pl2303, google for them, you will need one. -Tip- i use a pl2303 from an old mobile phone datacable.
tjtag - http://www.tiaowiki.com/download//file.php?id=24
refer to ali1234's pic here, https://forum.openwrt.org/viewtopic.php … 35#p105535
you only need to bridge r91 and r98 for the serial (bottom pic)
it's up to you if you want to make some sort of header like ali did (top pic). it is better because you can just unplug it and use it again later.
use the diagram posted by alromh87 here, https://forum.openwrt.org/viewtopic.php … 82#p101182 to build your jtag cable, keep it shorter than about 6 inches
don't worry about the 5th resistor to the serial port.
the parallel port is pictured as if you're looking into the pc printer port and the jtag one like looking at the chip side of the board with the ethernet connectors at the bottom, like ali's pic.
connect the level shifter between the pc and router's serial port
cd to wherever tjtag lives
plug in your jtag cable.
test it
tjtag -probeonly /fc:85
did it say:
Failed to open /dev/parport0: No such file or directory?
do this:
rmmod lp
modprobe parport
mknod /dev/parport0 c 99 0 -m 666
while you're at it, if you have the pl2303
modprobe pl2303
mknod /dev/ttyUSB0 c 188 0 -m 666
test again,
tjtag -probeonly /fc:85
should say,
==============================================
EJTAG Debrick Utility v3.0.1 Tornado-MOD
==============================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000110001100111000000101111111 (0633817F)
*** Found a Broadcom BCM6338 Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Manual Flash Selection ... Done
Flash Vendor ID: 00000000000000000000000101111110 (0000017E)
Flash Device ID: 00000000000000000001101000000000 (00001A00)
*** Manually Selected a Spansion S29GL032M BotB (4MB) Flash Chip ***
- Flash Chip Window Start .... : 1fc00000
- Flash Chip Window Length ... : 00400000
- Selected Area Start ........ : 00000000
- Selected Area Length ....... : 00000000
*** REQUESTED OPERATION IS COMPLETE ***
crack open your favourite terminal emulator - speed 9600 and have a last look at what you can't do with thomsonware
(you have to reboot your router as the jtag command will have frozen it)
get the source -
ftp://ftp.dlink.ru/pub/ADSL/GPL_source_ … ase.tar.gz
untar it in /opt you should get 3 files:
bcm963xx_3.12L.01_consumer.tar.gz
bcm963xx_uclibc_crosstools_3.4.2_0.9.27.tar.gz
consumer_install
if you don't have Redhat linux you might need to change the line in consumer_install that says
rpm -ivh --force uclibc-crosstools*.rpm
to
rpm -ivh --nodeps uclibc-crosstools*.rpm
now run ./consumer_install
do the obvious
you should get in /opt, two directories -
toolchains - this is the cross compiler, tools and libraries, you shouldn't need to touch this
bcm963xx_router - this is the source for the firmware - you can change pretty much everything in here apart from broadcom's proprietary stuff
so,
cd /opt/bcm963xx_router
to build a straight firmware type,
make PROFILE=96338GWS
This might take a while so, in the meantime,
open another terminal
cd to tjtag
you really want to be making a backup of your current firmware
tjtag3 -backup:wholeflash /fc:85 /bypass /st5
the /bypass /st5 are needed on either read or write but i'm not sure which or if it's both so use them anyway
this will take a short while
then
you will need this cfe http://rapidshare.com/files/406151637/cfe.bin.zip
extract it into the tjtag folder
and only if you're ready to blow the thomsonware away,
./tjtag3 -flash:cfe /fc:85 /bypass /st5
that won't take long
when its finished reboot the router
watch the terminal - you might need to change your terminal program's settings to 115200 8N1
now you should have a menu,
for the board choose 0
set the amount of mac addresses you want
and the base mac address
and i think the board resets here
when it comes back type,
c
set your ip address
set your pc address
leave gateway
just leave defaults for everything else, i'm going on memory so i might not have this in the right order.
now the router should be waiting for a firmware
if your firmware has finished building find the firmware image in /opt/bcm963xx_router/images
transfer this to your tftp server and type into the router terminal
flashimage address.of.tftp.server:firmware_image_name
let it flash and reboot
user: admin
password: admin
notice how the eth0 interface downed, i've fixed mine by commenting out the broadcom configuration manager 'cfm' lines from /opt/bcm963xx_router/targets/96338GWS/96338GWS and
creating my own startup in place of /opt/bcm963xx_router/targets/fs.src/etc/profile - be careful of this one, you need to keep the 'if' loop or every time the shell times out the router will think it's just booted.
a few other things,
never do a straight make clean on the source, it will break it. use make PROFILE=96338GWS clean
busybox can be configured,
cd /opt/bcm963xx_router/userapps/opensource/busybox
make menuconfig
load an alternate configuration file
brcm.config
remember to save alternate config file to the same file after configuring
take this bit with a pinch of salt -
you can configure the kernel via make menuconfig but that seems to break things,
instead there's a file /opt/bcm963xx_router/hostTools/scripts/defconfig-bcm.template you have to edit this manually, however,
there's another /opt/bcm963xx_router/targets/96338GWS/96338GWS, settings in here override the ones in the first file.
also there's a script at /opt/bcm963xx_router/hostTools/scripts/gendefconfig that changes the kernel config.
all these together get mangled up and turned into the kernel .config
i dont think this should go on the wiki yet,
at least until we have a better understanding of the device.
there's gpio definitions in /opt/bcm963xx_router/shared/opensource/boardparms/bcm963xx/boardparms.c - search for 96338W, they're under there
the wlan doesn't seem to be transmitting at a proper level - i haven't got around to checking registers and srom yet though.
i'd like to make use of the led on the front button, it is connected directly to the wifi chip.
a few gpios - i might not be entirely right on these
2L ethernet green
2H broadband
4H internet red
5H internet green
wifi is hardwired - green on, red data
Any questions or suggestions? Feel free to pm me.
Thanks
(Last edited by routednbooted on 12 Jul 2010, 06:05)
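
An added example, not part of the original post: a sanity check for the whole-flash backup taken before the CFE is overwritten. It assumes you run the backup twice and pass in whatever two file names tjtag wrote; the expected length is the Flash Chip Window Length (00400000) from the probe output above, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: check tjtag flash dumps before anything gets overwritten.
# 4194304 = 0x00400000, the "Flash Chip Window Length" in the probe output.
FLASH_LEN=4194304

# check_dump FILE [LENGTH]
# Returns 0 if the dump looks plausible, 1 if the file is missing,
# 2 if the length is wrong, 3 if every byte is the same value
# (an all-0xFF or all-0x00 image usually means the JTAG read was garbage).
check_dump() {
    f=$1
    want=${2:-$FLASH_LEN}
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq "$want" ] || {
        echo "$f: $size bytes, expected $want" >&2; return 2; }
    # Count how many distinct byte values occur in the file.
    distinct=$(od -An -v -tx1 "$f" | tr -s ' ' '\n' | sort -u | grep -c .)
    [ "$distinct" -gt 1 ] || {
        echo "$f: one repeated byte value, not a real image" >&2; return 3; }
    return 0
}

# dumps_match FIRST SECOND [LENGTH]
# Returns 0 only if both reads pass check_dump and are byte-identical,
# then prints their SHA-256 so the backup can be re-verified later.
# Returns 4 if the two reads differ (a flaky cable gives a useless backup).
dumps_match() {
    len=${3:-$FLASH_LEN}
    check_dump "$1" "$len" && check_dump "$2" "$len" || return 1
    cmp -s "$1" "$2" || {
        echo "reads differ: fix the cable before flashing" >&2; return 4; }
    sha256sum "$1" "$2"
}

# Usage: sh check_dump.sh first_read.bin second_read.bin
if [ "$#" -eq 2 ]; then
    dumps_match "$1" "$2"
fi
```

Keep the printed hashes with the backup files, away from the machine you flash from.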