OpenWrt Forum Archive

Topic: Porting to new hardware: vmlinux boots, but flashed .trx not

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I'm new to this forum, currently trying to get OpenWrt running on a Huawei E970 wireless gateway.
The device has a Broadcom BCM5354 SoC and uses CFE.

What I've done so far:
* found and connected a serial console to access CFE's commandline
* successfully flashed the original firmware via CFE to have a working fallback
* created a new brcm47xx image using image builder

Now, when I flash the *-squashfs.trx onto the router, upon booting it says "Decompressing......done", then just reboots CFE. The commandline I used:
CFE> flash -noheader 192.168.1.5:openwrt-brcm47xx-squashfs.trx flash1.trx

Just for a test, I successfully booted the new kernel from tftp:

CFE> boot -addr=80001000 -max=3000000 192.168.1.5:vmlinux
Loader:raw Filesys:tftp Dev:eth0 File:192.168.1.5:vmlinux Options:(null)
Loading: ........... 2893968 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
Linux version 2.6.32.27 (jow@nd-build-02.linux-appliance.net) (gcc version 4.3.3 (GCC) ) #11 Sun Oct 30 19:48:44 CET 2011
CPU revision is: 00029029 (Broadcom BCM3302)
...

It got until (I think) it wanted to mount the root fs which obviously cannot succeed.
Here the last lines of its output:

flash init: 0x1c000000 0x02000000
Physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank
CFI mfr 0x00000001
CFI id  0x00001a01
Amd/Fujitsu Extended Query Table at 0x0040
  Amd/Fujitsu Extended Query version 1.3.
Physically mapped flash: Swapping erase regions for broken CFI table.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Flash device: 0x400000 at 0x1fc00000
bootloader size: 262144
Updating TRX offsets and length:
old trx = [0x0000001c, 0x000b21e0, 0x00000000], len=0x00285000 crc32=0xa1bf49ce
new trx = [0x0000001c, 0x000b21e0, 0x00000000], len=0x000b21e0 crc32=0x669b3aff
Decompressing...........done


CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: <C8><FD>  2<D4><C2> 13 14:50:54 CST 2008 (w114501@localhost.localdomain)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.


After that the original firmware in flash was broken (I assume because of the "Updating TRX" above?).


Does anybody have an idea what could be going wrong?
My goal is to create a working openwrt image which can be flashed to the router device.

Hello,

investigated it some more, it seems there are 2 distinct problems:

1) lzma-loader fails to load the kernel (just reboots into CFE). I also tried loader.elf instead of loader.gz:

CFE> boot -elf flash0.os:
Loader:elf Filesys:raw Dev:flash0.os File: Options:(null)
Loading: 0x80000000/8188 Entry at 0x80001000
Closing network.
Starting program at 0x80001000
Decompressing...........done

(CFE reboots)

btw, where does the Decompressing.....done message come from? from CFE or from the lzma-loader?

As mentioned before, the uncompressed vmlinux does boot:

CFE> boot -elf flash0.os:
Loader:elf Filesys:raw Dev:flash0.os File: Options:(null)
Loading: 0x80001000/2893968 0x802c3890/137344 Entry at 0x80005270
Closing network.
Starting program at 0x80005270
Linux version 2.6.32.27 (jow@nd-build-02.linux-appliance.net) (gcc version 4.3.3 (GCC) ) #11 Sun Oct 30 19:48:44 CET 2011

2) kernel seems to crash when writing to flash: when booting the kernel it still reboots after the "Updating TRX offsets and length:" message. I found that after that, the first 64kB behind the bootloader are all 0xFFs thus I'm not able to boot until reflashing the image.

Anybody an idea why it crashes on writing?
And why does it update TRX offsets anyway?

Thanks in advance.

Now, I've downloaded Buildroot from trunk and created an image with that. Unfortunately, it still crashes.

By modifying target/linux/brcm47xx/image/Makefile I created an image without lzma-loader and with a gzipped kernel: this one boots, up to the point where it says "updating TRX":

...
serial8250.0: ttyS0 at MMIO 0xb8000300 (irq = 3) is a U6_16550A
serial8250.0: ttyS1 at MMIO 0xb8000400 (irq = 3) is a U6_16550A
bcm47xx_pflash: flash init: 0x1c000000 0x02000000
Physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank. Manufacturer ID 0x000001 Chip ID 0x001a01
Amd/Fujitsu Extended Query Table at 0x0040
  Amd/Fujitsu Extended Query version 1.3.
Physically mapped flash: Swapping erase regions for top-boot CFI table.
number of CFI chips: 1
bcm47xx_pflash: Flash device: 0x2000000 at 0x1fc00000
bcm47xx_part: bootloader size: 262144
bcm47xx_part: Looking for dual image
bcm47xx_part: TRX offset : 0
bcm47xx_part: Updating TRX offsets and length:
bcm47xx_part: old trx = [0x0000001c, 0x0012cc00, 0x00000000], len=0x002e1000 crc32=0x729db7c4
bcm47xx_part: new trx = [0x0000001c, 0x0012cc00, 0x00000000], len=0x0012cc00 crc32=0x48f25a83


CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
[then, CFE restarts...]

Again, after that I find the first 64kiB behind CFE being erased so have to reflash.

As a test, I manually modified TRX headers (len and crc) so that the kernel doesn't have to update them. This one boots a little further, before crashing again:

...
bcm47xx_pflash: Flash device: 0x2000000 at 0x1fc00000
bcm47xx_part: bootloader size: 262144
bcm47xx_part: Looking for dual image
bcm47xx_part: TRX offset : 0
4 bcm47xx partitions found on MTD device Physically mapped flash
Creating 4 MTD partitions on "Physically mapped flash":
0x000000000000-0x000000040000 : "cfe"
0x000000040000-0x0000003f0000 : "linux"
0x00000016cc00-0x0000003f0000 : "rootfs"
mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-oy
mtd: partition "rootfs" set to be root filesystem
mtd: partition "rootfs_data" created automatically, ofs=2E0000, len=110000 
0x0000002e0000-0x0000003f0000 : "rootfs_data"
0x0000003f0000-0x000000400000 : "nvram"
bcm47xx_sflash: error registering platform driver: -19
b44: b44.c:v2.0
b44 ssb0:0: eth0: Broadcom 44xx/47xx 10/100BaseT Ethernet 00:90:4c:c0:85:59
BCM47xx Watchdog Timer enabled (30 seconds, nowayout)
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 156k freed


CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: ??  2?? 13 14:50:54 CST 2008 (w114501@localhost.localdomain)

Further, I noticed that the original firmware (uses a kernel 2.4.20) prints:

Flash device: 0x400000 at 0x1c000000

while openwrt kernel 2.6.32.27 from 10.03.1rc prints a different address in the "Flash device" line:

flash init: 0x1c000000 0x02000000
...
Flash device: 0x400000 at 0x1fc00000

kernel 3.0.9 from trunk is the same except that it reports a wrong size (0x2,000,000=32MB, 0x400,000=4MB is the correct size):

bcm47xx_pflash: Flash device: 0x2000000 at 0x1fc00000

However it seems the flash is visible under both address blocks, because in CFE:

save 192.168.1.5:f1 <addr> 400000

gives the same result for addr=bc000000 and bfc00000 (note that reading from e.g. 1fc00000 crashes CFE!)

To me it seems the crashes occur whenever the flash is to be accessed, either by lzma-loader or the kernel itself. Or am I on the wrong track?  And if not, what could be the cause?

Any suggestions appreciated (and sorry for the long post)...

Though no-one seems interested, just for the archive:  finally, I got OpenWrt running on the Huawei E970 (or, in my case labelled as T-Mobile web'n'walk Box IV)   :-)

Problem was that it has a hardware watchdog which needs a toggle on GPIO7 at least once a second or so. As a quick fix I put together a small kernel patch which adds a timer to regularly perform the GPIO toggle.

While this does work for me, I think it could get some cleanup... perhaps, is there already an infrastructure (related to watchdogs) where this could be attached to?
Are there other devices already supported by OpenWrt with a similar watchdog?

Mr. Delphi wrote:

Though no-one seems interested, just for the archive:  finally, I got OpenWrt running on the Huawei E970 (or, in my case labelled as T-Mobile web'n'walk Box IV)   :-)

I think the subject of your message thread is a little unclear as to the model and architecture, so the right people may not read it.

OpenWrt isn't yet supported on a lot of these CFE BCM947XX systems.  Linksys / Cisco E3000 and Asus RT-N16 are two such ones where some pieces are missing...

Keep it up to date.

are there some new information about running OpenWrt on Huawei E970 (T-Mobile Webnwalk Box 4)?

---------------------

Ich würde auf meinen Router auch gerne die OpenWrt Firmware installieren. Allerdings fehlt mir das know how sie selber zu kompilieren. Gibt es diese vielleicht als flashbares Image?

Hello,
I managed to put openwrt om my e970.
It seems to work, at least I can telnet to it!
But now I am stucked, Tkere is no Webinterface and I have no Idea how to go on...
Anybody an Idea?

@javaanse: Du hast geschrieben:
"Ich würde auf meinen Router auch gerne die OpenWrt Firmware installieren. Allerdings fehlt mir das know how sie selber zu kompilieren. Gibt es diese vielleicht als flashbares Image?"

Ich habe so eins, leider ohne Webinterface...

(Last edited by olli395 on 14 Apr 2012, 09:32)

The discussion might have continued from here.