Hi,

I broke CFE on that PON router [and currently having no output on console] and attempting to recover. JTAG pinout is not known, so I am currently looking in a different direction.

First thing to mention: there is a NAND flash. Am I right that there should be some software that executes before [broken] CFE and copies CFE from [from a disk-alike-block] NAND to RAM?
Next thing what I've noticed: after turning on the router there is a carrier on LAN1 and LAN2 (and LEDs are flashing on activity), but no carrier on LAN2 and LAN4. Does that prove that something has been executed and initialized LAN1 and LAN2?
What is known about that pre-cfe-nand-to-ram loading software? Where it resides? (hardcoded in CPU or in blocks marked as bad in NAND even? If so, how it loads?) Can I interact with it somehow (for restoring CFE)?

As I understand, there is no documentation on BCM chips (at least for this generation)? For what words to google?

Thanks.

I'm sure you tried the empty header points (at the right middle of the PCB under the big blue capacitator under the red power knob)?

Couldn't get in neither :-(

Well, do you know there are several revisions of F660 - one is Broadcom based, the other is some ARM?

By "getting in" do you mean you cannot find console in F660/Broadcom? Or getting in via JTAG?

I have a bunch of F660's with broken optical modules.

I managed to get in via telnet.  I'm happy, it's what I was looking for.

Seems mine is a ARM version.

FWIW:

BusyBox v1.01 (2013.06.05-06:24+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # cat /proc/cpuinfo 
Processor       : ARM926EJ-S rev 1 (v5l)
BogoMIPS        : 996.14
Features        : swp half thumb fastmult edsp 
CPU implementer : 0x56
CPU architecture: 5TE
CPU variant     : 0x2
CPU part        : 0x131
CPU revision    : 1
Cache type      : write-back
Cache clean     : cp15 c7 ops
Cache lockdown  : format C
Cache format    : Harvard
I size          : 16384
I assoc         : 4
I line length   : 32
I sets          : 128
D size          : 16384
D assoc         : 4
D line length   : 32
D sets          : 128

Hardware        : Feroceon-KW2
Revision        : 0000
Serial          : 0000000000000000
/ # mount
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw)
/dev/mtdblock2 on /tagparam type jffs2 (rw)
tmpfs on /var type tmpfs (rw)
/dev/mtdblock5 on /userconfig type jffs2 (rw)
none on /proc/bus/usb type usbfs (rw)
/ # df
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/mtdblock2            4096       432      3664  11% /tagparam
tmpfs                    15360        88     15272   1% /var
/dev/mtdblock5            8192       624      7568   8% /userconfig
/ # cat /proc/filesystems 
nodev   sysfs
nodev   rootfs
nodev   bdev
nodev   proc
nodev   sockfs
nodev   pipefs
nodev   futexfs
nodev   tmpfs
nodev   inotifyfs
nodev   eventpollfs
nodev   devpts
nodev   ramfs
        vfat
        ntfs
        jffs2
nodev   fuse
        fuseblk
nodev   fusectl
nodev   usbfs
/ # 

if it is a broadcom, there maybe be a way to load something to ram.
u need to solder to serial pinout, and look at log.
before power , press and keep pressed wps button, and then power, u will see an xmodem query, if not see that, ur device is bricked for good.
i have an 660, also bricked, but mine is deep bricked, cannot press wps.

look how it works.

there is a cferom, who low initialize device, that cferom copy cferam to ram and execute from there.

i think u need to upload this file to ram via xmodem.

https://www.dropbox.com/s/r5dcnchwr45qi … 1.bin?dl=0

if someone discover jtag for this bcm6818, ill be interested to test.