Re: TRENDnet AC2600 (TEW-827DRU)

My OEM GPL dump build just finished successfully (apparently).

I had tried to build it earlier on my Debian Unstable desktop, but it failed with various issues. I set up a KVM instance of Ubuntu 14.04 and now it looks like it finished.

I would love to rebuild uboot and try a few things, but I don't know any way of switching/fixing it without a jtag, and I know have one that will work with this platform. Maybe I'll have to order one and find out if that jtag on the board really works (I suspect it does).

Re: TRENDnet AC2600 (TEW-827DRU)

In the GPL dump, there are some interesting files under qsdk_gpl/cameo/feeds/own/cameo-project/TEW-827DRU

There is a changelog file and some interesting info about how Cameo does their product/device builds.

Re: TRENDnet AC2600 (TEW-827DRU)

I was able to tftp over a kernel from the LEDE snapshots and boot it.

So, something is wrong with the way that I'm generating that kernel image.

I am going to check my build makefiles. I'm certain I've done something stupid.

Re: TRENDnet AC2600 (TEW-827DRU)

My kernel booting problem was caused by something upstream. I rebased my branch and it is booting now.

Re: TRENDnet AC2600 (TEW-827DRU)

[    3.781281] ubi0: attaching mtd11
[    3.835287] UBI: EOF marker found, PEBs from 40 will be erased
[    3.835449] ubi0: scanning is finished
[    3.840103] ubi0 error: ubi_read_volume_table: the layout volume was not found
[    3.844130] ubi0 error: ubi_attach_mtd_dev: failed to attach mtd11, error -22
[    3.850959] UBI error: cannot attach mtd11
[    3.858228] hctosys: unable to open rtc device (rtc0)
[    3.869569] VFS: Cannot open root device "ubi0:rootfs" or unknown-block(31,11): error -2

The UBI it not getting attached right. I may need to look at the kernel code.

I don't think this is related to the fact that we have an smem/mtdpart named "rootfs" AND a UBI volume named "rootfs". Thx again Cameo/TRENDnet/QCA/whoever.

56 (edited by jmomo 2016-08-10 11:40:19)

Re: TRENDnet AC2600 (TEW-827DRU)

smeminfo vs mtdparts

(IPQ) # smeminfo
smem: SMEM_PARTITION_TABLE_OFFSET failed
flash_type:             0x2
flash_index:            0x0
flash_chip_select:      0x0
flash_block_size:       0x20000
partition table offset 0x0
No.: Name             Attributes            Start             Size
  0: 0:SBL1           0x0000ffff              0x0          0x40000
  1: 0:MIBIB          0x0000ffff          0x40000         0x140000
  2: 0:SBL2           0x0000ffff         0x180000         0x140000
  3: 0:SBL3           0x0000ffff         0x2c0000         0x280000
  4: 0:DDRCONFIG      0x0000ffff         0x540000         0x120000
  5: 0:SSD            0x0000ffff         0x660000         0x120000
  6: 0:TZ             0x0000ffff         0x780000         0x280000
  7: 0:RPM            0x0000ffff         0xa00000         0x280000
  8: 0:APPSBL         0x0000ffff        0x53a0000         0x500000
  9: 0:APPSBLENV      0x0000ffff        0x1180000          0x80000
 10: 0:ART            0x0000ffff        0x1200000         0x140000
 11: rootfs           0x0000ffff        0x58a0000        0x4000000
 12: 0:BOOTCONFIG     0x0000ffff        0x5340000          0x60000
 13: 0:APPSBL_1       0x0000ffff         0xc80000         0x500000
 14: rootfs_1         0x0000ffff        0x1340000        0x4000000

Notice how the partition ID/number is out of order from the real byte order/address on the storage device. rootfs is mtd11.



(IPQ) # mtdparts

device nand0 <nand0>, # parts = 15
 #: name                size            offset          mask_flags
 0: 0:SBL1              0x00040000      0x00000000      0
 1: 0:MIBIB             0x00140000      0x00040000      0
 2: 0:SBL2              0x00140000      0x00180000      0
 3: 0:SBL3              0x00280000      0x002c0000      0
 4: 0:DDRCONFIG         0x00120000      0x00540000      0
 5: 0:SSD               0x00120000      0x00660000      0
 6: 0:TZ                0x00280000      0x00780000      0
 7: 0:RPM               0x00280000      0x00a00000      0
 8: 0:APPSBL_1          0x00500000      0x00c80000      0
 9: 0:APPSBLENV         0x00080000      0x01180000      0
10: 0:ART               0x00140000      0x01200000      0
11: rootfs_1            0x04000000      0x01340000      0
12: 0:BOOTCONFIG        0x00060000      0x05340000      0
13: 0:APPSBL            0x00500000      0x053a0000      0
14: rootfs              0x04000000      0x058a0000      0

active partition: nand0,0 - (0:SBL1) 0x00040000 @ 0x00000000

defaults:
mtdids  : none
mtdparts: none
(IPQ) # 

MTD parts doesn't have an independant ID/number when defining partitions, so rootfs is now mtd14.

This device doesn't have mtdparts defined. I did that manually, and I guess I could remove it from the uboot env. It's useful/required for attaching the UBI.

So, how does the thing even boot from the UBI if it doesn't have a defined mtd table, you ask? "bootipq" sets it as part of it's boot process.


Extra links on the subject:

http://lists.infradead.org/pipermail/li … 61151.html

https://www.kernel.org/doc/Documentatio … _nandc.txt

57 (edited by jmomo 2016-08-10 12:10:15)

Re: TRENDnet AC2600 (TEW-827DRU)

My UBI problem might be a known issue:

https://lists.openwrt.org/pipermail/ope … 42030.html

Also notes regarding UBI partitions being named "rootfs":

Notable patch regarding SMEM partitions, "rootfs" names, etc
    ./target/linux/ipq806x/patches-4.4/302-mtd-qcom-smem-rename-rootfs-ubi.patch
    https://lists.openwrt.org/pipermail/ope … 35323.html

    This patch may be broken since the partition isn't being renamed. Or maybe it only triggers for the AP148. Not sure.

58 (edited by jmomo 2016-08-11 00:46:16)

Re: TRENDnet AC2600 (TEW-827DRU)

Yep, it's the same issue that Ram noted in his patch

https://patchwork.ozlabs.org/patch/657285/

If uboot attaches the UBI , then the kernel sees it as malformed and can't use it.

I don't know what the solution for this one will be. Our kernel is in the UBI, so we can't ignore it.

Re: TRENDnet AC2600 (TEW-827DRU)

Just found this awhile ago:
https://patchwork.ozlabs.org/patch/509468/

Going to try ripping out some of those UBI patches and recompile. Especially the ones added since 12.09.

60 (edited by jmomo 2016-09-14 01:13:41)

Re: TRENDnet AC2600 (TEW-827DRU)

Confirmed that the 494-mtd-ubi-add-EOF-marker-support.patch was the problem. Hopefully the OpenWRT/LEDE guys got the message that this thing needs to get ripped out. Hopefully the systems which depend upon it can figure out another fix for their issue that doesn't break anything else.

--

UPDATE: The "mtd-ubi-add-EOF-marker-support.patch" issue has been fixed in LEDE as of commit d27bce8d28eb129af0abd9c80a7756301b7d588a (r1588)

commit d27bce8d28eb129af0abd9c80a7756301b7d588a
Author: Felix Fietkau <nbd@nbd.name>
Date:   Mon Sep 12 18:20:50 2016 +0200

    build: drop UBI EOF marker from images by default
   
    Only add them where they are actually required.
    Should help with compatibility issues with stock U-Boot images that
    access UBI
   
    Signed-off-by: Felix Fietkau <nbd@nbd.name>

61 (edited by jmomo 2016-08-12 08:01:29)

Re: TRENDnet AC2600 (TEW-827DRU)

I fked it.

I did this in the flash script:
nand write ${fileaddr} ${BOOTCONFIG_nand_addr} ${0x800}

That "${0x800}" should have been "0x800". u-boot interpreted the non-existent environment variable to mean "0xacc0000", and then it proceeded to overwrite the next 180MB of flash, which happend to include APPSBL and rootfs.

The bootconfig I had flashed was configured for APPSBL and rootfs to be the active partitions, so now the system fails to boot and I get nothing on the console.

If I could somehow switch over to APPSBL_1, I could recover, but there is no way for me to do that without being able to write to flash. I literally just need to flip one bit, ONE BIT, and I could boot again!  smile

Looks like I need to buy a jtag and see if this thing works.

Re: TRENDnet AC2600 (TEW-827DRU)

I know almost nothing about JTAG. Looks like I'm going to learn.

I think I have two options, so I'm not completely farked.

First is the JTAG. It's in the lower right corner of the board. 20 pins. I guess that's an ARM-20?:
http://www.jtagtest.com/pinouts/arm20

I need to figure out what kind of adapter should be used and I'll have to either make one or buy one.

The second option is that I could probably access the NAND flash chip directly, in situ. The chip is a BGA, which sucks, but the board has solder pads for what I think is a TSOP1. Also the top of the board has a bunch of pads that look interesting, so I think I could soldier in direct once I figure out the pins.

For direct flash access, I would also need some kind of adapter and software. I know about things like OpenOCD, but have never used it before.

If I could just flip 0x534001d from 0x00 to 0x01, we could boot again. Maybe if I squint REALLY hard and use the power of my mind....

Re: TRENDnet AC2600 (TEW-827DRU)

jmomo wrote:

I know almost nothing about JTAG. Looks like I'm going to learn.

I think I have two options, so I'm not completely farked.

First is the JTAG. It's in the lower right corner of the board. 20 pins. I guess that's an ARM-20?:
http://www.jtagtest.com/pinouts/arm20

I need to figure out what kind of adapter should be used and I'll have to either make one or buy one.

Yes, it's probably regular ARM JTAG interface, but the most important question is what voltage level you should use. AFAIK, I/O in IPQ806x SOCs works in 1.8 V domain which might be problematic for some JTAG adapters.

For adapters, take a look here: http://openocd.org/doc/html/Debug-Adapter-Hardware.html

You shouldn't have problems with recognize ARM type in JTAG, but the problem would be initializing clocks and other peripherals... and as it's common for Qualcomm Atheros, there is no publicly/officially available datasheet, tutorials, drivers, etc. for their WiSoCs.

jmomo wrote:

The second option is that I could probably access the NAND flash chip directly, in situ. The chip is a BGA, which sucks, but the board has solder pads for what I think is a TSOP1. Also the top of the board has a bunch of pads that look interesting, so I think I could soldier in direct once I figure out the pins.

For direct flash access, I would also need some kind of adapter and software. I know about things like OpenOCD, but have never used it before.

For me this approach sounds unreal. For NOR that would be possible and quite easy, but not with NAND.

jmomo wrote:

If I could just flip 0x534001d from 0x00 to 0x01, we could boot again. Maybe if I squint REALLY hard and use the power of my mind....

Does U-Boot in this device support writing in NAND (topic got very long and I haven't followed it, sorry if I'm asking something already answered somewhere here)? The approach to make change on FLASH is usually: copy block from NOR/NAND to RAM, overwrite what is needed there, erase block and copy updated content back from RAM.

Re: TRENDnet AC2600 (TEW-827DRU)

pepe2k wrote:

AFAIK, I/O in IPQ806x SOCs works in 1.8 V domain which might be problematic for some JTAG adapters.

Yes, I am also under the impression it's 1.8V for ipq806x.

pepe2k wrote:

For me this approach sounds unreal. For NOR that would be possible and quite easy, but not with NAND.

Thanks. I'll not spend too much time looking into that route then. I have no idea what difficulties might be involved.

pepe2k wrote:

Does U-Boot in this device support writing in NAND (topic got very long and I haven't followed it, sorry if I'm asking something already answered somewhere here)? The approach to make change on FLASH is usually: copy block from NOR/NAND to RAM, overwrite what is needed there, erase block and copy updated content back from RAM.

Yes, the u-boot has nand commands, but that's not the issue. I can't get into the active u-boot anymore. I get nothing on the console.

This system has two u-boot and ubi partitions on the NAND. It's part of some kind of "failsafe" system, so they are duplicates. Depending upon the byte in the bootconfig partition I mentioned above, it chooses which u-boot and ubi to use. The inactive/backup u-boot is still there on flash, but the active one has been wiped out. I have no way of flipping that bit anymore.

I need to go look into the OEM source code to make sure there isn't some way to flip that config to use the backup instead of the primary via holding down buttons during boot or something, but I doubt it. It's not a very good "failsafe" system given that I managed to break it and yet it's sitting there in a recoverable state, one bit away from working again.

Re: TRENDnet AC2600 (TEW-827DRU)

pepe2k wrote:

You shouldn't have problems with recognize ARM type in JTAG, but the problem would be initializing clocks and other peripherals... and as it's common for Qualcomm Atheros, there is no publicly/officially available datasheet, tutorials, drivers, etc. for their WiSoCs.

That would be in the BSDL file, right? I was reading some docs and watching some youtube videos on the subject earlier.

One of the reasons I chose this router/chip was because of how prolific/common it is. It's in a ton of routers, but also things like the Amazon Echo, Google On Hub, and a few other things. Hopefully someone somewhere has done some work on this and I can I get enough info to write to that flash again.

Oh, and thanks for your hints Pepe, I appreciate it.

Re: TRENDnet AC2600 (TEW-827DRU)

It looks like there are a variety of good jtag adapters for under $100 USD. Cost isn't really an issue for me, though I don't want to spend more than I have to. I wish I could get something local so I could get to work right away, but I'll probably have to order it and wait a week.

Following a couple of the traces for the jtag lead me straight to the CPU, so it's definitely 1.8V.

I strongly prefer to work under Linux but I could do Windows or Mac too.

Re: TRENDnet AC2600 (TEW-827DRU)

I will get one of these:
http://www.diygadget.com/tiao-usb-multi … erial.html

The Segger J-Link EDU looks okay too. I'll look at the software later and see if I like it. Apparently it supports Linux these days too.

And until it gets delivered I might play around with some of those parallel port wiggler mods.

And if all this fails, I know someone who can take care of this for me.

Re: TRENDnet AC2600 (TEW-827DRU)

jmomo wrote:
pepe2k wrote:

You shouldn't have problems with recognize ARM type in JTAG, but the problem would be initializing clocks and other peripherals... and as it's common for Qualcomm Atheros, there is no publicly/officially available datasheet, tutorials, drivers, etc. for their WiSoCs.

That would be in the BSDL file, right? I was reading some docs and watching some youtube videos on the subject earlier.[...]

Forget about BSDL - nobody will give it to you for QCA plus most of open JTAG software (ex. OpenOCD, UrJTAG) use different format files. Take a look at OpenOCD: http://openocd.org/doc/html/Config-File-Guidelines.html

What I wanted to say is that this SOC has common ARM core inside (ARMv7A), so there shouldn't be any problem with finding it in JTAG chain. But, "shouldn't" doesn't mean that you won't have problems and that would be just a start... to be able to make ex. NOR/NAND access, you will need some kind of low level initialization and probably some kind of drivers/code. Or, there is also different approach - initialize SOC with JTAG, put some code in RAM and execute it there (RAM version of U-Boot).

jmomo wrote:

Oh, and thanks for your hints Pepe, I appreciate it.

You're welcome. I hope you will finally make this device fully supported.

jmomo wrote:

I will get one of these:
http://www.diygadget.com/tiao-usb-multi … erial.html[...]

Seems OK, at least it has wide range of voltage level.

69 (edited by jmomo 2016-08-13 12:13:56)

Re: TRENDnet AC2600 (TEW-827DRU)

pepe2k wrote:

What I wanted to say is that this SOC has common ARM core inside (ARMv7A), so there shouldn't be any problem with finding it in JTAG chain. But, "shouldn't" doesn't mean that you won't have problems and that would be just a start... to be able to make ex. NOR/NAND access, you will need some kind of low level initialization and probably some kind of drivers/code. Or, there is also different approach - initialize SOC with JTAG, put some code in RAM and execute it there (RAM version of U-Boot).

Yes, I also read somewhere that I might just be able to send over enough code in RAM to either execute there, or cause a tftpboot of uboot, which would be great. That's definitely something I'll try if I am not able to read and write to the NAND. However, these QCA SoC's use a multi-stage boot (SBL), and I'm not sure I could actually load those in that way, and I don't think I have the source code for them.

It will probably be a week until the adapter comes in, so I'll spend that time figuring out how set up and edit a wiki page for the device, assemble all of my current documents and notes, and I can finish writing some of the code I had to produce to make the factory images work, which was a pain in the butt (UBI, multi-image FIT, Cameo signature).

Re: TRENDnet AC2600 (TEW-827DRU)

I received my little JTAG adapter today but I'll probably not have time to play with it until later next week.

71 (edited by jmomo 2016-08-22 03:04:35)

Re: TRENDnet AC2600 (TEW-827DRU)

Well, I'm not positively impressed with OpenOCD so far. Using it is messy. The documentation is both needlessly complicated and sparse of the kind of information I was looking for.

I think the worst thing so far is that it's too stupid to figure out when the user running the application has RW access to the Linux device. I have to chmod o+rw the USB device to get openocd to work with it... but most people (including the devs) seem to run it as root/sudo. Yea really.

I got out a multimeter and verified that Vcc on the jtag port is 1.8V. One thing to note is that pin 4, which I expected to be ground, is floating. Pings 6,8,10, etc are proper ground. I'm not sure if that's normal for ARM-20 jtag ports or not.

I've hooked up my TIAO JTAG device and moved the jumper to get power from the router. That seems to be working okay, but I have yet to get openocd working.

I did not find a ton of info when googling around for the ipq8064. However, I did find the data sheets for some similar chips, like the apq8064, which is the S4 Pro. The apq8064 has four cores at 1.5Ghz. The fab process is probably very different, only half the cores, and other components probably ripped out, but it's likely very similar.

I'm trying to scan the bus and I'm not getting anything....

http://openocd.zylin.com/#/c/3124/

This commit is for the apq8064 and some other chips. Apparently this chip and other ARM Cortex chips don't do set CSYSPWRUPACK as expected, so this patch is needed. I should take a look at this, but I'm WAYYYY outside my knowledge scope.... or in other words I don't know WTF I'm doing.

Also these may be relevant:
https://sourceforge.net/p/openocd/mailm … /32393550/
https://sourceforge.net/p/openocd/mailm … /34628924/
https://forum.gsmhosting.com/vbb/f664/r … x-1792364/
http://forum.xda-developers.com/showthr … ?t=2734774

Re: TRENDnet AC2600 (TEW-827DRU)

The Mikrotik RB3011 switch is based on the ipq8062, apparently.

http://forum.mikrotik.com/viewtopic.php … 53#p508841

Nice jtag port on that thing.

Re: TRENDnet AC2600 (TEW-827DRU)

This is the most helpful thing I think I've found in regards to understanding how to use OpenOCD with a new board:
http://www.ethernut.de/en/hardware/eir/openocd.html

Re: TRENDnet AC2600 (TEW-827DRU)

I have my first JTAG output:

-->openocd 
Open On-Chip Debugger 0.10.0-dev-00371-g81631e4 (2016-08-22-19:21)
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.org/doc/doxygen/bugs.html
none separate
trst_and_srst separate srst_gates_jtag trst_push_pull srst_push_pull connect_deassert_srst
Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
RCLK - adaptive
Info : RCLK (adaptive clock speed)
Warn : There are no enabled taps.  AUTO PROBING MIGHT NOT WORK!!
Info : JTAG tap: auto0.tap tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd.), part: 0xba00, ver: 0x4)
Info : JTAG tap: auto1.tap tap/device found: 0x108100e1 (mfg: 0x070 (Qualcomm), part: 0x0810, ver: 0x1)
Warn : AUTO auto0.tap - use "jtag newtap auto0 tap -irlen 4 -expected-id 0x4ba00477"
Warn : AUTO auto1.tap - use "jtag newtap auto1 tap -irlen 11 -expected-id 0x108100e1"
Warn : gdb services need one or more targets defined

Re: TRENDnet AC2600 (TEW-827DRU)

For reference, I am getting help over on the openocd-devel and openocd-users lists.

Subject: Re: [OpenOCD-devel] QCA IPQ8064