Topic: Adding ZyXEL VMG5313-B30A support

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Page 1 of 1

Post #1

danijel.tudek

17 Sep 2016, 15:00

Hi!
I have a ZyXEL VMG5313-B30A router.
It's based on BCM63168, has XDSL support up to VDSL2 17a profile (BCM6302), 128MiB of DDR3 RAM and 128MiB of flash - surprisingly lot for an budget ISP's router.

I got the source for the latest firmware. Unfortunately I can't post links yet so for now, take a look at the wiki page I wrote today.
Surprise - with the exception of one instance of deprecated Perl syntax used in kernel, there are absolutely no other errors and build succeeds! On my notebook's i5-3337U it compiles under 12 minutes.
As expected, the flashed image doesn't exactly work - Web GUI never shows up, and /dev/console is broken so nothing can be debugged.
However, I'm not interested in modifying original FW so I didn't investigate why it happens - I want OpenWRT to boot.

ATSE doesn't work, but I managed to find the correct ATEN password:

ATEN 1, 10F0A563

After that, I set EngDbgFlag to 1 with ATWZ, and now it boots with red power LED and CFE happily tries to boot/flash anything I serve over TFTP/xmodem.
I even replaced CFE, although it fails to flash any which doesn't have "Release" in its name.

Trying to boot any OpenWrt kernel results in this:

Loading 192.168.1.16:vmlinux ...
Finished loading 3681300 bytes
Code Address: 0x00000000, Entry Address: 0x00000000
Failed on decompression.  Corrupted image?

Trying to flash OpenWrt generated CFE image results in:

Firmware tag version [0] is not compatible with the current Tag version [6].

Going further, I found the actual commands executed by Makefile:

/home/danijel/src/vmg5313/bcm963xx_4.12L.06B_consumer_release/bcm963xx_router/hostTools/bcmZyNandImageBuilder --output bcmVMG5313-B30A_fs_kernel_NAND128 --chip 63268 --board "963168_VMG5313" --internalversion="1.00(AATS.1)C0" --externalversion="1.00(AATS.1)C0" --modelid="4517" --cmodelid="4517" --cfefile /home/danijel/src/vmg5313/bcm963xx_4.12L.06B_consumer_release/bcm963xx_router/targets/cfe/cfe63268nand128.bin --imgdefaultfile="config.rom" --romdsig 0 --romdfile="" --rootfsfile rootfs128kb.img

 ######build_image : IMAGE_BASE[bfc00000]##
 ######build_image : fskerneladdr[bfc20000]##

19 85 e0 1 0 0 0 2b 
3e 42 24 27 0 0 0 1 
0 0 0 0 0 0 0 2 
57 dd 41 ee 3 4 0 0 
7d b1 ee 2c 55 66 83 ff 
62 69 6e 0 19 85 e0 2 
0 0 0 44 a4 ef 22 3e 
0 0 0 2 0 0 0 1 
 ######build_image : fsCrc[11be27]##tagVersion 6
signiture_1 MSTC_4517
signiture_2 ver. 2.0
chipId 63268
boardId 963168_VMG5313
bigEndian 1
totalImageLen 23199744
cfeAddress 0, 0x00000000
cfeLen 0
rootfsAddress 3217293312, 0xBFC20000
rootfsLen 23199744
kernelAddress 0, 0xC1240000
kernelLen 0
tagValidationToken [27be1100]
imgdefLen 21767
imgDef imageValidationToken 7b7edc84
imgDef tagValidationToken a090ba61
romdLen 
signatureRomd 
romd imageValidationToken ffffffff
romd tagValidationToken f5a834a1
bcmZyNandImageBuilder
    Model Id                      : 4517
    Custom Model Id               : 4517
    File tag size                 : 256
    Root filesystem image size    : 23199744
    ImageDefault image size       : 21767
    ROM-D signature               : 0
    Combined image file size      : 23221831

/home/danijel/src/vmg5313/bcm963xx_4.12L.06B_consumer_release/bcm963xx_router/hostTools/bcmZyNandImageBuilder --output bcmVMG5313-B30A_fs_kernel_NAND128 --chip 63268 --board "963168_VMG5313" --internalversion="1.00(AATS.1)C0" --externalversion="1.00(AATS.1)C0" --modelid="4517" --cmodelid="4517" --cfefile /home/danijel/src/vmg5313/bcm963xx_4.12L.06B_consumer_release/bcm963xx_router/targets/cfe/cfe63268nand128.bin --imgdefaultfile="config.rom" --romdsig 0 --romdfile="" --rootfsfile rootfs128kb.img

 ######build_image : IMAGE_BASE[bfc00000]##
 ######build_image : fskerneladdr[bfc20000]##

19 85 e0 1 0 0 0 2b 
3e 42 24 27 0 0 0 1 
0 0 0 0 0 0 0 2 
57 dd 41 ee 3 4 0 0 
7d b1 ee 2c 55 66 83 ff 
62 69 6e 0 19 85 e0 2 
0 0 0 44 a4 ef 22 3e 
0 0 0 2 0 0 0 1 
 ######build_image : fsCrc[11be27]##tagVersion 6
signiture_1 MSTC_4517
signiture_2 ver. 2.0
chipId 63268
boardId 963168_VMG5313
bigEndian 1
totalImageLen 23330816
cfeAddress 3217031168, 0xBFC00000
cfeLen 131072
rootfsAddress 3217293312, 0xBFC20000
rootfsLen 23199744
kernelAddress 0, 0xC1240000
kernelLen 0
tagValidationToken [27be1100]
imgdefLen 21767
imgDef imageValidationToken 7b7edc84
imgDef tagValidationToken a090ba61
romdLen 
signatureRomd 
romd imageValidationToken ffffffff
romd tagValidationToken f5a834a1
bcmZyNandImageBuilder
    Model Id                      : 4517
    Custom Model Id               : 4517
    CFE image size                : 131072
    File tag size                 : 256
    Root filesystem image size    : 23199744
    ImageDefault image size       : 21767
    ROM-D signature               : 0
    Combined image file size      : 23352903

/home/danijel/src/vmg5313/bcm963xx_4.12L.06B_consumer_release/bcm963xx_router/hostTools/createZyNandimg --boardid="963168_VMG5313" --voiceboardid="ZL88601" --numbermac=12 --macaddr="CC:5D:4E:00:00:01" --countrycode="FF" --tp=0 --psisize=128 --gponsn= --gponpw= --backuppsi="" --inputfile=bcmVMG5313-B30A_cfe_fs_kernel_NAND128 --outputfile=bcmVMG5313-B30A_flash_image_"963168_VMG5313"_NAND128
createimg: Creating image with the following inputs:
    Board id                : 963168_VMG5313
    Voice board id          : ZL88601
    Number of Mac Addresses : 12
    Base Mac Address:       : CC:5D:4E:00:00:01
    Country Code:           : ff
    Main Thread Number:     : 0
    PSI Size:               : 128
    USING BACKUP PSI:       : 0
    Input File Name         : bcmVMG5313-B30A_cfe_fs_kernel_NAND128
    Output File Name        : bcmVMG5313-B30A_flash_image_963168_VMG5313_NAND128

    Image components offsets
    cfe offset              : 0xbfc00000    -- Length: 131072
    file tag offset         : 0xbfc20000    -- Length: 131072
    rootfs offset           : 0xbfc40000    -- Length: 23199744
    imgdef offset           : 0xc1260020    -- Length: 21767

    rom-d offset            : 0xc1265527    -- Length: 0

    The size of the entire flash image is 23483687 bytes.
    The flash space remaining for a 2 MB flash part: -21386535 bytes.
    The flash space remaining for a 4 MB flash part: -19289383 bytes.

    bcmVMG5313-B30A_flash_image_963168_VMG5313_NAND128 flash image file is
    successfully created.

/home/danijel/src/vmg5313/bcm963xx_4.12L.06B_consumer_release/bcm963xx_router/hostTools/bcmZyNandImageBuilder --output bcmVMG5313-B30A_cfe_fs_kernel_NAND128_TE --chip 63268 --board "963168_VMG5313" --internalversion="1.00(AATS.1)C0" --externalversion="1.00(AATS.1)C0" --modelid="4517" --cmodelid="4517" --cfefile /home/danijel/src/vmg5313/bcm963xx_4.12L.06B_consumer_release/bcm963xx_router/targets/cfe/cfe63268nand128_TE.bin --imgdefaultfile="config.rom" --romdsig 0 --romdfile="" --rootfsfile rootfs128kb.img --include-cfe

 ######build_image : IMAGE_BASE[bfc00000]##
 ######build_image : fskerneladdr[bfc20000]##

19 85 e0 1 0 0 0 2b 
3e 42 24 27 0 0 0 1 
0 0 0 0 0 0 0 2 
57 dd 41 ee 3 4 0 0 
7d b1 ee 2c 55 66 83 ff 
62 69 6e 0 19 85 e0 2 
0 0 0 44 a4 ef 22 3e 
0 0 0 2 0 0 0 1 
 ######build_image : fsCrc[11be27]##tagVersion 6
signiture_1 MSTC_4517
signiture_2 ver. 2.0
chipId 63268
boardId 963168_VMG5313
bigEndian 1
totalImageLen 23330816
cfeAddress 3217031168, 0xBFC00000
cfeLen 131072
rootfsAddress 3217293312, 0xBFC20000
rootfsLen 23199744
kernelAddress 0, 0xC1240000
kernelLen 0
tagValidationToken [27be1100]
imgdefLen 21767
imgDef imageValidationToken 7b7edc84
imgDef tagValidationToken a090ba61
romdLen 
signatureRomd 
romd imageValidationToken ffffffff
romd tagValidationToken f5a834a1
bcmZyNandImageBuilder
    Model Id                      : 4517
    Custom Model Id               : 4517
    CFE image size                : 131072
    File tag size                 : 256
    Root filesystem image size    : 23199744
    ImageDefault image size       : 21767
    ROM-D signature               : 0
    Combined image file size      : 23352903

/home/danijel/src/vmg5313/bcm963xx_4.12L.06B_consumer_release/bcm963xx_router/hostTools/createZyNandimg --boardid="963168_VMG5313" --voiceboardid="ZL88601" --numbermac=12 --macaddr="CC:5D:4E:00:00:01" --countrycode="FF" --tp=0 --psisize=128 --gponsn= --gponpw= --backuppsi="" --inputfile=bcmVMG5313-B30A_cfe_fs_kernel_NAND128_TE --outputfile=bcmVMG5313-B30A_flash_image_"963168_VMG5313"_NAND128_TE
createimg: Creating image with the following inputs:
    Board id                : 963168_VMG5313
    Voice board id          : ZL88601
    Number of Mac Addresses : 12
    Base Mac Address:       : CC:5D:4E:00:00:01
    Country Code:           : ff
    Main Thread Number:     : 0
    PSI Size:               : 128
    USING BACKUP PSI:       : 0
    Input File Name         : bcmVMG5313-B30A_cfe_fs_kernel_NAND128_TE
    Output File Name        : bcmVMG5313-B30A_flash_image_963168_VMG5313_NAND128_TE

    Image components offsets
    cfe offset              : 0xbfc00000    -- Length: 131072
    file tag offset         : 0xbfc20000    -- Length: 131072
    rootfs offset           : 0xbfc40000    -- Length: 23199744
    imgdef offset           : 0xc1260020    -- Length: 21767

    rom-d offset            : 0xc1265527    -- Length: 0

    The size of the entire flash image is 23483687 bytes.
    The flash space remaining for a 2 MB flash part: -21386535 bytes.
    The flash space remaining for a 4 MB flash part: -19289383 bytes.

    bcmVMG5313-B30A_flash_image_963168_VMG5313_NAND128_TE flash image file is
    successfully created.

ima_len_no_oob 22935
#########################################
~~~~~the NAND information below list~~~~~
#########################################
the NAND_FLASH name is bcmVMG5313-B30A_flash_image_963168_VMG5313_NAND128_TE
the NAND_FLASH product version is 1.00(AATS.1)C0
the NAND_FLASH image version is 160917
the NAND_FLASH start_addr is 0x0
the NAND_FLASH system type is jffs2
the NAND_FLASH imgSize is 23483687
the NAND_FLASH imgQty is 1
the NAND_FLASH cleanmark is on
the NAND_FLASH partition size is 134217728
the NAND_FLASH page size is 2048
the NAND_FLASH oob size is 64
the NAND_FLASH block size is 128K
the NAND_FLASH oob placement is brcom
the NAND_FLASH oob ecc_algorithm is 512/3
the NAND_FLASH swap_flag is 0
the NAND_FLASH allow_bad_blocks is 512
addvtoken: Output file size = 23483707 with image crc = 0x47591f18

Done! Image VMG5313-B30A has been built in /home/danijel/src/vmg5313/bcm963xx_4.12L.06B_consumer_release/bcm963xx_router/targets/VMG5313-B30A.

So, the kernel is vmlinux.lz file placed on rootfs, and bcmZyNandImageBuilder and createZyNandimg tools do their magic to place the kernel correctly and indicate it in image header, which can't be read with any of the available tools.
Example:

Broadcom Consumer Router Firmware Header Dump
Version: 1.05
Copyright 2015-2016 TJ <hacker@iam.tj>
Licensed on the terms of the GNU General Public License version 3

Header Offset: 0x00000000 (0)
Image Offset:  0x00020000 (131072)
0000 Tag Version: 
0004 Signature 1:  (Model: )
0018 Signature 2: �
0026 Chip ID: 
002c Board ID: 
003c Big Endian: No
003e Image Len: 2x� (0x00000002)
0048 CFE Address: � (0x00000000)
0054 CFE Len: � (0x00000000)
005e Root FS Address: %
                       � (0x00000000)
� (0x00000000)n: 
0074 Kernel Address:  (0x00000000)
0080 Kernel Len:  (0x00000000)
008a Image Sequence: �$� !<� (0x00000000)
008e External Version:  !<�
00ae Internal Version: �!<�
00ce Image Next: 0
00d8 Image Validation Token: 0x3c1b8000
00ec Tag Validation Token:   0x04110001
     Calculated Image CRC32: 0x373a7c75
     Calculated Tag   CRC32: 0x1ffd2e13

Any clues or ideas, anyone?

Post #2

danijel.tudek

18 Sep 2016, 17:13

I added the board to the device tree and after disabling bcm63xx GPIO, the kernel gets to the point where it tries to open rootfs.

I also had to fix boot address to correctly read board ID in NVRAM. It's 0xB0000000, while it's 0xB8000000 on any other board. Flashing different CFE didn't change this.

0x80010000/4132276 0x80400db4/1308772 Entry at 0x80015020
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found.
Closing DMA Channels.
Starting program at 0x80015020
[    0.000000] Linux version 4.1.23 (danijel@server) (gcc version 5.3.0 (OpenWrt GCC 5.3.0 r49395) ) #15 Sun Sep 18 16:10:12 UTC 2016
[    0.000000] Detected Broadcom 0x63268 CPU revision d0
[    0.000000] CPU frequency is 400 MHz
[    0.000000] 128MB of RAM installed
[    0.000000] board_bcm963xx: Boot address 0xb0000000
[    0.000000] board_bcm963xx: CFE version: unknown
[    0.000000] bcm63xx_nvram: nvram checksum failed, contents may be invalid (expected 228242a2, got ad9c31c0)
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0002a080 (Broadcom BMIPS4350)
[    0.000000] board: board name: 963168_VMG5313
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
[    0.000000] Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line:  root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Memory: 124508K/131072K available (2954K kernel code, 136K rwdata, 712K rodata, 1308K init, 193K bss, 6564K reserved, 0K cma-reserved)
[    0.000000] NR_IRQS:256
[    0.000000] clocksource MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 9556302233 ns
[    0.000014] sched_clock: 32 bits at 200MHz, resolution 5ns, wraps every 10737418237ns
[    0.008554] Calibrating delay loop... 397.82 BogoMIPS (lpj=795648)
[    0.046812] pid_max: default: 32768 minimum: 301
[    0.052081] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.058857] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.070981] clocksource jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.082235] NET: Registered protocol family 16
[    0.089203] unsupported NAND flash detected
[    0.111906] Switched to clocksource MIPS
[    0.118668] NET: Registered protocol family 2
[    0.124904] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.132130] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.138684] TCP: Hash tables configured (established 1024 bind 1024)
[    0.145550] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.151590] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.158580] NET: Registered protocol family 1
[    0.164844] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.178278] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.184302] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.196854] io scheduler noop registered
[    0.200897] io scheduler deadline registered (default)
�[    0.216589] console [ttyS0] enabled MMIO 0xb0000180 (irq = 13, base_baud = 1562500) is a bcm63xx_uart
[    0.216589] console [ttyS0] enabled
[    0.223719] bootconsole [early0] disabled
[    0.223719] bootconsole [early0] disabled
[    0.236887] bcm63xx-spi bcm63xx-spi: at 0xb0000800 (irq 88, FIFOs size 542)
[    0.280522] b53_common: found switch: BCM63xx, rev 0
[    0.285986] bcm63xx-wdt bcm63xx-wdt:  started, timer margin: 30 sec
[    0.293712] NET: Registered protocol family 10
[    0.302241] NET: Registered protocol family 17
[    0.306911] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[    0.319916] 8021q: 802.1Q VLAN Support v1.8
[    0.327728] VFS: Cannot open root device "mtdblock2" or unknown-block(0,0): error -6
[    0.335710] Please append a correct "root=" boot option; here are the available partitions:
[    0.344274] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[    0.353756] ---[ end Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)

Any ideas why CFE hangs when I try to load anything other than "vmlinux.debug" and "vmlinux.elf"?
It just gets stuck on this:

Wait for Multiboot Service Packet...  1
 Port 0 link UP 
 0
0x80010000/8196020 HELO

UPDATE:
So, it seems that my CFE likes only elf images. However, it still can't load those with initramfs:

Wait for Multiboot Service Packet...  1
 Port 0 link UP 
 0
0x80010000/5355532 0x8052b80c/1265164

(Last edited by danijel.tudek on 18 Sep 2016, 18:02)

Post #3

kmottershead

21 Sep 2016, 06:36

It has been a while since I worked on building a new image so take this with a grain of salt...

Could the panic be caused by mtd blocks not defined properly? I can't seem to post links, but there was a thread I followed about booting on a Zyxel Q1000Z / P-870HNU-51c that really helped when I was getting OpenWrt to boot my Zyxel VSG1432. Are you building your own image? I seem to remember changing the mtd0 from 0x010000 to 0x020000 or something like that in the patch file.

Post #4

danijel.tudek

29 Sep 2016, 07:41

Thanks for the reply.
I didn't build any images yet because there are a lot of problems to resolve before trying to flash any images. Right now I'm loading zImage via tftp.

The biggest problem is that I didn't find any recent OpenWrt kernels which support NAND flash. This ZyXEL is using NAND flash exclusively, and the kernel will just fail with "unsupported NAND flash detected" if it doesn't find SPI or NOR flash, although wiki states that bcm63xx NAND is supported since kernel 4.2.

The discussion might have continued from here.

Page 1 of 1