1 (edited by olegi 2006-02-08 20:34:24)

Topic: GN-B49G hacking ...

I have such a device, based on the Brecis (PMC-Sierra) MSP2006 MIPS32 4Km processor (Linksys' Broadcom uses a 4Kc). Trying to play with it.

There is a console port inside the GN-B49G on which it is possible to test your own programs after uploading them. Unfortunately, this device uses bbload instead of PMON (as in Linksys and Asus). This is due to the little flash: just 2 MB. BBLOAD takes 16 KB, PMON takes ~200 KB.
Thus, if your own kernel or root filesystem does not work, the device will be bricked. So the EJTAG interface is needed for safe testing. Luckily, the GN-B49G has an EJTAG 2.6 14-pin interface pinout inside, like Linksys.

1 TRST (square pin) 2 GND
3 TDI 4 Not Connected
5 TDO 6 GND
7 TMS 8 GND
9 TCK 10 GND
11 RESET 12 Not Connected
13 DINT 14 VCC

I have used a standard Xilinx DLC5 cable ("5 resistors"):

LPT ----------- EJTAG
2  <- 100Ω -> 3 (TDI)
3  <- 100Ω -> 9 (TCK)
4  <- 100Ω -> 7 (TMS)
13 <- 100Ω -> 5 (TDO)
20,25,GND <------> 6 (GND)
               on the JTAG side connect pins 1 <-100Ω-> 14

http://openwince.sourceforge.net/jtag/iPAQ-3600/images/interface.png
http://openwince.sourceforge.net/jtag/iPAQ-3600/images/14.jpg

Then I used the jtag-0.6 utility http://www.amelek.gda.pl/rtl8181/jtag/ (patched by Marek: he added EJTAG support and wrote descriptors for 3 MIPS32 CPUs).

Example of a session without a CPU data descriptor, because there is no BSDL descriptor for the MSP-2006. The commands below give the info needed to write your own descriptor:

jtag> cable parallel 0x378 DLC5
Initializing Xilinx DLC5 JTAG Parallel Cable III on parallel port at 0x378
jtag> detect
IR length: 5
Chain length: 1
Device Id: 00010000001000000010001011100001
  Unknown manufacturer!
chain.c(110) Part 0 without active instruction
chain.c(133) Part 0 without active instruction
chain.c(110) Part 0 without active instruction
jtag> instruction length 5
jtag> register IMP 32
jtag> instruction IMPCODE 00011 IMP
jtag> instruction IMPCODE
jtag> shift ir
jtag> shift dr
jtag> dr
01000001000000000100000000000000
jtag> discovery
Detecting IR length ... 5
Detecting DR length for IR 11111 ... 1
Detecting DR length for IR 00000 ... 1
Detecting DR length for IR 00001 ... 32
Detecting DR length for IR 00010 ... 1
Detecting DR length for IR 00011 ... 32
Detecting DR length for IR 00100 ... 1
Detecting DR length for IR 00101 ... 1
Detecting DR length for IR 00110 ... 1
Detecting DR length for IR 00111 ... 1
Detecting DR length for IR 01000 ... 32
Detecting DR length for IR 01001 ... 32
Detecting DR length for IR 01010 ... 32
Detecting DR length for IR 01011 ... 96
Detecting DR length for IR 01100 ... 1
Detecting DR length for IR 01101 ... 1
Detecting DR length for IR 01110 ... 33
Detecting DR length for IR 01111 ... 1
Detecting DR length for IR 10000 ... 1
Detecting DR length for IR 10001 ... 1
Detecting DR length for IR 10010 ... 1
Detecting DR length for IR 10011 ... 1
Detecting DR length for IR 10100 ... 1
Detecting DR length for IR 10101 ... 1
Detecting DR length for IR 10110 ... 1
Detecting DR length for IR 10111 ... 1
Detecting DR length for IR 11000 ... 1
Detecting DR length for IR 11001 ... 1
Detecting DR length for IR 11010 ... 1
Detecting DR length for IR 11011 ... 1
Detecting DR length for IR 11100 ... 1
Detecting DR length for IR 11101 ... 1
Detecting DR length for IR 11110 ... 1
jtag> instruction length 5
jtag> register ECR 32
jtag> instruction CONTROL 01010 ECR
jtag> instruction CONTROL
jtag> shift ir
jtag> shift dr
jtag> dr
01000000000001001100000000001000

01000001000000000100000000000000 means:
bit 14 - "No EJTAG DMA support" - very bad, the only method of flashing is PrAcc. That's why an EJTAG driver is needed; simple JTAG is not sufficient. The WRT debrick utility uses the DMA method, because Broadcom CPUs support it (they use the EJTAG 2.0 standard, where the DMA method is obligatory).
bit 16 - MIPS16e not supported
bit 24 - DINTsup 1, supported
bits 29-31 - EJTAGver, version 2.6

So here is a little info for writing the description file for the Brecis MSP2006. From the "Device Id:" string above:
1) add the string "00101110000 brecis Brecis (PMC-Sierra)" to data/MANUFACTURERS
2) create a data/brecis/PARTS file which contains the string:
0000001000000010 msp2006 MSP2006
3) create a data/brecis/msp2006/steppings file with the string:
0001 msp2006 1
4) From the Linux sources it is identified as big endian; from "IR length:" I have the instruction length. Create the data/brecis/msp2006/msp2006 file (it describes the commands which the EJTAG driver will use to control the CPU), which contains:

register    BR         1
register    BSR         1
register    DIR        32
register    EJIMPCODE    32
register    EJADDRESS    32
register    EJDATA        32
register    EJCONTROL    32
register    EJALL        96
register    EJFASTDATA    33
instruction length 5
instruction    BYPASS        11111    BR
instruction    SAMPLE/PRELOAD    00010    BSR
instruction    IDCODE        00001    DIR
instruction    EJTAG_IMPCODE    00011    EJIMPCODE
instruction    EJTAG_ADDRESS    01000    EJADDRESS
instruction    EJTAG_DATA    01001    EJDATA
instruction    EJTAG_CONTROL    01010    EJCONTROL
instruction    EJTAG_ALL    01011    EJALL
instruction    EJTAGBOOT    01100    BR
instruction    NORMALBOOT    01101    BR
instruction    EJTAG_FASTDATA    01110    EJFASTDATA
initbus ejtag
endian big

Commands which show how to successfully read the full flash. I have verified it by comparison with the kernel, file system, romdisk and defaultmac parts of the firmware which I had uploaded to the router via the official web interface.

jtag> detect
IR length: 5
Chain length: 1
Device Id: 00010000001000000010001011100001
  Manufacturer: Brecis (PMC-Sierra)
  Part:         MSP2006
  Stepping:     1
  Filename:     /usr/local/share/jtag/brecis/msp2006/msp2006

jtag> detectflash 0x3fc00000
ImpCode=01000001000000000100000000000000
EJTAG version: 2.6
EJTAG Implementation flags: R4k DINTsup NoDMA MIPS32
Query identification string:
        Primary Algorithm Command Set and Control Interface ID Code: 0x0002 (AMD/Fujitsu Standard Command Set)
        Alternate Algorithm Command Set and Control Interface ID Code: 0x0000 (null)
Query system interface information:
        Vcc Logic Supply Minimum Write/Erase or Write voltage: 2700 mV
        Vcc Logic Supply Maximum Write/Erase or Write voltage: 3600 mV
        Vpp [Programming] Supply Minimum Write/Erase voltage: 0 mV
        Vpp [Programming] Supply Maximum Write/Erase voltage: 0 mV
        Typical timeout per single byte/word program: 16 us
        Typical timeout for maximum-size multi-byte program: 0 us
        Typical timeout per individual block erase: 1024 ms
        Typical timeout for full chip erase: 0 ms
        Maximum timeout for byte/word program: 512 us
        Maximum timeout for multi-byte program: 0 us
        Maximum timeout per individual block erase: 16384 ms
        Maximum timeout for chip erase: 0 ms
Device geometry definition:
        Device Size: 2097152 B (2048 KiB, 2 MiB)
        Flash Device Interface Code description: 0x0002 (x8/x16)
        Maximum number of bytes in multi-byte program: 1
        Number of Erase Block Regions within device: 4
        Erase Block Region Information:
                Region 0:
                        Erase Block Size: 16384 B (16 KiB)
                        Number of Erase Blocks: 1
                Region 1:
                        Erase Block Size: 8192 B (8 KiB)
                        Number of Erase Blocks: 2
                Region 2:
                        Erase Block Size: 32768 B (32 KiB)
                        Number of Erase Blocks: 1
                Region 3:
                        Erase Block Size: 65536 B (64 KiB)
                        Number of Erase Blocks: 31
jtag> readmem 0x3fc00000 0x200000 fullflash.bin
address: 0x3FC00000
length:  0x00200000
reading:
addr: 0x3FE00000
Done.

I have downloaded the flash image to the file fullflash.bin. It contains:
from offset 0xCBC - bbload
0x6000 - defaultmac.dat
0x8000 - ROMFS
0x10000 - kernel
0xF0000 - fs

Trying to write to flash:

jtag> readmem 0x3fc09000 0x1000 9000.bin
address: 0x3FC09000
length: 0x00001000
reading:
addr: 0x3FC0A000
Done.
jtag> flashmem 0x3fc09000 9000.bin
Chip: AMD Flash
Manufacturer: Unknown manufacturer (ID 0x3c1a)
Chip: Unknown (ID 0xbfc0)
Protected: 005a
program:
addr: 0x3FC09000
flash error

The manufacturer ID is shown as 3c1a; it must be 0001. The chip ID is shown as bfc0; it must be 2249 (which is correct for the AM29LV160DB chip). And there is an erroneous status "Protected 005a" instead of "Protected 0". The program reads the beginning of the flash. It seems the flash does not correctly recognize commands, for some strange reason.
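As an added example (not code from olegi's post and not part of jtag-tools), the following Python splits the two 32-bit values the post decodes by hand, the IDCODE printed by `detect` and the IMPCODE read with the `dr` command, into their fields, and prints the MANUFACTURERS/PARTS/steppings lines the post derives from them. The bit positions are those of IEEE 1149.1 (IDCODE) and the MIPS EJTAG specification (IMPCODE); the line format simply mirrors what the post shows, and the function and variable names are the example's own.

```python
"""Decode the JTAG IDCODE and EJTAG IMPCODE values from the post.

Added example, not part of olegi's post or the jtag-tools sources.
IDCODE layout per IEEE 1149.1, IMPCODE flags per the EJTAG spec.
"""

# Values exactly as printed by `detect` and `dr` in the post.
IDCODE_BITS = "00010000001000000010001011100001"
IMPCODE_BITS = "01000001000000000100000000000000"

# EJTAGver field (bits 31:29) -> specification version, per the EJTAG spec.
EJTAG_VERSIONS = {0: "1.x/2.0", 1: "2.5", 2: "2.6", 3: "3.1", 4: "4.0", 5: "5.0"}


def bits(value: int, hi: int, lo: int) -> int:
    """Return bits hi..lo (inclusive) of value; bit 31 is the first character."""
    return (value >> lo) & ((1 << (hi - lo + 1)) - 1)


def decode_idcode(bit_string: str) -> dict:
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields.

    [31:28] version, [27:12] part number, [11:1] JEDEC manufacturer code,
    [0] always 1.  Fields are returned as the fixed-width bit strings that
    the jtag-tools data files use.
    """
    v = int(bit_string, 2)
    if v & 1 != 1:
        raise ValueError("IDCODE LSB must be 1 (a 0 here means a BYPASS bit)")
    return {
        "version": format(bits(v, 31, 28), "04b"),
        "part": format(bits(v, 27, 12), "016b"),
        "manufacturer": format(bits(v, 11, 1), "011b"),
    }


def decode_impcode(bit_string: str) -> dict:
    """Decode the EJTAG IMPCODE flags the post discusses."""
    v = int(bit_string, 2)
    return {
        "ejtag_version": EJTAG_VERSIONS.get(bits(v, 31, 29), "reserved"),
        "r3k": bool(bits(v, 28, 28)),          # 0 = R4k-style privileged env
        "dint_supported": bool(bits(v, 24, 24)),
        "mips16e": bool(bits(v, 16, 16)),
        "dma_supported": not bits(v, 14, 14),  # bit 14 is NoDMA
        "mips64": bool(bits(v, 0, 0)),         # 0 = MIPS32
    }


def descriptor_lines(idcode: dict, mfg_short: str, mfg_long: str,
                     part_short: str, part_long: str) -> dict:
    """Build the lines the post adds to the jtag-tools data files."""
    return {
        "data/MANUFACTURERS": f"{idcode['manufacturer']} {mfg_short} {mfg_long}",
        f"data/{mfg_short}/PARTS": f"{idcode['part']} {part_short} {part_long}",
        f"data/{mfg_short}/{part_short}/steppings":
            f"{idcode['version']} {part_short} {int(idcode['version'], 2)}",
    }


def summarize(impcode: dict) -> str:
    """Mirror the implementation-flags line jtag-tools prints after detectflash."""
    flags = [
        "R3k" if impcode["r3k"] else "R4k",
        "DINTsup" if impcode["dint_supported"] else "",
        "MIPS16e" if impcode["mips16e"] else "",
        "" if impcode["dma_supported"] else "NoDMA",
        "MIPS64" if impcode["mips64"] else "MIPS32",
    ]
    return " ".join(f for f in flags if f)


if __name__ == "__main__":
    idc = decode_idcode(IDCODE_BITS)
    lines = descriptor_lines(idc, "brecis", "Brecis (PMC-Sierra)", "msp2006", "MSP2006")
    for path, line in lines.items():
        print(f"{path}: {line}")
    imp = decode_impcode(IMPCODE_BITS)
    print("EJTAG version:", imp["ejtag_version"])
    print("EJTAG Implementation flags:", summarize(imp))
    if not imp["dma_supported"]:
        print("No DMA: memory access must go through PrAcc, so an EJTAG-aware driver is required.")
```

Running it reproduces the three data-file lines from the post and the flag line "R4k DINTsup NoDMA MIPS32" that `detectflash` prints, which is a quick way to check a hand-written descriptor against what the chip actually reports before trusting it for flash access.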

2 (edited by olegi 2006-02-08 20:36:15)

Re: GN-B49G hacking ...

Have successfully flashed the device. It is now possible to safely develop custom firmware.

jtag> detect
jtag> detectflash 0x1fc00000
jtag> readmem 0x1fc09000 0x10 9000-5.bin
jtag> flashmem 0x1fc09000 9000-5.bin
bus_write: adr=0x1fc00aaa data=0x00aa00aa
bus_write: adr=0x1fc00554 data=0x00550055
bus_write: adr=0x1fc00aaa data=0x00900090
bus_read_start: adr=0x1fc00000
bus_read_end: data=0x00000001
bus_read_start: adr=0x1fc00002
bus_read_end: data=0x00000049
bus_read_start: adr=0x1fc00004
bus_read_end: data=0x00000000
bus_write: adr=0x1fc00000 data=0x00f000f0
Chip: AMD Flash
        Manufacturer: AMD
        Chip: Unknown (ID 0x0049)
        Protected: 0000
program:
flash_unlock_block 0x1FC09000 IGNORE
 
block 3 unlocked
flash_erase_block 0x1FC09000
bus_write: adr=0x1fc00aaa data=0x00aa00aa
bus_write: adr=0x1fc00554 data=0x00550055
bus_write: adr=0x1fc00aaa data=0x00800080
bus_write: adr=0x1fc00aaa data=0x00aa00aa
bus_write: adr=0x1fc00554 data=0x00550055
bus_write: adr=0x1fc09000 data=0x00300030
bus_read_start: adr=0x1fc09000
bus_read_end: data=0x0000004c
...
flash_erase_block 0x1FC09000 DONE
bus_write: adr=0x1fc00000 data=0x00f000f0
erasing block 3: 0
bus_write: adr=0x1fc00aaa data=0x00aa00aa
bus_write: adr=0x1fc00554 data=0x00550055
bus_write: adr=0x1fc00aaa data=0x00a000a0
bus_write: adr=0x1fc09000 data=0x000000ff
bus_read_start: adr=0x1fc09000
bus_read_end: data=0x000000ff
bus_read_start: adr=0x1fc09000
bus_read_end: data=0x000000ff
bus_write: adr=0x1fc00aaa data=0x00aa00aa
bus_write: adr=0x1fc00554 data=0x00550055
bus_write: adr=0x1fc00aaa data=0x00a000a0
bus_write: adr=0x1fc09001 data=0x000000ff
bus_read_start: adr=0x1fc09001
bus_read_end: data=0x000000ff
bus_read_start: adr=0x1fc09001
bus_read_end: data=0x000000ff
bus_write: adr=0x1fc00aaa data=0x00aa00aa
bus_write: adr=0x1fc00554 data=0x00550055
bus_write: adr=0x1fc00aaa data=0x00a000a0
bus_write: adr=0x1fc09002 data=0x00000011
bus_read_start: adr=0x1fc09002
bus_read_end: data=0x00000011
bus_read_start: adr=0x1fc09002
bus_read_end: data=0x00000011
addr: 0x1FC09010 (done)
bus_write: adr=0x1fc00000 data=0x00f000f0
verify:
bus_read_start: adr=0x1fc09000
bus_read_end: data=0x000000ff
bus_read_start: adr=0x1fc09001
bus_read_end: data=0x000000ff
bus_read_start: adr=0x1fc09002
bus_read_end: data=0x00000011
 
Done.

Sources of the flasher (it is jtag-tools): http://star.oai.pp.ru/jtag/jtag-brecis-ok.zip
The JTAG driver was written by Marek Michalkiewicz http://www.amelek.gda.pl/rtl8181/jtag/ ; I just made little changes.
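The second post's `flashmem` trace and the erase-block geometry that `detectflash` printed in the first post together raise a caveat worth making explicit: a 16-byte write at 0x1fc09000 is preceded by a sector erase of the whole block containing it, and in this layout that block (block 3, 0x8000-0xFFFF) is where the ROMFS lives. The Python below is an added example, not code from the posts or from jtag-tools: it decodes `bus_write` lines into AMD/Fujitsu command-set events (unlock, autoselect, sector erase, program, reset), expands the four CFI erase-block regions from the first post into block boundaries, and reports which image parts from the post's layout each erase wipes. Assumptions: the flash is driven on byte addresses (unlock cycles at 0xAAA/0x554 as in the trace), the base is 0x1fc00000, and the trace lines are copied from the second post.

```python
"""Decode a jtag-tools bus trace into AMD command-set events and map each
erase to a CFI erase block.  Added example, not code from the posts or
from jtag-tools.  Base address, regions and image layout come from the
posts; the flash is assumed to be in x8 mode (byte-address unlock cycles).
"""
import re

FLASH_BASE = 0x1FC00000
# (erase block size in bytes, number of blocks), in address order, as
# printed by `detectflash` in the first post.
ERASE_REGIONS = [(16384, 1), (8192, 2), (32768, 1), (65536, 31)]
DEVICE_SIZE = 0x200000
# Flash image layout listed in the first post (offsets from flash base).
IMAGE_LAYOUT = [(0xCBC, "bbload"), (0x6000, "defaultmac.dat"),
                (0x8000, "ROMFS"), (0x10000, "kernel"), (0xF0000, "fs")]

# Trace lines copied from the second post's flashmem output.
TRACE = """\
bus_write: adr=0x1fc00aaa data=0x00aa00aa
bus_write: adr=0x1fc00554 data=0x00550055
bus_write: adr=0x1fc00aaa data=0x00900090
bus_read_start: adr=0x1fc00000
bus_read_end: data=0x00000001
bus_read_start: adr=0x1fc00002
bus_read_end: data=0x00000049
bus_write: adr=0x1fc00000 data=0x00f000f0
bus_write: adr=0x1fc00aaa data=0x00aa00aa
bus_write: adr=0x1fc00554 data=0x00550055
bus_write: adr=0x1fc00aaa data=0x00800080
bus_write: adr=0x1fc00aaa data=0x00aa00aa
bus_write: adr=0x1fc00554 data=0x00550055
bus_write: adr=0x1fc09000 data=0x00300030
bus_write: adr=0x1fc00aaa data=0x00aa00aa
bus_write: adr=0x1fc00554 data=0x00550055
bus_write: adr=0x1fc00aaa data=0x00a000a0
bus_write: adr=0x1fc09000 data=0x000000ff
bus_read_start: adr=0x1fc09000
bus_read_end: data=0x000000ff
"""
WRITE_RE = re.compile(r"bus_write: adr=0x([0-9a-f]+) data=0x([0-9a-f]+)")


def erase_blocks():
    """Expand the CFI regions into (index, start offset, size) tuples."""
    blocks, offset = [], 0
    for size, count in ERASE_REGIONS:
        for _ in range(count):
            blocks.append((len(blocks), offset, size))
            offset += size
    return blocks


def block_for(offset):
    """Return (index, start, size) of the erase block containing offset."""
    for blk in erase_blocks():
        if blk[1] <= offset < blk[1] + blk[2]:
            return blk
    raise ValueError(f"offset 0x{offset:x} is outside the device")


def parts_in_range(start, end):
    """Names of image parts (post's layout) overlapping [start, end)."""
    hit = []
    for i, (off, name) in enumerate(IMAGE_LAYOUT):
        nxt = IMAGE_LAYOUT[i + 1][0] if i + 1 < len(IMAGE_LAYOUT) else DEVICE_SIZE
        if off < end and start < nxt:
            hit.append(name)
    return hit


def decode_trace(text):
    """Turn bus_write lines into command events; reads are just the tool polling."""
    events, st = [], 0   # st: position inside the AMD unlock/command sequence
    for m in WRITE_RE.finditer(text):
        off = int(m.group(1), 16) - FLASH_BASE
        data = int(m.group(2), 16) & 0xFF
        if st == 0 and off == 0xAAA and data == 0xAA:
            st = 1
        elif st == 1 and off == 0x554 and data == 0x55:
            st = 2
        elif st == 2 and off == 0xAAA and data == 0x90:
            events.append(("autoselect", None)); st = 0
        elif st == 2 and off == 0xAAA and data == 0x80:
            st = 3                     # erase setup: a second unlock pair follows
        elif st == 3 and off == 0xAAA and data == 0xAA:
            st = 4
        elif st == 4 and off == 0x554 and data == 0x55:
            st = 5
        elif st == 5 and data == 0x30:
            events.append(("sector_erase", off)); st = 0
        elif st == 2 and off == 0xAAA and data == 0xA0:
            st = 6                     # program setup: next write carries the data
        elif st == 6:
            events.append(("program", (off, data))); st = 0
        elif data == 0xF0:
            events.append(("reset", None)); st = 0
        else:
            events.append(("unexpected", (off, data))); st = 0
    return events


def erase_impact(events):
    """For each sector erase: (block index, start, end, image parts wiped)."""
    out = []
    for kind, arg in events:
        if kind == "sector_erase":
            idx, start, size = block_for(arg)
            out.append((idx, start, start + size, parts_in_range(start, start + size)))
    return out


if __name__ == "__main__":
    ev = decode_trace(TRACE)
    for e in ev:
        print(e)
    for idx, start, end, parts in erase_impact(ev):
        print(f"erase block {idx}: 0x{start:05x}-0x{end:05x} holds {parts}")
```

On the post's trace this reports `erase block 3: 0x08000-0x10000 holds ['ROMFS']`, matching the "block 3 unlocked" line, and it is the check to run before a partial `flashmem`: the data written back must cover the whole erase block (or be the block's own contents, as in the post's read-then-write test), otherwise the rest of that block is left erased.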

Re: GN-B49G hacking ...

Congrats olegi, nice job
I'm going to get one tomorrow, have you looked at its tarball already?

Re: GN-B49G hacking ...

At what price will you get it?

I have compiled firmware with a few little changes in busybox and the kernel; it works correctly. I was forced to remove the upnp executables; there is not much space. Gigabyte uses busybox 0.6, which does not contain telnetd. I plan to upgrade to busybox 1.1 when I have some free time.

5 (edited by wigyori 2006-02-08 19:50:37)

Re: GN-B49G hacking ...

I'm getting it second hand, at ~45 EUR. I plan to have a working environment first, then try to go for 2.6.15 support, at least up to a booting kernel. As I see, the devs reached a point that most of the packages compile with gcc4, resulting in smaller binaries, so I'll try to go for it.

6 (edited by olegi 2006-02-10 21:55:51)

Re: GN-B49G hacking ...

bbload and pmon sources with docs are available in the LevelOne FBR-1411TX sources: http://download.ddcasia.tw/level1/gpl/FBR-1411TX(GPL)_2005-11-29.zip