Topic: OpenWRT on BT Home Hub 2A

The content of this topic has been archived between 31 Mar 2018 and 16 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Page 1 of 2

Post #1

daemon123

30 Jun 2014, 06:31

Hi,
referering to pages

http://wiki.openwrt.org/toh/wip
http://www.psidoc.com/showthread.php/43 … me-Hub-2.0 (site down)
http://wiki.openwrt.org/toh/bt/homehub_v2a

specially the last link, where the details of the router is given, below the oem boot log there is OpenWRT boot log.

Starting the kernel @ 0x801f20b0 
memsize=0x3F7D000[    0.000000] Linux version 3.0.18 (user1@debian) (gcc version 4.5.4 20120201 (prerelease) (Linaro GCC 4.5-2012.02) ) #1 Sat Mar 24 09:57:43 GMT 2012
[    0.000000] Detected Broadcom 0x6358 CPU revision a1
[    0.000000] CPU frequency is 300 MHz
[    0.000000] 128MB of RAM installed
[    0.000000] registering 40 GPIOs
[    0.000000] enabling icache and dcache
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 0002a010 (Broadcom BMIPS4350)
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] User-defined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Zone PFN ranges:
[    0.000000]   Normal   0x00000000 -> 0x00004000
[    0.000000] Movable zone start PFN for each node
[    0.000000] early_node_map[1] active PFN ranges
[    0.000000]     0: 0x00000000 -> 0x00004000
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line: root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200 mem=64M
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Primary instruction cache 32kB, VIPT, 2-way, linesize 16 bytes.
[    0.000000] Primary data cache 16kB, 2-way, VIPT, cache aliases, linesize 16 bytes
[    0.000000] Memory: 62360k/65536k available (1957k kernel code, 3176k reserved, 327k data, 136k init, 0k highmem)
[    0.000000] NR_IRQS:128
[    0.000000] Calibrating delay loop... 298.32 BogoMIPS (lpj=1167360)
[    0.054687] pid_max: default: 32768 minimum: 301
[    0.054687] Mount-cache hash table entries: 512
[    0.070312] NET: Registered protocol family 16
[    0.093750] registering PCI controller with io_map_base unset
[    0.117187] bio: create slab <bio-0> at 0
[    0.140625] pci 0000:00:01.0: BAR 0: assigned [mem 0x30000000-0x30003fff]
[    0.148437] pci 0000:00:01.0: BAR 0: set to [mem 0x30000000-0x30003fff] (PCI address [0x30000000-0x30003fff])
[    0.156250] Switching to clocksource MIPS
[    0.164062] Switched to NOHz mode on CPU #0
[    0.171875] NET: Registered protocol family 2
[    0.171875] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.179687] TCP established hash table entries: 2048 (order: 2, 16384 bytes)
[    0.187500] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
[    0.195312] TCP: Hash tables configured (established 2048 bind 2048)
[    0.203125] TCP reno registered
[    0.203125] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.210937] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.218750] NET: Registered protocol family 1
[    0.234375] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.234375] JFFS2 version 2.2 (NAND) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.250000] msgmni has been set to 121
[    0.250000] io scheduler noop registered (default)
[    0.257812] bcm63xx_uart.0: ttyS0 at MMIO 0xfffe0100 (irq = 10) is a bcm63xx_uart
[    0.265625] console [ttyS0] enabled, bootconsole disabled
[    0.265625] console [ttyS0] enabled, bootconsole disabled
[    0.281250] gpiodev: gpio device registered with major 254
[    0.289062] bcm963xx-flash bcm963xx-flash.0: 0x01000000 at 0x1e000000
[    0.296875] bcm963xx: Found 1 x16 devices at 0x0 in 16-bit bank. Manufacturer ID 0x000020 Chip ID 0x00227e
[    0.312500] Amd/Fujitsu Extended Query Table at 0x0040
[    0.312500]   Amd/Fujitsu Extended Query version 1.3.
[    0.320312] number of CFI chips: 1
[    0.320312] bcm963xx_flash: Read Signature value of 
[    0.328125] bcm963xx_flash: assuming RedBoot bootloader
[    0.335937] bcm963xx_flash: Support extended flash 0x01000000 at 0xbe000000
[    0.343750] Searching for RedBoot partition table in bcm963xx at offset 0xfe0000
[    0.382812] Creating 5 MTD partitions on "bcm963xx":
[    0.390625] 0x000000000000-0x000000020000 : "RedBoot"
[    0.398437] 0x000000020000-0x000000100000 : "kernel_fs"
[    0.414062] 0x000000100000-0x000000320000 : "root_fs"
[    0.421875] 0x000000320000-0x000000fe0000 : "rootfs_data"
[    0.429687] 0x000000fe0000-0x000000fef000 : "FIS directory"
[    0.445312] bcm63xx-spi bcm63xx-spi.0: at 0xfffe0800 (irq 9, FIFOs size 542) v0.1.2
[    0.460937] bcm63xx_enet MII bus: probed
[    0.476562] input: gpio-buttons as /devices/platform/gpio-buttons.0/input/input0
[    0.484375] bcm63xx-wdt bcm63xx-wdt.0:  started, timer margin: 30 sec
[    0.515625] TCP cubic registered
[    0.515625] NET: Registered protocol family 17
[    0.523437] lib80211: common routines for IEEE802.11 drivers
[    0.539062] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[    0.546875] Freeing unused kernel memory: 136k freed
awk: /proc/cpuinfo: No such file or directory
[    3.703125] eth1: link forced UP - 100/full - flow control off/off
[    3.945312] roboswitch: Probing device eth0: 
[    3.945312] roboswitch: [/media/scratch/trunk-31059/build_dir/linux-brcm63xx/kmod-switch/switch-robo.c:121] SIOCGETCPHYRD failed!
[    3.960937] roboswitch: [/media/scratch/trunk-31059/build_dir/linux-brcm63xx/kmod-switch/switch-robo.c:121] SIOCGETCPHYRD failed!
[    3.968750] No Robo switch in managed mode found, phy_id = 0xffffffff
[    3.976562] roboswitch: Probing device eth1: found a 5325! It's a 5350.
- preinit -
Press the [f] key and hit [enter] to enter failsafe mode
- regular preinit -
[    9.984375] JFFS2 notice: (396) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
switching to jffs2
- init -

Please press Enter to activate this console. [   13.156250] Compat-wireless backport release: compat-wireless-2012-02-27-1-r31059
[   13.164062] Backport based on wireless-testing.git master-2012-02-27
[   13.250000] cfg80211: Calling CRDA to update world regulatory domain
[   14.281250] SCSI subsystem initialized
[   14.437500] cfg80211: World regulatory domain updated:
[   14.437500] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[   14.453125] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   14.460937] cfg80211:   (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[   14.468750] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[   14.476562] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   14.484375] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   14.789062] usbcore: registered new interface driver usbfs
[   14.796875] usbcore: registered new interface driver hub
[   14.804687] usbcore: registered new device driver usb
[   15.593750] Broadcom 43xx driver loaded [ Features: PL ]
[   15.804687] Button Hotplug driver version 0.4.1
[   16.742187] NTFS driver 2.1.30 [Flags: R/O MODULE].
[   17.132812] loop: module loaded
[   17.804687] ip_tables: (C) 2000-2006 Netfilter Core Team
[   18.601562] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[   18.609375] bcm63xx_ehci bcm63xx_ehci.0: BCM63XX integrated EHCI controller
[   18.617187] bcm63xx_ehci bcm63xx_ehci.0: new USB bus registered, assigned bus number 1
[   18.656250] bcm63xx_ehci bcm63xx_ehci.0: irq 18, io mem 0xfffe1300
[   18.671875] bcm63xx_ehci bcm63xx_ehci.0: USB 2.0 started, EHCI 1.00, overcurrent ignored
[   18.679687] hub 1-0:1.0: USB hub found
[   18.687500] hub 1-0:1.0: 2 ports detected
[   18.882812] nf_conntrack version 0.5.0 (976 buckets, 3904 max)
[   20.664062] xt_time: kernel timezone is -0000
[   21.375000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[   21.382812] bcm63xx_ohci bcm63xx_ohci.0: BCM63XX integrated OHCI controller
[   21.390625] bcm63xx_ohci bcm63xx_ohci.0: new USB bus registered, assigned bus number 2
[   21.398437] bcm63xx_ohci bcm63xx_ohci.0: irq 13, io mem 0xfffe1400
[   21.476562] hub 2-0:1.0: USB hub found
[   21.484375] hub 2-0:1.0: 1 port detected
[   21.539062] Initializing USB Mass Storage driver...
[   21.539062] usbcore: registered new interface driver usb-storage
[   21.546875] USB Mass Storage support registered.
[   32.507812] bcm63xx_enet bcm63xx_enet.0: attached PHY at address 1 [Broadcom BCM63XX (2)]


BusyBox v1.19.4 (2012-03-23 20:38:41 GMT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 ATTITUDE ADJUSTMENT (bleeding edge, r31059) ----------
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice
 -----------------------------------------------------
root@OpenWrt:/#

and here is the interesting bit

[    0.382812] Creating 5 MTD partitions on "bcm963xx":
[    0.390625] 0x000000000000-0x000000020000 : "RedBoot"
[    0.398437] 0x000000020000-0x000000100000 : "kernel_fs"
[    0.414062] 0x000000100000-0x000000320000 : "root_fs"
[    0.421875] 0x000000320000-0x000000fe0000 : "rootfs_data"
[    0.429687] 0x000000fe0000-0x000000fef000 : "FIS directory"

[ 0.390625] 0x000000000000-0x000000020000 : "RedBoot"

it is using redboot, but i cannot find any link for the redboot or instructions for flashing OpenWRT.

P.S.
I can JTAG to router

Post #2

daemon123

11 Jul 2014, 16:55

bumping

anyone ?

Post #3

danitool

12 Jul 2014, 11:16

It isn't using RedBoot, the person who was able to boot OpenWrt in the Homehub2a just created a fake redboot partition table using the original bootloader. He didn't go further due several drawbacks.

I think to boot CFE in this router is possible. The HG556a CFE may work with this router. Also there are chances to build a CFE specific for this board with its own board ID. I don't own this router so I can't test it.

Backup the Homehube bootloader and give the HG556a CFE a try.
https://docs.google.com/uc?export=downl … UdIOExiRzg

Post #4

daemon123

12 Jul 2014, 16:26

thanks for replying,

i tried a few cfes from hg553, but it gave flash id not supported, as strangely enough i have a BT HH2A with differnt flash chip.

will try the CFE you provided, and will report here,
here is the bootlog of my BT HH 2A

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.06.28 19:37:12 =~=~=~=~=~=~=~=~=~=~=~=
DDR2 test...
VCDL test

Decompressing Bootloader................................

Version BL: 1.1.1
Reading cpu info...........bcm96358 tp0 revision 1
MIPS is in Big endian mode 
Icache : 32Kb         Icachelinesize : 16 bytes 
Dcache : 16Kb          Dcachelinesize : 16 bytes 
BCM config reg CP0 : e30e1006 
        Instruction cache enabled
        Data cache enabled
        Data cache is nonblocking
C0_CONFIG reg = 80008083
        standard TLB config
        Cacheable, write-back

Multicore enable; Booting Linux kernel

pfuncjmp = A0001840
Reading cpu info...........bcm96358 tp0 revision 1
MIPS is in Big endian mode 
Icache : 16Kb         Icachelinesize : 16 bytes 
Dcache : 16Kb          Dcachelinesize : 16 bytes 
BCM config reg CP0 : 230e1006 
        Data cache is nonblocking
C0_CONFIG reg = 80008082
        standard TLB config
        Noncacheable


JTAG select tp0
BOOTING THE THOMSON LINUX KERNEL

Starting the kernel @ 0x801ea018 
memsize=0x3F7D000serial initialized
Linux version 2.6.8.1 (buildmgm@edgmwbuild07.edegem.eu.thmulti.com) (gcc version 3.4.6) #1 Fri Apr 15 07:39:12 CEST 2011

CPU revision is: 0002a010

bcm63xx : initiazation of mpi bus ...............

Determined physical RAM map:

 memory: 03f7d000 @ 00002000 (usable)

On node 0 totalpages: 16255

  DMA zone: 4096 pages, LIFO batch:1

  Normal zone: 12159 pages, LIFO batch:2

  HighMem zone: 0 pages, LIFO batch:1

Built 1 zonelists

Kernel command line: root=/dev/mtdblock1 rootfstype=squashfs

brcm mips: enabling icache and dcache...

Primary instruction cache 32kB, physically tagged, 2-way, linesize 16 bytes.

Primary data cache 16kB 2-way, linesize 16 bytes.

PID hash table entries: 256 (order 8: 2048 bytes)

Using 150.000 MHz high precision timer.

Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)

Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)

Allocating memory for DSP module core and initialization code

Allocated DSP module memory - CORE=0x81099bc0 SIZE=900000, INIT=0x81175760 SIZE=5000

Memory: 61336k/65012k available (1439k kernel code, 3608k reserved, 452k data, 68k init, 0k highmem)

Calibrating delay loop... 297.98 BogoMIPS

Mount-cache hash table entries: 512 (order: 0, 4096 bytes)

Checking for 'wait' instruction...  available.

NET: Registered protocol family 16

usbcore: registered new driver usbfs

usbcore: registered new driver hub

Bluetooth: Core ver 2.6

NET: Registered protocol family 31

Bluetooth: HCI device and connection manager initialized

Bluetooth: HCI socket layer initialized

inotify device minor=63

squashfs: version 3.3 (2007/10/31) Phillip Lougher

squashfs: LZMA suppport for slax.org by jro

JFFS2 version 2.2. (C) 2001-2003 Red Hat, Inc.

bcm963xx_serial driver v2.0

BTHub: initialize parser

Using noop io scheduler

Thomson Speedtouch flash mapping

flash: Found 1 x16 devices at 0x0 in 16-bit bank

 Amd/Fujitsu Extended Query Table at 0x0040

flash: CFI does not contain boot bank location. Assuming top.

number of CFI chips: 1

cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.

flash mapping initialized

parse_bthub_partitions (block_size: 131072)

bthub: user partition is created

bthub: header of CORE partition is detected

bthub: kernel is at offset (be1a001a), size (96a15)

corefs_pattern: info is at offset (bea03004), size (4) including a header of (4)

corefs_pattern: ds is at offset (bea03008), size (24) including a header of (4)

bthub: a signature has been stored

bthub: SquashFS is expected at be237000, found magic is 71736873

bthub: SquashFS (start: be237000, size 1e9000)

bthub: SquashFS is expected at be420000, found magic is 71736873

bthub: SquashFS (start: be420000, size 600000)

bthub: header of EXTENDED partitin is detected

extended_pattern: info is at offset (bea22004), size (4) including a header of (4)

extended_pattern: ds is at offset (bea22008), size (24) including a header of (4)

bthub: a signature has been stored

bthub: SquashFS is expected at bea21000, found magic is 71736873

bthub: SquashFS (start: bea21000, size 1f000)

bthub mtd: user (be020000, 160000), write(1), sdram(0)

bthub mtd: rootfs (be420000, 600000), write(0), sdram(0)

bthub mtd: modfs (be237000, 1e9000), write(0), sdram(0)

bthub mtd: extfs (bea21000, 1f000), write(0), sdram(0)

bthub mtd: extended (bea20000, 5e0000), write(1), sdram(0)

bthub mtd: flash (be000000, 1000000), write(1), sdram(0)

PT: creating a tree under /proc...

   [ flash ]

     [ user ]

     [ core ]

       [ corefs ]

         [ kernel ]

         [ modfs ]

       [ rootfs ]

     [ extended ]

       [ extfs ]

PT: done.

6 BTHub partitions found on MTD device flash

Creating 6 MTD partitions on "flash":

0x00020000-0x00180000 : "user"

0x00420000-0x00a20000 : "rootfs"

0x00237000-0x00420000 : "modfs"

0x00a21000-0x00a40000 : "extfs"

0x00a20000-0x01000000 : "extended"

0x00000000-0x01000000 : "flash"

Bluetooth: HCI UART driver ver 2.1

Bluetooth: HCI H4 protocol initialized

Bluetooth: HCI BCSP protocol initialized

brcmboard: brcm_board_init entry

NET: Registered protocol family 2

IP: routing cache hash table of 512 buckets, 4Kbytes

TCP: Hash tables configured (established 4096 bind 8192)

NET: Registered protocol family 1

NET: Registered protocol family 17

NET: Registered protocol family 15

VFS: Mounted root (squashfs filesystem) readonly.

Freeing unused kernel memory: 68k freed


init started:  BusyBox v1.00 (2011.04.15-05:41+0000) multi-call binary


init started:  BusyBox v1.00 (2011.04.15-05:41+0000) multi-call binary


Starting pid 40, console /dev/ttyS0: '/etc/init.d/rcS'

Algorithmics/MIPS FPU Emulator v1.5

Using /nmon/nmon.ko

nmon: module license 'unspecified' taints kernel.

Button: Character device registered successfully.

AnnexCParam=0x00000000 AnnexAParam=0x00000000 adsl2=0x00000000

pSdramPHY=0xA3FFFFF8, 0x4BE5 0x16AD1E6F

[BCM ADSL] Firmware load : 431156 431156 LMEM=(0xFFF00000, 49488) SDRAM=(0xA3FA0000, 381660)

AdslCoreHwReset: AdslOemDataAddr = 0xA3FFC1C4

AnnexCParam=0x00000000 AnnexAParam=0x00000000 adsl2=0x00000000

ADSL PHY version is A2pBT010i.d20h

b6w_init

mpi: No Card is in the PCMCIA slot

mpi: device 0x4322 found in PCI slot 1, function 0

wl: srom not detected, using main memory mapped srom info (wombo board)


IPSecControl Character device registered successfully.

NET: Registered protocol family 3

NET: Registered protocol family 9

NET: Registered protocol family 4

NET: Registered protocol family 5

NET: Registered protocol family 18

NET: Registered protocol family 25

Using /lib/modules/tty_spi.ko

usage: insmod tty_spi speed n

CS=2 date: Apr 15 2011 time: 07:51:38, speed 1

Using /lib/modules/krtp.ko

krtp ver 2.8 softdsp-vad-multiline-wb (Apr 15 2011 07:49:40)

Using /lib/modules/dspdd.ko

load dspdd.ko: core_size=825584, init_size=0

DSP Driver: DSP init stub

Using /lib/modules/endpointdd.ko

Endpoint: endpoint_init entry

Endpoint: endpoint_init COMPLETED

Using /lib/modules/bt_reset.ko

Using /lib/modules/2.6.8.1/kernel/net/bluetooth/l2cap.ko

Bluetooth: L2CAP ver 2.3

Bluetooth: L2CAP socket layer initialized

Device ikanos not present.


Starting pid 197, console /dev/ttyS0: '/etc/init.d/rc'

Switching to RUNLEVEL 1 ...

MDG on SPI

MDG version: 40-1, expect 40-1

RAD : rad started.....


RAD : Reading /etc/rad.conf

RAD : found entry 1, path /usr/bin/upnp_dect_ui

RAD : found entry 2, path /usr/bin/gw_numberL2C

RAD : found entry 3, path /usr/bin/loader_alertL2C

RAD : found entry 4, path /usr/bin/TI_number_menu

RAD : found entry 5, path /usr/bin/hyper_accept

RAD : found entry 6, path /usr/bin/send_base_IP_address

RAD : found entry 7, path /usr/bin/osis_channel_conf

RAD : found entry 8, path /usr/bin/osis_wizard

RAD : found entry 9, path /usr/bin/npab_connect


RAD : Reading /etc/hsupd.conf

RAD : found entry 1, path /usr/bin/hyper_update

RAD : found entry 2, path /usr/bin/hs_eep_update

RAD : Waiting for connection on psm :

RAD : A01

RAD : A06

Writing /var/run/rad.pid

linux application start ...

wait for linux_appl to initialize (1)

wait for linux_appl to initialize (2)


************* ERROR RECORD *************

000000:00:00.000000

Application NMON started after POWERON.

****************** END *****************


appl_init: build verified 

dip_init() : button[FACTORY_RESET] has number[1]

wait for linux_appl to initialize (3)

wait for linux_appl to initialize (4)

End of initialisation

 start storagepl ...

 storagepl is started 

Using /lib/modules/2.6.8.1/kernel/drivers/usb/host/ohci-hcd.ko

ohci_hcd: 2004 Feb 02 USB 1.1 'Open' Host Controller (OHCI) Driver (PCI)

ohci_hcd: block sizes: ed 64 td 64

PCI: Enabling device 0000:00:09.0 (0000 -> 0002)

ohci_hcd 0000:00:09.0: PCI device 14e4:6300 (Broadcom Corporation)

PCI: Setting latency timer of device 0000:00:09.0 to 64

ohci_hcd 0000:00:09.0: irq 13, pci mem c01d7400

ohci_hcd 0000:00:09.0: new USB bus registered, assigned bus number 1

hub 1-0:1.0: USB hub found

hub 1-0:1.0: 2 ports detected

Using /lib/modules/2.6.8.1/kernel/drivers/usb/host/ehci-hcd.ko

PCI: Enabling device 0000:00:0a.0 (0000 -> 0002)

ehci_hcd 0000:00:0a.0: PCI device 14e4:6300 (Broadcom Corporation)

PCI: Setting latency timer of device 0000:00:0a.0 to 64

ehci_hcd 0000:00:0a.0: irq 18, pci mem c0224300

ehci_hcd 0000:00:0a.0: new USB bus registered, assigned bus number 2

PCI: cache line size of 32 is not supported by device 0000:00:0a.0

ehci_hcd 0000:00:0a.0: USB f.f enabled, EHCI 1.00, driver 2004-May-10

hub 2-0:1.0: USB hub found

hub 2-0:1.0: 2 ports detected

Using /lib/modules/2.6.8.1/kernel/drivers/usb/class/usblp.ko

usblp: falsely claims to have parameter proto_bias

usbcore: registered new driver usblp

drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver

modprobe: module usbserial not found.

modprobe: failed to load module usbserial

Using /lib/modules/2.6.8.1/kernel/drivers/scsi/scsi_mod.ko

SCSI subsystem initialized

hub 2-0:1.0: over-current change on port 2

Using /lib/modules/2.6.8.1/kernel/drivers/scsi/sd_mod.ko

Using /lib/modules/2.6.8.1/kernel/drivers/usb/storage/usb-storage.ko

Initializing USB Mass Storage driver...

usbcore: registered new driver usb-storage

USB Mass Storage support registered.

Using /lib/modules/2.6.8.1/kernel/fs/fat/fat.ko

Using /lib/modules/2.6.8.1/kernel/fs/vfat/vfat.ko

Using /lib/modules/2.6.8.1/kernel/fs/msdos/msdos.ko

Using /lib/modules/2.6.8.1/kernel/fs/nls/nls_cp437.ko

Using /lib/modules/2.6.8.1/kernel/fs/nls/nls_iso8859-1.ko

mount all usbdisks not implemented !

Name: /etc/usbmgr/usbmgr.conf

Load_from_file: /etc/usbmgr/preload.conf

checkd start ...

checkd: daemonized with blocked parent process

checkd: parent process released.

linuxappl: start loading after [  3003ms ]

---- WL firmwarecode (0--1-0-0)

kernel::endpoint_open

kernel::endpoint_open COMPLETED

[adsl] trace = 5 0

[LED] led_drv_init() userspace

S67stopload: wait until configuration load reaches phase 9...

ADSL configuration:

    adslmultimode = adsl2plus 

    syslog = disabled 

stopping the pureftp-server ... 

the pureftp-server is stopped

stopping the pure-authd ...

the pure-authd is stopped

HAUSWARE HOST LIBRARY => BUILD DATE = Jul  4 2008, BUILD TIME = 15:17:51

*** gStartRxDesc[0] = 0xA0E35000 
*** gBufferSizeBytes = 1280 
*** gStartTxDesc[0] = 0xA0DD1000 
hal6358PcmInit 260 nextTxDesc = 0xA0DD1000 
hal6358PcmInit 260 nextTxDesc = 0xA0DD1008 
hal6358PcmInit 264 Ownership for TX desc not set. Use this buffer. 
PERF->IrqMask   = 0xA8060427 
PERF->IrqMask1  = 0x00800000 
Starting su_interface ...

su_interface: running

Starting la_interface ...

la_interface: running

btagent start ...


Username : aaddmmiinn

Password : 

Invalid username/password.

Username : aaddmmiinn

Password : 0*1*M*4*S*Z*8*E*

Invalid username/password.

Username :

and here is the jtag output which shows the flash chip

brjtag -backup:custom /window:1E000000 /start:1E000000 /length:000FE4C 


        =============================================== 
         Broadcom EJTAG Debrick Utility v2.0.5-hugebird 
        =============================================== 


Probing bus ... Done 

Detected IR Length is 5 

CPU assumed running under BIG endian 

CPU Chip ID: 00000110001101011000000101111111 (0635817F) 
*** Found a Broadcom manufactured BCM6358 REV 01 CPU *** 

    - EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904) 
    - EJTAG Version ....... : 1 or 2.0 
    - EJTAG DMA Support ... : Yes 
    - EJTAG Implementation flags: R4k MIPS16 MIPS32 

Issuing Processor / Peripheral Reset ... Done 
Enabling Memory Writes ... Done 
Halting Processor ... <Processor> ... Done 
Clearing Watchdog ... Done 
Loading CPU Configuration Code ... Skipped 

Probing Flash at Address: 0x1E000000 ... 
Detected pFlash Chip ID (VenID:DevID = 207E : 2100) 
*** Found a (16MB) CFI Compatiable Flash Chip from ST/Numonyx 

    - Flash Chip Window Start .... : 1E000000 
    - Flash Chip Window Length ... : 01000000 
    - Selected Area Start ........ : 1E000000 
    - Selected Area Length ....... : 0000FE4C 

*** You Selected to Backup the CUSTOM.BIN *** 

========================= 
Backup Routine Started 
========================= 

Saving CUSTOM.BIN.SAVED_20140629_185100 to Disk... 
Done  (CUSTOM.BIN.SAVED_20140629_185100 saved to Disk OK) 

bytes written: 65100 
========================= 
Backup Routine Complete 
========================= 
elapsed time: 18 seconds 


 *** REQUESTED OPERATION IS COMPLETE ***

Post #5

daemon123

6 Aug 2014, 18:01

danitool wrote:

It isn't using RedBoot, the person who was able to boot OpenWrt in the Homehub2a just created a fake redboot partition table using the original bootloader. He didn't go further due several drawbacks.
I think to boot CFE in this router is possible. The HG556a CFE may work with this router. Also there are chances to build a CFE specific for this board with its own board ID. I don't own this router so I can't test it.
Backup the Homehube bootloader and give the HG556a CFE a try.
https://docs.google.com/uc?export=downl … UdIOExiRzg

both of them result in brick

i tried the version uploaded by florian but it says 027a flash not supported

Post #6

danitool

3 Feb 2015, 13:02

Hi, I found some stuff in my HDD for this device. I'm not the autor, this was given by the person who was able to run Openwrt when the PsiDoc forum was active.

openwrt-for-hh2a.zip

It seems they are patches and an image builder to generate a firmware compatible with the original bootloader. Looks too hackish because It uses fake Redboot partitions. It has some drawbacks like incorrect RAM memory detection and other things I don't remember. Doesn't look easy to deal by this way of installing OpenWRt.

This work was made long time ago, then it might be valid for Openwrt Attitude adjustment. And for flashing the built firmware a JTAG cable is absolutely required.

Could be much more simple if you could replace the original bootloader by CFE. Then making a working firmware will be a piece of cake, and installing/upgrading firmwares won't require JTAG nor serial cable.

Regards

Post #7

danitool

7 Feb 2015, 01:06

I've built a CFE that should be compatible with the homehub 2a

CUSTOM.BIN

I tested this bootloader in my HG556a, just to check the the bootloader was ok to run in a BCM6358 board. Flashed with zjtag (v1.8) using this command

./zjtag -flash:custom /window:1e000000 /start:1e000000 /length:20000 /nompi /wiggler /BE

flashing procedure didn't take more than 4 minutes. I noticed sometimes I need it to flash it twice (probably caused by the previous sane bootloader running and doing nasty things).

I don't own a homehub 2A, but with the daemon123's help, he did many tests until I got the CFE 100% working. With the BCM5325 switch working, ping ok and able to upload firmwares via CFE web interfaces for upgrading (this was the hard part).

If you test this CFE, and for some reason the flash ID is a rare one not recognized, just paste here the output, and I'll fix the problem.

(Last edited by danitool on 17 Mar 2015, 21:41)

Post #8

danitool

17 Mar 2015, 21:52

Finally we have a fully featured CFE for the Homehub 2a, and a prebuilt firmware based on Barrier Breaker. Link:

OpenWrt-HH2A-Barrier_Breaker_14.07-CFE.zip

Leds still need further work. Probably I'll send a patch to the mailing list to get official support for the next OpenWrt versions.

Regards.
dani

Post #9

zx82

7 Jul 2015, 12:12

Hi,

Thanks dani, daemon123, psidoc and everyone else for their work, which will hopefully divert hundreds of these units away from landfill. Sure, you might be able to get a C.H.I.P. for $9 next year (maybe, plus $25 shipping) but ISP-supplied, subsidised routers are in plentiful supply and can be picked up for a barely more than postage on eBay. I think this might be the first time a UK mass-ISP-provided unit has gained OpenWRT support?

I saw this progress so saved a few of these units from the bin recently. I've never had need to JTAG anything before so don't have kit, so I just used what I had handy, which is a Raspberry Pi, with tjtag-pi. Some observations of varying specificity:

If you want to have permanent JTAG access to more than just one unit, eBay has 8-pin JST 1mm pitch cable assembly/socket pairs in a bag of 10 for £5, which saves a little over getting the same bits from Farnell or RS. Quite a few routers use this type and they're also used on the Sparkfun Mega Pro Mini, so you may find use for the rest. If not, give the spares away here or donate them to your local hackspace.
Soldering to the JTAG pads is not much fun unless you're suitably equipped and have dexterous steady hands. Consider finding someone to do it for you, maybe at a hackspace. With a sufficiently accurate template you might be able to avoid soldering by making a little clip-on jig with pogo pins, but you might need to make use of the unpopulated capacitor pads nearby to squeeze it all in.
The serial port pinout on the wiki is wrong (probably untouched from the template) as of revision 2015-06-08. I'll fix it and upload a photo for clarity soon, but from top to bottom the pins are VCC (3V3), GND, TX, RX. As usual, you probably don't need VCC.
If you connect to the router's serial port using an RPi, be sure to either leave the router's RX disconnected or disable the RPi's default of logging syslog to it (and maybe running a getty on it?) first. Otherwise the router's CFE will see syslog and getty output and get terribly confused.
I'm sure this advice is everywhere but it bears repeating: it's really useful to take a whole-flash backup BEFORE you flash anything! Having a known-good image to return to can make debugging much easier.
dani's CFE boots my unit with Spansion flash, but not a unit with ST/Numonyx flash (the latter hangs after "Initializing Devices.")
oxplot's tjtag-pi works to flash these units (I needed the /nodma flag), but seems to transform the binary before flashing it; specifically, each uint16 in dani's CFE image needs to be byteswapped (resulting md5sum starts 7f7dcd973...). This may well be a bug in tjtag-pi. Since the RPi route may well be more popular than wigglers or FTDIs, it might be worth uploading a fudged binary.
oxplot's tjtag-pi knows about Spansion flash but seems to need to be patched in order to flash units with ST/Numonyx flash. I'll push the (one line) patch upstream once the CFE boot problem is sorted.
You don't need to solder/connect nTRST. The board pulls it high internally, and oxplot's tjtag-pi doesn't support it or touch it. One less fiddly pin.
The first time you flash dani's CFE image, presumably because BT layouts/signatures don't match what this CFE build expects, it'll stay in CFE and drop to waiting for HTTP (or TFTP?) upload of a firmware.
Owing to the above, the booting of dani's CFE is unfortunately indistinguishable from a bad flash: in both cases all five LEDs stay on solid blue. It's really worth populating the serial port so you can distinguish these situations. Perhaps it'd be good to patch dani's CFE to frob an LED to indicate a successful flash?

Favours to ask of dani or others:

Is the source of that CFE build posted somewhere? Having the CFE as open as OpenWRT would make the system that bit more open and empower motivated geeks to make minor tweaks for things like alternate flash parts.
Could that CFE build flash an LED or something to confirm a good flash? (Or, could we have the source and I'll have a go?)
What needs to be done to support alternate flash parts like the ST one? (Or, could we have the source and I'll have a go?)

Thanks!

Post #10

sp8826

28 Jul 2015, 13:41

Hi,

I would like connect my HH with UART (BT HomeHub 2.0 Type A rev 2)

...but the picture is not really clear

http://wiki.openwrt.org/_media/media/to … tok=271bf0

Is it possible to give the correct pinout please ?

Thanks

Post #11

zx82

4 Aug 2015, 13:15

sp8826 wrote:

Is it possible to give the correct pinout please ?

Added a picture and corrected the text on the wiki page. Happy soldering!

Post #12

zx82

4 Aug 2015, 16:15

In case it's a useful breadcrumb to others: I suspect dani's CFE doesn't listen on the serial port, just transmits, despite prompts. I tried the other day and couldn't elicit any response, but the usual boot debug stuff scrolled by OK. I did probe for dry joints and sanity-checked the FTDI on something else. Might be useful for folks to report whether you can/can't interact with dani's CFE over serial (on a Spansion unit that gets that far!).

Post #13

zx82

8 Aug 2015, 05:07

On my units with ST/Numonyx flash that hung at "Initializing Devices" I think the problem was the specific flash part: apparently the M29W128GL doesn't accept the generic reset which CFE uses when asking the part for ID [1], so the chip treats the CFI auto-select command as a plain flash read. The result won't match a known part so flash init fails. (CFE then hangs trying to use non-existent SPI flash instead, but that's another issue.)

One quick and dirty fix is to initialise flashFamily with FLASH_AMD in shared/opensource/flash/cfiflash.c, so that pre-ID resets are done in AMD style. This CFE image uses this approach, and has been tested on an ST/Numonyx unit but should boot a Spansion unit too (my Spansion unit is busy, so a success report from another Spansion-owning user would be very welcome!).

Maybe a neater way would be to make the generic reset use F0, FF, F0 instead of just F0, FF, but without checking a bunch of datasheets for other parts I'm not sure that's any more portable.

[1] This might be related to http://sourceforge.net/p/openocd/mailma … /28340380/

(Last edited by zx82 on 10 Aug 2015, 15:45)

Post #14

Kaar3l

19 Jan 2016, 18:12

I have thomson tg784, that has very similar hardware. I downloaded zx82 allflash cfe and it seems to work. Now problem is with the firmware flashing. The tg784 doesn't have the button that should be pressed. So I thought that maybe I should copy together cfe+firmware.
I tried: made 6MB file, then copied CFE to 0x00000 position at the beginning of the file. Then copied the openwrt image to 0x10000 location and flashed the fullflash. Didn't work. Does anyone have a fullflash backup of openwrt?

Getting the serial work:

Post #15

danitool

19 Jan 2016, 20:42

Kaar3l wrote:

I have thomson tg784, that has very similar hardware. I downloaded zx82 allflash cfe and it seems to work. Now problem is with the firmware flashing. The tg784 doesn't have the button that should be pressed. So I thought that maybe I should copy together cfe+firmware.
I tried: made 6MB file, then copied CFE to 0x00000 position at the beginning of the file. Then copied the openwrt image to 0x10000 location and flashed the fullflash. Didn't work. Does anyone have a fullflash backup of openwrt?
Getting the serial work:

You should flash the firmware at offset 0x20000. BTW if you can't stop the bootloader with the button you should be able to stop it pressing any key in the serial console, and then flash the firmware via web interface or tftp.

Post #16

Kaar3l

21 Jan 2016, 07:20

danitool wrote:

Kaar3l wrote:
I have thomson tg784, that has very similar hardware. I downloaded zx82 allflash cfe and it seems to work. Now problem is with the firmware flashing. The tg784 doesn't have the button that should be pressed. So I thought that maybe I should copy together cfe+firmware.
I tried: made 6MB file, then copied CFE to 0x00000 position at the beginning of the file. Then copied the openwrt image to 0x10000 location and flashed the fullflash. Didn't work. Does anyone have a fullflash backup of openwrt?
Getting the serial work:

You should flash the firmware at offset 0x20000. BTW if you can't stop the bootloader with the button you should be able to stop it pressing any key in the serial console, and then flash the firmware via web interface or tftp.

I flashed firmware to 0x20000, but it still didn't work. I will make wholeflash backup of my other router and then test that router. I may have some hardware problem, because this router didn't work with original firmware.

Post #17

gomme600

13 Mar 2016, 12:53

Hello everyone. I have brick my home hub 2 (All blue lights on, no serial connection) and have connected the Jtag, unfortunatly, no matter which CUSTOM.BIN I flash it doesn't work. I am using pi-tjtag on my raspberry pi. I flashes ok but the router still won't boot. I read in this thread that I have to byte swap "each uint16" but I have no idea how to do that! Also using the /nodma flag freeses the flashing procedure. Can anyone help me out please? Maybe upload a WHOLEFLASH.BIN if possible. Or if not help me out with this Byte Swapping thing! Thanks!

Post #18

zx82

13 Mar 2016, 13:29

gomme600 wrote:

I have brick my home hub 2

Just to be sure, it's definitely a Type A, right?

Are you certain JTAG is working? A reasonable acid test is: does it announce that it found bcm96358 or BCM6358?

What's the brand of flash in your unit? ST? Numonyx? Spansion? Something else?

Here's my previously posted CFE that should work on any unit, halfword-swapped for oxplot/tjtag-pi.

Here's danitool's original CFE which probably only works on units with Spansion flash, halfword-swapped for oxplot/tjtag-pi.

Post #19

gomme600

13 Mar 2016, 13:39

zx82 wrote:

gomme600 wrote:
I have brick my home hub 2
Just to be sure, it's definitely a Type A, right?
Are you certain JTAG is working? A reasonable acid test is: does it announce that it found bcm96358 or BCM6358?
What's the brand of flash in your unit? ST? Numonyx? Spansion? Something else?
Here's my previously posted CFE that should work on any unit, halfword-swapped for oxplot/tjtag-pi.
Here's danitool's original CFE which probably only works on units with Spansion flash, halfword-swapped for oxplot/tjtag-pi.

Definatly type A. It sais BCM6358 Rev 1 CPU chip. I have a Spansion Flash unit. I'm using this command: "sudo ./tjtag -flash:custom /window:1e000000 /start:1e000000 /length:20000 /wiggler /bypass" to flash and none of the CFE's you provided above worked... thanks for the quick reply.

Post #20

zx82

13 Mar 2016, 14:39

gomme600 wrote:

Definatly type A. It sais BCM6358 Rev 1 CPU chip. I have a Spansion Flash unit.

Thanks, good to get that out of the way.

gomme600 wrote:

none of the CFE's you provided above worked... thanks for the quick reply.

OK. I remember having to do several experiments, swapping words/halfwords, to work around tjtag-pi's manipulation (it's easier to give people a modified image than a patched tjtag-pi). I'll dig out the Pi image I used and see if I can reconfirm that halfword swapping is the permutation required, but that'll have to wait a few days. In the meantime, could you say exactly how the CFEs didn't work? Presumably if you went to the effort of connecting JTAG, you also have serial; what output do you see with each image? No output at all suggests incorrectly ordered bytes. But if you're seeing some output and CFE just isn't seeing a valid firmware, it'll quietly wait for you to upload some (maybe wanting to be interrupted by serial input/pressing of a button to prefer web upload).

To clarify, a wholeflash won't help (and will just increase the number of magical binaries floating around) if the byte-ordering thing isn't sorted.

Any reason you're using /wiggler? Superficially it seems that's a remnant from tjtag on other platforms and just hasn't been removed. Unless you know better, I'd recommend dropping it for tjtag-pi, since I'm not sure how it might affect the flashing.

The README suggests /noemw if you see hangs. Did you try that instead of/as well as /nodma?

Post #21

zx82

13 Mar 2016, 14:44

Come to think of it I don't recall using /bypass either, if memory serves.

Post #22

gomme600

13 Mar 2016, 22:05

zx82 wrote:

gomme600 wrote:
Definatly type A. It sais BCM6358 Rev 1 CPU chip. I have a Spansion Flash unit.
Thanks, good to get that out of the way.
gomme600 wrote:
none of the CFE's you provided above worked... thanks for the quick reply.
OK. I remember having to do several experiments, swapping words/halfwords, to work around tjtag-pi's manipulation (it's easier to give people a modified image than a patched tjtag-pi). I'll dig out the Pi image I used and see if I can reconfirm that halfword swapping is the permutation required, but that'll have to wait a few days. In the meantime, could you say exactly how the CFEs didn't work? Presumably if you went to the effort of connecting JTAG, you also have serial; what output do you see with each image? No output at all suggests incorrectly ordered bytes. But if you're seeing some output and CFE just isn't seeing a valid firmware, it'll quietly wait for you to upload some (maybe wanting to be interrupted by serial input/pressing of a button to prefer web upload).
To clarify, a wholeflash won't help (and will just increase the number of magical binaries floating around) if the byte-ordering thing isn't sorted.
Any reason you're using /wiggler? Superficially it seems that's a remnant from tjtag on other platforms and just hasn't been removed. Unless you know better, I'd recommend dropping it for tjtag-pi, since I'm not sure how it might affect the flashing.
The README suggests /noemw if you see hangs. Did you try that instead of/as well as /nodma?

Thanks for trying to find the image! ;-) Right, so the CFE's don't work at all unfortunately, no serial output and no ethernt connectivity at all... (Just to confirm, I have to connect my serial tx wire to rx on the board, and vice versa? That is how I have done it before and it seems logical. Oh and the serial adapter does work, I tried shorting tx and rx and I see what I type in minicom.)

About the flags, I'm using /wiggler because it was specified on the wiki (https://wiki.openwrt.org/toh/bt/homehub … bootloader).
I have also tried different combinations of /noemw and /nodma. Whenever I use /nodma it freezes before it even starts to flash.

Finally I am using /bypass because without it the flashing freezes at 1%, not sure why because I can flash my (broken) backup without that flag. (Backup it broken because I did it after flashing the new CFE, oops!!)

Thanks again for the help so far! Tomorrow I can give you the exact output of different commands if it helps. (Gone 10 here, I live in France)

Post #23

gomme600

14 Mar 2016, 18:54

zx82 wrote:

gomme600 wrote:
Definatly type A. It sais BCM6358 Rev 1 CPU chip. I have a Spansion Flash unit.
Thanks, good to get that out of the way.
gomme600 wrote:
none of the CFE's you provided above worked... thanks for the quick reply.
OK. I remember having to do several experiments, swapping words/halfwords, to work around tjtag-pi's manipulation (it's easier to give people a modified image than a patched tjtag-pi). I'll dig out the Pi image I used and see if I can reconfirm that halfword swapping is the permutation required, but that'll have to wait a few days. In the meantime, could you say exactly how the CFEs didn't work? Presumably if you went to the effort of connecting JTAG, you also have serial; what output do you see with each image? No output at all suggests incorrectly ordered bytes. But if you're seeing some output and CFE just isn't seeing a valid firmware, it'll quietly wait for you to upload some (maybe wanting to be interrupted by serial input/pressing of a button to prefer web upload).
To clarify, a wholeflash won't help (and will just increase the number of magical binaries floating around) if the byte-ordering thing isn't sorted.
Any reason you're using /wiggler? Superficially it seems that's a remnant from tjtag on other platforms and just hasn't been removed. Unless you know better, I'd recommend dropping it for tjtag-pi, since I'm not sure how it might affect the flashing.
The README suggests /noemw if you see hangs. Did you try that instead of/as well as /nodma?

Right so I have taken another look at it. First of all, for serial I am using 9600bauds, hardware flow control off. I have also tried different baudrates and with hardware flow control on. I have never got a serial output no matter what I have tried.

Some other things I have noticed: When flashing, the procedure speeds up at around 60% and usually finishes between 12 and 18 seconds. (Don't know if this is normal).

-erase:wholeflash is buggy: Freeze at «Erasing block: 81 (addr = 1fa00000)...» For a long time, then freeze at «Erasing block: 87» which finishes in a read error, finaly it completes at block 128.
I find this strange because the original firmware was working fine so I can assume that the flash memory is OK.

Now here are the various commands and their outcome:

sudo ./tjtag -flash:custom /window:1e000000 /start:1e000000 /length:20000

Freeze at «0% Flashed» (Depends on which CUSTOM.BIN I am flashing, sometimes it freezes at 1%).

sudo ./tjtag -flash:custom /window:1e000000 /start:1e000000 /length:20000 /bypass

Flashed OK, but no serial output.

sudo ./tjtag -flash:custom /window:1e000000 /start:1e000000 /length:20000 /noemw

Freeze at «0% Flashed» (Depends on which CUSTOM.BIN I am flashing, sometimes it freezes at 1%).

sudo ./tjtag -flash:custom /window:1e000000 /start:1e000000 /length:20000 /nodma

Freeze at «Halting Processor … <Processor did NOT enter Debug Mode!> … Done»
(This is also the same with /noemw added)

sudo ./tjtag -flash:custom /window:1e000000 /start:1e000000 /length:20000 /nodma /nocwd

Freeze at «Probing Flash at (Flash Window: 0x1e000000) …»

Post #24

zx82

21 Mar 2016, 19:49

gomme600 wrote:

Right so I have taken another look at it. First of all, for serial I am using 9600bauds, hardware flow control off.

You definitely want 115200 to communicate with CFE. You definitely want hardware flow control off, since there are no pins (brought out) on the device for flow control.

gomme600 wrote:

Some other things I have noticed: When flashing, the procedure speeds up at around 60% and usually finishes between 12 and 18 seconds. (Don't know if this is normal).

Flashing the CFE on my Spansion unit takes ~1m20, for what that's worth, although that's on an RPi B 1.0 which may be slower for some reason.

gomme600 wrote:

-erase:wholeflash is buggy:

Never used it. I think the normal -flash procedure has an implicit erase.

gomme600 wrote:

Now here are the various commands and their outcome:

Stick with what works, I guess. For me what worked was /nodma, with the same window/start/length. Without /nodma I'd reliably see a hang at 0x6A0.

gomme600 wrote:

Freeze at «Halting Processor … <Processor did NOT enter Debug Mode!> … Done»

Saw that from time to time; if I recall correctly the only reliable way to get around it was to power-cycle the unit, but in some situations /reboot would be enough. Maybe tjtag sometimes left the CPU in an inconsistent state or something.

To confirm, having looked on my RPi: the image that works for me via tjtag has md5sum 906cebfc82efc881ea16f0f3501ba82b. Kaar3l suggested in an earlier post that it worked for him too, albeit on slightly different hardware.

So, I think:

check the md5sum of the image you're trying to flash (just run md5sum on it)
once you've confirmed it matches mine, power-cycle the unit before trying with /nodma but no other flags
if that works, try talking to it at 115200

And see where we stand. If that doesn't work, I think the next step is to confirm flashing is working at all, by pulling the image back off the unit with -backup:custom and checking it matches what we're trying to flash, to eliminate flash defects or JTAG flashing errors. IIRC it won't match by default, because tjtag rearranges bytes, but we can at least confirm the rearranged image comes back as expected.

Failing that, I wonder whether it might be better to try OpenOCD.

gomme600 wrote:

I live in France

Howcome you have a BTHH there?

Post #25

gomme600

22 Mar 2016, 19:02

zx82 wrote:

gomme600 wrote:
Right so I have taken another look at it. First of all, for serial I am using 9600bauds, hardware flow control off.
You definitely want 115200 to communicate with CFE. You definitely want hardware flow control off, since there are no pins (brought out) on the device for flow control.
gomme600 wrote:
Some other things I have noticed: When flashing, the procedure speeds up at around 60% and usually finishes between 12 and 18 seconds. (Don't know if this is normal).
Flashing the CFE on my Spansion unit takes ~1m20, for what that's worth, although that's on an RPi B 1.0 which may be slower for some reason.
gomme600 wrote:
-erase:wholeflash is buggy:
Never used it. I think the normal -flash procedure has an implicit erase.
gomme600 wrote:
Now here are the various commands and their outcome:
Stick with what works, I guess. For me what worked was /nodma, with the same window/start/length. Without /nodma I'd reliably see a hang at 0x6A0.
gomme600 wrote:
Freeze at «Halting Processor … <Processor did NOT enter Debug Mode!> … Done»
Saw that from time to time; if I recall correctly the only reliable way to get around it was to power-cycle the unit, but in some situations /reboot would be enough. Maybe tjtag sometimes left the CPU in an inconsistent state or something.
To confirm, having looked on my RPi: the image that works for me via tjtag has md5sum 906cebfc82efc881ea16f0f3501ba82b. Kaar3l suggested in an earlier post that it worked for him too, albeit on slightly different hardware.
So, I think:
check the md5sum of the image you're trying to flash (just run md5sum on it)
once you've confirmed it matches mine, power-cycle the unit before trying with /nodma but no other flags
if that works, try talking to it at 115200
And see where we stand. If that doesn't work, I think the next step is to confirm flashing is working at all, by pulling the image back off the unit with -backup:custom and checking it matches what we're trying to flash, to eliminate flash defects or JTAG flashing errors. IIRC it won't match by default, because tjtag rearranges bytes, but we can at least confirm the rearranged image comes back as expected.
Failing that, I wonder whether it might be better to try OpenOCD.
gomme600 wrote:
I live in France
Howcome you have a BTHH there?

Ok, so I checked the md5sum. It matches on the file I am trying to flash. Tried flashing again, had to use /bypass and it flashes in 18 seconds (I also have a raspberry pi B original version, 512MB ram), I find this weird and am wondering if it's not part of the problem...
I get nothing on the serial port still. This all seems very strange to me.
Anyway I have done a backup of the same CUSTOM.BIN, here is the file: http://www.mediafire.com/download/qad3j … BACKUP.BIN
It is 128KB instead of 62KB, again I don't understand?

And about the BT Home Hub in France, I was looking for old routers a while ago, got this one of a friend in England.

Page 1 of 2