OpenWrt Forum Archive

Topic: Create a custom CFE for BCM6358 + BCM5325

The content of this topic has been archived between 14 Apr 2018 and 17 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

with all the hassle with the pid2 in the CFE of the WAG160Nv2 I wonder if it possible to get a custom CFE for this hardware?
It currently runs "CFE version 1.0.37-5.4". The hardware contains:

- SoC BCM6358
- Ethernet Switch BCM5325
- 4MB Flash
- 32MB RAM

Due to the limited flash size, the CFE must fit into 64KB.

Open question is how the ethernet switch is connected with the SoC, i.e. which GPIO is tied to the reset pin of the switch and which interface is used to setup the switch (SPI or MDIO).

Is the source code for the CFE available and has anyone compiled it for a hardware with BCM6358+BCM5325?
If we find another router which uses the same GPIO for the switch reset, will its CFE be able to cope with a flash chip of a different size? 4MB is rather unusual for a router with a BCM6358, most others have at least 8MB.

Does anyone know how to compress a CFE? We may simply patch the current one and remove the pid2 test.

Regards,
jal2

Yes, it's possible. I already did it for the Homehub2a.

It's easy to know which GPIO is conected to the reset# switch pin. In Openwrt just put every GPIO on low state, when the switch stops working that's the GPIO of the reset pin (if any is connected to reset#). AFAIK BCM5325 are always connected via MDIO, even those with the SPI pins wired.

I think I can build a CFE for your board. Just tell me the GPIOs for the reset button, BCM5325 reset# pin (if any), and relevan leds like power led.

The wiki says the board ID is 96358GW, and the RAM is 32MB (1chip).

These data should be enough. Just tell me if you're still interested.

Regards.

(Last edited by danitool on 7 Dec 2015, 02:14)

@danitool,

for the hh2a, we have the situation that it always boots to CFE, and does not continue to boot the OpenWRT unless you press the rest button.
Could it be that the CFE is very quick to test the 'Find Handset' GPI, and it's not yet stable?
Do you still have your build environment for this CFE?

more info here: http://openwrt.ebilan.co.uk/viewtopic.p … p=763#p763

best regards,

Simon

(Last edited by simonh on 30 Dec 2015, 10:35)

Hi, simonh. The behavior you're describing doesn't make much sense to me. Hope this stuff will help you to solve it.

https://drive.google.com/file/d/0B-EMoB … sp=sharing

Probably the best idea is to use the reset instead phone button. I never had this router, I just use the phone button because the tester, who helped me to bring support for the homehub2a, requested this specific feature, but he never complained about this issue you described.

Regards.

thanks danitool, taking a look at the patch file, seems there are multiple definitions for multiple boards for the HHV2A.
I wonder if I have a different variety to the original one it was tested on.
I've not tried to build yet, but do I take it that the folder structure is self-contained, and should build on almost any x86 linux without 'installation'?

(Last edited by simonh on 3 Jan 2016, 23:26)

There are multiple boards because they were for testing the Homehub with other firmwares/boards ID. Only the one with the board ID HOMEHUB2A
is valid for Openwrt.

For building there is a script, and all is contained in the same directory without absolute paths, this way you don't need to spread files across your system.

(Last edited by danitool on 3 Jan 2016, 23:43)

I build CFE for HG553 from HOMEHUB2 source code. In build.sh file change BoardID=HW553 and my MAC address. CFE work OK but Dlink firmware ROLEO crash.

OpenWrt AA 12.09 work OK - USB, Wifi, Ethernet but no work LED's.

I want to add support for LED on HG553 (HW553). In the source code, I found information in file:

/cfe_bcm63xx/cfe/cfe/arch/mips/board/bcm63xx_ram/src/bcm63xx_devs.c

//setLedOn(BP_GPIO_6_AL); //HG556a, enable gpio6, otherwise leds won't work

I checked it and HG553 also need to set GPIO 6 Active Low for LED's working. If goto CFE, run command:

gpioset 6 off

and boot OpenWrt then RED POWER LED lights up and management of LED's works ;-)

I need help how fix source code CFE to set GPIO 6 Active Low.

My post on eko.one.pl: vodafone HG553

Thx.

Edited
--------

To LED's work need simply uncomment this line in source code smile smile:
/cfe_bcm63xx/cfe/cfe/arch/mips/board/bcm63xx_ram/src/bcm63xx_devs.c

//setLedOn(BP_GPIO_6_AL); //HG556a, enable gpio6, otherwise leds won't work

Tested CC 15.05.1 with this new CFE: cfe_gpio6_token.bin

WARNING!!! This CFE has added token and possible upgrade from WEB Upgrade 192.168.1.1 (pressed reset 15 sec while power). Please make backup CFE first e.g. from OpenWrt:

dd if=/dev/mtd0 of=/tmp/cfe.bin

then copy cfe.bin over WinSCP

putty.log:

Pulling BCM5325 out of reset (GPIO15 ON)......done


CFE version 1.0.37-6.4 for BCM96358 (32bit,SP,BE)
Build Date: Tue Aug 23 03:16:28 CEST 2016 (root@debian)
Copyright (C) 2000-2005 Broadcom Corporation.

Boot Address 0xbe000000

Initializing Arena.
Initializing Devices.
Parallel flash device: name AM29LV320MT, id 0x2201, size 16384KB

Now initializing the switch...
GPIO_MODE_EMAC2_MII_CLK_INV pinmux enabled
Setting BCM5325 managed mode
    B53_SWITCH_MODE = 0x6
    new B53_SWITCH_MODE = 0x7
    REG_MII_PORT_CONTROL = 0x0
    new REG_MII_PORT_CONTROL = 0x1c
    B53_GLOBAL_CONFIG = 0x0
    new B53_GLOBAL_CONFIG = 0x80
    REG_VLAN_CTRL5 = 0x0
    new REG_VLAN_CTRL5 = 0x3
done
Setting BCM5325 unmanaged mode
    B53_SWITCH_MODE = 0x7
    new B53_SWITCH_MODE = 0x6
    B53_GLOBAL_CONFIG = 0x80
    new B53_GLOBAL_CONFIG = 0x0
done
Clearing B53_PORT_CTRL(i) registers at ports 0, 1, 2, 3, 4, 5, 6, 7, 8,  done
B53_PORT_OVERRIDE_CTRL = 0x9f
...done

CPU type 0x2A010: 300MHz, Bus: 133MHz, Ref: 64MHz
Total memory: 67108864 bytes (64MB)

Total memory used by CFE:  0x80401000 - 0x80528880 (1210496)
Initialized Data:          0x8041D980 - 0x8041FF80 (9728)
BSS Area:                  0x8041FF80 - 0x80426880 (26880)
Local Heap:                0x80426880 - 0x80526880 (1048576)
Stack Area:                0x80526880 - 0x80528880 (8192)
Text (code) segment:       0x80401000 - 0x8041D974 (117108)
Boot area (physical):      0x00529000 - 0x00569000
Relocation Factor:         I:00000000 - D:00000000

Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host (f/h)         : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Board Id Name                     : HW553  
Psi size in KB                    : 24
Number of MAC Addresses (1-32)    : 4  
Base MAC Address                  : 00:24:89:57:44:82  
Ethernet PHY Type                 : Internal
Memory size in MB                 : 64
CMT Thread Number                 : 0

***  Press any key to stop auto run (1 seconds) ***
 Auto run second count down: 110
Code Address: 0x80A00000, Entry Address: 0x80a00000
Decompression OK!
Entry at 0x80a00000
Closing network.
Starting program at 0x80a00000

(Last edited by Gelip on 8 Sep 2016, 17:38)

Hi, do you have HG553 working fine with this cfe?
Can you tell me how to flash it?

I flashed openwrt on my hg553, but it is unstable, it works only at first boot, next reboots the router does not respond aymore... i cannot undesrtand the reason! Maybe a cfe probelm....

blueven wrote:

Hi, do you have HG553 working fine with this cfe?
Can you tell me how to flash it?

I flashed openwrt on my hg553, but it is unstable, it works only at first boot, next reboots the router does not respond aymore... i cannot undesrtand the reason! Maybe a cfe probelm....

Yes, OpenWrt 15.05.1 working OK with this CFE. What version OpenWrt you use? What version CFE is flashed? Does work OEM Web upgrade - Turn on the system while holding the reset for 30 sec. and go to http://192.168.1.1 ???

Hi, i was on AA and i flashed with mtd your CFE, and i can confirm that because i made dd and compared it.
Then, i made sysupgrade to 15.05.1.

Result is that now i cannot ping anymore the box, and reset for 30 seconds doesn't work anymore!!!
I can see blue led fixed after some seconds, main and LAN. But after some minutes it reboots automatically, because i can see leds goes off and again on.

(Last edited by blueven on 14 Nov 2016, 04:33)

blueven wrote:

Then, i made sysupgrade to 15.05.1

Do you have a TTL cable for serial console? In my CFE not working reset 30 but working serial console. Buy TTL cable or flash back original CFE. Next go into CFE with reset 30 and flash CC:
https://wiki.openwrt.org/_media/media/doc/cfe63xx_web-upgrade.png

From what i know, CFE is only flashable with jtag, not serial!

(Last edited by blueven on 14 Nov 2016, 11:05)

blueven wrote:

From what i know, CFE is only flashable with jtag, not serial!

If you have flashed my CFE is you can change them from the CFE using a serial console :-):
http://savepic.net/8523842m.png
Also possible flash from original CFE from reset 30 (Web upgrade page).

Gelip wrote:

Tested CC 15.05.1 with this new CFE: cfe_gpio6_token.bin

WARNING!!! This CFE has added token and possible upgrade from WEB Upgrade 192.168.1.1 (pressed reset 15 sec while power).

Token provides the ability to flash CFE from the CFE:
bcm63xx - Its any way to replace CFE in CFE?

P.S. I make new CFE CMT 0 & 1, please read this post:
vodafone HG553

(Last edited by Gelip on 14 Nov 2016, 19:50)

Gelip wrote:
blueven wrote:

From what i know, CFE is only flashable with jtag, not serial!

If you have flashed my CFE is you can change them from the CFE using a serial console :-):
http://savepic.net/8523842m.png
Also possible flash from original CFE from reset 30 (Web upgrade page).

Gelip wrote:

Tested CC 15.05.1 with this new CFE: cfe_gpio6_token.bin

WARNING!!! This CFE has added token and possible upgrade from WEB Upgrade 192.168.1.1 (pressed reset 15 sec while power).

Token provides the ability to flash CFE from the CFE:
bcm63xx - Its any way to replace CFE in CFE?

P.S. I make new CFE CMT 0 & 1, please read this post:
vodafone HG553


You're totally right the broadcom token utility provides a way to make a flasheable image to the offset 0x0 where the bootloader lives. However when flashing does the CFE takes the previous config at the NVRAM? IIRC the answer is no. Unless you embedded the nvram in the CFE you built, it will keep awaiting for a new configuration, and from the point of view of an user without an UART serial adapter this is like a brick.

Another way to flash CFE keeping the previous NVRAM config at the router is to make a dummy firmware, with CFE at the begining, and some trailing zero bytes (zeroed firmware) at the end. In this case the new CFE doesn't need to have any NVRAM embedded. CFE will upgrade the new CFE keeping the original NVRAM, and since the firmware is zeroed, after finishing the flashing procecure it will keep awaiting for a new firmware.

(Last edited by danitool on 14 Nov 2016, 20:02)

danitool wrote:

Unless you embedded the nvram in the CFE you built, it will keep awaiting for a new configuration, and from the point of view of an user without an UART serial adapter this is like a brick.

Right - my CFE have serial console only access and not work Reset 30 like in original CFE. Maybe you know how to modify the source code of the CFE HOMEHUB2A to act reset 30?

(Last edited by Gelip on 14 Nov 2016, 20:24)

Do you mean entering failsafe by pressing the reset button and waiting 30 seconds? it's already implemented in the source code. You only need to define your gpio number that matches the reset button at the boards parameters file.

I was able to restore original unlocked CFE using jtag.
Anyway, latest openwrt version CC , doesn't work neither with this nor with your CFE. I can't understand the reason!

EDIT: no one version of openwrt is working in my hg553!

What could be the reason? maybe corrupted nvram?
If i remember correctly, when i was on openwrt with previous cfe, i made an erase nvram from it. Could be a problem or nvram is inside CFE?

Is there a way i can get your CFE with your NVRAM too? I think is NVRAM the trouble here...

(Last edited by blueven on 15 Nov 2016, 04:14)

Do you have a UART cable to hook up to the serial console? If yes flash my CFE, go to CFE and erase all flash with command e:

CFE> e help
Erase [n]vram, [p]ersistent storage or [a]ll flash except bootrom
usage: e [n/p/a]
*** command status = 0

Next reboot HG553 and config Board ID: HW553, number MAC adresses e.g. 4 and change MAC address such that what you have on a label on the rear panel. Now flash OpenWrt CC from Web upgrade page. I use version CHAOS CALMER (15.05.1, r48532) - It works very well.

(Last edited by Gelip on 15 Nov 2016, 07:12)

Could you please tell me exactly wich commads should i use? How config board id, MAC number, MAC etc?

Maybe we have different hw revision of hg553? My serial starts with 301338k..., yours?

EDIT: i checked the cfe.bin i restored with an hex editor, and i can read HW553 and correct serial. Only MAC address is different, but from what i know there is no check on MAC address for booting correctly.

(Last edited by blueven on 15 Nov 2016, 12:06)

OK, but this is off-topic. Send me your e-mail. You need to have cable UART for serial console.

(Last edited by Gelip on 15 Nov 2016, 19:32)

Gelip wrote:

OK, but this is off-topic. Send me your e-mail. You need to have cable UART for serial console.

My email: antonio.84 at email.it. In two days i'll get uart cable.

(Last edited by blueven on 15 Nov 2016, 23:14)

danitool wrote:

Do you mean entering failsafe by pressing the reset button and waiting 30 seconds? it's already implemented in the source code. You only need to define your gpio number that matches the reset button at the boards parameters file.

I found source code - file boardparms.c for HG553: hg556a_source ... boardparms.c
and copy line:

BP_GPIO_37_AL,                         /* usGpioPressAndHoldReset */

to HOMEHUB2A source code by danitool:
shared/opensource/boardparms/bcm963xx/boardparms.c

Now RESET 30 works and runs CFE and we have access to OEM Update page http://192.168.1.1 smile

Note1: To run CFE just press RESET about 6 seconds, no need 30
Note2: While pressing reset CFE restore factory settings e.g. IP 192.168.1.1

Pulling BCM5325 out of reset (GPIO15 ON)......done


CFE version 1.0.37-6.4 for BCM96358 (32bit,SP,BE)
Build Date: Wed Nov 16 12:12:12 CET 2016 (root@debian)
Copyright (C) 2016

Boot Address 0xbe000000

Initializing Arena.
Initializing Devices.
Parallel flash device: name AM29LV320MT, id 0x2201, size 16384KB

Now initializing the switch......done

CPU type 0x2A010: 300MHz, Bus: 133MHz, Ref: 64MHz
Total memory: 67108864 bytes (64MB)

Total memory used by CFE:  0x80401000 - 0x80528AD0 (1211088)
Initialized Data:          0x8041DBB0 - 0x804201D0 (9760)
BSS Area:                  0x804201D0 - 0x80426AD0 (26880)
Local Heap:                0x80426AD0 - 0x80526AD0 (1048576)
Stack Area:                0x80526AD0 - 0x80528AD0 (8192)
Text (code) segment:       0x80401000 - 0x8041DBA4 (117668)
Boot area (physical):      0x00529000 - 0x00569000
Relocation Factor:         I:00000000 - D:00000000


*** Restore to Factory Default Setting ***


*** Break into CFE console ***

Board IP address                  : 192.168.1.1:ffffff00
Host IP address                   : 192.168.1.100
Gateway IP address                :
Run from flash/host (f/h)         : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 1
Board Id Name                     : HW553
Psi size in KB                    : 24
Number of MAC Addresses (1-32)    : 4
Base MAC Address                  : 00:24:89:57:44:82
Ethernet PHY Type                 : Internal
Memory size in MB                 : 64
CMT Thread Number                 : 1

web info: Waiting for connection on socket 0.
CFE> 

This is CFE with NVRAM embed, working serial console, reset 6 while power, leds, use cpu1 (CMT1), removed some of the information displayed on startup and it has added token to flash from CFE:
cfe_nvr_led_cmt1_reset_token.rar

(Last edited by Gelip on 19 Nov 2016, 17:50)

Gelip wrote:
danitool wrote:

Do you mean entering failsafe by pressing the reset button and waiting 30 seconds? it's already implemented in the source code. You only need to define your gpio number that matches the reset button at the boards parameters file.

I found source code - file boardparms.c for HG553: hg556a_source ... boardparms.c
and copy line:

BP_GPIO_37_AL,                         /* usGpioPressAndHoldReset */

to HOMEHUB2A source code by danitool:
shared/opensource/boardparms/bcm963xx/boardparms.c

Now RESET 30 works and runs CFE and we have access to OEM Update page http://192.168.1.1 smile

Note1: To run CFE just press RESET about 6 seconds, no need 30
Note2: While pressing reset CFE restore factory settings e.g. IP 192.168.1.1

Pulling BCM5325 out of reset (GPIO15 ON)......done


CFE version 1.0.37-6.4 for BCM96358 (32bit,SP,BE)
Build Date: Wed Nov 16 12:12:12 CET 2016 (root@debian)
Copyright (C) 2016 mrgelip@gmail.com

Boot Address 0xbe000000

Initializing Arena.
Initializing Devices.
Parallel flash device: name AM29LV320MT, id 0x2201, size 16384KB

Now initializing the switch......done

CPU type 0x2A010: 300MHz, Bus: 133MHz, Ref: 64MHz
Total memory: 67108864 bytes (64MB)

Total memory used by CFE:  0x80401000 - 0x80528AD0 (1211088)
Initialized Data:          0x8041DBB0 - 0x804201D0 (9760)
BSS Area:                  0x804201D0 - 0x80426AD0 (26880)
Local Heap:                0x80426AD0 - 0x80526AD0 (1048576)
Stack Area:                0x80526AD0 - 0x80528AD0 (8192)
Text (code) segment:       0x80401000 - 0x8041DBA4 (117668)
Boot area (physical):      0x00529000 - 0x00569000
Relocation Factor:         I:00000000 - D:00000000


*** Restore to Factory Default Setting ***


*** Break into CFE console ***

Board IP address                  : 192.168.1.1:ffffff00
Host IP address                   : 192.168.1.100
Gateway IP address                :
Run from flash/host (f/h)         : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 1
Board Id Name                     : HW553
Psi size in KB                    : 24
Number of MAC Addresses (1-32)    : 4
Base MAC Address                  : 00:24:89:57:44:82
Ethernet PHY Type                 : Internal
Memory size in MB                 : 64
CMT Thread Number                 : 1

web info: Waiting for connection on socket 0.
CFE> 

This is CFE with NVRAM embed, working serial console, reset 6 while power, leds, use cpu1 (CMT1), removed some of the information displayed on startup and it has added token to flash from CFE:
cfe_nvr_led_cmt1_reset_token.rar

You should also remove

Pulling BCM5325 out of reset (GPIO15 ON)......done

since this is a specific initialization of HomeHub2A, which boot as default with the switch in a reset state, but AFAIK this isn't the case of the HG533 router. And probably spite it's harmless there is no need to reinitialize the switch at the low level required in the HomeHub2, therefore using initialization of the switch as in the original code should be enough.

danitool wrote:

You should also remove

Pulling BCM5325 out of reset (GPIO15 ON)......done

since this is a specific initialization of HomeHub2A, which boot as default with the switch in a reset state, but AFAIK this isn't the case of the HG533 router. And probably spite it's harmless there is no need to reinitialize the switch at the low level required in the HomeHub2, therefore using initialization of the switch as in the original code should be enough.

OK, fixed: cfe_nvr_led_cmt1_reset_token_fix.rar

RESET while power up works but always restore default IP 192.168.1.1:

*** Restore to Factory Default Setting ***

*** Break into CFE console ***

How do the RESET not restored the factory default settings only break into CFE console?

Gelip wrote:

How do the RESET not restored the factory default settings only break into CFE console?

Not sure, it depends on the implementation done by the manufacturer. Usually restoring factory defaults means erasing the PSI partition (called nvram in openwrt), which are a couple of blocks at the end of the flash and used for storing settings in the original firmware.

I don't remember the behavior of this CFE. Probably restoring the default IP for CFE was made for ensuring you always could have the default IP available, for the cases you forgot the custom IP,  or if the device is being configured by another owner.

(Last edited by danitool on 6 Dec 2016, 16:31)