How to install OpenWrt firmware on AV4202N xDSL router after replacing CFE via JTAG.
Currently, although the BCM63xx platform is supported by OpenWrt, there are no releases for this device. Nor has the LEDE Project released a stable build for it, although they offer a development snapshot [3]. The problem with LEDE snapshots is that they don't work out of the box without additional software packages (you don't get any web interface).
But LEDE can't be installed on the device because of the locked bootloader. This article shows how to use JTAG to install a different bootloader that can then be used to flash OpenWRT/LEDE firmware. Part 2 details LEDE configuration and the internet connection.
Note! If the mentioned device was offered to you by an ISP for xDSL internet access, doing what is described next will void the warranty of the device and make it unusable. You should not attempt to change firmware in this situation. Third party firmware does not support xDSL!
Connections
To start you will need both JTAG port access and serial port access. You can start by soldering pin headers on J5 (2x3 pin header, 2.54 mm pitch – this is the serial port, with 3.3 V TTL levels) and on J2 (2x7 pin header, 2.54 mm pitch – standard MIPS EJTAG port, with 3.3 V levels).
AV4202N serial port (OpenWRT TOH [1])
AV4202N JTAG port (JTAG on LinuxMIPS wiki [2])
Replace CFE
The original bootloader (CFE) responds to commands sent via the serial port and allows firmware images to be installed (only signed images, not OpenWRT/LEDE). Somehow, I managed to break it with a crappy serial cable and some power cycling before making a backup of it. So I started to look for alternative bootloaders. Although I couldn't find the original CFE, I managed to find a CFE from a router with the same SoC [4]. I'm talking about the Netgear DGND3700 (download here the binary image, ready for flashing).

I successfully flashed a new CFE using UrJTAG and zJTAG. There are some issues with this SoC. First of all, it does not identify itself (IDCODE) before the instruction length is set, and both tools presented here read IDCODE before setting the instruction length. This breaks further JTAG commands because the software can't identify the CPU. So the registers need to be set manually in UrJTAG (standard MIPS registers) and CPU identification needs to be skipped in zJTAG. The other issue with this SoC is that it doesn't support DMA mode, only PrAcc, which is slower (flashing the 128 kB CFE takes 15-20 minutes).
Let’s start! Connect the router to a JTAG adapter (I’ve used an older computer with parallel port and Wiggler adapter) and power up the router. If you want to use UrJTAG, here are all commands [5] (you can put these lines in a text file and use the include command in UrJTAG or you can write them one at a time). Adjust the cable command for your adapter. Ignore unknown device errors produced by detect.
cable wiggler parallel 0x378
endian big
detect
register BR 1
register DIR 32
register EJIMPCODE 32
register EJADDRESS 32
register EJDATA 32
register EJCONTROL 32
register EJALL 96
instruction length 5
instruction BYPASS 11111 BR
instruction IDCODE 00001 DIR
instruction EJTAG_IMPCODE 00011 EJIMPCODE
instruction EJTAG_ADDRESS 01000 EJADDRESS
instruction EJTAG_DATA 01001 EJDATA
instruction EJTAG_CONTROL 01010 EJCONTROL
instruction EJTAG_ALL 01011 EJALL
initbus ejtag
detectflash 0x38000000

Now you can use the standard memory read/write routines. CFE is at the beginning of the flash, so the base address is 0x38000000 and the size is 0x20000. The read and flash operations are:
readmem 0x38000000 0x020000 cfe_backup.bin
flashmem 0x38000000 cfe_new.bin

Or, if you prefer zJTAG, these are the commands to read, erase and flash the CFE. The parameters are for the Wiggler cable.
zjtag -backup:custom /BE /instrlen:5 /nodma /noreset /skipdetect /wiggler /window:38000000 /start:38000000 /length:20000
zjtag -erase:custom /BE /instrlen:5 /nodma /noreset /skipdetect /wiggler /window:38000000 /start:38000000 /length:20000
zjtag -flash:custom /BE /instrlen:5 /nodma /noreset /skipdetect /wiggler /window:38000000 /start:38000000 /length:20000

For the flash to work, the CFE must be named CUSTOM.BIN and placed in the working directory (i.e. the folder you are running zJTAG from). Once you hit Enter, the process starts. You need to wait about 5 minutes for a read and 15 minutes for a flash write. This is the output in my case. After it finishes, power cycle the device with the serial cable connected and a serial terminal started (e.g. PuTTY).
==============================================
zJTAG EJTAG Debrick Utility v1.8 RC3
==============================================
cable=wiggler, cabletype=3
Selected port = 0x378
Detected IR chain length = 32
There are 1 device(s) in the JTAG chain
IDCODE for device 1 is 0xFFFFFFFF (IR length:1)
Probing bus ... Done
Instruction Length manually set to 5
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101101000000101111111 (0x0636817F)
CPU Manufacturer :Broadcom(ID=0x17E)
CPU Device ID :6368
CPU Revision :1
*** CHIP DETECTION OVERRIDDEN ***
- EJTAG IMPCODE ....... : 00000000100000011000100100000100 (0x00818904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS16 MIPS32
*** DMA Mode Forced Off ***
Issuing Processor / Peripheral Reset ... Skipped
Enabling Memory Writes ... Done
Halting Processor ...... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Probing Flash at Address: 0x38000000 ... Detected Chip ID (VenID:DevID = 017E : 2101)
*** Found a CFI Compatiable Flash Chip from AMD/Spansion
- Flash Chip Window Start .... : 38000000
- Flash Chip Window Length ... : 01000000
- Selected Area Start ........ : 38000000
- Selected Area Length ....... : 00020000
*** You Selected to Flash the CUSTOM.BIN ***
=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 1
Erasing block: 1 (addr = 38000000)...Done
Loading CUSTOM.BIN to Flash Memory... Done (CUSTOM.BIN loaded into Flash Memory OK)
=========================
Flashing Routine Complete
=========================
elapsed time: 832 seconds
*** REQUESTED OPERATION IS COMPLETE ***
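A verification step worth running between the read and the erase/flash above, since a flaky cable can corrupt either one (an added example for this guide, not code from the post, UrJTAG or zJTAG): it flags a backup that is the wrong size or reads as all 0xFF, and lists the flash address ranges where a read-back of the freshly flashed CFE differs from the image. The 0x38000000 base and 0x20000 size are the ones used above; the sample data is constructed, and reading the real cfe_backup.bin / cfe_new.bin files into it is left to the caller.

```python
"""Sanity checks around the JTAG read/erase/flash of the 128 KB CFE region.
Added example for this guide; it is not part of UrJTAG, zJTAG or CFE."""
import zlib

CFE_BASE = 0x38000000   # flash window start used by readmem/flashmem above
CFE_SIZE = 0x20000      # CFE occupies the first 128 KB of the flash

def check_dump(data: bytes) -> dict:
    """Flag a backup that is the wrong size or looks like a failed read."""
    return {
        "size_ok": len(data) == CFE_SIZE,
        # all 0xFF: region already erased, or the probe returned nothing
        "all_erased": data.count(0xFF) == len(data),
        # near-all zeros: typical of a PrAcc read that stalled part way
        "mostly_blank": data.count(0x00) > len(data) * 0.9,
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
    }

def diff_ranges(expected: bytes, actual: bytes, base: int = CFE_BASE) -> list:
    """Flash address ranges [start, end) where a read-back differs from the image."""
    ranges, start = [], None
    n = min(len(expected), len(actual))
    for i in range(n):
        if expected[i] != actual[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((base + start, base + i))
            start = None
    if start is not None:
        ranges.append((base + start, base + n))
    if len(expected) != len(actual):      # short read or truncated image
        ranges.append((base + n, base + max(len(expected), len(actual))))
    return ranges

def verify_flash(image: bytes, readback: bytes) -> bool:
    """True only when the read-back matches the image byte for byte."""
    return not diff_ranges(image, readback)

# Constructed sample data (assumption): a repeating-byte "image" and a read-back
# in which one 64-byte run stayed unprogrammed (0xFF) after a flaky write.
SAMPLE_IMAGE = bytes(range(256)) * (CFE_SIZE // 256)
SAMPLE_READBACK = bytearray(SAMPLE_IMAGE)
SAMPLE_READBACK[0x1F00:0x1F40] = b"\xFF" * 0x40
SAMPLE_READBACK = bytes(SAMPLE_READBACK)

if __name__ == "__main__":
    print(check_dump(SAMPLE_IMAGE))
    for lo, hi in diff_ranges(SAMPLE_IMAGE, SAMPLE_READBACK):
        print(f"mismatch at 0x{lo:08X}-0x{hi:08X}")
```

With real files, run check_dump on cfe_backup.bin before erasing, and diff_ranges on cfe_new.bin against a second readmem of the region after flashing; an all-0xFF backup is not worth keeping.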
Configure CFE
You need the serial port to configure CFE (set the board parameters). The Netgear CFE does not auto-configure itself and will not boot at all – so if you don't use the serial connection, the router will appear bricked and is unusable. Once you power up the device you should see the following in the serial console.

CFE version 1.0.37-104.4 for BCM96368 (32bit,SP,BE)
Build Date: Mon Nov 2 14:16:18 PST 2009 (root@localhost)
Copyright (C) 2000-2009 Broadcom Corporation.
Parallel flash device: name AM29LV320MT, id 0x2201 size 16384KB
*** Board is not initialized properly ***
*** Upgrading NVRAM (version 253635900 to version 5) ***
*** Board is not initialized properly ***
Press:
to use current value
'-' to go previous parameter
'.' to clear the current value
'x' to exit this command
96368VVW ------- 0
96368MVWG ------- 1
96368SV2 ------- 2
96368MBG ------- 3
96368NTR ------- 4
96368MBG6b ------- 5
96368VVWB ------- 6
96368MVWGB ------- 7
96368MNG ------- 8
96368MBG6302 ------- 9
96368MVWGJ ------- 10
96367AVNG ------- 11
Board Id (0-11) :

You are now in the CFE console. It asks for a board ID. For the AV4202N device, the boards MBG, MNG and AVNG have the best functionality (some LEDs light up, the switch works). I'm using 96368MNG (8). You will notice that while the bootloader is running (before the firmware loads), the wrong LED lights up. There's nothing you can do about this; don't worry – once the firmware boots it will take control of the LEDs. The important thing is that the switch is working and you can access the CFE via TCP and install LEDE. Continue the configuration by entering the respective board number and hitting Enter. The default number of MAC addresses for this router is 16. Write the base MAC address from the back label of the case. Leave the remaining options at their default values.
Once you finish the configuration, the device reboots.
LEDE installation
You don't need the JTAG connection anymore. Power cycle the device and access the serial CFE console (quickly after power up, press any key in the serial terminal). You can also enter the CFE console by powering up the device while holding down the reset button. Before installing LEDE, I suggest erasing the entire flash. In the serial terminal press e a, then y when asked to confirm.

On your computer set the wired adapter to static IP 192.168.1.2, subnet mask 255.255.255.0 and default gateway 192.168.1.1. Open a browser and go to http://192.168.1.1. You should see the CFE web interface where you can load the LEDE firmware image.
CFE web interface
If you still have the serial console open, you will see:
web info: Upload 3538948 bytes, Broadcom image format.
CFE> Flashing root file system and kernel at 0xb8020000: ............................ .
*** Image flash done *** !
Resetting board…

The second part of this tutorial covers setting up LEDE. For now, you should set the wired network back to DHCP (automatic IP address).
Links
- [1] OpenWRT Table of Hardware: ADB P.DG AV4202N.
- [2] LinuxMIPS Wiki: JTAG.
- [3] LEDE Project: Downloads.
- [4] NETGEAR Open Source Code for Programmers (GPL): DGND3700.
- [5] OpenWRT Table of Hardware: Huawei Echolife HG622.
Thank you for the guide.
I got 3 modems (A1 Austria branded) for free and will try it.
Just waiting for my JTAG cable to arrive.
It would be nice if you could make a backup of the original bootloader and send it to me. Somehow I lost the original bootloader. What JTAG cable will you be using?
Very good guide. I tried UrJTAG with your script and got the SoC info, but my device is BCM6368 + NAND flash
(Thomson CPE TG788). The only JTAG tool that can deal with NAND flash, I think, is OpenOCD, but unfortunately it cannot accept MIPS registers manually. Do you have a solution for me? Thanks.
Unfortunately I have no idea about using openocd with MIPS.
Thanks for the reply. Can you guide me to a JTAG tool that can control a NAND flash board? Thanks.
I managed to flash the bootloader using OpenOCD and an STM32 as the JTAG adapter.
One strange thing I saw was that the flash was at location 0xb8000000.
Here is the board config I used:
--------
# OpenOCD board config (Tcl syntax) for the BCM6368
set _CHIPNAME bcm6368
set _CPUID 0x0636817F
#adapter_khz 1000
# EJTAG TAP with a 5-bit instruction register, as in the UrJTAG script above
jtag newtap $_CHIPNAME cpu -irlen 5 -ircapture 0x1 -irmask 0x1f -expected-id $_CPUID
set _TARGETNAME $_CHIPNAME.cpu
# MIPS32 M4K-style target, big endian
target create $_TARGETNAME mips_m4k -endian big -chain-position $_TARGETNAME
set partition_list {
CFE { Bootloader 0xb8000000 0x00020000 }
}
set _FLASHNAME $_CHIPNAME.flash
# CFI parallel flash: 16 MB window at the KSEG1 address, 2-byte chip width, 2-byte bus width
flash bank $_FLASHNAME cfi 0xb8000000 0x1000000 2 2 $_TARGETNAME
--------
OpenOCD should be able to detect a valid flash using the command:
flash probe 0
After that the image can be flashed using:
flash write_image erase cfe_file.bin 0xb8000000 bin
Hi,
I lost my CFE backup, can someone send it to me?
Thanks
You can download the CFE of DGND3700, which is compatible with av4202n. The download link is in this post.
I tried to restore the original Telekom Austria firmware and it doesn't boot (it crashes with a kernel panic) with that CFE, so I wanted to try it with a backed-up CFE, but I don't find mine anymore.
I don't have the original CFE and I couldn't find it in any official firmware. You could try asking on the OpenWRT forums, maybe someone will make a backup of the original CFE and share it.
Or is it possible to extract the original CFE from a firmware update file?
Thanks
Thank you very much for the tutorial, even now in 2024. Worked with PIC18F14K50 JTAG UsbBlaster. I got two of these routers from trash, so I wanted to play with them. The original bootloader is very suspicious. I managed to brick both of them in like 5 minutes of testing UART. Maybe the bootloader had some self destruct system :D.