Westell 7500 based on bcm4318 and bcm6358

Etn45p4m
2009-08-24
2013-07-26
  • Etn45p4m

    Etn45p4m - 2009-08-24

    Hi all,
    this is my first experience with flash programming, so I apologize in advance
    for any inaccuracy or mistake in what I write.
    I have a Westell versalink 7500 router based on BCM6358 and I would like to have
    a backup of the firmware before starting to modify it.
    Urjtag was complaining because there was no support for BCM4318 so I copied the
    definition as follows (I am not at all sure it is correct):

    diff -Naur urjtag-0.10/data/broadcom/bcm4318/bcm4318 urjtag-0.10-patched/data/broadcom/bcm4318/bcm4318
    --- urjtag-0.10/data/broadcom/bcm4318/bcm4318   1970-01-01 01:00:00.000000000 +0100
    +++ urjtag-0.10-patched/data/broadcom/bcm4318/bcm4318   2009-08-24 15:17:04.910096447 +0200
    @@ -0,0 +1,53 @@
    +# This program is free software; you can redistribute it and/or
    +# modify it under the terms of the GNU General Public License
    +# as published by the Free Software Foundation; either version 2
    +# of the License, or (at your option) any later version.
    +#
    +# This program is distributed in the hope that it will be useful,
    +# but WITHOUT ANY WARRANTY; without even the implied warranty of
    +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    +# GNU General Public License for more details.
    +#
    +# You should have received a copy of the GNU General Public License
    +# along with this program; if not, write to the Free Software
    +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
    +# 02111-1307, USA.
    +
    +register       BR               1
    +register       BSR              1
    +register       DIR             32
    +register       EJIMPCODE       32
    +register       EJADDRESS       32
    +register       EJDATA          32
    +register       EJCONTROL       32
    +register       EJALL           96
    +#register      EJFASTDATA      33
    +
    +instruction length 5
    +
    +instruction    BYPASS          11111   BR
    +instruction    SAMPLE/PRELOAD  00010   BSR
    +instruction    IDCODE          00001   DIR
    +instruction    EJTAG_IMPCODE   00011   EJIMPCODE
    +instruction    EJTAG_ADDRESS   01000   EJADDRESS
    +instruction    EJTAG_DATA      01001   EJDATA
    +instruction    EJTAG_CONTROL   01010   EJCONTROL
    +instruction    EJTAG_ALL       01011   EJALL
    +instruction    EJTAGBOOT       01100   BR
    +instruction    NORMALBOOT      01101   BR
    +#instruction   EJTAG_FASTDATA  01110   EJFASTDATA
    +
    +endian big
    +initbus ejtag_dma
    +
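    Review bot: `instruction length 5` and the five-bit opcodes in this new file are carried over from another part's definition with nothing confirming they apply to the BCM4318, and the `detect` output further down reports a total IR length of 13 for this two-device chain, which two 5-bit parts cannot add up to. Confirm the part's IR length before merging. Drop the EJTAG_* registers and instructions and the closing `endian big` / `initbus ejtag_dma` lines unless the part is known to expose an EJTAG-capable core, since they lead UrJTAG to initialize a bus on it. A header comment naming the file this was copied from, and stating that it is unverified, would also help.
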
    diff -Naur urjtag-0.10/data/broadcom/bcm4318/STEPPINGS urjtag-0.10-patched/data/broadcom/bcm4318/STEPPINGS
    --- urjtag-0.10/data/broadcom/bcm4318/STEPPINGS 1970-01-01 01:00:00.000000000 +0100
    +++ urjtag-0.10-patched/data/broadcom/bcm4318/STEPPINGS 2009-08-24 15:17:04.910096447 +0200
    @@ -0,0 +1,22 @@
    +# This program is free software; you can redistribute it and/or
    +# modify it under the terms of the GNU General Public License
    +# as published by the Free Software Foundation; either version 2
    +# of the License, or (at your option) any later version.
    +#
    +# This program is distributed in the hope that it will be useful,
    +# but WITHOUT ANY WARRANTY; without even the implied warranty of
    +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    +# GNU General Public License for more details.
    +#
    +# You should have received a copy of the GNU General Public License
    +# along with this program; if not, write to the Free Software
    +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
    +# 02111-1307, USA.
    +
    +0010   bcm4318 V1
    +
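    Review bot: the single stepping line `0010   bcm4318 V1` carries no record of where the value came from, and the "V1" label is arbitrary. Add a comment that 0010 is the top nibble of the IDCODE 0x2431817F reported by `detect` on the Westell 7500, and note that this is the only version nibble the file lists.
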
    diff -Naur urjtag-0.10/data/broadcom/PARTS urjtag-0.10-patched/data/broadcom/PARTS
    --- urjtag-0.10/data/broadcom/PARTS     2009-04-17 22:24:11.000000000 +0200
    +++ urjtag-0.10-patched/data/broadcom/PARTS     2009-08-24 15:17:04.910096447 +0200
    @@ -27,3 +27,4 @@
    0101010000100001       bcm5421s        BCM5421S
    0100011100010010       bcm4712         BCM4712
    0110001101011000       bcm6358         BCM6358
    +0100001100011000       bcm4318         BCM4318
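
    Review bot: the added PARTS line should go in only together with a verified definition file, because it is what makes `detect` load data/broadcom/bcm4318/bcm4318 for this device; as posted, that file ends in `initbus ejtag_dma`, and the session below shows the outcome as "Initialized bus 1, active bus 0" with the BCM4318 as JTAG part No. 0. The part bits themselves are consistent with the reported IDCODE 0x2431817F (bits 27..12 are 0x4318).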

    So this is now the output of urjtag:

    # jtag

    UrJTAG 0.10 #1502
    Copyright (C) 2002, 2003 ETC s.r.o.
    Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

    UrJTAG is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    There is absolutely no warranty for UrJTAG.

    WARNING: UrJTAG may damage your hardware!
    Type "quit" to exit, "help" for help.

    jtag> cable ea253 parallel 0x378
    Initializing parallel port at 0x378
    jtag> detect
    IR length: 13
    Chain length: 2
    Device Id: 00100100001100011000000101111111 (0x000000002431817F)
      Manufacturer: Broadcom
      Part(0):         BCM4318
      Stepping:     V1
      Filename:     /usr/share/urjtag/broadcom/bcm4318/bcm4318
    Device Id: 00000110001101011000000101111111 (0x000000000635817F)
      Manufacturer: Broadcom
      Part(1):         BCM6358
      Stepping:     V1
      Filename:     /usr/share/urjtag/broadcom/bcm6358/bcm6358
    Initialized bus 1, active bus 0
    ImpCode=00000000000000000000000000000000
    EJTAG version: <= 2.0
    EJTAG Implementation flags: R4k DMA MIPS32
    Clear memory protection bit in DCR
    Clear Watchdog
    Potential flash base address: [0x0], [0x0]
    Processor successfully switched in debug mode.
    ImpCode=00000000000010010000000000000000
    EJTAG version: <= 2.0
    EJTAG Implementation flags: R4k MIPS16 DMA MIPS32
    Clear memory protection bit in DCR
    Clear Watchdog
    Potential flash base address: [0x418200], [0x418200]
    Processor successfully switched in debug mode.
    jtag> print
    No. Manufacturer              Part                 Stepping Instruction          Register
    ------------------------------------------------------------------------------------------------------------------
       1 Broadcom                  BCM6358              V1       EJTAG_CONTROL        EJCONTROL

    Active bus:
    *0: EJTAG compatible bus driver via DMA (JTAG part No. 0)
            start: 0x00000000, length: 0x1E000000, data width: 32 bit, (USEG : User addresses)
            start: 0x1E000000, length: 0x02000000, data width: 16 bit, (FLASH : Addresses in flash (boot=0x1FC000000))
            start: 0x20000000, length: 0x60000000, data width: 32 bit, (USEG : User addresses)
            start: 0x80000000, length: 0x20000000, data width: 32 bit, (KSEG0: Kernel Unmapped Cached)
            start: 0xA0000000, length: 0x20000000, data width: 32 bit, (KSEG1: Kernel Unmapped Uncached)
            start: 0xC0000000, length: 0x20000000, data width: 32 bit, (SSEG : Supervisor Mapped)
            start: 0xE0000000, length: 0x20000000, data width: 32 bit, (KSEG3: Kernel Mapped)
    jtag> detectflash 0x418200
    dev ID=418200   man ID=418200
    amd_detect: mid 418200, did 418200
    Flash not found!
    jtag> detectflash 0
    dev ID=418200   man ID=418200
    amd_detect: mid 418200, did 418200
    Flash not found!
    jtag> bus 1
    jtag> print
    No. Manufacturer              Part                 Stepping Instruction          Register
    ------------------------------------------------------------------------------------------------------------------
       1 Broadcom                  BCM6358              V1       EJTAG_CONTROL        EJCONTROL

    Active bus:
    *1: EJTAG compatible bus driver via DMA (JTAG part No. 1)
            start: 0x00000000, length: 0x1E000000, data width: 32 bit, (USEG : User addresses)
            start: 0x1E000000, length: 0x02000000, data width: 16 bit, (FLASH : Addresses in flash (boot=0x1FC000000))
            start: 0x20000000, length: 0x60000000, data width: 32 bit, (USEG : User addresses)
            start: 0x80000000, length: 0x20000000, data width: 32 bit, (KSEG0: Kernel Unmapped Cached)
            start: 0xA0000000, length: 0x20000000, data width: 32 bit, (KSEG1: Kernel Unmapped Uncached)
            start: 0xC0000000, length: 0x20000000, data width: 32 bit, (SSEG : Supervisor Mapped)
            start: 0xE0000000, length: 0x20000000, data width: 32 bit, (KSEG3: Kernel Mapped)
    jtag> detectflash 0
    dev ID=418200   man ID=418200
    amd_detect: mid 418200, did 418200
    Flash not found!
    jtag> detectflash 0x418200
    dev ID=418200   man ID=418200
    amd_detect: mid 418200, did 418200
    Flash not found!

    I am stuck at this point. Any attempt to read the flash will result in something like this:
    # xxd read.bin
    0000000: 0041 8200 0041 8200 0041 8200 0041 8200  .A...A...A...A..
    0000010: 0041 8200 0041 8200 0041 8200 0041 8200  .A...A...A...A..
    0000020: 0041 8200 0041 8200 0041 8200 0041 8200  .A...A...A...A..
    0000030: 0041 8200 0041 8200 0041 8200 0041 8200  .A...A...A...A..

    There should be 2 flash chips on the board with the following ID numbers on them:
    M29W320 and M29W160.
    From the bootloader one can deduce:
    Bootloader>flashlayout

      +++++ Flash Layout +++++
    BE000000  Start of flash
    FFFFFFFF  App2 part 2 (split)
    BE000000  Boot loader image
    BE01FE74  Boot headers
    BE01FFE8  System header
    BE020000  Flash file system start
    BE22F3C0  Flash file system, file area end
    BE23FFFF  Flash file system end
    BE2430C6  Main app (headers + image)
    BE5FFFFF  End of flash

    Any suggestion?
    Thanks
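
A sanity check for the symptom shown in the post above, where every word of `read.bin` is `00418200` and `detectflash` prints that same value as both manufacturer and device ID. This is an added example, not part of the original post or of UrJTAG; the function names are hypothetical and the sample bytes are constructed from the quoted output, compared as big-endian words as in the `xxd` listing.

```python
# Added example; names are hypothetical, not UrJTAG APIs.
# Sample values are constructed from the xxd and detectflash output in the post.
STUCK_DUMP = bytes.fromhex("00418200") * 16
REPORTED_MAN_ID = 0x418200
REPORTED_DEV_ID = 0x418200


def smallest_period(data, max_period=64):
    """Return the shortest p <= max_period such that data repeats every p bytes."""
    for p in range(1, min(max_period, len(data) // 2) + 1):
        # data[i + p] == data[i] for every i means the dump is p-periodic.
        if data[p:] == data[:-p]:
            return p
    return None


def assess_dump(data, man_id=None, dev_id=None):
    """Return the reasons a flash dump should not be trusted as a backup."""
    reasons = []
    if len(data) < 8:
        return ["dump too short to assess"]
    period = smallest_period(data)
    if period is not None:
        word = data[:period]
        if word in (b"\xff", b"\x00"):
            # Erased flash reads 0xff; an undriven or gated bus often reads 0x00.
            reasons.append("blank: every byte is 0x%02x" % word[0])
        else:
            reasons.append("repeats every %d bytes (%s)" % (period, word.hex()))
            if man_id is not None and int.from_bytes(word, "big") == man_id:
                # The bus returns one value whatever address or command is sent.
                reasons.append("repeated word equals the reported manufacturer ID")
    if man_id is not None and man_id == dev_id:
        # Autoselect reads two different addresses; equal IDs mean no real answer.
        reasons.append("manufacturer ID equals device ID")
    return reasons


if __name__ == "__main__":
    for reason in assess_dump(STUCK_DUMP, REPORTED_MAN_ID, REPORTED_DEV_ID):
        print("untrusted:", reason)
```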

     
    • Kolja Waschk

      Kolja Waschk - 2009-08-24

      Hi,
      maybe you can "see" the flash mapped somewhere else, e.g.  try "detectflash 0x1e000000"?
      Kolja

       
    • Etn45p4m

      Etn45p4m - 2009-08-24

      Hi,
      I get the same result with 0x1e000000. Since I have no idea on a reasonable address for the flash to be mapped to I tried a little randomly with no result.
      Is there any way to compute a probable address?
      Thanks

       
    • Kolja Waschk

      Kolja Waschk - 2009-08-24

      The ejtag_dma bus driver (AFAIK) interprets 0x1E000000 as the base for a 16 bit wide external flash. At least the "first" flash (connected to the first chipselect pin) should be visible there. Because the two chips are of different size, I assume they're connected "one after another" with 16 bit bus width (0xBE000000 + 32 MBit = 0xBE400000, + another 16 MBit = 0xBE600000). So the other one could be visible at 0x1E400000. Or 0x1E200000. I have no clue yet why you can't detect either at 0x1E000000 though. At the point in time when you tried detectflash, was the bootloader already up?

       
    • Etn45p4m

      Etn45p4m - 2009-08-26

      None of those values work...
      The bootloader is running but the OS is not loaded yet.
      Will this make any difference? I assume that it is possible to reflash the entire system even if the bootloader is completely messed up, so why is its state interesting?
      Thanks

       
    • Etn45p4m

      Etn45p4m - 2009-08-26

      Maybe a stupid idea: is it possible, having two chips in the jtag chain and since flash seems to be connected to the second one, that I have to skip a certain amount (which?) to arrive at the beginning of the 2nd processor addressing space?
      Is it possible to exclude bcm4318 from the chain?
      I hope my questions are not as dumb as they sound
      Thanks

       
  • DanMan32

    DanMan32 - 2013-06-28

    Hi all,
    I have a bricked Westell 7500 that I am trying to revive, as I had the misfortune of compiling and installing the firmware located on Westell's website.

    I bought a TUMPA cable, which provides USB based JTAG and TTL serial interface. The only two utilities that seem to support TUMPA in any way are zJTAG and the latest UrJTAG. zJTAG isn't too useful, since it doesn't support more than one device in the JTAG chain.
    UrJTag was a bit better, but didn't detect the flash at all, returning all zeros for its ID.
    For UrJTag,
    I didn't create a definition for the 4318 which I thought was the first device in the chain. UrJTag seemed to automatically connect to the 6358 even without the other defined, but maybe not, as it seemed confused with the bus numbers ("bus 1" returned invalid bus number).
    Doesn't the 4318 have an IR length of 8, since the entire chain has len of 13, and the 6358 has len of 5?
    I updated the definition files, but still it isn't detecting the 4318.
    I even noted to change 0000 to 0010 in steppings for the 4318

    I am using Wordpad to edit the text files, since Notepad won't assume LF when only a CR exists at the end of the line. Also noticed that tabs were changed to spaces. Are either of these an issue?

     
  • DanMan32

    DanMan32 - 2013-06-28

    I must be missing a step. To test which folder jtag was reading, I renamed MANUFACTURERS in the folder at the root of my UrJTag folder, and in the one with the source files. JTAG was still able to at least pick up the 6358. Do I have to completely recompile every time these files are changed? Or do I at least need to 'make install'?
    I am using Windows so it is a bit of a pain to have to run CYGWIN to reconfigure UrJTag.

    Even if I do get UrJTag to detect both devices and latch on to the 6358, there's still the issue of the flash. There must be a way to work it out, since others have been able to flash with a modified tJTag using the CUSTOM modifier for flash functions. From what I understand, the only modification to the tJTag was to skip over (BYPASS) the 4318 since normally the tJTag can't handle more than one part in the JTAG chain, and the 4318 is the first device in the chain.

    By the way, I keep getting multiple lines of "chain.c (###) Part 0 without active instruction". Now that I think of it, that's probably because the 4318 is yet undefined. I get about 6 of those per step, shouldn't I get 8 since the IR length of the 4318 is 8?

     
  • DanMan32

    DanMan32 - 2013-06-28

    OK, I found the active folder for the data files is \usr\local\share\urjtag off of the root of my cygwin install. Gee I wish (thought) that urjtag.exe would be a standalone utility after compile.
    With instruction length of 8 for the 4318, I got several 'invalid instruction length'.
    So I set it to 5, seems to work better, detecting both parts. But then, where are the extra 3 bits going?
    When making changes, UrJtag would crash with a stack dump, but then seemed to go further without crashing after a couple tries.
    No more 'part 0 without active instruction' either.
    OK, now I am where others left off. This is probably where a 'custom' function for flash is needed. In the DD-WRT forum, it was indicated the Westell has a Samsung K8P3215 flash. Since I don't think UrJTag has a way to override the flash ID like you can with zJTag/tJTag, can't say there's a way to go further without some programming modification.

     
  • DanMan32

    DanMan32 - 2013-06-28

    I discovered a new development:
    Because of a bug in the firmware source listed in Westell's site for a 7500, the router reboots about every minute due to watchdog timeout.
    I can get into bootloader by hitting spacebar before kernel is loaded.

    With both parts set at instruction length 5, the first time I run detect, it crashes with a stack dump. If I run it again, I may get a clean showing of the devices, or I may get 'part 0 without active instruction'.

    Seems the parts aren't always in stable states, particularly after detect.

    I tried looking at the code for zJTag, hoping I could patch it with the additions provided in tjtag_w7501, but the code used for USB based cables is vastly different in the zJtag, than it is for the parallel port handling. Too confusing for me to understand.

    Perhaps I can figure out how UrJtag interfaces to the FT2232, and adapt it into the tjtag_w7501.

    Now that I think of it, UrJTag doesn't show to be officially supporting TUMPA, so it is possible that UrJtag is putting TUMPA in an unstable state, rather than the Westell.

     
  • DanMan32

    DanMan32 - 2013-06-28

    OK, I now have gotten a LOT further.
    Since the 4318 is not a CPU with flash attached to it (I believe it is the WiFi chip), I took out all the ejtag info from its definition file.
    Detect then found potential flash base at 0x1e000000 (correct)
    Then did DetectFlash 0x1e000000, got:
    Query identification string:
    Primary Algorithm Command Set and Control Interface ID Code: 0x0002 (AMD/Fujitsu Standard Command Set)
    Alternate Algorithm Command Set and Control Interface ID Code: 0x0000 (null)
    Query system interface information:
    Vcc Logic Supply Minimum Write/Erase or Write voltage: 2700 mV
    Vcc Logic Supply Maximum Write/Erase or Write voltage: 3600 mV
    Vpp [Programming] Supply Minimum Write/Erase voltage: 0 mV
    Vpp [Programming] Supply Maximum Write/Erase voltage: 0 mV
    Typical timeout per single byte/word program: 128 us
    Typical timeout for maximum-size multi-byte program: 128 us
    Typical timeout per individual block erase: 1024 ms
    Typical timeout for full chip erase: 0 ms
    Maximum timeout for byte/word program: 1024 us
    Maximum timeout for multi-byte program: 4096 us
    Maximum timeout per individual block erase: 16384 ms
    Maximum timeout for chip erase: 0 ms
    Device geometry definition:
    Device Size: 4194304 B (4096 KiB, 4 MiB)
    Flash Device Interface Code description: 0x0002 (x8/x16)
    Maximum number of bytes in multi-byte program: 32
    Number of Erase Block Regions within device: 2
    Erase Block Region Information:
    Region 0:
    Erase Block Size: 8192 B (8 KiB)
    Number of Erase Blocks: 8
    Region 1:
    Erase Block Size: 65536 B (64 KiB)
    Number of Erase Blocks: 63
    Primary Vendor-Specific Extended Query:
    Major version number: 1
    Minor version number: 3
    Address Sensitive Unlock: Required
    Process Technology: CS99
    Erase Suspend: Read/write
    Sector Protect: 1 sectors per group
    Sector Temporary Unprotect: Not supported
    Sector Protect/Unprotect Scheme: 29BDS640 mode (Software Command Locking)
    Simultaneous Operation: Not supported
    Burst Mode Type: Supported
    Page Mode Type: 4 word Page
    ACC (Acceleration) Supply Minimum: 11500 mV
    ACC (Acceleration) Supply Maximum: 12500 mV
    Top/Bottom Sector Flag: Bottom boot device
    Program Suspend: Not supported

    Let's see if I can now update the flash.

     
  • DanMan32

    DanMan32 - 2013-06-28

    I managed to flash the CFE using the concept found at:
    http://hanschan.no-ip.org:8080/wiki/index.php/Openwrt_on_Westell_7500

    but flash instruction for UrJTag is:
    flashmem 0x1e000000 ../cfe6358.bin (the bin file was in the parent folder from where I was running jtag)
    After router reboot, I got the generic CFE working.
    However jtag detect is still unstable. So far I could not get it to the point where I could flash openwrt-96358VW2-generic-squashfs-cfemod.bin
    Maybe I can TFTP it up.
    However I still find jtag unstable

     
  • DanMan32

    DanMan32 - 2013-06-28

    I was surprised UrJTag doesn't have a function to read and save flash. I was hoping to save the stock firmware (CFE and Kernel).

     
  • DanMan32

    DanMan32 - 2013-06-28

    Realized I can't TFTP up firmware; the router's switch isn't activated yet.

    After repeated trials, I managed to get it to start uploading the OpenWRT firmware, currently in progress.

    I'd really like to find out why UrJTag is unstable, particularly with Detect. Speed maybe? I know zJTag requires /L1:4, but it starts with 30 MHz, or 30000000 as UrJTag sees it. UrJTag shows default speed as 6000000 (6 MHz) which should be OK.
    I did play around with nTRST, both grounding it, and having the adapter control it. I didn't really notice any difference in behavior.

     
  • DanMan32

    DanMan32 - 2013-06-28

    OpenWRT is uploaded. As per the instructions on http://hanschan.no-ip.org:8080/wiki/index.php/Openwrt_on_Westell_7500 I enabled the switch, but the GPIO initialization for the switch doesn't persist on reboot. Found out the files in ETC are rewritable, unlike the stock kernel, so I should be able to add the needed commands in one of the initialization files, maybe System. Hopefully in a script that executes before the switch is automatically initialized.

    Didn't realize there was no web interface on these.

     
  • DanMan32

    DanMan32 - 2013-07-01

    Incidentally, I was able to get 'detect' more stable. Turns out BCM4318 does indeed have an instruction length of 8, but I forgot to edit the instruction bit lengths to 8 bits.
    Also removed the lines at the bottom that defined endian and ejtag mode. After all, the radio doesn't support ejtag:

    -endian big
    -initbus ejtag_dma

    Once I did that, UrJtag was much more stable in working with the 7500. The only issue was that I could only run 'detect' once. If done a second time, it somehow puts the CPU in an unstable state. I suspect the EJTag routines in UrJTag don't take into account that there's an extra bit in the data register chain on account of the bcm4318 being bypassed.

    Latest firmware openwrt-96358VW2-generic-squashfs-cfe.bin works without modded recompiling except for the switch remaining disabled. All you need to do is add the following line in the /etc/config/boot file just before the /etc/init.d modules are loaded:

    echo 1 >/sys/class/leds/96358VW2:green:power/brightness

    This is because the switch is controlled by GPIO5, but in 96358VW2 GPIO5 is assigned to the power LED with the LED manager labelling it as 96358VW2:green:power and handling accordingly.

    Here's the working bcm4318 file (I tried attaching it to no avail):

    #
    # $Id: bcm4318 (based on BCM6358) 1487 2009-04-08 21:07:12Z arniml $
    #
    # JTAG declarations for Atheros AR2312
    # Also valid for Broadcom BCM6358 (J. Aube)
    #
    # Copyright (C) 2005 Marek Michalkiewicz
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
    # 02111-1307, USA.
    #
    # Written by Marek Michalkiewicz marekm@amelek.gda.pl, 2005.
    #

    register BR 1
    register BSR 1
    register DIR 32

    # EJTAG instruction registers which may not be valid here:
    # Doesn't work, remarking out
    #register EJIMPCODE 32
    #register EJADDRESS 32
    #register EJDATA 32
    #register EJCONTROL 32
    #register EJALL 96
    #register EJFASTDATA 33

    instruction length 8

    instruction BYPASS 11111111 BR
    instruction SAMPLE/PRELOAD 00000010 BSR
    instruction IDCODE 00000001 DIR
    instruction NORMALBOOT 00001101 BR

    # EJTAG instruction codes which may not be valid here:
    # doesn't work, remarking out
    #instruction EJTAG_IMPCODE 00000011 EJIMPCODE
    #instruction EJTAG_ADDRESS 00001000 EJADDRESS
    #instruction EJTAG_DATA 00001001 EJDATA
    #instruction EJTAG_CONTROL 00001010 EJCONTROL
    #instruction EJTAG_ALL 00001011 EJALL
    #instruction EJTAGBOOT 00001100 BR
    #instruction EJTAG_FASTDATA 00001110 EJFASTDATA

     
    Last edit: DanMan32 2013-07-01
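
The IDCODE and IR-length bookkeeping discussed in this thread, as an added example that is not part of any post or of UrJTAG. It splits the two IDCODEs from the `detect` output into the bit strings used as keys in STEPPINGS and PARTS, infers the undefined part's IR length from the chain total, and checks a definition file for opcodes whose width does not match `instruction length`; the function names and the sample definition text are constructed for illustration.

```python
# Added example; function names are hypothetical, not UrJTAG APIs.
# Values below are taken from the `detect` output quoted in the thread.
IDCODES = [0x2431817F, 0x0635817F]
CHAIN_IR_LENGTH = 13                          # "IR length: 13"
KNOWN_IR_LENGTHS = {"0110001101011000": 5}    # bcm6358, as stated in the thread

# Constructed definition text reproducing the opcode-width mistake described.
SAMPLE_DEFINITION = """\
instruction length 8
instruction BYPASS 11111111 BR
instruction IDCODE 00001 DIR
#instruction EJTAG_DATA 01001 EJDATA
"""


def decode_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE into version, part and manufacturer bits."""
    if not 0 <= idcode <= 0xFFFFFFFF:
        raise ValueError("IDCODE must fit in 32 bits")
    if idcode & 1 == 0:
        raise ValueError("bit 0 is 0: this is a BYPASS bit, not an IDCODE")
    return {
        "stepping": format(idcode >> 28, "04b"),              # STEPPINGS key
        "part": format((idcode >> 12) & 0xFFFF, "016b"),      # PARTS key
        "manufacturer": format((idcode >> 1) & 0x7FF, "011b"),
    }


def missing_ir_length(chain_ir_length, idcodes, known):
    """Infer the IR length of the single part that has no definition yet."""
    remaining = chain_ir_length
    unknown = []
    for idcode in idcodes:
        part = decode_idcode(idcode)["part"]
        if part in known:
            remaining -= known[part]
        else:
            unknown.append(part)
    if len(unknown) != 1:
        raise ValueError("need exactly one undefined part to infer its IR length")
    if remaining < 2:
        raise ValueError("IR lengths do not add up (1149.1 minimum is 2 bits)")
    return unknown[0], remaining


def lint_definition(text):
    """Return (name, bits) for opcodes whose width differs from 'instruction length'."""
    length = None
    bad = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) == 3 and fields[:2] == ["instruction", "length"]:
            length = int(fields[2])
        elif len(fields) == 4 and fields[0] == "instruction":
            name, bits = fields[1], fields[2]
            if length is None or len(bits) != length or set(bits) - {"0", "1"}:
                bad.append((name, bits))
    return bad


if __name__ == "__main__":
    for code in IDCODES:
        print(hex(code), decode_idcode(code))
    print(missing_ir_length(CHAIN_IR_LENGTH, IDCODES, KNOWN_IR_LENGTHS))
    print(lint_definition(SAMPLE_DEFINITION))
```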
    • DanMan32

      DanMan32 - 2013-07-26

      I went and bought a Westell 7501 to further develop OpenWRT to support the LEDs, only to find out the Broadcom CFE6358 doesn't support the flash chips on this particular board. Also discovered that the CFE6358 supports the flash on the 7500, but only recognizes the first flash, and so OpenWRT only sees 4MB of flash.

      Tried compiling RedBoot for 6358 using source with files for 6348 and making the necessary modifications, but can't get that to even start.

       
