[Problem gelöst, FBF neu geflasht über JTag] FBF7050, adam2 Bootloader deadlock?
- Ersteller feadi
- Erstellt am
Hello, I'm trying to restore bootloader on a Fritz!Box Fon ATA using EJTAG
I followed the page http://feadispace.fe.funpic.de/FBF7050/
I buyed this interface based on 74HC244
http://cgi.ebay.it/ws/eBayISAPI.dll?ViewItem&rd=1&item=260159253447&ssPageName=STRK:MEWN:IT&ih=016
I connected
TRST connected to 3v3 with 100 Ohm
TDI (pin 2)
TDO (pin 13)
TMS (pin 4)
TCK (pin 3)
3V3
GND
I made the connection and I'm tryig to use
E:\incoming\Fritz>wrt54g-v4.8.exe -probeonly
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000000000001000000001111 (0000100F)
*** Found a TI AR7WRD TNETD7300GDU Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 11111111111111111111111111111110 (FFFFFFFE)
- EJTAG Version ....... : Unknown (7 is a reserved value)
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ...
<blocked>
E:\incoming\Fritz>wrt54g-v4.8.exe -flash:custom /skipdetect /instrlen:5 /
90000000 /start:90000000 /length:10000
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 11111111111111111111111111111110 (FFFFFFFE)
*** CHIP DETECTION OVERRIDDEN ***
- EJTAG IMPCODE ....... : 11111111111111111111111111111110 (FFFFFFFE)
- EJTAG Version ....... : Unknown (7 is a reserved value)
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ...
<blocked>
Can someone give me an help?
Thanks
Stefano
I followed the page http://feadispace.fe.funpic.de/FBF7050/
I buyed this interface based on 74HC244
http://cgi.ebay.it/ws/eBayISAPI.dll?ViewItem&rd=1&item=260159253447&ssPageName=STRK:MEWN:IT&ih=016
I connected
TRST connected to 3v3 with 100 Ohm
TDI (pin 2)
TDO (pin 13)
TMS (pin 4)
TCK (pin 3)
3V3
GND
I made the connection and I'm tryig to use
E:\incoming\Fritz>wrt54g-v4.8.exe -probeonly
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000000000001000000001111 (0000100F)
*** Found a TI AR7WRD TNETD7300GDU Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 11111111111111111111111111111110 (FFFFFFFE)
- EJTAG Version ....... : Unknown (7 is a reserved value)
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ...
<blocked>
E:\incoming\Fritz>wrt54g-v4.8.exe -flash:custom /skipdetect /instrlen:5 /
90000000 /start:90000000 /length:10000
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 11111111111111111111111111111110 (FFFFFFFE)
*** CHIP DETECTION OVERRIDDEN ***
- EJTAG IMPCODE ....... : 11111111111111111111111111111110 (FFFFFFFE)
- EJTAG Version ....... : Unknown (7 is a reserved value)
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ...
<blocked>
Can someone give me an help?
Thanks
Stefano
Zuletzt bearbeitet:
Hi you
Here is the tools I use for JTAG on Fritz.
Please read the PDF file...
The information is collected in this forum and form nice person in the forum
http://www.speedyshare.com/132406535.html
Regards
Flemming.
Here is the tools I use for JTAG on Fritz.
Please read the PDF file...
The information is collected in this forum and form nice person in the forum
http://www.speedyshare.com/132406535.html
Regards
Flemming.
Zuletzt bearbeitet:
Ciao Stefano,
try this:
- connect pc&interface, interface&FBF
- poweron FBF
- start Feadi-Jtag.exe
- press '6' <return>
What happend?
best regards
- Feadi
try this:
- connect pc&interface, interface&FBF
- poweron FBF
- start Feadi-Jtag.exe
- press '6' <return>
What happend?
best regards
- Feadi
@flemse
Hi.
According to your PDF, TCK is not connected at all.
Is it right?
Regars.
Stefano
Hi.
According to your PDF, TCK is not connected at all.
Is it right?
Regars.
Stefano
Zuletzt bearbeitet:
Ok, thank you.
Then I make some modification to can use my JTAG interface.
1) TRST -> 100Ohm GND
2) cTRST -> 100Ohm GND
JTAG - FBF
TMS - TDI (pin 2)
TCK - TCK (pin 3)
TDO - cTDO (pin 13)
TDI - TMS (pin 4)
3V3 - 3V3
GND - GND
GND - TRST (100 Ohm)
GND - cTRST (100 Ohm)
This is because my JTAG use pin 2 and 4 form parallel interface are swapped
see the diagram attached to my previus post.
Thanks.
Stefano
Then I make some modification to can use my JTAG interface.
1) TRST -> 100Ohm GND
2) cTRST -> 100Ohm GND
JTAG - FBF
TMS - TDI (pin 2)
TCK - TCK (pin 3)
TDO - cTDO (pin 13)
TDI - TMS (pin 4)
3V3 - 3V3
GND - GND
GND - TRST (100 Ohm)
GND - cTRST (100 Ohm)
This is because my JTAG use pin 2 and 4 form parallel interface are swapped
see the diagram attached to my previus post.
Thanks.
Stefano
Hi.
I can see you have found the hw error in your i/f and know you must swap pin 4 and 2.
I think it will work now.
Flemming
I can see you have found the hw error in your i/f
and know you must swap pin 4 and 2.I think it will work now.
Flemming
First of all sorry because i don't speak German, only Portuguese and English...
I need help (Someone recommended me Mr. Flemse !!) because i have a Fritz!box 7140 Annex B version AOL in German, and i tried to change it to English last version and Annex A, in order to work here in Portugal.
After read some "milions" of threads and topics, i followed this one:
So I won't take any responsibility for what you are doing.
First you have to double check where exactly the bootloader in your fritz is located. Therefore do the following:
Code: [Download] [Nascondi] [Select]
Code: [Download] [Mostra]
~ $ cat /proc/mtd
dev: size erasesize name
mtd0: 00800000 00010000 "phys_mapped_flash"
mtd1: 006ccb00 00010000 "filesystem"
mtd2: 00770000 00010000 "kernel"
mtd3: 00010000 00010000 "bootloader"
mtd4: 00040000 00010000 "tffs (1)"
mtd5: 00040000 00010000 "tffs (2)"
mtd6: 00200000 00010000 "jffs2"
mtd7: 00570000 00010000 "Kernel without jffs2"
As you see the bootloader is actually located on the mtd3 block (but you have to try this command on your machine. It may be on a different location). Now you can overwrite it with your own bootloader.
So, assuming the bootloader is on the mtd3 block, place your bootloader in the tftp server default directory, rename it mtd3.bin, start your tftp server (I recommend Solarwinds) and type the following:
tftp -g -l /var/mtd3.bin -r mtd3.bin <ip as appears on the tftp server window>
With this command you have transfered the bootloader in a temporary directory. Please double check it is actually there:
$ cd /var
/var $ ls -la
Code: [Download] [Nascondi] [Select]
Code: [Download] [Mostra]
drwxr-xr-x 9 root root 0 Sep 21 20:35 .
drwxrwxrwx 1 root root 90 Sep 21 18:58 ..
lrwxrwxrwx 1 root root 19 Jan 1 2000 TZ -> /etc/default.049/TZ
-rw-r--r-- 1 root root 0 Jan 1 2000 USB-proc-bus-usb-001-001-hub-001
-rw-r--r-- 1 root root 1951 Jan 1 2000 config.def
lrwxrwxrwx 1 root root 27 Jan 1 2000 default -> /etc/default.Fritz_Box_7141
-rw-r--r-- 1 root root 420 Jan 1 2000 devices
-rw-r--r-- 1 root root 934 Sep 21 20:32 env
-rw-r--r-- 1 root root 4060 Jan 1 2000 env.cache
drwxr-xr-x 2 root root 0 Sep 21 20:32 flash
lrwxrwxrwx 1 root root 34 Jan 1 2000 flash.html -> /var/html/html/de/tools/flash.html
lrwxrwxrwx 1 root root 31 Jan 1 2000 fx_moh -> /etc/default.049/fx_moh.default
lrwxrwxrwx 1 root root 12 Jan 1 2000 html -> /usr/www/avm
-rw-r--r-- 1 root root 4 Jan 1 2000 led
drwxr-xr-x 2 root root 0 Jan 1 2000 lock
drwxr-xr-x 2 root root 0 Jan 1 2000 log
drwxr-xr-x 10 root root 0 Jan 1 2000 mod
-rw-r--r-- 1 root root 65536 Sep 21 20:35 mtd3.bin
-rwxr-xr-x 1 root root 624 Jul 10 13:47 post_install
drwxr-xr-x 2 root root 0 Jan 1 2000 run
drwxr-xr-x 3 root root 0 Jan 1 2000 spool
lrwxrwxrwx 1 root root 4 Jan 1 2000 sysfs -> /sys
drwxr-xr-x 4 root root 0 Sep 21 19:10 tmp
You can see the mtd3.bin (whose size is 65536) is actually there. Now you can enter the potentially dangerous command.
Again, you do it at your own risk So keep your fingers crossed and enter:
cat /var/mtd.3.bin > /dev/mtdblock3
It will take a couple of seconds. Now you can reboot and hope that everything went fine.
The problem is that after that i got no access to the Fritz, neither by Ftp nor by Telnet.
I also tried to use a recover image, but it just couldn't find my Fritz.
By the way, the ip on the Laptop used in all this process was always the 192.168.178.23, and now is 169.254.194.20, but if i run a ipconfig /all, i can't see the Fritz.
Also i have never got again the Wan light on. Now the only light i see is the Power one, and is always blinking.
Someone can HELP me ???
Thanks, Crake.
I need help (Someone recommended me Mr. Flemse !!) because i have a Fritz!box 7140 Annex B version AOL in German, and i tried to change it to English last version and Annex A, in order to work here in Portugal.
After read some "milions" of threads and topics, i followed this one:
So I won't take any responsibility for what you are doing.
First you have to double check where exactly the bootloader in your fritz is located. Therefore do the following:
Code: [Download] [Nascondi] [Select]
Code: [Download] [Mostra]
~ $ cat /proc/mtd
dev: size erasesize name
mtd0: 00800000 00010000 "phys_mapped_flash"
mtd1: 006ccb00 00010000 "filesystem"
mtd2: 00770000 00010000 "kernel"
mtd3: 00010000 00010000 "bootloader"
mtd4: 00040000 00010000 "tffs (1)"
mtd5: 00040000 00010000 "tffs (2)"
mtd6: 00200000 00010000 "jffs2"
mtd7: 00570000 00010000 "Kernel without jffs2"
As you see the bootloader is actually located on the mtd3 block (but you have to try this command on your machine. It may be on a different location). Now you can overwrite it with your own bootloader.
So, assuming the bootloader is on the mtd3 block, place your bootloader in the tftp server default directory, rename it mtd3.bin, start your tftp server (I recommend Solarwinds) and type the following:
tftp -g -l /var/mtd3.bin -r mtd3.bin <ip as appears on the tftp server window>
With this command you have transfered the bootloader in a temporary directory. Please double check it is actually there:
$ cd /var
/var $ ls -la
Code: [Download] [Nascondi] [Select]
Code: [Download] [Mostra]
drwxr-xr-x 9 root root 0 Sep 21 20:35 .
drwxrwxrwx 1 root root 90 Sep 21 18:58 ..
lrwxrwxrwx 1 root root 19 Jan 1 2000 TZ -> /etc/default.049/TZ
-rw-r--r-- 1 root root 0 Jan 1 2000 USB-proc-bus-usb-001-001-hub-001
-rw-r--r-- 1 root root 1951 Jan 1 2000 config.def
lrwxrwxrwx 1 root root 27 Jan 1 2000 default -> /etc/default.Fritz_Box_7141
-rw-r--r-- 1 root root 420 Jan 1 2000 devices
-rw-r--r-- 1 root root 934 Sep 21 20:32 env
-rw-r--r-- 1 root root 4060 Jan 1 2000 env.cache
drwxr-xr-x 2 root root 0 Sep 21 20:32 flash
lrwxrwxrwx 1 root root 34 Jan 1 2000 flash.html -> /var/html/html/de/tools/flash.html
lrwxrwxrwx 1 root root 31 Jan 1 2000 fx_moh -> /etc/default.049/fx_moh.default
lrwxrwxrwx 1 root root 12 Jan 1 2000 html -> /usr/www/avm
-rw-r--r-- 1 root root 4 Jan 1 2000 led
drwxr-xr-x 2 root root 0 Jan 1 2000 lock
drwxr-xr-x 2 root root 0 Jan 1 2000 log
drwxr-xr-x 10 root root 0 Jan 1 2000 mod
-rw-r--r-- 1 root root 65536 Sep 21 20:35 mtd3.bin
-rwxr-xr-x 1 root root 624 Jul 10 13:47 post_install
drwxr-xr-x 2 root root 0 Jan 1 2000 run
drwxr-xr-x 3 root root 0 Jan 1 2000 spool
lrwxrwxrwx 1 root root 4 Jan 1 2000 sysfs -> /sys
drwxr-xr-x 4 root root 0 Sep 21 19:10 tmp
You can see the mtd3.bin (whose size is 65536) is actually there. Now you can enter the potentially dangerous command.
Again, you do it at your own risk So keep your fingers crossed and enter:
cat /var/mtd.3.bin > /dev/mtdblock3
It will take a couple of seconds. Now you can reboot and hope that everything went fine.
The problem is that after that i got no access to the Fritz, neither by Ftp nor by Telnet.
I also tried to use a recover image, but it just couldn't find my Fritz.
By the way, the ip on the Laptop used in all this process was always the 192.168.178.23, and now is 169.254.194.20, but if i run a ipconfig /all, i can't see the Fritz.
Also i have never got again the Wan light on. Now the only light i see is the Power one, and is always blinking.
Someone can HELP me ???
Thanks, Crake.
@ feadi
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
regards
stefano
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
IR length: 0
warning: no chain detected
regards
stefano
@flemse
Hi. I updated the i/f.
I check it with jtag -jtag and it's ok. TDO always the time is 1
but if a do jtag -probeonly i get
=================================================
WRT54G/GS EJTAG Debrick Utility v4.8(mod version)
===============================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 11111111111111111111111111111111 (FFFFFFFF)
*** Unknown or NO CPU Chip ID Detected ***
*** Possible Causes:
1) WRT54G/GS is not Connected.
2) WRT54G/GS is not Powered On.
3) Improper JTAG Cable.
4) Unrecognized CPU Chip ID.
any idea?
regards.
stefano
Hi. I updated the i/f.
I check it with jtag -jtag and it's ok. TDO always the time is 1
but if a do jtag -probeonly i get
=================================================
WRT54G/GS EJTAG Debrick Utility v4.8(mod version)
===============================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 11111111111111111111111111111111 (FFFFFFFF)
*** Unknown or NO CPU Chip ID Detected ***
*** Possible Causes:
1) WRT54G/GS is not Connected.
2) WRT54G/GS is not Powered On.
3) Improper JTAG Cable.
4) Unrecognized CPU Chip ID.
any idea?
regards.
stefano
Hi there.
the i/f is not working if
TRST -> GND (100 Ohm)
however it is partially working if
TSRT -> 3V3 (100 Ohm)
jtag.exe -flash:custom /instrlen:5 /window:90000000 /star
t:903C0000 /length:20000
=================================================
WRT54G/GS EJTAG Debrick Utility v4.8(mod version)
===============================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000000000001000000001111 (0000100F)
*** Found a TI AR7WRD TNETD7300GDU Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 01000001010000000100000000000000 (41404000)
- EJTAG Version ....... : 2.6
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Probing Flash at (Flash Window: 0x90000000) ...(blocked here)
the flash on box is MX29LV320ATTC-70 (4MB)
@feadi
IR length: 5
IR length: 5
IR length: 5
IR length: 5
IR length: 5
I tried to select the flash manually using /fc:27 28 29 30 31 32 62 63
and writing the environment on custom.bin (1.640 byte) prepared using mktffs.pl
I got this, after the program crash
wrt54g.exe -flash:custom /instrlen:5 /window:90000000 /st
art:903C0000 /length:20000 /fc:62
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000000000001000000001111 (0000100F)
*** Found a TI AR7WRD TNETD7300GDU Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 01000001010000000100000000000000 (41404000)
- EJTAG Version ....... : 2.6
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Manual Flash Selection ... Done
Flash Vendor ID: 00000000000000000000000000000100 (00000004)
Flash Device ID: 00000000000000000010001001010011 (00002253)
*** Manually Selected a MBM29DL320BE 2Mx16 BotB (4MB) Flash Chip ***
- Flash Chip Window Start .... : 90000000
- Flash Chip Window Length ... : 00400000
- Selected Area Start ........ : 903c0000
- Selected Area Length ....... : 00020000
*** You Selected to Flash the CUSTOM.BIN ***
=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 2
Erasing block: 68 (addr = 903c0000)...Done
Erasing block: 69 (addr = 903d0000)...Done
Loading CUSTOM.BIN to Flash Memory...
[ 0% Flashed] 903c0000: 00040001 feffffff 00040100
CRASH
wrt54g.exe -flash:custom /instrlen:5 /window:90000000 /st
art:903C0000 /length:20000 /fc:63
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000000000001000000001111 (0000100F)
*** Found a TI AR7WRD TNETD7300GDU Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 01000001010000000100000000000000 (41404000)
- EJTAG Version ....... : 2.6
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Manual Flash Selection ... Done
Flash Vendor ID: 00000000000000000000000000000100 (00000004)
Flash Device ID: 00000000000000000010001001010000 (00002250)
*** Manually Selected a MBM29DL320TE 2Mx16 TopB (4MB) Flash Chip ***
- Flash Chip Window Start .... : 90000000
- Flash Chip Window Length ... : 00400000
- Selected Area Start ........ : 903c0000
- Selected Area Length ....... : 00020000
*** You Selected to Flash the CUSTOM.BIN ***
=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 2
Erasing block: 68 (addr = 903c0000)... BLOCKED
E:\incoming\Fritz\JTAG>wrt54g.exe -flash:custom /instrlen:5 /window:90000000 /st
art:903C0000 /length:668 /fc:29
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000000000001000000001111 (0000100F)
*** Found a TI AR7WRD TNETD7300GDU Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 01000001010000000100000000000000 (41404000)
- EJTAG Version ....... : 2.6
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Manual Flash Selection ... Done
Flash Vendor ID: 00000000000000000000000011000010 (000000C2)
Flash Device ID: 00000000000000000010001010101000 (000022A8)
*** Manually Selected a MX29LV320B 2Mx16 BotB (4MB) Flash Chip ***
- Flash Chip Window Start .... : 90000000
- Flash Chip Window Length ... : 00400000
- Selected Area Start ........ : 903c0000
- Selected Area Length ....... : 00000668
*** You Selected to Flash the CUSTOM.BIN ***
=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 1
Erasing block: 68 (addr = 903c0000)...Done
Loading CUSTOM.BIN to Flash Memory...
[ 0% Flashed] 903c0000: 00040001 feffffff 00040100
CRASH
any idea?
regards
stefano
the i/f is not working if
TRST -> GND (100 Ohm)
however it is partially working if
TSRT -> 3V3 (100 Ohm)
jtag.exe -flash:custom /instrlen:5 /window:90000000 /star
t:903C0000 /length:20000
=================================================
WRT54G/GS EJTAG Debrick Utility v4.8(mod version)
===============================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000000000001000000001111 (0000100F)
*** Found a TI AR7WRD TNETD7300GDU Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 01000001010000000100000000000000 (41404000)
- EJTAG Version ....... : 2.6
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Probing Flash at (Flash Window: 0x90000000) ...(blocked here)
the flash on box is MX29LV320ATTC-70 (4MB)
@feadi
IR length: 5
IR length: 5
IR length: 5
IR length: 5
IR length: 5
I tried to select the flash manually using /fc:27 28 29 30 31 32 62 63
and writing the environment on custom.bin (1.640 byte) prepared using mktffs.pl
I got this, after the program crash
wrt54g.exe -flash:custom /instrlen:5 /window:90000000 /st
art:903C0000 /length:20000 /fc:62
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000000000001000000001111 (0000100F)
*** Found a TI AR7WRD TNETD7300GDU Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 01000001010000000100000000000000 (41404000)
- EJTAG Version ....... : 2.6
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Manual Flash Selection ... Done
Flash Vendor ID: 00000000000000000000000000000100 (00000004)
Flash Device ID: 00000000000000000010001001010011 (00002253)
*** Manually Selected a MBM29DL320BE 2Mx16 BotB (4MB) Flash Chip ***
- Flash Chip Window Start .... : 90000000
- Flash Chip Window Length ... : 00400000
- Selected Area Start ........ : 903c0000
- Selected Area Length ....... : 00020000
*** You Selected to Flash the CUSTOM.BIN ***
=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 2
Erasing block: 68 (addr = 903c0000)...Done
Erasing block: 69 (addr = 903d0000)...Done
Loading CUSTOM.BIN to Flash Memory...
[ 0% Flashed] 903c0000: 00040001 feffffff 00040100
CRASH
wrt54g.exe -flash:custom /instrlen:5 /window:90000000 /st
art:903C0000 /length:20000 /fc:63
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000000000001000000001111 (0000100F)
*** Found a TI AR7WRD TNETD7300GDU Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 01000001010000000100000000000000 (41404000)
- EJTAG Version ....... : 2.6
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Manual Flash Selection ... Done
Flash Vendor ID: 00000000000000000000000000000100 (00000004)
Flash Device ID: 00000000000000000010001001010000 (00002250)
*** Manually Selected a MBM29DL320TE 2Mx16 TopB (4MB) Flash Chip ***
- Flash Chip Window Start .... : 90000000
- Flash Chip Window Length ... : 00400000
- Selected Area Start ........ : 903c0000
- Selected Area Length ....... : 00020000
*** You Selected to Flash the CUSTOM.BIN ***
=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 2
Erasing block: 68 (addr = 903c0000)... BLOCKED
E:\incoming\Fritz\JTAG>wrt54g.exe -flash:custom /instrlen:5 /window:90000000 /st
art:903C0000 /length:668 /fc:29
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000000000001000000001111 (0000100F)
*** Found a TI AR7WRD TNETD7300GDU Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 01000001010000000100000000000000 (41404000)
- EJTAG Version ....... : 2.6
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Manual Flash Selection ... Done
Flash Vendor ID: 00000000000000000000000011000010 (000000C2)
Flash Device ID: 00000000000000000010001010101000 (000022A8)
*** Manually Selected a MX29LV320B 2Mx16 BotB (4MB) Flash Chip ***
- Flash Chip Window Start .... : 90000000
- Flash Chip Window Length ... : 00400000
- Selected Area Start ........ : 903c0000
- Selected Area Length ....... : 00000668
*** You Selected to Flash the CUSTOM.BIN ***
=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 1
Erasing block: 68 (addr = 903c0000)...Done
Loading CUSTOM.BIN to Flash Memory...
[ 0% Flashed] 903c0000: 00040001 feffffff 00040100
CRASH
any idea?
regards
stefano
Zuletzt bearbeitet:
Hi
You wrote:
[I check it with jtag -jtag and it's ok. TDO always the time is 1]
_
And I'am a little confused about it... Because the TDO is a input. It can only change if you connect it to 3v3 or Gnd! Or to one of the output(TDI, TMS, TCK)
Please check your I/F one more time!!!
1) Fire up jtag test function one more time jtag.exe -jtag
2)Connect TDI and TDO. Toggle the TDI signal with the keyboard key 1.
3)Connect TCK and TDO. Toggle the TCK signal with the keyboard key 2.
4)Connect TMS and TDO. Toggle the TMS signal with the keyboard key 3.
**In all test the TDO MUST toggle with the output!!!!**
Regards
Flemming
You wrote:
[I check it with jtag -jtag and it's ok. TDO always the time is 1]
_
And I'am a little confused about it... Because the TDO is a input. It can only change if you connect it to 3v3 or Gnd! Or to one of the output(TDI, TMS, TCK)
Please check your I/F one more time!!!
1) Fire up jtag test function one more time jtag.exe -jtag
2)Connect TDI and TDO. Toggle the TDI signal with the keyboard key 1.
3)Connect TCK and TDO. Toggle the TCK signal with the keyboard key 2.
4)Connect TMS and TDO. Toggle the TMS signal with the keyboard key 3.
**In all test the TDO MUST toggle with the output!!!!**
Regards
Flemming
Hi flemming
thank you for your help.
The i/f seems to be working, as you can see from the outputs I posted.
The problem is the flash memory.
The program loops checking the flash type and if I force the type with fc the program loops on writing or crashes. I posted all the outputs.
Thanks again.
PS the cable I'm using is...
JTAG - FBF
TMS - TDI (pin 2)
TCK - TCK (pin 3)
TDO - cTDO (pin 13)
TDI - TMS (pin 4)
3V3 - 3V3
GND - GND
3V3 - TRST (100 Ohm)
null - cTRST
thank you for your help.
The i/f seems to be working, as you can see from the outputs I posted.
The problem is the flash memory.
The program loops checking the flash type and if I force the type with fc the program loops on writing or crashes. I posted all the outputs.
Thanks again.
PS the cable I'm using is...
JTAG - FBF
TMS - TDI (pin 2)
TCK - TCK (pin 3)
TDO - cTDO (pin 13)
TDI - TMS (pin 4)
3V3 - 3V3
GND - GND
3V3 - TRST (100 Ohm)
null - cTRST
Ciao Stefano,
try again to flash your FBF, but place the powercord as far away from the interface as possible. possibly your interface have a very bad 'noise immunity', and the powercord emmits some noise.
regards
- Feadi
try again to flash your FBF, but place the powercord as far away from the interface as possible. possibly your interface have a very bad 'noise immunity', and the powercord emmits some noise.
regards
- Feadi
Ciao Feadi,
I tried. Same result.
I think that wrt54g doesn't know my flash chip MX29LV320ATTC-70.
If I attempt to force flash type I get looping or crashing. See my previous post.
Thanks a lot for your support.
stefano
I tried. Same result.
I think that wrt54g doesn't know my flash chip MX29LV320ATTC-70.
If I attempt to force flash type I get looping or crashing. See my previous post.
Thanks a lot for your support.
stefano
Hi @stefano.
Long time ago i hawe a lot problem with my JTAG I/F.
But when I made the JTAG I/F from @feadi with the hct573 it all worked!
Maybe try it....
p.s. wrong in my pdf, TRST/cTRST must go to 3V3, as you point out in #135. Sory!
Regards
Flemming.
Long time ago i hawe a lot problem with my JTAG I/F.
But when I made the JTAG I/F from @feadi with the hct573 it all worked!
Maybe try it....
p.s. wrong in my pdf, TRST/cTRST must go to 3V3, as you point out in #135. Sory!
Regards
Flemming.
Zuletzt bearbeitet:
Hi @flemming.
the cable that feadi suggests is this
FBF - CABLE
TDI -> TDI
cTDO -> TDO
TMS -> TMS
TCK -> TCK
3v3 -> 300 Ohm -> TRST
3v3 -> 300 Ohm -> cTRST
and it's different from yours... (TRST and cTRST)
HC573 and HC244 would be equivalent, I think.
regards
stefano
the cable that feadi suggests is this
FBF - CABLE
TDI -> TDI
cTDO -> TDO
TMS -> TMS
TCK -> TCK
3v3 -> 300 Ohm -> TRST
3v3 -> 300 Ohm -> cTRST
and it's different from yours... (TRST and cTRST)
HC573 and HC244 would be equivalent, I think.
regards
stefano
Hi
Yes correct I just wrote it in #138. My mistake.
But my JTAG I/F is made correct and TRST/cTRST is connected to 3V3. I,am sorry.
Flemming
Yes correct I just wrote it in #138. My mistake.
But my JTAG I/F is made correct and TRST/cTRST is connected to 3V3. I,am sorry.
Flemming
Neueste Beiträge
-
FRITZ!Box 7590 AX / FRITZ!OS 8.00 vom 16.09.2024
- Letzte: spike01
-
[Sammlung] Wireguard VPN von AVM ab FW 7.39- Letzte: christian1297
-
[Problem] FritzBox 7590 2,4GHz WLAN nur noch sehr sehr schwach
- Letzte: maciboy
-
1750E bootloop
- Letzte: scolopender
-
1&1 Glasfaser 600 - erreiche die Werte nicht
- Letzte: Karrel
-
1&1 Glasfaser 1000 - Upload 500, nur 485 im Test?
- Letzte: Karrel