Como ejemplo, utilizaremos un router Comtrend CT-5361, necesitaremos nuestro firmware de elección, (el original o cualquier otro, por ejemplo, openwrt-96348GW-11-generic-squashfs-cfe, aunque este firmware no dispone del microcódigo que arranca la ADSL), el fichero CFE.BIN, que hemos compilado en entradas anteriores y el software zTAG en su última versión, (en nuestro caso 1v8).
Necesitaremos un cable CA-42 o un DKU-5 modificado y nuestro cable JTAG. Vamos a actualizar la CFE, para ello conectaremos el acceso a consola:
Y el conexionado de Jtag:
Donde indica <10Ω, yo he soldado un puente de hilo, y funciona correctamente.
Una vez rascado y soldado:
Como no tenemos un conector formal de JTAG, el pin de VCC, lo he extraído de:
Ya que este cable no tiene resistencias en todos los pines, es muy aconsejable conectar el puerto paralelo del cable JTAG con el PC apagado.
Conectamos el acceso a consola a nuestro USB, a través de un cable CA-42 o DKU-5 modificado, y el cable JTAG a los pines del router.
Arrancamos el router.
Y con la consola conectada a 155200, 8,n,1,none:
CFE version 1.0.37-0.7-1 for BCM96348 (32bit,SP,BE)
Build Date: Thu Apr 28 12:04:28 CST 2005 (root@jyang.linux.comtrend.com)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.
Initializing Arena.
Initializing Devices.
CPU type 0x29107: 256MHz, Bus: 128MHz, Ref: 32MHz
Total memory used by CFE: 0x80401000 - 0x80522DF0 (1187312)
Initialized Data: 0x8041AF10 - 0x8041C790 (6272)
BSS Area: 0x8041C790 - 0x80420DF0 (18016)
Local Heap: 0x80420DF0 - 0x80520DF0 (1048576)
Stack Area: 0x80520DF0 - 0x80522DF0 (8192)
Text (code) segment: 0x80401000 - 0x8041AF0C (106252)
Boot area (physical): 0x00523000 - 0x00563000
Relocation Factor: I:00000000 - D:00000000
Board IP address :192.168.1.1:ffffff00
Host IP address :192.168.1.100
Gateway IP address :
Run from flash/host (f/h) :f
Default host run file name :vmlinux
Default host flash file name :bcm963xx_fs_kernel
Boot delay (0-9 seconds) :9
Board Id Name :96348GW-11
Psi size in KB :24
Number of MAC Addresses (1-32) :11
Base MAC Address :00:1d:20:0e:e3:4a
Ethernet PHY Type :Internal
Memory size in MB :16
*** Press any key to stop auto run (9 seconds) ***
Apuntar el Board Id Name, Number of MAC Addresses y sobre todo la Base Mac Address.
Utilizaremos el programa zTAG en su última versión, la 1v8, (en esta fecha).
Abrimos una ventana MS-DOS, y lanzamos el programa zTAG:
C:\zjtag-1.8>zjtag -probeonly /cable:4
==============================================
zJTAG EJTAG Debrick Utility v1.8 RC3
==============================================
cableid=4, cabletype=1
Selected port = 0x378
Detected IR chain length = 32
There are 1 device(s) in the JTAG chain
IDCODE for device 1 is 0x0634817F (IR length:1)
Probing bus ... Done
Defined IR Length is 5 bits
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101001000000101111111 (0x0634817F)
*** Found a Broadcom manufactured BCM6348 REV 01 CPU ***
- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (0x00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 1FC00009
MPI register show Flash Access Base Addr : 1FC00000
Probing Flash at Address: 0x1FC00000 ...
Detected Chip ID (VenID:DevID = DA7E : 0A00)
*** Found a CFI Compatiable Flash Chip from Winbond
*** REQUESTED OPERATION IS COMPLETE ***
C:\zjtag-1.8>
Ya hemos comprobado que nos reconoce la CPU y la memoria flash, ahora vamos a realizar un backup del CFE original:
C:zjtag-1.8>zjtag -backup:cfe /cable:4 ============================================== zJTAG EJTAG Debrick Utility v1.8 RC3 ============================================== cableid=4, cabletype=1 Selected port = 0x378 Detected IR chain length = 32 There are 1 device(s) in the JTAG chain IDCODE for device 1 is 0x0634817F (IR length:1) Probing bus ... Done Defined IR Length is 5 bits CPU assumed running under BIG endian CPU Chip ID: 00000110001101001000000101111111 (0x0634817F) *** Found a Broadcom manufactured BCM6348 REV 01 CPU *** - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (0x00800904) - EJTAG Version ....... : 1 or 2.0 - EJTAG DMA Support ... : Yes - EJTAG Implementation flags: R4k MIPS32 Issuing Processor / Peripheral Reset ... Done Enabling Memory Writes ... Done Halting Processor ... <Processor Entered Debug Mode!> ... Done Clearing Watchdog ... Done Loading CPU Configuration Code ... Skipped Detecting Flash Base Address... Read MPI register value : 1FC00009 MPI register show Flash Access Base Addr : 1FC00000 Probing Flash at Address: 0x1FC00000 ... Detected Chip ID (VenID:DevID = DA7E : 0A00) *** Found a CFI Compatiable Flash Chip from Winbond - Flash Chip Window Start .... : 1FC00000 - Flash Chip Window Length ... : 00400000 - Selected Area Start ........ : 1FC00000 - Selected Area Length ....... : 00040000 *** You Selected to Backup the CFE.BIN *** ========================= Backup Routine Started ========================= Saving CFE.BIN.SAVED_20150119_104939 to Disk... Done (CFE.BIN.SAVED_20150119_104939 saved to Disk OK) bytes written: 262144 ========================= Backup Routine Complete ========================= elapsed time: 68 seconds *** REQUESTED OPERATION IS COMPLETE *** C:\zjtag-1.8>
Nos ha realizado un backup de nuestra CFE, en el fichero CFE.BIN.SAVED_20150119_104939
Ahora con nuestro fichero compilado CFE.BIN dentro del directorio del zJTAG, vamos a grabar la flash.
C:\zjtag-1.8>zjtag -flash:cfe /cable:4
==============================================
zJTAG EJTAG Debrick Utility v1.8 RC3
==============================================
cableid=4, cabletype=1
Selected port = 0x378
Detected IR chain length = 32
There are 1 device(s) in the JTAG chain
IDCODE for device 1 is 0x0634817F (IR length:1)
Probing bus ... Done
Defined IR Length is 5 bits
CPU assumed running under BIG endian
CPU Chip ID: 00000110001101001000000101111111 (0x0634817F)
*** Found a Broadcom manufactured BCM6348 REV 01 CPU ***
- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (0x00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Detecting Flash Base Address...
Read MPI register value : 1FC00009
MPI register show Flash Access Base Addr : 1FC00000
Probing Flash at Address: 0x1FC00000 ...
Detected Chip ID (VenID:DevID = DA7E : 0A00)
*** Found a CFI Compatiable Flash Chip from Winbond
- Flash Chip Window Start .... : 1FC00000
- Flash Chip Window Length ... : 00400000
- Selected Area Start ........ : 1FC00000
- Selected Area Length ....... : 00040000
*** You Selected to Flash the CFE.BIN ***
=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 11
Erasing block: 1 (addr = 1FC00000)...Done
Erasing block: 2 (addr = 1FC02000)...Done
Erasing block: 3 (addr = 1FC04000)...Done
Erasing block: 4 (addr = 1FC06000)...Done
Erasing block: 5 (addr = 1FC08000)...Done
Erasing block: 6 (addr = 1FC0A000)...Done
Erasing block: 7 (addr = 1FC0C000)...Done
Erasing block: 8 (addr = 1FC0E000)...Done
Erasing block: 9 (addr = 1FC10000)...Done
Erasing block: 10 (addr = 1FC20000)...Done
Erasing block: 11 (addr = 1FC30000)...Done
Loading CFE.BIN to Flash Memory...
Done (CFE.BIN loaded into Flash Memory OK)
=========================
Flashing Routine Complete
=========================
elapsed time: 138 seconds
*** REQUESTED OPERATION IS COMPLETE ***
C:\zjtag-1.8>
Una vez finalizado, apagamos y volvemos a encender el router:
CFE version 1.0.37-6.4 for BCM96348 (32bit,SP,BE) Build Date: mié ene 21 15:10:59 CET 2015 (didac@kaos.es) Copyright (C) 2000-2005 Broadcom Corporation. Parallel flash device: name AM29LV320MB, id 0x2200, size 4096KB Default host flash fi *** Board is not initialized properly *** *** Upgrading NVRAM (version 253635900 to version 5) *** *** command status = 0 *** Board is not initialized properly *** Available commands: w, e, Press: <enter> to use current valuehelp '-' to go previous parameter*** command status = -1 '.' to clear the current value commands: 'x' to exit this comman Use default boot line parameters: e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_kernel d=1 p=0 ** Flash image not found. ** Board IP address : 192.168.1.1:ffffff00 Host IP address : 192.168.1.100 Gateway IP address : Run from flash/host (f/h) : f Default host run file name : vmlinux Default host flash file name : bcm963xx_fs_kernel Boot delay (0-9 seconds) : 1 Board Id (0-7) : 96348GW-11 Number of MAC Addresses (1-32) : 11 Base MAC Address : 00:1d:20:0e:e3:4a PSI Size (1-64) KBytes : 24 web info: Waiting for connection on socket 0. CFE>
Al arrancar, el nuevo CFE, nos pide alguna configuración, cuyo datos hemos dicho que apuntásemos.
Abrir con nuestro explorador la dirección http://192.168.1.1 y subimos el fichero del firmware.
Una vez realizada la actualización del firmware, y tras la carga completa, veremos en nuestra consola:
BusyBox v1.22.1 (2014-09-21 03:26:30 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
BARRIER BREAKER (14.07, r42625)
-----------------------------------------------------
* 1/2 oz Galliano Pour all ingredients into
* 4 oz cold Coffee an irish coffee mug filled
* 1 1/2 oz Dark Rum with crushed ice. Stir.
* 2 tsp. Creme de Cacao
Espero sea de utilidad esta entrada.
