CFE backup and update with zJTAG - COMTREND CT-5361

As an example, we will use a Comtrend CT-5361 router. We will need the firmware of our choice (the original or any other, for example openwrt-96348GW-11-generic-squashfs-cfe, although this firmware lacks the microcode that brings up the ADSL), the CFE.BIN file that we compiled in earlier posts, and the latest version of the zJTAG software (1v8 in our case).

We will need a modified CA-42 or DKU-5 cable and our JTAG cable. We are going to update the CFE; to do so, we first connect the console access:

[Image: acceso-consola]

And the JTAG wiring:

[Image: ct-5361_jtag]

Where it indicates <10Ω, I soldered a wire jumper, and it works correctly.

Once scraped and soldered:

[Image: jtag-conectado]

Since we don't have a proper JTAG connector, I took the VCC pin from:

Because this cable does not have resistors on all pins, it is strongly advisable to connect the JTAG cable's parallel port with the PC powered off.

We connect the console access to our USB port through a modified CA-42 or DKU-5 cable, and the JTAG cable to the router's pins.

Power on the router.

And with the console connected at 155200, 8,n,1,none:

    CFE version 1.0.37-0.7-1 for BCM96348 (32bit,SP,BE)
    Build Date: Thu Apr 28 12:04:28 CST 2005 (root@jyang.linux.comtrend.com)
    Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.


    Initializing Arena.
    Initializing Devices.
    CPU type 0x29107: 256MHz, Bus: 128MHz, Ref: 32MHz


    Total memory used by CFE: 0x80401000 - 0x80522DF0 (1187312)
    Initialized Data:         0x8041AF10 - 0x8041C790 (6272)
    BSS Area:                 0x8041C790 - 0x80420DF0 (18016)
    Local Heap:               0x80420DF0 - 0x80520DF0 (1048576)
    Stack Area:               0x80520DF0 - 0x80522DF0 (8192)
    Text (code) segment:      0x80401000 - 0x8041AF0C (106252)
    Boot area (physical):     0x00523000 - 0x00563000
    Relocation Factor:        I:00000000 - D:00000000

    Board IP address               :192.168.1.1:ffffff00
    Host IP address                :192.168.1.100
    Gateway IP address :
    Run from flash/host (f/h)      :f
    Default host run file name     :vmlinux
    Default host flash file name   :bcm963xx_fs_kernel
    Boot delay (0-9 seconds)       :9
    Board Id Name                  :96348GW-11
    Psi size in KB                 :24
    Number of MAC Addresses (1-32) :11
    Base MAC Address               :00:1d:20:0e:e3:4a
    Ethernet PHY Type              :Internal
    Memory size in MB              :16

    *** Press any key to stop auto run (9 seconds) ***

Note down the Board Id Name, the Number of MAC Addresses and, above all, the Base MAC Address.

We will use the zJTAG program in its latest version, 1v8 (as of this writing).

Open an MS-DOS window and launch zJTAG:

    C:\zjtag-1.8>zjtag -probeonly /cable:4
    ==============================================
    zJTAG EJTAG Debrick Utility v1.8 RC3
    ==============================================

    cableid=4, cabletype=1

    Selected port = 0x378

    Detected IR chain length = 32

    There are 1 device(s) in the JTAG chain
    IDCODE for device 1 is 0x0634817F (IR length:1)

    Probing bus ... Done

    Defined IR Length is 5 bits

    CPU assumed running under BIG endian

    CPU Chip ID: 00000110001101001000000101111111 (0x0634817F)
    *** Found a Broadcom manufactured BCM6348 REV 01 CPU ***

    - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (0x00800904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32

    Issuing Processor / Peripheral Reset ... Done
    Enabling Memory Writes ... Done
    Halting Processor ... <Processor Entered Debug Mode!> ... Done
    Clearing Watchdog ... Done
    Loading CPU Configuration Code ... Skipped
    Detecting Flash Base Address...
    Read MPI register value : 1FC00009
    MPI register show Flash Access Base Addr : 1FC00000

    Probing Flash at Address: 0x1FC00000 ...
    Detected Chip ID (VenID:DevID = DA7E : 0A00)
    *** Found a CFI Compatiable Flash Chip from Winbond

    *** REQUESTED OPERATION IS COMPLETE ***

    C:\zjtag-1.8> 

We have now verified that the CPU and the flash memory are recognized; next we make a backup of the original CFE:

    C:\zjtag-1.8>zjtag -backup:cfe /cable:4

    ==============================================
    zJTAG EJTAG Debrick Utility v1.8 RC3
    ==============================================

    cableid=4, cabletype=1

    Selected port = 0x378

    Detected IR chain length = 32

    There are 1 device(s) in the JTAG chain
    IDCODE for device 1 is 0x0634817F (IR length:1)

    Probing bus ... Done

    Defined IR Length is 5 bits

    CPU assumed running under BIG endian

    CPU Chip ID: 00000110001101001000000101111111 (0x0634817F)
    *** Found a Broadcom manufactured BCM6348 REV 01 CPU ***

    - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (0x00800904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32

    Issuing Processor / Peripheral Reset ... Done
    Enabling Memory Writes ... Done
    Halting Processor ... <Processor Entered Debug Mode!> ... Done
    Clearing Watchdog ... Done
    Loading CPU Configuration Code ... Skipped
    Detecting Flash Base Address...
    Read MPI register value : 1FC00009
    MPI register show Flash Access Base Addr : 1FC00000

    Probing Flash at Address: 0x1FC00000 ...
    Detected Chip ID (VenID:DevID = DA7E : 0A00)
    *** Found a CFI Compatiable Flash Chip from Winbond

    - Flash Chip Window Start .... : 1FC00000
    - Flash Chip Window Length ... : 00400000
    - Selected Area Start ........ : 1FC00000
    - Selected Area Length ....... : 00040000

    *** You Selected to Backup the CFE.BIN ***

    =========================
    Backup Routine Started
    =========================

    Saving CFE.BIN.SAVED_20150119_104939 to Disk...
    Done (CFE.BIN.SAVED_20150119_104939 saved to Disk OK)

    bytes written: 262144
    =========================
    Backup Routine Complete
    =========================
    elapsed time: 68 seconds

    *** REQUESTED OPERATION IS COMPLETE ***

    C:\zjtag-1.8>

This has backed up our CFE to the file CFE.BIN.SAVED_20150119_104939.
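A way to sanity-check the backup before overwriting the CFE, as an added example that is not part of the original post: it reads the selected area and byte count from the zJTAG backup output above, checks a saved dump against them, and compares two reads of the same region. Taking a second backup for comparison is an assumption of this example, and the dump contents in it are constructed.

```python
import hashlib
import re

def parse_backup_log(log: str) -> dict:
    """Pull the selected flash window and byte count out of zJTAG backup output."""
    def hexfield(name):
        m = re.search(rf"{name} \.+ : ([0-9A-Fa-f]{{8}})", log)
        if not m:
            raise ValueError(f"'{name}' not found in log")
        return int(m.group(1), 16)
    written = re.search(r"bytes written: (\d+)", log)
    return {
        "start": hexfield("Selected Area Start"),
        "length": hexfield("Selected Area Length"),
        "written": int(written.group(1)) if written else None,
    }

def check_dump(data: bytes, info: dict) -> list:
    """Return a list of problems; an empty list means the dump looks sane."""
    problems = []
    if info["written"] != info["length"]:
        problems.append("log: bytes written != selected area length")
    if len(data) != info["length"]:
        problems.append(f"size {len(data)} != expected {info['length']}")
    if data and len(set(data)) == 1:
        problems.append(f"dump is constant 0x{data[0]:02X} (failed or blank read)")
    return problems

def diff_offsets(a: bytes, b: bytes, limit: int = 8) -> list:
    """First few offsets where two reads of the same region disagree."""
    out = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(a) != len(b):
        out.append(min(len(a), len(b)))
    return out[:limit]

# Log lines copied from the backup output on this page.
LOG = """- Selected Area Start ........ : 1FC00000
- Selected Area Length ....... : 00040000
bytes written: 262144
"""

if __name__ == "__main__":
    info = parse_backup_log(LOG)
    # Constructed stand-ins for two backups; replace with open(path, "rb").read().
    read1 = bytes((i * 7) & 0xFF for i in range(info["length"]))
    read2 = bytearray(read1)
    read2[0x580] ^= 0x01  # simulate a single bit flipped during the second read
    print(check_dump(read1, info), hashlib.sha256(read1).hexdigest())
    print([hex(o) for o in diff_offsets(read1, bytes(read2))])
```

Keep the SHA-256 of the verified dump next to the file so the copy can be checked again before it is ever written back.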

Now, with our compiled CFE.BIN file inside the zJTAG directory, we write it to the flash.

    C:\zjtag-1.8>zjtag -flash:cfe /cable:4

    ==============================================
    zJTAG EJTAG Debrick Utility v1.8 RC3
    ==============================================

    cableid=4, cabletype=1

    Selected port = 0x378

    Detected IR chain length = 32

    There are 1 device(s) in the JTAG chain
    IDCODE for device 1 is 0x0634817F (IR length:1)

    Probing bus ... Done

    Defined IR Length is 5 bits

    CPU assumed running under BIG endian

    CPU Chip ID: 00000110001101001000000101111111 (0x0634817F)
    *** Found a Broadcom manufactured BCM6348 REV 01 CPU ***

    - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (0x00800904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32

    Issuing Processor / Peripheral Reset ... Done
    Enabling Memory Writes ... Done
    Halting Processor ... <Processor Entered Debug Mode!> ... Done
    Clearing Watchdog ... Done
    Loading CPU Configuration Code ... Skipped
    Detecting Flash Base Address...
    Read MPI register value : 1FC00009
    MPI register show Flash Access Base Addr : 1FC00000

    Probing Flash at Address: 0x1FC00000 ...
    Detected Chip ID (VenID:DevID = DA7E : 0A00)
    *** Found a CFI Compatiable Flash Chip from Winbond

    - Flash Chip Window Start .... : 1FC00000
    - Flash Chip Window Length ... : 00400000
    - Selected Area Start ........ : 1FC00000
    - Selected Area Length ....... : 00040000

    *** You Selected to Flash the CFE.BIN ***

    =========================
    Flashing Routine Started
    =========================
    Total Blocks to Erase: 11

    Erasing block: 1 (addr = 1FC00000)...Done
    Erasing block: 2 (addr = 1FC02000)...Done
    Erasing block: 3 (addr = 1FC04000)...Done
    Erasing block: 4 (addr = 1FC06000)...Done
    Erasing block: 5 (addr = 1FC08000)...Done
    Erasing block: 6 (addr = 1FC0A000)...Done
    Erasing block: 7 (addr = 1FC0C000)...Done
    Erasing block: 8 (addr = 1FC0E000)...Done
    Erasing block: 9 (addr = 1FC10000)...Done
    Erasing block: 10 (addr = 1FC20000)...Done
    Erasing block: 11 (addr = 1FC30000)...Done

    Loading CFE.BIN to Flash Memory...
    Done (CFE.BIN loaded into Flash Memory OK)

    =========================
    Flashing Routine Complete
    =========================
    elapsed time: 138 seconds 
    *** REQUESTED OPERATION IS COMPLETE ***

    C:\zjtag-1.8>

Once it has finished, we power the router off and on again:

    CFE version 1.0.37-6.4 for BCM96348 (32bit,SP,BE)
    Build Date: mié ene 21 15:10:59 CET 2015 (didac@kaos.es)
    Copyright (C) 2000-2005 Broadcom Corporation.

    Parallel flash device: name AM29LV320MB, id 0x2200, size 4096KB
    Default host flash fi

    *** Board is not initialized properly ***

    *** Upgrading NVRAM (version 253635900 to version 5) ***
    *** command status = 0



    *** Board is not initialized properly ***
    Available commands: w, e,

    Press: <enter> to use current valuehelp
    '-' to go previous parameter*** command status = -1
    '.' to clear the current value commands:

    'x' to exit this comman

    Use default boot line parameters: e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f
    f=vmlinux i=bcm963xx_fs_kernel d=1 p=0

    ** Flash image not found. **

    Board IP address : 192.168.1.1:ffffff00
    Host IP address : 192.168.1.100
    Gateway IP address :
    Run from flash/host (f/h) : f
    Default host run file name : vmlinux
    Default host flash file name : bcm963xx_fs_kernel
    Boot delay (0-9 seconds) : 1
    Board Id (0-7) : 96348GW-11
    Number of MAC Addresses (1-32) : 11
    Base MAC Address : 00:1d:20:0e:e3:4a
    PSI Size (1-64) KBytes : 24

    web info: Waiting for connection on socket 0.
    CFE>

On boot, the new CFE asks for some configuration: the values we said to note down earlier.

Open http://192.168.1.1 in our browser and upload the firmware file.

Once the firmware update has completed and the system has fully loaded, we will see on our console:

    BusyBox v1.22.1 (2014-09-21 03:26:30 CEST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
      _______                     ________        __
     |       |.-----.-----.-----.|  |  |  |.----.|  |_
     |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
     |_______||   __|_____|__|__||________||__|  |____|
              |__| W I R E L E S S   F R E E D O M
     -----------------------------------------------------
     BARRIER BREAKER (14.07, r42625)
     -----------------------------------------------------
      * 1/2 oz Galliano         Pour all ingredients into
      * 4 oz cold Coffee        an irish coffee mug filled
      * 1 1/2 oz Dark Rum       with crushed ice. Stir.
      * 2 tsp. Creme de Cacao

I hope this post is useful.