How do you JTAG the WNR854T router?

Post by **usbbdm** » Sun Dec 02, 2012 2:31 pm

That area is for ram. Not flash. That is why you get 0xaaa. If it is flash area you would get flash detected. Check the memory map and change to the xml.

LightworkerNaven · Post by **LightworkerNaven** » Sun Dec 02, 2012 3:08 pm

I meant that I'd boundary scan with the unit XML. This is for the flash. However, unless I add those IDs to a new flash in the XML, I get unknown flash IDs.

Code: Select all

<Test>
   <Name>WNR854T</Name>
   <Cat>Router</Cat>
   <Protocol>ARM7</Protocol>
   <SubProtocol>ARM926</SubProtocol>
   <Endian>Little</Endian>
   <IRLength>4</IRLength>
   <Programram>0x7FFFFF</Programram>
   <Memorys>
      <Memory>
         <Name>Image0</Name>
         <Type>1</Type>
         <Address>0x0</Address>
         <Size>0x7FFFFF</Size>
      </Memory>
   </Memorys>
</Test>

Post by **usbbdm** » Sun Dec 02, 2012 5:25 pm

Oh man. I told you it is ARM9 and you still use ARM7. I sent you a video about BEFW11S4. Why not open that XML and take look first?

LightworkerNaven · Post by **LightworkerNaven** » Sun Dec 02, 2012 5:47 pm

I copied it from the thread instead of my XML. My XML says this:

Code: Select all

<Test>
   <Name>WNR854T</Name>
   <Cat>Router</Cat>
   <Protocol>ARM9</Protocol>
   <SubProtocol>ARM926</SubProtocol>
   <Endian>Little</Endian>
   <IRLength>4</IRLength>
   <Programram>0x2000000</Programram>
   <Memorys>
      <Memory>
         <Name>Image0</Name>
         <Type>1</Type>
         <Address>0x40000</Address>
         <Size>0x800000</Size>
      </Memory>
   </Memorys>
</Test>

Post by **usbbdm** » Sun Dec 02, 2012 6:15 pm

Then where x40000 comes from? You need to study where is your flash. That is the key.
In order to have fast programming working 0x7FFFFF looks also wrong.

merkin · Post by **merkin** » Sun Dec 02, 2012 6:26 pm

look here
http://www.wdscript.fr/index.php?q=english/node/106

physmap platform flash device: 00800000 at f4000000

Creating 4 MTD partitions on "physmap-flash.0":
[ 19.082148] 0x000000000000-0x000000100000 : "kernel"
[ 19.089683] 0x000000100000-0x000000760000 : "rootfs"
[ 19.097267] mtd: partition "rootfs" set to be root filesystem
[ 19.103045] mtd: partition "rootfs_data" created automatically, ofs=2E0000, len=480000
[ 19.111100] 0x0000002e0000-0x000000760000 : "rootfs_data"
[ 19.119053] 0x000000760000-0x0000007a0000 : "uboot"
[ 19.126592] 0x000000000000-0x000000760000 : "image"

physmap-flash.0: Found 1 x16 devices at 0x0 in 16-bit bank. Manufacturer ID 0x000089 Chip ID 0x000017

Where did you find "program ram" address in your xml?

Try this xml to backup whole flash

<Test>
<Name>WNR854T</Name>
<Cat>Router</Cat>
<IRLength>4</IRLength>
<Protocol>ARM9</Protocol>
<SubProtocol>ARM946</SubProtocol>
<Endian>Little</Endian>
<Programram>0xd0000100</Programram>
<Memorys>
<Memory>
<Name>whole flash</Name>
<Type>1</Type>
<Address>0xf4000000</Address>
<Size>0x800000</Size>
</Memory>
</Memorys>
</Test>

And make sure CFI is ENABLED.

Do not edit flash.xml. You do not understand.

Post by **usbbdm** » Sun Dec 02, 2012 6:34 pm

merkin wrote:look here
http://www.wdscript.fr/index.php?q=english/node/106

Where did you find "program ram" address in your xml?

Try this xml to backup whole flash

And make sure CFI is ENABLED.

Do not edit flash.xml. You do not understand.

Good point. This will most likely to work.

LightworkerNaven · Post by **LightworkerNaven** » Sun Dec 02, 2012 8:10 pm

Its ARM 926 not ARM 946 says Open WRT. You're right that I don't know how to find the memory addresses. That's why I keep asking someone to teach me, but that part wasn't ever taught to me. How do you activate CFI? Instead of giving the commands usage when I type CFI, it just goes into the console, so I have no idea how to use many of the commands in the list.

Here's what's in the XML for the unit.

Code: Select all

<Test>
 <Name>WNR854T</Name>
 <Cat>Router</Cat>
 <IRLength>4</IRLength>
 <Protocol>ARM9</Protocol>
 <SubProtocol>ARM926</SubProtocol>
 <Endian>Little</Endian>
 <Programram>0xd0000100</Programram>
 <Memorys>
  <Memory>
   <Name>whole flash</Name>
   <Type>1</Type>
   <Address>0xf4000000</Address>
   <Size>0x800000</Size>
  </Memory>
 </Memorys>
</Test>

merkin · Post by **merkin** » Sun Dec 02, 2012 8:30 pm

cfi 1

detect

flshdct whole flash

hit f2

hit ctrl+s

The reality is support some expect is not the support they are going to get.

Good luck, nothing personal. Everyone learns the hard way, but at least we learn.

Post by **usbbdm** » Sun Dec 02, 2012 8:33 pm

LightworkerNaven wrote:Its ARM 926 not ARM 946 says Open WRT. You're right that I don't know how to find the memory addresses. That's why I keep asking someone to teach me, but that part wasn't ever taught to me. How do you activate CFI? Instead of giving the commands usage when I type CFI, it just goes into the console, so I have no idea how to use many of the commands in the list.

Here's what's in the XML for the unit.
Code: Select all
<Test>
 <Name>WNR854T</Name>
 <Cat>Router</Cat>
 <IRLength>4</IRLength>
 <Protocol>ARM9</Protocol>
 <SubProtocol>ARM926</SubProtocol>
 <Endian>Little</Endian>
 <Programram>0xd0000100</Programram>
 <Memorys>
  <Memory>
   <Name>whole flash</Name>
   <Type>1</Type>
   <Address>0xf4000000</Address>
   <Size>0x800000</Size>
  </Memory>
 </Memorys>
</Test>

You need to study the target. Like merkin had done, search the internet or get it from the boot console. Each target has different memory configuration. There is no "for all" method to find memory map.

LightworkerNaven · Post by **LightworkerNaven** » Mon Dec 03, 2012 9:37 am

OK so I did that and this is what it says.

Code: Select all

Copyright (C) 2010,2011,2012
USB JTAG NT    0.57
Target: WNR854T
-cfi 1
-detect
IDCODE 07926041
STi (ARM926)
Unknown flash type!
Report these values http://www.usbjtag.com/vbforum 0aaa,0004
-flshdct whole flash
Unknown flash type!
Report these values http://www.usbjtag.com/vbforum 0aaa,0004

My XML hasn't changed since the last time I posted it with Merkin's updates.

Also, before I update it, would this be the correct partitioning of the flash? I translated it from Merkin's first post.

Code: Select all

<Test>
 <Name>WNR854T</Name>
 <Cat>Router</Cat>
 <IRLength>4</IRLength>
 <Protocol>ARM9</Protocol>
 <SubProtocol>ARM926</SubProtocol>
 <Endian>Little</Endian>
 <Programram>0xd0000100</Programram>
 <Memorys>
  <Memory>
   <Name>Kernal</Name>
   <Type>1</Type>
   <Address>0xf4000000</Address>
   <Size>0x100000</Size>
  </Memory>
  <Memory>
   <Name>Root FS</Name>
   <Type>1</Type>
   <Address>0xf4100000</Address>
   <Size>0x660000</Size>
  </Memory>
  <Memory>
   <Name>Root FS Data</Name>
   <Type>1</Type>
   <Address>0xf42e0000</Address>
   <Size>0x480000</Size>
  </Memory>
  <Memory>
   <Name>uBoot</Name>
   <Type>1</Type>
   <Address>0xf4760000</Address>
   <Size>0x400000</Size>
  </Memory>
  <Memory>
   <Name>Image0</Name>
   <Type>1</Type>
   <Address>0xf4000000</Address>
   <Size>0x760000</Size>
  </Memory>
  <Memory>
   <Name>All Flash</Name>
   <Type>1</Type>
   <Address>0xf4000000</Address>
   <Size>0x800000</Size>
  </Memory>
 </Memorys>
</Test>

Post by **usbbdm** » Mon Dec 03, 2012 10:33 am

I think you need to read the manual (pdf).
What is "flshdct whole flash"? Where does command come from?

If you do not know where the memory map is, find it some where like (openwrt) forum.

I do not own the router so I cannot say where is the right memory map. I do not that "flshdct whole flash" makes no sense to me.

Merkin's XML has some issue. There should not be any space in the tab name. It is impossible to search the memory by tab if the tab name has space in there.

So <Name>Root FS</Name> should be <Name>RootFS</Name>.

If you think 0xf4000000 is the flash you can use command
"flshdct f4000000" (Again this can be found in the user manual).

LightworkerNaven · Post by **LightworkerNaven** » Mon Dec 03, 2012 11:00 am

OK, let's tackle one thing at a time. First let's get it to recognize the flash chip before we find memory addresses further. I need to get past this bit.

Code: Select all

IDCODE 07926041
STi (ARM926)
Unknown flash type!
Report these values http://www.usbjtag.com/vbforum 0aaa,0004

This is the full output:

Code: Select all

Copyright (C) 2010,2011,2012
USB JTAG NT    0.57
Target: WNR854T
-cfi 1
-detect
IDCODE 07926041
STi (ARM926)
Unknown flash type!
Report these values http://www.usbjtag.com/vbforum 0aaa,0004
-flshdct f4000000
Unknown flash type!
Report these values http://www.usbjtag.com/vbforum 0aaa,0004

Also, its a Marvell chip, not STi, so something is really off. Marvell made the proc.

Post by **usbbdm** » Mon Dec 03, 2012 12:26 pm

LightworkerNaven wrote:OK, let's tackle one thing at a time. First let's get it to recognize the flash chip before we find memory addresses further. I need to get past this bit.
Code: Select all
IDCODE 07926041
STi (ARM926)
Unknown flash type!
Report these values http://www.usbjtag.com/vbforum 0aaa,0004
This is the full output:
Code: Select all
Copyright (C) 2010,2011,2012
USB JTAG NT    0.57
Target: WNR854T
-cfi 1
-detect
IDCODE 07926041
STi (ARM926)
Unknown flash type!
Report these values http://www.usbjtag.com/vbforum 0aaa,0004
-flshdct f4000000
Unknown flash type!
Report these values http://www.usbjtag.com/vbforum 0aaa,0004
Also, its a Marvell chip, not STi, so something is really off. Marvell made the proc.

The Detect Sti is not is the software. It is defined in Vender.xml. Again you need to define it properly.
If you do not get f4000000 as flash it might not be. When you get aaa 004 to it looks like a RAM area.

Post by **usbbdm** » Mon Dec 03, 2012 12:28 pm

If your router is bricked try speed 2 and see if it makes any difference.

How do you JTAG the WNR854T router?

Who is online