Differences

This shows you the differences between two versions of the page.

inbox:toh:arcadyan:astoria:prv3399b-e-lt [2021/09/27 11:29] – [Serial] mandrake-lee
inbox:toh:arcadyan:astoria:prv3399b-e-lt [2021/10/17 08:25] – [Info] mandrake-lee
Line 115: Line 115:
 ^ System-On-Chip   | BCM68380 - MIPS 24K V4.12   | ^ System-On-Chip   | BCM68380 - MIPS 24K V4.12   |
 ^ CPU/Speed        | 600 MHz                          | ^ CPU/Speed        | 600 MHz                          |
-^ Flash-Chip       | Toshiba TC58BVG033HTA00                  +^ Flash-Chip       | Toshiba/Kioxia [[https://business.kioxia.com/info/docget.jsp?did=14875&prodName=TC58BVG0S3HTA00|TC58BVG033HTA00]] \\ Winbond [[https://www.winbond.com/resource-files/W25X05CL_G%2008012019.pdf|W25x05CLSNFG]]                 
-^ Flash size       | 128 MiB (NAND)                           |+^ Flash size       | 128 MiB (NAND) \\ 512 KiB (NOR)                       |
 ^ RAM              | 256 MiB                           | ^ RAM              | 256 MiB                           |
 ^ Wireless         | BCM4321 2.4GHz 802.11bgn & Quantenna QT3740BC  | ^ Wireless         | BCM4321 2.4GHz 802.11bgn & Quantenna QT3740BC  |
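Review bot: the two added flash entries in the Flash-Chip row carry an inconsistent identifier and a likely unit error. The link label reads TC58BVG033HTA00 while the URL's prodName is TC58BVG0S3HTA00, so one of the two is a transcription slip; re-read the marking on the package and make label and link agree. For the NOR device, the linked Winbond document is for the W25X05CL, whose part number denotes a 512 Kbit part (64 KiB), so the new "512 KiB (NOR)" cell in the Flash size row looks like a bit/byte mix-up; check the datasheet density and correct the size before this row is copied into the main device table.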
Line 154: Line 154:
 ==== Opening the case ==== ==== Opening the case ====
  
-<WRAP BOX> +You will need a phillips screwdriver. 
-FIXME //Describe what needs to be done to open the device, e.g. remove rubber feet, adhesive labels, screws, ...// +  - Remove 4x screws at the bottom of the device 
-</WRAP>+  - Detach from rear to frontthe upper case from the bottom case
  
 ==== Serial ==== ==== Serial ====
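Review bot: the second step of the new list is missing a space ("frontthe") and "phillips" should be capitalised as the trade name "Phillips"; suggest "Detach the upper case from the bottom case, working from rear to front". Since the removed FIXME asked for what has to be done to open the device, the list should also say whether the four screws sit under feet or labels and whether any clips need releasing, otherwise the placeholder is replaced by a partial answer.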
Line 162: Line 162:
  
 **WARNING** This device has 2 sets of UART, one dedicated to the early boot i.e. bootloader, and the second for the operating system (OS) itself e.g. linux. **WARNING** This device has 2 sets of UART, one dedicated to the early boot i.e. bootloader, and the second for the operating system (OS) itself e.g. linux.
 +
 +The Tx pin for the OS, needed in order to reach Busybox, hasn't been discovered. It might be hard cancelled via resistor or soft cancelled via boot parameter.
  
 See photo below for the pinout of the Serial Port of this specific device:\\ See photo below for the pinout of the Serial Port of this specific device:\\
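Review bot: the added sentence about the OS UART is ambiguous on direction and mechanism. "The Tx pin for the OS" should state whose transmit line is meant (the SoC's, which carries the kernel and BusyBox console output, or the host's), and since a usable shell needs both directions the text should say which one has not been located. "Hard cancelled via resistor or soft cancelled via boot parameter" reads more clearly as "disabled in hardware (an unpopulated or pull-down resistor) or in software (a boot parameter)". "Busybox" is spelled "BusyBox".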
Line 175: Line 177:
 **This is not confirmed** but there're several unpopulated pins on the board. Some of them are known to be UART, it might be well that the rest of them are for JTAG:\\ **This is not confirmed** but there're several unpopulated pins on the board. Some of them are known to be UART, it might be well that the rest of them are for JTAG:\\
 {{ :media:arcadyan:prv3399b:prv3399b_uart_jtag_and_flash_hack.jpg?direct&400 |}} {{ :media:arcadyan:prv3399b:prv3399b_uart_jtag_and_flash_hack.jpg?direct&400 |}}
 +
 +
 +==== HACKS ====
 +=== Soft hacks ===
 +
 +== Access to web CFE ==
 +First, you will need to gain access to the bootloader CFE and stop the countdown.
 +
 +Once there, use your browser to reach:
 +<code>192.168.1.1</code>
 +
 +A fancy menu will pop-up as below:
 +{{ :media:arcadyan:prv3399b:prv3399b_cfe_web_backdoor.jpg?direct&400 |}}
 +
 +
 +== Enable CFE countdown ==
 +  - First you need to have access to the CFE. You might need this [[#Access to CFE menu|hack]]
 +  - Now enter command "c"
 +  - Select "Boot Image" 2
 +  - Leave the rest of parameters untouched by pressing "intro"
 +
 +
 +=== Hard hacks ===
 +During boot, specific NAND flash pins can be shorcircuited in order to provoke a boot fail and therefore access to bootloader.
 +
 +| {{:meta:icons:tango:48px-dialog-warning.svg.png?nolink}} | **WARNING:** This method is considered to be safe but use at your own discretion.\\ |
 +
 +== Access to CFE menu ==
 +This hack will need some training and skill. Don't give up!
 +Basically, we will let the system jump to CFE bootloader and corrupt the loading of any further image from NAND flash.
 +
 +  - Switch on the device
 +  - Let system jump to the "Copyright" line
 +  - Now shortcircuit pins 8&9. See diagram at the bottom. Use the tip of a needle, thin screwdriver, etc
 +  - After success, error messages will pop up and you will have access to the CFE command line as follows
 +
 +<WRAP bootlog>
 +<nowiki>
 +----
 +HELO
 +ZBSS
 +RAMI
 +
 +Copyright (C) 2019 Arcadyan Technology.
 +
 +NANDFLASH:
 +    DEVICE ID: 0x98f18015f2, size: 131072KB, type: SLC
 +    block: 128KB(1024), page: 2KB, oob: 64Bytes
 +nandflash_bbt_scan_block: detect bad block marker @ 0x6000000
 +
 +NVRAM(0) MAGIC checking passed!
 +NVRAM(0) CRC checking passed!
 +total 10 of NVRAM(0) entries loaded
 +
 +NVRAM(1) MAGIC checking passed!
 +NVRAM(1) CRC checking passed!
 +total 10 of NVRAM(1) entries loaded
 +
 +BOOTLOADER version 1.2.4 for PRV3397B_E_LT
 +Build Date: Tue Apr 25 13:45:35 2017 (tinghung_chen@buildbed)
 +
 +Chip ID: BCM68380B0 MIPS: 600MHz, DDR: 533MHz, Bus: 240MHz, RDP: 800MHz
 +Memory Test Passed!
 +Total Memory: 268435456 bytes (256MB)
 +*** Press any key to stop auto run (0 seconds) ***
 +Auto run second count down: 0
 +Loading secondary image ...
 +ERROR: data is invalid and not correctable at offset 0x2b00000
 +Could not read from flash: CFE error -4
 +enable IH Wan-Wan forwarding...
 +data_path_go Done!!
 +Set EMAC4 as RGMII
 +Creating CPU ring for queue number 0 with 32 packets descriptor=0x8b58cb60
 + Done initializing Ring 0 Base=0xad0141e0K End=0xad0143e0K calculated entries= 32 RDD Base=0x0d0141e0K descriptor=0x8b58cb60
 +Open PHY 1 on MAC 0 : link state = Down
 +Open PHY 2 on MAC 1 : link state = Down
 +Open PHY 3 on MAC 2 : link state = Down
 +Open PHY 4 on MAC 3 : link state = Down
 +Open PHY 0 on MAC 4 : link state = Down
 +web info: Waiting for connection on socket 0.
 +PRV3397B_E_LT>
 +</nowiki>
 +</WRAP>
 +\\
 +**Congratulations!** Now you can consider enabling the bootloader countdown and therefore have CFE always reachable. See [[#Enable CFE countdown|this]]
 +
 +{{ :media:arcadyan:prv3399b:prv3399b_uart_jtag_and_flash_hack.jpg?direct&400 |}}
 +
 +==== CFE menu ====
 +Using the CFE hack above, now you can enter the menu of the bootloader:
 +
 +This is a piece of obscured software; seems an Arcadyan customized version of the CFE with little options.
 +
 +<code>
 +RV3397B_E_LT>  help
 +Available commands:
 +
 +sc                  Update certificate
 +show devices        Display information about the installed devices.
 +erasepart           Erase the specified partition
 +m                   Change the board's manufacture setting
 +c                   Change the board's setting
 +uc                  Update certificate file
 +u                   Update 1st/2nd flash image or bootloader
 +br                  Boot program from 1st/2nd cferam2
 +r                   Reset the board
 +help                Obtain help for CFE commands
 +
 +</code>
 +
 +===== Flash partition =====
 +==== OEM partition ====
 +As reported by bootloader:
 +<code>
 +PRV3397B_E_LT>show devices
 +Device Name          Description
 +-------------------  ---------------------------------------------------------
 +uart0                BCM63xx DUART channel 0
 +nandflash0.bootldr   offset 00000000 size 512KB
 +nandflash0.ca        offset 00080000 size 512KB
 +nandflash0.manufac   offset 00100000 size 512KB
 +nandflash0.nvram     offset 00180000 size 512KB
 +nandflash0.pri_boot  offset 00200000 size 512KB
 +nandflash0.pri_linu  offset 00280000 size 5120KB
 +nandflash0.pri_root  offset 00780000 size 35840KB
 +nandflash0.sec_boot  offset 02A80000 size 512KB
 +nandflash0.sec_linu  offset 02B00000 size 5120KB
 +nandflash0.sec_root  offset 03000000 size 35840KB
 +nandflash0.pri_cfg   offset 05300000 size 512KB
 +nandflash0.sec_cfg   offset 05380000 size 512KB
 +nandflash0.softrip   offset 05400000 size 512KB
 +nandflash0.softuser  offset 05480000 size 512KB
 +nandflash0.ubifs     offset 05500000 size 43008KB
 +nandflash0.oops_dat  offset 07F00000 size 1024KB
 +eth0
 +                     YàYYYE$
 +                            Yø
 +*** command status = 0
 +PRV3397B_E_LT>
 +</code>
  
 ===== Bootlogs ===== ===== Bootlogs =====
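Review bot: the bootlog and command listings identify the unit as PRV3397B_E_LT ("BOOTLOADER version 1.2.4 for PRV3397B_E_LT", prompt "PRV3397B_E_LT>") while this page documents the PRV3399B-E-LT; a sentence explaining the mismatch (shared bootloader build, or logs captured on a sibling model) is needed, and the "RV3397B_E_LT>  help" prompt in the CFE menu section has lost its leading "P" in copy-paste. On the hard hack itself, the failure lines "Loading secondary image ... / ERROR: data is invalid and not correctable at offset 0x2b00000" match the start of nandflash0.sec_linu (offset 02B00000) in the partition table that follows; stating that correspondence tells readers that the ECC error is the expected symptom of the short, not a damaged flash. The "Enable CFE countdown" steps, combined with the web interface reached at 192.168.1.1 (the bootlog's "web info: Waiting for connection on socket 0."), mean that after the change the bootloader and its web page are reachable from the LAN at every boot; the section should say so plainly and recommend doing this on an isolated network and reverting the setting once the work is done. Smaller points: "shorcircuited" and "shortcircuit" should be "short-circuited" / "short-circuit" and "provoke a boot fail" should be "cause a boot failure"; "pressing "intro"" uses the Spanish key label and should read "pressing Enter"; the code block with "192.168.1.1" should give the scheme and say the host must have an address on the same 192.168.1.x LAN; "a piece of obscured software ... with little options" is better as "an undocumented, Arcadyan-customised CFE build with few commands"; and the two lines of unprintable bytes after "eth0" in the show devices output are a garbage description string, so replace them with a short note such as "(eth0 description prints as unprintable bytes)" rather than pasting raw bytes into the wiki.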
  • Last modified: 2022/10/28 08:50
  • by danitool