Differences
This shows you the differences between two versions of the page.
| inbox:toh:arcadyan:astoria:prv3399b-e-lt [2021/09/27 11:29] – [Serial] mandrake-lee | inbox:toh:arcadyan:astoria:prv3399b-e-lt [2021/10/17 08:25] – [Info] mandrake-lee | ||
|---|---|---|---|
| Line 115: | Line 115: | ||
| ^ System-On-Chip | ^ System-On-Chip | ||
| ^ CPU/ | ^ CPU/ | ||
| - | ^ Flash-Chip | + | ^ Flash-Chip |
| - | ^ Flash size | 128 MiB (NAND) | + | ^ Flash size | 128 MiB (NAND) |
| ^ RAM | 256 MiB | | ^ RAM | 256 MiB | | ||
| ^ Wireless | ^ Wireless | ||
| Line 154: | Line 154: | ||
| ==== Opening the case ==== | ==== Opening the case ==== | ||
| - | <WRAP BOX> | + | You will need a phillips screwdriver. |
| - | FIXME //Describe what needs to be done to open the device, | + | - Remove 4x screws at the bottom of the device |
| - | </ | + | - Detach from rear to front, the upper case from the bottom case |
| ==== Serial ==== | ==== Serial ==== | ||
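Review bot: Step 2 of the new opening instructions ("Detach from rear to front, the upper case from the bottom case") does not say what still holds the two halves together once the four screws are out. Please state whether there are clips to release and where along the rear edge to start separating, and capitalize "Phillips" in the tool line.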
| Line 162: | Line 162: | ||
| **WARNING** This device has 2 sets of UART, one dedicated to the early boot i.e. bootloader, and the second for the operating system (OS) itself e.g. linux. | **WARNING** This device has 2 sets of UART, one dedicated to the early boot i.e. bootloader, and the second for the operating system (OS) itself e.g. linux. | ||
| + | |||
| + | The Tx pin for the OS, needed in order to reach Busybox, hasn't been discovered. It might be hard cancelled via resistor or soft cancelled via boot parameter. | ||
| See photo below for the pinout of the Serial Port of this specific device:\\ | See photo below for the pinout of the Serial Port of this specific device:\\ | ||
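Review bot: The added sentence on the OS Tx pin uses "hard cancelled via resistor or soft cancelled via boot parameter", which is ambiguous. Consider wording along the lines of "disabled in hardware (a resistor) or in software (a boot parameter)", and say which of the two UARTs named in the warning the photographed pinout belongs to, so readers know up front that it gives bootloader access only and no Busybox shell.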
| Line 175: | Line 177: | ||
| **This is not confirmed** but there' | **This is not confirmed** but there' | ||
| {{ : | {{ : | ||
| + | |||
| + | |||
| + | ==== HACKS ==== | ||
| + | === Soft hacks === | ||
| + | |||
| + | == Access to web CFE == | ||
| + | First, you will need to gain access to the bootloader CFE and stop the countdown. | ||
| + | |||
| + | Once there, use your browser to reach: | ||
| + | < | ||
| + | |||
| + | A fancy menu will pop-up as below: | ||
| + | {{ : | ||
| + | |||
| + | |||
| + | == Enable CFE countdown == | ||
| + | - First you need to have access to the CFE. You might need this [[#Access to CFE menu|hack]] | ||
| + | - Now enter command " | ||
| + | - Select "Boot Image" 2 | ||
| + | - Leave the rest of parameters untouched by pressing " | ||
| + | |||
| + | |||
| + | === Hard hacks === | ||
| + | During boot, specific NAND flash pins can be shorcircuited in order to provoke a boot fail and therefore access to bootloader. | ||
| + | |||
| + | | {{: | ||
| + | |||
| + | == Access to CFE menu == | ||
| + | This hack will need some training and skill. Don't give up! | ||
| + | Basically, we will let the system jump to CFE bootloader and corrupt the loading of any further image from NAND flash. | ||
| + | |||
| + | - Switch on the device | ||
| + | - Let system jump to the " | ||
| + | - Now shortcircuit pins 8&9. See diagram at the bottom. Use the tip of a needle, thin screwdriver, | ||
| + | - After success, error messages will pop up and you will have access to the CFE command line as follows | ||
| + | |||
| + | <WRAP bootlog> | ||
| + | < | ||
| + | ---- | ||
| + | HELO | ||
| + | ZBSS | ||
| + | RAMI | ||
| + | |||
| + | Copyright (C) 2019 Arcadyan Technology. | ||
| + | |||
| + | NANDFLASH: | ||
| + | DEVICE ID: 0x98f18015f2, | ||
| + | block: 128KB(1024), | ||
| + | nandflash_bbt_scan_block: | ||
| + | |||
| + | NVRAM(0) MAGIC checking passed! | ||
| + | NVRAM(0) CRC checking passed! | ||
| + | total 10 of NVRAM(0) entries loaded | ||
| + | |||
| + | NVRAM(1) MAGIC checking passed! | ||
| + | NVRAM(1) CRC checking passed! | ||
| + | total 10 of NVRAM(1) entries loaded | ||
| + | |||
| + | BOOTLOADER version 1.2.4 for PRV3397B_E_LT | ||
| + | Build Date: Tue Apr 25 13:45:35 2017 (tinghung_chen@buildbed) | ||
| + | |||
| + | Chip ID: BCM68380B0 MIPS: 600MHz, DDR: 533MHz, Bus: 240MHz, RDP: 800MHz | ||
| + | Memory Test Passed! | ||
| + | Total Memory: 268435456 bytes (256MB) | ||
| + | *** Press any key to stop auto run (0 seconds) *** | ||
| + | Auto run second count down: 0 | ||
| + | Loading secondary image ... | ||
| + | ERROR: data is invalid and not correctable at offset 0x2b00000 | ||
| + | Could not read from flash: CFE error -4 | ||
| + | enable IH Wan-Wan forwarding... | ||
| + | data_path_go Done!! | ||
| + | Set EMAC4 as RGMII | ||
| + | Creating CPU ring for queue number 0 with 32 packets descriptor=0x8b58cb60 | ||
| + | Done initializing Ring 0 Base=0xad0141e0K End=0xad0143e0K calculated entries= 32 RDD Base=0x0d0141e0K descriptor=0x8b58cb60 | ||
| + | Open PHY 1 on MAC 0 : link state = Down | ||
| + | Open PHY 2 on MAC 1 : link state = Down | ||
| + | Open PHY 3 on MAC 2 : link state = Down | ||
| + | Open PHY 4 on MAC 3 : link state = Down | ||
| + | Open PHY 0 on MAC 4 : link state = Down | ||
| + | web info: Waiting for connection on socket 0. | ||
| + | PRV3397B_E_LT> | ||
| + | </ | ||
| + | </ | ||
| + | \\ | ||
| + | **Congratulations!** Now you can consider enabling the bootloader countdown and therefore have CFE always reachable. See [[#Enable CFE countdown|this]] | ||
| + | |||
| + | {{ : | ||
| + | |||
| + | ==== CFE menu ==== | ||
| + | Using the CFE hack above, now you can enter the menu of the bootloader: | ||
| + | |||
| + | This is a piece of obscured software; seems an Arcadyan customized version of the CFE with little options. | ||
| + | |||
| + | < | ||
| + | RV3397B_E_LT> | ||
| + | Available commands: | ||
| + | |||
| + | sc Update certificate | ||
| + | show devices | ||
| + | erasepart | ||
| + | m | ||
| + | c | ||
| + | uc Update certificate file | ||
| + | u | ||
| + | br Boot program from 1st/2nd cferam2 | ||
| + | r Reset the board | ||
| + | help Obtain help for CFE commands | ||
| + | |||
| + | </ | ||
| + | |||
| + | ===== Flash partition ===== | ||
| + | ==== OEM partition ==== | ||
| + | As reported by bootloader: | ||
| + | < | ||
| + | PRV3397B_E_LT> | ||
| + | Device Name Description | ||
| + | ------------------- | ||
| + | uart0 BCM63xx DUART channel 0 | ||
| + | nandflash0.bootldr | ||
| + | nandflash0.ca | ||
| + | nandflash0.manufac | ||
| + | nandflash0.nvram | ||
| + | nandflash0.pri_boot | ||
| + | nandflash0.pri_linu | ||
| + | nandflash0.pri_root | ||
| + | nandflash0.sec_boot | ||
| + | nandflash0.sec_linu | ||
| + | nandflash0.sec_root | ||
| + | nandflash0.pri_cfg | ||
| + | nandflash0.sec_cfg | ||
| + | nandflash0.softrip | ||
| + | nandflash0.softuser | ||
| + | nandflash0.ubifs | ||
| + | nandflash0.oops_dat | ||
| + | eth0 | ||
| + | | ||
| + | Yø | ||
| + | *** command status = 0 | ||
| + | PRV3397B_E_LT> | ||
| + | </ | ||
| ===== Bootlogs ===== | ===== Bootlogs ===== | ||
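Review bot: The captures in this hunk name the device inconsistently. The CFE menu listing starts with the prompt "RV3397B_E_LT>", while the boot log and the device listing show "PRV3397B_E_LT>", so the leading "P" looks dropped in the paste. The boot log banner also reads "BOOTLOADER version 1.2.4 for PRV3397B_E_LT" on a page for the prv3399b-e-lt, which deserves one sentence confirming that this is what the 3399 unit really prints. Smaller points: "shorcircuited" in the Hard hacks intro should be "short-circuited"; the device listing ends with stray bytes ("Yø") that should be trimmed from the capture; "Access to web CFE" tells the reader to gain access to CFE first but, unlike "Enable CFE countdown", does not link to "Access to CFE menu"; step 3 says "See diagram at the bottom" without saying which image is meant; and "==== HACKS ====" is the only all-caps heading among those visible here.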