Differences

This shows you the differences between two versions of the page.

inbox:toh:arcadyan:astoria:prv3399b-e-lt [2021/09/29 15:37] – [HACKS] mandrake-lee
inbox:toh:arcadyan:astoria:prv3399b-e-lt [2021/10/17 08:25] – [Info] mandrake-lee
Line 115: Line 115:
 ^ System-On-Chip   | BCM68380 - MIPS 24K V4.12   | ^ System-On-Chip   | BCM68380 - MIPS 24K V4.12   |
 ^ CPU/Speed        | 600 MHz                          | ^ CPU/Speed        | 600 MHz                          |
-^ Flash-Chip       | Toshiba TC58BVG033HTA00                  +^ Flash-Chip       | Toshiba/Kioxia [[https://business.kioxia.com/info/docget.jsp?did=14875&prodName=TC58BVG0S3HTA00|TC58BVG033HTA00]] \\ Winbond [[https://www.winbond.com/resource-files/W25X05CL_G%2008012019.pdf|W25x05CLSNFG]]                 
-^ Flash size       | 128 MiB (NAND)                           |+^ Flash size       | 128 MiB (NAND) \\ 512 KiB (NOR)                       |
 ^ RAM              | 256 MiB                           | ^ RAM              | 256 MiB                           |
 ^ Wireless         | BCM4321 2.4GHz 802.11bgn & Quantenna QT3740BC  | ^ Wireless         | BCM4321 2.4GHz 802.11bgn & Quantenna QT3740BC  |
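Review bot: On the new Flash-Chip row, the link labels and the link targets disagree on the part numbers: the Kioxia URL carries prodName=TC58BVG0S3HTA00 while the label reads TC58BVG033HTA00, and the Winbond label W25x05CLSNFG uses a lowercase x where the datasheet file name has W25X05CL. Please correct the labels to the exact markings on the chips, and check the 512 KiB (NOR) figure on the Flash size row against the linked Winbond datasheet, since serial NOR densities are normally quoted in bits. It would also help to say what the NOR part is used for, given that the bootloader partition is reported on NAND further down the page.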
Line 162: Line 162:
  
 **WARNING** This device has 2 sets of UART, one dedicated to the early boot i.e. bootloader, and the second for the operating system (OS) itself e.g. linux. **WARNING** This device has 2 sets of UART, one dedicated to the early boot i.e. bootloader, and the second for the operating system (OS) itself e.g. linux.
 +
 +The Tx pin for the OS, needed in order to reach Busybox, hasn't been discovered. It might be hard cancelled via resistor or soft cancelled via boot parameter.
  
 See photo below for the pinout of the Serial Port of this specific device:\\ See photo below for the pinout of the Serial Port of this specific device:\\
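Review bot: In the added paragraph, "The Tx pin for the OS" is ambiguous about direction: reaching a Busybox shell means sending input to the device, so say whether the missing signal is the board's Tx (no console output) or the board's Rx (input ignored). "Hard cancelled" and "soft cancelled" would read more clearly as "disabled in hardware (for example via a resistor)" and "disabled in software (for example via a boot parameter)".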
Line 191: Line 193:
  
 == Enable CFE countdown == == Enable CFE countdown ==
-  - First you need to have access to the CFE. You might need this hack+  - First you need to have access to the CFE. You might need this [[#Access to CFE menu|hack]]
   - Now enter command "c"   - Now enter command "c"
   - Select "Boot Image" 2   - Select "Boot Image" 2
Line 206: Line 208:
 Basically, we will let the system jump to CFE bootloader and corrupt the loading of any further image from NAND flash. Basically, we will let the system jump to CFE bootloader and corrupt the loading of any further image from NAND flash.
  
-  - Switch off the device+  - Switch on the device
   - Let system jump to the "Copyright" line   - Let system jump to the "Copyright" line
   - Now shortcircuit pins 8&9. See diagram at the bottom. Use the tip of a needle, thin screwdriver, etc   - Now shortcircuit pins 8&9. See diagram at the bottom. Use the tip of a needle, thin screwdriver, etc
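Review bot: The corrected first step, "Switch on the device", now agrees with the step that follows it, but the procedure still does not say that the bootloader serial console must already be attached in order to see the "Copyright" line, nor which component pins 8&9 belong to. Suggest "Connect the bootloader UART, then switch on the device" and naming the chip in the short-circuit step, since the reader is bridging pins on a powered board and the diagram is only at the bottom of the page.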
Line 258: Line 260:
 </nowiki> </nowiki>
 </WRAP> </WRAP>
- +\\ 
-**Optionally** you can consider making the bootloader to countdown by default and then have CFE always reachable. See +**Congratulations!** Now you can consider enabling the bootloader countdown and therefore have CFE always reachable. See [[#Enable CFE countdown|this]]
  
 {{ :media:arcadyan:prv3399b:prv3399b_uart_jtag_and_flash_hack.jpg?direct&400 |}} {{ :media:arcadyan:prv3399b:prv3399b_uart_jtag_and_flash_hack.jpg?direct&400 |}}
 +
 +==== CFE menu ====
 +Using the CFE hack above, now you can enter the menu of the bootloader:
 +
 +This is a piece of obscured software; seems an Arcadyan customized version of the CFE with little options.
 +
 +<code>
 +RV3397B_E_LT>  help
 +Available commands:
 +
 +sc                  Update certificate
 +show devices        Display information about the installed devices.
 +erasepart           Erase the specified partition
 +m                   Change the board's manufacture setting
 +c                   Change the board's setting
 +uc                  Update certificate file
 +u                   Update 1st/2nd flash image or bootloader
 +br                  Boot program from 1st/2nd cferam2
 +r                   Reset the board
 +help                Obtain help for CFE commands
 +
 +</code>
 +
 +===== Flash partition =====
 +==== OEM partition ====
 +As reported by bootloader:
 +<code>
 +PRV3397B_E_LT>show devices
 +Device Name          Description
 +-------------------  ---------------------------------------------------------
 +uart0                BCM63xx DUART channel 0
 +nandflash0.bootldr   offset 00000000 size 512KB
 +nandflash0.ca        offset 00080000 size 512KB
 +nandflash0.manufac   offset 00100000 size 512KB
 +nandflash0.nvram     offset 00180000 size 512KB
 +nandflash0.pri_boot  offset 00200000 size 512KB
 +nandflash0.pri_linu  offset 00280000 size 5120KB
 +nandflash0.pri_root  offset 00780000 size 35840KB
 +nandflash0.sec_boot  offset 02A80000 size 512KB
 +nandflash0.sec_linu  offset 02B00000 size 5120KB
 +nandflash0.sec_root  offset 03000000 size 35840KB
 +nandflash0.pri_cfg   offset 05300000 size 512KB
 +nandflash0.sec_cfg   offset 05380000 size 512KB
 +nandflash0.softrip   offset 05400000 size 512KB
 +nandflash0.softuser  offset 05480000 size 512KB
 +nandflash0.ubifs     offset 05500000 size 43008KB
 +nandflash0.oops_dat  offset 07F00000 size 1024KB
 +eth0
 +                     YàYYYE$
 +                            Yø
 +*** command status = 0
 +PRV3397B_E_LT>
 +</code>
  
 ===== Bootlogs ===== ===== Bootlogs =====
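Review bot: The two pasted console captures disagree on the prompt (RV3397B_E_LT> in the help output, PRV3397B_E_LT> in the show devices output), and the show devices block ends with garbage bytes after eth0; please fix the truncated prompt and trim the unprintable tail. The heading levels also look inverted: "==== CFE menu ====" is followed by "===== Flash partition =====" with "==== OEM partition ====" directly under it, so check which of these is meant to be the parent section. Minor wording: "with little options" should be "with few options".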
  • Last modified: 2022/10/28 08:50
  • by danitool