Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision | ||
| toh:meraki:mr18:jtag [2020/04/13 09:11] – [JTAG connection (OpenOCD)] mh | toh:meraki:mr18:jtag [2021/09/06 23:21] – [Uploading a kernel] dddamion | ||
|---|---|---|---|
| Line 57: | Line 57: | ||
| Note that TX and RX are symmetrical; | Note that TX and RX are symmetrical; | ||
| - | We can now view the console of the MR18. Run the following command on the Raspberry Pi: | + | We can now view the console of the MR18. Run the following command on the Raspberry Pi. |
| < | < | ||
| $ sudo apt install picocom | $ sudo apt install picocom | ||
| - | $ sudo picocom --baud 115200 / | + | $ sudo picocom --baud 115200 |
| </ | </ | ||
| Line 83: | Line 83: | ||
| | 26 | JTAG 1 | nTRST | | | 26 | JTAG 1 | nTRST | | ||
| - | The actual mapping is derived from the description in OpenOCD' | + | The actual mapping is derived from the description in OpenOCD' |
| < | < | ||
| $ apt install openocd | $ apt install openocd | ||
| $ cd ~ | $ cd ~ | ||
| - | $ cp / | + | $ cp / |
| </ | </ | ||
| Line 95: | Line 95: | ||
| < | < | ||
| bcm2835gpio_trst_num 7 | bcm2835gpio_trst_num 7 | ||
| + | </ | ||
| + | |||
| + | Note that the raspberrypi-native.cfg is written for the Raspberry Pi models 1 and zero. Modify the peripheral address and speed coefficients to match your Raspberry Pi model as follow: | ||
| + | |||
| + | RPI 1A/A+/B/B+ with 700 MHz base clock | ||
| + | < | ||
| + | bcm2835gpio_peripheral_base 0x20000000 | ||
| + | bcm2835gpio_speed_coeffs 113714 28 | ||
| + | </ | ||
| + | |||
| + | RPI 2B with 900 MHz base clock | ||
| + | < | ||
| + | bcm2835gpio_peripheral_base 0x3E000000 | ||
| + | bcm2835gpio_speed_coeffs 146203 36 | ||
| + | </ | ||
| + | |||
| + | RPI 3B with 1200 MHz base clock | ||
| + | < | ||
| + | bcm2835gpio_peripheral_base 0x3E000000 | ||
| + | bcm2835gpio_speed_coeffs 194938 48 | ||
| + | </ | ||
| + | |||
| + | RPI 3B+ with 1400 MHz base clock (despite the higher clock seems to be the same as RPi 3B) | ||
| + | < | ||
| + | bcm2835gpio_peripheral_base 0x3E000000 | ||
| + | bcm2835gpio_speed_coeffs 194938 48 | ||
| + | </ | ||
| + | |||
| + | RPI 4 with 1500 MHz base clock | ||
| + | < | ||
| + | bcm2835gpio_peripheral_base 0xFE000000 | ||
| + | bcm2835gpio_speed_coeffs 236181 60 | ||
| </ | </ | ||
| Line 148: | Line 180: | ||
| Our plan to upload this code into the RAM of the device, and then point the CPU at it to execute, much like a bootloader would. | Our plan to upload this code into the RAM of the device, and then point the CPU at it to execute, much like a bootloader would. | ||
| - | Firstly, we need to catch the boot process early. This is important, as we need to boot our own kernel before any hardware peripherals in the device have begun to initialise. | + | Firstly, we need to catch the boot process early. This is important, as we need to boot our own kernel before any hardware peripherals in the device have begun to initialize, but late enough that the processor has been set up correctly by the existing Meraki bootloader. |
| + | |||
| + | On some devices this time window is very small. | ||
| + | Reports show the place to interrupt the boot process is during '' | ||
| + | |||
| + | [[https:// | ||
| + | Note: It appears to be impossible to get the correct timing if using POE. | ||
| Provide power to the MR18 and at that exact moment, run OpenOCD: | Provide power to the MR18 and at that exact moment, run OpenOCD: | ||
| Line 158: | Line 196: | ||
| We're looking to interrupt the device very early in its boot sequence. You should be able to ' | We're looking to interrupt the device very early in its boot sequence. You should be able to ' | ||
| - | Now execute the following commands, one by one, by hand on the OpenOCD command line which is started by connecting | + | Now execute the following commands, one by one, by hand on the OpenOCD command line which is started by connecting |
| < | < | ||
| Line 165: | Line 203: | ||
| </ | </ | ||
| - | First, disable the hardware watchdog, which will re-set the device automatically if it thinks the Cisco operating system has crashed (as is the case when the device is halted): | + | First, disable the hardware watchdog, which normally is there to re-set the device automatically if it thinks the Cisco operating system has crashed (and it will detect this when the device is halted): |
| < | < | ||
| Line 174: | Line 212: | ||
| < | < | ||
| - | > load_image | + | > load_image openwrt-ar71xx-nand-mr18-initramfs-kernel.bin 0x8005FC00 |
| + | </ | ||
| + | It should return something along the lines of: | ||
| + | '' | ||
| + | < | ||
| > verify_image openwrt-ar71xx-nand-mr18-initramfs-kernel.bin 0x8005FC00 | > verify_image openwrt-ar71xx-nand-mr18-initramfs-kernel.bin 0x8005FC00 | ||
| </ | </ | ||
| + | Again you should be able to see something like this: | ||
| + | '' | ||
| Now reset some registers and execute the kernel: | Now reset some registers and execute the kernel: | ||
| Line 192: | Line 236: | ||
| === Troubleshooting === | === Troubleshooting === | ||
| - | I found the process above can be someone | + | I found the process above can be somewhat |
| < | < | ||
| Line 233: | Line 277: | ||
| === Installation using " | === Installation using " | ||
| - | This didn't appear to work, so falling back to the web interface is necessary. The output is: | + | For the sake of automation it would have been nice to do the installation on the command line. But this didn't appear to work, so falling back to the web interface is necessary. The output is: |
| < | < | ||