Differences

This shows you the differences between two versions of the page.

toh:tp-link:tl-mr3420:debrick.using.jtag [2018/05/31 18:29] – patchwork.. bugger google benryanau
toh:tp-link:tl-mr3420:debrick.using.jtag [2018/06/02 01:38] – link fixed tmomas
Line 1: Line 1:
-FIXME ** This page is not fully translated, yet. Please help completing the translation. ** \\ // (remove this paragraph once the translation is finished) // +====== Example of repairing the router via JTAG (ar724x) ======
- +
-===== Example of repairing the router via JTAG (ar724x) =====+
  
 ** Note: ** The list of routers on which the main configuration file for OpenOCD should work, in fact, can be much larger (almost all AR724x processors). However, for each platform ((Device with a specific architecture used by NOR / NAND / DDR memory, number of indicators, buttons, their attachment to GPIO numbers, etc. For example, here the platform is considered - AP99)), an appropriate loader, modified so that it can be downloaded from SDRAM memory - without loss of functionality. ** Note: ** The list of routers on which the main configuration file for OpenOCD should work, in fact, can be much larger (almost all AR724x processors). However, for each platform ((Device with a specific architecture used by NOR / NAND / DDR memory, number of indicators, buttons, their attachment to GPIO numbers, etc. For example, here the platform is considered - AP99)), an appropriate loader, modified so that it can be downloaded from SDRAM memory - without loss of functionality.
  
-==== Hardware ====+===== Hardware =====
  
-=== JTAG on the processor ===+==== JTAG on the processor ====
 -> [[docs: techref: hardware: port.jtag]] -> [[docs: techref: hardware: port.jtag]]
 The pinout of the [[http://www.linux-mips.org/wiki/JTAG|EJTAG v3.1]] interface on the AR724x looks like this: The pinout of the [[http://www.linux-mips.org/wiki/JTAG|EJTAG v3.1]] interface on the AR724x looks like this:
 ^ JTAG Common Name ^ AR724x Pin ^ Connector EJTAG for DIR-615 Ex ^ ^ JTAG Common Name ^ AR724x Pin ^ Connector EJTAG for DIR-615 Ex ^
-<del> EJTAG_SEL </ del> // (do not use) // | 79 | {{: media: dlink: dir-615: e4-photos: d-link.dir-615e4-jtag.jpg? 400}} | + <del> EJTAG_SEL </del> //(do not use) // | 79 | {{: media: dlink: dir-615: e4-photos: d-link.dir-615e4-jtag.jpg? 400}} | 
-** TDI ** | 81 | ::: | + ** TDI ** | 81 | ::: | 
-** TDO ** | 82 | ::: | + ** TDO ** | 82 | ::: | 
-** TMS ** | 84 | ::: | + ** TMS ** | 84 | ::: | 
-** TCK ** | 85 | ::: | + ** TCK ** | 85 | ::: | 
-<del> RST </ del> // (do not use) // | 93 | ::: |+ <del> RST </del> //(do not use)// | 93 | ::: |
  
 If there is no marking of the reference of the processor feet on the board, then one can use this orientation: \\ If there is no marking of the reference of the processor feet on the board, then one can use this orientation: \\
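Review bot: The added EJTAG_SEL table row still carries the image reference with spaces inside it, `{{: media: dlink: dir-615: e4-photos: d-link.dir-615e4-jtag.jpg? 400}}`, and the unchanged `[[docs: techref: hardware: port.jtag]]` link just above the table has the same spaced form that this revision collapses at the end of the page (`[[docs:techref:bootloader:myloader#myloram|Myloram]]`). Collapse both here as well so the pinout photo and the JTAG reference resolve. The two "do not use" cells also differ (`//(do not use) //` on the EJTAG_SEL row, `//(do not use)//` on the RST row); keep the second form. Separately, the FIXME translation notice is dropped while context such as "the reference of the processor feet" still reads as unrevised machine translation, so the notice may be worth keeping until the text has been reviewed.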
Line 23: Line 21:
 \\ \\
  
-=== Connecting to JTAG ===+==== Connecting to JTAG ====
  
 ** Note: ** Debugging and testing (for writing this instruction) was performed with a working loader, so it was necessary to temporarily disable the flash memory of the device (** CS0 ** => 3.3V), so that the device initialization and boot process was interrupted in the bootloader, there may be an instruction to disable the JTAG port to release the GPIO line). ** Note: ** Debugging and testing (for writing this instruction) was performed with a working loader, so it was necessary to temporarily disable the flash memory of the device (** CS0 ** => 3.3V), so that the device initialization and boot process was interrupted in the bootloader, there may be an instruction to disable the JTAG port to release the GPIO line).
  
-** EJTAG_SEL ** pin - AR724 ** 0 ** / AR724 ** 1 ** / AR724 ** 2 ** Considering that EJTAG connector is not displayed on many devices - the logical state of this pin does not have a specific role for JTAG operation protocol. It's enough to interrupt the device boot from the flash memory, described in the above way. And if you consider that you are reading this manual - most likely, your device does not boot properly.+** EJTAG_SEL ** pin - AR724**0**/AR724**1**/AR724**2** Considering that EJTAG connector is not displayed on many devices - the logical state of this pin does not have a specific role for JTAG operation protocol. It's enough to interrupt the device boot from the flash memory, described in the above way. And if you consider that you are reading this manual - most likely, your device does not boot properly.
  
-** RST ** pin - AR724 ** 0 ** / AR724 ** 1 ** / AR724 ** 2 ** completely resets the processor, i.e. including the recorded CPU initialization registers, this state is equivalent to disconnecting power from the device - therefore, we will not ** use this pin ** either.+** RST ** pin - AR724**0**/ AR724**1**/ AR724**2** completely resets the processor, i.e. including the recorded CPU initialization registers, this state is equivalent to disconnecting power from the device - therefore, we will not ** use this pin ** either.
  
 -> [[docs: techref: hardware: port.jtag.cables]] -> [[docs: techref: hardware: port.jtag.cables]]
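Review bot: The two rewritten pin paragraphs are not normalised the same way: the EJTAG_SEL line now reads `AR724**0**/AR724**1**/AR724**2**`, while the RST line keeps a space after each slash (`AR724**0**/ AR724**1**/ AR724**2**`). Use the first form in both. The trailing context link `[[docs: techref: hardware: port.jtag.cables]]` also still has spaces in its target and should get the same treatment as the link fixed at the end of the page.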
Line 36: Line 34:
 In the example presented in this section, the connection was made through the old and slow JTAG adapter for the LPT port - [[http://ciclamab.altervista.org/hard_corpo_jtag.htm|Wiggler( without the buffer)]]. The design of this adapter is extremely simple. In the example presented in this section, the connection was made through the old and slow JTAG adapter for the LPT port - [[http://ciclamab.altervista.org/hard_corpo_jtag.htm|Wiggler( without the buffer)]]. The design of this adapter is extremely simple.
  
-==== The software part ====+===== The software part =====
  
 The program part contains a list of programs that will be needed during debugging and recovery through the JTAG interface. Also, this part contains a list of used OpenOCD commands and a configuration file for AR724x processors. The program part contains a list of programs that will be needed during debugging and recovery through the JTAG interface. Also, this part contains a list of used OpenOCD commands and a configuration file for AR724x processors.
  
-=== Programs for working with JTAG ===+==== Programs for working with JTAG ====
  
-  * ** OpenOCD ** ((If necessary, you can replace it with ** OCD Commander **, but remember that there is another format for sending registers to the processor, so the config file needs to be changed to this format.)) - [[http: //dangerousprototypes.com/docs/Compile_OpenOCD_for_Windows|How to build OpenOCD for Windows in Linux OS environment]], [[http://kazus.ru/forums/attachment.php?attachmentid=7775&d=1273832853How to assemble OpenOCD for Windows in Windows OS environment]] (in Russian). \\ You can also use the [[http://www.freddiechopin.info/en/download/category/4-openocd|last stable]] version of OpenOCD, built for Windows (the program includes almost all JTAG adapters).+  * ** OpenOCD ** ((If necessary, you can replace it with ** OCD Commander **, but remember that there is another format for sending registers to the processor, so the config file needs to be changed to this format.)) - [[http://dangerousprototypes.com/docs/Compile_OpenOCD_for_Windows|How to build OpenOCD for Windows in Linux OS environment]], [[http://kazus.ru/forums/attachment.php?attachmentid=7775&d=1273832853|How to assemble OpenOCD for Windows in Windows OS environment]] (in Russian). \\ You can also use the [[http://www.freddiechopin.info/en/download/category/4-openocd|last stable]] version of OpenOCD, built for Windows (the program includes almost all JTAG adapters).
  
  
   * ** PuTTY ** - '' telnet '' console. This console is also used to connect to the router through the serial port.   * ** PuTTY ** - '' telnet '' console. This console is also used to connect to the router through the serial port.
  
-  * ** [[# # init-ar7240.cfg | init-ar7240.cfg]] ** - config. file for the OpenOCD program and your device (config file, you need to copy it to the OpenOCD program folder as target / init-ar7240.cfg).+  * ** [[# # init-ar7240.cfg | init-ar7240.cfg]] ** - config. file for the OpenOCD program and your device (config file, you need to copy it to the OpenOCD program folder as target /init-ar7240.cfg).
  
   * ** [[http://www.mediafire.com/download/8pajc4hjppw6yja/8Muboot_RAM_version.bin|8Muboot_RAM_version.bin]] ** is a boot loader that can be run in SDRAM memory via JTAG (thanks to a member of the OpenWRT forum with a nickname ** tthrx **)   * ** [[http://www.mediafire.com/download/8pajc4hjppw6yja/8Muboot_RAM_version.bin|8Muboot_RAM_version.bin]] ** is a boot loader that can be run in SDRAM memory via JTAG (thanks to a member of the OpenWRT forum with a nickname ** tthrx **)
  
-  * ** backup.bin ** - a conditional bootloader or another piece of flash data that needs to be restored. \\ ** Note: ** Note that the bootloader stores information about the MAC address (TP-Link: U-boot MAC offset 0x01fc00 (value in HEX format))) and the PIN code (TP-Link: U -boot PIN offset 0x01fe00 (value in Dec format))) of the device. You should also know that used ** +* ** backup.bin ** - a conditional bootloader or another piece of flash data that needs to be restored. \\ \\ ** Note: ** Note that the bootloader stores information about the MAC address (TP-Link: U-boot MAC offset 0x01fc00 (value in HEX format))) and the PIN code (TP-Link: U -boot PIN offset 0x01fe00 (value in Dec format))) of the device. It should also be aware that the ** art ** section used with EEPROM information for the wireless communication chip must match the wireless chip of the device being restored. \\ For example: ** art ** section of MR3420 router (WiFi Chip: AR9287) does not fit to MR3220 router (WiFi Chip: AR9285) and vice versa.
- +
-* ** backup.bin ** - a conditional bootloader or another piece of flash data that needs to be restored. \\ ** Note: ** Note that the bootloader stores information about the MAC address (TP-Link: U-boot MAC offset 0x01fc00 (value in HEX format))) and the PIN code (TP-Link: U -boot PIN offset 0x01fe00 (value in Dec format))) of the device. It should also be aware that the ** art ** section used with EEPROM information for the wireless communication chip must match the wireless chip of the device being restored. \\ For example: ** art ** section of MR3420 router (WiFi Chip: AR9287) does not fit to MR3220 router (WiFi Chip: AR9285) and vice versa.+
  
-=== The OpenOCD commands used ===+==== The OpenOCD commands used ====
  
-<code> reset </ code> +<code> reset </code> 
-// In the example presented in this section, the command is used as - identification of the identifier and device status, not more. Usually, when this command is executed, the ** nSRST ** is activated, but in our case ** RST ** pin is not the same .//+//In the example presented in this section, the command is used as - identification of the identifier and device status, not more. Usually, when this command is executed, the ** nSRST ** is activated, but in our case ** RST ** pin is not the same .//
  
 \\ \\
  
-<code> halt </ code>+<code> halt </code>
 // Put the processor into debugging mode (accepting commands) .// // Put the processor into debugging mode (accepting commands) .//
  
 \\ \\
  
-<code> reset init </ code>+<code> reset init </code>
 // After executing this command, the script for this event (enclosed in braces) will be executed, which is in the config. file (sending commands to the processor) .// // After executing this command, the script for this event (enclosed in braces) will be executed, which is in the config. file (sending commands to the processor) .//
  
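Review bot: The surviving `backup.bin` entry is added as `* ** backup.bin **` with no leading indent, while the other items in this list start with two spaces (`  * ** PuTTY **`); DokuWiki only treats indented `*` lines as list items, so this one will render as a plain paragraph. Indent it by two spaces. In the same list the `init-ar7240.cfg` item is only half fixed: the path changes from `target / init-ar7240.cfg` to `target /init-ar7240.cfg`, and the anchor is still `[[# # init-ar7240.cfg | init-ar7240.cfg]]`. Since this revision is about links, note too that `8Muboot_RAM_version.bin` is a bootloader linked over plain `http://` from a file-sharing host and the hunk shows no checksum beside it; publishing a hash next to the link would let readers verify the image before loading it over JTAG.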
Line 74: Line 70:
 <code> <code>
 dump_image <file name> <start address in memory area or flash drive> <size> dump_image <file name> <start address in memory area or flash drive> <size>
-</ code>+</code>
 // This command saves the dump ** from ** the device's memory / flash drive to a file. The command can be executed before the processor and the device memory are initialized. To read flash memory, use the address '' 0x9f000000 '' // // This command saves the dump ** from ** the device's memory / flash drive to a file. The command can be executed before the processor and the device memory are initialized. To read flash memory, use the address '' 0x9f000000 '' //
  
Line 81: Line 77:
 <code> <code>
 load_image <file name> <address in memory area only> <file format> load_image <file name> <address in memory area only> <file format>
-</ code>+</code>
 // This command loads the ** file into ** the device memory. The command must be executed ** after ** initializing the processor and device memory. // // This command loads the ** file into ** the device memory. The command must be executed ** after ** initializing the processor and device memory. //
  
Line 88: Line 84:
 <code> <code>
 resume <address in memory area or flash drive> resume <address in memory area or flash drive>
-</ code>+</code>
 // This command starts the loader, analog ** go ** in uboot'e // // This command starts the loader, analog ** go ** in uboot'e //
  
 \\ \\
  
-== init-ar7240.cfg ==+=== init-ar7240.cfg ===
 <code> <code>
 # Atheros AR724x MIPS 24Kc SoC. # Atheros AR724x MIPS 24Kc SoC.
Line 174: Line 170:
 # serial SPI capable flash # serial SPI capable flash
 # flash bank <driver> <base> <size> <chip_width> <bus_width> # flash bank <driver> <base> <size> <chip_width> <bus_width>
-</ code>+</code>
  
 \\ \\
Line 189: Line 185:
 openocd-0.5.0.exe -f interface / parport.cfg -f target / init-ar7240.cfg openocd-0.5.0.exe -f interface / parport.cfg -f target / init-ar7240.cfg
 pause pause
-</ code> // If you use another JTAG adapter, then the name ** parport.cfg ** should be changed to the appropriate configuration file name for your JTAG adapter. //+</code> // If you use another JTAG adapter, then the name ** parport.cfg ** should be changed to the appropriate configuration file name for your JTAG adapter. //
  
   * Connect JTAG to the computer and ** disconnected ** the router.   * Connect JTAG to the computer and ** disconnected ** the router.
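Review bot: The `</code>` fix on the added line closes a block whose command still reads `openocd-0.5.0.exe -f interface / parport.cfg -f target / init-ar7240.cfg`; with spaces around the slashes each path is split into separate arguments, so a reader copying the batch file does not get `interface/parport.cfg` or `target/init-ar7240.cfg`. Remove the spaces inside the code block in the same revision. The step that follows, "Connect JTAG to the computer and ** disconnected ** the router", is also ambiguous about the state the router should be in at this point and needs rewording.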
Line 217: Line 213:
 Info: JTAG tap: ar724x.cpu tap / device found: 0x00000001 (mfg: 0x000, part: 0x0000, ver: 0x0) Info: JTAG tap: ar724x.cpu tap / device found: 0x00000001 (mfg: 0x000, part: 0x0000, ver: 0x0)
 Info: accepting 'telnet' connection from 4444 Info: accepting 'telnet' connection from 4444
-</ code> // If it was not possible to determine the identifier at once, try going to the next item and typing "'' reset ''" in the console. If the program does not detect the processor identifier anyway, you need to check the connection of the JTAG cable for possible errors, and the cause of the problem can be the length of the cable used. //+</code> // If it was not possible to determine the identifier at once, try going to the next item and typing "'' reset ''" in the console. If the program does not detect the processor identifier anyway, you need to check the connection of the JTAG cable for possible errors, and the cause of the problem can be the length of the cable used. //
  
   * If everything went well, you need to start the console '' telnet '' or another window ** PuTTY ** using the address '' 127.0.0.1:4444 '', after connecting to the console, the input line should appear: <code>   * If everything went well, you need to start the console '' telnet '' or another window ** PuTTY ** using the address '' 127.0.0.1:4444 '', after connecting to the console, the input line should appear: <code>
 Open On-Chip Debugger Open On-Chip Debugger
 > >
-</ code> \\+</code> \\
       * Then enter the commands: \\ \\ <code>       * Then enter the commands: \\ \\ <code>
 > reset > reset
 JTAG tap: ar724x.cpu tap / device found: 0x00000001 (mfg: 0x000, part: 0x0000, ver: 0x0) JTAG tap: ar724x.cpu tap / device found: 0x00000001 (mfg: 0x000, part: 0x0000, ver: 0x0)
 > >
-</ code> // This command should not affect the state of the processor. ** RST ** us we do not handle. However, the command once again determines the identifier and the state of the processor. // \\ \\ \\ <code>+</code> // This command should not affect the state of the processor. ** RST ** us we do not handle. However, the command once again determines the identifier and the state of the processor. // \\ \\ \\ <code>
 > halt > halt
 target state: halted target state: halted
 target halted in MIPS32 mode due to debug-request, pc: 0xbfc03860 target halted in MIPS32 mode due to debug-request, pc: 0xbfc03860
 > >
-</ code> // This command switches the processor from the "running" state to the "halted" state - in this state, the processor receives commands from the operator .// \\ \\ \\ <code>+</code> // This command switches the processor from the "running" state to the "halted" state - in this state, the processor receives commands from the operator .// \\ \\ \\ <code>
 > reset init > reset init
 JTAG tap: ar724x.cpu tap / device found: 0x00000001 (mfg: 0x000, part: 0x0000, ver: 0x0) JTAG tap: ar724x.cpu tap / device found: 0x00000001 (mfg: 0x000, part: 0x0000, ver: 0x0)
Line 238: Line 234:
 target halted in MIPS32 mode due to debug-request, pc: 0xbffd0ac0 target halted in MIPS32 mode due to debug-request, pc: 0xbffd0ac0
 > >
-</ code> // Initialize the main script in the configuration file ** [[# init-ar7240.cfg | init-ar7240.cfg]] **. In this case, the script sent a group of prisoners' commands to curly braces for the '' init '' event. After that, we can fully work with the processor and device memory. // \\ \\ \\ <code>+</code> // Initialize the main script in the configuration file ** [[# init-ar7240.cfg | init-ar7240.cfg]] **. In this case, the script sent a group of prisoners' commands to curly braces for the '' init '' event. After that, we can fully work with the processor and device memory. // \\ \\ \\ <code>
 > load_image backup_uboot.bin 0x81000000 bin > load_image backup_uboot.bin 0x81000000 bin
 131072 bytes written at address 0x81000000 131072 bytes written at address 0x81000000
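Review bot: The re-added explanation for `reset init` still says the script "sent a group of prisoners' commands to curly braces", a mistranslation that the tag fix carries over unchanged. The command list earlier on the page describes the same behaviour as the script "(enclosed in braces)" for this event, so the sentence should read along the lines of "the script sent the group of commands enclosed in curly braces for the '' init '' event".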
Line 249: Line 245:
 downloaded 262144 bytes in 21.639999s (11.830 KiB / s) downloaded 262144 bytes in 21.639999s (11.830 KiB / s)
 > >
-</ code> // We load in advance somewhere into the memory, the loader ** u-boot ** and ** art ** section - later, this data will need to be copied to the flash memory. \\ The main thing we do is we load ** 8Muboot_RAM_version.bin ** the loader into the memory area 0x80000000 - the loader was compiled with reference to this address. // \\ \\ ** Note: ** It is possible to do only with the loader ** 8Muboot_RAM_version.bin ** (in the memory area 0x80000000) - using this bootloader, you can flash the flash using [[: en: toh: tp-link: tl-mr3420 # firmware.with the help.tftp | tftp method]] . \\ You should know the features of tftp, in this bootloader:+</code> // We load in advance somewhere into the memory, the loader ** u-boot ** and ** art ** section - later, this data will need to be copied to the flash memory. \\ The main thing we do is we load ** 8Muboot_RAM_version.bin ** the loader into the memory area 0x80000000 - the loader was compiled with reference to this address. // \\ \\ ** Note: ** It is possible to do only with the loader ** 8Muboot_RAM_version.bin ** (in the memory area 0x80000000) - using this bootloader, you can flash the flash using [[: en: toh: tp-link: tl-mr3420 # firmware.with the help.tftp | tftp method]] . \\ You should know the features of tftp, in this bootloader:
         * To access the bootloader, you need to enter ** tt **         * To access the bootloader, you need to enter ** tt **
         * The IP address of the computer, at the same time, should be - 192.168.1.23 (or use the '' setenv '' command to change the value of '' serverip '').         * The IP address of the computer, at the same time, should be - 192.168.1.23 (or use the '' setenv '' command to change the value of '' serverip '').
       * The following command will start the loader from the SDRAM area of ​​the memory, simultaneously with this process, another console should be started ** PuTTY **, configured on the serial port: <code>       * The following command will start the loader from the SDRAM area of ​​the memory, simultaneously with this process, another console should be started ** PuTTY **, configured on the serial port: <code>
 resume 0x80000000 resume 0x80000000
-</ code> // The loader will try to load ** firmware ** from the flash memory to prevent a failure (and as a result, the reboot of the router) - when the window "Autoboot in .." appears in the window, you need to quickly write in the console ** tt **. // \\ \\+</code> // The loader will try to load ** firmware ** from the flash memory to prevent a failure (and as a result, the reboot of the router) - when the window "Autoboot in .." appears in the window, you need to quickly write in the console ** tt **.// \\ \\
  
 ==== Work in the bootloader U-boot ==== ==== Work in the bootloader U-boot ====
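Review bot: The long added line after the `load_image` output keeps the tftp link as `[[: en: toh: tp-link: tl-mr3420 # firmware.with the help.tftp | tftp method]]`, with spaces in the target and an anchor that looks machine-translated, so it is unlikely to resolve to the tftp section of the MR3420 page. Fix it the same way as the Myloram link in this revision, after checking the real section anchor. On the added line after `resume 0x80000000`, the phrase "when the window "Autoboot in .." appears in the window" also needs a wording pass, since it is the step where the reader has to type ** tt ** in time.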
Line 265: Line 261:
 Erased 2 sectors Erased 2 sectors
 AR7241 # AR7241 #
-</ code> // Erase the area in the flash memory for the boot loader ** u-boot **. //+</code> // Erase the area in the flash memory for the boot loader ** u-boot **.//
  
 \\ \\
Line 274: Line 270:
 done done
 AR7241 # AR7241 #
-</ code> // Copy from the SDRAM area of ​​the memory, previously written ** u-boot ** bootloader, into the flash memory .//+</code> // Copy from the SDRAM area of ​​the memory, previously written ** u-boot ** bootloader, into the flash memory .//
  
 \\ \\
Line 284: Line 280:
 Erased 1 sectors Erased 1 sectors
 AR7241 # AR7241 #
-</ code> // Erase the area in the flash memory for the ** art ** section (flash memory ** 4M **) .//+</code> // Erase the area in the flash memory for the ** art ** section (flash memory ** 4M **) .//
  
 \\ \\
Line 293: Line 289:
 done done
 AR7241 # AR7241 #
-</ code> // Copy from the SDRAM area of ​​the memory, previously written ** art ** section, into the flash memory .//+</code> // Copy from the SDRAM area of ​​the memory, previously written ** art ** section, into the flash memory .//
  
  
Line 302: Line 298:
 ===== More Information ===== ===== More Information =====
  
-Universal loader [[docs: techref: bootloader: myloader # myloram | Myloram]] for Compex devices based on AR71xx and AR724x processors. The loader can work on third-party devices with these processors. Description of device recovery in the corresponding instructions by reference.+Universal loader [[docs:techref:bootloader:myloader#myloram|Myloram]] for Compex devices based on AR71xx and AR724x processors. The loader can work on third-party devices with these processors. Description of device recovery in the corresponding instructions by reference.
  • Last modified: 2019/09/02 20:25
  • by tmomas