Hello all,
Finaly I am successfull to load the bootloader in my rt3052 based router.
and after that I loaded the openwrt on it, now every thing is working.
Thanks openwrt and DDwrt ppl.
-----my router Aztech HW550-3G, RT3052F,spansion s29GL064 Flash-----
I modified RT3052.cfg for detection of flash and CPU as well.
then loaded u-boot.bin to starting loaction of flash.
then when rebooted, I got serial console working.
then I loaded new uboot_64mb.bin from openwrt via TFTP
and
If you ppl need my modified RT3052.cfg let me Know.
Remember -I used Parallel Port DLC5 type self made cable.
Thanks again.
# flash size will be probed
set _FLASHNAME $_CHIPNAME.flash
# format flash bank name driver base size chip_width bus_width target
flash bank $_FLASHNAME cfi 0xBF000000 8388608 2 2 $_TARGETNAME
#flash bank $_FLASHNAME cfi 0x0 8388608 2 2 $_TARGETNAME
echo "allocating work area"
$_TARGETNAME configure -work-area-phys 0x80040000 -work-area-size 4096
echo "allocation complete"
#Folloing code may not work, in that case you need to manually reset init
#and manually load your u-boot.bin at starting address (0x0) of flash (not RAM).
#starting Address of flash can be found in old dump of serial console or at ddwrt forum/openwrt forum
$_TARGETNAME configure -event reset-init {
#reset
echo "halting the target!!!!!!!!!!!!!!!!!!!!!!!!!!!"
halt
echo "init SDRAM controller..........................@@@@@@@@@@@@@@@@@@@@"
mww 0x10000300 0xd1825272
mww 0x10000304 0xe0120300
echo "Find flash..."
flash probe 0
echo "Load u-boot .."
load_image uboot_aztc.bin 0x80000000 bin
# resume 0x80000000
}
By the way ppl means PEOPLE!
note: I used home made parallel port jtag(DLC5)
and latest OPENOCD for above job.
Thanks, apart from successfully rewriting bootloader, I would like to know if you by change did some other tests with openocd and what where your conclusions. I.e. if 0x80000000 address is equivalent to 0x0, if flash probe worked with 0xBF000000 and also on 0x1F000000, if you had to modify configuration registers, resuming/halting cpu
Actually I don't remember, but from if halt cpu and reset cpu no problem.
just make sure that your flash is writable.
u have to disable write protect on flash first.
use openocd documentation.
few steps I remember is as below
1. connect target to parallel port
2. open 2 command prompt windows
3. type down your command in one window as follows
openocd -f new_rt3052.cfg -c "gdb_memory_map enable" -c "gdb_flash_program enable"
please note that "gdb_memory_map enable" -c "gdb_flash_program enable" in command is used for enabling flash write
(dont press Enter for now)
4. insert power to target system and immediately press enter to above command.
let the open ocd proceed when finished it will pause at some place and no activity will be there.
5. Now open second command prompt window and type following command and press Enter
telnet localhost 4444
6. try to find flash with command "flash probe 0" in telnet
7. if flash is ok then it will show details of flash.
(after this I tried to load uboot in memory and run from there... it runs but I can see nothing on my serial port....Actually I expected boot menu to appear and select tftp transfer ...but no serial output at all)
8.from bootconsole msg -- openwrt (hw550-3g) I found that start of adress of flash is.....0xBF000000
Set info->start[0]=BF000000
flash_protect ON: from 0xBF000000 to 0xBF02110F
flash_protect ON: from 0xBF030000 to 0xBF030FFF
============================================
Ralink UBoot Version: 3.6.0.0
--------------------------------------------
ASIC 3052_MP2 (Port5<->None)
DRAM component: 128 Mbits SDR
DRAM bus: 32 bit
Total memory: 32 MBytes
Flash component: NOR Flash
Date:Feb 28 2012 Time:23:11:29
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384
##### The CPU freq = 384 MHZ ####
I will find an if possible I will upload openocd log for full explanation.
Lucky... I found the Telnet LOG.
please check smily point for further clarity.
[code]
Open On-Chip Debugger
> reset init
JTAG tap: rt3052.cpu tap/device found: 0x1305224f (mfg: 0x127, part: 0x3052, ver
: 0x1)
timed out while waiting for target halted
TARGET: rt3052.cpu - Not halted
in procedure 'reset'
Halt timed out, wake up GDB.
> reset halt
JTAG tap: rt3052.cpu tap/device found: 0x1305224f (mfg: 0x127, part: 0x3052, ver
: 0x1)
timed out while waiting for target halted
TARGET: rt3052.cpu - Not halted
in procedure 'reset'
Halt timed out, wake up GDB.
> halt
target state: halted
target halted in MIPS32 mode due to debug-request, pc: 0x9f000380
> reset init
JTAG tap: rt3052.cpu tap/device found: 0x1305224f (mfg: 0x127, part: 0x3052, ver
: 0x1)
target state: halted
target halted in MIPS32 mode due to debug-request, pc: 0x9f000380
halting the target!!!!!!!!!!!!!!!!!!!!!!!!!!!
init SDRAM controller..........................@@@@@@@@@@@@@@@@@@@@
Find flash...
Flash Manufacturer/Device: 0x0001 0x227e
Flash Manufacturer/Device: 0x0001 0x227e
flash 'cfi' found at 0xbf000000
Load u-boot ..
135440 bytes written at address 0x80000000
downloaded 135440 bytes in 6.549418s (20.195 KiB/s)
> reset init
JTAG tap: rt3052.cpu tap/device found: 0x1305224f (mfg: 0x127, part: 0x3052, ver
: 0x1)
target state: halted
target halted in MIPS32 mode due to debug-request, pc: 0x9f000380
halting the target!!!!!!!!!!!!!!!!!!!!!!!!!!!
init SDRAM controller..........................@@@@@@@@@@@@@@@@@@@@
Find flash...
Flash Manufacturer/Device: 0x0001 0x227e
flash 'cfi' found at 0xbf000000
Load u-boot ..
135440 bytes written at address 0x80000000
downloaded 135440 bytes in 7.070166s (18.708 KiB/s)
> flash protect 0 0 1 off
protect: cfi primary command set 2 unsupported
cleared protection for sectors 0 through 1 on flash bank 0
> flash erase_sector 0 0 1
erased sectors 0 through 1 on flash bank 0 in 0.210302s
> flash write_bank 0 u-boot.bin 0x0
target state: halted
target halted in MIPS32 mode due to target-not-halted, pc: 0x80040108
target state: halted
target halted in MIPS32 mode due to target-not-halted, pc: 0x80040108
target state: halted
target halted in MIPS32 mode due to target-not-halted, pc: 0x80040108
target state: halted
.
.
.
.
.
..
.
.
wrote 135440 bytes from file u-boot.bin to flash bank 0 at offset 0x00000000 in
72.694527s (1.819 KiB/s)
> flash protect 0 0 1 on
protect: cfi primary command set 2 unsupported
set protection for sectors 0 through 1 on flash bank 0
> reset run
target state: halted
target halted in MIPS32 mode due to target-not-halted, pc: 0x80040108
> halt
> halt
>
Connection to host lost.
[code]
so I think flash is written at 0x0
and it worked too.
Thanks, apart from successfully rewriting bootloader, I would like to know if you by change did some other tests with openocd and what where your conclusions. I.e. if 0x80000000 address is equivalent to 0x0, if flash probe worked with 0xBF000000 and also on 0x1F000000, if you had to modify configuration registers, resuming/halting cpu
1.As far as I know that 0x80000000 is RAM address and not Flash address.
2.sorry, I dint checked flash prob at 0x1F000000.
3. No config. register changes required to modify
if u enabling Flash write in GDB by using commands at start up of OPENOCD
My router continues damaged. I think the problem is in the RAM Chip. I stored it with similar other routers until some new idea to test arise by chance or I bear up desoldering Ram chip and soldering another one if I get some flux like here http://www.dd-wrt.com/wiki/index.php/DIR-320_64_Mb_RAM_Upgrade or took it to somebody with better tools.
If you saved any interesting link and don't mind to share it I would take a look.
I only used telnet connection to OpenOCD, not GDB, what GDB front end did you use?
My router continues damaged. I think the problem is in the RAM Chip. I stored it with similar other routers until some new idea to test arise by chance or I bear up desoldering Ram chip and soldering another one if I get some flux like here http://www.dd-wrt.com/wiki/index.php/DIR-320_64_Mb_RAM_Upgrade or took it to somebody with better tools.
If you saved any interesting link and don't mind to share it I would take a look.
I only used telnet connection to OpenOCD, not GDB, what GDB front end did you use?
Thanks
Hi,
GDB is backend,
we only use telnet for all the commands.
I unbricked my router(Aztech-hw550-3g) with telnet only.
But i think in background openocd uses GDB.
As I told in my first post here that I am not an expert!
but managed to unbrick my router.
The funny thing is that my router was stricken by Thunderbolt. its 4ports out of total 5 Ethernet port was burnt out ie. found black smoked area in the pcb at Ethernet and wan port!!!!
only one port was operating and wifi was working so this router is no good value for me, but that was good opportunity for me to experiment all the thing I can!
while experimenting I accidentally bricked the it, cause not setting up tftp and trying to load u-boot!!!!!
but now its working with one port ethernet and wifi.
One more thing.
If you able initialize any thing in RAM by using
Hi,
a friend asked me to recover a router Aztech HW550-3G. I tried using the serial port but died. It seems to have skipped the bootloader. reading your post I procured openocd and cable dlc5 but I can not start it. Please, can you help me?
Hi, you shall provide more information, what responses/output did you get, have you read jtag wiki pages and or used jtag before?, have you make or buy the cable
You need a physical parallel port to use the xillink dlc5 parallel port. Do not use it with usb to parallel adapters.
i make the cable. using openocd and the Rt3052 cfg file provided in this thread obtain error in recognising (0x1f instead of 0x10), but later i send a detailed response (at work at the moment). Obviously i used jtag or usb. First i attempt via serial but the sistem do nothing. I never used seriusly jtag
Warn : Adapter driver 'parport' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
parport port = 0x0
adapter speed: 500 kHz
adapter_nsrst_delay: 100
jtag_ntrst_delay: 100
on
allocating work area
allocation complete
Warn : No parport port specified, using default '0x378' (LPT1)
Info : clock speed 500 kHz
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: rt3052.cpu: IR capture error; saw 0x1f not 0x01
Warn : Bypassing JTAG setup events due to errors
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
target state: halted
target halted in MIPS32 mode due to undefined, pc: 0x00000000
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
target state: halted
I suppose was uncorrectly connected.
Can you suggest me a valid, and possibly unexspensive , jtag usb interface?
The dlc5 cable homemade was unstable and ugly
Thanks
Ok
Made wiggler cable and boot recovered.
Now, what can i do to load linux image?
I connect serial port, switch on the router and push "2", but no way to load via tftp connection.
Help, thanks
openocd -f new_rt3052.cfg -c "gdb_memory_map enable" -c "gdb_flash_program enable"
, jtag usb interface?
