search

Anime4000 / RTL960x

Hacking V2801F, TWCGPON657 & DFP-34X-2C2 GPON ONU SFP Stick to suite your ISP Fiber
The Unlicense
607 stars 107 forks source link

Two Firmwares on DFP-34X-2C2 #40

Open 3ooabkhxtn opened 2 years ago

3ooabkhxtn commented 2 years ago

Hey guys, I habe another question,

my DFP-34X-2C2 seems to have two firmware versions. It is booting into 210702, but in the bootargs it mentions also 220304.

Haven't read about that anywhere else already, so I thought I share the info.

Haven't yet figured out fully how to switch. Have only a dump from my nv getenv. But could not test, as my stick is not running right now.

Full dump:

# nv getenv
Valid environment: 2
b0=setenv bootargs ${bootargs_base} ${mtdparts0} ${rst2dfl_flg}; bootm ${img0_kernel}
b1=setenv bootargs ${bootargs_base} ${mtdparts1} ${rst2dfl_flg}; bootm ${img1_kernel}
baudrate=115200
boot_by_commit=if itest.s ${sw_commit} == 0;then run set_act0;run b0;else run set_act1;run b1;fi
boot_by_tryactive=if itest.s ${sw_tryactive} == 0;then setenv sw_tryactive 2;setenv sw_active 0;saveenv;run en_wdt;run b0;else setenv sw_tryactive 2;setenv sw_active 1;saveenv;run en_wdt;run b1;fi
bootargs_base=console=ttyS0,115200
bootcmd=if itest.s ${sw_tryactive} == 2; then run boot_by_commit;else run boot_by_tryactive;fi
bootdelay=5
en_wdt=mw b8003268 e7c00000
erase_cfgfs=sf erase ${fl_cfgfs} +${fl_cfgfs_sz}
erase_env=sf erase ${fl_env} +${fl_env_sz};sf erase ${fl_env2} +${fl_env_sz}
ethact=LUNA GMAC 
ethaddr=XX:XX:XX:XX:XX:XX
fileaddr=80000000
filesize=39A800
fl_boot_sz=40000
fl_cfgfs=44000
fl_cfgfs_sz=3c000
fl_env=40000
fl_env2=42000
fl_env_sz=2000
fl_kernel1=80000
fl_kernel1_sz=14c000
fl_kernel2=440000
fl_kernel2_sz=14c000
fl_rootfs1=1cc000
fl_rootfs1_sz=274000
fl_rootfs2=58c000
fl_rootfs2_sz=274000
fx1000_init=mw bb000084 00000048
img0_kernel=94080000
img1_kernel=94440000
ipaddr=192.168.1.3
mtdparts0=mtdparts=rtk_spi_nor_mtd:256K(boot),8K(env),8K(env2),240K(config),1328K(k0)ro,2512K(r0)ro,1328K(k1),2512K(r1),4K@0ro,4K@0ro,4K@0ro,4K@0ro,1328K@512K(linux),2512K@1840K(rootfs) root=31:5
mtdparts1=mtdparts=rtk_spi_nor_mtd:256K(boot),8K(env),8K(env2),240K(config),1328K(k0),2512K(r0),1328K(k1)ro,2512K(r1)ro,4K@0ro,4K@0ro,4K@0ro,4K@0ro,1328K@4352K(linux),2512K@5680K(rootfs) root=31:7
mupgrade_en=1
netmask=255.255.255.0
serverip=192.168.1.101
set_act0=if itest.s ${sw_active} != 0;then setenv sw_active 0;saveenv;fi
set_act1=if itest.s ${sw_active} != 1;then setenv sw_active 1;saveenv;fi
sgmii_init=mw bb000084 00000044
stderr=serial
stdin=serial
stdout=serial
sw_active=1
sw_commit=1
sw_crc0=5bfcffa5
sw_crc1=5bfcffa5
sw_tryactive=2
sw_valid1=1
sw_version0=V1.0-220304
sw_version1=V1.0-210702
tftp_base=80000000
upb=tftp ${tftp_base} plr.img && crc32 ${fileaddr} ${filesize} && sf erase 0 +${fl_boot_sz} && sf write ${fileaddr} 0 ${filesize}
upe=tftp ${tftp_base} uboot-env-98d-eng.bin && sf erase ${fl_env} +${fl_env_sz} && sf write ${fileaddr} ${fl_env} ${fl_env_sz} && sf erase ${fl_env2} +${fl_env_sz} && sf write ${fileaddr} ${fl_env2} ${fl_env_sz}
upk=tftp ${tftp_base} uImage && crc32 ${fileaddr} ${filesize} && sf erase ${fl_kernel1} +${fl_kernel1_sz} && sf write ${fileaddr} ${fl_kernel1} ${filesize}
upk1=tftp ${tftp_base} uImage && crc32 ${fileaddr} ${filesize} && sf erase ${fl_kernel2} +${fl_kernel2_sz} && sf write ${fileaddr} ${fl_kernel2} ${filesize}
upr=tftp ${tftp_base} rootfs && crc32 ${fileaddr} ${filesize} && sf erase ${fl_rootfs1} +${fl_rootfs1_sz} && sf write ${fileaddr} ${fl_rootfs1} ${filesize}
upr1=tftp ${tftp_base} rootfs && crc32 ${fileaddr} ${filesize} && sf erase ${fl_rootfs2} +${fl_rootfs2_sz} && sf write ${fileaddr} ${fl_rootfs2} ${filesize}
upt=tftp 80000000 img.tar && upimgtar ${fileaddr} ${filesize}
upv=tftp 80000000 vm.img;upvmimg ${fileaddr}
yk=loady 80000000 && cp.b 80000000 81000000 ${filesize} && cmp.b 80000000 81000000 ${filesize} && sf erase ${fl_kernel1} +${fl_kernel1_sz} && sf write 80000000 ${fl_kernel1} ${filesize}
yr=loady 80000000 && cp.b 80000000 81000000 ${filesize} && cmp.b 80000000 81000000 ${filesize} && sf erase ${fl_rootfs1} +${fl_rootfs1_sz} && sf write 80000000 ${fl_rootfs1} ${filesize}
yu=loady 80000000 && cp.b 80000000 81000000 ${filesize} && cmp.b 80000000 81000000 ${filesize} && sf erase 0 +${fl_boot_sz} && sf write 80000000 0 ${filesize}
sw_valid0=0
3ooabkhxtn commented 2 years ago

Made also a rewrite in pseudo python code of the boot process.

For better reading. sw_commit seems to be the main variable, which forces the switch.

bootargs_base = "console=ttyS0,115200"
mtdparts0     = "mtdparts=rtk_spi_nor_mtd:256K(boot),8K(env),8K(env2),240K(config),1328K(k0)ro,2512K(r0)ro,1328K(k1),2512K(r1),4K@0ro,4K@0ro,4K@0ro,4K@0ro,1328K@512K(linux),2512K@1840K(rootfs) root=31:5"
mtdparts1     = "mtdparts=rtk_spi_nor_mtd:256K(boot),8K(env),8K(env2),240K(config),1328K(k0),2512K(r0),1328K(k1)ro,2512K(r1)ro,4K@0ro,4K@0ro,4K@0ro,4K@0ro,1328K@4352K(linux),2512K@5680K(rootfs) root=31:7"
rst2dfl_flg   = "???"
img0_kernel   = "94080000"
img1_kernel   = "94440000"
bootargs      = ""

sw_active = 1
sw_commit = 1
sw_tryactive = 1

def saveenv():
    print("Write to Flash")

def en_wdt():
    print("mw b8003268 e7c00000")

def b0():
    bootargs = bootargs_base + " " + mtdparts0 + " " + rst2dfl_flg + "; bootm " + img0_kernel
    print(bootargs)

def b1():
    bootargs = bootargs_base + " " + mtdparts1 + " " + rst2dfl_flg + "; bootm " + img1_kernel
    print(bootargs)

def set_act0():
    global sw_active
    if (sw_active != 0):
        sw_active = 0
        print("sw_active: X -> 0")
        saveenv()

def set_act1():
    global sw_active
    if (sw_active != 1):
        sw_active = 1
        print("sw_active: X -> 1")
        saveenv()

def boot_by_commit():
    global sw_commit
    if (sw_commit == 0):
        set_act0()
        b0()
    else:
        set_act1()
        b1()

def boot_by_tryactive():
    global sw_tryactive
    global sw_active
    if (sw_tryactive == 0):
        sw_tryactive = 2
        print("sw_tryactive: X -> 2")
        sw_active = 0
        print("sw_active: X -> 0")
        saveenv()
        en_wdt()
        b0()
    else:
        sw_tryactive = 2
        print("sw_tryactive: X -> 2")
        sw_active = 1
        print("sw_active: X -> 1")
        saveenv()
        en_wdt()
        b1()

def bootcmd():
    if (sw_tryactive == 2):
        boot_by_commit()
    else:
        boot_by_tryactive()

if __name__ == '__main__':
    print("Preboot Values:")
    print("sw_active: " + str(sw_active))
    print("sw_commit: " + str(sw_commit))
    print("sw_tryactive: " + str(sw_tryactive))
    print()
    bootcmd()
    print()
    print("Afterboot Values:")
    print("sw_active: " + str(sw_active))
    print("sw_commit: " + str(sw_commit))
    print("sw_tryactive: " + str(sw_tryactive))
3ooabkhxtn commented 2 years ago

Set sw_tryactive to 0. After next boot, it booted up firmware 220304 (slot 0)

# nv setenv sw_tryactive 0
# reboot

Rebooting again started firmware 210702 (slot 1)

Setting sw_commit to 0 and rebooting activated firmware firmware 220304 (slot 0). And now at every boot 220304 is booting.

# nv setenv sw_commit 0
# reboot

With firmware 220304 I got an emtpy MAC_KEY entry in my config and omci was not starting. I read out ethaddr with nv getenv and set ELAN_MAC_ADDR to the same mac address and then it was starting.

# nv getenv
...
ethaddr=XX:XX:XX:XX:XX:XX
...
# flash set ELAN_MAC_ADDR xxxxxxxxxxxx