csersoft / hi_sd5115_openocd_config

Hisilicon SD5115 OpenOCD Config file
GNU General Public License v3.0

H8247H #3

Open SambasOnFire opened 4 years ago

SambasOnFire commented 4 years ago

Hi, have some problems, I think it is the clock speed...

c232hm-edhsl-0.cfg

interface ftdi
ftdi_vid_pid 0x0403 0x6014
ftdi_device_desc "Single RS232-HS"
adapter_khz 2000
ftdi_layout_init 0x0008 0x400b
####################################

Open On-Chip Debugger 0.10.0+dev-00954-gded67990 (2019-10-27-00:52)
Licensed under GNU GPL v2
For bug reports, read http://openocd.org/doc/doxygen/bugs.html
sd5115_help
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 2000 kHz
Info : JTAG tap: sd5115.cpu tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd.), part: 0xba00, ver: 0x4)
Info : sd5115.cpu: hardware has 6 breakpoints, 4 watchpoints
Info : Listening on port 3333 for gdb connections
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Polling target sd5115.cpu failed, trying to reexamine
Error: Invalid ACK (7) in DAP response

csersoft commented 4 years ago

I have not tested it on the 8247H. On the 8245H, there are some things to do to perform JTAG debugging. You can refer to: https://blog.csersoft.net/archives/121 https://blog.csersoft.net/archives/147

csersoft commented 4 years ago

In the case of normal boot, uboot and kernel will disable JTAG.

SambasOnFire commented 4 years ago

I had already followed the previous steps! Did a test, changed cortex_a to cortex_m, now I get this message.

openocd -f /usr/local/share/openocd/scripts/interface/ftdi/c232hm-edhsl-0.cfg -f hi_sd5115_openocd_config/hi_sd5115_jtag.cfg -c "adapter_khz 1000"
Open On-Chip Debugger 0.10.0+dev-00954-gded67990 (2019-10-27-00:52)
Licensed under GNU GPL v2
For bug reports, read http://openocd.org/doc/doxygen/bugs.html
sd5115_help
adapter speed: 1000 kHz

Info : Listening on port 16666 for tcl connections
Info : Listening on port 14444 for telnet connections
Info : clock speed 1000 kHz
Info : JTAG tap: sd5115.cpu tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd.), part: 0xba00, ver: 0x4)
Error: Could not find MEM-AP to control the core
Info : Listening on port 3333 for gdb connections
Info : accepting 'telnet' connection on tcp/14444
Error: Target not examined yet

csersoft commented 4 years ago

The core of sd5115 is cortex-A, not cortex-M. What is the device c232hm-edhsl-0.cfg?

SambasOnFire commented 4 years ago

Bus 008 Device 002: ID 0403:6014 Future Technology Devices International, Ltd FT232H Single HS USB-UART/FIFO IC
Device Descriptor:
  bLength 18
  bDescriptorType 1
  bcdUSB 2.00
  bDeviceClass 0 (Defined at Interface level)
  bDeviceSubClass 0
  bDeviceProtocol 0
  bMaxPacketSize0 64
  idVendor 0x0403 Future Technology Devices International, Ltd
  idProduct 0x6014 FT232H Single HS USB-UART/FIFO IC
  bcdDevice 9.00
  iManufacturer 1 FTDI
  iProduct 2 Single RS232-HS
  iSerial 0
  bNumConfigurations 1
  Configuration Descriptor:
    bLength 9
    bDescriptorType 2
    wTotalLength 32
    bNumInterfaces 1
    bConfigurationValue 1
    iConfiguration 0
    bmAttributes 0x80 (Bus Powered)
    MaxPower 500mA

https://www.ftdichip.com/Support/Documents/DataSheets/Cables/DS_C232HM_MPSSE_CABLE.PDF

csersoft commented 4 years ago

OpenOCD supports FT232H based devices.

csersoft commented 4 years ago

Is there a pull-up DBGSEL pin?

SambasOnFire commented 4 years ago

Yes, I connected it direct to vcc pin 3.3v. Another thing I noticed, jtag is only active for a few seconds after power on, then it's deadweight!

csersoft commented 4 years ago

> Yes, I connected it direct to vcc pin 3.3v. Another thing I noticed, jtag is only active for a few seconds after power on, then it's deadweight!

This is because uboot and kernel will disable JTAG! Reference: https://github.com/csersoft/hi_sd5115_openocd_config/issues/1

Need to write cracked uboot (will not be able to boot the system), or damage uboot. Cracked uboot Download: 8245H_R16_UB_PAT_FULL.zip

csersoft commented 4 years ago

Or, when the device is powered on, pull up the CE pin of Nand Flash to 3.3V, so that the CPU cannot boot from Flash. On the HG8245H, there is a resistor R1542 near the power LED on the back of the motherboard. Here is the CE pin of Flash, which can be shorted to 3.3V here to prevent booting from Flash.

There are two ways to short-circuit:

  1. Short the CE pin before powering up, so that the CPU cannot find any bootable code.
  2. After about 2~4 seconds after power-on (the specific time needs to be tested, it needs to be accurately grasped), short the CE pin. At this point the CPU should have loaded StartCode, but can't find Uboot, so JTAG will not be closed.

SambasOnFire commented 4 years ago

I searched for the R1542 and didn't see it, maybe I'm blind!:) https://ibb.co/Tgj2Wyk

csersoft commented 4 years ago

> I searched for the R1542 and didn't see it, maybe I'm blind!:) https://ibb.co/Tgj2Wyk

The focus is not on R1542, it is the CE pin of Nand Flash. R1542 is the resistor on the HG8245H that pulls up the CE pin. The numbers are not necessarily the same on the 8247H.

SambasOnFire commented 4 years ago

Cool, now is better!

sd5115_hwinit
DSCR_DTR_RX_FULL, dscr 0x4b086003
sd5115.cpu rev 1, partnum c09, arch f, variant 4, implementor 41
sd5115.cpu: MPIDR level2 0, cluster 0, core 0, multi core, no SMT
target halted in ARM state due to debug-request, current mode: Undefined instruction
cpsr: 0x000001db pc: 0x00000004
MMU: disabled, D-Cache: disabled, I-Cache: disabled
target halted in ARM state due to debug-request, current mode: Undefined instruction
cpsr: 0x000001db pc: 0x00000004
MMU: disabled, D-Cache: disabled, I-Cache: disabled
Info: (arm mrc 15 0 0 0 5) & 0xf == 0 .
Info: call offset 0x6EC .
Info: call offset 0x700 .
Info: call offset 0x710 .
Info: call offset 0xFAD4 .
Info: call offset 0xFCD4 .
Info: call offset 0xFAF4 .
Info: call offset 0xFBD8 .
Info: call offset 0xFED4 (init dram).
Info: init dram...
Hardware initialization is complete!

SambasOnFire commented 4 years ago

HuaWei StartCode 2012.02 (R13C10 Apr 22 2014 - 18:06:02)

NAND: Nand(Hardware): 128 MiB
startcode select the uboot to load
the high RAM is :8080103c
startcode uboot boot count:-2102258872
Slave struct initializtion success!!
Use the UbootA to load first
Start from UbootA ERROR, Change to UbootB
Both UbootA and UbootB are wrong, load it by JTAG!

U-Boot 2010.03 (R16C10 Jul 14 2016 - 14:19:37)

DRAM: 128 MB
Boot From NAND flash
Chip Type is SD5115T
NAND: Special Nand id table Version 1.23
Nand ID: 0x98 0xD1 0x90 0x15 0x76 0x14 0x01 0x00
ECC Match pagesize:2K, oobzie:64, ecctype:4bit
Nand(Hardware): Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit
128 MiB
Using default environment

In: serial
Out: serial
Err: serial
MEM_MODE = MEM!
[main.c__6080]::CRC:0x4290109c, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, f 0x000000100000-0x000008000000 : "mtd=1"
UBI: attaching mtd1 to ubi0
slave_paramA in flash, CRC:0xffffffff, Magic1:0xffffffff, Magic2:0xffffffff, cof MAGIC1: 0xffffffff, MAGIC2: 0xffffffff, the magic is error!!!
slave_paramB in flash, CRC:0xffffffff, Magic1:0xffffffff, Magic2:0xffffffff, cof MAGIC1: 0xffffffff, MAGIC2: 0xffffffff, the magic is error!!!
Slave struct initializtion success!!
Start from main system(0x0)!
CRC:0x4290109c, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, CommitedArea:0x00 Both A and B area maybe error!!
hisilicon #

I made a stupid mistake, erased Nand, now the kernel image is gone!

crazygsm commented 4 years ago

What did you do to erase Nand?

SambasOnFire commented 4 years ago

I typed cmd nand erase, the good is I don't need to use the CE pin again...

MEM_MODE = MEM!
<-------------------------FLASH FORMAT-------------------------->
1 erase the whole flash ----- command : nand erase
2 format flash to ubi type ----- command : formatdisk
3 load the startcode ----- command : loadstartcode
4 load the uboot ----- command : loaduboot
<-------------------------FLASH FORMAT-------------------------->
hisilicon #

csersoft commented 4 years ago

> I typed cmd nand erase, the good is I don't need to use the CE pin again...
>
> MEM_MODE = MEM!
> <-------------------------FLASH FORMAT-------------------------->
> 1 erase the whole flash ----- command : nand erase
> 2 format flash to ubi type ----- command : formatdisk
> 3 load the startcode ----- command : loadstartcode
> 4 load the uboot ----- command : loaduboot
> <-------------------------FLASH FORMAT-------------------------->
> hisilicon #

There are ways to recover, and the process is more complicated. The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.

csersoft commented 4 years ago

It is recommended to use the FT2232H module, because the FT2232H has a maximum JTAG clock speed of 30MHz.

crazygsm commented 4 years ago

> There are ways to recover, and the process is more complicated. The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.

Hi csersoft,

How do you load the mtd dump inside? Using TFTP or the same method as your changed load using jtag?

SambasOnFire commented 4 years ago

> I typed cmd nand erase, the good is I don't need to use the CE pin again...
>
> MEM_MODE = MEM!
> <-------------------------FLASH FORMAT-------------------------->
> 1 erase the whole flash ----- command : nand erase
> 2 format flash to ubi type ----- command : formatdisk
> 3 load the startcode ----- command : loadstartcode
> 4 load the uboot ----- command : loaduboot
> <-------------------------FLASH FORMAT-------------------------->
> hisilicon #
>
> There are ways to recover, and the process is more complicated. The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.

Bad news is I did not make any backup. Maybe @crazygsm can help me.

crazygsm commented 4 years ago

> I typed cmd nand erase, the good is I don't need to use the CE pin again...
>
> MEM_MODE = MEM!
> <-------------------------FLASH FORMAT-------------------------->
> 1 erase the whole flash ----- command : nand erase
> 2 format flash to ubi type ----- command : formatdisk
> 3 load the startcode ----- command : loadstartcode
> 4 load the uboot ----- command : loaduboot
> <-------------------------FLASH FORMAT-------------------------->
> hisilicon #
>
> There are ways to recover, and the process is more complicated. The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.
>
> Bad news is I did not make any backup. Maybe @crazygsm can help me.

Never managed to reach that point and already discarded my HW as I quit my development due to lack of time, just asking out of curiosity.

But maybe you can load a backup from HG8245H or similar hw (same SOIC) the hardware is very similar, probably some functions could not work but probably you can boot.

SambasOnFire commented 4 years ago

> I typed cmd nand erase, the good is I don't need to use the CE pin again...
>
> MEM_MODE = MEM!
> <-------------------------FLASH FORMAT-------------------------->
> 1 erase the whole flash ----- command : nand erase
> 2 format flash to ubi type ----- command : formatdisk
> 3 load the startcode ----- command : loadstartcode
> 4 load the uboot ----- command : loaduboot
> <-------------------------FLASH FORMAT-------------------------->
> hisilicon #
>
> There are ways to recover, and the process is more complicated. The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.
>
> Bad news is I did not make any backup. Maybe @crazygsm can help me.
>
> Never managed to reach that point and already discarded my HW as I quit my development due to lack of time, just asking out of curiosity.
>
> But maybe you can load a backup from HG8245H or similar hw (same SOIC) the hardware is very similar, probably some functions could not work but probably you can boot.

Only need nand dump, I think you have this.

csersoft commented 4 years ago

> There are ways to recover, and the process is more complicated. The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.
>
> Hi csersoft,
>
> How do you load the mtd dump inside? Using TFTP or the same method as your changed load using jtag?

Ethernet seems to be unavailable on the UBoot console. I used the load_image command of OpenOCD to write the dump file into memory, and then in the UBoot console, I wrote it back to flash.

csersoft commented 4 years ago

> I typed cmd nand erase, the good is I don't need to use the CE pin again...
>
> MEM_MODE = MEM!
> <-------------------------FLASH FORMAT-------------------------->
> 1 erase the whole flash ----- command : nand erase
> 2 format flash to ubi type ----- command : formatdisk
> 3 load the startcode ----- command : loadstartcode
> 4 load the uboot ----- command : loaduboot
> <-------------------------FLASH FORMAT-------------------------->
> hisilicon #
>
> There are ways to recover, and the process is more complicated. The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.
>
> Bad news is I did not make any backup. Maybe @crazygsm can help me.
>
> Never managed to reach that point and already discarded my HW as I quit my development due to lack of time, just asking out of curiosity. But maybe you can load a backup from HG8245H or similar hw (same SOIC) the hardware is very similar, probably some functions could not work but probably you can boot.
>
> Only need nand dump, I think you have this.

Most mtd partitions can be extracted from the firmware, such as (ubootA, ubootB, kernelA, kernelB, rootfsA, rootfsB). Some partition firmware does not exist, you need to find the backup yourself, such as (slave_paramA, slave_paramB, jffs2).

The mtd partition table of a conventional Huawei ONT is as follows:

mtd0: = "startcode"
mtd1: = "ubifs"
mtd2: = "reserved"
mtd3: = "ubootA"
mtd4: = "ubootB"
mtd5: = "flash_configA"
mtd6: = "flash_configB"
mtd7: = "slave_paramA"
mtd8: = "slave_paramB"
mtd9: = "kernelA"
mtd10: = "kernelB"
mtd11: = "rootfsA"
mtd12: = "rootfsB"
mtd13: = "wifi_paramA"
mtd14: = "wifi_paramB"
mtd15: = "system_param"
mtd16: = "file_system"
mtd17: = "frameworkA"
mtd18: = "frameworkB"
mtd19: = "apps"
ubi0_13 = "jffs2"

SambasOnFire commented 4 years ago

device nand0 , # parts = 2

: name size offset mask_flags

0: startcode 0x00100000 0x00000000 0
1: ubifs 0x07f00000 0x00100000 0

NAND erase: device 0 offset 0x100000, size 0x7f00000
Erasing at 0x7fe0000 -- 100% complete.
OK
0x000000100000-0x000008000000 : "mtd=1"
UBI: attaching mtd1 to ubi0
UBI: empty MTD device detected
UBI: create volume table (copy #1)
UBI: create volume table (copy #2)
Creating dynamic volume ubootA of size 524288
Creating dynamic volume ubootB of size 524288
Creating dynamic volume flash_configA of size 131072
Creating dynamic volume flash_configB of size 131072
Creating dynamic volume slave_paramA of size 131072
Creating dynamic volume slave_paramB of size 131072
Creating dynamic volume kernelA of size 3145728
Creating dynamic volume kernelB of size 3145728
Creating dynamic volume rootfsA of size 29360128
Creating dynamic volume rootfsB of size 29360128
Creating dynamic volume wifi_paramA of size 131072
Creating dynamic volume wifi_paramB of size 131072
Creating dynamic volume system_param of size 131072
Creating dynamic volume file_system of size 20971520

I tried to dump nand, after some time (60MB) openocd returns an error.
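
As an added example (not code from this thread or from the repository): a pre-flight check for the restore path csersoft describes, where an image is staged in RAM at 0x84000000 with load_image and then written to flash from the U-Boot console. It parses the formatdisk volume sizes shown above and rejects an image that is empty, reads as erased flash, exceeds its UBI volume, or would run past the end of DRAM. The function names and the DRAM base 0x80000000 are assumptions; the page states only the 128 MB size and the example address.

```python
import re

# Constructed sample: the "Creating dynamic volume" lines from the formatdisk
# output in this thread, limited to the volumes the thread says can be
# extracted from firmware.
FORMATDISK_LOG = """\
Creating dynamic volume ubootA of size 524288
Creating dynamic volume ubootB of size 524288
Creating dynamic volume kernelA of size 3145728
Creating dynamic volume kernelB of size 3145728
Creating dynamic volume rootfsA of size 29360128
Creating dynamic volume rootfsB of size 29360128
"""

STAGING_ADDR = 0x84000000      # example RAM address given in the thread
DRAM_BASE = 0x80000000         # assumption: base address is not stated on the page
DRAM_SIZE = 128 * 1024 * 1024  # "DRAM: 128 MB" in the U-Boot banner

VOLUME_RE = re.compile(r"^Creating dynamic volume (\w+) of size (\d+)$", re.M)


def parse_volumes(log):
    """Map each UBI volume name to its size in bytes."""
    return {name: int(size) for name, size in VOLUME_RE.findall(log)}


def preflight(volume, image, volumes, staging=STAGING_ADDR):
    """Return the reasons this image must not be staged and written; [] if none."""
    if volume not in volumes:
        return [f"unknown volume {volume!r}"]
    problems = []
    if not image:
        problems.append("image is empty")
    elif image.count(0xFF) == len(image):
        problems.append("image is all 0xFF: a read of erased flash, not a backup")
    if len(image) > volumes[volume]:
        problems.append(f"image exceeds {volume} by {len(image) - volumes[volume]} bytes")
    dram_end = DRAM_BASE + DRAM_SIZE
    if not DRAM_BASE <= staging < dram_end:
        problems.append("staging address is outside DRAM")
    elif staging + len(image) > dram_end:
        problems.append("image runs past the end of DRAM")
    return problems


if __name__ == "__main__":
    vols = parse_volumes(FORMATDISK_LOG)
    print(preflight("kernelA", b"\xff" * 4096, vols))
```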

SambasOnFire commented 4 years ago

I caught the startcode of sd5115t, and it has some parts different from yours! startcode.bin.gz