admin
and your passwordI created a some hacks and patches that work around the some problems: https://github.com/fvollmer/GS108Tv2-openwrt. This is just a very crude hack and definitly needs a complete rewrite. Nonetheless it allows to boot openwrt without crashing (New boot log). I have yet to see what else is broken. It appears like the network isn't working, which is most likely due to the pci bus not working. There are some more (and better) patches needed for the ssb driver.
CFE> ifconfig eth0 -addr=192.168.0.10
CFE> boot -tftp -elf 192.168.0.9:/vmlinux-initramfs.elf
Or as a one-liner: ifconfig eth0 -addr=192.168.0.10;boot -tftp -elf 192.168.0.9:/vmlinux-initramfs.elf
ssb_irqflag
tries to acces SSB_TPSFLAG
and crashes the kernel.The stock firmware is based on the gpl licensed ecos operating system. These sources are provided by netgear. After some minor modifications (see commits at the github repository) I was able to build the sources using an old toolchain (recent versions are broken). I updated the build instruction to make building easier.
The device should be correctly initialized if we use the ecos source code. This means we can check if the ssb registers with an ecos applicaton. I build a quick test and compiled it with the example. According to the output the id high and low registers are 0. It looks like there simply isn't an id.
One idea for the mentioned SSB bus problem was that maybe there is some initialization wrong. Therefore I took a closer look at the boot an initialization process. This depends on the loaded packages. The configuration file should be mips_raptor_netgear.ecc
. The most important packages seem to be HAL_MIPS
, HAL_MIPS_BCM47xx
and HAL_MIPS_BCM953710
.
A rough overview of the boot and initialization process:
_start
at packages/hal/mips/arch/v2_0/src/vectors.S
hal_cpu_init
at packages/hal/mips/arch/v2_0/include/arch.inc
hal_diag_init
at packages/hal/mips/bcm953710/v2_0/src/hal_diag.c
hal_mmu_init
at packages/hal/mips/arch/v2_0/include/arch.inc
hal_fpu_init
at packages/hal/mips/arch/v2_0/include/arch.inc
hal_memc_init
at packages/hal/mips/bcm953710/v2_0/include/platform.inc
board_draminit
at packages/hal/mips/bcm953710/v2_0/src/sbsdram.S
hal_cache_init
at packages/hal/mips/bcm47xx/v2_0/include/variant.inc
hal_timer_init
at packages/hal/mips/arch/v2_0/include/arch.inc
hal_variant_init
at packages/hal/mips/bcm47xx/v2_0/src/var_misc.c
hal_platform_init
at packages/hal/mips/bcm953710/v2_0/src/plf_misc.c
sb_kattach
at packages/hal/mips/bcm953710/v2_0/src/sbutils.c
sb_doattach
at packages/hal/mips/bcm953710/v2_0/src/sbutils.c
sb_mips_init
at packages/hal/mips/bcm953710/v2_0/src/sbmips.c
Especially interesting appear board_draminit
and hal_platform_init
. The ecos system appears to allocate the cores staticallly at sb_doattach
.
make target/linux/install
to avoid recompiling everything. This way only the kernel is rebuild and a new image is created.The default exception handler looks like this:
**Exception 32: EPC=8027A97C, Cause=0000001C (BusErrD )
RA=8027D8F0, VAddr=00000000
0 ($00) = 00000000 AT ($01) = 10000000
v0 ($02) = B8000000 v1 ($03) = 806421E4
a0 ($04) = 8064223C a1 ($05) = B8005F18
a2 ($06) = 00000000 a3 ($07) = 000006E0
t0 ($08) = 00000000 t1 ($09) = 00000000
t2 ($10) = 00000007 t3 ($11) = 00000000
t4 ($12) = 0000002C t5 ($13) = 804B0000
t6 ($14) = 00000000 t7 ($15) = 00000000
s0 ($16) = 8064223C s1 ($17) = 8064223C
s2 ($18) = 806421E4 s3 ($19) = 00000006
s4 ($20) = 00000001 s5 ($21) = 00000001
s6 ($22) = 8064223C s7 ($23) = 804785C0
t8 ($24) = 00000002 t9 ($25) = 00000000
k0 ($26) = 804A0000 k1 ($27) = 804B0000
gp ($28) = 804A4000 sp ($29) = 804A5D38
fp ($30) = 80642218 ra ($31) = 8027D8F0
To better undertand the meaning of the registers please see MIPS calling convention. First four call arguments in $a0-$a3, return argument(s) in $v0-$v1.
EPC is the error programm counter, and RA is the return address. Both can be used with gdb to get information about the crash:
gdb ./build_dir/target-mips_mips32_musl/linux-brcm47xx_generic/vmlinux.debug
GNU gdb (Ubuntu 8.2.91.20190405-0ubuntu3) 8.2.91.20190405-git
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./build_dir/target-mips_mips32_musl/linux-brcm47xx_generic/vmlinux.debug...
(gdb) list *0x8027A97C
0x8027a97c is in ssb_host_soc_read32 (./arch/mips/include/asm/io.h:434).
429 __BUILD_MEMORY_PFX(, bwlq, type) \
430 __BUILD_MEMORY_PFX(__mem_, bwlq, type) \
431
432 BUILDIO_MEM(b, u8)
433 BUILDIO_MEM(w, u16)
434 BUILDIO_MEM(l, u32)
435 BUILDIO_MEM(q, u64)
436
437 #define __BUILD_IOPORT_PFX(bus, bwlq, type) \
438 __BUILD_IOPORT_SINGLE(bus, bwlq, type, ,) \
(gdb) list *0x8027D8F0
0x8027d8f0 is in ssb_sflash_cmd (./include/linux/ssb/ssb.h:599).
594 {
595 dev->ops->write16(dev, offset, value);
596 }
597 static inline void ssb_write32(struct ssb_device *dev, u16 offset, u32 value)
598 {
599 dev->ops->write32(dev, offset, value);
600 }
601 #ifdef CONFIG_SSB_BLOCKIO
602 static inline void ssb_block_read(struct ssb_device *dev, void *buffer,
603 size_t count, u16 offset, u8 reg_width)
(gdb)
The GS700TR appears to be especially interesting device. The source code release contains linux sources for the bcm56218
. These sources are very similar to the ecos sources and the ssb core mapping appears to be the same. Needs further investigation.
Thanks for the useful advices at the #openwrt-devel IRC channel. Especially to KanjiMonster who helped me with informations regarding the MIPS architecture and the SSB bus. The GS700TR sources were als discovered by KanjiMonster.