Sunray SOLO3 (Solo SE) jtag

gjstroom

Registered
Messages
100
I have a broken Sunray SOLO3.
It looks like a problem with the flash module: I exchanged it with the module of a working SOLO3, and then the box just works.
Probably a faulty Samsung K9F2G08U0C.
Does anyone know how to JTAG this box? It has a BCM7241.
Or maybe a flash module for sale?
 

gjstroom

Broadbandstudio BCM97241 does not exist?

I managed to build an RS232 cable; the RS232 signal is present on the RJ11 connector where you can connect the external IR receiver.
conn_rj12m.gif

Code:
 1    LED
 2    Ground
 3    IR-Data (5V-TTL)
 4    +5V (Power IR-receiver) 47Ohm resistor
 5    RS232-DTX (Box-Output)
 6    RS232-DRX (Box-Input)
db9-pinout.gif

Connect the following:
Code:
RJ11     DB9
2          5
5          2
6          3

This is all the output the box gives:
Code:
BCM74290010

M0080080000CZP#@

BCM97241B0 CFE v3.16, CFE core v3.45, Endian Mode: Little
BCM7241B2 CFE Build Date: Tue, Jun 24, 2014  3:15:47 PM   11.316.01 Vuplus team
Copyright (C) Broadcom Corporation.

The weird part is that sometimes the box moves on to flashing, but this happens mostly when it has been powered off for some time:
Code:
BCM74290010

M0080080000CZP#@

BCM97241B0 CFE v3.16, CFE core v3.45, Endian Mode: Little
BCM7241B2 CFE Build Date: Tue, Jun 24, 2014  3:15:47 PM   11.316.01 Vuplus team
Copyright (C) Broadcom Corporation.

CPU speed:            1305MHz
DDR Frequency:        800 MHz
DDR Mode:             DDR3
Total memory:         1024MB
DDR Width:            32
SCB clock:            277 MHz
RTS Version:          20121205235404_7241
Boot Device:          NAND
Total flash:          256MB

Initializing USB.
USB: Locating Class 09 Vendor 0000 Product 0000: USB Root Hub
USB: Locating Class 09 Vendor 0000 Product 0000: USB Root Hub
USB: Locating Class 09 Vendor 0000 Product 0000: USB Root Hub
USB: Locating Class 09 Vendor 0000 Product 0000: USB Root Hub

CFE initialized.
USB: Device disconnected from bus 0 hub 1 port 1
USB: New device connected to bus 0 hub 1 port 1
USB: Resetting device on bus 0 hub 1 port 1
USB: Locating Class 08 Vendor 090C Product 1000: Mass-Storage Device
USBMASS: Unit 0 connected
waiting for usb...done
checking usb
Found high priority Mass Storage bus = 0, index  = 0
checking front key
readFrontKey 0 0
Checking usbdisk0:/vuplus/solose/ignore.update......NO
Checking usbdisk0:/vuplus/solose/force.update......YES
Checking usbdisk0:/vuplus/solose/cfe_cfe_auto.bin......NO
Checking usbdisk0:/vuplus/solose/root_cfe_auto.bin......YES
Checking usbdisk0:/vuplus/solose/splash_cfe_auto.bin......YES
Checking usbdisk0:/vuplus/solose/kernel_cfe_auto.bin......YES
Checking usbdisk0:/vuplus/solose/reboot.update......NO
Update
Reading usbdisk0:/vuplus/solose/cfe_cfe_auto.bin:  Skipping...: File not found
Reading usbdisk0:/vuplus/solose/initrd_cfe_auto.bin:  Done. 5986485 bytes read

Programming...
done. 5986485 bytes written
Reading usbdisk0:/vuplus/solose/splash_cfe_auto.bin:  Done. 1036856 bytes read

Programming...
done. 1036856 bytes written
Reading usbdisk0:/vuplus/solose/kernel_cfe_auto.bin:  Done. 4119464 bytes read

Programming...
done. 4119464 bytes written
Checking usbdisk0:/vuplus/solose/root_cfe_auto.bin......YES
Loader:elf Filesys:raw Dev:flash0.initrd File: Options:bmem=192M@64M bmem=160M@512M
Loading: 0x80001000/12670464 0x80c16600/114576 Entry address is 0x804595d0
Starting program at 0x804595d0

Linux version 3.3.8-2.0-g298276c-dirty (shcheong@ubuntu) (gcc version 4.5.3 (Broadcom stbgcc-4.5.3-2.4) ) #17 SMP Fri Aug 21 19:31:02 KST 2015
Fetching vars from bootloader... found 14 vars.
Options: moca=0 sata=1 pcie=0 usb=1
Using 1024 MB + 0 MB RAM (from CFE)
bootconsole [early0] enabled
CPU revision is: 00025a11 (Broadcom BMIPS5000)
FPU revision is: 00130001
Determined physical RAM map:
 memory: 10000000 @ 00000000 (usable)
 memory: 30000000 @ 20000000 (usable)
bmem: adding 192 MB RESERVED region at 64 MB (0x0c000000@0x04000000)
bmem: adding 160 MB RESERVED region at 512 MB (0x0a000000@0x20000000)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00050000
Movable zone start PFN for each node
Early memory PFN ranges
    0: 0x00000000 -> 0x00010000
    0: 0x00020000 -> 0x00050000
PERCPU: Embedded 7 pages/cpu @8180a000 s5632 r8192 d14848 u32768
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 259584
Kernel command line: bmem=192M@64M bmem=160M@512M
PID hash table entries: 4096 (order: 2, 16384 bytes)
Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
Primary instruction cache 32kB, physically tagged, 4-way, linesize 64 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
MIPS secondary cache 256kB, 8-way, linesize 128 bytes.
Memory: 666552k/1048576k available (4534k kernel code, 382024k reserved, 1103k data, 6736k init, 0k highmem)
Hierarchical RCU implementation.
NR_IRQS:160
Measuring MIPS counter frequency...
Detected MIPS clock frequency: 1305 MHz (163.133 MHz counter)
Console: colour dummy device 80x25
Calibrating delay loop... 869.37 BogoMIPS (lpj=434688)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
SMP: Booting CPU1...
CPU revision is: 00025a11 (Broadcom BMIPS5000)
FPU revision is: 00130001
Primary instruction cache 32kB, physically tagged, 4-way, linesize 64 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
MIPS secondary cache 256kB, 8-way, linesize 128 bytes.
SMP: CPU1 is running
Brought up 2 CPUs
NET: Registered protocol family 16
USB0: power enable is active high; overcurrent is active low
USB1: power enable is active high; overcurrent is active low
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Switching to clocksource wktmr
NET: Registered protocol family 2
IP route cache hash table entries: 32768 (order: 5, 131072 bytes)
TCP established hash table entries: 131072 (order: 8, 1048576 bytes)
TCP bind hash table entries: 65536 (order: 7, 524288 bytes)
TCP: Hash tables configured (established 131072 bind 65536)
TCP reno registered
UDP hash table entries: 512 (order: 2, 16384 bytes)
UDP-Lite hash table entries: 512 (order: 2, 16384 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
fuse init (API version 7.18)
msgmni has been set to 1301
io scheduler noop registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
console [ttyS0] enabled, bootconsole disabled 52) is a 16550A
console [ttyS0] enabled, bootconsole disabled
serial8250.0: ttyS1 at MMIO 0x10406740 (irq = 53) is a 16550A
libscan: scanning eraseblock 1799 -- 100 % complete  a 1aseblock 738 -- 41 % complete
ubiformat: 1790 eraseblocks have valid erase counter, mean value is 16
ubiformat: 10 bad eraseblocks found, numbers: 38, 1390, 1792, 1793, 1794, 1795, 1796, 1797, 1798, 1799
ubiformat: flashing eraseblock 1174 -- 100 % complete
ubiformat: formatting eraseblock 1799 -- 100 % complete
Turning on LED
Update complete
Turning on LED
Update complete
Turning off LED

Looks fine, but after a power cycle nothing happens.

It's about this flash module, definitely a different PCB layout than the Sunray Solo2 box.

Top (K9F2G08U0C-SCB0 2Gb nand flash memory)
yks5pRy.jpg


Bottom (EPM3064A CPLD - Complex Programmable Logic Devices)
6SkGrx2.jpg
 

gjstroom

I made some progress in my quest to program a virgin K9F2G08U0C-SCB0 chip.

For this I need the dump of a working box; luckily I have 2 :)
It seems you can interrupt the bootloader when you hook up a serial console (PuTTY/Tera Term/HyperTerminal/minicom etc.): just press Ctrl-C a few times when text appears in your console.
Code:
BCM74290010

M0080080000CZP#@

BCM97241B0 CFE v3.16, CFE core v3.45, Endian Mode: Little
BCM7241B2 CFE Build Date: Tue, Jun 24, 2014  3:15:47 PM   11.316.01 Vuplus team
Copyright (C) Broadcom Corporation.

******************************************
Automatic startup canceled via Ctrl-C
******************************************

CPU speed:            1305MHz
DDR Frequency:        800 MHz
DDR Mode:             DDR3
Total memory:         1024MB
DDR Width:            32
SCB clock:            277 MHz
RTS Version:          20121205235404_7241
Boot Device:          NAND
Total flash:          256MB

Initializing USB.
USB: Locating Class 09 Vendor 0000 Product 0000: USB Root Hub
USB: Locating Class 09 Vendor 0000 Product 0000: USB Root Hub
USB: Locating Class 09 Vendor 0000 Product 0000: USB Root Hub
USB: Locating Class 09 Vendor 0000 Product 0000: USB Root Hub

CFE initialized.
waiting for usb...done
checking usb
No Priority Usb
checking front key
readFrontKey 0 0
Checking usbdisk0:/vuplus/solose/ignore.update......NO
Checking usbdisk0:/vuplus/solose/force.update......NO
Checking usbdisk0:/vuplus/solose/cfe_cfe_auto.bin......NO
Checking usbdisk0:/vuplus/solose/root_cfe_auto.bin......NO
....NO
Checking usbdisk0:/vuplus/solose/splash_cfe_auto.bin......NO
Checking usbdisk0:/vuplus/solose/kernel_cfe_auto.bin......NO
Starting splash screen.
Found splash image - Width = 720 Height = 480
Non Interlaced Replace list 043f8100 0c800000Interlaced Replace list 043f86a0 0c8005a0
CFE>

Now we can enter the following commands:
Code:
CFE> help
Available commands:

ts                  Time stamp utility
info                Show CFE configuration information
set console         Change the active console device
loop                Loop a command
reboot              Reboot the system
dir                 List the directory of a FAT file system
macprog             Program MAC addresses.
macprog2            Program a specific MAC address.
flash               Update a flash memory device
memtest             Test memory.
t                   Test contents of memory.
f                   Fill contents of memory.
e                   Modify contents of memory.
d                   Dump memory.
u                   Disassemble instructions.
batch               Load a batch file into memory and execute it
go                  Start a previously loaded program.
load                Load an executable file into memory without executing it
save                Save a region of memory to a remote file via TFTP
boot                Load an executable file into memory and execute it
ephycfg             Configure Ethernet PHY interface
ping                Ping a remote IP host.
ifconfig            Configure the Ethernet interface
sleep               Sleep for specified milliseconds.
waitusb             Wait for USB device to be installed.
show usb            Display devices connected to USB bus.
show heap           Display information about CFE's heap
show memory         Display the system physical memory map.
show devices        Display information about the installed devices.
testenv             Tests environment variable for various conditions. Default is test the existence of the variable
incenv              Increment an integer environment variable.
unsetenv            Delete an environment variable.
printenv            Display the environment variables
setenv              Set an environment variable.
help                Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** command status = 0
CFE>

One command in particular is interesting: macprog2. With this command you can change the MAC address of the box, which is quite handy if you have more than one Solo SE on the same network, knowing that each box shares the same MAC address (00-DE-FA-11-80-00).
To change the MAC address to 00-DE-FA-11-80-01:
Code:
macprog2 00-DE-FA-11-80-01

But the most interesting command is the save command; this allows you to save the memory content to a file by TFTP, which I need to program the NAND.
For this to work you first need to initialize the network. I use DHCP; for static addresses you need some more commands, just type 'help ifconfig' for some info about this.
Code:
CFE> ephycfg

Please select the board PHY design for eth0 interface

1) Internal 10/100Mbps PHY (build-in PHY)
2) MII to external 10/100Mbps PHY (e.g. bcm53101E)
3) RGMII ID mode disabled for external 10/100/1000Mbps PHY (e.g. bcm5461x)
4) RGMII to external Gigabit Switch (e.g. bcm531x5)
5) RGMII ID mode disabled for external Gigabit Switch
6) RGMII to RGMII (e.g. STB<->3383)
Selection: 1
*** command status = 0
CFE> ifconfig -auto eth0
100 Mbps Full-Duplex
Device eth0:  hwaddr 00-DE-FA-11-80-00, ipaddr 192.168.0.248, mask 255.255.255.0
        gateway 192.168.0.1, nameserver 192.168.0.250, domain xxxxx
*** command status = 0
CFE>

You also need to start a TFTP server on your client; I use Tftpd64.
Code:
CFE> save 192.168.0.10:wholeflash.bin 87000000 100000
1048576 bytes written to 192.168.0.10:wholeflash.bin
*** command status = 0
CFE>

This is where I am stuck right now: I can't find the right address where the NAND is located.
The file above does list a part of the CFE (bootloader), but I am not sure if this is a RAM part instead of the ROM.

Who knows the right memory addresses where the NAND is located?

Found on the dd-wrt forum:
The address space of the MIPS CPU is divided into segments, kseg0 from address 0 to 7fffffff and kseg1 from 80000000 to ffffffff.
Everything in kseg0 is also present in kseg1 but there are different access rights between these segments.
kseg0 is system space and kseg1 is user space and user programs running in kseg1 are prevented from accessing kseg0 directly.

In the normal bootlog I find KSEG1 : 0x80000000
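
Added example, not part of the original posts: a Python sketch that decodes the address and length given to the CFE `save` command in the session above and checks the result against the physical RAM map printed in the kernel boot log. It assumes the standard MIPS32 fixed segment layout with no Broadcom-specific extended addressing; the function names are illustrative.

```python
import re

# Standard MIPS32 fixed segments (assumption: CFE uses this layout and no
# Broadcom-specific extended addressing mode).
SEGMENTS = [
    ("kuseg", 0x00000000, 0x7FFFFFFF),    # TLB-mapped
    ("kseg0", 0x80000000, 0x9FFFFFFF),    # unmapped, cached
    ("kseg1", 0xA0000000, 0xBFFFFFFF),    # unmapped, uncached
    ("kseg2/3", 0xC0000000, 0xFFFFFFFF),  # TLB-mapped
]

# Lines copied from the boot log and the CFE session in the thread.
BOOT_LOG = """\
 memory: 10000000 @ 00000000 (usable)
 memory: 30000000 @ 20000000 (usable)
"""
SAVE_CMD = "save 192.168.0.10:wholeflash.bin 87000000 100000"

def segment(vaddr):
    """Name of the segment a 32-bit virtual address falls in."""
    return next(name for name, lo, hi in SEGMENTS if lo <= vaddr <= hi)

def to_physical(vaddr):
    """kseg0/kseg1 map to physical by dropping the top 3 bits; else None."""
    return vaddr & 0x1FFFFFFF if segment(vaddr) in ("kseg0", "kseg1") else None

def ram_ranges(log):
    """Physical [start, end) ranges from 'memory: SIZE @ BASE (usable)' lines."""
    found = re.findall(r"memory: ([0-9a-f]{8}) @ ([0-9a-f]{8}) \(usable\)", log)
    return [(int(base, 16), int(base, 16) + int(size, 16)) for size, base in found]

def classify_save(cmd, log):
    """Decode the address/length of a CFE 'save' command and test it against RAM."""
    _, _target, addr, length = cmd.split()
    vaddr, nbytes = int(addr, 16), int(length, 16)  # CFE takes both as hex
    phys = to_physical(vaddr)
    in_ram = phys is not None and any(
        lo <= phys and phys + nbytes <= hi for lo, hi in ram_ranges(log))
    return {"segment": segment(vaddr), "phys": phys, "bytes": nbytes, "in_ram": in_ram}

if __name__ == "__main__":
    r = classify_save(SAVE_CMD, BOOT_LOG)
    print(f"{r['segment']} phys=0x{r['phys']:08x} {r['bytes']} bytes in_ram={r['in_ram']}")
```

Under these assumptions the `save` above resolves to kseg0, physical 0x07000000, which lies inside the first usable RAM range reported by the kernel.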
 