[Problem gelöst, FBF neu geflasht über JTag] FBF7050, adam2 Bootloader deadlock?

[el_valiente]

There is already a Windows Version available of wrtjp.5.1.

That's great!
Congratulations and thanks, Jpascher!

You don't need the internal connections if you use the wrtjp.5.1.

I don't understand!?!
Even when using wrtjp.5.1, one needs to do some welding, in order to connect the JTAG interface to the right tracks (i.e. internal connections). Isn't that right?
.

 

[Jpascher]

Yes you need to connect to the board as you did describe.

But if one uses a older tool that is not capable of finding multiple chips in a chain one has to find the internal connection so only one chip is visible on the Chain.

 

[el_valiente]

... But if one uses a older tool that is not capable of finding multiple chips in a chain one has to find the internal connection ...

You refer to TDO versus cTDO, right?
In the original JTAG tool by HairyDairyMaid (wrt54g) you must identify TDO and connect to it, seeing only the first device in the chain (the CPU).
In your tool (wrtjp.5.1), you may connect either to TDO or to cTDO. In the latter case, your tool identifies all devices in the chain and one is able to connect to each of them.
In principle, this is also possible using wrt.exe by Feadi, but your tool is more comfortable (and perhaps a little faster?).

Any way: Regarding the problem of naf71, he must identify the tracks at the front side of the print, in order to connect his JTAG interface to the right connexions.
.

 

[Jpascher]

Yes correct.

If one knows witch parameters to use for feadis wrt.exe there is no obvious reason way one should use the wrtjp.5.1.
There are many improvements made to wrtjp.5.1 but in the end, less is sometimes more.

(Feadi never published the source of his changes to HairyDairyMaidy 4.8 Version. My adaptions ware made on base of HairyDairyMaidy Version 4.8 and the Application Notes published by Xilinx http://www.xilinx.com/support/documentation/application_notes/xapp058.pdf
http://www.xilinx.com/support/documentation/application_notes/xapp424.pdf
See also: ftp://ftp.xilinx.com/pub/swhelp/cpld/eisp_pc.zip)

If one has a print without knowing the parameters wrtjp.5.1 will usually identify and readout the chips found.
A new parameter (/check) was added so one can double check reading and check on ever rif the written byte was written correctly. Only in use if PrAcc read writes are used. DMA read write don't work on AVM routers anyway. This option is not set by default because it makes reading and writing much slower.
Cabling should be much less critical as it is with wrt.exe or any older HaryDaryMad tool.
Sometimes older tools just exit with a segmentation fault, because the PrAcc read or write routine had no checking for addressing overflow. Or some routine just did a endless loop without timeout if wrong information was read from the buss.
There may still be space to improve or enhance this software.

EDIT2:
Reading 0x1000 Bytes takes 11 seconds and with wrt.exe 15 seconds.
Writing 0x1000 Bytes takes 80 seconds and with wrt.exe 104 seconds.
So it is actually a bit faster as the older reading or writing routines.

Linux Version is slower as the Windows Version, if low level port routines would be in assembler this could be as fast as windows version.
Reading 0x1000 Bytes takes 16 seconds.
Writing 0x1000 Bytes takes 115 seconds.

And don't forget that the tool has built in debugging (Option /debug2) down to every single bit read or written to the EJTAG bus. This is not important if everything is working but if one wants to learn how EJTAG is functioning or find out what is not running proper then one can do debugging with some background information on this subject.

So for persons who would like to understand how JTAG is working it would be a very nice tool.

Option /test is very good suitable to do single stepping on the JTAG bass as well.
And it is usable to check the wiring in combination with a logic-tester or multimeter or Oscilloscope.
Test option /test clocking can be used to find the Chain TDO wire on the print by searching for hot spots while looking for a clock signal.

 

[el_valiente]

There are many improvements made to wrtjp.5.1 ...

Thank you for this great overwiev of the features in wrtjp.5.1

.

 

[Jpascher]

Link zur Zusammenfassung: LINK zur Zusammenfassung
Link zu BILDERN
Link zu Anschlussbelegung
Vielleicht machst du das auch auf englisch genauso oder man könnte das ins wiki auf wehavefun einfügen.

 

[el_valiente]

Vielleicht machst du das auch auf englisch genauso ...

Die [post=1372336]Zusammenfassung[/post] gibts jetzt auch auf englisch
.

 

[Jpascher]

Danke!

Hab auch noch nachgebesset, nun ist die Geschwindigkeit etwas schneller als bei wrt.exe

Links siehe: Hier

 

[el_valiente]

Was ist los mit dem Feadi Link ?

Habe wieder mal eine FB mit JTAG retten müssen.
Dabei fiel mir auf, dass der Link von Feadi am Anfang dieses Threads nicht mehr funktioniert (http://feadispace.funpic.de).
Weiss jemand etwas Genaueres dazu?

EDIT vom 22.10.2010:
Bin wieder mal (Not gedrungen) mit JTAG zu Wege und habe Feadis Link aufgerufen: Er funktioniert wieder!
.

 

[gdfath3r]

Sorry to ask (in englisch) , but I see that many of you understand and speak english, not me deutsch. Btw, I am hungarian.
So, shortly...I am seeking help from you guys.
I have Fritz!Box Fon Wlan 7170 avm04047 artikel nr.: 2000-2330 and I am looking for full firmware dump for this router. I would apreciate if can someone point me to jtag pinouts for this board, because I found that, has no pinouts similar wrt54g.

Danke Schön in advance,

Ernest

 

[MaxMuster]

In fact, there is a way quite more simple in order to get a full backup of your firmware. The box has an internal ftp server working for some seconds after power on or reboot. So you can connect to this server and save the "partitions" of the box, as described here in german, but you shoud be able to get the idea ;-).
After saving the mtd's, just concat them to get a full Image:

cat mtd2 mtd1 mtd3 mtd4 > image

To identify the jtag pinout, take a look at the picture of a 7050, the pinout is allmost the same...

Jörg

 

[gdfath3r]

My problem is, I cannot access the router from LAN port, doesnt matter what I do.
Maybe I will try JTAG, but I have to go for sure.

 

[MaxMuster]

It should be simple to reach the box following this advice: Start an inappropriate "recovery" (e.g. the one for the [/url=http://download.avm.de/fritz.box/fritzbox.fon_wlan_7050/x_misc/fritz.box_fon_wlan_7050.04.31.recover-image.exe]7050[/url] following the instruction (e.g. set the LAN-IP of your PC to 192.168.178.12 or so).
The programm will start, "complain" about the wrong version and exit.
But first it will do us two favors ;-):
- It sets the "FTP-IP" to 192.168.178.1
- It leaves the box in the "FTP-state", usually only available very few seconds after reboot of the box.

So after the recover exits, you should be able to reach the Box via FTP.

You may also find out the FTP IP address from the console or telnet if you check the environmet variable "my_ipaddress":

cat /proc/sys/urlader/environment | grep my_ip

Jörg

 

[adamgobi]

Hii all!
plase help my for my fritzz 7170

error from flash: MX29LV640MTTC-90G 4Mx16 (8MB)

C:\go\Wrt5.1>wrtjp.5.1.exe -probeonly

==================================================
WRT54G/GS/AVM/Speedport EJTAG Debrick Utility v5.1
==================================================

***-----------------------------------------------------------------***

Beginning dedect scan leangth...
Switch on power!...
Chain lenght: 14 IR-Chain: 00010010000011 (00000483)
Probing bus ...
Beginning scan chain auto-detection
Device number: '1' Chip ID: 00000000000000000001000000001111 (0000100F)
 *** Found a TI AR7WRD TNETD7200ZWD Rev 1 CPU chip ***
Device number: '2' Chip ID: 00001011011011000000000000101111 (0B6C002F)
 *** Found a 0B6C002F ????? chip ***
Device number: '3' Chip ID: 01000001110000100010000010010011 (41C22093)
 *** Found a XC3S500E FPGE chip ***
Done

Processing is stopped now, you must now specify new commandline options:
/skipdetect and /dev:XX with the device number of the CPU found.

 

[Jpascher]

Welcome!

First the output tells us that you have a working wiring, and that the device number you need is one.


How to go on?
Depends what you want to do?

 

[adamgobi]

I want to rewrite the bootloader this router not start,
want to know what are my chances of recovering this router?
Rewriting the bootloader is possible?
Where to find the boot file can be overwritten by JTAG?
What percent commands for rewriting the bootloader, the software can then rewrite it with TFTP?

 

[Jpascher]

Please make sure first that your Problem cant be solved with a different method like using a recover image.

Rewriting the boot loader is usual possible.
The File can be read from a working 7170, and may be someone has such a File for you.
After you have a usable boot loader you can use FTP or other methods to write the firmware.

 

[adamgobi]

Unfortunately I can not recover the picture work. All lights are off will not start any

Who can it a bootloader for 7170?
Correct boot partition is mtd3 0x90780000, 0x907C0000
And Comad flash for boootloader i'ts?
wrtjp.5.1 -flash:custom /bypass /skipdetect /window:90780000 /start:907C0000 /length:20000
yes?

Thanks

 

[Jpascher]

I dont have a saved boot-loader for 7170 so hopefully someone else will post you the boot-loader.

wrtjp.5.1 -flash:custom /bypass /skipdetect /window:90000000 /start:90000000 /length:10000

 

[adamgobi]

For bootloade i's good? [Edit Novize: Link deleted]