
H8247H #3

Open
SambasOnFire opened this issue Nov 4, 2019 · 26 comments

Comments

@SambasOnFire

Hi, I have some problems; I think it is the clock speed...
c232hm-edhsl-0.cfg
interface ftdi
ftdi_vid_pid 0x0403 0x6014
ftdi_device_desc "Single RS232-HS"
adapter_khz 2000
ftdi_layout_init 0x0008 0x400b
####################################

Open On-Chip Debugger 0.10.0+dev-00954-gded67990 (2019-10-27-00:52)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
sd5115_help
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 2000 kHz
Info : JTAG tap: sd5115.cpu tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd.), part: 0xba00, ver: 0x4)
Info : sd5115.cpu: hardware has 6 breakpoints, 4 watchpoints
Info : Listening on port 3333 for gdb connections
Error: Invalid ACK (7) in DAP response
Error: JTAG-DP STICKY ERROR
Polling target sd5115.cpu failed, trying to reexamine
Error: Invalid ACK (7) in DAP response

@csersoft
Owner

csersoft commented Nov 6, 2019

I have not tested it on the 8247H. On the 8245H, there are some things to do to perform JTAG debugging.
You can refer to:
https://blog.csersoft.net/archives/121
https://blog.csersoft.net/archives/147

@csersoft
Owner

csersoft commented Nov 6, 2019

In the case of normal boot, uboot and kernel will disable JTAG.

@SambasOnFire
Author

I had already followed the previous steps!
I did a test and changed cortex_a to cortex_m; now I get this message.

openocd -f /usr/local/share/openocd/scripts/interface/ftdi/c232hm-edhsl-0.cfg -f hi_sd5115_openocd_config/hi_sd5115_jtag.cfg -c "adapter_khz 1000"
Open On-Chip Debugger 0.10.0+dev-00954-gded67990 (2019-10-27-00:52)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
sd5115_help
adapter speed: 1000 kHz

Info : Listening on port 16666 for tcl connections
Info : Listening on port 14444 for telnet connections
Info : clock speed 1000 kHz
Info : JTAG tap: sd5115.cpu tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd.), part: 0xba00, ver: 0x4)
Error: Could not find MEM-AP to control the core
Info : Listening on port 3333 for gdb connections
Info : accepting 'telnet' connection on tcp/14444
Error: Target not examined yet

@csersoft
Owner

The core of sd5115 is cortex-A, not cortex-M.
What is the device c232hm-edhsl-0.cfg?

@SambasOnFire
Author

Bus 008 Device 002: ID 0403:6014 Future Technology Devices International, Ltd FT232H Single HS USB-UART/FIFO IC
Device Descriptor:
  bLength 18
  bDescriptorType 1
  bcdUSB 2.00
  bDeviceClass 0 (Defined at Interface level)
  bDeviceSubClass 0
  bDeviceProtocol 0
  bMaxPacketSize0 64
  idVendor 0x0403 Future Technology Devices International, Ltd
  idProduct 0x6014 FT232H Single HS USB-UART/FIFO IC
  bcdDevice 9.00
  iManufacturer 1 FTDI
  iProduct 2 Single RS232-HS
  iSerial 0
  bNumConfigurations 1
  Configuration Descriptor:
    bLength 9
    bDescriptorType 2
    wTotalLength 32
    bNumInterfaces 1
    bConfigurationValue 1
    iConfiguration 0
    bmAttributes 0x80 (Bus Powered)
    MaxPower 500mA
https://www.ftdichip.com/Support/Documents/DataSheets/Cables/DS_C232HM_MPSSE_CABLE.PDF

@csersoft
Owner

OpenOCD supports FT232H based devices.

@csersoft
Owner

Is there a pull-up DBGSEL pin?

@SambasOnFire
Author

Yes, I connected it directly to vcc pin 3.3v.
Another thing I noticed, jtag is only active for a few seconds after power on, then it's deadweight!

@csersoft
Owner

csersoft commented Nov 14, 2019

> Yes, I connected it directly to vcc pin 3.3v.
> Another thing I noticed, jtag is only active for a few seconds after power on, then it's deadweight!

This is because uboot and kernel will disable JTAG!
Reference: #1

Need to write cracked uboot (will not be able to boot the system), or damage uboot.
Cracked uboot Download: 8245H_R16_UB_PAT_FULL.zip

@csersoft
Owner

Or, when the device is powered on, pull up the CE pin of Nand Flash to 3.3V, so that the CPU cannot boot from Flash.
On the HG8245H, there is a resistor R1542 near the power LED on the back of the motherboard. Here is the CE pin of Flash, which can be shorted to 3.3V here to prevent booting from Flash.

There are two ways to short-circuit:

  1. Short the CE pin before powering up, so that the CPU cannot find any bootable code.
  2. About 2~4 seconds after power-on (the specific time needs to be tested and must be timed accurately), short the CE pin. At this point the CPU should have loaded StartCode, but can't find Uboot, so JTAG will not be closed.

@SambasOnFire
Author

SambasOnFire commented Nov 24, 2019

I searched for the R1542 and didn't see it, maybe I'm blind!:)
https://ibb.co/Tgj2Wyk

@csersoft
Owner

> I searched for the R1542 and didn't see it, maybe I'm blind!:)
> https://ibb.co/Tgj2Wyk

The focus is not on R1542, it is the CE pin of Nand Flash.
R1542 is the resistor on the HG8245H that pulls up the CE pin.
The numbers are not necessarily the same on the 8247H.

@SambasOnFire
Author

Cool, now it is better!

sd5115_hwinit
DSCR_DTR_RX_FULL, dscr 0x4b086003
sd5115.cpu rev 1, partnum c09, arch f, variant 4, implementor 41
sd5115.cpu: MPIDR level2 0, cluster 0, core 0, multi core, no SMT
target halted in ARM state due to debug-request, current mode: Undefined instruction
cpsr: 0x000001db pc: 0x00000004
MMU: disabled, D-Cache: disabled, I-Cache: disabled
target halted in ARM state due to debug-request, current mode: Undefined instruction
cpsr: 0x000001db pc: 0x00000004
MMU: disabled, D-Cache: disabled, I-Cache: disabled
Info: (arm mrc 15 0 0 0 5) & 0xf == 0 .
Info: call offset 0x6EC .
Info: call offset 0x700 .
Info: call offset 0x710 .
Info: call offset 0xFAD4 .
Info: call offset 0xFCD4 .
Info: call offset 0xFAF4 .
Info: call offset 0xFBD8 .
Info: call offset 0xFED4 (init dram).
Info: init dram...
Hardware initialization is complete!

@SambasOnFire
Author

HuaWei StartCode 2012.02 (R13C10 Apr 22 2014 - 18:06:02)

NAND: Nand(Hardware): 128 MiB
startcode select the uboot to load
the high RAM is :8080103c
startcode uboot boot count:-2102258872
Slave struct initializtion success!!
Use the UbootA to load first
Start from UbootA ERROR, Change to UbootB
Both UbootA and UbootB are wrong, load it by JTAG!

U-Boot 2010.03 (R16C10 Jul 14 2016 - 14:19:37)

DRAM: 128 MB
Boot From NAND flash
Chip Type is SD5115T
NAND: Special Nand id table Version 1.23
Nand ID: 0x98 0xD1 0x90 0x15 0x76 0x14 0x01 0x00
ECC Match pagesize:2K, oobzie:64, ecctype:4bit
Nand(Hardware): Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit
128 MiB
Using default environment

In: serial
Out: serial
Err: serial
MEM_MODE = MEM!
[main.c__6080]::CRC:0x4290109c, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, f
0x000000100000-0x000008000000 : "mtd=1"
UBI: attaching mtd1 to ubi0
slave_paramA in flash, CRC:0xffffffff, Magic1:0xffffffff, Magic2:0xffffffff, cof
MAGIC1: 0xffffffff, MAGIC2: 0xffffffff, the magic is error!!!
slave_paramB in flash, CRC:0xffffffff, Magic1:0xffffffff, Magic2:0xffffffff, cof
MAGIC1: 0xffffffff, MAGIC2: 0xffffffff, the magic is error!!!
Slave struct initializtion success!!
Start from main system(0x0)!
CRC:0x4290109c, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, CommitedArea:0x00
Both A and B area maybe error!!
hisilicon #

I made a stupid mistake: I erased the Nand, and now the kernel image is gone!

@crazygsm

crazygsm commented Dec 2, 2019

What did you do to erase the Nand?

@SambasOnFire
Author

I typed the command nand erase; the good thing is I don't need to use the CE pin again...

MEM_MODE = MEM!
<-------------------------FLASH FORMAT-------------------------->
1 erase the whole flash ----- command : nand erase
2 format flash to ubi type ----- command : formatdisk
3 load the startcode ----- command : loadstartcode
4 load the uboot ----- command : loaduboot
<-------------------------FLASH FORMAT-------------------------->
hisilicon #

@csersoft
Owner

csersoft commented Dec 3, 2019

> I typed the command nand erase; the good thing is I don't need to use the CE pin again...
>
> MEM_MODE = MEM!
> <-------------------------FLASH FORMAT-------------------------->
> 1 erase the whole flash ----- command : nand erase
> 2 format flash to ubi type ----- command : formatdisk
> 3 load the startcode ----- command : loadstartcode
> 4 load the uboot ----- command : loaduboot
> <-------------------------FLASH FORMAT-------------------------->
> hisilicon #

There are ways to recover, and the process is more complicated.
The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.

@csersoft
Owner

csersoft commented Dec 3, 2019

It is recommended to use the FT2232H module, because the FT2232H has a maximum JTAG clock speed of 30MHz.

@crazygsm

crazygsm commented Dec 3, 2019

> There are ways to recover, and the process is more complicated.
> The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.

Hi csersoft,

How do you load the mtd dump inside?
Using TFTP, or the same method as your changed load using jtag?

@SambasOnFire
Author

> > I typed the command nand erase; the good thing is I don't need to use the CE pin again...
> > MEM_MODE = MEM!
> > <-------------------------FLASH FORMAT-------------------------->
> > 1 erase the whole flash ----- command : nand erase
> > 2 format flash to ubi type ----- command : formatdisk
> > 3 load the startcode ----- command : loadstartcode
> > 4 load the uboot ----- command : loaduboot
> > <-------------------------FLASH FORMAT-------------------------->
> > hisilicon #
>
> There are ways to recover, and the process is more complicated.
> The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.

Bad news is I did not make any backup.
Maybe @crazygsm can help me.

@crazygsm

crazygsm commented Dec 3, 2019

> > > I typed the command nand erase; the good thing is I don't need to use the CE pin again...
> > > MEM_MODE = MEM!
> > > <-------------------------FLASH FORMAT-------------------------->
> > > 1 erase the whole flash ----- command : nand erase
> > > 2 format flash to ubi type ----- command : formatdisk
> > > 3 load the startcode ----- command : loadstartcode
> > > 4 load the uboot ----- command : loaduboot
> > > <-------------------------FLASH FORMAT-------------------------->
> > > hisilicon #
> >
> > There are ways to recover, and the process is more complicated.
> > The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.
>
> Bad news is I did not make any backup.
> Maybe @crazygsm can help me.

Never managed to reach that point and already discarded my HW as I quit my development due to lack of time, just asking out of curiosity.

But maybe you can load a backup from HG8245H or similar hw (same SOIC); the hardware is very similar, probably some functions could not work but probably you can boot.

@SambasOnFire
Author

> > > > I typed the command nand erase; the good thing is I don't need to use the CE pin again...
> > > > MEM_MODE = MEM!
> > > > <-------------------------FLASH FORMAT-------------------------->
> > > > 1 erase the whole flash ----- command : nand erase
> > > > 2 format flash to ubi type ----- command : formatdisk
> > > > 3 load the startcode ----- command : loadstartcode
> > > > 4 load the uboot ----- command : loaduboot
> > > > <-------------------------FLASH FORMAT-------------------------->
> > > > hisilicon #
> > >
> > > There are ways to recover, and the process is more complicated.
> > > The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.
> >
> > Bad news is I did not make any backup.
> > Maybe @crazygsm can help me.
>
> Never managed to reach that point and already discarded my HW as I quit my development due to lack of time, just asking out of curiosity.
>
> But maybe you can load a backup from HG8245H or similar hw (same SOIC); the hardware is very similar, probably some functions could not work but probably you can boot.

I only need a nand dump; I think you have this.

@csersoft
Owner

csersoft commented Dec 4, 2019

> > There are ways to recover, and the process is more complicated.
> > The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.
>
> Hi csersoft,
>
> How do you load the mtd dump inside?
> Using TFTP, or the same method as your changed load using jtag?

Ethernet seems to be unavailable on the UBoot console. I used the load_image command of OpenOCD to write the dump file into memory, and then in the UBoot console, I wrote it back to flash.

@csersoft
Owner

csersoft commented Dec 4, 2019

> > > > > I typed the command nand erase; the good thing is I don't need to use the CE pin again...
> > > > > MEM_MODE = MEM!
> > > > > <-------------------------FLASH FORMAT-------------------------->
> > > > > 1 erase the whole flash ----- command : nand erase
> > > > > 2 format flash to ubi type ----- command : formatdisk
> > > > > 3 load the startcode ----- command : loadstartcode
> > > > > 4 load the uboot ----- command : loaduboot
> > > > > <-------------------------FLASH FORMAT-------------------------->
> > > > > hisilicon #
> > > >
> > > > There are ways to recover, and the process is more complicated.
> > > > The backup mtd dump file can be written to a memory address (for example: 0x84000000) through JTAG. Then write the data in the memory to flash through the uboot console.
> > >
> > > Bad news is I did not make any backup.
> > > Maybe @crazygsm can help me.
> >
> > Never managed to reach that point and already discarded my HW as I quit my development due to lack of time, just asking out of curiosity.
> > But maybe you can load a backup from HG8245H or similar hw (same SOIC); the hardware is very similar, probably some functions could not work but probably you can boot.
>
> I only need a nand dump; I think you have this.

Most mtd partitions can be extracted from the firmware, such as (ubootA, ubootB, kernelA, kernelB, rootfsA, rootfsB). For some partitions the firmware does not exist; you need to find the backup yourself, such as (slave_paramA, slave_paramB, jffs2).

The mtd partition table of a conventional Huawei ONT is as follows:

mtd0: = "startcode"
mtd1: = "ubifs"
mtd2: = "reserved"
mtd3: = "ubootA"
mtd4: = "ubootB"
mtd5: = "flash_configA"
mtd6: = "flash_configB"
mtd7: = "slave_paramA"
mtd8: = "slave_paramB"
mtd9: = "kernelA"
mtd10: = "kernelB"
mtd11: = "rootfsA"
mtd12: = "rootfsB"
mtd13: = "wifi_paramA"
mtd14: = "wifi_paramB"
mtd15: = "system_param"
mtd16: = "file_system"
mtd17: = "frameworkA"
mtd18: = "frameworkB"
mtd19: = "apps"
ubi0_13 = "jffs2"

@SambasOnFire
Author

device nand0 , # parts = 2
#: name size offset mask_flags
0: startcode 0x00100000 0x00000000 0
1: ubifs 0x07f00000 0x00100000 0

NAND erase: device 0 offset 0x100000, size 0x7f00000
Erasing at 0x7fe0000 -- 100% complete.
OK
0x000000100000-0x000008000000 : "mtd=1"
UBI: attaching mtd1 to ubi0
UBI: empty MTD device detected
UBI: create volume table (copy #1)
UBI: create volume table (copy #2)
Creating dynamic volume ubootA of size 524288
Creating dynamic volume ubootB of size 524288
Creating dynamic volume flash_configA of size 131072
Creating dynamic volume flash_configB of size 131072
Creating dynamic volume slave_paramA of size 131072
Creating dynamic volume slave_paramB of size 131072
Creating dynamic volume kernelA of size 3145728
Creating dynamic volume kernelB of size 3145728
Creating dynamic volume rootfsA of size 29360128
Creating dynamic volume rootfsB of size 29360128
Creating dynamic volume wifi_paramA of size 131072
Creating dynamic volume wifi_paramB of size 131072
Creating dynamic volume system_param of size 131072
Creating dynamic volume file_system of size 20971520

I tried to dump nand, after some time (60MB) openocd returns an error.
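
Added example (not part of the thread and not the project's code): a small Python parser for the `formatdisk` output above that lists each UBI volume the bootloader created, checks the total against the `ubifs` MTD partition, and tags each volume with the restore source csersoft named earlier. The function names and the three source labels are hypothetical, and the embedded log is a constructed sample copied from the lines quoted in this thread.

```python
import re

# Constructed sample: lines copied from the U-Boot formatdisk output in the thread.
FORMATDISK_LOG = """\
1: ubifs 0x07f00000 0x00100000 0
Creating dynamic volume ubootA of size 524288
Creating dynamic volume ubootB of size 524288
Creating dynamic volume flash_configA of size 131072
Creating dynamic volume flash_configB of size 131072
Creating dynamic volume slave_paramA of size 131072
Creating dynamic volume slave_paramB of size 131072
Creating dynamic volume kernelA of size 3145728
Creating dynamic volume kernelB of size 3145728
Creating dynamic volume rootfsA of size 29360128
Creating dynamic volume rootfsB of size 29360128
Creating dynamic volume wifi_paramA of size 131072
Creating dynamic volume wifi_paramB of size 131072
Creating dynamic volume system_param of size 131072
Creating dynamic volume file_system of size 20971520
"""

# Restore sources as stated in csersoft's comment; anything else is unknown.
FROM_FIRMWARE = {"ubootA", "ubootB", "kernelA", "kernelB", "rootfsA", "rootfsB"}
NEEDS_BACKUP = {"slave_paramA", "slave_paramB", "jffs2"}
VOL_RE = re.compile(r"Creating dynamic volume (\w+) of size (\d+)")
PART_RE = re.compile(r"^\s*\d+:\s+(\w+)\s+(0x[0-9a-fA-F]+)\s+0x[0-9a-fA-F]+", re.M)

def partition_size(log, name):
    """Size in bytes of the named MTD partition from the partition table line."""
    for m in PART_RE.finditer(log):
        if m.group(1) == name:
            return int(m.group(2), 16)
    raise ValueError(f"partition {name!r} not found in log")

def restore_plan(log, container="ubifs"):
    """Map each created UBI volume to its source (raw sizes; UBI overhead not modelled)."""
    plan = []
    for name, size in VOL_RE.findall(log):
        source = ("firmware image" if name in FROM_FIRMWARE
                  else "device backup" if name in NEEDS_BACKUP
                  else "not stated in thread")
        plan.append((name, int(size), source))
    total = sum(size for _, size, _ in plan)
    capacity = partition_size(log, container)
    return {"plan": plan, "total": total, "capacity": capacity, "fits": total <= capacity}

if __name__ == "__main__":
    for row in restore_plan(FORMATDISK_LOG)["plan"]:
        print(*row)
```

Volumes tagged "not stated in thread" (for example `file_system`) are the ones for which the thread gives no restore source.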

@SambasOnFire
Author

I caught the startcode of the sd5115t, and it has some parts different from yours!
startcode.bin.gz
