OpenWrt Forum Archive

Topic: wzr-hp-g300nh jtag recovery - Help

The content of this topic has been archived on 31 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello All,

I am looking for assistance in flashing a boot loader on my wzr-hp-g300nh v1 router.

I was attempting a serial based recovery and did an "erase all" thinking it would not affect the bootloader.. :-(

so, I have a http://dangerousprototypes.com/docs/Bus_Blaster and Adafruit FTDI Friend connected to the board, I am using openocd (first time user) on Ubuntu 14.4.

and it is working based on I used some of the commands in this post.. http://u-boot.10912.n7.nabble.com/U-Boo … 41814.html

now the question is what are the steps to flash my backup made via "dd if=/dev/mtdblock/0 >cfe-backup.bin" using the bash script by Ross Smith II.


Not sure what else is needed? Any assistance would be appreciated..

Cheers,
Pasquale

(Last edited by pusky on 29 Aug 2014, 02:18)

Ok have been searching the internet for help no success yet..

Did find that this router has some similarity http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd
What concerns me now is the W A R N I N G
At the moment it is NOT possible to UNBRICK the router by JTAG (no write access to flashrom).

Can anyone confirm that routers with AR9132 rev 2 and ST 25P64V6P cannot restore the bootloader via JTAG?

Well will keep searching someone out there must have done this?

Thanks

It may well be true that you cannot write directly into your flash with openocd commands if your flash model is not currently supported by openocd - see:
http://openocd.sourceforge.net/doc/html … gcommands.

But in case you have the source code of a version of u-boot capable of flashing your flash, you should be able to:

- recompile u-boot so that it would run from DRAM instead of flash (RAM relocatable version)
- use openocd commands to configure your DRAM controller, see examples of mww commands for ar9331 and
  one DRAM model here:
  https://github.com/pepe2k/u-boot_mod/issues/2

  You need to know the starting address of your DRAM and its model, or have the source code for a u-boot working on
  your router, and then use mww commands for configuring the DRAM controller until you are able to write/read, say, a four
  byte value at the first address of your DRAM.

  If you have the source for a u-boot working with your router, it contains the exact DRAM initialization code you need
  to configure the ar9332 DRAM controller from openocd using mww commands.

- download your u-boot into DRAM using openocd,
- start u-boot,
- finally use it to flash whatever you have to flash, assuming this can be done from your u-boot.

I have done this successfully on other platforms.

By the way, I just got an ar9331 router module and am starting to climb the MIPS/Atheros SoC learning curve:
If you can provide me with a link to the source code of a version of u-boot known to be working on your router, I would be
willing to help you investigate further.

I am used to recompiling u-boot as well and could make the changes for getting a RAM relocated version.

ps: could you confirm the following source code is the one for your router (http://opensource.buffalo.jp/gpl_wireless.html) ?

Platform:
WZR-HP-G300NH, WZR-HP-G301NH

gpl_wzr-hp-g300nh_160.tar.gz(83,317,838 Bytes)
gpl_b_wzr-hp-g300nh.tgz(8,640,959 Bytes)

Update
    2010/02/19

(Last edited by Frant on 30 Aug 2014, 18:27)

Hello,
That would be great, I too would like to learn more but am very green in this world.. I will do more reading and searching regarding the u-boot source for the wzr-hp-g300nh.. and yes the source you referenced is the one I am interested in.

I posted to this list trying to find possible source http://lists.denx.de/pipermail/u-boot/2 … 41119.html it looks like someone was trying already..

Cheers,

(Last edited by pusky on 30 Aug 2014, 18:36)

Hello Frant,

OK, here is where you will see how green I am..

my router has an AR9132 and you mention an AR9331 and most of the info I found and am using is around an AR71xx.cfg.... Can you point me to info to understand the differences..

recently got introduced to FPGA and SoC, but am at the very early stages of learning... I have a PapilioPro  development board to learn from..

I am new to Atheros SoCs, but my understanding is that all those processors are similar at some points:

The exact values to be used are those used by u-boot in those two files:

Uboot_for_WZR-HP-G300NH/boot/u-boot/cpu/mips/ar7100/meminit.c
Uboot_for_WZR-HP-G300NH/boot/u-boot/board/ar7100/ap83/ap83.c

By the way, I was able to compile Uboot_for_WZR-HP-G300NH using the following commands:

CROSS_COMPILE=mips-linux- ARCH=mips make WZR-HP-G300NH_EU_config
CROSS_COMPILE=mips-linux- ARCH=mips make

Using a mips-linux toolchain I got from here:
http://downloads.openwrt.org/kamikaze/8 … 64.tar.bz2

I had to back-port some tftp code from mainline u-boot 2014-4 since one line in tftp.c was not compiling anymore
with gcc-4.1.2:

diff -r -u Uboot_for_WZR-HP-G300NH/boot/u-boot/modify_buffalo/net/tftp.c Uboot_for_WZR-HP-G300NH.gcc-4.1.2/boot/u-boot/modify_buffalo/net/tftp.c
--- Uboot_for_WZR-HP-G300NH/boot/u-boot/modify_buffalo/net/tftp.c   2009-09-01 11:00:00.000000000 -0400
+++ Uboot_for_WZR-HP-G300NH.gcc-4.1.2/boot/u-boot/modify_buffalo/net/tftp.c 2014-08-30 14:43:26.849469502 -0400
@@ -500,6 +500,7 @@
uchar * pkt, unsigned dest, unsigned src, unsigned len)
{
    ushort proto;
+    ushort* s;
    volatile IP_t *ip = (volatile IP_t *)(pkt - IP_HDR_SIZE);


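Review bot: the pointer added in this hunk, `ushort* s;`, is a one-letter name for a variable whose only use is the opcode read in the following hunk. A descriptive name would make that read easier to follow, and writing the declaration with the `*` next to the name, as the neighbouring `volatile IP_t *ip` line does, would match the file's style.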
@@ -515,7 +516,12 @@
    }
    len -= 2;
    /* warning: don't use increment (++) in ntohs() macros!! */
-   proto = *((ushort *)pkt)++;
+   /* gcc-3.4.4-2.16.1  code: proto = *((ushort *)pkt)++; */
+    /* was replaced by code used in equivalent file of mainstream u-boot 2014-04 */
+    s = (ushort*)pkt;
+    proto = *s++;
+    pkt = (uchar *)s;
+
    switch (ntohs(proto)) {
    case TFTP_WRQ:
        TftpClientPort = src;
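Review bot: the two comment lines added above `s = (ushort*)pkt;` keep the removed statement and the toolchain history in the source, which belongs in the commit message rather than in tftp.c; a single comment saying why the read and the increment are split would be enough. The added lines also appear to be indented differently from the removed `proto = *((ushort *)pkt)++;` line, so it is worth matching the file's existing indentation. The existing warning about not using `++` inside `ntohs()` still holds, since `proto` is read and the pointer advanced before the `switch`.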

Here are the files resulting from the build process:

ll u-boot*
-rwxrwxr-x 1 frant frant 729099 Aug 30 14:43 u-boot*
-rwxrwxr-x 1 frant frant 229736 Aug 30 14:43 u-boot.bin*
-rw-rw-r-- 1 frant frant 177533 Aug 30 14:43 u-boot.map
-rwxrwxr-x 1 frant frant 689330 Aug 30 14:43 u-boot.srec*

I just need to modify the u-boot linker script so that it will be relocated in DRAM.

Since the u-boot problem may well be solved (it will not be until it runs on your router), focus should now shift to PLL and DRAM controller configuration using openocd.

1) do you know the DRAM memory layout for your router ?
2) are you comfortable enough with experimenting with the mww openocd commands you will infer from meminit.c and ap83.c, or would you need my help for building the set of mww commands ?

Just let me know.

(Last edited by Frant on 30 Aug 2014, 20:31)

Wow Frant you're good....


Here is some info from my router before I did an "erase all" thinking it would not touch the bootloader.. hope it helps...




ar7100> imls
Image at BE060000:
   Image Name:   MIPS Linux Kernel Image
   Created:      2014-06-23   1:09:34 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1297888 Bytes =  1.2 MB
   Load Address: 80060000
   Entry Point:  800686d0
   Verifying Checksum ... OK
   Bank # 1: Name: AMD-SPANSION Flash id: 0x1227E, Size: 33554432 bytes.

ar7100> mtdparts default
ar7100> fsinfo
### filesystem type is JFFS2
Scanning JFFS2 FS:  done.
Compression: NONE
        frag count: 0
        compressed sum: 0
        uncompressed sum: 0
Compression: ZERO
        frag count: 0
        compressed sum: 0
        uncompressed sum: 0
Compression: RTIME
        frag count: 0
        compressed sum: 0
        uncompressed sum: 0
Compression: RUBINMIPS
        frag count: 0
        compressed sum: 0
        uncompressed sum: 0
Compression: COPY
        frag count: 0
        compressed sum: 0
        uncompressed sum: 0
Compression: DYNRUBIN
        frag count: 0
        compressed sum: 0
        uncompressed sum: 0
Compression: ZLIB
        frag count: 0
        compressed sum: 0
        uncompressed sum: 0
ar7100> mtdparts

device nor0 <ar9100-nor0>, # parts = 4
#: name                        size            offset          mask_flags
0: rootfs                      0x00400000      0x00000000      0
1: u-boot                      0x00040000      0x00400000      0
2: u-boot-env                  0x00020000      0x00440000      0
3: uImage                      0x00100000      0x00460000      0

active partition: nor0,0 - (rootfs) 0x00400000 @ 0x00000000

defaults:
mtdids  : nor0=ar9100-nor0
mtdparts: mtdparts=ar9100-nor0:4096k(rootfs),256k(u-boot),128k(u-boot-env),1024k(uImage)

ar7100> printenv
bootargs=console=ttyS0,115200 root=31:03 rootfstype=jffs2 init=/sbin/init mtdparts=ar9100-nor0:256k(u-boot),128k(u-boot-env),1024k(uImage),31104k(rootfs),128k@32640k(ART),128k@32512k(properties)
bootcmd=bootm 0xbe060000
bootdelay=4
baudrate=115200
ethaddr=02:AA:BB:CC:DD:1A
ipaddr=192.168.11.1
serverip=192.168.11.2
tmp_ram=81F00000
tmp_bottom=83F00000
fw_eaddr=BE060000 BFFDFFFF
uboot_eaddr=BE000000 BE03FFFF
u_fw=erase $fw_eaddr; cp.b $fileaddr BE060000 $filesize; bootm BE060000;
ut_fw=tftp $tmp_ram firmware.bin; erase $fw_eaddr; cp.b $fileaddr BE060000 $filesize; bootm BE060000;
ut_uboot=tftp $tmp_ram u-boot.bin; protect off $uboot_eaddr; erase $uboot_eaddr; cp.b $fileaddr BE000000 $filesize;
melco_id=RD_BB08009
tftp_wait=4
uboot_ethaddr=02:AA:BB:CC:DD:1A
DEF-p_wireless_ath0_11bg-authmode=psk
DEF-p_wireless_ath0_11bg-crypto=tkip+aes
DEF-p_wireless_ath0_11bg-authmode_ex=mixed-psk
buf_ver=1.07
build_date=Dec 21 2009 - 10:37:30
buf_crc=060F07D5
hw_rev=0
pincode=72169384
custom_id=0
DEF-p_wireless_ath0_11bg-wpapsk=33fjr47pbmm9x
region=US
accept_open_rt_fmt=1
stdin=serial
stdout=serial
stderr=serial
loadaddr=81F00000
mtdids=nor0=ar9100-nor0
mtdparts=mtdparts=ar9100-nor0:4096k(rootfs),256k(u-boot),128k(u-boot-env),1024k(uImage)
partition=nor0,0
mtddevnum=0
mtddevname=rootfs
ethact=eth0

Environment size: 1300/131068 bytes








BUFFALO U-BOOT Ver 1.07
AP83--539 (ar9100) U-boot 0.0.12
64 MB
Memory Test (address line)
Memory Test start(0x00000000) end(0x04000000) size(67108864)
Data line test start:0x00000000 pattern 0x00000001 0x00000003 0x00000007 0x0000000F 0x00000005 0x00000015 0x00000055 0xAAAAAAAA
Address line test start:0x00000000 len:0x4000000 pattern 0xAAAAAAAA 0x55555555
Fill test patnum:5
fill Pattern 5555AAAA  Writing...   Reading...
fill Pattern AAAA5555  Writing...   Reading...
fill Pattern 0000FFFF  Writing...   Reading...
fill Pattern FFFF0000  Writing...   Reading...
fill Pattern AAAAAAAA  Writing...   Reading...
Top of RAM usable for U-Boot at: 84000000
Reserving 275k for U-Boot at: 83fb8000
Reserving 256k for malloc() at: 83f78000
Reserving 44 Bytes for Board Info at: 83f77fd4
Reserving 36 Bytes for Global Data at: 83f77fb0
Reserving 128k for boot params() at: 83f57fb0
Stack Pointer at: 83f57f98
Now running in RAM - U-Boot at: 83fb8000
Dev ID2:2222
Dev ID3:2201
Name: AMD-SPANSION Flash id: 0x1227E, Size: 33554432 bytes.
Flash: 32 MB
In:    serial
Out:   serial
Err:   serial
Memory Test
uboot use  83F57FB0 - 84000000
Memory Test start(80000000) end(83F00000) size(03F00000)
Pattern 00000000  Writing...  Reading...
Memory Test OK
### buf_ver=[1.07] U-Boot Ver.=[1.07]
### build_date(env)=[Dec 21 2009 - 10:37:30] build_date(bin)=[Dec 21 2009 - 10:37:30]
ag7100_enet_initialize...
: cfg1 0xf cfg2 0x7114
RTL8366 series driver, reading model-id...
  ID:0x6027, REV:0x6
rtl8366sr_phy_setup  ethUnit=0
Realtek 8366SR switch ID 0x8366
Realtek Greeen Ethernet Setup
eth0: 02:aa:bb:cc:dd:1a
eth0 up
: cfg1 0xf cfg2 0x7114
RTL8366 series driver, reading model-id...
eth1: 02:aa:bb:cc:dd:1a
eth1 up
eth0  02:AA:BB:CC:DD:1A
, eth1  02:AA:BB:CC:DD:1A

Trying eth0
eth0 is duplex
ag7100_check_link: _100BASET
dup 1 speed 100
CFG_PLL_FREQ=5
CFG_HZ=bebc200
cpu pll=1050
eth pll=1032
eth0 clk pll=13000a44
eth0 mii=12
eth0 cfg1=f
eth0 cfg2=7115
eth0 fcfg_0=1d1f00
eth0 fcfg_1=7ff0000
eth0 fcfg_2=fff
eth0 fcfg_3=780008
eth0 fcfg_4=3ffff
eth0 fcfg_5=3ffff



ar7100> erase BE060000 BFFDFFFF
Erase Flash from 0xbe060000 to 0xbffdffff in Bank # 1 First 0x3 last 0xfe                                                                                                                                                                100%
Erased 252 sectors

ar7100> cp.b 81f00000 be060000 460000
Copy to Flash...
Copy 4587520 byte to Flash...                                                                                                                                                                                                           100%
done
   
ar7100> bootm BE060000
## Booting image at be060000 ...
   Image Name:   MIPS OpenWrt Linux-2.6.32.27
   Created:      2011-12-21   1:03:07 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    894165 Bytes = 873.2 kB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 67108864

Starting kernel ...

Linux version 2.6.32.27 (jow@nd-build-02.linux-appliance.net) (gcc version 4.3.3 (GCC) ) #5 Wed Dec 21 01:59:33 CET 2011
bootconsole [early0] enabled
CPU revision is: 00019374 (MIPS 24Kc)
Atheros AR9132 rev 2, CPU:400.000 MHz, AHB:200.000 MHz, DDR:400.000 MHz
Determined physical RAM map:
memory: 04000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: rootfstype=squashfs,yaffs,jffs2 noinitrd console=ttyS0,115200 board=WZR-HP-G300NH
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 61692k/65536k available (2126k kernel code, 3772k reserved, 423k data, 152k init, 0k highmem)
SLUB: Genslabs=7, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Hierarchical RCU implementation.
NR_IRQS:56
Calibrating delay loop... 266.24 BogoMIPS (lpj=1331200)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
MIPS: machine is Buffalo WZR-HP-G300NH
Found an RTL8366S switch
bio: create slab <bio-0> at 0
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
yaffs Dec 10 2011 18:14:12 Installing.
msgmni has been set to 120
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
console [ttyS0] enabled, bootconsole disabled
console [ttyS0] enabled, bootconsole disabled
ar91xx-flash ar91xx-flash: 02000000 at 1e000000
ar91xx-flash: Found 1 x16 devices at 0x0 in 16-bit bank
CFI mfr 0x00000001
CFI id  0x00002201
Amd/Fujitsu Extended Query Table at 0x0040
  Amd/Fujitsu Extended Query version 1.3.
ar91xx-flash: CFI does not contain boot bank location. Assuming top.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
ar91xx-flash ar91xx-flash: using static partition mapping
Creating 7 MTD partitions on "ar91xx-flash":
0x000000000000-0x000000040000 : "u-boot"
0x000000040000-0x000000060000 : "u-boot-env"
0x000000060000-0x000000160000 : "kernel"
0x000000160000-0x000001fc0000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
split_squashfs: no squashfs found in "ar91xx-flash"
0x000001fc0000-0x000001fe0000 : "user_property"
0x000001fe0000-0x000002000000 : "art"
0x000000060000-0x000001fc0000 : "firmware"
Atheros AR71xx SPI Controller driver version 0.2.4
Realtek RTL8366S ethernet switch driver version 0.2.2
rtl8366s rtl8366s: using GPIO pins 19 (SDA) and 20 (SCK)
rtl8366s rtl8366s: RTL8366 ver. 1 chip found
rtl8366s: probed
eth0: Atheros AG71xx at 0xb9000000, irq 4
eth1: Atheros AG71xx at 0xba000000, irq 5
Atheros AR71xx hardware watchdog driver version 0.1.0
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
yaffs: dev is 32505859 name is "mtdblock3"
yaffs: passed flags ""
yaffs: Attempting MTD mount on 31.3, "mtdblock3"
yaffs: MTD device is not NAND it's type 3
jffs2_scan_eraseblock(): End of filesystem marker found at 0x340000
jffs2_build_filesystem(): unlocking the mtd device... done.
jffs2_build_filesystem(): erasing all blocks after the end marker... done.
VFS: Mounted root (jffs2 filesystem) readonly on device 31:3.
Freeing unused kernel memory: 152k freed
Please be patient, while OpenWrt loads ...
input: gpio-buttons as /devices/platform/gpio-buttons/input/input0
Button Hotplug driver version 0.3.1
eth0: link up (1000Mbps/Full duplex)
- preinit -
Registered led device: wzr-hp-g300nh:orange:security
Registered led device: wzr-hp-g300nh:green:wireless
Registered led device: wzr-hp-g300nh:green:router
Registered led device: wzr-hp-g300nh:red:diag
Registered led device: wzr-hp-g300nh:blue:usb
Press the [f] key and hit [enter] to enter failsafe mode
- regular preinit -
- init -
eth0: link down

Please press Enter to activate this console. eth0: link up (1000Mbps/Full duplex)
device eth0 entered promiscuous mode
br-lan: port 1(eth0) entering forwarding state
Compat-wireless backport release: compat-wireless-2011-11-08-1-g4ab9b62
Backport based on wireless-testing.git master-2011-11-15
cfg80211: Calling CRDA to update world regulatory domain
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
cfg80211: World regulatory domain updated:
cfg80211:     (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
cfg80211:     (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
cfg80211:     (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
cfg80211:     (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
cfg80211:     (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
cfg80211:     (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
ath: Bad EEPROM checksum 0x0 or revision 0x000f
ath: Unable to initialize hardware; initialization status: -22
ath9k ath9k: failed to initialize device
ath9k: probe of ath9k failed with error -22
PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ar71xx-ehci ar71xx-ehci: Atheros AR91xx built-in EHCI controller
ar71xx-ehci ar71xx-ehci: new USB bus registered, assigned bus number 1
ar71xx-ehci ar71xx-ehci: irq 3, io mem 0x1b000000
ar71xx-ehci ar71xx-ehci: USB 2.0 started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
nf_conntrack version 0.5.0 (967 buckets, 3868 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver



BusyBox v1.15.3 (2011-11-24 00:44:20 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
|_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
Backfire (10.03.1, r29592) ------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua
  * 1/3 shot Bailey's  on the bottom, then Bailey's,
  * 1/3 shot Vodka     then Vodka.
---------------------------------------------------
root@OpenWrt:/#

It does: Memory Test start(0x00000000) end(0x04000000) size(67108864), i.e. 64Mb RAM starting at 0x00000000.

Are you familiar with openocd memory access commands ? if not, you need to learn them for next steps:
http://openocd.sourceforge.net/doc/html … mands.html

Basically, CPU registers for this SoC are mapped into memory addressable space. You need to go through the initialization code
contained in meminit.c and ap83.c and convert statements such as:

ar7100_reg_wr (AR7100_DDR_TAP_CONTROL0, 0x0);

into an equivalent openocd mww command.

In the u-boot code, we can see:
#define AR7100_DDR_TAP_CONTROL0    AR7100_DDR_CTL_BASE+0x1c
#define AR7100_DDR_CTL_BASE             AR7100_APB_BASE+0x00000000
#define AR7100_APB_BASE                     0x18000000  /* 384M */

That is, the openocd mww command equivalent to ar7100_reg_wr (AR7100_DDR_TAP_CONTROL0, 0x0)
should be:

mww 0x1800001c  0x0

Since    AR7100_APB_BASE + AR7100_DDR_CTL_BASE + AR7100_DDR_TAP_CONTROL0 is 0x1800001c.
This is an example, I would need to check, but this is the general idea.

By going through the meminit.c and ap83.c PLL and DRAM initialization code, you should end up having an AR9132 .cfg that will
allow transferring u-boot into your DRAM.

You can use https://github.com/pepe2k/u-boot_mod/issues/2 as an example of what your final file should look like.

Does this make sense ?

One hint that will help reading the u-boot code:

Uboot_for_WZR-HP-G300NH/boot/u-boot$ ./include/config.h
Uboot_for_WZR-HP-G300NH/boot/u-boot$ ./include/configs/WZR-HP-G300NH.h

were created during u-boot configuration and give the defines that are used in u-boot code.

(Last edited by Frant on 30 Aug 2014, 21:12)

Hi Frant,

Great work...
I do have a question though, I noticed the following from the log I posted.
I see this reference to memory...
Memory Test start(0x00000000) end(0x04000000) size(67108864)

but I also see references here....

Top of RAM usable for U-Boot at: 84000000
Reserving 275k for U-Boot at: 83fb8000
Reserving 256k for malloc() at: 83f78000
Reserving 44 Bytes for Board Info at: 83f77fd4
Reserving 36 Bytes for Global Data at: 83f77fb0
Reserving 128k for boot params() at: 83f57fb0
Stack Pointer at: 83f57f98
Now running in RAM - U-Boot at: 83fb8000

and here...

Memory Test start(80000000) end(83F00000) size(03F00000)

I am away from home right now and I can not check the source.. But is it possible it starts at 0x80000000?
When I get home I will look at the source you reference..
Just starting to learn the openocd commands, but ready to learn and test on my bricked router..

Thank you for this help..

(Last edited by pusky on 31 Aug 2014, 14:28)

Hi Frant,

Sorry my main ASUS router went down last night and just got it back up.. most likely due to last night's thunderstorms, it just lost its configuration... go figure..

Ok will look at what you sent me yesterday and let you know how it goes..

FYI

Did the following and got bad results, will do further research....

Downloaded the mips-linux toolchain you recommended from here http://downloads.openwrt.org/kamikaze/8 … 64.tar.bz2

I extracted  the content of the tar file OpenWrt-SDK-atheros-for-Linux-x86_64.tar.bz2 then extracted
the content of gpl_b_wzr-hp-g300nh.tgz and moved the folders boot/ & build/ from Uboot_for_WZR-HP-G300NH to the packages folder as you can see below..

pusky@pusky-server:~/workingfolder/router/wzr-hp-g300nh/src/OpenWrt-SDK-atheros-for-Linux-x86_64/package$ ls -l
total 16
drwxr-xr-x  4 pusky pusky 4096 Feb  4  2010 build
-rw-r--r--  1 pusky pusky 2035 Nov 30  2009 Makefile
-rw-r--r--  1 pusky pusky 2511 Nov 30  2009 rules.mk
drwxr-xr-x 27 pusky pusky 4096 Jan 27  2010 u-boot

when I execute just make I get

make: *** No rule to make target `/.build', needed by `package/cleanup'.  Stop.

if I execute your  command I get
CROSS_COMPILE=mips-linux- ARCH=mips make WZR-HP-G300NH_EU_config
CROSS_COMPILE=mips-linux- ARCH=mips make


CROSS_COMPILE=mips-linux- ARCH=mips make WZR-HP-G300NH_EU_config
make: *** No rule to make target `WZR-HP-G300NH_EU_config'.  Stop.


CROSS_COMPILE=mips-linux- ARCH=mips make
make: *** No rule to make target `/.build', needed by `package/cleanup'.  Stop


based on my skill set I am used to just doing ./configure && make

Will do some reading on doing cross compiling and openwrt..

Cheers,

Resolved some of my issues I think,


moved the build and boot to the root of OpenWrt-SDK-atheros-for-Linux-x86_64 folder
then went into the boot/u-boot folder and ran
CROSS_COMPILE=mips-linux- ARCH=mips make WZR-HP-G300NH_EU_config

which returned the following
Configuring for WZR-HP-G300NH board...

CROSS_COMPILE=mips-linux- ARCH=mips make

but am getting an
/bin/sh: 1: mips-linux-gcc: not found

getting closer..

going through the make files and I find that

export TOOLPATH=$(TOPDIR)/build/$(TOOLCHAIN)/$(TOOLARCH)/
export BOOTLOADERDIR=$(TOPDIR)/boot/redboot

export UBOOTDIR=$(TOPDIR)/boot/u-boot


its all a folder structure issue..

boy am I lost, can't figure out the folder structure... must be putting things in the wrong folders or there are other configs I need to do..


Help..

Ok got it working...

had to make changes to the make file and add
export PATH:=$(TOPDIR)/mips-linux/bin:${PATH}

now need to patch the tftp.c

Houston we have lift-off


ll u-boot*
-rwxrwxr-x 1 pusky pusky 733415 Aug 31 14:56 u-boot*
-rwxrwxr-x 1 pusky pusky 229736 Aug 31 14:56 u-boot.bin*
-rw-rw-r-- 1 pusky pusky 177402 Aug 31 14:56 u-boot.map
-rwxrwxr-x 1 pusky pusky 689330 Aug 31 14:56 u-boot.srec*

ok found the following in modify_buffalo/board/ar7100/WZR-HP-G300NH/config.mk


# ROM version
TEXT_BASE = 0xbe000000
SERIAL_FLASH = NO

# SDRAM version
#TEXT_BASE = 0xa1000000

export CONFIG_BUFFALO=y


so I assume that only changing the TEXT_BASE from 0xbe000000 to 0xa1000000 should give me a ram version..
no other coding changes needed, I hope, I am not a programmer..

Hi Frant,

working on the new AR9132.cfg for openocd..

having a problem understanding the following..

#define AR7100_RESET_DDR                    (1 << 16)

what does the (1<<16) mean? move 16 into that variable?

It means '1 shifted 16 times to the left', that is 0x100000000. Each time you shift by 1 to the left, you basically multiply by 2.
See http://en.wikipedia.org/wiki/Logical_shift.

Agree with you that changing the TEXT_BASE from 0xbe000000 to 0xa1000000 should give you a RAM-relocated version.
Please note that meminit.c and ap83.c are using  ar7100_reg_wr_nf()  ar7100_reg_wr() for writing a configuration word into a register. I am currently investigating what they are exactly doing.

Ok, I have written a small C program that uses u-boot include files and my own function versions of the following macros:
ar7100_reg_rd
ar7100_reg_wr_nf
ar7100_reg_wr

Basically, I replaced all three macros by functions printing openocd mww/mrw/sleep commands.

I then went to ap83.c and meminit.c and copied calls to macros into my program:

int main(int argc, char** argv)
{

    comment("ar7100_mem_config() - ar7100_ddr_initial_config()");
    ar7100_reg_wr_nf(AR7100_DDR_CONFIG, CFG_DDR_CONFIG_VAL);
    udelay(1000);
    ar7100_reg_wr_nf(AR7100_DDR_CONFIG2, CFG_DDR_CONFIG2_VAL);
    udelay(1000);
    ar7100_reg_wr_nf(AR7100_DDR_CONTROL, 0x8);
    udelay(1000);
    ar7100_reg_wr_nf(AR7100_DDR_MODE, CFG_DDR_MODE_VAL_INIT);
    udelay(1000);
    ar7100_reg_wr_nf(AR7100_DDR_CONTROL, 0x1);
    udelay(1000);
    ar7100_reg_wr_nf(AR7100_DDR_EXT_MODE, CFG_DDR_EXT_MODE_VAL);
    udelay(1000);
    ar7100_reg_wr_nf(AR7100_DDR_CONTROL, 0x2);
    udelay(1000);
    ar7100_reg_wr_nf(AR7100_DDR_CONTROL, 0x8);
    udelay(1000);
    ar7100_reg_wr_nf(AR7100_DDR_MODE, CFG_DDR_MODE_VAL);
    udelay(10000);
    ar7100_reg_wr_nf(AR7100_DDR_CONTROL, 0x1);
    udelay(1000);
    ar7100_reg_wr_nf(AR7100_DDR_REFRESH, CFG_DDR_REFRESH_VAL);
    udelay(1000);
    ar7100_reg_wr_nf(AR7100_DDR_RD_DATA_THIS_CYCLE, CFG_DDR_RD_DATA_THIS_CYCLE_VAL);
    udelay(1000);


    comment("ar7100_mem_config()");
    ar7100_reg_wr (AR7100_DDR_TAP_CONTROL0, 0x0);
    ar7100_reg_wr (AR7100_DDR_TAP_CONTROL1, 0x0);
    ar7100_reg_wr (AR7100_DDR_TAP_CONTROL2, 0x0);
    ar7100_reg_wr (AR7100_DDR_TAP_CONTROL3, 0x0);

#if 0
   // TODO: forging equivalent openocd commands and/or user procedure to perform what the code hereafter
   // is doing:

    i = *(volatile int *)0xb8050004;
    i = i & (~(1 << 25));
    *(volatile int *)0xb8050004 = i;
    while ((*(volatile int *)0xb8050004) & (1 << 17));

    i = *(volatile int *)0xb8050004;
    i = i & (~(1 << 16));
    *(volatile int *)0xb8050004 = i;
    while ((*(volatile int *)0xb8050004) & (1 << 17));

    i = *(volatile int *)0xb8050004;
    i = i | (0x3f << 19);
    *(volatile int *)0xb8050004 = i;
    udelay(100);

    *(volatile int *)0xb8050014 = 0x13000a44;
    *(volatile int *)0xb805001c = 0x00000909;
    udelay(100);

    i = *(volatile int *)0xb8050004;
    i = i & (~(0x3b << 19));
    *(volatile int *)0xb8050004 = i;
    udelay(100);

    i = *(volatile int *)0xb8050004;
    i = i | (0x3 << 20);
    *(volatile int *)0xb8050004 = i;
    udelay(100);

    i = *(volatile int *)0xb8050004;
    i = i & (~(0x3 << 20));
    *(volatile int *)0xb8050004 = i;
    udelay(100);

    /* Temp addition - check with Mani */
    *(volatile unsigned int *)0xb8080008 = 0x00000060;
    udelay(100);

#endif

    return EXIT_SUCCESS;
}

I got the following openocd commands:

# ar7100_mem_config() - ar7100_ddr_initial_config()
mww 0xb8000000 0x77bc8cd0
sleep 1
mww 0xb8000004 0x83d1f6a2
sleep 1
mww 0xb8000010 0x00000008
sleep 1
mww 0xb8000008 0x00000131
sleep 1
mww 0xb8000010 0x00000001
sleep 1
mww 0xb800000c 0x00000000
sleep 1
mww 0xb8000010 0x00000002
sleep 1
mww 0xb8000010 0x00000008
sleep 1
mww 0xb8000008 0x00000031
sleep 10
mww 0xb8000010 0x00000001
sleep 1
mww 0xb8000014 0x00004c00
sleep 1
mww 0xb8000018 0x0000ffff
sleep 1
# ar7100_mem_config()
mww 0xb800001c 0x00000000
mrw 0xb800001c
mww 0xb8000020 0x00000000
mrw 0xb8000020
mww 0xb8000024 0x00000000
mrw 0xb8000024
mww 0xb8000028 0x00000000
mrw 0xb8000028

Working on creating openocd commands/instructions for the u-boot initialization code that was not using the three macros.

If you wish, you could revisit the list of calls to the three macros I did in my program, and verify I did not make mistakes.
Look at ar7100_mem_config() function in ap83.c  and ar7100_ddr_initial_config() in meminit.c.

You can try the openocd commands above as well, but this may not suffice yet...

(Last edited by Frant on 1 Sep 2014, 00:45)
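The macro-to-command conversion described in the post above, as an added example that is not Frant's program and not code from the u-boot tree: the register-access macros are replaced by functions that emit OpenOCD commands. Register addresses and values are copied from the generated commands in the post; the read-modify-write and polling lines go beyond the post, translating the first step of its `#if 0` block, and assume `mrw` returns the register value to Tcl the way OpenOCD's mem_helper.tcl defines it.

```c
#include <inttypes.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses and values are copied from the generated commands in the post;
 * in the original program they come from the u-boot headers. */
#define DDR_CONFIG       0xb8000000u
#define DDR_CONFIG2      0xb8000004u
#define DDR_MODE         0xb8000008u
#define DDR_CONTROL      0xb8000010u
#define DDR_TAP_CONTROL0 0xb800001cu

static char   script[2048];   /* generated OpenOCD command list */
static size_t used;

/* Append one formatted line, truncating instead of overflowing. */
static void emit(const char *fmt, ...)
{
    size_t room = sizeof(script) - used;
    va_list ap;
    int n;

    if (room <= 1)
        return;
    va_start(ap, fmt);
    n = vsnprintf(script + used, room, fmt, ap);
    va_end(ap);
    if (n > 0)
        used += ((size_t)n < room) ? (size_t)n : room - 1;
}

/* udelay() takes microseconds, OpenOCD "sleep" whole milliseconds: round up. */
unsigned usec_to_ms(unsigned usec) { return (usec + 999u) / 1000u; }

static void comment(const char *text) { emit("# %s\n", text); }
static void udelay(unsigned usec)     { emit("sleep %u\n", usec_to_ms(usec)); }

/* Stand-in for ar7100_reg_wr_nf: plain write, no read-back. */
static void reg_wr_nf(uint32_t addr, uint32_t val)
{
    emit("mww 0x%08" PRIx32 " 0x%08" PRIx32 "\n", addr, val);
}

/* Stand-in for ar7100_reg_wr: write followed by a read-back of the register. */
static void reg_wr(uint32_t addr, uint32_t val)
{
    reg_wr_nf(addr, val);
    emit("mrw 0x%08" PRIx32 "\n", addr);
}

/* i = *reg; i = (i & ~clear) | set; *reg = i;  expressed as one Tcl line. */
static void reg_rmw(uint32_t addr, uint32_t clear, uint32_t set)
{
    emit("mww 0x%08" PRIx32 " [expr {([mrw 0x%08" PRIx32 "] & 0x%08" PRIx32
         ") | 0x%08" PRIx32 "}]\n", addr, addr, (uint32_t)~clear, set);
}

/* while (*reg & mask);  expressed as a Tcl polling loop. */
static void reg_wait_clear(uint32_t addr, uint32_t mask)
{
    emit("while {[mrw 0x%08" PRIx32 "] & 0x%08" PRIx32 "} { sleep 1 }\n",
         addr, mask);
}

/* Replays a shortened version of the call sequence from the post. */
const char *build_script(void)
{
    used = 0;
    script[0] = '\0';

    comment("first steps of ar7100_ddr_initial_config()");
    reg_wr_nf(DDR_CONFIG, 0x77bc8cd0u);
    udelay(1000);
    reg_wr_nf(DDR_CONFIG2, 0x83d1f6a2u);
    udelay(1000);
    reg_wr_nf(DDR_CONTROL, 0x8u);
    udelay(1000);
    reg_wr_nf(DDR_MODE, 0x131u);
    udelay(1000);

    comment("tap control from ar7100_mem_config()");
    reg_wr(DDR_TAP_CONTROL0, 0x0u);

    comment("first step of the #if 0 block: clear bit 25, wait on bit 17");
    reg_rmw(0xb8050004u, 1u << 25, 0u);        /* address from the #if 0 block */
    reg_wait_clear(0xb8050004u, 1u << 17);
    return script;
}

int main(void)
{
    fputs(build_script(), stdout);
    return 0;
}
```

The Tcl lines only work in a session where `mrw` is available as a procedure, for example after `source [find mem_helper.tcl]`.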

Also check out the lowlevel_init.S under u-boot/board/ar7100/common

following is my first run at the ar9132.cfg used info from  ap83.c meminit.c and lowlevel_init.S also needed info from ar7100_soc.h, at7100.h, config.h and WZR-HP-G300NH.h

not sure if I need to change the chip name from ar71xx to ar9132??
# Atheros AR71xx MIPS 24Kc SoC.
# tested on PB44 reference board

adapter_nsrst_delay 100
jtag_ntrst_delay 100

reset_config trst_and_srst

set CHIPNAME ar71xx

jtag newtap $CHIPNAME cpu -irlen 5 -ircapture 0x1 -irmask 0x1f -expected-id 1

set TARGETNAME $CHIPNAME.cpu
target create $TARGETNAME mips_m4k -endian big -chain-position $TARGETNAME

$TARGETNAME configure -event reset-halt-post {
    #setup PLL to lowest common denominator 300/300/150 setting
    mww 0x18050000    0x80000
    mww 0x18050000    0x0
    mww 0x18050000    0xc00000
    mww 0x18050008    0x0
    mww 0x18050008    0x2  0x2

    #next command will reset for PLL changes to take effect
    mww 0x18050008 3        ;# set reset_switch and clock_switch (resets SoC)
}

$TARGETNAME configure -event reset-init {
    #complete pll initialization
    mww 0x18050000    0x80000
    mww 0x18050000    0x0
    mww 0x18050000    0xc00000
    mww 0x18050008    0x0
    mww 0x18050008    0x2  0x2

    #initialize_pll
    mww 0x18050000 0x20000 0x80000000
    mww 0x18050008 0x2
    mww 0x18050000 0x3ff   0x50
    mww 0x18050000 0x10000
    mww 0x18050008 0x0
    sleep 1


    mww 0x18050000 0x800f0080    ;# set sw_update bit
    mww 0x18050008 0        ;# clear reset_switch bit
    mww 0x18050000 0x800f00e8       ;# clr pwrdwn & bypass
    mww 0x18050008 1        ;# set clock_switch bit
    sleep 1                         ;# wait for lock

    # Setup DDR config and flash mapping
    mww 0x18060000 0x77bc8cd0       ;# DDR cfg cdl val (rst: 0x5bfc8d0)
    mww 0x18060004 0x83d1f6a2       ;# DDR cfg2 cdl val (rst: 0x80d106a8)

    mww 0x18060010 8        ;# force precharge all banks
    mww 0x18060008 0x131        ;# CFG_DDR_MODE_VAL_INIT
    mww 0x18060010 1         ;# force EMRS update cycle
    mww 0x1806000c 0                ;# clr ext. mode register
    mww 0x18060010 2         ;# force auto refresh all banks
    mww 0x18060010 8        ;# force precharge all banks
    mww 0x18060008 0x31             ;# set DDR mode value CAS=3
    mww 0x18060010 1         ;# force EMRS update cycle
    mww 0x18060014 0x4c00           ;# DDR refresh value ----
    mww 0x18060018 0xffff           ;# DDR Read Data This Cycle value (16bit: 0xffff)
    mww 0x1806001c 0x7              ;# delay added to the DQS line (normal = 7)
    mww 0x18060020 0
    mww 0x18060024 0
    mww 0x18060028 0
}


# setup working area somewhere in RAM
$TARGETNAME configure -work-area-phys 0xa0600000 -work-area-size 0x20000

# serial SPI capable flash
# flash bank <driver> <base> <size> <chip_width> <bus_width>
#set FLASHNAME $CHIPNAME.flash
#flash bank $FLASHNAME stmsmi 0xBE000000 0x02000000 0 0 $TARGETNAME

Great job, I would suggest not to change the chip's name for now.
You are right about lowlevel_init.S.

You will know ar9132.cfg is working when you are able to write/read a value in RAM, i.e.

mww 0x00000000 0xA5A5A5A5
and re-read it with
mrw 0x00000000

(Last edited by Frant on 1 Sep 2014, 00:52)

OK, tried it, not working.. BTW, the lines with two parameters are wrong I think, I needed to AND them first to make one parameter.


when I do a load_image u-boot.bin 0x1a000000 and then a mdw 0x1a000000 I get all zeros..

> mdw 0x1a000000 30
0x1a000000: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0x1a000020: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0x1a000040: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0x1a000060: 00000000 00000000 00000000 00000000 00000000 00000000
> load_image u-boot.bin 0x1a000000
229736 bytes written at address 0x1a000000
downloaded 229736 bytes in 1.265946s (177.220 KiB/s)
> mdw 0x1a000000 30               
0x1a000000: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0x1a000020: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0x1a000040: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0x1a000060: 00000000 00000000 00000000 00000000 00000000 00000000

as part of ap83.c

there is a statement

#if 0
    ar7100_ddr_width_t width;
#endif

which is used in

width        = ar7100_ddr_get_width();


which is the code below from meminit.c .. does #if 0 get included or is that a way to comment out large parts of code?


ar7100_ddr_width_t
ar7100_ddr_get_width()
{
    volatile uint32_t *p = 0xa0000000, *p1 = 0xa0001000;
    uint32_t pat = 0x12345678, rd;

    *p  = pat;
    *p1 = 0;
    asm("sync");
    /*
     * discharge DQ[31:16]
     */
    rd  = *p;

    if (rd == pat)
        return AR7100_DDR_32B;

    if ((rd & 0xffff) == (pat & 0xffff))
        return AR7100_DDR_16B_LOW;

    if ((rd & 0xffff0000) == (pat & 0xffff0000))
        return AR7100_DDR_16B_HIGH;

    /*
     * If Some'n's hosed this early cant do much; silence the compiler smile
     */
    printf("something's wrong. rd %#x pat %#x\n", rd, pat);

    return AR7100_DDR_32B;
}

#if 0
/// some code
#endif

means code will never be executed (expression 0 is always false for the C pre-processor) - this is fine then.

I forgot to mention that once you are able to configure the DRAM from openocd, you may have to comment out PLL/DRAM initialization in your RAM-relocated u-boot: since it will execute from DRAM, keeping this code active could mean configuring DRAM while you are executing from it, which is not desirable.

You can comment-out large sections of code by using #ifdef 0 ... #endif.

Which lines with two arguments are you referring to ?

(Last edited by Frant on 1 Sep 2014, 02:42)
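
An added example, not code from any post in this thread: a small Python check that parses `mww` lines, folds MIPS kseg0/kseg1 addresses down to physical ones so Frant's command list and the posted ar9132.cfg can be compared write by write, and lists every `mww` that carries a third operand, which OpenOCD's `mww addr value [count]` syntax takes as a fill count. The embedded lines are excerpts copied from the posts; treating addresses below 0x80000000 as already physical is an assumption.

```python
import re
from collections import namedtuple
Write = namedtuple("Write", "phys value count text")
# Excerpts copied from the two posts in this thread (not the complete lists).
FRANT_DDR = """\
mww 0xb8000000 0x77bc8cd0
mww 0xb8000018 0x0000ffff
mww 0xb800001c 0x00000000
"""
CFG_DDR = """\
mww 0x18060000 0x77bc8cd0       ;# DDR cfg cdl val (rst: 0x5bfc8d0)
mww 0x18060018 0xffff           ;# DDR Read Data This Cycle value (16bit: 0xffff)
mww 0x1806001c 0x7              ;# delay added to the DQS line (normal = 7)
"""
CFG_PLL = """\
mww 0x18050008    0x2  0x2
mww 0x18050000 0x20000 0x80000000
mww 0x18050008 0x2
"""

def to_phys(addr):
    # MIPS32 kseg0/kseg1 (0x80000000-0xbfffffff) alias physical memory, so
    # drop the top three bits. Assumption: lower addresses are already physical.
    return addr & 0x1FFFFFFF if 0x80000000 <= addr <= 0xBFFFFFFF else addr

def parse(script):
    """Return one Write per mww line; '#' and ';#' comments are ignored."""
    writes = []
    for line in script.splitlines():
        code = re.split(r";?#", line, maxsplit=1)[0].split()
        if len(code) >= 3 and code[0] == "mww":
            nums = [int(tok, 0) for tok in code[1:]]
            count = nums[2] if len(nums) > 2 else None
            writes.append(Write(to_phys(nums[0]), nums[1], count, line.strip()))
    return writes

def with_count(writes):
    """Syntax is 'mww addr value [count]': a third operand is a fill count."""
    return [w for w in writes if w.count is not None]

def diff(a, b):
    """Pair two write sequences in order and return the pairs that disagree."""
    return [(x, y) for x, y in zip(a, b) if (x.phys, x.value) != (y.phys, y.value)]

if __name__ == "__main__":
    for w in with_count(parse(CFG_PLL)):
        print("third operand %#x is a count: %s" % (w.count, w.text))
    for x, y in diff(parse(FRANT_DDR), parse(CFG_DDR)):
        print("%#010x=%#x  vs  %#010x=%#x" % (x.phys, x.value, y.phys, y.value))
```

The check only shows where the two lists disagree (register base and the value written at offset 0x1c); which side is right has to be settled against ar7100_soc.h and the u-boot sources named in the thread.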

The discussion might have continued from here.