Tuesday, September 29, 2009

How to TFTP firmware to your WRT54G2

In order to tftp the firmware you had created, you will need to tftp into the chip. First, open a terminal and continuous ping 192.168.1.1 and you will notice that the TTL is 100. During the normal ping reply will be 64. Keep this terminal on while open another new terminal.

Try to erase the nvram and kernel with the JTAG cable. I am still not sure yet and I will post more on this part. AsI had done many trial and errors before getting into this stage.

This new terminal will be flashing the firmware into the wireless router. The command is something like below:
root@node01:~/> atftp --trace --option "timeout 1" --option "mode octet" --put --local-file openwrt-xxx-x.x-xxx.bin 192.168.1.1

Leave the terminal open and turn off the wireless router and wait for a few seconds before turn it on. Once the tftp is ready, you will see the terminal dumping out lots of information out.

You can actually open another terminal and run your minicom for monitoring the process. At least you are not working in blind.

The output will be something like below:
Decompressing..........done


CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Thu Oct 30 16:02:09 EDT 2008 (tornado@dd-wrt.com)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena
Initializing Devices.
Boot partition size = 131072(0x20000)
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 4.150.10.5
CPU type 0x29029: 240MHz
Total memory: 16384 KBytes

Total memory used by CFE:  0x80700000 - 0x807977D0 (620496)
Initialized Data:          0x8072E860 - 0x80730FB0 (10064)
BSS Area:                  0x80730FB0 - 0x807317D0 (2080)
Local Heap:                0x807317D0 - 0x807957D0 (409600)
Stack Area:                0x807957D0 - 0x807977D0 (8192)
Text (code) segment:       0x80700000 - 0x8072E860 (190560)
Boot area (physical):      0x00798000 - 0x007D8000
Relocation Factor:         I:00000000 - D:00000000

Device eth0:  hwaddr 00-23-69-F8-07-AF, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: Failed.
Could not load :: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 3768 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
Linux version 2.6.28.10 (bert@Node01) (gcc version 4.1.2) #7 Tue Sep 29 14:16:43 MYT 2009
CPU revision is: 00029029 (Broadcom BCM3302)
ssb: Core 0 found: ChipCommon (cc 0x800, rev 0x14, vendor 0x4243)
ssb: Core 1 found: Fast Ethernet (cc 0x806, rev 0x09, vendor 0x4243)
ssb: Core 2 found: MIPS 3302 (cc 0x816, rev 0x08, vendor 0x4243)
ssb: Core 3 found: USB 2.0 Host (cc 0x819, rev 0x02, vendor 0x4243)
ssb: Core 4 found: MEMC SDRAM (cc 0x80F, rev 0x04, vendor 0x4243)
ssb: Core 5 found: IEEE 802.11 (cc 0x812, rev 0x0D, vendor 0x4243)
ssb: Core 6 found: Roboswitch (cc 0x81C, rev 0x02, vendor 0x4243)
ssb: Initializing MIPS core...
ssb: core 0x0800, irq : 2(S)  3* 4  5  6  D  I
ssb: core 0x0806, irq : 2(S)  3  4* 5  6  D  I
ssb: core 0x0816, irq : 2(S)  3  4  5* 6  D  I
ssb: core 0x0819, irq : 2(S)  3  4  5  6* D  I
ssb: core 0x080f, irq : 2(S)  3  4  5  6  D  I*
ssb: core 0x0812, irq : 2(S)* 3  4  5  6  D  I
ssb: core 0x081c, irq : 2(S)  3  4  5  6  D  I*
ssb: set_irq: core 0x0806, irq 4 => 4
ssb: set_irq: core 0x0816, irq 5 => 2
ssb: set_irq: core 0x0812, irq 2 => 5
ssb: after irq reconfiguration
ssb: core 0x0800, irq : 2(S)  3* 4  5  6  D  I
ssb: core 0x0806, irq : 2(S)  3  4* 5  6  D  I
ssb: core 0x0816, irq : 2(S)* 3  4  5  6  D  I
ssb: core 0x0819, irq : 2(S)  3  4  5  6* D  I
ssb: core 0x080f, irq : 2(S)  3  4  5  6  D  I*
ssb: core 0x0812, irq : 2(S)  3  4  5* 6  D  I
ssb: core 0x081c, irq : 2(S)  3  4  5  6  D  I*
ssb: Sonics Silicon Backplane found at address 0x18000000
Serial init done.
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00001000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00001000
Built 1 zonelists in Zone order, mobility grouping off.  Total pages: 4064
Kernel command line: root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200
Primary instruction cache 16kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 16kB, 2-way, VIPT, cache aliases, linesize 16 bytes
PID hash table entries: 64 (order: 6, 256 bytes)
console [ttyS0] enabled
Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
Memory: 13488k/16384k available (2153k kernel code, 2896k reserved, 312k data, 136k init, 0k highmem)
Calibrating delay loop... 239.10 BogoMIPS (lpj=478208)
Mount-cache hash table entries: 512
net_namespace: 428 bytes
NET: Registered protocol family 16
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP reno registered
NET: Registered protocol family 1
detected lzma initramfs
initramfs: LZMA lc=1,lp=2,pb=2,origSize=512
squashfs: version 3.0 (2006/03/15) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY)  �© 2001-2006 Red Hat, Inc.
msgmni has been set to 26
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver2 ports, IRQ sharing enabled
serial8250: ttyS0 at MMIO 0xb8000300 (irq = 3) is a 16550A
serial8250: ttyS1 at MMIO 0xb8000400 (irq = 3) is a 16550A
serial8250.0: ttyS0 at MMIO 0xb8000300 (irq = 3) is a 16550A
serial8250.0: ttyS1 at MMIO 0xb8000400 (irq = 3) is a 16550A
b44.c:v2.0
eth0: Broadcom 44xx/47xx 10/100BaseT Ethernet 00:23:69:f8:07:af
flash init: 0x1c000000 0x02000000
Physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
Physically mapped flash: JEDEC Device ID is 0x22C4. Assuming broken CFI table.
Physically mapped flash: Swapping erase regions for broken CFI table.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Flash device: 0x200000 at 0x1fc00000
bootloader size: 131072
Creating 4 MTD partitions on "Physically mapped flash":
0x00000000-0x00020000 : "cfe"
0x00020000-0x001f0000 : "linux"
0x000ed800-0x001f0000 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
mtd: partition "rootfs" set to be root filesystem
mtd: partition "rootfs_data" created automatically, ofs=1E0000, len=10000
0x001e0000-0x001f0000 : "rootfs_data"
0x001f0000-0x00200000 : "nvram"
BCM47xx Watchdog Timer enabled (30 seconds, nowayout)
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 136k freed
Please be patient, while OpenWrt loads ...
- preinit -
Press CTRL-C for failsafe
diag: Router model not detected.
b44: eth0: Link is up at 100 Mbps, full duplex.
b44: eth0: Flow control is off for TX and off for RX.
b44: eth0: powering down PHY
jffs2 not ready yet; using ramdisk
mini_fo: using base directory: /
mini_fo: using storage directory: /tmp/root
- init -

Anyway, my version still having some bugs as I am trying to develop a working firmware. At least now is booting with some status. ;)

1 comment:

juankd said...

Hi compa, i work with de wrt micro in wrt54g2 and i like flash this router with openwrt! Is posible the firmware upgrade for GUI or Console, and your how to fuction actually?

Please helpme
excuse my bad english i is colombian.

Tanks bye.