CPEi25150 jffs2 address is wrong.

Report bugs found in the software. New release will fix those bugs.
cpe
Junior Member
Posts: 4
Joined: Fri Mar 23, 2012 1:02 pm

Post by cpe »

I can read the valid jffs2 at 0xBC8E0000 but the program is looking at 0x918E0000 which appears to be part of the first flash image. After 0x91000000 the reader appears to wrap back to the beginning.

I can read the jffs manually with a GETRAM bc8e0000 720000 but cannot write the jffs2.

BTW just want to say usbjtagnt is a great jtag reader.
usbbdm
Junior Member
Posts: 8979
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

cpe wrote:
> I can read the valid jffs2 at 0xBC8E0000 but the program is looking at 0x918E0000 which appears to be part of the first flash image. After 0x91000000 the reader appears to wrap back to the beginning.
>
> I can read the jffs manually with a GETRAM bc8e0000 720000 but cannot write the jffs2.
>
> BTW just want to say usbjtagnt is a great jtag reader.

Make a good backup. Can you enter TRAP ON?
Type "program" without any parameter. Then try to read again. If so you might be able to write the flash.
cpe
Junior Member
Posts: 4
Joined: Fri Mar 23, 2012 1:02 pm

Post by cpe »

The problem is that a backup is not of the whole flash. The jffs tab is downloading flash starting at 908E0000; this is in the middle of firmware image a. The jffs partition is available at bc8e0000 and is not being downloaded. When I download the jffs2 from bc8e0000 720000, whether or not I edit it, and try to upload it to the jffs tab, I get a corrupted firmware image a. When I try to write it back to bc8e0000 I get "can't find the memory in the configuration".

Edit: Here's some info on the flash layout from hxxp:// ta. failte .romhat .net/ clear / notes.txt

Accessible address space:
0x00000000 - 0x80000000         kuseg MMU mapped
0x80000000 - 0xA0000000         kseg0 unmapped
0xA0000000 - 0xC0000000         kseg1 unmapped, uncached
    0xA0000000 - 0xAC000000             on-chip RAM and registers
        0xA0000000 - 0xA0001000 4K-byte RAM
        0xA8610E00                      ttyS0 (irq = 15)
        0xA8611A00                      SYS_CONFIG (BOOT) Register (tnetv1060_datasheet.pdf page44)
    0xB0000000 - 0xC0000000             on-board EMIF
        0xB0000000 - 0xB2000000 EM_CS0 asynchronous memory (flash) (32M-byte addressability)
            0xB0000000 - 0xB0020000     Bootloader
                0xB000E740 - 0xB0011631 vocabulary
                0xB001B3F0 - 0xB001C1B0 stage2?
            0xB0020000 - 0xB0040000     Bootloader config (contains useful addresses)

            0xB0040000 - 0xB0C40000     IMAGE_A (generic-02.00.10.05.36-r10611350080910-0.0.0-r080910.img)
                0xB0040000 - 0xB0040110 partition table (http://wiki.openwrt.org/OpenWrtDocs/Hardware/Linksys/WRTP54G#line-435)
                0xB0060000 - 0xB00E8353 kernel partition
                0xB0100000 - 0xB0971FFF root partition (squashfs)
                0xB0972000 - 0xB0972113 ssh-rsa signature?

            0xB0C40000 - 0xB0C60000     CONFIG_A
            0xB0C60000 - 0xB0C80000     CONFIG_B
            0xB0C80000 - 0xB0CA0000     FNE_CERTS
            0xB0CA0000 - 0xB0CC0000     DEV_CERTS
            0xB0CC0000 - 0xB0CE0000     FACTORY_DEF

            0xB0CE0000 - 0xB18E0000     IMAGE_B (generic-02.00.10.05.48-r10611350081219-0.0.0-r081219.img)
                0xB0CE0000 - 0xB0CE0110 partition table (http://wiki.openwrt.org/OpenWrtDocs/Hardware/Linksys/WRTP54G#line-435)
                0xB0D00000 - 0xB0D838B8 kernel partition
                0xB0DA0000 - 0xB16BEFFF root partition (squashfs)
                0xB16BF000 - 0xB16BF113 ssh-rsa signature?
                PROBLEM: 0xB1000000 is a mirror of 0xB0000000
                SOLUTION: use 0xBC000000 for second half of flash

            0xB18E0000 - 0xB2000000     JFFS2

        0xB4000000 - ?xB8000000 EM_CS1 SDRAM (64M-byte addressability)
            0xB40000 - 0xB455EE00ish    ??
            0xB70000 - 0xB855F000ish    ??
        ?xB8000000 - ?xBC000000 EM_CS2 SDRAM (64M-byte addressability)
        0xBC000000 - 0xBD000000 EM_CS3 asynchronous memory (16M-byte addressability)
        0xBD000000 - 0xBE000000 EM_CS4 asynchronous memory (16M-byte addressability)
        0xBE000000 - 0xBF000000 EM_CS5 asynchronous memory (16M-byte addressability)
        0xBFC00000 - 0xBFC01000 on-chip 4K-byte ROM

0xC0000000 - 0xE0000000         kseg2 Kernel virtual address space (mapped)
0xE0000000 - 0x00000000         kseg3 Kernel virtual address space (mapped)
usbbdm
Junior Member
Posts: 8979
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

My XML is based on how JTAG reads it. I think in this case the memory of bc8e0000 can be programmed via JTAG using 0x908e0000.

Just use command
peek 908e0000
peek bc8e0000
you should get the same value.
cpe
Junior Member
Posts: 4
Joined: Fri Mar 23, 2012 1:02 pm

Post by cpe »

Middle of firmware img a
-PEEK 908e0000
Peeked Address=0x908E0000 Data=0x9A20B226

JFFS tab Start address
-PEEK 918e0000
Peeked Address=0x918E0000 Data=0x9A20B226

Real JFFS2 start address
-PEEK bc8e0000
Peeked Address=0xBC8E0000 Data=0x20031985

See the value in bc8e0000; that's the magic for a jffs2.
usbbdm
Junior Member
Posts: 8979
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

cpe wrote:
> Middle of firmware img a
> -PEEK 908e0000
> Peeked Address=0x908E0000 Data=0x9A20B226
>
> JFFS tab Start address
> -PEEK 918e0000
> Peeked Address=0x918E0000 Data=0x9A20B226
>
> Real JFFS2 start address
> -PEEK bc8e0000
> Peeked Address=0xBC8E0000 Data=0x20031985
>
> See the value in bc8e0000; that's the magic for a jffs2.

If you want, set up TeamViewer and I can take a look. It must be a simple XML change or just program to the right section.
cpe
Junior Member
Posts: 4
Joined: Fri Mar 23, 2012 1:02 pm

Post by cpe »

May not need to set up TeamViewer. I just did this:

PEEK 9c8e0000 and got
Peeked Address=0x9C8E0000 Data=0x20031985

The crux of the problem with the current xml is this but translated to your base address:
PROBLEM: 0xB1000000 is a mirror of 0xB0000000
SOLUTION: use 0xBC000000 for second half of flash

This means jffs2 and maybe image b are corrupt on read and write. I think changing the xml for jffs2 to 9c8e0000 will fix jffs2. I'll try that, but I'm not sure about image b (not that it really matters for my application).

EDIT:
I can confirm getram 9c8e0000 720000 gets me the correct jffs2 image. I changed the xml target to 9c8e0000 for jffs2, but after restarting and reloading the config profile the jffs2 tab shows 918e0000.
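An added example, not part of the original thread or of the usbjtag software: a short Python script that folds the peeked addresses onto physical flash addresses and checks each word for a JFFS2 node header. It assumes the standard MIPS32 kseg0/kseg1 mapping, the 16 MiB mirror described in the layout notes, and that PEEK prints the word in the target's little-endian order; the function names and the embedded log (constructed from the PEEK output quoted in the thread) are illustrative.

```python
import re

# Constructed from the PEEK output quoted in the thread.
PEEK_LOG = """\
Peeked Address=0x908E0000 Data=0x9A20B226
Peeked Address=0x918E0000 Data=0x9A20B226
Peeked Address=0xBC8E0000 Data=0x20031985
Peeked Address=0x9C8E0000 Data=0x20031985
"""

JFFS2_MAGIC = 0x1985  # JFFS2_MAGIC_BITMASK, first 16 bits of every node header
JFFS2_NODETYPES = {0xE001: "dirent", 0xE002: "inode",
                   0x2003: "cleanmarker", 0x2004: "padding"}
CS0_BASE = 0x10000000     # physical base of EM_CS0 (0xB0000000 seen through kseg1)
CS0_DECODED = 0x01000000  # assumption from the notes: 16 MiB decoded, the rest mirrors

def to_physical(vaddr):
    """kseg0 (0x8...) and kseg1 (0xA...) are both unmapped: physical = low 29 bits."""
    if not 0x80000000 <= vaddr < 0xC0000000:
        raise ValueError(f"{vaddr:#010x} is not in kseg0/kseg1")
    return vaddr & 0x1FFFFFFF

def canonical(vaddr):
    """Fold the mirrored upper half of the 32 MiB EM_CS0 window onto the flash it reads."""
    phys = to_physical(vaddr)
    if CS0_BASE <= phys < CS0_BASE + 2 * CS0_DECODED:
        phys = CS0_BASE + (phys - CS0_BASE) % CS0_DECODED
    return phys

def jffs2_node(word):
    """Return the JFFS2 node type name if the word starts with the magic, else None."""
    magic, nodetype = word & 0xFFFF, word >> 16
    if magic != JFFS2_MAGIC:
        return None
    return JFFS2_NODETYPES.get(nodetype, f"unknown {nodetype:#06x}")

def analyse(log):
    """Parse PEEK lines into (virtual address, canonical physical address, node type)."""
    rows = []
    for addr, data in re.findall(r"Address=0x([0-9A-Fa-f]{8}) Data=0x([0-9A-Fa-f]{8})", log):
        vaddr, word = int(addr, 16), int(data, 16)
        rows.append((vaddr, canonical(vaddr), jffs2_node(word)))
    return rows

if __name__ == "__main__":
    for vaddr, phys, node in analyse(PEEK_LOG):
        print(f"{vaddr:#010x} -> phys {phys:#010x}  jffs2: {node or 'no'}")
```

Addresses that fold to the same physical value are aliases of one flash location, so a partition entry pointing at either one reads and writes the same data.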