[tcharron]

My parent's WRTSL54GS spontaneously died, and just sat there flashing its power light.

I installed a serial port monitor, and could see that it was in an infinite loop, rebooting over and over every 5 seconds.

Boot_wait is on, and I can get to a CFE> prompt and can install new images.

Every image I have tried (factory, dd-wrt v24 mini, openwrt) will flash properly, but not boot properly. There are about 20 lines from 'nvram show', and none seem wrong to me. -- What should I try next? JTAG is not too easy given it's a wrtsl54gs...

Thanks.

[Donny]

See note 6 of peacock thread sticky.

[redhawk0]

Did you clear the nvram.

Try "nvram erase" at the CFE> prompt.

See if it will boot up then...if not....

Then tftp the firmware to it again after the nvram is cleared.

redhawk

[tcharron]

I cleared nvram and had the same problems. Here is the CFE output. I am using dd-wrt v24 mini for the wrtsl54gs...

CFE> nvram show
os_ram_addr=80001000
il0macaddr=00:90:4c:5f:00:2a
boardrev=0x10
et0macaddr=00:18:F.:..:..:..
bootnv_ver=1
watchdog=5000
boot_wait=on
et0mdcport=0
reset_gpio=7
pmon_ver=CFE 3.91.38.0
os_flash_addr=bfc40000
sromrev=2
boardtype=0x042f
et1macaddr=00:90:4C:60:00:2B
lan_netmask=255.255.255.0
et1mdcport=1
wl0id=0x4320
ag0=255
wl0gpio2=0
wl0gpio3=0
wait_time=7
pa0itssit=62
cctl=0
pa0maxpwr=0x48
lan_ipaddr=192.168.1.1
clkfreq=264
aa0=3
sdram_config=0x0062
scratch=a0180000
ccode=0
boardflags=0x0018
sdram_refresh=0x0000
sdram_ncdl=0x10108
et0phyaddr=30
pa0b0=0x170c
pa0b1=0xfa24
pa0b2=0xfe70
sdram_init=0x000b
dl_ram_addr=a0001000
boot_ver=v3.5
et1phyaddr=5
boardnum=42
size: 685 bytes (32083 left)
*** command status = 0
CFE> reboot


CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 一 11月 7 19:02:17 CST 2005 (root@localhost)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena
Initializing Devices.

No DPN
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.38.0
rndis0: Broadcom USB RNDIS Network Adapter (P-t-P)
et1: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.38.0
CPU type 0x29006: 264MHz
Total memory: 32768 KBytes

Total memory used by CFE: 0x80300000 - 0x803A3890 (669840)
Initialized Data: 0x803397A0 - 0x8033BEB0 (10000)
BSS Area: 0x8033BEB0 - 0x8033D890 (6624)
Local Heap: 0x8033D890 - 0x803A1890 (409600)
Stack Area: 0x803A1890 - 0x803A3890 (8192)
Text (code) segment: 0x80300000 - 0x803397A0 (235424)
Boot area (physical): 0x003A4000 - 0x003E4000
Relocation Factor: I:00000000 - D:00000000

Boot version: v3.5
The boot is CFE

mac_init(): Find mac [00:18:F.:..:..:..] in location 0
Nothing...

No eou key find
Device eth0: hwaddr 00-18-F.-..-..-.., ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Reading :: Failed.: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 4500 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
CPU revision is: 00029006

Linux version 2.4.36 (root@dd-wrt) (gcc version 3.4.6 (OpenWrt-2.0)) #308 Sun Jul 27 16:11:05 CEST 2008

Setting the PFC to its default value

Determined physical RAM map:

memory: 02000000 @ 00000000 (usable)

On node 0 totalpages: 8192

zone(0): 8192 pages.

zone(1): 0 pages.

zone(2): 0 pages.

Kernel command line: root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200

CPU: BCM4704 rev 9 at 264 MHz

Using 132.000 MHz high precision timer.

Calibrating delay loop... 263.78 BogoMIPS

Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)

Inode cache hash table entries: 2048 (order: 2, 16384 bytes)

Mount cache hash table entries: 512 (order: 0, 4096 bytes)

Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)

Page-cache hash table entries: 8192 (order: 3, 32768 bytes)

Checking for 'wait' instruction... unavailable.

POSIX conformance testing by UNIFIX

PCI: Initializing host

PCI: Fixing up bus 0

PCI: Fixing up bridge

PCI: Setting latency timer of device 01:00.0 to 64

PCI: Fixing up bus 1

Initializing RT netlink socket

Starting kswapd

devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)

devfs: boot_options: 0x1

squashfs: version 3.0 (2006/03/15) Phillip Lougher

pty: 256 Unix98 ptys configured

Serial driver version 5.05c (2001-07-0 with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled

ttyS00 at 0xb8000300 (irq = 3) is a 16550A

ttyS01 at 0xb8000400 (irq = 3) is a 16550A

PCI: Setting latency timer of device 00:01.0 to 64

PCI: Setting latency timer of device 00:02.0 to 64

PCI: Setting latency timer of device 01:01.0 to 64

PCI: Enabling device 01:01.0 (0004 -> 0006)

Data bus error, epc == 80213ad8, ra == 80218290

Oops in traps.c::do_be, line 385:

$0 : 00000000 1000fc00 00000000 00000011 80330800 0000039a 81077ca0 00000001

$8 : 0c020083 81077c70 00000360 1000fc01 00000002 00000360 00000004 00000001

$16: c0000ff8 80330800 00000000 00004318 8036000c 8036099c 00000001 00000000

$24: 00000000 8000c368 81076000 81077c90 80336460 80218290

Hi : 00020333

Lo : 48750000

epc : 80213ad8 Not tainted

Status: 1000fc03

Cause : 0000001c

PrId : 00029006

Process swapper (pid: 1, stackpage=81076000)

Stack: 8036000c 8036099c 18001000 80336460 00000001 80336460 18001000

80336460 80330800 80218290 00000673 00000001 802ab0e0 802cd9d0 fffffffb

00000007 81077d28 000014e4 00000000 81059860 00000020 81059858 00000003

00004318 80330400 00000000 80336460 0000002c 800fc43c 8021e094 00000000

80360000 80336460 0000010c c0000000 00004318 80330800 80336460 8036000c

8036099c ...

Call Trace: [<80218290>] [<800fc43c>] [<8021e094>] [<802190f0>] [<800fb414>]

[<80002800>] [<800b5068>] [<8000c368>] [<800230b4>] [<8000b72c>] [<80002000>]

[<8000b7b8>] [<8021e094>] [<80002000>] [<800ff430>] [<8021e75c>] [<8021f37c>]

[<80285f1f>] [<80132640>] [<8021f540>] [<800ff698>] [<80133238>] [<8005fab0>]

[<8013334c>] [<80001964>] [<80001964>] [<80001914>] [<800039a4>] [<80012160>]

[<8005f8e8>] [<80003994>]


Code: 2405039a 27a60010 24070001 <8e100000> 14400008 00000000 02001021 8fbf0024 8fb20020

Kernel panic: Attempted to kill init!

<0>Rebooting in 5 seconds..

[tcharron]

I compared the nvram settings to another working WRTSL54GS. Most of the nvram settings on the working router do not exist on the non-functioning one (as expected). All of the other settings were identical between the two routers except for these two:

Good WRTSL54GS
pa0maxpwr=251
sdram_ncdl=0x10208

Non-functioning WRTSL54GS
pa0maxpwr=0x48
sdram_ncdl=0x10108

What is the sdram_ncdl setting used for?

[tcharron]

I have cleared the nvram, and tftp'd several different binaries. They all hang. oops in traps.c::do_be: line 385; some are line 254.

I've tried dd-wrt v23; dd-wrt v24; eko 11650; openwrt; factory firmware. I've tried micro, mini, and mega. They all show errors like the above but won't boot without error.

The thing that seems to be in common is that the errors all occur one or two lines after "PCI: Enabling device 01:01.0 (0004 -> 0006). I get a lot of "data bus error" messages.

I'm wondering if this box has had a hardware failure of some kind -- perhaps the SDRAM or flash chip. The CFE "memtest" command seems to be ok though. I'm running out of ideas for what to try.

[redhawk0]

[tcharron]

I will send you the CFE.BIN from the working router.

I don't have jtag set up on this box (and think I mucked up the board so it may not be possible).

Is there any way to use the CFE> prompt to upgrade the CFE with a new one, using serial+ethernet rather than JTAG?

[redhawk0]

[tcharron]

Mucked might be too strong a word. I have a lot of soldering experience, and know that I didn't damage anything other than the jtag pads.

There is no jtag port on this board, but the various lines are available via solder pads. Some of the solder pads lifted when I heated them - it seems that the solder pads are laid on top of the etch resist material, and the heat from the soldering iron causes them to come loose. I ended up exposing the electrical traces leading to the solder pads, and then soldering wire meant to be used in electrical windings (about 1/10th the diameter of a human hair) directly to that. It is a slow and tedious job (done entirely while wearing a jeweler's loupe) and I still have one line to complete before I can try to JTAG again.

The recycle boot and error messages occurred before I went anywhere near the JTAG pads.

The CFE/serial install seems like it should be doable. I was reading the CFE docs last night (a broadcom document), and while light on details, it seems like it should be possible. They went to all the effort of providing the serial interface - it would have been negligent not to build this capability in!

[redhawk0]

OK...check your PM box...and thank you for the cfe.

Yes...you are correct...if they go to all the trouble of putting in a Serial interface...then it would make sense that they have some way of communicating with the chip via serial/ethernet.

redhawk

[redhawk0]

This is a similar topic started yesterday....if this one goes somewhere...it might be a future resolution to your problem.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=47603

redhawk

[tcharron]

[tcharron]

I was able to figure out the relevant parts of the CFE source pretty quick. The current source code (v 1.4.2) includes explicit references to loading CFE over TFTP. My version is 1.0.37, but I'm hoping that this works there too. Here's what I've done:

1. Read CFE.PDF -- CFE funcitonal specification. One useful bit of information is on page 86 of 152:
"cfe.flash -- Flash update file (can be put on a TFTP server and downloaded to a target to update its flash"

2. Ok. Go and get the CFE source code. The makefile for cfe.flash is cfe_link.mk. It shows:

cfe.flash : cfe.bin mkflashimage swapflashimage
./mkflashimage -v ${ENDIAN} -B ${CFG_BOARDNAME} -V ${CFE_VER_MAJ}.${CFE_VER_MIN}.${CFE_VER_ECO} cfe.bin cfe.flash
$(OBJCOPY) --input-target=binary --output-target=srec cfe.flash cfe.flash.srec

- We don't need the serial records (.srec file)
- We have (or can extract a good ) cfe.bin.
- The swapflashimage is not needed
- So, to conver the cfe.bin to cfe.flash, we need mkflashimage.

3. mkflashimage is defined in cfe.mk...

mkflashimage : ${TOP}/hosttools/mkflashimage.c
$(HOST_CC) $(HOST_CFLAGS) -o mkflashimage -I${TOP}/include ${TOP}/hosttools/mkflashimage.c

4. mkflashimage.c

This code adds a 64 byte header to the CFE.BIN file that includes version number, target board type, checksums, andian state, etc. I didn't want to do this by hand, so decided to compile mkflashimage on my windows box.

Some very minor tweaks were required to get this to complile under windows.

- One important one was to make sure that the conversion of the input cfe.bin didn't convert every 0x0A character to 0x0D/0x0A (lf conversion to crlf) (I edited the 4th open statement)

My WRTsl54GS CFE prompt boots up with: "CFE version 1.0.37 for BCM947XX (32bit,SP,LE)"

This tells me it is little-endian, the version, and the board type.

mkflashimage.exe -v -EL -B "BCM947XX" -V 1.0.37 cfe.bin cfe.flash

Now I have a cfe.flash. I think I just need to boot into the CFE, and tftp this file to my box using the tftp command.

Before I do that, I'd like to confirm that my CFE is in fact corrupt. I'll need to use the SAVE command to extract 0xBFC40000 (I think) to a TFTP destination. Once I have that I can compare to a known good CFE file.

In the meantime, is anyone willing to try this tool and see if it works? I'm reluctant to use my device as a guinea pig since I don't have a working JTAG interface on it!

[tcharron]

While this tool may help others, it won't help me. I think that this router has developed a hardware problem. It has not booted properly since it was mailed to me by my parents.

I was able to extract the CFE and confirm that it matches the one in an identical router, except for the MAC address and Serial number.

I was also able to flash a new dd-wrt flash image and then extract it to confirm that the flash is still accepting writes properly.

I may try to replace the dram chip as that's the only other thing I can think of that is easy to check.