#18496: SFR Neufbox NB6V support and possibly new CFE image tag
---------------------------------------+----------------------------------
Reporter: hello@… | Owner: developers
Type: defect | Status: new
Priority: normal | Milestone: Chaos Calmer (trunk)
Component: packages | Version: Trunk
Keywords: cfe neufbox nb6v BCM63268 |
---------------------------------------+----------------------------------
Hello,
could you please add support for the NB6V ? It's an evolution of the NB6
with a BCM63268 chipset, with what I think is a new CFE image format never
seen before.
I'm able to boot the latest OpenWRT via TFTP with the BCM63XX target,
generic subtarget (SMP errors out at compile time) and SFR Neufbox6
profile by modifying the "expected_cpu_id" of "board_nb6" to "0x63268" in
"board_bcm963xx.c" (otherwise it panics because the CPUID isn't correct)
and building an ELF uncompressed image, here's the boot log including the
command I use to manually load the image in RAM instead of flashing it
(disregard the modified CFE parameters, I had to change its IP and default
boot file) :
{{{
HELO
CPUI
L1CI
HELO
CPUI
L1CI
DRAM
----
PHYS
STRF
400H
PHYE
DDR2
SIZ4
SIZ3
SIZ2
DINT
USYN
LSYN
MFAS
LMBE
RACE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN
NAN0
BT01
0001
NAN9
BT01
0992
NAN9
NAN3
RFS2
NAN5
CFE version 1.0.38-112.70 for BCM963268 (32bit,SP,BE)
Build Date: Fri Oct 18 19:11:22 CEST 2013 (gmu@gmu-thinkpad)
Copyright (C) 2000-2011 Broadcom Corporation.
boot...
NAND flash device: name ST NAND512W3A2CN6, id 0x2076 block 16KB size
65536KB
RTL: chip 6000.1000 probed
TX/RX delay set on switch side!
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000
Board IP address : 192.168.1.2
Host IP address : 192.168.1.10
Gateway IP address :
Run from flash/host (f/h) : h
Default host run file name : openwrt
Default host flash file name : v
Boot delay (0-9 seconds) : 5
Boot image (0=latest, 1=previous) : 0
Board Id (0-13) : NB6V-FXC-r0
Number of MAC Addresses (1-32) : 10
Base MAC Address : XX:XX:XX:XX:XX
PSI Size (1-64) KBytes : 24
Enable Backup PSI [0|1] : 0
System Log Size (0-256) KBytes : 0
Main Thread Number [0|1] : 0
*** Press any key to stop auto run (5 seconds) ***
Auto run second count down: 5
CFE> r 192.168.1.10:openwrt-brcm63xx-generic-loader-initramfs-nb6.elf
0x80010000/2976116 Entry at 0x80010000
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found.
Closing DMA Channels.
Starting program at 0x80010000
OpenWrt kernel loader for BCM63XX
Copyright (C) 2011 Gabor Juhos <juh...@openwrt.org>
Copyright (C) 2014 Jonas Gorski <j...@openwrt.org>
Decompressing kernel... done!
blasting from 0x80010000 to 0x0096cc4f (0x80010000 - 0x8097cc50)
Starting kernel at 80010000...
[ 0.000000] Linux version 3.14.25 (andre@Sanctuary) (gcc version 4.8.3
(Open4
[ 0.000000] Detected Broadcom 0x63268 CPU revision d0
[ 0.000000] CPU frequency is 400 MHz
[ 0.000000] 128MB of RAM installed
[ 0.000000] registering 52 GPIOs
[ 0.000000] board_bcm963xx: Boot address 0xb8000000
[ 0.000000] board_bcm963xx: CFE version: unknown
[ 0.000000] bcm63xx_nvram: nvram checksum failed, contents may be
invalid (e)
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 0002a080 (Broadcom BMIPS4350)
[ 0.000000] board: board name: NB6
[ 0.000000] MIPS: machine is SFR neufbox 6 (Sercomm)
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 08000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x07ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x07ffffff]
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 16
bytes.
[ 0.000000] Primary data cache 32kB, 2-way, VIPT, cache aliases,
linesize 16s
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on.
Total pa2
[ 0.000000] Kernel command line: root=/dev/mtdblock2
rootfstype=squashfs,jf0
[ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536
bytes)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768
bytes)
[ 0.000000] Memory: 118944K/131072K available (2539K kernel code, 137K
rwdat)
[ 0.000000] NR_IRQS:256
[ 0.000000] Calibrating delay loop... 397.82 BogoMIPS (lpj=795648)
[ 0.032000] pid_max: default: 32768 minimum: 301
[ 0.036000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.040000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096
bytes)
[ 0.048000] NET: Registered protocol family 16
[ 0.056000] unsupported NAND flash detected
[ 0.068000] bio: create slab <bio-0> at 0
[ 0.076000] Switched to clocksource MIPS
[ 0.084000] NET: Registered protocol family 2
[ 0.092000] TCP established hash table entries: 1024 (order: 0, 4096
bytes)
[ 0.096000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.104000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.112000] TCP: reno registered
[ 0.116000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.120000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.128000] NET: Registered protocol family 1
[ 0.336000] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.344000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.352000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME)
(CMODE_PRIORI.
[ 0.360000] msgmni has been set to 232
[ 0.364000] io scheduler noop registered
[ 0.368000] io scheduler deadline registered (default)
�[ 0.384000] console [ttyS0] enabled MMIO 0xb0000180 (irq = 13,
base_baud = t
[ 0.384000] console [ttyS0] enabled
[ 0.392000] bootconsole [early0] disabled
[ 0.392000] bootconsole [early0] disabled
[ 0.404000] bcm63xx-spi bcm63xx-spi: unable to request irq
[ 0.412000] bcm63xx-spi: probe of bcm63xx-spi failed with error -89
[ 0.420000] rtl8367 rtl8367: using GPIO pins 18 (SDA) and 20 (SCK)
[ 0.424000] rtl8367 rtl8367: unknown chip number (0000)
[ 0.432000] rtl8367 rtl8367: chip detection failed, err=-19
[ 0.476000] bcm63xx-wdt bcm63xx-wdt: started, timer margin: 30 sec
[ 0.480000] TCP: cubic registered
[ 0.484000] NET: Registered protocol family 17
[ 0.488000] 8021q: 802.1Q VLAN Support v1.8
[ 0.572000] Freeing unused kernel memory: 7468K (80335000 - 80a80000)
[ 0.636000] usbcore: registered new interface driver usbfs
[ 0.644000] usbcore: registered new interface driver hub
[ 0.648000] usbcore: registered new device driver usb
[ 0.660000] Button Hotplug driver version 0.4.1
[ 0.672000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 0.680000] ehci-platform: EHCI generic platform driver
[ 0.788000] ehci-platform ehci-platform: EHCI Host Controller
[ 0.792000] ehci-platform ehci-platform: new USB bus registered,
assigned bu1
[ 0.800000] ehci-platform ehci-platform: irq 18, io mem 0xb0002500
[ 0.820000] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00,
overcurd
[ 0.828000] hub 1-0:1.0: USB hub found
[ 0.832000] hub 1-0:1.0: 2 ports detected
[ 0.840000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 0.848000] ohci-platform: OHCI generic platform driver
[ 0.856000] ohci-platform ohci-platform: Generic Platform OHCI
controller
[ 0.864000] ohci-platform ohci-platform: new USB bus registered,
assigned bu2
[ 0.872000] ohci-platform ohci-platform: irq 17, io mem 0xb0002600
[ 0.936000] hub 2-0:1.0: USB hub found
[ 0.940000] hub 2-0:1.0: 2 ports detected
[ 0.948000] input: gpio-keys-polled as /devices/platform/gpio-keys-
polled.0/0
[ 1.804000] random: mktemp urandom read with 13 bits of entropy
available
[ 7.536000] NET: Registered protocol family 10
[ 7.552000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 7.568000] Loading modules backported from Linux version
master-2014-11-04-2
[ 7.576000] Backport generated by backports.git
backports-20141023-2-g4ff890b
[ 7.588000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 7.612000] nf_conntrack version 0.5.0 (1975 buckets, 7900 max)
[ 7.668000] xt_time: kernel timezone is -0000
[ 7.724000] cfg80211: Calling CRDA to update world regulatory domain
[ 7.736000] cfg80211: World regulatory domain updated:
[ 7.740000] cfg80211: DFS Master region: unset
[ 7.744000] cfg80211: (start_freq - end_freq @ bandwidth),
(max_antenna_ga)
[ 7.752000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A,
2000 )
[ 7.764000] cfg80211: (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A,
2000 )
[ 7.772000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A,
2000 )
[ 7.780000] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A,
2000 )
[ 7.788000] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000
KHz A)
[ 7.796000] cfg80211: (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A,
2000)
[ 7.804000] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A,
2000 )
[ 7.812000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz),
(N/A, 0)
[ 7.912000] PPP generic driver version 2.4.2
[ 7.920000] NET: Registered protocol family 24
[ 7.964000] Broadcom 43xx driver loaded [ Features: PNL ]
[ 31.264000] random: nonblocking pool is initialized
}}}
There is no more output after that and no response on the network either
(no ping, nothing); it's my first time using OpenWRT so I'm not sure if
this is the correct behavior, I guess it may have something to do with the
fact that I'm loading it from RAM and the /dev/mtd* still contains the
original SFR firmware, so OpenWRT doesn't find any of its files.
However, when I make a squashfs image for flashing the CFE doesn't like it
very much, see below when I attempt to flash it :
{{{
CFE> r 192.168.1.10:openwrt-NEUFBOX6-squashfs-cfe.bin
Loading 192.168.1.10:openwrt-NEUFBOX6-squashfs-cfe.bin ...
Finished loading 3145732 bytes
Try upgrade firmware....
WFI TAG :
wfiVersion : 0x0
wfiChipId : 0x0
wfiFlashType : 0x0
wfiCrc : 0x00000000
wfiReserved : -559038242
Illegal whole flash image
Retry loading it as a compressed image.
Code Address: 0x36000000, Entry Address: 0x42726f61
LZMA: Prossible old LZMA format, trying to decompress..
}}}
No more output after that.
Compare with what happens when flashing the official SFR firmware -
http://download.nb6thd.neufbox.neuf.fr/nb6v_Version%203.3.9_bis/NB6V-
MAIN-R3.3.9 :
{{{
CFE> r 192.168.1.10:NB6V-MAIN-R3.3.9
Loading 192.168.1.10:NB6V-MAIN-R3.3.9 ...
Finished loading 10878996 bytes
Try upgrade firmware....
WFI TAG :
wfiVersion : 0x5700
wfiChipId : 0x63268
wfiFlashType : 0x2
wfiCrc : 0x8ade1314
wfiReserved : 0
We are gonna flash a image with SFR FIRMWARE
No NAND partition select, use the older : 1
Erasing previous partition
Erasing BBT
................................................................................
Gonna write sequence in OOB : 00 04
Success write sequence number in OOB
Flash FIRMWARE Sucess
Resetting board...
}}}
As you can see, it looks like the image tag/WFI tag generated by OpenWRT
isn't valid (the bootloader sees all its values as zeros) whereas the
official firmware's tag is read fine.
There are tutorials about extracting the rootfs of the official firmware
and then repacking it (I've done it and it works), it uses the "wfi-tag-
extract" utility -
http://svn.gna.org/svn/openbox4/trunk/firmware_3.x/tools/nb6v-wfi-tag-
extract/ - and the "wfi-tag-mk" utility -
http://svn.gna.org/svn/openbox4/trunk/firmware_3.x/tools/nb6v-wfi-tag-mk/
- to strip the WFI tag from the image (so that it can be extracted as a
normal jffs2) and the second utility is used to put back the stripped tag
once the new jffs2 has been made.
None of these utilities work on the images generated by OpenWRT, most
likely because the format has changed, also the "analyzetag" program
mentioned here : http://wiki.openwrt.org/_media/doc/techref/analyzetag.c
works fine with the OpenWRT generated image :
{{{
analyzetag -i openwrt-NEUFBOX6-squashfs-cfe.bin -t bc310
Broadcom image analyzer - v0.1.0
Copyright (C) 2009 Daniel Dickinson
Tag Version: 6
Signature 1: Broadcom Corporatio
Signature 2: ver. 2.0
Chip ID: 6362
Board ID: NB6-SER-r0
Bigendian: true
Image size: 002fff04, 3145476
CFE Address: 00000000, 0
CFE Length: 00000000, 0
Flash Root Address: bfc10100, 3217096960
Flash Root Length: 001e0004, 1966084
Flash Kernel Address: bfc10100, 3217096960
Flash Kernel Length: 0011ff00, 1179392
Vendor information: OpenWRT-r43530
Image CRC: 56d409a4 [Computed Value: 56d409a4]
Rootfs CRC: [Computed Value: f6df7306]
Image CRC from sections: 56d409a4 [Computed Value: bb92a660]
Header CRC: 84232b66 [Computed Value: 84232b66]
Kernel CRC: 9516b33b [Computed Value: 9516b33b]
Rootfs CRC: 0673dff6 [Computed Value: 0673dff6]
}}}
But the same command on the official firmware image outputs nonsense, no
matter what tag ID is used (the weird unicode characters are present in
the output) :
{{{
analyzetag -i NB6V-MAIN-R3.3.9 -t bc310
Broadcom image analyzer - v0.1.0
Copyright (C) 2009 Daniel Dickinson
Tag Version: ����
Signature 1:
Signature 2: Ram���
Chip ID: ��bin�
Board ID: ����
Bigendian: true
Image size: 00000000, 0
CFE Address: 00000000, 0
CFE Length: 00000000, 0
Flash Root Address: 00000000, 0
Flash Root Length: 00000000, 0
Flash Kernel Address: 00000000, 0
Flash Kernel Length: 00000000, 0
Vendor information:
Image CRC: 00001000 [Computed Value: ffffffff]
Rootfs CRC: [Computed Value: ffffffff]
Image CRC from sections: 00001000 [Computed Value: ffffffff]
Header CRC: 81400000 [Computed Value: 93caf56e]
Kernel CRC: 4717db37 [Computed Value: ffffffff]
Rootfs CRC: 00000000 [Computed Value: ffffffff]
}}}
If someone could take a look at the two wfi-tag utilities and reverse-
engineer the new tag format it would be perfect; I have two of these boxes
so feel free to send me image files if you want to test stuff.
Thanks. :)
--
Ticket URL: <https://dev.openwrt.org/ticket/18496>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
openwrt-tickets@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets
