[LEDE-DEV] VRV9510KWAC23

Mathias Kresin dev at kresin.me
Sun Aug 28 01:31:09 PDT 2016 

Am 27.08.2016 um 19:44 schrieb Juan Rios:
> Hello,
>    I managed to get this router and want to get lede on it. The hardware is this
>
> Lantiq VRX288 500Mhz
> 2 NANYA NT5TU128M8HE-AC  256MB RAM
> ZENTEL A501GA31ATS 8G 128MB NAND FLASH.
> Wireless 2.4Ghz BCM43222KFBG
> Wireless 5Ghz BCM4360KMLG
> VDSL/ADSL2+ XWAY VRX208
> 5 port GB Ethernet

I would suggest to check whether the wireless chips are supported by any 
open source driver and to decide afterwards if it's worth the time to 
work further on this device. Broadcom and open source (wireless) drivers 
is usually a story of pain.

> I already found serial port pins and got the console log. The log is
> almost silent. I managed to get to the brnboot shell short cutting
> pins in the flash but cant do a flash dump.

Next time please paste the serial logs anyway. Maybe someone else is 
able to spot something interesting.

>
> ERASE Flash
> ---------------------------------------
>     Area            Address      Length
> ---------------------------------------
> [0] Boot            0x00000000    1024K
> [1] Image 0         0x00100000   10240K
> [2] Image 1         0x00B00000   10240K
> [3] Configuration   0x01500000    2048K
> [4] Boot Params     0x01700000    2048K
> [5] Nvram           0x01900000    1024K
> [6] Cert            0x01A00000   32768K
> [7] EmergencyValue  0x03A00000    6144K
> [8] Configuration2  0x04000000    2048K
> [9] All area        0x00000000   67584K

I wouldn't trust this flash layout. Doesn't look right to me for a 128MB 
flash chip.

> If I try to read from above address the router gets locked.
>
> I can read from certain area like memory or 0xBC000000 or 0xBE000000
> but others locks the router.

You can not access the NAND flash via the system memory addresses. It 
only works for memory mapped flash like NOR. NAND is I/O mapped.

> The boot ask for a password and continues booting.
>
> The emergency boot kernel is openwrt 10.3

What is a emergency boot kernel? Are you talking about the recovery web 
interface you get when press and hold the reset button on power on? If 
they are using OpenWrt, they have to provide the GPL sources. Ask for them!

> I found out that short cutting R201 I get CFG 07 instead of CFG 06 so
> maybe UART Mode is R201 + R203 but not sure. Not quite sure to try
> it...

With Lantiq SoCs in NAND boot config it should be enough to bring one of 
the bootsel pins to GND to force the SoC into UART mode.

> I can load to memory using xmodem transfer and run but all I tried get
> locked without any output.
>
> What I want is first dump the current content of the flash. Any ideas?

You can try to build an ascii (UART) u-boot for this device. But this 
requires the correct GPIO settings and matching memory parameters for 
the RAM chip. Usually I'm extracting the RAM chip parameters from the 
brnboot binary. But this seams to me a "chicken or the egg" problem here.

What's more likely to work is to create a second stage (brnboot) u-boot 
which doesn't have to do the low level chip initialisation and can be 
started from the brnboot shell [1]. You can use the u-boot for the BT 
HomeHub 5A [2] as a beginning and add the missing SYS_BOOT_BRN stuff 
from the VGV7510KW22 [3]. This might allow you to dump the NAND from the 
second stage u-boot.

Mathias


[1] 
https://wiki.openwrt.org/toh/arcadyan/vgv7510kw22#starting_u-boot_from_brnboot
[2] 
https://github.com/danielschwierzeck/u-boot-lantiq/commit/84581834622d6e7e3ceaee08b2ef8bcce3c227f7
[3] 
https://github.com/danielschwierzeck/u-boot-lantiq/commit/899107f62ad97ba123f74f378179c765f8469e01

More information about the Lede-dev mailing list