Got to console; boot_wait is ON but still no go. Corrupt CFE?

Discussion in 'Cisco/Linksys Wireless Routers' started by ds18s20, Sep 7, 2011.

  1. ds18s20

    ds18s20 LI Guru Member

    I do have console access, I do have boot_wait set to ON and I can verify that with nvram show but the box does NOT stop for the wait and hence it is NOT possible to ping and load new firmware.

    Could the CFE be bad and hence jtag blues?

    here is my console output:

    CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
    Build Date: Tue Aug  3 20:42:46 CST 2004 (root@me)
    Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.
    Initializing Arena.
    Initializing Devices.
    No DPN
    et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller
    rndis0: Broadcom USB RNDIS Network Adapter (P-t-P)
    CPU type 0x29007: 200MHz
    Total memory: 0x1000000 bytes (16MB)
    Total memory used by CFE:  0x80300000 - 0x8043DF50 (1302352)
    Initialized Data:          0x803381C0 - 0x8033A570 (9136)
    BSS Area:                  0x8033A570 - 0x8033BF50 (6624)
    Local Heap:                0x8033BF50 - 0x8043BF50 (1048576)
    Stack Area:                0x8043BF50 - 0x8043DF50 (8192)
    Text (code) segment:      0x80300000 - 0x803381C0 (229824)
    Boot area (physical):      0x0043E000 - 0x0047E000
    Relocation Factor:        I:00000000 - D:00000000
    Boot version: v3.3
    The boot is CFE
    mac_init(): Find mac [00:12:17:0B:73:8A] in location 1
    No eou key find
    Device eth0:  hwaddr 00-12-17-0B-73-8A, ipaddr, mask
            gateway not set, nameserver not set
    Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
    Loading: ...... 1630208 bytes read
    Entry at 0x80001000
    Closing network.
    Starting program at 0x80001000
    CPU revision is: 00029007
    Primary instruction cache 8kb, linesize 16 bytes (2 ways)
    Primary data cache 4kb, linesize 16 bytes (2 ways)
    Linux version 2.4.20 (crazy@sw1) (gcc version 3.2.3 with Broadcom modifications)
    #5 Tue Jul 12 05:10:48 HKT 2011
    Setting the PFC value as 0x15
    Determined physical RAM map:
    memory: 01000000 @ 00000000 (usable)
    On node 0 totalpages: 4096
    zone(0): 4096 pages.
    zone(1): 0 pages.
    zone(2): 0 pages.
    Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
    CPU: BCM4712 rev 1 at 200 MHz
    Calibrating delay loop... 199.47 BogoMIPS
    Memory: 14372k/16384k available (1395k kernel code, 2012k reserved, 112k data, 6
    8k init, 0k highmem)
    Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
    Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
    Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
    Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
    Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
    Checking for 'wait' instruction...  unavailable.
    POSIX conformance testing by UNIFIX
    PCI: Disabled
    PCI: Fixing up bus 0
    Linux NET4.0 for Linux 2.4
    Based upon Swansea University Computer Society NET3.039
    Initializing RT netlink socket
    Starting kswapd
    devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
    devfs: boot_options: 0x1
    pty: 256 Unix98 ptys configured
    Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI en
    ttyS00 at 0xb8000300 (irq = 3) is a 16550A
    ttyS01 at 0xb8000400 (irq = 0) is a 16550A
    HDLC line discipline: version $Revision: $, maxframe=4096
    N_HDLC line discipline registered.
    PPP generic driver version 2.4.2
    Flash device: 0x400000 at 0x1c000000
    Physically mapped flash: squashfs filesystem found at block 940
    le32_to_cpu(trx->magic)=0x30524448 trx->magic=0x30524448
    bcm947xx_parts[1].offset=0x0 trx->offsets[1]=0x1 off
    off=0xeb0d4 off1=0x400000 size=0x400000
    (Not Found Lang Block)off=0xeb0d4 off1=0x3a0000 size=0x400000
    nvram: offset=0x3f0000 size=0x10000
    Creating 5 MTD partitions on "Physically mapped flash":
    0x00000000-0x00040000 : "boot"
    0x00040000-0x003a0000 : "linux"
    0x000eb0d4-0x003a0000 : "rootfs"
    mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-o
    0x003a0000-0x003f0000 : "lang"
    0x003f0000-0x00400000 : "nvram"
    sflash: found no supported devices
    NET4: Linux TCP/IP 1.0 for NET4.0
    IP Protocols: ICMP, UDP, TCP, IGMP
    IP: routing cache hash table of 512 buckets, 4Kbytes
    TCP: Hash tables configured (established 1024 bind 2048)
    Linux IP multicast router 0.06 plus PIM-SM
    ip_conntrack version 2.1 (128 buckets, 1024 max) - 344 bytes per conntrack
    ip_conntrack_rtsp v0.01 loading
    ip_nat_rtsp v0.01 loading
    ip_tables: (C) 2000-2002 Netfilter core team
    ipt_time loading
    NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
    NET4: Ethernet Bridge 008 for NET4.0
    802.1Q VLAN Support v1.7 Ben Greear <greearb@candelatech.com>
    All bugs added by David S. Miller <davem@redhat.com>
    cramfs: wrong magic
    VFS: Mounted root (squashfs filesystem) readonly.
    Mounted devfs on /dev
    Freeing unused kernel memory: 68k freed
    SQUASHFS error: Can't find a SQUASHFS superblock on mtdblock(31,3)
    ret = -1
    www -> /www
    mount: No such file or directory
    Language Package: R
    modules[0]=et buf=[et ]
    modules[1]=ctmisc buf=[et ctmisc ]
    modules[2]=port_based_qos_mod buf=[et ctmisc port_based_qos_mod ]
    modules[3]=wl buf=[et ctmisc port_based_qos_mod wl ]
    Needed modules: et ctmisc port_based_qos_mod wl
    Using /lib/modules/2.4.20/kernel/drivers/net/et/et.o
    eth0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller
    insmod: ctmisc.o: no module by that name found
    Using /lib/modules/2.4.20/kernel/drivers/net/port_based_qos/port_based_qos_mod.o
    Initializing port_based_qos_mod driver 0.0.1
    Using /lib/modules/2.4.20/kernel/drivers/net/wl/wl.o
    eth1: Broadcom BCM4320 802.11 Wireless Controller
    Algorithmics/MIPS FPU Emulator v1.5
    Unable to handle kernel paging request at virtual address 00000008, epc == c001d
    030, ra == c001b124
    Oops in fault.c::do_page_fault, line 192:
    $0 : 00000000 1000fc00 c001d028 80ffc4a0 00000000 00000010 00000000 80cc1dd8
    $8 : 0000000f 80ffef44 00000000 00000000 7fff7e80 2ab0841c 00000000 00400700
    $16: 00000010 c001e1e8 00000000 0000000f 80fb8400 8009cfa4 80011044 80cc1dda
    $24: 00000000 2ab30d30                  80cc0000 80cc1d78 c001b130 c001b124
    Hi : 00000000
    Lo : 00000d60
    epc  : c001d030    Not tainted
    Status: 1000fc02
    Cause : 00000008
    Process et (pid: 16, stackpage=80cc0000)
    Stack:    8017fbf4 000001d2 8017fe24 00424a80 7fff6568 80030208 00003731
    1000939c c001b124 00000041 2ab7da20 00000000 001c9603 80e0b560 80cc1dda
    80e0b560 c001d1e0 10008100 80f451bc 8002fe0c 80f451a0 2ab7d000 80cc1dda
    800274dc 00000000 37363534 80ffef40 80fb8400 00000000 80fc0860 00000004
    80cc1e90 80cc1e90 00000000 7fff6568 c0019180 800a1afc 46454443 4a494847
    4e4d4c4b ...
    Call Trace:  [<80030208>] [<c001b124>] [<c001d1e0>] [<8002fe0c>] [<800274dc>]
    [<c0019180>] [<800a1afc>] [<c0018354>] [<800bcb88>] [<800bcdec>] [<80136398>]
    [<8004ded4>] [<801063b4>] [<800b3214>] [<800482f0>] [<800b37fc>] [<800085a4>]
    Code: 27bd0038  27bdffd8  afbf0020 <8c870008> 24030002  afa30010  8ce2000c  30a5
    00ff  30c600ff
    Hit enter to continue...
  2. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Your CFE is probably okay... It's showing MAC addresses in that output so the CFE is still there... I've never read of one getting corrupted, usually just totally wiped (by accident) from people...
  3. ds18s20

    ds18s20 LI Guru Member

    well I must say this looks like a bug with the CFE boot_wait algorithm. If it finds any image to boot from it does NOT wait at all. In my case the image was found but corrupt so CFE never waited to tftp - it loaded the image and did JMP to the beginning address only to crash later.

    What I did is I wiped the image from the CFE command line and only then did CFE actually wait for tftp and I could load another firmware image. So it seems to me that as long as a seemingly valid image is found within the kernel flash space the boot_wait is ignored and that image is jumped to regardless of what happens next. In my case "next" was a crash and that completed the loop of not being able to load a good firmware.

    So in summary the solution: erase linux and reboot; no image found and CFE does wait for tftp (provided of course that nvram boot_wait is set to ON)
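
Added example, not part of the thread: a check of a TRX image file before it is sent over tftp, showing that an image can carry the magic from the boot log above (0x30524448) and still be corrupt. The 28-byte header layout and the CRC convention are assumptions taken from the commonly documented Broadcom TRX v1 format; `check_trx` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import struct
import zlib

TRX_MAGIC = 0x30524448  # "HDR0" read little-endian; value printed in the boot log
# Assumed TRX v1 layout: magic, len, crc32, flags, version, offsets[3]
TRX_HEADER = struct.Struct("<IIIHH3I")
CRC_START = 12          # the CRC covers everything after the crc32 field


def trx_crc(data):
    # Assumed convention: CRC-32 with initial value 0xFFFFFFFF and no final XOR,
    # which is the bitwise complement of zlib.crc32.
    return ~zlib.crc32(data) & 0xFFFFFFFF


def check_trx(image):
    """Return a list of problems; an empty list means the container is consistent."""
    if len(image) < TRX_HEADER.size:
        return ["shorter than a TRX header"]
    magic, length, crc, flags, version, *offsets = TRX_HEADER.unpack_from(image)
    if magic != TRX_MAGIC:
        return ["bad magic 0x%08x" % magic]
    if length < TRX_HEADER.size or length > len(image):
        return ["header length %d does not fit file of %d bytes" % (length, len(image))]
    problems = []
    if trx_crc(image[CRC_START:length]) != crc:
        problems.append("CRC mismatch: magic is valid but contents are corrupt")
    for i, off in enumerate(offsets):
        # Offset 0 means the slot is unused; anything else must point inside the image.
        if off and not (TRX_HEADER.size <= off < length):
            problems.append("offset[%d]=0x%x outside image" % (i, off))
    return problems


def build_sample(payload):
    """Constructed sample: a header plus payload with one partition at offset 28."""
    length = TRX_HEADER.size + len(payload)
    tail = struct.pack("<HH3I", 0, 1, TRX_HEADER.size, 0, 0) + payload
    return struct.pack("<III", TRX_MAGIC, length, trx_crc(tail)) + tail


if __name__ == "__main__":
    good = build_sample(b"\x00" * 64)
    bad = bytearray(good)
    bad[40] ^= 0xFF     # flip one payload byte; the header magic is untouched
    print("good:", check_trx(good))
    print("bad: ", check_trx(bytes(bad)))
```

The function expects a raw TRX file; a vendor .bin that wraps the TRX in its own header is not handled.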
  4. ds18s20

    ds18s20 LI Guru Member

    to be clear, the console command which wipes the kernel in my version of CFE is this:
    mtd erase linux
  5. ds18s20

    ds18s20 LI Guru Member

    Anyone looking for good working CFE, here is mine:

    C:\temp\HairyDairyMaid_WRT54G_Debrick_Utility_v45\windows>WRT54G -backup:cfe /no
    reset /nobreak /silent
    WRT54G/GS EJTAG Debrick Utility v4.5
    Probing bus ... Done
    Instruction Length set to 8
    CPU Chip ID: 00010100011100010010000101111111 (1471217F)
    *** Found a Broadcom BCM4712 Rev 1 CPU chip ***
        - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
        - EJTAG Version ....... : 1 or 2.0
        - EJTAG DMA Support ... : Yes
    Issuing Processor / Peripheral Reset ... Skipped
    Enabling Memory Writes ... Done
    Halting Processor ... Skipped
    Clearing Watchdog ... Done
    Probing Flash at (Flash Window: 0x1fc00000) ... Done
    Flash Vendor ID: 00000000000000000000000010001001 (00000089)
    Flash Device ID: 00000000000000001000100011000101 (000088C5)
    *** Found a Intel 28F320C3 2Mx16 BotB  (4MB) Flash Chip ***
        - Flash Chip Window Start .... : 1fc00000
        - Flash Chip Window Length ... : 00400000
        - Selected Area Start ........ : 1fc00000
        - Selected Area Length ....... : 00040000
    *** You Selected to Backup the CFE.BIN ***
    Backup Routine Started
    Saving CFE.BIN.SAVED_20070114_193336 to Disk...
    Done  (CFE.BIN.SAVED_20070114_193336 saved to Disk OK)
    bytes written: 262144
    Backup Routine Complete
    elapsed time: 84 seconds
  6. tekara

    tekara Networkin' Nut Member

    What version WRT is your CFE from?