[zoomx]

Con quali programmi? Perché mi par di ricordare di averlo sperimentato anche io con una VS1 ma non funzionò. E non mi ricordo con quale programma.

[larsen64it]

Openocd su meraki mr18. E questo è il bello delle doppie configurazioni di openocd. Che se non ti funziona una jtag, passi ad un'altra, lasciando inalterato la configurazione del target.

Edit. Forse ho capito il perché.  Come si legge anche sul link postato, l'altera deve essere collegata anche al VCC(nTRST)

Else the signals can not be detected by the JTAG adapter.

[Puccio823]

rieccomi, ieri ho provato openocd con il cavo dlc5 e la vodafone station che avevo già sbloccato per vedere se si connetteva, e ha funzionato
domani dissaldo il jtag e lo saldo sull'aztech per provare, ma non ho il file u-boot.bin e non sono riuscito a trovarlo su internet, qualcuno sà dove posso trovarlo?
non posso usare direttamente quello di 64MB che si trova sul sito di openwrt?

[larsen64it]

http://dword1511.info/dword/bootloaders/rt305x/
Puoi sempre provare, perso per perso avrai un brick di un ap  già briccato. Almeno sei sicuro che andrà a riscrivere esattamente sopra la tua partizione.

[Puccio823]

Ciao ragazzi, oggi ho dissaldato il jtag dlc5 e l'ho saldato sul Aztech
però non và 
https://photos.app.goo.gl/ZBnS7d5BtRqRyqaQA
ho usato questa guida  https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=943020e anche il file cfg che è presente ma nulla di fatto
domanda.....è il file target che non va o il cavo jtag?

[larsen64it]

Se il cavo funzionava prima, deve funzionare anche adesso, a meno di qualche saldatura sbagliata.
https://www.thezdi.com/blog/2019/6/6/mindshare-hardware-reversing-with-the-belkin-surf-n300-router
Nell'ultima parte troverai la parte per openocd in modo da interrogare la cpu.

[Puccio823]

Ciao  @larsen64it 
non ho capito  bene cosa ci dovrei fare con la guida, anche oggi ho fatto diverse prove
ma nulla, inizio a pensare che è il cavo che non và per questa cpu forse dovrei collegare TP10 (3.3VDC) con TP7 (JTAG_TRST_N) come in questa foto https://www.ilpuntotecnico.com/Site/wp-content/uploads/2017/04/Jtag_xilinx_07.png
solo che mi manca la resistenza da 100 om
nel frattempo ho anche fatto il flash dell st-link v2  ed è andato tutto bene
potrei provare anche questo, chissà
Ah...avevo letto da qualche parte che il file uboot.bin si può ricavare dal firmware, conosci guide in merito

[larsen64it]

Era per fare la prova usando la tua jtag e provando ad interrogare la cpu.
Puoi provare anche se sulla guida di dd-wdr non era menzionata.

Per il st-link v2  devi togliere la parte riguardante dlc5 dalla cfg che hai usato.

[Puccio823]

Rieccomi, ho saldato una resistenza da 100 om tra TP7 (JTAG_TRST_N) e TP10 (3,3 V CC) nell aztech e openocd lo riconosce
solo che adesso non ho un file uboot per RT3052
https://photos.app.goo.gl/cQn4CUxcekUxki5i7
 

[larsen64it]

Se guardi nel link che ti avevo mandato oltre ad alcuni bin di backup ci sono altri uboot compilati da SDK. come da file readme
ti dovrebbe servire quelli:
Raw image  : nor_VENDOR_PRODUCT_RAMSIZE_BUSWIDTH_LANPARTITION.bin
                               apsdkXXXX                  32              32                 lan o all

[Puccio823]

Ciao @larsen64it, inizi a essermi tanto simpatico 

ho scaricato e fatto prove con i file dal sito che mi hai suggerito, ma non cambia molto
ho salvato copia di tutta la procedura spero che la guardi con attenzione e mi dai delle dritte
perchè al primo comando halt  appare

Codice: [Seleziona]

MIPS32 with MIPS16 support implemented
target halted in MIPS32 mode due to debug-request, pc: 0x9f000380e al secondo reset halt invece

Codice: [Seleziona]

target halted in MIPS32 mode due to debug-request, pc: 0x80040000perchè cambia?
al comando flash write_bank 0 uboot.bin 0x0  la risposta seguente

Codice: [Seleziona]

fast_data (0x8004008c) is within write area (0x8004010c-0x8004030c).
Change work-area-phys or load_image address! indica che cerco di scrivere il file boot in un posto sbagliato?
eccolo tutto

Codice: [Seleziona]

Open On-Chip Debugger
> flash info 0
Target not halted
auto_probe failed

> reset init
JTAG tap: rt3052.cpu tap/device found: 0x1305224f (mfg: 0x127 (MIPS Technologies
), part: 0x3052, ver: 0x1)
timed out while waiting for target halted
TARGET: rt3052.cpu - Not halted
Halt timed out, wake up GDB.
> flash info 0
Target not halted
auto_probe failed

> reset halt
JTAG tap: rt3052.cpu tap/device found: 0x1305224f (mfg: 0x127 (MIPS Technologies
), part: 0x3052, ver: 0x1)
timed out while waiting for target halted
TARGET: rt3052.cpu - Not halted
Halt timed out, wake up GDB.
> halt
MIPS32 with MIPS16 support implemented
target halted in MIPS32 mode due to debug-request, pc: 0x9f000380
> reset init
JTAG tap: rt3052.cpu tap/device found: 0x1305224f (mfg: 0x127 (MIPS Technologies
), part: 0x3052, ver: 0x1)
target halted in MIPS32 mode due to debug-request, pc: 0x9f000380
halting the target!!!!!!!!!!!!!!!!!!!!!!!!!!!
init SDRAM controller..........................@@@@@@@@@@@@@@@@@@@@
Find flash...
Flash Manufacturer/Device: 0x0001 0x227e
Load u-boot ..
couldn't open uboot_aztc.bin
Error executing event reset-init on target rt3052.cpu:
embedded:startup.tcl:279: Error:
in procedure 'ocd_process_reset'
in procedure 'ocd_process_reset_inner' called at file "embedded:startup.tcl", li
ne 279

> flash protect 0 0 1 off
protect: cfi primary command set 2 unsupported
cleared protection for sectors 0 through 1 on flash bank 0

> flash erase_sector 0 0 1
erased sectors 0 through 1 on flash bank 0 in 0.093750s

> flash write_bank 0 uboot.bin 0x0
fast_data (0x8004008c) is within write area (0x8004010c-0x8004030c).
Change work-area-phys or load_image address!
Falling back to non-bulk write
target halted in MIPS32 mode due to target-not-halted, pc: 0x80040088
fast_data (0x8004008c) is within write area (0x8004010c-0x8004030c).
Change work-area-phys or load_image address!
Falling back to non-bulk write
target halted in MIPS32 mode due to target-not-halted, pc: 0x80040088
fast_data (0x8004008c) is within write area (0x8004010c-0x8004030c).
Change work-area-phys or load_image address!
Falling back to non-bulk write
target halted in MIPS32 mode due to target-not-halted, pc: 0x80040088
fast_data (0x8004008c) is within write area (0x8004010c-0x8004030c).
Change work-area-phys or load_image address!
Falling back to non-bulk write
target halted in MIPS32 mode due to target-not-halted, pc: 0x80040088
fast_data (0x8004008c) is within write area (0x8004010c-0x8004030c).
Change work-area-phys or load_image address!
Falling back to non-bulk write
target halted in MIPS32 mode due to target-not-halted, pc: 0x80040000
error writing to flash at address 0xbf000000 at offset 0x00000000

> reste init
invalid command name "reste"
> reset init
JTAG tap: rt3052.cpu tap/device found: 0x1305224f (mfg: 0x127 (MIPS Technologies
), part: 0x3052, ver: 0x1)
timed out while waiting for target halted
TARGET: rt3052.cpu - Not halted
Halt timed out, wake up GDB.
> reset halt
JTAG tap: rt3052.cpu tap/device found: 0x1305224f (mfg: 0x127 (MIPS Technologies
), part: 0x3052, ver: 0x1)
target halted in MIPS32 mode due to debug-request, pc: 0x80040000
> flash write_bank 0 uboot.bin 0x0
Target not halted
error writing to flash at address 0xbf000000 at offset 0x00000000

> reset halt
JTAG tap: rt3052.cpu tap/device found: 0x1305224f (mfg: 0x127 (MIPS Technologies
), part: 0x3052, ver: 0x1)
timed out while waiting for target halted
TARGET: rt3052.cpu - Not halted
Halt timed out, wake up GDB.
> halt
target halted in MIPS32 mode due to debug-request, pc: 0x80040020
> reset init
JTAG tap: rt3052.cpu tap/device found: 0x1305224f (mfg: 0x127 (MIPS Technologies
), part: 0x3052, ver: 0x1)
target halted in MIPS32 mode due to debug-request, pc: 0x80040020
halting the target!!!!!!!!!!!!!!!!!!!!!!!!!!!
init SDRAM controller..........................@@@@@@@@@@@@@@@@@@@@
Find flash...
Flash Manufacturer/Device: 0x0001 0x227e
Load u-boot ..
couldn't open uboot_aztc.bin
Error executing event reset-init on target rt3052.cpu:
embedded:startup.tcl:279: Error:
in procedure 'ocd_process_reset'
in procedure 'ocd_process_reset_inner' called at file "embedded:startup.tcl", li
ne 279
> flash write_bank 0 uboot.bin 0x0
fast_data (0x8004008c) is within write area (0x8004010c-0x8004030c).
Change work-area-phys or load_image address!
Falling back to non-bulk write
target halted in MIPS32 mode due to target-not-halted, pc: 0x80040088
fast_data (0x8004008c) is within write area (0x8004010c-0x8004030c).
Change work-area-phys or load_image address!
Falling back to non-bulk write
target halted in MIPS32 mode due to target-not-halted, pc: 0x80040088
fast_data (0x8004008c) is within write area (0x8004010c-0x8004030c).
Change work-area-phys or load_image address!
Falling back to non-bulk write
fast_data (0x8004008c) is within write area (0x8004010c-0x8004030c).
Change work-area-phys or load_image address!
Falling back to non-bulk write
target halted in MIPS32 mode due to target-not-halted, pc: 0x80040088
fast_data (0x8004008c) is within write area (0x8004010c-0x8004030c).
Change work-area-phys or load_image address!
Falling back to non-bulk write
timed out while waiting for target halted
target halted in MIPS32 mode due to debug-request, pc: 0x80040020
error writing to flash at address 0xbf000000 at offset 0x00000000

> flash info 0
#0 : cfi at 0xbf000000, size 0x00800000, buswidth 2, chipwidth 2
        #  0: 0x00000000 (0x2000 8kB) not protected
        #  1: 0x00002000 (0x2000 8kB) not protected
        #  2: 0x00004000 (0x2000 8kB) not protected
        #  3: 0x00006000 (0x2000 8kB) not protected
        #  4: 0x00008000 (0x2000 8kB) not protected
        #  5: 0x0000a000 (0x2000 8kB) not protected
        #  6: 0x0000c000 (0x2000 8kB) not protected
        #  7: 0x0000e000 (0x2000 8kB) not protected
        #  8: 0x00010000 (0x10000 64kB) not protected
        #  9: 0x00020000 (0x10000 64kB) not protected
        # 10: 0x00030000 (0x10000 64kB) not protected
        # 11: 0x00040000 (0x10000 64kB) not protected
        # 12: 0x00050000 (0x10000 64kB) not protected
        # 13: 0x00060000 (0x10000 64kB) not protected
        # 14: 0x00070000 (0x10000 64kB) not protected
        # 15: 0x00080000 (0x10000 64kB) not protected
        # 16: 0x00090000 (0x10000 64kB) not protected
        # 17: 0x000a0000 (0x10000 64kB) not protected
        # 18: 0x000b0000 (0x10000 64kB) not protected
        # 19: 0x000c0000 (0x10000 64kB) not protected
        # 20: 0x000d0000 (0x10000 64kB) not protected
        # 21: 0x000e0000 (0x10000 64kB) not protected
        # 22: 0x000f0000 (0x10000 64kB) not protected
        # 23: 0x00100000 (0x10000 64kB) not protected
        # 24: 0x00110000 (0x10000 64kB) not protected
        # 25: 0x00120000 (0x10000 64kB) not protected
        # 26: 0x00130000 (0x10000 64kB) not protected
        # 27: 0x00140000 (0x10000 64kB) not protected
        # 28: 0x00150000 (0x10000 64kB) not protected
        # 29: 0x00160000 (0x10000 64kB) not protected
        # 30: 0x00170000 (0x10000 64kB) not protected
        # 31: 0x00180000 (0x10000 64kB) not protected
        # 32: 0x00190000 (0x10000 64kB) not protected
        # 33: 0x001a0000 (0x10000 64kB) not protected
        # 34: 0x001b0000 (0x10000 64kB) not protected
        # 35: 0x001c0000 (0x10000 64kB) not protected
        # 36: 0x001d0000 (0x10000 64kB) not protected
        # 37: 0x001e0000 (0x10000 64kB) not protected
        # 38: 0x001f0000 (0x10000 64kB) not protected
        # 39: 0x00200000 (0x10000 64kB) not protected
        # 40: 0x00210000 (0x10000 64kB) not protected
        # 41: 0x00220000 (0x10000 64kB) not protected
        # 42: 0x00230000 (0x10000 64kB) not protected
        # 43: 0x00240000 (0x10000 64kB) not protected
        # 44: 0x00250000 (0x10000 64kB) not protected
        # 45: 0x00260000 (0x10000 64kB) not protected
        # 46: 0x00270000 (0x10000 64kB) not protected
        # 47: 0x00280000 (0x10000 64kB) not protected
        # 48: 0x00290000 (0x10000 64kB) not protected
        # 49: 0x002a0000 (0x10000 64kB) not protected
        # 50: 0x002b0000 (0x10000 64kB) not protected
        # 51: 0x002c0000 (0x10000 64kB) not protected
        # 52: 0x002d0000 (0x10000 64kB) not protected
        # 53: 0x002e0000 (0x10000 64kB) not protected
        # 54: 0x002f0000 (0x10000 64kB) not protected
        # 55: 0x00300000 (0x10000 64kB) not protected
        # 56: 0x00310000 (0x10000 64kB) not protected
        # 57: 0x00320000 (0x10000 64kB) not protected
        # 58: 0x00330000 (0x10000 64kB) not protected
        # 59: 0x00340000 (0x10000 64kB) not protected
        # 60: 0x00350000 (0x10000 64kB) not protected
        # 61: 0x00360000 (0x10000 64kB) not protected
        # 62: 0x00370000 (0x10000 64kB) not protected
        # 63: 0x00380000 (0x10000 64kB) not protected
        # 64: 0x00390000 (0x10000 64kB) not protected
        # 65: 0x003a0000 (0x10000 64kB) not protected
        # 66: 0x003b0000 (0x10000 64kB) not protected
        # 67: 0x003c0000 (0x10000 64kB) not protected
        # 68: 0x003d0000 (0x10000 64kB) not protected
        # 69: 0x003e0000 (0x10000 64kB) not protected
        # 70: 0x003f0000 (0x10000 64kB) not protected
        # 71: 0x00400000 (0x10000 64kB) not protected
        # 72: 0x00410000 (0x10000 64kB) not protected
        # 73: 0x00420000 (0x10000 64kB) not protected
        # 74: 0x00430000 (0x10000 64kB) not protected
        # 75: 0x00440000 (0x10000 64kB) not protected
        # 76: 0x00450000 (0x10000 64kB) not protected
        # 77: 0x00460000 (0x10000 64kB) not protected
        # 78: 0x00470000 (0x10000 64kB) not protected
        # 79: 0x00480000 (0x10000 64kB) not protected
        # 80: 0x00490000 (0x10000 64kB) not protected
        # 81: 0x004a0000 (0x10000 64kB) not protected
        # 82: 0x004b0000 (0x10000 64kB) not protected
        # 83: 0x004c0000 (0x10000 64kB) not protected
        # 84: 0x004d0000 (0x10000 64kB) not protected
        # 85: 0x004e0000 (0x10000 64kB) not protected
        # 86: 0x004f0000 (0x10000 64kB) not protected
        # 87: 0x00500000 (0x10000 64kB) not protected
        # 88: 0x00510000 (0x10000 64kB) not protected
        # 89: 0x00520000 (0x10000 64kB) not protected
        # 90: 0x00530000 (0x10000 64kB) not protected
        # 91: 0x00540000 (0x10000 64kB) not protected
        # 92: 0x00550000 (0x10000 64kB) not protected
        # 93: 0x00560000 (0x10000 64kB) not protected
        # 94: 0x00570000 (0x10000 64kB) not protected
        # 95: 0x00580000 (0x10000 64kB) not protected
        # 96: 0x00590000 (0x10000 64kB) not protected
        # 97: 0x005a0000 (0x10000 64kB) not protected
        # 98: 0x005b0000 (0x10000 64kB) not protected
        # 99: 0x005c0000 (0x10000 64kB) not protected
        #100: 0x005d0000 (0x10000 64kB) not protected
        #101: 0x005e0000 (0x10000 64kB) not protected
        #102: 0x005f0000 (0x10000 64kB) not protected
        #103: 0x00600000 (0x10000 64kB) not protected
        #104: 0x00610000 (0x10000 64kB) not protected
        #105: 0x00620000 (0x10000 64kB) not protected
        #106: 0x00630000 (0x10000 64kB) not protected
        #107: 0x00640000 (0x10000 64kB) not protected
        #108: 0x00650000 (0x10000 64kB) not protected
        #109: 0x00660000 (0x10000 64kB) not protected
        #110: 0x00670000 (0x10000 64kB) not protected
        #111: 0x00680000 (0x10000 64kB) not protected
        #112: 0x00690000 (0x10000 64kB) not protected
        #113: 0x006a0000 (0x10000 64kB) not protected
        #114: 0x006b0000 (0x10000 64kB) not protected
        #115: 0x006c0000 (0x10000 64kB) not protected
        #116: 0x006d0000 (0x10000 64kB) not protected
        #117: 0x006e0000 (0x10000 64kB) not protected
        #118: 0x006f0000 (0x10000 64kB) not protected
        #119: 0x00700000 (0x10000 64kB) not protected
        #120: 0x00710000 (0x10000 64kB) not protected
        #121: 0x00720000 (0x10000 64kB) not protected
        #122: 0x00730000 (0x10000 64kB) not protected
        #123: 0x00740000 (0x10000 64kB) not protected
        #124: 0x00750000 (0x10000 64kB) not protected
        #125: 0x00760000 (0x10000 64kB) not protected
        #126: 0x00770000 (0x10000 64kB) not protected
        #127: 0x00780000 (0x10000 64kB) not protected
        #128: 0x00790000 (0x10000 64kB) not protected
        #129: 0x007a0000 (0x10000 64kB) not protected
        #130: 0x007b0000 (0x10000 64kB) not protected
        #131: 0x007c0000 (0x10000 64kB) not protected
        #132: 0x007d0000 (0x10000 64kB) not protected
        #133: 0x007e0000 (0x10000 64kB) not protected
        #134: 0x007f0000 (0x10000 64kB) not protected

CFI flash: mfr: 0x0001, id:0x227e

qry: 'QRY', pri_id: 0x0002, pri_addr: 0x0040, alt_id: 0x0000, alt_addr: 0x0000
Vcc min: 2.7, Vcc max: 3.6, Vpp min: 0.0, Vpp max: 0.0
typ. word write timeout: 128 us, typ. buf write timeout: 128 us, typ. block eras
e timeout: 1024 ms, typ. chip erase timeout: 1 ms
max. word write timeout: 1024 us, max. buf write timeout: 4096 us, max. block er
ase timeout: 16384 ms, max. chip erase timeout: 1 ms
size: 0x800000, interface desc: 2, max buffer write size: 0x20

Spansion primary algorithm extend information:
pri: 'PRI', version: 1.3
Silicon Rev.: 0x4, Address Sensitive unlock: 0x0
Erase Suspend: 0x2, Sector Protect: 0x1
VppMin: 11.5, VppMax: 12.5


> halt
>se ti serve posso allegare il file target di openocd

[larsen64it]

Non è che sono un maestro, come te seguo le guide scritte da altri.

Codice: [Seleziona]

target halted in MIPS32 mode due to debug-request, pc: xxxxxxxxIndica che il comando per fermare il processore è andato a buon fine
xxxxxxxx varia ogni volta basta che non sia 0x00000000 (dovrebbe indicare che il processore è stato fermato ma non si è entrati in debug mode)

Codice: [Seleziona]

fast_data (0x8004008c) is within write area (0x8004010c-0x8004030c).
Change work-area-phys or load_image address!se non è preceduto da error dovrebbe significare che si è impostato la scrittura veloce (credo).
Da telnet vedo che i comandi reset non gli piacciono mentre halt va a buon fine.
P.S. Ma non perché non hai provato la configurazione postata su dd-wrt che sembra testata e funzionante?