Install OpenWrt on P.RG AV4202N router

Updated on: 2020-09-06T13:37:22Z

How to install OpenWrt firmware on AV4202N xDSL router after replacing CFE via JTAG.

AV4202N is an xDSL modem and WiFi router based on the BCM6368 SoC manufactured by Broadcom. The CPU has 2 cores running at 400 MHz, with 64 MB RAM and 16 MB flash memory. It also has 2 USB 2.0 ports and 2 internal WiFi antennas.

Currently, although the BCM63xx platform is supported by OpenWrt, there are no releases for this device. The LEDE Project has not released a stable build for it either, but it offers a development snapshot [3]. The problem with LEDE snapshots is that they don't work out of the box without additional software packages (you don't get any web interface).

However, LEDE can't be installed on the device as shipped because of the locked bootloader. This article shows how to use JTAG to install a different bootloader that can then be used to flash OpenWRT/LEDE firmware. Part 2 details LEDE configuration and the internet connection.

Note! If the mentioned device was offered to you by an ISP for xDSL internet access, doing what is described next will void the warranty of the device and make it unusable. You should not attempt to change firmware in this situation. Third party firmware does not support xDSL!
Install OpenWRT/LEDE on P.RG AV4202N router

Connections

To start you will need both JTAG port access and serial port access. You can start by soldering pinheaders on J5 (2x3 pinheader, 2.54 mm pitch – this is the serial port, with 3.3V TTL levels) and on J2 (2x7 pinheader, 2.54 mm pitch – standard MIPS EJTAG port, with 3.3 V levels).

AV4202N serial port
AV4202N serial port (OpenWRT TOH [1])
AV4202N JTAG port
AV4202N JTAG port (JTAG on LinuxMIPS wiki [2])

Replace CFE

The original bootloader (CFE) responds to commands sent via serial port and allows firmware images to be installed (only signed images, not OpenWRT/LEDE). Somehow, I managed to break it with a crappy serial cable and some power cycling before making a backup of it. So I started to look for alternative bootloaders. Although I couldn’t find the original CFE, I managed to find a CFE from a router with the same SoC [4]. I’m talking about Netgear DGND3700 (download here the binary image, ready for flashing).

I successfully flashed a new CFE using UrJTAG and zJTAG. There are some issues with this SoC. First of all, it does not identify itself (IDCODE) until the instruction register length has been set, and both tools presented here read the IDCODE before setting the instruction length. This breaks further JTAG commands because the software can't identify the CPU. So, the registers need to be set manually in UrJTAG (standard MIPS registers) and CPU identification needs to be skipped in zJTAG. The other issue with this SoC is that it doesn't support DMA mode; only PrAcc, which is slower (flashing the 128 kbyte CFE takes 15-20 minutes).

Let’s start! Connect the router to a JTAG adapter (I’ve used an older computer with parallel port and Wiggler adapter) and power up the router. If you want to use UrJTAG, here are all commands [5] (you can put these lines in a text file and use the include command in UrJTAG or you can write them one at a time). Adjust the cable command for your adapter. Ignore unknown device errors produced by detect.
cable wiggler parallel 0x378
endian big
detect

register BR         1
register DIR  32
register EJIMPCODE 32
register EJADDRESS 32
register EJDATA  32
register EJCONTROL 32
register EJALL  96

instruction length 5
instruction BYPASS  11111 BR
instruction IDCODE  00001 DIR
instruction EJTAG_IMPCODE 00011 EJIMPCODE
instruction EJTAG_ADDRESS 01000 EJADDRESS
instruction EJTAG_DATA 01001 EJDATA
instruction EJTAG_CONTROL 01010 EJCONTROL
instruction EJTAG_ALL 01011 EJALL

initbus ejtag

detectflash 0x38000000
Now you can use the standard memory read/write routines. CFE is at the beginning, so the base address is 0x38000000 and size is 0x20000. Read/flash operations are:
readmem 0x38000000 0x020000 cfe_backup.bin
flashmem 0x38000000 cfe_new.bin
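Once the write finishes, it is worth reading the region back and comparing it with the image before power cycling. The following Python script is an added example, not from the original post; it assumes the readback is the full 0x20000-byte CFE region dumped with readmem (readmem 0x38000000 0x020000 cfe_verify.bin) and that bytes beyond the end of a shorter image read back as erased 0xFF.

```python
# Added example (not from the original post): verify a CFE write by comparing
# a post-flash readmem dump against the image that was flashed. Assumes the
# dump covers the whole 0x20000-byte CFE region at 0x38000000 and that the
# part of the erased block beyond the image's end reads back as 0xFF.
import sys

CFE_BASE = 0x38000000
CFE_SIZE = 0x20000  # 128 KiB, the size used by readmem/zjtag in this post


def verify_cfe_flash(readback, image, base=CFE_BASE, size=CFE_SIZE):
    """Return a report dict: 'ok' flag plus the first problem found, if any."""
    if len(readback) != size:
        return {"ok": False, "error": "dump is %d bytes, expected 0x%X"
                % (len(readback), size)}
    if not image or len(image) > size:
        return {"ok": False, "error": "image is %d bytes, must be 1..0x%X"
                % (len(image), size)}
    # Compare the written part byte by byte; report the first mismatch as a
    # flash address so the spot can be re-read with readmem.
    for off, (got, want) in enumerate(zip(readback, image)):
        if got != want:
            return {"ok": False, "error":
                    "mismatch at 0x%08X: read 0x%02X, expected 0x%02X"
                    % (base + off, got, want)}
    # Anything after the image must still be erased flash (0xFF).
    tail = readback[len(image):]
    bad = next((i for i, b in enumerate(tail) if b != 0xFF), None)
    if bad is not None:
        return {"ok": False, "error": "unerased byte at 0x%08X"
                % (base + len(image) + bad)}
    return {"ok": True, "error": None, "bytes_checked": len(image)}


def verify_files(dump_path, image_path):
    """Load both files and run the comparison."""
    with open(dump_path, "rb") as f:
        readback = f.read()
    with open(image_path, "rb") as f:
        image = f.read()
    return verify_cfe_flash(readback, image)


if __name__ == "__main__":
    # Usage: python verify_cfe.py cfe_verify.bin cfe_new.bin
    report = verify_files(sys.argv[1], sys.argv[2])
    print("OK" if report["ok"] else "FAILED: " + report["error"])
    sys.exit(0 if report["ok"] else 1)
```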
Or, if you prefer zJTAG, these are the commands to read, erase and flash the CFE. The parameters are for Wiggler cable.
zjtag -backup:custom /BE /instrlen:5 /nodma /noreset /skipdetect /wiggler /window:38000000 /start:38000000 /length:20000

zjtag -erase:custom /BE /instrlen:5 /nodma /noreset /skipdetect /wiggler /window:38000000 /start:38000000 /length:20000

zjtag -flash:custom /BE /instrlen:5 /nodma /noreset /skipdetect /wiggler /window:38000000 /start:38000000 /length:20000
For the flash to work, the CFE must be named CUSTOM.BIN and placed in the working directory (i.e. the folder you are running zJTAG from). Once you hit Enter, the process starts. You need to wait about 5 minutes for a read and 15 minutes for a flash write. This is the output in my case. After it finishes, power cycle the device with the serial cable connected and a serial terminal started (e.g. PuTTY).
        ==============================================
               zJTAG EJTAG Debrick Utility v1.8 RC3
        ==============================================

cable=wiggler, cabletype=3

Selected port = 0x378

Detected IR chain length = 32

There are 1 device(s) in the JTAG chain
 IDCODE for device 1 is 0xFFFFFFFF (IR length:1)

Probing bus ... Done

Instruction Length manually set to 5

CPU assumed running under BIG endian

CPU Chip ID: 00000110001101101000000101111111 (0x0636817F)
    CPU Manufacturer :Broadcom(ID=0x17E)
    CPU Device ID :6368
    CPU Revision  :1

*** CHIP DETECTION OVERRIDDEN ***

    - EJTAG IMPCODE ....... : 00000000100000011000100100000100 (0x00818904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS16 MIPS32
    *** DMA Mode Forced Off ***

Issuing Processor / Peripheral Reset ... Skipped
Enabling Memory Writes ... Done
Halting Processor ...  ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped

Probing Flash at Address: 0x38000000 ...
Detected Chip ID (VenID:DevID = 017E : 2101)
*** Found a CFI Compatiable Flash Chip from AMD/Spansion

    - Flash Chip Window Start .... : 38000000
    - Flash Chip Window Length ... : 01000000
    - Selected Area Start ........ : 38000000
    - Selected Area Length ....... : 00020000

*** You Selected to Flash the CUSTOM.BIN ***

=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 1

Erasing block: 1 (addr = 38000000)...Done

Loading CUSTOM.BIN to Flash Memory...
Done  (CUSTOM.BIN loaded into Flash Memory OK)

=========================
Flashing Routine Complete
=========================
elapsed time: 832 seconds


 *** REQUESTED OPERATION IS COMPLETE ***
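The Chip ID and IMPCODE lines in that output can be decoded by hand. The following Python is an added example, not from the original post or from zJTAG; it splits the two words using the EJTAG register layouts and shows why the tool reports "DMA Support: Yes" while the transfer still has to be forced to PrAcc with /nodma (the flag only says the core advertises DMA).

```python
# Added example, not part of the original post: decode the Chip ID (the EJTAG
# Device ID / JTAG IDCODE register) and IMPCODE words that zJTAG printed.
# Field positions follow the MIPS EJTAG specification: Device ID =
# version[31:28], part number[27:12], JEDEC manufacturer[11:1], bit 0 = 1;
# IMPCODE = EJTAGver[31:29], R3k bit 28, MIPS16 bit 16, NoDMA bit 14,
# MIPS32/64 type bit 0.

EJTAG_VERSIONS = {0: "1 or 2.0", 1: "2.5", 2: "2.6", 3: "3.1"}


def decode_device_id(idcode):
    """Split a 32-bit EJTAG Device ID into its fields."""
    return {
        "version": (idcode >> 28) & 0xF,
        "part_number": (idcode >> 12) & 0xFFFF,   # 0x6368 for this SoC
        "manufacturer": (idcode >> 1) & 0x7FF,    # JEDEC bank/code form
        "manufacturer_zjtag": idcode & 0xFFE,     # unshifted, as zJTAG prints it
    }


def decode_impcode(impcode):
    """Decode the EJTAG Implementation register (IMPCODE)."""
    ver = (impcode >> 29) & 0x7
    return {
        "ejtag_version": EJTAG_VERSIONS.get(ver, "unknown (%d)" % ver),
        "r3k": bool(impcode & (1 << 28)),
        "mips16": bool(impcode & (1 << 16)),
        # NoDMA = 0 means the core advertises DMA transfers. On the BCM6368
        # they do not work in practice, which is why the post uses /nodma
        # (PrAcc mode) even though this flag reads as "DMA Support: Yes".
        "dma_advertised": not (impcode & (1 << 14)),
        "mips64": bool(impcode & 1),
    }


def describe(idcode, impcode):
    """Render both registers in the style of the zJTAG banner."""
    d, i = decode_device_id(idcode), decode_impcode(impcode)
    return ("Device ID %04X, manufacturer 0x%03X, EJTAG %s, %s, DMA %s, %s"
            % (d["part_number"], d["manufacturer_zjtag"], i["ejtag_version"],
               "R3k" if i["r3k"] else "R4k",
               "yes" if i["dma_advertised"] else "no",
               "MIPS64" if i["mips64"] else "MIPS32"))


if __name__ == "__main__":
    # Values taken from the zJTAG output above.
    print(describe(0x0636817F, 0x00818904))
```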

Configure CFE

You need the serial port to configure CFE (set board parameters). The Netgear CFE does not auto-configure itself and will not boot at all until this is done, so if you don't use the serial connection the router will appear bricked and is unusable. Once you power up the device you should see the following in the serial console.
CFE version 1.0.37-104.4 for BCM96368 (32bit,SP,BE)
Build Date: Mon Nov  2 14:16:18 PST 2009 (root@localhost)
Copyright (C) 2000-2009 Broadcom Corporation.

Parallel flash device: name AM29LV320MT, id 0x2201 size 16384KB

*** Board is not initialized properly ***

*** Upgrading NVRAM (version 253635900 to version 5) ***


*** Board is not initialized properly ***

Press:   to use current value
        '-' to go previous parameter
        '.' to clear the current value
        'x' to exit this command
96368VVW         ------- 0
96368MVWG        ------- 1
96368SV2         ------- 2
96368MBG         ------- 3
96368NTR         ------- 4
96368MBG6b       ------- 5
96368VVWB        ------- 6
96368MVWGB       ------- 7
96368MNG         ------- 8
96368MBG6302     ------- 9
96368MVWGJ       ------- 10
96367AVNG        ------- 11
Board Id (0-11)                   :
You are now in the CFE console. It asks for a board ID. For the AV4202N device, boards MBG, MNG and AVNG have the best functionality (some LEDs light up, the switch works). I'm using 96368MNG (8). You will notice that while the bootloader is running (before the firmware loads), the wrong LED lights up. There's nothing you can do about this; don't worry, once the firmware boots it will take control of the LEDs. The important thing is that the switch is working and you can access the CFE via TCP and install LEDE. Continue the configuration by entering the respective board number and hitting Enter. The default number of MAC addresses for this router is 16. Enter the base MAC address from the label on the back of the case. Leave the remaining options at their default values.

Once you finish the configuration, the device reboots.

LEDE installation

You don’t need the JTAG connection anymore. Power cycle the device and access the serial CFE console (quickly after power up press any keys in serial terminal). You can also enter CFE console by powering up the device while holding down reset button. Before installing LEDE, I suggest erasing the entire flash. In the serial terminal press e a, then y when asked to confirm.

On your computer set the wired adapter to static IP 192.168.1.2, subnet mask 255.255.255.0 and default gateway 192.168.1.1. Open a browser and go to http://192.168.1.1. You should see the CFE web interface where you can load the LEDE firmware image.

CFE web interface
Snapshots for AV4202N can be found here: generic or smp (direct links). If these links get outdated, go to LEDE Project Downloads, select release, target brcm63xx, generic or smp and look for filename starting with AV4202N.

If you still have the serial console open, you will see:
web info: Upload 3538948 bytes, Broadcom image format.
CFE>
Flashing root file system and kernel at 0xb8020000: ............................

.
*** Image flash done *** !

Resetting board…
The second part of this tutorial covers setting up LEDE. For now, you should set the wired network back to DHCP (automatic IP address).

Links

  1. OpenWRT Table of Hardware. ADB P.DG AV4202N.
  2. LinuxMIPS Wiki. JTAG.
  3. LEDE Project. Downloads.
  4. NETGEAR Open Source Code for Programmers (GPL). DGND3700.
  5. OpenWRT Table of Hardware. Huawei Echolife HG622.

11 comments:

  1. Thank you for the guide.
    I got 3 modems (A1 Austria branded) for free and will try it.
    Just waiting for my JTAG cable to arrive.

    Replies
    1. It would be nice if you could make a backup of the original bootloader and send it to me. Somehow I lost the original bootloader. What JTAG cable will you be using?

  2. Very good guide. I tried UrJTAG with your script and got the SoC info, but my device is a BCM6368 + NAND flash
    (Thomson CPE TG788). The only JTAG tool that can deal with NAND flash, I think, is OpenOCD, but unfortunately it cannot accept MIPS registers manually. Do you have a solution for me? Thanks

    Replies
    1. Unfortunately I have no idea about using openocd with MIPS.

    2. Thanks for the reply. Can you guide me to a JTAG tool that can control a NAND flash board? Thanks

    3. I managed to flash the bootloader using openocd and a stm32 as the jtag adapter.
      One strange thing I saw, was that the flash was at location 0xb8000000.

      Here is the board config I used:
      --------
      set _CHIPNAME bcm6368
      set _CPUID 0x0636817F

      #adapter_khz 1000

      jtag newtap $_CHIPNAME cpu -irlen 5 -ircapture 0x1 -irmask 0x1f -expected-id $_CPUID

      set _TARGETNAME $_CHIPNAME.cpu
      target create $_TARGETNAME mips_m4k -endian big -chain-position $_TARGETNAME

      set partition_list {
      CFE { Bootloader 0xb8000000 0x00020000 }
      }

      set _FLASHNAME $_CHIPNAME.flash
      flash bank $_FLASHNAME cfi 0xb8000000 0x1000000 2 2 $_TARGETNAME
      --------

      openocd should be able to detect a valid flash using the command:
      flash probe 0

      after that the image can be flashed using:
      flash write_image erase cfe_file.bin 0xb8000000 bin

  3. Hi,
    I lost my cfe Backup, can someone send it to me?
    thanks

    Replies
    1. You can download the CFE of DGND3700, which is compatible with av4202n. The download link is in this post.

    2. I tried to restore the original Telekom Austria firmware and it doesn't boot (it crashes with a kernel panic) with that CFE, so I wanted to try it with a backed-up CFE, but I can't find mine anymore.

    3. I don't have the original CFE and I couldn't find it in any official firmware. You could try asking on the OpenWRT forums; maybe someone will make a backup of the original CFE and share it.

  4. Or is it possible to extract the original CFE from a firmware update file?
    thanks

