Discussion:
[Isl3893-devel] MSI RG54G2 JTAG Flash programming
ikon
2009-01-25 19:17:58 UTC
Permalink
Hi,

my MSI RG54G2 has been unable to boot since this morning.
I cannot connect to the IP of the router via cable or wifi.

Power LED is on, but all other LEDs flash every 2-3 seconds
for a few milliseconds.
It seems like flash corruption - boot fails.
When the RESET button is pressed the WLAN LED flashes
until power is removed.

Is there any way to reprogram the original firmware
while the flash chip is in-system?
Does anybody have any experience with JTAG on RG54G2?

Thanks for your help in advance.

Best regards,
Imrich
Benjamin Henrion
2009-01-26 13:36:51 UTC
Permalink
Post by ikon
Hi,
my MSI RG54G2 has been unable to boot since this morning.
I cannot connect to the IP of the router via cable or wifi.
Power LED is on, but all other LEDs flash every 2-3 seconds
for a few milliseconds.
It seems like flash corruption - boot fails.
When the RESET button is pressed the WLAN LED flashes
until power is removed.
Is there any way to reprogram the original firmware
while the flash chip is in-system?
Does anybody have any experience with JTAG on RG54G2?
I still have to test JTAG on isl3893 based devices, but tomorrow I am
working on a JTAG session in the evening.

I will try to get JTAG access on some device I have here.

BTW, does the RG54G2 run Linux?
--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
Imrich Konkol
2009-01-26 15:18:09 UTC
Permalink
Post by Benjamin Henrion
Post by ikon
Hi,
my MSI RG54G2 has been unable to boot since this morning.
I cannot connect to the IP of the router via cable or wifi.
Power LED is on, but all other LEDs flash every 2-3 seconds
for a few milliseconds.
It seems like flash corruption - boot fails.
When the RESET button is pressed the WLAN LED flashes
until power is removed.
Is there any way to reprogram the original firmware
while the flash chip is in-system?
Does anybody have any experience with JTAG on RG54G2?
I still have to test JTAG on isl3893 based devices, but tomorrow I am
working on a JTAG session in the evening.
I will try to get JTAG access on some device I have here.
BTW, does the RG54G2 run Linux?
Hi Benjamin,

I'm not sure what OS is running on the RG54G2, but I read on some forums that there is some
violation of the GPL. So I guess some Linux is in there.

In addition, I don't have any information about JP1 and JP2, which one is JTAG, and whether
there is any serial port available for reflashing the firmware.

Thanks for testing JTAG and posting your results.

Best regards,
Imrich
Benjamin Henrion
2009-01-26 15:25:14 UTC
Permalink
Post by Imrich Konkol
Post by Benjamin Henrion
Post by ikon
Hi,
my MSI RG54G2 has been unable to boot since this morning.
I cannot connect to the IP of the router via cable or wifi.
Power LED is on, but all other LEDs flash every 2-3 seconds
for a few milliseconds.
It seems like flash corruption - boot fails.
When the RESET button is pressed the WLAN LED flashes
until power is removed.
Is there any way to reprogram the original firmware
while the flash chip is in-system?
Does anybody have any experience with JTAG on RG54G2?
I still have to test JTAG on isl3893 based devices, but tomorrow I am
working on a JTAG session in the evening.
I will try to get JTAG access on some device I have here.
BTW, does the RG54G2 run Linux?
Hi Benjamin,
I'm not sure what OS is running on the RG54G2, but I read on some forums that there is some
violation of the GPL. So I guess some Linux is in there.
In addition, I don't have any information about JP1 and JP2, which one is JTAG, and whether
there is any serial port available for reflashing the firmware.
Thanks for testing JTAG and posting your results.
Otherwise, there might be some "reset button" you could press for
20 seconds or more at boot; it might wipe out some bad config you might
have done.

There is also some minimal image somewhere you could give to the
bootloader if you have a serial console:

http://isl3893.sourceforge.net/download/firmware/siemens-wlanap600rp/apfw.minimal.img

--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
Ruben Faelens
2009-01-26 19:29:27 UTC
Permalink
You should REALLY try to connect a serial console. If you have an
oscilloscope, try testing out various empty PCB pin header connections and
look for a typical serial signal. Don't forget the MAX232!
For example:
http://isl3893.sourceforge.net/intersil-39300.gif
Try all the pin headers, including the ones where no parts have been placed
(the soldering pads left of the right bottom grey capacitor)
Post by Imrich Konkol
Post by Imrich Konkol
Post by Benjamin Henrion
Post by ikon
Hi,
my MSI RG54G2 has been unable to boot since this morning.
I cannot connect to the IP of the router via cable or wifi.
Power LED is on, but all other LEDs flash every 2-3 seconds
for a few milliseconds.
It seems like flash corruption - boot fails.
When the RESET button is pressed the WLAN LED flashes
until power is removed.
Is there any way to reprogram the original firmware
while the flash chip is in-system?
Does anybody have any experience with JTAG on RG54G2?
I still have to test JTAG on isl3893 based devices, but tomorrow I am
working on a JTAG session in the evening.
I will try to get JTAG access on some device I have here.
BTW, does the RG54G2 run Linux?
Hi Benjamin,
I'm not sure what OS is running on the RG54G2, but I read on some forums that there
is some
violation of the GPL. So I guess some Linux is in there.
In addition, I don't have any information about JP1 and JP2, which one is JTAG,
and whether
there is any serial port available for reflashing the firmware.
Thanks for testing JTAG and posting your results.
Otherwise, there might be some "reset button" you could press for
20 seconds or more at boot; it might wipe out some bad config you might
have done.
There is also some minimal image somewhere you could give to the
http://isl3893.sourceforge.net/download/firmware/siemens-wlanap600rp/apfw.minimal.img
--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
------------------------------------------------------------------------------
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Isl3893-devel mailing list
https://lists.sourceforge.net/lists/listinfo/isl3893-devel
Imrich Konkol
2009-01-30 11:28:37 UTC
Permalink
Post by Ruben Faelens
You should REALLY try to connect a serial console. If you have an
oscilloscope, try testing out various empty PCB pin header connections and look
for a typical serial signal. Don't forget the MAX232!
For example:
http://isl3893.sourceforge.net/intersil-39300.gif
Try all the pin headers, including the ones where no parts have been placed (the soldering pads
left of the right bottom grey capacitor)


Hi all,

I'm back with my investigation.
I found the serial port on PCB pin header JP2.

The connection is in attachment 1. I use a standard Nokia cable as an RS-232 level
converter.

After connecting the terminal, I could see the boot loader repeating the
same message and the AP rebooting over and over again (attachment 2).

After a long push of the reset button, a prompt to enter a password appeared (attachment 3).
I tried all possible combinations, but this seems to be vendor specific.

So I followed the procedure for flashing the firmware and tried apfw.minimal.
I could boot Linux, but no network or wireless adapters were found
(attachment 4).
The network bridge in this model is the RTL8305.

The logical step was to restore the original firmware. But MSI or Minitar
is providing only some strange version of the firmware which is not a binary image of
the flash memory.
The extension is GZH, but gunzip cannot do anything with it.

What needs to be done to flash this firmware?
Or is there any way, if I have the same piece of hardware, to get the binary
image from it? Of course without removing any chips or making big hardware
changes.

Thanks for your help.

Best regards,
Imrich

-------------------------------------------------

Attachment 1:
-------------------------------------------------
JP2 serial port pinout
======================
1>
3V3 ---[] O--- NC
RxD ---O O--- NC
TxD ---O O--- NC
NC ---O O--- NC
GND ---O O--- NC

Serial port settings: 115200,8N1,no flow control
-------------------------------------------------

Attachment 2:
-------------------------------------------------
Rescueing Boot for the ISL3893, version 0.5.3.0
Copyright (C) 1993-2002 Intersil Americas Inc. All Rights Reserved.
No valid MacAddress found in PDA, defaulting to 02.10.91.38.93.00
Forcing soft reset from Bootloader
Rescueing Boot for the ISL3893, version 0.5.3.0
Copyright (C) 1993-2002 Intersil Americas Inc. All Rights Reserved.
No valid MacAddress found in PDA, defaulting to 02.10.91.38.93.00

Boot: start searching for image... Found
Boot: Checking Image CRC32... Okay.
.

Rescueing Boot for the ISL3893, version 0.5.3.0
Copyright (C) 1993-2002 Intersil Americas Inc. All Rights Reserved.
No valid MacAddress found in PDA, defaulting to 02.10.91.38.93.00
Forcing soft reset from Bootloader
Rescueing Boot for the ISL3893, version 0.5.3.0
Copyright (C) 1993-2002 Intersil Americas Inc. All Rights Reserved.
No valid MacAddress found in PDA, defaulting to 02.10.91.38.93.00

Boot: start searching for image... Found
Boot: Checking Image CRC32... Okay.
CRC32... Okay.

etc...
-------------------------------------------------

Attachment 3:
-------------------------------------------------
Boot: start searching for image... Found
Boot: Checking Image CRC32... Okay.
password:
-------------------------------------------------

Attachment 4:
-------------------------------------------------
Rescueing Boot for the ISL3893, version 0.5.3.0
Copyright (C) 1993-2002 Intersil Americas Inc. All Rights Reserved.
No valid MacAddress found in PDA, defaulting to 02.10.91.38.93.00
Forcing soft reset from Bootloader?
Rescueing Boot for the ISL3893, version 0.5.3.0
Copyright (C) 1993-2002 Intersil Americas Inc. All Rights Reserved.
No valid MacAddress found in PDA, defaulting to 02.10.91.38.93.00
Entering recovery mode.
Trying ethernet...
Using Static IP address 192.0.2.93
apipa: got IP address 169.254.129.129
dhcp: got IP address 192.0.2.93, leasetime = -1, t1 = 4294966, t2 = 4294966
valid_bootrecord() -> ERROR: Illegal code
valid_bootrecord() -> ERROR: Illegal code
valid_bootrecord() -> ERROR: Illegal code
valid_bootrecord() -> ERROR: Illegal code
valid_bootrecord() -> ERROR: Illegal code
valid_bootrecord() -> ERROR: Illegal code
valid_bootrecord() -> ERROR: Illegal code
valid_bootrecord() -> ERROR: Illegal code
XXXXXXXXXXXXXXXXXXCRC check ok

OKA
Uncompressing Linux (bzip2)... done, booting the kernel.
Linux version 2.4.19-uc1 (***@atlas) (gcc version 2.95.3.2 20010315 (release)) #
2 Fri Jul 29 21:43:51 CEST 2005
Processor: ARM ARM946 revision 1
Architecture: ISL3893
Boot Struct at 0003f000
Boot parameter block at 0003ffc8
SRAM size 0x7b7b40
On node 0 totalpages: 2039
zone(0): 0 pages.
zone(1): 2039 pages.
zone(2): 0 pages.
Kernel command line:
Calibrating delay loop... 72.29 BogoMIPS
Memory: 7MB = 7MB total
Memory: 4920KB available (1248K code, 1583K data, 44K init)
Dentry cache hash table entries: 1024 (order: 1, 8192 bytes)
Inode cache hash table entries: 512 (order: 0, 4096 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Invalid Boot Parameter Block 0003ffc8 (magic 0)
Starting kswapd
JFFS version 1.0, (C) 1999, 2000 Axis Communications AB
pty: 256 Unix98 ptys configured
ISL3893 UART serial driver version 1.0 (2002-07-11) with no serial options enabled
ttyS00 at 0xc0000500 (irq = 8) is a ISL3893 UART
dev_elem, type 2, mtu 1568, head 224, tail 32
eth0: Prism Embedded MVC v2 packet IF version 0.4.0.0 found,<3>Couldn't get MAC address for eth0 from PDA... aborting...
dev_elem, type 1, mtu 1568, head 224, tail 32
eth1: Prism Embedded MVC v2 packet IF version 0.4.0.0 found,<3>Couldn't get MAC address for eth1 from PDA... aborting...
dev_elem, type 2, mtu 1568, head 224, tail 32
eth2: Prism Embedded MVC v2 packet IF version 0.4.0.0 found,<3>Couldn't get MAC address for eth2 from PDA... aborting...
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 2 disk images:
0: 186AA4-2B3EA3 [VIRTUAL 186AA4-2B3EA3] (RO)
1: 812AA00-83801FF [VIRTUAL 812AA00-83801FF] (RO)
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
physmap flash device: 400000 at 8000000
Amd/Fujitsu Extended Query Table v1.0 at 0x0040
number of CFI chips: 1
Creating 3 MTD partitions on "Physically mapped flash":
0x00000000-0x00010000 : "Bootloader"
0x00010000-0x00380000 : "Access Point Firmware"
mtd: partition "Access Point Firmware" extends beyond the end of device "Physically mapped flash" -- size truncated to 0x1f0000
0x00380000-0x00200000 : "Flash Filesystem"
mtd: partition "Flash Filesystem" is out of reach -- disabled
Division by zero in kernel.
Function entered at [<00052404>] from [<00163db8>]
Function entered at [<000f2b7c>] from [<0004786c>]
Function entered at [<00047790>] from [<00040688>]
r5 = 0004AD90 r4 = 0004AD2C
Function entered at [<0004066c>] from [<000406cc>]
r5 = 0030F100 r4 = 002C8738
Function entered at [<000406a0>] from [<0004b04c>]
Function entered at [<0004b03c>] from [<0004ed74>]
r7 = 002BFB94 r6 = 002BFB98 r5 = 0030F100 r4 = 002C8738
Division by zero in kernel.
Function entered at [<00052404>] from [<00163db8>]
Function entered at [<000f2b7c>] from [<0004786c>]
Function entered at [<00047790>] from [<00040688>]
r5 = 0004AD90 r4 = 0004AD2C
Function entered at [<0004066c>] from [<000406cc>]
r5 = 0030F100 r4 = 002C8738
Function entered at [<000406a0>] from [<0004b04c>]
Function entered at [<0004b03c>] from [<0004ed74>]
r7 = 002BFB94 r6 = 002BFB98 r5 = 0030F100 r4 = 002C8738
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 512)
ip_conntrack (63 buckets, 504 max)
PPTP netfilter connection tracking: registered
PPTP netfilter NAT helper: registered
ip_tables: (C) 2000-2002 Netfilter core team
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
cramfs: wrong magic
JFFS: Trying to mount a non-mtd device.
VFS: Mounted root (romfs filesystem) readonly.
Mounting proc on /proc
init started: BusyBox v0.51 (2005.07.29-19:38+0000) multi-call binary
jffs_scan_flash(): Did not find even a single chunk of free space. This is BAD!
# SIOCSIFADDR: No such device
SIOCGIFFLAGS: No such device

# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

#
-------------------------------------------------
Erich Schubert
2009-01-30 12:01:53 UTC
Permalink
Hello,
Post by Imrich Konkol
0x00000000-0x00010000 : "Bootloader"
0x00010000-0x00380000 : "Access Point Firmware"
mtd: partition "Access Point Firmware" extends beyond the end of device "Physically mapped flash" -- size truncated to 0x1f0000
0x00380000-0x00200000 : "Flash Filesystem"
mtd: partition "Flash Filesystem" is out of reach -- disabled
Division by zero in kernel.
That might indicate that your access point only has a smaller flash chip.
I remember having seen some reports on isl3893 based devices that were
not running Linux and only had a smaller flash chip. You might still be
able to get Linux on there (not sure how small you can get), but you'll
have to choose a different partitioning and generate the appropriate
images yourself.

If I recall it correctly (that was like 5 years ago?), it was maybe the
3com devices. You could try a firmware for these devices instead (the
web page should have the model numbers that are isl3893 based).

Regards,
erich
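To make the diagnosis above concrete, here is an added example (written for this page; it is not code from the isl3893 project or from any poster) that reproduces the two decisions the Linux MTD layer made in the quoted boot log: a partition that runs past the end of the chip is truncated, and one that starts beyond the end is disabled. It then rebuilds the same three-partition scheme so that it fits a 2 MB chip, which is the "different partitioning" Erich refers to. The partition offsets are taken from the kernel messages; the size of the "Flash Filesystem" partition is an assumption, since the log never prints it cleanly, and the `fit_layout` policy is the example's own.

```python
"""Check an MTD partition layout against the flash chip that is really fitted.

Added example for this thread; not code from the isl3893 project or any
poster. Offsets come from the quoted kernel log; the filesystem partition
size is an assumption.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Partition:
    name: str
    offset: int
    size: int


# 4 MB layout implied by the kernel messages (the FS size is assumed).
LAYOUT_4MB: List[Partition] = [
    Partition("Bootloader", 0x000000, 0x010000),
    Partition("Access Point Firmware", 0x010000, 0x370000),
    Partition("Flash Filesystem", 0x380000, 0x080000),
]

FLASH_2MB = 0x200000   # what the RG54G2 actually has (per the thread)
FLASH_4MB = 0x400000   # what apfw.minimal appears to be built for


def check_layout(parts: List[Partition], device_size: int) -> List[Tuple[str, str, int]]:
    """Return (name, status, effective_size) per partition, as the MTD layer would."""
    report = []
    for p in parts:
        if p.offset >= device_size:
            # Start lies beyond the chip: "is out of reach -- disabled".
            report.append((p.name, "disabled (out of reach)", 0))
        elif p.offset + p.size > device_size:
            # End lies beyond the chip: "extends beyond the end of device -- size truncated".
            report.append((p.name, "truncated", device_size - p.offset))
        else:
            report.append((p.name, "ok", p.size))
    return report


def fit_layout(parts: List[Partition], device_size: int, min_fs: int = 0x40000) -> List[Partition]:
    """Rebuild the bootloader/firmware/filesystem scheme so it fits device_size.

    Policy (this example's own): the bootloader keeps its place and size, the
    filesystem keeps its size when the chip leaves the firmware at least as
    much room, otherwise shrinks to min_fs, and the firmware gets the rest.
    """
    boot, _fw, fs = parts
    fs_size = fs.size if device_size - boot.size >= 2 * fs.size else min_fs
    fw_size = device_size - boot.size - fs_size
    if fw_size <= 0:
        raise ValueError("chip too small for this partition scheme")
    return [
        Partition(boot.name, boot.offset, boot.size),
        Partition("Access Point Firmware", boot.size, fw_size),
        Partition(fs.name, boot.size + fw_size, fs_size),
    ]


if __name__ == "__main__":
    for size in (FLASH_4MB, FLASH_2MB):
        print(f"device size 0x{size:x}:")
        for name, status, eff in check_layout(LAYOUT_4MB, size):
            print(f"  {name:24s} {status:26s} 0x{eff:06x}")
    print("fitted 2 MB layout:", fit_layout(LAYOUT_4MB, FLASH_2MB))
```

Run against `FLASH_2MB`, the firmware partition comes out truncated to 0x1f0000 and the filesystem disabled, exactly the two `mtd:` lines in attachment 4; against `FLASH_4MB` every partition is fine, which is why the image was never intended to complain on the devices it was built for.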
Imrich Konkol
2009-01-30 13:18:57 UTC
Permalink
Hello Erich,
Post by Erich Schubert
That might indicate that your access point only has a smaller flash chip.
I remember having seen some reports on isl3893 based devices that were
not running Linux and only had a smaller flash chip. You might still be
able to get Linux on there (not sure how small you can get), but you'll
have to choose a different partitioning and generate the appropriate
images yourself.
Yes, definitely. The flash is 29LV160BB - 8Mb flash (2M x 32 bits) -
as described on the hacking page
(http://satin.sensation.net.au/rowan/MSI-RG54G2-hack.html)
Post by Erich Schubert
If I recall it corretly (that was like 5 years ago?), it was maybe the
3com devices. You could try a firmware for these devices instead (the
web page should have the model numbers that are isl3893 based).
My current goal is to restore the basic functionality of my AP.
For this I need a binary image of the original firmware.
Then I can play with Linux a bit more.

Do you have any advice in this area?
How to convert .gzh file to .bin?

Thanks.

Best regards,
Imrich
Erich Schubert
2009-01-30 13:43:50 UTC
Permalink
Hello Imrich,
Post by Imrich Konkol
Yes, definitely. The flash is 29LV160BB - 8Mb flash (2M x 32 bits) -
as described on the hacking page
(http://satin.sensation.net.au/rowan/MSI-RG54G2-hack.html)
Actually, Googling for that number returned me 16 Mbit, which would be
2 MB Flash. I think most isl3893 devices had 4 MB Flash, which would
explain why you got that error.

As for the .gzh file: judging from the recovery section of the manual
for that 'similar' access point, it is the raw firmware image; you do
not need to do anything to it. It seems as if they changed the magic
header, so they might have modified the low-level boot loader of the AP.

Did you try recovery with the MSI firmware?
http://global.msi.com.tw/index.php?func=downloaddetail&type=firmware&maincat_no=131&prod_no=91

Do the same thing as you did with the .img file.

Regards,
Erich
Imrich Konkol
2009-01-30 13:59:43 UTC
Permalink
Hello,
Post by Erich Schubert
Actually, Googling for that number returned me 16 Mbit, which would be
2 MB Flash. I think most isl3893 devices had 4 MB Flash, which would
explain why you got that error.
I took the description from the hacking web page,
but the final capacity is 2M in my understanding.
Post by Erich Schubert
Did you try recovery with the MSI firmware?
http://global.msi.com.tw/index.php?func=downloaddetail&type=firmware&maincat_no=131&prod_no=91

I've downloaded a lot of firmware versions for MSI and Minitar. All are .gzh files.
This is not a binary image I can flash.
When I issue "tftp -i 192.0.2.93 PUT firmware.gzh" I always get an error.

When I open the files in a hex editor I see completely different file structures for
.bin and .gzh.
I can see meaningful sections in the .img file.
Lines: xMVC, xSYS and other readable strings.

The .gzh file structure is different. I see just raw data very similar to a ZIP
file, but the initial line is not ZIP compatible and unzip cannot read it.

If I run the Linux 'file' command, I just get: "firmware.gzh: data"

Best regards,
Imrich
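The hex-editor inspection described in the message above can be automated. The following is an added example written for this page (not code from the isl3893 project or from any poster): it compares the leading bytes of a blob against a few documented container magics (gzip, zip, bzip2, xz), looks for the `xMVC`/`xSYS` chunk tags the poster saw in the Intersil .img, lists printable strings the way `strings(1)` does, and measures byte entropy, because a file that "looks like ZIP" but matches no known magic and reports as `data` is usually compressed or encrypted payload behind a vendor-specific header. The two sample blobs are constructed inline and are not real MSI or Intersil images; the 3-byte `GZH` header on the second sample is invented for the demonstration and says nothing about the real format.

```python
"""Triage an unknown firmware download by magic bytes, strings and entropy.

Added example for this thread; not code from the isl3893 project or any
poster. The sample blobs below are constructed, not real firmware.
"""
import math
import random
import re
from collections import Counter
from typing import List

# Documented container magics a practitioner checks first.
MAGICS = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}
# Chunk tags the poster saw in the Intersil .img; treated purely as markers.
INTERSIL_TAGS = (b"xMVC", b"xSYS")


def identify(blob: bytes) -> str:
    """Best-effort container name from the leading bytes, else 'data' like file(1)."""
    for magic, name in MAGICS.items():
        if blob.startswith(magic):
            return name
    if any(tag in blob[:4096] for tag in INTERSIL_TAGS):
        return "intersil-img (chunk tags present)"
    return "data"


def printable_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Rough equivalent of strings(1): runs of printable ASCII of min_len or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: close to 8.0 means compressed/encrypted, low means sparse or plain."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def triage(blob: bytes) -> dict:
    """Summarise one blob the way a quick manual hex-editor pass would."""
    return {
        "kind": identify(blob),
        "head": blob[:8].hex(" "),
        "entropy": round(shannon_entropy(blob), 2),
        "strings": printable_strings(blob)[:8],
    }


# Constructed samples (NOT real firmware): a sparse image carrying chunk tags,
# and an opaque blob with an invented 3-byte header and pseudo-random payload.
IMG_SAMPLE = (b"xMVC" + b"\x00" * 60 + b"Prism MVC v2" + b"\x00" * 60
              + b"xSYS" + b"\x00" * 100)
_rng = random.Random(1)  # fixed seed so the sample is reproducible
GZH_SAMPLE = b"GZH" + bytes(_rng.getrandbits(8) for _ in range(2048))


if __name__ == "__main__":
    for name, blob in (("sample.img", IMG_SAMPLE), ("sample.gzh", GZH_SAMPLE)):
        print(name, triage(blob))
```

On the constructed samples the .img-style blob is recognised by its chunk tags and has low entropy with readable strings, while the opaque blob matches nothing, reports `data`, yields no useful strings and sits near 8 bits per byte; that combination is the signature of "raw data very similar to a ZIP file" that `unzip` and `gunzip` both reject.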
Ruben Faelens
2009-01-30 14:52:32 UTC
Permalink
Post by Erich Schubert
Hello,
Post by Erich Schubert
Actually, Googling for that number returned me 16 Mbit, which would be
2 MB Flash. I think most isl3893 devices had 4 MB Flash, which would
explain why you got that error.
I took the description from the hacking web page,
but the final capacity is 2M in my understanding.
Post by Erich Schubert
Did you try recovery with the MSI firmware?
http://global.msi.com.tw/index.php?func=downloaddetail&type=firmware&maincat_no=131&prod_no=91
I've downloaded a lot of firmware versions for MSI and Minitar. All are .gzh files.
This is not a binary image I can flash.
When I issue "tftp -i 192.0.2.93 PUT firmware.gzh" I always get an error.
When I open the files in a hex editor I see completely different file structures for
.bin and .gzh.
I can see meaningful sections in the .img file.
Lines: xMVC, xSYS and other readable strings.
The .gzh file structure is different. I see just raw data very similar to a ZIP
file, but the initial line is not ZIP compatible and unzip cannot read it.
If I run the Linux 'file' command, I just get: "firmware.gzh: data"
Best regards,
Imrich
Don't forget that some manufacturers dumb down their users, and call
the web pages used to configure the AP "firmware". I think Erich provided
you with the best course of action: try some of the 3com firmware and
hope that they used the same switch chips...
ulf kypke
2009-01-30 15:32:58 UTC
Permalink
hi, folks
nice to see that you are all still reading the mailing list, even after
5 years of isl3893 hacking, haha
Benjamin and I remade the website last year, so more pictures and more
info are on isl3893.wikidot.com
the MSI device has only 2 megabytes of flash, and uses an RTL switch chip.
bye, Ulf
Post by Ruben Faelens
Post by Erich Schubert
Hello,
Post by Erich Schubert
Actually, Googling for that number returned me 16 Mbit, which would be
2 MB Flash. I think most isl3893 devices had 4 MB Flash, which would
explain why you got that error.
I took the description from the hacking web page,
but the final capacity is 2M in my understanding.
Post by Erich Schubert
Did you try recovery with the MSI firmware?
http://global.msi.com.tw/index.php?func=downloaddetail&type=firmware&maincat_no=131&prod_no=91
I've downloaded a lot of firmware versions for MSI and Minitar. All are .gzh files.
This is not a binary image I can flash.
When I issue "tftp -i 192.0.2.93 PUT firmware.gzh" I always get an error.
When I open the files in a hex editor I see completely different file structures for
.bin and .gzh.
I can see meaningful sections in the .img file.
Lines: xMVC, xSYS and other readable strings.
The .gzh file structure is different. I see just raw data very similar to a ZIP
file, but the initial line is not ZIP compatible and unzip cannot read it.
If I run the Linux 'file' command, I just get: "firmware.gzh: data"
Best regards,
Imrich
Don't forget that some manufacturers dumb down their users, and call
the web pages used to configure the AP "firmware". I think Erich provided
you with the best course of action: try some of the 3com firmware and
hope that they used the same switch chips...