Tuesday, December 10, 2013

Device dead after firmware upgrade

In the last post I build a firmware for our cute little device. And as always, I try my luck first, and then fix the errors afterwards. Not totally unexpected, after flashing my new firmware there were little response from the device afterwards. So I guess this is what we call a bricked device. This wasn't totally unexpected since we can see from the source that the firmware update is a part of the uClinux image.

So finally its time for me to actually own the device, and void the warranty. 3 plastic hooks on each side of the case, and a little bit of work and it opens. Inside we find 3 sets of test pads. So this should be possible to fix somehow.

A quick look at the chips inside. We see that the SoC is a MT7620, and its connected to a H5PS5162GFR 512Mb DDR2 SDRAM, and we can also see some other chips, but those should be unimportant to us.

From the MT7620 datasheet we can find that we have two interesting sets of ports.


UART:

TP15 - I don't know where this goes, and it doesn't really matter for us
TP16 - TX
TP17 - RX
TX18 - GNX

Ethernet:
TP5-8
Uncertain on whats needed for a breakout cable here.

I'm uncertain if the JTAG pins are connected or not, and I don't even know if the chip even have the ports in JTAG mode since they share port with the ethernet leds. But then again, I'm pretty certain we won't need JTAG for this.

I pull out a USB to TTL adapter and try my luck. A few guesses, and I get a serial console with the settings 57600-8-N-1.

And this is the output:
============================================
Ralink UBoot Version: 4.1.1.0
--------------------------------------------
ASIC 7620_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Apr 10 2013  Time:15:50:37
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 580 MHZ ####
 estimate memory size =64 Mbytes

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.
 0
  
3: System Boot system code via Flash.
## Booting image at bc050000 ...
raspi_read: from:50000 len:40
   Image Name:   Linux Kernel Image
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    6274935 Bytes =  6 MB
   Load Address: 80000000
   Entry Point:  8000c310
raspi_read: from:50040 len:5fbf77
   Verifying Checksum ... Bad Data CRC

I guess the firmware image wasn't that good after all. First step is create a semi permanent way to recover when our firmware fails, and afterwards we can start to make our own firmware again. I'm pretty comfortable pressing the pins against the pads while using a serial terminal, but when transferring the firmware I think I'm better of soldering on some pins to the device. Or maybe some short breadboard cables and a little dash of hot glue gun would do the trick. Who knows, maybe i can fit some external connector later on.

Next post will hopefully be on how to fix up the rest, and get back to stock firmware.

If anyone request it I can provide pictures of the components, but its well marked and should be easy to find.

1 comment: