Accessing Linksys E4200 SPI Flash via JTAG

Open source ARM Debugger

Moderator: phalanx

Post Reply
Posts: 1
Joined: Sat Jan 17, 2015 8:30 pm

Accessing Linksys E4200 SPI Flash via JTAG

Post by quarky » Sat Jan 17, 2015 8:48 pm


I bricked my Linksys E4200 v1.0 router and bought the Tumpa Lite adapter to try to un-brick the router via JTAG. I managed to connect to the router via JTAG and OpenOCD v0.8 managed to detect the router's BCM4718 router.

I need to erase the route's NVRAM stored in the router's flash memory (I think) but OpenOCD does not seem to be able to detect the SPI flash (it's a Winbond W25Q128BV flash chip) that the router is using.

I've created a board config file in the 'scripts/board' directory as below:

# Linksys E4200 v1.0

source [find target/bcm4718.cfg]

set partition_list {
CFE { Bootloader 0x1c000000 0x00040000 }
firmware { "Kernel+rootfs" 0x1c040000 0x00fb0000 }
nvram { "Config space" 0x1cff0000 0x00010000 }

# External 16MB SPI Flash (WinBond W25Q128BV)
flash bank $_FLASHNAME stmsmi 0x1c000000 0 0 0 $_TARGETNAME

I've also created a openocd.cfg file as below:

adapter_khz 10

source [find interface/ftdi/tumpa-lite.cfg]
source [find board/linksys-e4200.cfg]

I've tried the 'cfi' and 'smtsmi' drivers but both does not seem to be able to detect the flash chip.

Below are outputs of what I've tried using the 'stmsmi' driver:

Open On-Chip Debugger 0.8.0 (2014-04-28-08:39)
Licensed under GNU GPL v2
For bug reports, read
adapter speed: 10 kHz
Info : only one transport option; autoselect 'jtag'
Forcing reset_config to none to prevent OpenOCD from pulling SRST after the switch from LV is already performed
none separate
Info : clock speed 10 kHz
Info : JTAG tap: bcm4718-lv.tap tap/device found: 0x1471617f (mfg: 0x0bf, part: 0x4716, ver: 0x1)
Info : JTAG tap: bcm4718-lv.tap disabled
Info : JTAG tap: bcm4718.cpu enabled
Info : accepting 'telnet' connection from 4444
#0 : bcm4718.flash (stmsmi) at 0x1c000000, size 0x00000000, buswidth 0, chipwidth 0
{name stmsmi base 469762048 size 0 bus_width 0 chip_width 0}

Would appreciate if anyone who have experience using OpenOCD on a Linksys E4200 can help provide some pointers to move me along in the right direction.

Is SPI flash chip even supported by OpenOCD?


Hong Hui

Post Reply