Can read but can't write to flash memory

Open source ARM Debugger

Moderator: phalanx

Can read but can't write to flash memory

Postby johnpaul » Tue Aug 29, 2017 6:04 am

I recently bricked my Netgear DG834v3 router whilst trying to install OpenWrt.

I am attempting to reflash the bootloader with JTAG by bitbanging over the GPIO pins on my Raspberry Pi, but I'm a complete OpenOCD newbie and I'm having problems.

I seem to be able to read the flash memory fine:

Code: Select all
$ sudo openocd -f rpi-jtag.cfg -f board/netgear-dg834v3.cfg -f tools/firmware-recovery.tcl -c "dump_part loader loader.bin"
Open On-Chip Debugger 0.10.0+dev-00172-g7719e96 (2017-08-25-17:24)
Licensed under GNU GPL v2
For bug reports, read
   http://openocd.org/doc/doxygen/bugs.html
BCM2835 GPIO config: tck = 11, tms = 25, tdi = 10, tdo = 9
BCM2835 GPIO config: trst = 7
trst_only separate trst_push_pull
jtag


Firmware recovery helpers
Use -c firmware_help to get help

adapter speed: 1000 kHz

Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : JTAG only mode enabled (specify swclk and swdio gpio to add SWD mode)
Info : clock speed 1006 kHz
Info : JTAG tap: ti-ar7.cpu tap/device found: 0x0000100f (mfg: 0x007 (Hitachi), part: 0x0001, ver: 0x0)
MIPS32 only implemented
Info : JTAG tap: ti-ar7.cpu tap/device found: 0x0000100f (mfg: 0x007 (Hitachi), part: 0x0001, ver: 0x0)
target halted in MIPS32 mode due to debug-request, pc: 0x941a2348
dumped 131072 bytes in 50.461006s (2.537 KiB/s)


But it doesn't seem to let me write to it:

Code: Select all
$ sudo openocd -f rpi-jtag.cfg -f board/netgear-dg834v3.cfg -f tools/firmware-recovery.tcl -c "flash_part loader loader.bin"
Open On-Chip Debugger 0.10.0+dev-00172-g7719e96 (2017-08-25-17:24)
Licensed under GNU GPL v2
For bug reports, read
   http://openocd.org/doc/doxygen/bugs.html
BCM2835 GPIO config: tck = 11, tms = 25, tdi = 10, tdo = 9
BCM2835 GPIO config: trst = 7
trst_only separate trst_push_pull
jtag


Firmware recovery helpers
Use -c firmware_help to get help

adapter speed: 1000 kHz

Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : JTAG only mode enabled (specify swclk and swdio gpio to add SWD mode)
Info : clock speed 1006 kHz
Info : JTAG tap: ti-ar7.cpu tap/device found: 0x0000100f (mfg: 0x007 (Hitachi), part: 0x0001, ver: 0x0)
MIPS32 only implemented
Info : JTAG tap: ti-ar7.cpu tap/device found: 0x0000100f (mfg: 0x007 (Hitachi), part: 0x0001, ver: 0x0)
target halted in MIPS32 mode due to debug-request, pc: 0x941a234c
auto erase enabled
Info : Flash Manufacturer/Device: 0x9000 0x4080
Error: fast_data (0x8000008c) is within write area (0x8000010c-0x8000030c).
Error: Change work-area-phys or load_image address!
Warn : Falling back to non-bulk write
Error: timed out while waiting for target halted
target halted in MIPS32 mode due to debug-request, pc: 0x941a2348
Error: error writing to flash at address 0x90000000 at offset 0x00000000


The firmware recovery tool is running this command in the background:

Code: Select all
flash write_image erase loader.bin 0x90000000 bin


I tried the 'unlock' flag as well but that didn't seem to help:

Code: Select all
flash write_image erase unlock loader.bin 0x90000000 bin
auto erase enabled
auto unlock enabled
protect: cfi primary command set 2 unsupported
fast_data (0x8000008c) is within write area (0x8000010c-0x8000030c).
Change work-area-phys or load_image address!
Falling back to non-bulk write
timed out while waiting for target halted
target halted in MIPS32 mode due to debug-request, pc: 0x941a234c
error writing to flash at address 0x90000000 at offset 0x00000000


Am I doing something wrong? Can someone give me a pointer?
If anyone needs any more info don't hesitate to ask. I have access to the serial console as well if that helps.
johnpaul
 
Posts: 1
Joined: Tue Aug 29, 2017 3:43 am


Return to OpenOCD

Who is online

Users browsing this forum: No registered users and 2 guests