SparkFun Forums 

Open source ARM Debugger
By johnpaul
#195979
I recently bricked my Netgear DG834v3 router whilst trying to install OpenWrt.

I am attempting to reflash the bootloader with JTAG by bitbanging over the GPIO pins on my Raspberry Pi, but I'm a complete OpenOCD newbie and I'm having problems.

I seem to be able to read the flash memory fine:
$ sudo openocd -f rpi-jtag.cfg -f board/netgear-dg834v3.cfg -f tools/firmware-recovery.tcl -c "dump_part loader loader.bin"
Open On-Chip Debugger 0.10.0+dev-00172-g7719e96 (2017-08-25-17:24)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
BCM2835 GPIO config: tck = 11, tms = 25, tdi = 10, tdo = 9
BCM2835 GPIO config: trst = 7
trst_only separate trst_push_pull
jtag


Firmware recovery helpers
Use -c firmware_help to get help

adapter speed: 1000 kHz

Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : JTAG only mode enabled (specify swclk and swdio gpio to add SWD mode)
Info : clock speed 1006 kHz
Info : JTAG tap: ti-ar7.cpu tap/device found: 0x0000100f (mfg: 0x007 (Hitachi), part: 0x0001, ver: 0x0)
MIPS32 only implemented
Info : JTAG tap: ti-ar7.cpu tap/device found: 0x0000100f (mfg: 0x007 (Hitachi), part: 0x0001, ver: 0x0)
target halted in MIPS32 mode due to debug-request, pc: 0x941a2348
dumped 131072 bytes in 50.461006s (2.537 KiB/s)
But it doesn't seem to let me write to it:
$ sudo openocd -f rpi-jtag.cfg -f board/netgear-dg834v3.cfg -f tools/firmware-recovery.tcl -c "flash_part loader loader.bin"
Open On-Chip Debugger 0.10.0+dev-00172-g7719e96 (2017-08-25-17:24)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
BCM2835 GPIO config: tck = 11, tms = 25, tdi = 10, tdo = 9
BCM2835 GPIO config: trst = 7
trst_only separate trst_push_pull
jtag


Firmware recovery helpers
Use -c firmware_help to get help

adapter speed: 1000 kHz

Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : JTAG only mode enabled (specify swclk and swdio gpio to add SWD mode)
Info : clock speed 1006 kHz
Info : JTAG tap: ti-ar7.cpu tap/device found: 0x0000100f (mfg: 0x007 (Hitachi), part: 0x0001, ver: 0x0)
MIPS32 only implemented
Info : JTAG tap: ti-ar7.cpu tap/device found: 0x0000100f (mfg: 0x007 (Hitachi), part: 0x0001, ver: 0x0)
target halted in MIPS32 mode due to debug-request, pc: 0x941a234c
auto erase enabled
Info : Flash Manufacturer/Device: 0x9000 0x4080
Error: fast_data (0x8000008c) is within write area (0x8000010c-0x8000030c).
Error: Change work-area-phys or load_image address!
Warn : Falling back to non-bulk write
Error: timed out while waiting for target halted
target halted in MIPS32 mode due to debug-request, pc: 0x941a2348
Error: error writing to flash at address 0x90000000 at offset 0x00000000
The firmware recovery tool is running this command in the background:
flash write_image erase loader.bin 0x90000000 bin
I tried the 'unlock' flag as well but that didn't seem to help:
flash write_image erase unlock loader.bin 0x90000000 bin
auto erase enabled
auto unlock enabled
protect: cfi primary command set 2 unsupported
fast_data (0x8000008c) is within write area (0x8000010c-0x8000030c).
Change work-area-phys or load_image address!
Falling back to non-bulk write
timed out while waiting for target halted
target halted in MIPS32 mode due to debug-request, pc: 0x941a234c
error writing to flash at address 0x90000000 at offset 0x00000000
Am I doing something wrong? Can someone give me a pointer?
If anyone needs any more info don't hesitate to ask. I have access to the serial console as well if that helps.