www.8devices.com
 Carambola2 USB Booting 

Joined: 27 May 2013, 14:45
Posts: 11
I have just discovered that the internal ROM of the AR9331 has code to boot from USB instead of serial SPI.
As described in the AR9331 datasheet, pulling down GPIO1 at power-up triggers this feature...
Does anyone have more information about that and how to exploit it?
Question for 8devices' people... Do you use this feature to upload the serial flash, or do you use JTAG?

Here is the log from the UART...

Hornet USB booting...
VID=0xcf3,PID=0x9330
iManufacturer=0x10,iProduct=0x20,iSerialNumber=0x30
bMaxPower=0xfa
-> COLD_START
bUSBPhyBias=0x3
RUN
Default State
HS
HS
HS
HS
HS


12 Sep 2013, 13:09

Joined: 21 Aug 2013, 21:21
Posts: 88
zorromymy wrote:
...

Hmmm, it sounds interesting... Is the USB slave device detected by a Linux host? If yes, then what type of device file is assigned to it? ttyUSBn, hidraw, etc.? And what happens if you simply send the U-Boot image to the device file with the cat command? I wonder if it works or not.


12 Sep 2013, 21:37

Joined: 27 May 2013, 14:45
Posts: 11
Don't know if the USB configures as host or device...
Probably "Host" because of GPIO13 (high level by default on Carambola2, see the AR9331 datasheet).
I tried attaching a USB key... The log on the UART stops after the "RUN" line until the key is removed.
I tried attaching a USB-Serial... same behaviour...
I tried attaching to a host... No reaction!

Will try faking a VID=0xcf3,PID=0x9330 device...

Is the boot ROM memory-mapped when running from SPI?
In that case, reversing the code may help...

I suppose the code is loaded by Atheros, because you can trigger the same log from a TP-Link MR3220.
Any chance of getting this information from Atheros?

Regards


13 Sep 2013, 08:31

Joined: 27 May 2013, 14:45
Posts: 11
One more step...
Pulling down GPIO1 (SPI/ROM) and GPIO13 (HOST/DEVICE) at power-up configures the AR9331 as a device. It registers (as expected) as a VID=0xcf3, PID=0x9330 device on the desktop...


13 Sep 2013, 09:02

Joined: 21 Aug 2013, 21:21
Posts: 88
zorromymy wrote:
One more step...
Pulling down GPIO1 (SPI/ROM) and GPIO13 (HOST/DEVICE) at power-up configures the AR9331 as a device. It registers (as expected) as a VID=0xcf3, PID=0x9330 device on the desktop...

Do you mean a Windows or Linux desktop? In the case of Linux, what can you find in dmesg? Is there any device file assigned to the new USB device?


13 Sep 2013, 09:15

Joined: 21 Aug 2013, 21:21
Posts: 88
There is an additional configuration function on GPIO16, called "FW_DOWNLOAD", but it's already set to low: USB mode. I think it's a bootloader mode selector for internal ROM mode: you can switch between USB bootloader and wired network (MDIO) bootloader mode.

If you set it to high, then you should see a different mode on the UART console during startup.


13 Sep 2013, 09:51

Joined: 27 May 2013, 14:45
Posts: 11
Here is the Linux dmesg log...

[ 1.526243] usb 1-1: new high-speed USB device number 2 using ehci_hcd
[ 1.873459] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9330
[ 1.873473] usb 1-1: New USB device strings: Mfr=16, Product=32, SerialNumber=48
[ 1.873484] usb 1-1: Product: USB2.0 WLAN
[ 1.873493] usb 1-1: Manufacturer: ATHEROS
[ 1.873503] usb 1-1: SerialNumber: 12345


13 Sep 2013, 12:13

Joined: 27 May 2013, 14:45
Posts: 11
Yes, GPIO16 high + GPIO1 low starts MDIO mode...
Here is the UART output:

MAC booting...
ROM>:mdio download ready


13 Sep 2013, 12:30
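
Added example, not part of the thread and not 8devices or Atheros code: the boot-ROM UART banner and the host's dmesg lines quoted in the posts above describe the same USB descriptor, the ROM in hex and the kernel with decimal string indexes. The Python below parses both and reports which host port is enumerating a chip in ROM USB boot mode; the function names are hypothetical and the sample strings are constructed from the logs in the posts.

```python
import re

# Constructed sample input, copied from the log lines quoted in the thread.
UART_LOG = """Hornet USB booting...
VID=0xcf3,PID=0x9330
iManufacturer=0x10,iProduct=0x20,iSerialNumber=0x30
bMaxPower=0xfa
"""
DMESG_LOG = """[ 1.873459] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9330
[ 1.873473] usb 1-1: New USB device strings: Mfr=16, Product=32, SerialNumber=48
[ 1.873493] usb 1-1: Manufacturer: ATHEROS
"""

# Boot-ROM banners reported in the thread, mapped to the mode they announce.
BANNERS = {"Hornet USB booting...": "usb", "MAC booting...": "mdio"}

# UART field name -> dmesg field name for the same descriptor value.
PAIRS = {"VID": "idVendor", "PID": "idProduct", "iManufacturer": "Mfr",
         "iProduct": "Product", "iSerialNumber": "SerialNumber"}

def parse_uart(log):
    """Return (mode, descriptor fields) from a boot-ROM UART capture."""
    mode = next((m for b, m in BANNERS.items() if b in log), None)
    fields = {k: int(v, 16) for k, v in re.findall(r"(\w+)=0x([0-9a-fA-F]+)", log)}
    return mode, fields

def parse_dmesg(log):
    """Collect per-port descriptor values from kernel 'usb X-Y:' lines."""
    devices = {}
    for port, text in re.findall(r"usb (\d+-[\d.]+): (.*)", log):
        dev = devices.setdefault(port, {})
        if "New USB device found" in text:
            # idVendor/idProduct are printed as hex without a 0x prefix.
            for k, v in re.findall(r"(idVendor|idProduct)=([0-9a-fA-F]{4})", text):
                dev[k] = int(v, 16)
        elif "New USB device strings" in text:
            # String-descriptor indexes are printed in decimal.
            for k, v in re.findall(r"(Mfr|Product|SerialNumber)=(\d+)", text):
                dev[k] = int(v)
    return devices

def rom_usb_ports(uart_log, dmesg_log):
    """Host ports whose enumerated descriptor matches what the boot ROM printed."""
    mode, uart = parse_uart(uart_log)
    if mode != "usb":
        return []
    return [port for port, dev in parse_dmesg(dmesg_log).items()
            if all(dev.get(d) == uart.get(u) for u, d in PAIRS.items())]

if __name__ == "__main__":
    print(rom_usb_ports(UART_LOG, DMESG_LOG))
```
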
8devices

Joined: 07 Dec 2011, 16:01
Posts: 431
Location: Lithuania
zorromymy wrote:
I have just discovered that the internal ROM of the AR9331 has code to boot from USB instead of serial SPI.
As described in the AR9331 datasheet, pulling down GPIO1 at power-up triggers this feature...
Does anyone have more information about that and how to exploit it?
Question for 8devices' people... Do you use this feature to upload the serial flash, or do you use JTAG?


Hi,
we don't use this feature.
For manufacturing we are using an SPI chip programmer (BeeProg).


13 Sep 2013, 14:09

Joined: 27 May 2013, 14:45
Posts: 11
Quote:
For manufacturing we are using an SPI chip programmer (BeeProg).


Do you program the flash in situ or before the soldering process?
In-situ programming requires Hi-Z from the AR9331 if you don't want to stress (conflict with) GPIO pins.
My understanding is that only JTAG can switch the SPI pins to Hi-Z. Reset won't.


13 Sep 2013, 14:48