Linksys BEFVP41

From Random Projects

The Linksys BEFVP41 (hardware version 2 in my case) is an "EtherFast(R) Cable/DSL VPN Router with 4-port switch".



Note: Photos also available in my respective flickr set.


The CN5 connector (unpopulated, you have to solder pin-headers yourself) contains UART RXD/TXD/GND pins you can use to get serial console access.

Pinout (from left to right): VCC (3.3V), RXD, TXD, ???, GND, GND.

As usual, you have to use a 3.3V TTL-level serial cable, not a "real" RS-232 serial port/cable on a PC, otherwise the higher RS-232 voltage levels will fry the chip. I'm using a standard FTDI TTL-232R-3V3 cable.


------- START AP --- IMG = VP21 ---- 

------- START watchdog timer----
pADEntry End 00497360

Bootloader commands

You can enter any unknown command (e.g. q) and then press Enter to get into the bootloader shell, which also prints the list of valid commands:

Illigal command: q
Valid are :
  macst  -- Display MAC status
  nvsave  -- Save NV content
  tcache  -- Toggle cache
  mbuf  -- Show free memory buffer
  mread <address> <length>  -- Display memory content
  mwrite <address>   -- Write data to memory
  mcomp <address1> <address2> <length>  -- Compare memory content
  rpci <register offset> -- Display PCI Configure Register
  wpci <register offset>  -- Set PCI Configure Register
  cptest -- Estimate Duration of Different Copy Method
  ppkt <eth_no> <tx(1)/rx(0)> <length>  -- print packet
  stack -- show system stack info
  wdt -- on/off watch dog 
  wdtreset -- stop toggle watch dog 

MAC1: Rxisr:0,RxGood:0,WritE:9,Txgood:9 
   TxMax:1,TxBdmaNoQwn:0 gNTxBDPtr:770848 gCTxBDPtr:770848 TxFull:0
free_buff_no = 633, in list 633
USR Stack button 0022a1a4
USR Stack top 0020a1a4
USR Stack used top 00229b20, 0x684 byte
IRQ Stack button 002321a4
IRQ Stack top 0022e1a4
IRQ Stack used top 00232150, 0x54 byte
Watch Dog off 
Watch Dog on
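The stack report above is worth being able to read when you are poking at the bootloader: "button" is the bootloader's spelling of "bottom", i.e. the high address each stack starts at, and the stack grows down towards "top", so the used-byte count it prints is bottom minus "used top". The following Python script is an added example (not code from the page or from Linksys) that parses such a report, copied here as a constructed sample from the session above, and recomputes size, usage and headroom for each stack, checking its own result against the count the bootloader printed.

```python
import re

# Constructed sample: the `stack` report as printed by the BEFVP41 bootloader
# (values copied from the serial session above).
STACK_REPORT = """\
USR Stack button 0022a1a4
USR Stack top 0020a1a4
USR Stack used top 00229b20, 0x684 byte
IRQ Stack button 002321a4
IRQ Stack top 0022e1a4
IRQ Stack used top 00232150, 0x54 byte
"""

LINE_RE = re.compile(
    r"^(?P<name>\w+) Stack (?P<field>button|top|used top) "
    r"(?P<addr>[0-9a-fA-F]{8})(?:, 0x(?P<used>[0-9a-fA-F]+) byte)?$"
)


def parse_stack_report(text):
    """Return {stack name: {"bottom", "top", "used_top", "reported_used"}}.

    'button' in the bootloader output is its spelling of 'bottom': the high
    address the stack starts at. The stack grows down towards 'top'.
    """
    stacks = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not part of the stack report
        s = stacks.setdefault(m["name"], {})
        addr = int(m["addr"], 16)
        if m["field"] == "button":
            s["bottom"] = addr
        elif m["field"] == "top":
            s["top"] = addr
        else:
            s["used_top"] = addr
            s["reported_used"] = int(m["used"], 16)
    return stacks


def stack_usage(stacks):
    """Compute size, used bytes and remaining headroom per stack, and check
    that bottom - used_top equals the byte count the bootloader reported."""
    out = {}
    for name, s in stacks.items():
        size = s["bottom"] - s["top"]
        used = s["bottom"] - s["used_top"]
        out[name] = {
            "size": size,
            "used": used,
            "free": size - used,
            "matches_report": used == s["reported_used"],
        }
    return out


if __name__ == "__main__":
    for name, u in stack_usage(parse_stack_report(STACK_REPORT)).items():
        print("%s: size=0x%x used=0x%x free=0x%x matches_report=%s"
              % (name, u["size"], u["used"], u["free"], u["matches_report"]))
```

For the session above this gives a 128 kB USR stack (0x20000 bytes) with 0x684 bytes in use and a 16 kB IRQ stack (0x4000 bytes) with 0x54 bytes in use, both agreeing with the bootloader's own count.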


The CN4 connector is a standard 2x10-pin ARM JTAG connector (2.54mm pitch). There are no pin-headers soldered on; you have to add those yourself.


With a small patch, OpenOCD can talk to the S3C2510A01, more or less. The chip is really an ARM940T (not an ARM920T), which OpenOCD does not seem to support so far, but the two cores are similar enough that at least some things work when the chip is configured as an arm920t target.

$ openocd -f interface/jtagkey2.cfg -c 'adapter_khz 1000' -f target/samsung_s3c2510a.cfg
Open On-Chip Debugger 0.6.0-dev-00493-gd40cb56 (2012-04-01-21:27)
Licensed under GNU GPL v2
For bug reports, read
Info : only one transport option; autoselect 'jtag'
1000 kHz
trst_and_srst separate srst_gates_jtag trst_push_pull srst_open_drain
Info : max TCK change to: 30000 kHz
Info : clock speed 1000 kHz
Info : JTAG tap: s3c2510a.cpu tap/device found: 0x1094009d (mfg: 0x04e, part: 0x0940, ver: 0x1)
Info : Embedded ICE version 2
Info : s3c2510a.cpu: hardware has 2 breakpoint/watchpoint units

In another xterm run:

$ telnet 4444
Connected to
Escape character is '^]'.
Open On-Chip Debugger
> halt
> s3c2510a.cpu curstate

JTAG basics

> scan_chain
   TapName             Enabled  IdCode     Expected   IrLen IrCap IrMask
-- ------------------- -------- ---------- ---------- ----- ----- ------
 0 s3c2510a.cpu           Y     0x1094009d 0x1094009d     4 0x01  0x0f
> targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0* s3c2510a.cpu       arm920t    little s3c2510a.cpu       halted
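Before writing to or erasing anything over JTAG it is worth confirming that the TAP OpenOCD found is the chip the config expects. The IDCODE 0x1094009d that OpenOCD reports is split into version / part / manufacturer fields by the IEEE 1149.1 layout (bits 31:28, 27:12 and 11:1, with bit 0 always 1), which is how it arrives at "mfg: 0x04e, part: 0x0940, ver: 0x1" in the log above. The following Python script is an added example (not part of the page, not OpenOCD code) that decodes an IDCODE this way, parses the scan_chain table copied above as a constructed sample, and flags the basic inconsistencies a defender would want to notice (IDCODE not matching the expected value, an IR capture value that does not end in the mandatory 0b01). The manufacturer lookup table only contains the one code seen on this board; 0x04e is the JEP106 code for Samsung (0xCE with the parity bit stripped).

```python
# Constructed sample: the `scan_chain` table as printed by OpenOCD above.
SCAN_CHAIN = """\
   TapName             Enabled  IdCode     Expected   IrLen IrCap IrMask
-- ------------------- -------- ---------- ---------- ----- ----- ------
 0 s3c2510a.cpu           Y     0x1094009d 0x1094009d     4 0x01  0x0f
"""

# JEP106 manufacturer codes in the 11-bit form OpenOCD prints (parity bit
# stripped). Only the code seen on this board is listed.
JEP106 = {0x04e: "Samsung"}


def decode_idcode(idcode):
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields."""
    if not 0 <= idcode <= 0xffffffff or idcode & 1 == 0:
        raise ValueError("not a valid IDCODE: %#x (bit 0 must be 1)" % idcode)
    return {
        "version": (idcode >> 28) & 0xf,   # bits 31:28
        "part": (idcode >> 12) & 0xffff,   # bits 27:12
        "mfg": (idcode >> 1) & 0x7ff,      # bits 11:1
    }


def parse_scan_chain(text):
    """Parse the rows of OpenOCD's `scan_chain` table into dicts."""
    taps = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0].isdigit():
            continue  # header and separator lines
        taps.append({
            "index": int(f[0]), "name": f[1], "enabled": f[2] == "Y",
            "idcode": int(f[3], 16), "expected": int(f[4], 16),
            "irlen": int(f[5]), "ircap": int(f[6], 16), "irmask": int(f[7], 16),
        })
    return taps


def check_tap(tap):
    """Return a list of problems with a TAP row; an empty list means it looks sane."""
    problems = []
    if tap["idcode"] != tap["expected"]:
        problems.append("IDCODE %#010x differs from expected %#010x"
                        % (tap["idcode"], tap["expected"]))
    # IEEE 1149.1 requires the two least significant bits of the value captured
    # into the instruction register to be 0b01.
    if (tap["ircap"] & tap["irmask"] & 0b11) != 0b01:
        problems.append("IR capture value %#x does not end in 0b01" % tap["ircap"])
    if tap["irlen"] < 2:
        problems.append("IR length %d is shorter than the 2-bit minimum" % tap["irlen"])
    return problems


def describe_tap(tap):
    """Human-readable summary in the same spirit as OpenOCD's 'tap/device found' line."""
    d = decode_idcode(tap["idcode"])
    vendor = JEP106.get(d["mfg"], "unknown vendor")
    return "%s: idcode %#010x (mfg: %#05x %s, part: %#06x, ver: %#x)" % (
        tap["name"], tap["idcode"], d["mfg"], vendor, d["part"], d["version"])


if __name__ == "__main__":
    for tap in parse_scan_chain(SCAN_CHAIN):
        print(describe_tap(tap))
        for p in check_tap(tap):
            print("  problem:", p)
```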

NOR flash access

> flash probe 0
Flash Manufacturer/Device: 0x00c2 0x225b
flash 'cfi' found at 0x00000000
> flash banks
#0 : s3c2510a.extnorflash (cfi) at 0x00000000, size 0x00100000, buswidth 2, chipwidth 2
> flash list
{name cfi base 0 size 1048576 bus_width 2 chip_width 2}
> flash info 0
#0 : cfi at 0x00000000, size 0x00100000, buswidth 2, chipwidth 2
        #  0: 0x00000000 (0x4000 16kB) not protected
        #  1: 0x00004000 (0x2000 8kB) not protected
        #  2: 0x00006000 (0x2000 8kB) not protected
        #  3: 0x00008000 (0x8000 32kB) not protected
        #  4: 0x00010000 (0x10000 64kB) not protected
        #  5: 0x00020000 (0x10000 64kB) not protected
        #  6: 0x00030000 (0x10000 64kB) not protected
        #  7: 0x00040000 (0x10000 64kB) not protected
        #  8: 0x00050000 (0x10000 64kB) not protected
        #  9: 0x00060000 (0x10000 64kB) not protected
        # 10: 0x00070000 (0x10000 64kB) not protected
        # 11: 0x00080000 (0x10000 64kB) not protected
        # 12: 0x00090000 (0x10000 64kB) not protected
        # 13: 0x000a0000 (0x10000 64kB) not protected
        # 14: 0x000b0000 (0x10000 64kB) not protected
        # 15: 0x000c0000 (0x10000 64kB) not protected
        # 16: 0x000d0000 (0x10000 64kB) not protected
        # 17: 0x000e0000 (0x10000 64kB) not protected
        # 18: 0x000f0000 (0x10000 64kB) not protected

non-CFI flash: mfr: 0x00c2, id:0x225b

qry: 'QRY', pri_id: 0x0002, pri_addr: 0x0000, alt_id: 0x0000, alt_addr: 0x0000
Vcc min: 0.0, Vcc max: 0.0, Vpp min: 0.0, Vpp max: 0.0
typ. word write timeout: 1024 us, typ. buf write timeout: 8192 us, typ. block erase timeout: 8192 ms, typ. chip erase timeout: 65536 ms
max. word write timeout: 1024 us, max. buf write timeout: 8192 us, max. block erase timeout: 8192 ms, max. chip erase timeout: 65536 ms
size: 0x100000, interface desc: 2, max buffer write size: 0x1

Spansion primary algorithm extend information:
pri: 'PRI', version: 1.0
Silicon Rev.: 0x0, Address Sensitive unlock: 0x0
Erase Suspend: 0x0, Sector Protect: 0x0
VppMin: 0.0, VppMax: 0.0

Dumping the NOR flash contents

It seems you should not run "flash probe 0" before doing this; there is probably something wrong in my current OpenOCD config. However, the command below works out of the box right after OpenOCD init/connection (without running any flash commands first), as the NOR flash is mapped at 0x00000000 from the start.

> dump_image linksys_befvp41_nor.dd 0x00000000 0x100000
dumped 1048576 bytes in 46.292549s (22.120 KiB/s)
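Once you have a dump, the sector table from "flash info 0" above tells you how it is laid out: a 16 kB boot sector, two 8 kB sectors and a 32 kB sector at the bottom, then fifteen uniform 64 kB sectors, 0x100000 bytes in total, which matches the 1048576 bytes dump_image wrote. The following Python script is an added example (not code from the page or from OpenOCD) that parses that sector listing, copied here as a constructed sample, checks that the sectors are contiguous and cover the whole bank, and then computes a SHA-256 per sector of an image so that a later dump of the same device can be compared sector by sector; the image used below is constructed in the script, not the real dump, and the function names are my own.

```python
import hashlib
import re

# Constructed sample: the bank line and sector listing from `flash info 0` above.
FLASH_INFO = """\
#0 : cfi at 0x00000000, size 0x00100000, buswidth 2, chipwidth 2
        #  0: 0x00000000 (0x4000 16kB) not protected
        #  1: 0x00004000 (0x2000 8kB) not protected
        #  2: 0x00006000 (0x2000 8kB) not protected
        #  3: 0x00008000 (0x8000 32kB) not protected
""" + "".join(
    # sectors 4..18 are uniform 64 kB sectors, generated here rather than typed out
    "        # %2d: 0x%08x (0x10000 64kB) not protected\n" % (i, 0x10000 * (i - 3))
    for i in range(4, 19)
)

BANK_RE = re.compile(r"^#(\d+) : (\w+) at 0x([0-9a-f]+), size 0x([0-9a-f]+)")
SECTOR_RE = re.compile(
    r"^#\s*(\d+): 0x([0-9a-f]+) \(0x([0-9a-f]+) \d+kB\) (not protected|protected)$")


def parse_flash_info(text):
    """Return (bank dict, list of sector dicts) from OpenOCD's `flash info` output."""
    bank, sectors = None, []
    for line in text.splitlines():
        line = line.strip()
        m = BANK_RE.match(line)
        if m:
            bank = {"index": int(m[1]), "driver": m[2],
                    "base": int(m[3], 16), "size": int(m[4], 16)}
            continue
        m = SECTOR_RE.match(line)
        if m:
            sectors.append({"index": int(m[1]), "offset": int(m[2], 16),
                            "size": int(m[3], 16), "protected": m[4] == "protected"})
    return bank, sectors


def check_layout(bank, sectors):
    """Sectors must start at offset 0, be contiguous, and add up to the bank size."""
    expect = 0
    for s in sectors:
        if s["offset"] != expect:
            return False
        expect += s["size"]
    return expect == bank["size"]


def sector_digests(bank, sectors, image):
    """SHA-256 of each sector of a dumped image: a baseline for later comparison."""
    if len(image) != bank["size"]:
        raise ValueError("image is %d bytes, bank is %d" % (len(image), bank["size"]))
    return {s["index"]: hashlib.sha256(image[s["offset"]:s["offset"] + s["size"]]).hexdigest()
            for s in sectors}


def changed_sectors(baseline, current):
    """Indices of sectors whose digest differs between two dumps."""
    return sorted(i for i in baseline if baseline[i] != current.get(i))


def build_sample_image(size):
    """Constructed stand-in for a dump: a repeating 0x00..0xff pattern."""
    return (bytes(range(256)) * (size // 256 + 1))[:size]


if __name__ == "__main__":
    bank, sectors = parse_flash_info(FLASH_INFO)
    print("bank %d (%s): %d sectors, layout ok: %s"
          % (bank["index"], bank["driver"], len(sectors), check_layout(bank, sectors)))
    image = build_sample_image(bank["size"])
    baseline = sector_digests(bank, sectors, image)
    modified = bytearray(image)
    modified[0x20010] ^= 0xff            # flip one byte inside sector 5 (0x20000..0x2ffff)
    print("changed sectors:", changed_sectors(baseline, sector_digests(bank, sectors, bytes(modified))))
```

Keeping the per-sector digests of a known-good dump lets you tell later, for instance after a firmware update or when you suspect the unit has been tampered with, exactly which sectors changed instead of only learning that the 1 MB image differs somewhere.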