Linksys BEFVP41
The Linksys BEFVP41 (hardware version 2 in my case) is an "EtherFast(R) Cable/DSL VPN Router with 4-port switch".
Contents
Hardware
- ARM9 CPU: Samsung S3C2510A01 (0506 K9C09)
- 6 port 10/100 Mb/s Single Chip Ethernet Switch Controller: Infineon ADM6996L (AA0451 HSS430007.1SL)
- 2M x 32 Synchronous DRAM (SDRAM), 166MHz: EtronTech EM638325TS-6 (I470803RJJ870.1)
- 8M-Bit [1Mx8/512K x16] CMOS Single Voltage 3V only Flash Memory (NOR flash): Macronix MX29LV800BBTC-90 (S04431 2K571900)
- 10/100 Base-T Ethernet Isolation Transformer: BothHand-USA TS6121CX (0510S)
- ?: 2x YCL PH202484 (0409)
- Quad 2-input AND gate: Philips 74LVC08AD (AP844 06 UnG04496)
- 150Khz, 3A PWM Buck DC/DC Converter: AnaChip AP1501-33 (04372)
- 1A Low Dropout Positive Adjustable or Fixed-Mode Regulator: AnaChip AP1117 (4LA)
- 10MHz crystal (for S3C2510A01): TXC BAy27 10.000
- 25MHz crystal (for ADM6996L): 25.0F4M
Photos
Device, top
Device, bottom
Device, front
Device, back
Label
PCB, front
PCB, back
Samsung S3C2510A01
Infineon ADM6996L
EtronTech EM638325TS-6
Macronix MX29LV800BBTC-90
BothHand-USA TS6121CX
Philips 74LVC08AD
YCL PH202484
AnaChip AP1117
AnaChip AP1501-33
Note: Photos also available in my respective flickr set.
UART
The CN5 connector (unpopulated, you have to solder pin-headers yourself) contains UART RXD/TXD/GND pins you can use to get serial console access.
Pinout (from left to right): VCC (3.3V), RXD, TXD, ???, GND, GND.
As usual, you have to use some TTL (3.3V) serial cable, not a "real" serial port/cable on a PC, otherwise you will fry the chip. I'm using a standard FTDI TTL-232R-3V3 cable.
Bootlog
------- START AP --- IMG = VP21 ---- ------- START watchdog timer---- pADEntry End 00497360
Bootloader commands
You can enter any unknown command (e.g. q) and then press enter to get into the bootloader shell.
q Illigal command: q Valid are : macst -- Display MAC status nvsave -- Save NV content tcache -- Toggle cache mbuf -- Show free memory buffer mread <address> <length> -- Display memory content mwrite <address> -- Write data to memory mcomp <address1> <address2> <length> -- Compare memory content rpci <register offset> -- Display PCI Configure Register wpci <register offset> -- Set PCI Configure Register cptest -- Estimate Duration of Different Copy Method ppkt <eth_no> <tx(1)/rx(0)> <length> -- print packet stack -- show system stack info wdt -- on/off watch dog wdtreset -- stop toggle watch dog CON>
CON>macst MAC1: Rxisr:0,RxGood:0,WritE:9,Txgood:9 BRxFull:0,BRxEly:0,Mac_Q_full:0,RxTmpCount:0 ErrorPacketCnt:0,RxMax:0,ForceBRxEn:0,TxRel:9 TxMax:1,TxBdmaNoQwn:0 gNTxBDPtr:770848 gCTxBDPtr:770848 TxFull:0
CON>mbuf free_buff_no = 633, in list 633
CON>stack USR Stack button 0022a1a4 USR Stack top 0020a1a4 USR Stack used top 00229b20, 0x684 byte IRQ Stack button 002321a4 IRQ Stack top 0022e1a4 IRQ Stack used top 00232150, 0x54 byte
CON>wdt Watch Dog off
CON>wdt Watch Dog on
JTAG
The CN4 connector is a standard 2x10-pin ARM JTAG connector (2.54mm pitch). There are no pin-headers soldered-on, you have to add those yourself.
OpenOCD
With a small patch, OpenOCD can talk to the S3C2510A01 (kinda). The chip is an ARM940T really (not ARM920T), which seems unsupported in OpenOCD so far. But they seem similar enough to make at least some things work.
$ openocd -f interface/jtagkey2.cfg -c 'adapter_khz 1000' -f target/samsung_s3c2510a.cfg
Open On-Chip Debugger 0.6.0-dev-00493-gd40cb56 (2012-04-01-21:27)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.sourceforge.net/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'jtag'
1000 kHz
trst_and_srst separate srst_gates_jtag trst_push_pull srst_open_drain
Info : max TCK change to: 30000 kHz
Info : clock speed 1000 kHz
Info : JTAG tap: s3c2510a.cpu tap/device found: 0x1094009d (mfg: 0x04e, part: 0x0940, ver: 0x1)
Info : Embedded ICE version 2
Info : s3c2510a.cpu: hardware has 2 breakpoint/watchpoint units
In another xterm run:
$ telnet 127.0.0.1 4444 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Open On-Chip Debugger
> halt
> s3c2510a.cpu curstate halted
JTAG basics
> scan_chain TapName Enabled IdCode Expected IrLen IrCap IrMask -- ------------------- -------- ---------- ---------- ----- ----- ------ 0 s3c2510a.cpu Y 0x1094009d 0x1094009d 4 0x01 0x0f
> targets
TargetName Type Endian TapName State
-- ------------------ ---------- ------ ------------------ ------------
0* s3c2510a.cpu arm920t little s3c2510a.cpu halted
NOR flash access
> flash probe 0 Flash Manufacturer/Device: 0x00c2 0x225b flash 'cfi' found at 0x00000000
> flash banks #0 : s3c2510a.extnorflash (cfi) at 0x00000000, size 0x00100000, buswidth 2, chipwidth 2
> flash list
{name cfi base 0 size 1048576 bus_width 2 chip_width 2}
> flash info 0
#0 : cfi at 0x00000000, size 0x00100000, buswidth 2, chipwidth 2
# 0: 0x00000000 (0x4000 16kB) not protected
# 1: 0x00004000 (0x2000 8kB) not protected
# 2: 0x00006000 (0x2000 8kB) not protected
# 3: 0x00008000 (0x8000 32kB) not protected
# 4: 0x00010000 (0x10000 64kB) not protected
# 5: 0x00020000 (0x10000 64kB) not protected
# 6: 0x00030000 (0x10000 64kB) not protected
# 7: 0x00040000 (0x10000 64kB) not protected
# 8: 0x00050000 (0x10000 64kB) not protected
# 9: 0x00060000 (0x10000 64kB) not protected
# 10: 0x00070000 (0x10000 64kB) not protected
# 11: 0x00080000 (0x10000 64kB) not protected
# 12: 0x00090000 (0x10000 64kB) not protected
# 13: 0x000a0000 (0x10000 64kB) not protected
# 14: 0x000b0000 (0x10000 64kB) not protected
# 15: 0x000c0000 (0x10000 64kB) not protected
# 16: 0x000d0000 (0x10000 64kB) not protected
# 17: 0x000e0000 (0x10000 64kB) not protected
# 18: 0x000f0000 (0x10000 64kB) not protected
non-CFI flash: mfr: 0x00c2, id:0x225b
qry: 'QRY', pri_id: 0x0002, pri_addr: 0x0000, alt_id: 0x0000, alt_addr: 0x0000
Vcc min: 0.0, Vcc max: 0.0, Vpp min: 0.0, Vpp max: 0.0
typ. word write timeout: 1024 us, typ. buf write timeout: 8192 us, typ. block erase timeout: 8192 ms, typ. chip erase timeout: 65536 ms
max. word write timeout: 1024 us, max. buf write timeout: 8192 us, max. block erase timeout: 8192 ms, max. chip erase timeout: 65536 ms
size: 0x100000, interface desc: 2, max buffer write size: 0x1
Spansion primary algorithm extend information:
pri: 'PRI', version: 1.0
Silicon Rev.: 0x0, Address Sensitive unlock: 0x0
Erase Suspend: 0x0, Sector Protect: 0x0
VppMin: 0.0, VppMax: 0.0
Dumping the NOR flash contents
It seems you should not run flash probe 0 before doing this, there's probably something wrong in my current OpenOCD config. However, the command below works out of the box right after OpenOCD init/connection (without running any flash commands before), as the NOR flash is mapped to 0x00000000 from the start.
> dump_image linksys_befvp41_nor.dd 0x00000000 0x100000 dumped 1048576 bytes in 46.292549s (22.120 KiB/s)
Resources
- DD-WRT Forum Forum: BEFVP41 problem
- OpenWrt Forum: Linksys BEFVP41 ready for OpenWRT?
- Meritech: S3C2510A
- Samsung Pumps Up Its ADSL Silicon With ARM9 Performance (S3C2510 accounce)
- Fudantech FD2510A-DevPlatform (PDF)
- picoOS (RTOS that's supposed to support the S3C2510A)
