cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
29679
Views
11
Helpful
22
Replies

Lets figure out the U-BOOT flash procedure together. (TAC UNLOCKED)

FIX A PC
Level 1
Level 1

Ok guys so i noticed on all the wave 2+ APs cisco are now using the U-boot bootloader and documentation for it is little to none. 

I have a good amount of experience recovering and restoring APs. When i deploy APs for clients i prefer to format the flash and reinstall the newest IOS from scratch via TFTP or Xmodem send file command.

Ive been searching through some of the U-Boot commands and see it is possible to set environment variables just like the old SET command and i also see tftp boot options etc....

 

So it seems to be it is very possible to reflash the new APs using UBOOT and it looks like this bootloader is even more capable than the old one.  This is a pretty important procedure for me to learn and i will be on this issue till i get it solved hopefully. Ive seen a few post and others complaining about the new bootloader commands. Some of them getting further than others. 

I have found a very helpful Youtube video on the bootloader from the Linux foundation but other than that i cant seem to find much. 

 

Going to be going through this video and playing with commands for a bit.

 

Currently looking for how to format the internal flash via U-BOOT if anyone knows the process please let me know it will save me alot of time. 

 

Anyway i know some of you have gotten further than others on this. 

 

I will be actively updating this topic with advances i found in restoring bricked APs with UBOOT

 

I figured out some of the TFTP commands but iam looking still looking for how to format the flash.  

 

I will also be making a tutorial on this process as soon as i have it figured out. 

https://www.youtube.com/watch?v=INWghYZH3hI&t=6s

 

Available commands in air-cap3802i-b-k9 that i have obtained (believed to be TAC unlocked) 9/11/2021

SatR - Sample At Reset sub-system
active_units- print active units on board
askenv - get environment variables from stdin
base - print or set address offset
bdinfo - print Board Info structure
boardinit- Downlod and execute board initialization script
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootelf - Boot from an ELF image in memory
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
bootz - boot Linux zImage image from memory
bubt - bubt - Burn an image on the Boot flash device.

chpart - change active partition
clear_board_env- Clears board env
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
date - get/set/reset date & time
ddrPhyRead- ddrPhyRead - Read DDR PHY register

ddrPhyWrite- ddrPhyWrite - Write DDR PHY register

dhcp - boot image via network using DHCP/TFTP protocol
dma - dma - Perform DMA using the XOR engine

dump_board_env- Dump board env
dump_emserial- Dump EM unique serial number
echo - echo args to console
editenv - edit environment variable
efuse - eFuse manipulation subsystem for secure boot mode
env - environment handling commands
exit - exit script
ext2load- load binary file from a Ext2 filesystem
ext2ls - list files in a directory (default /)
ext4load- load binary file from a Ext4 filesystem
ext4ls - list files in a directory (default /)
ext4write- create a file in the root directory
false - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
fdt - flattened device tree utility commands
fipsalgval- run algorithm validation on test vector bibnar in memory, default:20 00000 (0x02000000)
fsinfo - print information about filesystems
fsload - load binary file from a filesystem image
go - start application at address 'addr'
help - print command description/usage
i2c - I2C sub-system
iminfo - print header information for application image
imxtract- extract a part of a multi-image
init_aquantia_phy-

init_aquantia_phy -- DEFAULT AQ_FW_LOADADDR=0x4000000


ir - ir - reading and changing MV internal register values.

itest - return true/false on integer compare
ledstate- Set Led State
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loadx - load binary file over serial line (xmodem mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
ls - list files in a directory (default /)
map - map - Display address decode windows

md - memory display
me - me - PCIe master enable

mm - memory modify (auto-incrementing address)
mp - mp - map PCIe BAR

mtdparts- define flash/nand partitions
mtest - simple RAM read/write test
mvEthPortCounters- Port counter

mvEthPortMcastShow- Port multicast counter

mvEthPortRegs- Neta register values

mvEthPortRmonCounters- Port RMON counter

mvEthPortUcastShow- Port unicast counter

mvEthRegs- Neta register values

mvNetComplexNssSelect- Neta register values

mvNetaGmacRegs- Neta register values

mvNetaPortRegs- Neta register values

mvNetaPortStatus- Neta register values

mvsource- mvsource - Burn a script image on flash device.

mw - memory write (fill)
nand - NAND sub-system
nandboot- boot Linux from NAND partition
nboot - boot from NAND device
neta_dump- Neta register values

netboot - boot Linux from network using TFTP/bootp
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
pci - list and access PCI Configuration Space
pciePhyRead- phyRead - Read PCI-E Phy register

pciePhyWrite- pciePhyWrite - Write PCI-E Phy register

phyRead - phyRead - Read Phy register

phyWrite- phyWrite - Write Phy register

phy_fw_down_to_ram- phy_fw_down - Downloads x3220/3310 Ethernet transceiver PHY firmware to ram. Use .hdr file.

phy_fw_down_to_spi- phy_fw_down - Downloads x3220/3310 Ethernet transceiver PHY firmware to spi. Use .hdr as app and .bin file as slave

phy_type- phy_type - Return PHY type at port index

ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
prog_emblacklist- Program EM blacklist
prog_emcookie- Download and program EM cookie
prog_emeeprom- Program EM EEPROM with raw binary data
prog_emignore- Program EM ignore
prog_emserial- Program EM unique serial number
prog_emwhitelist- Program EM whitelist
prog_flags- Program board env flags
prog_phyfw- Download and program PHY firmware
progpid - Program PID cookie
pxe - commands to get and boot from pxe files
rcvr - rcvr - Start recovery process (with TFTP server)

reset - Perform RESET of the CPU
resetenv- resetenv - Erase environment sector to reset all variables to default.

run - run commands in an environment variable
saveenv - save environment variables to persistent storage
se - se - PCIe Slave enable

setenv - set environment variables
sf - SPI flash sub-system
sg - sg - scanning the PHYs status

showvar - print local hushshell variables
sleep - delay execution for some time
source - run script from memory
sp - scan and detect all devices on PCI-e interface
sspi - SPI utility command
switchCountersRead- switchCntPrint - Read switch port counters.

switchPhyRegRead- - Read switch register

switchPhyRegWrite- - Write switch register

switchRegRead- switchRegRead - Read switch register

switchRegWrite- switchRegWrite - Write switch register

sysboot - command to get and boot from syslinux files
temp - temp - Display the device temperature.

tempCmd0- tempCmd - This command allocated for monitor extinction

tempCmd1- tempCmd - This command allocated for monitor extinction

tempCmd2- tempCmd - This command allocated for monitor extinction

tempCmd3- tempCmd - This command allocated for monitor extinction

test - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
training- training - prints the results of the DDR3 Training.

trainingStability- training - prints the results of the DDR3 Training.

true - do nothing, successfully
ts_report- ts_report - report touch screen coordinate

ts_test - ts_test - test touch screen

ubi - ubi commands
ubifsload- load file from an UBIFS filesystem
ubifsls - list files in a directory
ubifsmount- mount UBIFS volume
ubifsumount- unmount UBIFS volume
verify_bl- Cisco Bootloader signature verify
verify_lx- Cisco Image signature verify
version - print monitor, compiler and linker version
whoAmI - - reading CPU ID

xsmiPhyRead- xsmiPhyRead - Read Phy register through XSMI interface

xsmiPhyWrite- xsmiPhyWrite - Write Phy register through XSMI interface

 

 

Updated 9/11/2021

Setting environment variables to configure IP address prior to TFTP flash

setenv ipaddr 77.77.77.30   (Sets IP of AP)

setenv serverip 77.77.77.3  (Sets IP and netmask of server for file transfers)

setenv bootfile AIR-AP1850-K9-8-10-162-0.tar (sets the filename for the tftp boot command)

tftpboot (starts loading specified file from a running tftp server)

rcvr (Starts recovery process with tftp server, requires variables to be set)
setenv rcvr_image (Needed for rcvr to work properly)

set loadaddr (I believe 0x2000000 is the value that is supposed to be used when using rcvr, need confirmation)

 

 

 

Experience with Rcvr command

       Variables set

             setenv loadaddr  0x2000000

             setenv rcvr_image AIR-AP3800-K9-ME-8-10-162-0.tar

             setenv serverip 77.77.77.3

             setenv ipaddr 77.77.77.209

 

So after setting the 4 variables, rcvr seems to properly executing the command.  But it ends in signature verification..... any ideas?

 

 

High Performance Networking
Tutorial: Introduction to the Embedded Boot Loader U-boot - Behan Webster, Converse in Code
22 Replies 22

Leo Laohoo
Hall of Fame
Hall of Fame

@FIX A PC wrote:

I have a good amount of experience recovering and restoring APs. When i deploy APs for clients i prefer to format the flash and reinstall the newest IOS from scratch via TFTP or Xmodem send file command.


APs with classic IOS were very easy to re-flash or re-load the IOS. 

Cisco has made it very difficult to do the same with APs running Cheetah OS.  A lot of the u-boot functions require TAC to generate a challenge token and when one is the field, it can take some time.  

My rule-of-thumb for Cheetah OS APs with corrupt OS is:  Contact Cisco TAC and RMA. 

FIX A PC
Level 1
Level 1

Ok guys i have obtained about 4 air-cap3802i-b-k9 APs, 2 of them being TAC unlocked i believe.......

So i have been working with the rcvr command and have made some progress..... 

when attempting to use loadaddr 0x3f9f8bb0 rcvr seems to stop during 15% of the file transfer and freeze.

when attempting to use the load addr 0x2000000 rcvr tftp seems to accept the file just file, it than starts booting but than eventually fails on signature verification. 

 

I know iam getting close here but iam not sure if iam using the correct load addr and or if the command is compatible with a tar file containing a full mobility image, i have also tried a light weight image as well. 

High Performance Networking

Did you ever solve this I am at the same point with a 3802e

RMA it, you have 10 years of warranty typically on those models.

hi - are you able to fix your issue? thanks and provide some background if you have fixed it? i have the same issue.

frankpicaport
Level 1
Level 1

I hope you could resolve this issue.

Im trying to resolve too, I will let you know inmediatly.

I see you dedication i this problem, is awsome XD. 

DivakaranV
Level 1
Level 1

Hi did we all resolved this section. I have 4800 series in capwap 8.7.106 which I wanted to move  away to mobility based. I downloaded the software but when I try to ap-type mobility or archive commend it always says the file corrupted. I tried all versions. In the beginning it says some same issue and I think we need to erase the flash format and load capwap other image like 8.3 or 8.5 and then convert to mobility image. I need some help how to delete existing portion reflash and start fresh from uboot. Can some one help

I had luck after downloading and installing LWAP version 15.3.3-JPN1 then upgrading to ME 8.10.on 3800 & 2800 APs. 

Good Luck ..

hi Razelle - can you please share me 15.3.3-JPN1 if possible to my email id? i do not have the support and unable to download. thanks

 

Hi, I can't do that you must have a valid service contract with Cisco. Sorry

thanks for the response and i am able resolve it now. thanks, how much normally that would cost to get a smart net support for individual account for only wireless devices. my existing authorization from my corporate account does not have that specific privilege for that models.. 

DivakaranV
Level 1
Level 1

thanks for your time to write on this. i tried different versions and for everything it says, the file is not authorized to run. when i check the date of the access in u-boot prompt, uboot>>date (enter)<-|

I get Date: 2036-09-18 (Thursday) Time 18:42:05

when i try to change the date with date comment and syntax is date [MMDDhhmm][[CC]YY][.ss] and I am in central and to change to current date and time i execute date 100211432023.21 but what i get again is   2036-09-18 (Thursday) Time 18:42:05

i am not able to chnage it. if we understand the images are signed and created with date validy and will that be an issue here and i am not able to change the date of the ap in U-Boot>> prompt. is there any thoughts and advise please? also i do not have contract with CISCO and can you share me the 15.3.3-JPN1 and my id is diva.varadam@gmail.com. thanks and appreicate your help.

Finally I am able to figure out the issue and resolved it. my AP was running 8.7.106 CAPWAP and when I try to upgrade to 8.10.XXX any version, it was throwing disk space error, insufficient space in part2 and unable to extract the tar file and the migration fails. So finally what I did upgraded the device to ap3g3 15.3.3.jpj3a and then to ME 8.10.185 and all went fine. i am able to configure the controller and the ap now and everything works fine. But in this process I bricked one the of 4800 while I upgrade the firmware and that AP is completely dead and no display however in POE switch port, i am able to see that the device is getting the power from the switch and some oneboard LED's are blinking while i connect the power. I am sure I screwed the UBOOT loader and is there any way that i can restore it? i tried all the reset factory options nothing worked. is there any hardware shop method to recover the flash and reflash it? the access point is 4800. 

How did you manage to upgrade when the device does not boot?

Review Cisco Networking for a $25 gift card