Some instruction to connect UART to CIP XM-JPR2-R

Van-Toan Ha

Van-Toan Ha

n3wb
Dec 15, 2017
2
0
Hi everybody,
I am working on a CIP XM-JPR2-R. After working around with nmap, I can see no terminal port is opened. I want to connect to any serial interface, modify somethings to open telnet, or extract firmware for further. I took some figures of this, please give me some instruction about serial type, cable, etc.

Dropbox - XM-JPR2-R
 
My guess - and it is just a guess - is that the serial interface connections are the 3 pads at the circuit board corner near the ribbon cable.
What you will likely need to communicate with it is a 'USB to serial TTL convertor' - search your favourite on-line store for 'PL2303HX based USB to serial TTL convertor'.
 
At now, I could open serial terminal via USB UART CP2102 Connector. I have tried to config network, but Hisicon Ethernet seem down, or did not load on boot.
There are some output I have captured
System startup


U-Boot 2010.06 (Aug 03 2017 - 09:43:03)

Check Flash Memory Controller v100 ... Found
SPI Nor(cs 0) ID: 0xc2 0x20 0x17
Block:64KB Chip:8MB Name:"MX25L6406E"
at hifmc100_setTB() mid:0xc2,chipsize:0x800000 <no>.
at xm_get_macronix_type() cr:0x8.
lk[8 => 0x800000]
SPI Nor total size: 8MB
In: serial
Out: serial
Err: serial
Press Ctrl+C to stop autoboot
CFG_BOOT_ADDR:0x58050000
8192 KiB hi_fmc at 0:0 is now current device

### boot load complete: 1709608 bytes loaded to 0x82000000
### SAVE TO 80008000 !
## Booting kernel from Legacy Image at 82000000 ...
Image Name: linux
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 1709544 Bytes = 1.6 MiB
Load Address: 80008000
Entry Point: 80008000
Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.

Ctrl + C

xmtech # help
? - alias for 'help'
base - print or set address offset
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
ddr - ddr training function
fload - fload - load binary file from a filesystem image for system boot

flwrite - SPI flash sub-system
getinfo - print hardware information
go - start application at address 'addr'
help - print command description/usage
lip - lip - set local ip address but not save to flash

loadb - load binary file over serial line (kermit mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
mac - mac - set mac address and save to flash

md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtest - simple RAM read/write test
mw - memory write (fill)
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
sip - sip - set server ip address but not save to flash

tftp - tftp - download or upload image via network using TFTP protocol
version - print monitor version
xmtech #

xmtech # printenv
bootcmd=setenv setargs setenv bootargs ${bootargs};run setargs;fload;bootm 0x82000000
bootdelay=1
baudrate=115200
bootfile="uImage"
da=mw.b 0x82000000 ff 1000000;tftp 0x82000000 u-boot.bin.img;sf probe 0;flwrite
du=mw.b 0x82000000 ff 1000000;tftp 0x82000000 user-x.cramfs.img;sf probe 0;flwrite
dr=mw.b 0x82000000 ff 1000000;tftp 0x82000000 romfs-x.cramfs.img;sf probe 0;flwrite
dw=mw.b 0x82000000 ff 1000000;tftp 0x82000000 web-x.cramfs.img;sf probe 0;flwrite
dl=mw.b 0x82000000 ff 1000000;tftp 0x82000000 logo-x.cramfs.img;sf probe 0;flwrite
dc=mw.b 0x82000000 ff 1000000;tftp 0x82000000 custom-x.cramfs.img;sf probe 0;flwrite
up=mw.b 0x82000000 ff 1000000;tftp 0x82000000 update.img;sf probe 0;flwrite
ua=mw.b 0x82000000 ff 1000000;tftp 0x82000000 upall_verify.img;sf probe 0;flwrite
tk=mw.b 0x82000000 ff 1000000;tftp 0x82000000 uImage; bootm 0x82000000
dd=mw.b 0x82000000 ff 1000000;tftp 0x82000000 mtd-x.jffs2.img;sf probe 0;flwrite
ipaddr=192.168.1.10
serverip=192.168.1.1
netmask=255.255.255.0
gatewayip=192.168.0.1
bootargs=mem=${osmem} console=ttyAMA0,115200 root=/dev/mtdblock1 rootfstype=cramfs mtdparts=hi_sfc:320K(boot),3520K(romfs),2560K(user),1152K(web),320K(custom),320K(mtd)
ethaddr=00:12:16:db:b6:bc
NID=0x030a
muxctl0=0x200f0074
muxval0=0
gpio0=0x01
gpioval0=0x1
muxctl1=0x200f0078
muxval1=0
gpio1=0x02
gpioval1=0x0
muxctl2=0x200f0098
muxval2=0
gpio2=0x17
gpioval2=0x0
muxctl3=0x200f006c
muxval3=0
gpio3=0x46
gpioval3=0x0
osmem=37M
sensortype=0x0028
appSystemLanguage=English
appVideoStandard=PAL
stdin=serial
stdout=serial
stderr=serial
verify=n
ver=U-Boot 2010.06 (Aug 03 2017 - 09:43:03)

Environment size: 1611/65532 bytes

setenv ipaddr 192.168.0.111
sip 192.168.0.102
setenv netmask 255.255.255.0
setenv gatewayip 192.168.0.1

xmtech # ping 8.8.8.8
Hisilicon ETH net controler
MAC: 00-12-16-DB-B6-BC
PHY not link.
ping failed; host 8.8.8.8 is not alive

My CIP does not have any RJ45 ethernet port. It communicate via wifi, P2P. How I can extract firmware via tftp without RJ45 cable?
 
Last edited:
You must log in or register to reply here.
Top Bottom