Memory address prefix

[tatel]

I was debricking and old TP-Link router via serial console+tftp. I used commands like:

Code: [Select]

erase 0x9f020000 +0x7c0000
I know that this is erasing a memory range beginning at 9f020000; the end is 7c0000 bytes after the initial address.

I also know that the first 128KiB of flash are reserved for the U-boot partition: and that these 128 KiB translate in hex as 20000

So I guess 9f0 is the prefix and 20000 the offset

But, for the life of me, I can't figure where the 9f0 prefix comes from.

I would greatly appreciate any pointers

[magic]

Not 100% sure, but could it simply be the address where flash is mapped into the CPU's memory address space?

It's common for such mapping to exist, and it will appear at some fixed (for a given CPU type or router model) address, usually far away from zero, usually in the upper half of the address space - above 0x80000000.

[Benta]

You'll need to look at either the address-decoding hardware or (if the system has one) the setup of the MMU.
It's very common to boot from ROM at address 0x0 and after initial setup remap the ROM to somewhere else in the memory map.

[tatel]

You'll need to look at either the address-decoding hardware or (if the system has one) the setup of the MMU.
It's very common to boot from ROM at address 0x0 and after initial setup remap the ROM to somewhere else in the memory map.

I woul like to know the name of that address-decoding hardware. Would do some Google search for it

Architecture is mips_24kc. CPU is Qualcomm Atheros QCA9558

FWIW, here are the commands used:

Code: [Select]

ap135> tftp 0x80060000 wr1043nv2_tp_recovery.bin
ap135> erase 0x9f020000 +0x7c0000
ap135> cp.b 0x80060000 0x9f020000 0x7c0000
ap135> boot.m 0x9f020000
As I understand it:
Download binary image, put it at address 0x80060000
Erase memory range from address 0x9f020000 to 0x9f020000+0x7c0000
copy what is at address 0x80060000 at address 0x9f020000 size is 0x7c0000
boot with image located at address 0x9f020000

Firmware image has to go right after U-boot partition (128 KiB). So I guess 0x9f020000 maps that. Is this right?

Flash layout attached.

I would love to know how  memory addresses are calculated from the flash layout data

[Benta]

You're floating at the firmware/software level. I'm talking hardware.
But as usual with Qualcomm, trying to get a data sheet is hopeless.

[tatel]

Thank you, but I can't really say answer is helpful.

Could you give some link to any documentation you consider relevant?

Looking around I fell over this serie of YT videos by Ben Eater, I'll have a look at it

https://www.youtube.com/playlist?list=PLowKtXNTBypFbtuVMUVXNR0z1mu7dp7eH