This has been produced by examining the configuration of the device while the original U-boot was running, not by reversing the binary image. The upshot of this is that all configuration has been for my device, and any variation in the chipsets (DRAM/PHY/etc) will not have been taken in to account. So whether this will work on any other device is hard to say (YMMV). So the usual boilerplate applies, no warranties implied or given.
The SOC provides 2 UARTs, one is available on the front panel (RJ45 connector), the other is connected to a 4 way header (J2).
J2
* 1 - Vcc (3.3V)
* 2 - RX
* 3 - TX
* 4 - GND
U-boot's console is on the primary UART (J2), config: 115200,8n1
It is highly recommended to have access to a JTAG adapter in case of failure. There is NO WAY TO RECOVER A BRICKED DEVICE without one (well that, or using a soldering iron and device programmer). Before starting, backing up the existing ROM is recommended, or at the very least everything from 0xfff00000 to capture U-boot and environment.
Assuming cross compilation:
CROSS_COMPILE=<_cross compiler prefix_> ARCH=powerpc make meru_ap320_defconfig
CROSS_COMPILE=<_cross compiler prefix_> ARCH=powerpc make
If there are no errors it should produce 'u-boot.bin', which needs to be copied on to the device either over the serial link (eg:loady), or by TFTP (eg:tftp). Once the binary is in memory, the U-boot flash sectors need their protection disabled and then the sectors need erasing. After that the binary can be copied from RAM in to flash ROM. So, using loady as an example:
javelin > protect off 0xfff00000 0xfff7ffff
Un-Protected 4 sectors
javelin > erase 0xfff00000 0xfff7ffff
.... done
Erased 4 sectors
javelin > loady
## Ready for binary (ymodem) download to 0x01200000 at 115200 bps...
Cde, 3210(SOH)/0(STX)/0(CAN) packets, 5 retries
## Total Size = 0x000643b6 = 410550 Bytes
javelin > cp.b 0x01200000 0xfff00000 0x000643b6
Copy to Flash... done
- 0xfff00000 is the start address of U-boot in the flash ROM (It is not the start address of the flash ROM).
- 0xfff7ffff end address of last sector to be unlocked/erased given the new binaries size. (sector size = 128k, 384k < 410k < 512k, so 4 sectors)
- cfi_flash driver randomly marks sectors as protected (work around, unlock set in U-boot environment which clears extraneous protected bits).
- Find/Implement GPIO switches.