Difference between revisions of "Debricking the BMC"
JeremyRand (talk | contribs) (→Flash new BMC firmware via U-Boot TFTP: Factor out default password) |
|||
Line 52: | Line 52: | ||
* Run <code>dhcp x.x.x.x:image-bmc</code>, replacing the IP address of your TFTP server. This will load a copy of the stock boot image into RAM. | * Run <code>dhcp x.x.x.x:image-bmc</code>, replacing the IP address of your TFTP server. This will load a copy of the stock boot image into RAM. | ||
* Run <code>bootm 83080000</code>. This will prepare and boot off of the loaded virtual image. | * Run <code>bootm 83080000</code>. This will prepare and boot off of the loaded virtual image. | ||
− | * If your rofs partition is not functional, you will be dropped into the systemd emergency shell at this point. Try both the password you set as well as the default | + | * If your rofs partition is not functional, you will be dropped into the systemd emergency shell at this point. Try both the password you set as well as the [[BMC Default Password|default password]], it may be one or the other depending on the state of the rwfs partition. If it boots up properly instead of dropping you into the emergency shell, the problem is probably in your kernel partition and you can retry flashing your <code>image-kernel</code> using the normal procedure. (The rest of these instructions are for the systemd emergency shell.) |
* <code>mount -t tmpfs none /tmp</code> | * <code>mount -t tmpfs none /tmp</code> | ||
* run <code>udhcpc</code> to get an IP address. (TODO: verify that this is the actual command that you run. Do you have to specify the network interface too?) | * run <code>udhcpc</code> to get an IP address. (TODO: verify that this is the actual command that you run. Do you have to specify the network interface too?) |
Revision as of 19:29, 4 September 2022
Contents
Purpose
This guide explains how to debrick the BMC when the BMC has been rendered inoperable, for example due to a defective firmware update.
Applicability
All RCS OpenPOWER systems.
Overview
There are three means of debricking the BMC:
- Remove the BMC SPI flash chip and reflash it with a flash programmer
- Note: flashrom versions earlier than 1.1 do not support the BMC flash chip
- Flash new BMC firmware via U-Boot TFTP (requires that U-Boot is still intact on the flash)
- Flash new BMC firmware via serial port (requires proprietary BMC chip vendor tool)
Reset persistent storage
This is applicable if somehow the persistent storage (SSH keys, passwords, IPMI error logs, etc.) has been corrupted, but the read only data (U-boot, kernel, initramfs) are all intact. This is also the easiest and least invasive recovery method if you have forgotten the BMC password.
From the U-boot prompt on the BMC serial console, run the following (must be run quickly, to avoid watchdog timeouts):
printenv
Look at the bootargs command, set the same environment variable but insert overlay-filesystem-in-ram
before the rw
keyword.
Example for Blackbird HW version 1.01:
setenv bootargs console=ttyS4,115200n8 root=/dev/ram overlay-filesystem-in-ram rw
Then run boot
to continue the boot process.
This will start the BMC with default settings, but the existing persistent data has not yet been cleared. To clear it, log in as root, then run:
flash_eraseall /dev/mtd/rwfs
reboot
Flash new BMC firmware via U-Boot TFTP
Note: While these instructions have been successfully applied in practice, they are still preliminary. Ask questions in IRC if you are unclear on what to do!
In the event of a failure when updating the BMC, but with a functioning U-boot, you can still recover by using U-Boot to manually bootstrap the BMC by manually loading a boot image over the network or the BMC serial port.
If your BMC flash is corrupted to the extent that U-Boot does not load properly, these instructions will not work; you will need to remove and reflash the BMC flash chip externally, or flash new firmware via serial port.
- Prepare a TFTP server, and place
image-bmc
,image-rofs
, andimage-kernel
in the root.
- Connect a serial console to the BMC serial port (J7701, serial port bracket required). The serial port configuration is 115200,8n1.
- Disconnect and reconnect power to the machine to force a BMC restart. Press a key to interrupt auto-boot when prompted.
- If you are having trouble with U-Boot resetting while you are trying to run these steps, have a slow network, or you are going to be loading over serial, you can disable the FPGA watchdog.
- Run
dhcp x.x.x.x:image-bmc
, replacing the IP address of your TFTP server. This will load a copy of the stock boot image into RAM. - Run
bootm 83080000
. This will prepare and boot off of the loaded virtual image. - If your rofs partition is not functional, you will be dropped into the systemd emergency shell at this point. Try both the password you set as well as the default password, it may be one or the other depending on the state of the rwfs partition. If it boots up properly instead of dropping you into the emergency shell, the problem is probably in your kernel partition and you can retry flashing your
image-kernel
using the normal procedure. (The rest of these instructions are for the systemd emergency shell.) mount -t tmpfs none /tmp
- run
udhcpc
to get an IP address. (TODO: verify that this is the actual command that you run. Do you have to specify the network interface too?) cd /tmp
tftp -g -r image-rofs x.x.x.x
tftp -g -r image-kernel x.x.x.x
- IMPORTANT: Use
md5sum
,sha1sum
, orsha256sum
to verify successful transfer of image-rofs and image-kernel! tftp is a very barebones protocol and relies on transport layer checksumming, which is optional and not always available in UDP! - Verify that the output of
cat /sys/class/mtd/mtd3/name
iskernel
and the output ofcat /sys/class/mtd/mtd4/name
isrofs
. We will be flashing mtd partitions directly in the next step and this is the last chance to verify that they will be flashed to the correct partition. flashcp -v image-kernel /dev/mtd3
flashcp -v image-rofs /dev/mtd4
- (TODO: Describe how to reset rwfs in case it was damaged as well?) note: the kernel param for bypassing rwfs is "overlay-filesystem-in-ram". Append it to the existing boot-args before running the bootm command. This can also be used as part of a password reset procedure.
- After the flash is complete, you can run restart the BMC and it should boot successfully.
- (TODO: Discussion of using Kermit to upload the image without network access) note: I (Bdragon) have successfully done a ram-only boot using cu's built in xmodem support (escape sequence ~X) to do an image transfer into RAM over the BMC serial interface.
- (TODO: Discuss using u-boot's built in cmp tool to perform basic validation of the u-boot image against a second copy loaded into RAM.)
- (TODO: Load recovery images over USB?) note: The onboard USB port is connected to the USB switch after all, so this might be problematic.
- (TODO: Discussion of u-boot memory map) Short version is: flash lives at 0x20000000 and default base address for the memory loading tools is 0x83000000. So add 0x63000000 to any flash address to get the eqivilent address for an image-bmc file loaded into RAM. For example, the bootable image of a loaded image-bmc is at 0x83080000.
Flash new BMC firmware via serial port (Open Source Method)
Tools required:
- BMC serial port
- A secure computer with a serial port (usb to serial works fine) - preferably running linux (Linux on POWER is fine).
Software:
- flashrom with serial ASpeed flash support from [1]
- BMC Firmware bundle: Talos_II/Firmware Firmware BMC System Package 1.06 2a92dec044239591244b6ed69c3fac162a6b9ea4
Procedure:
- Build flashrom on your Linux or BSD PC.
- Extract the BMC firmware bundle.
- Set the FPGA RUN/RESET switch to RESET.
- On a Blackbird, this switch is located roughly between the flash chips and the PCIe slots. If you have a GPU installed in the x16 slot, you may need to remove it.
- Apply standby power to the mainboard
- Run the following command ./flashrom --verbose --programmer 'ast2400:serial=/dev/ttyUSB0,cpu=halt,spibus=0' -c MX25L25635F/MX25L25645E/MX25L25665E -w image-bmc
- if your serial interface can handle the baudrate 921600 add the parameter: high_speed_uart=true
- NOTE: If you are using updated firmware (Talos II/Lite 2.0 beta firmware or later) or are using a Blackbird, U-boot will shut down access to this interface after about 3 seconds of standby power, so you will need to run the command *immediately* after plugging in the power supply to bypass this.
- Be Patient: this will take a *long* time.
- Once the flash has been verified, set the FPGA RUN/RESET switch to RUN.
Flash new BMC firmware via serial port (Proprietary Method)
This method was discovered by Centurion Dan as an alternative to pulling and reflashing the BMC SPI chip after a failed update had corrupted/wiped U-Boot.
Tools required:
- BMC serial port
- An x86 computer with a serial port (usb to serial works fine) - preferably running linux.
Software:
- Proprietary SOC Flash Utility from Aspeed Technology's Support Page: at least version 1.18.00. Since version 1.20.x Aspeed requires being registered as developer to download this util:
ASPEED SOC Flash Utility --- The utility has been moved to Document Download Page for ASPEED registered developers to access.
- BMC Firmware bundle: Talos_II/Firmware Firmware BMC System Package 1.06 2a92dec044239591244b6ed69c3fac162a6b9ea4
Procedure:
- Unzip the SOC FLASH Utility on your other computer, and unzip the appropriate SOC Flash Utility bundle for that computer.
- Extract the BMC firmware bundle.
- Run the following command ./socflash -s option=u comport="4" cs=0 if=image-u-boot gpio_b=S71 gpio_a=S70 option=f
- You can drop the option=f for a slower but verified write process
- if your serial interface can handle the baudrate 921600 add the parameter: baudrate=921600
- if you want to see what is going on, you can strace it by prepending: strace -e trace=open,close,read,write to the command above.
- NOTE: If you are using updated firmware (Talos II/Lite 2.0 beta firmware or later) or are using a Blackbird, U-boot will shut down access to this interface after about 3 seconds of standby power, so you will need to run the command *immediately* after plugging in the power supply to bypass this.
- Be Patient: it took me about 45 minutes to complete the flash process.
Notes:
- gpio_b=S71 and gpio_a=S70 are used to turn off the fpga watchdog timer before the flash process and then re-enables it after it's completed.
- On a Blackbird, replace gpio_b=S71 with gpio_b=G01 and gpio_a=S70 with gpio_a=G00. Due to the new HDMI interface, the BMC watchdog GPIO was moved to a different pin on the AST2500.