Debricking the BMC

From RCS Wiki
Revision as of 14:41, 19 January 2020 by TimothyPearson (talk | contribs)
Jump to navigation Jump to search

Purpose

This guide explains how to debrick the BMC when the BMC has been rendered inoperable, for example due to a defective firmware update.

Applicability

All RCS OpenPOWER systems.

Overview

There are three means of debricking the BMC:

  • Remove the BMC SPI flash chip and reflash it with a flash programmer
    • Note: flashrom versions earlier than 1.1 do not support the BMC flash chip
  • Flash new BMC firmware via U-Boot TFTP (requires that U-Boot is still intact on the flash)
  • Flash new BMC firmware via serial port (requires proprietary BMC chip vendor tool)

Reset persistent storage

This is applicable if somehow the persistent storage (SSH keys, passwords, IPMI error logs, etc.) has been corrupted, but the read only data (U-boot, kernel, initramfs) are all intact. This is also the easiest and least invasive recovery method if you have forgotten the BMC password.

From the U-boot prompt on the BMC serial console, run the following (must be run quickly, to avoid watchdog timeouts):

printenv

Look at the bootargs command, set the same environment variable but insert overlay-filesystem-in-ram before the "rw" keyword.

Example for Blackbird HW version 1.01:

setenv bootargs console=ttyS4,115200n8 root=/dev/ram overlay-filesystem-in-ram rw

Then run boot to continue the boot process.

This will start the BMC with default settings, but the existing persistent data has not yet been cleared. To clear it, log in as root, then run:

flash_eraseall /dev/mtd/rwfs

reboot

Flash new BMC firmware via U-Boot TFTP

Note: While these instructions have been successfully applied in practice, they are still preliminary. Ask questions in IRC if you are unclear on what to do!

In the event of a failure when updating the BMC, but with a functioning U-boot, you can still recover by using U-Boot to manually bootstrap the BMC by manually loading a boot image over the network or the BMC serial port.

If your BMC flash is corrupted to the extent that U-Boot does not load properly, these instructions will not work; you will need to remove and reflash the BMC flash chip externally, or flash new firmware via serial port.

  • Prepare a TFTP server, and place image-bmc, image-rofs, and image-kernel in the root.
  • Connect a serial console to the BMC serial port (J7701, serial port bracket required). The serial port configuration is 115200,8n1.
  • Disconnect and reconnect power to the machine to force a BMC restart. Press a key to interrupt auto-boot when prompted.
  • If you are having trouble with U-Boot resetting while you are trying to run these steps, have a slow network, or you are going to be loading over serial, you can disable the FPGA watchdog.
  • Run dhcp x.x.x.x:image-bmc, replacing the IP address of your TFTP server. This will load a copy of the stock boot image into RAM.
  • Run bootm 83080000. This will prepare and boot off of the loaded virtual image.
  • If your rofs partition is not functional, you will be dropped into the systemd emergency shell at this point. Try both the password you set as well as the default 0penBmc, it may be one or the other depending on the state of the rwfs partition. If it boots up properly instead of dropping you into the emergency shell, the problem is probably in your kernel partition and you can retry flashing your image-kernel using the normal procedure. (The rest of these instructions are for the systemd emergency shell.)
  • mount -t tmpfs none /tmp
  • run udhcpc to get an IP address. (TODO: verify that this is the actual command that you run. Do you have to specify the network interface too?)
  • cd /tmp
  • tftp -g -r image-rofs x.x.x.x
  • tftp -g -r image-kernel x.x.x.x
  • IMPORTANT: Use md5sum, sha1sum, or sha256sum to verify successful transfer of image-rofs and image-kernel! tftp is a very barebones protocol and relies on transport layer checksumming, which is optional and not always available in UDP!
  • Verify that the output of cat /sys/class/mtd/mtd3/name is kernel and the output of cat /sys/class/mtd/mtd4/name is rofs. We will be flashing mtd partitions directly in the next step and this is the last chance to verify that they will be flashed to the correct partition.
  • flashcp -v image-kernel /dev/mtd3
  • flashcp -v image-rofs /dev/mtd4
  • (TODO: Describe how to reset rwfs in case it was damaged as well?) note: the kernel param for bypassing rwfs is "overlay-filesystem-in-ram". Append it to the existing boot-args before running the bootm command. This can also be used as part of a password reset procedure.
  • After the flash is complete, you can run restart the BMC and it should boot successfully.
  • (TODO: Discussion of using Kermit to upload the image without network access) note: I (Bdragon) have successfully done a ram-only boot using cu's built in xmodem support (escape sequence ~X) to do an image transfer into RAM over the BMC serial interface.
  • (TODO: Discuss using u-boot's built in cmp tool to perform basic validation of the u-boot image against a second copy loaded into RAM.)
  • (TODO: Load recovery images over USB?) note: The onboard USB port is connected to the USB switch after all, so this might be problematic.
  • (TODO: Discussion of u-boot memory map) Short version is: flash lives at 0x20000000 and default base address for the memory loading tools is 0x83000000. So add 0x63000000 to any flash address to get the eqivilent address for an image-bmc file loaded into RAM. For example, the bootable image of a loaded image-bmc is at 0x83080000.

Flash new BMC firmware via serial port

This method was discovered by Centurion Dan as an alternative to pulling and reflashing the BMC SPI chip after a failed update had corrupted/wiped U-Boot.

Tools required:

  • BMC serial port
  • An x86 computer with a serial port (usb to serial works fine) - preferably running linux.

Software:

 ASPEED SOC Flash Utility --- The utility has been moved to Document Download Page for ASPEED registered developers to access.

Procedure:

  1. Unzip the SOC FLASH Utility on your other computer, and unzip the appropriate SOC Flash Utility bundle for that computer.
  2. Extract the BMC firmware bundle.
  3. Run the following command ./socflash -s option=u comport="4" cs=0 if=image-u-boot gpio_b=S71 gpio_a=S70 option=f
    • You can drop the option=f for a slower but verified write process
    • if your serial interface can handle the baudrate 921600 add the parameter: baudrate=921600
    • if you want to see what is going on, you can strace it by prepending: strace -e trace=open,close,read,write to the command above.
  4. Be Patient: it took me about 45 minutes to complete the flash process.

Notes:

  • gpio_b=S71 and gpio_a=S70 are used to turn off the fpga watchdog timer before the flash process and then re-enables it after it's completed.