XXX Todo


The Silvercrest Super G Wireless Router is based on an Atheros System on Chip (SoC). So it's a candidate for the OpenWrt AtherosPort.




Architecture: MIPS 4KEc, BigEndian

Vendor: Targa (Silvercrest, sold by Lidl)

Bootloader: PMon ?

System-On-Chip: Atheros AR2313A

CPU Speed: 184 MHz

Flash: 2 Mb, MX29LV160

RAM: 16 Mb

Wireless: Integrated Atheros 802.11b/g, AR2112A

Ethernet: 5 x RJ45 (4 Lan, 1 Wan)

Ethernet Switch: Marvell 88E6060







  • 12V power supply

  • Antenna

  • SPI-Bus ???

Power Requirements:

12V power supply; internally this is regulated to 3.3V by a switching regulator. The device starts up at >=7.5V; to get wireless working it needs >=10V. This device needs only ~3.5W of power, so it's well suited for solar-powered/battery-powered applications (like the 4 km wireless link I've built).


Some photos of the PCB:



Serial Port

The RS232 port uses 3.3V TTL signals, so we have to use a level shifter like the Maxim Max232. In addition I'm using an RS232-USB converter to connect it to my PC (Linux + minicom).

Serial settings are 56700-8-N-1. Note that the kernel command line in the Linux boot log further down reports console=ttyS0,57600.

    PINS:
    +---+
    |TXD|
    +---+
    |RXD|
    +---+
    |GND|
    +---+
    |   |
    +---+
    |VCC| 3.3V
    +---+


There is a 14 pin unpopulated JTAG header, pin assignment:

XXX todo

Original software

Bootlog Original "PMon" bootloader

    00005850
    Copyright (c) 2003 Xavi Corporation.
    Chip select 0, Flash chip MXIC CFI-160 bottom, address 0xbfc00000, size 2MBytes
    Slot 0, blocks 0, sector size = 0x4000, num of sectors = 1
    Slot 0, blocks 1, sector size = 0x2000, num of sectors = 2
    Slot 0, blocks 2, sector size = 0x8000, num of sectors = 1
    Slot 0, blocks 3, sector size = 0x10000, num of sectors = 31
    CPU type ATHEROS 5312. ErrorEPC (may be PC before reset): bfc006c0.
    CPU clock frequency 180 MHz. Avail RAM 16022 KBytes.
    PMON version 6.8.858 [EB], Mon Jul  5 16:11:38 CST 2004
    IP address 'h' for on-line help.
    *** Press ^C to abort auto run (3 seconds) ***
    Auto run second count down: 1
    break!
    XGATE> h
    load  load memory from hostport          h  The help command
    help  The help command                   ?  The help command
    copy  copy memory                        g  start execution (go)
     sym  define symbol                    set  display/set variable
       d  display memory                  dump  send srecs/binary to hostport
    ping  send ping request to hostport
    XGATE>

Backup flash

Upload entire flash with PMon/tftp:

    XGATE> dump -B 0xbfc00000 0x200000
    Uploading to ethernet1, ^C to abort
    Switch is set for 100 Mbps Full Duplex
    Dumped data from bfc00000 to bfdfffff, length 200000 (2097152 decimal)
    XGATE>

Flash layout

Flash size is 2Mb, we have 32 blocks of 64k size:

    ----------------------------------------------------------------------------------------
    | Offset   | Abs. Offs. | Size    | Blocks | Content                                   |
    ----------------------------------------------------------------------------------------
    | 0x000000 | 0xBFC00000 |  128 kb |      2 | Board Config, PMon Bootloader             |
    ----------------------------------------------------------------------------------------
    | 0x020000 | 0xBFC20000 | 1792 kb |     28 | Linux with embedded rootfs (initramdisk)  |
    ----------------------------------------------------------------------------------------
    | 0x1E0000 | 0xBFDE0000 |   64 kb |      1 | NVRam                                     |
    ----------------------------------------------------------------------------------------
    | 0x1F0000 | 0xBFDF0000 |   64 kb |      1 | Radio Config                              |
    ----------------------------------------------------------------------------------------
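To check a backup made with "dump -B" before touching the flash, the dump can be split along the layout table and each region hashed. The following is an added example, not code from the original page; the short partition names and the function names are chosen here for illustration, and the input in the demo is a constructed stand-in for a real dump.

```python
import hashlib

FLASH_BASE = 0xBFC00000      # absolute flash address, from the layout table
FLASH_SIZE = 0x200000        # 2097152 bytes, as reported by "dump -B"
BLOCK = 0x10000              # 64k block size used in the layout table
# (name, offset, size) from the table; the names are labels for this example
LAYOUT = [
    ("pmon",  0x000000, 128 * 1024),
    ("linux", 0x020000, 1792 * 1024),
    ("nvram", 0x1E0000, 64 * 1024),
    ("radio", 0x1F0000, 64 * 1024),
]

def check_layout(layout, flash_size=FLASH_SIZE):
    """Verify the regions are 64k aligned, contiguous and cover the flash."""
    expected = 0
    for name, off, size in layout:
        if off != expected:
            raise ValueError(f"{name}: gap or overlap at {off:#x}")
        if off % BLOCK or size % BLOCK:
            raise ValueError(f"{name}: not aligned to 64k blocks")
        expected = off + size
    if expected != flash_size:
        raise ValueError(f"layout ends at {expected:#x}, not {flash_size:#x}")
    return expected // BLOCK     # total number of 64k blocks

def split_dump(dump, layout=LAYOUT):
    """Return {name: (abs_addr, blocks, sha256_hex, data)} for a full dump."""
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"dump is {len(dump)} bytes, expected {FLASH_SIZE}")
    check_layout(layout, len(dump))
    parts = {}
    for name, off, size in layout:
        data = dump[off:off + size]
        parts[name] = (FLASH_BASE + off, size // BLOCK,
                       hashlib.sha256(data).hexdigest(), data)
    return parts

if __name__ == "__main__":
    # Constructed 2 MB test pattern standing in for the file received via tftp
    fake_dump = bytes(range(256)) * (FLASH_SIZE // 256)
    for name, (addr, blocks, digest, _) in split_dump(fake_dump).items():
        print(f"{name:6} {addr:#010x} {blocks:3} blocks sha256={digest[:16]}")
```

A short or oversized dump file raises ValueError instead of being split silently, which catches an interrupted tftp transfer.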

Auto download

If the bootloader doesn't find a valid Linux image in flash, it enters an "Auto download" mode and tries to download and install an image via tftp. The vendor-supplied images (for example WR-6640Sg-2.02TGF6.6640g.bin) can be used to restore the Linux mtd-partition.


    > atftp
    tftp> mode
    Current mode is octet.
    put WR-6640Sg-2.02TGF6.6640g.bin


    *** Press ^C to abort auto run (3 seconds) ***
    Auto run second count down: 0
    Switch is set for 100 Mbps Full Duplex
    Downloading image from ethernet1, ^C to abort
    Loaded data from 80100000 to 802b8853, length 1b8854 (1804372 decimal)
    Write firmware image to flash..
     *...........................
    Write image header to flash..
     *
     *** Write firmware image done *** !

Vendor Image format

The .bin image contains a 256 byte header and a gzipped Linux kernel. To extract the kernel do:

dd if=WR-6640Sg-2.02TGF6.6640g.bin bs=256 skip=1 of=WR-6640Sg-2.02TGF6.6640g.image.gz

Extract initial ramdisk from kernel unzipped image:

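Bootlog says: ... Initial ramdisk at: 0x802e2000 (946176 bytes) ..., load address is 0x80100000.
Offset of ramdisk from image start: 0x802e2000 - 0x80100000 = 0x1e2000 (1974272 bytes, i.e. 7712 blocks of 256 bytes; the ramdisk length of 946176 bytes is 3696 such blocks).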

    > dd if=WR-6640Sg-2.02TGF6.6640g.image of=ramdisk.gz bs=256 skip=7712 count=3696
    > gunzip ramdisk.gz
    > losetup /dev/loop0 ramdisk
    > mount -oloop /dev/loop0 /mnt/misc
    > ls /mnt/misc
    bin  dev  etc  lost+found  proc  sbin  upnp  var  web
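The same two extraction steps (strip the 256 byte header, then carve the ramdisk at the offset derived from the boot log addresses) as an added Python example that is not part of the original page. Function names are chosen here for illustration, and the demo runs on a constructed stand-in image, not on real firmware.

```python
import gzip
import zlib

HEADER_LEN = 256                     # vendor header size stated on this page
LOAD_ADDR = 0x80100000               # load address from the boot log
RAMDISK_ADDR = 0x802E2000            # "Initial ramdisk at" from the boot log
RAMDISK_LEN = 946176                 # ramdisk length from the same log line
GZIP_MAGIC = b"\x1f\x8b"

def inflate(blob):
    """Inflate one gzip stream, ignoring any padding that follows it."""
    d = zlib.decompressobj(wbits=31)     # 31 selects the gzip wrapper
    out = d.decompress(blob)
    if not d.eof:
        raise ValueError("truncated or corrupt gzip stream")
    return out

def extract_kernel(vendor_image):
    """Skip the header (dd bs=256 skip=1) and gunzip the kernel image."""
    payload = vendor_image[HEADER_LEN:]
    if payload[:2] != GZIP_MAGIC:
        raise ValueError("no gzip magic directly after the 256 byte header")
    return inflate(payload)

def carve_ramdisk(kernel, load=LOAD_ADDR, addr=RAMDISK_ADDR, length=RAMDISK_LEN):
    """Return (file_offset, ramdisk_bytes); offset = addr - load."""
    offset = addr - load
    if offset < 0 or offset + length > len(kernel):
        raise ValueError("ramdisk range lies outside the kernel image")
    blob = kernel[offset:offset + length]
    if blob[:2] != GZIP_MAGIC:
        raise ValueError(f"no gzip magic at kernel offset {offset:#x}")
    return offset, inflate(blob)

def build_sample():
    """Constructed stand-in for the vendor .bin with the page's geometry."""
    rd = gzip.compress(b"constructed ext2 ramdisk")
    rd += bytes(RAMDISK_LEN - len(rd))           # zero padding to full length
    kernel = bytes(RAMDISK_ADDR - LOAD_ADDR) + rd
    return bytes(HEADER_LEN) + gzip.compress(kernel)

if __name__ == "__main__":
    kernel = extract_kernel(build_sample())
    offset, ramdisk = carve_ramdisk(kernel)
    print(f"kernel {len(kernel):#x} bytes, ramdisk at {offset:#x} "
          f"(dd skip={offset // 256} count={RAMDISK_LEN // 256})")
```

With the addresses from the boot log the carved range ends exactly at 0x2c9000, the inflated length PMon prints when booting the image.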

The header format is not known, but its content is used by pmon and it refuses to install a self-made image (version and crc mismatches …).

I tried to install the g-zipped linux image directly into its mtd-partition with no luck:

    > atftp
    tftp> mode
    Current mode is octet.
    tftp> put WR-6640Sg-2.02TGF6.6640g.image.gz
    Downloading image from ethernet1, ^C to abort
    Loaded data from 80100000 to 802b8753, length 1b8754 (1804116 decimal)
    copy -f 80100000 bfc20000 1b8754

XXX what happens next, any messages?

TFTP download of new firmware

A vendor firmware image can be pushed to the AP within the first 3 seconds after reboot.

Bootlog Original Linux

Note: we can do a reboot in PMon by issuing a "go" command, address is the location of the bootloader in flash:

    XGATE> g 0xbfc00000
    00005850
    Copyright (c) 2003 Xavi Corporation
    Chip select 0, Flash chip MXIC CFI-160 bottom, address 0xbfc00000, size 2MBytes
    Slot 0, blocks 0, sector size = 0x4000, num of sectors = 1
    Slot 0, blocks 1, sector size = 0x2000, num of sectors = 2
    Slot 0, blocks 2, sector size = 0x8000, num of sectors = 1
    Slot 0, blocks 3, sector size = 0x10000, num of sectors = 31
    CPU type ATHEROS 5312. ErrorEPC (may be PC before reset): bfc006c0.
    CPU clock frequency 180 MHz. Avail RAM 16022 KBytes.
    PMON version 6.8.858 [EB], Mon Jul  5 16:11:38 CST 2004
    IP address 'h' for on-line help.
    *** Press ^C to abort auto run (3 seconds) ***
    Auto run second count down: 0
    found image at 0xbfc20000, length 0x1b8754
    Inflating image at bfc20000 to 80100000
    block 1 block 2 block 3 block 4 block 5 block 6 block 7 block 8 block 9 block 10
    block 11 block 12 block 13 block 14 block 15 block 16 block 17 block 18 block 19 block 20
    block 21 block 22 block 23 block 24 block 25 block 26 block 27 block 28 block 29 block 30
    block 31 block 32 block 33 block 34 block 35 block 36 block 37 block 38 block 39 block 40
    block 41 block 42 block 43 block 44 block 45 block 46 block 47 block 48 block 49 block 50
    block 51 block 52 block 53 block 54 block 55 block 56 block 57
    Total blocks 57
    original crc 0xff2cdbeb and length 0x2c9000
    UART clock set to 2812500
    LINUX started...
    CPU revision is: 0001800a
    Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.
    Primary data cache 16kB 4-way, linesize 16 bytes.
    Linux version 2.4.23-rc1 (ken@V_Server1) (gcc version 3.3.2) #1 Fri Jan 14 13:38:08 CST 2005
    Clock rate set to 180000000
    Determined physical RAM map:
     memory: 00001000 @ 00000000 (reserved)
     memory: 000ff000 @ 00001000 (ROM data)
     memory: 002f3000 @ 00100000 (reserved)
     memory: 00bf2b00 @ 003f3000 (usable)
    Initial ramdisk at: 0x802e2000 (946176 bytes)
    On node 0 totalpages: 4069
    zone(0): 4069 0 0 pages.
    Kernel command line: ip=::::XGATE:eth0:none:100fs console=ttyS0,57600
    calculating r4koff... 000dbba0(900000)
    CPU frequency 180.00 MHz
    Using 90.000 MHz high precision timer.
    Calibrating delay loop... 179.81 BogoMIPS
    Memory: 12048k/12232k available (1741k kernel code, 184k reserved, 1016k data, 76k init, 0k highmem)
    Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
    Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
    Mount cache hash table entries: 512 (order: 0, 4096 bytes)
    Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
    Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
    Checking for 'wait' instruction...  available.
    POSIX conformance testing by UNIFIX
    Linux NET4.0 for Linux 2.4
    Based upon Swansea University Computer Society NET3.039
    Initializing RT netlink socket
    Starting kswapd
    Serial driver version 5.05c (2001-07-08) with no serial options enabled
    ttyS00 at 0xbc000003 (irq = 37) is a 16550A
    atherosboard: ar531x_board_init entry
    Generic MIPS RTC Driver v1.0
    ar531x_eth.c:v1.0, Mar 15, 2004 XAVi Technologies Corp., www.xavi.com
    RAMDISK driver initialized: 16 RAM disks of 3072K size 1024 blocksize
    AR5312 version 0x5 revision 0x0
    PPP generic driver version 2.4.2
    b_flash flash device: bfc00000 at 200000
     Amd/Fujitsu Extended Query Table v1.0 at 0x0040
    number of CFI chips: 1
    cfi_cmdset_0002: Disabling fast programming due to code brokenness.
    Creating 3 MTD partitions on "flash0":
    0x00000000-0x00020000 : "pmon"
    0x00020000-0x001e0000 : "linux image"
    0x001e0000-0x001f0000 : "nvram data storage"
    WatchDog starting-45...
    NET4: Linux TCP/IP 1.0 for NET4.0
    IP Protocols: ICMP, UDP, TCP, IGMP
    IP: routing cache hash table of 512 buckets, 4Kbytes
    TCP: Hash tables configured (established 512 bind 1024)
    eth1: Switch is set for 100 Mbps Full Duplex
    IP-Config: Incomplete network configuration information.
    ip_conntrack version 2.1 (127 buckets, 1016 max) - 352 bytes per conntrack
    init: ip_nat_quake3
    init: ip_nat_mms
    init: ip_conntrack_h323
    register h225 conntrack module
    ip_ct_h323 help registering helper callback=80266b68
    init: ip_nat_h323
    register h225 nat help module
    init: ip_conntrack_proto_gre
    init: ip_nat_proto_gre
    init: ip_conntrack_quake3
    ip_ct_quake3 help registering helper callback=80268270
    init: ip_conntrack_pptp
    ip_ct_pptp help registering helper callback=802685bc
    init: ip_conntrack_mms
    ip_ct_mms help registering helper callback=80268df4
    init: ip_conntrack_aoeii
    ip_tables: (C) 2000-2002 Netfilter core team
    init: ip_nat_standalone
    ipt_timer loading
    URLBLK init
    ipt_inbox loading
    NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
    NET4: Ethernet Bridge 008 for NET4.0
    RAMDISK: Compressed image found at block 0
    Freeing initrd memory: 924k freed
    VFS: Mounted root (ext2 filesystem) readonly.
    Freeing prom memory: 1020kb freed
    Freeing unused kernel memory: 76k freed
    Starting /etc/rc
    Mount ramdisk as /var
    Mount /proc
    Create /var/tmp/
    Create /var/run/utmp
    Enabling IP forwarding
    # nvram_retrieve_vars: total nvram data size = 4291
    nvram_retrieve_vars: app id = 1, nvram data size = 542
    nvram_retrieve_vars: app id = 2, nvram data size = 94
    nvram_retrieve_vars: app id = 3, nvram data size = 183
    nvram_retrieve_vars: app id = 4, nvram data size = 490
    NULL
    nvram_retrieve_vars: app id = 5, nvram data size = 294
    nvram_retrieve_vars: app id = 6, nvram data size = 113
    nvram_retrieve_vars: app id = 10, nvram data size = 164
    nvram_retrieve_vars: app id = 9, nvraeth1: Switch is set for 100 Mbps Full Duplex
    m data size = 564
    nvram_retrieve_vars: app id = 12, nvram data size = 118
    nvram_retrieve_vars: app id = 11, nvram data size = 266
    nvram_retrieve_vars: app id = 8, nvram data size = 266
    nvram_retrieve_vars: app id = 13, nvram data size = 132
    nvram_retrieve_vars: app id = 14, nvram data size = 474
    nvram_retrieve_vars: app id = 15, nvram data sizedevice eth0 entered promiscuous mode
     = 535
    br0: port 1(eth0) entering learning state
    br0: port 1(eth0) entering forwarding state
    br0: topology change detected, propagating
    device wlan1 entered promiscuous mode
    WLAN: channel = 11
    Reading Configuration File "/var/apcfg".
    apcfg: read # = Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
    apcfg: read # = DO NOT EDIT -- This configuration file is automatically generated by the Access Point
    apcfg: read magic = Ar52xxAP
    apcfg: read CountryCode = 276
    apcfg: read WirelessMode = 11g
    apcfg: read autochanselect = Disable
    apcfg: read RadioChannel = 2462
    apcfg: read DataRate = best
    apcfg: read ssid = WR-6640Sg
    apcfg: read ssidSuppress = Disable
    apcfg: read Keytable = 6
    apcfg: read Keyentrymethod = ascii
    apcfg: read Key = 1 104 wwwwwwwwwwwww
    apcfg: read Key = 2 104 wwwwwwwwwwwww
    apcfg: read Key = 3 104 wwwwwwwwwwwww
    apcfg: read Key = 4 104 wwwwwwwwwwwww
    apcfg: read DefaultKey = 1
    apcfg: read Keysource = flash
    apcfg: read encryption = Disable
    apcfg: read cipher = auto
    apcfg: read AuthenticationType = Open-System
    apcfg: read RADIUSaddr =
    apcfg: read RADIUSport = 1812
    apcfg: read RADIUSsecret =
    apcfg: read passphraseKey =
    apcfg: read groupKeyUpdateInterval = 1800
    ar5hwcQueueCreate : Queue Head = 0x80450000, Queue Tail = 0x80457f80
    ar5hwcQueueCreate : Queue Head = 0x800b0000, Queue Tail = 0x800b7f80
    ar5hwcQueueCreate : Queue Head = 0x80088000, Queue Tail = 0x8008ff80
    ar5hwcQueueCreate : Queue Head = 0x80d7c000, Queue Tail = 0x80d7ff80
    wireless access point starting...
    wlan1 Ready
    Ready
    sta_proc_init: ==> start
    sta_proc_init: <== end
    br0: port 2(wlan1) entering learning state
    Firewall Initializing...
    br0: port 2(wlan1) entering forwarding state
    br0: topology change detected, propagating
    Firewall Setup...
    Virtual Server Initializing...
    Access Control List Initializing...
    Content Filter Initializing...
    Hex:0x1
    Hex:0x0
    Hex:0x0
    Hex:0x0
    Syslog Initializing...
    close Remote Log
    plog->slog_pid=121
    xsyslogd started.
    close Remote Log
    wlan1 beacon transmission problem at beacon #10! - no SWBAs seen!
    Enter resetwlan
    wlan1 beacon transmission problem at beacon #0! - no SWBAs seen!
    # uname -a
    uname: not found
    # uptime
    uptime: not found
    # ls
    apcfg     hosts     log       rad-dict  run       sys       tmp       wan
    # cd /
    # ls
    bin         etc         proc        upnp        web
    dev         lost+found  sbin        var
    #

Why not use the original PMon bootloader

  • PMon has all the necessary commands: tftp load, flash write, exec (go)

  • we don't know exactly how the Linux start address has to be specified; go apparently starts exactly at the given address

  • it is still open whether the Linux kernel detects the MTD partitions correctly; Linux apparently uses the RedBoot FIS signature.

Installing OpenWrt with RedBoot

Reflash the RedBoot Config from SSH...



Dynamic DNS


Hardware Hacks

Voltage measurement using two GPIO ports, xxx todo