OpenWrt Forum Archive

Topic: OpenWRT for Atheros based devices...

The content of this topic has been archived between 26 Apr 2018 and 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have managed to compile openwrt for Atheros, but now I need some help with REDBOOT.
Can anyone help me?

I hope this helps...

It's a dump of a working SMC WEBT-G with its original firm...


ar531xPlus rev 0x00000087 boot loader startup...
Flash initialized
SDRAM initialized
Cache initialized

Copy program from 0xbfc00000 to 0x80520000, length 0x0000c70c bytes ... done
Jump to SDRAM 0x80520cb4 [0x10000008, 0x00000000, 0x00000000]
Clear BSS section ... done
Stack: 0x8053e530
Heap: 0x8053e540






=======================================================================

Wireless Access Point WA4001C Loader V0.03 build Mar 29 2005 15:45:48

                  Arcadyan Technology Corporation

=======================================================================



Flash Found. It is 2MB Flash....



Copying boot params.....DONE

cpuFreq=240000000 sysFreq=60000000 cntFreq=120000000



Press any key to enter command mode ...

Memory Checking from 0xa0000000 to 0xa03fffff

Pattern [ 0x00000000 ] ........................

Pattern [ 0xffffffff ] ........................

Pattern [ 0xaaaaaaaa ] ........................

Pattern [ 0x55555555 ] ........................

Pattern [   serial   ] ........................

Address Overlap Test ......................

Passed.



Checking Valid Image in Flash...

Passed.



Unzipping program from bank 2...failed(04)

Try to find image for running...

Valid Code found in the Flash



Unzipping program from bank 3...........................................................................................................................................................................................done

I am going to run the Code image from 80001000








firmware startup...
Stack: 0x807a5980
Heap: 0x807a5990
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17_special/ar5315/gpio.c: feed_watchdog is called??
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17_special/ar5315/gpio.c: setGpio is called??
##### _ftext      = 0x80001000
##### _fdata      = 0x80121F10
##### __bss_start = 0x8013DA48
##### end        = 0x80795980
##### Backup Data from 0x80121F10 to 0x807B5980 length=0001BB38
[CGI] Web SDRAM area is from 0XBFC40000H

install_exception
Installing TLB Refill exception handler from 8000A310 to 80000000, size=184
Installing General exception handler from 8000A3C8 to 80000180, size=216
Installing Interrupt exception handler from 8000A4A0 to 80000200, size=160
misc_int_init
mips_int_enable : 0x00000400
Connect the AHB interrupt
sysBoardDataInit
Init the GPIOs !!!
Enable arbitration for SOC devices !!!
cpuFreq=184000000 sysFreq=40000000 cntFreq=92000000
AR531X_TIMER=00061A6C
AR531X_RELOAD=00061A80
AR531X_IMR=00000028
mips_cp0_status=10000401
mips_cp0_cause=30800000
[INIT] MTinitialize ..
Runtime code version: V1.07.2
System startup...
[INIT] MTmeminit ..
[INIT] check COLOR 0 ..
soho initialize COLOR1 : 409600
[INIT] soho initialize COLOR2 : 25480
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17_special/ar5315/gpio.c: feed_watchdog is called??

Flash Found. It is 2MB Flash....
Set flash memory layout to Runcode version: V1.07.2
Runcode date: Jul 14 2006 17:10:07
Bootcode version: V0.03
Serial number: J631006911
Hardware version: 01
sizeof(struct III_Config_t) is 28624
!![E-CFG-VER] Configuration data version mismatch!!
!![E-CFG-VER] Adapting factory defaults!!
!![E-CFG-VER] Reconfiguration required!!
!!No configuration file present!!
!!! Invalid wireless channel range 0 ~ 0
!!! Use default value 1 ~ 13
default route: 0.0.0.0
BufferInit:
BUF_HDR_SZ=32 BUF_ALIGN_SZ=12 BUFFER_OFFSET=96
BUF_BUFSZ0=384 BUF_BUFSZ1=3264
NUM_OF_B0=200 NUM_OF_B1=900
BUF_POOL0_SZ=83200 BUF_POOL1_SZ=2966400
sizeof(BUFFER0)=416,sizeof(BUFFER1)=3296
*BUF0=0x8066ce2c *BUF1=0x80398a9c
Altgn *BUF0=0x8066ce30 *BUF1=0x80398aa0
End at BUF0:0x80681330, BUF1:0x8066ce20

buffer0 pointer init OK!
buffer1 pointer init OK!
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=0)> ifp->add_default_route:0
Interface 0 ip = 127.0.0.1

ar531xmac_init: ifno=1, initstr=UNIT=0 VLAN=-1
D:/Projects/ttf2004/source/firmware/hardware/ar5312/ar531xbsp.c:sysEnetInit is called
ae531xEndLoad: loading device ...
ae531xEndLoad: unit=0, pDmaBuf=0xa02a98c4, dmaBufSize=8976, txDescCount=192, rxDescCount=256, clCount=512
ae531xEndLoad: System param: mac=b0500000, dma=b0501000, ivec=4, ilev=1000
ae531xEndLoad: Flash ea = 00:13:f7:44:25:d3
ae0 qt = 1, buf begin = 80000000, buf end = 80000000
ae0 qt = 1, drsc begin = a02a98d0, desc end = a02aa7bc
Tx Queue b=0xa02a98d0, e=0xa02aa7bc, c=0xa02a98d0, s@c=0x       0
ae0 qt = 2, buf begin = 80398b02, buf end = 80465e22
ae0 qt = 2, drsc begin = a02aa7d0, desc end = a02abbbc
Rx Queue b=0xa02aa7d0, e=0xa02abbbc, c=0xa02aa7d0, s@c=0x80000000
ae531xMemInit: Memory setup complete.
Found PHY enet0: Altima AC101L model 0x12 revision 0x1
eth0: Phy reset complete, starting auto-negotiation...
ALTM_PHY_CONTROL               = 3100
ALTM_PHY_STATUS                = 7849
ALTM_PHY_ID1                   = 0022
ALTM_PHY_ID2                   = 5521
ALTM_AUTONEG_ADVERT            = 01E1
ALTM_LINK_PARTNER_ABILITY      = 0001
ALTM_AUTONEG_EXPANSION         = 0004
ALTM_NEXT_PAGE_TRANSMIT        = 2001
ALTM_BT_INT_LEVEL_CONTROL      = 1800
ALTM_INT_CONTROL_STATUS        = 0000
ALTM_DIAGNOSTIC                = 0010
ALTM_POWER_LOOPBACK            = 0000
ALTM_CABLE_MEASUREMENT_CONTROL = C0EE
ALTM_RECEIVE_ERROR_COUNTER     = 0000
ALTM_POWER_MANAGEMENT          = 01FF
ALTM_OPERATION_MODE            = 8040
ALTM_CRC_FOR_RECENT_RCVD_PKT   = 0000
eth0: Phy Status=7849
eth0: duplex 0, link 1
ae_SetMacFromPhy: enet0 as half duplex, 10Mbps
ae0: setting TXDP=0xa02a98d0 RXDP=0xa02aa7d0
ae0 Verify MAC address 44F71300 0000D325
  sb = 00 13 F7 44 25 D3
ae531xRxFilterConfig: MacControl = 1084000C
ae531xEndLoad: Done loading, pDrvCtrl=802A96BC txQ=802A96E8 rxQ=802A96FC
ar531xmac_init: enet0 set to NORMAL mode

  DmaStatus  = 0x       0
  DmaBusMode = 0x    2084
  DmaRxBase  = 0x  2aa7d0
  DmaTxBase  = 0x  2a98d0
  DmaControl = 0x  200000
  DmaIntr    = 0x       0
  MacControl = 0x1084000c
  MacAddrHi  = 0x    d325
  MacAddrLo  = 0x44f71300
  MacVlan1   = 0x    8100
  MacVlan2   = 0x       0

Rx Queue b=0xa02aa7d0, e=0xa02abbbc, c=0xa02aa7d0, s@c=0x80000000
Current Rx buffer = 0x       0
Tx Queue b=0xa02a98d0, e=0xa02aa7bc, c=0xa02a98d0, s@c=0x       0
Current Tx buffer = 0x       0
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=1)> ifp->add_default_route:1
ae531xRxFilterConfig: MacControl = 1084000C
Interface 1 ip = 192.168.2.25

ae531xRxFilterConfig: MacControl = 1084000C
[HWLAN] ifno=3 irno=7 port=0x00000000
[HWLAN] semBCreate return 1 8029ce88, count 1
[HWLAN] pRadio->abolt = 00000000
[HWLAN] pRadio->abolt = 00000000
[HWLAN] gSetting.BasicRate=f
apCfgRemoteApMacAddrSet OK: MAC 00:00:00:00:00:00 on WLAN 0
apInit: Initialize Access Point.
[HWLAN] ar5hwcCreatePhy : ifno:3 pdevInfo=80310834, devno=1
[HWLAN] devno 1 pdevInfo 80310834
[HWLAN] Base address = b0000000, irq 3
Attach AR5212 0x13 0x80310834
[HWLAN] DOMAIN 00008210
[HWLAN] Set HWLAN MAC as LAN MAC ..
[HWLAN] MAC Address=00-13-F7=44-25-D3
[HWLAN] wlan1 revisions: mac 11.0 phy 4.8 analog 7.0 eeprom 5.2
### MAX ### Sending Power Strength = 19 dBm
[HWLAN] phwChannel 2437, channelFlags 00005400
[HWLAN] size of ATHEROS_DESC hardware part 32
[HWLAN] CACHE_LINE_SIZE 16, AR_DESC_SIZE 128
[HWLAN] AR_HEADER_SIZE 96, AR_BUF_SIZE 3196numDescriptors = 704
[HWLAN] wlan1: pDmaBuf=A013E480
[HWLAN] pMemBuf a013e480 pdevInfo->pDmaBuf a013e480
[HWLAN] semBCreate return 2 8029ce98, count 1
[HWLAN] ar5hwcQueueCreate: semaphore id 8029ce98
[HWLAN] semBCreate return 3 8029cea8, count 1
[HWLAN] ar5hwcQueueCreate: semaphore id 8029cea8
[HWLAN] semBCreate return 4 8029ceb8, count 1
[HWLAN] ar5hwcQueueCreate: semaphore id 8029ceb8
[HWLAN] semBCreate return 5 8029cec8, count 1
[HWLAN] ar5hwcQueueCreate: semaphore id 8029cec8
[HWLAN] pMemBuf a015a480, pdevInfo->pDmaBuf + pdevInfo->dmaBufSize a018c4a0
[HWLAN] muxDevLoad is called for vportNum 10000, loadfn 8005aa60, vportStr 16: 0: 1
[HWLAN] semBCreate return 6 8029ced8, count 1
[HWLAN] semBCreate return 7 8029cee8, count 1
ar5212Reset: maxCalCount 20
[HWLAN] ioctl CMD=0xb
mips_int_connect: ivec 3 ar5hwcInt 8003f568 pdevInfo 80310834
mips_int_enable : 0x00000C00
[HWLAN] bridgePortAdd : vp, 10000
[HWLAN] bridgePortAdd (base BSS) succeeded for vp1
[HWLAN] semBCreate return 8 8029cef8, count 0
[HWLAN] semBCreate return 9 8029cf08, count 0
[HWLAN] semBCreate return 10 8029cf18, count 1
[HWLAN] semBCreate return 11 8029cf28, count 1
[HWLAN] semBCreate return 12 8029cf38, count 0
[HWLAN] semBCreate return 13 8029cf48, count 1
[HWLAN] semBCreate return 14 8029cf58, count 1
[HWLAN] semBCreate return 15 8029cf68, count 0
[HWLAN] semBCreate return 16 8029cf78, count 1
[HWLAN] semBCreate return 17 8029cf88, count 1
[HWLAN] semBCreate return 18 8029cf98, count 0
[HWLAN] semBCreate return 19 8029cfa8, count 1
wlan1 added STA: 00:13:f7:44:25:d3 (1580)
[HWLAN] ifno=3 after call apInit() : .... bg 1 , a 0 ....
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17_special/ar5315/gpio.c: Hwlan_light_init is called??
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=3)> ifp->add_default_route:0
[HWLAN] hwlan_ioctl() ..
Interface 3 ip = 192.168.2.25

[HWLAN] hwlan_ioctl() ..
[HWLAN] ifno=6 irno=7 port=0x00000000
[WDS] init wds mac : 0000000000000
000000000000
[WDS] hwlanPCI_init() set ifp flag ..
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17_special/ar5315/gpio.c: Hwlan_light_init is called??
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=6)> ifp->add_default_route:0
[HWLAN] hwlan_ioctl() ..
Interface 6 ip = 192.168.2.25

[HWLAN] hwlan_ioctl() ..
[HWLAN] ifno=7 irno=7 port=0x00000000
[WDS] init wds mac : 1000000000000
000000000000
[WDS] hwlanPCI_init() set ifp flag ..
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17_special/ar5315/gpio.c: Hwlan_light_init is called??
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=7)> ifp->add_default_route:0
[HWLAN] hwlan_ioctl() ..
Interface 7 ip = 192.168.2.25

[HWLAN] hwlan_ioctl() ..
[HWLAN] ifno=8 irno=7 port=0x00000000
[WDS] init wds mac : 2000000000000
000000000000
[WDS] hwlanPCI_init() set ifp flag ..
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17_special/ar5315/gpio.c: Hwlan_light_init is called??
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=8)> ifp->add_default_route:0
[HWLAN] hwlan_ioctl() ..
Interface 8 ip = 192.168.2.25

[HWLAN] hwlan_ioctl() ..
[HWLAN] ifno=9 irno=7 port=0x00000000
[WDS] init wds mac : 3000000000000
000000000000
[WDS] hwlanPCI_init() set ifp flag ..
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17_special/ar5315/gpio.c: Hwlan_light_init is called??
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=9)> ifp->add_default_route:0
[HWLAN] hwlan_ioctl() ..
Interface 9 ip = 192.168.2.25

[HWLAN] hwlan_ioctl() ..
RUNTASK id=2 if_task if0...
RUNTASK id=3 if_task if1...
RUNTASK id=4 if_task if3...
RUNTASK id=5 if_task if6...
RUNTASK id=6 if_task if7...
RUNTASK id=7 if_task if8...
RUNTASK id=8 if_task if9...
RUNTASK id=9 timer_task...
RUNTASK id=10 main_8021x...
year=104,mon=11,day=18D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17_special/ar5315/gpio.c: feed_watchdog is called??
randomize ..
RUNTASK id=11 period_task...
RUNTASK id=12 dhcp_clt...on interface 2
httpd: listen at 192.168.2.25:80
HTTPD TIMER_RESOURCE:5, FS_RESOURCE:6
RUNTASK httpd...
DHCPD is Disabled
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17_special/ar5315/gpio.c: feed_watchdog is called??
Starting Multitask...
MTstart2() begin  ...

enet0 up
We just gained our first link(s) for MAC0
ae531xDmaIntEnable 0001a1e2
mips_int_enable : 0x00001C01
[HWLAN] Ready

This Device is AP

And this is a dump of a working La-Fonera, (Hardware is equal to SMC, but with more flash and ram)

+PHY ID is 0022:5521
Ethernet eth0: MAC address 00:18:84:XX:XX:XX
IP: 0.0.0.0/255.255.255.255, Gateway: 0.0.0.0
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version v1.3.0 - built 16:57:58, Aug 7 2006

Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.

Board: ap51
RAM: 0x80000000-0x81000000, [0x80040450-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 1.000 seconds - enter ^C to abort
RedBoot> fis load -l vmlinux.bin.l7
Image loaded from 0x80041000-0x801ba000
RedBoot> exec
Now booting linux kernel:
Base address 0x80030000 Entry 0x80041000
Cmdline :
CPU revision is: 00019064

Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.

Primary data cache 16kB, 4-way, linesize 16 bytes.

Linux version 2.4.32 (iurgi@ropero) (gcc version 3.4.6 (OpenWrt-2.0)) #4 Thu Aug 17 21:48:03 UTC 2006

Determined physical RAM map:

memory: 01000000 @ 00000000 (usable)

On node 0 totalpages: 4096

zone(0): 4096 pages.

zone(1): 0 pages.

zone(2): 0 pages.

Kernel command line: console=ttyS0,9600 rootfstype=squashfs,jffs2

Using 92.000 MHz high precision timer.

Calibrating delay loop... 183.50 BogoMIPS

Memory: 14188k/16384k available (1327k kernel code, 2196k reserved, 92k data, 68k init, 0k highmem)

Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)

Inode cache hash table entries: 1024 (order: 1, 8192 bytes)

Mount cache hash table entries: 512 (order: 0, 4096 bytes)

Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)

Page-cache hash table entries: 4096 (order: 2, 16384 bytes)

Checking for 'wait' instruction... available.

POSIX conformance testing by UNIFIX

Linux NET4.0 for Linux 2.4

Based upon Swansea University Computer Society NET3.039

Initializing RT netlink socket

Starting kswapd

devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)

devfs: boot_options: 0x1

JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB.

squashfs: version 3.0 (2006/03/15) Phillip Lougher

pty: 256 Unix98 ptys configured

Serial driver version 5.05c (2001-07-0 with no serial options enabled

ttyS00 at 0xb1100003 (irq = 37) is a 16550A

eth0: Dropping NETIF_F_SG since no checksum feature.

eth0: Atheros AR2313: 00:18:84:XX:XX:XX, irq 4

MTD driver for SPI flash.

spiflash: Probing for Serial flash ...

spiflash: Found SPI serial Flash.

8388608: size

Creating 8 MTD partitions on "spiflash":

0x00000000-0x00030000 : "RedBoot"

0x00030000-0x00720000 : "rootfs"

eth0: Configuring MAC for full duplex

0x001c0000-0x00720000 : "rootfs1"

0x00720000-0x00730000 : "config"

0x00730000-0x007e0000 : "vmlinux.bin.l7"

0x007e0000-0x007ef000 : "FIS directory"

mtd: partition "FIS directory" doesn't end on an erase block -- force read-only

0x007ef000-0x007f0000 : "RedBoot config"

mtd: partition "RedBoot config" doesn't start on an erase block boundary -- force read-only

0x007f0000-0x00800000 : "board_config"

Initializing Cryptographic API

NET4: Linux TCP/IP 1.0 for NET4.0

IP Protocols: ICMP, UDP, TCP, IGMP

IP: routing cache hash table of 512 buckets, 4Kbytes

TCP: Hash tables configured (established 1024 bind 2048)

ip_conntrack version 2.1 (5953 buckets, 5953 max) - 328 bytes per conntrack

ip_tables: (C) 2000-2002 Netfilter core team

NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.

NET4: Ethernet Bridge 008 for NET4.0

802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>

All bugs added by David S. Miller <davem@redhat.com>

VFS: Mounted root (squashfs filesystem) readonly.

Mounted devfs on /dev

Freeing unused kernel memory: 68k freed


init started: BusyBox v1.1.3 (2006.08.17-19:56+0000) multi-call binary
Algorithmics/MIPS FPU Emulator v1.5


Please press Enter to activate this console.


BusyBox v1.1.3 (2006.08.17-19:56+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

_______ _______ _______
| ____|| || _ |
| ____|| - || | | |
| | |_______||__| |__|
|___|

Fonera Firmware (Version 0.7.0 rev 2) -------------
*
* Based on OpenWrt - http://openwrt.org
* Powered Registering mini_fo version $Id$

by FON - http://www.fon.com
--mini_fo: using base directory: /

----------------mini_fo: using storage directory: /jffs

---------------------------------
root@(none):/# jffs2.bbc: SIZE compression mode activated.

wlan: 0.8.4.2 (0.9.0)

ath_hal: 0.9.17.1 (AR5212, AR5312, RF5112, RF2316, RF2317, TX_DESC_SWAP)

wlan: mac acl policy registered

ath_rate_sample: 1.2 (0.9.0)

ath_ahb: 0.9.4.5 (0.9.0)

ath_pci: switching rfkill capability off

wifi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps

wifi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps

wifi0: H/W encryption support: WEP AES AES_CCM TKIP

wifi0: mac 11.0 phy 4.8 radio 7.0

wifi0: Use hw queue 1 for WME_AC_BE traffic

wifi0: Use hw queue 0 for WME_AC_BK traffic

wifi0: Use hw queue 2 for WME_AC_VI traffic

wifi0: Use hw queue 3 for WME_AC_VO traffic

wifi0: Use hw queue 8 for CAB traffic

wifi0: Use hw queue 9 for beacons

wifi0: Atheros 2315 WiSoC: mem=0xb0000000, irq=3

Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky

device eth0 entered promiscuous mode

Bump!

I am trying to hack the Fonera device (FON2100). I have compiled the firmware from source code released by FON and I only have this:

Welcome to minicom 2.2

OPTIONS: I18n
Compiled on Oct 20 2006, 15:28:39.
Port /dev/ttyUSB0

                 Press CTRL-A Z for help on special keys

+PHY ID is 0022:5521
Ethernet eth0: MAC address 00:18:84:11:24:d0
IP: 0.0.0.0/255.255.255.255, Gateway: 0.0.0.0
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version v1.3.0 - built 16:57:58, Aug  7 2006

Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.

Board: ap51
RAM: 0x80000000-0x81000000, [0x80040450-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 1.000 seconds - enter ^C to abort
^C
RedBoot>
RedBoot>
RedBoot> ip_address -l 192.168.11.111/24 -h 192.168.11.3
IP: 192.168.11.111/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.11.3
RedBoot> load -r -v -b 0x80041000 -m http -h 192.168.11.3 /vmlinux.lzma
-
Raw file loaded 0x80041000-0x800b267b, assumed entry at 0x80041000
RedBoot> cksum
Computing cksum for area 0x80041000-0x800b267c
POSIX cksum = 2748321357 464508 (0xa3d00e4d 0x0007167c)
RedBoot> fis create -b 0x80040450 -f 0xA8730000 -l 0x000B0000 -r 0x80041000 -e 0x80041000 vmlinux.bin.l7
An image named 'vmlinux.bin.l7' exists - continue (y/n)? n
RedBoot> fis delete vmlinux.bin.l7
Delete image 'vmlinux.bin.l7' - continue (y/n)? y
... Erase from 0xa8730000-0xa87e0000: ...........
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis create -b 0x80040450 -f 0xA8730000 -l 0x000B0000 -r 0x80041000 -e 0x80041000 vmlinux.bin.l7
... Erase from 0xa8730000-0xa87e0000: ...........
... Program from 0x80040450-0x800f0450 at 0xa8730000: ...........
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -v -b 0x80040450 -m http -h 192.168.11.3 /rootfs
-
Raw file loaded 0x80040450-0x801b0bdc, assumed entry at 0x80040450
RedBoot> cksum
Computing cksum for area 0x80040450-0x801b0bdd
POSIX cksum = 3971643833 1509261 (0xecba79b9 0x0017078d)
RedBoot> fis delete rootfs
Delete image 'rootfs' - continue (y/n)? y
... Erase from 0xa8030000-0xa8730000: .......................................................................................................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis create -b 0x80040450 -f 0xA8030000 -l 0x00700000 -e 0x00000000 rootfs
... Erase from 0xa8030000-0xa8730000: .......................................................................................................
... Program from 0x80040450-0x80740450 at 0xa8030000: .......................................................................................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset
+PHY ID is 0022:5521
Ethernet eth0: MAC address 00:18:84:11:24:d0
IP: 0.0.0.0/255.255.255.255, Gateway: 0.0.0.0
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version v1.3.0 - built 16:57:58, Aug  7 2006

Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.

Board: ap51
RAM: 0x80000000-0x81000000, [0x80040450-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 1.000 seconds - enter ^C to abort
RedBoot> fis load -l vmlinux.bin.l7
too long file.
lzma_decode failed. res=1
RedBoot> exec
Now booting linux kernel:
Base address 0x80030000 Entry 0x80041000
Cmdline :
---------------------------------------------------------------RESET--------------------------------------------------
+PHY ID is 0022:5521
Ethernet eth0: MAC address 00:18:84:11:24:d0
IP: 0.0.0.0/255.255.255.255, Gateway: 0.0.0.0
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version v1.3.0 - built 16:57:58, Aug  7 2006

Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.

Board: ap51
RAM: 0x80000000-0x81000000, [0x80040450-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 1.000 seconds - enter ^C to abort
^C
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
rootfs            0xA8030000  0xA8030000  0x00700000  0x00000000
vmlinux.bin.l7    0xA8730000  0x80041000  0x000B0000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000
RedBoot>



Could anyone help with this? Could anyone with a "virgin" fonera post the output from the "fis list" command in RedBoot? Could anyone post a link to an openwrt ar531x architecture firmware?

Thanks. Regards.

I got my La Fonera a few days ago and set out to investigate it over the weekend.
I found a neat way of exploiting the webif/adv_wifi.sh script to inject commands over the built in webadmin (much simpler than using the (now fixed) bug in the FON-site scripts to inject commands), thereby simply starting the SSH-server in it.

I have not yet connected up a serial-cable to play with RedBoot or attempting to flash it in any way, but I have some addresses read out from the FIS-directory here, and also complete "mostly virgin" (except for some slight changes in the JFFS2-filesystem to activate SSH and disable running the updates fetched from FON) dumps of all mtdblock-devices. Just tell me if you want them.

The FIS-table has five entries and appears to be just as yours:

A800 0000 - A803 0000 (0003 0000 bytes) RedBoot
A87E F000 - A87F 0000 (0000 1000 bytes) RedBoot config
A87E 0000 - A87E F000 (0000 F000 bytes) FIS directory
A803 0000 - A873 0000 (0070 0000 bytes) rootfs
A873 0000 - A87E 0000 (000B 0000 bytes) vmlinux.bin.l7 (mem addr/entry 8004 1000)

The MTD-devices in the linux (these are the ones I have byte-dumped to files):

00000000 - 00030000 mtdblock/0 RedBoot
00030000 - 00720000 mtdblock/1 rootfs
001c0000 - 00720000 mtdblock/2 rootfs1
00720000 - 00730000 mtdblock/3 config
00730000 - 007E0000 mtdblock/4 vmlinux.bin.l7
007E0000 - 007EF000 mtdblock/5 FIS directory (Read only)
007EF000 - 007F0000 mtdblock/6 RedBoot config (Read only)
007F0000 - 00800000 mtdblock/7 board_config

Note that mtdblock/1 includes all of mtdblock/2 and that FIS rootfs includes all of mtdblock 1, 2 and 3.

mtdblock 3 is, funnily enough, empty, all zeroes, except for the first two bytes, which read "13 37" :-)

I hope this info is of any use to you. I'm just beginning my adventures with OpenWRT and linux-routers in general, and this is my first encounter with embedded systems running linux from flash. I'm learning quickly though.

obiwan_kenobi wrote:

I have managed to compile openwrt for Atheros

Maybe you could explain to me how do you choose a target for Atheros ?

When you 'make menuconfig',

1. What do you select for 'target system' ? Atheros is not selectable there.
   
    Did you choose Broadcom BCM947xx/953xx or what ?

2. What do you choose for target profile ?

    Did you mean you choose Generic, Atheros WiFi ?

Cheers.

Hello,

I managed to compile a kernel & image as well. I downloaded the fonera gpl tarball and copied over all of their changes. I managed to boot my kernel over network. Now I'm working on flashing my kernel & root-filesystem.
Actually I think my kernel has loaded the original mini_fo.ko module and with that it corrupted the fonera rootfs, but I'm not sure. Anyway, once I know how that works I will post a patch or instructions.

Sosumi, how does your exploit work?

Here is a dump of the original "fis list" through a serial cable:

+PHY ID is 0022:5521
Ethernet eth0: MAC address 00:18:84:10:97:f4
IP: 0.0.0.0/255.255.255.255, Gateway: 0.0.0.0
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version v1.3.0 - built 16:57:58, Aug  7 2006

Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.

Board: ap51 
RAM: 0x80000000-0x81000000, [0x80040450-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 1.000 seconds - enter ^C to abort
^C
RedBoot> ^C
RedBoot> 
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
rootfs            0xA8030000  0xA8030000  0x00700000  0x00000000
vmlinux.bin.l7    0xA8730000  0x80041000   x000B0000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EE000  0x00001000  0x00000000
RedBoot>

Cheers & keep on hacking...

Now I'm stuck with boot loaders.
I'm working with the SMC device, which has a bootloader from Arcadyan.
It starts from position 0x80001000, so I need to build a bootloader that starts from this position, decompresses the LZMA kernel, and then boots the kernel from its Kernel Entry.
I'm trying to do some modifications in the boot loader that's working with Sinus 154 DSL.
Does anyone know how to build a bootloader for BRN boot loader devices?

Let the force be with you!!!

.:: Obiwan ::.

obiwan_kenobi wrote:

I have managed to compile openwrt for Atheros

I have downloaded kamikaze and dlink gpl source ( di-524 ). The dlink GPL source does not include the toolchain binary. So I thought I would use kamikaze toolchain binary to compile the sources.

Basically I ran menuconfig, selected atheros targets. In the end I path-ed the environment variables to point to kamikaze compiled toolchain binaries. But the compilation failed half way.

Then I ran the dlink gpl source for compiling the toolchain binary, answered
MIP32, big endian, and 'NO MMU' and after obtaining the toolchain binary, it managed to compile the dlink gpl sources ( except for one part where the hostapd get knocked out due to unsatisfied symbols 'daemon' ).

I am posting this information here for sharing - perhaps it is useful info and at the same time someone might have comments on it.

Cheers.

Hello everybody,

I successfully ported over the fonera-changes to kamikaze-svn, so I now have a working kamikaze for the fonera.
Had to use the old (0.9.0) madwifi-driver, but that is working like a charm in client mode.
I'll prepare a patch in the next few days.

Cheers,
casperado

2.4 code won't go into kamikaze.. I'm working on a total rewrite, the only problem I'm facing with is time..

Hello Kaloz,

nbd already told me 2.4 won't go into kamikaze, but for now kamikaze works well on the fonera with 2.4 because of fon.com's help. At least I'll be using it for a while...

How far are you with 2.6? Maybe I can help?

Cheers,
Kaspar

casperado,

Cool! Can't wait till you get openwrt on fonera!

casperado wrote:

I successfully ported over the fonera-changes to kamikaze-svn,
I'll prepare a patch in the next few days.

Have you already posted these patches? I'd like to have them...
and maybe a little howto on what you did to flash...
would be great !!!

Are there any updates on this ?

I'm currently stuck with a broken shell after trying to install a modified kmod ipkg.

init started:  BusyBox v1.1.3 (2006.09.11-19:54+0000) multi-call binary

Algorithmics/MIPS FPU Emulator v1.5



Please press Eactivate this console.





Busy.3 (2006.09.11-19:54+0000) Built-in shell (ash)

Enter 'help' for a list of built-in commands.



_______  _______  _______

|   ____||       ||   _   |

|   ____||   -   ||  | |  |

|   |    |_______||__| |__|

|___|



Fonera Firmware (Version 0.7.0 rev 4) -------------

  *

  * Based on OpenWrt - http://openwrt.org

  * Powered by FON - http://www.fon.com

---------------------------------------------------
root@(none):/# Registering mini_fo version $Id$

mini_fo: using base directory: /

mini_fo: using storage directos

jffs2.bbc: SIZE compression mode activated.

:-\

Updates are stalled as apparently FON (Varzavsky) is paying some openwrt developers to 'contribute' i.e. not participate in any 'FON compromising activities'...

Hi guys,
After working a weekend I also successfully modified kamikaze-svn, and now I have a working kamikaze on my fonera!
I used the fon's patch to madwifi, now it works smoothly!
I am planning to update the changes I made.
Stay tuned.

Cris

Chris you are great big_smile

Cris wrote:

Hi guys,
After working a weekend I also successfully modified kamikaze-svn, and now I have a working kamikaze on my fonera!
I used the fon's patch to madwifi, now it works smoothly!
I am planning to update the changes I made.
Stay tuned.

Cris

Tell us more, please... I would like to have OpenWRT on LaFonera, too!

@casperado, cris:

Many people are waiting for either of you to give us the patches you both use to get kamikaze working!

Would be nice to get it working here, too.

I guess this means that you can't buy security then doesn't it?

Cris wrote:

Hi guys,
After working a weekend I also successfully modified kamikaze-svn, and now I have a working kamikaze on my fonera!
I used the fon's patch to madwifi, now it works smoothly!
I am planning to update the changes I made.
Stay tuned.

Cris

It's one thing to declare... but another thing to share... that's why I don't declare !

intrax wrote:
Cris wrote:

I used the fon's patch to madwifi, now it works smoothly!
Cris

It's one thing to declare... but another thing to share... that's why I don't declare !

It's one thing to hack it together, another thing to put it into a shareable shape... that's why I don't share (yet).

Casper

Yo,

here it is:
ftp://vs2066243.netfabrik.de/openwrt/ka … fonera.tgz

In order to install it, you need a serial console!
BE CAREFUL!
This can kill your router. Only try installing kamikaze if you know what you're doing!
These instructions probably don't work for you. If you don't understand the commands issued, don't do this!

To build, checkout the kamikaze-svn. I know that revision 5859 works, so:

 svn co -r 5859 https://svn.openwrt.org/openwrt/trunk

download & extract & build my tarball into trunk:

 
cd trunk
wget ftp://vs2066243.netfabrik.de/openwrt/kamikaze/fonera/kamikaze_fonera.tgz
tar -xzf kamikaze_fonera.tgz

In the configuration, select ar513x as target platform. Make sure Driver/madwifi is built.
Then build.

make menuconfig; make

To flash it, make everything from the bin-directory available via HTTP.

This dump assumes that the workstation is 192.168.123.1, the router 192.168.123.2.
I used busybox (came with my debian): (in trunk/bin):

 busybox httpd -p 8081 .

On the serial console:

RedBoot> ip_address -l 192.168.123.2/24
IP: 192.168.123.2/255.255.255.0, Gateway: 0.0.0.0
Default server: 0.0.0.0
RedBoot> load -r -b 0x80040450 -m http -p 8081 -h 192.168.123.1 /openwrt-ar531x-2.4-vmlinux.lzma
Raw file loaded 0x80040450-0x800c044f, assumed entry at 0x80040450
RedBoot> cksum
Computing cksum for area 0x80040450-0x800c0450
POSIX cksum = 2858572401 524288 (0xaa625a71 0x00080000)
RedBoot> fis list
Name              FLASH addr  Mem aadr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0000030000  0x00000000
rootfs            0xA8030000  0xA8030000  0x00700000  0x00000000
vmlinux.bin.l7    0xA8730000  0x80041000  0x000B0000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000
RedBoot> fis list -d
Name              FLASH addr  Mem addr    Datalen     Entry point
RedBoot           0xA8000000  0xA8000000  0x000285E0  0x00000000
rootfs            0xA8030000  0xA8030000  0x00180000  0x00000000
vmlinux.bin.l7    0xA8730000  0x80041000  0x00080000  0x800410000
FIS directory     0xA87E0000  0xA87E0000  0x00000000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00000000  0x00000000
RedBoot> load -r -b 0x80041000 -m http -p 8081 -h 192.168.123.1 /openwrt-ar531x-2.4-vmlinux.lzma
Raw file loaded 0x80041000-0x800c0fff, assumed entry at 0x80041000
RedBoot> cksum
Computing cksum for area 0x80041000-0x800c1000
POSIX cksum = 2858572401 524288 (0xaa665a71 0x00080000)
RedBoot> fis create -b 0x80041000 -f 0xA8730000 -l 0x000B0000 -r 0x80041000 -e 0x80041000 -s 0x00080000 vmlinux.bin.l7
An image named 'vmminux.bin.l7' exists - continue (y/n)? y
... Erase from 0xa8730000-0xa87e0000: ...........
... Program from 0x80041000-0x800c1000 at 0xa8730000: ........
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
rootfs            0xA8030000  0xA8030000  0x00700000  0x00000000
vmlinux.bin.l7    0xA8730000  0x80041000  0x000B0000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000
RedBoot> fis list -d
Name              FLASH addr  Mem addr    Datalen     Entry poont
RedBoot           0xA8000000  0xA8000000  0x000285E0  0x00000000
rootfs            0xA8030000  0xA8030000  0x00180000  0x00000000
vmlinux.bin.l7    0xA8730000  0x80041000  0x00080000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x00000000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00000000  0x00000000
RedBoot> load -r -b 0x80040450 -m http -p 8081 -h 192.168.123.1 /openwrt-ar531x-2.4-root.jffs2-64k
Raw file loaded 0x80040450-0x801e044f, assumed entry at 0x80040450
RedBoot>                                                        
RedBoot> cksum
Computing cksum for area 0x80040450-0x801e0450
POSIX cksum = 3506838485 1703936 (0xd1061bd5 0x001a0000)
RedBoot>                                                                          
RedBoot> fis create -b 0x80040450 -f 0xA8030000 -l 0x00700000 -s 0x001a0000 rootfs
An image named 'rootfs' exists - continue ((/n)? y
... Erase from 0xa8030000-0xa8730000: ................................................................................................................
... Program from 0x80040450-0x801e0450 at 0xa8030000: ..........................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset
... Resetting.+PHY ID is 0022:5521

Have fun!
Casper
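
A workstation-side check for the load / cksum / fis create sequence used in this thread, as an added example (not code from any poster or from RedBoot): it computes the POSIX cksum of a local image for comparison with RedBoot's `cksum` line, and lints a captured session for address and length inconsistencies. The sample lines are copied from the two vmlinux.bin.l7 sessions above; the function names and finding codes are made up for this example.

```python
import re

def _crc_table():
    # CRC-32 table, polynomial 0x04C11DB7, most significant bit first.
    table = []
    for i in range(256):
        c = i << 24
        for _ in range(8):
            c = ((c << 1) ^ 0x04C11DB7) if c & 0x80000000 else (c << 1)
        table.append(c & 0xFFFFFFFF)
    return table

_TABLE = _crc_table()

def posix_cksum(data):
    """Return (crc, length) as printed by POSIX cksum and RedBoot's cksum."""
    crc = 0
    for byte in data:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[(crc >> 24) ^ byte]
    n = len(data)
    while n:  # the length is fed in after the data, low byte first
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[(crc >> 24) ^ (n & 0xFF)]
        n >>= 8
    return crc ^ 0xFFFFFFFF, len(data)

CKSUM_RE = re.compile(
    r"POSIX cksum = (\d+) (\d+) \(0x([0-9a-fA-F]+) 0x([0-9a-fA-F]+)\)")
LOADED_RE = re.compile(r"Raw file loaded 0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)")
OPT_RE = re.compile(r"-([a-z])\s+(0x[0-9a-fA-F]+)")

def image_matches(data, cksum_line):
    """True if a local image has the CRC and length RedBoot reported."""
    m = CKSUM_RE.search(cksum_line)
    return bool(m) and posix_cksum(data) == (int(m.group(1)), int(m.group(2)))

# Finding codes (names invented for this example).
FINDINGS = {
    "CKSUM_HEX_MISMATCH": "decimal and hex cksum fields disagree (capture noise)",
    "CKSUM_LEN_MISMATCH": "cksum length differs from the loaded range",
    "BASE_MISMATCH": "fis create -b is not the address the file was loaded at",
    "NO_DATA_LENGTH": "no -s given: the whole -l region is programmed from RAM",
    "DATA_LEN_MISMATCH": "-s differs from the number of bytes loaded",
    "DATA_EXCEEDS_PARTITION": "-s is larger than -l",
}

def lint_transcript(text):
    """Return [(line_number, finding_code)] for a captured RedBoot session."""
    out, loaded = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = LOADED_RE.search(line)
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            loaded = (start, end - start + 1)  # end address is inclusive
            continue
        m = CKSUM_RE.search(line)
        if m:
            crc, length = int(m.group(1)), int(m.group(2))
            if (crc, length) != (int(m.group(3), 16), int(m.group(4), 16)):
                out.append((no, "CKSUM_HEX_MISMATCH"))
            if loaded and length != loaded[1]:
                out.append((no, "CKSUM_LEN_MISMATCH"))
            continue
        if "fis create" in line and loaded:
            opt = {k: int(v, 16) for k, v in OPT_RE.findall(line)}
            if opt.get("b") != loaded[0]:
                out.append((no, "BASE_MISMATCH"))
            if "s" not in opt:
                out.append((no, "NO_DATA_LENGTH"))
            else:
                if opt["s"] != loaded[1]:
                    out.append((no, "DATA_LEN_MISMATCH"))
                if "l" in opt and opt["s"] > opt["l"]:
                    out.append((no, "DATA_EXCEEDS_PARTITION"))
    return out

# Lines copied from the session in this thread that ended in "lzma_decode failed".
FAILED = "\n".join([
    "Raw file loaded 0x80041000-0x800b267b, assumed entry at 0x80041000",
    "POSIX cksum = 2748321357 464508 (0xa3d00e4d 0x0007167c)",
    "RedBoot> fis create -b 0x80040450 -f 0xA8730000 -l 0x000B0000 "
    "-r 0x80041000 -e 0x80041000 vmlinux.bin.l7",
])
# Lines copied from the kamikaze flashing session in this thread.
WORKING = "\n".join([
    "Raw file loaded 0x80041000-0x800c0fff, assumed entry at 0x80041000",
    "POSIX cksum = 2858572401 524288 (0xaa665a71 0x00080000)",
    "RedBoot> fis create -b 0x80041000 -f 0xA8730000 -l 0x000B0000 "
    "-r 0x80041000 -e 0x80041000 -s 0x00080000 vmlinux.bin.l7",
])

if __name__ == "__main__":
    for name, text in (("failed", FAILED), ("working", WORKING)):
        for no, code in lint_transcript(text):
            print(f"{name}: line {no}: {code}: {FINDINGS[code]}")
```

The only finding in the second session is a hex field that disagrees with the decimal CRC in the captured text, so the decimal CRC and length are the fields to compare against `posix_cksum()` of the file served over HTTP.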

christmas is today? wink

or in a couple of days?

may we get another present?

(Last edited by heini on 19 Dec 2006, 23:15)