OpenWrt Forum Archive

Topic: Fonera FON-2200 Redboot Access through Ethernet (kolofonium not needed?)

The content of this topic has been archived on 17 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

Doing some tests with a stock Fonera 2200 (the one similar to the 2100 but without the heat sink nor metal shield over RF components) I have discovered that 3-5 seconds after power on, it has RedBoot accessible on 192.168.1.1 9000 for just two seconds. It is a bit hard to do the timing to interrupt it, but with several attempts it can be done.

I am not sure if this is already known, but I haven't been able to find any info about reflashing these units without serial console access or some hack like the kolofonium method. So I am just documenting it just in case.

After interrupting RedBoot, it looks like it keeps trying to execute its bootup, but the good thing is that it also accepts any command:

Here starts a long capture; as you can see, even if I keep pressing Ctrl-C it insists on going on with execution:


== Executing boot script in 1.990 seconds - enter ^C to abort
♥^C
RedBoot> ♥/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/dev
s/eth/mips/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEB
UG_ERROR = 00000145
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145
^C
RedBoot> ♥/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/dev
s/eth/mips/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEB
UG_ERROR = 00000001
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145
^C
RedBoot> ♥/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/dev
s/eth/mips/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEB
UG_ERROR = 00000001
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145
^C
RedBoot> ♥/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/dev
s/eth/mips/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEB
UG_ERROR = 00000001
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145
^C
RedBoot> ♥/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/dev
s/eth/mips/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEB
UG_ERROR = 00000145
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145
^C
RedBoot> ♥/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/dev
s/eth/mips/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEB
UG_ERROR = 00000001
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145
^C
RedBoot> ♥^C
RedBoot> ♥^C
RedBoot> ♥^C
RedBoot> ♥^C
RedBoot> ♥^C
RedBoot> f/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/dev
s/eth/mips/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEB
UG_ERROR = 00000043
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145
config -/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/
eth/mips/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEBUG
_ERROR = 0000c34f
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145
ll/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mi
ps/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEBUG_ERROR
= 0000c34f
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEBUG_ERROR =
00000145
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145

/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEBUG_ERROR =
00000145
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145



-> Here is the output of the command 'fconfig -l' I typed very fast between ctrl-c's:


Run script at boot: true
Boot script:
.. fis load -l vmlinux.bin.l7
.. exec

Boot script timeout (1000ms resolution): 2
Use BOOTP for network configuration: false
Gateway IP address: 0.0.0.0
Local IP address: 192.168.1.1
Local IP address mask: 0.0.0.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
RedBoot> /home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs
/eth/mips/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEBU
G_ERROR = 0000c34f
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEBUG_ERROR =
00000145
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145

Here is the output of a fis list:

Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0x80040C00  0x00030000  0xA8000000
rootfs            0xA8030000  0xA8030000  0x00700000  0x00000000
vmlinux.bin.l7    0xA8730000  0x80041000  0x000B0000  0x80190040
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000
RedBoot> /home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs
/eth/mips/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEBU
G_ERROR = 0000c34f
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEBUG_ERROR =
00000145
/home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs/eth/mips
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145

... and goes on... the good thing is that it seems to accept any command... I didn't try a fis init just in case I could end up with a bricked Fonera, but I bet it would be possible to reflash it easily and without any "trick" like kolofonium.

It's not that using kolofonium and doing the kernel and RedBoot mod is a big hassle, but I guess it would be very interesting for many users to just run some GUI flasher like Freifunk's one configured to 192.168.1.1 and avoid most of the process.

I have checked to see if the same behavior is on FON2100 and FON2201A with no luck. It seems it only happens on FON2200.

Does anyone have more experience with this behaviour? If it is already known and there is no way to reflash using it I would also like to hear it (though I would really be surprised if it would not be possible).

- ShadSEC
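A check a device owner can run over a captured `fconfig -l` listing to see where and for how long the bootloader prompt is reachable over Ethernet. This is an added example, not part of the original posts; the function names are hypothetical, and the sample is the FON2200 capture above with one interleaved driver-error line kept to show that the parser skips it.

```python
import re

# `fconfig -l` capture from the FON2200 post above; one interleaved
# driver-error line is kept to show the parser skips that noise.
SAMPLE = """\
Run script at boot: true
Boot script:
.. fis load -l vmlinux.bin.l7
.. exec

Boot script timeout (1000ms resolution): 2
Use BOOTP for network configuration: false
Gateway IP address: 0.0.0.0
Local IP address: 192.168.1.1
Local IP address mask: 0.0.0.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
RedBoot> /home/alfa/Atheros_Beta5.0/linuxsrc/src/redboot_fon1/ecos/packages/devs
/ar531x/current/src/ae531xecos.c#393:ae531x_send AHB ERROR status_4 = 00000145
"""

# "Key (optional unit note): value"; keys are letters and spaces only, so
# prompt lines and source-path error lines never match.
LINE = re.compile(r"([A-Za-z ]+?)(?: \([^)]*\))?:\s*(.*)$")

def parse_fconfig(text):
    """Return (settings dict, boot script commands) from `fconfig -l` output."""
    settings, script = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(".."):
            script.append(line[2:].strip())
        elif (m := LINE.match(line)):
            settings[m.group(1)] = m.group(2)
    return settings, script

def network_prompt_window(settings):
    """Describe where the prompt listens, and for how long, or None."""
    ip = settings.get("Local IP address", "0.0.0.0")
    port = int(settings.get("GDB connection port", "0"))
    if ip == "0.0.0.0" or port == 0:
        return None
    # Assumption: with no boot script RedBoot waits at the prompt (seconds=None).
    runs = settings.get("Run script at boot") == "true"
    secs = int(settings.get("Boot script timeout", "0")) if runs else None
    return {"ip": ip, "port": port, "seconds": secs}

if __name__ == "__main__":
    cfg, script = parse_fconfig(SAMPLE)
    print(script, network_prompt_window(cfg))
```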

Ok, I had to try.....

Freifunk EasyFlash finds it on boot and, after some stderr:tftp repeat block XXXX (from 27 to 2560) errors while loading rootfs, it has it reflashed without any hassle as expected....

So, I must conclude that FON2200 units don't need any hack and are just reflashable as they come... This is so easy that probably it was already known, but since I didn't know about it before, I guess a bit more information about it wouldn't hurt.

- ShadSEC

shadsec wrote:

I have checked to see if the same behavior is on FON2100 and FON2201A with no luck. It seems it only happens on FON2200.

Does anyone have more experience with this behaviour? If it is already known and there is no way to reflash using it I would also like to hear it (though I would really be surprised if it would not be possible).

- ShadSEC

Hi ShadSEC

For the La Fonera+ (FON2201), Ethernet access for RedBoot is available too --> listening two seconds at boot on 192.168.1.1 on port 9000
And serial port too.


== Executing boot script in 1.300 seconds - enter ^C to abort
^C

RedBoot(tm) bootstrap and debug environment [ROMRAM]
OpenWrt certified release, version 1.1 - built 22:32:28, May  7 2007

Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.

Board: FON 2201
RAM: 0x80000000-0x81000000, [0x80040290-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
RedBoot> 
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0x80040400  0x00030000  0xA8000000
loader            0xA8030000  0x80100000  0x00010000  0x80100000
image             0xA8040000  0x80040400  0x00230004  0x80040400
image2            0xA8660000  0xA8660000  0x00140000  0x80040400
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000
RedBoot>
RedBoot> IP
IP: 192.168.1.1/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.254
RedBoot>

RedBoot> fconfig -l
Run script at boot: true
Boot script:
.. fis load -b 0x80100000 loader
..  go 0x80100000

Boot script timeout (1000ms resolution): 2
Use BOOTP for network configuration: false
Gateway IP address: 0.0.0.0
Local IP address: 192.168.1.1
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
RedBoot>

Some tips on my "only 3 pages" website here: http://www.moliets-bastide.info
Ram boot for OpenWRT-kamikaze ( Wifi and serial ) without reflashing.
Just for fun and playing.

Regards
Lama Bleu

I can't stop laughing at this discovery... Martin Varsavsky probably crying !

great work guys !

intrax wrote:

I can't stop laughing at this discovery... Martin Varsavsky probably crying !

great work guys !

Thanks intrax.

Now, here is the link to SSH a Fonera+ (FON2201): http://www.fonboard.nl/wiki/Main_Page or http://wifi.wikia.com (mirror).
Multilingual Wiki for all OS. Martin sends us a congratulation mail ( "OK I will check"), but probably crying while in private.

LamaBleu.

Sorry to be a thread necromancer with this, but it seems fitting, and about the only place I've seen reference this problem:

I received a Fon 2200 flashed to... I think it was 0.7.1-2 actually.  I went through the normal process of reflashing one as described at http://www.dd-wrt.com/wiki/index.php/La … e_Flashing -- used Kolofonium and used the CAMICIA.lzma and out.hex...

That of course got me to a RedBoot prompt, which it seems from this thread I could have gotten to in the first place (boo, I didn't know).

Trying to go further with it and do the actual flashing from RedBoot causes me to get similar errors as listed in the original post, like "/ar531x/current/src/ae531xecos.c#390:ae531x_send AHB ERROR: AR531X_DEBUG_ERROR" <-- those.  And I similarly have to Ctrl+C, and sometimes that stabilizes it back to a Redboot prompt.

But either way, I can't get it to flash any further, due to those errors it seems.  Any ideas on how to get it flashed?

Thanks in advance to anyone who can give some insight :)

(Last edited by byzuser on 11 Jan 2008, 14:53)

The discussion might have continued from here.