Hi guys, for many years I and my friends (who help traditional communities set up their community networks) have dreamed of supporting the intelbras equipment that is widely available in Brazil as ISPs are increasingly abandoning this equipment to use fiber.
It's the first time I've tried this and I've been studying for a long time about how to do it and now I've got the courage to write here.
The specifications I got from the equipment:
Opening the case I realized:
SoC: Atheros AR9342 (533 MHz)
FLA1: 16MiB (cFeon EN25QH128A)
WL1 chip1:?
WI1 802dot11 protocols: bgn
Switch: Atheros AR8032
I tried to put it in recovery mode by pressing reset while turning it on, I followed tcpdump and didn't see much, but it opened an http server offering a firmware upload option.
Then I tried a serial access with a USB-TTL ft232 converter and was able to access the bootloader:
U-Boot 1.1.4_1.3.5 (May 16 2019 - 14:39:02)
INTELBRAS WOM5A16M
DRAM:
sri
Wasp 1.3
wasp_ddr_initial_config(266): (16bit) ddr2 init
wasp_ddr_initial_config(443): Wasp ddr init done
Tap value selected = 0xf [0x0 - 0x1f]
64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 227k for U-Boot at: 83fc4000
Reserving 192k for malloc() at: 83f94000
Reserving 44 Bytes for Board Info at: 83f93fd4
Reserving 36 Bytes for Global Data at: 83f93fb0
Reserving 128k for boot params() at: 83f73fb0
Stack Pointer at: 83f73f98
Now running in RAM - U-Boot at: 83fc4000
Flash Manuf Id 0x1c, DeviceId0 0x70, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
In: serial
Out: serial
Err: serial
Net: ag934x_enet_initialize...
No valid address in Flash. Using fixed address
wasp reset mask:c02200
WASP ----> F1 PHY *
F1Phy reg init
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
ATHR_AUTONEG_ADVERT:DE1
ATHR_1000BASET_CONTROL:0
ATHR_PHY_CONTROL:3100
ATHRSF1_PHY: Port 0, Neg Success
ATHRSF1_PHY: unit 0 phy addr 0 eth0 up
eth0
Setting 0xb8116290 to 0x40802d0f
Autobooting in 1 seconds
## Booting image at 9f050000 ...
Image Name: MIPS OpenWrt Linux-3.10.49
Created: 2021-03-19 18:10:56 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 844771 Bytes = 825 kB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum at 0x9f050040 ...OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 67108864
Starting kernel ...
[ 0.000000] Linux version 3.10.49 (build@runner-50ec0c25-project-43-concurrent-0) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 a00aa2) ) #1 1
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU revision is: 0001974c (MIPS 74Kc)
[ 0.000000] SoC: Atheros AR9342 rev 3
[ 0.000000] Clocks: CPU:535.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:40.000MHz
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x03ff0fff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x03ff0fff]
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16240
[ 0.000000] Kernel command line: board=WOM5A16M console=ttyS0,115200 mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,1024k(kernel),6528k(rootfs)d
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 61812k/65472k available (1960k kernel code, 3660k reserved, 340k data, 192k init, 0k highmem)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Calibrating delay loop... 267.26 BogoMIPS (lpj=534528)
[ 0.036000] pid_max: default: 32768 minimum: 301
[ 0.040000] Mount-cache hash table entries: 512
[ 0.044000] NET: Registered protocol family 16
[ 0.048000] MIPS: machine is WOM5A16M
[ 0.052000]
WLAN firmware dump buffer allocation of 2097152 bytes @ address 0x83a00000- SUCCESS !!!
[ 0.264000] bio: create slab <bio-0> at 0
[ 0.268000] Switching to clocksource MIPS
[ 0.272000] NET: Registered protocol family 2
[ 0.280000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[ 0.284000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[ 0.292000] TCP: Hash tables configured (established 512 bind 512)
[ 0.296000] TCP: reno registered
[ 0.300000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.304000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.312000] NET: Registered protocol family 1
[ 0.332000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.340000] msgmni has been set to 120
[ 0.344000] io scheduler noop registered
[ 0.348000] io scheduler deadline registered (default)
[ 0.352000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.380000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[ 0.388000] console [ttyS0] enabled, bootconsole disabled
[ 0.388000] console [ttyS0] enabled, bootconsole disabled
[ 0.400000] ath79-spi ath79-spi: master is unqueued, this is deprecated
[ 0.408000] m25p80 spi0.0: found en25qh128, expected m25p80
[ 0.412000] m25p80 spi0.0: en25qh128 (16384 Kbytes)
[ 0.420000] 12 cmdlinepart partitions found on MTD device spi0.0
[ 0.424000] Creating 12 MTD partitions on "spi0.0":
[ 0.428000] 0x000000000000-0x000000040000 : "u-boot"
[ 0.436000] 0x000000040000-0x000000050000 : "u-boot-env"
[ 0.444000] 0x000000050000-0x000000150000 : "kernel"
[ 0.452000] 0x000000150000-0x0000007b0000 : "rootfs"
[ 0.456000] mtd: device 3 (rootfs) set to be root filesystem
[ 0.464000] 0x0000007b0000-0x0000007c0000 : "mib0"
[ 0.468000] 0x0000007c0000-0x0000007f0000 : "conf"
[ 0.476000] 0x0000007f0000-0x000000800000 : "rsvd"
[ 0.484000] 0x000000800000-0x000000900000 : "kernel-bkp"
[ 0.488000] 0x000000900000-0x000000f60000 : "rootfs-bkp"
[ 0.496000] 0x000000f60000-0x000000ff0000 : "rsvd2"
[ 0.504000] 0x000000ff0000-0x000001000000 : "ART"
[ 0.512000] 0x000000050000-0x0000007b0000 : "firmware"
[ 0.524000] libphy: ag71xx_mdio: probed
[ 1.080000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.0:00 [uid=004dd023, driver=Atheros 8032 ethernet]
[ 1.092000] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[ 1.100000] TCP: cubic registered
[ 1.104000] NET: Registered protocol family 17
[ 1.108000] Bridge firewalling registered
[ 1.120000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
[ 1.128000] Freeing unused kernel memory: 192K (802a0000 - 802d0000)
init started: BusyBox v1.22.1 (2021-03-19 18:05:56 UTC)
starting pid 219, tty '': '/system/bin/firmware init &'
Please press Enter to activate this console. [ 5.472000] 8021q: 802.1Q VLAN Support v1.8
[ 5.532000] NET: Registered protocol family 10
[ 5.544000] gre: GRE over IPv4 demultiplexor driver
[ 5.552000] ip_gre: GRE over IPv4 tunneling driver
[ 5.564000] nf_conntrack version 0.5.0 (968 buckets, 3872 max)
[ 5.576000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 5.596000] u32 classifier
[ 5.600000] input device check on
[ 5.604000] Actions configured
[ 5.608000] Mirror/redirect action on
[ 5.620000] Loading modules backported from Linux version master-2014-05-22-0-gf2032ea
[ 5.628000] Backport generated by backports.git backports-20140320-37-g5c33da0
[ 5.640000] devdh: Unknown symbol itbnlhub_set_wlan_sta_address (err 0)
[ 5.660000] Ebtables v2.0 registered
[ 5.668000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 5.680000] Module kmod-itbnlhub initialized
[ 5.748000] xt_time: kernel timezone is -0000
[ 5.780000] cfg80211: Calling CRDA to update world regulatory domain
[ 5.784000] cfg80211: World regulatory domain updated:
[ 5.792000] cfg80211: DFS Master region: unset
[ 5.796000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 5.804000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 5.812000] cfg80211: (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 5.820000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[ 5.828000] cfg80211: (5170000 KHz - 5250000 KHz @ 160000 KHz), (N/A, 2000 mBm), (N/A)
[ 5.836000] cfg80211: (5250000 KHz - 5330000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[ 5.844000] cfg80211: (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[ 5.852000] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 5.860000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[ 5.872000] Initializing devdh module version (3.3). Listening on: (wlan)(ath)(ra). With unlimited max entries.
[ 5.932000] PPP generic driver version 2.4.2
[ 5.936000] PPP MPPE Compression module registered
[ 5.944000] NET: Registered protocol family 24
[ 5.952000] PPTP driver version 0.8.5
[ 5.988000] PPP BSD Compression module registered
[ 6.000000] PPP Deflate Compression module registered
[ 6.048000] cfg80211: Calling CRDA for country: US
[ 6.056000] cfg80211: Regulatory domain changed to country: US
[ 6.060000] cfg80211: DFS Master region: FCC
[ 6.064000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 6.076000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[ 6.084000] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 1700 mBm), (N/A)
[ 6.092000] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz), (N/A, 2300 mBm), (0 s)
[ 6.100000] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[ 6.108000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
[ 6.116000] ieee80211 phy0: Atheros AR9340 Rev:0 mem=0xb8100000, irq=47
Mon Mar 16 00:00:00 UTC 2020
[ 7.388000] cfg80211: Calling CRDA for country: BR
[ 7.404000] cfg80211: Regulatory domain changed to country: BR
[ 7.408000] cfg80211: DFS Master region: FCC
[ 7.412000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 7.424000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3600 mBm), (N/A)
[ 7.432000] cfg80211: (5150000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 7.440000] cfg80211: (5250000 KHz - 5350000 KHz @ 80000 KHz), (N/A, 2000 mBm), (0 s)
[ 7.448000] cfg80211: (5470000 KHz - 5725000 KHz @ 80000 KHz), (N/A, 2700 mBm), (0 s)
[ 7.456000] cfg80211: (5725000 KHz - 5850000 KHz @ 80000 KHz), (N/A, 3600 mBm), (N/A)
[ 7.544000] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
command failed: Invalid argument (-22)
[ 7.728000] device eth0 entered promiscuous mode
[ 7.740000] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 7.856000] br0: port 1(eth0) entered forwarding state
[ 7.860000] br0: port 1(eth0) entered forwarding state
[ 8.556000] br0: port 1(eth0) entered disabled state
Successfully initialized wpa_supplicant
script.sh: applet not found
udhcpc (v1.22.1) started
Sending discover...
Cannot advertise duplex full
[ 10.232000] cleanup module devdh
[ 10.244000] Module kmod-itbnlhub finished
Sending discover...
Sending discover...
I realize that we have a owrt inside:
# cat /proc/version
Linux version 3.10.49 (build@runner-50ec0c25-project-43-concurrent-0) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 a00aa2) ) #1 Fri Mar 19 18:10:52 UTC 2021
mtd partitions:
# cat /proc/mtd
dev: size erasesize name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00100000 00010000 "kernel"
mtd3: 00660000 00010000 "rootfs"
mtd4: 00010000 00010000 "mib0"
mtd5: 00030000 00010000 "conf"
mtd6: 00010000 00010000 "rsvd"
mtd7: 00100000 00010000 "kernel-bkp"
mtd8: 00660000 00010000 "rootfs-bkp"
mtd9: 00090000 00010000 "rsvd2"
mtd10: 00010000 00010000 "ART"
mtd11: 00760000 00010000 "firmware"