Kuwfi SY205 bridge

Hello, I recently started work on a new piece of hardware that is cheap. It is the KuWFi SY205. It is a relatively cheap WiFi bridge that sells for around 50-60 US dollars. This gets you 2 devices to use as a wireless bridge.

It is based on Qualcomm's AP147 reference board. I have seen that there was work on this board during the previous release, 18, but no development has been done in 19. For 60 US bucks I think this is a good price for getting 2 devices. Now this is a cut-down version of AP147, but still a nifty device. It doesn't have PCIe or USB access, and it has only 8 MB of flash and 64 MB of RAM. It otherwise is an AP147 board.

I am new to the development side of things, so I have spent a long time just getting the info to start compiling a firmware. It does have a stripped-down U-Boot. This made it difficult to get all the info. So to start we need to update the U-Boot. It is late and I am getting tired, so I figured I'd throw out the info I have and get some help on this project.

environment var
bootdelay=2
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=192.168.1.1
serverip=192.168.1.10
stdin=serial
stdout=serial
stderr=serial
bootargs=board=AP147 console=ttyS0,115200 mtdparts=spi0.0:192k(boot)ro,64k(env),64k(bsp),7616k(KernelFS),6144k@0x1c0000(RootFS),64k(CFM),64k(CFM_BACKUP),64k(CFG),64k(art),8192k@0x0(ALL) root=31:04
bootcmd=bootm 0x9f050000
ethact=eth0

Boot log
U-Boot 1.1.4 (Mar  2 2018 - 10:27:33)

ap147 - Honey Bee 1.1

DRAM:  64 MB
Now running in RAM - U-Boot at: 83fdc000

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id dev_size era_size chipName
@ 0000000h 0ef4017h 0800000h 0010000h W25Q64
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt
@ 0010000h 0000080h 0001000h 0000800h 0000100h 0008000h
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
ath_gmac_enet_initialize: reset mask:c02200
Honey Bee ---->  MAC 1 S27 PHY *
S27 reg init2
ATHRS27: resetting s27
ATHRS27: s27 reset done
: cfg1 0x800c0000 cfg2 0x7214
eth0: 04:c3:e6:65:da:7a
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :10
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :10
athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :10
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :10
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 config done
eth0
Setting 0x181162c0 to 0x4b97a100
Hit ctrl+c to stop autoboot:  0
## Booting image at 9f050000 ...
   Image Name:   MIPS Linux-3.3.8
   Created:      2019-09-11  14:44:53 UTC
   Image Type:   MIPS Linux Multi-File Image (lzma compressed)
   Data Size:    1026640 Bytes = 1002.6 kB
   Load Address: 80060000
   Entry Point:  80060000
   Contents:
   Image 0:  1026632 Bytes = 1002.6 kB
   Verifying Checksum at 0x9f050040 ...OK
   Uncompressing Multi-File Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 67108864

Starting kernel ...

Linux version 3.3.8 (root@kali) (gcc version 4.9.3 (Buildroot 2015.08) ) #2 Wed Sep 11 12:10:57 CST 2019
boot arg:6, 0xa3f8bfb0, 0xa3f8c480
Ethaddr=0x04:0xc3:0xe6:0x65:0xda:0x7a
bootconsole [early0] enabled
CPU revision is: 00019374 (MIPS 24Kc)
SoC: Qualcomm Atheros QCA9531 rev 1
Clocks: CPU:650.000MHz, DDR:391.137MHz, AHB:216.666MHz, Ref:25.000MHz
Determined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00004000
Movable zone start PFN for each node
Early memory PFN ranges
    0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 61580k/65536k available (2154k kernel code, 3956k reserved, 558k data, 168k init, 0k highmem)
SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:83
Calibrating delay loop... 432.53 BogoMIPS (lpj=2162688)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
Performance counters: mips/24K PMU enabled, 2 32-bit counters available to each CPU, irq 13
NET: Registered protocol family 16
gpiochip_add: registered GPIOs 0 to 17 on device: ath79
MIPS: machine is Qualcomm Atheros AP147 reference board
AP147 Reference Board Id is 17
ar724x-pci ar724x-pci.0: PCIe link is down
registering PCI controller with io_map_base unset
ar71xx: invalid MDIO id 1
bio: create slab <bio-0> at 0
PCI host bridge to bus 0000:00
pci_bus 0000:00: root bus resource [mem 0x10000000-0x11ffffff]
pci_bus 0000:00: root bus resource [io  0x0000]
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
msgmni has been set to 120
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
console [ttyS0] enabled, bootconsole disabled
console [ttyS0] enabled, bootconsole disabled
m25p80 spi0.0: found s25fl064k, expected m25p80
m25p80 spi0.0: s25fl064k (8192 Kbytes), erasesize:0x00010000
Kernel code size:0xfaa90
m25p80 spi0.1: found pm25lv512, expected m25p80
m25p80 spi0.1: pm25lv512 (64 Kbytes), erasesize:0x00001000
ag71xx_mdio: probed
match drv:0x4d0000-Atheros AR8216/AR8236/AR8316 and dev:0x4dd042-ag71xx-mdio.1:00
match drv:0x4d0000-Atheros AR8216/AR8236/AR8316 and dev:0x4dd042-ag71xx-mdio.1:01
match drv:0x4d0000-Atheros AR8216/AR8236/AR8316 and dev:0x4dd042-ag71xx-mdio.1:02
match drv:0x4d0000-Atheros AR8216/AR8236/AR8316 and dev:0x4dd042-ag71xx-mdio.1:03
match drv:0x4d0000-Atheros AR8216/AR8236/AR8316 and dev:0x4dd042-ag71xx-mdio.1:04
ag71xx_mdio: probed
eth0: Atheros AG71xx at 0xba000000, irq 5
eth0: Found an AR934X built-in switch
PPP generic driver version 2.4.2
PPP MPPE Compression module registered
NET: Registered protocol family 24
nf_conntrack version 0.5.0 (962 buckets, 3848 max)
IPv4 over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 17
8021q: 802.1Q VLAN Support v1.8
### of_selftest(): No testcase data in device tree; not running tests
VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
Freeing unused kernel memory: 168k freed
mkdir: can't create directory '/var/run': File exists
match drv:0x4d0000-QCA AR8216 AR8236 AR8316 AR8327 AR8337 and dev:0x4dd042-ag71xx-mdio.1:00
match drv:0x4d0000-QCA AR8216 AR8236 AR8316 AR8327 AR8337 and dev:0x4dd042-ag71xx-mdio.1:01
match drv:0x4d0000-QCA AR8216 AR8236 AR8316 AR8327 AR8337 and dev:0x4dd042-ag71xx-mdio.1:02
match drv:0x4d0000-QCA AR8216 AR8236 AR8316 AR8327 AR8337 and dev:0x4dd042-ag71xx-mdio.1:03
match drv:0x4d0000-QCA AR8216 AR8236 AR8316 AR8327 AR8337 and dev:0x4dd042-ag71xx-mdio.1:04
PHY ID is 0x4dd042
qca probe f2 phy driver succeeded!
AR71XX_RESET_REG_WDOG_CTRL: 0x0
 377+0 records in
377+0 records out
12064 bytes (11.8KB) copied, 0.036534 seconds, 322.5KB/s
auto startup
Give root password for system maintenance
(or type Control-D for normal startup):current mode is common

mem_manager: module license 'unspecified' taints kernel.
Disabling lock debugging due to kernel taint
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
_gpio_signal_send user didn't set pid
ath_hal: 0.9.17.1 (AR9380, REGOPS_FUNC, PRIVATE_DIAG, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
insmod: can't read '/lib/modules/hst_tx99.ko': No such file or directory
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
__ath_attach: Set global_scn[0]
*** All the minfree values should be <= ATH_TXBUF-32, otherwise default value will be used instead ***
ACBKMinfree = 48
ACBEMinfree = 32
ACVIMinfree = 16
ACVOMinfree = 0
CABMinfree = 48
UAPSDMinfree = 0
ATH_TXBUF=512
CC++ attach devid 0x3d
Enterprise mode: 0x03fc0000
Restoring Cal data from FS
qdf_fs_read[59], Open File /tmp/wifi0.caldata SUCCESS!!file system magic:-2054924042super blocksize:4096inode 388file size:12064qdf_fs_read[79]: caldata data size mismatch, fsize=12064, cal_size=1088
ART Version : -48.0.0
SW Image Version : -48.0.0.0.0
Board Revision :
ar9300_attach: nf_2_nom -110 nf_2_max -60 nf_2_min -125
Green-AP : Green-AP : Attached

Starting random number generator thread
ath_get_caps[6329] rx chainmask mismatch actual 3 sc_chainmak 0
ath_get_caps[6304] tx chainmask mismatch actual 3 sc_chainmak 0
[slottime] auto, set to 20.
ath_attach_dfs[12729] dfsdomain 0
dfs_attach: event log enabled by default
ath_attach: Set global_ic[1]..gloabl_ic ptr:82528030
====tun_node_list_init init(0)====
ath_tx_paprd_init sc 83278000 PAPRD disabled in HAL
wifi0: Atheros ???: mem_start: =0xb8100000, mem_end: =0xb8120000, irq=47
ath_da_pci:  (Atheros/multi-bss)
             total         used         free       shared      buffers
Mem:         61748        15112        46636            0          572
-/+ buffers:              14540        47208
Swap:            0            0            0
device vlan1 entered promiscuous mode
device eth0 entered promiscuous mode
device vlan1 left promiscuous mode
device eth0 left promiscuous mode
br0: port 1(vlan1) entered disabled state
device eth0 entered promiscuous mode
Sun May  1 00:00:00 UTC 2011
get_eth_name(P_LAN_1) = eth0, get_eth_name(L_LAN_1) = vlan1,get_eth_name(WAN_1) = vlan2
GoAhead default debug level : 4
/var/goahead_debug nost exist, record default debug leve 4
GoAhead default debug level : 4
goahead: 4: websOpen----229

route: SIOCDELRT: No such process
route: SIOCADDRT: Invalid argument
/bin/sh: can't create /proc/br_igmpsnoop: nonexistent directory
config changed,CRC:old[f0b817e3],new[2ec30030]
Erasing 64 Kbyte @ 0 -- 100 % complete.
wifi_probe(570): ath0 not exist!
wifi_probe(570): ath1 not exist!
wifi_probe(570): ath8 not exist!
wifi_probe(570): wifi0 not exist!

=========hardware check wifi0 ========

wifi_probe(570): ath8 not exist!
VAP device ath8 created osifp: (82729b80) os_if: (82750000)
ath8
wifi_probe(570): ath0 not exist!
VAP device ath0 created osifp: (82774380) os_if: (82778000)
ath0
ath_net80211_dfs_clist_update: called, cmd=1, nollist=  (null), nentries=0
ath_attach_dfs[12729] dfsdomain 0
dfs_attach: event log enabled by default
goahead: 0: Can't get host address for host linux-7ada65e6c304: errno 124, use Local:127.0.0.1
Successfully initialized wpa_supplicant
ath_net80211_dfs_clist_update: called, cmd=1, nollist=  (null), nentries=0
ath_attach_dfs[12729] dfsdomain 0
dfs_attach: event log enabled by default
siwfreq
Set freq vap 1 stop send + 82778000
Set freq vap 1 stop send -82778000
Set wait done --82778000
Vendor IE is NUll , please add using wlanconfig command
[distance] try to set distance to 3000.
[distance] calculate out slottime(18) acktimeout(66) ctstimeout(66).
Vendor IE is NUll , please add using wlanconfig command
wifi_probe(575):[DEBUG] vap-1(ath0):set SIOC80211NWID, 9 characters
ath0 is exist. n
 DES SSID SET=MBGAGwifi
ame: IEEE 802.11b
 ieee80211_ioctl_siwmode: imr.ifm_active=131712, new mode=3, valid=1
 DEVICE IS DOWN ifname=ath0
 DEVICE IS DOWN ifname=ath0
Warning: node not in table 0x82790000
OK
Setting Max Stations:48
Vendor IE is NUll , please add using wlanconfig command
Vendor IE is NUll , please add using wlanconfig command
wifi_probe(575):[DEBUG] vap-0(ath8):set SIOC80211NWID, 9 characters
ath8 is exist. nSame ssid support enabled ssid:MBGAGwifi len:9
ame: IEEE 802.11
 DES SSID SET=MBGAGwifi
b
ieee80211_ucfg_getparam : parameter 0x284 not supported
[distance] try to set distance to 3000.
[distance] calculate out slottime(18) acktimeout(66) ctstimeout(66).
OK
[slottime] try to set 9, but use fixed 18.
/bin/sh: wserver_notify.sh: not found
device ath8 entered promiscuous mode
br0: port 2(ath8) entered forwarding state
br0: port 2(ath8) entered forwarding state
device ath0 entered promiscuous mode
br0: port 3(ath0) entered forwarding state
br0: port 3(ath0) entered forwarding state
wlan_server_decode_radius(677): ERROR: decode config ifname failed!
wlan_service_radius(727): ERROR: decode radius data failed!
wlan_handle_msg(282): ERROR: handle msg id 17 failed!
iptables: No chain/target/match by that name.
iptables v1.4.4: Couldn't find target `dmz_forward_pre'

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables v1.4.4: Couldn't find target `dmz_forward_post'

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.4: Couldn't find target `port_forward_pre'

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: Couldn't find target `port_forward_post'

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.4: Couldn't find target `web_wanadmin'

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.4: Couldn't find target `web_wanadmin'

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
killall: 3322ip: no process killed
killall: 88ip: no process killed
killall: gnway: no process killed
killall: inadyn: no process killed
rm: can't remove '/etc/ddns_*': No such file or directory
iptables: No chain/target/match by that name.
iptables v1.4.4: Couldn't find target `MINIUPNPD'

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
string=0;0
string[0]=0
string[1]=0
vendor_register_extend_event(294): DEBUG:  wserver_pid=401
--set ic->td_wserver_pid=401

The serial is password protected on Linux boot.

I have the flash binary dump but I will have to get it on GitHub. I'll let you know.

Now the reason I started this is because this was made by some small Chinese company that spent little time on development. They made the AP147 board as cheap as possible and threw a haphazard OS on it to get it running. The UI is horrible. Getting OpenWrt running would make this a good cheap device.

You could try to extract the passwd file (if that's where the logon details for serial are coming from) using binwalk, and see if you can google the hash for the password.

Or try to figure out how to disable password protection for the serial.

Thanks, working on that now. However, I don't think it really matters. I'm not really trying to gain access to the current firmware. I want to develop new firmware. But I suppose knowing how this one is put together will give me the info I need to do that. What I need help with is creating the makefile to compile firmware. Let me create the git so we can work on this :)

Just make sure it's not a 4 MB flash device; then you won't be able to fit pretty much anything onto it.

It is an 8 MB SPI flash with 64 MB of RAM. Plenty of room.

In fact it uses a W25Q64. With a little bit of soldering, it could be upgraded. I pulled the chip off to dump it since the u-boot is so limited.

If you're able to play around with the flash chip, see if you can upgrade the u-boot in a safe and reproducible manner.

You bet. The current u-boot only has simple commands. It only supports tftpboot and writing to memory. It doesn't have a dump command or a tftpput. So once I am able to make a new u-boot, everyone else can just flash it by serial.

This device comes with serial pins, but does not have JTAG. I'll upload some pics soon.

Its flash is at 9000000 and working mem is 8000000. It seems to be well organized with plenty of memory space.

I'm sure most are, but this is my first attempt. I am learning as I go.
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
14096         0x3710          U-Boot version string, "U-Boot 1.1.4 (Mar  2 2018 - 10:27:34)"
14144         0x3740          CRC32 polynomial table, big endian
15448         0x3C58          uImage header, header size: 64 bytes, header CRC: 0xA2607EB0, created: 2018-03-02 02:27:35, image size: 39847 bytes, Data Address: 0x80010000, Entry Point: 0x80010000, data CRC: 0xE730C0EA, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image"
15512         0x3C98          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 99376 bytes
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0xE97D6595, created: 2019-09-11 14:44:53, image size: 1026640 bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0x5BBB495F, OS: Linux, CPU: MIPS, image type: Multi-File Image, compression type: lzma, image name: "MIPS Linux-3.3.8"
327752        0x50048         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2953068 bytes

I was wrong on the model. They have two different ones. I have the SY205.
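
Added example, not part of the thread and not code from any poster: a Python sketch that expands the `mtdparts=` string from the posted bootargs into absolute flash ranges, lists which partitions alias the same bytes, and maps the `bootm` address back to a partition. The flash base is an assumption inferred from the `bootm` address and the binwalk offset of the same kernel image; all function names are hypothetical.

```python
import re
from collections import namedtuple

# Values copied from the bootargs line and the U-Boot banner in the post.
MTDPARTS = ("spi0.0:192k(boot)ro,64k(env),64k(bsp),7616k(KernelFS),"
            "6144k@0x1c0000(RootFS),64k(CFM),64k(CFM_BACKUP),64k(CFG),"
            "64k(art),8192k@0x0(ALL)")
FLASH_SIZE = 0x800000    # dev_size 0800000h (W25Q64)
# Assumption: flash base inferred as bootm address 0x9f050000 minus the
# 0x50000 offset where binwalk finds the same kernel uImage.
FLASH_BASE = 0x9F050000 - 0x50000

Part = namedtuple("Part", "index name start end read_only")
UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
PARTDEF = re.compile(
    r"(-|\d+)([kmg]?)(?:@(0x[0-9a-f]+|\d+)([kmg]?))?\(([^)]+)\)(ro)?(lk)?$", re.I)

def parse_mtdparts(spec, flash_size=FLASH_SIZE):
    """Expand one mtdparts device definition into absolute byte ranges.

    A partition without @offset starts where the previous one ended,
    which is how the kernel's command-line partition parser places it.
    """
    _mtd_id, partdefs = spec.split(":", 1)
    parts, cursor = [], 0
    for index, partdef in enumerate(partdefs.split(",")):
        m = PARTDEF.match(partdef.strip())
        if m is None:
            raise ValueError(f"bad partition definition: {partdef!r}")
        size, s_unit, off, o_unit, name, ro, _lk = m.groups()
        start = cursor if off is None else int(off, 0) * UNITS[o_unit.lower()]
        length = (flash_size - start if size == "-"
                  else int(size) * UNITS[s_unit.lower()])
        if start + length > flash_size:
            raise ValueError(f"{name} runs past the end of flash")
        parts.append(Part(index, name, start, start + length, ro is not None))
        cursor = start + length
    return parts

def overlaps(parts):
    """Name pairs whose ranges intersect (aliases of the same flash bytes)."""
    return [(a.name, b.name) for i, a in enumerate(parts)
            for b in parts[i + 1:] if a.start < b.end and b.start < a.end]

def locate(parts, cpu_addr, flash_base=FLASH_BASE):
    """Partitions containing a memory-mapped flash address such as bootm's."""
    offset = cpu_addr - flash_base
    return [p.name for p in parts if p.start <= offset < p.end]

if __name__ == "__main__":
    layout = parse_mtdparts(MTDPARTS)
    for p in layout:
        print(f"mtd{p.index} {p.name:<11} 0x{p.start:06x}-0x{p.end:06x}"
              f"{' ro' if p.read_only else ''}")
    print("overlapping:", overlaps(layout))
    print("bootm 0x9f050000 ->", locate(layout, 0x9F050000))
```

Partition index 4 is RootFS, which agrees with `root=31:04` and the "Mounted root ... on device 31:4" line in the log. RootFS lies wholly inside KernelFS, so a write sized to the full KernelFS partition also overwrites the root filesystem.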