Support for Gigastone Smart Battery A4-52ER

Hello,

I have the device mentioned in the title and would be very interested in getting OpenWrt ported to it, but I have no idea where to start. I am pretty familiar with using Linux, desoldering flash chips and reading/writing to them, I have compiled OpenWrt on a couple of occasions for supported devices, and I have the hardware and the means to get access via serial UART. I am going to gather as much info as I can and make another post in this topic later today. If there is any info that would be handy, I will make sure to add it to my list if it isn't there already. I am also okay with blindly trying some risky stuff since the router is fairly inexpensive and I can get another easily.

Cheers!

Here is some additional info about the device in question as well as some pictures. I will try to add better photos when I can get to some decent lighting.

  • Gigastone Smart Battery A4-52ER
  • System-On-Chip: AR9331-AL3A
  • Flash-Chip: 8 MiB (Macronix MX25L6406E)
  • DRAM-Chip: 32MiB (Winbond W9725G6KB-25)
  • Li-ion Battery: 5200mAh
  • Wireless: WiFi 802.11 b/g/n
  • Default IP: 192.168.1.2
  • Default Admin Password: 0000
  • Default Telnet Login: root
  • Default Telnet Password: root

Here is a link to a Dropbox folder with all the pictures, since I am a new user and cannot add all of the photos in this post.

I will add additional info soon...

Sorry I took so long to reply. I was having some trouble trying to get proper input/output over serial since the usual baud rate (115200) wasn't working. After much troubleshooting I managed to get clear output. Here is what I get from the serial console...

U-Boot 1.1.4-g73b24108-dirty (Jan 15 2014 - 16:23:32)

AP121 (ar9331) U-boot

DRAM:  32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 139k for U-Boot at: 81fdc000
Reserving 192k for malloc() at: 81fac000
Reserving 44 Bytes for Board Info at: 81fabfd4
Reserving 36 Bytes for Global Data at: 81fabfb0
Reserving 128k for boot params() at: 81f8bfb0
Stack Pointer at: 81f8bf98
Now running in RAM - U-Boot at: 81fdc000
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x17
flash size 8388608, sector count = 128
Flash:  8 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag7240_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
: cfg1 0x5 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
eth1 up
eth0, eth1
Hit any key to stop autoboot:  0 
## Booting image at 9f070000 ...
   Image Name:   Linux Kernel Image
   Created:      2014-11-18   3:16:43 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1022984 Bytes = 999 kB
   Load Address: 80002000
   Entry Point:  801f6610
   Verifying Checksum at 0x9f070040 ...OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 801f6610) ...
## Giving linux memsize in bytes, 33554432

Starting kernel ...

Booting AR9330(Hornet)...
Linux version 2.6.31--LSDK-9.2.0_U10.5.13-GST-A4 (astro@astro) (gcc version 4.3.3 (GCC) ) #44 Tue Nov 18 11:16:25 CST 2014
flash_size passed from bootloader = 8
arg 1: console=ttyS0,115200
arg 2: root=31:05
arg 3: rootfstype=squashfs
arg 4: init=/sbin/init
arg 5: mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),64k(CONF),64k(NVRAM),1280k(uImage),4096k(rootfs),2304k(secfs),64k(ART)
arg 6: mem=32M
CPU revision is: 00019374 (MIPS 24Kc)
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line: console=ttyS0,115200 root=31:05 rootfstype=squashfs init=/sbin/init mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),64k(CONF),64k(NVRAM),1280k(uImage),4096k(rootfs),2304k(secfs),64k(ART) mem=32M 
PID hash table entries: 128 (order: 7, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 29544k/32768k available (2016k kernel code, 3224k reserved, 700k data, 128k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 266.24 BogoMIPS (lpj=532480)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
===== ar7240_platform_init: 0
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
AR7240 GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
fuse init (API version 7.12)
msgmni has been set to 57
alg: No test for lzma (lzma-generic)
alg: No test for stdrng (krng)
io scheduler noop registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
ttyS0: detected caps 00000000 should be 00000100
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
brd: module loaded
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V1.0
usbcore: registered new interface driver cdc_ether
usbcore: registered new interface driver rndis_host
8 cmdlinepart partitions found on MTD device ar7240-nor0
Creating 8 MTD partitions on "ar7240-nor0":
0x000000000000-0x000000040000 : "u-boot"
0x000000040000-0x000000050000 : "u-boot-env"
0x000000050000-0x000000060000 : "CONF"
0x000000060000-0x000000070000 : "NVRAM"
0x000000070000-0x0000001b0000 : "uImage"
0x0000001b0000-0x0000005b0000 : "rootfs"
0x0000005b0000-0x0000007f0000 : "secfs"
0x0000007f0000-0x000000800000 : "ART"
usbmon: debugfs is not available
usbcore: registered new interface driver cdc_acm
cdc_acm: v0.26:USB Abstract Control Model driver for USB modems and ISDN adapters
usbcore: registered new interface driver usbserial
usbserial: USB Serial Driver core
USB Serial support registered for GSM modem (1-port)
usbcore: registered new interface driver option
option: v0.7.2:USB Driver for GSM modems
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (512 buckets, 2048 max)
ctnetlink v0.93: registering with nfnetlink.
ip_tables: (C) 2000-2006 Netfilter Core Team
arp_tables: (C) 2002 David S. Miller
TCP cubic registered
NET: Registered protocol family 17
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
ar7240wdt_init: Registering WDT success
VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
Freeing unused kernel memory: 128k freed
[I] rootfs up, version: ap121-2.6.31/2014-11-18-11:19
[I] secfs up, version: r1.7.12
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Port Status 1c000004 
ar7240-ehci ar7240-ehci.0: ATH EHCI
ar7240-ehci ar7240-ehci.0: new USB bus registered, assigned bus number 1
ehci_reset Intialize USB CONTROLLER in host mode: 3
ehci_reset Port Status 1c000000 
ar7240-ehci ar7240-ehci.0: irq 3, io mem 0x1b000000
ehci_reset Intialize USB CONTROLLER in host mode: 3
ehci_reset Port Status 1c000000 
ar7240-ehci ar7240-ehci.0: USB 2.0 started, EHCI 1.00
usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb1: Product: ATH EHCI
usb usb1: Manufacturer: Linux 2.6.31--LSDK-9.2.0_U10.5.13-GST-A4 ehci_hcd
usb usb1: SerialNumber: platform
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
ATHR_GMAC: Length per segment 1536
ATHR_GMAC: fifo cfg 3 01f00140
ATHR_GMAC: Mac address for unit 0:bf7f1002
ATHR_GMAC: c0:34:b4:88:90:32
ATHR_GMAC: Max segments per packet :   1
ATHR_GMAC: Max tx descriptor count :   40
ATHR_GMAC: Max rx descriptor count :   252
ATHR_GMAC: Mac capability flags    :   4403
ATHR_GMAC: Mac address for unit 1:bf7f1008
ATHR_GMAC: c0:34:b4:ff:ff:fe
ATHR_GMAC: Max segments per packet :   1
ATHR_GMAC: Max tx descriptor count :   40
ATHR_GMAC: Max rx descriptor count :   96
ATHR_GMAC: Mac capability flags    :   4D83
usb 1-1: new high speed USB device using ar7240-ehci and address 2
athr_gmac_ring_alloc Allocated 640 at 0x81659c00
athr_gmac_ring_alloc Allocated 4032 at 0x81cf2000
Setting Drop CRC Errors, Pause Frames and Length Error frames 
Setting PHY...
usb 1-1: New USB device found, idVendor=05e3, idProduct=0608
usb 1-1: New USB device strings: Mfr=0, Product=1, SerialNumber=0
usb 1-1: Product: USB2.0 Hub
usb 1-1: configuration #1 chosen from 1 choice
hub 1-1:1.0: USB hub found
hub 1-1:1.0: 4 ports detected
usb 1-1.2: new high speed USB device using ar7240-ehci and address 3
usb 1-1.2: New USB device found, idVendor=048d, idProduct=1338
usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1.2: Product: Mass Storage Device
usb 1-1.2: Manufacturer: Generic 
usb 1-1.2: SerialNumber: 0000000000000006
usb 1-1.2: configuration #1 chosen from 1 choice
scsi0 : SCSI emulation for USB Mass Storage devices
**** drop_caches_sysctl_handler: all done timer added ...**** 
Populating /dev using udev: done
Args: 1
asf: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 0.9.17.1 (AR9380, DEBUG, REGOPS_FUNC, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
ath_ahb: 9.2.0_U11.14 (Atheros/multi-bss)
__ath_attach: Set global_scn[0]
ACBKMinfree = 48
ACBEMinfree = 32
ACVIMinfree = 16
ACVOMinfree = 0
CABMinfree = 48
UAPSDMinfree = 0
Bootstrap clock 25MHz
ar9300RadioAttach: Need analog access recipe!!
Restoring Cal data from Flash
Using Cal data from Flash 0xbf7f0000
ath_get_caps[5184] rx chainmask mismatch actual 1 sc_chainmak 0
ath_get_caps[5159] tx chainmask mismatch actual 1 sc_chainmak 0
SC Callback Registration for wifi0
wifi0: Atheros 9380: mem=0xb8100000, irq=2
Creating ap for Smartbox_809032 on 
wlan_vap_create : enter. devhandle=0x81d4c2c0, opmode=IEEE80211_M_HOSTAP, flags=0x1
wlan_vap_create : exit. devhandle=0x81d4c2c0, opmode=IEEE80211_M_HOSTAP, flags=0x1.
Added ath0 mode master
Configuring RF . . .
 ieee80211_ioctl_siwmode: imr.ifm_active=131712, new mode=3, valid=1 
Created ath0 mode ap for "Smartbox_809032"
scsi 0:0:0:0: Direct-Access     Generic  Storage Device   0.00 PQ: 0 ANSI: 2
device ath0 entered promiscuous mode
br0: port 1(ath0) entering forwarding state
ARPING to 192.168.1.2 from 192.168.1.2 via br0
Sent 1 probe(s) (1 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
WSCMODE:0, SECMODE:None

 (none) mips #44 Tue Nov 18 11:16:25 CST 2014 (none)
(none) login: sd 0:0:0:0: [sda] Attached SCSI removable disk


I also have dumps of everything from the flash chip, which I made when I desoldered it and made a backup just in case.

I am getting late to this party. I have the A4-52ER, also called Media streamer plus / Smart battery model A4-52ER. However, my device has 8 MB NOR flash and 64 MB of RAM, and u-boot doesn't seem to be exactly the same. I have a screenshot showing those details:


I got access to the shell and copied the firmware out of the device. I have a copy of all the scripts related to updating the device from the web interface; I can upload them somewhere if needed. To perform a firmware update, the web interface verifies the extension (.BRN), the image name and the size. So, several attempts to install OpenWrt through this route failed.
Later, I tried updating the firmware through u-boot using TFTP. I know I need to locate the GPIO to add image builder to make a custom but I was lazy (I found them later, then I lost the file with GPIO numbers-actions). I didn't do much research that time, so I used the OpenWrt firmware (rootfs and kernel) from the ALFA Network Hornet-UB (poor choice). I almost succeeded. The firmware didn't recognize where rootfs is located; I think there was a difference in size I didn't verify before the test. It was like 2 am, I was drunk flashing routers, making dropboxes lol. I have a screenshot of that attempt:


I have the firmware update file from the manufacturer. I don't have the skills to modify it. I asked for the source code very kindly; Gigastone rejected my petition.


Hey, just read your post briefly. I have work soon so I gotta keep this short, but I was curious about your hardware revision since the RAM and flash are larger on yours. I have another flash chip the same as the one on your hardware, but since the RAM doesn't have exposed legs I'm not too sure I could swap it without killing my router.

Because of all this I was wondering if you might be able to provide me with some images of your hardware and possibly a dump of your flash to play around with on my hardware.

If you have any other relevant files/info, please share; it certainly sounds like you've been able to figure out more about your device than me.

Thanks!

My hardware is the one you will find by googling "FCC ID PLE-ER5201"; there you will find a lot of internal pics and more. The link here:


To replace your RAM you might need a rework station or at least a hot air gun. The most critical information I found, I think, is that Gigastone uses a non-conventional squashfs (version 3 I think), different from standard Linux squashfs; I recall Binwalk couldn't extract it. I used the FMK (firmware mod kit) to unsquash the root and be able to navigate the file system. This hardware is almost identical/similar to the WiFi Pineapple Nano. So, my goal is to re-purpose this device into a hardware security tool. Tell me what you think.
Regards,

@JohnFreeman646
Did I mention that I almost succeeded in installing OpenWrt? I just found a note I forgot I had.
Let me explain: if you take a look at the last part of the last screenshot I posted, you can read that the firmware cannot locate the root; it says: kernel panic, not syncing VFS blah blah.
Well, I found that by setting up a script from the u-boot shell, where you indicate the root location, the firmware finds where root is and boots the newly installed OpenWrt. Here is the way to fix my error and make the new installation work:
KERNEL_PANIC_FIX
Anyway, before I found this info I got upset and flashed the Hornet-UB bootloader, and the device never booted again; well, it boots just to show the u-boot version and then stops. Therefore I cannot test that route yet. First, I have to re-flash my chip with the original firmware again.
Hopefully, someone here can confirm my makeshift assumption is true, or guide us in the right direction.
Cheers,

I can test any u-boot, firmware etc. on my unit, currently running with a 16MB flash. I have the tools to flash the chip from brick or any other state, essentially, so I'm not too worried aside from maybe GPIO stuff possibly damaging the board, but on the other hand I've never played around with routers that are not supported this way before. I have a Debian Linux install and have compiled modified images for a TP-Link router before, so I can maybe help, but idk where to start.

That is the attitude we want, Adventure! Alright, since you can recover from anything, let's go to the experiments/trial-and-error sessions:
1.- Make a backup of u-boot and all the partitions shown in your dmesg: "u-boot", "u-boot-env", "CONF", "NVRAM", "uImage", "rootfs", "secfs", "ART"
2.- Verify and take note of the size of u-boot, uImage and rootfs.
3.- From here https://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/
you need to gather a kernel and rootfs from a device similar to yours (same AR9331 with same flash size and RAM size). Your restriction is 32 MB RAM size (until you get to install another RAM module). Here is a list to choose the right device in your case:
https://openwrt.org/toh/views/toh_extended_all?dataflt[CPU*~]=AR9331&dataflt[RAM+MB*~]=32&dataflt[Flash+MB*~]=
Verify that the u-boot, uImage and rootfs you are gathering from supported devices are equal or smaller in size than their comparable files from your Gigastone device. (TREMENDOUSLY IMPORTANT)
4.- Now brute force session number 1 starts:
Place the kernel and rootfs on a VFAT formatted USB flash drive (FAT16 or FAT32), because this router already has support for VFAT.
Connect your Linux laptop/PC to the mini router via Ethernet and power up the mini router.

  1. Connect the USB Flash drive to the smartbox
  2. Telnet to the smartbox with the following command:
    • telnet 192.168.1.2
    • root/root
  3. Mount the USB flash drive with the following command:
    • mount /dev/sda1 /mnt
  4. Wait for a little bit and verify that you see files
    • ls /mnt
    • You should see your files. Do not go further if you do not see files, otherwise start over.
  5. Upgrade kernel and rootfs
    • mtd_write write /mnt/rootfs-hornet-UB-or-whatever.img rootfs
    • mtd_write write /mnt/kernel-hornet-UB-or-whatever.img uImage
      Reboot the router with the command: reboot, or power cycle the device. After this process we should have success or a broken device LOL.
  • In case of success, there is the possibility that the lights or the reset/power button will not respond to commands. However, we will be able to find the GPIO info inside the OpenWrt file system and then be able to make a new custom OpenWrt firmware that will have everything working out of the box.

In case we break the device, the original u-boot should still work. So, we need to get UART access and TFTP. Then, you can try to replicate my route, a little bit more involved with details and the u-boot script mentioned in the last post (that would be called brute force session number 2).

Brute force session number 3, would be to install a pepe2k modified U-boot that will allow the installation of any firmware.


All this situation is a learning process, trial/error, then re-flash the chip with the original firmware and rinse and repeat.
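
For steps 2 and 3 of the procedure above, the partition sizes can be worked out from the mtdparts string in the boot log before anything is written. The following is an added example, not code from any poster or from OpenWrt; the flash base address and erase block size are inferred from the log lines noted in the comments, and the function names are made up for illustration.

```python
import re

# Kernel command-line value copied from the boot log earlier in this thread.
MTDPARTS = ("ar7240-nor0:256k(u-boot),64k(u-boot-env),64k(CONF),64k(NVRAM),"
            "1280k(uImage),4096k(rootfs),2304k(secfs),64k(ART)")
# Inferred from the log: U-Boot boots 0x9f070000 and uImage sits at flash offset 0x70000.
FLASH_BASE = 0x9F000000
# From the log: flash size 8388608 / sector count 128 = 64 KiB erase blocks.
ERASE_BLOCK = 8388608 // 128
UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}


def parse_mtdparts(spec):
    """Return [(name, offset, size)] in partition order for 'dev:size(name),...'."""
    _, _, parts = spec.partition(":")
    table, offset = [], 0
    for item in parts.split(","):
        m = re.fullmatch(r"(\d+)([kKmM]?)\(([^)]+)\)", item.strip())
        if not m:
            raise ValueError(f"unsupported mtdparts entry: {item!r}")
        size = int(m.group(1)) * UNITS[m.group(2).lower()]
        table.append((m.group(3), offset, size))
        offset += size
    return table


def partition(table, name):
    for entry in table:
        if entry[0] == name:
            return entry
    raise KeyError(f"no partition named {name!r}")


def fits(table, name, image_size):
    """True if image_size bytes, rounded up to whole erase blocks, fit the partition."""
    needed = -(-image_size // ERASE_BLOCK) * ERASE_BLOCK
    return needed <= partition(table, name)[2]


def root_partition(table, root_arg):
    """Map a 'root=31:05' style value (major 31 is mtdblock) to a partition name."""
    major, minor = (int(x) for x in root_arg.split(":"))
    if major != 31:
        raise ValueError("root device is not an mtdblock device")
    return table[minor][0]


if __name__ == "__main__":
    table = parse_mtdparts(MTDPARTS)
    for name, offset, size in table:
        print(f"{name:<11} flash 0x{offset:06x}  cpu 0x{FLASH_BASE + offset:08x}  {size // 1024:>5} KiB")
    print("root=31:05 ->", root_partition(table, "31:05"))
    # 1022984 is the stock kernel's data size from the log; 64 is the uImage header.
    print("stock kernel fits uImage:", fits(table, "uImage", 1022984 + 64))
```

The stock kernel expects its root filesystem on the sixth partition (index 5), so a donor image built for a different layout will look for rootfs at another offset even when each file fits its partition.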