Support for Gigastone Smart Battery A4-52ER

Hey knightrider007.

I am hoping that you can give me some guidance with the MK IV install. I understand quite a bit of what you are saying, but I don't know where to begin with breaking the firmware security.

I have 3x gigastone A4-52ER units, and I am desperate to install open WRT on them at minimum, and it would be nice to make one into a Mark IV pinapple.

I have some experience with linux and I successfully turned a GLinet AR-150 into a pinapple with second wifi card, and usb swap/storage for modules.

PLEASE help a brother out! I can offer some $ if it helps, via bitcoin. Im not rich, but can toss you some bucks for the help if that motivates you to help me out?

I can be reached directly @ supermandog2020 at hotmail.com

THANKS!

@supermandog2020
This was while ago I can't recall exactly all steps. However, if you were able to make the AR150 mod, this one is easier. The difference is the MarkV had switches to activate the device and the mark4 had some reset button to press. The process goes exactly the same as the making of AR150, but before the build you need to place your own password in /etc/shadow so you will be able to ssh in to the device, delete the kernel folder so Openwrt build it again, and to break the security you need to use grep to find the location of the welcome sentence/reset/activation and mod the javascript to bypass the reset button/activation/switches.

About Openwrt running in the device I already mentioned 2 methods here in past postings, This is the easiest way:

UHHMM, I also recalled, that while trying to update the firmware through the device webserver page the update will fail. However, the firmware file will be transferred to /tmp inside the device file system.
So I tried the following:
telnet 192.168.1.2
root/root
cd ..
Then go to the webserver and try to update the firmware using u-boot-MR3040-pepep2k (it will fail but no worries)
again in terminal verify: ls /tmp/ you should see your file, then enter:
flashcp -v /tmp/u-boot-MR3040-pepe2k /dev/mtd0

and I got SUCCESS!!! once again. I went to 192.168.1.1 and I could see the firmware update page I flashed Pulpstone-openwrt and no issues at all with 8M flash and 64 ram. This time no UART, or TFTP or flash addresses,very easy. Big thanks to pepe2k and his awesome work.

After you have Openwrt, do the usual sysupgrade with the mar4 image or use Uboot to upgrade firmware, go to hak5 forums for the modules, will be the top thread and is hosted in github.

I have to say I got a bigger 16MB flash on this A4-52ER and with already 64MB ram I tried the NANO firmware and everything works but Pineap doesn't. Here the link to the Mark4 images mods, the password would be 26002600.
http://www.mediafire.com/file/ga0wgrj454mkl0w/mark4-work-mr3020.bin/file
http://www.mediafire.com/file/lr7vyl1yk1kxecm/works-mr3020.bin/file
Good luck.

I just followed the instructions to use the OEM/gigastone firmware page to load the "tp-link_tl-mr3040_v1_120328.bin" into /tmp

After telnet into the device root@192.168.1.1 (root/root) I issued the command:
flashcp -v /tmp/tp-link_tl-mr3040_v1_120328.bin /dev/mtd0

The device did write the file, as the terminal output said successfull, and re-read it 3x and said flash successfull.

Now my device seems to be bricked.
I power it on, and the green power level LEDS come on, and the ethernet port lights remain fully lit, then it blonks the green power LED, followed by the RED led flash (the LED between 6 and 9 oclock.

I have tried to power-cycle and use the reset pin, and in combination with power cycling. I just can't get any communication through 192.168.1.1 or 192.168.1.2 , it wont seem to offer any connection.

I am not upset at all, this is part of the course for FW modding, just hoping you might be able to help me with some next steps, or things to try/test

Thank you very much knightrider007!

edit: perhaps I F^^^ked up with not using the same "u-boot-MR3040-pepe2k" that you mention, but I couldn't find it on pepe2k's github page,

perhaps after I can (hopefully unbrick it) you could share a url for the exact file you used?

thanks again!

btw- I have been spending all day so far playing with this,
I opened up the first "bricked" gigastone, and am trying to read the flash chip with a ch341a programmer, but I am getting an error
"Couldn't open device 1a86:5512."

I hope I am connected to the correct chip, the chip directly to the right of the Atheros SOC (if usb ports were facing up)

I unfortunately don't have a UART adapter, but I am going to buy one from a hobby store sometime this week when I have time.

Again, any help from anyone would be greatly appreciated.
I am not sure where I went wrong, writing the uboot file. (it was only 64kb, I can provide the sha256 for the file I uploaded if it helps?

Any help is appreciated. Thanks!

The whole point of using the pepe2k Uboot was to replace a locked Uboot from gigastone which does not allow firmware modification. Openwrt uboot images do not offer a web server. Pepe2k Uboot activates itself at the failure of flashing a firmware, so you can go to 192.168.1.1 and upload a new firmware to recover.
The directions of this process were clear.
Here the link to pepe2k's

Because you have overwritten your working Gigastone Uboot with some random Uboot, the device now is a brick. Now, there are 2 options:
1.- The ch341a can be used to flash pepe2k uboot at address 0x0, then Openwrt (any Openwrt tlmr3020 or tlmr3040 works but I used pulpstone for 8MB flash chips) at address 0x20000, and ART at last 64k. However, de-soldering the flash chip would be needed to use the programmer.

2.-Desolder a working flash chip of A4-52ER , and make a copy of full flash with the programmer, then flash it the broken gigastone flash chip and solder it back again. Once the router is back to life, follow the directions again, with out jumping steps.

Either way, you need to de-solder the flash chips and solder back. I tried your programmer, it fails because while trying to read the flash, is also powering the CPU, this operation most often ends corrupting the image. Tip, flashrom supports the ch341a.

Get the UART to USB adapter, and use the same values you have used to work with AR150 to access Uboot console. Command httpd to activate the webserver.

wow, I feel like a bumbling idiot. I totally re-read the whole thread here like 10x , and still missed the link you just resubmitted.

I sincerely thank you for the followup, and being an undertstanding gentleman about my mishaps.

With option one, I am going to assume that the flash chip is the one closest to the battery wiring harness, so therefor is in-accessable with a chip clip, etc.

I really appreciate your time knightrider007, thank you VERY MUCH!

Ok, so just to be clear, I now have downloaded the 1.1.4 master zip that you just linked, and there are 4 directories:

'OpenWrt Barrier Breaker 14.07 images for easy U-Boot upgrade'
'U-Boot images'
'U-Boot images - RAM version'
'U-Boot images - silent console'

what exact .bin should I be using? from what folder?
I am confused because I did use the uboot file from pepe2k's github, perhaps it was a more recent version?

Really appreciate the help knightrider007.
You are a gentleman and a scholar.

I've picked up a couple of these boxes with 8MB of flash and 64MB of RAM. Was able to flash the pepe2k MR3020 u-boot and then stock 17.01.5 TL-MR3020 v1 without much issues.

I've since gone rooting around in the stock one and picked up most(I think) of the GPIO configs and have a hopefully working OpenWRT branch for these (its compiling right now). If it works and boots without fire and mayhem I'll push the branch and a build to github for interested parties to play around with.

At knightrider007 request the GPIOs I've found are

 0 - top blue light 1
23 - top blue light 2
17 - green light on the lan port
27 - amber light on the lan port
12 - reset button
18 - software-controlled poweroff
21 - MSB of battery remaining
20 - These 3 combined provide the remaining battery with a range of 1-5, 7 indicates overtemp
19 - LSB of battery remaining

All are active high

Most of these were obtained by just trolling through the stock shell scripts, except for the reset button, that one I just watched for which GPIO changed when I pressed it.

PS. for those like myself who would see their device power on for a few seconds then immediately die, its because the MR3040 firmware attempts to use GPIO 18 to enable a USB vreg, which on this board signals the power supply to turn off.

U-Boot_1.1.4_modification_for_routers_2014-11-19/U-Boot images/TP-Link TL-MR3020/uboot_for_tp-link_tl-mr3020.bin
or this one U-Boot_1.1.4_modification_for_routers_2014-11-19/U-Boot images/TP-Link TL-MR3040/uboot_for_tp-link_tl-mr3040.bin

As promised, I've got it producing functional images on the 19.07 branch. I've pushed the changes to my own GitHub fork here https://github.com/MadnessASAP/openwrt

It does not require replacing U-Boot with the modified version, it does, however, require TFTP booting the initramfs-kernel image and then applying the sysupgrade image. If anybody has a copy of a stock firmware update file from Gigastone or the format it's expecting it should be possible to produce images flashable through the stock web interface.

@MadnessASAP
I sent you a link with the files you are asking for.

@MadnessASAP
I don't have a copy of the stock Fw anymore but these files are important:

# gflashburn
# this script is called either external as cgi-bin or internal from fr_post.sh

f_upgrade_check () {
        if [ $LOCAL -eq 0 ]; then
                SDPATH=`mount | grep /tmp/ftp/SDdisk/SD | cut -d " " -f 3`
                if [ "$SDPATH" = "" ]; then
                        echo "[E] no SD"
                        exit 1
                fi
                LOG=$SDPATH/.gflashburn
                IMGFULLNAME=$SDPATH/$IMAGE
                if [ ! -e "$IMGFULLNAME" ]; then
                        echo "[E] no $IMGFULLNAME in SD" >>$LOG
                        echo "[E] no $IMGFULLNAME in SD"
                        exit 2
                fi
        else
                LOG=/tmp/.gflashburn
                IMGFULLNAME=/tmp/$IMAGE
        fi
        echo -n "" >$LOG
        # check battery low
        /tmp/www/powerlvl
        if [ $? -lt 2 ]; then
                echo "[E] Battery power low" >>$LOG
                echo "[E] Battery power low"
                exit 3
        fi
        IMG=`basename $IMGFULLNAME`
        # check version
        VER=`/tmp/www/flashburn -i $IMGFULLNAME`
        if [ $? -ne 4 ];then
                echo "[E] Firmware incorrect" >>$LOG
                echo "[E] Firmware incorrect"
                exit 4
        fi
}

f_do_upgrade_ind () {
        echo "[I] starts to upgrade using $IMG" >>$LOG
        echo "[I] starts to upgrade using $IMG"
        if [ "$MODEL" = "a63g" ]; then
                echo "Upgrade.." > /proc/config/oled_msg
        else
                /tmp/www/netled_set.sh on >/dev/null 2>&1
        fi
}

f_do_upgrade () {
        FLASHBURN=/tmp/www/flashburn
        #$FLASHBURN $OPT_DBG $IMGFULLNAME
        echo "[I] Upgrade Start in 4s"
        /tmp/www/upgradedelay $IMGFULLNAME 4 >/dev/null 2>&1 &
}

f_done_upgrade_ind () {
        echo "[I] ends of upgrade" >>$LOG
        echo "[I] ends of upgrade"
        if [ "$MODEL" = "a63g" ]; then
                echo "Finished" > /proc/config/oled_msg
        else
                /tmp/www/netled_set.sh off >/dev/null 2>&1
        fi
}
################################################################################
# main

LOG=
OPT_DBG=""
ROOTFS=
SDPATH=""

if [ "$1" != "" ]; then
        QUERY_STRING=$1
else
        /tmp/www/header.sh text/plain
fi
IMAGE=`echo "$QUERY_STRING" | grep "image=" |cut -d '&' -f 1 | sed 's/'^image='//g'`
FORCE=`echo "$QUERY_STRING" | grep "&force" | wc -l`
DEBUG=`echo "$QUERY_STRING" | grep "&debug" | wc -l`
REBOOT=`echo "$QUERY_STRING" | grep "&reboot" | wc -l`
LOCAL=`echo "$QUERY_STRING" | grep "&local" | wc -l`
MODEL=`cfg -s | grep IMAG | sed 's/.*=//'` >/dev/null 2>&1

if [ $DEBUG -eq 1 ]; then
        OPT_DBG="-v"
fi

f_upgrade_check

f_do_upgrade_ind

f_do_upgrade

#f_done_upgrade_ind
echo "OK"
exit 0

~/www/cgi-bin # 

And also this other imagecheck.sh:

t~/www # cat image_check.sh
#!/bin/sh

# image_check.sh - check image version

IMG_NO_ROOT=0
IMG_ROOT=1
IMG_NO_PARM=2
IMG_NO_NEWER=3

f_ver_num () {
        local VER=$1
        VERN=`echo $VER | sed "s/[a-zA-Z]*//"`
        N1=`echo $VERN | cut -d '.' -f 1`
        N2=`echo $VERN | cut -d '.' -f 2`
        N3=`echo $VERN | cut -d '.' -f 3`
        VERN=$((N1*1000+N2*100+N3))
        #echo $N1,$N2,$N3,$N
}
################################################################################
# main
if [ "$1" = "" ]; then
        exit $IMG_NO_PARM
fi
IMGNAME=$1
IMG=`basename $IMGNAME`
IMGTEST=test.brn
VERN=

VER=`/tmp/www/flashburn -i $IMGNAME`
if [ `echo $VER | grep R | wc -l` -eq 1 ]; then
        RET=$IMG_ROOT
else
        RET=$IMG_NO_ROOT
fi
f_ver_num $VER
VER=$VERN

if [ "$IMG" != "$IMGTEST" ]; then
        
        VERNOW=`cat /tmp/www/.version`
        f_ver_num $VERNOW
        VERNOW=$VERN
        if [ "$VERNOW" -ge "$VER" ]; then
                RET=$IMG_NO_NEWER
        fi
fi
exit $RET

~/www # 


I hope this helps.
Cheers,

Hi, I have 3 of these units. 2 of the a4-52er and 1 of the older a2-25de units. The a2-25de units (32mb flash/128mb ram) are discussed here on hackaday. I think they are running the same cpu and firmware. Both units seem to be the AR9331 processors. http://hackadayarchive.com/viewtopic.php?f=8&t=4136&sid=f02df23f164d7cb49d6e337ce95c6b16

I have the firmware for the last 3 versions that gigastone put out before they shutdown their ftp service for these devices.
Here the link - https://www.dropbox.com/sh/sok9w5994ngk8sf/AADm-pKD2mqJzdKCpatTv_aEa?dl=0

I would love a simple openwrt upgrade package for these. (or wifi pineapple) The firmware is very out of date (2018) and I'd be careful since they likely have security holes and ftp and telnet are open by default.

Hope this is helpful.

Is there any way to fix the issue with the device powering on for a few seconds then powering off? Without having to take apart the device....

Which image of CC 15.05.1 did you use? I tried on one of my devices but didn't have any luck.

I did flash the pepep2k UBoot first so I might be able to recover, just waiting on a USB UART adapter to arrive in the mail.

Any Openwrt TL_MR3020 image works, I tried, AA, BB, CC, lede, PIRATE-box, MINIPWNER, pineapple MARK IV ,MARK V and NANO. I used the Pulpstone image mentioned in July 19' 2019, because its a modified image for 8M and 16M flash. if you had follow the directions, and flashed u-boot throught the gigastone web UI (if you didn't get automatically the PEPE2k web interface going to 192.168.1.1) then you might need to get UART access and from "Uboot-terminal" enter the command HTTPD, next connect an ethernet cable (gigastone to pc) and open your browser at 192.168.1.1. You want omelettes, break the eggs.

Thanks, I managed to get the soft bricked one fixed and running Pulpstone. I also managed to flash pulpstone to another one, but I'm having problems getting the WiFi to work.

I think it has to do with the MAC address issue mentioned in an earlier post. Has anyone had any luck getting the uboot net console to work with these devices?

What were your settings for serial to get it working?

I recently unpacked my Gigastone Smart Batteries and I flashed an old backup of my flash that has the pepe2k uboot on it and I can't seem to figure out the baud rate for it. I never noted it last time I got it to work. I used the baud auto-detect on my BusPirate and it was giving me pretty wild readings which I will share at the bottom of the post. I just recall it was anything but a standard baud rate and it took me roughly 2 hours to randomly guess the right one by just seeing if the output seemed more or less corrupt, trust me when you get close to it you'll know because segmented parts of the boot text will come through. I think I'm gonna try to just flash back the Gigastone uboot and see if that fixes the baud rate being all broken. The weirdest thing is that the settings for the serial console are saying 115200 8n1 but it doesn't work.

Here are the reading from my BusPirate...

Estimated Baud Rates: 60606, 40404
Calculated Baud Rates: 57600, 38400

My guess is that it's somewhere between 40404 and 57600 but I kinda just gave up on that in hopes I can just fix it by going back to the stock bootloader. I have a flasher and the skills/tools necessary to remove the flash and dump/reprogram the IC so if you want a dump once I get one working I can give you a bin file.