Support Fritzbox 7490

Hey there,
Is there any progress here? I've got a 7490 and need to do 802.1X authentication, for which I'd need OpenWrt on the router. So is it possible to make it work these days?

I also have a spare box lying around collecting dust.
If I can help you getting this done (testing for example) just drop me a message.

Cheers for that, I'll let you know if I get something stable enough to use. Haven't yet looked at how someone could install without console access.

Anyways, after few months on the back burner I finally had some spare time to revisit this. I have the gpio leds tested, but am currently stuck with getting the changes to compile.

wlan and dsl working with 7362 fw?

I'd like to help. Would you sell this spare one?

@Sparks do you still have the files you used to start porting to 7490? I'm planning to port to 5490, which seems to be nearly identical (optics instead of DSL).

I just diffed the AVM kernel source tree and it seems they are identical except for avm_event stuff


hey, sure here they are:

target/linux/lantiq/base-files/etc/hotplug.d/firmware/12-ath9k-eeprom


case "FIRMWARE" in 
....
...
...
avm,fritz3370-rev2-hynix|\
                        avm,fritz3370-rev2-micron|\
                        avm,fritz7362sl|\
                        avm,fritz7490)
                                ath9k_eeprom_extract_reverse "urlader" 5441 1088
                                ;;

...
...
esac
target/linux/lantiq/base-files/lib/upgrade/platform.sh

# Both settings are read by the sysupgrade framework that sources this file;
# nothing in this file consumes them directly.
#
# NOTE(review): REQUIRE_IMAGE_METADATA=1 presumably makes sysupgrade refuse
# images without an appended metadata block. That block is a board
# compatibility tag, not a signature, so it guards against flashing the wrong
# model rather than against a tampered image - confirm against the framework
# version in use.
REQUIRE_IMAGE_METADATA=1
# Name of the flash partition used by the generic (non-NAND) upgrade path -
# presumably; verify against default_do_upgrade.
PART_NAME=firmware

# Target-specific image check hook.
#
# No validation is performed here: whatever image path is passed in, the
# function reports success (exit status 0). Any rejection of an unsuitable
# image therefore has to come from checks made outside this function.
platform_check_image() {
        true
}

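# Flash a sysupgrade image using the method that matches the running board.
#
# $1 - path to the image file.
#
# Boards listed in the first case arm are handed to nand_do_upgrade; every
# other board falls through to default_do_upgrade. board_name,
# nand_do_upgrade and default_do_upgrade are not defined in this file and are
# presumably provided by the sysupgrade framework that sources it.
#
# This function does not inspect the image itself; it only selects the
# flashing routine from the board name.
platform_do_upgrade() {
        local board
        board="$(board_name)"

        case "$board" in
        avm,fritz3370-rev2-hynix|\
        avm,fritz3370-rev2-micron|\
        avm,fritz7362sl|\
        avm,fritz7490|\
        bt,homehub-v2b|\
        bt,homehub-v3a|\
        bt,homehub-v5a|\
        zyxel,p-2812hnu-f1|\
        zyxel,p-2812hnu-f3)
                # Quoted so that an image path containing whitespace or glob
                # characters reaches nand_do_upgrade as exactly one argument.
                nand_do_upgrade "$1"
                ;;
        *)
                # NOTE(review): this branch passes $ARGV, not $1. Left as the
                # author wrote it because the caller that sets ARGV is not
                # visible here - confirm it still holds the image path.
                default_do_upgrade "$ARGV"
                ;;
        esac
}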

target/linux/lantiq/image/Makefile
# Image recipe for the AVM FRITZ!Box 7490. It pulls in the shared Device/AVM
# and Device/NAND templates (defined elsewhere in this Makefile) and then sets
# the board-specific sizes, device tree name and default package list.
#
# KERNEL_SIZE (4096k) equals the 0x400000-byte "kernel" NAND partition declared
# in FRITZ7490.dts; the two values have to be changed together.
#
# NOTE(review): fritz-tffs is presumably included to read AVM's TFFS
# configuration partitions, and kmod-owl-loader to feed the extracted ath9k
# calibration data to the driver - confirm against the package descriptions.
define Device/avm_fritz7490
  $(Device/AVM)
  $(Device/NAND)
  KERNEL_SIZE := 4096k
  IMAGE_SIZE := 49152k
  DEVICE_DTS := FRITZ7490
  DEVICE_TITLE := AVM FRITZ!Box 7490
  DEVICE_PACKAGES := kmod-ath9k kmod-owl-loader wpad-basic kmod-usb-dwc2 fritz-tffs
endef
TARGET_DEVICES += avm_fritz7490
target/linux/lantiq/files-4.14/arch/mips/boot/dts/FRITZ7490.dts
/dts-v1/;

#include "vr9.dtsi"

#include <dt-bindings/input/input.h>
#include <dt-bindings/mips/lantiq_rcu_gphy.h>

/*
 * Root node for the AVM FRITZ!Box 7490: board identity, boot console, LED
 * aliases, RAM size, the two front-panel buttons and the GPIO LEDs.
 */
/ {
        /* "avm,fritz7490" is the board name that platform.sh and the ath9k
         * EEPROM hotplug script match on. */
        compatible = "avm,fritz7490", "lantiq,xway", "lantiq,vr9";
        model = "AVM FRITZ!Box 7490";

        chosen {
                /* Kernel console on the ttyLTQ0 UART at 115200 baud. Anyone
                 * with physical access to that UART header sees the boot log
                 * and whatever is attached to the console. */
                bootargs = "console=ttyLTQ0,115200";
        };

        /* The green power LED signals boot, running and upgrade state; the
         * red info LED signals failsafe. */
        aliases {
                led-boot = &power_green;
                led-failsafe = &info_red;
                led-running = &power_green;
                led-upgrade = &power_green;

                led-dsl = &info_green;
                led-wifi = &wifi;
        };

        /* One RAM bank at address 0 of 0x20000000 bytes (512 MiB).
         * NOTE(review): confirm this size against the RAM actually fitted. */
        memory@0 {
                reg = <0x0 0x20000000>;
        };

        /* Buttons are polled (poll-interval = 100) rather than interrupt
         * driven; both inputs are active low. */
        gpio-keys-polled {
                compatible = "gpio-keys-polled";
                #address-cells = <1>;
                #size-cells = <0>;
                poll-interval = <100>;
                dect {
                        label = "dect";
                        gpios = <&gpio 1 GPIO_ACTIVE_LOW>;
                        linux,code = <KEY_PHONE>;
                };
                wifi {
                        label = "wifi";
                        gpios = <&gpio 29 GPIO_ACTIVE_LOW>;
                        linux,code = <KEY_WLAN>;
                };
        };

        /* All LEDs are active low. Only the LEDs that carry a node label
         * (power_green, info_red, info_green, wifi) are referenced from the
         * aliases node above. */
        gpio-leds {
                compatible = "gpio-leds";

                power_green: power {
                        label = "fritz7490:green:power";
                        gpios = <&gpio 45 GPIO_ACTIVE_LOW>;
                        /* "keep": leave the LED in the state it had when the
                         * driver loads instead of forcing it on or off. */
                        default-state = "keep";
                };
                info_red: info_red {
                        label = "fritz7490:red:info";
                        gpios = <&gpio 46 GPIO_ACTIVE_LOW>;
                };
                info_green: info_green {
                        label = "fritz7490:green:info";
                        gpios = <&gpio 33 GPIO_ACTIVE_LOW>;
                };
                internet_green {
                        label = "fritz7490:green:internet";
                        gpios = <&gpio 47 GPIO_ACTIVE_LOW>;
                };
                wifi: wifi {
                        label = "fritz7490:green:wlan";
                        gpios = <&gpio 35 GPIO_ACTIVE_LOW>;
                };
                dect {
                        label = "fritz7490:green:dect";
                        gpios = <&gpio 36 GPIO_ACTIVE_LOW>;
                };
        };
};


/*
 * Ethernet: one switch-backed interface with four ports, plus the MDIO bus
 * that carries the four PHYs those ports point at.
 */
&eth0 {
        lan: interface@0 {
                compatible = "lantiq,xrx200-pdi";
                #address-cells = <1>;
                #size-cells = <0>;
                reg = <0>;
                /* The MAC address is read from the "urlader" flash partition
                 * at offset 0xa91 and then adjusted by -2. That partition is
                 * marked read-only in the &spi node, so the running system
                 * cannot rewrite the stored address through MTD. */
                mtd-mac-address = <&urlader 0xa91>;
                mtd-mac-address-increment = <(-2)>;
                lantiq,switch;

                /* Ports 0 and 1 use RMII to the external PHYs phy0/phy1. */
                ethernet@0 {
                        compatible = "lantiq,xrx200-pdi-port";
                        reg = <0>;
                        phy-mode = "rmii";
                        phy-handle = <&phy0>;
                };
                ethernet@1 {
                        compatible = "lantiq,xrx200-pdi-port";
                        reg = <1>;
                        phy-mode = "rmii";
                        phy-handle = <&phy1>;
                };
                /* The remaining two ports use GMII to phy11/phy13. */
                ethernet@2 {
                        compatible = "lantiq,xrx200-pdi-port";
                        reg = <2>;
                        phy-mode = "gmii";
                        phy-handle = <&phy11>;
                };
                /* NOTE(review): the unit address is @3 but reg is <4>; confirm
                 * which switch port is intended and make the two agree. */
                ethernet@3 {
                        compatible = "lantiq,xrx200-pdi-port";
                        reg = <4>;
                        phy-mode = "gmii";
                        phy-handle = <&phy13>;
                };
        };

        mdio@0 {
                #address-cells = <1>;
                #size-cells = <0>;
                compatible = "lantiq,xrx200-mdio";
                reg = <0>;

                /* phy0 and phy1 each have an active-low reset line (GPIO 37
                 * and 44); the same pins are configured by the "phy-rst"
                 * pinmux entry in the &gpio node. */
                phy0: ethernet-phy@0 {
                        reg = <0x00>;
                        compatible = "ethernet-phy-ieee802.3-c22";
                        reset-gpios = <&gpio 37 GPIO_ACTIVE_LOW>;
                };
                phy1: ethernet-phy@1 {
                        reg = <0x01>;
                        compatible = "ethernet-phy-ieee802.3-c22";
                        reset-gpios = <&gpio 44 GPIO_ACTIVE_LOW>;
                };
                /* MDIO addresses 0x11 and 0x13; no reset GPIO is declared.
                 * NOTE(review): presumably the SoC-internal PHYs configured
                 * by &gphy0/&gphy1 - confirm. */
                phy11: ethernet-phy@11 {
                        reg = <0x11>;
                        compatible = "lantiq,phy11g", "ethernet-phy-ieee802.3-c22";
                };
                phy13: ethernet-phy@13 {
                        reg = <0x13>;
                        compatible = "lantiq,phy11g", "ethernet-phy-ieee802.3-c22";
                };
        };
};

/*
 * Both GPHY blocks are set to GPHY_MODE_GE, a constant taken from the
 * lantiq_rcu_gphy.h binding header included at the top of the file.
 * NOTE(review): presumably selects gigabit operation - confirm in the header.
 */
&gphy0 {
        lantiq,gphy-mode = <GPHY_MODE_GE>;
};

&gphy1 {
        lantiq,gphy-mode = <GPHY_MODE_GE>;
};


/*
 * Pin multiplexing: the default state routes the MDIO and NAND pins and sets
 * up the reset lines; a second group describes the SPI pins used by &spi.
 */
&gpio {
        pinctrl-names = "default";
        pinctrl-0 = <&state_default>;

        state_default: pinmux {
                mdio {
                        lantiq,groups = "mdio";
                        lantiq,function = "mdio";
                };
                /* NAND control signals are routed to the "ebu" function; the
                 * NAND chip itself is described under &localbus. */
                nand {
                        lantiq,groups = "nand ale", "nand cle",
                                        "nand cs1", "nand rd", "nand rdy";
                        lantiq,function = "ebu";
                };
                /* io37 and io44 are the reset-gpios of phy0 and phy1. */
                phy-rst {
                        lantiq,pins = "io37", "io44";
                        lantiq,pull = <0>;
                        lantiq,open-drain;
                        lantiq,output = <1>;
                };
                /* io21 is the gpio-reset line used by &pcie0.
                 * NOTE(review): open-drain is written here as "= <1>" but as
                 * a bare flag in phy-rst above; confirm which form the
                 * pinctrl driver expects and use it in both places. */
                pcie-rst {
                        lantiq,pins = "io21";
                        lantiq,open-drain = <1>;
                        lantiq,output = <1>;
                };
        };

        /* SPI data in, and data out / clock / chip select 4 as outputs.
         * Chip select 4 matches the flash node's "reg = <4 0>" in &spi. */
        pins_spi_default: pins_spi_default {
                spi_in {
                        lantiq,groups = "spi_di";
                        lantiq,function = "spi";
                };

                spi_out {
                        lantiq,groups = "spi_do", "spi_clk",
                                "spi_cs4";
                        lantiq,function = "spi";
                        lantiq,output = <1>;
                };
        };

};

/*
 * SPI NOR flash holding the bootloader and the two TFFS areas. All three
 * partitions are marked read-only, so the running system cannot write to
 * them through MTD.
 */
&spi {
        status = "okay";

        pinctrl-names = "default";
        pinctrl-0 = <&pins_spi_default>;

        /* Flash chip on chip select 4, clocked at no more than 1 MHz. */
        m25l80@4 {
                #address-cells = <1>;
                #size-cells = <1>;
                compatible = "jedec,spi-nor";
                reg = <4 0>;
                spi-max-frequency = <1000000>;

                /* 0x40000 bytes (256 KiB) at offset 0. Besides the bootloader
                 * this partition is the source of the Ethernet MAC address
                 * (&eth0 reads offset 0xa91) and of the ath9k calibration
                 * data (the 12-ath9k-eeprom hotplug script extracts 1088
                 * bytes at offset 5441), so it must stay intact. */
                urlader: partition@0 {
                        reg = <0x0 0x40000>;
                        label = "urlader";
                        read-only;
                };

                /* Two 0x60000-byte (384 KiB) areas labelled "tffs (1)" and
                 * "tffs (2)".
                 * NOTE(review): presumably AVM's TFFS configuration store and
                 * its second copy; treat the contents as device-specific
                 * data that should not be shared in dumps - confirm. */
                partition@40000 {
                        reg = <0x40000 0x60000>;
                        label = "tffs (1)";
                        read-only;
                };

                partition@A0000 {
                        reg = <0xA0000 0x60000>;
                        label = "tffs (2)";
                        read-only;
                };
        };
};

/*
 * NAND flash on the local bus, split into a fixed kernel partition and a UBI
 * partition. Neither is marked read-only.
 * NOTE(review): presumably these are the partitions nand_do_upgrade rewrites
 * during sysupgrade - confirm.
 */
&localbus {
        nand@1 {
                compatible = "lantiq,nand-xway";
                lantiq,cs1 = <1>;
                bank-width = <1>;
                reg = <1 0x0 0x2000000>;
                #address-cells = <1>;
                #size-cells = <1>;

                /* Error correction is left to the NAND chip itself. */
                nand-ecc-mode = "on-die";

                partitions {
                        compatible = "fixed-partitions";
                        #address-cells = <1>;
                        #size-cells = <1>;
                        /* 0x400000 bytes (4 MiB); equals KERNEL_SIZE := 4096k
                         * in the image Makefile. */
                        partition@0 {
                                label = "kernel";
                                reg = <0x0 0x400000>;
                        };
                        /* 0x7c00000 bytes (124 MiB) directly after the
                         * kernel partition. */
                        partition@400000 {
                                label = "ubi";
                                reg = <0x400000 0x7c00000>;
                        };
                };
        };
};

/*
 * PCIe root port with the Wi-Fi device (PCI ID 168c:002e) behind it. The
 * port's reset line is GPIO 21, active low - the pin set up by "pcie-rst"
 * in the &gpio node.
 */
&pcie0 {
        status = "okay";
        gpio-reset = <&gpio 21 GPIO_ACTIVE_LOW>;

        pcie@0 {
                reg = <0 0 0 0 0>;
                #interrupt-cells = <1>;
                #size-cells = <1>;
                #address-cells = <2>;
                device_type = "pci";

                wifi@168c,002e {
                        compatible = "pci168c,002e";
                        reg = <0 0 0 0 0>;
                        /* The card has no EEPROM of its own, so calibration
                         * data comes from a firmware file.
                         * NOTE(review): presumably the file produced by the
                         * 12-ath9k-eeprom hotplug script from the "urlader"
                         * partition - confirm the file name matches. */
                        qca,no-eeprom; /* load from ath9k-eeprom-pci-0000:01:00.0.bin */
                };
        };
};

/*
 * Switch on both USB PHYs and both USB controllers by setting their status
 * to "okay".
 * NOTE(review): presumably these nodes are declared disabled in vr9.dtsi -
 * confirm.
 */
&usb_phy0 {
        status = "okay";
};

&usb_phy1 {
        status = "okay";
};

&usb0 {
        status = "okay";
};

&usb1 {
        status = "okay";
};

  1. Take these with a big grain of salt though. They compiled a bootable ram image for me, but they could be far from optimal (maybe even wrong in places).
  2. use the python script to copy your ram image for testing (scripts/flashing/eva_ramboot.py 192.168.0.3 bin/targets/lantiq/xrx200/openwrt-lantiq-xrx200-avm_fritz7490-initramfs-kernel.bin)
  3. I found I could change the tftp bootloader IP by fiddling with the environment var my_ipaddress - made it simpler for testing for me. Use at your own risk :wink: I made a reference of stuff here: https://openwrt.org/docs/techref/bootloader/eva

The sticking point for me was the Wifi. In the 7490 the Wifi is run on a completely separate CPU chip that includes 2.4Ghz on chip, and then has another chip for 5Ghz. The communications between the Wifi CPU and the main CPU is done by some 'fancy' IPv6 ethernet bridge/vlan thing that was over my level of understanding. I only got as far as waking up the Wifi CPU by doing this:

To wakeup the 2nd Wifi chip, do this:

root@OpenWrt:/# ./gpiocontrol.sh 34 out 0
root@OpenWrt:/# ./gpiocontrol.sh 34 out 1

(script source from here:https://openwrt.org/docs/techref/hardware/port.gpio?s[]=gpio&s[]=control#utilities)

From the 2nd uart console, I could then see this output, but I could never figure what else was needed to get an image delivered to the 2nd CPU for it to boot up.


__________________sri____________________
944x BootROM Ver. (asic) 1.0 [Nov  8 2011 13:42:57]
_________________________________________
find_hif: bootstrap = 0x21e78
GMAC start
ROM>:mdio download ready

I've kept all the logs and analysis I've done - happy to share these if you need. But as for the 7490 its doubtful I'll make much further headway on this on my own. If the 5490 has a dual CPU design as well and you can figure out how to get the wifi CPU to boot please @mention me in a post about it, or reply on this thread with the details :+1:


what about ac wireless on this device, multiple sites mention QCA9880-AR1A, even though from several photos i've found it seems like it is BR4A chip actually. are there multiple revisions of this router?

Yeh its likely there are at least 2 if not 3 variants


@Sparks, yes it has the same dual CPU design, I believe AVM refers to it as the wasp.

Have you looked into drivers/net/avm_cpmac/phy/phy_wasp.h (kernel source tree)

extern void (*cpmac_magpie_reset_cb_hook)(void); /*--- wird aufgerufen, 10 ms nachdem die WLan-CPU aus dem Reset geholt wurde ---*/

The german comment means that that function is to be called 10 ms after the WLAN CPU is pulled out of reset (I would guess by the GPIO pin you've pulled).

@psyborg the 5490 I opened up has a BR4A chip. Not sure about the other one


Good find! I never came across that in my travels. Seems it's the same code too in the WiFi scorpion cpu as well as the main cpu. I'm not sure though how this would be used. Would this driver expose a new network device that can be read and written to by each cpu?

this site confirms it https://frixtender.de/kompatibilitaet-der-fritzbox-7490/

it has photos for 3 revisions, all have v2 wifi, thus info in several sites including openwrt wiki is wrong


Ok so some updates :wink:

I've found the file that contains the kernel for the Atheros SoC:

binwalk filesystem/lib/firmware/ath_tgt_fw2.fw 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
4325588       0x4200D4        xz compressed data
4344448       0x424A80        CRC32 polynomial table, little endian
4418204       0x436A9C        Unix path: /var/tmp/me_avmdebug.ctl
4418288       0x436AF0        Unix path: /var/tmp/me_ctlmgr.ctl
4436252       0x43B11C        Unix path: /lib/firmware/updates/4.4.60
4459636       0x440C74        Unix path: /sys/firmware/devicetree/base
4460273       0x440EF1        Unix path: /sys/firmware/fdt': CRC check failed
4500269       0x44AB2D        Neighborly text, "neighbor table overflow!is %x"
4537936       0x453E50        Neighborly text, "NeighborSolicitsp6InMsgs"
4537956       0x453E64        Neighborly text, "NeighborAdvertisementsrs"
4540870       0x4549C6        Neighborly text, "neighbor %.2x%.2x.%pM lostbroadcast ratelimiter registered"
4553409       0x457AC1        Certificate in DER format (x509 v3), header length: 4, sequence length: 27776
5040376       0x4CE8F8        device tree image (dtb)
5140480       0x4E7000        ELF, 32-bit MSB MIPS64 shared object, MIPS, version 1 (SYSV)
6104576       0x5D2600        Squashfs filesystem, big endian, version 4.0, compression:xz, size: 4665244 bytes, 471 inodes, blocksize: 65536 bytes, created: 1970-02-23 23:54:04

(as well as a stage1 file: filesystem/lib/firmware/ath_tgt_fw1.fw, nothing to see there with binwalk)

I've found what I at least expect to be the file responsible for uploading the firmware images to the SoC (unfortunately it's a binary lib, so it will require more inspection).
binwalk:

binwalk filesystem/lib/liboffload_X490.so 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 32-bit MSB MIPS64 shared object, MIPS, version 1 (SYSV)
20132         0x4EA4          Unix path: /lib/firmware/ath_tgt_fw2.fw
21960         0x55C8          Unix path: /lib/firmware/ath_tgt_fw1.fw
23000         0x59D8          Unix path: /var/tmp/wlan_ol_wd_crash.XXXXXX

strings:

_init
_gp_disp
_fini
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
__cxa_finalize
__deregister_frame_info
__register_frame_info
_Jv_RegisterClasses
stat
__errno_location
strerror
sysprt_err
fopen
fread
feof
fclose
socket
strncpy
ioctl
clock_gettime
usleep
setsockopt
recv
malloc
sendto
memcmp
free
sysprt_info
putchar
stdout
fflush
kill
raise
offload_mgr_start_system
getpid
sigfillset
sigprocmask
fork
exit
setpriority
snprintf
offload_mgr_shutdown_system
offload_mgr_start_monitoring
offload_mgr_stop_monitoring
puts
mkstemp
dprintf
__libc_current_sigrtmax
sigismember
sigaction
libc.so.1
_ftext
_fdata
_edata
__bss_start
_fbss
_end
('9E
 8!$
@0!$
($cI
ap$	
0$bL
 8!$
@ !.
 (!&
&'I0$
,&%I0
 0!4
 0!4
`'9#
!&$N
c&$N
('9#
@0!4
$BP8$
 8!$
 !0E
D #P
(!&D
	$DP
H~s:
"et$
('92
$BT`
@8!$
@8!$
@8!$
@8!$
('92
@ !<
$det
;|C:
@8!$
 Failed to retrieve size of '%s': %s (%d)
Failed to open '%s': %s (%d)
Failed to read '%s')
Failed to close '%s': %s (%d)
Requested length is larger than file (%d B left))
Failed to open socket: %s (%d)
wasp
IOCTL SIOCGMIIREG failed with: %s (%d)
IOCTL SIOCSMIIREG failed with: %s (%d)
IOCTL SCORPION_RESET failed with: %s (%d)
Failed to retrieve current time: %s (%d)
Failed to read MDIO register 0x%x.
Timeout while waiting for MDIO lock (read 0x%x).
Failed to write MDIO Reg 1
Failed to read MDIO Reg 1
MDIO rw-Test failed, expected: %04x %04x %04x %04x %04x %04x %04x %04x, got: %04x %04x %04x %04x %04x %04x %04x %04x
Failed to write 0x%x to MDIO register 0x%x.
Length %d exceeds maximum MDIO block length %d.
Failed to release the MDIO lock.
Failed to get the MDIO lock.
Failed to read from MDIO register 0x%x.
Failed to send file chunk.
Failed to read 0x%x from MDIO register 0x%x.
Target pattern mismatch, expected: %04x %04x %04x %04x %04x %04x %04x %04x, got: %04x %04x %04x %04x %04x %04x %04x %04x
:<<=>?JKLMNOZ[\]Failed to create socket: %s (%d)
IOCTL SIOCGIFHWADDR failed with: %s (%d)
IOCTL SIOCGIFHWADDR returned unexpected address family %d
Failed to open socket: %s (%d)
Failed to bind socket to device '%s': %s (%d)
Failed to set receive timeout: %s (%d)
IOCTL SIOCGIFFLAGS failed with: %s (%d)
IOCTL SIOCSIFFLAGS failed with: %s (%d)
Failed to setup raw socket.
Failed to receive packet: %s (%d)
MDIO-Status: Poll %x, RX: %x, TX: %x, Offset: %x
Unexpected packet type 0x%x
/lib/firmware/ath_tgt_fw2.fw
Failed to determine 2nd stage firmware size.
Failed to calculate 2nd stage firmware checksum.
IOCTL SIOCGIFINDEX failed with: %s (%d)
Failed to copy source MAC address.
Failed to setup socket address.
Failed to allocate %d B for tx frame.
Failed to read end of '%s')
Failed to send firmware chunk: %s (%d)
Failed to receive reply packet: %s (%d)
Received packet with unexpected mac-addr %02x:%02x:%02x:%02x:%02x:%02x
Received packet with unexpected ath protocol 0x%x
Ignoring duplicated ACK for offset 0x%x
Received ACK with invalid offset 0x%x, expected 0x%x
Target sent FWD_RSP_FAILED for offset 0x%x
Target sent unexpected response for offset 0x%x
Maximum number of retries exceeded for offset 0x%x
%s:%d OL-DL: Failed to send kill signal crash signal to wland, %s
%s:%d OL-DL: Failed to verify mdio magic pattern
%s:%d, Failed to kill old Offload-Downloader
%s:%d, Failed to mask signal for forking operation: %s
%s:%d Failed to bring scorpion into reset
%s:%d, Failed to fork for Offload-Downloader: %s
%s:%d, Offload-Downloader exited unappropriately
%s:%d Failed to generate cmd string, ret = %d
Failed to setup OL-VLANs, ret = %d
%s:%d, Failed to unmask signal after forking operation in offload manager: %s
%s:%d Failed to set priority for ol dl process, errno = %d
%s:%d Failed to find WiFi-ATA-Role
wifi_offload_link.sh
%s %s %02x:%02x:%02x:%02x:%02x:%02x
start
wifi_offload_link.sh stop
Failed to bring down OL-VLANs, ret = %d
Offset after Bootup: 0x%08x
%s:%d OL-DL: Failed to write magic pattern to target
Offload MDIO Monitoring
offload_mgr_start_monitoring
remote_monitor
wland_notify_crash
offload_mgr_start_system
Failed to reset target.
Failed to acquire MDIO Lock after reset
/lib/firmware/ath_tgt_fw1.fw
Failed to determine 1st stage firmware size.
Failed to send 1st stage download parameters.
Failed to calculate 1st stage firmware checksum.
Failed to send 1st stage firmware checksum.
Failed to send 1st stage firmware image.
Target failed to validate 1st stage firmware checksum.
Failed to read number of dump registers from target.
Dumping %d regs from target
Failed to read dump registers %d from target.
Not enough space to store reg %d
target_reg_dump[%d] = %08x
Watchdog reboot at epc %08x
Failed to open temp-File for crashreport, %s
--BEGIN_TGT_REGS--
errorepc=0x%08x
wdt_ctrl=0x%08x
--END_TGT_REGS--
tgt_regs[%d]=0x%08x
Failed to close wd cr file, %s
Sending crash report with target register dump
msgsend ctlmgr crashreport xxx WLANLog_v2 %s
%s:%d: system() failed for command "%s"
%s:%d: /bin/sh failed for command "%s"
%s:%d: command "%s" returned %d
Failed to send 1st stage runtime parameters.
Starting target memory test.
/var/tmp/wlan_ol_wd_crash.XXXXXX
Failed to load 1st stage firmware
Failed to setup network interface.
Failed to receive discovery packet.
Failed to send 2nd stage firmware image.
%s:%d OL-DL: Failed to set signal handler for signal %d, %s
%s:%d OL-DL: Failed to download firmware to target
%s:%d OL-DL: Upload successful
send_wd_crashreport
ol_dl_main
aLGCC: (GNU) 3.3.2
GCC: (Buildroot 2016.05-gc3ca4dd) 5.4.0
.shstrtab
.MIPS.abiflags
.reginfo
.dynamic
.hash
.dynsym
.dynstr
.rel.dyn
.init
.text
.MIPS.stubs
.fini
.rodata
.eh_frame
.ctors
.dtors
.jcr
.data
.got
.sdata
.bss
.comment
.pdr
.gnu.attributes
.mdebug.abi32

What I would really like to get is a full tcpdump when the SoC reboots, I've installed tcpdump and some other tooling on my box using freetz, however I've got no idea how to force the Atheros SoC to reset (or if the fritzbox would then reinit the boot process). If the process is done via IP we would be able to replicate it, otherwise some more work would be involved.


Nice! Maybe see if you can get wlan_ctl to do a reset or restart of it.
Boxmatrix has some useful stuff..

Alternatively you might be able to get it by resetting the WiFi cpu via gpio. If you're lucky the watchdog thing should recover it after 1-2 mins - fingers crossed


Unfortunately the Fritzbox does not have the GPIO exposed in the same way as the script you posted looks for (and I have no idea yet where to look)

wlan_ctl seems smart!

-edit- I've managed to restart the SoC and capture packets! (/etc/init.d/rc.wlan stop does the trick it seems :wink: ) Lot of traffic, however less than I hoped for :confused: The image I've found before is around 10meg, so I was hoping to see at least that + protocol overhead going over the line, as it would've meant that the boot protocol is somehow going over TCP (my dump not finding anything of course does not mean that it doesnt!)
You can find the tcpdump, kernel file and library that is booting the box here: https://www.dropbox.com/sh/xujavvx9a4x0owq/AADYejrApt74HRq6CHuxHQ6ga?dl=0 Perhaps some more eyeballs on this would help create understanding on how to boot the SoC :slight_smile:


Not sure whether you found the 2nd uart pinout from your earlier comments. Assuming the 5490 uses the same console chip, it might be the same as the 7490 pinout

The one that's soldered in the picture is the main cpu uart; the column to the left is connected to the uart of the WiFi cpu. (And the 3rd column on the right seemed to be connected to some fpga thing - I dunno what that's for but assume it's related to dect functions).

With a 2nd usb uart cable you can interact with the 2nd cpu directly after it boots, as well as verify whether it's doing some soft reset when you do the stop/start via init script. Alternatively you should be able to either crash it or plain reboot it from there, then wait for the watchdog thing on the main cpu to bring it back while the dump is running. Unfortunately I can't do this myself at present as I'm using my 7490 for other stuff.

Did anyone try to build the GPL sources for this device, and did they provide a fully usable image?

@gizah did you make any progress on this?
I recently bought a used Fritz!Box 3390 for cheap and I'm trying to port OpenWrt. After opening the box, I found a second Atheros SoC that is responsible for WiFi, very similar to yours.

I did the very same as you and tried to capture packets. On the 3390, there are two firmware stages / images for the Atheros SoC which seem to be transferred over different media: I tried to capture network traffic as well and could easily find the stage 2 firmware transfer in the dump. However, the stage 1 firmware might be transferred via a different mechanism - my current guess is that it is transferred directly over MDIO.

On the 3390, the liboffload files are not present. Instead, there are some kernel modules in a directory called "offload".

For now, I've only played around with the stock firmware, but I'll do the Lantiq port soon.


Yep, stage 1 is transferred over MDIO: I created a freetz image with a custom kernel that has debug flags in the avmnet driver enabled. This prints all MDIO messages over the serial console and I can see how the registers are written. The console is too slow to process all messages, so initialization fails, but I now have a rough idea on how this works.

[   27.670000] [avmnet] {avmnet_phy_wasp_poll} powerup, link, Speed 2, fullduplex
[   27.670000] [avmnet] [avmnet_swi_7port_reg_read] addr 0x7  reg 0x700 -> 0x2
[   27.680000] [avmnet] [avmnet_swi_7port_reg_read] addr 0x7  reg 0x700 -> 0x2
[   27.690000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x702  data 0xbd00
[   27.690000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x704  data 0x3000
[   27.700000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x706  data 0x0
[   27.710000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x708  data 0x38e4
[   27.710000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x70a  data 0xbd00
[   27.730000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x70c  data 0x3000
[   27.740000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x700  data 0xc01
[   27.740000] [avmnet] [avmnet_swi_7port_reg_read] addr 0x7  reg 0x0 -> 0x2
[   27.750000] [avmnet] [avmnet_swi_7port_reg_read] addr 0x7  reg 0x700 -> 0x2
[   27.760000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x702  data 0x6a83
[   27.760000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x704  data 0xffc7
[   27.770000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x706  data 0x0
[   27.780000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x708  data 0x0
[   27.790000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x700  data 0x801
[   27.790000] [avmnet] [avmnet_swi_7port_reg_read] addr 0x7  reg 0x0 -> 0x2
[   27.800000] [avmnet] [avmnet_swi_7port_reg_read] addr 0x7  reg 0x700 -> 0x2
[   27.810000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x702  data 0x4080
[   27.820000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x704  data 0x0
[   27.820000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x706  data 0x4080
[   27.830000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x708  data 0x800
[   27.840000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x70a  data 0x4080
[   27.840000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x70c  data 0x1000
[   27.850000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x70e  data 0x4080
[   27.860000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x700  data 0xe01
[   27.870000] [avmnet] [avmnet_swi_7port_reg_read] addr 0x7  reg 0x0 -> 0x2
[   27.870000] [avmnet] [avmnet_swi_7port_reg_read] addr 0x7  reg 0x700 -> 0x2
[   27.880000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x702  data 0x1800
[   27.890000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x704  data 0x4080
[   27.900000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x706  data 0x2000
[   27.900000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x708  data 0x4080
[   27.910000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x70a  data 0x2800
[   27.920000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x70c  data 0x4080
[   27.930000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x70e  data 0x3000
[   27.930000] [avmnet] [avmnet_swi_7port_reg_write] addr 0x7  reg 0x700  data 0xe01
[   27.940000] [avmnet] [avmnet_swi_7port_reg_read] addr 0x7  reg 0x0 -> 0x2

Starting from 27.810000, I can see the raw values from my ath_tgt_fw1.fw file :slight_smile: I need to find a way to do a full dump, though, since I expect some sort of start command after a successful upload.

0x700 seems to be the command and status register, 0xe01 probably finishes the current write?

try reducing output char size, it might get you more prints.
e.g. instead of

[avmnet_swi_7port_reg_write] addr 0x7  reg 0x70c  data 0x1000

put
7w a 0x7 r 0x70c d 0x1000