Tenda W3002R Openwrt Development

Good day Openwrt,

So I'm pretty new to this whole thing, but reverse engineering has always been one of my hobbies. I had an old router lying around and I decided to give it a shot at trying to get Openwrt running on it.

So currently, I have identified the serial pads on the router and soldered on some pins. Using putty I managed to get (what I believe to be) a full dump of my firmware. I have also compiled Openwrt for the bcrm47xx architecture, but whenever I try to boot the vmlinux.elf from an TFTP server I get the following messages:

[    0.000000] Linux version 4.14.141 (dean@dean-Lenovo-Legion-Y530-15ICH) (gcc version 7.4.0 (OpenWrt GCC 7.4.0 r10975-681acdcc54)) #0 Mon Sep 9 07:38:55 2019
[    0.000000] CPU0 revision is: 00019749 (MIPS 74Kc)
[    0.000000] bcm47xx: Using bcma bus
[    0.000000] (NULL device *): bus0: Found chip with id 53572, rev 0x01 and package 0x08
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 01000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] This processor doesn't support highmem. -16384k highmem ignored
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000000ffffff]
[    0.000000]   HighMem  empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000000ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000000ffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x9c/0x4a4 with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping off.  Total pages: 4060
[    0.000000] Kernel command line: noinitrd console=ttyS0,115200
[    0.000000] PID hash table entries: 64 (order: -4, 256 bytes)
[    0.000000] Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.000000] Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 10840K/16384K available (3819K kernel code, 162K rwdata, 832K rodata, 168K init, 299K bss, 5544K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 128
[    0.000000] (NULL device *): bus0: Core 0 found: ChipCommon (manuf 0x4BF, id 0x800, rev 0x27, class 0x0)
[    0.000000] (NULL device *): bus0: Core 1 found: IEEE 802.11 (manuf 0x4BF, id 0x812, rev 0x1C, class 0x0)
[    0.000000] (NULL device *): bus0: Core 2 found: GBit MAC (manuf 0x4BF, id 0x82D, rev 0x03, class 0x0)
[    0.000000] (NULL device *): bus0: Core 3 found: MIPS 74K (manuf 0x4A7, id 0x82C, rev 0x05, class 0x0)
[    0.000000] (NULL device *): bus0: Core 4 found: SDR/DDR1 Memory Controller (manuf 0x4BF, id 0x835, rev 0x02, class 0x0)
[    0.000000] (NULL device *): bus0: Found M25P16 serial flash (size: 2048KiB, blocksize: 0x10000, blocks: 32)
[    0.000000] (NULL device *): bus0: Early bus registered
[    0.000000] MIPS: machine is Unknown Board
[    0.000000] bcm47xx: Setting up vectored interrupts
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 12741736309 ns
[    0.000024] sched_clock: 32 bits at 150MHz, resolution 6ns, wraps every 14316557820ns
[    0.000130] Calibrating delay loop... 149.91 BogoMIPS (lpj=749568)
[    0.070106] pid_max: default: 32768 minimum: 301
[    0.070784] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.070843] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.077461] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.077540] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.078912] NET: Registered protocol family 16
[    0.130300] clocksource: Switched to clocksource MIPS
[    0.133512] NET: Registered protocol family 2
[    0.135423] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.135506] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.135566] TCP: Hash tables configured (established 1024 bind 1024)
[    0.135915] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.135993] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.136768] NET: Registered protocol family 1
[    0.294253] can not parse nvram name sb/1/ag3(null) with value 0xff got -34
[    0.329061] can not parse nvram name sb/1/rxpo2g(null) with value 0xff got -34
[    0.472730]  2(S)*
[    0.472740]  3
[    0.472767]  4
[    0.472787]  5
[    0.472807]  6
[    0.472827]  D
[    0.472846]  I
[    0.472865]
[    0.472907]  2(S)
[    0.472917]  3*
[    0.472937]  4
[    0.472957]  5
[    0.472976]  6
[    0.472996]  D
[    0.473015]  I
[    0.473033]
[    0.473075]  2(S)
[    0.473084]  3
[    0.473104]  4*
[    0.473124]  5
[    0.473143]  6
[    0.473163]  D
[    0.473182]  I
[    0.473200]
[    0.473241]  2(S)
[    0.473250]  3
[    0.473270]  4
[    0.473289]  5
[    0.473309]  6
[    0.473328]  D
[    0.473347]  I*
[    0.473366]
[    0.473408]  2(S)
[    0.473417]  3
[    0.473437]  4
[    0.473457]  5
[    0.473476]  6
[    0.473496]  D*
[    0.473515]  I
[    0.473533]
[    0.475270] (NULL device *): bus0: Bus registered
[    0.476990] Crashlog allocated RAM at address 0xf00000
[    0.484547] workingset: timestamp_bits=14 max_order=12 bucket_order=0
[    0.501141] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.501188] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.533739] io scheduler noop registered
[    0.533788] io scheduler deadline registered (default)
[    0.534192] Serial: 8250/16550 driver, 2 ports, IRQ sharing enabled
[    0.535537] console [ttyS0] disabled
[    0.555928] serial8250.0: ttyS0 at MMIO 0xb8000300 (irq = 2, base_baud = 1250000) is a U6_16550A
[    1.061843] console [ttyS0] enabled
[    1.091130] 4 bcm47xxpart partitions found on MTD device bcm47xxsflash
[    1.097787] Creating 4 MTD partitions on "bcm47xxsflash":
[    1.103369] 0x000000000000-0x000000020000 : "boot"
[    1.116536] 0x000000020000-0x0000001e0000 : "firmware"
[    1.123963] 1 trx partitions found on MTD device firmware
[    1.129475] Creating 1 MTD partitions on "firmware":
[    1.134674] 0x00000000001c-0x0000001c0000 : "linux"
[    1.146245] 0x0000001e0000-0x0000001f0000 : "nvram"
[    1.155150] 0x0000001f0000-0x000000200000 : "nvram"
[    1.170840] libphy: Fixed MDIO Bus: probed
[    1.175324] bgmac_bcma bcma0:2: Found PHY addr: 30 (NOREGS)
[    1.214958] b53_common: found switch: BCM5325, rev 4
[    1.220167] libphy: bcma_mdio mii bus: probed
[    1.224721] bgmac_bcma bcma0:2: Support for Roboswitch not implemented
[    1.332098] bgmac_bcma: Broadcom 47xx GBit MAC driver loaded
[    1.338464] bcm47xx-wdt bcm47xx-wdt.0: BCM47xx Watchdog Timer enabled (30 seconds)
[    1.349268] NET: Registered protocol family 10
[    1.364188] Segment Routing with IPv6
[    1.368186] NET: Registered protocol family 17
[    1.373010] 8021q: 802.1Q VLAN Support v1.8
[    1.383044] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6
[    1.390773] Please append a correct "root=" boot option; here are the available partitions:
[    1.399287] 1f00             128 mtdblock0
[    1.399300]  (driver?)
[    1.406033] 1f01            1792 mtdblock1
[    1.406048]  (driver?)
[    1.412774] 1f02            1791 mtdblock2
[    1.412789]  (driver?)
[    1.419453] 1f03              64 mtdblock3
[    1.419462]  (driver?)
[    1.426184] 1f04              64 mtdblock4
[    1.426198]  (driver?)
[    1.432930] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[    1.444163] Rebooting in 1 seconds..
[    2.447376] bcm47xx: Please stand by while rebooting the system...

I am unsure as to how I would fix this, some help would really be appreciated.

Here is the log for how the router usually boots:

Decompressing...done


CFE version 5.100.138.3 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 2011-05-26 10:33:50 4 (richard@aeteam.com)
Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena
Init Devs.
Boot partition size = 131072(0x20000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138.3
CPU type 0x19749: 300MHz
Tot mem: 16384 KBytes

CFE mem:    0x80700000 - 0x80798550 (623952)
Data:       0x8072E3A0 - 0x807315C0 (12832)
BSS:        0x807315C0 - 0x80732550 (3984)
Heap:       0x80732550 - 0x80796550 (409600)
Stack:      0x80796550 - 0x80798550 (8192)
Text:       0x80700000 - 0x8072E39C (189340)

Device eth0:  hwaddr C8-3A-35-55-32-20, ipaddr 192.168.0.1, mask 255.255.255.0
        gateway not set, nameserver not set
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: ..... 2848468 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
IP Filter: v3.4.35 initialized.  Default = pass all, Logging = disabled
PCI: no core
PCI: no core
PCI: Fixing up bus 0
wl_pci_probe: find [14e4:4329] bus 0 slot 1 func 0 irq 1

eCos Router/AP V5.110.27.21 (Compiled at 19:36:34 on Sep 22 2014)
sys_led_test_gpio=6
Using pin 6 for sys_led output
wps_led_test_gpio=7
System start
vlan1: VLAN interface created
vlan2: VLAN interface created
wlconf: PHYTYPE: 4
EAPD task started
initWebs: lanip=[192.168.0.1]
NAS task started
CLI> 

and here it how it boots when the process is interrupted by Ctrl+C:

Decompressing...done


CFE version 5.100.138.3 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 2011-05-26 10:33:50 4 (richard@aeteam.com)
Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena
Init Devs.
Boot partition size = 131072(0x20000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138.3
CPU type 0x19749: 300MHz
Tot mem: 16384 KBytes

CFE mem:    0x80700000 - 0x80798550 (623952)
Data:       0x8072E3A0 - 0x807315C0 (12832)
BSS:        0x807315C0 - 0x80732550 (3984)
Heap:       0x80732550 - 0x80796550 (409600)
Stack:      0x80796550 - 0x80798550 (8192)
Text:       0x80700000 - 0x8072E39C (189340)

Device eth0:  hwaddr C8-3A-35-55-32-20, ipaddr 192.168.0.1, mask 255.255.255.0
        gateway not set, nameserver not set
Startup canceled
CFE> ^C
CFE> ^C
CFE> ^C
CFE> 

Do yourself a favour, there is no chance in hell to run OpenWrt on a device with 2 MB flash and 16 MB RAM.

3 Likes

Okay thanks xD