So this might be revealing my n00bishness but I can't load Kamikaze on my wrt600n. I would like to look at how the 2.4 kernel maps flash so I can help you ZeroPain, but what did you do to build a .bin file?

Edit: I can build Kamikaze for a Broadcom 4785 with the bcm5397 roboswitch... But when I tried to tftp up openwrt-wrt350n_v1-squashfs.bin the CFE rejected it. I think what I'm missing is the signature... here is the relevant section from kamikaze/target/linux/brcm-2.4/image/Makefile:

define Image/Build/jffs2-64k
        $(call Image/Build/CyberTAN,$(1),wrt54g3g,W54F,2.20.1,$(patsubst jffs2-%,jffs2,$(1)))
        $(call Image/Build/CyberTAN,$(1),wrt54g3g-em,W3GN,2.20.1,$(patsubst jffs2-%,jffs2,$(1)))
        $(call Image/Build/CyberTAN,$(1),wrt54g,W54G,4.71.1,$(patsubst jffs2-%,jffs2,$(1)))
        $(call Image/Build/CyberTAN,$(1),wrt54gs_v4,W54s,1.09.1,$(patsubst jffs2-%,jffs2,$(1)))
        $(call Image/Build/CyberTAN,$(1),wrt150n,N150,1.51.3,$(patsubst jffs2-%,jffs2,$(1)))
        $(call Image/Build/CyberTAN,$(1),wrt300n_v1,EWCB,1.51.2,$(patsubst jffs2-%,jffs2,$(1)))
        $(call Image/Build/CyberTAN,$(1),wrt350n_v1,EWCG,1.04.1,$(patsubst jffs2-%,jffs2,$(1)))
        $(call Image/Build/Motorola,$(1),wa840g,2,$(patsubst jffs2-%,jffs2,$(1)))
        $(call Image/Build/Motorola,$(1),we800g,3,$(patsubst jffs2-%,jffs2,$(1)))
endef

I think if I'm reading your posts correctly, ZeroPain, you have it working. How?

Edit: I think the wrt600n uses the bcm5397 switch, supported by the bcm57xx driver

(Last edited by dch24 on 6 Aug 2008, 22:35)

OK, I think I identified the wrt600n magic: $(call Image/Build/CyberTAN,$(1),wrt600n_v1,GMTK,1.04.1,$(patsubst jffs2-%,jffs2,$(1)))

But CFE still gives me the same rejection of my TFTP:

CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Fri Jan 18 15:59:34 CST 2008 (joseph@localhost)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena
Initializing PCI. [normal]
PCI bus 0 slot 0/0: vendor 0x14e4 product 0x0800 (flash memory, rev 0x02)
PCI bus 0 slot 1/0: vendor 0x14e4 product 0x471f (ethernet network, rev 0x02)
PCI bus 0 slot 2/0: vendor 0x14e4 product 0x471a (USB serial bus, interface 0x1)
PCI bus 0 slot 2/1: vendor 0x14e4 product 0x471a (USB serial bus, interface 0x2)
PCI bus 0 slot 3/0: vendor 0x14e4 product 0x471b (USB serial bus, rev 0x02)
PCI bus 0 slot 4/0: vendor 0x14e4 product 0x0804 (PCI bridge, rev 0x02)
PCI bus 0 slot 5/0: vendor 0x14e4 product 0x0816 (MIPS processor, rev 0x02)     
PCI bus 0 slot 6/0: vendor 0x14e4 product 0x471d (IDE mass storage, rev 0x02)   
PCI bus 0 slot 7/0: vendor 0x14e4 product 0x4718 (network/computing crypto, rev)
PCI bus 0 slot 8/0: vendor 0x14e4 product 0x080f (RAM memory, rev 0x02)         
PCI bus 0 slot 9/0: vendor 0x14e4 product 0x471e (class 0xfe, subclass 0x00, re)
Initializing Devices.                                                           
Boot partition size = 262144(0x40000)                                           
PCI bus 0 slot 1/0: pci_map_mem: attempt to map 64-bit region tag=0x800 @ addr=4
PCI bus 0 slot 1/0: pci_map_mem: addr=0x18010004 pa=0x18010000                  
ge0: BCM5750 Ethernet at 0x18010000                                             
CPU type 0x2901A: 300MHz                                                        
Total memory: 32768 KBytes                                                      
                                                                                
Total memory used by CFE:  0x80300000 - 0x804066F0 (1074928)                    
Initialized Data:          0x80337C80 - 0x8033AC10 (12176)                      
BSS Area:                  0x8033AC10 - 0x8033C6F0 (6880)                       
Local Heap:                0x8033C6F0 - 0x804046F0 (819200)                     
Stack Area:                0x804046F0 - 0x804066F0 (8192)                       
Text (code) segment:       0x80300000 - 0x80337C80 (228480)                     
Boot area (physical):      0x00407000 - 0x00447000                              
Relocation Factor:         I:00000000 - D:00000000                              
                                                                                
eth0: Link speed: 1000BaseT FDX                                                 
Device eth0:  hwaddr 00-90-4C-A6-00-01, ipaddr 192.168.1.1, mask 255.255.255.0  
        gateway not set, nameserver not set                                     
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)                          
Loading: .... 2363424 bytes read                                                
Entry at 0x804066f0                                                             
Loader:raw Filesys:memory Dev:eth0 File::0x804066f0 Options:(null)              
Loading: . 0 bytes read                                                         
Failed.                                                                         
Could not load :0x804066f0: Error                                               
CFE>

if you download linksys gpl source code for the wrt600n
ftp://ftp.linksys.com/opensourcecode/wr … .36.03.tgz

use this file on the trx you made
wrt600n_v1.01.36.03/src/user/tools/trailer-tools/trailer_mkimage/mkimage
and just move it to your bin folder

example:

./mkimage openwrt-brcm-2.4-squashfs.trx
mv Trailed_LINKSYS_WRTB193N_1.01.36\ build\ 3_US.bin openwrt-wrt600n-squashfs.bin

Your router should accept openwrt-wrt600n-squashfs.bin its what i do to load it.
the 1st few times i had to load dd-wrt on it then use dd-wrt to flash openwrt.
But luckly i found that file in the linksys gpl code.

(Last edited by ZeroPain on 3 Aug 2008, 07:50)

OK, I'm slowly figuring it out.

This time I loaded the .trx instead of the .bin. Now I just need to figure out how to add the right trailer when generating the .trx:

eth0: Link speed: 1000BaseT FDX                                                 
Device eth0:  hwaddr 00-90-4C-A6-00-01, ipaddr 192.168.1.1, mask 255.255.255.0  
        gateway not set, nameserver not set                                     
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)                          
Loading: .... 2363392 bytes read                                                
Entry at 0x804066f0                                                             
Reading from 0x804066f0: front: Total size is 2363392                           
BCM5395                                                                         
No Trailer is not allowed!                                                      
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)                       
Loading: .. 3732 bytes read                                                     
Entry at 0x80001000                                                             
Closing network.                                                                
Starting program at 0x80001000                                                  
CPU revision is: 0002901a                                                       
Linux version 2.4.36 (eko@dd-wrt) (gcc version 3.4.6 (OpenWrt-2.0)) #674 Fri Ju8
Setting the PFC to its default value

Looks like i posted the answer to your question like 15 seconds before you asked it. just in case you don't see it i know i have a habit of scrolling down to the last thing i posted don't tend to look at anything before it.

I see that you do have a serial port connected. This took me awail to figure out i thought the bootloader was locked out.
Because most everything i read you just pressed any key during bootup to access it and it didn't work for this router.

But if you need to get into the CFE i found the hitting crtl + c during the bootwait time will drop me to CFE

basicly once i see

Device eth0:  hwaddr 00-90-4C-A6-00-01, ipaddr 192.168.1.1, mask 255.255.255.0  
        gateway not set, nameserver not set                                     
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)                          
Loading:

i start hitting crtl + c and then i'm at the CFE prompt

(Last edited by ZeroPain on 3 Aug 2008, 07:58)

The ctrl-c trick is great! But I crossed a wire while soldering and sent +5V down the router's RX line... Yeah, I can't send anything to the router, just listen to it. I even looked at reprogramming it to use the second serial port out of the CPU, but that one isn't apparently visible anywhere on the PCB.

Thanks for the tip on mkimage! I reverse engineered it:
.text is 0x80485b0 - 0x8048b68
main() starts somewhere around 0x8048684
Inside main() from 0x80487b1 to 0x804891d fills in the struct
0x8048924 call 0x8048a78 - this is the CRC function
main() continues from there

The CRC function is a standard IEEE 802.3 CRC32, so here is an 86-line C program to output the image file. The point is to open-source this function for OpenWrt. The CRC implementation is the most simple way (certainly not the fastest).

#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdint.h>

#define IEEE_802_3_CRC 0xEDB88320
struct mkimage_trailer
{
    char magic[4];
    uint32_t version;
    uint32_t PID;
    uint32_t filesize;
    uint32_t crc32;
    char padding[12];
};

void docrc(uint32_t * crc, unsigned char c)
{
    int i;
    *crc ^= c;
    for (i = 0; i < 8; i++)
        if (*crc & 1) *crc = (*crc >> 1) ^ IEEE_802_3_CRC;
            else *crc >>= 1;
}

int do_trailer(FILE * fin, FILE * fout, const char * nin, const char * nout)
{
    int i;
    struct mkimage_trailer t;
    memset(&t, 0, sizeof(t));
    uint32_t crc = (uint32_t) -1;
    while (!feof(fin)) {
        char c;
        if (fread(&c, 1, 1, fin) != 1) {
            if (feof(fin)) break;
            fprintf(stderr, "\"%s\" read err %d\n", nin, errno);
            return 1;
        }
        docrc(&crc, c);
        t.filesize++;
        if (fwrite(&c, 1, 1, fout) != 1) {
            fprintf(stderr, "\"%s\": write err %d\n", nout, errno);
            return 1;
        }
    }
    strncpy(t.magic, "GMTK", sizeof(t.magic));
    t.version = 1;
    t.filesize += sizeof(t);
    t.PID = 0x1020001lu;
    // note: we compute the CRC of everything, including t.crc32 (= 0 now)
    for (i = 0; i < (int) sizeof(t); i++) docrc(&crc, ((char *) &t)[i]);
    t.crc32 = crc ^ (uint32_t) -1;    // IEEE 802.3 CRC requires a final XOR
    if (fwrite(&t, 1, sizeof(t), fout) != sizeof(t)) {
        fprintf(stderr, "\"%s\" trailer write err: %d\n", nout, errno);
        return 1;
    }
    return 0;
}

int main(int argc, char ** argv)
{
    if (argc != 2) {
        fprintf(stderr, "Usage: %s filename\n", argv[0]);
        return 1;
    }
    const char * nout = "Trailed_LINKSYS_WRTB193N_1.01.36 build 3_US.bin";
    FILE * fin = fopen(argv[1], "rb"), * fout = fopen(nout, "wb");
    if (!fin) {
        fprintf(stderr, "Failed to open \"%s\" for reading\n", argv[1]);
        return 1;
    }
    if (!fout) {
        fprintf(stderr, "Failed to open \"%s\" for writing\n", nout);
        fclose(fin);
        return 1;
    }
    if (do_trailer(fin, fout, argv[1], nout)) {
        fclose(fin);
        fclose(fout);
        return 1;
    }
    fclose(fin);
    fclose(fout);
    return 0;
}

if you don't mind and haven't done so already I'm going to look into making a patch that will put it in as a option of the make menuconfig so i can chose to have it automatically trail the file for me.

I would have looked in to doing it sooner i just didn't want to use Linksys's binary to do it.

Yeah i couldn't find a 2nd port either. There aren't many empty holes on that board if i remember right the ones i found for the 1st serial port were the only ones and honestly don't know if its the right way to hook it up or not i just know it works. This is all very new territory for me i haven't done electronics sense like 6th grade when i was building strobe lights and little audio amps out of kits and such. Then got my computer and all that stuff kinda feel behind but openwrt has sparked a old interest of working with stuff on more of a hardware level So i thank them for that.

ZeroPain

Sure, I haven't done a patch or anything, so I'll be able to use one if you do one. Thanks!

I got openwrt running. Thanks so much ZeroPain for the hints! Now I'll see what I can learn about flash mapping in 2.6.

I had made a patch so you can control the leds but thats the only patch i have made for anything really. Its already been commited to the svn i believe and i think its still in there wasn't anything major but made me happy.

In 2.4 i have a problem with it crashing when i try to use both wireless cards the kernel will panic at various points. I dunno whats different between the drivers being used in openwrt and the ones in dd-wrt but under dd-wrt you can get 260mbit connection over the 2.4 ghz anyways the 5.6ghz maxes out at 130 on there. But it doesn't crash. Just another one of the many things i'm looking into

yeah i got no idea how i would go about adding it to openwrt system

I'm sure it has something to do with the files in /tools/firmware-utils/src
and /usr/src/openwrt-brcm-2.4/target/linux/brcm-2.4/image/Makefile

But pretty sure its above my head for now

Maybe ask the devs? They're busy now, but it's best to ask them, as they are probably specific as to how this stuff is folded in! Not to mention it'd be great if this was included in 808!

(Last edited by napierzaza on 5 Aug 2008, 04:45)

Well, I can reproduce the 2.6 flash error:

Physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank              
 Amd/Fujitsu Extended Query Table at 0x0040                                     
  Unknown Amd/Fujitsu Extended Query version 0.0.                               
gen_probe: No supported Vendor Command Set found                                
Failed to do_map_probe

When it is working in 2.4.35.4, it looks like this:

 Amd/Fujitsu Extended Query Table v0.0 at 0x0040
Physically mapped flash: JEDEC Device ID is 0xE2. Assuming broken CFI table.
Physically mapped flash: Swapping erase regions for broken CFI table.
number of CFI chips: 1
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
Flash device: 0x800000 at 0x1c000000
bootloader size: 262144
Physically mapped flash: Filesystem type: squashfs, size=0x1a70fa
Updating TRX offsets and length:
old trx = [0x0000001c, 0x00000904, 0x0007f800], len=0x00241000 crc32=0x4ba6048f
new trx = [0x0000001c, 0x00000904, 0x0007f800], len=0x00230000 crc32=0xdc6bf58a
Done
Creating 5 MTD partitions on "Physically mapped flash":
0x00000000-0x00040000 : "cfe"
0x00040000-0x007f0000 : "linux"
0x000bf800-0x00270000 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-y
0x007f0000-0x00800000 : "nvram"
0x00270000-0x007f0000 : "rootfs_data"

I can't decide whether the 2.4 message is what I want 2.6 to do also or not.

If it were that simple, just get this file to work on the 2.6 kernel:
kamikaze/target/linux/generic-2.4/patches/005-mtd_flashtypes.patch

But obviously, I'm still just a n00b so this might take some time to figure out.

yeah but i think thats half the fun and why open source works its all the figuring out we get to do and the feeling we get when we finally figure it out. Otherwise i would have just settled on using dd-wrt with optware or something. But i wanted to know and do more so here i am :-P

I'm about to test out a few things i'll let you know what i come up with if anything works

I did a little research, and the 2.6 kernel has the b43 driver in it (for broadcom wireless devices), but it doesn't support the bcm4329 or bcm432a. So even a 2.6 kernel would still use the same wl_mimo proprietary driver, and I don't even know if it works in a 2.6 kernel.

Here is a summary of the hardware and what works/doesn't work:

CPU: 300 MHz bcm4785 rev 2 - working

Flash: Samsung NOR Flash K8D6316ubm (I have the datasheet) - not supported by the 2.6.25 kernel mtd driver, but works fine in 2.4.35.

CFE: version 1.0.37. Loads firmware via TFTP fine, but use the reverse-engineered code in this thread to add a trailer to the .trx, then TFTP it.

package/broadcom-diag: ZeroPain, your patch is in, but has anyone tested whether it identifies the wrt600n v1 correctly? It identifies my wrt600n v1.1 correctly.

Switch: bcm5397 GbE, using the bcm57xx driver. (But since Broadcom is discontinuing the bcm5397, the wrt600n may come with the bcm5395 in the future.) I've tested the VLAN support, and it works. Linux 2.4.36.6 adds GemTek support for QoS, although that's not in the 2.4.35 in OpenWRT svn. robocfg does not have support for bcm539x.

WiFi: Two radios, bcm4329 for 802.11bgn and bcm432a for 802.11an - supported in 2.4.35 using Broadcom proprietary wl_mimo driver. ZeroPain, are you still having speed/throughput problems? I've verified at least that the bcm4329 for 802.11bgn can scan for APs in STA mode.

LEDs: ZeroPain, your patch works great. Power LED can either blink or stay lit. eth port LEDs are green for 100 Mbit and amber for 1000 Mbit. USB LED is controllable (on or off), and the two WiFi encryption indicator LEDs (really four LEDs, a green and amber LED for each) are all independently controllable (on or off).

USB: The bcm4785 has two USB device ports and one USB host port, but only a USB device port is connected up. I don't see how to get the USB modules included in the image (/lib/modules where they should be), but loading them from /tmp works fine.

Here are the USB modules to get, e.g. USB mass storage support and the vfat filesystem. I think ehci-hcd.o is part of USB 2.0. I'm not sure -- it seems unused here but it might be a good idea anyway.

vfat.o                 11340   1
fat.o                  34464   0 [vfat.o]
usb-storage.o          69632   1
sd_mod.o               12500   2
scsi_mod.o             66048   3 [usb-storage.o sd_mod.o]
ehci-hcd.o             20568   0 (unused)
usb-ohci.o             19252   0 (unused)
usbcore.o              71296   0 [usb-storage.o ehci-hcd.o usb-ohci.o]

(Last edited by dch24 on 7 Aug 2008, 08:02)

How much circuitry is missing for those two unwired ports? Does anyone have any photos of that area?

(Last edited by napierzaza on 7 Aug 2008, 15:52)

The pins on the processor are probably a BGA - under the processor on the PCB. The processor is covered with an EMI shield and a heatsink.

Yeah, but some times there are traces that go pretty close by the other port. I've seen this with other routers.

napierzaza: I'll see if I can find the second USB port. It's not hard to take the box apart (thanks, ZeroPain!)

ZeroPain: Your problems with wireless might not be wireless. I don't know what causes it, exactly, but the router gets into a state where it drops more and more packets. It may be when the WAN is on a busy network (so lots of broadcasts?), it may be overheating, I don't know... But I'm not using wireless at all and I'm seeing DNS timing out, long downloads grind to a halt, etc.

More testing needed...

My wireless is the wireless I'm not as  worried about the speed as i am when i try to run both wireless cards with WPA2/AES i get a kernel panic. It seems to crash on other random things having to do with running both cards different encryption's and things but its very random to me. Sometimes it will work for a minute sometimes 30seconds.

I haven't been using mine as my main router its more of a access point with a usb port for the most part. I plan to make it my primary router once i a few more things are stabilized. But for just using the wired interface and usb running the 2.4 kernel its been quite stable for me even when i was using it as a router but my laptop does support wide band 2.4ghz and 5.6ghz. And i have moved things around in my house so its not as easy to always have a network jack near by so I'm relying on it more over the wireless. Which was when i started trying to use the wireless more. I know the driver being used or the firmware openwrt is using is different then the one in the linksys firmware. I don't know what the changes are i just know the version numbers were off.

Openwrt svn trunk: Broadcom BCM%04x 802.11 Wireless Controller 4.150.10.5
its either for the 2.4.35.4 kernel or was compiled on the 2.4.35.4 kernel. i just know when i do a nano wl_mimo.o thats what i see.

Linksys wrt600n_v1.01.36.03 firmware:
Broadcom BCM%04x 802.11 Wireless Controller 4.158.4.0
its weird but the kernel version on this one is 2.4.20 which is the kernel running on that firmware.

That's why i figured there maybe something wrong on a driver level. Because the driver if i remember correctly in openwrt for the wl_mimo is from the wrt300n or wrt350n can't remember were i saw it to look it up again.

I get a decent speed though it its just i know its not registering 260 for me. But the driver should be able to do it for the 2.4ghz card at least because it came from a wrt300N which does 260mb i believe. so its probably just a matter of me figuring out how to tell it to use the wide band. I'm sure its just a option I'm missing.

From what i have been able to tell the only difference between the v1 and the v1.1 is the switch v1 is bcm5397 but v1.1 is bcm5395.
I may have that back words. I'll have to double check but if i remember right that's how i made the patch to detect the difference and i remember reading on dd-wrt's forums they do about the same thing. Has to be detected for settings up vlans according to them. the bcm5397 doesn't have a vlan0 or something to that effect. So on dd-wrt everything is shifted basically vlan0 is vlan1, vlan1 is vlan2 at least that's my understanding.

I don't really know that's just what i have been able to piece together and not so not any kind of expert when it comes to anything with hardware programming or the kernel really. Been a network/server admin and web programmer for a while but mostly just a jack of too many trades :-P

Form what i have read the broadcom driver from 2.4 could never be loaded in 2.6 its why there is a 2.4 still around broadcom is the only one left not supported in 2.6. At least that's what i gather

Oh did you notice during the pci init it also shows a IDE mass storage device just found that interesting.

Well i gotta get back to work and hopefully find some time to play with my wrt600n sometime. It's fun in some weird way

ZeroPain
-- Disclaimer --
It's not my fault if anything i have said causes your router to explode or anything as stated I'm new to all this and honestly kinda surprised i haven't blown my up yet :-P

(Last edited by ZeroPain on 8 Aug 2008, 07:37)

Ok the wireless kernel panic seems to only be happening to me now when i enable the 5.6ghz card. Not sure if its a combination of both cards or just that one going to try to do some tests so i can provide more info.

Data bus error, epc == c0132850, ra == c0132850
Oops in traps.c::do_be, line 385:
$0 : 00000000 1000fc00 c0130550 00000001 81880000 00000000 00002b05 81880c68
$8 : 81881d74 00000001 00000001 00000000 00000000 fffffff9 0000000a 00000000
$16: 81880000 c0218000 81880fa8 81880000 00000024 00000001 81880000 81880fa8
$24: 00000000 c0194718                   81dce000 81dcfa68 00000000 c0132850
Hi : 00000000
Lo : 00000000
epc   : c0132850    Tainted: P 
Status: 1000fc03
Cause : 0000001c
PrId  : 0002901a
Process nas (pid: 447, stackpage=81dce000)
Stack:    c018d580 00000001 81880000 c018d918 81880000 81880000 81880fa8
 81762000 c01a1558 00000004 81880000 81880fa8 81880fa8 81880000 81880fa8
 81880000 00000000 c01948d4 81762000 00000004 0000000a 801519cc 00000085
 81880fb0 00000000 81762000 0000001a 81880fb0 00000002 81762000 c015449c
 c01541cc c0077114 00000007 81dcfc20 c00770c0 81762000 00000004 00000000
 81880fb0 ...
Call Trace:   [<c018d580>] [<c018d918>] [<c01a1558>] [<c01948d4>] [<801519cc>]
 [<c015449c>] [<c01541cc>] [<801421b8>] [<80141a78>] [<801418a8>] [<800023c8>]
 [<800023c8>] [<80021788>] [<801429c8>] [<801429a8>] [<801428bc>] [<c019b8b0>]
 [<80043524>] [<800284a0>] [<800d4204>] [<800d47e8>] [<8004e9c0>] [<800c9e00>]
 [<800c9fcc>] [<80049268>] [<800caaac>] [<80008a60>] [<8005bb0c>]

Code: 24420550  0040f809  00809821 <8e230120> 2404ffff  10640025  00000000  8e220128  10440022 
Kernel panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing
 <0>Rebooting in 3 seconds..Please stand by while rebooting the system...

Looking back at this looks like its something to do with nas maybe if i pull nas out of the latest firmware from linksys it will be updated to handle whatever is causing this i dunno but i'll try it and keep you posted

I'm curious to know what the current state of OpenWrt on the Linksys WRT600N V1.1 is?
Anyone care to enlighten me?

Would someone please share the working image for WRT600N v1.1 (WRT600NV11)? I used mkimage on a few official trx files (e.g. http://downloads.openwrt.org/backfire/1 … ashfs.trx), and tried to flash the generated bin using both tftp and linksys webgui, but it didn't work, it didn't respond to ping.

I haven't been able to get to a fully functioning image... the best I've been able to get to is by using the "brcm-2.4" (ie. broadcom 2.4 kernel based) kamikaze 8.09.2 imagebuilder.  I unfortunately don't have serial console on the box (and it's also currently on the other side of an ocean...).
I had no luck whatsoever with backfire.

http://downloads.openwrt.org/kamikaze/8 … 86.tar.bz2

You need to convert the trx to broadcom format (if you want to flash via tftp), using:

#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdint.h>

#define IEEE_802_3_CRC 0xEDB88320
struct mkimage_trailer {
  char magic[4];
  uint32_t version;
  uint32_t PID;
  uint32_t filesize;
  uint32_t crc32;
  char padding[12];
};

void docrc(uint32_t * crc, unsigned char c)
{
  int i;
  *crc ^= c;
  for (i = 0; i < 8; i++)
    if (*crc & 1) *crc = (*crc >> 1) ^ IEEE_802_3_CRC;
    else *crc >>= 1;
}

int do_trailer(FILE * fin, FILE * fout, const char * nin, const char * nout)
{
  int i;
  struct mkimage_trailer t;
  memset(&t, 0, sizeof(t));
  uint32_t crc = (uint32_t) -1;
  while (!feof(fin)) {
    char c;
    if (fread(&c, 1, 1, fin) != 1) {
      if (feof(fin)) break;
      fprintf(stderr, "\"%s\" read err %d\n", nin, errno);
      return 1;
    }
    docrc(&crc, c);
    t.filesize++;
    if (fwrite(&c, 1, 1, fout) != 1) {
      fprintf(stderr, "\"%s\": write err %d\n", nout, errno);
      return 1;
    }
  }
  strncpy(t.magic, "GMTK", sizeof(t.magic));
  t.version = 1;
  t.filesize += sizeof(t);
  t.PID = 0x1020001lu;
  // note: we compute the CRC of everything, including t.crc32 (= 0 now)
  for (i = 0; i < (int) sizeof(t); i++) docrc(&crc, ((char *) &t)[i]);
  t.crc32 = crc ^ (uint32_t) -1;    // IEEE 802.3 CRC requires a final XOR
  if (fwrite(&t, 1, sizeof(t), fout) != sizeof(t)) {
    fprintf(stderr, "\"%s\" trailer write err: %d\n", nout, errno);
    return 1;
  }
  return 0;
}

int main (int argc, char ** argv)
{
  if (argc != 2) {
    fprintf(stderr, "Usage: %s filename\n", argv[0]);
    return 1;
  }
  const char * nout = "Trailed_LINKSYS_WRTB193N_1.01.36 build 3_US.bin";
  FILE * fin = fopen(argv[1], "rb"), * fout = fopen(nout, "wb");
  if (!fin) {
    fprintf(stderr, "Failed to open \"%s\" for reading\n", argv[1]);
    return 1;
  }
  if (!fout) {
    fprintf(stderr, "Failed to open \"%s\" for writing\n", nout);
    fclose(fin);
    return 1;
  }
  if (do_trailer(fin, fout, argv[1], nout)) {
    fclose(fin);
    fclose(fout);
    return 1;
  }
  fclose(fin);
  fclose(fout);
  return 0;
}

I can get functioning wired networking + one functioning wifi device (not sure about stability).
Getting wired networking up requires overriding the network config file so it has a proper vlan configuration.
I believe as soon as you enable the second wifi, you get a kernel crash or something bad happens.

ie. /etc/config/network in the built image (straight on the root file system) has to contain something along the lines of (single vlan config - no wan port) - I believe the important point is to not use 'vlan0' (doesn't work?) and that the cpu is port 8 (not 5), while the remaining ports are 0-4 (I think wan is 4, but can't remember).

#### VLAN configuration
config switch eth0
        option vlan1    "0 1 2 3 4 8"
        option vlan2    "8*"


#### Loopback configuration
config interface loopback
        option ifname   "lo"
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0


#### LAN configuration
config interface lan
        option type     bridge
        option ifname   "eth0.1"
        option proto    static
        option ipaddr   10.0.0.200
        option netmask  255.255.255.0
        option gateway  10.0.0.1
        option dns      "10.0.0.1 8.8.8.8 8.8.4.4"

While /etc/config/wireless in the built image could contain:

config wifi-device  wl0
        option type     broadcom
        option channel  5

config wifi-iface
        option device   wl0
        option network  lan
        option mode     ap
        option ssid     SSID
        option hidden   0
        option isolate  0
        option encryption psk2
        option key      KEY

(Last edited by MaZe on 12 Jun 2011, 16:00)

Once you extract the image builder, and create a new empty directory ${ROOTFS_OVERRIDE}, and put /etc/config/network in at ${ROOTFS_OVERRIDE}/etc/config/network (etc for wireless) you should be able to build via:

PACKAGES='kmod-brcm-wl-mimo wlc nas kmod-wlcompat kmod-brcm-57xx kmod-brcm-57xx ip'

(adding 'kmod-usb-core kmod-usb-ohci kmod-usb2' above might be the beginning of usb support)

make image PROFILE=None PACKAGES="${PACKAGES}" FILES="${ROOTFS_OVERRIDE}"

which should generate a "bin/openwrt-brcm-2.4-squashfs.trx" file.

Once you have a bin file (generated from the trx with the above program), you should be able to flash it via:

DEV=eth0
sudo ip addr add 192.168.1.2/16 broadcast + dev "${DEV}"
tftp -4 -v -l -m binary 192.168.1.1 -c put 'Trailed_LINKSYS_WRTB193N_1.01.36 build 3_US.bin'
# now you powercycle the WRT600N v1.1
sudo ip addr del 192.168.1.2/16 broadcast + dev "${DEV}"

(and now you cross your fingers and pray...)