1 (edited by Marek 2008-10-09 10:05:50)

Topic: OpenWRT Kamikaze on TP-link tl-wa501g?

I bumped similar thread on Whiterussian forum but i think this is right place for this.

I'm interested in flashing tp-link tl-wa501g with OpenWRT. It's very cheap AP (~$30) based probably on atheros AR2313 chipset - manufaturer claims that it is Atheros based and the size of metal covering CPU suggest me that it is really WiSOC.

I found one PCB photo but with metioned cover on main chips..:
http://www.nag.ru/goodies/foto/wireless/tl_wa501g/001.jpg

Anyone tried to flash it with some recent Kamikaze Atheros port?

Marek

2 (edited by TAXI 2008-12-18 03:38:57)

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

I'm interested in that, too.
If anyone had tried it: PLEASE reply!

//EDIT: I opened my AP and googled for the chips wink
It seems that this AP has 8 MB RAM - but I can't find any flash chip! here again what i could read:

---------------------
ELPIDA TAIWAN
S6416AHTA-75-E
0815CR366000
---------------------
this is the RAM chip wink

---------------------
F0814R
AMC34063AM
---------------------
DC-DC converter (wtf?)

---------------------
AFM9435
XX38V
---------------------
not found yet ^^

---------------------
(logo)-15G
25L1605AM2C
2T780803A3
TAIWAN
L070724
---------------------
font size extreme small, could be something other also ^^ - not found yet

---------------------
PPT 08065
PM45-1041M-F
---------------------
not found yet but it don't seems to be interresting (some LAN chip like the realtek I think)

P.S: mine is a rev. 1.3 board, not 1.2 like on the image wink

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

Hi!! i have this model.

http://lh6.ggpht.com/_ZYKGnyKzkPQ/So1pUNvUI8I/AAAAAAAAAFc/Gd2EgBBtnxo/s640/LGIM0005.jpg
http://lh4.ggpht.com/_ZYKGnyKzkPQ/So1pUkhM4XI/AAAAAAAAAFg/jau_BoAuFIU/s640/LGIM0006.jpg
http://lh6.ggpht.com/_ZYKGnyKzkPQ/So1pUwRZLnI/AAAAAAAAAFk/W8-QMgOKBqk/s640/LGIM0008.jpg

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

Atheros bulletin

http://www.atheros.com/pt/bulletins/AR5006AP_GBulletin.pdf

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

TAXI wrote:

---------------------
F0814R
AMC34063AM
---------------------
DC-DC converter (wtf?)

This makes the power for the unit. The unit is powerd by a relatively hi, unregulated AC voltage (like 12 V or so) from an transformer that plugs into mains. This generates the required voltages (like 1.3V, 2.5V, 3.3V)

TAXI wrote:

---------------------
(logo)-15G
25L1605AM2C
2T780803A3
TAIWAN
L070724
---------------------
font size extreme small, could be something other also ^^ - not found yet

This is the flash - A serial SPI flash. 16 Mbit. Look for 25P16, MX25L1605A, or similar.

6 (edited by zorxd 2010-03-26 18:41:24)

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

If it really has only 8MB RAM, then I don't think it is worth much for OpenWRT.
If it has only 2MB flash, then it just won't work.

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

I have a running Kamikaze 8.09.2 on similar setup (tl-wr340g 2/8Mb ar2317).

Btw, guys, what are you expect to get from this device with Linux?

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

xssa wrote:

I have a running Kamikaze 8.09.2 on similar setup (tl-wr340g 2/8Mb ar2317).

Btw, guys, what are you expect to get from this device with Linux?

I have a tl-wa500g with same specs. I'm interested in flashing my router also, how did you manage to flash it ?

9 (edited by xssa 2010-04-24 22:46:07)

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

I'm starting from spipgm (very useful utility to read and flash SPI flash chips through LPT port). Now I'm working on flashing via tp-link WEB.

PS. What are you mean same specs?

10 (edited by degenerated 2010-04-25 17:14:37)

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

xssa wrote:

I'm starting from spipgm (very useful utility to read and flash SPI flash chips through LPT port). Now I'm working on flashing via tp-link WEB.

PS. What are you mean same specs?

AR2317 and 2MB flash / 8MB ram

details:

TP-LINK TL-WA500G

cpu   ATHEROS AR2317-AC1A
flash SPANSION FLO16AIF
ram  WINBOND W9864G61H-6

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

xssa wrote:

I'm starting from spipgm (very useful utility to read and flash SPI flash chips through LPT port). Now I'm working on flashing via tp-link WEB.

Is it necessary to desolder the flash to use spipgm? What exactly did you write to your flash? (link?) Is everything working as expected?
Thanks

12 (edited by xssa 2010-04-25 21:22:40)

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

Ok, guys. To reflash MX25L1605D you need to desolder pins 1,2,5,6 and make connection between pins 8-3. google spipgm homepage for more details. But be patient - reverce engeneering work on native WEB capable "vxkiller" is mostly done. Any help on building killer scripts are welcome. I'm using custom build MicroRedBoot - thus save 128 kB of flash space and custom build kamikadze 8.09.2. There are some limitations in available flash space ;-) so to save it there is no WEB, no ppp in my setup (only telnet and ssh), 88e6060 switch is not working as expected - it is detected as generic PHY. I think switch routines can be fixed in future but it is not in my priority list for now. WEB interface can be added also (there are also some free space in image). Wireless interface is working well, wired is working as 5port switch on eth0.
As you can see, you need to be familiar with soldering iron, redboot and openwrt linux CLI (uci and so on) to switch OS on your router/AP to linux.
degenerated  - can you post internal photos?

13 (edited by mvsroot 2010-04-26 18:13:16)

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

xssa wrote:

But be patient - reverce engeneering work on native WEB capable "vxkiller" is mostly done. Any help on building killer scripts are welcome. I'm using custom build MicroRedBoot - thus save 128 kB of flash space and custom build kamikadze 8.09.2. There are some limitations in available flash space ;-) so to save it there is no WEB, no ppp in my setup (only telnet and ssh), Wireless interface is working well, wired is working as 5port switch on eth0.

This sounds great. I think I'll should wait until flashing via tp-link WEB is ready. I am an experienced  Linux administrator but I am new to OpenWrt so I am not sure if I can help but I can take a look at it if you post your sources somewhere. Is there a Wiki about "vxkiller" available on the net? I've googled vxkiller but don't find anything usefull to start.
Do you think it'll be possible to revert to the original firmware without spipgm? (Just in case of a needed repair. My tl-wr340g is just 1 week old.)
Thanks.

Edit: I know that the OS of this router is VxWorks by Wind River Systems. I think that is the meaning of "vxkiller". The name of this program is usually Vxworkskiller.

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

Is it possible to upgrade TP-Link TL-WR340G with the latest Kamikaze firmware though the TP-Link's web interface or somehow else?

15 (edited by xssa 2010-04-28 15:55:45)

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

Guys.

Work on vxkiller is done.
Upgrade your TL-WR340G through TP-Link's web.
After second reboot you can telnet 192.168.1.1 onto (very striped) OpenWrt 10.03 and enjoy.
RedBoot interface is accesable on telnet 192.168.1.1:9000 when you poweron your device with pressed reset key.
For reverting back to VxWorks use vxrestore and read carefully what it says ;-)

http://78.109.17.98/files/klients/prices/2864/606fe38dda4014fb8f16b9b8a27cee3e.rar
Ooops! Where can I post binary image on this forum?

PS. It seems to be compatible with TL-WA500G  but I can't check this due luck of such hardware to test.
Native WA500G firmware runs well on WR340G (client mode) ;-)

Edit: Added link to file

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

xssa: I've tried your firmware, now I can't connect to my router by cable (but lamp on the router is blinking). I've tried to reset, but nothing happens. Is it possible somehow to recover the router?

Thanks,
Dmitry

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

dmitryp,
Sorry for inconviniance, may be I gave incomplete description about this linux, or you don't read carefully all discussion before.

Tp_Link TL-WR340G/D and any other Tp-links with vxworks onboard is not stated anywhere as supported devices and until yesterday there was no opportunity to work with it w/o soldering and flashing bootloader and linux into chip directly.

There is also no way to flash production OpenWrt through TP-Link's WEB directly, because of many limitations and most of it is it can accept only images less then 1179648 bytes long(hardcoded in firmware) and even less in practice.

What I gave for community is NOT a production firmware!!! There are no working DHCP server on this image, no WiFi, no WEB, no SSH and rootfs is not writable in sense of saving changes on reboot - it's aim is only to fit it into specs TP-Link's web can accept it, reflash bootloader, prepare eeprom  and give you, guys, starting point to put your own Linux images on it w/o soldering and so on. And let you start coding. There is also oportunity in it to revert all back to original VxWorks, as was asked by mvsroot ;-)

Use it on your own risk and without any warranties!

dmitryp wrote:

...(but lamp on the router is blinking)...

Exactly describe, what lamp and when it blinking? How did you try to connect to your device?

So start to read docs about OpenWrt, Linux, RedBoot, download Backfire or Kamikadze sources, try to build something for your device by yourself and share your knowlage here.

WiP - stay tuned.

Is it possible somehow to recover the router?

WARNING!!! Reflashing bootloader area (0xbfc00000-0xbfc10000 space in RedBoot or mtd0 named RedBoot on Linux) with wrong image 100% will brick your router completly and you'll need spipgm and soldering iron on next step. So be carefull. If you can't prepare vxworks.raw by yourself - ask and I'll give you one.

Connect your router to your pc by ethernet cable, asign static IP to your PC - 192.168.1.10 netmask 255.255.255.0
try to
ping 192.168.1.1
telnet 192.168.1.1

=== IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
------------------------------------------


BusyBox v1.15.3 (2010-04-26 19:06:00 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
|_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
Backfire (10.03, r20974) --------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua
  * 1/3 shot Bailey's  on the bottom, then Bailey's,
  * 1/3 shot Vodka     then Vodka.
---------------------------------------------------
root@OpenWrt:/# vxrestore
3+0 records in
3+0 records out
2048+0 records in
2048+0 records out
Unlocking radio ...
Writing from /tmp/radio.rom to radio ...
Unlocking board ...
Writing from /tmp/mac.rom to board ...
All eeprom stuff is done!

        Now for reverting back to VxWorks you need to:
        1) prepare raw VxWorks image from correct firmware update image
            by truncating first 20 bytes of it's header
            Be CAREFULL - choosing wrong image will brick your device!!!
        2) put raw image into working TFTP server directory, say vxworks.raw
        3) restart your unit with pressed RESET key for !!!LESS then 5 sec!!!
            be carefull, do not let to start this linux again because
            it will revert board eeprom to linux version on restart
        4) telnet to 192.168.1.1:9000
        5) in RedBoot prompt do
RedBoot> ^C
RedBoot> ip_address -h 192.168.1.10                                                              // your TFTP server IP
IP: 192.168.1.1, Default server: 192.168.1.10
RedBoot> load -r -b %{FREEMEMLO} vxworks.raw
Using default protocol (TFTP)
Raw file loaded 0x80033800-0x8010e587, assumed entry at 0x80033800
RedBoot> fis write -b %{FREEMEMLO} -l 0x120000 -f 0xbfc00000
* CAUTION * about to program FLASH
            at 0xbfc00000..0xbfd1ffff from 0x80033800 - continue (y/n)? y              // carefully wait here about a one-two minute for complition
... Erase from 0xbfc00000-0xbfd20000: ..................
... Program from 0x80033800-0x80153800 at 0xbfc00000: ..................
RedBoot>reset
        enjoy old days of VxWorks smile
root@OpenWrt:/#

Thanks.

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

I have Tp-Link wr340g v5.3. Connected to it with a cable by a lan 1 port, put .bin file into file input and pressed upgrade button. It started to upgrade, progress bar was moving. After around 1 minute, it self-restarted (after that only power and lan lamps were on). Then switched it off, and tried to connect. I though it should have DHCP, and tried to hard reset several times. Then I've tried to connect it using a static IP: ping doesn't work. Power lamp is on, and lan (1) lamp is blinking when I'm connected using a cable. Also just tried to connect by a wan port, using static IP - still nothing. I think now it's bricked, so I still have a question - is it possible somehow to reset or do something else to unbrick the router?

19 (edited by xssa 2010-04-29 13:10:30)

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

What did U meen "..and tried to connect", "..tried to hard reset several times" "..tried to connect it using a static IP: ping doesn't work"? Screenshots can be useful.
How much skilled are you?
Did you hear smth about telnet, tcp port 23, tcp port 9000? Where did you find "v5.3"? On sticker? Somewere else? There is only one publically available hw version of Tp-link wr340g as you can state on tplink downloads site.

There is console port inside on the bosrd, speed 115200, TTL levels. It can give some light what actually happens.
But first of all, make shure it restarts twice after upgrade. On first run it starts with wrong MAC addres, so ethernet not works as expected. Power up device, dont touch anything about a minute and a half, wait and look on the LEDS - it will blink and down/up network interface several times. Give chance to vxkiller to make all his job (about a minute) and then it will automatically reboot device. You'll see it on leds. Then wait second time a minute then you can try to connect with TELNET to 192.168.1.1 port 23

PS. on bricked router there will be network interface in down state and PWR,WAN,1,2,3,4 leds are light and not blink at all.

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

xssa wrote:

What I gave for community is NOT a production firmware!!! There are no working DHCP server on this image, no WiFi, no WEB, no SSH and rootfs is not writable in sense of saving changes on reboot - it's aim is only to fit it into specs TP-Link's web can accept it, reflash bootloader, prepare eeprom  and give you, guys, starting point to put your own Linux images on it w/o soldering and so on. And let you start coding. There is also oportunity in it to revert all back to original VxWorks, as was asked by mvsroot ;-)

Thanks for your work. I haven't tried it yet mostly because of "no WiFi". What is the difference between the downloadable version and this version:

xssa wrote:

Wireless interface is working well, wired is working as 5port switch on eth0.

?
I think I have to read the openwrt docu now. It shouldn't be a problem for me to compile programs for this router because I've done cross compilations many times (for example for the WDTV and WDTV Live or the Dreambox)
Thanks

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

Any success, guys?

mvsroot wrote:

Thanks for your work. I haven't tried it yet mostly because of "no WiFi". What is the difference between the downloadable version and this version:

xssa wrote:

Wireless interface is working well, wired is working as 5port switch on eth0.

?

You can not go any further without reflashing bootloader first. Answer is simple - wireless will not fit in <1,1MB "vxkiller" image. Production images can only be flashed from RedBoot or from Linux itself, or ,of course, by spipgm. So this is an egg. Then will be a chiken. ;-)

Thanks

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

xssa wrote:

Any success, guys?

mvsroot wrote:

Thanks for your work. I haven't tried it yet mostly because of "no WiFi". What is the difference between the downloadable version and this version:

xssa wrote:

Wireless interface is working well, wired is working as 5port switch on eth0.

?

You can not go any further without reflashing bootloader first. Answer is simple - wireless will not fit in <1,1MB "vxkiller" image. Production images can only be flashed from RedBoot or from Linux itself, or ,of course, by spipgm. So this is an egg. Then will be a chiken. ;-)

Thanks

Sure I know. But I have no "production image" so I can flash your boot loader and restore vxworks but I can't use WiFi before I've compiled a "production image" by myself or you post your running version somewhere (RapidShare?). I am not familiar with Redboot so it would be great if you could post instructions how to flash a "production image". I think this is not very different from restoring vxworks. I should be extremely cautious because I don't have spipgm to unbrick my router and I can't use my nook without WiFi.
Thanks

23 (edited by mvsroot 2010-05-03 13:10:28)

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

xssa wrote:

Any success, guys?

You can not go any further without reflashing bootloader first. Answer is simple - wireless will not fit in <1,1MB "vxkiller" image. Production images can only be flashed from RedBoot or from Linux itself, or ,of course, by spipgm. So this is an egg. Then will be a chiken. ;-)

Thanks

I've flashed your image to my router and it works absolutely fine. Thanks again! There is still one thing missing in this image: I haven't found a way to transfer files to the router except TFTP in RedBoot. It would be great to add a ftp client or server or a nfs client or a tftp client or .... to this image.
Could you please post your configuration (.config) of this image and your  "production image" to this forum or drop me an email or PN. What is the maximum file size for a "production image" (NOT updated in the WEB dialog)? In my router is only appr. 1 MB RAM available so it shouldn't be possible to flash in Linux without killing some running tasks.

Btw. I am pretty sure that dmitryp can recover his router in RedBoot without any problems

Edit: Forget about my wish to add ftp etc. to this image because I found Netcat (nc) installed.

24 (edited by xssa 2010-05-03 22:19:43)

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

Sounds good.

My miss. I was not check out default busybox config in Backfire on building vxkiller. I think it's conviniant to stay with tftp in linux because it is used by RedBoot and optionaly used in tp-link's updates. It is easy to obtain it and run only one server on the host during update process. Also, tftpd32.exe is included in many tp-link fw update zip's. So I am about to include tftp in next version of "vxkiller". Maximum size for images is 2048-64(RedBoot)-64(eeprom)-64(optionally FIS) = 1920/1856kB. It can be divided onto 2 parts, in particular it is 640/704kB for kernel/rootfs for now. Can pipes save the world? Can you check if wget is still there?

Tommorow I'll try to put all configs and images together and put it there on the forum.

Edit: I found this http://wiki.x-wrt.org/index.php/Kamikaze_Installation can be very usefull in learning of RedBoot.

Re: OpenWRT Kamikaze on TP-link tl-wa501g?

xssa wrote:

Sounds good.

My miss. I was not check out default busybox config in Backfire on building vxkiller. I think it's conviniant to stay with tftp in linux because it is used by RedBoot and optionaly used in tp-link's updates. It is easy to obtain it and run only one server on the host during update process. Also, tftpd32.exe is included in many tp-link fw update zip's. So I am about to include tftp in next version of "vxkiller". Maximum size for images is 2048-64(RedBoot)-64(eeprom)-64(optionally FIS) = 1920/1856kB. It can be divided onto 2 parts, in particular it is 640/704kB for kernel/rootfs for now. Can pipes save the world? Can you check if wget is still there?

Tommorow I'll try to put all configs and images together and put it there on the forum.

Edit: I found this http://wiki.x-wrt.org/index.php/Kamikaze_Installation can be very usefull in learning of RedBoot.

Thanks for the update. I don't use Windows so I can't use tftpd32.exe but it is no problem to use tftp in Linux. Wget is there too (I just didn't see it) and works fine but I prefer nc (Netcat) because it works in both directions and don't need a running ftp or web server.