1 (edited by whiskas 2009-10-26 19:57:13)

Topic: WNDR3700 exploration

I have a Netgear wndr3700 and am willing to serve as a guinea pig, to get openWrt running on it.

I've already attached a Nokia CA-42 cable for serial access. For those willing to follow, here is a picture: http://img387.imageshack.us/img387/606/26102009417.th.jpg.
And here is the boot output:

U-Boot 1.1.4DNI1.6 (May 22 2009 - 16:37:44)

WNDR3700U (ar7100) U-boot 0.0.12
DRAM:  b8050000: 0xc0140180
64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 315k for U-Boot at: 83fb0000
Reserving 192k for malloc() at: 83f80000
Reserving 44 Bytes for Board Info at: 83f7ffd4
Reserving 36 Bytes for Global Data at: 83f7ffb0
Reserving 128k for boot params() at: 83f5ffb0
Stack Pointer at: 83f5ff98
Now running in RAM - U-Boot at: 83fb0000
id read 0x100000ff
flash size 8MB, sector count = 128
Flash:  8 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
CHH:mac: 0 if: 2
CHH:mac:verify: 0 if: 00000002
: cfg1 0xf cfg2 0x7014
eth0: 00:24:XX:XX:XX:XX
eth0 up
CHH:mac: 1 if: 1
CHH:mac:verify: 1 if: 00000001
: cfg1 0xf cfg2 0x7014
eth1: 00:24:XX:XX:XX:XX
eth1 up
eth0, eth1
Trying eth0
: unit 0 phy is up...RGMii 1000Mbps full duplex
#259:ag7100_set_mac_from_link
: pll reg 0x18050010: 0x11110000
: cfg_1: 0x1ff0000
: cfg_2: 0x3ff
: cfg_3: 0x8001ff
: cfg_4: 0xffff
: cfg_5: 0xfffef
: done cfg2 0x7215 ifctl 0x40605060 miictrl 0x22

 Client starts...[Listening] for ADVERTISE...TTT
Retry count exceeded; boot the image as usual

 nmrp server is stopped or failed !
Hit any key to stop autoboot:  0
   Verifying Checksum ... OK
### SQUASHFS loading 'image/uImage' to 0x80800000
### SQUASHFS load complete: 939504 bytes loaded to 0x80800000
## Booting image at 80800000 ...
   Image Name:   Linux Kernel Image
   Created:      2009-08-26   9:29:14 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    939440 Bytes = 917.4 kB
   Load Address: 80002000
   Entry Point:  80297000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80297000) ...
## Giving linux memsize in bytes, 67108864

Starting kernel ...

Linux version 2.6.15 (ronger@ronger-desktop) (gcc version 3.4.4 (OpenWrt-2.0)) #1 Wed Aug 26 17:29:04 CST 2009
flash_size passed from bootloader = 8
CPU revision is: 00019374
Determined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Built 1 zonelists
Kernel command line: console=ttyS0,115200 root=31:09 rootfstype=squashfs init=/etc/preinit mtdparts=ar7100-nor0:320k(uboot),128k(env),7296k(rootfs),64k(config),64k(config_bak),64k(pot),64k(traffic_meter),128k(language),64k(caldata),7471040@458816(mount_fs)
Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
PID hash table entries: 512 (order: 9, 8192 bytes)
Using 340.000 MHz high precision timer.
Console: colour dummy device 80x25
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 61952k/65536k available (2151k kernel code, 3536k reserved, 488k data, 132k init, 0k highmem)
Mount-cache hash table entries: 512
Checking for 'wait' instruction...  available.
NET: Registered protocol family 16
WLAN ON/OFF button is pressed..
SCSI subsystem initialized
usbcore: registered new driver usbfs
usbcore: registered new driver hub
AR7100 GPIOC major 0
Initializing usb led semaphore
squashfs: version 3.0 (2006/03/15) Phillip Lougher
Initializing Cryptographic API
io scheduler noop registered
io scheduler deadline registered
Serial: 8250/16550 driver $Revision: #1 $ 4 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x0 (irq = 19) is a 16550A
RAMDISK driver initialized: 1 RAM disks of 8192K size 1024 blocksize
10 cmdlinepart partitions found on MTD device ar7100-nor0
Creating 10 MTD partitions on "ar7100-nor0":
0x00000000-0x00050000 : "uboot"
0x00050000-0x00070000 : "env"
0x00070000-0x00790000 : "rootfs"
0x00790000-0x007a0000 : "config"
0x007a0000-0x007b0000 : "config_bak"
0x007b0000-0x007c0000 : "pot"
0x007c0000-0x007d0000 : "traffic_meter"
0x007d0000-0x007f0000 : "language"
0x007f0000-0x00800000 : "caldata"
0x00070040-0x00790000 : "mount_fs"
mtd: partition "mount_fs" doesn't start on an erase block boundary -- force read-only
10 Dec 2004 USB 2.0 'Enhanced' Host Controller (EHCI) Driver (AR7100_EHCI)
In ar7100_ehci_drv_probe
probing ehci...
hcd->regs is 0xbb000000
ehci->caps is 0xbb000000
ehci->caps->hc_base is 0x1000010
ar7100-ehci ar7100-ehci.0: AR7100 EHCI
ar7100-ehci ar7100-ehci.0: new USB bus registered, assigned bus number 1
ar7100-ehci ar7100-ehci.0: irq 3, io mem 0x1b000000
hcc_params addr 0xbb000008 val 0xa020 hcs_params addr 0xbb000004 val 0x1212
ar7100-ehci ar7100-ehci.0: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
...probing done
2005 April 22 USB 1.1 'Open' Host Controller (OHCI) Driver (ar7100_ohci)block sizes: ed 64 td 64
In ohci_hcd_ar7100_drv_probeprobing...
ar7100-ohci ar7100-ohci.0: new USB bus registered, assigned bus number 2
ar7100-ohci ar7100-ohci.0: irq 22, io mem 0x1c000000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
probing done
Initializing USB Mass Storage driver...
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
usbcore: registered new driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial support registered for generic
usbcore: registered new driver usbserial_generic
drivers/usb/serial/usb-serial.c: USB Serial Driver core
u32 classifier
    Perfomance counters on
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 2, 16384 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
ip_conntrack version 2.4 (512 buckets, 4096 max) - 228 bytes per conntrack
ip_conntrack_rtsp v0.6.21 loading
ip_nat_rtsp v0.6.21 loading
ip_tables: (C) 2000-2002 Netfilter core team
IPP2P v0.8.2 loading
DNIFILTER loading
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
Ebtables v2.0 registered
ar7100wdt_init: Registering WDT success
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 132k freed
Warning: unable to open an initial console.
Algorithmics/MIPS FPU Emulator v1.5
init started:  BusyBox v1.4.2 (2009-08-26 17:05:42 CST) multi-call binary
Loading data from /dev/mtd/3 ...
The data configuration is Valid
The data center is Running ...
ipt_CONENAT: module license 'unspecified' taints kernel.
sed: /etc/modules.d/20-dnirtsp: No such file or directory
ip_conntrack_pptp version 3.1 loaded
ip_nat_pptp version 3.0 loaded
Generating Rules...
Done!
fuse init (API version 7.8)
fuse distribution version: 2.7.4
POT is Running...
POT is Finished!!!
The POT-(Get/Set) Demo is Running ...
sn:22R1985L00A2D
SN: 22R1985L00A2D
dni-qos module init at dev:eth1, real_dev:eth1
/home/ronger/release/wndr3700-35/build_mips/linux-2.6-wndr3700u/rtl8366s/switch-core.c #172:switch_init
/home/ronger/release/wndr3700-35/build_mips/linux-2.6-wndr3700u/rtl8366s/switch-core.c #177:switch_init
/home/ronger/release/wndr3700-35/build_mips/linux-2.6-wndr3700u/rtl8366s/switch-core.c #181:switch_init
/home/ronger/release/wndr3700-35/build_mips/linux-2.6-wndr3700u/rtl8366s/switch-core.c #201:switch_init
/home/ronger/release/wndr3700-35/build_mips/linux-2.6-wndr3700u/rtl8366s/switch-core.c #203:switch_init
/home/ronger/release/wndr3700-35/build_mips/linux-2.6-wndr3700u/rtl8366s/switch-core.c #210:switch_init init succeeds
AG7100: Length per segment 512
AG7100: Max segments per packet 4
AG7100: Max tx descriptor count    400
AG7100: Max rx descriptor count    252
AG7100: fifo cfg 3 018001ff
AG7100CHH: Mac address for unit 0
AG7100CHH: 00:24:XX:XX:XX:XX
AG7100CHH: Mac address for unit 1
AG7100CHH: 00:24:XX:XX:XX:XX
init the qos
NET-LAN: Default WAN MAC is : 00:24:XX:XX:XX:XX
AG7100: unsupported ioctl
device eth0 entered promiscuous mode
number of br ports=1
NET-LAN: Default LAN MAC is : 00:24:XX:XX:XX:XX
ag7100_ring_alloc Allocated 4800 at 0x83de8000
ag7100_ring_alloc Allocated 3024 at 0x83f7a000
CHH:mac:verify: 0 if: 00000002
AG7100: cfg1 0xf cfg2 0x7014
AG7100: unit 0 phy is up...RGMii 1000Mbps full duplex
AG7100#1000:ag7100_set_mac_from_link
AG7100: pll reg 0x18050010: 0x11110000
AG7100: cfg_1: 0x1ff0000
AG7100: cfg_2: 0x3ff
AG7100: cfg_3: 0x18001ff
AG7100: cfg_4: 0xffff
AG7100: cfg_5: 0xfffef
AG7100: done cfg2 0x7215 ifctl 0x0 miictrl 0x22
Writing 4
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
/home/ronger/release/wndr3700-35/build_mips/linux-2.6-wndr3700u/kmod-ar7100-watchdog/watchdog.c #25:ar7100_reset_watchdog AR7100 HW watchdog enabled
udhcp server (v0.9.8) started
The attached devices demo is Running ...
killall: miniupnpd: no process killed
killall: utelnetd: no process killed
killall: telnetenable: no process killed
Jan  1 00:00:09 miniupnpd[969]: listening on 192.168.1.1:5555
The telnetenable is running ...
Deleting static route ... Done!
Adding static route ... Done!
ag7100_ring_alloc Allocated 4800 at 0x8394e000
ag7100_ring_alloc Allocated 3024 at 0x8394c000
CHH:mac:verify: 1 if: 00000000
AG7100: cfg1 0xf cfg2 0x7014
AG7100: unit 1: phy not up carrier 1
AG7100: WAN Rx Hang Detected 1 times!
Writing 6
ADDRCONF(NETDEV_UP): eth1: link is not ready
ag7100_ring_free Freeing at 0x8394e000
ag7100_ring_free Freeing at 0x8394c000
ag7100_ring_alloc Allocated 4800 at 0x8394e000
ag7100_ring_alloc Allocated 3024 at 0x8394c000
CHH:mac:verify: 1 if: 00000000
AG7100: cfg1 0xf cfg2 0x7014
Writing 6
ADDRCONF(NETDEV_UP): eth1: link is not ready
udhcp client (v0.9.8) started
traffic_meter config_update : killall: traffic_meter: no process killed
.
killall: ntpclient: no process killed
time zone index is : 0
Run NTP Client with setting: pri:time-g.netgear.com sec:time-h.netgear.com
Jan  1 00:00:15 miniupnpd[969]: received signal 15, good-bye
Jan  1 00:00:18 miniupnpd[1063]: listening on 192.168.1.1:5555
/etc/rc.d/rc.wlan: /etc/rc.d/rc.wlan: 56: uname: not found
Args: 1
ath_hal: 0.9.17.1 (AR5416, REGOPS_FUNC, WRITE_EEPROM, 11D)
wlan: 0.8.4.2 (Atheros/multi-bss)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
insmod: ath_dfs.ko: no module by that name found
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
ath_pci: 0.9.4.5 (Atheros/multi-bss)
!!!!! SC Callback Registration for wifi0
wifi0: Atheros 9280: mem=0x10000000, irq=48 hw_base=0xb0000000
!!!!! SC Callback Registration for wifi1
wifi1: Atheros 9280: mem=0x10010000, irq=49 hw_base=0xb0010000
wlan: mac acl policy registered
wlan_me: Version 0.1
Copyright (c) 2008 Atheros Communications, Inc. All Rights Reserved
Creating ap for NETGEAR on
Added ath0 mode master
Interface doesn't accept private ioctl...
HALDbg (8BE0): Operation not permitted
The command noedgech needs exactly 1 argument(s)...
Invalid command : ampdumin
Created ath0 mode ap for NETGEAR
lo        no wirelAG7100: unsupported ioctl
AG7100: unsupported ioctl


sit0      no wireless extensions.

br0       no wireless extensions.

eth0      no wireless extensions.

eth1      no wireless extensions.

wifi0     no wireless extensions.

wifi1     no wireless extensions.

Modules already loaded
Creating ap for NETGEAR-5G on
Added ath1 mode master
Interface doesn't accept private ioctl...
HALDbg (8BE0): Operation not permitted
The command noedgech needs exactly 1 argument(s)...
Invalid command : ampdumin
Created ath1 mode ap for NETGEAR-5G
lo        no wirelAG7100: unsupported ioctl
AG7100: unsupported ioctl


sit0      no wireless extensions.

br0       no wireless extensions.

eth0      no wireless extensions.

eth1      no wireless extensions.

wifi0     no wireless extensions.

wifi1     no wireless extensions.

/etc/ath/activateVAP: /etc/ath/activateVAP: 62: uname: not found
lo        no wirelAG7100: unsupported ioctl
AG7100: unsupported ioctl


sit0      no wireless extensions.

br0       no wireless extensions.

eth0      no wireless extensions.

eth1      no wireless extensions.

wifi0     no wireless extensions.

wifi1     no wireless extensions.

device ath0 entered promiscuous mode
br0: port 2(ath0) entering learning state
br0: topology change detected, propagating
br0: port 2(ath0) entering forwarding state
number of br ports=2
/etc/ath/activateVAP: /etc/ath/activateVAP: 1: arping: not found
>>>>> WPS ENABLED, PSK
cat: /etc/wpa2/WSC_ath0.conf: No such file or directory
>>>>> WPS Translate, Index:0
/etc/ath/activateVAP: /etc/ath/activateVAP: 62: uname: not found
lo        no wirelAG7100: unsupported ioctl
AG7100: unsupported ioctl


sit0      no wireless extensions.

br0       no wireless extensions.

eth0      no wireless extensions.

eth1      no wireless extensions.

wifi0     no wireless extensions.

wifi1     no wireless extensions.

Country ie is DE
device ath1 entered promiscuous mode
br0: port 3(ath1) entering learning state
br0: topology change detected, propagating
br0: port 3(ath1) entering forwarding state
number of br ports=3
/etc/ath/activateVAP: /etc/ath/activateVAP: 1: arping: not found
>>>>> WPS ENABLED, PSK
cat: /etc/wpa2/WSC_ath1.conf: No such file or directory
>>>>> WPS Translate, Index:2
Making Topology File . . .
Reading topology file /var/run/topology.conf ...
Reading bss configuration file /etc/wpa2/WSC_ath0.conf ...

Reading bss configuration file /etc/wpa2/WSC_ath1.conf ...

br0: port 2(ath0) entering disabled state
br0: port 3(ath1) entering disabled state
l2_packet_receive - recvfrom: Network is down
Could not connect to kernel driver.
Using interface ath0 with hwaddr 00:24:XX:XX:XX:XX and ssid 'NETGEAR'
Country ie is DE
br0: port 2(ath0) entering learning state
br0: topology change detected, propagating
br0: port 2(ath0) entering forwarding state
upnp_wps_device_init called
l2_packet_receive - recvfrom: Network is down
Could not connect to kernel driver.
Using interface ath1 with hwaddr 00:24:XX:XX:XX:XX and ssid 'NECountry ie is DE
TGEAR-5G'
br0: port 3(ath1) entering learning state
br0: topology change detected, propagating
br0: port 3(ath1) entering forwarding state
upnp_wps_device_init called
Starting Firewall...
Done!
time zone index is : 0
Run NTP Client with setting: pri:time-g.netgear.com sec:time-h.netgear.com
dnsmasq: started, version 2.39 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt ISC-leasefile no-DBus no-I18N no-TFTP
dnsmasq: using local addresses only for domain lan
dnsmasq: failed to access /tmp/dhcp.leases: No such file or directory
dnsmasq: no servers found in /tmp/resolv.conf, will retry
dnsmasq: cleared cache
killall: uhttpd: no process killed
checksum = 0xFF, len = 131072
There is not language table in flash or language table was broken!
gui_region = English
region = English, download_region =
 Update string table successfully, memory usage: 248KB.
The httpd server is running ...
Start utelnetd by telnetenable
killall: lld2d: no process killed
traffic_meter start : .
USB Storage daemon is Running ...
Boot up procedure is Finished!!!

Please press Enter to activate this console.


BusyBox v1.4.2 (2009-08-26 17:05:42 CST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (7.09) -----------------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@WNDR3700:/#

Some more outputs:

root@WNDR3700:/# cat /proc/cpuinfo                                                       
system type             : Atheros AR7100 (hydra)                                         
processor               : 0                                                              
cpu model               : MIPS 24K V7.4                                                  
BogoMIPS                : 451.58                                                         
wait instruction        : yes                                                            
microsecond timers      : yes                                                            
tlb_entries             : 16                                                             
extra interrupt vector  : yes                                                            
hardware watchpoint     : yes                                                            
ASEs implemented        : mips16                                                         
VCED exceptions         : not available                                                  
VCEI exceptions         : not available                                                  

root@WNDR3700:/# cat /proc/mtd                                                           
dev:    size   erasesize  name                                                           
mtd0: 00050000 00010000 "uboot"                                                          
mtd1: 00020000 00010000 "env"                                                            
mtd2: 00720000 00010000 "rootfs"                                                         
mtd3: 00010000 00010000 "config"                                                         
mtd4: 00010000 00010000 "config_bak"                                                     
mtd5: 00010000 00010000 "pot"                                                            
mtd6: 00010000 00010000 "traffic_meter"                                                  
mtd7: 00020000 00010000 "language"                                                       
mtd8: 00010000 00010000 "caldata"                                                        
mtd9: 0071ffc0 00010000 "mount_fs"                                                       

root@WNDR3700:/# mount                                                                   
rootfs on / type rootfs (rw)                                                             
/dev/root on / type squashfs (ro)                                                        
none on /proc type proc (rw,nodiratime)                                                  
none on /tmp type tmpfs (rw,nosuid,nodev)                                                
tmpfs on /dev type tmpfs (rw)                                                            
sysfs on /sys type sysfs (rw)

I can access u-boot by pressing a key while booting. Here is the output of printenv:

bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 init=/sbin/init mtdparts=ar7100-nor0:256k(uboot),128k(env),6144k(rootfs),64k(caldata),1024k(uImage)
bootcmd=fsload 80800000 image/uImage;bootm 80800000
bootdelay=1
baudrate=115200
ipaddr=192.168.1.2
serverip=192.168.1.1
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

So as far as i understand, the device loads the file '/image/uImage' to RAM and boots from it.

2 (edited by whiskas 2009-10-26 17:34:25)

Re: WNDR3700 exploration

So first step should be to get a ramdisk image running.

I build an image from trunk with settings: ar71xx, no wifi, ramdisk (lzma). I set up an tftp-server and loaded the files by:

ar7100> setenv ipaddr 192.168.1.1                                                        
ar7100> setenv serverip 192.168.1.2  

ar7100> tftpboot 80800000 lzma.bin                                                       
Trying eth0                                                                              
: unit 0 phy is up...RGMii 1000Mbps full duplex                                          
#259:ag7100_set_mac_from_link                                                            
: pll reg 0x18050010: 0x11110000                                                         
: cfg_1: 0x1ff0000                                                                       
: cfg_2: 0x3ff                                                                           
: cfg_3: 0x8001ff                                                                        
: cfg_4: 0xffff                                                                          
: cfg_5: 0x2fffef                                                                        
: done cfg2 0x7215 ifctl 0x40605060 miictrl 0x22                                         
Using eth0 device                                                                        
TFTP from server 192.168.1.2; our IP address is 192.168.1.1                              
Filename 'lzma.bin'.                                                                     
Load address: 0x80800000                                                                 
Loading: #################################################################               
         #################################################################               
         #################################################################               
         #################################################################               
         #################################################################               
         #################################################################               
         #################################################################               
         #######                                                                         
done                                                                                     
Bytes transferred = 2362068 (240ad4 hex)                                                 
ar7100> bootm                                                                            
## Booting image at 80800000 ...                                                         
Bad Magic Number                                                                         
Trying eth0                                                                              
: unit 0 phy is up...RGMii 1000Mbps full duplex                                          
#259:ag7100_set_mac_from_link                                                            
: pll reg 0x18050010: 0x11110000                                                         
: cfg_1: 0x1ff0000                                                                       
: cfg_2: 0x3ff                                                                           
: cfg_3: 0x8001ff                                                                        
: cfg_4: 0xffff                                                                          
: cfg_5: 0x2fffef                                                                        
: done cfg2 0x7215 ifctl 0x40605060 miictrl 0x22                                         
                                                                                         
The Router is in TFTP Server Firmware Recovery mode NOW!                                 
Listening on Port : 69, IP Address: 192.168.1.1...

So.. 'Bad Magic Number'. Afterwards it tries recovery mode which i can abort. The same result with different images (bzip, from snapshots, different RAM-addresses...).

The memory-dump of the specified address looks like this:

ar7100> md 80800000                                                                      
80800000: 27051956 51038946 4ae5b6ef 003256ae    '..VQ..FJ....2V.                        
80800010: 80060000 80060000 88b4824c 05050201    ...........L....                        
80800020: 4d495053 204f7065 6e577274 204c696e    MIPS OpenWrt Lin                        
80800030: 75782d32 2e362e33 302e3800 00000000    ux-2.6.30.8.....                        
80800040: 1f8b0808 c6b6e54a 0203766d 6c696e75    .......J..vmlinu                        
80800050: 7800ec5b 0f7454e5 95bfefcd 64e6254c    x..[.tT.....d.%L                        
80800060: 92070e32 4d523363 de9041b2 7ba6dbe4    ...2MR3c..A.{...                        
80800070: 80757a7c c660071a 34baf49c 14393dd9    .uz|.`..4....9=.                        
80800080: 8a7bd25d dc43cf72 da28b0fb 84c04e60    .{.].C.r.(....N`                        
80800090: c20b2eab 3934ea48 094ee0e1 448b1a04    ....94.H.N..D...                        
808000a0: 7454c4d1 726ab453 1bb6fec9 ae80b1a2    tT..rj.S........                        
808000b0: 663d538d 1a7d7bbf efbe8199 14d0627b    f=S..}{.......b{                        
808000c0: dc25cc39 5f6ebeef bbf77edf bdf777ef    .%.9_n....~...w.                        
808000d0: f7fecc48 c2e64570 e173e173 e133e93f    ...H..Ep.s.s.3.?                        
808000e0: 572f6c68 9c7fedbc 6f5df0c4 85cf85cf    W/lh....o]......                        
808000f0: 850ffb5c d5d20232 8088ff26 135da0ea    ...\...2...&.]..


ar7100> iminfo
## Checking Image at 80800000 ...
Bad Magic Number

After loading the original uImage file from /image/uImage, i can take a look at it:

ar7100> fsload 80800000 image/uImage
### SQUASHFS loading 'image/uImage' to 0x80800000
### SQUASHFS load complete: 936796 bytes loaded to 0x80800000


ar7100> md 80800000
80800000: 33373030 9d721b84 4a66f234 000e4b1c    3700.r..Jf.4..K.
80800010: 80002000 80295000 14e13558 05050203    .. ..)P...5X....
80800020: 4c696e75 78204b65 726e656c 20496d61    Linux Kernel Ima
80800030: 67650000 00000000 00000000 00000000    ge..............
80800040: 5d000080 0086302b 00000000 00000068    ].....0+.......h
80800050: 2e824f33 bf0ff5c6 4be9d243 96a1ac7a    ..O3....K..C...z
80800060: 0cb0fefb 8d7b2233 0927b080 0f2d3919    .....{"3.'...-9.
80800070: 9d03325e bb546da1 3e76fe99 d3da8205    ..2^.Tm.>v......
80800080: 6c7bbf92 72e0330d 885ffcb0 b47f3db9    l{..r.3.._....=.
80800090: 7bb0102b 22c2e8b0 d590904a df901386    {..+"......J....
808000a0: 9853df72 3855b163 d1682b56 0005807c    .S.r8U.c.h+V...|
808000b0: 65c98211 05aaea79 f372d01e 3c1723d0    e......y.r..<.#.
808000c0: c64b4818 05e89092 845a6ffc b38c7a01    .KH......Zo...z.
808000d0: 62915dfb 42398609 7173e87d dd31954e    b.].B9..qs.}.1.N
808000e0: d9ad16bb 1d7cc375 6bad2a65 2e46cff8    .....|.uk.*e.F..
808000f0: 5e461588 988e9433 3ca18203 99d4f093    ^F.....3<.......


ar7100> iminfo                                                                                                                 
## Checking Image at 80800000 ...                                                        
   Image Name:   Linux Kernel Image                                                      
   Created:      2009-07-22  11:04:20 UTC                                                
   Image Type:   MIPS Linux Kernel Image (lzma compressed)                               
   Data Size:    936732 Bytes = 914.8 kB                                                 
   Load Address: 80002000                                                                
   Entry Point:  80295000                                                                
   Verifying Checksum ... OK

So.. what now?

3 (edited by Nilfred 2009-10-27 01:49:43)

Re: WNDR3700 exploration

Look if 3700 repeats on every n offset or is only found at the start. This should be the magic number as seen on Linksys routers (First time on Netgear)
Edit: DUPE

Netgear WNR854T (ARM Marvell Orion CPU 500MHz, Marvell 88W8361P mini-PCI STA only, 8/32MB) - trunk r17427 since 09/09/09 to 06-06-12 GLOD
TP-LINK TL-WR741ND v1.9 (Atheros AR7240 CPU 350MHz, Atheros AR9285 Chipset, 4/32MB) - trunk r23281 since 10/10/10
TP-LINK TL-MR3420 v1.1, TL-MR3220 v1.2 - trunk r25302 since 11/11/11
TP-LINK TL-WR842ND v1.0, TL-WR1043ND v1.8 - 12.09-rc1 since 12/12/12

Re: WNDR3700 exploration

I got the same error Bad Magic Number no matter what I tried. And  then the router dumped to TFTP Server Firmware Recovery mode .I even tried loading the same uImage copied from image directory.
I think the u-boot booloader used does a checksum and header check on the image. I may be wrong here, but a good way forward is to modify or change  the u-boot

Re: WNDR3700 exploration

Netgear has published their source of uBoot for the wndr3700. So that should help I think?

Re: WNDR3700 exploration

yes they published it, you could even upgrade (the instructions are there)

Re: WNDR3700 exploration

I also tried encapsulating the image with header information using mkimage tools, it did not work

8 (edited by whiskas 2009-10-27 10:24:06)

Re: WNDR3700 exploration

The string '3700' caught my eye too. But it does not repeat throughout the image.

If requested, i can upload/send the uImage file.

As posted by Borromi in the other thread, this is the link to the sourcecode for the firmware and the used bootloader: link

So i'll try to get a look at the bootloader source for a special file header. Starting point is the function 'int do_bootm(...)' in file 'cmd_bootm.c'.

ratbug wrote:

[...] you could even upgrade (the instructions are there)

What do you mean by that?

Re: WNDR3700 exploration

I found this: in header.h:

#define IH_MAGIC    0x33373030    /* Image Magic Number       */

which is hex for '3700'. smile

The struct for the image header is (image.h):

typedef struct image_header {
    uint32_t    ih_magic;    /* Image Header Magic Number    */
    uint32_t    ih_hcrc;    /* Image Header CRC Checksum    */
    uint32_t    ih_time;    /* Image Creation Timestamp    */
    uint32_t    ih_size;    /* Image Data Size        */
    uint32_t    ih_load;    /* Data     Load  Address        */
    uint32_t    ih_ep;        /* Entry Point Address        */
    uint32_t    ih_dcrc;    /* Image Data CRC Checksum    */
    uint8_t        ih_os;        /* Operating System        */
    uint8_t        ih_arch;    /* CPU architecture        */
    uint8_t        ih_type;    /* Image Type            */
    uint8_t        ih_comp;    /* Compression Type        */
    uint8_t        ih_name[IH_NMLEN];    /* Image Name        */
} image_header_t;

So.. placing '3700' at the start and recalculation header checksum should do the magic, huh?

Re: WNDR3700 exploration

@whiska,

Try to set : setenv bootargs 'board=WNDR3700'; I have not tried that.

As far the instructions, I get back to you on this. I'm not at home now but it is there in one the README files

11 (edited by whiskas 2009-10-27 14:11:19)

Re: WNDR3700 exploration

SUCCESS!

Complete HowTo so far:
1. build openwrt (ar71xx...)
2. copy 'openwrt-ar71xx-uImage-lzma.bin' to your tftpboot-Folder
3. change image header:
3.1. dd if=openwrt-ar71xx-uImage-lzma.bin of=header count=1 bs=64
3.2. open 'header' with a hex-editor and write the first bytes: 3700 (as characters) and the next 4 bytes '00000000' (as hexcode!)
3.3. calculate the crc32 of the file 'header' (i am using the program from here link)
3.4. open the 'openwrt-ar71xx-uImage-lzma.bin' and edit the first bytes: '3700' as characters and the next 4 bytes the generated crc32-checksum
4. (optional) in bootloader: setenv ipaddr 192.168.1.1; setenv serverip 192.168.1.2; setenv bootargs 'board=WNDR3700'
5. tftpboot 80800000 openwrt-ar71xx-uImage-lzma.bin
6. (optional) 'iminfo 80800000' should produce something like

ar7100> iminfo

## Checking Image at 80800000 ...
   Image Name:   MIPS OpenWrt Linux-2.6.30.8
   Created:      2009-10-26  16:41:19 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2289739 Bytes =  2.2 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ... OK

7. 'bootm 80800000'

bootlog from openWrt as ramdisk:

ar7100> bootm
## Booting image at 80800000 ...
   Image Name:   MIPS OpenWrt Linux-2.6.30.8
   Created:      2009-10-26  16:41:19 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2289739 Bytes =  2.2 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 67108864

Starting kernel ...

Linux version 2.6.30.8 (marco@marco-laptop) (gcc version 4.1.2) #2 Mon Oct 26 17:40:31 CET 2009
console [early0] enabled
CPU revision is: 00019374 (MIPS 24Kc)
Atheros AR7161 rev 2, CPU:680.000 MHz, AHB:170.000 MHz, DDR:340.000 MHz
Determined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: rootfstype=squashfs,yaffs,jffs2 noinitrd console=ttyS0,115200 board=WNDR3700
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
NR_IRQS:56
PID hash table entries: 256 (order: 8, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 56476k/65536k available (1914k kernel code, 8984k reserved, 428k data, 5600k init, 0k highmem)
SLUB: Genslabs=7, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Calibrating delay loop... 452.19 BogoMIPS (lpj=2260992)
Mount-cache hash table entries: 512
net_namespace: 528 bytes
NET: Registered protocol family 16
MIPS: machine is Generic AR71xx board
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
yaffs Oct 26 2009 17:00:36 Installing. 
msgmni has been set to 110
alg: No test for lzma (lzma-generic)
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
console handover: boot [early0] -> real [ttyS0]
Atheros AR71xx SPI Controller driver version 0.2.4
Atheros AR71xx hardware watchdog driver version 0.1.0
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Freeing unused kernel memory: 5600k freed
- preinit -
Press CTRL-C for failsafe
gpio-buttons driver version 0.1.1
Button Hotplug driver version 0.3.1

Please press Enter to activate this console. cfg80211: Using static regulatory domain info
cfg80211: Regulatory domain: US
    (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    (2402000 KHz - 2472000 KHz @ 40000 KHz), (600 mBi, 2700 mBm)
    (5170000 KHz - 5190000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
    (5190000 KHz - 5210000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
    (5210000 KHz - 5230000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
    (5230000 KHz - 5330000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
    (5735000 KHz - 5835000 KHz @ 40000 KHz), (600 mBi, 3000 mBm)
cfg80211: Calling CRDA for country: US
PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
ath_hal: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 2009-05-08 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, RF2133, RF2425, REGOPS_FUNC, XR)
ath_pci: trunk
wlan: trunk
wlan: mac acl policy registered
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk)
ath_rate_minstrel: look around rate set to 10%
ath_rate_minstrel: EWMA rolloff level set to 75%
ath_rate_minstrel: max segment size in the mrr set to 6000 us



BusyBox v1.14.4 (2009-10-26 16:42:34 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r17993) ------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@OpenWrt:/#

explanation:
The image header is 64 bytes long. the last 32 bytes is the image name as byte-array.
dd ... copies these 64 bytes to a separate file 'header'
We change the header-file to the correct magic number: '3700'.
Now to calculating the checksum: prior to this we have to delete the old checksum! -> overwrite it with zeros in the header file
By writing the new magic number and the new checksum to our image-file the image is ready for installing.

Re: WNDR3700 exploration

I think this is the point, where we have to wait for the openWrt-developers.

The image doesn't bring an interface up.

Here are some outputs:

ar7100> bootm
## Booting image at 80800000 ...
   Image Name:   MIPS OpenWrt Linux-2.6.30.8
   Created:      2009-10-27  13:28:09 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2289824 Bytes =  2.2 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 67108864

Starting kernel ...

Linux version 2.6.30.8 (marco@marco-laptop) (gcc version 4.1.2) #3 Tue Oct 27 14:27:20 CET 2009
console [early0] enabled
CPU revision is: 00019374 (MIPS 24Kc)
Atheros AR7161 rev 2, CPU:680.000 MHz, AHB:170.000 MHz, DDR:340.000 MHz
Determined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: rootfstype=squashfs,yaffs,jffs2 noinitrd console=ttyS0,115200 board=WNDR3700
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
NR_IRQS:56
PID hash table entries: 256 (order: 8, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 56476k/65536k available (1914k kernel code, 8984k reserved, 428k data, 5600k init, 0k highmem)
SLUB: Genslabs=7, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Calibrating delay loop... 452.19 BogoMIPS (lpj=2260992)
Mount-cache hash table entries: 512
net_namespace: 528 bytes
NET: Registered protocol family 16
MIPS: machine is Generic AR71xx board
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
yaffs Oct 26 2009 17:00:36 Installing. 
msgmni has been set to 110
alg: No test for lzma (lzma-generic)
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
console handover: boot [early0] -> real [ttyS0]
Atheros AR71xx SPI Controller driver version 0.2.4
Atheros AR71xx hardware watchdog driver version 0.1.0
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Freeing unused kernel memory: 5600k freed
- preinit -
Press CTRL-C for failsafe
gpio-buttons driver version 0.1.1
Button Hotplug driver version 0.3.1

Please press Enter to activate this console. cfg80211: Using static regulatory domain info
cfg80211: Regulatory domain: US
    (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    (2402000 KHz - 2472000 KHz @ 40000 KHz), (600 mBi, 2700 mBm)
    (5170000 KHz - 5190000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
    (5190000 KHz - 5210000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
    (5210000 KHz - 5230000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
    (5230000 KHz - 5330000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
    (5735000 KHz - 5835000 KHz @ 40000 KHz), (600 mBi, 3000 mBm)
cfg80211: Calling CRDA for country: US
PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
ath_hal: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 2009-05-08 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, RF2133, RF2425, REGOPS_FUNC, XR)
ath_pci: trunk
wlan: trunk
wlan: mac acl policy registered
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk)
ath_rate_minstrel: look around rate set to 10%
ath_rate_minstrel: EWMA rolloff level set to 75%
ath_rate_minstrel: max segment size in the mrr set to 6000 us



root@OpenWrt:/# ifconfig 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)



root@OpenWrt:/# lsmodroot@OpenWrt:/# lsmod 
Module                  Size  Used by    Tainted: P  
ath_pci               280096  0 
ath_hal               293968  1 ath_pci
nf_nat_tftp              432  0 
nf_conntrack_tftp       2384  1 nf_nat_tftp
nf_nat_irc               816  0 
nf_conntrack_irc        2576  1 nf_nat_irc
nf_nat_ftp              1328  0 
nf_conntrack_ftp        4624  1 nf_nat_ftp
ipt_MASQUERADE          1040  0 
iptable_nat             2288  1 
nf_nat                 10032  5 nf_nat_tftp,nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,iptable_nat
xt_NOTRACK               544  0 
iptable_raw              640  1 
xt_state                 784  3 
nf_conntrack_ipv4       7440  6 iptable_nat,nf_nat
nf_defrag_ipv4           624  1 nf_conntrack_ipv4
nf_conntrack           36960 12 nf_nat_tftp,nf_conntrack_tftp,nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,xt_NOTRACK,xt_state,nf_conntrack_ipv4
pppoe                   7408  0 
pppox                   1168  1 pppoe
ipt_REJECT              1712  2 
xt_TCPMSS               1872  0 
ipt_LOG                 4176  0 
xt_multiport            1824  0 
xt_mac                   576  0 
xt_limit                1056  1 
iptable_mangle          1008  0 
iptable_filter           784  1 
ip_tables               8080  4 iptable_nat,iptable_raw,iptable_mangle,iptable_filter
xt_tcpudp               1776  3 
x_tables                8688 12 ipt_MASQUERADE,iptable_nat,xt_NOTRACK,xt_state,ipt_REJECT,xt_TCPMSS,ipt_LOG,xt_multiport,xt_mac,xt_limit,ip_tables,xt_tcpudp
ppp_async               6304  0 
ppp_generic            18496  3 pppoe,pppox,ppp_async
slhc                    4224  1 ppp_generic
ath9k                 248688  0 
ath                     6576  1 ath9k
mac80211              137808  1 ath9k
cfg80211              101104  3 ath9k,ath,mac80211
crc_ccitt                992  1 ppp_async
arc4                     816  0 
aes_generic            28704  0 
deflate                 1376  0 
ecb                     1312  0 
cbc                     2000  0 
button_hotplug          2592  0 
gpio_buttons            1856  0 
input_polldev           1376  1 gpio_buttons
input_core             17424  3 button_hotplug,gpio_buttons,input_polldev
leds_gpio               1360  0 



root@OpenWrt:/# dmesg
Linux version 2.6.30.8 (marco@marco-laptop) (gcc version 4.1.2) #3 Tue Oct 27 14:27:20 CET 2009
prom: fw_arg0=00000002, fw_arg1=a3f5ffb0, fw_arg2=a3f603c0, fw_arg3=00000008
MyLoader: sysp=aaaa5554, boardp=aaaa5554, parts=aaaa5554
console [early0] enabled
CPU revision is: 00019374 (MIPS 24Kc)
Atheros AR7161 rev 2, CPU:680.000 MHz, AHB:170.000 MHz, DDR:340.000 MHz
Determined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00004000
On node 0 totalpages: 16384
free_area_init_node: node 0, pgdat 802a76a0, node_mem_map 81000000
  Normal zone: 128 pages used for memmap
  Normal zone: 0 pages reserved
  Normal zone: 16256 pages, LIFO batch:3
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: rootfstype=squashfs,yaffs,jffs2 noinitrd console=ttyS0,115200 board=WNDR3700
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
NR_IRQS:56
PID hash table entries: 256 (order: 8, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 56476k/65536k available (1914k kernel code, 8984k reserved, 428k data, 5600k init, 0k highmem)
SLUB: Genslabs=7, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Calibrating delay loop... 452.19 BogoMIPS (lpj=2260992)
Mount-cache hash table entries: 512
net_namespace: 528 bytes
NET: Registered protocol family 16
MIPS: machine is Generic AR71xx board
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
Switched to high resolution mode on CPU 0
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
yaffs Oct 26 2009 17:00:36 Installing. 
msgmni has been set to 110
alg: No test for lzma (lzma-generic)
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
console handover: boot [early0] -> real [ttyS0]
Atheros AR71xx SPI Controller driver version 0.2.4
Atheros AR71xx hardware watchdog driver version 0.1.0
ar71xx-wdt: timeout=15 secs (max=25)
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Freeing unused kernel memory: 5600k freed
gpio-buttons driver version 0.1.1
Button Hotplug driver version 0.3.1
cfg80211: Using static regulatory domain info
cfg80211: Regulatory domain: US
    (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    (2402000 KHz - 2472000 KHz @ 40000 KHz), (600 mBi, 2700 mBm)
    (5170000 KHz - 5190000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
    (5190000 KHz - 5210000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
    (5210000 KHz - 5230000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
    (5230000 KHz - 5330000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
    (5735000 KHz - 5835000 KHz @ 40000 KHz), (600 mBi, 3000 mBm)
cfg80211: Calling CRDA for country: US
PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
ath_hal: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 2009-05-08 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, RF2133, RF2425, REGOPS_FUNC, XR)
ath_pci: trunk
wlan: trunk
wlan: mac acl policy registered
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk)
ath_rate_minstrel: look around rate set to 10%
ath_rate_minstrel: EWMA rolloff level set to 75%
ath_rate_minstrel: max segment size in the mrr set to 6000 us
ar71xx-wdt: enabling watchdog timer

Re: WNDR3700 exploration

Congrats, whiskas

he we go

How to build:
=============

make wndr3700u_config
make

Steps to upgrade u-boot:
========================

In the meantime, u-boot takes 5 erase blocks (5*0x10000)

ar7100> loady 0x80800000
ar7100> crc32 0x80800000 ${filesize}
ar7100> erase 0xbf000000 +50000
ar7100> cp.b 0x80800000 0xbf000000 0x50000

14 (edited by whiskas 2009-10-28 14:00:20)

Re: WNDR3700 exploration

Regarding the wireless cards: problem #1 seems to me, that the pci-bus does not seem to be working.

root@OpenWrt:/# cat proc/bus/pci/devices

gives out nothing. In my previous threads you can see, that the ath_pci-module is loaded.

While the stock-firmware gives:

root@WNDR3700:/# cat proc/bus/pci/devices 
0000    168c0029    30    10000000    00000000    00000000    00000000    00000000    00000000    00000000    00010000    00000000    00000000    00000000    00000000    00000000    00000000    ath_pci
0008    168c0029    31    10010000    00000000    00000000    00000000    00000000    00000000    00000000    00010000    00000000    00000000    00000000    00000000    00000000    00000000    ath_pci



root@WNDR3700:/# cat proc/pci 
PCI devices found:
  Bus  0, device   0, function  0:
    Class 0280: PCI device 168c:0029 (rev 1).
      IRQ 48.
      Master Capable.  Latency=168.  
      Non-prefetchable 32 bit memory at 0x10000000 [0x1000ffff].
  Bus  0, device   1, function  0:
    Class 0280: PCI device 168c:0029 (rev 1).
      IRQ 49.
      Master Capable.  Latency=168.  
      Non-prefetchable 32 bit memory at 0x10010000 [0x1001ffff].



root@WNDR3700:/# lsmod
Module                  Size  Used by    Tainted: P  
wlan_scan_ap            9152  1 
ath_pktlog             14336  0 
wlan_me                 9152  0 
wlan_acl                5152  0 
wlan_wep                5536  0 
wlan_tkip              12608  0 
wlan_ccmp               7968  0 
wlan_xauth              1024  0 
ath_pci                59488  0 
ath_dev               131728  2 ath_pktlog,ath_pci
ath_rate_atheros       46928  2 ath_pktlog,ath_dev
wlan                  253440  12 wlan_scan_ap,ath_pktlog,wlan_me,wlan_acl,wlan_wep,wlan_tkip,wlan_ccv
wlan_ext                3328  1 wlan                                                                 
ath_hal               277312  6 ath_pktlog,ath_pci,ath_dev,wlan                                      
ag7100_mod             23600  0                                                                      
rtl8366sr_mod          84896  1 ag7100_mod                                                           
dni_qos                 5984  1 ag7100_mod                                                           
watchdog                1488  0                                                                      
dni_dmapool            15552  2 ath_dev,ath_hal                                                      
ar7100gpiointr          4096  1                                                                      
ar7100gpio              2656  0                                                                      
fuse                   46640  0                                                                      
ext2                   54960  0                                                                      
ext3                  124112  0                                                                      
vfat                   11296  0                                                                      
fat                    52208  1 vfat                                                                 
nls_iso8859_1           3296  0                                                                      
nls_cp437               4832  0                                                                      
jbd                    54240  1 ext3                                                                 
ip_nat_dnisip           6560  0                                                                      
ip_conntrack_dnisip     6064  1 ip_nat_dnisip                                                        
ipt_TRIGGER             3296  1                                                                      
ipt_spiadvDoS          13392  1                                                                      
ipt_NETGEAR_REJECT     12640  0                                                                      
ipt_urlBlock            5424  0                                                                      
ipt_dnshijack           1408  1                                                                      
ipt_spiDoS              3200  2                                                                      
wndr3700_usbled         2672  0                                                                      
ip_nat_pptp             4816  0                                                                      
ip_conntrack_pptp       7600  1 ip_nat_pptp                                                          
ip_nat_dnih323          6240  0                                                                      
ip_conntrack_dnih323    38720  1 ip_nat_dnih323                                                      
ip_nat_STARCRAFT        1504  0                                                                      
ipt_CONENAT             1824  2                                                                      
ip_nat_ftp              2496  0                                                                      
ip_conntrack_ftp        5712  1 ip_nat_ftp

Another problem is the ethernet-switch. Chip is Realtek RTL8366SR Gigabit switch (src)


Any ideas on either?

Re: WNDR3700 exploration

whiskas wrote:

Another problem is the ethernet-switch. Chip is Realtek RTL8366SR Gigabit switch (src)

There's a binary module (rtl8366sr_mod.ko) included in Netgear's WNDR3700 firmware archive. Can it be injected into the custom firmware image?

I just ordered one of these and I'm pretty anxious for it to get here. Excited to finally have a platform for OpenWRT. smile

Re: WNDR3700 exploration

whiskas wrote:

Another problem is the ethernet-switch. Chip is Realtek RTL8366SR Gigabit switch (src)
Any ideas on either?

whiskas,

look here board/ar7100/wndr3700u/rtl8366s_phy.c

and here that might give you an idea how they build the driver



# Copyright (C) 2006 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
# $Id: Makefile,v 1.1.2.2 2006/11/14 08:57:31 ronger Exp $

include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk

PKG_NAME:=rtl8366s
PKG_VERSION:=
PKG_RELEASE:=

PKG_SOURCE:=
PKG_SOURCE_URL:=
PKG_MD5SUM:=
PKG_CAT:=zcat

PKG_GIT_TREEISH=f6c9ef8a843d680cbc8864c595959107821d6d49
PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/rtl8366s

include $(INCLUDE_DIR)/package.mk

ENET_AUTOLOAD:= rtl8366sr_mod.$(LINUX_KMOD_SUFFIX)

AR531X_KERNEL_CROSS:=mips-linux-

define KernelPackage/rtl8366s
  SUBMENU:=Ethernet Drivers
  DEPENDS:=@LINUX_2_6_WNDR3700U
  TITLE:=Driver for Realtek ethernet
  DESCRIPTION:=\
        This package contains a driver for Realtek ethernet
  URL:=http://www.atheros.com/
  VERSION:=$(LINUX_VERSION)+$(PKG_VERSION)-$(BOARD)-$(PKG_RELEASE)
  FILES:= $(PKG_BUILD_DIR)/rtl8366sr_mod.$(LINUX_KMOD_SUFFIX)
  AUTOLOAD:=$(call AutoLoad,50,$(ENET_AUTOLOAD))
endef

ENET_MAKEOPTS=  PATH="$(KERNEL_STAGING_DIR)/bin:$(TARGET_PATH)" \
                ARCH="$(LINUX_KARCH)" \
                CROSS_COMPILE="$(TARGET_CROSS)" \
                TOOLPREFIX="$(AR531X_KERNEL_CROSS)" \
                TOOLPATH="$(AR531X_KERNEL_CROSS)"

define Build/Prepare
        -mkdir -p $(PKG_BUILD_DIR)
        $(CP) $(GIT_HOME)/rtl8366sr.git/* $(KERNEL_BUILD_DIR)/$(PKG_NAME)
endef

define Build/Compile
endef

define Build/InstallDev
endef

define Build/UninstallDev
endef

define KernelPackage/rtl8366s/install
        mkdir -p $(1)/etc/init.d
        install -m0755 ./files/net-lan $(1)/etc/init.d/
        install -m0755 ./files/net-wan $(1)/etc/init.d/
endef

$(eval $(call KernelPackage,rtl8366s))

Re: WNDR3700 exploration

@ vexingviking:
as expected, loading a module, which is compiled for a different kernel, does not work

root@OpenWrt:/# insmod rtl8366sr_mod                                            
rtl8366sr_mod: version magic '2.6.15 MIPS32_R2 32BIT gcc-3.4' should be '2.6.30'
insmod: can't insert 'rtl8366sr_mod': invalid module format

@ratbug:
Rewriting and including my own linux driver is quiet new to me.. Any helps are appreciated.
Did you find the Makefile somewhere, or did you write it yourself?

Re: WNDR3700 exploration

Guys this is terrific smile. I can't be much of a help at this stage unfortunately :-/.

I pointed out the possible problem with kernel version magic out in the Netgear forums (MyOpenrouter.com), but got no conclusive answer (the 2.4 Broadcom drivers e.g. were stripped of kernel version magic I think so they could run against whatever 2.4 kernel you would throw at it). There are some drivers that are marked as GPL/BSD in the licensing overview but are made available as binary only in the source tarball, and the licensing overview has no link for their source code. I tried googling for the package/module names but nothing turned up (I usually do a thorough google but that doesn't mean I couldn't have missed a spot).

LEDE 17.01 RC2+ on D-Link DIR-860L B1 :: Netgear WNDR3700 v1 (2x) & v2 (1x) :: PC Engines APU2 :: Ubiquiti Unifi AC Pro (2x) :: TP-Link TL-WR1043ND v1 (1x) & v2 (4x) :: TL-WR841N (2x) :: LEDE trunk on Asus WL-500W (wl) :: OpenWrt Attitude Adjustment 12.09.1 on Asus WL-500G Deluxe

Re: WNDR3700 exploration

whiskas wrote:

@ vexingviking:
as expected, loading a module, which is compiled for a different kernel, does not work

root@OpenWrt:/# insmod rtl8366sr_mod                                            
rtl8366sr_mod: version magic '2.6.15 MIPS32_R2 32BIT gcc-3.4' should be '2.6.30'
insmod: can't insert 'rtl8366sr_mod': invalid module format

Assuming the gcc version is the same, maybe "modprobe --force-vermagic rtl8366sr_mod" would work? I'm just not sure what kind of side effects, if any, that might produce...

Re: WNDR3700 exploration

whiskas wrote:

@ vexingviking:
as expected, loading a module, which is compiled for a different kernel, does not work

root@OpenWrt:/# insmod rtl8366sr_mod                                            
rtl8366sr_mod: version magic '2.6.15 MIPS32_R2 32BIT gcc-3.4' should be '2.6.30'
insmod: can't insert 'rtl8366sr_mod': invalid module format

@ratbug:
Rewriting and including my own linux driver is quiet new to me.. Any helps are appreciated.
Did you find the Makefile somewhere, or did you write it yourself?

Modules must be from the same kernel.

@whiskas,

the Makefile is in the netgear SDK but unfortunately Netgear did not include the source code for the RTL8366SR, You might look in Belkin F5D8235 here under linux-x.xx/drivers/net/phys/

Re: WNDR3700 exploration

@whiskas, write Makefile for openwrt is fairly easy, you can take a look at how it  is done  ( the above one is for kernel modules, the one for apps is slightly different)

Re: WNDR3700 exploration

I'm giving up on loading the binary modules, since both changing the module kernel version with a hex-editor and removing the version-checking in kernel_menuconfig do not work. Also 'modprobe' is not included in the busybox-system; had problems finding a package including it.

@ratbug:
I'll take a look into the belkin sources.

Apart from this, i'd rather find out, what's about with the PCI. Since there are other routers around with the realtek-switch, this problem is likely to solve by itself. Any ideas where to start, if there are no pci-devices listed under /proc?

@all:
Does nobody else have this router? There is absolutely NO BRICKING RISK since we're only running ramdisk-images (if i not specifically interrupt the bootup, the router loads the netgear firmware). Also if you do not solder or rampage inside your router, you STILL HAVE WARRANTY. The serial-cable is easily built with a connector for the serial header, the screws are right under the rubber feet. Even the environment-args in uboot are not saved until one specifically calls 'saveenv'.

Re: WNDR3700 exploration

this is an expensive router, so not everyone is inclined to serve as guinea pigs for this experiment. I agree with you that this router is very safe to play besides it is running on top of openwrt but it is an expensive toy

Re: WNDR3700 exploration

whiskas wrote:

@all:
Does nobody else have this router? There is absolutely NO BRICKING RISK since we're only running ramdisk-images (if i not specifically interrupt the bootup, the router loads the netgear firmware). Also if you do not solder or rampage inside your router, you STILL HAVE WARRANTY. The serial-cable is easily built with a connector for the serial header, the screws are right under the rubber feet. Even the environment-args in uboot are not saved until one specifically calls 'saveenv'.

So what exactly is involved and how would we be able to help you?

25 (edited by whiskas 2009-10-30 01:04:51)

Re: WNDR3700 exploration

@entee
various possibilities:
a) install serial cable, play around with openWrt on this router and post your findings if you get the hardware running
b) if you have experience in dealing with linux and unsupported hardware, advice is always welcome
c) write to the developers or perhaps better: start another thread, where you state that you are anxious for openWrt-support for this router
d) donate a wndr3700 (or money) to the openWrt-team.   damn, this sounds like i'm paid for advertisement...

@ratbug
the Belkin GPL-firmware you pointed out seems really ressourceful. There are the rtl8366 sourcefiles for the bootloader, which have by coexistence the same filenames as the ones for the kernel-modules smile