Looking for a cheap and small device to hack on, I bought a router advertised as TopLink RT-3GWT, or Portable Wireless router model C1291, or CW-G3. I have seen other model numbers from other merchants that look the same, but the one I got has this written on the PCB: XDX-RN502R V2.0
Here are its characteristics:
* Ralink RT3050F
* 4MB Flash, 32MB RAM
* USB port
* Ethernet port
* RP-SMA antenna connector
* 12 volt power adapter
I can telnet into the original firmware and I get:
Welcome to Bococom Router Series
For detailed information, please check:
www.bococom.com
BusyBox v1.12.1 (2010-11-26 17:38:48 CST) built-in shell (msh)
Enter 'help' for a list of built-in commands.
This led me to a post on this forum about a similar board based on the big brother Ralink 3052, which has two antennas and an Ethernet switch, the XDX-RN502J:
https://forum.openwrt.org/viewtopic.php?pid=163152
So I bought a TTL-level serial cable and soldered it. Here's the output of the original firmware:
U-Boot 1.1.3 (Apr 7 2010 - 09:43:57)
Board: Ralink APSoC DRAM: 32 MB
relocate_code Pointer at: 81fac000
======= config usb otg =====
flash_protect ON: from 0xBF000000 to 0xBF0205C3
protect on 0
protect on 1
protect on 2
protect on 3
protect on 4
protect on 5
protect on 6
protect on 7
protect on 8
protect on 9
flash_protect ON: from 0xBF030000 to 0xBF03FFFF
protect on 10
*** Warning - bad CRC, using default environment
============================================
Ralink UBoot Version: 3.2
--------------------------------------------
ASIC 3052_MP2 (Port5<->None)
DRAM COMPONENT: 256Mbits
DRAM BUS: 16BIT
Total memory: 32 MBytes
Date:Apr 7 2010 Time:09:43:57
============================================
icache: sets:128, ways:4, linesz:32 ,total:16384
dcache: sets:128, ways:4, linesz:32 ,total:16384
##### The CPU freq = 320 MHZ ####
SDRAM bus set to 16 bit
SDRAM size =32 Mbytes
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
9: Load Boot Loader code then write to Flash via TFTP.
You choosed 3
0
3: System Boot system code via Flash.
## Booting image at bf050000 ...
Image Name: Linux Kernel Image
Created: 2011-05-25 7:38:47 UTC
System Control Status = 0x00400000
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 3502016 Bytes = 3.3 MB
Load Address: 80000000
Entry Point: 802d2000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 802d2000) ...
## Giving linux memsize in MB, 32
Starting kernel ...
LINUX started...
THIS IS ASIC
3G Router Start!
Then the console goes silent and does not echo back what I type.
Choosing option #4 to enter the U-Boot menu, I'm able to see some variables:
RT3052 # printenv
bootcmd=tftp
bootdelay=5
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
ipaddr=10.10.10.123
serverip=10.10.10.3
preboot=echo;echo
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off
addmisc=setenv bootargs $(bootargs) console=ttyS0,$(baudrate) ethaddr=$(ethaddr) panic=1
flash_self=run ramargs addip addmisc;bootm $(kernel_addr) $(ramdisk_addr)
kernel_addr=BFC40000
u-boot=u-boot.bin
load=tftp 8A100000 $(u-boot)
u_b=protect off 1:0-1;era 1:0-1;cp.b 8A100000 BC400000 $(filesize)
loadfs=tftp 8A100000 root.cramfs
u_fs=era bc540000 bc83ffff;cp.b 8A100000 BC540000 $(filesize)
test_tftp=tftp 8A100000 root.cramfs;run test_tftp
stdin=serial
stdout=serial
stderr=serial
ethact=Eth0 (10/100-M)
Environment size: 783/65532 bytes
Here are the other available commands:
RT3052 # help
? - alias for 'help'
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BootP/TFTP protocol
cp - memory copy
echo - echo args to console
erase - erase FLASH memory
go - start application at address 'addr'
help - print online help
loadb - load binary file over serial line (kermit mode)
md - memory display
mdio - Ralink PHY register R/W command !!
mm - memory modify (auto-incrementing)
mw - memory write (fill)
nm - memory modify (constant address)
printenv- print environment variables
protect - enable or disable FLASH write protection
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
spicmd - read/write data from/to eeprom or vtss
tftpboot- boot image via network using TFTP protocol
loopback - Ralink eth loopback test !!
version - print monitor version
I compiled OpenWRT with these settings:
Target System: Ralink RT288x/RT3xxx
Subtarget: RT305x based boards
Target Profile: Default Profile
Target images: ramdisk
Here's what I got by booting from the generated openwrt-ramips-rt305x-xdxrn502j-initramfs-uImage.bin image:
U-Boot 1.1.3 (Apr 7 2010 - 09:43:57)
Board: Ralink APSoC DRAM: 32 MB
relocate_code Pointer at: 81fac000
======= config usb otg =====
flash_protect ON: from 0xBF000000 to 0xBF0205C3
protect on 0
protect on 1
protect on 2
protect on 3
protect on 4
protect on 5
protect on 6
protect on 7
protect on 8
protect on 9
flash_protect ON: from 0xBF030000 to 0xBF03FFFF
protect on 10
============================================
Ralink UBoot Version: 3.2
--------------------------------------------
ASIC 3052_MP2 (Port5<->None)
DRAM COMPONENT: 256Mbits
DRAM BUS: 16BIT
Total memory: 32 MBytes
Date:Apr 7 2010 Time:09:43:57
============================================
icache: sets:128, ways:4, linesz:32 ,total:16384
dcache: sets:128, ways:4, linesz:32 ,total:16384
##### The CPU freq = 320 MHZ ####
SDRAM bus set to 16 bit
SDRAM size =32 Mbytes
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
9: Load Boot Loader code then write to Flash via TFTP.
You choosed 1
0
eth_register
Eth0 (10/100-M)
enetvar=ethaddr,Eth addr:00:AA:BB:CC:DD:10
00:AA:BB:CC:DD:10:
eth_current->name = Eth0 (10/100-M)
1: System Load Linux to SDRAM via TFTP.
Please Input new ones /or Ctrl-C to discard
Input device IP (192.168.1.1) ==:
Input server IP (192.168.1.2) ==:
Input Linux Kernel filename (xdxrn502j.bin) ==:
netboot_common, argc= 3
*************buf = 0x81fcc740
**********NexTxPacket = 81fe4840
NetTxPacket = 0x81FE4840
NetRxPackets[0] = 0x81FE4E40
NetRxPackets[1] = 0x81FE5440
NetRxPackets[2] = 0x81FE5A40
NetRxPackets[3] = 0x81FE6040
NetRxPackets[4] = 0x81FE6640
NetRxPackets[5] = 0x81FE6C40
NetRxPackets[6] = 0x81FE7240
NetRxPackets[7] = 0x81FE7840
NetRxPackets[8] = 0x81FE7E40
NetRxPackets[9] = 0x81FE8440
NetRxPackets[10] = 0x81FE8A40
NetRxPackets[11] = 0x81FE9040
NetRxPackets[12] = 0x81FE9640
NetRxPackets[13] = 0x81FE9C40
NetRxPackets[14] = 0x81FEA240
NetRxPackets[15] = 0x81FEA840
NetRxPackets[16] = 0x81FEAE40
NetRxPackets[17] = 0x81FEB440
NetRxPackets[18] = 0x81FEBA40
NetRxPackets[19] = 0x81FEC040
KSEG1ADDR(NetTxPacket) = 0xA1FE4840
NetLoop,call eth_halt !
NetLoop,call eth_init !
Trying Eth0 (10/100-M)
Waitting for RX_DMA_BUSY status Start... done
Header Payload scatter function is Disable !!
ETH_STATE_ACTIVE!!
Using Eth0 (10/100-M) device
TFTP from server 192.168.1.2; our IP address is 192.168.1.1
Filename 'xdxrn502j.bin'.
TIMEOUT_COUNT=10,Load address: 0x80800000
Loading: Got ARP REPLY, set server/gtwy eth addr (00:50:ba:0d:35:9e)
Got it
T #
first block received
################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################
done
Bytes transferred = 2243740 (223c9c hex)
NetBootFileXferSize= 00223c9c
Automatic boot of image at addr 0x80800000 ...
## Booting image at 80800000 ...
Image Name: MIPS OpenWrt Linux-3.2.15
Created: 2012-04-25 4:18:59 UTC
System Control Status = 0x00400000
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 2243676 Bytes = 2.1 MB
Load Address: 80000000
Entry Point: 80000000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 32
Starting kernel ...
[ 0.000000] Linux version 3.2.15 (nicolas@cortex) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #6 Wed Apr 25 00:18:02
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU revision is: 0001964c (MIPS 24KEc)
[ 0.000000] Ralink RT3350 id:1 rev:2 running at 320.00 MHz
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 02000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone PFN ranges:
[ 0.000000] Normal 0x00000000 -> 0x00002000
[ 0.000000] Movable zone start PFN for each node
[ 0.000000] early_node_map[1] active PFN ranges
[ 0.000000] 0: 0x00000000 -> 0x00002000
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128
[ 0.000000] Kernel command line: board=XDXRN502J console=ttyS1,57600 mtdparts=physmap-flash.0:192k(u-boot)ro,64k(u-boot-env)ro,64k(factory2
[ 0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[ 0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Primary instruction cache 16kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 16kB, 4-way, VIPT, no aliases, linesize 32 bytes
[ 0.000000] Writing ErrCtl register=0000f648
[ 0.000000] Readback ErrCtl register=0000f648
[ 0.000000] Memory: 28612k/32768k available (1889k kernel code, 4156k reserved, 316k data, 1532k init, 0k highmem)
[ 0.000000] SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:48
[ 0.000000] console [ttyS1] enabled, bootconsole disabled
[ 0.000000] console [ttyS1] enabled, bootconsole disabled
[ 0.010000] Calibrating delay loop... 212.58 BogoMIPS (lpj=1062912)
[ 0.090000] pid_max: default: 32768 minimum: 301
[ 0.090000] Mount-cache hash table entries: 512
[ 0.100000] NET: Registered protocol family 16
[ 0.110000] MIPS: machine is XDX RN502J
[ 0.140000] bio: create slab <bio-0> at 0
[ 0.150000] Switching to clocksource MIPS
[ 0.170000] NET: Registered protocol family 2
[ 0.170000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.190000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[ 0.200000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.220000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.230000] TCP reno registered
[ 0.240000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.250000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.260000] NET: Registered protocol family 1
[ 4.160000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 4.170000] JFFS2 version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 4.190000] msgmni has been set to 55
[ 4.200000] io scheduler noop registered
[ 4.210000] io scheduler deadline registered (default)
[ 4.220000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[ 4.230000] serial8250: ttyS0 at MMIO 0x10000500 (irq = 13) is a 16550A
[ 4.250000] serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
[ 4.270000] physmap platform flash device: 00800000 at bf000000
[ 4.280000] physmap-flash.0: Found 1 x16 devices at 0x0 in 16-bit bank. Manufacturer ID 0x0000c2 Chip ID 0x0022a8
[ 4.300000] Amd/Fujitsu Extended Query Table at 0x0040
[ 4.310000] Amd/Fujitsu Extended Query version 1.1.
[ 4.320000] number of CFI chips: 1
[ 4.330000] 6 cmdlinepart partitions found on MTD device physmap-flash.0
[ 4.340000] Creating 6 MTD partitions on "physmap-flash.0":
[ 4.350000] 0x000000000000-0x000000030000 : "u-boot"
[ 4.370000] 0x000000030000-0x000000040000 : "u-boot-env"
[ 4.390000] 0x000000040000-0x000000050000 : "factory"
[ 4.400000] 0x000000050000-0x000000130000 : "kernel"
[ 4.420000] 0x000000130000-0x000000400000 : "rootfs"
[ 4.430000] mtd: partition "rootfs" set to be root filesystem
[ 4.440000] split_squashfs: no squashfs found in "physmap-flash.0"
[ 4.460000] 0x000000050000-0x000000400000 : "firmware"
[ 4.480000] TCP westwood registered
[ 4.490000] NET: Registered protocol family 17
[ 4.500000] 8021q: 802.1Q VLAN Support v1.8
[ 4.530000] Freeing unused kernel memory: 1532k freed
[ 5.690000] input: gpio-keys-polled as /devices/platform/gpio-keys-polled/input/input0
- preinit -
Press the [f] key and hit [enter] to enter failsafe mode
- regular preinit -
- init -
Please press Enter to activate this console. [ 9.670000] Compat-wireless backport release: compat-wireless-2012-04-17-1-r31387
[ 9.680000] Backport based on wireless-testing.git master-2012-04-17
[ 9.740000] cfg80211: Calling CRDA to update world regulatory domain
[ 9.940000] cfg80211: World regulatory domain updated:
[ 9.950000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 9.970000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 9.980000] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 10.000000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 10.010000] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 10.030000] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 10.160000] SCSI subsystem initialized
[ 10.240000] usbcore: registered new interface driver usbfs
[ 10.250000] usbcore: registered new interface driver hub
[ 10.270000] usbcore: registered new device driver usb
[ 10.480000] usbcore: registered new interface driver rtl8187
272+0 records in
272+0 records out
[ 10.830000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 11.130000] nf_conntrack version 0.5.0 (471 buckets, 1884 max)
[ 11.560000] batman_adv: B.A.T.M.A.N. advanced 2012.1.0 (compatibility version 14) loaded
[ 11.650000] i2c /dev entries driver
[ 11.700000] dwc_otg: version 2.72a 24-JUN-2008
[ 11.710000] dwc_otg: Core Release: 2.66a
[ 11.920000] dwc_otg: Periodic Transfer Interrupt Enhancement - disabled
[ 11.930000] dwc_otg: Multiprocessor Interrupt Enhancement - disabled
[ 11.940000] dwc_otg: Using DMA mode
[ 11.950000] dwc_otg: Device using Buffer DMA mode
[ 11.960000] dwc_otg dwc_otg.0: DWC OTG Controller
[ 11.970000] dwc_otg dwc_otg.0: new USB bus registered, assigned bus number 1
[ 11.990000] dwc_otg dwc_otg.0: irq 26, io mem 0x101c0000
[ 12.000000] dwc_otg: Init: Port Power? op_state=1
[ 12.010000] dwc_otg: Init: Power Port (0)
[ 12.020000] hub 1-0:1.0: USB hub found
[ 12.020000] hub 1-0:1.0: 1 port detected
[ 12.100000] Initializing USB Mass Storage driver...
[ 12.110000] usbcore: registered new interface driver usb-storage
[ 12.120000] USB Mass Storage support registered.
[ 12.170000] Linux video capture interface: v2.00
[ 12.250000] usbcore: registered new interface driver zd1211rw
[ 12.310000] gspca_main: v2.14.0 registered
[ 16.590000] ramips-wdt: timeout value 60 must be 0 < timeout < 40
[ 24.800000] device eth0.1 entered promiscuous mode
[ 24.810000] device eth0 entered promiscuous mode
[ 24.940000] br-lan: port 1(eth0.1) entering forwarding state
[ 24.960000] br-lan: port 1(eth0.1) entering forwarding state
^[OM
BusyBox v1.19.4 (2012-04-23 23:51:27 EDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
ATTITUDE ADJUSTMENT (31387, r31387)
-----------------------------------------------------
* 1/4 oz Vodka Pour all ingredients into mixing
* 1/4 oz Gin tin with ice, strain into glass.
* 1/4 oz Amaretto
* 1/4 oz Triple sec
* 1/4 oz Peach schnapps
* 1/4 oz Sour mix
* 1 splash Cranberry juice
-----------------------------------------------------
root@OpenWrt:/#
This is promising! The wireless card works (after enabling it in /etc/config/wireless and doing /etc/init.d/network restart), and there are eth0, eth0.1 and eth0.2 although there's only one ethernet port. I suppose this is because the XDX-RN502J board has more than one, and this can be fixed by some configuration. The LAN LED flashes correctly, and the 3G LED flashes during boot, then stays ON. When I bring wlan0 up with ifconfig, the WIFI LED goes ON. All good :)
However, when restarting the network, I see these errors:
root@OpenWrt:/# /etc/init.d/network restart
/sbin/wifi: eval: line 1: hostapd_set_log_options: not found
/sbin/wifi: eval: line 1: hostapd_set_bss_options: not found
/sbin/wifi: eval: line 1: hostapd: not found
Failed to start hostapd for phy0
I don't know how to fix that.
I would now like to write this image to the flash memory, but I don't know how I should do that. I'm currently booting with a ramfs+initrd image. Ideally, I would flash from the web interface, so nobody else has to solder a cable to flash this model.
Currently, here are the options I see for flashing:
* Using "2: Load system code then write to Flash via TFTP." from U-Boot menu
* Using "4: Entr boot command line interface." from U-Boot menu, download the image (how?) and write it to the correct address (which?)
* Download the image while running OpenWRT and write it with mtd or dd
* Original firmware web interface, which has a form to upload a firmware
Here's the mtd layout:
root@OpenWrt:/# cat /proc/mtd
dev: size erasesize name
mtd0: 00030000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00010000 00010000 "factory"
mtd3: 000e0000 00010000 "kernel"
mtd4: 002d0000 00010000 "rootfs"
mtd5: 003b0000 00010000 "firmware"
I'm not sure where to start.
It is important to me to test the flashing from the original firmware, so I made a backup of the mtdX devices so I can copy them back in case I wipe it. I guess I could restore it by booting this ramfs image I'm using, then dd the mtd partitions back to the flash.
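An added example, not part of the original post: a pre-flash sanity check that validates a legacy uImage (magic, header CRC, data CRC) and checks it against the partition map printed in the kernel log above. The function names are hypothetical, the flash base and partition lines are taken from the logs in the post, and the sample image is constructed.

```python
import re
import struct
import zlib
FLASH_BASE = 0xBF000000          # boot log: "physmap platform flash device: 00800000 at bf000000"
ERASE_SIZE = 0x10000             # erasesize column of /proc/mtd in the post
UIMAGE_MAGIC = 0x27051956        # legacy U-Boot image magic
HDR = struct.Struct(">7I4B32s")  # magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name

# Partition lines copied from the kernel log in the post.
DMESG = '''
[ 4.350000] 0x000000000000-0x000000030000 : "u-boot"
[ 4.370000] 0x000000030000-0x000000040000 : "u-boot-env"
[ 4.390000] 0x000000040000-0x000000050000 : "factory"
[ 4.400000] 0x000000050000-0x000000130000 : "kernel"
[ 4.420000] 0x000000130000-0x000000400000 : "rootfs"
[ 4.460000] 0x000000050000-0x000000400000 : "firmware"
'''

def parse_mtd_map(log):
    """Return {name: (start, end)} from 'start-end : "name"' kernel log lines."""
    pat = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')
    return {name: (int(s, 16), int(e, 16)) for s, e, name in pat.findall(log)}

def check_uimage(blob):
    """Validate a legacy uImage: magic, header CRC, payload length and data CRC."""
    if len(blob) < HDR.size:
        raise ValueError("shorter than the 64-byte header")
    magic, hcrc, _t, size, _load, _ep, dcrc, _os, _arch, _type, _comp, name = HDR.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic %#x" % magic)
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:HDR.size]   # header CRC is computed with hcrc = 0
    if zlib.crc32(zeroed) != hcrc:
        raise ValueError("header CRC mismatch")
    data = blob[HDR.size:HDR.size + size]
    if len(data) != size or zlib.crc32(data) != dcrc:
        raise ValueError("payload truncated or data CRC mismatch")
    return {"name": name.rstrip(b"\0").decode("ascii", "replace"), "size": size}

def plan_flash(blob, partition, mtd_map):
    """Return (flash address, erase blocks needed); raise if the image is bad or too big."""
    info = check_uimage(blob)
    start, end = mtd_map[partition]
    total = HDR.size + info["size"]
    if total > end - start:
        raise ValueError("%d bytes do not fit in %s (%d bytes)" % (total, partition, end - start))
    return FLASH_BASE + start, -(-total // ERASE_SIZE)   # ceiling division

def build_sample(payload, name=b"constructed sample"):
    """Constructed test image: a valid header (Linux, MIPS, kernel, lzma) around any payload."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80000000, 0x80000000,
              zlib.crc32(payload), 5, 5, 2, 3, name]
    fields[1] = zlib.crc32(HDR.pack(*fields))
    return HDR.pack(*fields) + payload
```

With a payload of 2243676 bytes (the "Data Size" in the TFTP boot log), the image is 2243740 bytes long, matching "Bytes transferred", and `plan_flash(..., "firmware", ...)` returns address 0xBF050000, the same address the stock U-Boot boots from.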