OpenWrt Forum Archive

Topic: Hi-Link wireless module HLK-RM04

The content of this topic has been archived between 31 Dec 2017 and 26 Apr 2018. Unfortunately there are posts – most likely complete pages – missing.

Coincidentally, we've just received this device on our test bench.  It was purchased to possibly use in a project requiring remote connections.  It seems fairly capable, containing
4MB Flash - PMC PM25LQ032
16MB RAM - ESMT M12L128168A

And has the added benefit of being explicitly pinned out to a very good degree.  The downside is that the software has been modified to limit hackability.  There is almost no boot text except for

LINUX started...

THIS IS ASIC

And it doesn't seem possible to trap in u-boot's command interpreter.  TFTP (although blind due to no text output) may be an option because starting up while repeatedly pressing 1 on host PC does make the device pause and stop the boot sequence.  Something to try later.

So far, we've dumped the serial flash and are just taking a small look around to see what build they may be running.

(Last edited by oschemes on 4 Mar 2013, 20:46)

I recently acquired this module and observed the same.

I removed the flash from the board and programmed it with an image taken from a stock HAME MPR-A1 3G router. Much to my amusement the HLK-RM04 module booted successfully.

I'd recently built a working openwrt image for my MPR-A1. I uploaded this to the HLK-RM04 using the bootloader copied from the MPR-A1. Unfortunately the openwrt image fails to boot, see below:-

## Booting image at bc050000 ...                                               
raspi_read: from:50000 len:40                                                   
.   Image Name:   MIPS OpenWrt Linux-3.7.9                                     
   Created:      2013-03-15   4:15:36 UTC                                       
   Image Type:   MIPS Linux Kernel Image (lzma compressed)                     
   Data Size:    916029 Bytes = 894.6 kB                                       
   Load Address: 80000000                                                       
   Entry Point:  80000000                                                       
raspi_read: from:50040 len:dfa3d                                               
..............   Verifying Checksum ... OK                                     
   Uncompressing Kernel Image ... OK                                           
No initrd                                                                       
## Transferring control to Linux (at address 80000000) ...                     
## Giving linux memsize in MB, 16                                               
                                                                               
Starting kernel ...                                                             
                                                                               
[    0.000000] Linux version 3.7.9 (user@openwrtdev) (gcc version 4.6.4 20121213
[    0.000000] bootconsole [early0] enabled                                     
[    0.000000] CPU revision is: 0001964c (MIPS 24KEc)                           
[    0.000000] Ralink RT5350 id:1 rev:3 running at 360.00 MHz                   
[    0.000000] Determined physical RAM map:                                     
[    0.000000]  memory: 02000000 @ 00000000 (usable)                           
[    0.000000] Initrd not found or empty - disabling initrd                     
[    0.000000] Zone ranges:                                                     
[    0.000000]   Normal   [mem 0x00000000-0x01ffffff]                           
[    0.000000] Movable zone start for each node                                 
[    0.000000] Early memory node ranges                                         
[    0.000000]   node   0: [mem 0x00000000-0x01ffffff]       
....gets stuck here

If anybody can give me a pointer where to look to fix this, it would be most appreciated.

There is a firmware upgrade page from this module's router page. Has anyone tried using it for an OpenWrt upgrade?

paulsykes wrote:

I recently acquired this module and observed the same.

I removed the flash from the board and programmed it with an image taken from a stock HAME MPR-A1 3G router. Much to my amusement the HLK-RM04 module booted successfully.

I'd recently built a working openwrt image for my MPR-A1. I uploaded this to the HLK-RM04 using the bootloader copied from the MPR-A1. Unfortunately the openwrt image fails to boot, see below:-

## Booting image at bc050000 ...                                               
raspi_read: from:50000 len:40                                                   
.   Image Name:   MIPS OpenWrt Linux-3.7.9                                     
   Created:      2013-03-15   4:15:36 UTC                                       
   Image Type:   MIPS Linux Kernel Image (lzma compressed)                     
   Data Size:    916029 Bytes = 894.6 kB                                       
   Load Address: 80000000                                                       
   Entry Point:  80000000                                                       
raspi_read: from:50040 len:dfa3d                                               
..............   Verifying Checksum ... OK                                     
   Uncompressing Kernel Image ... OK                                           
No initrd                                                                       
## Transferring control to Linux (at address 80000000) ...                     
## Giving linux memsize in MB, 16                                               
                                                                               
Starting kernel ...                                                             
                                                                               
[    0.000000] Linux version 3.7.9 (user@openwrtdev) (gcc version 4.6.4 20121213
[    0.000000] bootconsole [early0] enabled                                     
[    0.000000] CPU revision is: 0001964c (MIPS 24KEc)                           
[    0.000000] Ralink RT5350 id:1 rev:3 running at 360.00 MHz                   
[    0.000000] Determined physical RAM map:                                     
[    0.000000]  memory: 02000000 @ 00000000 (usable)                           
[    0.000000] Initrd not found or empty - disabling initrd                     
[    0.000000] Zone ranges:                                                     
[    0.000000]   Normal   [mem 0x00000000-0x01ffffff]                           
[    0.000000] Movable zone start for each node                                 
[    0.000000] Early memory node ranges                                         
[    0.000000]   node   0: [mem 0x00000000-0x01ffffff]       
....gets stuck here

If anybody can give me a pointer where to look to fix this, it would be most appreciated.

I met the same problem as you, and solved it by recompiling OpenWrt following this topic.

I met the same problem as you, and solved it by recompiling OpenWrt following this topic.

Do you mean this? I will try it on my board and see. Thank you.

Great!  Thanks for posting your pic, it will help the other MPR-A1 users!
I'm sure you know this, but now you need to rebuild your OpenWrt with Squonk's rt5350 patches, and set the kernel config to mem=32M.  Squonk showed me where this is located - for those who may not know, here is his clip from email.
-----------
'make kernel_menuconfig' -> Kernel hacking -> 'rootfstype=squashfs,jffs2 mem=32M' or by editing the CONFIG_CMDLINE directly in target/linux/ramips/config/default.
Once you have changed the memory size, recompile with 'make target/clean world' and reflash.
------------
I am still using linuxpro's bootloader, but I reflashed the system code to a fresh OpenWRT build that has enough USB support to shift the bootup to a USB drive formatted ext4.  Now I have 8GB of space to install LuCI and all sorts of other stuff.  Doubling the ram to 32MB was a big help.

Also - to all:  I discovered that the reason HAME and clones sometimes do not boot up with the serial port attached is due to noise on one of the OTHER empty config lines located near the 40MHz oscillator.  I have not added any resistors to fix it, but I do know that if you just pinch your fingers hard onto the empty resistor footprints near the osc (Directly above the "Ra" in Ralink in xopal's picture) the troublesome devices will boot even with serial attached.  It's strange, 2 of my devices act nicely, 4 do not.

oschemes wrote:

Coincidentally, we've just received this device on our test bench.  It was purchased to possibly use in a project requiring remote connections.  It seems fairly capable, containing
4MB Flash - PMC PM25LQ032
16MB RAM - ESMT M12L128168A

And has the added benefit of being explicitly pinned out to a very good degree.  The downside is that the software has been modified to limit hackability.  There is almost no boot text except for

LINUX started...

THIS IS ASIC

And it doesn't seem possible to trap in u-boot's command interpreter.  TFTP (although blind due to no text output) may be an option because starting up while repeatedly pressing 1 on host PC does make the device pause and stop the boot sequence.  Something to try later.

So far, we've dumped the serial flash and are just taking a small look around to see what build they may be running.

You are always lucky. I got 4 pieces of this module, with the same SDRAM, but the flash is WINBOND on 3 of them and ST on 1. None of them shows any letter on the serial terminal.

binwalk shows that it is u-boot.

(Last edited by trapdragon on 12 Apr 2013, 15:57)

@trapdragon.  Maybe your baud rate is wrong?  Or maybe the vendor figured out how to remove those last few messages.

Does anyone know if this device's web interface will accept a plenary firmware for upgrade?  It might be encrypted, but we've figured out how to make those firmware images recently.  Looks like it's time to take this little guy back off the shelf!

oschemes wrote:

@trapdragon.  Maybe your baud rate is wrong?  Or maybe the vendor figured out how to remove those last few messages.

Does anyone know if this device's web interface will accept a plenary firmware for upgrade?  It might be encrypted, but we've figured out how to make those firmware images recently.  Looks like it's time to take this little guy back off the shelf!

@oschemes

My RM04 works fine with gaplee's suggestion of putting mem=16M in the kernel hacking setting.
https://forum.openwrt.org/viewtopic.php … 2&p=18

With wifi on, the device seems busy at the console prompt (slow).
I am trying LuCI etc., but I have to recompile the ipk files; those in the trunk repository do not work.

The webpage interface checks for something, so I just flashed completely.

(Last edited by trapdragon on 18 Apr 2013, 02:35)

trapdragon wrote:

My RM04 works fine with gaplee's suggestion of putting mem=16M in the kernel hacking setting.
https://forum.openwrt.org/viewtopic.php … 2&p=18

With wifi on, the device seems busy at the console prompt (slow).
I am trying LuCI etc., but I have to recompile the ipk files; those in the trunk repository do not work.

The webpage interface checks for something, so I just flashed completely.


Hmm, I will have to flash one with OpenWRT.  I would expect it to be pretty responsive, since it is so similar to MPR-A1.  You could check "free" to see if it is somehow running out of memory.  With stock Openwrt you're OK with 16MB, but after adding USB and other stuff (like samba) I did find that a 16MB device bogged down quickly.

How handy are you with a soldering iron?  It's possible to replace that 16MB chip with a 32MB (or 64, but only 32 can be used by RT5350). 

I got some $15 laptop memory SODIMM's to harvest PC133 memory from ebay.  Each one had 8x 32x16 PC133 SDRAM.

These were overkill due to the RT5350's 32MB limit, but still work.  You're better off using 16x16, for 32MB per chip.

If you'd like to search it, probably "256MB 16x16 PC133 SODIMM" (and maybe include "8-chip", which kind of forces 16x16 configuration) will find you a suitable RAM stick to take chips from.

If you want a sure thing, you can always buy the 64MB chips and waste half their capacity.  This is an example of the device that I am using.  (yes, this seller is good)
http://www.ebay.com/itm/512MB-PC133-144 … 2c57cc19d4

(Last edited by oschemes on 8 May 2013, 04:48)

Share my hlk-rm04 openwrt resource.
I don't know how to generate the DTS patch; can someone tell me how to create it? If so, I can publish the HLK-RM04 patches just like Squonk does with the Hame MPR-A1.

(Last edited by gaplee on 11 May 2013, 18:54)

I've been playing with these modules a bit and I have discovered a few things.  There are a number of undocumented AT commands in the stock firmware.  Here's the full list of them:

Channel
CLport
default
dhcpc
dhcpd
dhcpd_dns
dhcpd_ip
dhcpd_time
err
escap
excxxx
Get_MAC
gpio_mode
gpio_read
gpio_save
gpio_write
net_commit
net_dns
net_ip
netmode
net_wanip
out_trans
pm
reboot
reconn
remoteip
remoteport
remotepro
S2N_Stat
save
settings
settings_done
status
suspend
tcp_auto
tcp_client_check
uart
uartpackintertimeout
uartpacklen
uartpacktimeout
ver
wifi_conf
wifi_ConState
wifi_Scan
XON_XOFF

The most interesting of these is at+excxxx; it's just a call to system() with the argument you provide.  You can start telnetd with it to get a shell.

at+excxxx=telnetd

You can also get a shell on UART2 by sending the special sequence "174317529705122" and return.  getty sets up the port for 57600 baud and waits on this sequence before it's allowed to accept characters and output anything.  login has already issued the "login:" prompt, so after entering the sequence, you won't see anything until login asks for the password.

I've documented the above already in the wiki, including a bit on TFTP, check it out.

Here's a couple of handy resources not referenced here yet:

A schematic of the HLK starter kit V1.7 PCB in this zip: http://m5.img.dxcdn.com/CDDriver/CD/sku.214540.zip
The manual for the module in English is here: http://www.hlktech.net/inc/lib/download … php?DId=19

Cheers!

(Last edited by jkent on 9 Jun 2013, 20:22)

I had some issues extracting the squashfs on my first dump.  I decided to make a patch against squashfs4.2 so it handles the hybrid zlib/lzma squashfs.  It should work fine with normal squashfs images still.  The squashfs is on mtd5 if you want to try it yourself.  Easiest way to get it off the device is to be running a tftp server and do like so:

cd /dev
tftp -p -l mtd5ro 192.168.16.1

Here's the patch:

https://gist.github.com/jkent/5747180

-------------

I found yet another way in...  There sure are a lot of backdoors!
http://admin:admin@192.168.16.254/adm/h … 283194.asp

Unfortunately the POST URL is wrong.. but there is a solution for that...

https://gist.github.com/jkent/5748249

(Last edited by jkent on 10 Jun 2013, 13:03)

@jkent nice work! I'll try it later.

Hi All,

With the GPIOs, is it possible to create an embedded device server for an IoT application?
Regards
Sougata

I think they decided to disable USB and GIO functionality in their newest release as the new user manual differs from the first one in the pin table:

http://img818.imageshack.us/img818/2219/fuli.png

Curiously, the new eval board revision has a new Female USB-A footprint:

http://img14.imageshack.us/img14/8657/lrx9.th.jpg http://img824.imageshack.us/img824/2165/i1qw.th.jpg http://img46.imageshack.us/img46/7123/3o7a.th.jpg

And the backdoor that jkent found doesn't work anymore on latest 1.59 firmware.

If I go through all the hassle of desoldering and reflashing it with the MPR-A1 firmware, are the AT commands still available? Do they change? Any functionality lost?

I mainly want to have full control of everything via the serial port and do things such as force wifi to 11Mbits/s (b) when the selected SSID is weak. All from a microcontroller. This functionality currently isn't provided via the serial port, only via the web interface, which kinda sucks for my application.

I have 512MB SDRAM laying around with 16 32MB MT48LC32M8A2 RAM chips on it. Would they work with this module if I solder them instead of 16MB chip that is on the board?

carloscuev07 wrote:

And the backdoor that jkent found doesn't work anymore on latest 1.59 firmware.

This is the same firmware version that I found the backdoor on.

AT+VER=?
V1.59(Apr  1 2013)

Are you positive about this?  There are 3 different binaries with backdoors, /sbin/getty (busybox), /bin/ser2net (hilink serial port server), and /bin/goahead (the ralink httpd).

There is also a TFTP flashing option, which still needs some investigation.  If you hold down the WPS button at power on, u-boot will start up with a static IP and will try to TFTP GET a couple of files and then write them to flash.  You can use wireshark to trace this behavior.  If you don't have a means of reflashing your SPI flash after bricking your device, I would not recommend trying this.

(Last edited by jkent on 5 Jul 2013, 17:58)
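
An added example, not part of the original posts: one way to audit an unsquashed stock rootfs for the two strings quoted in this thread and to map the three named binaries to the real files behind them. The function names and the sample tree are constructed for illustration, and it assumes the strings are stored as plain ASCII.

```python
import os
import tempfile
from pathlib import Path

# Strings quoted in the thread: the AT command whose argument goes to system()
# and the UART2 getty unlock sequence. Assumption: both sit in the binaries as
# plain ASCII; the thread does not confirm how they are stored.
MARKERS = (b"excxxx", b"174317529705122")
# Binaries the thread names as containing backdoors (paths inside the rootfs).
NAMED_BINARIES = ("sbin/getty", "bin/ser2net", "bin/goahead")


def resolve_in_root(root, rel):
    """Follow symlinks inside the extracted tree; absolute targets such as
    /bin/busybox are re-rooted under `root`, never read from the host."""
    path = os.path.join(root, rel)
    for _ in range(8):  # bounded, so a symlink loop cannot hang the audit
        if not os.path.islink(path):
            break
        target = os.readlink(path)
        base = root if os.path.isabs(target) else os.path.dirname(path)
        path = os.path.normpath(os.path.join(base, target.lstrip("/")))
    return path


def scan_tree(root):
    """Return {relative_path: {marker: first_offset}} for regular files only."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        data = path.read_bytes()  # stock rootfs binaries are small
        found = {m: data.find(m) for m in MARKERS if m in data}
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def report_named(root, hits):
    """For each binary named in the thread: (real file behind it, markers)."""
    out = {}
    for rel in NAMED_BINARIES:
        real = os.path.relpath(resolve_in_root(root, rel), root)
        out[rel] = (real, sorted(m.decode() for m in hits.get(real, {})))
    return out


def build_constructed_rootfs():
    """Constructed stand-in for an unsquashed rootfs (not real firmware)."""
    root = Path(tempfile.mkdtemp(prefix="rm04-rootfs-"))
    (root / "bin").mkdir()
    (root / "sbin").mkdir()
    (root / "bin/busybox").write_bytes(b"\x7fELF..174317529705122\0login\0")
    (root / "bin/ser2net").write_bytes(b"\x7fELF..at+excxxx\0system\0")
    (root / "bin/goahead").write_bytes(b"\x7fELF..no marker here\0")
    (root / "sbin/getty").symlink_to("/bin/busybox")
    return root
```

An empty marker list for a named binary is not a clean result: the URL of the hidden goahead page is truncated on this page, so no marker for it is included here.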

Hattori_Hanzo wrote:

I have 512MB SDRAM laying around with 16 32MB MT48LC32M8A2 RAM chips on it. Would they work with this module if I solder them instead of 16MB chip that is on the board?

Unfortunately no, these will not work.  They are 32Mx8, which means they have an 8-bit wide data bus.  16-bit wide SDRAM chips are required, so you're looking for a 16Mx16 organization.

These are the chips I'm using for development:

I have soldered and verified the SDRAM works but I've not yet done anything with the SPI flash with the module.  I have, however, tested the 16MB SPI flash chip with flashrom and notified the flashrom list that it works.

(Last edited by jkent on 5 Jul 2013, 17:52)

I have Firmware(V1.59(Apr 1 2013)).
And the backdoor of jkent works perfectly. I have access to a telnet terminal.

https://gist.github.com/jkent/5748249

(Note: Special thank you to jkent!)

We probably have easy ways to modify the firmware or uboot using the terminal, tftp - I'll look into it.

Interesting too...
http://192.168.16.254/adm/hlk_update_ww … ch_com.asp

And I hope you have noticed this url
http://192.168.16.254/home.asp

(Last edited by gabriel.klein on 7 Jul 2013, 23:47)

Interesting files:

cat /etc_ro/rcS  : What is launched when you start the card.

/etc_ro/web/* : The files on the web server.

/proc/version

cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00400000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 000c1295 00010000 "Kernel"
mtd5: 002eed6b 00010000 "RootFS"
mtd6: 003b0000 00010000 "Kernel_RootFS"

/dev/mtd??: Probably we can extract and rewrite the file system using that...

mtd_write
Example: To write linux.trx to mtd4 labeled as linux and reboot afterwards
         mtd -r write linux.trx linux
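
An added example, not part of the original posts: /proc/mtd lists sizes but no offsets, so this sketch infers each partition's byte range and carves it from a full 4MB flash dump. It assumes the non-overlay partitions are contiguous in listed order and that "ALL" and "Kernel_RootFS" overlay the others. The inferred kernel start of 0x50000 agrees with the "raspi_read: from:50000" line in the boot log earlier in the thread.

```python
import re

# /proc/mtd as posted in the thread (size and erasesize are hexadecimal).
PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00400000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 000c1295 00010000 "Kernel"
mtd5: 002eed6b 00010000 "RootFS"
mtd6: 003b0000 00010000 "Kernel_RootFS"
"""

# Assumption, not stated by /proc/mtd: these entries overlay other partitions.
# Value = the partition whose start offset they share (None = offset 0).
OVERLAYS = {"ALL": None, "Kernel_RootFS": "Kernel"}

ROW = re.compile(r'(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"', re.I)


def parse_proc_mtd(text):
    """Return [(dev, name, size, erasesize)] for every partition row."""
    return [(m[1], m[4], int(m[2], 16), int(m[3], 16))
            for m in map(ROW.match, text.splitlines()) if m]


def infer_layout(rows, overlays=OVERLAYS):
    """Assign offsets, assuming the non-overlay partitions are contiguous from
    offset 0 in listed order. Returns {name: {dev, start, end, aligned}}."""
    layout, cursor = {}, 0
    def entry(dev, start, size, erase):
        return {"dev": dev, "start": start, "end": start + size,
                "aligned": start % erase == 0 and size % erase == 0}

    for dev, name, size, erase in rows:
        if name not in overlays:
            layout[name] = entry(dev, cursor, size, erase)
            cursor += size
    for dev, name, size, erase in rows:
        if name in overlays:
            base = overlays[name]
            start = layout[base]["start"] if base else 0
            layout[name] = entry(dev, start, size, erase)
    return layout


def carve(dump, layout, name):
    """Slice one partition out of a full-flash dump (the "ALL" device)."""
    if len(dump) != layout["ALL"]["end"]:
        raise ValueError("dump size does not match the ALL partition")
    part = layout[name]
    return dump[part["start"]:part["end"]]


if __name__ == "__main__":
    for name, p in infer_layout(parse_proc_mtd(PROC_MTD)).items():
        flag = "" if p["aligned"] else "  <- not erase-block aligned"
        print(f'{p["dev"]} {name:14} 0x{p["start"]:06x}-0x{p["end"]:06x}{flag}')
```

Under these assumptions the Kernel/RootFS boundary falls at 0x111295, which is not a multiple of the 0x10000 erase size, so the two partitions share an erase block.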

>Patch for trunk 35407

Does this mean that openWrt is now working on this device?

How is it flashed?

With the original software, when you get a telnet console, is there something like dmesg?

gaplee wrote:

HLK-RM04 Patch for trunk 35407

Fantastic!  I hope to find some time soon to try it out.

lizby wrote:

With the original software, when you get a telnet console, is there something like dmesg?

Yes, there is logread.  Busybox was unfortunately not compiled with the dmesg applet.

Here's what busybox has to offer in the stock firmware:

Currently defined functions:
        [, [[, ash, basename, brctl, cat, chmod, chpasswd, cp, date, echo,
        expr, free, getty, grep, halt, hostname, ifconfig, init, init, insmod,
        kill, killall, klogd, logger, login, logread, ls, lsmod, mdev, mkdir,
        mknod, mount, ping, ping6, poweroff, printf, ps, pwd, reboot, rm,
        rmmod, route, sed, sh, sleep, syslogd, telnetd, test, tftp, top,
        touch, udhcpc, udhcpd, umount, uptime, vconfig, wc

(Last edited by jkent on 13 Jul 2013, 13:58)