Topic: Netgear WNDAP360 -> How to hack?

The content of this topic has been archived between 8 Feb 2018 and 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Page 1 of 2

Post #1

jaceq

22 Mar 2013, 10:21

Hello,

I have few of WNDAP360 access points from Netgear.

I found this page: http://wiki.openwrt.org/toh/netgear/wndap360 but it's highly incomplete, also there is no build target for it.
Is there any work being done on this device? Original firmware is really crap with major problems.
In case there is no work in progress, maybe I can do it myself, but I am not sure where to start.
I have root access to OS (original is linux based) as well as access to boot loader via serial console.
I've tried getting uImage from openWRT build (gzipped) but I get error:

ar7100> bdinfo
boot_params = 0x87F73FA4
memstart    = 0x80000000
memsize     = 0x08000000
flashstart  = 0xBF000000
flashsize   = 0x00800000
flashoffset = 0x0002F62C
ethaddr     = 00:00:00:00:00:00
ip_addr     = 192.168.1.100
baudrate    = 9600 bps
ar7100> tftpboot 0x80000000 uImage.bin
Trying eth0
Using eth0 device
TFTP from server 192.168.1.1; our IP address is 192.168.1.100
Filename 'uImage.bin'.
Load address: 0x80000000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #######################
done
Bytes transferred = 1446611 (1612d3 hex)
ar7100> bootm
## Booting image at 80000000 ...
   Image Name:   MIPS OpenWrt Linux-3.8.3
   Created:      2013-03-21   1:18:02 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    1446547 Bytes =  1.4 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... Error: inflate() returned -3
GUNZIP ERROR - must RESET board to recover

Any advice why this might be happening?
I noticed that in stock firmware Load address and entry point are different, might this be an issue?
Original kernel boots like this:

Enter SPACE to drop into boot loader:  0 
## Booting image at bf050000 ...
   Image Name:   Linux Kernel
   Created:      2012-10-25   6:08:28 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    917504 Bytes = 896 kB
   Load Address: 80020000
   Entry Point:  801ec000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 801ec000) ...
## Giving linux memsize in bytes, 134217728

Starting kernel ...
�Linux version 2.6.23-WNDAP360_V2.1.5 (root@localhost.localdomain) (gcc version 4.2.4) #1 Thu Oct 25 11:28:28 IST 2012

(Last edited by jaceq on 22 Mar 2013, 10:23)

Post #2

jaceq

22 Mar 2013, 17:40

So problem with unzipping was related to memory over write.
Now if I tftpboot into different place in memory (at the end), I manage to start kernel, but it panics as it can't mount root FS.
It detects no partition and it seems that driver for internal flash is missing...

Interesting thing is that any mention of board AP94 I find it regards kernel 2.6.x and not 3.x is it possible that board AP94 is not supported by kernels 3.x ?

Are there any special modules / settings that I need to use to compile kernel for AP94 board?

Also one more thing, is it possible to just replace rootFS and keep original kernel in place (since it works), also in case of problems is there a procedure how to restore origian firmware via a uboot ?

(Last edited by jaceq on 22 Mar 2013, 17:42)

Post #3

MBS

23 Mar 2013, 01:03

to really comment if the driver for the flash is missing, we would need the bootlog. another reason for not being able to mount the rootfs is that openwrt uses a different partition layout than the original firmware.

Post #4

vhrm

23 Mar 2013, 03:46

I don't have any comment on whether the flash chip is supported or not, but check out this thread about the WNR2000. It's an AP81 board but it doesn't have an official image. Instead you copy the kernel to one place and the root fs to a different place so as to conform to the expectations that the default uboot has..

https://forum.openwrt.org/viewtopic.php?id=18279

You can presumably do something similar.

Also... looking through the code it seems to me that the AP94 support for at least some of the components was abstracted into some AP9x stuff.
e.g. if you look in files in target/linux/ar71xx/files/arch/mips/ath79 there's still mentions of ap94 if you grep for it.

Looking around i can't figure out what actually the difference is between the ap94 and the ap96 (they seem very similar). So i'd just try to build an ap96 image (for which there is a target) to start with.

Oh, one thing to note. For the AP81 on current trunk the various kernel images weren't being built because with debug symbols and such the actual kernel image was bigger than some 1M limit set in the build process. The failures didn't fail the build though so they were only apparent if looking closely through the output (and noting the files were missing)

Post #5

jaceq

23 Mar 2013, 14:49

MBS@ : I will post log from booting on monday (as I have this at work), in terms of partition places, these are passed via kernel CMD line (from env variables)

vhrm@ : this is exactly what I want to do I am trying to boot kernel via uboot (with tftp) so I can confirm that it's working first, than I will flash if into place where original is (again, via uboot), and then I will do root FS... the only trick is that I can't get kernel to work yet... I will try 2.6.xx on monday, maybe in some magical way this will work... Also, worst case scenario would be to try to flash just rootfs but then I would have to copy kernel modules from old one... messy thing really.
In terms of images, I tried with self built as well, I build for ar71xx, generic board so in theory it should have all drivers... my kernel is 1,4 megs gzipped (and it means it will not fit like this into flash partition as it's only 1 meg but this is problem for later

(Last edited by jaceq on 23 Mar 2013, 14:51)

Post #6

vhrm

23 Mar 2013, 23:41

Going to old kernels is barking up the wrong tree, in my opinion. the move to 3.x kernels wasn't even a big change it was just the whole Chrome version numbering system (which 15 years ago happened with Solaris) also apparently Linus' mind. Because bigger numbers are impressive, apparently.

Also, if you have one of these you should take it apart and take pictures and put them on the wiki.

The flashing the rootfs route is HIGHLY unlikely to work because you'd have to build matching kernel modules for that particular kernel. bleh.

I'm still not 100% on all the different moving parts that it takes to get openwrt support going, but they have (some of) the code available for this thing at http://kb.netgear.com/app/answers/detail/a_id/2649

For the life of me i don't understand why they pack it the way they do ... (are they trying to defeat search engines or something ? )

it's tar -> tar -> bzip2 -> zip i thought it was some sort of error... but once you get it open the README.txt actually does have that in it:

Unpack the open source distribution into a separate directory using the
follwoing command:
$ unzip wndap360_v<version>_ww_src.tar.bz2.zip
$ tar xvjf wndap360_v<version>_ww_src.tar.bz2
$ tar xvf wndap360_v<version>_ww_src.tar

To my eye it doesn't look TOO much is patched. i.e. nothing that adds whole drivers (though i could just be missing it).

BTW, i think this thread actually belong in the Dev section. "Hardware Hacking" is, i think , for people cutting things and soldering things. My impression is that the dev forum gets a bit more traffic too.

Post #7

jaceq

24 Mar 2013, 10:04

Hi,

Thanks for a lot of information.
In terms of flashing rootfs only I am aware that I need modules from old rootFS but this isn't too much of a problem really, I can just replace original and than flash that in.
I will have a look at netgear original firmware, this is good path
As I said tomorrow, I will post more output here with details of problem.

In terms of going for old kernel... well tbh anything will be better than original firmware, and I mean anything. AP has MAJOR issues (we have 4 of them and they all have same problems), devices won't route, they have random reboots etc. (I found some threads on various forums and many people are complaining about the same issues.

Also you might be right about wrong forum, can some admin move this to dev forum, please?

EDIT: Actually they have patch there that adds that board to kernel: includes/platforms/WNDAP360/patches/arch_n_bsp/000-ap94bsp-on-linux-2.6.23.patch
I don't know if this stuff is not in openwrt or if it's different... but maybe this is it? I will play a bit and we will see

(Last edited by jaceq on 24 Mar 2013, 11:46)

Post #8

jaceq

25 Mar 2013, 15:48

So, I managed to compile kernel form stable branch but are still having same problem as will latest one, console dump:

### main_loop: bootcmd="bootm 0xbf050000"
Enter SPACE to drop into boot loader:  0 
ar7100> 
ar7100> tftpboot 0x85000000 3.bin
Trying eth0
Using eth0 device
TFTP from server 192.168.1.1; our IP address is 192.168.1.100
Filename '3.bin'.
Load address: 0x85000000
Loading: #################################################################
         #################################################################
         #################################################################
         ########################################
done
Bytes transferred = 1198929 (124b51 hex)
ar7100> bootm 0x85000000
## Booting image at 85000000 ...
   Image Name:   MIPS OpenWrt Linux-2.6.32.27
   Created:      2013-03-25  14:21:03 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    1198865 Bytes =  1.1 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 134217728

Starting kernel ...

Linux version 2.6.32.27 (jacek@jacek-MacBookPro) (gcc version 4.3.3 (GCC) ) #2 Mon Mar 25 15:21:01 CET 2013
bootconsole [early0] enabled
CPU revision is: 00019374 (MIPS 24Kc)
Atheros AR7161 rev 2, CPU:680.000 MHz, AHB:170.000 MHz, DDR:340.000 MHz
Determined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00008000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line:  console=ttyS0,9600 rootfstype=squashfs root=31:03 init=/sbin/init mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),1024k(vmlinux.gz.uImage),6208k(rootfs),512k(var),64k(manufacturing-data),64k(ART)
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 126660k/131072k available (2044k kernel code, 4224k reserved, 406k data, 148k init, 0k highmem)
SLUB: Genslabs=7, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Hierarchical RCU implementation.
NR_IRQS:56
Calibrating delay loop... 452.19 BogoMIPS (lpj=2260992)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
MIPS: machine is Generic AR71xx board
bio: create slab <bio-0> at 0
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
yaffs Mar 25 2013 15:07:58 Installing. 
msgmni has been set to 247
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
console [ttyS0] enabled, bootconsole disabled
console [ttyS0] enabled, bootconsole disabled
Atheros AR71xx SPI Controller driver version 0.2.4
Atheros AR71xx hardware watchdog driver version 0.1.0
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Cannot open root device "31:03" or unknown-block(31,3)
Please append a correct "root=" boot option; here are the available partitions:
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,3)

Kernel cmdline is taken from uboot env so partitions are matching what is on device...
Any ideas? I was thinking about trying to apply patches from stock firmware (if that is even possible).

Post #9

robthebrew

25 Mar 2013, 16:09

Finally a day off, and unfortunately have had a beer!, but is what you are loading mapping to what you have in partitions?
Looks like it can't find rootfs

p.s. when will a spell check be available for hackers? Grrr.

Post #10

jaceq

25 Mar 2013, 18:28

Hi,

I see it can't find partitions
I get that from uboot env and this is used by original kernel so I am pretty sure it's ok.
I think it's about lack of driver, I had a look at patched in openWRt vs patches in original kernel and differences are quite significant (eg. spi driver is a lot longer in original firmware).

My next options are:
1. remove ar71xx patches from open WRT (talking about stable build with kernel 2.6.32) and try to apply patches / files from stock firmware
OR
2. Try mu luck with merging kernel modules from original rootFS into rootFS from openWRT and flash that somehow (any nice manual how to flash rootfs that I have in tar.gz? )

I also found that device name I pass to mtdblocks parameter is probably... wrong. It comes from driver from netgear, but not sure what should it be in case of this kernel...

One more question, when I tried to use lzma compressed kernel I got info that it's not supported (compression I mean), is that something coming from uboot?? I am asking since lzma packed kernel is considerably smaller (~800kb while gzipped is 1.1 megs)

(Last edited by jaceq on 25 Mar 2013, 18:35)

Post #11

vhrm

25 Mar 2013, 18:36

Check out the thread i mentioned before. Note that they change the root to an mtd name "root=/dev/mtdblock2". now, i don't know if major:minor is just as good or what. And the kernel didn't report any mtds at all so that DOES suggest the right driver isn't there ...

One approach you can look at here is to boot with an extroot on a USB. Then you'll have the running system up and you can try different modules or tools to figure out what the chip is , how to talk to it etc. (i don't know what those tools are, but that's an approach i would take.

Also a lower tech approach would be to to take a screwdriver and a camera to take pictures of the board.. and put them on the wiki while you're at it.

[edit: to answer your question... re flashing a root fs i don't know. It's actually not trivial because of the way things have to be (sometimes) padded and aligned to be on flash block boundaries. If you look at the output of the build process in how it creates the different files you'll get an idea.]

(Last edited by vhrm on 25 Mar 2013, 18:40)

Post #12

jaceq

25 Mar 2013, 19:12

Thanks for hint about mtdblock, but as you said, it doesn't seem to detect anything at all...

I am not sure if I will be able to open one of them as they are company owned and warrant might be an issue... but will check that.

Ext root is not an option as there is no USB in it...

In terms of swapping rootfs you worried me a bit here unfortunately, I will look around a bit, maybe I will find explanation somewhere.

Post #13

vhrm

25 Mar 2013, 21:08

http://www.techinfodepot.info/index.php … r_WNDAP360
says that the chip is a Macronix MX25L6406EMI-12G

http://git.chromium.org/gitweb/?p=chrom … b58d31d14e

says that

MX25L6405D: Sector erase (20h) erases 64k.
MX25L6406E: Sector erase (20h) erases 4k. Same write protection as MX25L6405D.

and also that they share the same ID.

The linux driver http://lxr.free-electrons.com/source/dr … s/m25p80.c
has support for the mx25l12805d under seemingly that id:
"mx25l12805d", INFO(0xc22018, 0, 64 * 1024, 256, 0) },

(and i checked the file is the same in trunk)
So there's some level of support in there for this chip. The issue is prob with how things are initialized in the kernel or how it is compiled.

What target did you chose in menuconfig? was it AP96 ?

(grepping through that would give you
+config ATH79_MACH_AP96
+ bool "Atheros AP96 board support"
+ select SOC_AR71XX
+ select ATH79_DEV_ETH
+ select ATH79_DEV_AP9X_PCI if PCI
+ select ATH79_DEV_GPIO_BUTTONS
+ select ATH79_DEV_LEDS_GPIO
+ select ATH79_DEV_M25P80
+ select ATH79_DEV_USB

)

which seems about right.

Post #14

jaceq

25 Mar 2013, 21:28

Hi,

In menuconfig I went for generic (all drivers), maybe I really should try board specific... I will give it a go tomorrow with AP96. Thanks for a hint!

Post #15

jaceq

27 Mar 2013, 10:02

Unfortunately I won't be able to continue on this dues to lack of time and point.
I took pictures and uploaded them to wiki: http://wiki.openwrt.org/toh/netgear/wndap360

Post #16

jaceq

2 Apr 2013, 15:18

So, despite the fact that I was told to leave it I just couldn't )
Anyway I got it to work... mostly
I have kernel and rootfs from latest trunk and it even boots and all that
But I have come across weird problem, for some reason my lan port doesn't want to work on 1Gbps, when I will lower speed to 100mbps it works well... this is super weird. I found this guy with identical problem: LINK TO THREAD but there isn't solution... any help on this? I am not sure where to start... I can provide all logs if needed.

Other than this, flash, radio etc all seem to work, so I feel only this left.

btw if ANYONE owns WNDR3700 -> could you connect a network cable to a WAN port with 1000meg speed and do dmesg | grep pll ? it has same SOC with same clock so pll value from it should work for me too...

(Last edited by jaceq on 2 Apr 2013, 16:05)

Post #17

robthebrew

2 Apr 2013, 15:45

How does it fail? Are there any error messages? What is in dmesg?
It might be that it is not enabled in the kernel

Post #18

jaceq

2 Apr 2013, 16:12

so first full dmesg with 1000 meg interface connected at the end of it:

[    0.000000] Linux version 3.8.3 (jacek@jacek-MacBookPro) (gcc version 4.6.4 20121210 (prerelease) (Linaro GCC 4.6-2012.12) ) #6 Tue Apr 2 12:19:55 CEST 2013
[    0.000000] MyLoader: sysp=aaaa5554, boardp=aaaa5554, parts=aaaa5554
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Atheros AR7161 rev 2
[    0.000000] Clocks: CPU:680.000MHz, DDR:340.000MHz, AHB:170.000MHz, Ref:40.000MHz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x07ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x07ffffff]
[    0.000000] On node 0 totalpages: 32768
[    0.000000] free_area_init_node: node 0, pgdat 802f2470, node_mem_map 81000000
[    0.000000]   Normal zone: 256 pages used for memmap
[    0.000000]   Normal zone: 0 pages reserved
[    0.000000]   Normal zone: 32512 pages, LIFO batch:7
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[    0.000000] pcpu-alloc: [0] 0 
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line:  board=AP96 console=ttyS0,9600 mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,1728k(kernel),6080k(rootfs),64k(art)ro,7872k@0x50000(firmware) rootfstype=squashfs,jffs2 noinitrd
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] __ex_table already sorted, skipping sort
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 126384k/131072k available (2145k kernel code, 4688k reserved, 578k data, 216k init, 0k highmem)
[    0.000000] SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:51
[    0.070000] Calibrating delay loop... 452.19 BogoMIPS (lpj=2260992)
[    0.080000] pid_max: default: 32768 minimum: 301
[    0.090000] Mount-cache hash table entries: 512
[    0.100000] NET: Registered protocol family 16
[    0.110000] MIPS: machine is Atheros AP96
[    2.710000] registering PCI controller with io_map_base unset
[    2.720000] bio: create slab <bio-0> at 0
[    2.730000] PCI host bridge to bus 0000:00
[    2.740000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x16ffffff]
[    2.750000] pci_bus 0000:00: root bus resource [io  0x0000]
[    2.760000] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    2.770000] pci 0000:00:11.0: [168c:ff1d] type 00 class 0x020000
[    2.770000] pci 0000:00:11.0: fixup device configuration
[    2.780000] pci 0000:00:11.0: reg 10: [mem 0x00000000-0x0000ffff]
[    2.780000] pci 0000:00:11.0: PME# supported from D0 D3hot
[    2.780000] pci 0000:00:12.0: [168c:ff1d] type 00 class 0x020000
[    2.780000] pci 0000:00:12.0: fixup device configuration
[    2.790000] pci 0000:00:12.0: reg 10: [mem 0x00000000-0x0000ffff]
[    2.790000] pci 0000:00:12.0: PME# supported from D0 D3hot
[    2.790000] pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 00
[    2.790000] pci 0000:00:11.0: BAR 0: assigned [mem 0x10000000-0x1000ffff]
[    2.800000] pci 0000:00:12.0: BAR 0: assigned [mem 0x10010000-0x1001ffff]
[    2.810000] pci 0000:00:11.0: using irq 40 for pin 1
[    2.820000] pci 0000:00:12.0: using irq 41 for pin 1
[    2.830000] Switching to clocksource MIPS
[    2.840000] NET: Registered protocol family 2
[    2.890000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[    2.970000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    3.050000] TCP: Hash tables configured (established 1024 bind 1024)
[    3.120000] TCP: reno registered
[    3.160000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    3.230000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    3.310000] NET: Registered protocol family 1
[    3.360000] PCI: CLS 0 bytes, default 32
[    3.370000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    3.440000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    3.560000] msgmni has been set to 246
[    3.600000] io scheduler noop registered
[    3.650000] io scheduler deadline registered (default)
[    3.710000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    3.810000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[    3.890000] console [ttyS0] enabled, bootconsole disabled
[    4.020000] ath79-spi ath79-spi: master is unqueued, this is deprecated
[    4.100000] m25p80 spi0.0: found mx25l6405d, expected m25p80
[    4.160000] m25p80 spi0.0: mx25l6405d (8192 Kbytes)
[    4.220000] 6 cmdlinepart partitions found on MTD device spi0.0
[    4.290000] Creating 6 MTD partitions on "spi0.0":
[    4.350000] 0x000000000000-0x000000040000 : "u-boot"
[    4.410000] 0x000000040000-0x000000050000 : "u-boot-env"
[    4.480000] 0x000000050000-0x000000200000 : "kernel"
[    4.540000] 0x000000200000-0x0000007f0000 : "rootfs"
[    4.600000] mtd: partition "rootfs" set to be root filesystem
[    4.670000] mtd: partition "rootfs_data" created automatically, ofs=3F0000, len=400000 
[    4.760000] 0x0000003f0000-0x0000007f0000 : "rootfs_data"
[    4.830000] 0x0000007f0000-0x000000800000 : "art"
[    4.890000] 0x000000050000-0x000000800000 : "firmware"
[    4.950000] libphy: ag71xx_mdio: probed
[    5.000000] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:RGMII
[    5.370000] ag71xx ag71xx.0 eth0: connected to PHY at ag71xx-mdio.0:01 [uid=004dd04e, driver=Generic PHY]
[    5.490000] eth1: Atheros AG71xx at 0xba000000, irq 5, mode:RGMII
[    5.860000] ag71xx ag71xx.1 eth1: no PHY found with phy_mask=00000010
[    5.940000] TCP: cubic registered
[    5.980000] NET: Registered protocol family 17
[    6.030000] 8021q: 802.1Q VLAN Support v1.8
[    6.090000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
[    6.170000] Freeing unused kernel memory: 216k freed
[   10.740000] jffs2: notice: (416) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (0 unchecked, 0 orphan) and 14 of xref (0 dead, 2 orphan) found.
[   12.300000] Compat-drivers backport release: compat-drivers-2013-01-21-1
[   12.390000] Backport based on wireless-testing.git master-2013-02-22
[   12.480000] compat.git: wireless-testing.git
[   12.560000] cfg80211: Calling CRDA to update world regulatory domain
[   12.660000] cfg80211: World regulatory domain updated:
[   12.730000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[   12.850000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   12.960000] cfg80211:   (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[   13.070000] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[   13.180000] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   13.290000] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   13.620000] usbcore: registered new interface driver usbfs
[   13.690000] usbcore: registered new interface driver hub
[   13.780000] usbcore: registered new device driver usb
[   14.330000] PCI: Enabling device 0000:00:11.0 (0000 -> 0002)
[   14.400000] ath: EEPROM regdomain: 0x0
[   14.400000] ath: EEPROM indicates default country code should be used
[   14.400000] ath: doing EEPROM country->regdmn map search
[   14.400000] ath: country maps to regdmn code: 0x3a
[   14.400000] ath: Country alpha2 being used: US
[   14.400000] ath: Regpair used: 0x3a
[   14.410000] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[   14.410000] ieee80211 phy0: Atheros AR9280 Rev:2 mem=0xb0000000, irq=40
[   14.490000] PCI: Enabling device 0000:00:12.0 (0000 -> 0002)
[   14.570000] ath: EEPROM regdomain: 0x0
[   14.570000] ath: EEPROM indicates default country code should be used
[   14.570000] ath: doing EEPROM country->regdmn map search
[   14.570000] ath: country maps to regdmn code: 0x3a
[   14.570000] ath: Country alpha2 being used: US
[   14.570000] ath: Regpair used: 0x3a
[   14.570000] ieee80211 phy1: Selected rate control algorithm 'minstrel_ht'
[   14.580000] ieee80211 phy1: Atheros AR9280 Rev:2 mem=0xb0010000, irq=41
[   14.680000] PPP generic driver version 2.4.2
[   14.730000] cfg80211: Calling CRDA for country: US
[   14.790000] cfg80211: Regulatory domain changed to country: US
[   14.860000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[   14.960000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
[   15.050000] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
[   15.140000] cfg80211:   (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   15.230000] cfg80211:   (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   15.330000] cfg80211:   (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   15.420000] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
[   15.700000] ip_tables: (C) 2000-2006 Netfilter Core Team
[   15.830000] NET: Registered protocol family 24
[   15.890000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[   16.000000] ehci-platform: EHCI generic platform driver
[   16.070000] ehci-platform ehci-platform: EHCI Host Controller
[   16.140000] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[   16.230000] ehci-platform ehci-platform: irq 3, io mem 0x1b000000
[   16.320000] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[   16.390000] hub 1-0:1.0: USB hub found
[   16.440000] hub 1-0:1.0: 2 ports detected
[   16.500000] nf_conntrack version 0.5.0 (1978 buckets, 7912 max)
[   19.530000] device eth0 entered promiscuous mode
[   20.830000] ar71xx: pll_reg 0xb8050010: 0x110000
[   20.830000] eth0: link up (1000Mbps/Full duplex)
[   20.880000] br-lan: port 1(eth0) entered forwarding state
[   20.950000] br-lan: port 1(eth0) entered forwarding state
[   22.950000] br-lan: port 1(eth0) entered forwarding state
[   27.610000] wlan1: authenticate with 10:0d:7f:53:e2:32
[   27.700000] wlan1: send auth to 10:0d:7f:53:e2:32 (try 1/3)
[   27.760000] wlan1: authenticated
[   27.870000] ath9k 0000:00:12.0 wlan1: disabling HT as WMM/QoS is not supported by the AP
[   27.960000] ath9k 0000:00:12.0 wlan1: disabling VHT as WMM/QoS is not supported by the AP
[   28.070000] wlan1: associate with 10:0d:7f:53:e2:32 (try 1/3)
[   28.190000] wlan1: RX AssocResp from 10:0d:7f:53:e2:32 (capab=0x511 status=0 aid=1)
[   28.280000] wlan1: associated
[   28.400000] wlan1: Limiting TX power to 20 (20 - 0) dBm as advertised by 10:0d:7f:53:e2:32

Then ping:

root@OpenWrt:/# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
^C
--- 192.168.1.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Than switch interface to 100 megs (on laptop, I use direct cable), dmesg:

[   75.060000] eth0: link down
[   75.090000] br-lan: port 1(eth0) entered disabled state
[   76.090000] eth0: link up (100Mbps/Full duplex)
[   76.140000] br-lan: port 1(eth0) entered forwarding state
[   76.210000] br-lan: port 1(eth0) entered forwarding state
[   78.210000] br-lan: port 1(eth0) entered forwarding state

And ping to same ip:

root@OpenWrt:/# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=1.121 ms
64 bytes from 192.168.1.2: seq=1 ttl=64 time=0.750 ms
64 bytes from 192.168.1.2: seq=2 ttl=64 time=0.750 ms
64 bytes from 192.168.1.2: seq=3 ttl=64 time=0.686 ms
^C
--- 192.168.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.686/0.826/1.121 ms

So basically there aren't any errors.. which is making this even weirder...

(Last edited by jaceq on 2 Apr 2013, 16:13)

Post #19

jaceq

3 Apr 2013, 08:39

So I managed to fix this!
This was due to wrong pll setting, my build was using default setting(from AP96), I noticed that wndr3700 (same CPU / same clock) had a different pll setting for eth0, so I decided to do things properly and rather than hacking I added proper support for my AP, than in my own new mach file, I used pll setting from wndr3700 and voila! interface works at 1Gbps, no problem
I will test things a bit more, and then I will submit the patch.
Currently not working things are:
Wifi LEDs (didn't have time for this as this isn't important for me)
/etc/config/network has wan interface defined with eth1 which doesn't exist on this device
sysupgrade doesn't work (should be pretty easy to add this).

Other than this device seem to work, trick is that inital flash has to be done via tftp as original software accepts .tar file that has seaprate kernel image and rootfs image in them, and since I had to alter original partition layout (kernel is 1,4megs and original partition for kernel was 1 meg) so flashing in uboot is mandatory to put things in right place.

Once I will put my patch out in public I will put whole procedure on wiki so others will be able to use this

(Last edited by jaceq on 3 Apr 2013, 09:18)

Post #20

jaceq

9 Apr 2013, 20:04

Update here:
I made final modifications and submitted patch we will see how will this go
One more interesting this, I managed to screw my ART partition, I was lucky as we have 4 APs like this so I took a copy from other one...
But changing a MAC was a must (since I'd have same macs on same network -> not good), it was a hassle but I made it (with fixing check summing etc), also I wrote a manual how to do it and was wondering what's the best place to put it?
Should I put it on wiki page to that access point? This is done on my example but I am pretty sure similarities are major on other routers based on atheros...

Post #21

vhrm

10 Apr 2013, 03:08

Good stuff.
Not great about the ART partition. I believe it (at least partly) contains per device calibration data. Actually is that something you can verify? If you diff the data from the ART partitions on your devices how different is it ?

Post #22

jaceq

10 Apr 2013, 07:46

Hi,

So I dumped 3 of them and they do differ in more places than just MAC and checksum... saying that my radios work so I think in the end it's better to have radios working a bit worse than not working at all... Unless someone comes up with calibration procedure

Also, wiki page updated: HERE

(Last edited by jaceq on 10 Apr 2013, 07:47)

Post #23

jaceq

11 Apr 2013, 13:15

Also, I've managed to make sysupgrade work so yaay
I've uploaded fixed patch and changed a link in wiki

Still wondering about where to put manual about ART partition...

Post #24

robthebrew

11 Apr 2013, 15:30

Is it possible to create a new page? Is there an Atheros page?
Otherwise maybe under the generic backup page (I think there is a bit on ART there)
http://wiki.openwrt.org/doc/howto/generic.backup

Post #25

jaceq

11 Apr 2013, 18:45

Ok, so I created page HERE , please have a look and let me know if all is understandable and if I should change anything. Thx.

Page 1 of 2