OpenWrt Forum Archive

Topic: Netgear WNDAP360 -> How to hack?

The content of this topic has been archived between 8 Feb 2018 and 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Really great tutorial!
It would be good to specify your board model, or whether the offsets for MACs and checksums are the same for all ar71xx?
Could you post some example art files and/or an art write-enabled image?

How did you find the offsets to modify?
I ask just so the solution is future proof (if those offsets change).

I think the offsets will be the same as long as they use the same driver... Also I found a manual about this (but everything at the U-Boot level) and it was about a different board / radio, and the offsets were the same...
The best idea is to verify that the MAC is there (if you know the MAC of the device the backup was taken from).

The image itself is a file and is always writable; it's more about the kernel definitions...
It is here: http://git.openwrt.org/?p=openwrt.git;a … c65209dab2

Take the wndr3700 as an example: at line 188 there is the definition 64k(art)ro. Basically you need to remove the ro flag from that partition definition for your router, recompile and put it on the router, then it will be RW from the OS level.

I will add the thing about making sure that the MAC is there to the wiki, and I will probably add the above example as well.
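As an added example (not code from any poster in this thread), the following Python parses the mtdparts= string that appears in the boot logs further down, reporting each partition's absolute offset, size and ro flag, so you can confirm that art is read-only before dropping the flag and writable after; find_mac does the sanity check suggested above, searching an art backup for the MAC printed by U-Boot. The art dump used in the check is constructed.

```python
import re
from dataclasses import dataclass

# Kernel command line as printed in the WNDAP360 boot log in this thread.
CMDLINE = ("board=WNDAP360 console=ttyS0,9600 mtdparts=spi0.0:256k(u-boot)ro,"
           "64k(u-boot-env)ro,1728k(kernel),6080k(rootfs),64k(art)ro,"
           "7808k@0x50000(firmware) rootfstype=squashfs,jffs2 noinitrd")

UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
PART_RE = re.compile(r"(\d+)([kKmMgG]?)(?:@(0x[0-9a-fA-F]+|\d+))?\((\w[\w-]*)\)(ro)?")


@dataclass
class Part:
    name: str
    offset: int
    size: int
    ro: bool


def parse_mtdparts(cmdline):
    """Parse mtdparts= into partitions with absolute offsets.

    Uses the Linux cmdlinepart syntax <size>[@<offset>](<name>)[ro], comma
    separated; a missing offset means "right after the previous partition".
    Only a single MTD device (spi0.0 here) is handled."""
    m = re.search(r"mtdparts=(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= in command line")
    dev, spec = m.group(1).split(":", 1)
    parts, cursor = [], 0
    for item in spec.split(","):
        pm = PART_RE.fullmatch(item)
        if not pm:
            raise ValueError(f"bad partition spec: {item}")
        size = int(pm.group(1)) * UNITS.get(pm.group(2).lower(), 1)
        offset = int(pm.group(3), 0) if pm.group(3) else cursor
        parts.append(Part(pm.group(4), offset, size, pm.group(5) == "ro"))
        cursor = offset + size  # next partition starts where this one ends
    return dev, parts


def find_mac(art_dump, mac):
    """Return every offset at which the 6-byte MAC occurs in an art dump."""
    needle = bytes.fromhex(mac.replace(":", ""))
    return [i for i in range(len(art_dump) - 5) if art_dump[i:i + 6] == needle]


if __name__ == "__main__":
    for p in parse_mtdparts(CMDLINE)[1]:
        print(f"{p.name:<10} @0x{p.offset:06x} {p.size // 1024:>5}k {'ro' if p.ro else 'rw'}")
    # Constructed 64 KiB art dump with the eth0 MAC from the boot log placed at offset 4.
    dump = bytearray(65536); dump[4:10] = bytes.fromhex("00037fe00096")
    print("MAC found at offsets:", find_mac(bytes(dump), "00:03:7f:e0:00:96"))
```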

robthebrew wrote:

How did you find the offsets to modify?
I ask just so the solution is future proof (if those offsets change).

Finding a MAC isn't hard if you know the MAC of the device you have a backup of...
But in terms of the checksum bits, I managed to find THIS POST where a guy basically explains this (but he does the whole change at the U-Boot level). I gave it a go (there is nothing to lose but flashing a wrong art if you already lost yours ;) ) and it worked! :)
Also I was encouraged by the fact that my MAC was in the same place as his on his Buffalo device.

(Last edited by jaceq on 12 Apr 2013, 12:32)

I am having trouble with the current repo. I get a nasty kernel panic before it gets very far into boot at all. I've seen some vague references to it on the web, but it was a bug that came and went in the 2.6.X tree. I don't have symbols enabled, and I disabled all the debugging code to make sure THAT wasn't causing the issue, but it bombs right when it tries to register net devices. (I got this while debugging was on.) I get the same results using the latest patch and targeting WNDAP360, or when I just fix the bootargs for the ap96. I think it's just a kernel bug, but I wanted to see if anyone else is getting current booted on theirs.

My boot dump:
U-Boot 1.1.4 dni-1.07 (Jul  7 2009 - 14:17:28)

AP94 (ar7100) U-boot 0.0.12
DRAM:  b8050000: 0xc0140180
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 228k for U-Boot at: 87fc4000
Reserving 192k for malloc() at: 87f94000
Reserving 56 Bytes for Board Info at: 87f93fc8
Reserving 36 Bytes for Global Data at: 87f93fa4
Reserving 128k for boot params() at: 87f73fa4
Stack Pointer at: 87f73f88
Now running in RAM - U-Boot at: 87fc4000
id read 0x100000ff
flash size 8MB, sector count = 128
Flash:  8 MB
In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
: cfg1 0xf cfg2 0x7014
VSCXXX Found 0  unit 0:0  phy_addr: 1  id: 004dd04e
PHY:   Atheros AR8021
eth0: 00:03:7f:e0:00:96
eth0 up
eth0
Manu data is valid!
### main_loop entered: bootdelay=4

### main_loop: bootcmd="bootm 0xbf050000"
Enter SPACE to drop into boot loader:  0
## Booting image at bf050000 ...
   Image Name:   MIPS OpenWrt Linux-3.8.13
   Created:      2013-06-19   4:23:33 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    1296830 Bytes =  1.2 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 134217728

Starting kernel ...

[    0.000000] Linux version 3.8.13 (tshackelton@centos.tshackelton.net) (gcc version 4.6.4 (OpenWrt/Linaro GCC 4.6-2012.12 r36954) ) #6 Tue Jun 18 22:22:59 MDT 2013
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Atheros AR7161 rev 2
[    0.000000] Clocks: CPU:680.000MHz, DDR:340.000MHz, AHB:170.000MHz, Ref:40.000MHz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x07ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x07ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line:  board=AP96 console=ttyS0,9600 mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,1728k(kernel),6080k(rootfs),64k(art)ro,7808k@0x50000(firmware) rootfstype=squashfs,jffs2 noinitrd
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] __ex_table already sorted, skipping sort
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 126508k/131072k available (2179k kernel code, 4564k reserved, 419k data, 216k init, 0k highmem)
[    0.000000] SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:51
[    0.000000] Calibrating delay loop... 452.19 BogoMIPS (lpj=2260992)
[    0.080000] pid_max: default: 32768 minimum: 301
[    0.090000] Mount-cache hash table entries: 512
[    0.100000] NET: Registered protocol family 16
[    0.110000] MIPS: machine is Atheros AP96
[    2.710000] registering PCI controller with io_map_base unset
[    2.720000] bio: create slab <bio-0> at 0
[    2.730000] PCI host bridge to bus 0000:00
[    2.740000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x16ffffff]
[    2.750000] pci_bus 0000:00: root bus resource [io  0x0000]
[    2.760000] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    2.770000] pci 0000:00:11.0: fixup device configuration
[    2.780000] pci 0000:00:12.0: fixup device configuration
[    2.790000] pci 0000:00:11.0: BAR 0: assigned [mem 0x10000000-0x1000ffff]
[    2.800000] pci 0000:00:12.0: BAR 0: assigned [mem 0x10010000-0x1001ffff]
[    2.810000] pci 0000:00:11.0: using irq 40 for pin 1
[    2.820000] pci 0000:00:12.0: using irq 41 for pin 1
[    2.830000] Kernel bug detected[#1]:
[    2.830000] Cpu 0
[    2.830000] $ 0   : 00000000 00000000 00000001 00000001
[    2.830000] $ 4   : 802b0000 00000064 00000000 000003f3
[    2.830000] $ 8   : 00000000 80064890 00000000 00000000
[    2.830000] $12   : 00000000 802a97bc 00000000 00000000
[    2.830000] $16   : 8786e800 8786e800 802e6610 00000000
[    2.830000] $20   : 80320000 80320000 00000020 802ea210
[    2.830000] $24   : 00000000 8009b8b8
[    2.830000] $28   : 87822000 87823d90 802cbf5c 801ffc8c
[    2.830000] Hi    : 0000001c
[    2.830000] Lo    : 00000002
[    2.830000] epc   : 801ffcb8 0x801ffcb8
[    2.830000]     Not tainted
[    2.830000] ra    : 801ffc8c 0x801ffc8c
[    2.830000] Status: 1000c403    KERNEL EXL IE
[    2.830000] Cause : 10800034
[    2.830000] PrId  : 00019374 (MIPS 24Kc)
[    2.830000] Modules linked in:
[    2.830000] Process swapper (pid: 1, threadinfo=87822000, task=87824000, tls=00000000)
[    2.830000] Stack : 00000000 00000000 8786e800 00000001 8786e800 8786e800 802e6610 00000000
        80320000 80200048 00000000 8031a894 802e6610 00000000 00000000 803028c0
        00000000 00000000 00000000 803034f8 00000001 8783f500 00000000 8031a894
        8031a894 801f8274 00000000 8784ed08 00000000 8034a654 80320000 802e0000
        8031a894 8031a894 00000000 80320000 80320000 801f8340 87823e30 802edc00
        ...
[    2.830000] Call Trace:[<80200048>] 0x80200048
[    2.830000] [<803028c0>] 0x803028c0
[    2.830000] [<803034f8>] 0x803034f8
[    2.830000] [<801f8274>] 0x801f8274
[    2.830000] [<801f8340>] 0x801f8340
[    2.830000] [<802edc00>] 0x802edc00
[    2.830000] [<801f83bc>] 0x801f83bc
[    2.830000] [<80303458>] 0x80303458
[    2.830000] [<80302f28>] 0x80302f28
[    2.830000] [<8030332c>] 0x8030332c
[    2.830000] [<80068a28>] 0x80068a28
[    2.830000] [<8030228c>] 0x8030228c
[    2.830000] [<802eaa44>] 0x802eaa44
[    2.830000] [<802ea210>] 0x802ea210
[    2.830000] [<80064b0c>] 0x80064b0c
[    2.830000] [<80064b1c>] 0x80064b1c
[    2.830000] [<80064b0c>] 0x80064b0c
[    2.830000] [<80060870>] 0x80060870
[    2.830000]
[    2.830000]
Code: 00000000  9202021c  0002102b <00028036> 00001021  00028036  2402ffff  ae020074  02002021
[    2.840000] ---[ end trace aa7ea15f4e0b85a2 ]---
[    2.850000] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[    2.850000]

Start by having a look at the wiki. It has been updated very recently by another guy I also helped with the WNDAP360.
It turns out that my initial patch is now included in trunk, but I made one extra modification and that isn't there.
Anyway, the updated wiki accounts for all this, and it has a working revision there (with the minor, second patch).
Try this step by step: build an image without any additions (well, maybe except luci) and give it a go.
If you still have problems, put the boot log here (but from the WNDAP360 build, not AP96).
Good luck!

Here is the boot log from the 360 target; I also re-enabled debugging. I think it's related to that register_net, but I'm not sure what else to try myself... I would try an older RC but I'm out of space on my build VM and don't want to trash my current environment, since I would like to run current once I can work around this. Here is my bootlog:
## Booting image at bf050000 ...
   Image Name:   MIPS OpenWrt Linux-3.8.13
   Created:      2013-06-25   5:59:09 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    1401772 Bytes =  1.3 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 134217728

Starting kernel ...

[    0.000000] Linux version 3.8.13 (tshackelton@centos.tshackelton.net) (gcc version 4.6.4 (OpenWrt/Linaro GCC 4.6-2012.12 r36954) ) #7 Mon Jun 24 23:58:26 MDT 2013
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Atheros AR7161 rev 2
[    0.000000] Clocks: CPU:680.000MHz, DDR:340.000MHz, AHB:170.000MHz, Ref:40.000MHz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x07ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x07ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line:  board=WNDAP360 console=ttyS0,9600 mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,1728k(kernel),6080k(rootfs),64k(art)ro,7808k@0x50000(firmware) rootfstype=squashfs,jffs2 noinitrd
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] __ex_table already sorted, skipping sort
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 126316k/131072k available (2188k kernel code, 4756k reserved, 577k data, 240k init, 0k highmem)
[    0.000000] SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:51
[    0.000000] Calibrating delay loop... 452.19 BogoMIPS (lpj=2260992)
[    0.080000] pid_max: default: 32768 minimum: 301
[    0.090000] Mount-cache hash table entries: 512
[    0.100000] NET: Registered protocol family 16
[    0.110000] MIPS: machine is Netgear WNDAP360
[    2.510000] registering PCI controller with io_map_base unset
[    2.520000] bio: create slab <bio-0> at 0
[    2.530000] PCI host bridge to bus 0000:00
[    2.540000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x16ffffff]
[    2.550000] pci_bus 0000:00: root bus resource [io  0x0000]
[    2.560000] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    2.570000] pci 0000:00:11.0: fixup device configuration
[    2.580000] pci 0000:00:12.0: fixup device configuration
[    2.590000] pci 0000:00:11.0: BAR 0: assigned [mem 0x10000000-0x1000ffff]
[    2.600000] pci 0000:00:12.0: BAR 0: assigned [mem 0x10010000-0x1001ffff]
[    2.610000] pci 0000:00:11.0: using irq 40 for pin 1
[    2.620000] pci 0000:00:12.0: using irq 41 for pin 1
[    2.630000] Kernel bug detected[#1]:
[    2.630000] Cpu 0
[    2.630000] $ 0   : 00000000 00000000 00000001 00000001
[    2.630000] $ 4   : 802e0000 00000064 00000000 000003e5
[    2.630000] $ 8   : 00000000 80064890 00000000 00000000
[    2.630000] $12   : 00000000 00000001 00000000 00000000
[    2.630000] $16   : 8786e800 8786e800 80310610 00000000
[    2.630000] $20   : 80350000 80350000 00000020 80314210
[    2.630000] $24   : 00000000 8009be20
[    2.630000] $28   : 87822000 87823d90 802f7808 80202294
[    2.630000] Hi    : 0000001c
[    2.630000] Lo    : 00000002
[    2.630000] epc   : 802022c0 register_netdevice+0x60/0x3d4
[    2.630000]     Not tainted
[    2.630000] ra    : 80202294 register_netdevice+0x34/0x3d4
[    2.630000] Status: 1000c403    KERNEL EXL IE
[    2.630000] Cause : 10800034
[    2.630000] PrId  : 00019374 (MIPS 24Kc)
[    2.630000] Modules linked in:
[    2.630000] Process swapper (pid: 1, threadinfo=87822000, task=87824000, tls=00000000)
[    2.630000] Stack : 00000000 00000000 8786e800 00000001 8786e800 8786e800 80310610 00000000
        80350000 80202650 00000000 8034484c 80310610 00000000 00000000 8032c868
        00000000 00000000 00000000 8032d4a0 00000001 8783f500 00000000 8034484c
        8034484c 801fa87c 00000000 8784ed08 00000000 8037a674 80350000 80310000
        8034484c 8034484c 00000000 80350000 80350000 801fa948 87823e30 80317c04
        ...
[    2.630000] Call Trace:
[    2.630000] [<802022c0>] register_netdevice+0x60/0x3d4
[    2.630000] [<80202650>] register_netdev+0x1c/0x38
[    2.630000] [<8032c868>] loopback_net_init+0x4c/0xa8
[    2.630000] [<801fa87c>] ops_init.constprop.10+0xf4/0x138
[    2.630000] [<801fa948>] register_pernet_operations.isra.6+0x88/0xd8
[    2.630000] [<801fa9c4>] register_pernet_device+0x2c/0x74
[    2.630000] [<8032d400>] net_dev_init+0x12c/0x188
[    2.630000] [<80068a38>] do_one_initcall+0xf0/0x1b8
[    2.630000] [<80314a48>] kernel_init_freeable+0x13c/0x220
[    2.630000] [<80064b1c>] kernel_init+0x10/0x10c
[    2.630000] [<80060870>] ret_from_kernel_thread+0x10/0x18
[    2.630000]
[    2.630000]
Code: 00000000  9202021c  0002102b <00028036> 00001021  00028036  2402ffff  ae020074  02002021
[    2.640000] ---[ end trace 2760fbed5b61b980 ]---
[    2.650000] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[    2.650000]

Hi,

I sent you my images that work for me.
I've never had an issue that early in boot; try my builds, and if you have more of those APs try on a different one, maybe it's a HW problem?

Good luck, and let us know what the progress is.
Regards

The discussion might have continued from here.