OpenWrt Forum Archive

Topic: OpenWRT Kamikaze on TP-link tl-wa501g?

The content of this topic has been archived between 31 Aug 2014 and 5 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Wohhoo... I found how to fix my router. It's only possible when you set the manual IP address with ip, mask and gateway and switch-off/on with pressing the restart button and connect using telnet within ten seconds. So now I can go into the telnet console. Now I have another question: which version of openWRT is better to compile? Is it possible to find a precompiled version of the image somewhere?

And another question: how to downgrade to the original firmware. What can I do?

In your manual you are loading vxworks.raw

RedBoot> load -r -b %{FREEMEMLO} vxworks.raw

Where did you find this raw file? Loaded using TFTP?

Thanks,
Dmitry

I've just recovered all the topic in my head, now I want to ask you to send the vxworks.raw file :)

And also to proof: you have upgraded the same tp-link wr340g v5.3 (written on the board, sticker and it was written in tp-link web panel) with that vxworks.raw file?

dmitryp
It seems that the flash chip in your revision is not supported yet. Read its marking.
Can you solder UART and show console log?

PM your email.

Just for information: My device is REV 5.4 and it contains a WINBOND W25Q16BVSIG flash (and RAM is WINBOND W9864G6IH-6).

All devices I had were rev:5.4 onboard and had HK 25L1605AM2 SPI flash and it was supported by Kamikaze out of the box.

xssa wrote:

Tomorrow I'll try to put all configs and images together and put it there on the forum.

It would be great if you could post your config files soon because I've successfully compiled Kamikaze 8.09.2. It is too large as expected, so I have to change the config and it is better to use a working config as a starting point.

My router contains a WINBOND flash (see above for the type) and I don't have any problems like dmitryp but I've only completed the first step (upgrade with web dialog) and have a running mini Linux. What are you doing after the first reboot? Are you changing the contents of the flash and can I therefore be sure that I can flash a larger Linux from RedBoot and/or Linux?
Where did you get your Kamikaze 8.09.2? I've downloaded the sources of Kamikaze 8.09.2 but it is older than your version. I think you are using Kernel 2.6.30 and my version contains 2.6.28.

Thanks

Edit: Could you please provide some info about the serial interface? I found a connector labeled SJ1. What is the pin assignment?
+----------+
!  * * * ! *  ! SJ1
+----------+

(Last edited by mvsroot on 8 May 2010, 15:38)

mvsroot wrote:

... because I've successfully compiled Kamikaze 8.09.2.

- sounds very attractive!

Serial interface on SJ1
|3,3V GND RX | TX |
38400 on VxWorks, 115200 on my RedBoot/kernels, 9600 on original openwrt kernel config.
"Vxkiller" is my first try on latest stable Openwrt (it is not Kamikaze but Backfire 10.03). You can get it from the official site as usual.

Flash content, especially last eraseblock with boardconfig and radioconfig, is fully prepared for openwrt after second reboot. So, for sure, you can flash your images from RedBoot as usual. Use openwrt-atheros-vmlinux.lzma/openwrt-atheros-root.squashfs for this job. There was a link to a good tutorial in my posts before. Many things are changed in my working 8.09.3 Kamikaze tree. Changes are in the main build config, arch/kernel config, base_files and some other packages also need attention. I have no idea how to share all these changes on this forum. Just make a decision what functionality you need from your device, and try to disable all unnecessary parts in image and kernel and it will fit.
Now I'm trying to add dsa_switch routines on latest kernel in Openwrt/trunk.

Can you help dmitryp with vxworks.raw?
Thanks.

Thanks for your reply. What is the size of your compressed (for example .tar.bz2) working directory of Backfire/Kamikaze? If it is not too large you can upload it to www.rapidshare.com.
dmitryp can download the following file http://www.tp-link.com/support/toDownlo … 3811%2Ezip and strip the header. I don't know which Operating System he uses so I can't give any advice how to strip the header. In Linux I would use tail or dd.

Edit: You can post (or upload to rapidshare) a patch (diff -Naur after deleting object code/load modules/images) if it is too large

(Last edited by mvsroot on 12 May 2010, 13:57)

xssa wrote:

(...)
degenerated  - can you post internal photos?

sorry i couldn't post earlier. here you go

http://i40.tinypic.com/35aj8za.jpg (1600x1200)

TL-WA500G
http://i41.tinypic.com/97tx0y.jpg


I currently use it in access point mode connected to a Asus wl500gp via WDS and WEP128.

I intend to flash it with openWrt in hope i can use WPA2, since the default firmware doesn't allow me.
Do you guys think is possible ?

(Last edited by degenerated on 10 May 2010, 16:06)

degenerated wrote:

I currently use it in access point mode connected to a Asus wl500gp via WDS and WEP128.

I intend to flash it with openWrt in hope i can use WPA2, since the default firmware doesn't allow me.
Do you guys think is possible ?

Thanks for photo. Can you write down chip markings here? It is really impossible to read it from photo.

Openwrt's WPA2 implementation needs to be tested on such small RAM footprint we have on these devices. It is a really horrible setup for recent linuxes.

However WPA2 is working well on last wa500 firmware. I did tests yet and post this message from wr340g hardware running last wa500 firmware in WPA2-PSK client mode connected to wr340g running last wr340g firmware in AP mode WPA2-PSK AES encryption.

On client:
Firmware Version: 4.2.3 Build 090707 Rel.37067n
Hardware Version: WA500G v1 081520C2

On AP:
Firmware Version: 4.5.4 Build 100316 Rel.59606n
Hardware Version: WR340G v5 081520C2

(Last edited by xssa on 13 May 2010, 07:48)

Hello xssa,

first of all I'd like to thank you for your work.
I had a useless TP-LINK TL-WR340G+ bought for 5 euros in a chinese supermarket. When I saw your topic I decided to have fun with it.
Revision on board is 5.4.

I uploaded the vxkiller in the webif and it worked perfectly. I had a running Busybox.

Since I'm totally new with Redboot I decided to get my hands on.
I followed the instructions on the link you gave a few posts before.
But it seems that I can't flash the rootfs on my box, I get a very talkative "Unknown error"...
(I have the same issue on Kamikaze and backfire binaries downloaded from openwrt.org)

[ diaz_j->imac-jeremy.eth.diaznet.fr ~/Documents ] $ telnet 192.168.1.1 9000
Trying 192.168.1.1...
Connected to 192-168-1-1.pool-vpn.diaznet.fr.
Escape character is '^]'.
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xBFC00000  0xBFC00000  0x00010000  0x00000000
FIS directory     0xBFDE0000  0xBFDE0000  0x0000F000  0x00000000
RedBoot config    0xBFDEF000  0xBFDEF000  0x00001000  0x00000000
RedBoot> ip_addr -h 192.168.1.42
IP: 192.168.1.1, Default server: 192.168.1.42
RedBoot> load -r -v -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
-
Raw file loaded 0x80033800-0x800f37ff, assumed entry at 0x80033800
RedBoot> fis create -r 0x80034000 -e 0x80034000 vmlinux.bin.l7
... Erase from 0xbfc10000-0xbfcd0000: ............
... Program from 0x80033800-0x800f3800 at 0xbfc10000: ............
... Erase from 0xbfde0000-0xbfdf0000: .
... Program from 0x807f0000-0x80800000 at 0xbfde0000: .
RedBoot> load -r -v -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
-
Raw file loaded 0x80033800-0x801d37ff, assumed entry at 0x80033800
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xBFC00000  0xBFC00000  0x00010000  0x00000000
vmlinux.bin.l7    0xBFC10000  0x80034000  0x000C0000  0x80034000
FIS directory     0xBFDE0000  0xBFDE0000  0x0000F000  0x00000000
RedBoot config    0xBFDEF000  0xBFDEF000  0x00001000  0x00000000
RedBoot> fis free
  0xBFCD0000 .. 0xBFDE0000
RedBoot> fis create -l 110000 rootfs
... Erase from 0xbfcd0000-0xbfceadb0: ..
... Program from 0x80033800-0x801d3800 at 0xbfcd0000: ..V
Can't program region at 0xbfcf0000: Unknown error
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xBFC00000  0xBFC00000  0x00010000  0x00000000
vmlinux.bin.l7    0xBFC10000  0x80034000  0x000C0000  0x80034000
FIS directory     0xBFDE0000  0xBFDE0000  0x0000F000  0x00000000
RedBoot config    0xBFDEF000  0xBFDEF000  0x00001000  0x00000000
RedBoot>

Am I doing something wrong? I'm quite lost for the moment :)

Thanks,
Jeremy

(Last edited by diazeeeee on 13 May 2010, 23:56)

This router has just 1MB (Edit: 2MB is correct) flash. I think the size of your kernel and root fs is probably too large. You have to compile your own with less options turned on.

(Last edited by mvsroot on 14 May 2010, 13:04)

diazeeeee
1)
Your kernel is 0xC0000 bytes long (786432 bytes),
Your rootfs is 0x1A0000 bytes long (1703936 bytes)
But after flashing a kernel you have only 0x110000 bytes of free space, so your rootfs will not fit.
2)
When you try to flash rootfs you omit "0x" prefix in size, so "110000" is interpreted as dec value which is not aligned to 0x10000 (or 65536 bytes) eraseblock size. Because of that you got "Unknown error" when trying to flash 110000 or 0x1ADB0 bytes of data.

Where did you find this instruction?
Edit: I am asking about this command:
fis create -r 0x80034000 -e 0x80034000 vmlinux.bin.l7

(Last edited by xssa on 14 May 2010, 12:14)
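
The two checks described in the post above (does the image fit in the free flash region, and is the `-l` length a whole number of eraseblocks), as an added example that is not code from this thread, OpenWrt or RedBoot. The sample input is taken from the session quoted in the thread; the function names are hypothetical, and the number parsing rule (no `0x` prefix means decimal) is the one the post states.

```python
import re

ERASEBLOCK = 0x10000  # eraseblock size given in the post (65536 bytes)

# Constructed sample input: copied from the RedBoot session quoted in this thread.
FIS_LIST = """\
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xBFC00000  0xBFC00000  0x00010000  0x00000000
vmlinux.bin.l7    0xBFC10000  0x80034000  0x000C0000  0x80034000
FIS directory     0xBFDE0000  0xBFDE0000  0x0000F000  0x00000000
RedBoot config    0xBFDEF000  0xBFDEF000  0x00001000  0x00000000
"""
LOAD_LINE = "Raw file loaded 0x80033800-0x801d37ff, assumed entry at 0x80033800"

# name, flash address, (mem address), length, (entry point)
ROW = re.compile(r"^(.+?)\s+(0x[0-9A-Fa-f]+)\s+0x[0-9A-Fa-f]+\s+(0x[0-9A-Fa-f]+)\s+0x[0-9A-Fa-f]+\s*$")


def parse_fis_list(text):
    """Return (name, flash_addr, length) tuples sorted by flash address."""
    rows = [ROW.match(line) for line in text.splitlines()]
    entries = [(m.group(1), int(m.group(2), 16), int(m.group(3), 16)) for m in rows if m]
    return sorted(entries, key=lambda e: e[1])


def free_regions(entries):
    """Gaps between consecutive entries, rounded up to whole eraseblocks."""
    gaps = []
    for (_, addr, length), (_, next_addr, _) in zip(entries, entries[1:]):
        end = -(-(addr + length) // ERASEBLOCK) * ERASEBLOCK
        if next_addr > end:
            gaps.append((end, next_addr))
    return gaps


def loaded_size(load_line):
    """Image size from the 'Raw file loaded START-END' line (END is inclusive)."""
    m = re.search(r"loaded (0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)", load_line)
    return int(m.group(2), 16) - int(m.group(1), 16) + 1


def parse_length_arg(arg):
    """Number parsing as the post describes it: '0x' prefix is hex, otherwise decimal."""
    return int(arg, 16) if arg.lower().startswith("0x") else int(arg, 10)


def check_fis_create(length_arg, image_size, gaps):
    """Return a list of problems with `fis create -l <length_arg>` for this image."""
    length = parse_length_arg(length_arg)
    largest = max((end - start for start, end in gaps), default=0)
    room = min(length, largest)
    problems = []
    if length % ERASEBLOCK:
        problems.append("length 0x%X is not a multiple of the 0x%X eraseblock" % (length, ERASEBLOCK))
    if length > largest:
        problems.append("length 0x%X exceeds largest free region 0x%X" % (length, largest))
    if image_size > room:
        problems.append("image 0x%X does not fit in 0x%X" % (image_size, room))
    return problems


if __name__ == "__main__":
    gaps = free_regions(parse_fis_list(FIS_LIST))
    rootfs = loaded_size(LOAD_LINE)
    for arg in ("110000", "0x110000"):
        print(arg, check_fis_create(arg, rootfs, gaps) or "ok")
```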

mvsroot wrote:

This router has just 1MB flash. I think the size of your kernel and root fs is probably too large. You have to compile your own with less options turned on.

You are wrong, router has 2MB flash (0xBFDFFFF-0xBFC00000=0x200000=2097152 bytes)
But suggestion is good.

(Last edited by xssa on 14 May 2010, 12:01)

xssa wrote:
mvsroot wrote:

This router has just 1MB flash. I think the size of your kernel and root fs is probably too large. You have to compile your own with less options turned on.

You are wrong, router has 2MB flash (0xBFDFFFF-0xBFC00000=0x200000=2097152 bytes)
But suggestion is good.

Sorry was a typo. I just tried to change it. You were faster :-)

My board looks like this:

http://i43.tinypic.com/350kk1v.jpg

Version is flashed, but it's 5.3.

I have Ubuntu, so I'm running on Linux OS. I know tail, dd and split commands. Where can I download Kamikaze to update my board, and how should I split/erase/load using tftp etc.? Can you write something like step by step?

(Last edited by dmitryp on 15 May 2010, 10:00)

Hi,

I have a 5.4 hardware version. There are a few PCB differences to 5.3. You have an older case too. Version from white sticker 2.22.

To xssa and mvsroot:

I have found the instructions at the link you gave:
http://wiki.x-wrt.org/index.php/Kamikaze_Installation

I have successfully compiled a lightweight build of Kamikaze and I finally managed to put it on my flash.
But sadly it won't boot :(

[ diaz_j->192-168-0-106.wifi.diaznet.fr ~ ] $ telnet 192.168.1.1 9000
Trying 192.168.1.1...
Connected to 192-168-1-1.pool-vpn.diaznet.fr.
Escape character is '^]'.
RedBoot> 
RedBoot> 
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xBFC00000  0xBFC00000  0x00010000  0x00000000
vmlinux.bin.l7    0xBFC10000  0x80034000  0x000C0000  0x80034000
rootfs            0xBFCD0000  0x80033800  0x00110000  0x80033800
FIS directory     0xBFDE0000  0xBFDE0000  0x0000F000  0x00000000
RedBoot config    0xBFDEF000  0xBFDEF000  0x00001000  0x00000000
RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xbfde0000-0xbfdf0000: .
... Program from 0x807f0000-0x80800000 at 0xbfde0000: .
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xBFC00000  0xBFC00000  0x00010000  0x00000000
FIS directory     0xBFDE0000  0xBFDE0000  0x0000F000  0x00000000
RedBoot config    0xBFDEF000  0xBFDEF000  0x00001000  0x00000000
RedBoot> ip_addr -h 192.168.1.42
IP: 192.168.1.1, Default server: 192.168.1.42
RedBoot> load -r -v -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
-
Raw file loaded 0x80033800-0x800f37ff, assumed entry at 0x80033800
RedBoot> fis create kernel
... Erase from 0xbfc10000-0xbfcd0000: ............
... Program from 0x80033800-0x800f3800 at 0xbfc10000: ............
... Erase from 0xbfde0000-0xbfdf0000: .
... Program from 0x807f0000-0x80800000 at 0xbfde0000: .
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xBFC00000  0xBFC00000  0x00010000  0x00000000
kernel            0xBFC10000  0x80033800  0x000C0000  0x80033800
FIS directory     0xBFDE0000  0xBFDE0000  0x0000F000  0x00000000
RedBoot config    0xBFDEF000  0xBFDEF000  0x00001000  0x00000000
RedBoot> fis free
  0xBFCD0000 .. 0xBFDE0000
RedBoot> load -r -v -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
-
Raw file loaded 0x80033800-0x800f37ff, assumed entry at 0x80033800
RedBoot> fis create -l 0x110000 rootfs
... Erase from 0xbfcd0000-0xbfde0000: .................
... Program from 0x80033800-0x800f3800 at 0xbfcd0000: ............
... Erase from 0xbfde0000-0xbfdf0000: .
... Program from 0x807f0000-0x80800000 at 0xbfde0000: .
RedBoot> fis load -l kernel
Image loaded from 0x80033800-0x8028df2c
RedBoot> exec

The AP keeps rebooting since then.

Would you have working images for this device ? Like a kernel and a rootfs

Many thanks

Jeremy.

diazeeeee wrote:

To xssa and mvsroot:

I have found the instructions at the link you gave:
http://wiki.x-wrt.org/index.php/Kamikaze_Installation

.....

RedBoot> load -r -v -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
-
Raw file loaded 0x80033800-0x800f37ff, assumed entry at 0x80033800
RedBoot> fis create kernel

.....

RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xBFC00000  0xBFC00000  0x00010000  0x00000000
kernel            0xBFC10000  0x80033800  0x000C0000  0x80033800

.....

RedBoot> fis load -l kernel
Image loaded from 0x80033800-0x8028df2c
RedBoot> exec

The AP keeps rebooting since then.

Would you have working images for this device ? Like a kernel and a rootfs

Many thanks

Jeremy.

You are on the right way, all you need is to read carefully and keep in mind some statements:

..... Note: The atheros-2.6 kernel is built with the load and entry address set at 0x80041000.
..... Note: If you want to directly start the loaded kernel, you need to load it to the memory location 0x80041000 specified at the build time instead of the %{FREEMEMLO} alias.

and

..... Create the kernel flash image by the command (where -r - the load address, -e - the entry address, vmlinux.bin.l7 - name of the kernel image entry as used by the boot script):
RedBoot> fis create -r 0x80041000 -e 0x80041000 vmlinux.bin.l7

I have working images, but they have some issues, as I stated before. I'm still working on it. And, as I can state, marvell switch is working well for now.

dmitryp wrote:

My board looks this:

Good photo, seems it has Intel SPI? flash chip, but marking is still unreadable. Look at the small 8 pin chip between Atheros and Marvell, share its marking and I will try to add it in kernel flash routines if it is still not there. Also share these two hex dumps from your RedBoot prompt and we'll see what to do next.
RedBoot>x -b 0xbfde0000 -l 0x100
RedBoot>x -b 0xbfdf0000 -l 0x100

I think I did right but this is still not working:

[ diaz_j->192-168-0-106.wifi.diaznet.fr ~ ] $ telnet 192.168.1.1 9000
Trying 192.168.1.1...
Connected to 192-168-1-1.pool-vpn.diaznet.fr.
Escape character is '^]'.
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xBFC00000  0xBFC00000  0x00010000  0x00000000
vmlinux.bin.l7    0xBFC10000  0x80041000  0x000C0000  0x80041000
rootfs            0xBFCD0000  0x80033800  0x00110000  0x80033800
FIS directory     0xBFDE0000  0xBFDE0000  0x0000F000  0x00000000
RedBoot config    0xBFDEF000  0xBFDEF000  0x00001000  0x00000000
RedBoot>

The AP does not reboot but I have no access to 192.168.1.1.

I think I will wait for your images :-)

I had a working openwrt with your vxkiller, I don't know why I wanted to do it by myself...

xssa wrote:

I have working images, but it has some issues, as I state before. I'm still working on it. And, as I can state, marvell switch is working well for now.

Sounds great. I am using Linux on this router because I want to use a 5 port switch (like in your minimal image). Hopefully I can turn off the switching in your upcoming image :-). I am missing just WiFi, DHCP and a MAC address filter (firewall). I think that should easily fit into 2MB.

mvsroot wrote:

... I want to use a 5 port switch (like in your minimal image). Hopefully I can turn off the switching in your upcoming image :-).

If you mean some kind of firewalling (nat or whatever) between separated LAN and WAN ports - for now it is working.

xssa wrote:
mvsroot wrote:

... I want to use a 5 port switch (like in your minimal image). Hopefully I can turn off the switching in your upcoming image :-).

If you mean some kind of firewalling (nat or whatever) between separated LAN and WAN ports - for now it is working.

Not exactly. I mean a 5 port switch with all connectors in the same subnet (instead of a WAN connector and 4 LAN connections in 2 different subnets in VxWorks) and WiFi which allows only connections from specified MAC addresses.