OpenWrt Forum Archive

Topic: Siemens SX551

The content of this topic has been archived between 14 Apr 2018 and 5 May 2018. Unfortunately there are posts – most likely complete pages – missing.

I'm trying to get OpenWRT running on the Siemens SX551. Wiki.

The stock bootloader decompresses the stock binary to 0x94000000, and starts it.

I created a kernel, containing an initrmfs, containing mostly busybox, and a few kernel modules.

Before building I edited target/linux/ar7/Makefile:

FEATURES:=squashfs jffs2 atm pci usb2

And I added a '#define CONFIG_BOOT_RAW' to the head of build_dir/linux-ar7/linux-2.6.32.27/arch/mips/kernel/head.S, to get this code working:

#ifdef CONFIG_BOOT_RAW
        /*
         * Give us a fighting chance of running if execution beings at the
         * kernel load address.  This is needed because this platform does
         * not have a ELF loader yet.
         */
FEXPORT(__kernel_entry)
        j       kernel_entry
#endif

The bootloader uncompresses a LZMA compressed flash partition, so I took vmlinux, and compressed that, and put it into the flash partition, as described in the wiki.

The bootloader happily decompressed the image, and then fell back to its prompt:

Unzipping  web at 0x94f30000 ... [LZMA] done
Unzipping code at 0x94000000 ... [LZMA] done

[AR7300 Boot]:

The boot of the stock firmware looks like this:

Unzipping  web at 0x94f30000 ... [LZMA] done
Unzipping code at 0x94000000 ... [LZMA] done
In C_Entry() function ...
install_exception 
sys_irq_init() ...
Set GPIO
Reset USB, PCI and VP140 module ...
<snip>

I suppose that when the OpenWRT image was just faulty, the box would have crashed, or something like that. Now it returns to the bootloader, so I suppose the bootloader decided not to start the code at 0x94000000 for some reason.

Any suggestions?

(Last edited by Mijzelf on 19 Dec 2011, 21:59)

Yes, could well be (almost) the same device. Can you point me to some firmware for it? Then I can search for similarities.

The firmware has the same layout as the SX551 firmware:
1st binary block padded with 0xFF, Checksum + magic number ending at 1k boundary, 2nd binary block padded with 0xFF, Checksum + magic number ending at 1k boundary, magic number.

But on the SX551 the 2 binary blocks are just plain LZMA, while the SE555 has blocks starting with 0x0F 0x0F 0x0F 0x0F. Don't know what it is. Some encryption?
Neither 'Binwalk' nor 'file' knows this header.

Using these instructions I disassembled the firmware 'kernel' and generated vmlinux. This is the result:
vmlinux:

94000000:       090410c4        j       0x94104310
94000004:       00000000        nop
94000008:       00000000        nop
9400000c:       090410c4        j       0x94104310
94000010:       00000000        nop
94000014:       4c444d43        0x4c444d43
94000018:       3a454e49        xori    a1,s2,0x4e49
        ...
94000420:       40086000        mfc0    t0,c0_status
94000424:       35080001        ori     t0,t0,0x1
94000428:       39080001        xori    t0,t0,0x1
9400042c:       40886000        mtc0    t0,c0_status
94000430:       00000040        ssnop
94000434:       00000040        ssnop
94000438:       00000040        ssnop
9400043c:       10000002        b       0x94000448

firmware kernel:

94000000:       40026000        mfc0    v0,c0_status
94000004:       3c010040        lui     at,0x40
94000008:       00411024        and     v0,v0,at
9400000c:       40826000        mtc0    v0,c0_status
94000010:       3c049403        lui     a0,0x9403
94000014:       24840a10        addiu   a0,a0,2576
94000018:       3c059437        lui     a1,0x9437
9400001c:       24a5f24c        addiu   a1,a1,-3508
94000020:       00a42823        subu    a1,a1,a0
94000024:       ac800000        sw      zero,0(a0)
94000028:       ac800004        sw      zero,4(a0)
9400002c:       24a5fff0        addiu   a1,a1,-16

What is striking me is that the code at 94000420 of vmlinux is almost exactly the same as the start of the firmware kernel. So I wouldn't be surprised if that was supposed to be the entry point. Yet 'j       kernel_entry' supposedly compiles to 'j       0x94104310', which is definitely not 0x94000420. Am I missing something?

Changed the vmlinux header to

mfc0    v0,c0_status
lui     at,0x40
and     v0,v0,at
mtc0    v0,c0_status
j    kernel_entry

No change.

I've also determined that it's not the end of the code block which makes the difference. The 'upgrade code' is accepted as 'runtime code'. The end of the 'upgrade code' contains some static strings, which are completely different from the 'runtime code' end.

Changed the vmlinux header to

        .fill 0x1000
        j       kernel_entry

copied the first 4KiB of the firmware code to vmlinux, and copied the jump to the first 4 bytes.

Progress! Well, at least the system doesn't fall back to the bootloader menu. Now it freezes directly after the 'done':

Copying boot params.....DONE

Flash Checking  Passed.

Unzipping  web at 0x94f30000 ... [LZMA] done
Unzipping code at 0x94000000 ... [LZMA] done

So it seems the code is accepted.
According to Wireshark nothing happens on the network port. (Should it, if the switch isn't supported?) No serial data either. (BTW, I changed the kernel command line (make kernel_menuconfig->kernel hacking->Default kernel command string) to console=ttyS0,115200)

Any ideas?

any progress?

No. I'm out of ideas, at the moment. The only way I can think of to get further is disassembling the bootloader, to see how it starts the firmware, but that's a bit beyond my skills, I'm afraid.

Yet another attempt. Looking through the kernel sources I saw that the SoC actually has two serial ports. Well, maybe Siemens wired 'the other one'. So I exchanged them in the kernel source. Unfortunately nothing.

But, a port is defined this way:

        uart_port[0].type = PORT_AR7;
        uart_port[0].line = 0;
        uart_port[0].irq = AR7_IRQ_UART0;
        uart_port[0].uartclk = ar7_bus_freq() / 2;
        uart_port[0].iotype = UPIO_MEM32;
        uart_port[0].mapbase = AR7_REGS_UART0;
        uart_port[0].membase = ioremap(uart_port[0].mapbase, 256);
        uart_port[0].regshift = 2;

This is pretty straightforward. I just exchanged all values, including 'line'. But I'm not sure about that last one. The only documentation I could find is in the header file (serial_core.h), which says /* port index */. But what does that mean? Is it a virtual index, or hardware related? In the last case I should exchange it, in the first case not. The other values are enough to define the hardware, so a hardware index doesn't seem necessary. Does anybody know? (I didn't exchange it. So the original kernel has line=0 coupled with irq=AR7_IRQ_UART0, in my new kernel line=1 has this irq.)

(Last edited by Mijzelf on 16 Feb 2012, 20:43)

Mijzelf wrote:
Copying boot params.....DONE

Flash Checking  Passed.

Unzipping  web at 0x94f30000 ... [LZMA] done
Unzipping code at 0x94000000 ... [LZMA] done

Hi, I have noticed that in the SE555 bootlog there is no LZMA message during fw image decompress - I just cannot figure out the compressed image type...

===========================================================
 TI ADSL AR7300 Loader 0.69c.4 build Aug  1 2005 13:50:49
                 Broad Net Technology, INC.
===========================================================
ES29LV160D bottom boot 16-bit mode found

Copying boot params.....DONE

Press any key to enter command mode ...
Flash Checking  Passed.

Unzipping  web at 0x95ef0000 ... [ZIP 3] [ZIP 2] done
Unzipping code at 0x94000000 ... [ZIP 3] [ZIP 2] done
In C_Entry() function ...
install_exception
sys_irq_init() ...
Set GPIO
Reset USB, PCI and VP140 module ...
vpReset(0)
vpReset(1)
PciPortal.start 40000000
##### _ftext      = 0x94000000
##### _fdata      = 0x943410B0
##### __bss_start = 0x9438C348
##### end         = 0x956FF18C
##### Backup Data from 0x943410B0 to 0x9571F18C~0x9576A424 len 307864
vlynq_config_init: HW Reset Bypass!
inside reset callbackreset assert
inside reset callbackreset deassert
inside reset callbackLink Estab
inside reset callbackinit ok
Checking for Vlynq Link...
VLYNQ0 @ base 0xa8611800 is properly enumerated.

Resetting PCI
Setting up PCIC registers
Lock out access to PCI interface (currently=3c00)
Setting up PCIC_SLAVE_BASE_ADDR_XLAT_REG
Enabling arbiter and base0
Setting up PCIC_MASTER_MEM_SPACE_ADDR_XLAT_REG
Done with PCI configuration
Delaying for PCI cards to reset
Enumerating devices
Enumerating PCI device 0
Assigning resources to PCI device #0IntPin 1

 BaseAddress @ 0x00000010 after writing 0xFFFFFFFF = 0xfc000008
Device requires 67108864 bytes of memory space.
 ERROR: Could not allocate resources for this device.
 BaseAddress @ 0x00000014 after writing 0xFFFFFFFF = 0xfc000000
Device requires 67108864 bytes of memory space.
 ERROR: Could not allocate resources for this device.
 BaseAddress @ 0x0000001c after writing 0xFFFFFFFF = 0x00000000
 BaseAddress @ 0x00000020 after writing 0xFFFFFFFF = 0x00000000
 BaseAddress @ 0x00000024 after writing 0xFFFFFFFF = 0x00000000Device 0 : base 0 reg fc000008

Enumerating PCI device 1
Assigning resources to PCI device #1IntPin 1

 BaseAddress @ 0x00000010 after writing 0xFFFFFFFF = 0xffff0000
Device requires 65536 bytes of memory space.
 Usable base address located! Memory range allocated = 0x40000000 - 0x4000ffff
Enumerating PCI device 2
Assigning resources to PCI device #2IntPin 1

 BaseAddress @ 0x00000010 after writing 0xFFFFFFFF = 0x00000000
 BaseAddress @ 0x00000014 after writing 0xFFFFFFFF = 0x00000000
 BaseAddress @ 0x00000018 after writing 0xFFFFFFFF = 0x00000000
 BaseAddress @ 0x0000001c after writing 0xFFFFFFFF = 0x00000000
 BaseAddress @ 0x00000020 after writing 0xFFFFFFFF = 0xffffffe1
Device requires 32 bytes of memory space.
 Usable base address located! IO range allocated = 0x60000000 - 0x6000001f
Enumerating PCI device 3
Assigning resources to PCI device #3IntPin 2

 BaseAddress @ 0x00000010 after writing 0xFFFFFFFF = 0x00000000
 BaseAddress @ 0x00000014 after writing 0xFFFFFFFF = 0x00000000
 BaseAddress @ 0x00000018 after writing 0xFFFFFFFF = 0x00000000
 BaseAddress @ 0x0000001c after writing 0xFFFFFFFF = 0x00000000
 BaseAddress @ 0x00000020 after writing 0xFFFFFFFF = 0xffffffe1
Device requires 32 bytes of memory space.
 Usable base address located! IO range allocated = 0x60000020 - 0x6000003f
Enumerating PCI device 4
Assigning resources to PCI device #4IntPin 3

 BaseAddress @ 0x00000010 after writing 0xFFFFFFFF = 0xffffff00
Device requires 256 bytes of memory space.
 Usable base address located! Memory range allocated = 0x40010000 - 0x400100ff
Enumerating PCI device 5
PCI: Slot=0, ID=TI VLYNQ2PCI , Index=0, MemBase=0x00000000, Int=00
0x00: 0xa10a104c 0x22100007 0x00000000 0x00002004
0x10: 0xfc000008 0xfc000000 0x00000001 0x00000000
0x20: 0x00000000 0x00000000 0x00000000 0x00000000
0x30: 0x00000000 0x00000040 0x00000000 0x02010100
0x40: 0x00020001 0x00000000
PCI: Slot=1, ID=Atheros AR5212 , Index=0, MemBase=0x40000000, Int=00
0x00: 0x0013168c 0x02900006 0x02000001 0x00002004
0x10: 0x40000000 0x00000000 0x00000000 0x00000000
0x20: 0x00000000 0x00000000 0x00005001 0x44121113
0x30: 0x00000000 0x00000044 0x00000000 0x1c0a0100
0x40: 0x00000000 0x01c20001
PCI: Slot=2, ID=VIA VT6212 , Index=0, MemBase=0x60000000, Int=00
0x00: 0x30381106 0x02100007 0x0c030061 0x00802004
0x10: 0x00000000 0x00000000 0x00000000 0x00000000
0x20: 0x60000001 0x00000000 0x00000000 0x30381106
0x30: 0x00000000 0x00000080 0x00000000 0x00000100
0x40: 0x00031040 0x00000000
PCI: Slot=3, ID=VIA VT6212 , Index=1, MemBase=0x60000020, Int=00
0x00: 0x30381106 0x02100007 0x0c030061 0x00802004
0x10: 0x00000000 0x00000000 0x00000000 0x00000000
0x20: 0x60000021 0x00000000 0x00000000 0x30381106
0x30: 0x00000000 0x00000080 0x00000000 0x00000200
0x40: 0x00031040 0x00000000
PCI: Slot=4, Vendor:DeviceID=0x1106:0x3104, Index=0, MemBase=0x40010000, Int=00
0x00: 0x31041106 0x02100007 0x0c032063 0x00802004
0x10: 0x40010000 0x00000000 0x00000000 0x00000000
0x20: 0x00000000 0x00000000 0x00000000 0x31041106
0x30: 0x00000000 0x00000080 0x00000000 0x00000300
0x40: 0x000b0000 0x00000000
PCI: Slot=5, --- No device present ---
[INIT] System Log Pool startup ...
[INIT] MTinitialize ..
userclk_init() ...
Runtime code version: 1.30k
System startup...
[INIT] Memory COLOR 0, 1500000 bytes ..
[INIT] Memory COLOR 1, 1048576 bytes ..
[INIT] Memory COLOR 2, 1900000 bytes ..
DSL HAL Version: 06.00.04.107
Die ID : 0xDE811A0D - 781B941D
Sangam detected, rev 0x26
set dspfreq 250Mhz
Sangam clock boost 250
REG_VSERCLKSELR<-0x01
Enable Analog PLL

SAR_FREQUNCY = 62500000Hz

manu_id=004A chip_id=2249
v1=0000 v2=00FF
ESS ES29LV160D bottom boot 16-bit mode found
Set flash memory layout to Boot Parameters found !!!
Bootcode version: 0.69c.4
Serial number: J606316482
Hardware version: 01
sizeof(struct III_Config_t) is 108760

manu_id=004A chip_id=2249
v1=0000 v2=00FF
ESS ES29LV160D bottom boot 16-bit mode found
!!! Invalid wireless channel range 0 ~ 0
!!! Use default value 1 ~ 13
default route: 0.0.0.0
BufferInit:
BUF_HDR_SZ=64 BUF_ALIGN_SZ=12 BUFFER_OFFSET=128
BUF_BUFSZ0=384 BUF_BUFSZ1=3264
NUM_OF_B0=0 NUM_OF_B1=1200
BUF_POOL0_SZ=0 BUF_POOL1_SZ=3993600
sizeof(BUFFER0)=448,sizeof(BUFFER1)=3328
*BUF0=0x9529a8d0 *BUF1=0x94ecb8c0
Altgn *BUF0=0x9529a8d0 *BUF1=0x94ecb8c0
End at BUF0:0x9529a8d0, BUF1:0x9529a8c0

BUF0[0]=0x9529a8d0 BUF1[0]=0x94ecb8c0

buffer0 pointer init OK!
buffer1 pointer init OK!
[qm_lnk_init] CLOCKHZ=1000 ...
[qm_lnk_init] add if 3 into QM link 0
[qm_cbq_enable] no QM attached
[qm_cbq_detach] no QM is attached at link 0
f=0/100000, ns_per_byte=65536000/100000
New cls: id=0, bw=8080 ns/byte, maxd=0 ms,
         maxb=32, minb=2, avgpktsz=250, maxpktsz=1802,
         offtime=40, parent=0, borrow=0
         pri=0, maxidle=31, minidle=-29123,
         maxq=48, clsfg=17
f=0/100000, ns_per_byte=4247781376/100000
New cls: id=1, bw=808080 ns/byte, maxd=0 ms,
         maxb=16, minb=1, avgpktsz=1802, maxpktsz=1802,
         offtime=1441745, parent=95617d3c, borrow=95617d3c
         pri=7, maxidle=384166, minidle=-2912323,
         maxq=48, clsfg=21
qm_cbq_attach(): cbqp->cbq_res=48
f=0/100000, ns_per_byte=245104640/100000
New cls: id=2, bw=8162 ns/byte, maxd=0 ms,
         maxb=32, minb=4, avgpktsz=250, maxpktsz=1802,
         offtime=166, parent=95617d3c, borrow=95617d3c
         pri=0, maxidle=31, minidle=-29417,
         maxq=48, clsfg=21
f=0/100000, ns_per_byte=0/100000
[qm_cbq_newcls] warning: bandwidth of the class may be low enough to cause INT overflow
New cls: id=3, bw=1191722 ns/byte, maxd=0 ms,
         maxb=16, minb=4, avgpktsz=250, maxpktsz=1802,
         offtime=1212204, parent=9561673c, borrow=9561673c
         pri=0, maxidle=0, minidle=-4294966,
         maxq=48, clsfg=21
f=0/100000, ns_per_byte=0/100000
[qm_cbq_newcls] warning: bandwidth of the class may be low enough to cause INT overflow
New cls: id=4, bw=1191722 ns/byte, maxd=0 ms,
         maxb=16, minb=4, avgpktsz=250, maxpktsz=1802,
         offtime=1212204, parent=9561673c, borrow=9561673c
         pri=2, maxidle=0, minidle=-4294966,
         maxq=48, clsfg=23
f=0/100000, ns_per_byte=0/100000
[qm_cbq_newcls] warning: bandwidth of the class may be low enough to cause INT overflow
New cls: id=5, bw=1191722 ns/byte, maxd=0 ms,
         maxb=16, minb=4, avgpktsz=250, maxpktsz=1802,
         offtime=1212204, parent=9561673c, borrow=9561673c
         pri=3, maxidle=0, minidle=-4294966,
         maxq=48, clsfg=23
f=0/100000, ns_per_byte=0/100000
[qm_cbq_newcls] warning: bandwidth of the class may be low enough to cause INT overflow
New cls: id=6, bw=1191722 ns/byte, maxd=0 ms,
         maxb=16, minb=4, avgpktsz=250, maxpktsz=1802,
         offtime=1212204, parent=9561673c, borrow=9561673c
         pri=4, maxidle=0, minidle=-4294966,
         maxq=48, clsfg=23
f=0/100000, ns_per_byte=0/100000
[qm_cbq_newcls] warning: bandwidth of the class may be low enough to cause INT overflow
New cls: id=7, bw=1191722 ns/byte, maxd=0 ms,
         maxb=16, minb=4, avgpktsz=250, maxpktsz=1802,
         offtime=1212204, parent=9561673c, borrow=9561673c
         pri=5, maxidle=0, minidle=-4294966,
         maxq=48, clsfg=23
f=0/100000, ns_per_byte=245104640/100000
New cls: id=8, bw=8162 ns/byte, maxd=0 ms,
         maxb=16, minb=4, avgpktsz=250, maxpktsz=1802,
         offtime=166, parent=9561673c, borrow=9561673c
         pri=7, maxidle=31, minidle=-29417,
         maxq=48, clsfg=20
CLOCKHZ=1000
gConfig.Interface[0].IP_Addr = 127.0.0.1
gConfig.Interface[0].Subnet_Mask = 255.255.255.255
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
Interface 0 ip = 127.0.0.1

gConfig.Interface[1].IP_Addr = 192.168.1.1
gConfig.Interface[1].Subnet_Mask = 255.255.255.0
gConfig.Interface[1].VLAN_Idx = 0
ifp->ipaddr = 0101A8C0
ifp->netmask = 00FFFFFF
gConfig.Vlan_Ports[gConfig.Interface[1].VLAN_Idx].VNet = 1
gConfig.Vlan_Ports[gConfig.Interface[1].VLAN_Idx].IGMP_Querier_Enable = 1
Memory request 2072 left 297928 ptr 945E8AC4
Call tn7sar_malloc_dma_xfer() addr:B45E8AC4 size:2072
MAC1 [RX=128 TX=1]: TI External PHY
MAC Address: 00:01:e3:c8:3d:df
[VLAN] port: 0x0003 vlan: 0x000c
[VLAN] ifno: 1 port: 3 vlan: 0x1030
[VLAN] ifno: 1 port: 4 vlan: 0x1028
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!

manu_id=004A chip_id=2249
v1=0000 v2=00FF
ESS ES29LV160D bottom boot 16-bit mode found
br_MacAddress=00-01-E3-C8-3D-DF
Interface 1 ip = 192.168.1.1

gConfig.Interface[2].IP_Addr = 0.0.0.0
gConfig.Interface[2].Subnet_Mask = 0.0.0.0
gConfig.Interface[2].VLAN_Idx = 0
ifp->ipaddr = 0101A8C0
ifp->netmask = 00FFFFFF
gConfig.Vlan_Ports[gConfig.Interface[2].VLAN_Idx].VNet = 1
gConfig.Vlan_Ports[gConfig.Interface[2].VLAN_Idx].IGMP_Querier_Enable = 1
[HWLAN] ifno=2 irno=7 port=0x00000000
[PCI] devtag=00000800 probe=940a342c
[HWLAN] devtag = 00000800
[HWLAN] Vendor ID 0x168c
[HWLAN] Device ID 0x13
[HWLAN] Base Addr 0xa4001400
[HWLAN] SVendor ID 0x1113
[HWLAN] SDevice ID 0x4412
[HWLAN] Revision ID 0x1
[HWLAN] interrupt vector 0x1
INTTYPR1 00000004 INTPOLR1 00000004, GPIOEN f3f7fff0
apCfgRadioDefaultSet> gSetting.channel=0, pRadio->channel=5260, pRadio->freqSpec=1
[HWLAN] pRadio->abolt = 00000000
apCfgRadioDefaultSet> gSetting.channel=0, pRadio->channel=2462, pRadio->freqSpec=8
[HWLAN] pRadio->abolt = 00000000
[HWLAN] gSetting.BasicRate=f
[HWLAN] apCfgDefaultSet : prepare to set WDS..
apInit: Initialize Access Point.
[HWLAN] ar5hwcCreatePhy : ifno:2 pdevInfo=94b50094, devno=1
[HWLAN] devno 1 pdevInfo 94b50094
[HWLAN] Base address = a4001400, irq 1
Attach AR5212 0x13 0x94b50094
[HWLAN] DOMAIN 00008114
[HWLAN] Set HWLAN MAC as LAN MAC ..
[HWLAN] MAC Address=00-01-E3=C8-3D-E1
[HWLAN] wlan1 revisions: mac 7.9 phy 4.5 analog 5.6 eeprom 5.2
[apCfgRadioCheck] nRadio=1
[apCfgRadioCheck] wmode=12, pRadio1->freqSpec=8
[ar5hwcCreatePhy]  devno=1, opModes=8
[wlanInitChannelList] wireless_selection=0x8
[HWLAN] country code = 00000114
wlanInitChannelList -- country: DE, mode: 8 11g

[HWLAN] wlanInitChannelList -- 13 channels
[HWLAN]  2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472
[wlanGetChannelPtr] channel=2462, modeSelect=8, pCList->listSize=13[wlanGetChannelPtr] pCList->chanArray[0].channelFlags=0x5400, modeTable[3].channelFlags=0x1400
[wlanGetChannelPtr] pCList->chanArray[1].channelFlags=0x5400, modeTable[3].channelFlags=0x1400
[wlanGetChannelPtr] pCList->chanArray[2].channelFlags=0x5400, modeTable[3].channelFlags=0x1400
[wlanGetChannelPtr] pCList->chanArray[3].channelFlags=0x5400, modeTable[3].channelFlags=0x1400
[wlanGetChannelPtr] pCList->chanArray[4].channelFlags=0x5400, modeTable[3].channelFlags=0x1400
[wlanGetChannelPtr] pCList->chanArray[5].channelFlags=0x5400, modeTable[3].channelFlags=0x1400
[wlanGetChannelPtr] pCList->chanArray[6].channelFlags=0x5400, modeTable[3].channelFlags=0x1400
[wlanGetChannelPtr] pCList->chanArray[7].channelFlags=0x5400, modeTable[3].channelFlags=0x1400
[wlanGetChannelPtr] pCList->chanArray[8].channelFlags=0x5400, modeTable[3].channelFlags=0x1400
[wlanGetChannelPtr] pCList->chanArray[9].channelFlags=0x5400, modeTable[3].channelFlags=0x1400
[wlanGetChannelPtr] pCList->chanArray[10].channelFlags=0x5400, modeTable[3].channelFlags=0x1400
[HWLAN] phwChannel 2462, channelFlags 00005400
[HWLAN] size of ATHEROS_DESC hardware part 32
[HWLAN] CACHE_LINE_SIZE 16, AR_DESC_SIZE 128
[HWLAN] AR_HEADER_SIZE 96, AR_BUF_SIZE 3196numDescriptors = 704
[HWLAN] wlan1: pDmaBuf=B438D5B0
[HWLAN] pMemBuf b438d5b0 pdevInfo->pDmaBuf b438d5b0
[HWLAN] ar5hwcQueueCreate: semaphore id 945cdb3c
[HWLAN] ar5hwcQueueCreate: semaphore id 945cdb50
[HWLAN] ar5hwcQueueCreate: semaphore id 945cdb64
[HWLAN] ar5hwcQueueCreate: semaphore id 945cdb78
[HWLAN] pMemBuf b43a95b0, pdevInfo->pDmaBuf + pdevInfo->dmaBufSize b43db5d0
[HWLAN] muxDevLoad is called for vportNum 10000, loadfn 940c21f4, vportStr 16: 0: 1
[HWLAN] ioctl CMD=0xb
[HWLAN] bridgePortAdd : vp, 10000
[HWLAN] bridgePortAdd (base BSS) succeeded for vp1
wlan1 added STA: 00:01:e3:c8:3d:e1 (0)
[HWLAN] ifno=2 after call apInit() : .... bg 1 , a 0 ....
wlan_timer_init() ...
Wireless Init Success
inside isr callback for reporting vlynq events.Reg=1000001
inside isr callback for reporting vlynq events.Reg=1000003
ISR not installed for vlynq vector:3
ISR not installed for vlynq vector:4
ISR not installed for vlynq vector:5
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
[HWLAN] hwlan_ioctl() ..
Interface 2 ip = 192.168.1.1

[HWLAN] hwlan_ioctl() ..
gConfig.Interface[3].IP_Addr = 0.0.0.0
gConfig.Interface[3].Subnet_Mask = 0.0.0.0
pppInit> set (PPPShutdownRequest[ifno] = 0)
Init SAR ifno:3 chan:0 VPI/VCI:0/33
Init PDSP ...
Init PDSP done.
Memory request 552 left 297376 ptr 945E92DC
Call tn7sar_malloc() addr:B45E92DC size:552
[aal5->os]2.IsrRegister(OsDev:9438c7d4, halIsr:9418e684, Interrupt:15)
[aal5]halControl(HalDev:95569ab8, Key:OamMode, Action:Set, Value:9571f04c)
[aal5]halChannelSetup(HalDev:95569ab8, HalCh:9571ef90, OsSetup:00000000)
  [aal5 Inst 0, Ch 0] Config Dump:
    TxNumBuffers  :00000128, TxNumQueues :00000002
    RxNumBuffers  :00000128, RxBufSize   :00001582
    TxServiceMax  :00000032, RxServiceMax:00000016
    RxBufferOffset:00000000, DaMask      :00000001
    CpcsUU        :00000000, Gfc         :00000000
    Clp           :00000000, Pti         :00000000
    Priority      :00000002, PktType     :00000000
    Vci           :00000033, Vpi         :00000000
    TxVc_CellRate :00015625, TxVc_QosType:00000002
    TxVc_Mbs      :00015625, TxVc_Pcr    :00015625
    TxVc_AtmHeader:00000528
InitTcb(CH:0): tcbsize:48 allsize:6160 num:128
Memory request 6160 left 291216 ptr 945E9504
Call tn7sar_malloc_dma_xfer() addr:B45E9504 size:6160
Memory request 6160 left 285056 ptr 945EAD14
Call tn7sar_malloc_dma_xfer() addr:B45EAD14 size:6160
InitRcb(CH:0): rcbsize:64 allsize:8208 num:128
Memory request 8208 left 276848 ptr 945EC524
Call tn7sar_malloc_dma_xfer() addr:B45EC524 size:8208
Call halChannelSetup(), Ch:0
(HalCh->TxVc_VpOffset)=00000000
(HalCh->RxVc_VpOffset)=00000000
Install SAR handler ...
MAC Address: 00:01:e3:c8:3d:e0
Interface 3 ip = 0.0.0.0

gConfig.Interface[11].IP_Addr = 0.0.0.0
gConfig.Interface[11].Subnet_Mask = 0.0.0.0
IFLNK_PPPOE init : (Linkp)ifno = 11 idx = 2
IFLNK_PPPOE init : (Driverp)ifno = 11 idx = 3
pppInit> set (PPPShutdownRequest[ifno] = 0)
Interface 11 ip = 0.0.0.0

gConfig.Interface[21].IP_Addr = 192.168.200.1
gConfig.Interface[21].Subnet_Mask = 255.255.255.0
gConfig.Interface[21].VLAN_Idx = 1
ifp->ipaddr = 01C8A8C0
ifp->netmask = 00FFFFFF
gConfig.Vlan_Ports[gConfig.Interface[21].VLAN_Idx].VNet = 1
gConfig.Vlan_Ports[gConfig.Interface[21].VLAN_Idx].IGMP_Querier_Enable = 0
MAC Address: 00:01:e3:c8:3d:df
[VLAN] port: 0x000c vlan: 0x0003
[VLAN] ifno: 21 port: 1 vlan: 0x2024
[VLAN] ifno: 21 port: 2 vlan: 0x2022
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!

manu_id=004A chip_id=2249
v1=0000 v2=00FF
ESS ES29LV160D bottom boot 16-bit mode found
br_MacAddress=00-01-E3-C8-3D-DF
Interface 21 ip = 192.168.200.1

ruleCheck()> Group: 0,  Error: Useless rule index will be truncated
ruleCheck()> Group: 1,  Error: Useless rule index will be truncated
ruleCheck()> Group: 2,  Error: Useless rule index will be truncated
CBAC rule format check succeed !!
reqCBACBuf()> init match pool, Have: 1000
Memory Address: 0x955b535c ~ 0x955bc0d8
reqCBACBuf()> init timeGap pool, Have: 10000
Memory Address: 0x955bc0d8 ~ 0x955ece2c
reqCBACBuf()> init sameHost pool, Have: 2000
Memory Address: 0x955ece2c ~ 0x955fc84c
CBAC rule pool initialized !!
Init NAT data structure
RUNTASK id=2 if_task if0...
RUNTASK id=3 if_task if1...
RUNTASK id=4 if_task if2...
RUNTASK id=5 if_task if3...
RUNTASK id=6 if_task if21...
RUNTASK id=7 timer_task...
RUNTASK id=8 conn_mgr...
RUNTASK id=9 main_8021x...
RUNTASK id=10 UsbSysInitTask ...
RUNTASK id=12 period_task...

========== ADSL Modem initialization OK ! ======

RUNTASK id=13 dhcp_daemon...
Unzipping from B0040000 to 95D00000 ... done
Uncompressed size = 2925052
drive start addr[0]=95d00000, [1]=95fca200
[HTTPD] flash_init: failed!!
httpd: listen at 192.168.1.1:80
httpd: listen at 192.168.200.1:80
HTTPD TIMER_RESOURCE:5, FS_RESOURCE:6
RUNTASK httpd...
RUNTASK id=17 dnsproxy...
RUNTASK id=18 rip...
RUNTASK id=19 ripout...
RUNTASK id=20 nbios_main...
RUNTASK id=21 padmin_task_entry...
RUNTASK id=22 dhcpd_mgmt_task...
UPnP is enabled
UPNP Device initialize success! slot=23
Starting Multitask...
wlanFindChannel - Initialize channel costs
2412 -35  2417 -30  2422 -30  2427 -30  2432 -30  2437 -30  2442 -35
2447 -30  2452 -30  2457 -30  2462 -30  2467 -30  2472 -35

wlanFindChannel - Setup normal mode BSS value costs
2412   0  2417   0  2422   0  2427   0  2432   0  2437   0  2442   0
2447   0  2452   0  2457   0  2462   0  2467   0  2472   0

wlanFindChannel - Initial values, BSS RSSI maxes and multiple interferers added together
2412 -35  2417 -30  2422 -30  2427 -30  2432 -30  2437 -30  2442 -35
2447 -30  2452 -30  2457 -30  2462 -30  2467 -30  2472 -35

wlanFindChannel Cost Histogram: higher values indicate more interference
2412   0  2472   0  2417   5  2437   5  2442   5  2447   5  2467   5
2422  10  2452  10  2427  10  2432  10  2457  10  2462  10

Auto Channel Scan selected 2472 MHz, channel 13
[HWLAN] Ready





---------------------------------------------------------

[AR7300 Boot]:

======================
 [u] Upload to Flash
 [E] Erase Flash
 [G] Run Runtime Code
 [A] Set MAC Address
 [#] Set Serial Number
 [V] Set Board Version
 [h] Set Options
 [P] Print Boot Params
======================

[AR7300 Boot]:p


MAC address     : 00-01-E3-C8-3D-DF
Serial number   : J606316482
Hardware version: 01
Options         : 00-00-00-00-00-00

[AR7300 Boot]:


---------------------------------------------------------




UPLOAD Flash
---------------------------------------
    Area            Address      Length
---------------------------------------
[0] Boot            0xB0000000     128K
[1] Configuration   0xB0020000     128K
[2] Web Image       0xB0040000    1728K
[3] Code Image      0xB0040000    1728K
[4] Boot Params     0xB01F0000      64K
[5] Flash Image     0xB0000000    2048K
---------------------------------------
Enter area to UPLOAD:

@Mijzelf
Just curious, what do you think:
I have a DSL-G684T https://forum.openwrt.org/viewtopic.php?id=26855 (ar7 wifi dsl router) and device is equipped with 4MB flash chip and it has the adam2 bootloader.
The idea is to dump the loader and flash it to SE555 - what do you think? I see only one problem - the smaller flash size in SE555...
The other but harder way is to take the flash chip from DSL-G684T and to solder it to SE555.

vpritiskovic wrote:

just cannot figure out the compressed image type...

I *think* it's encrypted somehow, and the steps [ZIP 3] and [ZIP 2] stand for decrypting and decompressing.
When you're lucky the bootloader will also understand and accept ordinary zipfiles. (And maybe even LZMA). On my box the 'recovery mode' consists of two zipfiles, which are also happily decompressed and executed by the same bootloader. I've not tried to zip the kernel instead of lzma'ing it.

===========================================================
 TI ADSL AR7300 Loader 0.71.4 build Oct 18 2005 11:13:40
                 Broad Net Technology, INC.
===========================================================
ESS ES29LV160D bottom boot 16-bit mode found

Copying boot params.....DONE
Reset button was pressed
Click 1...
Click 2...
Click 3...

Activating recovery tool...

Unzipping  web at 0x94f30000 ... [ZIP] done
Unzipping code at 0x94000000 ... [ZIP] done
Boot ETCPIP running ...

In C_Entry() function ...
<snip>

The idea is to dump the loader and flash it to SE555 - what do you think? I see only one problem - the smaller flash size in SE555...

I really have no experience with this stuff. I've been looking for an alternate bootloader for my SX551. When reading through the routertech forums I had the impression that it's not trivial. The bootloader has to support the exact flashrom type and size, and maybe also some other hardware. (When exchanging the bootloader would disable the PCI bus (the only reason to prefer this ar7 box above any other), it's senseless).

Mijzelf wrote:

I really have no experience with this stuff. I've been looking for an alternate bootloader for my SX551. When reading through the routertech forums I had the impression that it's not trivial. The bootloader has to support the exact flashrom type and size, and maybe also some other hardware. (When exchanging the bootloader would disable the PCI bus (the only reason to prefer this ar7 box above any other), it's senseless).

In this case, as I have already mentioned, the replacement bootloader is one of the standard ar7 target loaders. So the whole board should be initialized; only the switch chip and the RAM size are a problem - but I am going to try - in the end the flash chip from DSL-G684T is 4MB (2MB bigger compared to SE555) so I think it would be enough to build the OpenWrt firmware.

When relooking at what I've done, I found that something is wrong with the kernel addresses. Obviously the kernel will be loaded at 0x94000000. And I edited target/linux/ar7/image/Makefile to reflect that:

LOADADDR:=0x94000000
KERNEL_ENTRY:=0x94010000
RAMSTART:=0x94000000
RAMSIZE:=0x02000000

before running

echo CONFIG_TARGET_ar71=y > .config
make defconfig

But when I look at the disassembled vmlinux earlier in this thread, it starts with

94000000:       090410c4        j       0x94104310

So apparently the kernel expects to be at address 0x94100000. I checked it in System.map, and indeed:

94100000 A _text
9410000c T __kernel_entry
9410000c T _stext
94101020 T ret_from_exception
<snip>

I looked in the kernel .config, and couldn't find a load address. Nor in Makefile. How is the linker supposed to know the load address of the kernel?

Finally success!!! Well, partly.

In the file build_dir/linux-ar7/linux-2.6.32.27/arch/mips/Makefile I found the section

#
# Texas Instruments AR7
# 
core-$(CONFIG_AR7)              += arch/mips/ar7/
cflags-$(CONFIG_AR7)            += -I$(srctree)/arch/mips/include/asm/mach-ar7
load-$(CONFIG_AR7)              += 0xffffffff94100000

in which I changed the last value to 0xffffffff94000000. I switched back the serial ports, and compiled the stuff.

The result (sound of drums):

===========================================================
 TI ADSL AR7300 Loader 0.71.4 build Oct 18 2005 11:13:40
                 Broad Net Technology, INC.
===========================================================
ESS ES29LV160D bottom boot 16-bit mode found

Copying boot params.....DONE

Flash Checking  Passed.

Unzipping  web at 0x94f30000 ... [LZMA] done
Unzipping code at 0x94000000 ... [LZMA] doneLinux version 2.6.32.27 (Mijzelf@ubuntu) (gcc version 4.3.3 (GCC) ) #11 Sun Feb 2
bootconsole [early0] enabled
CPU revision is: 00018448 (MIPS 4KEc)
TI AR7 (TNETD7300), ID: 0x0005, Revision: 0x26
Determined physical RAM map:
 memory: 02000000 @ 14000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00014000 -> 0x00016000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00014000 -> 0x00016000

And there it stops.

Still open for suggestions.
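The address mismatch worked out in the posts above, as an added example that is not code from the thread or from OpenWrt: it cross-checks the bootloader's "Unzipping code at" line, the first disassembled word of the image and the `_text` symbol from System.map, and shows that the entry jump lands 0x100000 bytes past where `kernel_entry` actually sits in RAM. All function names are hypothetical; the `THREAD_*` samples are copied from this thread and the `FIXED_*` samples are constructed.

```python
"""Cross-check bootloader load address, linker base and entry jump of a raw MIPS image."""
import re

MASK32 = 0xFFFFFFFF


def bootloader_load_address(boot_log):
    """Address the loader unpacks the code block to ('Unzipping code at 0x...')."""
    m = re.search(r"Unzipping\s+code\s+at\s+0x([0-9a-fA-F]+)", boot_log)
    return int(m.group(1), 16) if m else None


def makefile_load_address(makefile_text, symbol="CONFIG_AR7"):
    """Value of 'load-$(SYMBOL) += 0x...' from arch/mips/Makefile, cut to 32 bits."""
    pattern = r"^load-\$\(" + re.escape(symbol) + r"\)\s*\+?=\s*0x([0-9a-fA-F]+)"
    m = re.search(pattern, makefile_text, re.MULTILINE)
    return int(m.group(1), 16) & MASK32 if m else None


def parse_system_map(text):
    """Map symbol name -> 32-bit address; lines that are not 'addr type name' are skipped."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and re.fullmatch(r"[0-9a-fA-F]+", parts[0]):
            symbols[parts[2]] = int(parts[0], 16) & MASK32
    return symbols


def parse_objdump_line(line):
    """Return (address, instruction word) from an objdump line 'addr:  word  mnemonic'."""
    m = re.match(r"\s*([0-9a-fA-F]+):\s+([0-9a-fA-F]{8})\b", line)
    if not m:
        raise ValueError("not an objdump instruction line: %r" % line)
    return int(m.group(1), 16), int(m.group(2), 16)


def decode_mips_jump(word, pc):
    """Absolute target of a MIPS J/JAL executed at pc, or None for any other opcode."""
    if word >> 26 not in (0x02, 0x03):           # opcode 2 = J, 3 = JAL
        return None
    # Top 4 bits come from the delay-slot address, the rest from instr_index << 2.
    return ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)


def check_image(boot_log, first_insn_line, system_map):
    """Compare where the loader puts the image with where the linker assumed it runs."""
    load = bootloader_load_address(boot_log)
    link_base = parse_system_map(system_map).get("_text")
    pc, word = parse_objdump_line(first_insn_line)
    target = decode_mips_jump(word, pc)
    if load is None or link_base is None or target is None:
        raise ValueError("missing load address, _text symbol or entry jump")
    return {
        "load_address": load,
        "link_base": link_base,
        "delta": link_base - load,               # 0 when the image is linked correctly
        "jump_target": target,
        "intended_offset": target - link_base,   # image offset the linker meant to reach
        "landing_offset": target - load,         # image offset the CPU really reaches
        "consistent": link_base == load,
    }


# Samples copied from this thread.
THREAD_BOOT_LOG = "Unzipping code at 0x94000000 ... [LZMA] done"
THREAD_FIRST_INSN = "94000000:       090410c4        j       0x94104310"
THREAD_SYSTEM_MAP = """94100000 A _text
9410000c T __kernel_entry
9410000c T _stext
94101020 T ret_from_exception
"""
THREAD_MAKEFILE = "load-$(CONFIG_AR7)              += 0xffffffff94100000\n"

# Constructed samples: the same image relinked with the load value set to
# 0xffffffff94000000, so _text and the jump target both move down by 0x100000.
FIXED_FIRST_INSN = "94000000:       090010c4        j       0x94004310"
FIXED_SYSTEM_MAP = "94000000 A _text\n"

if __name__ == "__main__":
    for name, insn, smap in (("thread", THREAD_FIRST_INSN, THREAD_SYSTEM_MAP),
                             ("fixed", FIXED_FIRST_INSN, FIXED_SYSTEM_MAP)):
        report = check_image(THREAD_BOOT_LOG, insn, smap)
        print(name, {k: hex(v) if isinstance(v, int) and not isinstance(v, bool) else v
                     for k, v in report.items()})
```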

Mijzelf wrote:

Finally success!!!

Wow, I think you are close to normal boot...

I tried to generate a SE555 compatible firmware file, to check if your box would accept it, but a zipped vmlinux doesn't fit. So it should be a zipped LZMA'd zImage I suppose.

Can you send, I would like to test?

I don't have a zImage with the right addresses at the moment. So I just cut the tail of vmlinux, hoping it doesn't contain anything which will be executed in the few loglines I have.
You can download the testfile here:
http://www.mediafire.com/download.php?d8d8266f2qv3r12

Ok, tomorrow I will test your build and report back...

BTW I have a GPL source code released for DSL-G684T (TI ar7) if you like you could take a look?

Is it already possible to get OpenWRT working with the Siemens SX551? (it's a useless KPN thing)

When trying to upload the 2,7MB openwrt-ar7-squashfs.bin file, it bails out with "File too big" (not surprising considering the 2MB flash...)

(Last edited by Lekensteyn on 5 Mar 2012, 23:01)

Well, it wouldn't be accepted anyway, as the update has to be packed in a special way.

Anyway, I'm still working on it. Don't thrash your box yet.

I've ordered this PL2303HX cable, is there any way I can help with this? I'm not very knowledgeable at EE, but have friends who are better at it. I'm a CS student myself.

Sorry, posts 26 to 25 are missing from our archive.