OpenWrt Forum Archive

Topic: Atheros AR2316 - wireless radio config missing

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all!

I just found my old (SMC WBR14T-G) router again and decided to try putting OpenWRT on it.
The device has 16 MB of RAM, Atheros AR2316 WiSoC, almost identical to what is found here:
http://wiki.openwrt.org/OpenWrtDocs/Har … mens/SE551

(the only problem is that the flash is only 2 MB, so i'll probably use RedBoot with network booting...)
I downloaded kamikaze from SVN, changed start address from 0x80041000 to 0x80001000 and the serial port baud rate to 115200, compiled the kernel with built-in jffs2 and uploaded the vmlinux image to memory via serial interface (it uses arcadyan's bootloader)

ar531xPlus rev 0x00000087 boot loader startup...                                                
Flash initialized                 
SDRAM initialized                 
Cache initialized                 

Copy program from 0xbfc00000 to 0x80520000, length 0x0000c56c bytes ... done                                                                            
Jump to SDRAM 0x80520cb4 [0x10000008, 0x00000000, 0x00000000]                                                             
Clear BSS section ... done                          
Stack: 0x8053e390                 
Heap: 0x8053e3a0                



==================================================================                                                                  
 Wireless Gateway WG4005E Loader V0.03 build Mar 29 2005 15:25:28                                                                 
                  Arcadyan Technology Corporation                                                 
==================================================================                                                                  

Flash Found. It is 2MB Flash....                                

Copying boot params.....DONE                            
cpuFreq=240000000 sysFreq=60000000 cntFreq=120000000                                                    

Press any key to enter command mode ...                                       

[WG4005E Boot]:m                

RAM upload destination: (default:0x80001000) : 0x                                                 
Starting XModem download...(press Enter to abort)                                                 
CCCCCCC       
Done!     
Do you want to execute the uploaded code? (Y/n) Linux version 2.6.23.16 (norb@bt) (gcc version 4.1.2) #16 Sat Apr 26 20:48:21 GMT 2008
CPU revision is: 000                  
Determined physical RAM map:                            
 memory: 01000000 @ 00000000 (usable)                                     
Built 1 zonelists in Zone order.  Total pages: 4064                                                   
Kernel command line: console=ttyS0,115200 rootfstype=squashfs,jffs2 init=/etc/preinit
Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.                                                                            
Primary data cache 16kB, 4-way, linesize 16 bytes.                                                  
Synthesized TLB refill handler (20 instructions).                                                 
Synthesized TLB load handler fastpath (32 instructions).                                                        
Synthesized TLB store handler fastpath (32 instructions).                                                         
Synthesized TLB modify handler fastpath (31 instructions).                                                          
PID hash table entries: 64 (order: 6, 256 bytes)                                                
Using 92.000 MHz high precision timer.                                      
console [ttyS0] enabled                       
Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)                                                            
Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)                                                           
Memory: 14832k/16384k available (1006k kernel code, 1552k reserved, 197k data, 80k init, 0k highmem)
Mount-cache hash table entries: 512                                   
NET: Registered protocol family 16                                  
WARNING: No board configuration data found!                                           
Time: MIPS clocksource has been installed.                                          
ar531x: Registering GPIODEV device                                  
CPU 0 Unable to handle kernel paging request at virtual address 00000050, epc == 8012f900, ra == 8012e780
Oops[#1]:         
Cpu 0     
$ 0   : 00000000 10008400 80140000 80140000                                           
$ 4   : ffff8af2 00000000 000000b8 801017ec                                           
$ 8   : ffffffff fffffffc 00000001 00000000                                           
$12   : 80150000 80150000 fff7ffff 00200200                                           
$16   : 00000000 00000000 8014100c 00000000                                           
$20   : fffffffe 00000000 00000000 00000000                                           
$24   : 00000000 800c57cc                         
$28   : 80188000 80189f38 80                          
Hi    : 0000005b                
Lo    : c01e0000                
epc   : 8012f900 ar531x_init_reset+0x28/0x5c     Not tainted
ra    : 8012e780 kernel_init+0xbc/0x328
Status: 10008403    KERNEL EXL IE
Cause : 30800008
BadVA : 00000050
PrId  : 00019064
Modules linked in:
Process swapper (pid: 1, threadinfo=80188000, task=80187568)
Stack : 8012f568 8012f4e0 00000000 8012b31c 8012b2e0 000001bf 8012e780 8012e780
        00000000 8012e6c4 00000000 00000000 00000000 00000000 00000000 00000000
        00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
        00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
        00000000 00000000 00000000 80005454 10008403 00000000 00000000 00000000
        ...
Call Trace:
[<8012f900>] ar531x_init_reset+0x28/0x5c
[<8012e780>] kernel_init+0xbc/0x328
[<80005454>] kernel_thread_helper+0x10/0x18


Code: 3c038014  ac652074  ac442078 <94a40050> 3c078011  3c058000  24840030  24a51c90  24e72a24
Kernel panic - not syncing: Attempted to kill init!

It seems that the flash does not contain atheros board config... i downloaded the whole 2MB flash and searched for the pattern 0x35333131 but found nothing, so i made an ugly hack and modified arch/mips/atheros/board.c and added a static board config, similar to the one here:
http://wiki.openwrt.org/WingedUnicorn

I also modified spiflash.c and added 5 static partitions.
Now everything works, except the wireless interface :(

wlan: trunk
ath_hal: module license 'Proprietary' taints kernel.
ath_hal: 0.9.30.13 (AR5212, AR5312, RF2316, TX_DESC_SWAP)
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk)
ath_rate_minstrel: look around rate set to 10%
ath_rate_minstrel: EWMA rolloff level set to 75%
ath_rate_minstrel: max segment size in the mrr set to 6000 us
wlan: mac acl policy registered
ath_ahb: trunk
MadWifi: unable to attach hardware: 'EEPROM checksum invalid' (HAL status 7)

Since the Atheros HAL is not open source, i can't make a radio config structure the way i made the board config.
I tried to find radio config in the "Params Area" partition of the flash, but the whole partition is filled with 0xff bytes, except a small part of about 60 bytes which contain information for the bootloader. Maybe I missed something.

Is there any way i can make my wireless interfaces work?
BTW i heard that board config has gone missing in almost all ar2316 devices, but radio config is present in some of them. I'd be grateful if someone could send me his/her "params area" flash partition (i think D-Link DI624 has radio params in its flash ROM)

Thank you for your effort.

(Last edited by zinbatsu on 28 Apr 2008, 23:45)
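
An added example, not part of the original posts or of OpenWrt's code: a Python sketch of the flash search described in the post above. It scans a raw dump for the board-config pattern 0x35333131 in both byte orders and reports which erase blocks are blank (all 0xFF). The 64 KB block size, the "sparse" cut-off, the function names and the sample image are assumptions constructed for illustration.

```python
import struct

BOARD_MAGIC = 0x35333131      # pattern named in the post (ASCII "5311")
ERASE_BLOCK = 64 * 1024       # assumed erase-block size; set it for your chip
SPARSE_LIMIT = 256            # assumed cut-off for "nearly empty" blocks


def find_magic(image, magic=BOARD_MAGIC, block=ERASE_BLOCK):
    """Return sorted (offset, byte_order, block_index, offset_in_block) hits.

    Both byte orders are tried because a dump tool or word-wise hex viewer
    may present the flash contents byte-swapped.
    """
    hits = []
    for order, fmt in (("big", ">I"), ("little", "<I")):
        needle = struct.pack(fmt, magic)
        pos = image.find(needle)
        while pos != -1:
            hits.append((pos, order, pos // block, pos % block))
            pos = image.find(needle, pos + 1)
    return sorted(hits)


def block_summary(image, block=ERASE_BLOCK):
    """Map 'erased' / 'sparse' / 'data' to the list of block indices."""
    kinds = {"erased": [], "sparse": [], "data": []}
    for index, off in enumerate(range(0, len(image), block)):
        chunk = image[off:off + block]
        used = len(chunk) - chunk.count(0xFF)   # bytes that are not erased
        if used == 0:
            kinds["erased"].append(index)
        elif used < SPARSE_LIMIT:
            kinds["sparse"].append(index)
        else:
            kinds["data"].append(index)
    return kinds


def make_sample_image():
    """Constructed 2 MB image: code in block 0, about 60 bytes of loader
    parameters in block 30, a board-config magic at the last block."""
    img = bytearray(b"\xff" * (2 * 1024 * 1024))
    img[0:4096] = bytes(range(256)) * 16
    img[30 * ERASE_BLOCK:30 * ERASE_BLOCK + 60] = b"\x01" * 60
    last = 31 * ERASE_BLOCK
    img[last:last + 4] = struct.pack(">I", BOARD_MAGIC)
    return bytes(img)


if __name__ == "__main__":
    image = make_sample_image()   # or: open("flash.bin", "rb").read()
    for off, order, blk, rel in find_magic(image):
        print(f"magic at 0x{off:06x} ({order}-endian), block {blk} +0x{rel:x}")
    for kind, blocks in block_summary(image).items():
        print(f"{kind:7s}: {len(blocks)} block(s) {blocks[:8]}")
```

An empty result from `find_magic` on a real dump, together with a "sparse" parameter block, matches the situation the post describes: the loader's own parameters are present but no board-config record exists to parse.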

I have a similar problem with the wireless configuration.
How did you resolve it?

I am getting 'EEPROM version invalid' (HAL status 5)

(Last edited by yoonix on 27 Jun 2008, 20:28)

As a matter of fact I'm still looking for a fix... however i didn't check the output of ath_info so i'll give it a try. After all i didn't change anything in the madwifi code, only board config & MTD partitions, the wireless config pointer in the kernel was initially NULL, which caused kernel panic so I allocated a 0x100 bytes buffer and filled it with zeroes.
This is how i got the 'EEPROM checksum invalid' error. Now i have a lot of free time (end of final exams etc.) so i'll probably compile a new kernel from trunk, patch it and check if anything changed (saw a few atheros-related fixes in the changelog).

Your board doesn't use RedBoot, so the board config is probably in VxWorks format. When you flash RedBoot to such a board, it modifies/moves the board data to the format the Linux drivers use, too.

thanks for the info :)
i'll try putting RedBoot on it then

GOOD NEWS!!

I got the wifi0 created in /proc/sys/dev/.
It is not fully configured. But ath_ahb gets loaded without any error!

I loaded DDWRT Redboot for WR430W onto my modded WBR1310 (DI614 or something). After that I issued command "bdrestore". That wiped out my fis info but created the last sector with somewhat proper configuration. I issued a bunch of fis commands to recreate the fis directory.

After that voila my wifi device was loaded without any error.

I am cutting and pasting my binary file (first so many bytes of the last sector) because I don't know how to include files on this forum. If you need the binary configuration file let me know.



Let me know how things work out for you!

(Last edited by yoonix on 24 Jun 2008, 19:10)

hmm... uploaded RedBoot (ap61.rom) to the flash via the original bootloader (effectively overwriting it), but it doesn't seem to work :(

when i power on the router it sends a few characters of garbage on serial port, and that's all (baudrate 38400 [default], parity none, databits 8, stopbits 1, that's the default RedBoot config if i remember well; tried other configurations as well, but no luck so far). ethernet ports don't get initialised so telnet is not an option.
i'll build a simple unbuffered jtag cable tomorrow and see if i can get it to work.

thanks for the help :)

unfortunately, the serial output is still not readable on 9600 baud (tried all possible baudrates and played a bit with parity and databits, no success)

i'll buy the required stuff tomorrow (both for buffered and unbuffered cables)

no problem :)

There's a 14-pin connector-like thing that seems to be the JTAG connector. I measured some voltages, seems to be a standard 2.5 EJTAG connector, which makes the job a lot easier.

doesn't seem to work :(

connected the unbuffered EJTAG cable, powered on router, tried to probe flash
it says

Probing bus ... Done

Instruction Length set to 4

CPU Chip ID: 11111111111111111111111111111111 (FFFFFF)
*** Unknown or NO CPU Chip ID Detected ***

BTW Is it normal that all the pins on the board which are actually connected (GND, TDI, TDO, TMS, TCK, TRST_N) except SRST_N have -3.3V present?

This is how i connected them:

 (-3.3v present) TRST_N | GND  <-> Parport 18-25
 Parport 2   <->    TDI | GND  <-> Parport 18-25
 Parport 13  <->    TDO | GND  <-> Parport 18-25
 Parport 4   <->    TMS | GND  <-> Parport 18-25
 Parport 3   <->    TCK | GND  <-> Parport 18-25
 (connected)     SRST_N | ??? (unused)
 (unused)          DINT | VCC (+3.3v present)

(i used 100 ohm resistors everywhere except for GND pins)

Before bootloader was overwritten, i checked the SRST_N pin and it actually restarted the bootloader (so it worked).

Another idea popped in my head ...
what happens if an exception occurs and no handler is installed, or another exception occurs while processing the exception on MIPS? (x86 CPUs usually halt)
does EJTAG work if the processor is in halted state? (if such a state exists)

(Last edited by zinbatsu on 25 Jun 2008, 17:11)

When you program the flash using EJTAG, the processor actually goes to debug state and you are already at the exception state.

There is a way to disable additional exceptions as well by writing different status to your JTAG controller register.

You can go to the MIPS site and register to get the full documentation. I did add a new function that comes out of exception and resets. I got most of the information from one of the MIPS documents that's circulating on the internet.

The reason I liked the tjtag code was it's quite simple. It's pretty much a single source file.
You can easily track down to the section where you want to make mods.

the pinout i posted and the cable i use is the Xilinx one. I'll go and check out the documentation maybe it helps :)

Yup that looks correct actually.... Try to ground the TRST_N? I am not sure.

There is already -3.3V present on TRST_N so grounding it won't affect anything :(
That's my main problem, that it simply shouldn't be there, it should be 0V in theory.

it's about 10 cm
however, i grounded the TRST_N pin and now there is 0V on TDI, TDO, TMS and TCK, now it says CPU Chip ID: 00000000000000000000000000000000 (000000), and still not working sad

maybe just 1k ohm resistor and ground TRST_N? Hmm.. in theory it should be okay for the hardware.
you didn't short to ground did you? that may bring other pins to ground as well.. potentially.

(Last edited by yoonix on 25 Jun 2008, 19:14)

ofc not... i found something weird again... after grounding TRST_N, +3.3V is present on SRST_N pin :o

I got it to work!
Connected TRST_N to VCC instead of GND, and it works!

CPU Chip ID: 0000000000000000000000000000001 (00000001)
*** Found a Atheros A531X/231X CPU Chip ***

It is now probing the flash :)

VENDID-B 0x00000020
DEVID-B 0x00002015
-> 2 MB flash, 64 kbyte blocks

Now i'll make a backup and see if it really contains RedBoot

(Last edited by zinbatsu on 25 Jun 2008, 20:06)

Awesome!!!

Look at my read me file. You have to add the chip support for it.

Then you should be able to program redboot onto it.

Good luck.

You might want to consider installing wbr1310 redboot. It uses only 2 blocks.
The ddwrt one uses 3 blocks of your flash.

But if you have jtag you can pretty much flash anything you want.. It's good news... How long did it take you? It took me forever to get that jtag working. I am not much of a hardware person.

(Last edited by yoonix on 25 Jun 2008, 20:43)

Thanks for the help :)

Added to the chip list and backup is now running. Initial binary comparison shows that the image at the start of the flash is indeed RedBoot (exact match), so RedBoot image is intact.  hmm.....

    { 0x0020, 0x2015, size2MB, CMD_TYPE_SPI, "ST 25P16V6P                (2MB)"   ,32,size64K,   0,0,    0,0,  0,0 },

Anyway, if it won't work I'll copy the bootloader from the other router to this one.

Ya I also realized that you are using 2316. I was using 2317. At least now we know how to use spi bus with flash chips over the jtag. It was lacking in OpenWrt.  Now we have an easier dirtyhairy code for all spi chips instead of that ejtag code. I looked at ejtag stuff, it was impossible to debug or find out where i want to change.

Another thing now you have jtag working. You can even pick up a 5$ flash chip from digikey and get up to 4meg or 8meg. I actually don't recommend 8meg..

The flash addresses have to change with 8meg and it becomes a pain in the neck to double check the kernel and redboot code to support 8meg.

(Last edited by yoonix on 25 Jun 2008, 21:06)

Well, the one i'm currently experimenting with is an ar2317 one. I couldn't find the EJTAG port for the 2316, and I won't risk uploading a new bootloader till i find it :)

Anyway, I'll reflash redboot and probably upload NVRAM and see if it works

Well after this one is working, can you try and see if you can use tjtagspi on 2316 just program like the middle of the block using custom flag.. so you can get your kernel back.

Just to see if it works or not.

Hmm if it's ar2317 i am not sure why it didn't boot up.. strange..

AH it is possible that the bootloader needs your flash chip support as well.  I know you can download ddwrt redboot source code but I couldn't compile it.. If you try like svn co on ddwrt it takes pretty much over 5 hours getting every different flavour of kernel source code.

(Last edited by yoonix on 25 Jun 2008, 21:24)

Err... i bricked the 2317 one, the 2316 still has the original bootloader and firmware, the bootloader allows me to upload the kernel into memory, so i won't screw up the flash (and that router is in use atm), however to access the bootloader one still needs a serial console and a rs232-ttl converter. For me, both devices have pretty much the same loader, Arcadyan-BRN mixed stuff.

I'll build a RedBoot from dd-wrt trunk if it works :)

I'll create a page for it on the wiki if i can make it work ...

(Last edited by zinbatsu on 25 Jun 2008, 21:41)
