Hacking on the Linksys WRT55AG v2

Update 2008-January-20
I have taken a renewed interest in hacking these routers, and will be taking another stab at rebuilding the firmware based on the latest source code available in the OpenWRT project's repositories.  I've given away most of my other routers to friends and family who either needed quick replacements for their dead Internet Routers, or needed something that operated in "Wireless Bridge Mode".

Thus, with all of my "Good" routers spoken for, I'm a whole lot more motivated to get some of these unused WRT55AG routers back into service.

OpenWRT Kamikaze Compilation Notes

  • make menuconfig, select Atheros AR531x as board type.
  • Select Busybox and Package Options as desired.
  • It's a good idea to compile lrzsz so that files can be exchanged over the serial port if needed.
  • Upgrade MadWifi Driver to madwifi-ng-r1456-20060225.tar.gz
    • Adjust the filename in target/linux/package/madwifi/Makefile
    • Adjust the MD5 sum, which is 27ccc5ba2e463fd8bee6da74d717731d
    • While you're in there, add this line to the Makefile:
      • ATH_SUPERG_FF := y
    • Remove target/linux/package/madwifi/patches/103-*.patch -- it's already applied in this newer version.
    • Edit target/linux/package/madwifi/patches/100-*.patch -- remove all occurrences of "-mips32" -- it conflicts with a "-mips3" CPU flag whose origin I've yet to figure out.
  • Edit the top-level .config file and change all occurrences of "mipsel" to "mips". (Only in the Busybox Cross-Compiler prefix; and even then, I'm not sure if it really helps)
  • Create Directory: target/linux/image/ar531x
    • mkdir target/linux/image/ar531x
    • cp -apf target/linux/image/brcm target/linux/image/ar531x
    • (Yes, I know it'll create unusable (*.trx) files -- we just want the damn thing to compile right now..)
  • Edit the AR531x Kernel Configuration File: target/linux/ar531x-2.4/config
    • Change the line "CONFIG_BLK_DEV_RAM_SIZE=3072" to "CONFIG_BLK_DEV_RAM_SIZE=4096" (or whatever bigger size floats your boat)
    • Change the line "CONFIG_EXT2_FS=m" to "CONFIG_EXT2_FS=y" -- we need this for now to boot into the kernel-embedded ramdisk

Now, do a "make V=99 | tee BuildLog-01". Go ahead and enjoy a Coke and play with the kids for a while. When you come back, you'll see it barfed with "no rule to make ramdisk.gz". I just created a new ext2 image and copied build_mips/root/* into it. This is approximately what I did (this is coming from memory, about a day later) :

  • dd if=/dev/zero of=ramdisk bs=1M count=4
  • mkfs.ext2 -F ramdisk
  • mount -o loop ramdisk /mnt
  • cp -apf build_mips/root/* /mnt
  • umount /mnt
  • gzip -9 ramdisk
  • mv ramdisk.gz <directory_where_barf_happened>

Then re-run make: "make V=99 | tee BuildLog-02"

That *should* be the only major stumbling block; after that, everything compiles. Now we have a whole bunch of output in the bin directory, all of which is *UNUSABLE* because the files are not ELF files. (Nor are they *.FIM files needed to upgrade the firmware using the built-in functionality -- we'll figure something out for that later).

To determine the correct file to place into your tftp directory, I did this:

  • find -name "vmlinu*" -exec file {} \;

Look for the one that says it's an ELF file (MIPS), and copy it to the TFTP root directory. Now you can fire up the router, and it should load up this new Kernel with the OpenWRT root. Enjoy!
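
A header-level version of the `file` check above, as an added example that is not part of the original notes: it reads the ELF header directly and accepts only a 32-bit big-endian MIPS executable. The big-endian requirement (inferred from the mipsel-to-mips change and the build_mips directory), the entry-address range rule, and the sample file names are assumptions of this example.

```shell
#!/bin/sh
# Added example: vet a kernel image before it goes into the TFTP root.
# The sample files written below are constructed headers, not real kernels.

# hdr_hex FILE -> the 52-byte ELF32 header as one lowercase hex string
hdr_hex() {
    od -An -v -tx1 -N52 "$1" | tr -d ' \n'
}

# field HEX OFFSET LEN ORDER -> LEN bytes at byte OFFSET, as big-endian hex.
# ORDER is "be" or "le"; little-endian values are byte-swapped for comparison.
field() {
    f_start=$(( $2 * 2 + 1 ))
    f_end=$(( ($2 + $3) * 2 ))
    f_raw=$(printf '%s\n' "$1" | cut -c "${f_start}-${f_end}")
    if [ "$4" = le ] && [ "$3" -eq 2 ]; then
        echo "$f_raw" | sed 's/\(..\)\(..\)/\2\1/'
    elif [ "$4" = le ] && [ "$3" -eq 4 ]; then
        echo "$f_raw" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/'
    else
        echo "$f_raw"
    fi
}

# check_kernel_elf FILE -> prints a verdict; returns 0 only for an image
# that is ELF32, big-endian, EM_MIPS (8), ET_EXEC (2), with a kseg0/kseg1 entry.
check_kernel_elf() {
    k_hdr=$(hdr_hex "$1")
    k_name=${1##*/}
    if [ "$(field "$k_hdr" 0 4 be)" != 7f454c46 ]; then
        echo "$k_name: REJECT: no ELF magic (raw, .trx or compressed image?)"
        return 1
    fi
    if [ "$(field "$k_hdr" 4 1 be)" != 01 ]; then
        echo "$k_name: REJECT: not a 32-bit ELF"
        return 1
    fi
    case $(field "$k_hdr" 5 1 be) in
        02) k_order=be ;;
        01) k_order=le ;;
        *)  echo "$k_name: REJECT: invalid EI_DATA byte"; return 1 ;;
    esac
    k_type=$(field "$k_hdr" 16 2 "$k_order")
    k_mach=$(field "$k_hdr" 18 2 "$k_order")
    k_entry=$(field "$k_hdr" 24 4 "$k_order")
    if [ "$k_mach" != 0008 ]; then
        echo "$k_name: REJECT: e_machine 0x$k_mach is not MIPS"
        return 1
    fi
    if [ "$k_order" != be ]; then
        # Assumption of this example: the AR531x build must be big-endian.
        echo "$k_name: REJECT: little-endian (mipsel) MIPS ELF"
        return 1
    fi
    if [ "$k_type" != 0002 ]; then
        echo "$k_name: REJECT: e_type 0x$k_type is not an executable"
        return 1
    fi
    case $k_entry in
        [89ab]*) ;;   # 0x80000000-0xbfffffff, like "Starting at 0x80142040"
        *) echo "$k_name: REJECT: entry 0x$k_entry outside kseg0/kseg1"
           return 1 ;;
    esac
    echo "$k_name: OK: ELF32 big-endian MIPS executable, entry 0x$k_entry"
}

zeros24() { dd if=/dev/zero bs=24 count=1 2>/dev/null; }

# write_samples DIR -> three constructed test files (hypothetical names)
write_samples() {
    {   # big-endian MIPS executable, entry 0x80142040
        printf '\177ELF\001\002\001\000\000\000\000\000\000\000\000\000'
        printf '\000\002\000\010\000\000\000\001\200\024\040\100'
        zeros24
    } > "$1/vmlinux-be"
    {   # same header fields, little-endian (what a mipsel toolchain emits)
        printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000'
        printf '\002\000\010\000\001\000\000\000\100\040\024\200'
        zeros24
    } > "$1/vmlinux-le"
    {   # TRX-style container: starts with "HDR0", not an ELF header
        printf 'HDR0'
        zeros24
    } > "$1/openwrt.trx"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for demo_file in "$demo_dir"/*; do
    check_kernel_elf "$demo_file" || true
done
rm -rf "$demo_dir"
```

To vet real build output, call `check_kernel_elf` on each file that `find` returns and copy only the one it accepts.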

Booting the DeviceScape Kernel for Netgear WGT624

Verdict:  YES, it boots, but NO, the Atheros support doesn't seem to work.

YAY! Thanks soo much to malfi for giving me the heads-up on booting a DeviceScape Linux Kernel on the Netgear WGT624. It's a huge breakthrough with the VxWorks bootloader as well as getting a Linux kernel to load! Now that the proof-of-concept has been done, (and now that I know how to interrupt VxWorks and tell it how to boot from TFTP.. *duh*), a lot more serious effort can be made at getting an Atheros port of OpenWRT running.

A session with this Linux Kernel is below. 'Sure is nice that this kernel recognized both Wireless Devices right off the bat.  I guess it could work with some configuration tweaking...

R&D to Upgrade the WRT55AGv2 to 128-Megabytes

What's known about the WRT55AG v2 is that it uses the G-LINK GLT5640L16-6TC, which is a 4Mx16 (probably more like a 1M x 16bit x 4bank) SDRAM in a 54-pin TSOP. Needless to say, that sucks. Following some threads in the OpenWRT Forums, I notice that people have upgraded other Linksys WRT54G models to 32 Megs (up from 16 or less) by swapping the onboard 66-pin TSOP. The appropriate 66-pin chip can be salvaged from a common DDR (2700 or 3300) SODIMM. Sourcing an appropriate 54-pin TSOP for these WRT55AG v2 routers is a bit of a problem at the moment.

In theory, to get 128 Megabytes on this router, you need to replace the existing 4Mx16 chips with a pair of 32Mx16 (512-MegaBit) chips. One show-stopping problem to investigate: the higher-capacity chips define A12, which is "No-Connect" on the original chip. I'll have to Ohm the trace out to see if it's connected to anything on or near the CPU. If A12 isn't connected, there's really no point in exploring any RAM upgrades on these routers.

From this cross-reference page, it looks like the appropriate chips to upgrade this router to 128Megs of RAM would be one of these 32Mx16 form-factor chips:

Elpida EDS5116ABTA
Elpida HM5257165B
Samsung K4S511632M
Micron MT48LC32M16A2
Infineon HYB39S5121600

I started fiddling with replacing the RAM chips.  My hardware hacking blog-notes follow:

Hardware Hacking Notes

Alright, the chips arrived, and I have a new guinea pig to work on. 'Gonna have to extract the new machine's flash contents and do a comparative analysis.. and then do the RAM upgrade. If all goes well, then MAYBE I'll have more enthusiasm for these routers...

Older News

Bummer, the RAM chips didn't arrive in time for this weekend's hacking session. 'Guess that'll wait 'til next weekend. :-(

Older News

Found a link to a very compelling Skype Handset that uses Bluetooth, connected via USB. 'Wonder what it'll take to hack up an ASUS WL-500G Deluxe to drive one of these? :-)

Older News

Aha, someone has a patch to bring Ruby to OpenWRT. Sweeeet! So, now I can run Ruby on Rails under lightTPD on a 128-Meg Router. :o) :o) :o) Now THAT would be interesting. Maybe enough to get my 15 seconds of fame on Slashdot or Digg? ;-)

Also started looking into a replacement for the onboard flash chip. I found the 8Meg version by SST here - link. I'm sure I can cross-ref it later on and find something a little more consumer-friendly. Standard JEDEC 16-bit pinouts, so we'll see. Would be great to find a 32Meg or 64Meg Flash Chip to drop in there. :-D

Older News

I finally got the WRT55AG v2 to run the OpenWRT Kamikaze -- see below. It runs with a kernel-embedded ramdisk for now. The MadWifi drivers aren't running yet, but I managed to snarf a copy of the flash using Xmodem over the serial-line.

I'm taking a short break from the Linux Kernel stuff - I have the RAM chips on the way, and will be focusing my next weekend's attention on upgrading the RAM on this router to 128 Megs. For any of you following along with this page, though, here's my kernel-building procedure. The TFTP instructions and VxWorks notes are well documented on the WGT624 Wiki page. If you come up with any great patches or tweaks, PLEASE feel free to post-comment at the bottom of this page! Thanks!

I expect to have OpenWRT fully operational (i.e. MadWifi and the Switch hardware can be configured) on these routers within the next 4 to 6 weeks. Let's see how well Murphy's Law plays into this timeline, though. ;-)

Keep in mind, for this project I'm still a "code butcher", and most of what I'm doing probably will not make it back into the OpenWRT Kamikaze code base without some help. I'm an OpenWRT amateur at best -- I really don't want to pee in someone else's pool by submitting fugly hack-patches. ("Been there, done that" on other projects, and have been flamed enough to invest in an Asbestos Suit.. ;-) )

So, I'm hoping to relay enough information on these pages so that an OpenWRT Guru will be able to take my handful of tweaks and adjust the Kamikaze code base in a way that everyone's happy with. And if the OpenWRT Gurus step up and complete the Atheros Port before I do, then so much the better -- I'm really more interested in the hardware hacking on these devices and would prefer to focus my attention on upgrading SDRAMs and Flashes to make the wimpy/cheap models much more interesting to work with.

LogFiles of Various Working Kernels

 

DeviceScape Kernel running on WRT55AG v2

ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED


Atheros AR5001AP default version 4.0.0.2
Bootloader version 1.00


 1

oot]:
[Boot]: ?

 ?                     - print this list
 @                     - boot (load and go)
 p                     - print boot params
 c                     - change boot params
 e                     - print fatal exception
 v                     - print version
 B                     - change board data
 S                     - show board data
 n netif               - print network interface device address
 $dev(0,procnum)host:/file h=# e=# b=# g=# u=usr [pw=passwd] f=#
                           tn=targetname s=script o=other
 boot device: tffs=drive,removable     file name: /tffs0/vxWorks
 Boot flags:
   0x02  - load local system symbols
   0x04  - don't autoboot
   0x08  - quick autoboot (no countdown)
   0x20  - disable login security
   0x40  - use bootp to get boot parameters
   0x80  - use tftp to get boot image
   0x100 - use proxy arp

available boot devices:Enhanced Network Devices
 ae0 ae1 tffs
[Boot]: p

boot device          : ae
unit number          : 0
processor number     : 0
host name            : 192.168.1.101
file name            : /vmlinux
inet on ethernet (e) : 192.168.1.1:0xffffff00
host inet (h)        : 192.168.1.101
flags (f)            : 0x80
other (o)            : ae

[Boot]: @
Attached TCP/IP interface to ae0.
Attaching network interface lo0... done.
Loading... 1298312 + 725392
Starting at 0x80142040...

<4>CPU revision is: 00018009
<4>Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.
<4>Primary data cache 16kB 4-way, linesize 16 bytes.
<4>Linux version 2.4.25 (malte@duron) (gcc version 2.96-mips3264-000710) #7 Sat Sep 3 19:19:29 CEST 2005
<4>Determined physical RAM map:
<4> memory: 01000000 @ 00000000 (usable)
<4>Initial ramdisk at: 0x80169000 (389120 bytes)
<4>On node 0 totalpages: 4096
<4>zone(0): 4096 pages.
<4>zone(1): 0 pages.
<4>zone(2): 0 pages.
<4>Kernel command line: console=ttyS0,9600
<4>Using 110.000 MHz high precision timer.
<4>Calibrating delay loop... 219.54 BogoMIPS
<6>Memory: 14204k/16384k available (1267k kernel code, 2180k reserved, 464k data, 64k init, 0k highmem)
<6>Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
<6>Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
<6>Mount cache hash table entries: 512 (order: 0, 4096 bytes)
<6>Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
<4>Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
<4>Checking for 'wait' instruction...  available.
<4>POSIX conformance testing by UNIFIX
<6>Linux NET4.0 for Linux 2.4
<6>Based upon Swansea University Computer Society NET3.039
<4>Initializing RT netlink socket
<4>Starting kswapd
<5>JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB.
<7>Allocated 399036 bytes for deflate workspace
<7>Allocated 46912 bytes for inflate workspace
<6>Serial driver version 5.05c (2001-07-08) with no serial options enabled
<6>ttyS00 at 0xbc000003 (irq = 37) is a 16550A
<6>Generic MIPS RTC Driver v1.0
<4>RAMDISK driver initialized: 16 RAM disks of 3072K size 1024 blocksize
<5>physmap flash device: 200000 at be000000
<5> Amd/Fujitsu Extended Query Table v1.1 at 0x0040
<5>number of CFI chips: 1
<5>cfi_cmdset_0002: Disabling fast programming due to code brokenness.
<5>Using physmap partition definition
<5>Creating 1 MTD partitions on "Physically mapped flash":
<5>0x000f0000-0x001d0000 : "rootfs"
<6>NET4: Linux TCP/IP 1.0 for NET4.0
<6>IP Protocols: ICMP, UDP, TCP, IGMP
<6>IP: routing cache hash table of 512 buckets, 4Kbytes
<6>TCP: Hash tables configured (established 1024 bind 2048)
<6>NET4: Ethernet Bridge 008 for NET4.0
<5>RAMDISK: Compressed image found at block 0
<6>Freeing initrd memory: 380k freed
<4>VFS: Mounted root (ext2 filesystem) readonly.
<4>Algorithmics/MIPS FPU Emulator v1.5reed
init started:  BusyBox v1.00-pre10 (2004.06.09-17:51+0000) multi-call binary
<6>wlan: 0.7.3.1 BETA
Starting pid 10, console /dev/console: '/etc/rc.<6>ath_hal: 0.9.9.2
d/rcS'
Load MADWiFi wlan module
Using ../../li<6>ath_pci: 0.8.5.5 BETA
<4>macVersion = 4, macRev = 2
b/modules/2.4.25<4>Setup queue (0) for WME_AC_BK
<4>Setup queue (1) for WME_AC_BE
<4>Setup queue (2) for WME_AC_VI
<4>Setup queue (3) for WME_AC_VO
<3>ath0: mac 4.2 phy 4.2 5ghz radio 3.6
<4>ath0: 11a rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
<4>ath0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
<4>ath0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
<4>ath0: turbo rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
<4>ath0: 802.11 address: 00:12:17:6d:10:3d
<6>ath0: Atheros 5312 WiSoC: mem=0xb8000000, irq=2
<4>macVersion = 4, macRev = 2
/net/wlan.o
Loa<4>Setup queue (0) for WME_AC_BK
<4>Setup queue (1) for WME_AC_BE
<4>Setup queue (2) for WME_AC_VI
<4>Setup queue (3) for WME_AC_VO
<3>ath1: mac 4.2 phy 4.2 5ghz radio 4.6
<4>ath1: 11a rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
<4>ath1: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
<4>ath1: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
<4>ath1: turbo rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
<4>ath1: 802.11 address: 00:12:17:6d:10:3e
<6>ath1: Atheros 5312 WiSoC: mem=0xb8500000, irq=5
d MADWiFi Atheros HAL module
Using ../../lib/modules/2.4.25/net/ath_hal.o
Warning: loading ath_hal will taint the kernel: non-GPL license - Proprietary
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Load MADWiFi Atheros Driver module
Using ../../lib/modules/2.4.25/net/ath_lbus.o
Starting pid 19, console /dev/console: '/bin/sh'


BusyBox v1.00-pre10 (2004.06.09-17:51+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

#

Kamikaze Kernel running on WRT55AG v2

ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED


Atheros AR5001AP default version 4.0.0.2
Bootloader version 1.00


 0
auto-booting...

Attached TCP/IP interface to ae0.
Attaching network interface lo0... done.
Loading... 1558080 + 1426624
Starting at 0x80182040...

<4>CPU revision is: 00018009
<4>Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.
<4>Primary data cache 16kB, 4-way, linesize 16 bytes.
<4>Linux version 2.4.32 (root@ufo.lalee.net) (gcc version 3.4.5 (OpenWrt-2.0)) #3 Sun Feb 26 18:22:40 HST 2006
<4>Determined physical RAM map:
<4> memory: 01000000 @ 00000000 (usable)
<4>Initial ramdisk at: 0x801af000 (983040 bytes)
<4>On node 0 totalpages: 4096
<4>zone(0): 4096 pages.
<4>zone(1): 0 pages.
<4>zone(2): 0 pages.
<4>Kernel command line: console=ttyS0,9600
<4>Using 110.000 MHz high precision timer.
<4>Calibrating delay loop... 219.54 BogoMIPS
<6>Memory: 13264k/16384k available (1521k kernel code, 3120k reserved, 1052k data, 80k init, 0k highmem)
<6>Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
<6>Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
<6>Mount cache hash table entries: 512 (order: 0, 4096 bytes)
<6>Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
<4>Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
<4>Checking for 'wait' instruction...  available.
<4>POSIX conformance testing by UNIFIX
<6>Linux NET4.0 for Linux 2.4
<6>Based upon Swansea University Computer Society NET3.039
<4>Initializing RT netlink socket
<4>Starting kswapd
<6>devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
<6>devfs: boot_options: 0x1
<5>JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB.
<6>Squashfs 2.2 (released 2005/07/03) (C) 2002-2004, 2005 Phillip Lougher
<4>pty: 256 Unix98 ptys configured
<6>Serial driver version 5.05c (2001-07-08) with no serial options enabled
<6>ttyS00 at 0xbc000003 (irq = 37) is a 16550A
<4>RAMDISK driver initialized: 16 RAM disks of 3072K size 1024 blocksize
<5>physmap flash device: 400000 at be000000
<5> Amd/Fujitsu Extended Query Table v1.1 at 0x0040
<5>number of CFI chips: 1
<5>cfi_cmdset_0002: Disabling fast programming due to code brokenness.
<5>No RedBoot partition table detected in Physically mapped flash
<6>Initializing Cryptographic API
<6>NET4: Linux TCP/IP 1.0 for NET4.0
<6>IP Protocols: ICMP, UDP, TCP, IGMP
<6>IP: routing cache hash table of 512 buckets, 4Kbytes
<6>TCP: Hash tables configured (established 1024 bind 2048)
<4>ip_conntrack version 2.1 (5953 buckets, 5953 max) - 360 bytes per conntrack
<4>ip_tables: (C) 2000-2002 Netfilter core team
<6>NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
<6>NET4: Ethernet Bridge 008 for NET4.0
<6>802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
<6>All bugs added by David S. Miller <davem@redhat.com>
<5>RAMDISK: Compressed image found at block 0
<6>Freeing initrd memory: 960k freed
<4>VFS: Mounted root (ext2 filesystem) readonly.
<6>Mounted devfs on /dev
init started:  BusyBox v1.1.0 (2006.02.27-03:56+0000) multi-call binary
<4>Algorithmics/MIPS FPU Emulator v1.5

Please press Enter to activate this console. <3>kmod: failed to exec /sbin/modprobe -s -k net-pf-10, errno = 2
<6>device eth0 entered promiscuous mode



BusyBox v1.1.0 (2006.02.27-03:56+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r3276) -------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@(none):/#

Older Progress Notes

My older notes on the WRT55AGv2 are archived here. Thanks!

Comments and Feedback

Comment by lalee on Tue 21 Feb 2006 04:53:13 PM PST

Note to self: Some documents would have you manually tie pin 1 (TRST*) to pin 14 (VCC) through a 100-Ohm resistor. (Reference)

Comment by malfi on Wed 22 Feb 2006 07:29:18 PM PST

hi, I (malfi) figured out how to boot linux on a wgt624, please have a look at: http://wiki.openwrt.org/OpenWrtDocs/Hardware/Netgear/WGT624

kaloz@openwrt managed to boot the linux kernel image http://home.fhtw-berlin.de/~s0502837/wgt624/vmlinux on his wrt55ag

Comment by lalee on Thu 23 Feb 2006 01:04:25 AM PST

malfi,

I'll be damned, it works! It's exactly the breakthrough I was looking for. Thanks! :-D

Comment by lalee on Sat 11 Mar 2006 06:07:14 PM PST

With No RAM Installed, you get these:

ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED
NMI (watchdog): ErrorPC: 0xbfc00614
      epc: 0xfe7ffe7f bva: 0xbfc0bfc0 sr:  0xfe7ffe7f cse: 0xbfc0bfc0
  R0: r0:  0x00000000 at:  0xbfc0bfc0 v0:  0xbfc0bfc0 v1:  0xbfc0bfc0
  R4: a0:  0xbfc0bfc0 a1:  0xbfc0bfc0 a2:  0xbfc0bfc0 a3:  0xbfc0bfc0
  R8: t0:  0xbfc0bfc0 t1:  0xbfc0bfc0 t2:  0xbfc0bfc0 t3:  0xbfc0bfc0
 R12: t4:  0xbfc0bfc0 t5:  0xbfc0bfc0 t6:  0xbfc0bfc0 t7:  0xbfc0bfc0
 R16: s0:  0xbfc0bfc0 s1:  0xbfc0bfc0 s2:  0xbfc0bfc0 s3:  0xbfc0bfc0
 R20: s4:  0xbfc0bfc0 s5:  0xbfc0bfc0 s6:  0xbfc0bfc0 s7:  0xbfc0bfc0
 R24: t8:  0xffffffff t9:  0xfffcffff k0:  0x00000000 k1:  0x00000000
 R28: gp:  0xbfc0bfc0 sp:  0xbfc0bfc0 fp:  0xbfc0bfc0 ra:  0xbfc0bfc0


trying NMI callback: 0xbfc0bfc0
sysConsoleDump: type 0x00000380
      epc: 0x80018001 bva: 0xffff9fe0 sr:  0x10400002 cse: 0x10800008
  R0: r0:  0x00000000 at:  0xbfc00000 v0:  0x10800010 v1:  0x800169d0
  R4: a0:  0xbfc00614 a1:  0x8000ff38 a2:  0xbfc00b50 a3:  0xa8000000
  R8: t0:  0x00000040 t1:  0x00000020 t2:  0xfffffffc t3:  0x00000030
 R12: t4:  0x00000020 t5:  0x00080000 t6:  0x00023000 t7:  0xfe7ffdff
 R16: s0:  0xbfc0bfc0 s1:  0x00000002 s2:  0xfddfffff s3:  0xfffff7ff
 R20: s4:  0xffffffff s5:  0xfffffffe s6:  0xfffbff7f s7:  0xfe7fffff
 R24: t8:  0xffffffff t9:  0xfffcffff k0:  0x00000000 k1:  0x00000000
 R28: gp:  0x80057900 sp:  0x8000ff38 fp:  0xffffffff ra:  0xbfc01898




Comment by andrea@dbcsrl.it on Mon May 8 05:20:11 2006

Hi, I'm Andrea. I've bought a new WRT55AG and built my own serial cable, but I can't stop the bootloader. Can someone help me? I've tried with minicom, but after boot "login" doesn't appear, and it is impossible to send ESC at boot time. I attach my WRT55AG, thanks a lot :)

ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED


Atheros AR5001AP default version 4.0.0.140
Bootloader version 1.03


 0
auto-booting...

Attaching to TFFS... done.
Loading /fl/APIMG1...1470912
Starting at 0x804846e0...

/fl/  - Volume is OK
Reading Configuration File "/fl/apcfg".
Configuration file checksum: 4aae4 is good
multicastRateIndex = 2
multicastRateIndex = 6
Attaching interface lo0...done
DHCP server started.
wireless access point starting...
wlan1 Ready
wireless access point starting...
Remote Web service on TCP port 8080 ... Allowing any hosts on INTERNET
start easyconf
Starting the blocking WAN PING service ... successful
vp0 macaddr = 00:12:17:a7:ef:db
vp65536 macaddr = 00:12:17:a7:ef:dc
ae0 macaddr = 00:12:17:a7:ef:dd
ae1 macaddr = 00:12:17:a7:ef:de
add bridge port ae0
Radar scan beginning on all eligible channels
InitSingleScan -- 5260, 2410  ofdm 5 passive scan
Radar scan complete
Auto Channel Scan selected 5200 MHz, channel 40
wlan0 Ready
Ready

Comment by lalee on Fri Jun 2 13:46:43 2006

Hi Andrea,

It looks like your firmware version doesn't have the boot console. If you can find the 1.10 firmware on Linksys' site, you can try downgrading it through the router's web interface.

Otherwise, you can just press <Esc> when the router first starts up, and you'll get into the BootLoader mode. You can set up the TFTP parameters at that point, and tell the router how to load up any OpenWRT image that you've compiled.

Comment by czzink123@czinfo.net on Sun Jun 4 10:36:54 2006

I need somebody to help me:

I have a Linksys WRT55AG v2. I bricked it after I uploaded the wrong firmware, and JTAG does not work. I need a whole flash dump because I have a programmer.

Thanks !

Comment by lalee on Tue Jun 6 16:23:46 2006

You might be able to reset the router to factory settings by holding down the RESET button while powering the device up. Worked for me several times when I thought I had bricked mine.

At the very worst case, you'd need to hook up the serial port and mess around with settings to get it booting a factory (or OpenWRT) image via TFTP.

Comment by svieira on Thu Jun 8 14:38:06 2006

lalee,

What do you mean by "Otherwise, you can just press <Esc>"? My router has firmware 1.30 and the web interface always breaks in the middle. Doing tftp does not work for me either.

Is there any way to put the router in bootloader mode?

Comment by lalee on Mon Jun 12 18:53:38 2006

svieira,

If you hook up the serial port, the router will go into bootloader mode if you press ESC when the router starts. (Just when the router says "ar531x rev 0x00005742 firmware startup...") You can then change the TFTP settings, as noted in Section 1.5 of the Netgear WGT624 page.

Hope this helps! (And sorry for the messy site at the moment -- I'm still working on integrating Trac with Ruby-on-Rails...)

Comment by czzink123@czinfo.net on Tue Jun 13 23:07:22 2006

I have an IC programmer, so I opened the router case and used the IC programmer to dump the whole flash. Unfortunately, I made a big mistake: I hit "erase"......

So I only have one way to save my WRT55AG v2: somebody giving me a whole flash dump.

please,please help me, thanks !!!

Comment by bbsux@binary.net on Mon Jul 10 09:26:37 2006

Wow, This is the first place I have found good info on hacking the wrt55agv2.

Any news on getting a more (well, newbie friendly) hack?

Thanks...

Comment by lalee on Thu Jul 13 18:39:15 2006

Hi,

Sorry, I haven't touched this router in months.. I swapped the RAM chips to larger-capacity ones, but it still registered 16 Megs.. so I put the project aside for the time being. I was more interested in getting a nice, beefy router platform before diving in too deep with the software.

Comment by firestormo@yahoo.com on Tue Aug 8 19:36:01 2006

Any new news on a working firmware for the WRT55AGv2?

Comment by lalee on Wed Aug 9 13:47:51 2006

There hasn't been any development on the WRT55AGv2 from my end, but maybe the guys at OpenWRT have put something together. The kernel basically works, but (last time I tried) some fixes need to be done to get the MadWifi driver functional.

Though.. I think the old DeviceScape kernel that Malfi built for his Netgear router detected the Atheros devices, so I'm pretty sure it's just a module configuration issue on our part.

Comment by nutnut@centrum.cz on Sat Nov 11 22:53:43 2006

What serial port parameters should I set? I have XtendLan WDAP 1001 that has the serial port prepared on the pcb but the header is not soldered and I'm using http://pinouts.ru/CellularPhonesCables/nokia_dku-5_cable_pinout.shtml. Connecting grounds and then trying remaining pins I have found one single pin from which I can receive an unreadable mess at 115200-8N1, at 9600-8N1 nothing can be received from any pin.

Comment by nutnut@centrum.cz on Sat Nov 11 23:17:09 2006

Heh a second after posting I have found it, both data and charger ground on the DKU-5 cable have to be connected, and the firmware is set to 9600-8N1 (another incarnation of this design uses 115200-8N1, so I was trying that too, see http://atheros.openwrt.net/).
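The two line settings mentioned in the comments above (9600-8N1 and 115200-8N1) can be told apart from a raw capture of the TX pin. The following is an added example, not part of the original comments or of any project's code: it simulates 8N1 framing and picks the rate that produces cleanly framed printable bytes. The sample rate, the banner text and all function names are assumptions made for the illustration.

```python
import string

SAMPLE_RATE = 921_600  # Hz; constructed capture rate, an exact multiple of both bauds
PRINTABLE = set(string.printable.encode())

def transmit(data, baud):
    """Render bytes as an 8N1 line-level waveform (1 = idle/mark, 0 = space)."""
    per_bit = SAMPLE_RATE // baud
    line = [1] * per_bit
    for byte in data:
        frame = [0] + [(byte >> n) & 1 for n in range(8)] + [1]  # start, LSB first, stop
        for bit in frame:
            line += [bit] * per_bit
    return line + [1] * (12 * per_bit)  # trailing idle time

def receive(line, baud):
    """Decode 8N1 at the given baud; return (cleanly framed bytes, framing errors)."""
    per_bit = SAMPLE_RATE // baud
    out, errors, i = bytearray(), 0, 0
    while i < len(line):
        if line[i] == 1:            # idle level, keep looking for a start bit
            i += 1
            continue
        mid = i + per_bit // 2      # centre of the start bit
        stop = mid + 9 * per_bit    # centre of the stop bit
        if stop >= len(line):
            break
        byte = sum(line[mid + (n + 1) * per_bit] << n for n in range(8))
        if line[stop] == 1:
            out.append(byte)
        else:
            errors += 1             # stop bit sampled low: wrong baud or noise
        i = stop
        while i < len(line) and line[i] == 0:  # resync on the next idle level
            i += 1
    return bytes(out), errors

def detect_baud(line, candidates=(9600, 115200)):
    """Pick the candidate that yields the most cleanly framed printable bytes."""
    def score(baud):
        data, _ = receive(line, baud)
        return sum(b in PRINTABLE for b in data)
    return max(candidates, key=score)

BANNER = b"ar531x boot: constructed sample banner\r\n"  # constructed, not real output
CAPTURE = transmit(BANNER, 9600)  # what a 9600-8N1 device would put on the wire
```
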

Comment by franek on Sat Dec 9 13:47:56 2006

Is anyone upgrading wap/wrt55ag v2 without serial cable?

Comment by gig.it@_nospam_tiscalinet.it on Fri Mar 2 11:35:14 2007

How can this error be avoided? Loading... Error loading file: errno = 0x610001.

Comment by Weedy <weedy2887@gmail.com> on Sat May 5 15:10:03 2007

lalee be less dead

Comment by lalee on Sat May 5 16:44:42 2007

Sorry guys, I haven't worked on the WRT55AG in quite some time now. Aside from the RAM upgrade hack (which didn't work - I have larger chips, but the machine still only sees 16 Megs), I haven't touched the router.

I'd imagine that after all this time, Kamikaze has made enough progress to operate on these devices, though.

Comment by anonymous on Sat Nov 17 15:31:05 2007

They have not. Everyone is still holding their breath waiting for someone to release something to make upgrading the WRT55AG and WAP55AG devices easy.

Comment by anonymous on Sat Nov 17 15:37:23 2007

You're awesome BTW. You are much closer to a useful hack for the WRT55AG than anyone else on the net that I am aware of currently. Linksys WRT55AG and WAP55AG images crash when using Cisco IP softphone or IP Communicator. Linksys knows about it but will not do anything about it. I have 14 of these things so it is either get a workaround or toss them for something else!

Comment by anonymous on Tue Nov 20 23:07:44 2007

Keep up the progress! I've got a WRT55AG V2, I'm not afraid to rip it up and add serial or JTAG, or replace parts (I run an electronics lab at work).

Is there anything I can do to help you with getting this running?

Also, we use VxWorks at work (Aerospace)...

Comment by BL! on Sun Nov 25 15:57:03 2007

I really hope someone can wrap this up soon because I'm sure a lot of people are sitting on these WRT55AGs and the firmware versions released by Linksys have several issues (and they have dropped the support now(!)).

I would easily pay for another firmware based on this excellent hardware!

Comment by anonymous on Fri Nov 30 10:35:03 2007

I am with u,

PPTP Client for WRT55AG v2

Hello All! Does anybody know if it is possible to make the PPTP client work on the WRT55AG v2? There is even an option in the internet configuration in the web interface (original firmware), but it looks like there are not enough parameters... (e.g. no VPN server IP/name).

Br, Slavique

How to open the dang thing without damaging the plastic shell?

Laugh out loud if you must, but I haven't managed to actually *open* my wrt55agv2 yet :) I have removed the plastic feet, and the two screws in the front "paws". But the thing won't open, I have made a lot of pressure trying to pull the front and back shells apart, but no go. I am obviously doing something wrong, and I really don't want to break the plastic shell to get to the circuitry inside (since serial access apparently is a must in order to attempt to get Linux to work on these devices). Any tips on how to actually OPEN the thing without damaging the shell?

Project update?

What's the current status on this project? The need is still out there and still this ABG router is very good, just need the software to go along with it!  

Slavique, No idea on how to get PPTP working with the stock firmware, sorry.  It's been a tough nut to crack for a couple of years now.  *sigh*  

Henrique, Once you have the screws removed from the plastic feet, you need to give it a firm pull to get the router apart. I usually manage to open the WRT55AG v2 by holding the router "face down" secured between my feet.  Then I grab the back end of the router with my hands, and pull hard until it pops open.  It's a laughable procedure, but it works for me.

As far as I know, little progress has been made with the WRT55AG v2.  I'm bogged down with a startup effort (probably extending through July and beyond), and haven't had time to crack either of my 55AG's open to play with them, sorry.  I'm hoping someone else with OpenWRT (maybe Kaloz?) would help in this.

PPTP

Funny thing. I managed to run the OpenWrt kernel on the WRT55AG v2 (in ramdisk), and even configure PPTP on WLAN, but I cannot make either MADWiFi or the switch work. :( So now I can browse the internet from the WRT console, but cannot connect any other device to it.

Br, Slavique