Older Progress Notes on Hacking the WRT55AGv2

 

Older Stuff

[Outdated] Bummer, doing a little more research on the VxWorks bootloader, it seems I'm in way over my head. According to this article, the VxWorks bootloader has trouble with Linux Kernel images because the Linux Kernel's ELF header is specifying a start offset in Virtual Memory, not physical memory. *Aurrgh*. OK, well, the software hacks are definitely on permanent hold until I can either:

  • figure out how to get u-boot to chain-load under the VxWorks bootloader
  • desolder the flash chip and install a socket, so I can do things the hard way.
  • figure out why the damn JTAG interface isn't responding. *Grrr*

I'm somewhat disappointed. I was just about to order some RAM chips to swap out from this router, maybe bringing it up to 128MB of RAM. Ah well, maybe I'll just upgrade a cheapie WRT54GL, or dive into a high-end Asus router with all the USB support stuff..

Older News

Anyone with OpenWRT Wiki Access, feel free to copy/paste what you think is relevant into the OpenWRT wiki -- I'm just not in the habit of creating a whole bunch of accounts that I'd rarely use. Thanks!

Just logging my progress below. Next step.. not for a while, just probing through the menu system.

Check it out, though -- from the extended menu, it looks like you can set the Operation Mode on these devices through the Serial Port:

set operationMode ap               -- Operating as Access Point
set operationMode sta              -- Operating as Wireless Client
set operationMode ppt              -- Operating as Wireless Bridge
set operationMode mpt              -- Operating as Multi-point Bridge
set operationMode repeater         -- Operating as Wireless Repeater

Hmm -- Maybe one could get this running as a Dual-Channel Wireless Bridge without OpenWRT? :-D

External Docs

A product brief on the AR5001AP, which I believe is a reference design. Nice block diagram of how things are laid out.

I also found the manuals for a similarly (identically) equipped device: BroVis AS1000. Their firmware has the Telnet server enabled. Lucky bums!

Progress Report

I finally managed to debrick the WRT55AG after getting into the serial console, and holding the reset button down for several seconds to force it to load up the Factory Settings. Make no mistake, these routers are damn expensive, and I really hate having bricked hardware in the house. Y'know the feeling, when a simple and hackable device just calls out to you and says "fix me! fix me!". ;-) So now I've got my router all tricked out with a Serial Adapter and a (seemingly non-functional) JTAG Header.

Note that the latest "1.67" firmware does not expose a serial-port login. You can see status messages, but you will not get a login-prompt by simply pressing <Return>. Way to go, Linksys. :-p Fortunately, the older version of the firmware is still in the Linksys FTP Site, so I was able to downgrade the firmware back to 1.10. Whew! (The 1.10 firmware is named WRT55AGv2_v1.10_09302004.fim) -- the "v2" in the filename is all-important!

OpenWRT Progress

I think I have cobbled together a version of OpenWRT built for the Atheros CPU (after much hand-tweaking of CFLAGS in the MadWifi driver, and other small fixups all around). It's based on Kamikaze from mid-February, and still uses the "AP30" default settings. I gotta figure out how to hack up those config-files used in Buildroot or something. Hopefully someone upstream will take pity on the WRT55AG and do that for us (me). :-)

Anyways.. At first, I thought there's no easy way to get firmware loaded onto the router, but I've discovered the filenames and an FTP method to transfer firmware into and out of the device. I also have the equipment to desolder the flash chip, but I'd still need to get a flash chip programmer and (ideally) a few TSOP-48 ZIF Sockets if it really comes down to that.

I'm *REALLY* hoping that I can just upload kernel firmware (as apimg1 via FTP), without it wiping out the embedded Boot-Loader. Otherwise, I'd be hosed. I'll probably probe the JTAG interface a *LOT* so I can build up my confidence on this and have a way out without breaking out the soldering equipment. Recall, only the 1.10 version of the Linksys Firmware will give you a command-prompt! >:-(

JTAG Progress

I also added a header to the JTAG port. It's a 14-port header, and appears to be wired in what's considered "standard" for a MIPS platform (Reference), as that's what the Atheros chip is based on:

 1 - TRST     2 - VSS (GND)
 3 - TDI      4 - VSS (GND)
 5 - TDO      6 - VSS (GND)
 7 - TMS      8 - VSS (GND)
 9 - TCK     10 - VSS (GND)
11 - RST     12 - KEY
13 - DINT    14 - Reference Voltage

I have verified that pins 2, 4, 6, 8, and 10 are GND. Pin 14 measures 3.28V. I have yet to establish a JTAG session on this interface, though. :-(

Building a Serial Adapter

After weighing the options, I decided that I didn't want to waste time building out an RS-232 adapter circuit, when you can use a USB Data Cable for a common cell phone (Nice tutorial thanks to I-Hacked.com). Lucky for me, my corner Radio Shack store was clearing out their data cables for some older or unsupported models. I picked up an LG 1010/5350/VX1/VX10 data cable for $10 and change.

Following the tutorial, I had constructed a working cable in under 20 minutes. Nice.

Complete Help Menu (Some Hidden Options)

In the Serial Session, if you type help on a bogus command, you get a larger menu:

wlan0 -> help blahblahfoo
List of Access Point CLI commands:
 config wlan                        -- config wlanX
 connect bss                        -- connect to bssX
 del acl                            -- Delete Access Control List
 del key                            -- Delete Encryption key
 find bss                           -- Find BSS
 find channel                       -- Find Available Channel
 find all                           -- Find All BSS
 ftp                                -- Software update via FTP
 get acl                            -- Display Access Control List
 get aging                          -- Display Aging Interval
 get antenna                        -- Display Antenna Diversity
 get association                    -- Display Association Table
 get authentication                 -- Display Authentication Type
 get autochannelselect              -- Display Auto Channel Select
 get beaconinterval                 -- Display Beacon Interval
 get burstSeqThreshold              -- Display Max Number of frames in a Burst
 get burstTime                      -- Display Burst Time
 get channel                        -- Display Radio Channel
 get cipher                         -- Display Encryption cipher
 get config                         -- Display Current AP Configuration
 get countrycode                    -- Display Country Code
 get domainsuffix                   -- Display Domain Name Server suffix
 get dtim                           -- Display Data Beacon Rate (DTIM)
 get encryption                     -- Display Encryption Mode
 get fragmentthreshold              -- Display Fragment Threshold
 get frequency                      -- Display Radio Frequency (MHz)
 get gateway                        -- Display Gateway IP Address
 get groupkeyupdate                 -- Display Group Key Update Interval (in Seconds)
 get hardware                       -- Display Hardware Revisions
 get hostipaddr                     -- Display Host IP Address
 get ipaddr                         -- Display IP Address
 get ipmask                         -- Display IP Subnet Mask
 get key                            -- Display Encryption Key
 get keyentrymethod                 -- Display Encyrption Key Entry Method
 get keysource                      -- Display Source Of Encryption Keys
 get login                          -- Display Login User Name
 get minimumrate                    -- Display Minimum Rate
 get nameaddr                       -- Display IP address of name server
 get operationMode                  -- Display Operation Mode
 get pktLogEnable                   -- Display Packet Logging Mode
 get power                          -- Display Transmit Power Setting
 get radiusname                     -- Display RADIUS server name or IP address
 get radiusport                     -- Display RADIUS port number
 get rate                           -- Display Data Rate
 get reg                            -- Display the register contents at the given offset
 get remoteAp                       -- Display Remote Ap's Mac Address
 get rtsthreshold                   -- Display RTS/CTS Threshold
 get sntpserver                     -- Display SNTP/NTP Server IP Address
 get ssid                           -- Display Service Set ID
 get ssidsuppress                   -- Display SSID Suppress Mode
 get station                        -- Display Station Status
 get SuperG                         -- Display SuperG Feature Status
 get systemname                     -- Display Access Point System Name
 get tzone                          -- Display Time Zone Setting
 get uptime                         -- Display UpTime
 get wirelessmode                   -- Display Wireless LAN Mode
 get wlanstate                      -- Display wlan state
 help                               -- Display CLI Command List
 ping                               -- Ping
 pktLog                             -- Packet Log
 reboot                             -- Reboot Access Point
 run                                -- Run command file
 quit                               -- Logoff
 set acl allow                      -- Add MAC address to the ACL
 set acl enable                     -- Select Restricted Access
 set acl deny                       -- Add MAC address to the disabled ACL
 set acl disable                    -- Select Unrestrict Access
 set acl keymap                     -- Add Encryption key mapping for MAC address
 set acl strict                     -- Select Restricted (w/ACL match) Access
 set aging                          -- Set Aging Interval
 set antenna best                   -- Enable antenna diversity
 set antenna 1                      -- Select antenna 1
 set antenna 2                      -- Select antenna 2
 set authentication open-system     -- Select Open-System Authentication Type
 set authentication shared-key      -- Select Shared-Key Authentication Type
 set authentication auto            -- Select auto Authentication Type
 set authentication WPA             -- Select Authentication WPA Type
 set authentication WPA-PSK         -- Select Authentication WPA-PSK Type
 set autochannelselect disable      -- Disable Automatic Channel Selection
 set autochannelselect enable       -- Enable Automatic Channel Selection
 set beaconinterval                 -- Modify Beacon Interval
 set burstSeqThreshold              -- Set Max Number of frames in a Burst
 set burstTime                      -- Set Burst Time
 set channel                        -- Set Radio Channel
 set cipher wep                     -- Select wep
 set cipher aes                     -- Select aes
 set cipher tkip                    -- Select tkip
 set cipher auto                    -- Select cipher through negotiation
 set countrycode                    -- Set Country Code
 set domainsuffix                   -- Set Domain Name Server Suffix
 set dtim                           -- Set Data Beacon Rate (DTIM)
 set encryption disable             -- Disable Encryption
 set encryption enable              -- Enable Encryption
 set factorydefault                 -- Restore to Default Factory Settings
 set fragmentthreshold              -- Set Fragment Threshold
 set frequency                      -- Set Radio Frequency (MHz)
 set gateway                        -- Set Gateway IP Address
 set groupkeyupdate                 -- Set Group Key Update Interval (in Seconds)
 set hostipaddr                     -- Set Host IP address
 set ipaddr                         -- Set IP Address
 set ipmask                         -- Set IP Subnet Mask
 set key default                    -- Set Default Encryption Key
 set key 40                         -- Set 40-bit Encryption Key
 set key 104                        -- Set 104-bit Encryption Key
 set key 128                        -- Set 128-bit Encryption Key
 set keyentrymethod hexadecimal     -- Key contains (0 - 9, A - F)
 set keyentrymethod asciitext       -- Key contains keyboard characters
 set keysource flash                -- All keys will be read from flash (no key derivation)
 set keysource server               -- All keys will be derived from authentication server
 set keysource mixed                -- Keys read from flash or derived from authentication server
 set login                          -- Modify Login User Name
 set minimumrate 0.25               -- Select 0.25 Mbps
 set minimumrate 0.5                -- Select 0.5 Mbps
 set minimumrate 1                  -- Select 1 Mbps
 set minimumrate 2                  -- Select 2 Mbps
 set minimumrate 3                  -- Select 3 Mbps
 set minimumrate 6                  -- Select 6 Mbps
 set minimumrate 9                  -- Select 9 Mbps
 set minimumrate 12                 -- Select 12 Mbps
 set minimumrate 18                 -- Select 18 Mbps
 set minimumrate 24                 -- Select 24 Mbps
 set minimumrate 36                 -- Select 36 Mbps
 set minimumrate 48                 -- Select 48 Mbps
 set minimumrate 54                 -- Select 54 Mbps
 set nameaddress                    -- Set Name Server IP address
 set operationMode ap               -- Operating as Access Point
 set operationMode sta              -- Operating as Wireless Client
 set operationMode ppt              -- Operating as Wireless Bridge
 set operationMode mpt              -- Operating as Multi-point Bridge
 set operationMode repeater         -- Operating as Wireless Repeater
 set password                       -- Modify Password
 set passphrase                     -- Modify Passphrase
 set pktLogEnable                   -- Enable Packet Logging
 set power full                     -- Set maximum (normal) transmit power
 set power half                     -- Set fractional (1/2) transmit power
 set power quarter                  -- Set fractional (1/4) transmit power
 set power eighth                   -- Set fractional (1/8) transmit power
 set power min                      -- Set minimum transmit power
 set radiusname                     -- Set RADIUS name or IP address
 set radiusport                     -- Set RADIUS port number
 set radiussecret                   -- Set RADIUS shared secret
 set rate best                      -- Select best data rate
 set rate 0.25                      -- Select 0.25 Mbps
 set rate 0.5                       -- Select 0.5 Mbps
 set rate 1                         -- Select 1 Mbps
 set rate 2                         -- Select 2 Mbps
 set rate 3                         -- Select 3 Mbps
 set rate 6                         -- Select 6 Mbps
 set rate 9                         -- Select 9 Mbps
 set rate 12                        -- Select 12 Mbps
 set rate 18                        -- Select 18 Mbps
 set rate 24                        -- Select 24 Mbps
 set rate 36                        -- Select 36 Mbps
 set rate 48                        -- Select 48 Mbps
 set rate 54                        -- Select 54 Mbps
 set reg                            -- Set Register Value
 set remoteAP                       -- Set Remote AP's Mac Address
 set rtsthreshold                   -- Set RTS/CTS Threshold
 set sntpserver                     -- Set SNTP/NTP Server IP Address
 set ssid                           -- Set Service Set ID
 set ssidsuppress enable            -- Enable SSID suppress mode
 set ssidsuppress disable           -- Disable SSID suppress mode
 set SuperG enable                  -- Enable SuperG Features
 set SuperG disable                 -- Disable SuperG Features
 set systemname                     -- Set Access Point System Name
 set tzone                          -- Set Time Zone Setting
 set wlanstate disable              -- Disable wlan
 set wlanstate enable               -- Enable wlan
 set wirelessmode 11a               -- 802.11a
 set wirelessmode 11b               -- 802.11b
 set wirelessmode 11g               -- 802.11g
 set wirelessmode 108g static       -- 802.11g Static Turbo
 set wirelessmode 108g dynamic      -- 802.11g Dynamic Turbo
 set wirelessmode turbo static      -- 802.11a Static Turbo
 set wirelessmode turbo dynamic     -- 802.11a Dynamic Turbo
 timeofday                          -- Display Current Time of Day
 version                            -- Software version
 nvram                              -- nvram utility

PCI Hardware Reported

Interesting Hardware information reported:

wlan0 -> get hardware
wlan0 revisions: mac 5.7 phy 4.2 analog 3.6
  PCI Vendor ID: 0x168c, Device ID: 0x13
  Sub Vendor ID: 0x168c, Sub Device ID: 0x13
chip is AR2312

Router Default Configuration

The overall configuration:

wlan0 -> get config
wlan0 revisions: mac 5.7 phy 4.2 analog 3.6
  PCI Vendor ID: 0x168c, Device ID: 0x13
  Sub Vendor ID: 0x168c, Sub Device ID: 0x13
chip is AR2312
Country Code: US
Operation Mode: Access Point
Wlan State: Enabled
Radio Frequency: 5260 MHz (IEEE 52)
Wireless LAN Mode: 802.11a
Auto Channel Select: Disabled
Data Rate: best
Antenna: best
Login Username:
RADIUS address:
Name server IP address:
Name server domain suffix:
SSID: linksys-a
SSID Suppress Mode: Disabled
System Name:
Beacon Interval: 100
DTIM: 1
Fragmentation Threshold: 2346
RTS/CTS Threshold: 2346
Burst Time: 2
Burst Sequence Threshold: 3
IP Address: 192.168.1.1
IP Mask: 255.255.255.0
Host IP Address: 0.0.0.0
Gateway IP Address: 192.168.1.20
SNTP/NTP Server IP Address:
Time Zone:
HW Transmit Retry Limit: 4
SW Transmit Retry Limit: 3
TransmitPower: full
Current Transmit Output Power 16.0 dBm
SuperG :Disabled
Encryption: Disabled
Cipher selection: AUTO
Authentication Type: Open System
Default transmit key: none
Access Check: Disabled
Key Entry Method: hexadecimal
Group Key Update Interval: 3600 seconds
Key Source: flash
Aging Interval: 300 seconds
Minimum rate: 0.25 Mbps
XR Poll interval: 100 msec
XR Frame Limit: 25
XR Poll Rate String is 0.25 1 1 3 3 6 6 20
XR Fragmentation Threshold: 540

Undocumented ls Command

Aha, there's an undocumented ls command!

wlan0 -> ls
apcfg          3364
nvram          8404
apimg1      1290212
apimg1.hdr       52
apcfg.bak      3364
config.bin    11227
2146304 bytes free

File Contents Downloaded via FTP

AP Config (APCFG)

(Passphrases are Masked out).

# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
# DO NOT EDIT -- This configuration file is automatically generated
magic Ar52xxAP
fwc: 1
login 
nameaddr 
domainsuffix 
RADIUSaddr 
RADIUSport 1812
RADIUSsecret 
password admin
passphrase 
wlan1 passphrase 
passphraseKey ********************************************************************************
wlan1 passphraseKey ********************************************************************************
version 2
AgingInterval 300
Abolt 112
wlan1 Abolt 112
pktLogEnable 0
wlan1 pktLogEnable 0
ofdmTrigLow 800
ofdmTrigHigh 1500
cckTrigLow 200
cckTrigHigh 500
enableANI 1
noiseImmunityLvl 0
spurImmunityLvl 0
ofdmWeakSigDet 1
cckWeakSigThr 1
firStepLvl 0
groupKeyUpdateInterval 3600
wlan1 groupKeyUpdateInterval 3600
BeaconInterval 100
wlan1 BeaconInterval 100
BurstTime 2
wlan1 BurstTime 2
BurstSeqThreshold 3
wlan1 BurstSeqThreshold 3
CalibrationPeriod 30
wlan1 CalibrationPeriod 30
CountryCode US
WirelessMode 11a
wlan1 WirelessMode 11g
WlanState Enable
wlan1 WlanState Enable
OpMode Access Point
wlan1 OpMode Access Point
RemoteApMacAddr 00:00:00:00:00:00
wlan1 RemoteApMacAddr 00:00:00:00:00:00
RadioChannel 5260
wlan1 RadioChannel 2437
DataRate best
wlan1 DataRate best
Antenna best
wlan1 Antenna best
ssid linksys-a
wlan1 ssid linksys-g
ssidSuppress Disable
wlan1 ssidSuppress Disable
SystemName 
DTIM 1
wlan1 DTIM 1
gOptimize 1
wlan1 gOptimize 1
CTSMODE 2
wlan1 CTSMODE 2
CTSRATE 4
wlan1 CTSRATE 4
CTSTYPE 0
wlan1 CTSTYPE 0
ShortSlotTime Enable
wlan1 ShortSlotTime Enable
Basic11g 1
wlan1 Basic11g 1
GBEACON 0
wlan1 GBEACON 0
gOnly Disable
wlan1 gOnly Disable
gOverlap Enable
wlan1 gOverlap Enable
gDraft5 Disable
wlan1 gDraft5 Disable
FragmentThreshold 2346
wlan1 FragmentThreshold 2346
RTSThreshold 2346
wlan1 RTSThreshold 2346
SntpServer 
SoftwareRetry Enable
wlan1 SoftwareRetry Enable
HwTxRetries 4
wlan1 HwTxRetries 4
SwTxRetries 3
wlan1 SwTxRetries 3
Telnet Disable
Timeout 0
TimeZone 
TransmitPower full
wlan1 TransmitPower full
OverRideTxPower 0
WDS Disable
wlan1 WDS Disable
WME Disable
wlan1 WME Disable
GPRS 0
wlan1 GPRS 0
UPSD Disable
wlan1 UPSD Disable
QuietAckCtsAllow Disable
wlan1 QuietAckCtsAllow Disable
QuietDuration 0
wlan1 QuietDuration 0
QuietOffset 0
wlan1 QuietOffset 0
CompressionProc 0
wlan1 CompressionProc 0
CompressionWinSize 4096
wlan1 CompressionWinSize 4096
Keytable 1
wlan1 Keytable 1
Keyentrymethod hexadecimal
wlan1 Keyentrymethod hexadecimal
Keysource flash
wlan1 Keysource flash
DefaultKey 1
wlan1 DefaultKey 1
WATCHDOG Enable
extendedchanmode Enable
encryption Disable
wlan1 encryption Disable
cipher auto
wlan1 cipher auto
AuthenticationType Open-System
wlan1 AuthenticationType Open-System
autochanselect Disable
wlan1 autochanselect Disable
OutdoorChannel Enable
wlan1 OutdoorChannel Enable
ShortPreamble Enable
wlan1 ShortPreamble Enable
Basic11b Disable
wlan1 Basic11b Disable
AccessPermission Disable
wlan1 AccessPermission Disable
Acltable 4
wlan1 Acltable 4
FtpVenDef ; ; ; ; ; ; 0
FtpUpdate ; ; ; ; ; ; 0
FtpScript ; ; ; ; ; _stemp_; 0
XR Enable
wlan1 XR Enable
XRPoll 100
wlan1 XRPoll 100
XRQueueFrameLimit 25
wlan1 XRQueueFrameLimit 25
XRQueuePollRate 0.25 1 1 3 3 6 6 20
wlan1 XRQueuePollRate 0.25 1 1 3 3 6 6 20
XRFragmentThreshold 540
wlan1 XRFragmentThreshold 540
MinimumRate 0.25
wlan1 MinimumRate 0.25
Bytes: 3336
checksum: 45779

Firmware Header? (apimg1.hdr)

[root@ufo RouterFiles]# hexdump -C apimg1.hdr
00000000  41 48 30 30 41 5b bb 32  00 13 af e4 da 98 22 4e  |AH00A[.2......"N|
00000010  24 9e 72 4b a8 ab f2 07  58 28 08 29 00 01 00 14  |$.rK....X(.)....|
00000020  41 63 63 65 73 73 50 6f  69 6e 74 5f 35 33 31 32  |AccessPoint_5312|
00000030  5f 30 31 00                                       |_01.|
00000034

First 512 Bytes of Firmware File

[root@ufo RouterFiles]# head -c 512 apimg1 | hexdump -C
00000000  7f 45 4c 46 01 02 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  00 02 00 08 00 00 00 01  80 48 46 e0 00 00 00 34  |.........HF....4|
00000020  00 13 ae f4 10 00 00 01  00 34 00 20 00 01 00 28  |.........4. ...(|
00000030  00 06 00 05 00 00 00 01  00 00 00 60 80 48 00 00  |...........`.H..|
00000040  80 48 00 00 00 13 ae 60  00 15 4a e0 00 00 00 07  |.H.....`..J.....|
00000050  00 00 00 10 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  30 82 00 03 14 40 00 30  00 c0 38 21 30 a2 00 03  |0....@.0..8!0...|
00000070  14 40 00 2d 2c e2 00 04  14 40 00 2b 24 02 00 03  |.@.-,....@.+$...|
00000080  00 46 10 23 28 c6 00 04  14 c0 00 13 30 43 00 0f  |.F.#(.......0C..|
00000090  10 60 00 18 28 62 00 0c  10 40 00 0f 28 62 00 08  |.`..(b...@..(b..|
000000a0  10 40 00 08 28 62 00 04  14 40 00 12 00 00 00 00  |.@..(b...@......|
000000b0  8c a2 00 00 24 a5 00 04  24 e7 ff fc ac 82 00 00  |....$...$.......|
000000c0  24 84 00 04 8c a2 00 00  24 a5 00 04 24 e7 ff fc  |$.......$...$...|
000000d0  ac 82 00 00 24 84 00 04  8c a2 00 00 24 a5 00 04  |....$.......$...|
000000e0  24 e7 ff fc 2c e6 00 04  ac 82 00 00 14 c0 00 0e  |$...,...........|
000000f0  24 84 00 04 8c a2 00 00  ac 82 00 00 8c a3 00 04  |$...............|
00000100  ac 83 00 04 8c a2 00 08  24 e7 ff f0 ac 82 00 08  |........$.......|
00000110  8c a3 00 0c 2c e6 00 04  24 a5 00 10 ac 83 00 0c  |....,...$.......|
00000120  10 c0 ff f4 24 84 00 10  10 e0 00 24 00 07 10 23  |....$......$...#|
00000130  30 43 00 03 10 60 00 15  28 62 00 03 10 40 00 0d  |0C...`..(b...@..|
00000140  28 62 00 02 10 40 00 06  00 00 00 00 90 a2 00 00  |(b...@..........|
00000150  24 a5 00 01 24 e7 ff ff  a0 82 00 00 24 84 00 01  |$...$.......$...|
00000160  90 a2 00 00 24 a5 00 01  24 e7 ff ff a0 82 00 00  |....$...$.......|
00000170  24 84 00 01 90 a2 00 00  24 a5 00 01 24 e7 ff ff  |$.......$...$...|
00000180  a0 82 00 00 10 e0 00 0d  24 84 00 01 90 a2 00 00  |........$.......|
00000190  a0 82 00 00 90 a3 00 01  a0 83 00 01 90 a2 00 02  |................|
000001a0  a0 82 00 02 90 a3 00 03  24 e7 ff fc 24 a5 00 04  |........$...$...|
000001b0  a0 83 00 03 14 e0 ff f5  24 84 00 04 03 e0 00 08  |........$.......|
000001c0  00 00 00 00 30 82 00 03  14 40 00 21 00 a0 18 21  |....0....@.!...!|
000001d0  28 62 00 04 14 40 00 1e  24 02 00 03 00 45 10 23  |(b...@..$....E.#|
000001e0  30 45 00 0f 10 a0 00 12  28 a2 00 0c 10 40 00 0b  |0E......(....@..|
000001f0  28 a2 00 08 10 40 00 06  28 a2 00 04 14 40 00 0c  |(....@..(....@..|

Last 512 Bytes of Firmware File

[root@ufo RouterFiles]# tail -c 512 apimg1 | hexdump -C
00000000  cb ad 54 1e 8d dd 8c 26  5f 8e f2 85 75 e6 b6 f6  |..T....&_...u...|
00000010  11 71 ef a0 be fa 77 e4  d7 1f a2 36 b9 9a 29 e2  |.q....w....6..).|
00000020  7e 8a fa e9 6d e4 81 b7  11 db df 86 ee e7 50 83  |~...m.........P.|
00000030  bc 5b bb aa eb 9b 06 1a  19 5d 6f fa 63 be c7 98  |.[.......]o.c...|
00000040  7c a4 ec d2 0e f2 5e d2  0d a1 87 5d 5e 6b ea ab  ||.....^....]^k..|
00000050  a6 fa a2 65 b2 d5 af af  fe cc fa 49 fb 55 d7 bb  |...e.......I.U..|
00000060  45 ff ef d2 8f d2 27 e8  ff d5 50 ab 3f 5f ea d5  |E.....'...P.?_..|
00000070  7c 26 e6 ff 89 70 a9 57  71 e0 22 42 fe ff 25 fd  ||&...p.Wq."B..%.|
00000080  bf 4b 24 0f c8 5f 29 dc  b2 15 9f 6d f8 c8 ff 23  |.K$.._)....m...#|
00000090  f0 a1 fc 0d 1b 7c 3e f7  bf fc dc f8 ff fc 91 da  |.....|>.........|
000000a0  15 7f 15 ef d2 ff f7 6f  b9 7b f5 7f d4 7e 9f 7a  |.......o.{...~.z|
000000b0  6f bd b8 aa e7 44 01 7d  8b d5 5f 44 66 3f 3a b6  |o....D.}.._Df?:.|
000000c0  6d 87 1f ad a0 96 5c c1  7e 64 05 eb fa bf a6 fe  |m.....\.~d......|
000000d0  1b b0 26 0e 2c 01 75 00  00 00 00 00 00 2e 73 79  |..&.,.u.......sy|
000000e0  6d 74 61 62 00 2e 73 74  72 74 61 62 00 2e 73 68  |mtab..strtab..sh|
000000f0  73 74 72 74 61 62 00 2e  74 65 78 74 00 2e 72 6f  |strtab..text..ro|
00000100  64 61 74 61 00 2e 64 61  74 61 00 2e 62 73 73 00  |data..data..bss.|
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000130  00 00 00 00 00 00 00 00  00 00 00 1b 00 00 00 01  |................|
00000140  00 00 00 07 80 48 00 00  00 00 00 60 00 00 47 2c  |.....H.....`..G,|
00000150  00 00 00 00 00 00 00 00  00 00 00 10 00 00 00 00  |................|
00000160  00 00 00 21 00 00 00 01  00 00 00 02 80 48 47 30  |...!.........HG0|
00000170  00 00 47 90 00 00 02 40  00 00 00 00 00 00 00 00  |..G....@........|
00000180  00 00 00 10 00 00 00 00  00 00 00 29 00 00 00 01  |...........)....|
00000190  00 00 00 03 80 48 49 70  00 00 49 d0 00 13 64 f0  |.....HIp..I...d.|
000001a0  00 00 00 00 00 00 00 00  00 00 00 10 00 00 00 00  |................|
000001b0  00 00 00 2f 00 00 00 08  00 00 00 03 80 5b ae 60  |.../.........[.`|
000001c0  00 13 ae c0 00 01 9c 80  00 00 00 00 00 00 00 00  |................|
000001d0  00 00 00 10 00 00 00 00  00 00 00 11 00 00 00 03  |................|
000001e0  00 00 00 00 00 00 00 00  00 13 ae c0 00 00 00 34  |...............4|
000001f0  00 00 00 00 00 00 00 00  00 00 00 01 00 00 00 00  |................|

And file reports the firmware as:

[root@ufo RouterFiles]# file apimg1
apimg1: ELF 32-bit MSB executable, MIPS, MIPS-II version 1 (SYSV), statically linked, stripped
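
The header fields in the dumps above can be decoded directly. The following is an added example, not part of the original notes: it parses the ELF header and program header from the first 0x60 bytes of apimg1, maps the KSEG0 load address to its physical address, and cross-checks the image size against the router's ls output and apimg1.hdr. The apimg1.hdr field names (build time, length, digest, version, name) are guesses from the byte layout, not a documented format.

```python
import struct
from datetime import datetime, timezone

# Bytes below are copied from the hexdumps on this page.
APIMG1_HEAD = bytes.fromhex(          # first 0x60 bytes of apimg1
    "7f454c46010201000000000000000000"
    "0002000800000001804846e000000034"
    "0013aef4100000010034002000010028"
    "00060005000000010000006080480000"
    "804800000013ae6000154ae000000007"
    "00000010000000000000000000000000"
)
APIMG1_HDR = bytes.fromhex(           # all 52 bytes of apimg1.hdr
    "41483030415bbb320013afe4da98224e"
    "249e724ba8abf2075828082900010014"
    "416363657373506f696e745f35333132"
    "5f303100"
)
LS_SIZE = 1290212                     # apimg1 size from the router's `ls`

EH_KEYS = ("type machine version entry phoff shoff flags ehsize "
           "phentsize phnum shentsize shnum shstrndx").split()
PH_KEYS = "type offset vaddr paddr filesz memsz flags align".split()


def parse_elf32(buf):
    """Return (ELF header, program headers) from the start of an ELF32 file."""
    if len(buf) < 52 or buf[:4] != b"\x7fELF" or buf[4] != 1:
        raise ValueError("not a 32-bit ELF image")
    order = {1: "<", 2: ">"}.get(buf[5])   # EI_DATA: 1 = LSB, 2 = MSB
    if order is None:
        raise ValueError("bad EI_DATA byte")
    eh = dict(zip(EH_KEYS, struct.unpack_from(order + "HHIIIIIHHHHHH", buf, 16)))
    segs = []
    for i in range(eh["phnum"]):
        off = eh["phoff"] + i * eh["phentsize"]
        if off + 32 > len(buf):
            raise ValueError("program header lies outside the supplied bytes")
        segs.append(dict(zip(PH_KEYS, struct.unpack_from(order + "8I", buf, off))))
    return eh, segs


def kseg_to_phys(addr):
    """Map a MIPS32 kseg0/kseg1 address to physical; None if TLB-mapped."""
    if 0x80000000 <= addr < 0xC0000000:
        return addr & 0x1FFFFFFF
    return None


def parse_ap_hdr(buf):
    """Split apimg1.hdr into fields. Field names are guesses (assumption)."""
    if len(buf) < 32:
        raise ValueError("header too short")
    magic, stamp, length = struct.unpack_from(">4sII", buf, 0)
    version, name_len = struct.unpack_from(">HH", buf, 28)
    if 32 + name_len != len(buf):
        raise ValueError("name length does not account for the rest of the file")
    return {
        "magic": magic.decode("ascii"),
        "built": datetime.fromtimestamp(stamp, timezone.utc),  # read as Unix time
        "length": length,
        "digest": buf[12:28].hex(),     # 16 bytes, algorithm not verified
        "version": version,
        "name": buf[32:].rstrip(b"\0").decode("ascii"),
    }


def analyse(elf_head=APIMG1_HEAD, hdr=APIMG1_HDR, ls_size=LS_SIZE):
    eh, segs = parse_elf32(elf_head)
    ah = parse_ap_hdr(hdr)
    load = segs[0]
    # If the section header table is the last thing in the file, its end
    # offset equals the file size.
    elf_end = eh["shoff"] + eh["shnum"] * eh["shentsize"]
    return {
        "entry": eh["entry"],
        "load_vaddr": load["vaddr"],
        "load_paddr": load["paddr"],    # same KSEG0 address as vaddr here
        "load_phys": kseg_to_phys(load["vaddr"]),
        "bss_bytes": load["memsz"] - load["filesz"],
        "elf_end": elf_end,
        "hdr_length": ah["length"],
        "sizes_agree": elf_end == ls_size == ah["length"],
        "built": ah["built"].date().isoformat(),
        "name": ah["name"],
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        shown = hex(value) if type(value) is int else value
        print(f"{key:12} {shown}")
```

The program header's p_paddr carries the same KSEG0 address as p_vaddr, so a loader that takes p_paddr literally as a physical address would be working with 0x80480000 rather than 0x00480000.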

NVRAM Contents

wan_proto=dhcp
wan_ipaddr=0.0.0.0
wan_netmask=0.0.0.0
wan_default_gw=0.0.0.0
wan_dns_1=0.0.0.0
wan_dns_2=0.0.0.0
wan_dns_3=0.0.0.0
pppoe_username=
pppoe_passwd=
pppoe_keepalive=1
pppoe_ondemand=0
pppoe_idle_time=0
pppoe_redialtime=60
sys_name=
wan_domain=
lan_ipaddr=192.168.1.1
lan_netmask=255.255.255.0
dhcps_mode=enabled
dhcps_startip=192.168.1.100
dhcps_endip=192.168.1.149
dhcps_lease=0
dhcps_dns_1=0.0.0.0
dns_1=
dns_1_1=0
dns_1_2=0
dns_1_3=0
dns_1_4=0
dhcps_dns_2=0.0.0.0
dns_2=
dns_2_1=0
dns_2_2=0
dns_2_3=0
dns_2_4=0
dhcps_dns_3=0.0.0.0
dns_3=
dns_3_1=0
dns_3_2=0
dns_3_3=0
dns_3_4=0
dhcps_wins_1=0.0.0.0
wins_1_1=0
wins_1_2=0
wins_1_3=0
wins_1_4=0
dhcps_start=
dhcps_end=
dhcps_client_mode_1=disabled
dhcps_client_mode_2=disabled
dhcps_client_mode_3=disabled
dhcps_client_mode_4=disabled
dhcps_client_mode_5=disabled
dhcps_client_mode_6=disabled
dhcps_client_mode_7=disabled
dhcps_client_mode_8=disabled
dhcps_client_mode_9=disabled
dhcps_client_mode_10=disabled
dhcps_client_name_1=
dhcps_client_name_2=
dhcps_client_name_3=
dhcps_client_name_4=
dhcps_client_name_5=
dhcps_client_name_6=
dhcps_client_name_7=
dhcps_client_name_8=
dhcps_client_name_9=
dhcps_client_name_10=
dhcps_client_ip_1_4=0
dhcps_client_ip_2_4=0
dhcps_client_ip_3_4=0
dhcps_client_ip_4_4=0
dhcps_client_ip_5_4=0
dhcps_client_ip_6_4=0
dhcps_client_ip_7_4=0
dhcps_client_ip_8_4=0
dhcps_client_ip_9_4=0
dhcps_client_ip_10_4=0
dhcps_client_mac_1=00:00:00:00:00:00
dhcps_client_mac_2=00:00:00:00:00:00
dhcps_client_mac_3=00:00:00:00:00:00
dhcps_client_mac_4=00:00:00:00:00:00
dhcps_client_mac_5=00:00:00:00:00:00
dhcps_client_mac_6=00:00:00:00:00:00
dhcps_client_mac_7=00:00:00:00:00:00
dhcps_client_mac_8=00:00:00:00:00:00
dhcps_client_mac_9=00:00:00:00:00:00
dhcps_client_mac_10=00:00:00:00:00:00
wan_dns=
login_name=
login_password=admin
lan_gateway=192.168.1.20
country_domain=US
wl0_ssid=linksys-a
wl0_channel=52
wl0_stat_mode=enabled
wl0_wirelessmode=11a
wl0_ssid_bcast=enabled
wl0_security_mode=disabled
wl0_encrypt_idx=40
wl0_key_idx=1
wl0_key1=
wl0_key2=
wl0_key3=
wl0_key4=
wl0_cipher_type=tkip
wl0_wpa_passphrase=
wl0_wpa_group_key_interval=1500
wl0_auth_type=open
wl0_transmission_rate=auto
wl0_transmission_power=full
wl0_frame_burst=enabled
wl0_beacon_interval=100
wl0_dtim_interval=1
wl0_frag_threshold=2346
wl0_rts_threshold=2346
wl1_ssid=linksys-g
wl1_channel=6
wl1_stat_mode=enabled
wl1_wirelessmode=11g
wl1_wirelessmode_tmp=11g
wl1_ssid_bcast=enabled
wl1_security_mode=disabled
wl1_encrypt_idx=40
wl1_key_idx=1
wl1_key1=
wl1_key2=
wl1_key3=
wl1_key4=
wl1_cipher_type=tkip
wl1_wpa_passphrase=
wl1_wpa_group_key_interval=1500
wl1_auth_type=auto
wl1_basic_rate=default
wl1_transmission_rate=auto
wl1_transmission_power=full
wl1_cts_protection_mode=auto
wl1_frame_burst=enabled
wl1_beacon_interval=100
wl1_dtim_interval=1
wl1_frag_threshold=2346
wl1_rts_threshold=2347
radius_server_ipaddr=0.0.0.0
radius_server_ipaddr_1=0
radius_server_ipaddr_2=0
radius_server_ipaddr_3=0
radius_server_ipaddr_4=0
radius_server_port=1812
radius_shared_key=
radius_shared_key_interval=3600
filter_mode=disabled
filter_type=allow
filter_mac_1=00:00:00:00:00:00
filter_mac_2=00:00:00:00:00:00
filter_mac_3=00:00:00:00:00:00
filter_mac_4=00:00:00:00:00:00
filter_mac_5=00:00:00:00:00:00
filter_mac_6=00:00:00:00:00:00
filter_mac_7=00:00:00:00:00:00
filter_mac_8=00:00:00:00:00:00
filter_mac_9=00:00:00:00:00:00
filter_mac_10=00:00:00:00:00:00
filter_mac_11=00:00:00:00:00:00
filter_mac_12=00:00:00:00:00:00
filter_mac_13=00:00:00:00:00:00
filter_mac_14=00:00:00:00:00:00
filter_mac_15=00:00:00:00:00:00
filter_mac_16=00:00:00:00:00:00
filter_mac_17=00:00:00:00:00:00
filter_mac_18=00:00:00:00:00:00
filter_mac_19=00:00:00:00:00:00
filter_mac_20=00:00:00:00:00:00
filter_mac_21=00:00:00:00:00:00
filter_mac_22=00:00:00:00:00:00
filter_mac_23=00:00:00:00:00:00
filter_mac_24=00:00:00:00:00:00
filter_mac_25=00:00:00:00:00:00
filter_mac_26=00:00:00:00:00:00
filter_mac_27=00:00:00:00:00:00
filter_mac_28=00:00:00:00:00:00
filter_mac_29=00:00:00:00:00:00
filter_mac_30=00:00:00:00:00:00
filter_mac_31=00:00:00:00:00:00
filter_mac_32=00:00:00:00:00:00
filter_mac_33=00:00:00:00:00:00
filter_mac_34=00:00:00:00:00:00
filter_mac_35=00:00:00:00:00:00
filter_mac_36=00:00:00:00:00:00
filter_mac_37=00:00:00:00:00:00
filter_mac_38=00:00:00:00:00:00
filter_mac_39=00:00:00:00:00:00
filter_mac_40=00:00:00:00:00:00
MacClone=disabled
MacCloneAddr=00:00:00:00:00:00
remote_client_macaddr=
port_forwarding=
TriggerName=
TriggerPortRange=
IncomingPortRange=
TriggerEnabled=
MACPriorityLevel=0|0|0|0|0;
MACPriorityHostMAC=00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00;
MACPriorityHostEnabled=0|0|0|0|0|0;
AppPriorityLevel=0|0|0|0|0|0|0|0|0|0;
AppPriorityPortNum=0|0|0|0|0|0|0|0|0|0;
AppPriorityEnabled=0|0|0|0|0|0|0|0|0|0;
DataChlQSize=50
DSCPEnabled=1
dmz_enable=disabled
dmz_ipaddr=0
dmz_sour_ip_start=0.0.0.0
dmz_sour_ip_end=0.0.0.0
dmz_sour_check=Any
TimeZone=4
AutoDaylight=0
country=America
MTU_select=Auto
MTU=1500
RmtHttpCtrlFlag=disabled
RmtHttpPortNum=8080
AllowedCtrlFlag=disabled
allowed_start_remote_ip=0.0.0.0
allowed_end_remote_ip=0.0.0.0
remote_upgrade_mode=disabled
upnp_mode=enabled
upnp_usr_conf_mode=enabled
upnp_usr_disable_access_mode=enabled
ScheduleName=---#---#---#---#---#---#---#---#---#---
ScheduleList=8:24|8:24|8:24|8:24|8:24|8:24|8:24|8:24|8:24|8:24
IPFilter0=0|0|0|0|0|0|0-0|0-0|0-0|0-0
IPFilter1=0|0|0|0|0|0|0-0|0-0|0-0|0-0
IPFilter2=0|0|0|0|0|0|0-0|0-0|0-0|0-0
IPFilter3=0|0|0|0|0|0|0-0|0-0|0-0|0-0
IPFilter4=0|0|0|0|0|0|0-0|0-0|0-0|0-0
IPFilter5=0|0|0|0|0|0|0-0|0-0|0-0|0-0
IPFilter6=0|0|0|0|0|0|0-0|0-0|0-0|0-0
IPFilter7=0|0|0|0|0|0|0-0|0-0|0-0|0-0
IPFilter8=0|0|0|0|0|0|0-0|0-0|0-0|0-0
IPFilter9=0|0|0|0|0|0|0-0|0-0|0-0|0-0
MACFilter0=00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00
MACFilter1=00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00
MACFilter2=00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00
MACFilter3=00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00
MACFilter4=00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00
MACFilter5=00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00
MACFilter6=00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00
MACFilter7=00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00
MACFilter8=00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00
MACFilter9=00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00|00:00:00:00:00:00
PortFilter0=0:0:0|0:0:0|0:0:0
PortFilter1=0:0:0|0:0:0|0:0:0
PortFilter2=0:0:0|0:0:0|0:0:0
PortFilter3=0:0:0|0:0:0|0:0:0
PortFilter4=0:0:0|0:0:0|0:0:0
PortFilter5=0:0:0|0:0:0|0:0:0
PortFilter6=0:0:0|0:0:0|0:0:0
PortFilter7=0:0:0|0:0:0|0:0:0
PortFilter8=0:0:0|0:0:0|0:0:0
PortFilter9=0:0:0|0:0:0|0:0:0
FilterUdp=0-0-0|0-0-0|0-0-0|0-0-0|0-0-0|0-0-0|0-0-0|0-0-0|0-0-0|0-0-0
FilterTcp=0-0-0|0-0-0|0-0-0|0-0-0|0-0-0|0-0-0|0-0-0|0-0-0|0-0-0|0-0-0
FilterStatuss=0|0|0|0|0|0|0|0|0|0
FilterAllows=0|0|0|0|0|0|0|0|0|0
BlockWANFlag=enabled
IPSec_status=enabled
L2TP_status=enabled
PPTP_status=enabled
log_mode=disabled
log_ipaddr=0.0.0.0
chk_fw_hdr=enabled
fw_extension=fim
modle_id=LinksysWRT55AGv2
basic_realm=LinksysWRT55AG
restore_defaults=0

Serial Dump - 1.10 to 1.67 Upgrade

Rebooting AP...
unknown boarddata rev!
MACunit 0 enabled
MACunit 0 enabled

ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED


Atheros AR5001AP default version 4.0.0.2
Bootloader version 1.00


 0
auto-booting...

Attaching to TFFS... done.
Loading /fl/apimg1...1484992
Starting at 0x804846e0...

/fl/  - Volume is OK
apcfg: unknown config item nameaddr
apcfg: unknown config item domainsuffix
apcfg: unknown config item SntpServer
apcfg: unknown config item Telnet
apcfg: unknown config item Timeout
apcfg: unknown config item TimeZone
apcfg: unknown config item WME
apcfg: unknown config item WME
apcfg: unknown config item GPRS
apcfg: unknown config item GPRS
apcfg: unknown config item FtpVenDef
apcfg: unknown config item FtpUpdate
apcfg: unknown config item FtpScript
The wireless country domain : US.
AutoChanSelect on wireless i/f 0 ... disabled
The wireless country domain : US.
AutoChanSelect on wireless i/f 1 ... disabled
fopen /fl/dhcps_lease_entry fail !!!
Attaching interface lo0...done
DHCP server started.
wlan1 Ready
wlan0 Ready
Ready
Remote Web service ... disabled
start easyconf
Starting the blocking WAN PING service ... successful
Bandwidth Ctrl wizard ... disabled
add bridge port ae0
This is not a BOOTSTAP PKT, processing this DHCP_OFFER_PKT.
DHCP-OFFER -- chaddr : 00:12:17:6d:10:40 , wan_macaddr : 00:12:17:6d:10:40
This DHCP-OFFER Pkt is for this host ... accepting it.
DHCP-OFFER -- chaddr : 00:12:17:6d:10:40 , wan_macaddr : 00:12:17:6d:10:40
This DHCP-OFFER Pkt is for this host ... accepting it.
got lease now! LeaseGood = 0x0
stop igmp_proxy
NVRAM: Current Configuration Setup at 809dafe0
dns = 66.75.164.90
dnsproxy
-q
-d
-i
mirror0
-a
192.168.1.1
-S
66.75.164.90
-S
000.000.000.000
-S
000.000.000.000
UPnP Starts! LAN interface: mirror0, WAN interface: ae1
calling upnp_main
0x809ca970 (tUpnpd): arp_rtrequest: bad gateway value
Internet Access Policy ... stopped

Starting Internet Access Policy service ... successful
start igmp_proxy v1.3.3
Initializing iNetAccessTbl ( 256 entries available ) for Gemtek iNet firewall system ... successful
Initializing HTTPConnectionTbl ... Successful
Initializing the blocked Http URL table ... successful
Initializing the blocked Http keyword table ... successful
Initializing HTTPConnectionTbl ... Successful
HttpContentFilter service ( keyword, ActiveX, and Java-Applet ) ... stopped
current time is SAT FEB 18 13:02:48 2006

Serial Dump - 1.67 to 1.10 Downgrade

Rebooting AP...
Ù
ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED


Atheros AR5001AP default version 4.0.0.2
Bootloader version 1.00


 0
auto-booting...

Attaching to TFFS... done.
Loading /fl/apimg1...1395424
Starting at 0x804846e0...


FLASH IS 4M!
MACunit 0 enabled
MACunit 0 enabled
/fl/  - Volume is OK
Reading Configuration File "/fl/apcfg".
apcfg: unknown config item wmmParam
apcfg: unknown config item wmmParam
apcfg: unknown config item wmmParamBss
apcfg: unknown config item wmmParamBss
apcfg: unknown config item WMM
apcfg: unknown config item WMM
apcfg: unknown config item VLAN
apcfg: unknown config item VLAN
apcfg: unknown config item jswProfile
apcfg: no cmd!
apcfg: no cmd!
apcfg: byte mismatch 3560 != 3797
Bad cksum -- expected: 4aaf8, computed: 47b68, 47ead
apcfg: cannot set checksum: to 4aaf8
Can't parse configuration file.
Using factory default settings.
Attaching interface lo0...done
DHCP server started.
wireless access point starting...
add bridge port ae0
Auto Channel Scan selected 5280 MHz, channel 56
wlan0 Ready
wireless access point starting...
wlan1 Ready
Ready
Remote Web service ... disabled
start easyconf
Starting the blocking WAN PING service ... successful
vp0 macaddr = 00:12:17:6d:10:3d
vp65536 macaddr = 00:12:17:6d:10:3e
ae0 macaddr = 00:12:17:6d:10:3f
ae1 macaddr = 00:12:17:6d:10:40
got lease now! LeaseGood = 0x0
natcfg: writing to 0x802d4880
NVRAM: Current Configuration Setup at 80ffbc40
10.10.10.1 is alive
dns = 66.75.164.90
dnsproxy
-q
-d
-i
mirror0
-a
192.168.1.1
-S
66.75.164.90
-S
000.000.000.000
-S
000.000.000.000
UPnP Starts! LAN interface: mirror0, WAN interface: ae1
calling upnp_main
0x80987b00 (tUpnpd): arp_rtrequest: bad gateway valueInitializing iNetAccessTbl ( 256 entries available ) for Gemtek iNet firewall system ... successful
Initializing iNetAccessTbl ( 256 entries available ) for Gemtek iNet firewall system ... successful
Initializing iNetAccessTbl ( 256 entries available ) for Gemtek iNet firewall system ... successful
current time is SAT FEB 18 13:12:04 2006

Serial Dump - 1.10 Session

This is the same output as on the OpenWRT Wiki.

resetting to factory config.

ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED


Atheros AR5001AP default version 4.0.0.2
Bootloader version 1.00


 0
auto-booting...

Attaching to TFFS... done.
Loading /fl/apimg1...1395424
Starting at 0x804846e0...


FLASH IS 4M!
MACunit 0 enabled
MACunit 0 enabled
/fl/  - Volume is OK
restore defaults...
Using factory default settings.
fopen /fl/dhcps_lease_entry fail !!!
Attaching interface lo0...done
DHCP server started.
wireless access point starting...
wlan0 Ready
wireless access point starting...
wlan1 Ready
Ready
Remote Web service ... disabled
start easyconf
Starting the blocking WAN PING service ... successful
vp0 macaddr = 00:12:17:6d:10:3d
vp65536 macaddr = 00:12:17:6d:10:3e
ae0 macaddr = 00:12:17:6d:10:3f
ae1 macaddr = 00:12:17:6d:10:40
got lease now! LeaseGood = 0x0
natcfg: writing to 0x802d4880
NVRAM: Current Configuration Setup at 809f1880
10.10.10.1 is alive
dns = 66.75.164.90
dnsproxy
-q
-d
-i
mirror0
-a
192.168.1.1
-S
66.75.164.90
-S
000.000.000.000
-S
000.000.000.000
UPnP Starts! LAN interface: mirror0, WAN interface: ae1
calling upnp_main
0x809ced00 (tUpnpd): arp_rtrequest: bad gateway valueInitializing iNetAccessTbl ( 256 entries available ) for Gemtek iNet firewall system ... successful
Initializing iNetAccessTbl ( 256 entries available ) for Gemtek iNet firewall system ... successful
current time is SUN FEB 12 04:23:08 2006

add bridge port ae0
Initializing iNetAccessTbl ( 256 entries available ) for Gemtek iNet firewall system ... successful
Initializing iNetAccessTbl ( 256 entries available ) for Gemtek iNet firewall system ... successful


AP login:
Password: *****

Atheros Access Point Rev 3.3.1.25
wlan0 -> help
List of Access Point CLI commands:
 config wlan                        -- config wlanX
 connect bss                        -- connect to bssX
 del acl                            -- Delete Access Control List
 del key                            -- Delete Encryption key
 find bss                           -- Find BSS
 find channel                       -- Find Available Channel
 find all                           -- Find All BSS
 ftp                                -- Software update via FTP
 get acl                            -- Display Access Control List
 get aging                          -- Display Aging Interval
 get antenna                        -- Display Antenna Diversity
 get association                    -- Display Association Table
 get authentication                 -- Display Authentication Type
 get autochannelselect              -- Display Auto Channel Select
 get beaconinterval                 -- Display Beacon Interval
 get burstSeqThreshold              -- Display Max Number of frames in a Burst
 get burstTime                      -- Display Burst Time
 get channel                        -- Display Radio Channel
 get cipher                         -- Display Encryption cipher
 get config                         -- Display Current AP Configuration
 get countrycode                    -- Display Country Code
 get domainsuffix                   -- Display Domain Name Server suffix
 get dtim                           -- Display Data Beacon Rate (DTIM)
 get encryption                     -- Display Encryption Mode
 get fragmentthreshold              -- Display Fragment Threshold
 get frequency                      -- Display Radio Frequency (MHz)
 get gateway                        -- Display Gateway IP Address
 get groupkeyupdate                 -- Display Group Key Update Interval (in Seconds)
 get hardware                       -- Display Hardware Revisions
 get hostipaddr                     -- Display Host IP Address
 get ipaddr                         -- Display IP Address
 get ipmask                         -- Display IP Subnet Mask
 get key                            -- Display Encryption Key
 get keyentrymethod                 -- Display Encyrption Key Entry Method
 get keysource                      -- Display Source Of Encryption Keys
 get login                          -- Display Login User Name
 get minimumrate                    -- Display Minimum Rate
 get nameaddr                       -- Display IP address of name server
 get operationMode                  -- Display Operation Mode
 get pktLogEnable                   -- Display Packet Logging Mode
 get power                          -- Display Transmit Power Setting
 get radiusname                     -- Display RADIUS server name or IP address
 get radiusport                     -- Display RADIUS port number
 get rate                           -- Display Data Rate
 get reg                            -- Display the register contents at the given offset
 get remoteAp                       -- Display Remote Ap's Mac Address
 get rtsthreshold                   -- Display RTS/CTS Threshold
 get sntpserver                     -- Display SNTP/NTP Server IP Address
 get ssid                           -- Display Service Set ID
 get ssidsuppress                   -- Display SSID Suppress Mode
 get station                        -- Display Station Status
 get SuperG                         -- Display SuperG Feature Status
 get systemname                     -- Display Access Point System Name
 get tzone                          -- Display Time Zone Setting
 get uptime                         -- Display UpTime
 get wirelessmode                   -- Display Wireless LAN Mode
 get wlanstate                      -- Display wlan state
 help                               -- Display CLI Command List
 ping                               -- Ping
 pktLog                             -- Packet Log
 reboot                             -- Reboot Access Point
 run                                -- Run command file
 quit                               -- Logoff
 set acl                            -- Set Access Control List
 set aging                          -- Set Aging Interval
 set antenna                        -- Set Antenna
 set authentication                 -- Set Authentication Type
 set autochannelselect              -- Set Auto Channel Selection
 set beaconinterval                 -- Modify Beacon Interval
 set burstSeqThreshold              -- Set Max Number of frames in a Burst
 set burstTime                      -- Set Burst Time
 set channel                        -- Set Radio Channel
 set cipher                         -- Set Cipher
 set countrycode                    -- Set Country Code
 set domainsuffix                   -- Set Domain Name Server Suffix
 set dtim                           -- Set Data Beacon Rate (DTIM)
 set encryption                     -- Set Encryption Mode
 set factorydefault                 -- Restore to Default Factory Settings
 set fragmentthreshold              -- Set Fragment Threshold
 set frequency                      -- Set Radio Frequency (MHz)
 set gateway                        -- Set Gateway IP Address
 set groupkeyupdate                 -- Set Group Key Update Interval (in Seconds)
 set hostipaddr                     -- Set Host IP address
 set ipaddr                         -- Set IP Address
 set ipmask                         -- Set IP Subnet Mask
 set key                            -- Set Encryption Key
 set keyentrymethod                 -- Select Encryption Key Entry Method
 set keysource                      -- Select Source Of Encryption Keys
 set login                          -- Modify Login User Name
 set minimumrate                    -- Set Minimum Rate
 set nameaddress                    -- Set Name Server IP address
 set operationMode                  -- Set operation Mode
 set password                       -- Modify Password
 set passphrase                     -- Modify Passphrase
 set pktLogEnable                   -- Enable Packet Logging
 set power                          -- Set Transmit Power
 set radiusname                     -- Set RADIUS name or IP address
 set radiusport                     -- Set RADIUS port number
 set radiussecret                   -- Set RADIUS shared secret
 set rate                           -- Set Data Rate
 set reg                            -- Set Register Value
 set remoteAP                       -- Set Remote AP's Mac Address
 set rtsthreshold                   -- Set RTS/CTS Threshold
 set sntpserver                     -- Set SNTP/NTP Server IP Address
 set ssid                           -- Set Service Set ID
 set ssidsuppress                   -- Set SSID Suppress Mode
 set SuperG                         -- Super G Features
 set systemname                     -- Set Access Point System Name
 set tzone                          -- Set Time Zone Setting
 set wlanstate                      -- Set wlan state
 set wirelessmode                   -- Set Wireless LAN Mode
 timeofday                          -- Display Current Time of Day
 version                            -- Software version
 nvram                              -- nvram utility
wlan0 ->