Not404.com Legacy Projects
Actively Maintained Projects- AsusWL700gE - My attempts to fix the 2-Gigabyte BitTorrent client limitation in the Asus WL700gE Router's Firmware
- LaCie Ethernet Big Disk - My attempts to turn the LaCie Ethernet Big Disk into something much more useful.
- CentOS for the Xbox (XCentOS) - Not Started Yet, Sorry. Feel free to flame/prod me in the Comments below if you really want an RPM-based distro for Xbox. Otherwise, GentooX is probably the best maintained Linux Distro for the Xbox.
- Fedora Core 6 for the Xbox (XFedora6) - My attempts to run Fedora Core 6 on an Xbox
- Fedora Core 4 for the Xbox (XFedora4) - My port of Fedora Core's installer for the Xbox
- Atheros OpenWRT Port - My attempts to run OpenWRT on a Linksys WRT55AG v2
- SSH Tunnel Creator for NTLM / Microsoft Proxy - Create SSH Tunnels from behind Microsoft Proxy
- Rails on Fedora Core - How to Install Ruby On Rails, using Mongrel and Lighttpd, on Fedora Core 6 (FC6)
- SQL2005 From Linux Rails - How To Connect To SQL2005 From Ruby On Rails on Fedora Core 6 (Linux)
- DVD Burner in an Xbox HOWTO - How to add a Sony DWQ28A Dual-Layer DVD Burner to the Xbox. Also includes Digikey Parts, Datasheets, and miscellaneous notes to build a breakout adapter for the Xbox DVD connector.
- IOpener Firmware and Datasheets - "Wild Pencil" IOpener Support Files
Fedora Resources
Fedora ResourcesHOWTO: Connect RubyOnRails to SQL2005 on Fedora Linux
I've been very fortunate to lead an ETL project, using Ruby on Rails as the core engine. With a few weeks devoted to "Pure R&D Effort", I have come up with a mini-recipe of tweaks and connectivity layers necessary to connect a Rails Application (on Linux) to a SQL2005 Database. I hope my published instructions here are eloquent and sufficient enough to guide you through your own efforts along such a path.
System Requirements and Configuration Steps Involved
- UnixODBC >= 2.2.11
- FreeTDS >= 0.63
- Configure an ODBC DSN
- Ruby ODBC >= 0.996
- Rails ODBC >= 1.1
- Ruby DBI >= 0.1.1
- Various Plumbing and Best-Practices
While I'd love to use Rails-ODBC in the true "Bleeding-Edge" spirit of Fedora Core, Rails-ODBC isn't quite usable with SQL2005 at the time of this writing. If you need to use SQL2005 right now then you should try using the Ruby DBI layer until the Rails-ODBC solution matures a little more. This article documents both approaches, in anticipation of an updated Rails-ODBC that will be usable with SQL2005.
Specifically, in my experience, most SELECT queries work, but most UPDATE queries fail. Trace Logs show a properly formed query -- i.e. the query works fine if cut/pasted and run from SQL2005 Studio -- but FreeTDS reports a syntax error. When I have time, I'll dig deeper and see if I can fix it myself (or submit a detailed bug-report).. but for now, my boxes have to be up ASAP, so I'm moving forward with the Ruby-DBI solution as it seems to work better.
UnixODBC
Install UnixODBC
Fedora Core has a package out-of-box, so we'll use it:
- yum install unixODBC unixODBC-devel
Configure UnixODBC
Place variables similar to these in an /etc/profile.d global-settings file, or in your ~/.bashrc file
- export ODBCINI=/etc/odbc.ini
- export ODBCSYSINI=/etc
FreeTDS
(Easy Way) Download FreeTDS RPM
FreeTDS isn't included out-of-box in Fedora because of potential Intellectual Property issues. But Dries and others have an RPM that can be used:
- wget ftp.belnet.be/packages/dries.ulyssis.org/fedora/fc6/i386/RPMS.dries/freetds-0.63-1.2.fc6.rf.i386.rpm
- rpm -ivH freetds*i386.rpm
(The Hard Way) Build and Compile FreeTDS
FYI, I didn't take this approach, so you're on your on if you take this route. :-7
- wget ftp://ftp.ibiblio.org/pub/Linux/ALPHA/freetds/stable/freetds-stable.tgz
- tar -xvzpf freetds-stable.tgz
- cd freetds*
- ./configure
- make
- make install
Configure FreeTDS
- nano /etc/freetds.conf
- Add something similar to the following to the tail end of /etc/freetds.conf, substituting your own values as appropriate.
[SQL2005Host1] host = 192.168.1.101 port = 1433 tds version = 8.0
- See Also FreeTDS Configuration Options For Reference.
- See Also FreeTDS Protocol Selection For Reference.
Test FreeTDS
- tsql -S SQL2005Host1 -U UserName
You should be able to type in your password and get a ">" prompt. At this point, try fetching something from a database table, to make sure your connection and database access controls are how you expect them.
use SomeDatabaseName go select * from SomeTable go quit
Configure an ODBC DSN
- nano /etc/odbc.ini, and add a hunk similar to the following, Change values to suit your own environment.
[SQL2005DSN1] Driver = FreeTDS Description = ODBC Connection via FreeTDS Trace = No Server = 192.168.1.101 Port = 1433 TDS Version = 8.0 Database = SomeDatabaseName
- nano /etc/odbcinst.ini, and add a hunk similar to the following. Change the values to suit your own environment.
[FreeTDS] Description = ODBC Connection via FreeTDS Driver = /usr/lib/libtdsodbc.so.0 FileUsage = 1
Test UnixODBC Over FreeTDS
- isql SQL2005DSN1 MyUserID MyPassword should reveal something like the following:
+---------------------------------------+ | Connected! | | | | sql-statement | | help [tablename] | | quit | | | +---------------------------------------+ SQL>
Ruby-ODBC Module
Build and Compile Ruby-ODBC
- wget http://ch-werner.de/rubyodbc/ruby-odbc-0.9993.tar.gz
- tar -xvzpf ruby-odbc*gz
- cd ruby-odbc*[0-9]*
- ruby extconf.rb
checking for sql.h... yes checking for sqlext.h... yes checking for SQLTCHAR... yes checking for SQLLEN... yes checking for SQLULEN... yes checking for odbcinst.h... yes checking for dlopen()... yes checking for dlopen() in -ldl... yes creating Makefile
- make
- sudo make install
Test the Ruby-ODBC Module
- ruby -e 'require "odbc"'
You should just get back to the command prompt. if you get a LoadError, something is amiss within this step.
Rails-ODBC ActiveRecord Adapter
Build and Compile Rails-ODBC
Caution: At this writing, the Rails-ODBC Layer is not quite usable with SQL2005. Hopefully an updated version will be, though.
- wget http://rubyforge.org/frs/download.php/13979/rails-odbc-1.1.tgz
- tar -xvzpf rails-odbc*tgz
- cd rails-odbc*[0-9]
- sudo ruby install_odbc.rb
Make modifications as you see fit (I didn't change anything on my own boxes), and then type "i" to proceed with the installation.
Update config/database.yml
Modify your database.yml to something similar to this:
development: adapter: odbc dsn: SQL2005DSN1 username: MyUserID password: MyPassword trace: false convert_numeric_literals: true
Optional Patch To Get Current Database Name
The Rails-ODBC connection-adapter doesn't yet implement current_database. The following patch will implement a current_database function that gives the ODBC DSN in place of the current_database. For my needs (My application tells users what database they're working against), this is sufficient enough -- I can name my DSNs to reflect a meaningful name.
If you also have a need for current_database, add the following hunk of code to the tail-end of your Rails Application's environment.rb file:
# LALEE's Quick-Fix for ODBCAdapter
class ActiveRecord::ConnectionAdapters::ODBCAdapter
def current_database
@connection_options[0] # 0 == dsn name, 1 == username, 2 == password
end
end
Database Migrations and Type Mappings
I've noticed that using SQL2005 Databases under this solution is a bit more strict than using the Ruby-DBI/ADO solution under Windows. Specifically, I'm noticing type-mismatch complaints when using strings to search for text-fields. The following document may be helpful in identifying these issues:
Since this still a brand-new setup for me, I'm figuring out the best way to handle this for my application. In the end, I may just decide to patch Rails-ODBC to test field-types and maybe figure out how to rework things at that layer. We'll see.
Ruby-DBI
Build and Compile Ruby-DBI
- wget http://rubyforge.org/frs/download.php/12368/dbi-0.1.1.tar.gz
- tar -xvzpf dbi-0.1.1.tar.gz
- cd ruby-dbi
- sudo ruby setup.rb config --with=dbi,dbd_odbc
- sudo ruby setup.rb setup
- sudo ruby setup.rb install
Update config/database.yml
Modify your database.yml to something similar to this:
development: adapter: sqlserver mode: odbc dsn: SQL2005DSN1 username: MyUserID password: MyPassword
Various Plumbing and Best-Practices
(More to Come)
Additional References
This article could not have been put together without referring to older documentation:
Contacting The Author
If you need additional Ruby on Fedora support, or are looking to hire an experienced Ruby On Rails Developer, feel free to contact me (Laurence Lee) as username lalee_net, at yahoo.com.
User Comments and Feedback
Comment by juanvidal2@hotmail.com on Mon May 28 10:56:51 2007
HI.. i need to do this connection but I wanna ask U if U want to send me a copy of one of your programs who reallly works...TKS
Comment by lalee on Mon May 28 15:52:24 2007
Hi juanvidal2,
I wish I could provide you with the source code that uses SQL2005 as the back-end, but it was done as a work-for-hire. All I can really say is that it's an ETL application that uses two databases concurrently, and that the company I wrote it for is reselling it in the Insurance/Finance sector.
The above instructions work OK -- about the only gotchas I remember are in making sure the SQL2005 databases have ANSI-Nulls enabled. (Found in the properties tab when you right-click the database in SQL2005 Manager.)
HOWTO: Install Ruby on Rails on Fedora Core (Mongrel + Lighttpd)
The goal of this article is to create a "Production-Quality" Rails Server. Thus, the best possible technologies (strictly my opinion) have been selected at the time of this writing to achieve this goal.
Unlike other developers, I prefer to install my Rails Applications under Web Subdirectories, such as http://www.not404.com/MyRailsApp, instead of running it as a Root Application of a Web Root, such as http://MyRailsApp.not404.com/. These instructions are geared for how I lay things out, but will let you know what to adjust in order to run your Rails Apps as traditional Web-Root Applications.
You may also notice that these instructions are SQLite3-oriented. This is intentional. IMHO, it's better to use the simplest-case database to prove that everything else is properly stitched together. Then, once you're satisfied that everything is properly locked down and performance-tuned, you can focus your attention on tying your Rails Application to a real database.
- Fedora Core (6 or later)
- Ruby on Rails
- Mongrel Ruby Application Server
- Lighttpd Web Server
- Various Plumbing and Configuration "Best Practices" to stitch it all together. :-)
Related Articles:
Update For Fedora 8
The Ruby on Rails support in Fedora 8 is superb, and there are RPMs that handle everything about this configuration. Note that the most common Ruby Gems are available as rubygem-* in the Yum Repositories. (You can do a yum search rubygem for a complete list of Fedora-Supplied Ruby Gems).
Thus, through Fedora 8's Yum support, you can install Rails, Lighttpd, and Mongrel in one command:
yum install ruby ruby-devel rubygem-rails rubygem-mongrel lighttpd lighttpd-fastcgi
The following instructions are specific to Fedora Core 6. If you're using Fedora 8, you can skim through most of the Installation Procedures, but pay attention to the Configuration Procedures -- particularly for the Lighttpd Proxy and the Mongrel Cluster as a Startup Service.
Fedora Core 6: The Base Server
- Install Fedora Core 6. Enable the "Development Tools" group in the initial setup screens.
- do a yum -y update to get the latest update patches
- Optionally, do a visudo to configure "sudo" access.
If you missed the "Development Tools" checkbox, do a yum -y groupinstall "Development Tools" to install it now. You'll need the GCC compiler to build some Ruby Gems, it makes sense to have it ready here. After everything's configured, you may decide to do a yum -y groupremove "Development Tools" to remove the C compiler and other tools from your production box.
Ruby On Rails
- yum -y install ruby ruby-devel ruby-irb ruby-libs ruby-rdoc ruby-ri rubygems
- yum -y install ruby-sqlite3
- Now, we can use Gem to get the latest Rails Framework:
- sudo gem install rails --include-dependencies
Optional (But Recommended) Yum Packages
- ruby-sqlite3
- ruby-mysql
- ruby-postgres
- ruby-clearsilver
- ruby-racc
- subversion-ruby
- ruby-docs
Mongrel Ruby Application Server
- sudo gem install gem_plugin daemons capistrano --include-dependencies
- sudo gem install mongrel mongrel_cluster railsmachine --include-dependencies
- sudo /usr/sbin/adduser -r mongrel (This creates a mongrel user, as suggested in Bryan Thompson's Blog).
As I've mentioned before, I prefer to install my Rails Applications under Web Subdirectories, such as http://www.not404.com/MyRailsApp. Most of the other deployment tutorials and strategies advocate installing the Rails Application under the Web Root directory: http://MyRailsApp.not404.com/.
To correctly handle Rails Applications running under Web Subdirectories , we need to use Mongrel's --prefix support, recently added in Mongrel Cluster 0.2.1. At this writing though, Mongrel Cluster 0.2.1 is still a pre-release version, so it needs to be installed from their "trunk" repository, instead of from the standard Gem Repositories.
To get the Pre-Release version of Mongrel Cluster to let us run Rails Applications under Web Subdirectories, run this command:
- sudo gem install mongrel_cluster --source http://railsmachine.rubyforge.org/releases/
- sudo gem cleanup
Test Mongrel and Rails As a Non-Root User
- cd ~
- rails testapp
- cd testapp
- mongrel_rails start
Launch firefox, and go to http://localhost:3000 -- you should get the "Welcome Aboard" web page. You can now stop Mongrel, so we can configure it as a Service.
Configure Mongrel for Production
Because everyone lays out their Production Directories differently, I'll just call the Production Root Directory $PRODUCTION in this article, and I'll assume that Application Instances are in subdirectories, which I'll call $APP_ROOT. For my Production Servers, I like to lay things out this way -- it makes things easier to create master startup scripts that can iterate over all $APP_ROOT instances in $PRODUCTION. I also configure $APP_PORT to a unique service port for each instance on my Production Server.
Please substitute my variables with your own directory structures as appropriate.
If you're following along with my layout, now's a good time to copy ~/testapp to your Production Area:
- sudo mv ~/testapp /$PRODUCTION
- sudo chown -R mongrel:mongrel /$PRODUCTION/testapp
Install Mongrel_Cluster a Startup Service
- sudo mkdir /etc/mongrel_cluster
- find /usr/lib/ruby -type f -name "mongrel_cluster" -exec sudo cp -ap {} /etc/init.d/ \;
- sudo chmod +x /etc/init.d/mongrel_cluster
- sudo /sbin/chkconfig --level 345 mongrel_cluster on
Install Mongrel_Cluster Controller Tool
(I've not found a use for this, but since others think it's important enough to document, I've put it in . . .)
- find /usr/lib/ruby -type f -name "mongrel_cluster_ctl" -exec sudo ln -s {} /usr/bin; \;
Configure Mongrel_Cluster For Each Application Instance
(NOTE: The following hunk is a pseudo-script, just to give you an idea of what I do on my machines. It's not a complete bash script)
- export APP_PORT=8000 # Change this as needed
- export APP_NODES=3 # Change this as needed
- cd $PRODUCTION/$APP_ROOT
- sudo mongrel_rails cluster::configure -e production -c $PRODUCTION/$APP_ROOT -p $APP_PORT -N $APP_NODES -a 127.0.0.1 --user mongrel --group mongrel --prefix /$APP_ROOT
- sudo ln -s $PRODUCTION/$APP_ROOT/config/mongrel_cluster.yml /etc/mongrel_cluster/$APP_ROOT.yml
Note that my instructions above include the new --prefix $APP_ROOT command, which allows Mongrel Applications to properly "ignore" the prefix. Prior to this Mongrel Enhancement, we needed to configure Apache or Lighttpd to strip out this prefix.
If you're running your Rails Apps as the web server root application, remove the --prefix /$APP_ROOT additions.
Lighttpd Web Server
At this point, you now have your Mongrel-Rails Applications properly configured to run as Startup Services. (They'll automatically startup when your machine reboots). Now it's time to stitch together the Lighttpd Web Server as our front-end.
Install Lighttpd
- sudo yum -y install lighttpd
- sudo /sbin/chkconfig --level 345 lighttpd on
Configure Lighttpd For Mongrel
- sudo nano /etc/lighttpd/lighttpd.conf
Uncomment the mod_proxy module, as we'll need that to dispatch requests to our Mongrel Serves.
Additional (Recommended) Modules For Lighttpd
Out of the Box, Fedora's Lighttpd configuration is rather light. You may want to uncomment these additional modules to get more functionality.
- mod_rewrite
- mod_redirect
- mod_access
- mod_accesslog
- mod_compress
Configure A Mongrel-Cluster In Lighttpd
Add a hunk of code similar to the following to the tail end of /etc/lighttpd/lighttpd.conf:
proxy.balance = "fair"
proxy.server = ( "/testapp" =>
( ( "host" => "127.0.0.1", "port" => 8001 ),
( "host" => "127.0.0.1", "port" => 8002 ),
( "host" => "127.0.0.1", "port" => 8003 ) ) )
You will need to change the /testapp prefix to the name of your Rails Application. Remember that $APP_ROOT variable that we passed to Mongrel as --prefix? Yes, the value you input here must match that --prefix value. Obviously, you will also need to change the Mongrel Server-Ports to match your $APP_PORT, up to $APP_NODES instances for this server pool.
If you are running your apps in the root-directory, change "/testapp" to "/"
That should be it! Now you can fire up the whole shebang and cross your fingers:
- sudo service mongrel_cluster start
- sudo service lighttpd start
Various Plumbing and Best-Practices
(more to come)
Additional References
This article couldn't have been put together without referring to older documentation:
- Official Mongrel FAQ
- Official Mongrel-Lighttpd HOWTO
- Apache 2.2 + Mongrel on Fedora Core 5 installation guide
- Five-Minute Rails Application Deployment
- Time For A Grown-Up Server: Rails, Mongrel, Apache, Capistrano and You
- Installing Ruby on Rails on Fedora Core 5
- Installing Ruby on Rails with Lighttpd and MySQL on Fedora Core 4
- Rails on Fedora
- Mongrel Cluster 0.2.1 pre-release Announcement
Contacting The Author
If you need additional Ruby on Fedora support, or are looking to hire an experienced Ruby On Rails Developer, feel free to contact me (Laurence Lee) as username lalee_net, at yahoo.com.
User Comments and Feedback
Comment by Aaron on Thu Mar 29 16:25:33 2007
I actually wrote the BryanThompsons blog article, you have a great howto here, good work!
Comment by anonymous on Thu May 3 12:04:27 2007
Thanks for the HOWTO... worked like a charm for my very first Rails installation :-)
Comment by Sam Pierson on Thu Jun 14 14:46:34 2007
In section: Install Mongrel_Cluster a Startup Service I think you mean:
- sudo mkdir /etc/init.d/mongrel_cluster
Comment by lalee on Wed Jun 20 17:13:44 2007
Sam,
It's a matter of personal preference, I suppose. I create /etc/mongrel_cluster as a directory that stores all of the Mongrel Configuration Files deployed across all applications. For me, it makes more logical sense to keep it as a subdirectory of /etc (the system-wide configuration directory), rather than in /etc/init.d (the system-wide configuration-scripts repository).
As far as I can tell in Fedora's layout, most of the services have configuration directories directly under /etc, too, so at least I'm being consistent with what's already in place. :-)
Comment by anonymous on Sat Oct 27 22:59:10 2007
The biggest problem I have with FC6 is that rails for the x64 version is still stuck at 1.8.5. This is inadequate if you use certain methods ( Time.to_datetime for example). I'm trying to manually build Ruby 1.8.6 and rubygems, but the rubygems installer complains about missing zlib.. any thoughts?
Comment by michael on Sat Oct 27 23:00:10 2007
previous should have read "ruby for the x64 version".
Comment by lalee on Sun Oct 28 01:37:06 2007
You might want to upgrade to Fedora7, or wait to grab Fedora8 since it's scheduled for release on November 8. Fedora7-x64 has Ruby 1.8.6 available.
Comment by Lou Arnold on Sun Nov 18 09:19:21 2007
This was quite good, but for us Ruby first timers, it might be nice to give somewhat more: 1) Folders to change to before executing commands. 2) For optional packages/utilities - what are they/why or when would you need them. 3) Some servers - Mongrel in particular - would go on a second server computer. It would be nice to have some sense of how those are configured to work with Ruby and Rails on a development computer.
Comment by lalee on Mon Nov 19 13:19:11 2007
Thanks for the feedback, Lou. I have been considering an overhaul of this article for Fedora8 for quite some time, and those suggestions will help take it into a new direction.
Best Regards,
Laurence Lee
Hardware Hacking Projects
Hardware Hacking ProjectsD900T Technical Support
Lalee's Notes on Rebuilding an Alienware 7700
Motherboard Diagnostic Codes
"3 Flashing Lights" (Scroll Lock, Caps Lock, Num Lock)
Upon startup, the scroll lock, caps lock, and num lock keep flashing for a few seconds, and then the laptop shuts off. The computer does manage to complete a POST.
According to a post on NotebookReview.com, this happens because the GPU (Video Card) is not properly seated.
Symptoms and Possible Solutions
System won't start. Blue "Power LED" is on, "HD Activity" LED is on, CD-ROM clicks a few times. The Screen Backlight does not illuminate. The machine does not manage to complete a POST. Pressing Fn+F2 (for newer BIOSes) does not activate the fans.
Remove and reinstall the RAM. By installing one stick at a time, powering up the machine to see if it POSTs, and then adding additional sticks of RAM one at a time, you will reseat the connections and hopefully that's all you need. At the worst case, you should be able to identify a bad stick of RAM.
Other things to watch for: Whether or not the front panel ("Audio DJ") clock illuminates. I always set my D900T motherboards to illuminate the clock.
More notes to come . . . feel free to add to the list.
Also of interest: There is a 10-pin "Debug" port to the lower right end of the D900T Keyboard connector. I doubt that's simply for POST diagnostics cards, and I suspect it's a JTAG connector.
Other Ideas
I've recently been seeing a crapload of broken "Revision 6.x" motherboards. Half are dead ("Non Starting") like the "Revision 5.x" motherboards I've seen. The ones that do POST almost always have problems with the RAID controller recognizing hard drives.
There is at least one MiniPCI SATA/IDE Controller commercially available. Out of desperation and convenience, it may be possible to use something like that to route a ribbon cable from the upper motherboard (where the MiniPCI slots are) down to where the HD caddy is. Of course, you'd need to ditch the stock D900T HD cable.
You could also probably rig something with a PCMCIA SATA/IDE controller; or find something to take up the spare Optical Slot to accept a 2.5" hard drive.
Hacking on the Asus WL-700gE
My primary reason for owning an Asus WL-700gE is to use the included, built-in bittorrent client to share the large DVD images that contain the latest Fedora Linux releases. I started out with a 160-Gig model that contains Firmware 1.0.4.6. Unfortunately, the built-in bittorrent client is based on a faulty code-base that can't handle sharing content larger than 2 Gigabytes. That's a problem for my purposes, as Fedora Installer DVD images are typically 3 Gigabytes' worth of data.
Other fine hacker efforts, such as those led by KFurge, address this issue by rebuilding the Open-Sourced firmware provided by Asus, and have dropped in command-line versions of bittorrent clients. If you're a power-user who's comfortable with using Telnet or SSH to access yoru router, you should definitely look into that alternative strategy.
The approach I'm taking is far more time-consuming (and frustrating), because I'm trying to build a drop-in replacement of the ctorrent binary included with Asus' firmware. Thus, I need to do some reverse-engineering of some Asus-customized protocols used for the Web User Interface to communicate with the bittorrent client; as well performing a clean-room rebuild of ctorrent by using the updated code from the enhanced-ctorrent project. Enhanced-ctorrent does not exhibit the 2-Gigabyte limitation.
Until I can build such a drop-in replacement, which will be useful in the Web User Interface, I'll need to use the telnet or ssh backdoor into the router and initiate command-line sessions to share the larger Fedora Linux installation DVDs.
[Updated 2007-June-12]
According to a forum thread at the wl500g.info website, a new Firmware version, 2.0.0.7, is floating in the wild. Unfortunately, the early reports suggest that large BitTorrent downloads STILL don't work! That's a definite bummer, so it looks like I'll need to continue with my efforts to reverse-engineer the custom ctorrent client in order to replace the binary that is included with the Asus-shipped firmware.
On a positive note, though, the updated Web User Interface bundled with this new Firmware revision has definitely improved.
What I've Discovered About Asus' Ctorrent
To aid in my hacking efforts, I have done the serial-port mod, and am successfully using a Hacked Cell-Phone USB data cable to communicate with the router's serial port (115200,N81). Tip: you might be able to find hackable USB Data Cables, red-tagged (clearance) for $10 or so at your local Radio Shack. Find a Radio Shack store that is "slow" (less turnaround of merchandise -- i.e. in a small neighborhood strip-mall), and hunt around in the cell-phone accessories section.
I have also gone through the exercise of building up a development-environment that allows me to cross-compile enhanced-ctorrent for this router. It was through the exercise of injecting my own ctorrent executable into the firmware that I discovered that my fix was far more involved than simply replacing a binary. Ah well, it's never easy with these things.
Furthermore, I have been spelunking in /proc to examine things like command-line parameters, startup directories, and file-handles. I discovered an undocumented command-line switch is being used, -D. This parameter was added by Asus to identify the Root Downloads Directory -- which I'll call $DLDIR throughout this document. Unfortunately, this conflicts with the -D parameter of enhanced-ctorrent, which uses it to define the Download Rate. No biggie, it's a minor source-code change to enhanced-ctorrent to get things in order.
Anyways, the -D parameter specifies the parent directory of InComplete, Complete, .logs, and .sems -- I'll get to those last two directories in a moment, as they're of particular interest here. Thus, when you run the stock ctorrent client with a proper value for -D, you'll get visual confirmation on the Serial Console that the ctorrent client knows to use the InComplete and Complete directories under the directory passed in via -D.
From my observations, the stock ctorrent client has been modified to write a "status update" file into the $DLDIR/.logs directory (using the process id as part of the filename). This file is repeatedly read by the stock giFT daemon, which in turn maintains statistics that are displayed in the Web GUI. (Torrent Filename, Size, Protocol, etc..). It's pretty easy to snarf a copy of a log file of a running ctorrent process, strategically twiddle a few bytes, and see how they impact what's displayed in the WebGUI. The only tricky part is that you'd need to hijack a freshly-launched ctorrent process to do so.
At this point, all I'm really interested in discovering here are the simple metrics, like percentage complete and process status (Processing, Paused, Stopped, etc.). At least figuring out how to decode the Torrent Filename is pretty obvious, as it's plain-text. :o)
The $DLDIR/.sems directory contains a "sem" file (again, uniquely identified by process-id), which I believe is nothing more than a Process-Control Pipe that allows the giFT Daemon to send runtime-commands to the ctorrent client.
Recent Developments
2007-May-20 - Successful Debug-Tracing!
I managed to trace-log a session under the router, and now have enough to start building in "Asus-Compatible" extensions to Enhanced-CTorrent. There's now a light at the end of the tunnel, and I should have a first cut working within the week. Depending on how ambitious I get with the Hex-Calculator, getting all of the "Status Counters" working under Download Manager may take a bit longer.
2007-May-13 - Fixed Sources to compile on Kernels > 2.6.18
I rebuilt my development environment over the weekend, getting rid of the Debian under VMWare solution, in favor of using the environment of my native Fedora workarea. I was really only using Debian to work around some issues in other experimental attempts, and Debian uses a kernel version that doesn't suffer from the UTS_RELEASE undefined problem.
It seems that recent Linux Kernels have pulled the carpet on nfs_utils -- instead of including linux/version.h, you need to include linux/utsrelease.
Thus, the contents of my /opt/WL700g/nasoc/src/apps/nfs-utils/tools/getkversion/getkversion.c would ideally read as follows:
/*
* Get version number of the kernel this was compiled for.
* This is NOT the same as calling uname(), because we may be
* running on a different kernel.
*/
#include "config.h"
#include <linux/utsrelease.h>
#include <stdio.h>
int
main(void) /* This is for Dan Popp ;) */
{
printf("%s\n", UTS_RELEASE);
return 0;
}Unfortunately for me, that doesn't quite work in my build-environment. For some daffy reason that I've got to track down, including <linux/utsrelease.h> fails on Fedora 7. I'll figure this out later, I'm too lazy to fix this seemingly useless nfs-utils tool right now...
I also needed to add the -lcrypt flag to pppd/pppd/Makefile. Interesting that it compiled fine under Debian, but not in Fedora 7. *Shrug*. Ah well. Moving on . . .
2007-May-11 - Multiple versions of ctorrent exist in the Build Environment.
ctorrent-1.3.4.5.e reveals the useful information:
# ./ctorrent -e0 -D/shares/MYVOLUME1/MYSHARE1/Download ctorrent-1.3.4.5.e complete path is /shares/MYVOLUME1/MYSHARE1/Download/Complete incomplete path is /shares/MYVOLUME1/MYSHARE1/Download/InComplete CTorrent devel Copyright: YuHong(992126018601033) WARNING: THERE IS NO WARRANTY FOR CTorrent. USE AT YOUR OWN RISK!!! Generic Options: -h/-H Show this message. -x Decode metainfo(torrent) file only, don't download. -c Check exist only. don't download. Download Options: -e int Exit while seed <int> hours later. (default 72 hours) -p port Listen port. (default 2156 -> 2106) -s save_as Save file/directory/metainfo as... -C cache_size Cache size,unit MB. (default 16MB) -f Force seed mode. skip hash check at startup. -b bf_filename Bit field filename. (use it carefully) -M max_peers Max peers count. -m min_peers Min peers count. -B rate Max bandwidth (unit KB/s) -P peer_id Set Peer ID [-CT1304-] Make metainfo(torrent) file Options: -t With make torrent. must specify this option. -u url Tracker's url. -l piece_len Piece length.(default 262144) eg. hong> ctorrent -s new_filename -e 12 -C 32 -p 6881 eg.torrent home page: http://ctorrent.sourceforge.net/ bug report: bsdi@sina.com
ctorrent-1.3.4.700gE.9.a - does not give much useful information -- the InComplete/Complete? directory knowledge doesn't show up:
# ./ctorrent -e0 -D/shares/MYVOLUME1/MYSHARE1/Download ctorrent-1.3.4.700gE.9.a CTorrent devel Copyright: YuHong(992126018601033) WARNING: THERE IS NO WARRANTY FOR CTorrent. USE AT YOUR OWN RISK!!! Generic Options: -h/-H Show this message. -x Decode metainfo(torrent) file only, don't download. -c Check exist only. don't download. Download Options: -e int Exit while seed <int> hours later. (default 72 hours) -p port Listen port. (default 2156 -> 2106) -s save_as Save file/directory/metainfo as... -C cache_size Cache size,unit MB. (default 16MB) -f Force seed mode. skip hash check at startup. -b bf_filename Bit field filename. (use it carefully) -M max_peers Max peers count. -m min_peers Min peers count. -B rate Max bandwidth (unit KB/s) -P peer_id Set Peer ID [-CT1304-] Make metainfo(torrent) file Options: -t With make torrent. must specify this option. -u url Tracker's url. -l piece_len Piece length.(default 262144) eg. hong> ctorrent -s new_filename -e 12 -C 32 -p 6881 eg.torrent home page: http://ctorrent.sourceforge.net/ bug report: bsdi@sina.com
2007-May-11 - Special Files ?
- $DLDIR/.logs/dm.jqs
- $DLDIR/.sems/sem.jqs
It seems that ctorrent was coded to recognize those two as well. When I launch ctorrent solely on the command-line (without the help of giFT or snarf), giFT still knows about it. Despite my renaming the files (and creating zero-length substitutes as plain-files), the Asus-customized ctorrent client knows how to send a signal to giFT -- it's not happening through these files:
# /apps/bin/ctorrent-oob -e0 -D/shares/MYVOLUME1/MYSHARE1/Download f7-test4-live-i386.torrent ctorrent-1.3.4.700gE.9.a sem error :: No such file or directory Cannot open semsem error :: No such file or directory Cannot open semsem error :: No such file or directory Cannot open semf7-test4-live-i386F-6.93-i386-Live.isoSHA1SUMf7-test4-live-i386F-6.93-i386-Live.isoSHA1SUMf7-test4-live-i386F-6.93-i386-Live.isoSHA1SUMf7-test4-live-i386F-6.93-i386-Live.isoSHA1SUM guest_from (suit_num) is 1 (0:BIG5 ,1:GB2312, -1:UTF-8), possible sets are 2 gift: err completed : send fail gift: err completed : send fail gift: err completed : send fail sem error :: No such file or directory sem error :: No such file or directory sem error :: No such file or directory sem error :: No such file or directory sem error :: No such file or directory sem error :: No such file or directory sem error :: No such file or directory ctorrent term write # # # ls -l ../.sems -rw-r--r-- 1 root root 0 May 11 21:35 sem.jqs prw-r--r-- 1 root root 0 May 11 21:33 sem.jqs.oob # sem error :: No such file or directory ls -l ../.logs --wT--T--t 1 root root 0 May 11 21:33 dm.jqs.oob ---------- 1 root root 768 May 11 21:37 log.531 # sem error :: No such file or directory sem error :: No such file or directory sem error :: No such file or directory sem error :: No such file or directory sem error :: No such file or directory sem error :: No such file or directory sem error :: No such file or directory
Loud Thinking
Hmm, the parent (caller) probably creates the .sem file, and the child (ctorrent) continually tries to open the .sem file. The parent gets back the Process-ID of the child from the exec() or system() call, and uses it to construct the .sem filename.
The child creates the .log file, free-and-clear. It also communicates this fact to giFT, as gift comes back with "gift: err completed : send fail". I'm guessing ctorrent is auto-failing because it can't open its sem file?
My Next Steps
I need to make a "wrapper" application that emulates the Logs and Sems behavior. The wrapper will then launch the real ctorrent client and proxy all traffic that run across the pipe -- while simultaneously dumping traffic out to the Serial Console. This is pretty much identical in concept to tee, and I'm only doing it to aid my understanding of what WebGUI Actions correspond to what process-control commands over the pipe.
Once I have the full list of commands that I'd need to reimplement, I can begin writing a patch to enhanced-ctorrent to emulate all of the Customized Behavior that Asus put into the original ctorrent: Using $DLDIR/InComplete as a staging area, moving completed files to $DLDIR/Complete, logging progress in $DLDIR/.logs, and accepting process-control commands via a sem file in $DLDIR/.sems.
If things go well, I should have this wrapped up in another weekend or two. If you're tracking this project and I've been dragging ass on this, though, please ping me through the Comments Section below. I often bounce around between several projects, which means that some things can wind up on hold for quite some time. I can't tell that anyone (aside from me) is interested in seeing this through in a timely fashion without some feedback. :-)
Right now, my goal (which is aggressive) is to have this ready by the time Fedora 7 is released. I bought this router for the sole purpose of downloading and sharing those huge Installer-DVD iso files, and they're way larger than the 2-Gigabyte limitation I'm encountering with this router. Thus, without this fix, the router is absolutely useless for the purpose I originally bought it for.
Still, though, it's a nice, hackable device that I'm going to tear into a lot more -- I just wanted the stock firmware to tide me over for a few months. *Grumble* *Grumble*
Older Notes on Recompiling the Firmware
(Yea, I know this procedural description sucks. It'd be nice to rework this into a bash-script that automagically downloads the file and does all of this, but that's a low priority item on my huge task list. Sorry.)
- Obtain the Sources
- Go to the WL-700gE Support Site
- Enter "wl-700ge" in the search-box
- Scroll down to the latest GPL source code for firmware version 1.0.4.6 at this writing)
- Download from the appropriate mirror for your region
- Unpack the sources to /opt
- cd /opt - yes, it must be in /opt.
- unzip GPL_WL700gE_1046.zip - this produces a LICENSE text file, and two tarballs: One for the toolchain, and one for the sources.
- tar -xvzpf toolchain_wl700ge.tar.gz - this unpacks the toolchain to ./brcm
- tar -xvzpf GPL_WL700gE_1.0.4.6.tar.gz - this unpacks the sources to ./WL700g
- Working Environment Adjustments
- ln -s /bin/bash /bin/ash - the build-scripts really want the ash shell, which is a scaled-down version of bash. If you want, you can install a "real" ash like this one for FC3.
- ln -s /sbin/mkfs.cramfs /sbin/mkcramfs - the build scripts expect and use mkcramfs, so we'll just create a symbolic link to finesse around this.
- chown -R $USER:$USER /opt/brcm /opt/WL700g - this makes sure you "own" all the files. (The second $USER in "$USER:$USER" is really to name the Group ID. I'm assuming that your Group ID is the same as your User ID - which is the default in Fedora).
- chmod u+w -R WL700g/* - this makes sure you can write all the files.
- find WL700g -type d -exec chmod u+x {} \; - this makes sure you can navigate through all the direcctories.
- export PATH=$PATH:/opt/brcm/hndtools-mipsel-uclibc/bin:/opt/brcm/hndtools-mipsel-linux/bin
- cd /opt/WL700g/nasoc/src/apps
- Customize / Adjust Busybox Settings
- make menuconfig
- mv Config_ASUS Config_ASUS.oob ; mv .config Config_ASUS - save the original (out-of-box) Asus Apps configuration, and move our new version in its place.
- Build / Rebuild Firmware Apps
- make clean && make rebuild
Additional References
This article couldn't have been put together without referring to older documentation:
- Customizing the Asus WL700gE NAS Router - KFurge's Notes on rebuilding and customizing the 1.0.4.6 Firmware, using ready-made ipkg repositories.
- HOW-TO: Compiling the firmware for version 1.0.4.6 - wl500g.info's thread on rebuilding the firmware.
- WL-700gE/RebuildFirmware on freesa.org - FreeSA.org's notes on rebuilding the firmware.
- Scratchbox.org - It may be possible to cobble together a compatible mipsel-QEmu environment.
- CrossToolToolchainPreApophis - CrossTool notes from Scratchbox.
- sw's QEmu Project - From an OpenWRT thread, an AR7 QEmu solution for OpenWRT. Clever.
- ASUS WL-600g hacking - ideas on how to get the Asus Toolchain to compile what I want.
Hacking on the Linksys WRT55AG v2
Update 2008-January-20
I have taken a renewed interest in hacking these routers, and will be taking another stab at rebuilding the firmware based on the latest source code available in the OpenWRT project's repositories. I've given away most of my other routers to friends and family who either needed quick replacements for their dead Internet Routers, or needed something that operated in "Wireless Bridge Mode".
Thus, with all of my "Good" routers spoken for, I'm a whole lot more motivated to get some of these unused WRT55AG routers back into service.
OpenWRT Kamikaze Compilation Notes
- make menuconfig, select Atheros AR531x as board type.
- Select Busybox and Package Options as desired.
- It's a good idea to compile lrzsz, files can be exchanged over the serial-port if needed.
- Upgrade MadWifi Driver to madwifi-ng-r1456-20060225.tar.gz
- Adjust the filename in target/linux/package/madwifi/Makefile
- Adjust the MD5 sum, which is 27ccc5ba2e463fd8bee6da74d717731d
- While you're in there, add this line to the Makefile:
- ATH_SUPERG_FF := y
- Remove target/linux/package/madwifi/patches/103-*.patch -- it's already applied in this newer version.
- Edit target/linux/package/madwifi/patches/100-*.patch -- remove all occurrences of "-mips32" -- it conflicts with a "-mips3" cpu flag that I've yet to figure out its origin.
- edit top-level .config file, change all occurences of "mipsel" to "mips". (Only in the Busybox Cross-Compiler prefix; and even then, I'm not sure if it really helps)
- Create Directory: target/linux/image/ar531x
- mkdir target/linux/image/ar531x
- cp -apf target/linux/image/brcm target/linux/image/ar531x
- (Yes, I know it'll create unusable (*.trx) files -- we just want the damn thing to compile right now..)
- Edit the AR531x Kernel Configuration File: target/linux/ar531x-2.4/config
- Change the line "CONFIG_BLK_DEV_RAM_SIZE=3072" to "CONFIG_BLK_DEV_RAM_SIZE=4096" (or whatever bigger size floats your boat)
- Change the line "CONFIG_EXT2_FS=m" to "CONFIG_EXT2_FS=y" -- we need this for now to boot into the kernel-embedded ramdisk
Now, do a "make V=99 | tee BuildLog-01". Go ahead and enjoy a Coke and play with the kids for a while. When you come back, you'll see it barfed with "no rule to make ramdisk.gz". I just created a new ext2 image and copied build_mips/root/* into it. This is approximately what I did (this is coming from memory, about a day later) :
- dd if=/dev/zero of=ramdisk bs=1M count=4
- mkfs.ext2 ramdisk
- mount ramdisk /mnt
- cp -apf build_mips/root/* /mnt
- umount /mnt
- gzip -9 ramdisk
- mv ramdisk.gz <directory_where_barf_happened>
Then re-run make: "make V=99 | tee BuildLog-02"
That *should* be the only major stumbling block, after that, everything is compiled. Now, we have a whole bunch of output in the bin directory, all of which are *UNUSABLE* because they're not ELF files. (Nor are they *.FIM files needed to upgrade the firmware using the built-in functionality -- we'll figure something out for that later).
To determine the correct file to place into your tftp directory, I did this:
- find -name "vmlinu*" -exec file {} \;
Look for the one that says it's an ELF file (MIPS), and copy it to the TFTP root directory. Now you can fire up the router, and it should load up this new Kernel with the OpenWRT root. Enjoy!
Booting the DeviceScape Kernel for Netgear WGT624
Verdict: YES, it boots, but NO, the Atheros support doesn't seem to work.
YAY! Thanks soo much to malfi for giving me the heads-up on booting a DeviceScape Linux Kernel on the Netgear WGT624. It's a huge breakthrough with the VxWorks bootloader as well as getting a Linux kernel to load! Now that the proof-of-concept has been done, (and now that I know how to interrupt VxWorks and tell it how to boot from TFTP.. *duh*), a lot more serious effort can be made at getting an Atheros port of OpenWRT running.
A session with this Linux Kernel is below. 'Sure is nice that this kernel recognized both Wireless Devices right off the bat. I guess it could work with some configuration tweaking...
R&D to Upgrade the WRT55AGv2 to 128-Megabytes
What's known about the WRT55AG v2 is that it uses the G-LINK GLT5640L16-6TC, which is a 4Mx16 (probably more like a 1M x 16bit x 4bank) SDRAM in a 54-pin TSOP. Needless to say That sucks'''. Following some threads in the OpenWRT Forums, I notice that people have upgraded other Linksys WRT54G models to 32 Megs (up from 16 or less) by swapping the onboard 66-pin TSOP. The appropriate 66-pin chip can be salvaged from a common DDR (2700 or 3300) SODIMM. Sourcing an appropriate 54-pin TSOP for these WRT55AG v2 routers is a bit of a problem at the moment.
In theory, to get 128 Megabytes on this router, you need to replace the existing 4Mx16 chips with a pair of 32Mx16 (512-MegaBit) chips. One show-stopping problem to investigate: the higher-capacity chips define A12, which is "No-Connect" on the original chip. I'll have to Ohm the trace out to see if it's connected to anything on or near the CPU. If A12 isn't connected, there's really no point in exploring any RAM upgrades on these routers.
From this cross-reference page, it looks like the appropriate chips to upgrade this router to 128Megs of RAM would be one of these 32Mx16 form-factor chips:
| Elpida | EDS5116ABTA |
| Elpida | HM5257165B |
| Samsung | K4S511632M |
| Micron | MT48LC32M16A2 |
| Infineon | HYB39S5121600 |
I started fiddling with replacing the RAM chips. My hardware hacking blog-notes follow:
Hardware Hacking Notes
Alright, the chips arrived, and I have a new guinea pig to work on. 'Gonna have to extract the new machine's flash contents and to a comparative analysis.. and then do the RAM upgrade. If all goes well, then MAYBE I'll have more enthusiasm for these routers...
Older News
Bummer, the RAM chips didn't arrive in time for this weekend's hacking session. 'Guess that'll wait 'til next weekend. :-(
Older News
Found a link to a very compelling Skype Handset that uses Bluetooth, connected via USB. 'Wonder what it'll take to hack up an ASUS WL-500G Deluxe to drive one of these? :-)
Older News
Aha, someone has a patch to bring Ruby to OpenWRT. Sweeeet! So, now I can run Ruby on Rails under lightTPD on a 128-Meg Router. :o) :o) :o) Now THAT would be interesting. Maybe enough to get my 15 seconds of fame on Slashdot or Digg? ;-)
Also started looking into a replacement for the onboard flash chip. I found the 8Meg version by SST here - link. I'm sure I can cross-ref it later on and find something a little more consumer-friendly. Standard JEDEC 16-bit pinouts, so we'll see. Would be great to find a 32Meg or 64Meg Flash Chip to drop in there. :-D
Older News
I finally got the WRT55AG v2 to run the OpenWRT Kamikaze -- see below. It runs with a kernel-embedded ramdisk for now. The MadWifi drivers aren't running yet, but I managed to snarf a copy of the flash using Xmodem over the serial-line.
I'm taking a short break from the Linux Kernel stuff - I have the RAM chips on the way, and will focusing my next weekend's attention on upgrading the RAM on this router to 128 Megs. For any of you following along with this page, though, here's my kernel-building procedure. The TFTP instructions and VxWorks notes are well documented on the WGT624 Wiki page. If you come up with any great patches or tweaks, PLEASE feel free to post-comment at the bottom of this page! Thanks!
I expect to have OpenWRT fully operational (i.e. MadWifi and the Switch hardware can be configured) on these routers within the next 4 to 6 weeks. Let's see how well Murphy's Law plays into this timeline, though. ;-)
Keep in mind, for this project I'm still a "code butcher", and most of what I'm doing probably will not make it back into the OpenWRT Kamikaze code base without some help. I'm an OpenWRT amateur at best -- I really don't want to pee in someone else's pool by submitting fugly hack-patches. ("Been there, done that" on other projects, and have been flamed enough to invest in Asbestos Suit.. ;-) )
So, I'm hoping to relay enough information on these pages so that an OpenWRT Guru will be able to take my handful of tweaks and adjust the Kamikaze code base in a way that everyone's happy with. And if the OpenWRT Gurus step up and complete the Atheros Port before I do, then so much the better -- I'm really more interested in the hardware hacking on these devices and would prefer to focus my attention on upgrading SDRAMs and Flashes to make the wimpy/cheap models much more interesting to work with.
LogFiles of Various Working Kernels
DeviceScape Kernel running on WRT55AG v2
ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED
Atheros AR5001AP default version 4.0.0.2
Bootloader version 1.00
1
oot]:
[Boot]: ?
? - print this list
@ - boot (load and go)
p - print boot params
c - change boot params
e - print fatal exception
v - print version
B - change board data
S - show board data
n netif - print network interface device address
$dev(0,procnum)host:/file h=# e=# b=# g=# u=usr [pw=passwd] f=#
tn=targetname s=script o=other
boot device: tffs=drive,removable file name: /tffs0/vxWorks
Boot flags:
0x02 - load local system symbols
0x04 - don't autoboot
0x08 - quick autoboot (no countdown)
0x20 - disable login security
0x40 - use bootp to get boot parameters
0x80 - use tftp to get boot image
0x100 - use proxy arp
available boot devices:Enhanced Network Devices
ae0 ae1 tffs
[Boot]: p
boot device : ae
unit number : 0
processor number : 0
host name : 192.168.1.101
file name : /vmlinux
inet on ethernet (e) : 192.168.1.1:0xffffff00
host inet (h) : 192.168.1.101
flags (f) : 0x80
other (o) : ae
[Boot]: @
Attached TCP/IP interface to ae0.
Attaching network interface lo0... done.
Loading... 1298312 + 725392
Starting at 0x80142040...
<4>CPU revision is: 00018009
<4>Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.
<4>Primary data cache 16kB 4-way, linesize 16 bytes.
<4>Linux version 2.4.25 (malte@duron) (gcc version 2.96-mips3264-000710) #7 Sat Sep 3 19:19:29 CEST 2005
<4>Determined physical RAM map:
<4> memory: 01000000 @ 00000000 (usable)
<4>Initial ramdisk at: 0x80169000 (389120 bytes)
<4>On node 0 totalpages: 4096
<4>zone(0): 4096 pages.
<4>zone(1): 0 pages.
<4>zone(2): 0 pages.
<4>Kernel command line: console=ttyS0,9600
<4>Using 110.000 MHz high precision timer.
<4>Calibrating delay loop... 219.54 BogoMIPS
<6>Memory: 14204k/16384k available (1267k kernel code, 2180k reserved, 464k data, 64k init, 0k highmem)
<6>Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
<6>Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
<6>Mount cache hash table entries: 512 (order: 0, 4096 bytes)
<6>Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
<4>Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
<4>Checking for 'wait' instruction... available.
<4>POSIX conformance testing by UNIFIX
<6>Linux NET4.0 for Linux 2.4
<6>Based upon Swansea University Computer Society NET3.039
<4>Initializing RT netlink socket
<4>Starting kswapd
<5>JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB.
<7>Allocated 399036 bytes for deflate workspace
<7>Allocated 46912 bytes for inflate workspace
<6>Serial driver version 5.05c (2001-07-08) with no serial options enabled
<6>ttyS00 at 0xbc000003 (irq = 37) is a 16550A
<6>Generic MIPS RTC Driver v1.0
<4>RAMDISK driver initialized: 16 RAM disks of 3072K size 1024 blocksize
<5>physmap flash device: 200000 at be000000
<5> Amd/Fujitsu Extended Query Table v1.1 at 0x0040
<5>number of CFI chips: 1
<5>cfi_cmdset_0002: Disabling fast programming due to code brokenness.
<5>Using physmap partition definition
<5>Creating 1 MTD partitions on "Physically mapped flash":
<5>0x000f0000-0x001d0000 : "rootfs"
<6>NET4: Linux TCP/IP 1.0 for NET4.0
<6>IP Protocols: ICMP, UDP, TCP, IGMP
<6>IP: routing cache hash table of 512 buckets, 4Kbytes
<6>TCP: Hash tables configured (established 1024 bind 2048)
<6>NET4: Ethernet Bridge 008 for NET4.0
<5>RAMDISK: Compressed image found at block 0
<6>Freeing initrd memory: 380k freed
<4>VFS: Mounted root (ext2 filesystem) readonly.
<4>Algorithmics/MIPS FPU Emulator v1.5reed
init started: BusyBox v1.00-pre10 (2004.06.09-17:51+0000) multi-call binary
<6>wlan: 0.7.3.1 BETA
Starting pid 10, console /dev/console: '/etc/rc.<6>ath_hal: 0.9.9.2
d/rcS'
Load MADWiFi wlan module
Using ../../li<6>ath_pci: 0.8.5.5 BETA
<4>macVersion = 4, macRev = 2
b/modules/2.4.25<4>Setup queue (0) for WME_AC_BK
<4>Setup queue (1) for WME_AC_BE
<4>Setup queue (2) for WME_AC_VI
<4>Setup queue (3) for WME_AC_VO
<3>ath0: mac 4.2 phy 4.2 5ghz radio 3.6
<4>ath0: 11a rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
<4>ath0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
<4>ath0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
<4>ath0: turbo rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
<4>ath0: 802.11 address: 00:12:17:6d:10:3d
<6>ath0: Atheros 5312 WiSoC: mem=0xb8000000, irq=2
<4>macVersion = 4, macRev = 2
/net/wlan.o
Loa<4>Setup queue (0) for WME_AC_BK
<4>Setup queue (1) for WME_AC_BE
<4>Setup queue (2) for WME_AC_VI
<4>Setup queue (3) for WME_AC_VO
<3>ath1: mac 4.2 phy 4.2 5ghz radio 4.6
<4>ath1: 11a rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
<4>ath1: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
<4>ath1: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
<4>ath1: turbo rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
<4>ath1: 802.11 address: 00:12:17:6d:10:3e
<6>ath1: Atheros 5312 WiSoC: mem=0xb8500000, irq=5
d MADWiFi Atheros HAL module
Using ../../lib/modules/2.4.25/net/ath_hal.o
Warning: loading ath_hal will taint the kernel: non-GPL license - Proprietary
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Load MADWiFi Atheros Driver module
Using ../../lib/modules/2.4.25/net/ath_lbus.o
Starting pid 19, console /dev/console: '/bin/sh'
BusyBox v1.00-pre10 (2004.06.09-17:51+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
#
Kamikaze Kernel running on WRT55AG v2
ar531x rev 0x00005742 firmware startup... SDRAM TEST SKIPPED Atheros AR5001AP default version 4.0.0.2 Bootloader version 1.00 0 auto-booting... Attached TCP/IP interface to ae0. Attaching network interface lo0... done. Loading... 1558080 + 1426624 Starting at 0x80182040... <4>CPU revision is: 00018009 <4>Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes. <4>Primary data cache 16kB, 4-way, linesize 16 bytes. <4>Linux version 2.4.32 (root@ufo.lalee.net) (gcc version 3.4.5 (OpenWrt-2.0)) #3 Sun Feb 26 18:22:40 HST 2006 <4>Determined physical RAM map: <4> memory: 01000000 @ 00000000 (usable) <4>Initial ramdisk at: 0x801af000 (983040 bytes) <4>On node 0 totalpages: 4096 <4>zone(0): 4096 pages. <4>zone(1): 0 pages. <4>zone(2): 0 pages. <4>Kernel command line: console=ttyS0,9600 <4>Using 110.000 MHz high precision timer. <4>Calibrating delay loop... 219.54 BogoMIPS <6>Memory: 13264k/16384k available (1521k kernel code, 3120k reserved, 1052k data, 80k init, 0k highmem) <6>Dentry cache hash table entries: 2048 (order: 2, 16384 bytes) <6>Inode cache hash table entries: 1024 (order: 1, 8192 bytes) <6>Mount cache hash table entries: 512 (order: 0, 4096 bytes) <6>Buffer cache hash table entries: 1024 (order: 0, 4096 bytes) <4>Page-cache hash table entries: 4096 (order: 2, 16384 bytes) <4>Checking for 'wait' instruction... available. <4>POSIX conformance testing by UNIFIX <6>Linux NET4.0 for Linux 2.4 <6>Based upon Swansea University Computer Society NET3.039 <4>Initializing RT netlink socket <4>Starting kswapd <6>devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au) <6>devfs: boot_options: 0x1 <5>JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB. <6>Squashfs 2.2 (released 2005/07/03) (C) 2002-2004, 2005 Phillip Lougher <4>pty: 256 Unix98 ptys configured <6>Serial driver version 5.05c (2001-07-08) with no serial options enabled <6>ttyS00 at 0xbc000003 (irq = 37) is a 16550A <4>RAMDISK driver initialized: 16 RAM disks of 3072K size 1024 blocksize <5>physmap flash device: 400000 at be000000 <5> Amd/Fujitsu Extended Query Table v1.1 at 0x0040 <5>number of CFI chips: 1 <5>cfi_cmdset_0002: Disabling fast programming due to code brokenness. <5>No RedBoot partition table detected in Physically mapped flash <6>Initializing Cryptographic API <6>NET4: Linux TCP/IP 1.0 for NET4.0 <6>IP Protocols: ICMP, UDP, TCP, IGMP <6>IP: routing cache hash table of 512 buckets, 4Kbytes <6>TCP: Hash tables configured (established 1024 bind 2048) <4>ip_conntrack version 2.1 (5953 buckets, 5953 max) - 360 bytes per conntrack <4>ip_tables: (C) 2000-2002 Netfilter core team <6>NET4: Unix domain sockets 1.0/SMP for Linux NET4.0. <6>NET4: Ethernet Bridge 008 for NET4.0 <6>802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com> <6>All bugs added by David S. Miller <davem@redhat.com> <5>RAMDISK: Compressed image found at block 0 <6>Freeing initrd memory: 960k freed <4>VFS: Mounted root (ext2 filesystem) readonly. <6>Mounted devfs on /dev init started: BusyBox v1.1.0 (2006.02.27-03:56+0000) multi-call binary <4>Algorithmics/MIPS FPU Emulator v1.5 Please press Enter to activate this console. <3>kmod: failed to exec /sbin/modprobe -s -k net-pf-10, errno = 2 <6>device eth0 entered promiscuous mode BusyBox v1.1.0 (2006.02.27-03:56+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. _______ ________ __ | |.-----.-----.-----.| | | |.----.| |_ | - || _ | -__| || | | || _|| _| |_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M KAMIKAZE (bleeding edge, r3276) ------------------- * 10 oz Vodka Shake well with ice and strain * 10 oz Triple sec mixture into 10 shot glasses. * 10 oz lime juice Salute! --------------------------------------------------- root@(none):/#
Older Progress Notes
My older notes on the WRT55AGv2 are archived here. Thanks!
Comments and Feedback
Comment by lalee on Tue 21 Feb 2006 04:53:13 PM PST
Note to self: Some documents would have you manually tie pin 1 (TRST*) to pin 14 (VCC) through a 100-Ohm resistor. (Reference)
Comment by malfi on Wed 22 Feb 2006 07:29:18 PM PST
hi, I (malfi) figured out how to boot linux on a wgt624, please have a look at: http://wiki.openwrt.org/OpenWrtDocs/Hardware/Netgear/WGT624
kaloz@openwrt managed to boot the linux kernel image http://home.fhtw-berlin.de/~s0502837/wgt624/vmlinux on his wrt55ag
Comment by lalee on Thu 23 Feb 2006 01:04:25 AM PST
malfi,
I'll be damned, it works! It's exactly the breakthrough I was looking for. Thanks! :-D
Comment by lalee on Sat 11 Mar 2006 06:07:14 PM PST
With No RAM Installed, you get these:
ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED
NMI (watchdog): ErrorPC: 0xbfc00614
epc: 0xfe7ffe7f bva: 0xbfc0bfc0 sr: 0xfe7ffe7f cse: 0xbfc0bfc0
R0: r0: 0x00000000 at: 0xbfc0bfc0 v0: 0xbfc0bfc0 v1: 0xbfc0bfc0
R4: a0: 0xbfc0bfc0 a1: 0xbfc0bfc0 a2: 0xbfc0bfc0 a3: 0xbfc0bfc0
R8: t0: 0xbfc0bfc0 t1: 0xbfc0bfc0 t2: 0xbfc0bfc0 t3: 0xbfc0bfc0
R12: t4: 0xbfc0bfc0 t5: 0xbfc0bfc0 t6: 0xbfc0bfc0 t7: 0xbfc0bfc0
R16: s0: 0xbfc0bfc0 s1: 0xbfc0bfc0 s2: 0xbfc0bfc0 s3: 0xbfc0bfc0
R20: s4: 0xbfc0bfc0 s5: 0xbfc0bfc0 s6: 0xbfc0bfc0 s7: 0xbfc0bfc0
R24: t8: 0xffffffff t9: 0xfffcffff k0: 0x00000000 k1: 0x00000000
R28: gp: 0xbfc0bfc0 sp: 0xbfc0bfc0 fp: 0xbfc0bfc0 ra: 0xbfc0bfc0
trying NMI callback: 0xbfc0bfc0
sysConsoleDump: type 0x00000380
epc: 0x80018001 bva: 0xffff9fe0 sr: 0x10400002 cse: 0x10800008
R0: r0: 0x00000000 at: 0xbfc00000 v0: 0x10800010 v1: 0x800169d0
R4: a0: 0xbfc00614 a1: 0x8000ff38 a2: 0xbfc00b50 a3: 0xa8000000
R8: t0: 0x00000040 t1: 0x00000020 t2: 0xfffffffc t3: 0x00000030
R12: t4: 0x00000020 t5: 0x00080000 t6: 0x00023000 t7: 0xfe7ffdff
R16: s0: 0xbfc0bfc0 s1: 0x00000002 s2: 0xfddfffff s3: 0xfffff7ff
R20: s4: 0xffffffff s5: 0xfffffffe s6: 0xfffbff7f s7: 0xfe7fffff
R24: t8: 0xffffffff t9: 0xfffcffff k0: 0x00000000 k1: 0x00000000
R28: gp: 0x80057900 sp: 0x8000ff38 fp: 0xffffffff ra: 0xbfc01898
ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED
NMI (watchdog): ErrorPC: 0xbfc00614
epc: 0xfe7ffe7f bva: 0xbfc0bfc0 sr: 0xfe7ffe7f cse: 0xbfc0bfc0
R0: r0: 0x00000000 at: 0xbfc0bfc0 v0: 0xbfc0bfc0 v1: 0xbfc0bfc0
R4: a0: 0xbfc0bfc0 a1: 0xbfc0bfc0 a2: 0xbfc0bfc0 a3: 0xbfc0bfc0
R8: t0: 0xbfc0bfc0 t1: 0xbfc0bfc0 t2: 0xbfc0bfc0 t3: 0xbfc0bfc0
R12: t4: 0xbfc0bfc0 t5: 0xbfc0bfc0 t6: 0xbfc0bfc0 t7: 0xbfc0bfc0
R16: s0: 0xbfc0bfc0 s1: 0xbfc0bfc0 s2: 0xbfc0bfc0 s3: 0xbfc0bfc0
R20: s4: 0xbfc0bfc0 s5: 0xbfc0bfc0 s6: 0xbfc0bfc0 s7: 0xbfc0bfc0
R24: t8: 0xffffffff t9: 0xfffcffff k0: 0x00000000 k1: 0x00000000
R28: gp: 0xbfc0bfc0 sp: 0xbfc0bfc0 fp: 0xbfc0bfc0 ra: 0xbfc0bfc0
trying NMI callback: 0xbfc0bfc0
sysConsoleDump: type 0x00000380
epc: 0x80018001 bva: 0xffff9fe0 sr: 0x10400002 cse: 0x10800008
R0: r0: 0x00000000 at: 0xbfc00000 v0: 0x10800010 v1: 0x800169d0
R4: a0: 0xbfc00614 a1: 0x8000ff38 a2: 0xbfc00b50 a3: 0xa8000000
R8: t0: 0x00000040 t1: 0x00000020 t2: 0xfffffffc t3: 0x00000030
R12: t4: 0x00000020 t5: 0x00080000 t6: 0x00023000 t7: 0xfe7ffdff
R16: s0: 0xbfc0bfc0 s1: 0x00000002 s2: 0xfddfffff s3: 0xfffff7ff
R20: s4: 0xffffffff s5: 0xfffffffe s6: 0xfffbff7f s7: 0xfe7fffff
R24: t8: 0xffffffff t9: 0xfffcffff k0: 0x00000000 k1: 0x00000000
R28: gp: 0x80057900 sp: 0x8000ff38 fp: 0xffffffff ra: 0xbfc01898
ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED
NMI (watchdog): ErrorPC: 0xbfc00614
epc: 0xfe7ffe7f bva: 0xbfc0bfc0 sr: 0xfe7ffe7f cse: 0xbfc0bfc0
R0: r0: 0x00000000 at: 0xbfc0bfc0 v0: 0xbfc0bfc0 v1: 0xbfc0bfc0
R4: a0: 0xbfc0bfc0 a1: 0xbfc0bfc0 a2: 0xbfc0bfc0 a3: 0xbfc0bfc0
R8: t0: 0xbfc0bfc0 t1: 0xbfc0bfc0 t2: 0xbfc0bfc0 t3: 0xbfc0bfc0
R12: t4: 0xbfc0bfc0 t5: 0xbfc0bfc0 t6: 0xbfc0bfc0 t7: 0xbfc0bfc0
R16: s0: 0xbfc0bfc0 s1: 0xbfc0bfc0 s2: 0xbfc0bfc0 s3: 0xbfc0bfc0
R20: s4: 0xbfc0bfc0 s5: 0xbfc0bfc0 s6: 0xbfc0bfc0 s7: 0xbfc0bfc0
R24: t8: 0xffffffff t9: 0xfffcffff k0: 0x00000000 k1: 0x00000000
R28: gp: 0xbfc0bfc0 sp: 0xbfc0bfc0 fp: 0xbfc0bfc0 ra: 0xbfc0bfc0
trying NMI callback: 0xbfc0bfc0
sysConsoleDump: type 0x00000380
epc: 0x80018001 bva: 0xffff9fe0 sr: 0x10400002 cse: 0x10800008
R0: r0: 0x00000000 at: 0xbfc00000 v0: 0x10800010 v1: 0x800169d0
R4: a0: 0xbfc00614 a1: 0x8000ff38 a2: 0xbfc00b50 a3: 0xa8000000
R8: t0: 0x00000040 t1: 0x00000020 t2: 0xfffffffc t3: 0x00000030
R12: t4: 0x00000020 t5: 0x00080000 t6: 0x00023000 t7: 0xfe7ffdff
R16: s0: 0xbfc0bfc0 s1: 0x00000002 s2: 0xfddfffff s3: 0xfffff7ff
R20: s4: 0xffffffff s5: 0xfffffffe s6: 0xfffbff7f s7: 0xfe7fffff
R24: t8: 0xffffffff t9: 0xfffcffff k0: 0x00000000 k1: 0x00000000
R28: gp: 0x80057900 sp: 0x8000ff38 fp: 0xffffffff ra: 0xbfc01898
ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED
NMI (watchdog): ErrorPC: 0xbfc00614
epc: 0xfe7ffe7f bva: 0xbfc0bfc0 sr: 0xfe7ffe7f cse: 0xbfc0bfc0
R0: r0: 0x00000000 at: 0xbfc0bfc0 v0: 0xbfc0bfc0 v1: 0xbfc0bfc0
R4: a0: 0xbfc0bfc0 a1: 0xbfc0bfc0 a2: 0xbfc0bfc0 a3: 0xbfc0bfc0
R8: t0: 0xbfc0bfc0 t1: 0xbfc0bfc0 t2: 0xbfc0bfc0 t3: 0xbfc0bfc0
R12: t4: 0xbfc0bfc0 t5: 0xbfc0bfc0 t6: 0xbfc0bfc0 t7: 0xbfc0bfc0
R16: s0: 0xbfc0bfc0 s1: 0xbfc0bfc0 s2: 0xbfc0bfc0 s3: 0xbfc0bfc0
R20: s4: 0xbfc0bfc0 s5: 0xbfc0bfc0 s6: 0xbfc0bfc0 s7: 0xbfc0bfc0
R24: t8: 0xffffffff t9: 0xfffcffff k0: 0x00000000 k1: 0x00000000
R28: gp: 0xbfc0bfc0 sp: 0xbfc0bfc0 fp: 0xbfc0bfc0 ra: 0xbfc0bfc0
trying NMI callback: 0xbfc0bfc0
sysConsoleDump: type 0x00000380
epc: 0x80018001 bva: 0xffff9fe0 sr: 0x10400002 cse: 0x10800008
R0: r0: 0x00000000 at: 0xbfc00000 v0: 0x10800010 v1: 0x800169d0
R4: a0: 0xbfc00614 a1: 0x8000ff38 a2: 0xbfc00b50 a3: 0xa8000000
R8: t0: 0x00000040 t1: 0x00000020 t2: 0xfffffffc t3: 0x00000030
R12: t4: 0x00000020 t5: 0x00080000 t6: 0x00023000 t7: 0xfe7ffdff
R16: s0: 0xbfc0bfc0 s1: 0x00000002 s2: 0xfddfffff s3: 0xfffff7ff
R20: s4: 0xffffffff s5: 0xfffffffe s6: 0xfffbff7f s7: 0xfe7fffff
R24: t8: 0xffffffff t9: 0xfffcffff k0: 0x00000000 k1: 0x00000000
R28: gp: 0x80057900 sp: 0x8000ff38 fp: 0xffffffff ra: 0xbfc01898
ar531x rev 0x00005742 firmware startup...
SDRAM TEST SKIPPED
NMI (watchdog): ErrorPC: 0xbfc00614
epc: 0xfe7ffe7f bva: 0xbfc0bfc0 sr: 0xfe7ffe7f cse: 0xbfc0bfc0
R0: r0: 0x00000000 at: 0xbfc0bfc0 v0: 0xbfc0
Comment by andrea@dbcsrl.it on Mon May 8 05:20:11 2006
Hi, I'm Andrea, I've buyed new WRT55AG, and i've build my own serial cable, but i can't stop the bootloader, can someone help me? I've tried with minicom, but after boot "login" don't appear, and is impossible to send ESC in boot time. I attach my WRT55AG , thanks a lot :)
ar531x rev 0x00005742 firmware startup... SDRAM TEST SKIPPED Atheros AR5001AP default version 4.0.0.140 Bootloader version 1.03 0 auto-booting... Attaching to TFFS... done. Loading /fl/APIMG1...1470912 Starting at 0x804846e0... /fl/ - Volume is OK Reading Configuration File "/fl/apcfg". Configuration file checksum: 4aae4 is good multicastRateIndex = 2 multicastRateIndex = 6 Attaching interface lo0...done DHCP server started. wireless access point starting... wlan1 Ready wireless access point starting... Remote Web service on TCP port 8080 ... Allowing any hosts on INTERNET start easyconf Starting the blocking WAN PING service ... successful vp0 macaddr = 00:12:17:a7:ef:db vp65536 macaddr = 00:12:17:a7:ef:dc ae0 macaddr = 00:12:17:a7:ef:dd ae1 macaddr = 00:12:17:a7:ef:de add bridge port ae0 Radar scan beginning on all eligible channels InitSingleScan -- 5260, 2410 ofdm 5 passive scan Radar scan complete Auto Channel Scan selected 5200 MHz, channel 40 wlan0 Ready Ready
Comment by andrea@dbcsrl.it on Mon May 8 05:28:17 2006
Hi, I'm Andrea, I've buyed new WRT55AG, and i've build my own serial cable, but i can't stop the bootloader, can someone help me? I've tried with minicom, but after boot "login" don't appear, and is impossible to send ESC in boot time. I attach my WRT55AG , thanks a lot :)
ar531x rev 0x00005742 firmware startup... SDRAM TEST SKIPPED Atheros AR5001AP default version 4.0.0.140 Bootloader version 1.03 0 auto-booting... Attaching to TFFS... done. Loading /fl/APIMG1...1470912 Starting at 0x804846e0... /fl/ - Volume is OK Reading Configuration File "/fl/apcfg". Configuration file checksum: 4aae4 is good multicastRateIndex = 2 multicastRateIndex = 6 Attaching interface lo0...done DHCP server started. wireless access point starting... wlan1 Ready wireless access point starting... Remote Web service on TCP port 8080 ... Allowing any hosts on INTERNET start easyconf Starting the blocking WAN PING service ... successful vp0 macaddr = 00:12:17:a7:ef:db vp65536 macaddr = 00:12:17:a7:ef:dc ae0 macaddr = 00:12:17:a7:ef:dd ae1 macaddr = 00:12:17:a7:ef:de add bridge port ae0 Radar scan beginning on all eligible channels InitSingleScan -- 5260, 2410 ofdm 5 passive scan Radar scan complete Auto Channel Scan selected 5200 MHz, channel 40 wlan0 Ready Ready
Comment by lalee on Fri Jun 2 13:46:43 2006
Hi Andrea,
It looks like your firmware version doesn't have the boot console. If you can find the 1.10 firmware on Linksys' site, you can try downgrading it through the router's web interface.
Otherwise, you can just press <Esc> when the router first starts up, and you'll get into the BootLoader mode. You can set up the TFTP parameters at that point, and tell the router how to load up any OpenWRT image that you've compiled.
Comment by czzink123@czinfo.net on Sun Jun 4 10:36:54 2006
I need somebody help me:
I have a linksys wrt55ag v2 , i bricked it after i upload wrong firmware,jtag does not work.I need whole flash dump because i have programmer.
Thanks !
Comment by lalee on Tue Jun 6 16:23:46 2006
You might be able to reset the router to factory settings by holding down the RESET button while powering the device up. Worked for me several times when I thought I had bricked mine.
At the very worst case, you'd need to hook up the serial port and mess around with settings to get it booting a factory (or OpenWRT) image via TFTP.
Comment by svieira on Thu Jun 8 14:38:06 2006
Ialee,
What do you mean by "Otherwise, you can just press &lt;Esc&gt;"? My router has firmware 1.30 and the web interface always break at the middle. Doing tftp does not work for me either.
Is there any way to put the router in bootloader mode?
Comment by lalee on Mon Jun 12 18:53:38 2006
svieira,
If you hook up the serial port, the router will go into bootloader mode if you press ESC when the router starts. (Just when the router says "ar531x rev 0x00005742 firmware startup...") You can then change the TFTP settings, as noted in Section 1.5 of the Netgear WGT624 page.
Hope this helps! (And sorry for the messy site at the moment -- I'm still working on integrating Trac with Ruby-on-Rails...)
Comment by czzink123@czinfo.net on Tue Jun 13 23:07:22 2006
I have ic programmer,so i open router case and use IC PROGRAMMER to dump whole flash. Unfortunately, i make a big mistake,i hit "erase"......
so,i only have one way to save back my wrt55ag v2 ,just somebody give me a whole flash dump
please,please help me, thanks !!!
Comment by czzink123@czinfo.net on Tue Jun 13 23:08:34 2006
I have ic programmer,so i open router case and use IC PROGRAMMER to dump whole flash. Unfortunately, i make a big mistake,i hit "erase"......
so,i only have one way to save back my wrt55ag v2 ,just somebody give me a whole flash dump
please,please help me, thanks !!!
Comment by bbsux@binary.net on Mon Jul 10 09:26:37 2006
Wow, This is the first place I have found good info on hacking the wrt55agv2.
Any news on getting a more (well, newbie freindly) hack?
Thanks...
Comment by lalee on Thu Jul 13 18:39:15 2006
Hi,
Sorry, I haven't touched this router in months.. I swapped the RAM chips to larger-capacity ones, but the it still registered 16 Megs.. so I put the project aside for the time being. I was more interested in getting a nice, beefy router platform before diving in too dep with the software.
Comment by firestormo@yahoo.com on Tue Aug 8 19:36:01 2006
any new news on a working firmware for the WRT55AGv2
Comment by lalee on Wed Aug 9 13:47:51 2006
There hasn't been any development on the WRT55AGv2 from my end, but maybe the guys at OpenWRT have put something together. The kernel basically works, but (last time I tried) some fixes need to be done to get the MadWifi driver functional.
Though.. I think the old DeviceScape kernel that Malfi built for his Netgear router detected the Atheros devices, so I'm pretty sure it's just a module configuration issue on our part.
Comment by nutnut@centrum.cz on Sat Nov 11 22:53:43 2006
What serial port parameters should I set? I have XtendLan WDAP 1001 that has the serial port prepared on the pcb but the header is not soldered and I'm using http://pinouts.ru/CellularPhonesCables/nokia_dku-5_cable_pinout.shtml. Connecting grounds and then trying remaining pins I have found one single pin from which I can receive an unreadable mess at 115200-8N1, at 9600-8N1 nothing can be received from any pin.
Comment by nutnut@centrum.cz on Sat Nov 11 23:17:09 2006
Heh a second after posting I have found it, both data and charger ground on the DKU-5 cable have to be connected, and the firmware is set to 9600-8N1 (another incarnation of this design uses 115200-8N1, so I was trying that too, see http://atheros.openwrt.net/).
Comment by franek on Sat Dec 9 13:47:56 2006
Is anyone upgrading wap/wrt55ag v2 without serial cable?
Comment by gig.it@_nospam_tiscalinet.it on Fri Mar 2 11:35:14 2007
how is avoided this error? Loading... Error loading file: errno = 0x610001.
Comment by gig.it@_nospam_tiscalinet.it on Sat Mar 3 03:10:25 2007
how is avoided this error? Loading... Error loading file: errno = 0x610001.
Comment by Weedy <weedy2887@gmail.com> on Sat May 5 15:10:03 2007
lalee be less dead
Comment by lalee on Sat May 5 16:44:42 2007
Sorry guys, I haven't worked on the WRT55AG in quite some time now. Aside from the RAM upgrade hack (which didn't work - I have larger chips, but the machine still only sees 16 Megs), I haven't touched the router.
I'd imagine that after all this time, Kamikaze has made enough progress to operate on these devices, though.
Comment by anonymous on Sat Nov 17 15:31:05 2007
They have not. Everyone is still holding their breath waiting for someone to release something to make upgrading the WRT55AG and WAP55AG devices easy.
Comment by anonymous on Sat Nov 17 15:37:23 2007
You're awesome BTW. You are much closer to useful hack for the WRT55AG than anyone else on the net that I am aware of currently. Linksys WRT55AG and WAP55AG images crash when using Cisco IP softphone or IP Communicator. Linksys knows about it but will not do anything about it. I have 14 of these things so it is either get a workaround or toss them for somethine else!
Comment by anonymous on Tue Nov 20 23:07:44 2007
Keep up the progress! I've got a WRT55AG V2, I'm not afraid to rip it up and add serial or JTAG, or replace parts (I run an electronics lab at work).
Is there anything I can do to help you with getting this running?
Also, we use VxWorks at work (Aerospace)...
Comment by BL! on Sun Nov 25 15:57:03 2007
I really hope someone can wrap this up soon because I'm sure a lot of people are sitting on these WRT55AGs and the firmware versions released by Linksys has several issues (and they have dropped the support now(!)).
I would easily pay for another firmware based on this excellent hardware!
Comment by anonymous on Fri Nov 30 10:35:03 2007
I am with u,
Older Progress Notes on Hacking the WRT55AGv2
Older Stuff
[Outdated] Bummer, doing a little more research on the VxWorks bootloader, it seems I'm in way over my head. According to this article, the VxWorks bootloader has trouble with Linux Kernel images because the Linux Kernel's ELF header is specifying a start offset in Virtual Memory, not physical memory. *Aurrgh*. OK, well, the software hacks are definitely on permanent hold until I can either:
- figure out how to get u-boot to chain-load under the VxWorks bootloader
- desolder the flash chip and install a socket, so I can do things the hard way.
- figure out why the damn JTAG interface isn't responding. *Grrr*
I'm somewhat disappointed. I was just about to order some RAM chips to swap out from this router, maybe bringing it up to 128MB of RAM. Ah well, maybe I'll just upgrade a cheapie WRT54GL, or dive into a high-end Asus router with all the USB support stuff..
Older News
Anyone with OpenWRT Wiki Access, feel free to copy/paste what you think is relevant into the OpenWRT wiki -- I'm just not in the habit of creating a whole bunch of accounts that I'd rarely use. Thanks!
Just logging my progress below. Next step.. not for a while, just probing through the menu system.
Check it out, though -- from the extended menu, it looks like you can set the Operation Mode on these devices through the Serial Port:
set operationMode ap -- Operating as Access Point set operationMode sta -- Operating as Wireless Client set operationMode ppt -- Operating as Wireless Bridge set operationMode mpt -- Operating as Multi-point Bridge set operationMode repeater -- Operating as Wireless Repeater
Hmm -- Maybe one could get this running as a Dual-Channel Wireless Bridge without OpenWRT? :-D
External Docs
A product brief on the AR5001AP, which I believe is a reference design. Nice block diagram of how things are laid out.
I also found the manuals for a similarly (identically) equipped device: BroVis AS1000. Their firmware has the Telnet server enabled. Lucky bums!
Progress Report
I finally managed to debrick the WRT55AG after getting into the serial console, and holding the reset button down for several seconds to force it to load up the Factory Settings. Make no mistake, these routers are damn expensive, and I really hate having bricked hardware in the house. Y'know the feeling, when a simple and hackable device just calls out to you and says "fix me! fix me!". ;-) So now I've got my router all tricked out with a Serial Adapter and a (seemingly non-functional) JTAG Header.
Note that the latest "1.67" firmware does not expose a serial-port login. You can see status messages, but you will not get a login-prompt by simply pressing <Return>. Way to go, Linksys. :-p Fortunately, the older version of the firmware is still in the Linksys FTP Site, so I was able to downgrade the firmware back to 1.10. Whew! (The 1.10 firmware is named WRT55AGv2_v1.10_09302004.fim) -- the "v2" in the filename is all-important!
OpenWRT Progress
I think I have cobbled together a version of OpenWRT built for the Atheros CPU, (after much hand-tweaking of CFLAGS in the MadWifi driver, and other small fixups all around). It's based on Kamikaze from mid-February, and still uses the "AP30" default settings. I gotta figure out how to hack up those config-files used in Buildroot or something. Hopefully someone upstream will take pity on the WRT55AG and do that for us (me). :-)
Anyways.. At first, I thought there's no easy way to get firmware loaded onto the router, but I've discovered the filenames and an FTP method to transfer firmware into and out of the device. I also have the equipment to desolder the flash chip, but I'd still need to get a flash chip programmer and (ideally) a few TSOP-48 ZIF Sockets if it really comes down to that.
I'm *REALLY* hoping that I can just upload kernel firmware (as apimg1 via FTP), without it wiping out the embedded Boot-Loader. Otherwise, I'd be hosed. I'll probably probe the JTAG interface a *LOT* so I can build up my confidence on this and have a way out without breaking out the soldering equipment. Recall, only the 1.10 version of the Linksys Firmware will give you a command-prompt! >:-(
JTAG Progress
I also added a header to the JTAG port. It's a 14-port header, and appears to be wired in what's considered "standard" for a MIPS platform (Reference, as that's what the Atheros chip is based on:
| 1 - TRST | 2 - VSS (GND) |
| 3 - TDI | 4 - VSS (GND) |
| 5 - TDO | 6 - VSS(GND) |
| 7 - TMS | 8 - VSS (GND) |
| 9 - TCK | 10 - VSS (GND) |
| 11 - RST | 12 - KEY |
| 13 - DINT | 14 - Reference Voltage |
I have verified that pins 2,4,6,8, and 10are GND. Pin 14 measures 3.28V. I have yet to establish a JTAG session on this interface, though. :-(
Building a Serial Adapter
After weighing the options, I decided that I didn't want to waste time building out an RS-232 adapter circuit, when you can use a USB Data Cable for a common cell phone (Nice tutorial thanks to I-Hacked.com). Lucky for me, my corner Radio Shack store was clearing out their data cables for some older or unsupported models. I picked up an LG 1010/5350/VX1/VX10 data cable for $10 and change.
Following the tutorial, I had constructed a working cable in under 20 minutes. Nice.
Complete Help Menu (Some Hidden Options)
In the Serial Session, if you type help on a bogus command, you get a larger menu:
wlan0 -> help blahblahfoo List of Access Point CLI commands: config wlan -- config wlanX connect bss -- connect to bssX del acl -- Delete Access Control List del key -- Delete Encryption key find bss -- Find BSS find channel -- Find Available Channel find all -- Find All BSS ftp -- Software update via FTP get acl -- Display Access Control List get aging -- Display Aging Interval get antenna -- Display Antenna Diversity get association -- Display Association Table get authentication -- Display Authentication Type get autochannelselect -- Display Auto Channel Select get beaconinterval -- Display Beacon Interval get burstSeqThreshold -- Display Max Number of frames in a Burst get burstTime -- Display Burst Time get channel -- Display Radio Channel get cipher -- Display Encryption cipher get config -- Display Current AP Configuration get countrycode -- Display Country Code get domainsuffix -- Display Domain Name Server suffix get dtim -- Display Data Beacon Rate (DTIM) get encryption -- Display Encryption Mode get fragmentthreshold -- Display Fragment Threshold get frequency -- Display Radio Frequency (MHz) get gateway -- Display Gateway IP Address get groupkeyupdate -- Display Group Key Update Interval (in Seconds) get hardware -- Display Hardware Revisions get hostipaddr -- Display Host IP Address get ipaddr -- Display IP Address get ipmask -- Display IP Subnet Mask get key -- Display Encryption Key get keyentrymethod -- Display Encyrption Key Entry Method get keysource -- Display Source Of Encryption Keys get login -- Display Login User Name get minimumrate -- Display Minimum Rate get nameaddr -- Display IP address of name server get operationMode -- Display Operation Mode get pktLogEnable -- Display Packet Logging Mode get power -- Display Transmit Power Setting get radiusname -- Display RADIUS server name or IP address get radiusport -- Display RADIUS port number get rate -- Display Data Rate get reg -- Display the register contents at the given offset get remoteAp -- Display Remote Ap's Mac Address get rtsthreshold -- Display RTS/CTS Threshold get sntpserver -- Display SNTP/NTP Server IP Address get ssid -- Display Service Set ID get ssidsuppress -- Display SSID Suppress Mode get station -- Display Station Status get SuperG -- Display SuperG Feature Status get systemname -- Display Access Point System Name get tzone -- Display Time Zone Setting get uptime -- Display UpTime get wirelessmode -- Display Wireless LAN Mode get wlanstate -- Display wlan state help -- Display CLI Command List ping -- Ping pktLog -- Packet Log reboot -- Reboot Access Point run -- Run command file quit -- Logoff set acl allow -- Add MAC address to the ACL set acl enable -- Select Restricted Access set acl deny -- Add MAC address to the disabled ACL set acl disable -- Select Unrestrict Access set acl keymap -- Add Encryption key mapping for MAC address set acl strict -- Select Restricted (w/ACL match) Access set aging -- Set Aging Interval set antenna best -- Enable antenna diversity set antenna 1 -- Select antenna 1 set antenna 2 -- Select antenna 2 set authentication open-system -- Select Open-System Authentication Type set authentication shared-key -- Select Shared-Key Authentication Type set authentication auto -- Select auto Authentication Type set authentication WPA -- Select Authentication WPA Type set authentication WPA-PSK -- Select Authentication WPA-PSK Type set autochannelselect disable -- Disable Automatic Channel Selection set autochannelselect enable -- Enable Automatic Channel Selection set beaconinterval -- Modify Beacon Interval set burstSeqThreshold -- Set Max Number of frames in a Burst set burstTime -- Set Burst Time set channel -- Set Radio Channel set cipher wep -- Select wep set cipher aes -- Select aes set cipher tkip -- Select tkip set cipher auto -- Select cipher through negotiation set countrycode -- Set Country Code set domainsuffix -- Set Domain Name Server Suffix set dtim -- Set Data Beacon Rate (DTIM) set encryption disable -- Disable Encryption set encryption enable -- Enable Encryption set factorydefault -- Restore to Default Factory Settings set fragmentthreshold -- Set Fragment Threshold set frequency -- Set Radio Frequency (MHz) set gateway -- Set Gateway IP Address set groupkeyupdate -- Set Group Key Update Interval (in Seconds) set hostipaddr -- Set Host IP address set ipaddr -- Set IP Address set ipmask -- Set IP Subnet Mask set key default -- Set Default Encryption Key set key 40 -- Set 40-bit Encryption Key set key 104 -- Set 104-bit Encryption Key set key 128 -- Set 128-bit Encryption Key set keyentrymethod hexadecimal -- Key contains (0 - 9, A - F) set keyentrymethod asciitext -- Key contains keyboard characters set keysource flash -- All keys will be read from flash (no key derivation) set keysource server -- All keys will be derived from authentication server set keysource mixed -- Keys read from flash or derived from authentication server set login -- Modify Login User Name set minimumrate 0.25 -- Select 0.25 Mbps set minimumrate 0.5 -- Select 0.5 Mbps set minimumrate 1 -- Select 1 Mbps set minimumrate 2 -- Select 2 Mbps set minimumrate 3 -- Select 3 Mbps set minimumrate 6 -- Select 6 Mbps set minimumrate 9 -- Select 9 Mbps set minimumrate 12 -- Select 12 Mbps set minimumrate 18 -- Select 18 Mbps set minimumrate 24 -- Select 24 Mbps set minimumrate 36 -- Select 36 Mbps set minimumrate 48 -- Select 48 Mbps set minimumrate 54 -- Select 54 Mbps set nameaddress -- Set Name Server IP address set operationMode ap -- Operating as Access Point set operationMode sta -- Operating as Wireless Client set operationMode ppt -- Operating as Wireless Bridge set operationMode mpt -- Operating as Multi-point Bridge set operationMode repeater -- Operating as Wireless Repeater set password -- Modify Password set passphrase -- Modify Passphrase set pktLogEnable -- Enable Packet Logging set power full -- Set maximum (normal) transmit power set power half -- Set fractional (1/2) transmit power set power quarter -- Set fractional (1/4) transmit power set power eighth -- Set fractional (1/8) transmit power set power min -- Set minimum transmit power set radiusname -- Set RADIUS name or IP address set radiusport -- Set RADIUS port number set radiussecret -- Set RADIUS shared secret set rate best -- Select best data rate set rate 0.25 -- Select 0.25 Mbps set rate 0.5 -- Select 0.5 Mbps set rate 1 -- Select 1 Mbps set rate 2 -- Select 2 Mbps set rate 3 -- Select 3 Mbps set rate 6 -- Select 6 Mbps set rate 9 -- Select 9 Mbps set rate 12 -- Select 12 Mbps set rate 18 -- Select 18 Mbps set rate 24 -- Select 24 Mbps set rate 36 -- Select 36 Mbps set rate 48 -- Select 48 Mbps set rate 54 -- Select 54 Mbps set reg -- Set Register Value set remoteAP -- Set Remote AP's Mac Address set rtsthreshold -- Set RTS/CTS Threshold set sntpserver -- Set SNTP/NTP Server IP Address set ssid -- Set Service Set ID set ssidsuppress enable -- Enable SSID suppress mode set ssidsuppress disable -- Disable SSID suppress mode set SuperG enable -- Enable SuperG Features set SuperG disable -- Disable SuperG Features set systemname -- Set Access Point System Name set tzone -- Set Time Zone Setting set wlanstate disable -- Disable wlan set wlanstate enable -- Enable wlan set wirelessmode 11a -- 802.11a set wirelessmode 11b -- 802.11b set wirelessmode 11g -- 802.11g set wirelessmode 108g static -- 802.11g Static Turbo set wirelessmode 108g dynamic -- 802.11g Dynamic Turbo set wirelessmode turbo static -- 802.11a Static Turbo set wirelessmode turbo dynamic -- 802.11a Dynamic Turbo timeofday -- Display Current Time of Day version -- Software version nvram -- nvram utility
PCI Hardware Reported
Interesting Hardware information reported:
wlan0 -> get hardware wlan0 revisions: mac 5.7 phy 4.2 analog 3.6 PCI Vendor ID: 0x168c, Device ID: 0x13 Sub Vendor ID: 0x168c, Sub Device ID: 0x13 chip is AR2312
Router Default Configuration
The overall configuration:
wlan0 -> get config wlan0 revisions: mac 5.7 phy 4.2 analog 3.6 PCI Vendor ID: 0x168c, Device ID: 0x13 Sub Vendor ID: 0x168c, Sub Device ID: 0x13 chip is AR2312 Country Code: US Operation Mode: Access Point Wlan State: Enabled Radio Frequency: 5260 MHz (IEEE 52) Wireless LAN Mode: 802.11a Auto Channel Select: Disabled Data Rate: best Antenna: best Login Username: RADIUS address: Name server IP address: Name server domain suffix: SSID: linksys-a SSID Suppress Mode: Disabled System Name: Beacon Interval: 100 DTIM: 1 Fragmentation Threshold: 2346 RTS/CTS Threshold: 2346 Burst Time: 2 Burst Sequence Threshold: 3 IP Address: 192.168.1.1 IP Mask: 255.255.255.0 Host IP Address: 0.0.0.0 Gateway IP Address: 192.168.1.20 SNTP/NTP Server IP Address: Time Zone: HW Transmit Retry Limit: 4 SW Transmit Retry Limit: 3 TransmitPower: full Current Transmit Output Power 16.0 dBm SuperG :Disabled Encryption: Disabled Cipher selection: AUTO Authentication Type: Open System Default transmit key: none Access Check: Disabled Key Entry Method: hexadecimal Group Key Update Interval: 3600 seconds Key Source: flash Aging Interval: 300 seconds Minimum rate: 0.25 Mbps XR Poll interval: 100 msec XR Frame Limit: 25 XR Poll Rate String is 0.25 1 1 3 3 6 6 20 XR Fragmentation Threshold: 540
Undocumented ls Command
Aha, there's an undocumented ls command!
wlan0 -> ls apcfg 3364 nvram 8404 apimg1 1290212 apimg1.hdr 52 apcfg.bak 3364 config.bin 11227 2146304 bytes free
File Contents Downloaded via FTP
AP Config (APCFG)
(Passphrases are Masked out).
# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved # DO NOT EDIT -- This configuration file is automatically generated magic Ar52xxAP fwc: 1 login nameaddr domainsuffix RADIUSaddr RADIUSport 1812 RADIUSsecret password admin passphrase wlan1 passphrase passphraseKey ******************************************************************************** wlan1 passphraseKey ******************************************************************************** version 2 AgingInterval 300 Abolt 112 wlan1 Abolt 112 pktLogEnable 0 wlan1 pktLogEnable 0 ofdmTrigLow 800 ofdmTrigHigh 1500 cckTrigLow 200 cckTrigHigh 500 enableANI 1 noiseImmunityLvl 0 spurImmunityLvl 0 ofdmWeakSigDet 1 cckWeakSigThr 1 firStepLvl 0 groupKeyUpdateInterval 3600 wlan1 groupKeyUpdateInterval 3600 BeaconInterval 100 wlan1 BeaconInterval 100 BurstTime 2 wlan1 BurstTime 2 BurstSeqThreshold 3 wlan1 BurstSeqThreshold 3 CalibrationPeriod 30 wlan1 CalibrationPeriod 30 CountryCode US WirelessMode 11a wlan1 WirelessMode 11g WlanState Enable wlan1 WlanState Enable OpMode Access Point wlan1 OpMode Access Point RemoteApMacAddr 00:00:00:00:00:00 wlan1 RemoteApMacAddr 00:00:00:00:00:00 RadioChannel 5260 wlan1 RadioChannel 2437 DataRate best wlan1 DataRate best Antenna best wlan1 Antenna best ssid linksys-a wlan1 ssid linksys-g ssidSuppress Disable wlan1 ssidSuppress Disable SystemName DTIM 1 wlan1 DTIM 1 gOptimize 1 wlan1 gOptimize 1 CTSMODE 2 wlan1 CTSMODE 2 CTSRATE 4 wlan1 CTSRATE 4 CTSTYPE 0 wlan1 CTSTYPE 0 ShortSlotTime Enable wlan1 ShortSlotTime Enable Basic11g 1 wlan1 Basic11g 1 GBEACON 0 wlan1 GBEACON 0 gOnly Disable wlan1 gOnly Disable gOverlap Enable wlan1 gOverlap Enable gDraft5 Disable wlan1 gDraft5 Disable FragmentThreshold 2346 wlan1 FragmentThreshold 2346 RTSThreshold 2346 wlan1 RTSThreshold 2346 SntpServer SoftwareRetry Enable wlan1 SoftwareRetry Enable HwTxRetries 4 wlan1 HwTxRetries 4 SwTxRetries 3 wlan1 SwTxRetries 3 Telnet Disable Timeout 0 TimeZone TransmitPower full wlan1 TransmitPower full OverRideTxPower 0 WDS Disable wlan1 WDS Disable WME Disable wlan1 WME Disable GPRS 0 wlan1 GPRS 0 UPSD Disable wlan1 UPSD Disable QuietAckCtsAllow Disable wlan1 QuietAckCtsAllow Disable QuietDuration 0 wlan1 QuietDuration 0 QuietOffset 0 wlan1 QuietOffset 0 CompressionProc 0 wlan1 CompressionProc 0 CompressionWinSize 4096 wlan1 CompressionWinSize 4096 Keytable 1 wlan1 Keytable 1 Keyentrymethod hexadecimal wlan1 Keyentrymethod hexadecimal Keysource flash wlan1 Keysource flash DefaultKey 1 wlan1 DefaultKey 1 WATCHDOG Enable extendedchanmode Enable encryption Disable wlan1 encryption Disable cipher auto wlan1 cipher auto AuthenticationType Open-System wlan1 AuthenticationType Open-System autochanselect Disable wlan1 autochanselect Disable OutdoorChannel Enable wlan1 OutdoorChannel Enable ShortPreamble Enable wlan1 ShortPreamble Enable Basic11b Disable wlan1 Basic11b Disable AccessPermission Disable wlan1 AccessPermission Disable Acltable 4 wlan1 Acltable 4 FtpVenDef ; ; ; ; ; ; 0 FtpUpdate ; ; ; ; ; ; 0 FtpScript ; ; ; ; ; _stemp_; 0 XR Enable wlan1 XR Enable XRPoll 100 wlan1 XRPoll 100 XRQueueFrameLimit 25 wlan1 XRQueueFrameLimit 25 XRQueuePollRate 0.25 1 1 3 3 6 6 20 wlan1 XRQueuePollRate 0.25 1 1 3 3 6 6 20 XRFragmentThreshold 540 wlan1 XRFragmentThreshold 540 MinimumRate 0.25 wlan1 MinimumRate 0.25 Bytes: 3336 checksum: 45779
Firmware Header? (apimg1.hdr)
[root@ufo RouterFiles]# hexdump -C apimg1.hdr 00000000 41 48 30 30 41 5b bb 32 00 13 af e4 da 98 22 4e |AH00A[.2......"N| 00000010 24 9e 72 4b a8 ab f2 07 58 28 08 29 00 01 00 14 |$.rK....X(.)....| 00000020 41 63 63 65 73 73 50 6f 69 6e 74 5f 35 33 31 32 |AccessPoint_5312| 00000030 5f 30 31 00 |_01.| 00000034
First 512 Bytes of Firmware File
[root@ufo RouterFiles]# head -c 512 apimg1 | hexdump -C 00000000 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00 |.ELF............| 00000010 00 02 00 08 00 00 00 01 80 48 46 e0 00 00 00 34 |.........HF....4| 00000020 00 13 ae f4 10 00 00 01 00 34 00 20 00 01 00 28 |.........4. ...(| 00000030 00 06 00 05 00 00 00 01 00 00 00 60 80 48 00 00 |...........`.H..| 00000040 80 48 00 00 00 13 ae 60 00 15 4a e0 00 00 00 07 |.H.....`..J.....| 00000050 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000060 30 82 00 03 14 40 00 30 00 c0 38 21 30 a2 00 03 |0....@.0..8!0...| 00000070 14 40 00 2d 2c e2 00 04 14 40 00 2b 24 02 00 03 |.@.-,....@.+$...| 00000080 00 46 10 23 28 c6 00 04 14 c0 00 13 30 43 00 0f |.F.#(.......0C..| 00000090 10 60 00 18 28 62 00 0c 10 40 00 0f 28 62 00 08 |.`..(b...@..(b..| 000000a0 10 40 00 08 28 62 00 04 14 40 00 12 00 00 00 00 |.@..(b...@......| 000000b0 8c a2 00 00 24 a5 00 04 24 e7 ff fc ac 82 00 00 |....$...$.......| 000000c0 24 84 00 04 8c a2 00 00 24 a5 00 04 24 e7 ff fc |$.......$...$...| 000000d0 ac 82 00 00 24 84 00 04 8c a2 00 00 24 a5 00 04 |....$.......$...| 000000e0 24 e7 ff fc 2c e6 00 04 ac 82 00 00 14 c0 00 0e |$...,...........| 000000f0 24 84 00 04 8c a2 00 00 ac 82 00 00 8c a3 00 04 |$...............| 00000100 ac 83 00 04 8c a2 00 08 24 e7 ff f0 ac 82 00 08 |........$.......| 00000110 8c a3 00 0c 2c e6 00 04 24 a5 00 10 ac 83 00 0c |....,...$.......| 00000120 10 c0 ff f4 24 84 00 10 10 e0 00 24 00 07 10 23 |....$......$...#| 00000130 30 43 00 03 10 60 00 15 28 62 00 03 10 40 00 0d |0C...`..(b...@..| 00000140 28 62 00 02 10 40 00 06 00 00 00 00 90 a2 00 00 |(b...@..........| 00000150 24 a5 00 01 24 e7 ff ff a0 82 00 00 24 84 00 01 |$...$.......$...| 00000160 90 a2 00 00 24 a5 00 01 24 e7 ff ff a0 82 00 00 |....$...$.......| 00000170 24 84 00 01 90 a2 00 00 24 a5 00 01 24 e7 ff ff |$.......$...$...| 00000180 a0 82 00 00 10 e0 00 0d 24 84 00 01 90 a2 00 00 |........$.......| 00000190 a0 82 00 00 90 a3 00 01 a0 83 00 01 90 a2 00 02 |................| 000001a0 a0 82 00 02 90 a3 00 03 24 e7 ff fc 24 a5 00 04 |........$...$...| 000001b0 a0 83 00 03 14 e0 ff f5 24 84 00 04 03 e0 00 08 |........$.......| 000001c0 00 00 00 00 30 82 00 03 14 40 00 21 00 a0 18 21 |....0....@.!...!| 000001d0 28 62 00 04 14 40 00 1e 24 02 00 03 00 45 10 23 |(b...@..$....E.#| 000001e0 30 45 00 0f 10 a0 00 12 28 a2 00 0c 10 40 00 0b |0E......(....@..| 000001f0 28 a2 00 08 10 40 00 06 28 a2 00 04 14 40 00 0c |(....@..(....@..|
Last 512 Bytes of Firmware File
[root@ufo RouterFiles]# tail -c 512 apimg1 | hexdump -C
00000000 cb ad 54 1e 8d dd 8c 26 5f 8e f2 85 75 e6 b6 f6 |..T....&_...u...|
00000010 11 71 ef a0 be fa 77 e4 d7 1f a2 36 b9 9a 29 e2 |.q....w....6..).|
00000020 7e 8a fa e9 6d e4 81 b7 11 db df 86 ee e7 50 83 |~...m.........P.|
00000030 bc 5b bb aa eb 9b 06 1a 19 5d 6f fa 63 be c7 98 |.[.......]o.c...|
00000040 7c a4 ec d2 0e f2 5e d2 0d a1 87 5d 5e 6b ea ab ||.....^....]^k..|
00000050 a6 fa a2 65 b2 d5 af af fe cc fa 49 fb 55 d7 bb |...e.......I.U..|
00000060 45 ff ef d2 8f d2 27 e8 ff d5 50 ab 3f 5f ea d5 |E.....'...P.?_..|
00000070 7c 26 e6 ff 89 70 a9 57 71 e0 22 42 fe ff 25 fd ||&...p.Wq."B..%.|
00000080 bf 4b 24 0f c8 5f 29 dc b2 15 9f 6d f8 c8 ff 23 |.K$.._)....m...#|
00000090 f0 a1 fc 0d 1b 7c 3e f7 bf fc dc f8 ff fc 91 da |.....|>.........|
000000a0 15 7f 15 ef d2 ff f7 6f b9 7b f5 7f d4 7e 9f 7a |.......o.{...~.z|
000000b0 6f bd b8 aa e7 44 01 7d 8b d5 5f 44 66 3f 3a b6 |o....D.}.._Df?:.|
000000c0 6d 87 1f ad a0 96 5c c1 7e 64 05 eb fa bf a6 fe |m.....\.~d......|
000000d0 1b b0 26 0e 2c 01 75 00 00 00 00 00 00 2e 73 79 |..&.,.u.......sy|
000000e0 6d 74 61 62 00 2e 73 74 72 74 61 62 00 2e 73 68 |mtab..strtab..sh|
000000f0 73 74 72 74 61 62 00 2e 74 65 78 74 00 2e 72 6f |strtab..text..ro|
00000100 64 61 74 61 00 2e 64 61 74 61 00 2e 62 73 73 00 |data..data..bss.|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000130 00 00 00 00 00 00 00 00 00 00 00 1b 00 00 00 01 |................|
00000140 00 00 00 07 80 48 00 00 00 00 00 60 00 00 47 2c |.....H.....`..G,|
00000150 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 |................|
00000160 00 00 00 21 00 00 00 01 00 00 00 02 80 48 47 30 |...!.........HG0|
00000170 00 00 47 90 00 00 02 40 00 00 00 00 00 00 00 00 |..G....@........|
00000180 00 00 00 10 00 00 00 00 00 00 00 29 00 00 00 01 |...........)....|
00000190 00 00 00 03 80 48 49 70 00 00 49 d0 00 13 64 f0 |.....HIp..I...d.|
000001a0 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 |................|
000001b0 00 00 00 2f 00 00 00 08 00 00 00 03 80 5b ae 60 |.../.........[.`|
000001c0 00 13 ae c0 00 01 9c 80 00 00 00 00 00 00 00 00 |................|
000001d0 00 00 00 10 00 00 00 00 00 00 00 11 00 00 00 03 |................|
000001e0 00 00 00 00 00 00 00 00 00 13 ae c0 00 00 00 34 |...............4|
000001f0 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 |................|
And file reports the firmware as:
[root@ufo RouterFiles]# file apimg1 apimg1: ELF 32-bit MSB executable, MIPS, MIPS-II version 1 (SYSV), statically linked, stripped
NVRAM Contents
wan_proto=dhcp wan_ipaddr=0.0.0.0 wan_netmask=0.0.0.0 wan_default_gw=0.0.0.0 wan_dns_1=0.0.0.0 wan_dns_2=0.0.0.0 wan_dns_3=0.0.0.0 pppoe_username= pppoe_passwd= pppoe_keepalive=1 pppoe_ondemand=0 pppoe_idle_time=0 pppoe_redialtime=60 sys_name= wan_domain= lan_ipaddr=192.168.1.1 lan_netmask=255.255.255.0 dhcps_mode=enabled dhcps_startip=192.168.1.100 dhcps_endip=192.168.1.149 dhcps_lease=0 dhcps_dns_1=0.0.0.0 dns_1= dns_1_1=0 dns_1_2=0 dns_1_3=0 dns_1_4=0 dhcps_dns_2=0.0.0.0 dns_2= dns_2_1=0 dns_2_2=0 dns_2_3=0 dns_2_4=0 dhcps_dns_3=0.0.0.0 dns_3= dns_3_1=0 dns_3_2=0 dns_3_3=0 dns_3_4=0 dhcps_wins_1=0.0.0.0 wins_1_1=0 wins_1_2=0 wins_1_3=0 wins_1_4=0 dhcps_start= dhcps_end= dhcps_client_mode_1=disabled dhcps_client_mode_2=disabled dhcps_client_mode_3=disabled dhcps_client_mode_4=disabled dhcps_client_mode_5=disabled dhcps_client_mode_6=disabled dhcps_client_mode_7=disabled dhcps_client_mode_8=disabled dhcps_client_mode_9=disabled dhcps_client_mode_10=disabled dhcps_client_name_1= dhcps_client_name_2= dhcps_client_name_3= dhcps_client_name_4= dhcps_client_name_5= dhcps_client_name_6= dhcps_client_name_7= dhcps_client_name_8= dhcps_client_name_9= dhcps_client_name_10= dhcps_client_ip_1_4=0 dhcps_client_ip_2_4=0 dhcps_client_ip_3_4=0 dhcps_client_ip_4_4=0 dhcps_client_ip_5_4=0 dhcps_client_ip_6_4=0 dhcps_client_ip_7_4=0 dhcps_client_ip_8_4=0 dhcps_client_ip_9_4=0 dhcps_client_ip_10_4=0 dhcps_client_mac_1=00:00:00:00:00:00 dhcps_client_mac_2=00:00:00:00:00:00 dhcps_client_mac_3=00:00:00:00:00:00 dhcps_client_mac_4=00:00:00:00:00:00 dhcps_client_mac_5=00:00:00:00:00:00 dhcps_client_mac_6=00:00:00:00:00:00 dhcps_client_mac_7=00:00:00:00:00:00 dhcps_client_mac_8=00:00:00:00:00:00 dhcps_client_mac_9=00:00:00:00:00:00 dhcps_client_mac_10=00:00:00:00:00:00 wan_dns= login_name= login_password=admin lan_gateway=192.168.1.20 country_domain=US wl0_ssid=linksys-a wl0_channel=52 wl0_stat_mode=enabled wl0_wirelessmode=11a wl0_ssid_bcast=enabled wl0_security_mode=disabled wl0_encrypt