SMC WEBT-G

From Freifunk Hannover


SMC WEBT-G Wireless Bridge

I'm working with the SMC device, which has a bootloader from Arcadyan.
It starts from position 0x80001000, so I need to build a bootloader that
starts from this position, decompresses the LZMA kernel, and then boots the
kernel from its kernel entry.
Original SMC boot dump + thread

Serial Settings

8 data bits, no parity, 1 stop bit, 115200 baud, hardware flow control: yes, software flow control: no

Standard Settings

IP: 192.168.2.25, default password: smcadmin, manual: SMC USA

Image

The original image is zip-compressed. Unpacking it yields a PFS/0.9 image.

The last lines of the .bin used for flashing

 000bfff0:  ff ff ff ff 86 40 07 00  78 56 34 12 b0 15 6f 08  .....@..xV4...o.
 000c0000:  42 52 4e 57 00 00 00 00  00 00 -- -- -- -- -- --  BRNW......------

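Splitting the firmware

  • download the original SMCWEBT-G_FCC_V1_09_2.bin
  • divide.pl
#!/usr/bin/perl
# divide firmware parts: carve the embedded ZIP archives out of the image
use strict;
use warnings;

my $hb = "PK\x03\x04";    # ZIP local file header signature
my $he = "PK\x05\x06";    # ZIP end-of-central-directory signature

my $file = shift or die "usage: $0 firmware.bin\n";
open my $in, '<:raw', $file or die "$file: $!";
my $bulk = do { local $/; <$in> };    # slurp the whole image
close $in;

# Each archive runs from its first local header to the end-of-central-directory
# record (4-byte signature + 18 bytes, assuming no archive comment).
my $i = 0;
for my $zip ($bulk =~ m/(\Q$hb\E.*?\Q$he\E.{18})/sg) {
    $i++;
    open my $out, '>:raw', "fw$i.zip" or die "fw$i.zip: $!";
    print {$out} $zip;
    close $out;
}
  • divide.pl SMCWEBT-G_FCC_V1_09_2.bin produces two fw?.zip files
  • unpack fw1 + fw2: mv fw1.zip fw1.gz && gunzip fw1.gz
  • fw1 -> pfs.img (filesystem with www, cgi-bin)
  • fw2 -> soho.img (system image) - perhaps VxWorks!?
  • strings soho.img is interesting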
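
The same carving step, as an added example that is not part of the original page: instead of assuming that exactly 18 bytes follow the end-of-central-directory signature, it reads that record's size, offset and comment-length fields to find each archive's exact bounds, then checks the members' CRCs before accepting it. The function names and the sample blob (padding, two archives, one stray signature) are constructed for illustration.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"   # local file header, start of an archive
EOCD_SIG = b"PK\x05\x06"    # end-of-central-directory record, 22 bytes + comment

def carve_zips(blob):
    """Return [(offset, archive_bytes)] for each valid ZIP embedded in blob."""
    found, pos = [], 0
    while (eocd := blob.find(EOCD_SIG, pos)) != -1:
        pos = eocd + 4
        if eocd + 22 > len(blob):
            break                                   # truncated record at end of image
        # sig, disk numbers, entry counts, central dir size/offset, comment length
        *_, cd_size, cd_offset, comment_len = struct.unpack_from("<4s4H2LH", blob, eocd)
        start = eocd - cd_size - cd_offset          # offsets are relative to archive start
        end = eocd + 22 + comment_len
        if start < 0 or end > len(blob) or blob[start:start + 4] != LOCAL_SIG:
            continue                                # signature bytes inside unrelated data
        archive = blob[start:end]
        try:
            with zipfile.ZipFile(io.BytesIO(archive)) as zf:
                if zf.testzip() is not None:        # CRC check of every member
                    continue
        except (zipfile.BadZipFile, zlib.error):
            continue
        found.append((start, archive))
        pos = end
    return found

def make_zip(name, data, comment=b""):
    """Build a small archive in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
        zf.comment = comment
    return buf.getvalue()

def build_sample():
    """Constructed stand-in for the firmware: padding, two archives, one stray signature."""
    z1 = make_zip("pfs.img", b"PFS/0.9" + bytes(64))
    z2 = make_zip("soho.img", b"runtime code " * 8, comment=b"constructed")
    blob = b"\xff" * 32 + z1 + b"\xff" * 7 + EOCD_SIG + b"\xff" * 40 + z2 + b"\xff" * 16
    return blob, z1, z2

if __name__ == "__main__":
    for offset, archive in carve_zips(build_sample()[0]):
        names = zipfile.ZipFile(io.BytesIO(archive)).namelist()
        print(f"0x{offset:06x}  {len(archive):5d} bytes  {names}")
```

To run it against the real image, read the .bin with `open(path, "rb").read()` and pass the bytes to `carve_zips`.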


CPU speed

Normally 184 MHz,

cpuFreq=184000000 sysFreq=40000000 cntFreq=92000000

but our device then always boots at 240 MHz.

cpuFreq=240000000 sysFreq=60000000 cntFreq=120000000

The reason has not been found yet. First ideas: overclocking while loading from flash, then clocking down for normal operation. Possibly that does not work properly.

Bootloader

RedBoot doesn't have ar531x support.
I have downloaded from Meraki the file redboot_mini, which has this support, but when I try to build the image, I have a problem....

Boot process

ar531xPlus rev 0x00000087 boot loader startup...
Flash initialized
SDRAM initialized
Cache initialized

Copy program from 0xbfc00000 to 0x80520000, length 0x0000c70c bytes ... done
Jump to SDRAM 0x80520cb4 [0x10000008, 0x00000000, 0x00000000]
Clear BSS section ... done
Stack: 0x8053e530
Heap: 0x8053e540



=======================================================================

Flash Found. It is 2MB Flash....

Copying boot params.....DONE
cpuFreq=240000000 sysFreq=60000000 cntFreq=120000000

Press any key to enter command mode ...
Memory Checking from 0xa0000000 to 0xa03fffff
Pattern [ 0x00000000 ] ........................
Pattern [ 0xffffffff ] ........................
Pattern [ 0xaaaaaaaa ] ........................
Pattern [ 0x55555555 ] ........................
Pattern [   serial   ] ........................
Address Overlap Test ......................
Passed.

Checking Valid Image in Flash...
 Passed.

Unzipping program from bank 2...failed(04)
Try to find image for running...
Valid Code found in the Flash

Unzipping program from bank 3........................................................................................................
I am going to run the Code image from 80001000




firmware startup...
Stack: 0x807a0eb0
Heap: 0x807a0ec0
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17/ar5315/gpio.c: feed_watchdog is called??
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17/ar5315/gpio.c: setGpio is called??
##### _ftext      = 0x80001000
##### _fdata      = 0x8011E250
##### __bss_start = 0x80139D44
##### end        = 0x80790EB8
##### Backup Data from 0x8011E250 to 0x807B0EB8 length=0001BAF4
[CGI] Web SDRAM area is from 0XBFC40000H

install_exception
Installing TLB Refill exception handler from 8000A2B0 to 80000000, size=184
Installing General exception handler from 8000A368 to 80000180, size=216
Installing Interrupt exception handler from 8000A440 to 80000200, size=160
misc_int_init
mips_int_enable : 0x00000400
Connect the AHB interrupt
sysBoardDataInit
Init the GPIOs !!!
Enable arbitration for SOC devices !!!
cpuFreq=184000000 sysFreq=40000000 cntFreq=92000000
should call WLanReset..
AR531X_TIMER=00061A6D
AR531X_RELOAD=00061A80
AR531X_IMR=00000028
mips_cp0_status=10000401
mips_cp0_cause=30800000
[INIT] MTinitialize ..
Runtime code version: V1.03
System startup...
[INIT] MTmeminit ..
[INIT] check COLOR 0 ..
soho initialize COLOR1 : 409600
[INIT] soho initialize COLOR2 : 25480
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17/ar5315/gpio.c: feed_watchdog is called??

Flash Found. It is 2MB Flash....
Set flash memory layout to Runcode version: V1.03
Runcode date: Sep 23 2005 21:04:09
Bootcode version: V0.03
Serial number: J631009782
Hardware version: 01
sizeof(struct III_Config_t) is 28604
!!! Invalid wireless channel range 0 ~ 0
!!! Use default value 1 ~ 11
default route: 0.0.0.0
BufferInit:
BUF_HDR_SZ=32 BUF_ALIGN_SZ=12 BUFFER_OFFSET=96
BUF_BUFSZ0=384 BUF_BUFSZ1=3264
NUM_OF_B0=200 NUM_OF_B1=900
BUF_POOL0_SZ=83200 BUF_POOL1_SZ=2966400
sizeof(BUFFER0)=416,sizeof(BUFFER1)=3296
*BUF0=0x8066911c *BUF1=0x80394d8c
Altgn *BUF0=0x80669120 *BUF1=0x80394d90
End at BUF0:0x8067d620, BUF1:0x80669110

buffer0 pointer init OK!
buffer1 pointer init OK!
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=0)> ifp->add_default_route:0
Interface 0 ip = 127.0.0.1

ar531xmac_init: ifno=1, initstr=UNIT=0 VLAN=-1
D:/Projects/ttf2004/source/firmware/hardware/ar5312/ar531xbsp.c:sysEnetInit is called
ae531xEndLoad: loading device ...
ae531xEndLoad: unit=0, pDmaBuf=0xa02a5bb4, dmaBufSize=8976, txDescCount=192, rxDescCount=256, clCount=512
ae531xEndLoad: System param: mac=b0500000, dma=b0501000, ivec=4, ilev=1000
ae531xEndLoad: Flash ea = 00:13:f7:45:5f:f0
ae0 qt = 1, buf begin = 80000000, buf end = 80000000
ae0 qt = 1, drsc begin = a02a5bc0, desc end = a02a6aac
Tx Queue b=0xa02a5bc0, e=0xa02a6aac, c=0xa02a5bc0, s@c=0x       0
ae0 qt = 2, buf begin = 80394df2, buf end = 80462112
ae0 qt = 2, drsc begin = a02a6ac0, desc end = a02a7eac
Rx Queue b=0xa02a6ac0, e=0xa02a7eac, c=0xa02a6ac0, s@c=0x80000000
ae531xMemInit: Memory setup complete.
Invalid PHY ID1 for enet0.  Expected 0x002E, read 0x0022
eth0: Phy reset complete, starting auto-negotiation...
ALTM_PHY_CONTROL               = 3100
ALTM_PHY_STATUS                = 7849
ALTM_PHY_ID1                   = 0022
ALTM_PHY_ID2                   = 5521
ALTM_AUTONEG_ADVERT            = 01E1
ALTM_LINK_PARTNER_ABILITY      = 0001
ALTM_AUTONEG_EXPANSION         = 0004
ALTM_NEXT_PAGE_TRANSMIT        = 2001
ALTM_BT_INT_LEVEL_CONTROL      = 1800
ALTM_INT_CONTROL_STATUS        = 0000
ALTM_DIAGNOSTIC                = 0010
ALTM_POWER_LOOPBACK            = 0000
ALTM_CABLE_MEASUREMENT_CONTROL = C0DD
ALTM_RECEIVE_ERROR_COUNTER     = 0000
ALTM_POWER_MANAGEMENT          = 01FF
ALTM_OPERATION_MODE            = 8040
ALTM_CRC_FOR_RECENT_RCVD_PKT   = 0000
eth0: Phy Status=7849
eth0: duplex 0, link 1
ae_SetMacFromPhy: enet0 as half duplex, 10Mbps
ae0: setting TXDP=0xa02a5bc0 RXDP=0xa02a6ac0
ae0 Verify MAC address 45F71300 0000F05F
  sb = 00 13 F7 45 5F F0
ae531xRxFilterConfig: MacControl = 1084000C
ae531xEndLoad: Done loading, pDrvCtrl=802A59AC txQ=802A59D8 rxQ=802A59EC
ar531xmac_init: enet0 set to NORMAL mode

  DmaStatus  = 0x       0
  DmaBusMode = 0x    2084
  DmaRxBase  = 0x  2a6ac0
  DmaTxBase  = 0x  2a5bc0
  DmaControl = 0x  200000
  DmaIntr    = 0x       0
  MacControl = 0x1084000c
  MacAddrHi  = 0x    f05f
  MacAddrLo  = 0x45f71300
  MacVlan1   = 0x    8100
  MacVlan2   = 0x       0

Rx Queue b=0xa02a6ac0, e=0xa02a7eac, c=0xa02a6ac0, s@c=0x80000000
Current Rx buffer = 0x       0
Tx Queue b=0xa02a5bc0, e=0xa02a6aac, c=0xa02a5bc0, s@c=0x       0
Current Tx buffer = 0x       0
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=1)> ifp->add_default_route:1
ae531xRxFilterConfig: MacControl = 1084000C
Interface 1 ip = 192.168.2.25

ae531xRxFilterConfig: MacControl = 1084000C
ether_init : Set WAN MTU = 1500
ar531xmac_init: ifno=2, initstr=UNIT=0 VLAN=-1
ar531xmac_init: driver already loaded, number of instances is 2
ar531xmac_init: enet0 set to NORMAL mode

  DmaStatus  = 0x       0
  DmaBusMode = 0x    2084
  DmaRxBase  = 0x  2a6ac0
  DmaTxBase  = 0x  2a5bc0
  DmaControl = 0x  200000
  DmaIntr    = 0x       0
  MacControl = 0x1084000c
  MacAddrHi  = 0x    f05f
  MacAddrLo  = 0x45f71300
  MacVlan1   = 0x    8100
  MacVlan2   = 0x       0

Rx Queue b=0xa02a6ac0, e=0xa02a7eac, c=0xa02a6ac0, s@c=0x80000000
Current Rx buffer = 0x       0
Tx Queue b=0xa02a5bc0, e=0xa02a6aac, c=0xa02a5bc0, s@c=0x       0
Current Tx buffer = 0x       0
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=2)> ifp->add_default_route:1
Interface 2 ip = 0.0.0.0

[HWLAN] ifno=3 irno=7 port=0x00000000
[HWLAN] semBCreate return 1 80299178, count 1
[HWLAN] pRadio->abolt = 00000000
[HWLAN] pRadio->abolt = 00000000
[HWLAN] gSetting.BasicRate=f
apInit: Initialize Access Point.
[HWLAN] ar5hwcCreatePhy : ifno:3 pdevInfo=8030cb24, devno=1
[HWLAN] devno 1 pdevInfo 8030cb24
[HWLAN] Base address = b0000000, irq 3
Attach AR5212 0x13 0x8030cb24
[HWLAN] DOMAIN 00008348
[HWLAN] Set HWLAN MAC as LAN MAC ..
[HWLAN] MAC Address=00-13-F7=45-5F-F0
[HWLAN] wlan1 revisions: mac 11.0 phy 4.8 analog 7.0 eeprom 5.2
[HWLAN] phwChannel 2437, channelFlags 00005400
[HWLAN] size of ATHEROS_DESC hardware part 32
[HWLAN] CACHE_LINE_SIZE 16, AR_DESC_SIZE 128
[HWLAN] AR_HEADER_SIZE 96, AR_BUF_SIZE 3196numDescriptors = 704
[HWLAN] wlan1: pDmaBuf=A013A770
[HWLAN] pMemBuf a013a770 pdevInfo->pDmaBuf a013a770
[HWLAN] semBCreate return 2 80299188, count 1
[HWLAN] ar5hwcQueueCreate: semaphore id 80299188
[HWLAN] semBCreate return 3 80299198, count 1
[HWLAN] ar5hwcQueueCreate: semaphore id 80299198
[HWLAN] semBCreate return 4 802991a8, count 1
[HWLAN] ar5hwcQueueCreate: semaphore id 802991a8
[HWLAN] semBCreate return 5 802991b8, count 1
[HWLAN] ar5hwcQueueCreate: semaphore id 802991b8
[HWLAN] pMemBuf a0156770, pdevInfo->pDmaBuf + pdevInfo->dmaBufSize a0188790
[HWLAN] muxDevLoad is called for vportNum 10000, loadfn 80057e64, vportStr 16: 0: 1
[HWLAN] semBCreate return 6 802991c8, count 1
[HWLAN] semBCreate return 7 802991d8, count 1
ar5212Reset: maxCalCount 20
[HWLAN] ioctl CMD=0xb
mips_int_connect: ivec 3 ar5hwcInt 8003ca78 pdevInfo 8030cb24
mips_int_enable : 0x00000C00
[HWLAN] bridgePortAdd : vp, 10000
[HWLAN] bridgePortAdd (base BSS) succeeded for vp1
[HWLAN] semBCreate return 8 802991e8, count 0
[HWLAN] semBCreate return 9 802991f8, count 0
[HWLAN] semBCreate return 10 80299208, count 1
[HWLAN] semBCreate return 11 80299218, count 1
[HWLAN] semBCreate return 12 80299228, count 0
[HWLAN] semBCreate return 13 80299238, count 1
[HWLAN] semBCreate return 14 80299248, count 1
[HWLAN] semBCreate return 15 80299258, count 0
[HWLAN] semBCreate return 16 80299268, count 1
[HWLAN] semBCreate return 17 80299278, count 1
[HWLAN] semBCreate return 18 80299288, count 0
[HWLAN] semBCreate return 19 80299298, count 1
wlan1 added STA: 00:13:f7:45:5f:f0 (1630)
[HWLAN] ifno=3 after call apInit() : .... bg 1 , a 0 ....
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17/ar5315/gpio.c: Hwlan_light_init is called??
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=3)> ifp->add_default_route:0
[HWLAN] hwlan_ioctl() ..
Interface 3 ip = 192.168.2.25

[HWLAN] hwlan_ioctl() ..
[HWLAN] ifno=6 irno=7 port=0x00000000
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17/ar5315/gpio.c: Hwlan_light_init is called??
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=6)> ifp->add_default_route:0
[HWLAN] hwlan_ioctl() ..
Interface 6 ip = 192.168.2.25

[HWLAN] hwlan_ioctl() ..
[HWLAN] ifno=7 irno=7 port=0x00000000
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17/ar5315/gpio.c: Hwlan_light_init is called??
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=7)> ifp->add_default_route:0
[HWLAN] hwlan_ioctl() ..
Interface 7 ip = 192.168.2.25

[HWLAN] hwlan_ioctl() ..
[HWLAN] ifno=8 irno=7 port=0x00000000
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17/ar5315/gpio.c: Hwlan_light_init is called??
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=8)> ifp->add_default_route:0
[HWLAN] hwlan_ioctl() ..
Interface 8 ip = 192.168.2.25

[HWLAN] hwlan_ioctl() ..
[HWLAN] ifno=9 irno=7 port=0x00000000
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17/ar5315/gpio.c: Hwlan_light_init is called??
time = 08/01/2003, 00:00:00
iput_IpLinkUp(ifno=9)> ifp->add_default_route:0
[HWLAN] hwlan_ioctl() ..
Interface 9 ip = 192.168.2.25

[HWLAN] hwlan_ioctl() ..
ae0 Tx Down, dropping mBlk=0x804FE270
ae0 Tx Down, dropping mBlk=0x804FD590
ae0 Tx Down, dropping mBlk=0x804FE270
ae0 Tx Down, dropping mBlk=0x804FE270
ae0 Tx Down, dropping mBlk=0x804FE270
ae0 Tx Down, dropping mBlk=0x804FE270
ae0 Tx Down, dropping mBlk=0x804FE270
RUNTASK id=2 if_task if0...
RUNTASK id=3 if_task if1...
RUNTASK id=4 if_task if2...
RUNTASK id=5 if_task if3...
RUNTASK id=6 if_task if6...
RUNTASK id=7 if_task if7...
RUNTASK id=8 if_task if8...
RUNTASK id=9 if_task if9...
RUNTASK id=10 timer_task...
RUNTASK id=11 main_8021x...
year=104,mon=11,day=18D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17/ar5315/gpio.c: feed_watchdog is called??
randomize ..
RUNTASK id=12 period_task...
RUNTASK id=13 dhcp_clt...on interface 2
httpd: listen at 192.168.2.25:80
HTTPD TIMER_RESOURCE:5, FS_RESOURCE:6
RUNTASK httpd...
DHCPD is Disabled
D:/Projects/ttf2004/source/firmware/project/smc/wa4001c-17/ar5315/gpio.c: feed_watchdog is called??
Starting Multitask...
MTstart2() begin  ...
[HWLAN] Ready

 This Device is AP

enet0 up
We just gained our first link(s) for MAC0
ae531xDmaIntEnable 0001a1e2
mips_int_enable : 0x00001C01

Images

Image: front.JPG

Image: top.JPG
