Tuesday, September 29, 2009

How to TFTP firmware to your WRT54G2

In order to tftp the firmware you created, you will need to tftp it into the chip while the bootloader is listening. First, open a terminal and continuously ping 192.168.1.1; you will notice that the TTL is 100, whereas during a normal ping reply it will be 64. Keep this terminal open while opening another new terminal.

Try to erase the nvram and kernel with the JTAG cable. I am still not sure about this yet and I will post more on this part, as I had done many trials and errors before getting into this stage.

This new terminal will be flashing the firmware into the wireless router. The command is something like below:
root@node01:~/> atftp --trace --option "timeout 1" --option "mode octet" --put --local-file openwrt-xxx-x.x-xxx.bin 192.168.1.1

Leave the terminal open, turn off the wireless router and wait for a few seconds before turning it on. Once the tftp is ready, you will see the terminal dumping out lots of information.

You can actually open another terminal and run minicom for monitoring the process. At least you are not working blind.
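The ping-watch and tftp-put steps above, combined into one script. This is an added example and not code from the original post: it assumes the router answers at 192.168.1.1, that atftp is on the PATH, and that the firmware image path is passed as the first argument; the TTL values (100 while CFE answers, 64 once Linux is up) are the ones the post reports, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: wait until the WRT54G2's CFE
# bootloader answers pings (the post reports ttl=100 from CFE and ttl=64 from a
# booted Linux firmware), then push the image with the atftp command the post uses.
# Assumptions: router at 192.168.1.1, atftp on PATH, firmware path given as $1.
# Function names are mine.

ROUTER_IP=${ROUTER_IP:-192.168.1.1}
CFE_TTL=100     # TTL of replies while CFE is listening for tftp (from the post)
LINUX_TTL=64    # TTL of replies once the Linux firmware is running (from the post)

# Print the TTL from one ping reply line ("ttl=100" on Linux/macOS, "TTL=100" on
# Windows); prints nothing when the line carries no TTL (e.g. "Host Unreachable").
ttl_of_reply() {
    printf '%s\n' "$1" | sed -n 's/.*[Tt][Tt][Ll]=\([0-9][0-9]*\).*/\1/p'
}

# Classify one reply line as cfe, linux or unknown.
classify_reply() {
    ttl=$(ttl_of_reply "$1")
    case "$ttl" in
        "$CFE_TTL")   echo cfe ;;
        "$LINUX_TTL") echo linux ;;
        *)            echo unknown ;;
    esac
}

# Constructed sample lines (not captured from the post's router) for a dry run.
demo_classify() {
    classify_reply '64 bytes from 192.168.1.1: icmp_seq=3 ttl=100 time=0.412 ms'   # cfe
    classify_reply '64 bytes from 192.168.1.1: icmp_seq=9 ttl=64 time=1.02 ms'     # linux
    classify_reply 'From 192.168.1.5 icmp_seq=4 Destination Host Unreachable'      # unknown
}

# One tftp put, with the same atftp options the post shows.
push_firmware() {
    atftp --trace --option "timeout 1" --option "mode octet" \
          --put --local-file "$1" "$ROUTER_IP"
}

# Ping until a CFE reply shows up, then push exactly once. Power-cycle the
# router after starting this; while it is off the lines are "unknown" and ignored.
flash_when_cfe_answers() {
    fw=$1
    [ -f "$fw" ] || { echo "firmware image not found: $fw" >&2; return 1; }
    echo "Power-cycle the router now; waiting for CFE (ttl=$CFE_TTL) at $ROUTER_IP" >&2
    ping -i 0.2 "$ROUTER_IP" 2>/dev/null | while IFS= read -r line; do
        case "$(classify_reply "$line")" in
            cfe)
                echo "CFE is answering, pushing $fw" >&2
                push_firmware "$fw"
                exit $?          # leaves the pipeline; ping stops on the broken pipe
                ;;
            linux)
                echo "Linux (ttl=$LINUX_TTL) is answering, not CFE; still waiting" >&2
                ;;
        esac
    done
}

# Run the flash only when a firmware path is given, so the helpers above can be
# sourced or tested on their own.
if [ -n "${1:-}" ]; then
    flash_when_cfe_answers "$1"
fi
```

Run it with the firmware image as the only argument, then power-cycle the router as the post describes. The script pushes on the first ttl=100 reply rather than waiting for a human to notice the TTL change, which matters because the bootloader only accepts the upload for a short time after power-on; a reply with ttl=64 means the old Linux firmware came up instead and the cycle has to be repeated.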

The output will be something like below:
Decompressing..........done


CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Thu Oct 30 16:02:09 EDT 2008 (tornado@dd-wrt.com)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena
Initializing Devices.
Boot partition size = 131072(0x20000)
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 4.150.10.5
CPU type 0x29029: 240MHz
Total memory: 16384 KBytes

Total memory used by CFE:  0x80700000 - 0x807977D0 (620496)
Initialized Data:          0x8072E860 - 0x80730FB0 (10064)
BSS Area:                  0x80730FB0 - 0x807317D0 (2080)
Local Heap:                0x807317D0 - 0x807957D0 (409600)
Stack Area:                0x807957D0 - 0x807977D0 (8192)
Text (code) segment:       0x80700000 - 0x8072E860 (190560)
Boot area (physical):      0x00798000 - 0x007D8000
Relocation Factor:         I:00000000 - D:00000000

Device eth0:  hwaddr 00-23-69-F8-07-AF, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: Failed.
Could not load :: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 3768 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
Linux version 2.6.28.10 (bert@Node01) (gcc version 4.1.2) #7 Tue Sep 29 14:16:43 MYT 2009
CPU revision is: 00029029 (Broadcom BCM3302)
ssb: Core 0 found: ChipCommon (cc 0x800, rev 0x14, vendor 0x4243)
ssb: Core 1 found: Fast Ethernet (cc 0x806, rev 0x09, vendor 0x4243)
ssb: Core 2 found: MIPS 3302 (cc 0x816, rev 0x08, vendor 0x4243)
ssb: Core 3 found: USB 2.0 Host (cc 0x819, rev 0x02, vendor 0x4243)
ssb: Core 4 found: MEMC SDRAM (cc 0x80F, rev 0x04, vendor 0x4243)
ssb: Core 5 found: IEEE 802.11 (cc 0x812, rev 0x0D, vendor 0x4243)
ssb: Core 6 found: Roboswitch (cc 0x81C, rev 0x02, vendor 0x4243)
ssb: Initializing MIPS core...
ssb: core 0x0800, irq : 2(S)  3* 4  5  6  D  I
ssb: core 0x0806, irq : 2(S)  3  4* 5  6  D  I
ssb: core 0x0816, irq : 2(S)  3  4  5* 6  D  I
ssb: core 0x0819, irq : 2(S)  3  4  5  6* D  I
ssb: core 0x080f, irq : 2(S)  3  4  5  6  D  I*
ssb: core 0x0812, irq : 2(S)* 3  4  5  6  D  I
ssb: core 0x081c, irq : 2(S)  3  4  5  6  D  I*
ssb: set_irq: core 0x0806, irq 4 => 4
ssb: set_irq: core 0x0816, irq 5 => 2
ssb: set_irq: core 0x0812, irq 2 => 5
ssb: after irq reconfiguration
ssb: core 0x0800, irq : 2(S)  3* 4  5  6  D  I
ssb: core 0x0806, irq : 2(S)  3  4* 5  6  D  I
ssb: core 0x0816, irq : 2(S)* 3  4  5  6  D  I
ssb: core 0x0819, irq : 2(S)  3  4  5  6* D  I
ssb: core 0x080f, irq : 2(S)  3  4  5  6  D  I*
ssb: core 0x0812, irq : 2(S)  3  4  5* 6  D  I
ssb: core 0x081c, irq : 2(S)  3  4  5  6  D  I*
ssb: Sonics Silicon Backplane found at address 0x18000000
Serial init done.
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00001000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00001000
Built 1 zonelists in Zone order, mobility grouping off.  Total pages: 4064
Kernel command line: root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200
Primary instruction cache 16kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 16kB, 2-way, VIPT, cache aliases, linesize 16 bytes
PID hash table entries: 64 (order: 6, 256 bytes)
console [ttyS0] enabled
Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
Memory: 13488k/16384k available (2153k kernel code, 2896k reserved, 312k data, 136k init, 0k highmem)
Calibrating delay loop... 239.10 BogoMIPS (lpj=478208)
Mount-cache hash table entries: 512
net_namespace: 428 bytes
NET: Registered protocol family 16
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP reno registered
NET: Registered protocol family 1
detected lzma initramfs
initramfs: LZMA lc=1,lp=2,pb=2,origSize=512
squashfs: version 3.0 (2006/03/15) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
msgmni has been set to 26
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver2 ports, IRQ sharing enabled
serial8250: ttyS0 at MMIO 0xb8000300 (irq = 3) is a 16550A
serial8250: ttyS1 at MMIO 0xb8000400 (irq = 3) is a 16550A
serial8250.0: ttyS0 at MMIO 0xb8000300 (irq = 3) is a 16550A
serial8250.0: ttyS1 at MMIO 0xb8000400 (irq = 3) is a 16550A
b44.c:v2.0
eth0: Broadcom 44xx/47xx 10/100BaseT Ethernet 00:23:69:f8:07:af
flash init: 0x1c000000 0x02000000
Physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
Physically mapped flash: JEDEC Device ID is 0x22C4. Assuming broken CFI table.
Physically mapped flash: Swapping erase regions for broken CFI table.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Flash device: 0x200000 at 0x1fc00000
bootloader size: 131072
Creating 4 MTD partitions on "Physically mapped flash":
0x00000000-0x00020000 : "cfe"
0x00020000-0x001f0000 : "linux"
0x000ed800-0x001f0000 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
mtd: partition "rootfs" set to be root filesystem
mtd: partition "rootfs_data" created automatically, ofs=1E0000, len=10000
0x001e0000-0x001f0000 : "rootfs_data"
0x001f0000-0x00200000 : "nvram"
BCM47xx Watchdog Timer enabled (30 seconds, nowayout)
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 136k freed
Please be patient, while OpenWrt loads ...
- preinit -
Press CTRL-C for failsafe
diag: Router model not detected.
b44: eth0: Link is up at 100 Mbps, full duplex.
b44: eth0: Flow control is off for TX and off for RX.
b44: eth0: powering down PHY
jffs2 not ready yet; using ramdisk
mini_fo: using base directory: /
mini_fo: using storage directory: /tmp/root
- init -

Anyway, my version is still having some bugs as I am trying to develop a working firmware. At least now it is booting with some status. ;)

Sunday, September 27, 2009

How to Use tjtag to flash the WRT54G2

The first time, I was facing a serious problem after I had updated the firmware with a problematic firmware. It left me no choice but forced me to use a JTAG cable to flash the bricked wireless router.

To flash it properly, you need to make sure you download tjtag. It is for Linux users. Windows users, please find your own way to use this application, as I am not good at operating Windows.

For the WRT54G2 use /fc:10, like below:
root@node01:~/tjtag -flash:cfe /skipdetect /fc:10

It may vary for different versions and models. For my model I found that the chipset is equivalent to fc:10. In a later post I will show you how I found out the model for this wireless router.

Remember to copy the CFE.BIN to the working directory, as we only flash the CFE and not the whole firmware. Flashing the whole firmware will take TWO hours. I had tried a few times and wasted lots of time. Flashing the CFE will only take about FIVE minutes, and you can do many trials and errors.

Flash the CFE, then reboot the wireless modem with the tftp upload ready, and upload the firmware. For how to use the Linux tftp command, I will show you all in a later post.

Friday, September 25, 2009

Schedule

Below is my working schedule on the WRT54G2 wireless router modem. I will be updating it frequently:

Day 1
- Wrote some scripts for the repository. Basically it is just a simple script that helps me download the whole repository from the specific site. Well, it takes quite a while for me to download it. Well, it consists of the Kamikaze original source code and the packages.

- Reading and googling on how to build the OpenWRT firmware

Day 2
- Compiling the firmware and learning how to configure the whole thing.

- Building the JTAG, due to a problem with my new firmware causing the whole wireless modem to hang.

- Learning how to use JTAG for flashing the bricked wireless modem.

Day 3
- Due to an unknown problem with the firmware that I had built, I decided to build a simple output console using a MAX232, but unfortunately I had broken one of the IC terminals. In the end, I used the olden-day technology: one NPN transistor for the signal amplification.

- It works and I found out the problem through the serial console. It was a big mistake that I was using the dd-wrt CFE for openwrt. No wonder it was not working at all.

Day 4
- Learning how to extract the CFE from the original cfe.

Day 5
- Flashing newly developed firmware into the wireless router.
- A bit of a problem, but at least I can see some outputs from the serial console.

Day 6
- Finally, my firmware is working but requires lots of hacking here and there.
- Trying to make the MMC running as well

Serial RS-232 on WRT54G2

Last night, I created a very simple yet workable RS-232 connection to my PC for viewing the output while the wireless router is booting up.

Well, at first I was using a MAX232 which I salvaged from my old electronic projects. I was too lazy to get a new one from Pasar Road (KL). But the sad thing was that I accidentally broke it and I had to think of another way quickly. I needed to see the output in order to know what was happening to my firmware on this wireless router. It was not booting up properly. I am still very new to this wireless router and also new to writing firmware for this particular wireless router.

In fact I was out of ideas; then, when I saw some of my spare transistors lying around, it struck me to use the olden-days technology, which uses only an NPN transistor to get the output from the wireless router's RS-232 port signal. It just needs to amplify the signal in order to feed it to the serial port of the PC.

I was googling around and searched for "Transistor MAX232" and I found this. The image below is the one that I found on the net.

Well, for the purpose of displaying the output of the wireless router, we just need the upper part of the schematic. Guess what? It works!! But of course, if you need full-duplex RS-232 you will need both. In a future post, I will show you how I am going to use the MAX232 for turning this wireless router into one capable of reading data from the RS-232 port.

Now I realize that my firmware was not the issue. It was the CFE (Common Firmware Environment), which was the previous version for DD-WRT. No wonder that, no matter how I tweaked my firmware (which is OpenWRT), it did not run at all.

So, the next post will explain in more detail how to flash the CFE using JTAG (a home-made JTAG which costs $0).

References:
http://melbourne.wireless.org.au/files/wrt54/cfe.pdf
https://wiki.openwrt.org/oldwiki/openwrtdocs/customizing/firmware/cfe
http://www.circuitlake.com/simple-rs-232-level-converter.html

Thursday, September 24, 2009

Welcome

Hi all LinkSys fans, I am currently developing the firmware for this particular LinkSys wireless router that I have as my project. I would like to share all the things that I have made and learned with everyone.

I hope everyone will also share the information around and develop a powerful wireless router out of this small little box.

Currently, I have already dismantled the whole router and built the JTAG cable for re-flashing the firmware. I like dd-wrt as well as openwrt. The reason I chose openwrt is because it is flexible and nice to configure.

I had bricked my wireless router and fixed it by using a home-made JTAG cable. I will post more pictures that I took with my LG phone (repaired by myself) on this blog.

I will also show everyone how to build a cheap, $0-cost JTAG cable for your LinkSys WRT54G2 wireless router.

Have Fun!