Posted: Mon Sep 15, 2008 2:22 Post subject: Console/TFTP/CFE, etc
the space between the pads on the second serial location is 0.1"; I soldered a right-angle header on the board. Since I don't have my serial level converter yet, I'm using it in read-only mode; DB25 pin 7 to pin 2 and DB25 pin 3 to pin 1.
DO NOT TRY TO USE ANY WIRING SCHEME BASED ON THE ABOVE FOR READ-WRITE CONSOLE ACCESS !!! You WILL FRY your hardware!
At any rate, the WRT610N pukes on TFTP-ing in the generic images, with the indication that the header does not match (it expects 610N).
Using a TRX with addheader still pukes, but it's a less useful, more generic error.
It looks like (digging in the 610N and 350N code packages from Cisco) the 350N and 610N *may* share the same CFE. If the CFE was originally engineered for the 350N, which has less flash, this would explain the problem with TFTP uploads to CFE stopping at 4MB.
the space between the pads on the second serial location is 0.1"; I soldered a right-angle header on the board. Since I don't have my serial level converter yet, I'm using it in read-only mode; DB25 pin 7 to pin 2 and DB25 pin 3 to pin 1.
reames,
This is great work! I hadn't even noticed those contacts before.
I noticed a few things:
"-max-0x3a0000" is 3,801,088 bytes...
"-size=0x1b8000" is 1,802,240 bytes (this matches the bytes read)
When I get my serial cable I'm going to try a:
load -raw -addr=0x807a60b0 -max=0x800000
to see if it pulls down the whole linksys image
I might have to adjust the memory location.
If that works then I will try a flash -mem -size etc...
for some reason CFE doesn't seem to like the bin files that are produced by DD-WRT (and the Cisco code!)...
Could there be some difference occurring with CRC calculations?
For reference the pop-port plug on the DKU-5 is missing Pin 1; it would be on the other side of the left lug. (as you'd plug it into the phone.)
Your cable may be using pin 8 for ground instead of or in addition to pin 2. Use 8 if 2 isn't there or both if they are both present.
There was a wire connected to pin 3 on the pop-port, just cut that one off.
With that done, I plugged in, powered up, opened a terminal at 115.2k/8n1/no flow control, and hit control-c several times to get to a "CFE>" prompt.
I used the following command to load the image into RAM, please note the ":" at the end of the command; the router will instantly reboot without it! When you hit enter on this command, immediately start your tftp push (as you normally would)
FYI, linksys firmware 1.00.018 won't build out of the box.
I've found the following so far:
-Make sure you have "gawk" (symlink "awk"->"gawk" if need be)
-Remove release/src/router/config/menubox.o (especially if you are on a 64 bit host!)
-Remove the reference to configure for ntfs-progs (in release/src/Makefile or release/src/router/Makefile) -- if you don't you MAY get compile errors that libfuse can't be found.
-create a file called ".model" containing the line "LINKSYS_MODEL=WRT610N". Place copies in release/src, release/src/router, release/image, and release/tools.
Use the toolchain from wrt350n (v.1x) for compilation. It needs to be put in /opt/brcm/hndtools-*. Make sure you have /opt/brcm/hndtools-mipsel-ulibc-3.2.3/bin and /opt/brcm/hndtools/mipsel-linux-3.2.3/bin as the first entries in your path.
Go into release/src/router and "make menuconfig". Save and exit. Save and exit again.
Go into release/src and "./select.sh". Pick WRT610N USA. "make" (and wait a while)...
BTW, using the serial port method a couple of posts up won't toast your CFE....
It appears that NVRAM is sanity-checked and (re)written by "rc" in the 610n. Any attempts to reconfigure the switch using nvram variables results in RC rewriting the values and forcing a reboot.
Digging into the variables, I'm thinking that the switch is an 8-port chip that does 802.1Q tagging (and DSCP?)
I think the 4705 "et0" is connected to the switch chip port "8" and is carrying both WAN and LAN.
I think the setup is:
VLAN | Description
------+-------------
1 | LAN
2 | WAN

Switch | Port | Access or | Port
Port | Mode | Native VLAN | Use
-------+--------+-------------+----------
0 | Access | 2 | WAN
1 | Access | 1 | LAN 1
2 | Access | 1 | LAN 2
3 | Access | 1 | LAN 3
4 | Access | 1 | LAN 4
8 | Trunk | Native 1 | BCM4705
VLAN 1 is untagged, so that the 4705 could run a normal station (non-trunking) driver and still get recognizable (lan-only) frames.
It also looks like the Linksys firmware sees "wl0" as "eth1" and "wl1" as "eth2".
If this is right it MAY be possible to abuse this device and have as many as 5 (or perhaps 6 or 7?) firewall zones, simply by placing one port in each zone (and wireless in its own zone).. and creating (or not) bridge groups.
I'd like to abuse the 610N as a WET on steroids: put the wireless in station mode in a bridge group with the WAN vlan, as an alternate WAN, and then use the 4 LAN ports as a firewalled 1GbE switch.
I'd have secure private networking (between multiple machines "inside" the firewall) and the ability to connect in places that only do wifi. (i.e. hotels)
This will not be possible with the linksys firmware!
BTW the serial port/tftp combo is 115,200kbps for your commands and 1 GbE for data transfers, so pushing an image across it takes seconds for any image that we would write into the thing.
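Added example, not part of the original posts and not code from any firmware: a small 802.1Q forwarding model of the port table guessed above, showing which ports a broadcast reaches in the stock layout and in the one-VLAN-per-port "zones" layout the poster proposes. The drop-tagged-on-access behaviour, the trunk carrying every VLAN, and the VLAN IDs used for the zones are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    mode: str   # "access" or "trunk"
    vlan: int   # access VLAN, or native (untagged) VLAN on a trunk
    use: str

# Port table exactly as guessed in the post (not a confirmed hardware map).
STOCK = {
    0: Port("access", 2, "WAN"),
    1: Port("access", 1, "LAN 1"),
    2: Port("access", 1, "LAN 2"),
    3: Port("access", 1, "LAN 3"),
    4: Port("access", 1, "LAN 4"),
    8: Port("trunk", 1, "BCM4705"),
}

def classify(port, tag):
    """VLAN an ingress frame is placed in, or None if the port drops it."""
    if port.mode == "access":
        # Assumption: access ports discard frames that arrive already tagged.
        return port.vlan if tag is None else None
    return port.vlan if tag is None else tag  # trunk: untagged means native

def flood(table, in_port, tag=None):
    """Egress map {port: tag or None} for a broadcast entering in_port."""
    vlan = classify(table[in_port], tag)
    if vlan is None:
        return {}
    out = {}
    for num, port in table.items():
        if num == in_port:
            continue
        if port.mode == "trunk":
            # Assumption: the trunk carries every VLAN, native one untagged.
            out[num] = None if vlan == port.vlan else vlan
        elif port.vlan == vlan:
            out[num] = None
    return out

def zoned(table, base=10):
    """One VLAN per front-panel port (IDs base+port are made up here)."""
    return {n: p if p.mode == "trunk" else Port("access", base + n, p.use)
            for n, p in table.items()}

if __name__ == "__main__":
    print("stock WAN in  :", flood(STOCK, 0))
    print("stock LAN1 in :", flood(STOCK, 1))
    print("zoned LAN1 in :", flood(zoned(STOCK), 1))
```

In the zoned table every front-panel frame leaves only on port 8 with its own tag, so all traffic between zones has to pass through the CPU, where the firewall rules apply.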
Posted: Wed Sep 17, 2008 18:35 Post subject: WRT610N serial numbers
Just curious what serial numbers you have.
I checked a WRT610N at the German retailer Atelco and they have a WRT610N-DE with a serial number beginning with CTG01H.....
Maybe there is again a difference to the US ones, just like with the WRT350N.