"But NETGEAR was kind enough to tell me that the radio is the 3x3 AR9103 and the CPU/MAC/Baseband the AR9132. The 10/100 switch is an Atheros AR8216 6 port 10/100 and I could clearly tell from looking at the board that there is 32 MB of RAM and 4 MB of flash."
Can anyone help me get somewhere with this router? I have the latest Netgear firmware (V1.1.3.9NA) on it.
I am able to telnet into the system and it has busybox v1.01 with ash shell on it.
You have to use the NetGear "telnetenable" trick on port 23 to get into telnet. Once on, I do indeed observe files on the system (functions.sh) with references to OpenWRT origins in them.
/sbin/mtd is on the system, so I can use that to write new flash... or the web interface upload system. What else do we need to know, any flash that I can try that would be similar to this system?
I managed to compile the netgear firmware on Ubuntu 8.04 32bit. It installed ok, but after booting my own firmware the router the website returned 404 on all pages. So no way to reflash from the Netgear webpages. So I've soldered up rs232 port. There are header pins installed on J1 of the system board. Got in!
AP81 (ar7100) U-boot
sri
32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 245k for U-Boot at: 81fc0000
Reserving 192k for malloc() at: 81f90000
Reserving 44 Bytes for Board Info at: 81f8ffd4
Reserving 36 Bytes for Global Data at: 81f8ffb0
Reserving 128k for boot params() at: 81f6ffb0
Stack Pointer at: 81f6ff98
Now running in RAM - U-Boot at: 81fc0000
id read 0x100000ff
flash size 4MB, sector count = 64
Flash: 4MB
In: serial
Out: serial
Err: serial
Net: ag7100_enet_initialize...
Fetching MAC Address from 0x81fea7b0
: cfg1 0xf cfg2 0x7114
eth0: 00:22:3f:0b:c5:9c
dup 1 speed 100
eth0 up
eth0
### main_loop entered: bootdelay=4
### main_loop: bootcmd="bootm 0xbf2a0000"
Hit any key to stop autoboot: 0
ar7100>
AP81 (ar7100) U-boot
sri
32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 245k for U-Boot at: 81fc0000
Reserving 192k for malloc() at: 81f90000
Reserving 44 Bytes for Board Info at: 81f8ffd4
Reserving 36 Bytes for Global Data at: 81f8ffb0
Reserving 128k for boot params() at: 81f6ffb0
Stack Pointer at: 81f6ff98
Now running in RAM - U-Boot at: 81fc0000
id read 0x100000ff
flash size 4MB, sector count = 64
Flash: 4MB
In: serial
Out: serial
Err: serial
Net: ag7100_enet_initialize...
Fetching MAC Address from 0x81fea7b0
: cfg1 0xf cfg2 0x7114
eth0: 00:22:3f:0b:c5:9c
dup 1 speed 100
eth0 up
eth0
Factory Reset Mode
The Router is in TFTP Server Firmware Recovery mode NOW!
Listening on Port : 69, IP Address: 192.168.1.1...
AP81 (ar7100) U-boot
sri
32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 245k for U-Boot at: 81fc0000
Reserving 192k for malloc() at: 81f90000
Reserving 44 Bytes for Board Info at: 81f8ffd4
Reserving 36 Bytes for Global Data at: 81f8ffb0
Reserving 128k for boot params() at: 81f6ffb0
Stack Pointer at: 81f6ff98
Now running in RAM - U-Boot at: 81fc0000
id read 0x100000ff
flash size 4MB, sector count = 64
Flash: 4MB
In: serial
Out: serial
Err: serial
Net: ag7100_enet_initialize...
Fetching MAC Address from 0x81fea7b0
: cfg1 0xf cfg2 0x7114
eth0: 00:22:3f:0b:c5:9c
dup 1 speed 100
eth0 up
eth0
### main_loop entered: bootdelay=4
### main_loop: bootcmd="bootm 0xbf2a0000"
Hit any key to stop autoboot: 0
ar7100> tftpboot 0x81000000 openwrt-ar71xx-uImage-gzip.bin
Using eth0 device
TFTP from server 192.168.2.28; our IP address is 192.168.2.126
Filename 'openwrt-ar71xx-uImage-gzip.bin'.
Load address: 0x81000000
Loading: #################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
##################################
done
Bytes transferred = 2501382 (262b06 hex)
ar7100> bootm
## Booting image at 81000000 ...
Image Name: MIPS OpenWrt Linux-2.6.26.8
Created: 2008-12-16 2:55:58 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 2501318 Bytes = 2.4 MB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 33554432
Starting kernel ...
Linux version 2.6.26.8 (root@stephen-desktop) (gcc version 4.1.2) #3 Mon Dec 15 18:55:46 PST 2008
console [early0] enabled
CPU revision is: 00019374 (MIPS 24K)
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
Normal 0 -> 8192
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0 -> 8192
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128
Kernel command line: rootfstype=squashfs,yaffs,jffs2 noinitrd console=ttyS0,115200 init=/etc/preinit
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
PID hash table entries: 128 (order: 7, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 28336k/32768k available (1764k kernel code, 4432k reserved, 318k data, 1576k init, 0k highmem)
SLUB: Genslabs=6, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Mount-cache hash table entries: 512
net_namespace: 484 bytes
NET: Registered protocol family 16
MIPS: machine is Generic AR71xx board
registering PCI controller with io_map_base unset
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
squashfs: version 3.0 (2006/03/15) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY) þþ 2001-2006 Red Hat, Inc.
yaffs Dec 14 2008 22:59:50 Installing.
msgmni has been set to 55
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver $Revision: 1.90 $ 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
console handover: boot [early0] -> real [ttyS0]
ag71xx_mdio: probed
eth0: Atheros AG71xx at 0xb9000000, irq 4
eth0: invalid speed specified
ag71xx: probe of ag71xx.0 failed with error -22
eth0: Atheros AG71xx at 0xba000000, irq 5
Atheros AR71xx SPI Controller driver version 0.2.2
m25p80 spi0.0: unrecognized JEDEC id c22016
Atheros AR71xx hardware watchdog driver version 0.1.0
TCP vegas registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Freeing unused kernel memory: 1576k freed
Algorithmics/MIPS FPU Emulator v1.5
[sighandler]: No more events to be processed, quitting.
[cleanup]: Waiting for children.
[cleanup]: All children terminated.
- preinit -
Press CTRL-C for failsafe
Please press Enter to activate this console. br-lan: Dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature.
device eth0 entered promiscuous mode
PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
wlan: trunk
ath_hal: module license 'Proprietary' taints kernel.
ath_hal: 2008-10-02 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, RF2133, RF2425, REGOPS_FUNC, DFS, XR)
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk)
ath_rate_minstrel: look around rate set to 10%
ath_rate_minstrel: EWMA rolloff level set to 75%
ath_rate_minstrel: max segment size in the mrr set to 6000 us
wlan: mac acl policy registered
ath_pci: trunk
eth0: link up (1000Mbps/Full duplex)
br-lan: port 1(eth0) entering learning state
br-lan: topology change detected, propagating
br-lan: port 1(eth0) entering forwarding state
br-lan: port 1(eth0) entering disabled state
br-lan: port 1(eth0) entering learning state
br-lan: topology change detected, propagating
br-lan: port 1(eth0) entering forwarding state
BusyBox v1.11.3 (2008-12-14 22:37:50 PST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
KAMIKAZE (bleeding edge, r13658) -------------------
* 10 oz Vodka Shake well with ice and strain
* 10 oz Triple sec mixture into 10 shot glasses.
* 10 oz lime juice Salute!
---------------------------------------------------
root@OpenWrt:/# cat /proc/meminfo
MemTotal: 29912 kB
MemFree: 21144 kB
Buffers: 0 kB
Cached: 4828 kB
SwapCached: 0 kB
Active: 2340 kB
Inactive: 3236 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 764 kB
Mapped: 756 kB
Slab: 1432 kB
SReclaimable: 364 kB
SUnreclaim: 1068 kB
PageTables: 184 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 14956 kB
Committed_AS: 2564 kB
VmallocTotal: 1048404 kB
VmallocUsed: 1300 kB
VmallocChunk: 1046716 kB
root@OpenWrt:/# uname -a
Linux OpenWrt 2.6.26.8 #3 Mon Dec 15 18:55:46 PST 2008 mips unknown
root@OpenWrt:/#
I took the RF shield off the router motherboard, the WiFi chip is a AR9103. That makes it a 3x3 MIMO router.
For hardware hackers: I also notice that 2 of the 3 antennas on the motherboard (etched shapes) have provisions for an external antenna cable. The third (center) has a pad but nothing soldered on.
Note that although I've been able to boot current OpenWRT via tftpboot, I don't have wireless working. The factory-provided firmware (based on OpenWRT) seems to use these drivers:
Code:
# cat /proc/modules
wlan_scan_ap 8224 1 - Live 0xc00a4000
wlan_acl 5248 1 - Live 0xc009c000
wlan_wep 5568 0 - Live 0xc0099000
wlan_tkip 12928 0 - Live 0xc0060000
wlan_ccmp 7840 0 - Live 0xc000a000
wlan_xauth 992 0 - Live 0xc0008000
ath_ahb 47104 0 - Live 0xc00da000
ath_dev 102848 1 ath_ahb, Live 0xc00eb000
ath_rate_atheros 38000 1 ath_dev, Live 0xc00bd000
wlan 215296 9 wlan_scan_ap,wlan_acl,wlan_wep,wlan_tkip,wlan_ccmp,wlan_xauth,ath_ahb,ath_dev, Live 0xc002a000
ath_hal 196736 3 ath_ahb,ath_dev, Live 0xc0067000
ip_nat_sip 4320 0 - Live 0xc00ba000
ip_conntrack_sip 8624 1 ip_nat_sip, Live 0xc00a0000
ip_nat_starcraft 2208 0 - Live 0xc0014000
ipt_CONENAT 2656 2 - Live 0xc0012000
ag7100_mod 33728 0 - Live 0xc0020000
ar91xxgpiointr 4256 1 - Live 0xc000f000
ar91xxgpio 3520 1 - Live 0xc000d000
The Linux ath9k driver now supports this router (ar9103 wireless chip). is available now in compat-wireless now and is scheduled for kernel 2.6.30 inclusion.
OpenWRT works on this router with tftpboot... but the u-boot does a checksum of the firmware on each boot that needs to be disabled. The GPL download includes u-boot, so it is possible to hack it.