Posted: Wed May 02, 2007 2:17 Post subject: WTR54GS v2 Linksys Travel Router
During the winter holiday Linksys started sending out to retailers the WTR54GS v2. The v1 has 4 MB flash, 16 MB RAM, and JTAG pins brought out to pads on the PCB. The v2 has 2 MB flash, 8 MB RAM, and no JTAG pins brought out to pads.
I connected the serial port to a terminal and saw that it uses a CFE bootloader but a VxWorks firmware. Standard VxWorks bootloader killers won't help, as it uses a CFE bootloader. Kaloz from the OpenWrt dev said the CFE bootloader is not standard on the v1, but was able to flash the standard CFE via JTAG and get OpenWrt running on it. The v2 I'm guessing uses the same CFE bootloader as the v1. Remember on the v2 there are no JTAG pads. The chipset it uses is BCM5350.
I tried loading the micro image of dd-wrt via the web interface, hoping it'll work like the later model WAP54Gs. The error it gave me was: Upgrade terminated due to insufficient resources.Upgrade failed.Please try again when system is idle (no Internet traffic).
Now, I got this same error when I tried to upgrade it using the WTR54GS v1 firmware on Linksys's site. Looking on their FTP I found the WTR54GS v2 EU firmware, same version as loaded on my WTR54GS v2. It upgraded fine. So the v2 EU firmware seems to work on all v2 WTR54GS units; I purchased mine from a US retailer.
So, since there is no documentation on the BCM5350, I can't trace out the JTAG lines. Is there a way to get this running the standard CFE and dd-wrt via the web interface? Possibly disassembling the v2 EU firmware might help? Link here.
Joined: 07 Jun 2006 Posts: 2087 Location: Odessa, Ukraine
Posted: Wed May 02, 2007 4:47 Post subject:
Johnathan,
I have only looked quickly, but will look again later. Pretty cool, first firmware I have seen with the whole CFE embedded in it. Stripped out the default NVRAM, and going for the firmware's default NVRAM next.
looks like a wholeflash. _________________ Want JTAG support - Donate a router
or Donate with PayPal !
My goal is to get a CFE.bin running on it with its MAC address, just like with the WRT54G v5. And like the WRT54G v5, just tftp the micro generic image over and it should be fine, or an image with the speedbooster drivers. It's a cute little router and just because it's a 2/8 device I hate to see it go to waste. The JTAG signals are not brought out to pads, so the easiest way is through the web interface.
Posted: Wed May 02, 2007 6:01 Post subject:
emuman100,
Have you tried holding down, say, the spacebar or something like that while powering the router on, in the serial console window? I am still looking at it and trying to figure out a way to help you. Right now the 4-25-07 micro_generic or before is the image to use. Don't use 4-30-07, it's too big. Is there firmware somewhere else that we can look at, for patterns, etc.? I only saw a hdro in the file you pointed to.
Is this image from a G V2 or 1?
I also caught something in the CFE that indicates a reset button or something putting it into upgrade mode. That's all for now.
The image I linked to is the WTR54GS v2 firmware, for a 2/8 device. The firmware download link on their main site is for the v1 which is a 4/16 device. I tried loading dd-wrt V23 SP1 micro generic but it gave me that error: Upgrade terminated due to insufficient resources.Upgrade failed.Please try again when system is idle (no Internet traffic). I tried to load the v1 firmware on it and it gave me the same error; only upgrading to the v2 firmware was successful. I tried every other key except the spacebar when I tried to get the bootloader to stop. I also did try using the reset button during CFE boot but it just reset the whole unit. I'll do some more testing and get back to you.
Posted: Thu May 03, 2007 6:48 Post subject:
OK, it's using CFE 1.3.3 so really any key should stop it, but it's all timing. You might want to try holding down a key while applying power, that's the only way I was able to get into the VxWorks BSP. Also, that version has an nvram param called wait_time that I have been building into my recent CFEs.
It allows you to pause the boot for a specific amount of time no matter if you have a good firmware on or not, useful for Windows users that always seem to miss the tftp window, because the NIC interface is not detected as up. I don't know how to set that on your box through the web pages.
We need access to the console, because we can install the CFE or firmware from there. The only problem with upgrading the CFE through the console is that if it doesn't take, we have to have a JTAG to get it back.
No matter what I do I cannot get the CFE to stop or pause. Here is a capture of the terminal from bootup:
CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Fri Nov 4 11:42:58 CST 2005 (root@localhost.localdomain)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.
Initializing Arena.
Initializing Devices.
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 1.3.3.0
CPU type 0x29008: 200MHz
Total memory: 0x800000 bytes (8MB)
Total memory used by CFE: 0x80E00000 - 0x80F426F0 (1320688)
Initialized Data: 0x80E1B940 - 0x80E1DD70 (9264)
BSS Area: 0x80E1DD70 - 0x80E406F0 (141696)
Local Heap: 0x80E406F0 - 0x80F406F0 (1048576)
Stack Area: 0x80F406F0 - 0x80F426F0 (8192)
Text (code) segment: 0x80E00000 - 0x80E1B940 (112960)
Boot area (physical): 0x00F43000 - 0x00F83000
Relocation Factor: I:00000000 - D:00000000
CS4Config orignal value =00000072
CS4Config changed value =00000071
mac address in flash is:00:18:39:27:97:6c
mac address in flash is:00:18:39:27:97:6c
have eRcOmM
run kernel
Loading: ......Entry at 0x80001000
Starting program at 0x80001000
Check and update broadcom NVRAM variable
Pass NVRAM checking..Done
Host Name: bootHost
Target Name: vxTarget
User: target
vl0: vl_ioctl: error: not bound (cmd 0x40046514)
vl0: vl_ioctl: error: not bound (cmd 0x40046514)
Can't find END device <> unit <0>. Known devices are
Current mode: NORMAL
Device: wl Unit: 0
Description: END wl Driver
Device: et Unit: 0
Description: END et Driver
Device: vl Unit: 0
Description: vl
Couldn't attach to network
CPU: bcm47xx(mips32). Processor #0.
Memory Size: 0x7e0000. BSP version 1.2/0.
Sernet Technology Corp.
Wireless-G Travel Router, Version: WTR54GS
Init shell
shell init complete
Initializing abstract layer
Flash : AMD 29lv160DB 1Mx16 BotB
Done
Initializing Services
vl0: vl_ioctl: error: from down (cmd 0xc00c6516)
Done
Kickoff Services
vl0: vl_ioctl: error: from down (cmd 0x40046514)
..Done
Bring up WPA
BSS Config summary: primary -> "wl0", wl0_vifs -> ""
BSS Config "wl0": index 0
wlconf: wlconfig(wl0): configuring bsscfg #0 (wl0) with SSID "Linksys_SES_48388"
wl0: wlc_set_rate_override: A PHY not present
wl0: wlc_set_rate_override: A PHY not present
Attaching network interface lo0... done.
NAS task tNASlan is not running.
NAS task tNASwan is not running.
nas_wksp_build_cmd_line: nas_wksp_build_cmd_line: ifnames are vl0 wl0
nas_wksp_build_cmd_line: nas_wksp_build_cmd_line: probing for if vl0
nas_wksp_build_cmd_line: nas_wksp_build_cmd_line: name vl0 namebuf vl0
command = 0
vl0: vl_ioctl: error: from down (cmd 0x180)
nas_wksp_build_cmd_line: nas_wksp_build_cmd_line: failed to probe or ioctl ifname vl0
nas_wksp_build_cmd_line: nas_wksp_build_cmd_line: probing for if wl0
nas_wksp_build_cmd_line: nas_wksp_build_cmd_line: name wl0 namebuf wl0
nas_wksp_build_cmd_line: nas_wksp_build_cmd_line: using prefix wl0_
nas_wksp_build_cmd_line: nas_wksp_build_cmd_line: cmd line is
nas_wksp_build_cmd_line: nas_wksp_build_cmd_line: argc=18
nas_wksp_build_cmd_line: argv[0] = nas
nas_wksp_build_cmd_line: argv[1] = -l
nas_wksp_build_cmd_line: argv[2] = mirror0
nas_wksp_build_cmd_line: argv[3] = -H
nas_wksp_build_cmd_line: argv[4] = 34954
nas_wksp_build_cmd_line: argv[5] = -i
nas_wksp_build_cmd_line: argv[6] = wl0
nas_wksp_build_cmd_line: argv[7] = -A
nas_wksp_build_cmd_line: argv[8] = -m
nas_wksp_build_cmd_line: argv[9] = 4
nas_wksp_build_cmd_line: argv[10] = -k
nas_wksp_build_cmd_line: argv[11] = 9c4qnzm30j3curob
nas_wksp_build_cmd_line: argv[12] = -s
nas_wksp_build_cmd_line: argv[13] = Linksys_SES_48388
nas_wksp_build_cmd_line: argv[14] = -w
nas_wksp_build_cmd_line: argv[15] = 2
nas_wksp_build_cmd_line: argv[16] = -g
nas_wksp_build_cmd_line: argv[17] = 300
NAS task tNASlan started.
nas_wksp..Done
_alloc_workspPatch wlan vifs
ace:..Done
allocated NAstart wl monitor
S wNot URE mode, need not run tWlMonitor
o..Done
rkspace 4380
Bring up SES
bytes
..Done
nas_wksp_parse_cmd_line: nwksp.lan mirror0
command = nas_wksp_parse_cmd_line: nwksp.port 34954
0nas_wksp_parse_cmd_line: nas[0].interface wl0
nas_wksp_parse_cmd_line: nas[0].hwaddr 00:18:39:27:97:6c
vlnas_wksp_parse_cmd_line: nas[0].role authenticator
0nas_wksp_parse_cmd_line: nas[0].mode 4
: vl_ioctl: error:nas_wksp_parse_cmd_line: nas[0].psk 9c4qnzm30j3curob
from dnas_wksp_parse_cmd_line: nas[0].ssid Linksys_SES_48388
own (nas_wksp_parse_cmd_line: nas[0].wsec 2
cnas_wksp_parse_cmd_line: nas[0].gtk.rekey 300
nas_wksp_open_wpa: mirror: device driver is an END driver.
md 0xnas_wksp_open_wpa: mirror0: opened wlpvtdata socket 80793e60
180nas_wksp_open_wpa: mirror0: opened preauth socket 80793e88
)
nas_wpa_open: wl: device driver is an END driver.
ure_disable=nas_wpa_open: wl0: opened wpa socket 80793eb0
1nas_eapol_open: wl: device driver is an END driver.
nas_eapol_open: wl0: opened eapol socket 80793ed8
command = nas_wksp_open_host: host: opened loopback socket 4
nas_set_key: wl0: index 0, flags 0, len 0
nas_set_key: wl0: index 1, flags 0, len 0
nas_set_key: wl0: index 2, flags 0, len 0
nas_set_key: wl0: index 3, flags 0, len 0
wl0: link up
nas_validate_wlpvt_message: nas_validate_wlpvt_message: validating message
nas_wksp_find_nwcb_by_mac: 00:18:39:27:97:6C wl0: found 806a4520
nas_handle_wlpvt_messages: nas_handle_wlpvt_messages(): Processing
nas_handle_wlpvt_messages: wl0: recved wl wpa packet interface bytes: 72
nas_main: nas_main: task id is 0x806bbcb0, nas_wksp_taskvar is 0x0x806b3650
nas12_wksp_dispatch_packet: host: include host socket 4 in fdset
nas_wksp_dispatch_pa
cket: listening to total 5 socket(s)
command = 12
SES_EVTO_CONFIGURED: Status of last input event FAILURE
ure_disable=1
If I hit enter I get an "SC>" prompt.
You are certain this CFE can be stopped by key presses? Either it can't or I cannot time it properly.
I think I'm getting farther. You need to hold in the reset button during power on and look on the serial console. It'll say if released to go upgrade mode; it looks like this:
CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Fri Nov 4 11:42:58 CST 2005 (root@localhost.localdomain)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.
Initializing Arena.
Initializing Devices.
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 1.3.3.0
CPU type 0x29008: 200MHz
Total memory: 0x800000 bytes (8MB)
Total memory used by CFE: 0x80E00000 - 0x80F426F0 (1320688)
Initialized Data: 0x80E1B940 - 0x80E1DD70 (9264)
BSS Area: 0x80E1DD70 - 0x80E406F0 (141696)
Local Heap: 0x80E406F0 - 0x80F406F0 (1048576)
Stack Area: 0x80F406F0 - 0x80F426F0 (8192)
Text (code) segment: 0x80E00000 - 0x80E1B940 (112960)
Boot area (physical): 0x00F43000 - 0x00F83000
Relocation Factor: I:00000000 - D:00000000
CS4Config orignal value =00000072
CS4Config changed value =00000071
mac address in flash is:00:18:39:27:97:6c
mac address in flash is:00:18:39:27:97:6c
have eRcOmM
if release,go to upgrade mode
In download function
mac address:00:18:39:27:97:6c
Then it just sits there. The power LED blinks amber to green, the wifi LED blinks on and off. My tftp requests never worked. Also, I'm not sure if in that mode it uses the device's default IP address or the one in the config. I tried both but it never worked.
Yes, it's wired correctly. When I press enter in the console after a normal boot up of the router, I get an "SC>" prompt, but no matter what I type, the only response I get back is "O???". "reboot" reboots the router, that's the only command it seems to understand:
SC>reboot
System will do reset!!!
I suppose in upgrade mode I use the default IP address, but if I reset it and let it boot normally it uses the IP I configured it with.
Posted: Fri May 04, 2007 10:08 Post subject:
@emuman100
I'm not positive about anything with this box, just trying to help and give you my opinion on what I have seen so far in some of the other VxWorks BSPs. So ? or help at the SC> prompt gives nothing, huh? I'm still looking at the code, it takes time to try and take it apart and understand what it's trying to do.
I have tried everything and anything to get the CFE to accept new firmware but nothing is happening. "help" and "?" don't seem to work in the VxWorks shell, I get "O???". I think what needs to be done is to build a firmware image with a proper CFE. You said it looks to be a full flash image, the v2 firmware. What are you using to disassemble the firmware image? From the disassembly one can use that as a guide to building a firmware image that is compatible, at least a proper CFE.
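For readers following the firmware-image question in the post above, an added example (not part of the original thread and not the tooling either poster used): a first-pass scan of a whole-flash dump for Broadcom TRX ("HDR0") containers and NVRAM ("FLSH") headers, with plausibility and CRC checks so that stray magic strings are not reported. It assumes the commonly documented TRX and NVRAM header layouts; the thread does not confirm that the WTR54GS v2 image uses them unmodified, and the sample image is constructed.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"    # Broadcom TRX firmware container magic
NVRAM_MAGIC = b"FLSH"  # Broadcom NVRAM region magic
TRX_HDR_LEN = 28       # magic, len, crc32, flag_version, 3 partition offsets

def parse_trx(blob, off):
    """Parse a TRX header at off; return None when the fields are implausible."""
    if off + TRX_HDR_LEN > len(blob):
        return None
    magic, length, crc, _flags, *parts = struct.unpack_from("<4s6I", blob, off)
    if magic != TRX_MAGIC or length < TRX_HDR_LEN or off + length > len(blob):
        return None
    # The CRC covers flag_version to the end of the image and is stored
    # without the final XOR, i.e. as the bitwise NOT of zlib's CRC-32.
    calc = ~zlib.crc32(blob[off + 12:off + length]) & 0xFFFFFFFF
    return {"offset": off, "length": length, "crc_ok": calc == crc,
            "parts": [p for p in parts if p]}

def find_all(blob, magic):
    """Yield every offset at which magic occurs in blob."""
    pos = blob.find(magic)
    while pos != -1:
        yield pos
        pos = blob.find(magic, pos + 1)

def scan_image(blob):
    """Locate TRX containers and NVRAM headers anywhere in a flash image."""
    trx = [h for h in (parse_trx(blob, o) for o in find_all(blob, TRX_MAGIC)) if h]
    nvram = []
    for off in find_all(blob, NVRAM_MAGIC):
        if off + 8 > len(blob):
            continue
        (length,) = struct.unpack_from("<I", blob, off + 4)
        if 20 <= length <= len(blob) - off:  # 20-byte header plus variables
            nvram.append((off, length))
    return trx, nvram

def build_sample():
    """Constructed 2 MB image: erased flash, one NVRAM block, one TRX."""
    img = bytearray(b"\xff" * (2 * 1024 * 1024))
    nv = b"boardtype=0x0000\x00\x00"  # constructed variable data
    img[0x1000:0x1000 + 20 + len(nv)] = struct.pack("<4s4I", NVRAM_MAGIC, 20 + len(nv), 0, 0, 0) + nv
    body = struct.pack("<4I", 1, TRX_HDR_LEN, 0, 0) + b"constructed kernel payload"
    head = struct.pack("<4sII", TRX_MAGIC, 12 + len(body), ~zlib.crc32(body) & 0xFFFFFFFF)
    img[0x40000:0x40000 + 12 + len(body)] = head + body
    return bytes(img)
```

On a real dump, read the file into bytes and pass it to scan_image; a hit whose crc_ok is False is either a coincidental magic string or a container that was modified after it was built.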
Posted: Sat May 05, 2007 4:50 Post subject:
@emuman100
And how do you plan to get the CFE on the box? If your serial console was working or giving you access to normal Broadcom CFE command options it would be easy. Have you traced out and found the correct lines to solder in a JTAG line? I don't want you to be left stuck; as a matter of fact, even with a working console, without the JTAG connection, if the CFE doesn't take, you're left without any way to recover.