Nice work, lark! I don't really understand it except 4MB flash memory should still be enough, right? I hope Sash will reply to this thread. But he seems to be ignoring it...
Nice work, lark! I don't really understand it except 4MB flash memory should still be enough, right? I hope Sash will reply to this thread. But he seems to be ignoring it...
So there still is 2c0000 - 261000 = 380KB room. Using 30% compression ratio, about 1.23MB room left for firmware. So I think 4MB is enough for simple router.
It's bad that wr941n uses SOP-16 flash chip, but cheap flash programmer usually only supports SOP-8.
I will replace it with 8MB or even 16MB flash, but not now.
I sent email to Luis Rodriguez of Atheros (who is active in kernel contribution for Atheros chips) with these questions
Quote:
1. If I want to get source code for bootloader and firmware packing tools, who I should query, Atheros or device vendors?
2. Will atheros provide source code for bootloader and firmware packing tools (for device vendors) directly and publicly?
I also dumped mtd block3 and block4, and did some analysis. Some interesting thing here
Quote:
# file config.bin art.bin
config.bin: BIOS (ia32) ROM Ext. (3*512)
art.bin: DOS executable (device driver) for DOS
But generally, the content's format is not obvious.
My easy plan is keeping the whole kernel thing and replaceing userspace programs with dd-wrt's.
First step is busybox. wr941n uses mips big endian. Although openwrt has mips BE tool chain, I decided to compile my own tool chain in my debian environment.
The wr941n uses 0.9.28.2 or older version of uClibc 0.9.28. 0.9.28.2's layout will conflict with other dpkg-cross-ified toolchains, so I modified 0.9.28.3 debian source package to compile out packages which use 0.9.28.2 -soname scheme. Then I built gcc-mips-linux-uclibc packages.
wr941n also uses an old busybox (1.01), behaviour is different from busybox 1.12.2 I used. For example, wr941n's udhcpc will go background immediately, but 1.12.2 is not (it supports -b but wr941n's main program doesn't call udhcpc that way), and then wr941n's main program hangs there. I modified udhcpc to always -b.
Finally, I replace busybox. The new rootfs runs fine and give me telnet access. Now serial port overrun is not a big problem.
With RoundSparrow's information (http://www.dd-wrt.com/phpBB2/viewtopic.php?t=43228), I download SDK from Trendnet. Although the SDK looks buggy and in a mess, I made some tweaks, built kernel modules to test the kernel tree and succeeded :)
Quote:
# insmod scsi_mod.ko
insmod: cannot insert 'scsi_mod.ko': invalid module format
# insmod scsi_mod.ko
insmod: cannot insert 'scsi_mod.ko': unknown symbol in module
# insmod scsi_mod.ko
# dmesg|tail
br0: port 1(ath0) entering learning state
br0: topology change detected, propagating
br0: port 2(eth0) entering forwarding state
br0: topology change detected, propagating
br0: port 1(ath0) entering forwarding state
scsi_mod: version magic '2.6.15- MIPS32_R2 32BIT gcc-3.4' should be '2.6.15--LSDK-6.1.1.40 MIPS32_R2 32BIT gcc-3.4'
scsi_mod: version magic '2.6.15- MIPS32_R2 32BIT gcc-3.4' should be '2.6.15--LSDK-6.1.1.40 MIPS32_R2 32BIT gcc-3.4'
scsi_mod: version magic '2.6.15- MIPS32_R2 32BIT gcc-3.4' should be '2.6.15--LSDK-6.1.1.40 MIPS32_R2 32BIT gcc-3.4'
scsi_mod: Unknown symbol __might_sleep
SCSI subsystem initialized
So usb
Quote:
# insmod ehci_hcd.ko
# insmod ohci_hcd.ko
# dmesg | more
<snip>
0 Dec 2004 USB 2.0 'Enhanced' Host Controller (EHCI) Driver (AR7100_EHCI)
In ar7100_ehci_drv_probe
probing ehci...
hcd->regs is 0xbb000000
/home/TEW-652BRP/TEW-652BRP_GPL/platform/AR9100/kernels/mips-linux-2.6.15/drivers/usb/host/ehci-ar7100.c: starting AR7100 EHCI USB Controller...done. reset 0x0 usb config 0x2
ehci->caps is 0xbb000000
ehci->caps->hc_base is 0x42fa05
ar7100-ehci ar7100-ehci.0: AR7100 EHCI
ar7100-ehci ar7100-ehci.0: new USB bus registered, assigned bus number 1
ar7100-ehci ar7100-ehci.0: irq 3, io mem 0x1b000000
hcc_params addr 0xbb000008 val 0x10020001 hcs_params addr 0xbb000004 val 0x22
ar7100-ehci ar7100-ehci.0: USB 0.0 started, EHCI 0.42, driver 10 Dec 2004
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
...probing done
2005 April 22 USB 1.1 'Open' Host Controller (OHCI) Driver (ar7100_ohci)block sizes: ed 64 td 64
In ohci_hcd_ar7100_drv_probeprobing...
/home/TEW-652BRP/TEW-652BRP_GPL/platform/AR9100/kernels/mips-linux-2.6.15/drivers/usb/host/ohci-ar7100.c: starting AR7100 OHCI USB Controller...<6>ar7100-ohci ar7100-ohci.0: AR7100 OHCI
ar7100-ohci ar7100-ohci.0: new USB bus registered, assigned bus number 2
ar7100-ohci ar7100-ohci.0: irq 22, io mem 0x1c000000
ar7100-ohci ar7100-ohci.0: init err (00000000 0038)
/home/TEW-652BRP/TEW-652BRP_GPL/platform/AR9100/kernels/mips-linux-2.6.15/drivers/usb/host/ohci-ar7100.c: can't start ar7100_usb
ar7100-ohci ar7100-ohci.0: startup error -79
ar7100-ohci ar7100-ohci.0: USB bus 2 deregistered
/home/TEW-652BRP/TEW-652BRP_GPL/platform/AR9100/kernels/mips-linux-2.6.15/drivers/usb/host/ohci-ar7100.c: stopping ar7100 OHCI USB Controller
ar7100-ohci: probe of ar7100-ohci.0 failed with error -79
I am also looking at the USB port's power supply circuit. It is 12v to 5v DC-DC converter, and yes it's not that complex as I thought before.
AR913x support USB On-The-Go, but WR941N seems to use it as pure host, so power supply is simplified.
I think I can figure out the USB PSU soon, then USB port can be used --- that is one of reasons that I bought WR941N.
I contacted TP-Link (China) support to ask for source code. They refused at first but after I wrote another email, they gave me a link
http://www.tplink.com/support/gpl.asp
The source code they provide is not complete. U-boot is missing, however, kernel code is complete. They use their own GUI implementation and source code is not available.
To make upgradable and reversible replacement firmware, firmware format and config format must be known. I have asked them to provide these information along with u-boot source code. With these information, I will implement nvram interface and firmware packaging scripts.
TP-Link's technical staff rejected my request for u-boot source code and firmware format. Then I read disassembled code and write a fixsum tool. Currently, this tool can only be used under big endian system, fixing it is easy but now it is too late and I will go to bed.
I have upgraded via web UI using firmware I repackaged successfully.
I see u-boot coming up more and more on the Ahteros systems. Has anyone found a way to access u-boot from etherner (not adding rs232 serial to hardware) like you can with redboot on port 9000?
I have been able to inject my own content into the firmware for the Trednet TEW-652BRP and the D-Link DIR-615 Rev C1 (identical Atheros based routers).
You mentioned replacing BusyBox. do you have the newest one compiled for kernel 2.6.15 on this CPU? can you put that Busybox binary up - might be useful in our quest to get telnet up on these two firmwares.
I see u-boot coming up more and more on the Ahteros systems. Has anyone found a way to access u-boot from etherner (not adding rs232 serial to hardware) like you can with redboot on port 9000?
I have been able to inject my own content into the firmware for the Trednet TEW-652BRP and the D-Link DIR-615 Rev C1 (identical Atheros based routers).
You mentioned replacing BusyBox. do you have the newest one compiled for kernel 2.6.15 on this CPU? can you put that Busybox binary up - might be useful in our quest to get telnet up on these two firmwares.
Joined: 06 Jun 2006 Posts: 7492 Location: Dresden, Germany
Posted: Sat Dec 06, 2008 17:25 Post subject:
i will review the source and look what i can do. about the uboot. no there is no way to access it without serial console
but it could take a while until i'm done with ap81 or ap83. i have the sourcecodes for all the 802.11n drivers, but they arent that good and they dont support our current featureset used in other atheros based units where we are using our own driver _________________ "So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
i will review the source and look what i can do. about the uboot. no there is no way to access it without serial console
but it could take a while until i'm done with ap81 or ap83. i have the sourcecodes for all the 802.11n drivers, but they arent that good and they dont support our current featureset used in other atheros based units where we are using our own driver
feature set, for example? My suggestion is using their built kernel first, make it work, then expand. Nvram emulation is the first thing should be done now.
u-boot has no server facility, such as httpd, like redboot, but I think it's not a problem. Using 1 GPIO, u-boot script, and some customized command, you can have 2 predefined functions (for example, press GPIO switch less than 5 seconds or longer), including tftp and boot a failsafe image.
Does this router have a recovery mode like the d-link and trendnet u-boot Atheros routers?
Hold down reset button, connect power, keep holding reset button (I do it for at least 30 seconds, not sure how long it really needs). Then you can connect on http at 192.168.0.1
Just curious if that's built into the router you have.