Joined: 06 Jun 2006 Posts: 7492 Location: Dresden, Germany
Posted: Wed Jul 22, 2009 20:26 Post subject:
who said this?
no we havent problems with it. we just dont have the device _________________ "So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
I got serial working It's got the same weird baudrate as an asus with this chipset. 57600, and the JP1 header is indeed serial. pins furthest away are VCC and ground. Here's the serial output of mine (netcomm model)
Code:
U-Boot 1.1.3 (Apr 17 2008 - 13:26:01)
Board: RT2880 DRAM: 32 MB
twe0 set to <NULL>
toe0 set to <NULL>
MX_ID_LV320TOP, Size = 00400000 bytes
Set info->start[0]=BF000000
flash_protect ON: from 0xBF000000 to 0xBF026D8B
protect on 0
protect on 1
protect on 2
flash_protect ON: from 0xBF030000 to 0xBF03FFFF
protect on 3
============================================
ASIC -VerB/C (MAC to RTL8366SR Mode)
DRAM COMPONENT=128Mbits
DRAM BUS=32BIT
Total memory = 32Mbytes
Date:Apr 17 2008 Time:13:26:01
============================================
D-CACHE set to 4 way
I-CACHE set to 4 way
##### The CPU freq = 266 MHZ ####
SDRAM bus set to 32 bit
SDRAM size =32 Mbytes
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
5: Load ucos code to SDRAM via TFTP. 0
3: System Boot system code via Flash.
## Booting image at bf050000 ...
Image Name: Linux Kernel Image
Created: 2009-11-19 1:12:31 UTC
System Control Status = 0x02910084
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1071278 Bytes = 1 MB
Load Address: 8a000000
Entry Point: 8a198040
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8a198040) ...
## Giving linux memsize in MB, 32
Starting kernel ...
THIS IS ASIC - VERSION B
ramsize = 32 MBytes
rambase not set, set to default (0x08000000)
MEMORY DESCRIPTOR dump:
[0,8a281be0]: base<0a000000> size<02000000> type<Free RAM memory>
PROC INIT OK!
init started: BusyBox v1.7.5 (2009-11-19 09:11:47 CST)
starting pid 10, tty '/dev/console': '/sbin/config_init'
Config Init version: 1.2.1.6 date: 2009/11/19
starting pid 57, tty '/dev/ttyS1': '/sbin/config_term'
************************************************************************
* ESR-9750G-netcomm *
************************************************************************
After that it wouldn't really allow me to do anything in the terminal, i tried everything, help -? ? etc etc. So i just kept pressing 4 repeatively and resetting the unit untill i managed to get into the bootloader option. I got this:
Code:
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
5: Load ucos code to SDRAM via TFTP.
RT2880 # help protect
protect on start end
- protect FLASH from addr 'start' to addr 'end'
protect on N:SF[-SL]
- protect sectors SF-SL in FLASH bank # N
protect on bank N
- protect FLASH bank # N
protect on all
- protect all FLASH banks
protect off start end
- make FLASH from addr 'start' to addr 'end' writable
protect off N:SF[-SL]
- make sectors SF-SL writable in FLASH bank # N
protect off bank N
- make FLASH bank # N writable
[color=red][b]protect off all[/b][/color]
- make all FLASH banks writable
I found out something cool. After bricking the router trying to get ddrwt on it (LZMA error 1, i think it has something to do with the U-Boot having a too small malloc region, any idea how to increase it without me having to JTAG it? Otherwise ill just have to.)
Anyhow, i had to use header.x86 from the GPL release to decode the DLF, then remove the first couple of lines using a hex editor so the magic number was at the start and uploaded the kernel over tftp, it worked again after that but i couldn't login to upload the rest of the firmware.
I ended up using binwalker to unpack the kernel binary but that gave me heaps of random files. I ended up using strings on the romfs file and after heaps of useless information i found a little string called "svcm". I remember the esr-9752 having a sd2350 or something to activate console so i tried and it worked! i got the busybox console after entering svcm.
So to activate the console on any ESR-9750, use svcm.
I also managed to flash the engenious firmware on my netcomm NP802n without trouble this way. So if it can be figured out how to increase the malloc region OR to compile an image that uses less malloc memory i think DD-WRT can work on any ESR-9750.
Some commands from the busybox used (their all linked to busybox)
Code:
# ls /
apps dev kernel opt storage usr
appscore etc lib proc sys var
bin init mnt sbin tmp
# cd usr
# ls
bin lib local sbin
# cd bin
# ls
* cmp id md5sum test uptime
[ config_init ipcs printf tftp wc
[[ config_term killall sort time wget
basename expr logger tail tty