OpenWrt Wiki

The Sitecom WL-173 is a 54 Mbit (with turbo mode) wireless broadband router. It's original firmware is based on uClinux (Firmware 1.28) and a Realtek RTL8650B chip at 200 MHz is used. The following pictures were taken from a WL-173 v1 001.

• attachment:outsideWL173.jpg

There are four screws. Two are not hidden. The other screws are located underneath the little rubber feet near the front of the router.

• attachment:boardWL173_s.jpg

High resolution pictures upside: and .

Low resolution picure downside:

• SoC: Realtek RTL8650B at 200 MHz

http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PNid=9&PFid=11&Level=4&Conn=3&ProdID=70

http://www.csie.nctu.edu.tw/~cfliu/work/8650.htm

# cat /proc/cpuinfo
system type             : Philips Nino
processor               : 0
cpu model               : R3000 V0.0
BogoMIPS                : 199.06
wait instruction        : no
microsecond timers      : no
tlb_entries             : 16
extra interrupt vector  : no
hardware watchpoint     : no
VCED exceptions         : not available
VCEI exceptions         : not available
 

• RAM: 2x PSC A2V64S40CTP á 64Mbit / Data sheet: To link …
• ROM: Spansion S29Al016D 16Mbit/70ns / Data sheet: http://www.spansion.com/datasheets/s29al016d_00_a5_e.pdf

The firmware source code and the toolchain: http://www.sitecom.com/drivers_result.php?groupid=5&productid=528

File format of the official firmware (1.28) from the Sitecom website:

Firmware Header:

Kernel block:

SquashFS:

• Special header with "Magic Number" 0x59a0e842, checksum of following data(kernel and romfs)
• Next in flashfile is the kernel also with special header and "Magic Byte sequence", checksum of kernel etc
• Some filling 0x00 bytes follow
• and after that the SquashFS-LZMA

The special header is generated by the binary "packbin" from the source package.

In this firmware file (1.28) the kernel and squashfs are lzma compressed.

• Original 1.28 firmware image from Sitecom website: WL-173 Firmware
• Extracted and decompressed kernel image: WL-173 Kernel
• Extracted SquashFS (LZMA compressed): WL-173 SquashFS-LZMA
• Uncompressed and "unsquashed" root file system: WL-173 RootFS

There is a modified 1.28 firmware with telnet daemon. Telnet is open to WAN and not password protected so do NOT connect to the internet.

Modified firmware image:

• Version 1.28 with telnetd (by GIGA)

Is this the bootloader (?) "Project ROME LOADER"

Removed due to copyright issues…

# cat kmsg
************************************
Powered by Realtek RTL8650B SoC, rev 1
************************************
SDRAM size: 16MB
CPU revision is: 0000ff00
Init MMU (16 entries)
Primary instruction cache 0kB, linesize 0 bytes.
Primary data cache 0kB, linesize 0 bytes.
Linux version 2.4.26-uc0 (root@Fedora) (gcc version 3.2) #1065 Tue Oct 24 10:06:54 CST 2006
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
NOFS reserved @ 0x80392ca0
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock4
IRR(0)=c0000000
Calibrating delay loop... 199.06 BogoMIPS
Memory: 12540k/16384k available (2641k kernel code, 3844k reserved, 112k data, 96k init, 0k highmem)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction...  unavailable.
POSIX conformance testing by UNIFIX
NEW PCI Driver...isLinuxCompliantEndianMode=False(Big Endian)
[PCI] Reset Bridge ..... Finish!
Memory Space 0 data=0xffff8000 size=0x8000
PCI device exists: slot 0 function 0 VendorID 1814 DeviceID 301 bbd40000
Memory Space 0 data=0xffff8000 size=0x8000
PCI device exists: slot 0 function 1 VendorID 1814 DeviceID 301 bbd40100
Memory Space 0 data=0xffff8000 size=0x8000
PCI device exists: slot 0 function 2 VendorID 1814 DeviceID 301 bbd40200
Memory Space 0 data=0xffff8000 size=0x8000
PCI device exists: slot 0 function 3 VendorID 1814 DeviceID 301 bbd40300
Memory Space 0 data=0xffff8000 size=0x8000
PCI device exists: slot 0 function 4 VendorID 1814 DeviceID 301 bbd40400
Memory Space 0 data=0xffff8000 size=0x8000
PCI device exists: slot 0 function 5 VendorID 1814 DeviceID 301 bbd40500
Memory Space 0 data=0xffff8000 size=0x8000
PCI device exists: slot 0 function 6 VendorID 1814 DeviceID 301 bbd40600
Memory Space 0 data=0xffff8000 size=0x8000
PCI device exists: slot 0 function 7 VendorID 1814 DeviceID 301 bbd40700
memory mapping BAnum=0 slot=0 func=0
memory mapping BAnum=0 slot=0 func=1
memory mapping BAnum=0 slot=0 func=2
memory mapping BAnum=0 slot=0 func=3
memory mapping BAnum=0 slot=0 func=4
memory mapping BAnum=0 slot=0 func=5
memory mapping BAnum=0 slot=0 func=6
memory mapping BAnum=0 slot=0 func=7
assign mem base 1bf00000~1bf07fff at bbd40010 size=32768
assign mem base 1bf08000~1bf0ffff at bbd40110 size=32768
assign mem base 1bf10000~1bf17fff at bbd40210 size=32768
assign mem base 1bf18000~1bf1ffff at bbd40310 size=32768
assign mem base 1bf20000~1bf27fff at bbd40410 size=32768
assign mem base 1bf28000~1bf2ffff at bbd40510 size=32768
assign mem base 1bf30000~1bf37fff at bbd40610 size=32768
assign mem base 1bf38000~1bf3ffff at bbd40710 size=32768
Find Total 8 PCI functions
Found 00:00 [1814/0301] 000280 00
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Squashfs 2.1-r2 (released 2004/12/15) (C) 2002-2004 Phillip Lougher
LZMA decompressor support based on LZMA SDK 4.05 by Oleg I.Vdovikin
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SERIAL_PCI enabled
Probing RTL8651 home gateway controller...
Initialize RTL865x ASIC and driver
chip name: 8650B, chip revid: 1
   Initialize mbuf...
   creating default 2 interfaces...eth0 IRR(6)=c0040000
===> Request IRQ 6 for eth0, ret=0
IRR(7)=c0070000
===> Request IRQ 7 for eth0, ret=0
eth1 ...OK
PPP generic driver version 2.4.2
PPP BSD Compression module registered
flash device: 200000 at be000000
 Amd/Fujitsu Extended Query Table v1.0 at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
Creating 5 MTD partitions on "Physically mapped flash":
0x00000000-0x00004000 : "boot1"
0x00010000-0x00018000 : "boot2"
0x00018000-0x00020000 : "boot3"
0x00020000-0x000e8000 : "kernel"
0x000e8000-0x00200000 : "rootfs"
*RT61*===> RT61_init_one
pcibios_enable_resources: already enabled when device probed.
*RT61*Driver version-1.0.7.0
pci_request_regions: PCI regions already reserved
pcibios_set_master: already done when device probed.
*RT61*ra0: at 0x1bf38000, VA 0xbbf38000, IRQ 5.
*RT61*<=== RT61_init_one
Initializing Cryptographic API
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
GRE over IPv4 tunneling driver
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
emulate opcode 0x25 at 800f3b54
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 96k freed
emulate opcode 0x25 at 800f3b54
IRR(3)=c3070000
===> Request IRQ 3 for serial, ret=0
initial console created on /dev/ttyS1
rtl8651_user_pid set to 19
Bring up ext  port 6..
Rx shift=10002

Set IGMP Default Upstream interface (eth0) ... SUCCESS!!
PPPoE Passthru disabled.
Drop Unknown PPPoE PADT disabled.
IPv6 Passthru disabled.
IPX Passthru disabled.
NETBIOS Passthru disabled.
*RT61*===> NICLoadFirmware
*RT61*NICLoadFirmware: CRC ok, ver=1.0
*RT61*<=== NICLoadFirmware (src=/etc/Wireless/RT61AP/RT2561S.bin, status=0)
*RT61*--> RTMPAllocAdapterBlock
*RT61*<-- RTMPAllocAdapterBlock
*RT61*--> RTMPAllocDMAMemory
*RT61*TxRing[0]: total 96 entry allocated
*RT61*TxRing[1]: total 96 entry allocated
*RT61*TxRing[2]: total 96 entry allocated
*RT61*TxRing[3]: total 96 entry allocated
*RT61*TxRing[4]: total 96 entry allocated
*RT61*MGMT Ring: total 32 entry allocated
*RT61*Rx Ring: total 96 entry allocated
*RT61*<-- RTMPAllocDMAMemory
*RT61* NICInitTxRxRingAndBacklogQueue
IRR(5)=c3070000
===> Request IRQ 5 for ra0, ret=0
*RT61*--> MLME Initialize
*RT61*<-- MLME Initialize
*RT61*--> PortCfgInit
*RT61*<-- PortCfgInit
*RT61*--> NICInitializeAdapter
*RT61*--> NICInitializeAsic
*RT61*BBP version = 22
*RT61*<-- NICInitializeAsic
*RT61*<-- NICInitializeAdapter
*RT61*CountryRegion=5
*RT61*SSID[0]=Sitecom
*RT61*PhyMode=0
*RT61*I/F(ra0) TxRate=(6c,60,48,30,16,0b,04,02,00,00,00,00)
*RT61*Channel=11
*RT61*BasicRate=15
*RT61*BeaconPeriod=100
*RT61*DtimPeriod=3
*RT61*TxPower=100
*RT61*BGProtection=2
*RT61*OLBCDetection=0
*RT61*TxAntenna=1
*RT61*RxAntenna=
*RT61*TxPreamble=1
*RT61*RTSThreshold=2347
*RT61*FragThreshold=2346
*RT61*TxBurst=1
*RT61*PktAggregate=1
*RT61*TurboRate=1
*RT61*I/F(ra0) WmmCapable=0
*RT61*I/F(ra0) NoForwarding=0
*RT61*NoForwardingBTNBSSID=0
*RT61*I/F(ra0) HideSSID=0
*RT61*ShortSlot=1
*RT61*AutoChannelAtBootup=0
*RT61*IEEE8021X=0
*RT61*IEEE80211H=0
*RT61*CSPeriod=10
*RT61*PreAuth=1
*RT61*RTMPMakeRSNIE IF(ra0): RSNIE_Len[0]=8, RSNIE_Len[1]=0
*RT61*I/F(ra0) AuthMode=7
*RT61*RTMPMakeRSNIE IF(ra0): RSNIE_Len[0]=20, RSNIE_Len[1]=0
*RT61*I/F(ra0) EncrypType=4
*RT61*ReKeyMethod=2
*RT61*ReKeyInterval=86400
*RT61*PMKCachePeriod=60000
*RT61*I/F(ra0) WPAPSK_KEY=vdsvdxd67
*RT61*strong RSSI=0, CCA=0, fixed R17 at 0x41, R62=4
*RT61*MlmeSetTxPreamble (= SHORT PREAMBLE)
*RT61*strong RSSI=0, CCA=0, fixed R17 at 0x41, R62=4
macptr - hexdump(len=8): 76 64 73 76 64 78 64 36
pAd->PortCfg.MBSSID[pAd->IoctlIF].Ssid - hexdump(len=7): 53 69 74 aa 63 6f 6d
keyMaterial - hexdump(len=32): 8b 30 e1 22 27 e9 71 16 1b aa cb 1a 86 13 6c 9c a1 b0 3e cf 41 d5 20 89 c3 86 94 50 66 e9 2d 11
*RT61*I/F(ra0) WPAPSK Key =>
8b:30:e1:22:27:e9:aa:aa:aa:89:cb:1a:86:13:6c:9c:
a1:b0:3e:cf:41:d5:20:89:c3:aa:94:aa:66:e9:2d:11:

*RT61*I/F(ra0) DefaultKeyID(0~3)=1
*RT61*HSCounter=0
*RT61*AccessPolicy0=0
*RT61*WDS-Enable mode=0
*RT61*WDS-AP(00) (0)-00:00:00:00:00:00
*RT61*WDS-AP(01) (0)-00:00:00:00:00:00
*RT61*WDS-AP(02) (0)-00:00:00:00:00:00
*RT61*WDS-AP(03) (0)-00:00:00:00:00:00
*RT61*--> NICReadEEPROMParameters
*RT61*MBSSID[0] MAC=00:0c:f6:xx:xx:x0
*RT61*MBSSID[1] MAC=00:0c:f6:xx:xx:x1
*RT61*MBSSID[2] MAC=00:0c:f6:xx:xx:x2
*RT61*MBSSID[3] MAC=00:0c:f6:xx:xx:x3
*RT61*E2PROM: Version = 1, FAE release #0
*RT61*E2PROM: G Tssi[-4 .. +4] = 255 255 255 255 - 255 -255 255 255 255, step=255, tuning=0
*RT61*MlmePeriodicExec: no traffic, Reset AsicBbpTuning
*RT61*Reset AsicBbpTuning, BBP_R62=4, OneSecFalseCCACnt=0
*RT61*strong RSSI=65458, CCA=0, fixed R17 at 0x41, R62=4
*RT61*E2PROM: A Tssi[-4 .. +4] = 255 255 255 255 - 255 -255 255 255 255, step=255, tuning=0
*RT61*E2PROM: RF freq offset=0x11, RF programming seq=0
*RT61*TxPowerDelta Config (Delta=3, Sign=0, Enable=1)
*RT61*<-- NICReadEEPROMParameters
*RT61*country code=5/0, RFIC=1, PHY mode=0, support 14 channels
*RT61*channel #1
*RT61*channel #2
*RT61*channel #3
*RT61*channel #4
*RT61*channel #5
*RT61*channel #6
*RT61*channel #7
*RT61*channel #8
*RT61*channel #9
*RT61*channel #10
*RT61*channel #11
*RT61*channel #12
*RT61*channel #13
*RT61*channel #14
*RT61*IF(ra0) RTMPSetPhyMode(=0)
*RT61*I/F(ra0) TxRate=(6c,60,48,30,16,0b,04,02,00,00,00,00)
*RT61*--> NICInitAsicFromEEPROM
*RT61*RFIC=3, LED mode=0
*RT61*<-- NICInitAsicFromEEPROM
*RT61*Register WDS(virtual) interface(ra1)-00:00:00:00:00:00
*RT61*Register WDS(virtual) interface(ra2)-00:00:00:00:00:00
*RT61*Register WDS(virtual) interface(ra3)-00:00:00:00:00:00
*RT61*Register WDS(virtual) interface(ra4)-00:00:00:00:00:00
*RT61*---> ApInitialize
*RT61*<--- ApInitialize
*RT61*---> ApStartUp
*RT61*IF(ra0) CapabilityInfo=431, WepStatus=4
*RT61*IF(ra0)-AP AuthMode=7, Pairwise Key Table in-used
*RT61*AsicRemoveSharedKeyEntry: #0
*RT61*AsicRemoveSharedKeyEntry: #1
*RT61*AsicRemoveSharedKeyEntry: #2
*RT61*AsicRemoveSharedKeyEntry: #3
*RT61*AsicSwitchChannel(RF=3, Pwr=24) to #11, R1=0x95002ccc, R2=0x9500479a, R3=0x9506b055, R4=0x950d1a0b
*RT61*UpdateBasicRateBitmap::(BasicRateBitMap=f)(82,84,8b,96,0c,12,18,24,30,48,60,6c)
*RT61*IF(ra0) MlmeUpdateTxRates (MaxDesire=54 Mbps, MaxSupport=54 Mbps, MaxTxRate=54 Mbps, Rate Switching =1)
*RT61* MlmeUpdateTxRates (RtsRate=11 Mbps, MlmeRate=1 Mbps, BasicRateBitmap=0x015f)
*RT61*MakeBssBeacon(ra0)(FrameLen=76,TimIELocateInBeacon=76,CapInfoLocateInBeacon=34)
*RT61*SW interrupt MCU (cmd=0x60, token=0xff, arg1,arg0=0x00,0x00)
*RT61*strong RSSI=65337, CCA=51, fixed R17 at 0x41, R62=4
*RT61*--->AsicEnableBssSync(INFRA mode)
*RT61*--->Disable TSF synchronization
*RT61*SW interrupt MCU (cmd=0x50, token=0xff, arg1,arg0=0xff,0x20)
*RT61*strong RSSI=65337, CCA=4, fixed R17 at 0x41, R62=4
*RT61*SW interrupt MCU (cmd=0x50, token=0xff, arg1,arg0=0xff,0x60)
*RT61*LOG#0 00:0c:f6:27:8a:c6 restart access point
*RT61*<--- ApStartUp (sec_csr4=0x1)
Register External Device (ra0) vid (9) extPortNum (6)
Reserve port 6 for peripheral device use. (0x40)
Total WLAN/WDS links: 1
register external ra0 device on extPort 6, id  1
ra0 -- (rtl865x_extDev_registerUcastTxDev [660]) Register Unicast Tx Device [80ec2800].
(rtl865x_extDev_regCallBack [845]) Register CallBack function -- Ucast Tx (8030c018) Free (8030c26c).
*RT61*==> Set_Debug_Proc *******************

 

• (Integrate SSH daemon for shell access) Telnet is now implemented
• TFTPD upload after reset
• Recovery (JTAG, serial …)
• Get RTL8650B data sheet

Not tested. No JTAG found for recovery…RTL8650B data sheet needed.