User Tools

Site Tools


toh:belkin:f5d8635-4v1_danube

Belkin F5D8635-4v1

There are many different versions for the Belkin F5D8635 with different hardware, and it seems that not even same versions have the same hardware. This page is for the one that has a Danube soc, not the Amazon one.

Hardware

Architecture Infineon( Lantiq) Danube (MIPS 24Kec) Processor (big endian)
Board WADI-125GN_V01
System-On-Chip Infineon DANUBE PSB 50702
CPU clock 333mhz
Number of CPU 2(mips0 and mips1)
Wireless pci Ralink corp. RT2800 802.11n PCI
Class 0280: PCI device 1814:0601 (rev 0).
Wireless controller chip (Ralink) RT2860 GZ41330F0 0829ST
Wifi antennas 2
Ethernet switch (IC Plus) IC+ IP175E
Ram Qimonda 0828 C HYB25DC256160CE-5 WVV41038
Ram size 32MiB
Flash (Macronix) MX S082744 TAIWAN
Flash size 4MiB
USB Yes
Power 12v 1.25A
Lan 4xRJ-45
Wan 1xRJ-45/RJ-11
Internet ADSL2+

Opening the case

There are 2 T8 screws under the sticker on the front case where the leds are located. Once unscrewed pull the case with a flat screwdriver.

Board

image

Original firmware

Source code Download(likely, not sure)
Bootloader U-Boot

Original flash layout

Partition (OpenWRT)
layer 2
mtd0 mtd1
Description U-Boot rootfs,kernel,Data,Environment
Start
End
0x00000000
0x00010000
0x00010000
0x00400000
Size 64KiB 4032KiB
Data block number 0 1 2 3 4 6 7 5
Data block (U-boot)
layer 1
uboot rootfs kernel sysconfig ubootconfig fwdiag calibration voip
Start address 0xB0000000 0xB0010000 0xB004D8A0 0xB03F5000 0xB03F9000 0xB03F9C00 0xB03F9E00 0xB03FA000
Size
(as reported by U-boot)
0 0 0x003A7752 0x4000 0x0C00 0x0200 0x0200 0x6000

There are 71 sectors, the first 8 sectors(mtd0) have a size of 8KiB(0x2000) each and the remaining 63 sectors(mtd1) have a size of 64KiB(0x10000) each

Either the backup I did was erroneous or fwdiag, calibration and voip partitions are filled with 1s, that is the hex dump just shows FF which means they are empty.

From the binary dump I can say:

  • uboot datablock has data from 0x0 to 0xD66D.
  • rootfs datablock has data at the end, from 0x4B120 to 0x4D89F. It's not clear if there is anything useful in here.
  • kernel datablock has data from 0x4D8A0 to 0x3F4FFF (It is full). The start address matches an uImage header which is followed by LZMA compressed data. Inside there is a squash filesystem named ramdisk.
  • sysconfig datablock has data from 0x3F5000 to 0x3F6FE2 which is in gzip format. When uncompressed there are plain text settings and most of them just refer to wan, lan, wi-fi, MAC and vlan.
  • ubootconfig datablock has data from 0x3F9000 to 0x3F9BFF which contains the U-boot environment
  • fwdiag, calibration and voip are empty

Access

The router has telnet and is enabled by default. It can also be accessed from serial and EJTAG.

Telnet

Telnet the router ip and login to admin user with the same password of the web based interface

$ telnet 192.168.2.1

Serial

There are 4 pins(1 squared and 3 round) in line

1(squared)234
VccTxRxGND

See board picture

Maybe Tx and Rx are switched

Settings:

  • Speed: 115200 baud
  • Data bits: 8
  • Stop bits: 1
  • Parity: None
  • Flow control: None (No hardware and no software flow control)

Once connected the console log output will appear. Restart the router and press any key to stop autoboot and enter U-boot's command line:

CFG 01                                                                          
Read                                                                            
ROM VER: 1.0.3                                                                  
CFG 01                                                                          
Read EEPROMX                                                                    
 X                                                                              
                                                                                
                                                                                
U-Boot 1.1.5-LXDB (Sep 16 2008 - 00:52:08)                                      
                                                                                
DRAM:  32 MB                                                                    
                                                                                
 relocate_code start                                                            
 relocate code finish.                                                          
Flash:  4 MB                                                                    
In:    serial                                                                   
Out:   serial                                                                   
Err:   serial                                                                   
Net:   ethaddr=00:22:75:XX:XX:XX                                                
danube Switch                                                                   
                                                                                
Type "run flash_nfs" to mount root filesystem over NFS                          
                                                                                
Hit any key to stop autoboot:  0
DANUBE #

EJTAG

There are 9 pins in line(8 round and 1 squared). See board picture .

Development

I'm following this and this as a reference

Priorities

  • Instructions on how to make a backup
  • Find UART mode, i.e. how to activate CFG 04 mode

Backup

Connect a fat32 usb to the router and then telnet into the router. Login as the root user and use as password the same as that of the web interface. Find where is the usb mounted:

$ mount

Now let's make the backup:

$ dd if=/dev/mtd/0 of=/ramdisk/dev/sda1/mtd0.bin
$ dd if=/dev/mtd/0 of=/ramdisk/dev/sda1/mtd0_compare.bin
$ dd if=/dev/mtd/1 of=/ramdisk/dev/sda1/mtd1.bin
$ dd if=/dev/mtd/1 of=/ramdisk/dev/sda1/mtd1_compare.bin

Unmount the usb:

$ umount /dev/sda1

Connect the usb to the computer and make sure that checksums of the same mtd partition match, otherwise try doing a backup again:

$ md5sum mtd0.bin mtd0_compare.bin
Make sure that checksums of mtd0.bin and mtd0_compare.bin match
$ md5sum mtd1.bin mtd1_compare.bin
Make sure that checksums of mtd1.bin and mtd1_compare.bin match

(Optionally)Concatenate both dumps:

$ cat mtd0.bin mtd1.bin > full_backup.bin

Proposed Partition Layout

Layer 2 (OpenWRT) uboot firmware uboot_env
Start
End
0xB0000000
0xB0010000
0xB0010000
0xB03F0000
0xB03F0000
0xB0400000
Size 0x10000 0x3E0000 0x10000
Size 64 KiB 3.875 MiB 64 KiB
Layer 1 (U-boot) [0]uboot [1]rootfs [2]kernel [3]sysconfig [4]ubootconfig [6]fwdiag [7]calibration [5]voip
Start address 0xB0000000 0xB0010000 0xB004D8A0 0xB03F5000 0xB03F9000 0xB03F9C00 0xB03F9E00 0xB03FA000
Size 0x10000 0x3D8A0 0x003A7760 0x4000 0x0C00 0x0200 0x0200 0x6000
Size 64 KiB 246.15 KiB 3.65 MiB 16 KiB 4 KiB 512 B 512 B 24 KiB

Partitions must have as a minimum the size of a sector. It is 0x10000 except for the first 0x10000 block which is 0x2000.

Bootloader

It is very dangerous to flash a bootloader image without having UART mode(recovery) access. Once there is a working image, modifying the original bootloader environment(kernel_addr variable) so it boots from 0xB0010000 can be done as follows:

setenv kernel_addr 0xb0010000
saveenv

DON'T DO THIS NOW AS THERE ISN'T ANY IMAGE WORKING!!!

Generate OpenWRT image

Get trunk source:

git clone git://git.openwrt.org/openwrt.git
Or get Attitude Adjustment source:
git clone git://git.openwrt.org/12.09/openwrt.git

Step 1: Makefile

Add to target/linux/lantiq/image/Makefile under "# Danube" comment section

Image/BuildKernel/Profile/F5D8635-4V1_DANUBE=$(call Image/BuildKernel/Template,F5D8635-4V1_DANUBE)
Image/Build/Profile/F5D8635-4V1_DANUBE=$(call Image/Build/$(1),$(1),F5D8635-4V1_DANUBE)

Step 2: belkin.mk

Create file target/linux/lantiq/xway/profiles/belkin.mk

define Profile/F5D8635-4V1_DANUBE
  NAME:=Belkin F5D8635-4v1 (Danube SoC)
  PACKAGES:=kmod-ltq-adsl-danube-mei kmod-ltq-adsl-danube \
        kmod-ltq-adsl-danube-fw-a kmod-ltq-atm-danube \
        ltq-adsl-app ppp-mod-pppoe \
        kmod-rt2800-pci wpad-mini \
        kmod-usb-storage block-mount kmod-fs-ext4 kmod-scsi-generic \
        kmod-ledtrig-usbdev kmod-usb2 kmod-usb-uhci \
        swconfig
endef

$(eval $(call Profile,F5D8635-4V1_DANUBE))

Step 3: F5D8635-4V1_DANUBE.dts

Create file target/linux/lantiq/dts/F5D8635-4V1_DANUBE.dts

/dts-v1/;

/include/ "danube.dtsi"

/ {
        model = "F5D8635-4v1_DANUBE - Belkin F5D8635-4v1 (Danube SoC)";

        chosen {
                bootargs = "console=ttyLTQ0,115200 init=/etc/preinit";
        };

        memory@0 {
                reg = <0x0 0x2000000>;
        };

        sram@1F000000 {
                vmmc@107000 {
                        status = "okay";
                };
        };

        fpi@10000000 {
                localbus@0 {
                        nor-boot@0 {
                                compatible = "lantiq,nor";
                                bank-width = <2>;
                                reg = <0 0x0 0x1000000>;
                                #address-cells = <1>;
                                #size-cells = <1>;

                                partition@0 {
                                        label = "uboot";
                                        reg = <0x00000 0x10000>;
                                        read-only;
                                };

                                partition@10000 {
                                        label = "firmware";
                                        reg = <0x10000 0x3e0000>;
                                };

                                partition@3f0000 {
                                        label = "uboot_env";
                                        reg = <0x3f0000 0x10000>;
                                        read-only;
                                };
                        };
                };
        };

};

Step 4: Networking

Set mac address from U-boot variable. Add our router to BTHOMEHUBV2B case block in the file target/linux/lantiq/base-files/etc/uci-defaults/02_network

BTHOMEHUBV2B|F5D8635-4V1_DANUBE)
        lan_mac=$(mtd_get_mac_ascii uboot_env ethaddr)
        wan_mac=$(macaddr_add "$lan_mac" 1)
        ;;

Is target/linux/lantiq/base-files/etc/hotplug.d/firmware/10-rt2x00-eeprom necessary?

TODO

  • Map gpio
  • More

Building the images

$ rm -rf tmp
$ make prereq
$ ./scripts/feeds update -a
$ ./scripts/feeds install -a
$ make menuconfig
$ make

Testing

Configure a tftp server on your pc, open ports and copy openwrt image in the tftp folder as uImage:

sudo cp bin/lantiq/openwrt-lantiq-xway-F5D8635-4V1_DANUBE-uImage-initramfs /var/lib/tftpboot/uImage

Then load it on the router's ram:

DANUBE # setenv ipaddr 192.168.1.1                                              
DANUBE # setenv serverip 192.168.1.2
DANUBE # tftpboot 80400000 boot.img                                             
Using danube Switch device                                                      
TFTP from server 192.168.1.2; our IP address is 192.168.1.1                     
Filename 'boot.img'.                                                            
Load address: 0x80400000                                                        
Loading: #################################################################      
         #################################################################      
         #################################################################      
         #################################################################      
         #################################################################      
         #################################################################      
         #################################################################      
         #################################################################      
         #################################################################      
         #################################################################      
         #################################################################      
         ######################################################                 
done                                                                            
Bytes transferred = 3932164 (3c0004 hex)                                        
DANUBE # bootm 80400000                                                                                                                                                 
## Booting image at 80400000 ...                                                                                                                                        
   Image Name:   MIPS OpenWrt Linux-3.10.49                                                                                                                             
   Created:      2014-07-24  16:08:27 UTC                                                                                                                               
   Image Type:   MIPS Linux Kernel Image (lzma compressed)                                                                                                              
   Data Size:    1353019 Bytes =  1.3 MB                                                                                                                                
   Load Address: 80002000                                                                                                                                               
   Entry Point:  80002000                                                                                                                                               
   Verifying Checksum ... OK                                                                                                                                            
   Uncompressing Kernel Image ... OK                                                                                                                                    
                                                                                                                                                                        
Starting kernel ...                                                                                                                                                     
                                                                                                                                                                        
[    0.000000] Linux version 3.10.49 (javier@localhost.localdomain) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r41816) ) #2 Thu Jul 24 18:08:21 CEST 2014       
[    0.000000] SoC: (null) rev 1.5                                                                                                                                      
[    0.000000] bootconsole [early0] enabled                                                                                                                             
[    0.000000] CPU revision is: 00019641 (MIPS 24KEc)                                                                                                                   
[    0.000000] MIPS: machine is F5D8635-4v1_DANUBE - Belkin F5D8635-4v1 (Danube SoC)                                                                                    
[    0.000000] Determined physical RAM map:                                                                                                                             
[    0.000000]  memory: 02000000 @ 00000000 (usable)                                                                                                                    
[    0.000000] Initrd not found or empty - disabling initrd                                                                                                             
[    0.000000] Zone ranges:                                                                                                                                             
[    0.000000]   Normal   [mem 0x00000000-0x01ffffff]                                                                                                                   
[    0.000000] Movable zone start for each node                                                                                                                         
[    0.000000] Early memory node ranges                                                                                                                                 
[    0.000000]   node   0: [mem 0x00000000-0x01ffffff]                                                                                                                  
[    0.000000] Primary instruction cache 16kB, VIPT, 4-way, linesize 32 bytes.                                                                                          
[    0.000000] Primary data cache 16kB, 4-way, VIPT, no aliases, linesize 32 bytes                                                                                      
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128                                                                                
[    0.000000] Kernel command line: console=ttyLTQ0,115200 init=/etc/preinit                                                                                            
[    0.000000] PID hash table entries: 128 (order: -3, 512 bytes)                                                                                                       
[    0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)                                                                                            
[    0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)                                                                                              
[    0.000000] Writing ErrCtl register=0007ff28                                                                                                                         
[    0.000000] Readback ErrCtl register=0007ff28                                                                                                                        
[    0.000000] Memory: 28268k/32768k available (3008k kernel code, 4500k reserved, 762k data, 188k init, 0k highmem)                                                    
[    0.000000] NR_IRQS:256                                                                                                                                              
[    0.000000] CPU Clock: 333MHz                                                                                                                                        
[    0.000000] Calibrating delay loop... 221.18 BogoMIPS (lpj=442368)                                                                                                   
[    0.036000] pid_max: default: 32768 minimum: 301                                                                                                                     
[    0.040000] Mount-cache hash table entries: 512                                                                                                                      
[    0.048000] pinctrl core: initialized pinctrl subsystem                                                                                                              
[    0.052000] NET: Registered protocol family 16                                                                                                                       
[    0.060000] CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 803b37dc, ra == 8000f658                                                
[    0.064000] Oops[#1]:                                                                                                                                                
[    0.064000] CPU: 0 PID: 1 Comm: swapper Not tainted 3.10.49 #2                                                                                                       
[    0.064000] task: 81821888 ti: 81822000 task.ti: 81822000                                                                                                            
[    0.064000] $ 0   : 00000000 00000000 803e2280 00000000                                                                                                              
[    0.064000] $ 4   : 00000080 81041cfc 80324234 00000069                                                                                                              
[    0.064000] $ 8   : 0000005f 00000059 00000005 0000003d                                                                                                              
[    0.064000] $12   : 00000000 00000007 0000000e 80360928                                                                                                              
[    0.064000] $16   : 803e0000 803b37a8 00000000 803e0000                                                                                                              
[    0.064000] $20   : 00000008 803b1224 803d3fe4 803e0000                                                                                                              
[    0.064000] $24   : 00000001 8004c6c4                                                                                                                                
[    0.064000] $28   : 81822000 81823e88 00000026 8000f658                                                                                                              
[    0.064000] Hi    : 00000000                                                                                                                                         
[    0.064000] Lo    : 00000000                                                                                                                                         
[    0.064000] epc   : 803b37dc plat_of_setup+0x34/0x98                                                                                                                 
[    0.064000]     Not tainted                                                                                                                                          
[    0.064000] ra    : 8000f658 do_one_initcall+0xf0/0x198                                                                                                              
[    0.064000] Status: 1100fc03 KERNEL EXL IE                                                                                                                           
[    0.064000] Cause : 00800008                                                                                                                                         
[    0.064000] BadVA : 00000000                                                                                                                                         
[    0.064000] PrId  : 00019641 (MIPS 24KEc)                                                                                                                            
[    0.064000] Modules linked in:                                                                                                                                       
[    0.064000] Process swapper (pid: 1, threadinfo=81822000, task=81821888, tls=00000000)                                                                               
[    0.064000] Stack : 00000003 81041d08 00000003 00000000 803dc328 00000003 803d4014 803e0000                                                                          
          803dc32c 00000003 803d4014 803e0000 00000008 803b1a90 ffffffff ffffffff                                                                                       
          8038c76c ffffffff 00000003 00000003 803b1224 ffffffff ffffffff ffffffff                                                                                       
          8000a7a0 00000000 803e0000 00000000 00000000 00000000 00000000 00000000                                                                                       
          00000000 8000a7bc 00000000 80049e60 ffffffff ffffffff 8000a7a0 00000000                                                                                       
          ...                                                                                                                                                           
[    0.064000] Call Trace:                                                                                                                                              
[    0.064000] [<803b37dc>] plat_of_setup+0x34/0x98                                                                                                                     
[    0.064000]                                                                                                                                                          
[    0.064000]                                                                                                                                                          
Code: 3c02803e  24422280  24040080 <90610000> 2484ffff  a0410000  10200003  24420001  1480fffa                                                                          
[    0.068000] ---[ end trace e730b9af53bdb92d ]---                                                                                                                     
[    0.072000] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b                                                                                  
[    0.072000]

Using Adjustment Attitude

[    0.088000] Oops[#1]:
[    0.088000] Cpu 0
[    0.088000] $ 0   : 00000000 0000006d be105400 00000003
[    0.088000] $ 4   : 802e0000 feffffff ffffffff 000061c3
[    0.088000] $ 8   : ffffffdf 80133f9c 00000000 ffffff80
[    0.088000] $12   : 03ff0000 03bd0000 24000000 ac000000
[    0.088000] $16   : 802603d0 0000000e 802c75a0 0000000e
[    0.088000] $20   : 802c55a8 804f0000 802d0000 804f0000
[    0.088000] $24   : 00000018 80249c08
[    0.088000] $28   : 81818000 81819d80 00000000 80249db0
[    0.088000] Hi    : 00000000
[    0.088000] Lo    : 00000000
[    0.088000] epc   : 80249dd4 ltq_pci_probe+0x1cc/0x3d0
[    0.088000]     Not tainted
[    0.088000] ra    : 80249db0 ltq_pci_probe+0x1a8/0x3d0
[    0.088000] Status: 1100fc03    KERNEL EXL IE
[    0.088000] Cause : 1080001c
[    0.088000] PrId  : 00019641 (MIPS 24KEc)
[    0.088000] Modules linked in:
[    0.088000] Process swapper (pid: 1, threadinfo=81818000, task=818168b8, tls=00000000)
[    0.088000] Stack : 00000000 802c55a8 802c55b0 802d7fbc 802a3788 802d7fbc 00000000 802c55a8
[    0.088000]         804f0000 ffffffed 802d7fbc 802c2680 802d7fbc 00000000 00000000 80174d30
[    0.088000]         81852700 81819dc8 818504a0 80241cc4 81401518 802c55dc 802c55a8 802d7fbc
[    0.088000]         802d7fbc 8183d100 00000000 80174e98 802d7fbc 8017322c 00000000 8183d100
[    0.088000]         00000000 802d7fbc 80174e2c 80173520 802a0000 80172900 802d61a0 801731ac
[    0.088000]         ...
[    0.088000] Call Trace:
[    0.088000] [<80249dd4>] ltq_pci_probe+0x1cc/0x3d0
[    0.088000] [<80174d30>] driver_probe_device+0x12c/0x228
[    0.088000] [<80174e98>] __driver_attach+0x6c/0xa4
[    0.088000] [<80173520>] bus_for_each_dev+0x54/0x98
[    0.088000] [<801744cc>] bus_add_driver+0xc0/0x254
[    0.088000] [<80175244>] driver_register+0xc8/0x174
[    0.088000] [<802ef814>] pcibios_init+0x18/0x40
[    0.088000] [<80002900>] do_one_initcall+0xf0/0x1c0
[    0.088000] [<802dc990>] kernel_init+0xb4/0x130
[    0.088000] [<8000824c>] kernel_thread_helper+0x10/0x18
[    0.088000]         
[    0.088000]         
[    0.088000] Code: 34a5ffff  3c04802e  7c631a80 <00c52824> ac450030  ac83802c  0000000f  8ee3e400  8c85802c
[    0.092000] ---[ end trace 82e6514b04a04334 ]---
[    0.096000] Kernel panic - not syncing: Attempted to kill init! 

Additional Information

Original boot log:

ROM VER: 1.0.3 CFG 01 Read ROM VER: 1.0.3 CFG 01 Read EEPROMX X U-Boot 1.1.5-LXDB (Sep 16 2008 - 00:52:08) DRAM: 32 MB relocate_code start relocate code finish. Flash: 4 MB In: serial Out: serial Err: serial Net: ethaddr=00:22:75:XX:XX:XX danube Switch Type "run flash_nfs" to mount root filesystem over NFS Hit any key to stop autoboot: 0 ## Booting image at b004d8a0 ... Image Name: MIPS Linux-2.4.31-Danube-3.3.0-G Created: 2008-11-12 10:25:56 UTC Image Type: MIPS Linux Kernel Image (lzma compressed) Data Size: 3831550 Bytes = 3.7 MB Load Address: 80002000 Entry Point: 8021a040 Verifying Checksum ... OK Uncompressing Kernel Image ... OK Starting kernel ... TODO: chip version memsize=32l initrd_start=0xa0000000 initrd_size=0l flash_start=0xb0000000 flash_size=4194304l Reserving memory for CP1 @0xa1f00000 memsize=31 CPU revision is: 00019641 Primary instruction cache 16kB, physically tagged, 4-way, linesize 32 bytes. Primary data cache 16kB, 4-way, linesize 32 bytes. Linux version 2.4.31-Danube-3.3.0-G0432V33T_SM (root@localhost.localdomain) (gc8 Can't analyze prologue code at 80020d80 Determined physical RAM map: User-defined physical RAM map: memory: 01f00000 @ 00000000 (usable) Initial ramdisk at: 0x8026e000 (3014656 bytes) On node 0 totalpages: 7936 zone(0): 7936 pages. zone(1): 0 pages. zone(2): 0 pages. Kernel command line: root=/dev/ram0 ip=192.168.2.1:192.168.2.33::::eth0:on cons ethaddr_setup: mac address x-xx-xx-xx-xx-xx mips_hpt_frequency:166666667 r4k_offset: 00196e6a(1666666) Using 166.667 MHz high precision timer. Syam before calibrate_delay Calibrating delay loop... 222.00 BogoMIPS Syam after calibrate_delay MIPS CPU counter frequency is fixed at 166666667 Hz Memory: 25272k/31744k available (2125k kernel code, 6472k reserved, 3164k data,) Dentry cache hash table entries: 4096 (order: 3, 32768 bytes) Inode cache hash table entries: 2048 (order: 2, 16384 bytes) Mount cache hash table entries: 512 (order: 0, 4096 bytes) Buffer cache hash table entries: 1024 (order: 0, 4096 bytes) Page-cache hash table entries: 8192 (order: 3, 32768 bytes) Checking for 'wait' instruction... unavailable. POSIX conformance testing by UNIFIX PCI: Probing PCI hardware on host bus 0. Autoconfig PCI channel 0x802602c0 Scanning bus 00, I/O 0x1ae00000:0x1b000001, Mem 0x18000000:0x1a000001 00:0e.0 Class 0280: 1814:0601 Mem at 0x18000000 [size=0x10000] Linux NET4.0 for Linux 2.4 Based upon Swansea University Computer Society NET3.039 Initializing RT netlink socket LSP Revision 2 Starting kswapd Squashfs 2.2 (released 2005/07/03) (C) 2002-2004, 2005 Phillip Lougher pty: 256 Unix98 ptys configured ttyS0 at MEM 0xbe100400 (irq = 2) is a IFX_ASC ttyS1 at MEM 0xbe100c00 (irq = 9) is a IFX_ASC Danube MEI version:1.00.09 Danube MEI MIB version:0.90.04 enable_irq(55) unbalanced from 80229028 Danube PMU driver v0.3 cgu: misc_register on minor = 63 gptu: totally 6 16-bit timers/counters gptu: misc_register on minor 62 gptu: succeeded to request irq 118 gptu: succeeded to request irq 119 gptu: succeeded to request irq 120 gptu: succeeded to request irq 121 gptu: succeeded to request irq 122 gptu: succeeded to request irq 123 led: misc_register on minor = 151 memcopy_init: memcopy init RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize loop: loaded (max 8 devices) Unable to get major number 43 for NBD PPP generic driver version 2.4.2 danube MAC driver loaded! oamk: init_module() called. Opening oam kernel socket oamk: init_module() returned. ppe: ATM init succeeded (firmware version 1.1.0.2.1.13) SCSI subsystem driver Revision: 1.00 init_danube_mtd: start_scan_addr: b0000000 init_danube_mtd: chip probing count 0 Danube: probing address:b0000000 Amd/Fujitsu Extended Query Table v1.1 at 0x0040 number of CFI chips: 1 cfi_cmdset_0002: Disabling fast programming due to code brokenness. init_danube_mtd: bank1, name:Danube Bank 0, size:4194304bytes DANUBE flash0: Using static image partition definition Creating 2 MTD partitions on "Danube Bank 0": 0x00000000-0x00010000 : "U-Boot" 0x00010000-0x00400000 : "rootfs,kernel,Data,Environment" usb.c: registered new driver usbdevfs usb.c: registered new driver hub dwc_otg: version 2.40a 10-APR-2006 DWC_otg: Using DMA mode dwc_otg_hcd: irq 54, addr be101000 usb.c: new USB bus registered, assigned bus number 1 hub.c: USB hub found hub.c: 1 port detected DWC_otg: Init: Port Power? op_state=1 DWC_otg: Init: Power Port (0) dwc_otg proc initialization okay! Initializing USB Mass Storage driver... usb.c: registered new driver usb-storage USB Mass Storage support registered. NET4: Linux TCP/IP 1.0 for NET4.0 IP Protocols: ICMP, UDP, TCP, IGMP IP: routing cache hash table of 512 buckets, 4Kbytes TCP: Hash tables configured (established 2048 bind 4096) Linux IP multicast router 0.06 plus PIM-SM ip_conntrack version 2.1 (248 buckets, 1984 max) - 640 bytes per conntrack ip_conntrack_pptp version 1.9 loaded ip_conntrack_rtsp v0.01 loading (init)::init: Registering Sip Conntrack device ip_nat_pptp version 1.5 loaded ip_nat_rtsp v0.01 loading ip_tables: (C) 2000-2002 Netfilter core team ipt_time loading netfilter PSD loaded - (c) astaro AG NET4: Unix domain sockets 1.0/SMP for Linux NET4.0. NET4: Ethernet Bridge 008 for NET4.0 Danube Port Initialization DANUBE MIPS24KEc MPS mailbox driver, Version 1.1.0 (c) Copyright 2006, Infineon Technologies AG IFX_MPS: using proc fs RAMDISK: Compressed image found at block 0 Freeing initrd memory: 2944k freed FAT: bogus logical sector size 101 VFS: Mounted root (squashfs filesystem) readonly. Freeing unused kernel memory: 104k freed init started: BusyBox v1.00 (2008.11.12-10:14+0000) multi-call binary Algorithmics/MIPS FPU Emulator v1.5 Created character device /dev/danube-port with major[248] and minor[0] Using /lib/rt2860ap.o mei_interrupt_arcmsgav: Got MODEM_READY_MSG === pAd = c014e000, size = 489568 === <-- RTMPAllocAdapterBlock, Status=0 insmod: /lib/modules/2.4.31-Danube-3.3.0-G0432V33T_SM: No such file or directory insmod: ifx_nfext_core.o: no module by that name found insmod: /lib/modules/2.4.31-Danube-3.3.0-G0432V33T_SM: No such file or directory insmod: ifx_nfext_ppp.o: no module by that name found Bringing up syslog date: 6, month: 12, hour: 40, minute: 6 Bringing up klogd iptables: Chain already exists iptables: Chain already exists iptables: Chain already exists iptables: Chain already exists sh: cannot create /proc/sys/net/ipv4/netfilter_bridged_enable: Directory nonexit sh: cannot create /proc/sys/net/bridge/bridge-nf-local-in-enable: Directory nont sh: cannot create /proc/sys/net/bridge/bridge-nf-local-out-enable: Directory not device eth0 entered promiscuous mode atmsvc: no signaling demon sh: cannot create /proc/sys/net/ipv4/netfilter_bridged_enable: Directory nonexit sh: cannot create /proc/sys/net/bridge/bridge-nf-local-in-enable: Directory nont sh: cannot create /proc/sys/net/bridge/bridge-nf-local-out-enable: Directory not sh: cannot create /proc/sys/net/ipv4/netfilter_bridged_enable: Directory nonexit sh: cannot create /proc/sys/net/bridge/bridge-nf-local-in-enable: Directory nont sh: cannot create /proc/sys/net/bridge/bridge-nf-local-out-enable: Directory not iptables: Bad rule (does a matching rule exist in that chain?) sh: cannot create /proc/sys/net/ipv4/netfilter_bridged_enable: Directory nonexit sh: cannot create /proc/sys/net/bridge/bridge-nf-local-in-enable: Directory nont sh: cannot create /proc/sys/net/bridge/bridge-nf-local-out-enable: Directory not /etc/init.d/rcS: 204: /usr/sbin/sipALGd: not found br0: port 1(eth0) entering learning state device eth0 is already a member of a bridge; can't enslave it to bridge br0. sendarp uses obsolete (PF_INET,SOCK_PACKET) br0: port 1(eth0) entering forwarding state br0: topology change detected, propagating sh: cannot create /proc/sys/net/ipv4/netfilter_bridged_enable: Directory nonexit sh: cannot create /proc/sys/net/bridge/bridge-nf-local-in-enable: Directory nont sh: cannot create /proc/sys/net/bridge/bridge-nf-local-out-enable: Directory not dhcpd not enabled !! RX DESC a13fc000 size = 2048 <-- RTMPAllocTxRxRingMemory, Status=0 1. Phy Mode = 0 2. Phy Mode = 0 RTMPSetPhyMode: channel is out of range, use first channel=0 3. Phy Mode = 0 RTMPSetPhyMode: channel is out of range, use first channel=0 MCS Set = 00 00 00 00 00 SYNC - BBP R4 to 20MHz.l The 8-BSSID mode is enabled, the BSSID byte5 MUST be the multiple of 8 Main bssid = XX:XX:XX:XX:XX:XX The UUID Hex string is:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx The UUID ASCII string is:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx! <==== RTMPInitialize, Status=0 0x1300 = 00064230 br0: port 1(eth0) entering disabled state br0: port 1(eth0) entering learning state ERROR!!! RTMPCancelTimer failed, Timer hasn't been initialize! ERROR!!! RTMPCancelTimer failed, Timer hasn't been initialize! ERROR!!! RTMPCancelTimer failed, Timer hasn't been initialize! ERROR!!! RTMPCancelTimer failed, Timer hasn't been initialize! ERROR!!! RTMPCancelTimer failed, Timer hasn't been initialize! ERROR!!! RTMPCancelTimer failed, Timer hasn't been initialize! device ra0 is not a slave of br0 device ra1 is not a slave of br0 RX DESC a19c9000 size = 2048 <-- RTMPAllocTxRxRingMemory, Status=0 1. Phy Mode = 9 2. Phy Mode = 9 3. Phy Mode = 9 MCS Set = ff ff 00 00 01 Main bssid = XX:XX:XX:XX:XX:XX The UUID Hex string is:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx The UUID ASCII string is:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx! <==== RTMPInitialize, Status=0 0x1300 = 00064380 br0: port 1(eth0) entering forwarding state br0: topology change detected, propagating device ra0 entered promiscuous mode ra0: attempt to add interface with same source address. br0: port 2(ra0) entering learning state iptables: Bad rule (does a matching rule exist in that chain?) iptables: Bad rule (does a matching rule exist in that chain?) iptables: Bad rule (does a matching rule exist in that chain?) iptables v1.2.9: Couldn't find target `ping-death' Try `iptables -h' or 'iptables --help' for more information. iptables: Table does not exist (do you need to insmod?) iptables: Bad rule (does a matching rule exist in that chain?) iptables: Bad rule (does a matching rule exist in that chain?) iptables: Bad rule (does a matching rule exist in that chain?) iptables v1.2.9: Couldn't find target `AllIcmpFlood' Try `iptables -h' or 'iptables --help' for more information. iptables: Table does not exist (do you need to insmod?) br0: port 2(ra0) entering forwarding state br0: topology change detected, propagating Remote management is enabled! EZI for 8635-4v1000 Start (20080803) EZI for 8635-4v1000 Start (20080803) easyconf: sin_family success easyconf: s_addr success easyconf: sin_port success easyconf: bind socket success easyconf: Waiting for client to connect... Using /lib/ufsd.o ufsd: driver loaded UFSD version 6.12 (May 26 2008, 18:38:27) NTFS read/write support included Big endian platform $Id: ufsdvfs.c,v 1.154 2008/05/23 16:25:14 shura Exp $ ufsd: address 0xc01e8000 lan_ip is 192.168.1.2 installing mps devices... Bringup wan started for wan index 1 !! 3.3.0-432-V33T_SM +--------------------------------------+ | Linux/MIPS on DANUBE by Infineon COM AC BB_CPE | +--------------------------------------+ usb_hotplug.exe : no usb device attached Danube login: Created interface nas0 <---> WAN1 !! Plugin /usr/lib/pppd/2.4.2/rp. 2 C G

Telnet connection to original firmware

$ telnet 192.168.1.2 Trying 192.168.1.2... Connected to 192.168.1.2. Escape character is '^]'. Danube login: admin Password: BusyBox v1.00 (2008.11.12-10:14+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. # help Built-in commands: ------------------- . : break cd chdir continue eval exec exit export false hash help local pwd read readonly return set shift times trap true type ulimit umask unset wait # cat /proc/pci PCI devices found: Bus 0, device 14, function 0: Class 0280: PCI device 1814:0601 (rev 0). IRQ 22. Master Capable. Latency=128. Min Gnt=2.Max Lat=4. Non-prefetchable 32 bit memory at 0x18000000 [0x1800ffff]. # cat /proc/modules ufsd 607472 0 (unused) rt2860ap 1312000 2 # cat /proc/lspinfo/summary Board Name : Infineon Danube (MIPS 24Kec) Processor (big endian) Lsp Name : danube-mips-linux LSP Revision : 2.0.4.2 MVL Architecture : mips-linux # cat /proc/cpuinfo system type : DANUBE processor : 0 cpu model : unknown V4.1 BogoMIPS : 222.00 wait instruction : no microsecond timers : yes tlb_entries : 16 extra interrupt vector : yes hardware watchpoint : yes VCED exceptions : not available VCEI exceptions : not available # cat /proc/iomem 00000000-01efffff : System RAM 00002cc0-002162df : Kernel code 00237000-0054dfff : Kernel data 18000000-1800ffff : 00:0e.0 be101000-be140fff : dwc_otg_hcd # cat /proc/mtd dev: size erasesize name mtd0: 00010000 00002000 "U-Boot" mtd1: 003f0000 00010000 "rootfs,kernel,Data,Environment" # cat danube_cgu pll0 : N = 73, M = 7, K = 0 pll1 : N = 50, M = 6, K = 399 pll2 : N = 74, M = 8, INPUT DIV = 7 pll0_fosc = 333000000 pll0_fps(1) = 266400000 pll0_fps(2) = 222000000 pll0_fdiv = 41625000 pll1_fosc = 264289621 pll1_fps = 176193081 pll1_fdiv = 264289621 pll2_fosc = 294400000 pll2_fps(1) = 235520000 pll2_fps(2) = 261688889 mips0 clock = 333000000 mips1 clock = 333000000 cpu clock = 333000000 IO region = 166500000 FPI bus 1 = 166500000 FPI bus 2 = 83250000 PP32 clock = 261688889 PCI clock = 32711111 Ethernet MII0 = 24533333 Ethernet MII1 = 24533333 USB clock = 12000000 Clockout0 = 22024 Clockout1 = 43614815 Clockout2 = 24533333 Clockout3 = 11776000

Serial connection to original u-boot

U-Boot 1.1.5-LXDB (Sep 16 2008 - 00:52:08) DRAM: 32 MB relocate_code start relocate code finish. Flash: 4 MB In: serial Out: serial Err: serial Net: ethaddr=00:22:75:XX:XX:XX danube Switch Type "run flash_nfs" to mount root filesystem over NFS Hit any key to stop autoboot: 0 DANUBE # help ? - alias for 'help' askenv - get environment variables from stdin autoscr - run script from memory base - print or set address offset bdinfo - print Board Info structure bootm - boot application image from memory bootp - boot image via network using BootP/TFTP protocol cmp - memory compare cp - memory copy crc32 - checksum calculation echo - echo args to console erase - erase FLASH memory flinfo - print FLASH memory information go - start application at address 'addr' help - print online help loop - infinite loop on address range md - memory display mm - memory modify (auto-incrementing) mtest - simple RAM test mw - memory write (fill) nm - memory modify (constant address) printenv- print environment variables protect - enable or disable FLASH write protection rarpboot- boot image via network using RARP/TFTP protocol reset - Perform RESET of the CPU run - run commands in an environment variable saveenv - save environment variables to persistent storage setenv - set environment variables sleep - delay execution for some time tftpboot- boot image via network using TFTP protocol upgrade - forward/backward copy memory to pre-defined flash location version - print monitor version DANUBE # bdinfo boot_params = 0x81F9B3B0 memstart = 0x80000000 memsize = 0x02000000 flashstart = 0xB0000000 flashsize = 0x00400000 flashoffset = 0x00000000 ethaddr = 00:22:75:22:5E:24 ip_addr = 192.168.2.1 baudrate = 115200 bps DANUBE # flinfo Bank # 1: MXIC 29LV320AB (32 Mbit, boot sector SA0~SA7 size 8K bytes,other sec) Size: 4 MB in 71 Sectors Sector Start Addressesprintenv bootcmd=run flash_flash bootdelay=3 baudrate=115200 preboot=echo;echo Type "run flash_nfs" to mount root filesystem over NFS;echo mem=31M extra=0 mode=SHIP netdev=eth0 baudrate=115200 rootpath=/opt/nfs nfsargs=setenv bootargs root=/dev/nfs rw nfsroot=$(serverip):$(rootpath) ramargs=setenv bootargs root=/dev/ram rw addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):on addmisc=setenv bootargs $(bootargs) console=ttyS1,$(baudrate) ethaddr=$(ethaddr) mem=$(mem) panic=1 flash_nfs=run nfsargs addip addmisc;bootm $(kernel_addr) ramdisk_addr=B0100000 flash_self=run ramargs addip addmisc;bootm $(kernel_addr) $(ramdisk_addr) bootfile=uImage net_nfs=tftp 80500000 $(bootfile);run nfsargs addip addmisc;bootm u-boot=u-boot.ifx root_filesystem=rootfs.img load=tftp 80500000 $(u-boot) update=protect off 1:0-2;era 1:0-2;cp.b 80500000 B0000000 $(filesize) flashargs=setenv bootargs root=/dev/ram0 flash_flash=run flashargs addip addmisc; bootm $(kernel_addr) update_uboot=tftpboot 80400000 $(u-boot);upgrade uboot 80400000 $(filesize) 0 update_kernel=tftpboot 80400000 $(bootfile);upgrade kernel 80400000 $(filesize) 1 update_rootfs=tftpboot 80400000 $(root_filesystem);upgrade rootfs 80400000 $(filesize) 0 update_firmware=tftpboot 80400000 firmware.img;upgrade firmware 80400000 $(filesize) 0 reset_uboot_config=erase 0xB03F9000 0xB03F9BFF 1;erase $(f_rootfs_end) $(f_kernel_addr) 1 part0_begin=0xB0000000 part1_begin=0xB0010000 total_part=2 flash_end=0xB03FFFFF data_block0=uboot data_block1=rootfs data_block2=kernel data_block3=sysconfig data_block4=ubootconfig data_block5=voip data_block6=fwdiag data_block7=calibration total_db=8 f_uboot_addr=0xB0000000 f_uboot_size=0 f_firmware_addr=IFX_CFG_FLASH_FIRMWARE_IMAGE_START_ADDR f_firmware_size=IFX_CFG_FLASH_FIRMWARE_IMAGE_SIZE f_rootfs_addr=0xB0010000 f_rootfs_size=0 f_rootfs_end=0xB0010000 f_sysconfig_addr=0xB03F5000 f_sysconfig_size=0x4000 f_ubootconfig_addr=0xB03F9000 f_ubootconfig_size=0x0C00 f_fwdiag_addr=0xB03F9C00 f_fwdiag_size=0x0200 f_calibration_addr=0xB03F9E00 f_calibration_size=0x0200 f_voip_addr=0xB03FA000 f_voip_size=0x6000 ethact=danube Switch bootargs=root=/dev/ram0 ip=192.168.2.1:192.168.2.33::::eth0:on console=ttyS1,115200 ethaddr=08:01:11:11:11:11 mem=31M panic=1 filesize=3a3b51 fileaddr=80400000 ipaddr=192.168.2.1 serverip=192.168.2.33 ethaddr=00:22:75:XX:XX:XX sn=XXXXXXXXXXXXX country=UK f_kernel_size=0x003a7752 f_kernel_addr=0xb004d8a0 kernel_addr=0xb004d8a0 stdin=serial stdout=serial stderr=serial Environment size: 2537/3068 bytes

Binwalk output:

Scan Time: 2014-07-18 10:40:51 Signatures: 261 Target File: full_backup.bin MD5 Checksum: daaa22ca1626efb99c8925877f04a940 DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------------------------------- 10320 0x2850 U-Boot boot loader reference 11692 0x2DAC uImage header, header size: 64 bytes, header CRC: 0x12F761A7, created: Mon Sep 15 12:52:52 2008, image size: 42863 bytes, Data Address: 0xA0400000, Entry Point: 0xA0400000, data CRC: 0x3D7CB575, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image" 11724 0x2DCC U-Boot boot loader reference 11756 0x2DEC LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 129672 bytes 307488 0x4B120 uImage header, header size: 64 bytes, header CRC: 0x1DA21F53, created: Thu Sep 4 22:14:58 2008, image size: 3841671 bytes, Data Address: 0x80002000, Entry Point: 0x8021A040, data CRC: 0x735BE74B, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Linux-2.4.31-Danube-3.3.0-G]" 307552 0x4B160 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 5562368 bytes 309328 0x4B850 uImage header, header size: 64 bytes, header CRC: 0xB9BC2A63, created: Mon Sep 15 13:12:39 2008, image size: 3839832 bytes, Data Address: 0x80002000, Entry Point: 0x8021A040, data CRC: 0xE421B03, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Linux-2.4.31-Danube-3.3.0-G]" 309392 0x4B890 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 5562368 bytes 317600 0x4D8A0 uImage header, header size: 64 bytes, header CRC: 0x77A30A0A, created: Wed Nov 12 05:25:56 2008, image size: 3831550 bytes, Data Address: 0x80002000, Entry Point: 0x8021A040, data CRC: 0x6F26A17C, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Linux-2.4.31-Danube-3.3.0-G]" 317664 0x4D8E0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 5554176 bytes 4149256 0x3F5008 gzip compressed data, maximum compression, from Unix, last modified: Fri Dec 31 19:09:05 1999 4166395 0x3F92FB U-Boot boot loader reference Scan Time: 2014-07-18 10:40:53 Signatures: 261 Target File: _full_backup.bin.extracted/4D8E0 MD5 Checksum: 198deb0dbb3fb6dd3184c2c1e84714e1 DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------------------------------- 1986320 0x1E4F10 Linux kernel version "2.4.31-Danube-3.3.0-G0432V33T_SM (root@localhost.localdomain) (M (root@localhost.localdomain) (gcc version 3.3.6) #26 Wed Nov " 2064584 0x1F80C8 U-Boot boot loader reference 2133383 0x208D87 Copyright string: " 2006, Infineon Technologies AG" 2373747 0x243873 LZMA compressed data, properties: 0x40, dictionary size: 16777216 bytes, uncompressed size: 339937152 bytes 2492377 0x2607D9 LZMA compressed data, properties: 0x40, dictionary size: 8388608 bytes, uncompressed size: 32835 bytes 2496461 0x2617CD LZMA compressed data, properties: 0xC0, dictionary size: 8388608 bytes, uncompressed size: 61695 bytes 2515807 0x26635F LZMA compressed data, properties: 0x88, dictionary size: 16777216 bytes, uncompressed size: 411248256 bytes 2530883 0x269E43 LZMA compressed data, properties: 0x64, dictionary size: 33554432 bytes, uncompressed size: 50331648 bytes 2533807 0x26A9AF LZMA compressed data, properties: 0xB4, dictionary size: 16777216 bytes, uncompressed size: 675159168 bytes 2539520 0x26C000 gzip compressed data, maximum compression, has original file name: "ramdisk", from Unix, last modified: Wed Nov 12 05:20:56 2008 2539543 0x26C017 Squashfs filesystem, big endian, lzma compression, version 2.1, size: 3011685 bytes, 1550 inodes, blocksize: 65536 bytes, created: Wed Nov 12 05:20:56 2008 Scan Time: 2014-07-18 10:41:20 Signatures: 261 Target File: _full_backup.bin.extracted/_4D8E0.extracted/ramdisk MD5 Checksum: 58064b7d0d1ea84b6c83ae980bac9bb3 DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------------------------------- 0 0x0 Squashfs filesystem, big endian, lzma compression, version 2.1, size: 3011685 bytes, 1550 inodes, blocksize: 65536 bytes, created: Wed Nov 12 05:20:56 2008

toh/belkin/f5d8635-4v1_danube.txt · Last modified: 2014/07/27 00:23 by javitury