User Tools

Site Tools


toh:belkin:f7c027

Belkin F7C027

The WeMo Case

Belkin's WeMo SmartSwitch is a wifi-controlled 120V relay.

Supported Versions

Version/Model Launch Date S/N OpenWrt Version Supported Model Specific Notes
v1 - WiP -

Hardware Highlights

CPU Ram Flash Network USB Serial JTag
Ralink RT5350F 32MiB 16MiB RT2860 Wifi No Yes ?

Hardware

Info

CPU: Ralink RT5350F
RAM: Winbond W9825G6JH - The W9825G6JH is a 256M (32MB) SDRAM
Flash: mx25L12835emi - 128Mbit (16MB) SPI Flash
Wi-Fi: Ralink RT2820

Serial port

Serials console parameters: 57600,8n1

Serial console is available on two test points:

TP2 - TX from board
TP3 - RX into board

5-pin header

1 White (GPIO13) - AC Relay control
2 Black - Gnd
3 Red - 5V
4 3.3V
5 GPIO14 - 0V off (default) 3.3V on

GPIOs

GPIO Inverted Purpose
7 Yes Blue status LED
9 Yes Blue power On/Off LED
10 Yes Top button
11 Yes Orange status LED
12 Yes Power On/Off button
13 No AC relay control
14 No Pin 5 of header

System Information

Status

Currently, a WeMo has been booted into OpenWrt, however, those changes have not yet been checked into the main tree.

Things look very promising: Wifi works, all of the buttons and LEDs work, and the AC relay control works.

Stock firmware images

At this time, the only way to work with a WeMo initially is to use the RS232 pads and load firmware using the stock OS. This is somewhat tricky, as after WeMo image WeMo_US_2.00.2176.PVT_SNS, the firmware requires a root password to log in over serial. On previous firmware versions, firmware can be loaded using wget and the stock 'fwupgrade' utility.

The stock firmware images are distributed in a standard 'sysupgrade' format with a 19-byte header prepended to the file, and then the entire thing is PGP encrypted for a Belkin-owned PGP key. Oddly, PGP is used to encrypt the file, but not to sign it, making it possible to build firmware images without the Belkin PGP key, but harder to read the belkin-distributed firmware upgrades.

Bootloader

The bootloader appears to be a modified U-Boot. It's built to allow the device to attempt a firmware upgrade, and then be able to fail back to the original firmware.

It does this by keeping two complete copies of the kernel and rootfs, and uses two environment variables to track the state during an upgrade. The first is "check_boot", set to 1 when the bootloader is first testing a new firmware image, and set to 0 on successful boot. The second is bootstate, which appears to be set to 0 or 2 in normal operation, or 1 or 3 in "let's try this new firmware once" mode. Values of 0 or 1 will boot from the first kernel, 2 or 3 will boot from the second.

This means that Openwrt can be loaded into the first kernel and rootfs partitions, and be consistently booted with bootstate=0 and check_boot=0. To recover, you can set bootstate=2, and go back to the stored (stock) firmware in the the alternate kernel and rootfs partitions.

The command 'bootm' has been modified, it is not working how it is intended. It is still trying to load stuff from flash. Loading and booting an openWrt over serial line is possible if you compile a cmdline into your kernel. Baudrate is apparently hardcoded and 'setenv baudrate 115200' does not work, it stays at 56700.

loadb 0x80000000
go 0x80000000

U-Boot environment

Note: The bootdelay is 1 seconds or less. You need to send bytes repeatedly while the device is booting to get uboot stop the normal boot procedure.

U-Boot 1.1.3 (Oct 14 2011 - 16:53:20)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81fb4000
spi_wait_nsec: 21
spi device id: c2 20 18 c2 20 (2018c220)
find flash: MX25L12805D
raspi_read: from:30000 len:1000
.raspi_read: from:30000 len:1000
.============================================
Ralink UBoot Version: 3.5.0.0
--------------------------------------------
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping
DRAM_TYPE: SDRAM
DRAM_SIZE: 256 Mbits
DRAM_WIDTH: 16 bits
DRAM_TOTAL_WIDTH: 16 bits
TOTAL_MEMORY_SIZE: 32 MBytes
Flash component: SPI Flash
Date:Oct 14 2011  Time:16:53:20
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384

 ##### The CPU freq = 360 MHZ ####
 estimate memory size =32 Mbytes
set GPIO 7, 9, 11, 13 to 1 Output
set GPIO 10, 12, 14 to 0 Iutput

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.

You choosed 3
                                                                                                                              0

3: System Boot system code via Flash.
Trying to boot from B...bootstate=[2]
Boot B addr_str=[0xBC7C0000]
## Booting image at bc7c0000 ...
raspi_read: from:7c0000 len:40
.   Image Name:   Linux Kernel Image
   Created:      2012-11-23  13:14:06 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    817143 Bytes = 798 kB
   Load Address: 80000000
   Entry Point:  80255000
raspi_read: from:7c0040 len:c77f7
.............   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80255000) ...
## Giving linux memsize in MB, 32

Starting kernel ...


RT5350 # help
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase SPI FLASH memory
flash_test - test flash status, argv => test_pattern_start test_pattern_end test_repeat
go      - start application at address 'addr'
help    - print online help
loadb   - load binary file over serial line (kermit mode)
md      - memory display
mdio   - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
mw      - memory write (fill)
nm      - memory modify (constant address)
printenv- print environment variables
reset   - Perform RESET of the CPU
rf      - read/write rf register
saveenv - save environment variables to persistent storage
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version

RT5350 # printenv
bootcmd=tftp
bootdelay=1
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off
addmisc=setenv bootargs $(bootargs) console=ttyS0,$(baudrate) ethaddr=$(ethaddr) panic=1
flash_self=run ramargs addip addmisc;bootm $(kernel_addr) $(ramdisk_addr)
kernel_addr=BFC40000
u-boot=u-boot.bin
load=tftp 8A100000 $(u-boot)
u_b=protect off 1:0-1;era 1:0-1;cp.b 8A100000 BC400000 $(filesize)
loadfs=tftp 8A100000 root.cramfs
u_fs=era bc540000 bc83ffff;cp.b 8A100000 BC540000 $(filesize)
test_tftp=tftp 8A100000 root.cramfs;run test_tftp
ethact=Eth0 (10/100-M)
ipaddr=192.168.2.1
serverip=192.168.2.10
bootfile=
autostart=no
bootargs=console=ttyS1,57600n8 root=/dev/mtdblock4
bootstate=2
check_boot=0
stdin=serial
stdout=serial
stderr=serial

Environment size: 865/4092 bytes
RT5350 # 

OEM Bootlog

Uncompressing Kernel Image ... OK No initrd ## Transferring control to Linux (at address 80255000) ... ## Giving linux memsize in MB, 32 Starting kernel ... LINUX started... THIS IS ASIC Linux version 2.6.21 (root@agnity-desktop) (gcc version 3.4.2) #53 Sun Nov 20 16:47:58 IST 2011 The CPU feqenuce set to 360 MHz CPU revision is: 0001964c Determined physical RAM map: memory: 02000000 @ 00000000 (usable) Built 1 zonelists. Total pages: 8128 Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock4 root_dev_setup: line=[/dev/mtdblock4] Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes. Primary data cache 16kB, 4-way, linesize 32 bytes. Synthesized TLB refill handler (20 instructions). Synthesized TLB load handler fastpath (32 instructions). Synthesized TLB store handler fastpath (32 instructions). Synthesized TLB modify handler fastpath (31 instructions). Cache parity protection disabled cause = c0808040, status = 11000000 PID hash table entries: 128 (order: 7, 512 bytes) calculating r4koff... 0015f900(1440000) CPU frequency 360.00 MHz Using 180.000 MHz high precision timer. Console: colour dummy device 80x25 Dentry cache hash table entries: 4096 (order: 2, 16384 bytes) Inode-cache hash table entries: 2048 (order: 1, 8192 bytes) Memory: 29888k/32768k available (2073k kernel code, 2880k reserved, 310k data, 108k init, 0k highmem) Mount-cache hash table entries: 512 NET: Registered protocol family 16 NET: Registered protocol family 2 Time: MIPS clocksource has been installed. IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 1024 (order: 1, 8192 bytes) TCP bind hash table entries: 1024 (order: 0, 4096 bytes) TCP: Hash tables configured (established 1024 bind 1024) TCP reno registered deice id : c2 20 18 c2 20 (2018c220) MX25L12805D(c2 2018c220) (16384 Kbytes) mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0 Creating 10 MTD partitions on "raspi": 0x00000000-0x00050000 : "uboot" 0x00050000-0x007c0000 : "A - Kernel and Rootfs" 0x00150000-0x007c0000 : "A - Rootfs" 0x007c0000-0x00f30000 : "B - Kernel and Rootfs" 0x008c0000-0x00f30000 : "B - Rootfs" 0x00fe0000-0x00ff0000 : "Nvram" 0x00ff0000-0x01000000 : "User_Factory" 0x00040000-0x00050000 : "Factory" 0x00f30000-0x00fd0000 : "Belkin_settings" 0x00030000-0x00040000 : "Uboot_env" squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher squashfs: LZMA suppport for slax.org by jro JFFS2 version 2.2. (NAND) (C) 2001-2006 Red Hat, Inc. io scheduler noop registered (default) reg1_gpio_dir ori = [0x003FABFF] ################################################ # # # SDK - PLUGIN_BOARD_DVT # # # ################################################ reg1_gpio_dir after 1 = [0x003FABFF] reg1_gpio_dir after 2 = [0x003FABFF] Ralink gpio driver initialized Gemtek LED init... ################## Don't Restore to Factory Defaults ################### Serial: 8250/16550 driver $Revision: 1.7 $ 2 ports, IRQ sharing disabled serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A loop: loaded (max 8 devices) rdm_major = 254 MAC_ADRH -- : 0x00000000 MAC_ADRL -- : 0x00000000 Ralink APSoC Ethernet Driver Initilization. v2.0 256 rx/tx descriptors allocated, mtu = 1500! MAC_ADRH -- : 0x0000000c MAC_ADRL -- : 0x43535077 PROC INIT OK! block2mtd: version $Revision: 1.1.1.1 $ nf_conntrack version 0.5.0 (256 buckets, 2048 max) IPv4 over IPv4 tunneling driver ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone TCP cubic registered NET: Registered protocol family 1 NET: Registered protocol family 10 lo: Disabled Privacy Extensions tunl0: Disabled Privacy Extensions Mobile IPv6 IPv6 over IPv4 tunneling driver sit0: Disabled Privacy Extensions NET: Registered protocol family 17 Bridge firewalling registered 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com> All bugs added by David S. Miller <davem@redhat.com> saved_root_name is [/dev/mtdblock4] root_device_name is [/dev/mtdblock4] name is [/dev/root] fs_names is [squashfs] fs_names p is [squashfs], flags is 0x8001 VFS: [/dev/root] Mounted root (squashfs filesystem) readonly. mount_fail 0 is 0 Freeing unused kernel memory: 108k freed phy_tx_ring = 0x01372000, tx_ring = 0xa1372000 phy_rx_ring0 = 0x01373000, rx_ring0 = 0xa1373000 RT305x_ESW: Link Status Changed BusyBox v1.1.0 (2012.11.23-13:09+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. # #sysinit: [sysinGTK LED Status: GMTK_SYSTEM_BOOT it] insmod: reset_btn.ko: no module by that name found Done # update nvram with default list! ############################################## # Check EEPROM # ############################################## Reading 4096 bytes......success Reading 4096 bytes......success 08, 86, 3B, C7, 16, 78, 50-50, 53-53, 00-00, 01-01, 08-08, 86-86, 3B-3B, C7-C7, 16-16, 78-78, # interfaces_init...... can't get info can't get info switch reg write offset=14, value=405555 switch reg write offset=50, value=2001 switch reg write offset=98, value=7f3f switch reg write offset=40, value=1001 switch reg write offset=44, value=1001 switch reg write offset=48, value=1002 switch reg write offset=70, value=ffff506f can't get info can't get info can't get info ########### WeMo ra0 configuration ########## Setting ra0 configuration.... Bring up ra0 interface.... rt2860v2_ap: module license 'unspecified' taints kernel. === pAd = c009b000, size = 635240 === <-- RTMPAllocAdapterBlock, Status=0 RX DESC a1d92000 size = 2048 <-- RTMPAllocTxRxRingMemory, Status=0 RTMP_TimerListAdd: add timer obj c0106b58! RTMP_TimerListAdd: add timer obj c00a3004! RTMP_TimerListAdd: add timer obj c00a2bd4! RTMP_TimerListAdd: add timer obj c00a2fb0! RTMP_TimerListAdd: add timer obj c00a2fd8! RTMP_TimerListAdd: add timer obj c00a3230! RTMP_TimerListAdd: add timer obj c00d394c! RTMP_TimerListAdd: add timer obj c00d351c! RTMP_TimerListAdd: add timer obj c00d38f8! RTMP_TimerListAdd: add timer obj c00d3920! RTMP_TimerListAdd: add timer obj c00d3978! RTMP_TimerListAdd: add timer obj c00d39a4! RTMP_TimerListAdd: add timer obj c00d39d0! RTMP_TimerListAdd: add timer obj c0107078! RTMP_TimerListAdd: add timer obj c0107050! RTMP_TimerListAdd: add timer obj c0107028! RTMP_TimerListAdd: add timer obj c00dc8d4! RTMP_TimerListAdd: add timer obj c00dc9d8! RTMP_TimerListAdd: add timer obj c00dc8fc! RTMP_TimerListAdd: add timer obj c00d3eb4! RTMP_TimerListAdd: add timer obj c00a0488! RTMP_TimerListAdd: add timer obj c00d3bd0! Key1Str is Invalid key length(0) or Type(0) Key2Str is Invalid key length(0) or Type(0) Key3Str is Invalid key length(0) or Type(0) Key4Str is Invalid key length(0) or Type(0) 1. Phy Mode = 9 2. Phy Mode = 9 3. Phy Mode = 9 RTMPSetPhyMode: channel is out of range, use first channel=0 MCS Set = ff 00 00 00 01 SYNC - BBP R4 to 20MHz.l SYNC - BBP R4 to 20MHz.l SYNC - BBP R4 to 20MHz.l SYNC - BBP R4 to 20MHz.l SYNC - BBP R4 to 20MHz.l SYNC - BBP R4 to 20MHz.l SYNC - BBP R4 to 20MHz.l SYNC - BBP R4 to 20MHz.l SYNC - BBP R4 to 20MHz.l SYNC - BBP R4 to 20MHz.l SYNC - BBP R4 to 20MHz.l SYNC - BBP R4 to 20MHz.l RTMP_TimerListAdd: add timer obj c00d41f4! Main bssid = 08:86:3b:c7:16:78 <==== rt28xx_init, Status=0 0x1300 = 00064380 bridge br0 doesn't exist! No need to change ra0 to Nintendo NDS capable No need to change ra0 to Nintendo NDS capable...Complete ra0 mac: [0x00001300]:00063330 ra0 mac: [0x00001304]:000a3700 killall: rt2860apd: no process killed /bin/sh: rt2860apd: not found can't get info killall : No such file or directory WPS BUTTON press!! killall: wscd: no process killed ra0 mac: [0x0000102c]:0f031e46 can't get macaddr of ra1 vlan1: Setting MAC address to 08 86 3b c7 16 78. device eth2 entered promiscuous mode VLAN (vlan1): Setting underlying device (eth2) to promiscious mode. vlan1: dev_set_promiscuity(master, 1) device vlan1 entered promiscuous mode device ra0 entered promiscuous mode never heard of command [sethello] commands: addbr <bridge> add bridge addbr0: port 2(ra0) entering listening state if <bridge> <debr0: port 1(vlan1) entering listening state vice> add interface to bridge delbr <bridge> delete bridge delif <bridge> <device> delete interface from bridge show show a list of bridges showbr <bridge> show bridge info showmacs <bridge> show a list of mac addrs setfd <bridge> <time> set bridge forward delay stp <bridge> <state> {dis,en}able stp never heard of command [setageing] commands: addbr <bridge> add bridge addif <bridge> <device> add interface to bridge delbr <bridge> delete bridge delif <bridge> <device> delete interface from bridge show show a list of bridges showbr <bridge> show bridge info showmacs <bridge> show a list of mac addrs setfd <bridge> <time> set bridge forward delay stp <bridge> <state> {dis,en}able stp # lan services init...... can't get info can't get info /bin/sh: httpd: not found Start UPnP can't get info /usr/sbin/upnp: No such file or directory route: resolving gw route: resolving gw route: resolving gw route: resolving gw route: resolving gw can't get info killall : No such file or directory killall: wscd: no process killed (2427)Service enable wireless /bin/sh: self-healing: not found /bin/sh: easyconf: not found can't get info (easytest.c->main(1109)) Start easytest 20060525 (easytest.c->main(1114)) lan_ip is 10.22.22.1 (easytest.c->main(1116)) mcast_ip is 234.2.2.9 (easytest.c->main(1118)) mcast_port is 14675 (easytest.c->main(1200)) Waiting product test packet... # wan_init...... Set country code to us!!! SIOCSIFHWADDR: Device or resource busy /bin/sh: if_traffic: not found /bin/shGTK LED Status: GMTK_SYSTEM_READY : lld2d: not found Get_bootstate_to_nvram... Reading 4096 bytes......success Uboot CRC is BAE4434C, Uboot env CRC is BAE4434C Get_bootstate_to_nvram : bootstate is [2] Executing script "/etc/Belkin_startup.sh"... killall: psmon: no process killed killall: wan_connect: no process killed killall: ledctrl: no process killed killall: udhcpc: no process killed /bin/sh: dropbearkey: not found /bin/sh: dropbearkey: not found /bin/sh: dropbear: not found GetBelkinParameter - ParameterName = PVT_LOG_ENABLE PVT_LOG_ENABLE: SetBelkinParameter - ParameterName = Belkin_daemon_success , ParameterValue = 1 gemtek_api: *Status=[0], reboot_status_last=[0], *UTC_Seconds=[0] EnableSoftWatchDog, second = 300 killall: watchdog: no process killed remove softdog... close_softdog: cannot open /dev/watchdog rmmod: softdog: No such file or directory SetBelkinParameter - ParameterName = settime_sec , ParameterValue = GetBelkinParameter - ParameterName = home_id GetBelkinParameter - ParameterName = SmartDeviceId GetBelkinParameter - ParameterName = SmartPrivatekey ...

GPL source code

Buildable source code is available at http://www.belkin.com/support/opensource/

Tags

toh/belkin/f7c027.txt · Last modified: 2015/10/31 10:01 by tmomas