Belkin F7C027

The WeMo Case Belkin's WeMo SmartSwitch is a wifi-controlled 120V relay.

Supported Versions

Version/Model Launch Date S/N OpenWrt Version Supported Model Specific Notes
v1 - WiP -

Hardware Highlights

CPU Ram Flash Network USB Serial JTag
Ralink RT5350F 32MiB 16MiB RT2860 Wifi No Yes ?

Hardware

Info

CPU: Ralink RT5350F
RAM: Winbond W9825G6JH - The W9825G6JH is a 256M (32MB) SDRAM 
Flash: mx25L12835emi - 128Mbit (16MB) SPI Flash
Wi-Fi: Ralink RT2820

Serial port

Serials console baudrate is : 57600,8n1

Serial console is available on two test points:

TP2 - TX from board
TP3 - RX into board

5-pin header

1 White (GPIO13) - AC Relay control
2 Black - Gnd
3 Red - 5V
4 3.3V
5 GPIO14 - 0V off (default) 3.3V on

GPIOs

GPIO Inverted Purpose
7 Yes Blue status LED
9 Yes Blue power On/Off LED
10 Yes Top button
11 Yes Orange status LED
12 Yes Power On/Off button
13 No AC relay control
14 No Pin 5 of header

System Information

Status

Currently, a WeMo has been booted into OpenWrt, however, those changes have not yet been checked into the main tree.

Things look very promising: Wifi works, all of the buttons and LEDs work, and the AC relay control works.

Stock firmware images

At this time, the only way to work with a WeMo initially is to use the RS232 pads and load firmware using the stock OS. This is somewhat tricky, as after WeMo image WeMo_US_2.00.2176.PVT_SNS, the firmware requires a root password to log in over serial. On previous firmware versions, firmware can be loaded using wget and the stock 'fwupgrade' utility.

The stock firmware images are distributed in a standard 'sysupgrade' format with a 19-byte header prepended to the file, and then the entire thing is PGP encrypted for a Belkin-owned PGP key. Oddly, PGP is used to encrypt the file, but not to sign it, making it possible to build firmware images without the Belkin PGP key, but harder to read the belkin-distributed firmware upgrades.

Bootloader

The bootloader appears to be a modified U-Boot. It's built to allow the device to attempt a firmware upgrade, and then be able to fail back to the original firmware.

It does this by keeping two complete copies of the kernel and rootfs, and uses two environment variables to track the state during an upgrade. The first is "check_boot", set to 1 when the bootloader is first testing a new firmware image, and set to 0 on successful boot. The second is bootstate, which appears to be set to 0 or 2 in normal operation, or 1 or 3 in "let's try this new firmware once" mode. Values of 0 or 1 will boot from the first kernel, 2 or 3 will boot from the second.

This means that Openwrt can be loaded into the first kernel and rootfs partitions, and be consistently booted with bootstate=0 and check_boot=0. To recover, you can set bootstate=2, and go back to the stored (stock) firmware in the the alternate kernel and rootfs partitions.

The command 'bootm' has been modified, it is not working how it is intended. It is still trying to load stuff from flash. Loading and booting an openWrt over serial line is possible if you compile a cmdline into your kernel.

loadb 0x80000000
go 0x80000000

U-Boot environment

Note: The bootdelay is 1 seconds or less. You need to send bytes repeatedly while the device is booting to get uboot stop the normal boot procedure.


U-Boot 1.1.3 (Oct 14 2011 - 16:53:20)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81fb4000
spi_wait_nsec: 21
spi device id: c2 20 18 c2 20 (2018c220)
find flash: MX25L12805D
raspi_read: from:30000 len:1000
.raspi_read: from:30000 len:1000
.============================================
Ralink UBoot Version: 3.5.0.0
--------------------------------------------
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping
DRAM_TYPE: SDRAM
DRAM_SIZE: 256 Mbits
DRAM_WIDTH: 16 bits
DRAM_TOTAL_WIDTH: 16 bits
TOTAL_MEMORY_SIZE: 32 MBytes
Flash component: SPI Flash
Date:Oct 14 2011  Time:16:53:20
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384

 ##### The CPU freq = 360 MHZ ####
 estimate memory size =32 Mbytes
set GPIO 7, 9, 11, 13 to 1 Output
set GPIO 10, 12, 14 to 0 Iutput

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.

You choosed 3
                                                                                                                              0

3: System Boot system code via Flash.
Trying to boot from B...bootstate=[2]
Boot B addr_str=[0xBC7C0000]
## Booting image at bc7c0000 ...
raspi_read: from:7c0000 len:40
.   Image Name:   Linux Kernel Image
   Created:      2012-11-23  13:14:06 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    817143 Bytes = 798 kB
   Load Address: 80000000
   Entry Point:  80255000
raspi_read: from:7c0040 len:c77f7
.............   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80255000) ...
## Giving linux memsize in MB, 32

Starting kernel ...



RT5350 # help
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase SPI FLASH memory
flash_test - test flash status, argv => test_pattern_start test_pattern_end test_repeat
go      - start application at address 'addr'
help    - print online help
loadb   - load binary file over serial line (kermit mode)
md      - memory display
mdio   - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
mw      - memory write (fill)
nm      - memory modify (constant address)
printenv- print environment variables
reset   - Perform RESET of the CPU
rf      - read/write rf register
saveenv - save environment variables to persistent storage
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version

RT5350 # printenv
bootcmd=tftp
bootdelay=1
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off
addmisc=setenv bootargs $(bootargs) console=ttyS0,$(baudrate) ethaddr=$(ethaddr) panic=1
flash_self=run ramargs addip addmisc;bootm $(kernel_addr) $(ramdisk_addr)
kernel_addr=BFC40000
u-boot=u-boot.bin
load=tftp 8A100000 $(u-boot)
u_b=protect off 1:0-1;era 1:0-1;cp.b 8A100000 BC400000 $(filesize)
loadfs=tftp 8A100000 root.cramfs
u_fs=era bc540000 bc83ffff;cp.b 8A100000 BC540000 $(filesize)
test_tftp=tftp 8A100000 root.cramfs;run test_tftp
ethact=Eth0 (10/100-M)
ipaddr=192.168.2.1
serverip=192.168.2.10
bootfile=
autostart=no
bootargs=console=ttyS1,57600n8 root=/dev/mtdblock4
bootstate=2
check_boot=0
stdin=serial
stdout=serial
stderr=serial

Environment size: 865/4092 bytes
RT5350 # 

OEM Bootlog

  Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80255000) ...
## Giving linux memsize in MB, 32

Starting kernel ...


LINUX started...

 THIS IS ASIC
Linux version 2.6.21 (root@agnity-desktop) (gcc version 3.4.2) #53 Sun Nov 20 16:47:58 IST 2011

 The CPU feqenuce set to 360 MHz
CPU revision is: 0001964c
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock4
root_dev_setup: line=[/dev/mtdblock4]
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
cause = c0808040, status = 11000000
PID hash table entries: 128 (order: 7, 512 bytes)
calculating r4koff... 0015f900(1440000)
CPU frequency 360.00 MHz
Using 180.000 MHz high precision timer.
Console: colour dummy device 80x25
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 29888k/32768k available (2073k kernel code, 2880k reserved, 310k data, 108k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
deice id : c2 20 18 c2 20 (2018c220)
MX25L12805D(c2 2018c220) (16384 Kbytes)
mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 10 MTD partitions on "raspi":
0x00000000-0x00050000 : "uboot"
0x00050000-0x007c0000 : "A - Kernel and Rootfs"
0x00150000-0x007c0000 : "A - Rootfs"
0x007c0000-0x00f30000 : "B - Kernel and Rootfs"
0x008c0000-0x00f30000 : "B - Rootfs"
0x00fe0000-0x00ff0000 : "Nvram"
0x00ff0000-0x01000000 : "User_Factory"
0x00040000-0x00050000 : "Factory"
0x00f30000-0x00fd0000 : "Belkin_settings"
0x00030000-0x00040000 : "Uboot_env"
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (NAND) (C) 2001-2006 Red Hat, Inc.
io scheduler noop registered (default)
reg1_gpio_dir ori = [0x003FABFF]
 ################################################
 #                                              #
 #            SDK - PLUGIN_BOARD_DVT            #
 #                                              #
 ################################################
reg1_gpio_dir after 1 = [0x003FABFF]
reg1_gpio_dir after 2 = [0x003FABFF]
Ralink gpio driver initialized
Gemtek LED init...
################## Don't Restore to Factory Defaults ###################
Serial: 8250/16550 driver $Revision: 1.7 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A
serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A
loop: loaded (max 8 devices)
rdm_major = 254
MAC_ADRH -- : 0x00000000
MAC_ADRL -- : 0x00000000
Ralink APSoC Ethernet Driver Initilization. v2.0  256 rx/tx descriptors allocated, mtu = 1500!
MAC_ADRH -- : 0x0000000c
MAC_ADRL -- : 0x43535077
PROC INIT OK!
block2mtd: version $Revision: 1.1.1.1 $
nf_conntrack version 0.5.0 (256 buckets, 2048 max)
IPv4 over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
tunl0: Disabled Privacy Extensions
Mobile IPv6
IPv6 over IPv4 tunneling driver
sit0: Disabled Privacy Extensions
NET: Registered protocol family 17
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
saved_root_name is [/dev/mtdblock4]
root_device_name is [/dev/mtdblock4]
name is [/dev/root]
fs_names is [squashfs]
fs_names p is [squashfs], flags is 0x8001
VFS: [/dev/root] Mounted root (squashfs filesystem) readonly.
mount_fail 0 is 0
Freeing unused kernel memory: 108k freed

phy_tx_ring = 0x01372000, tx_ring = 0xa1372000

phy_rx_ring0 = 0x01373000, rx_ring0 = 0xa1373000
RT305x_ESW: Link Status Changed


BusyBox v1.1.0 (2012.11.23-13:09+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# #sysinit: [sysinGTK LED Status: GMTK_SYSTEM_BOOT
it]
insmod: reset_btn.ko: no module by that name found
Done
# update nvram with default list!
##############################################
#               Check EEPROM                 #
##############################################
Reading 4096 bytes......success
Reading 4096 bytes......success
08, 86, 3B, C7, 16, 78,
50-50, 53-53, 00-00, 01-01, 08-08, 86-86, 3B-3B, C7-C7, 16-16, 78-78,
# interfaces_init......
can't get info
can't get info
switch reg write offset=14, value=405555
switch reg write offset=50, value=2001
switch reg write offset=98, value=7f3f
switch reg write offset=40, value=1001
switch reg write offset=44, value=1001
switch reg write offset=48, value=1002
switch reg write offset=70, value=ffff506f
can't get info
can't get info
can't get info
########### WeMo ra0 configuration ##########
Setting ra0 configuration....
Bring up ra0 interface....
rt2860v2_ap: module license 'unspecified' taints kernel.


=== pAd = c009b000, size = 635240 ===

<-- RTMPAllocAdapterBlock, Status=0
RX DESC a1d92000  size = 2048
<-- RTMPAllocTxRxRingMemory, Status=0
RTMP_TimerListAdd: add timer obj c0106b58!
RTMP_TimerListAdd: add timer obj c00a3004!
RTMP_TimerListAdd: add timer obj c00a2bd4!
RTMP_TimerListAdd: add timer obj c00a2fb0!
RTMP_TimerListAdd: add timer obj c00a2fd8!
RTMP_TimerListAdd: add timer obj c00a3230!
RTMP_TimerListAdd: add timer obj c00d394c!
RTMP_TimerListAdd: add timer obj c00d351c!
RTMP_TimerListAdd: add timer obj c00d38f8!
RTMP_TimerListAdd: add timer obj c00d3920!
RTMP_TimerListAdd: add timer obj c00d3978!
RTMP_TimerListAdd: add timer obj c00d39a4!
RTMP_TimerListAdd: add timer obj c00d39d0!
RTMP_TimerListAdd: add timer obj c0107078!
RTMP_TimerListAdd: add timer obj c0107050!
RTMP_TimerListAdd: add timer obj c0107028!
RTMP_TimerListAdd: add timer obj c00dc8d4!
RTMP_TimerListAdd: add timer obj c00dc9d8!
RTMP_TimerListAdd: add timer obj c00dc8fc!
RTMP_TimerListAdd: add timer obj c00d3eb4!
RTMP_TimerListAdd: add timer obj c00a0488!
RTMP_TimerListAdd: add timer obj c00d3bd0!
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
1. Phy Mode = 9
2. Phy Mode = 9
3. Phy Mode = 9
RTMPSetPhyMode: channel is out of range, use first channel=0
MCS Set = ff 00 00 00 01
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
RTMP_TimerListAdd: add timer obj c00d41f4!
Main bssid = 08:86:3b:c7:16:78
<==== rt28xx_init, Status=0
0x1300 = 00064380
bridge br0 doesn't exist!
No need to change ra0 to Nintendo NDS capable
No need to change ra0 to Nintendo NDS capable...Complete
ra0       mac:
[0x00001300]:00063330
ra0       mac:
[0x00001304]:000a3700
killall: rt2860apd: no process killed
/bin/sh: rt2860apd: not found
can't get info
killall : No such file or directory
WPS BUTTON press!!
killall: wscd: no process killed
ra0       mac:
[0x0000102c]:0f031e46
can't get macaddr of ra1
vlan1: Setting MAC address to  08 86 3b c7 16 78.
device eth2 entered promiscuous mode
VLAN (vlan1):  Setting underlying device (eth2) to promiscious mode.
vlan1: dev_set_promiscuity(master, 1)
device vlan1 entered promiscuous mode
device ra0 entered promiscuous mode
never heard of command [sethello]
commands:
        addbr           <bridge>                add bridge
        addbr0: port 2(ra0) entering listening state
if              <bridge> <debr0: port 1(vlan1) entering listening state
vice>   add interface to bridge
        delbr           <bridge>                delete bridge
        delif           <bridge> <device>       delete interface from bridge
        show                                    show a list of bridges
        showbr          <bridge>                show bridge info
        showmacs        <bridge>                show a list of mac addrs

        setfd           <bridge> <time>         set bridge forward delay
        stp             <bridge> <state>        {dis,en}able stp
never heard of command [setageing]
commands:
        addbr           <bridge>                add bridge
        addif           <bridge> <device>       add interface to bridge
        delbr           <bridge>                delete bridge
        delif           <bridge> <device>       delete interface from bridge
        show                                    show a list of bridges
        showbr          <bridge>                show bridge info
        showmacs        <bridge>                show a list of mac addrs

        setfd           <bridge> <time>         set bridge forward delay
        stp             <bridge> <state>        {dis,en}able stp
# lan services init......
can't get info
can't get info
/bin/sh: httpd: not found
Start UPnP
can't get info
/usr/sbin/upnp: No such file or directory
route: resolving gw
route: resolving gw
route: resolving gw
route: resolving gw
route: resolving gw
can't get info
killall : No such file or directory
killall: wscd: no process killed
(2427)Service enable wireless
/bin/sh: self-healing: not found
/bin/sh: easyconf: not found
can't get info
(easytest.c->main(1109)) Start easytest 20060525
(easytest.c->main(1114)) lan_ip is 10.22.22.1
(easytest.c->main(1116)) mcast_ip is 234.2.2.9
(easytest.c->main(1118)) mcast_port is 14675
(easytest.c->main(1200)) Waiting product test packet...

# wan_init......
Set country code to us!!!
SIOCSIFHWADDR: Device or resource busy
/bin/sh: if_traffic: not found
/bin/shGTK LED Status: GMTK_SYSTEM_READY
: lld2d: not found
Get_bootstate_to_nvram...
Reading 4096 bytes......success
Uboot CRC is BAE4434C, Uboot env CRC is BAE4434C
Get_bootstate_to_nvram : bootstate is [2]
Executing script "/etc/Belkin_startup.sh"...
killall: psmon: no process killed
killall: wan_connect: no process killed
killall: ledctrl: no process killed
killall: udhcpc: no process killed
/bin/sh: dropbearkey: not found
/bin/sh: dropbearkey: not found
/bin/sh: dropbear: not found
GetBelkinParameter -  ParameterName = PVT_LOG_ENABLE
PVT_LOG_ENABLE:
SetBelkinParameter - ParameterName = Belkin_daemon_success , ParameterValue = 1
gemtek_api: *Status=[0], reboot_status_last=[0], *UTC_Seconds=[0]
EnableSoftWatchDog, second = 300
killall: watchdog: no process killed
remove softdog...
close_softdog: cannot open /dev/watchdog
rmmod: softdog: No such file or directory
SetBelkinParameter - ParameterName = settime_sec , ParameterValue =
GetBelkinParameter -  ParameterName = home_id
GetBelkinParameter -  ParameterName = SmartDeviceId
GetBelkinParameter -  ParameterName = SmartPrivatekey
...

GPL source code

Buildable source code is available at http://www.belkin.com/support/opensource/

Tags

Back to top

toh/belkin/f7c027.txt · Last modified: 2014/03/19 00:42 (external edit)