User Tools

Site Tools


toh:linksys:wag160n

Linksys WAG160N

The WAG160N is not officially supported but images are available for WAG160N v1 (without DSL support).

Barrier Breaker: https://forum.openwrt.org/viewtopic.php?id=50852

The Linksys WAG160N is an ADSL gateway with wireless acccess point integrated.

The source code tarball is available from the Linksys GPL Code Center:
WAG160N 1.00.15 Annex A
WAG160N 1.00.15 Annex B

Supported Versions

Version/Model wifi Supported
WAG160Nv1 AR5416 WIP
WAG160Nv2 AR9223 WIP

Hardware

Info v1

Architecture: MIPS
Vendor: Broadcom
Bootloader: CFE
Board Id: 96358GW
System-On-Chip: Broadcom BCM6358SKFBG
CPU/Speed BMIPS4350 V1.0 / 300 Mhz BMIPS Dual Core
Flash-Chip: MX29LV320AB
Flash size: 4MB
RAM-Chip: EtronTech EM6AA160TS-5G / DDR-400
RAM size: 32MB
Wireless: Atheros AR5416
Ethernet: Broadcom BCM5325 w/ vlan support swconfig
USB: No
Serial: Yes
JTAG: ?

v2 Hardware

The PCB is a bit redesigned. Most noticeable points are the presence of an actual power button (top left in photos), and that J10 is labeled (anyway, I've not been able to get anything from there neither with 115200 8N1 nor with other speeds). There is also a plastic sheet covering the bottom of the PCB, maybe to help heat dissipation.

Not so noticeable is the fact that the LED corresponding to port1 is doubled, being similar to the power led. Also the wireless seems different, as chip is labelled as AR9223-AC1A.

Tftp upload of firmware seems not straightforward. According to information found on the linksys forums, requires the "password enabled" tftp utility from linksys.

See this page for details and pictures of the WAG160Nv2.

LEDs & Buttons

LED Color GPIO
Internet green 0
Internet red 1
Power red 3
Power green 4
DSL green 28
WPS green 36
Wireless green 37


Button GPIO
WPS 34

Opening the case

Remove the four screws on the base of the case. The case is then secured by one small and one large gray clip (from rear to front) on each side of the case. At the front of the case, there are two large black clips.

Prise the top of the router from the bottom using a small screwdriver - I found this easier by starting at the front. It's not a nice process!

Even if all of the gray clips are broken or removed, the case is perfectly adequately sealed using only the front black clips and the four screws. This also makes the case far easier to open. I found this easiest to do by working around the case from the back with a medium-sized screwdriver, being careful not to be upsetting the antennas and wires which are located around the edges of the case. Once the top has been removed, using pliers, the broken or remaining gray clips can be tidied up by twisting off what remains of them.

Photos

Top of PCB Bottom of PCB (JTAG encircled)
wag160n_top.jpg wag160n_bottom.jpg

Serial

Serial console can be attached to J10 which is located at the bottom right of the board (when looking at the unit from the front). On my unit; the J10 label was obscured by a sticky pad.

Serial Port (J10)
wag160n_j10.jpg

There is no connector soldered to the board. If you want to add one, it needs to be of pitch 2.5mm.

Legend (in arrow direction):
1  GND
2  Tx
3  VCC (3,3V)
4  RX
The settings for the serial console are "115200 bauds, 8 bits, no parity, 1 stop bit (115200 8N1)", with hardware and software flow control both disabled.

NOTE: You cannot plug directly those pins to your pc serial port. You need a RS232-TTL level adapter (or just set the jumper on your USB→Serial-converter to 3.3V if it provides that option). See serial_console

Flashing - Only v1!

Read on if you're sure you have the WAG160N V1. You can get the firmware here - Barrier Breaker, r40862.

You can find an older version from Virus here: here - Attitude Adjustment, r34073.

You may find more information on the related wag160n_v1 forum thread.

Activating the flash mode

To activate the flash mode you need to stop the boot. You have two solutions :

1. Staple method

When you power the modem, you have 1s to activate the Recovery Mode. The trick is to rub a stapple or a wire between the pin 4 (in red) and the pin 1 (in orange) while booting. Do not solder anything, the goal is not to generate a clean signal but to generate noise !

The easiest way is to hold the stapple between pin 1 and 4 (do not shortcut pin 1 and 3) and to rub it slightly when it boots. It should activate the recovery mode almost everytime. If it doesn't work you can also rub the stapple between pin 4 (in red) and pin 3 (+3.3V, next to pin 4). If you succeed, the power LED goes off and the Ethernet LED should be blinking. If the power LED is still on 5s after you plugged the router, it failed. Just unplug the modem and try again. If the ethernet light is off verify you plugged the ethernet cable properly.

2. Serial port method

You can also solder a LVTTL adapter to the board to use the serial port. You can use minicom, putty or hyperterminal for this part. You need to connect with the following parameters: 115200 bauds, 8 bits, no parity, 1 stop bit (115200 8N1), with hardware and software flow control both disabled.

Plug the modem, when the following message is displayed:

*** Press any key to stop auto run (1 seconds) *** 
Push any key. It will stop the boot. Then you have two methods to flash the firmware:

Flashing the firmware

To flash the firmware you can use the CFE Web Interface (easier). If you used the staple method this is the only solution. If you are connected to serial, you can also use a TFTP server.

1. CFE Web Interface

Assign 192.168.1.2 to your computer with a subnet mask of 255.255.255.0. Go to 192.168.1.1 with your browser and upload the firmware through the "Update Software" web interface. The router will reboot by itself after 30s and you're done.

2. TFTP Method: (only if you used serial connection) Setup a tftpd server e.g.

sudo apt-get install tftpd-hpa tftp
make sure it works by putting some file in /var/lib/tftpboot e.g.
sudo sh -c 'echo "hello" > /var/lib/tftpboot/test'

tftp localhost
get test
if you get sth. like
Received 7 bytes in 0.0 seconds
*thumbsup*

Copy your downloaded/built openwrt image to to /var/lib/tftpboot.

sudo cp openwrt-WAG160Nv1-squashfs-cfe-attitude-adjustment-beta-2.bin /var/lib/tftpboot/bcm963xx_fs_kernel
File name needs to be bcm963xx_fs_kernel because that's what the wag160n CFE expects.

Connect to your router with an ethernet cable. Assign 192.168.1.100 to your computer with a subnet mask of 255.255.255.0 - because that's what the wag160n will try pull the boot image from (192.168.1.100 as gateway).

If you followed the activated the flash mode by serial port, the following message should be displayed in your terminal:

CFE> 
*nice*

Make sure again that your router is a WAG160N V1

Press f

The flash should begin:

Loading 192.168.1.100:bcm963xx_fs_kernel ...                                    
Finished loading 2752516 bytes

Flashing root file system and kernel at 0xbfc10000: ............................
                                                                                                                                                              
*** Image flash done *** !                                                      
Resetting board...

*done*

JTAG

JTAG Port (J1)
wag160n_j1.jpg

Bootlogs

OEM bootlog

CFE version 1.0.37-5.4 for BCM96358 (32bit,SP,BE) Build Date: 四 1月 10 19:25:21 CST 2008 (root@9DavidZhang2) Copyright (C) 2000-2005 Broadcom Corporation. Boot Address 0xbfc00000 Initializing Arena. Initializing Devices. Parallel flash device: name MX29LV320AB, id 0x22a8, size 4096KB CPU type 0x2A010: 300MHz, Bus: 133MHz, Ref: 64MHz Total memory: 33554432 bytes (32MB) Total memory used by CFE: 0x80401000 - 0x80528800 (1210368) Initialized Data: 0x8041E550 - 0x8041FF60 (6672) BSS Area: 0x8041FF60 - 0x80426800 (26784) Local Heap: 0x80426800 - 0x80526800 (1048576) Stack Area: 0x80526800 - 0x80528800 (8192) Text (code) segment: 0x80401000 - 0x8041E544 (120132) Boot area (physical): 0x00529000 - 0x00569000 Relocation Factor: I:00000000 - D:00000000 Board IP address : 192.168.1.1 Host IP address : 192.168.1.100 Gateway IP address : Run from flash/host (f/h) : f Default host run file name : vmlinux Default host flash file name : bcm963xx_fs_kernel Boot delay (0-9 seconds) : 1 Board Id Name : 96358GW Psi size in KB : 24 Number of MAC Addresses (1-32) : 10 Base MAC Address : 00:1d:7e:b3:9b:52 Ethernet PHY Type : Internal Memory size in MB : 32 CMT Thread Number : 0 *** Press any key to stop auto run (1 seconds) ***

OpenWrt bootlog

Linux version 2.6.32.9 (virus@Virion) (gcc version 4.3.3 (GCC) ) #18 Mon Mar 15 16:16:55 CET 2010 Detected Broadcom 0x6358 CPU revision a1 CPU frequency is 300 MHz 32MB of RAM installed registering 40 GPIOs board_bcm963xx: CFE version: 1.0.37-5.4 bootconsole [early0] enabled CPU revision is: 0002a010 (Broadcom BCM6358) board_bcm963xx: board name: 96358GW Determined physical RAM map: memory: 02000000 @ 00000000 (usable) Initrd not found or empty - disabling initrd Zone PFN ranges: Normal 0x00000000 -> 0x00002000 Movable zone start PFN for each node early_node_map[1] active PFN ranges 0: 0x00000000 -> 0x00002000 On node 0 totalpages: 8192 free_area_init_node: node 0, pgdat 8026b500, node_mem_map 81000000 Normal zone: 64 pages used for memmap Normal zone: 0 pages reserved Normal zone: 8128 pages, LIFO batch:0 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128 Kernel command line: root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200 PID hash table entries: 128 (order: -3, 512 bytes) Dentry cache hash table entries: 4096 (order: 2, 16384 bytes) Inode-cache hash table entries: 2048 (order: 1, 8192 bytes) Primary instruction cache 32kB, VIPT, 2-way, linesize 16 bytes. Primary data cache 16kB, 2-way, VIPT, cache aliases, linesize 16 bytes Memory: 29724k/32768k available (2050k kernel code, 3044k reserved, 363k data, 136k init, 0k highmem) Hierarchical RCU implementation. NR_IRQS:128 Calibrating delay loop... 299.00 BogoMIPS (lpj=598016) Mount-cache hash table entries: 512 NET: Registered protocol family 16 ath: Register ath_data_device at address 0x1ffe1000 registering PCI controller with io_map_base unset bio: create slab at 0 pci 0000:00:01.0: reg 10 32bit mmio: [0x000000-0x00ffff] Switching to clocksource MIPS NET: Registered protocol family 2 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 1024 (order: 1, 8192 bytes) TCP bind hash table entries: 1024 (order: 0, 4096 bytes) TCP: Hash tables configured (established 1024 bind 1024) TCP reno registered NET: Registered protocol family 1 audit: initializing netlink socket (disabled) type=2000 audit(0.197:1): initialized squashfs: version 4.0 (2009/01/31) Phillip Lougher Registering mini_fo version $Id$ JFFS2 version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc. msgmni has been set to 58 io scheduler noop registered io scheduler deadline registered (default) gpiodev: gpio device registered with major 254 gpiodev: gpio platform device registered with access mask FFFFFFFF bcm63xx_uart.0: ttyS0 at MMIO 0xfffe0100 (irq = 10) is a bcm63xx_uart console [ttyS0] enabled, bootconsole disabled bcm963xx_flash: 0x00400000 at 0x1fc00000 bcm963xx: Found 1 x16 devices at 0x0 in 16-bit bank Amd/Fujitsu Extended Query Table at 0x0040 number of CFI chips: 1 cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness. bcm963xx_flash: Read Signature value of CFE1CFE1 bcm963xx_flash: CFE bootloader detected bcm963xx_flash: CFE boot tag found with version 6, board type 96358GW, and tagid bc310. bcm963xx_flash: Partition 0 is CFE offset 81ce1e48 and length 0 bcm963xx_flash: Partition 1 is kernel offset d2b and length 0 bcm963xx_flash: Partition 2 is rootfs offset d6c and length 0 bcm963xx_flash: Partition 3 is ath_data offset dad and length 0 bcm963xx_flash: Partition 4 is nvram offset df0 and length 0 bcm963xx_flash: Spare partition is 2a0000 offset and length 150000 Creating 5 MTD partitions on "bcm963xx": 0x000000000000-0x000000010000 : "CFE" 0x000000010100-0x0000000f0000 : "kernel" mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only 0x0000000f0000-0x0000003e0000 : "rootfs" mtd: partition "rootfs" set to be root filesystem mtd: partition "rootfs_data" created automatically, ofs=2A0000, len=140000 0x0000002a0000-0x0000003e0000 : "rootfs_data" 0x0000003e0000-0x0000003f0000 : "ath_data" 0x0000003f0000-0x000000400000 : "nvram" bcm63xx_enet MII bus: probed bcm63xx_wdt started, timer margin: 30 sec TCP westwood registered NET: Registered protocol family 17 802.1Q VLAN Support v1.8 Ben Greear All bugs added by David S. Miller VFS: Mounted root (squashfs filesystem) readonly on device 31:2. Freeing unused kernel memory: 136k freed Please be patient, while OpenWrt loads ... mini_fo: using base directory: / mini_fo: using storage directory: /jffs eth1: link forced UP - 100/full - flow control off/off Generic kernel compatibility enabled based on linux-next next-20100113 device eth1.1 entered promiscuous mode device eth1 entered promiscuous mode br-lan: port 1(eth1.1) entering forwarding state cfg80211: Calling CRDA to update world regulatory domain roboswitch: Probing device eth0: roboswitch: [/home/virus/kamikaze/build_dir/linux-brcm63xx/kmod-switch/switch-robo.c:130] SIOCGETCPHYRD failed! roboswitch: [/home/virus/kamikaze/build_dir/linux-brcm63xx/kmod-switch/switch-robo.c:130] SIOCGETCPHYRD failed! No Robo switch in managed mode found, phy_id = 0xffffffff roboswitch: Probing device eth1: found a 5325! It's a 5350. PCI: Enabling device 0000:00:01.0 (0000 -> 0002) # reading ath_data ath: eepdata = 0x00000cb8, el = 0x0000065c, ath: eepdata = 0x000081fe, el = 0x0000065c, ath: sum = 0x0000ffff, length = 0x00000cb8, checksum = 0x000063d1 ath: EEPROM regdomain: 0x0 ath: EEPROM indicates default country code should be used ath: doing EEPROM country->regdmn map search ath: country maps to regdmn code: 0x3a ath: Country alpha2 being used: US ath: Regpair used: 0x3a phy0: Selected rate control algorithm 'minstrel_ht' Registered led device: ath9k-phy0::radio Registered led device: ath9k-phy0::assoc Registered led device: ath9k-phy0::tx Registered led device: ath9k-phy0::rx phy0: Atheros AR5416 MAC/BB Rev:2 AR2122 RF Rev:81 mem=0xc0360000, irq=39 cfg80211: Calling CRDA for country: US PPP generic driver version 2.4.2 cfg80211: Regulatory domain changed to country: US (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp) (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm) (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm) (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm) ip_tables: (C) 2000-2006 Netfilter Core Team NET: Registered protocol family 24 nf_conntrack version 0.5.0 (466 buckets, 1864 max) ath_hal: module license 'Proprietary' taints kernel. Disabling lock debugging due to kernel taint ath_hal: 2009-05-08 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, RF2133, RF2425, REGOPS_FUNC, XR) ath_pci: trunk wlan: trunk wlan: mac acl policy registered ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk) ath_rate_minstrel: look around rate set to 10% ath_rate_minstrel: EWMA rolloff level set to 75% ath_rate_minstrel: max segment size in the mrr set to 6000 us device wlan0 entered promiscuous mode br-lan: port 2(wlan0) entering forwarding state device wlan0 left promiscuous mode br-lan: port 2(wlan0) entering disabled state device wlan0 entered promiscuous mode br-lan: port 2(wlan0) entering forwarding state

Hints

Backup ath_data

Before flashing OpenWrt make sure to backup "ath_data" (/dev/mtdblock4). It's calibration data for wireless device. You have to include this data into OpenWrt, and modify ath9k driver to read it durning device initialisation.

Normally the dd command would be used for copying such data; however the Linksys provided OS does not include this command. Using the cp command would result in just the inode information being copied, so instead use the cat command - placing the result within the /tmp directory which is a writable part of the filesystem,

cat /dev/mtdblock4 > /tmp/ath_data

You then need to get this image off the router. As there is no ftp client installed; use the in-built web server. As you can't write to the directory currently used by the http server, let's just hijack the daemon for a short while,

/usr/sbin/rc httpd stop
/usr/sbin/mini_httpd -d /tmp

You should now be able to download mtdblock4 from another system, using something smilar to,

wget --user=admin --password=adminpass -O ath_data http://192.168.1.1/ath_data

Once you've downloaded mtdb4 kill the mini-httpd and restart the web server using its normal configuration,

killall mini_httpd
/usr/sbin/rc httpd start

Tags

toh/linksys/wag160n.txt · Last modified: 2014/05/31 19:48 by belotv