UPVEL UR-825AC

http://www.upvel.ru/items/ur-825ac.html

OpenWRT for this device is currently in beta testing, and there are a lot of good results!
Discussions are on the OpenWRT forum here

Hardware info

Architecture: Lexra/ Lexra RLX5281
Vendor: Realtek
Bootloader: RealTek
System-On-Chip: Realtek RTL8197DN
CPU Speed: 660 MHz
Flash Chip: ELM Technology GD25Q128
Flash size: 16MB
RAM chip: PME810816CBR-E7DN
RAM size: 64M
Wireless IEEE 802.11a/b/g/n: Realtek RTL8192ER
Wireless IEEE 802.11ac: Realtek RTL8812AR
Ethernet: Realtek RTL8367RB Gigabit
USB: 2*USB2.0
Serial: Yes
JTAG: Yes (?)
Power supply: 12V 1.5A

Serial

Console port J21 uses 3.3 V signaling at speed 38400,8n1. Header is not installed.

J21
1 2 3 4
Vcc RX TX GND

Do not connect Vcc. That would power only the SoC, and the device will not start normally.

JTAG

There are eight unlabeled test points near the SoC. These are possibly the JTAG connection points. There was no chance to check it.

Firmware restoring

(This process wasn't tested completely, but it should work.)

You can't use JTAG, but the flash chip has only 8 pins, so it is easier to unsolder the chip and reprogram it in an SPI programmer. You have to write the 24Kb bootloader into the flash (try to find it on the OpenWRT forum), and after that you will be able to upload the stock firmware through TFTP. Note that no 16 MByte chip is supported except the GD25Q128 and a few others; this is a limitation of the bootloader. According to the RealTek SDK, the bootloader supports only these chips:

S25FL004A
S25FL016A
S25FL032A
S25FL064A
S25FL128P (with some limitations)
S25FL032P
MX25L4005
MX25L1605D
MX25L3205D
MX25L6405D
MX25L12805D
MX25L1635D
MX25L3235D
MX25L6445E
MX25L12845E
SST25VF032B
SST26VF016
SST26VF032
W25Q80
W25Q16
W25Q32
EN25F32
EN25F16
EN25Q32
EN25Q16
GD25Q8
GD25Q16
GD25Q32
GD25Q64
GD25Q128
AT25DF161
…not all of them are 16MBytes.

Stock firmware startup log

The current firmware is v3.4.6.3, but it looks like the version doesn't matter. What counts is its build (19.11.14).

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000002dh GD25Q128
@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
---RealTek(RTL8196D)at 2013.12.26-08:32+0800 v1.1 [16bit](700MHz)
no rootfs signature at 000E0000!
no rootfs signature at 000F0000!
no rootfs signature at 00130000!
no rootfs signature at 000E1000!
...
no rootfs signature at 0015E000!
no rootfs signature at 0015F000!

Jump to image start=0x80500000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003430
Realtek WLAN driver - version 1.6 (2013-02-21)
DFS function - version 1.0.20
8812 mp chip !! 


#######################################################
SKB_BUF_SIZE=3600 MAX_SKB_NUM=768
#######################################################



#######################################################
SKB_BUF_SIZE=3600 MAX_SKB_NUM=768
#######################################################




Probing RTL8186 10/100 NIC-kenel stack size order[3]...
chip name: 8196C, chip revid: 0
NOT YET
eth0 added. vid=9 Member port 0x1...
eth1 added. vid=8 Member port 0x10...
eth2 added. vid=9 Member port 0x2...
eth3 added. vid=9 Member port 0x4...
eth4 added. vid=9 Member port 0x8...
[peth0] added, mapping to [eth1]...
Realtek FastPath:v1.03

init started: BusyBox v1.13.4 (2014-11-19 11:53:27 MSK)
insmod: cannot insert '/lib/modules/2.6.30.9/kernel/fs/nlsnls_cp936.ko': unknown symbol in module, or unknown parameter
flat_open(/dev/mtd4,r) = 0
******************
sysconf init gw all 
***************
Init Start...
******************
sysconf wlanapp kill wlan0 
***************
!!! adjust 5G 2ndoffset for 8812 !!!
******************
sysconf wlanapp kill wlan1 
***************
Init bridge interface...
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
 <=== FirmwareDownload8812()
syslog will use 64KB for log(7 rotate, 1 original, 8KB for each)
Init Wlan application...

WiFi Simple Config v2.14-wps2.0 (2014.01.17-06:15+0000).

Register to wlan0
Register to wlan1
route: SIOCDELRT: No such process
IEEE 802.11f (IAPP) using interface br0 (v1.8)
Start setting IPv6[IPv6]
start samba
start vsftpd
uShare<main>ushare name: UR-825AC

uShare (version 1.1a), a lightweight UPnP A/V and DLNA Media Server.
Benjamin Zores (C) 2005-2007, for GeeXboX Team.
See http://ushare.geexbox.org/ for updates.
Listening on telnet port 1337
Initializing UPnP subsystem ...
UPnP MediaServer listening on 192.168.1.1:49200
Sending UPnP advertisement for device ...
Listening for control point connections ...
Looking for files in content directory : /var/tmp/usb/sda1/Media
scandir: No such file or directory
Found 3 files and subdirectories.
boa: server version Boa/0.94.14rc21
boa: server built Nov 19 2014 at 12:26:45.
boa: starting server pid=1365, port 80


ur-825ac login: 

…and the same output in Recovery mode (hold the Reset button for 3..5 seconds at power-on)

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000002dh GD25Q128
@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
---RealTek(RTL8196D)at 2013.12.26-08:32+0800 v1.1 [16bit](700MHz)
no rootfs signature at 000E0000!
no rootfs signature at 000F0000!
no rootfs signature at 00130000!
no rootfs signature at 000E1000!
no rootfs signature at 000E2000!
...
no rootfs signature at 0015E000!
no rootfs signature at 0015F000!
P0phymode=03, embedded phy

---Ethernet init Okay!

<RealTek>

A couple of commands:

<RealTek>?

----------------- COMMAND MODE HELP ------------------

HELP (?)    : Print this help message
DB <Address> <Len>
DW <Address> <Len>
EB <Address> <Value1> <Value2>...
EW <Address> <Value1> <Value2>...
CMP: CMP <dst><src><length>
IPCONFIG:<TargetAddress>
AUTOBURN: 0/1
LOADADDR: <Load Address>
J: Jump to <TargetAddress>
FLR: FLR <dst><src><length>
FLW <dst_ROM_offset><src_RAM_addr><length_Byte> <SPI cnt#>: Write offset-data to SPI from RAM
MDIOR:  MDIOR <phyid> <reg>
MDIOW:  MDIOW <phyid> <reg> <data>
PHYR: PHYR <PHYID><reg>
PHYW: PHYW <PHYID><reg><data>
D8 <Address>
E8 <Address> <Value>

<RealTek>ipconfig
 Target Address=192.168.1.6

Serial console

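Unfortunately I couldn't get the login/password for the serial console, but fortunately we can try to get access through Telnet. Open this page of the web interface (you have to log in on the main page first):

http://<your device ip>/syscmd.htm
and send this command through it:
busybox /bin/telnetd -p 1112 -l/bin/sh
After that you can connect to your device on port 1112:
telnet <your device IP> 1112

Because of -l/bin/sh, telnetd starts a shell directly instead of a login prompt, so for as long as this telnetd is running, anyone who can reach port 1112 gets a shell without a password.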

BusyBox version:

# busybox
BusyBox v1.13.4 (2014-11-19 11:53:27 MSK) multi-call binary
Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as!

Currently defined functions:
        adduser, ash, bunzip2, bzcat, cat, chroot, cp, cut, date, echo, eject,
        expr, false, free, getty, grep, halt, head, hostname, ifconfig, init,
        insmod, ip, kill, killall, klogd, ln, login, lpq, ls, lsmod, mdev,
        mkdir, modprobe, mount, passwd, ping, ping6, poweroff, ps, reboot,
        renice, rm, rmmod, route, sh, sleep, swapoff, swapon, syslogd, tail,
        telnetd, true, umount, vi, wc

CPU info

# cat /proc/cpuinfo
system type             : RTL819xD
processor               : 0
cpu model               : 56322
BogoMIPS                : 658.63
hardware watchpoint     : no
tlb_entries             : 32
mips16 implemented      : yes

MTD mapping

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00160000 00001000 "boot+cfg+linux"
mtd1: 00880000 00001000 "root fs"
mtd2: 00620000 00001000 "flatfs"

Kernel supported devices

# cat /proc/devices
Character devices:
  1 mem
  2 pty
  3 ttyp
  4 ttyS
  5 /dev/tty
  5 /dev/console
 10 misc
 90 mtd
108 ppp
166 ttyACM
180 usb
188 ttyUSB
189 usb_device
254 usb_endpoint

Block devices:
259 blkext
  8 sd
 11 sr
 31 mtdblock
 65 sd
 66 sd
 67 sd
 68 sd
 69 sd
 70 sd
 71 sd
128 sd
129 sd
130 sd
131 sd
132 sd
133 sd
134 sd
135 sd

There are no burn commands.

SerialPort params:

# cat /proc/cmdline
console=ttyS0,38400 root=/dev/mtdblock1

Linux kernel version:

# cat /proc/version
Linux version 2.6.30.9 (warlock@warlock-debian-PC) (gcc version 4.4.5-1.5.5p4 (GCC) ) #376 Wed Nov 19 12:29:05 MSK 2014

System version:

# cat /etc/version
RTL819xD v1.0 --  Wed Nov 19 12:27:04 MSK 2014
The SDK version is: Realtek SDK v3.4.6-r20732
Ethernet driver version is: 20468-20238
Wireless driver version is: 20631-20631
Fastpath source version is: 20238-20238
Feature support version is: 20022-14785

Process list:

# cd /proc
# ls
1                          fast_nat
1029                       fast_pppoe
1031                       fast_pptp
1052                       filesystems
1062                       filter_table
1065                       fs
1291                       gc_overflow_timout
131                        gpio
1322                       http_file
1324                       hw_nat
1328                       interrupts
1330                       iomem
1333                       ioports
1337                       irq
1342                       kcore
1343                       kpagecount
1344                       kpageflags
1346                       load_default
1347                       loadavg
1348                       locks
1350                       log_print_control
1351                       meminfo
1363                       misc
1365                       modules
1366                       mounts
1367                       mtd
1389                       net
1401                       pagetypeinfo
1407                       partitions
141                        peth0
158                        phyRegTest
159                        pptp_conn_ck
2                          qos
3                          reInitSwitchCore
4                          rf_switch
5                          rtk_multicast_scream_vid
725                        rtk_query_for_bridge_port
8                          rtk_vlan_support
StormCtrl                  rtl865x
alg                        rtl_8367r_vlan
br_igmpDb                  rtl_hw_vlan_support
br_igmpProxy               rtl_hw_vlan_tagged_mc
br_igmpQuerierInfo         scsi
br_igmpVersion             self
br_igmpquery               slabinfo
br_igmpsnoop               stat
br_mCastFastFwd            suspend_check
br_mldQuerierInfo          swaps
br_mldVersion              sys
br_mldquery                sysvipc
br_mldsnoop                timer_list
br_wlanblock               tty
buddyinfo                  uptime
bus                        usb_mode_detect
cmdline                    version
cpuinfo                    vmallocinfo
crypto                     vmstat
custom_Passthru            watchdog_reboot
custom_Passthru_wlan       wlan0
devices                    wlan0-va0
diskstats                  wlan0-va1
driver                     wlan0-va2
eee                        wlan0-va3
enable_dos                 wlan0-vxd
eth0                       wlan1
eth1                       wlan1-va0
eth2                       wlan1-va1
eth3                       wlan1-va2
eth4                       wlan1-va3
execdomains                wlan1-vxd
fast_l2tp                  zoneinfo

Loaded modules list:

# lsmod

ext3 109920 - - Live 0xc0307000
jbd 31056 - - Live 0xc02bb000
mbcache 4128 - - Live 0xc02a1000
msdos 6480 - - Live 0xc028f000
vfat 8656 - - Live 0xc0281000
fat 42032 - - Live 0xc026a000
ntfs 226576 - - Live 0xc0211000
nls_cp950 98432 - - Live 0xc018a000
nls_utf8 768 - - Live 0xc0167000
nls_cp437 4336 - - Live 0xc0157000
hw_cdc_driver 21536 - - Live 0xc0142000
rndis_host 4368 - - Live 0xc012e000
cdc_ether 2752 - - Live 0xc0123000
cdc_eem 1984 - - Live 0xc0118000
asix 10176 - - Live 0xc010c000
usbnet 10560 - - Live 0xc00fb000
cdc_wdm 7840 - - Live 0xc00eb000
cdc_acm 11120 - - Live 0xc00dc000
mii 3216 - - Live 0xc00ca000
scsi_wait_scan 320 - - Live 0xc00ba000
crc32 3104 - - Live 0xc00ae000
bitrev 784 - - Live 0xc00a7000

Memory information:

# cat /proc/meminfo
MemTotal:          49020 kB
MemFree:           26908 kB
Buffers:            2052 kB
Cached:             6200 kB
SwapCached:            0 kB
Active:             4308 kB
Inactive:           6456 kB
Active(anon):       2512 kB
Inactive(anon):        0 kB
Active(file):       1796 kB
Inactive(file):     6456 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:          2516 kB
Mapped:             2104 kB
Slab:               9952 kB
SReclaimable:        472 kB
SUnreclaim:         9480 kB
PageTables:          252 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       24508 kB
Committed_AS:      19732 kB
VmallocTotal:    1048404 kB
VmallocUsed:        1000 kB
VmallocChunk:    1045192 kB

Mounted devices:

# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,relatime 0 0
ramfs /var ramfs rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0

Ethernet configuration:

(The device is currently in Bridge mode, so the WAN port, all LAN ports and the WLAN ports are consolidated into br0.)

# ifconfig
br0       Link encap:Ethernet  HWaddr D4:BF:**:**:**:**
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::****:7fff:****:****/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12785 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1170 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2199478 (2.0 MiB)  TX bytes:226615 (221.3 KiB)

eth0      Link encap:Ethernet  HWaddr D4:BF:**:**:**:**
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13457 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4944461 (4.7 MiB)  TX bytes:1175082 (1.1 MiB)
          Interrupt:12

eth1      Link encap:Ethernet  HWaddr D4:BF:**:**:**:**
          inet6 addr: fe80::****:7fff:****:****/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:12

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr D4:BF:**:**:**:**
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24798 (24.2 KiB)  TX bytes:74214 (72.4 KiB)
          Interrupt:14

wlan1     Link encap:Ethernet  HWaddr D4:BF:**:**:**:**
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:112382 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17600 errors:10 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20672649 (19.7 MiB)  TX bytes:5465792 (5.2 MiB)
          Interrupt:11

FLASH dump structure

Start address | Description | Signature | Comments | eth_tftpd.c variable
0x00000000 | Bootloader | | |
0x00006000 | hw-config | H601 | HW settings (MAC addr etc…) | COMP_HS_SIGNATURE
0x00008000 | config | COMPDS | SW default settings | COMP_DS_SIGNATURE
0x0000C000 | config | COMPCS | SW current settings | COMP_CS_SIGNATURE
0x00010000 | Linux-kernel | cr6c | |
0x00160000 | root Squash FS | hsqs | ! w/o r6cr signature ! |

Bootloader

The device has the Realtek bootloader with TFTP support. Its TFTP address is 192.168.1.6 by default. To get to the bootloader prompt, press the Reset button before power-on and keep it pressed for 3..5 seconds.

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000002dh GD25Q128
@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
---RealTek(RTL8196D)at 2013.12.26-08:32+0800 v1.1 [16bit](700MHz)
...
[skipped]
...
<RealTek>

You can get the help page by typing "?" and pressing Enter.

Using bootloader commands

If you want to write something to your flash (ROM), you need at least a working bootloader. With it you can upload any file through TFTP, with its size limited by the RAM. By default TFTP loads the file to 0x80500000. Do not forget to switch autoburning off. Then you can check what was loaded into the RAM. For example, I loaded the hardware config (a binary file without any signature):

<RealTek>autoburn 0
AutoBurning=0
<RealTek>
**TFTP Client Upload, File Name: hw-config.bin
-
**TFTP Client Upload File Size = 00002000 Bytes at 80500000

Success!
<RealTek>db 80500000
 [Addr]   .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .A .B .C .D .E .F
80500000: 48 36 30 31 00 00 0c 8e 01 XX XX XX XX XX XX XX     H601.....XXXXXXX
<RealTek>

It looks correct. Some bytes were hidden by me.
After that you can burn the loaded file from RAM to the flash (ROM).

<RealTek>flw 6000 80500000 2000
Write 0x00002000 Bytes to SPI flash#1, offset 0x00006000<0xbd006000>, from RAM 0x80500000 to 0x80502000
(Y)es, (N)o->y
..<RealTek>

Hardware config

The hardware config is stored in flash ROM at address 0x6000. I suppose it holds the variables that can be found in the dump obtained through syscmd.htm of the original firmware (flash allhw). Possibly somebody, or I, will "disassemble" the binary config more deeply, but for now you can generate it with a Perl script:

#!/usr/bin/perl
#
use IO::File;
#
# Change this if you want another output filename for the binary h/w config
$out_filename="./hw-config-out.bin";
#
# !!!! Change this to the WAN address from your router's enclosure label, or to any other address you want.
$new_hw_addr="D4:BF:AA:AA:AA:AA";
#
#
$new_hw_addr=~s/://g;

$mac_eth0=sprintf("%.12X",(hex($new_hw_addr)));
$mac_eth1=sprintf("%.12X",(hex($new_hw_addr)-1));
$mac_wlan0=$mac_eth0;
$mac_wlan0_va0=sprintf("%.12X",(hex($new_hw_addr)+1));
$mac_wlan0_va1=sprintf("%.12X",(hex($new_hw_addr)+2));
$mac_wlan0_va2=sprintf("%.12X",(hex($new_hw_addr)+3));
$mac_wlan0_va3=sprintf("%.12X",(hex($new_hw_addr)+4));
$mac_8=sprintf("%.12X",(hex($new_hw_addr)+3239894));
$mac_9=sprintf("%.12X",(hex($new_hw_addr)+3239895));
$mac_10=sprintf("%.12X",(hex($new_hw_addr)+3239896));
$mac_wlan1=sprintf("%.12X",(hex($new_hw_addr)+5));
$mac_wlan1_va0=sprintf("%.12X",(hex($new_hw_addr)+5));
$mac_wlan1_va1=sprintf("%.12X",(hex($new_hw_addr)+6));
$mac_wlan1_va2=sprintf("%.12X",(hex($new_hw_addr)+7));
$mac_wlan1_va3=sprintf("%.12X",(hex($new_hw_addr)+8));
$mac_16=sprintf("%.12X",(hex($new_hw_addr)+3239910));
$mac_17=sprintf("%.12X",(hex($new_hw_addr)+3239911));
$mac_18=sprintf("%.12X",(hex($new_hw_addr)+3239912));

$fh1 = new IO::File $out_filename, "w";
$fh1->write("H601");    #signature
$fh1->write(chr(0).chr(0).chr(0x0C).chr(0x8E).chr(1));

@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_eth0);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_eth1);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_wlan0);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_wlan0_va0);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_wlan0_va1);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_wlan0_va2);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_wlan0_va3);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_8);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_9);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_10);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
$fh1->write(chr(0x00)x98);
$fh1->write(pack("C4 x2 C x4 C",hex("0C"),hex("0A"),hex("00"),hex("1F"),hex("21"),hex("01")));
$fh1->write(chr(0x00)x40);
$fh1->write("#"x5);
$fh1->write("\""x8);
$fh1->write("!"x16);
$fh1->write(","x48);
$fh1->write("+"x8);
$fh1->write("*"x8);
$fh1->write(")"x16);
$fh1->write("*"x9);
$fh1->write(")"x16);
$fh1->write("'"x8);
$fh1->write(chr(0x00)x54);
$fh1->write("'"x5);
$fh1->write("#"x8);
$fh1->write("!"x8);
$fh1->write(chr(0x1E)x8);
$fh1->write("&"x40);
$fh1->write("%"x8);
$fh1->write("\$"x16);
$fh1->write("#"x16);
$fh1->write("%"x25);
$fh1->write("&"x8);
$fh1->write(chr(0x00)x607);
# HW_WLAN1_WSC_PIN (fixed value: every config generated by this script gets this same PIN)
$fh1->write("05294176");
$fh1->write(chr(0x00)x99);
$fh1->write(chr(0x02)x14);
$fh1->write(chr(0xEE)x14);
$fh1->write(chr(0x00)x56);
$fh1->write(chr(0xE0)x14);
$fh1->write(chr(0x00)x126);
$fh1->write(chr(0x02)x14);
$fh1->write(chr(0xEE)x14);
$fh1->write(chr(0x00)x56);
$fh1->write(chr(0xE0)x14);
$fh1->write(chr(0x00)x28);

@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_wlan1);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_wlan1_va0);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_wlan1_va1);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_wlan1_va2);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_wlan1_va3);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_16);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_17);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));
@mac[1..6] = unpack ("A2 A2 A2 A2 A2 A2",$mac_18);
$fh1->write(pack("C6",hex($mac[1]),hex($mac[2]),hex($mac[3]),hex($mac[4]),hex($mac[5]),hex($mac[6])));

$fh1->write("*"x3);
$fh1->write("+"x6);
$fh1->write(","x5);
$fh1->write(")"x14);
$fh1->write(","x14);
$fh1->write("+"x14);
$fh1->write(chr(0x00)x14);
$fh1->write(chr(0x11)x28);
$fh1->write(chr(0x0C));
$fh1->write(chr(0x0A));
$fh1->write(chr(0x0D));
$fh1->write(chr(0x21));
$fh1->write(chr(0x00));
$fh1->write(chr(0x00));
$fh1->write(chr(0x20));
$fh1->write(chr(0x00)x990);
# The same eight PIN digits as above
$fh1->write("05294176");
$fh1->write(chr(0x00)x449);
$fh1->write(chr(0xBB));
$fh1->write(chr(0xFF)x4970);

undef($fh1);

…and then you can check the created MAC addresses with this script:

#!/usr/bin/perl
#
use IO::File;

if(not defined $ARGV[0]) {
    print "Usage:\n\t test <input_file> \n";
    exit;
}

if(! -e $ARGV[0]) {print "Input file doesn't exist\n"; exit; }

$fh = new IO::File $ARGV[0], "r";

if (defined $fh) {
        $fh->read($buffer, 9);  # skip some unknown bytes for config only file
#        $fh->read($buffer, 24585);  # skip some unknown bytes for full flash dump
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"eth0 MAC address  #1",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"eth1 (WAN) MAC address  #2",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"wlan0 MAC address  #3",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"wlan0-va0 MAC address  #4",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"wlan0-va1 MAC address  #5",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"wlan0-va2 MAC address  #6",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"wlan0-va3 MAC address  #7",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"??? MAC address  #8",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"??? MAC address  #9",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"??? MAC address #10",@m_h[1..6]);
        $fh->read($buffer, 1552);  # skip some unknown bytes
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"wlan1 MAC address #11",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"wlan1-va0 MAC address #12",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"wlan1-va1 MAC address #13",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"wlan1-va2 MAC address #14",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"wlan1-va3 MAC address #15",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"??? MAC address #16",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"??? MAC address #17",@m_h[1..6]);
        $fh->read($buffer, 6);
        (@m_h[1..6]) = unpack ("C6",$buffer);
        printf("%#.8X: %20s: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X\n",$fh->tell,"??? MAC address #18",@m_h[1..6]);
    undef $fh;
}
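
An audit of an hw-config blob before it is written with flw, as an added example (not code from the original page). The field offsets are obtained by adding up the writes in the generator script above; the WPS check-digit rule comes from the WPS specification, not from this page; all function names and the sample values are constructed for illustration.

```python
HW_SIZE = 0x2000                    # size written with "flw 6000 80500000 2000"
MAC_BLOCKS = ((9, 10), (1621, 8))   # (offset, count) of the two MAC tables
PIN_OFFSETS = (1164, 2764)          # where the generator writes its 8 PIN digits
SCRIPT_PIN = "05294176"             # literal in the generator script
SCRIPT_MAC = "D4:BF:AA:AA:AA:AA"    # placeholder $new_hw_addr in the script
SLOTS = ["eth0", "eth1 (WAN)", "wlan0", "wlan0-va0", "wlan0-va1", "wlan0-va2",
         "wlan0-va3", "#8", "#9", "#10", "wlan1", "wlan1-va0", "wlan1-va1",
         "wlan1-va2", "wlan1-va3", "#16", "#17", "#18"]


def mac_offsets():
    """Byte offset of each of the 18 MAC slots, in SLOTS order."""
    return [off + 6 * i for off, count in MAC_BLOCKS for i in range(count)]


def wps_checksum_ok(pin):
    """True if pin is 8 digits and the last one is the WPS check digit."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    d = [int(c) for c in pin]
    accum = 3 * sum(d[0:7:2]) + sum(d[1:7:2])
    return (10 - accum % 10) % 10 == d[7]


def parse_hw_config(blob):
    """Extract signature, MAC table and PIN fields from an 8 KB blob."""
    macs = {name: ":".join("%02X" % b for b in blob[o:o + 6])
            for name, o in zip(SLOTS, mac_offsets())}
    pins = [blob[o:o + 8].decode("ascii", "replace") for o in PIN_OFFSETS]
    return {"signature": bytes(blob[:4]), "macs": macs, "pins": pins}


def audit_hw_config(blob):
    """Return a list of findings; an empty list means nothing was flagged."""
    if len(blob) != HW_SIZE:
        return ["size is %d bytes, expected %d" % (len(blob), HW_SIZE)]
    cfg, findings = parse_hw_config(blob), []
    if cfg["signature"] != b"H601":
        findings.append("signature is %r, not H601" % cfg["signature"])
    for name, mac in cfg["macs"].items():
        octets = bytes.fromhex(mac.replace(":", ""))
        # All-zero, broadcast and multicast addresses cannot be interface MACs.
        if octets in (bytes(6), b"\xff" * 6) or octets[0] & 1:
            findings.append("%s: %s is not a usable unicast address" % (name, mac))
    if cfg["macs"]["eth0"] == SCRIPT_MAC:
        findings.append("eth0 still has the script's placeholder MAC")
    for off, pin in zip(PIN_OFFSETS, cfg["pins"]):
        if not wps_checksum_ok(pin):
            findings.append("PIN at %d: %r fails the WPS checksum" % (off, pin))
        elif pin == SCRIPT_PIN:
            findings.append("PIN at %d is the script's fixed value" % off)
    return findings


def build_sample(base_mac, pin):
    """Constructed blob: only the fields the audit reads are filled in."""
    blob = bytearray(HW_SIZE)
    blob[:9] = b"H601\x00\x00\x0c\x8e\x01"
    for n, o in enumerate(mac_offsets()):
        blob[o:o + 6] = (base_mac + n).to_bytes(6, "big")
    for o in PIN_OFFSETS:
        blob[o:o + 8] = pin.encode("ascii")
    return bytes(blob)


if __name__ == "__main__":
    # Constructed inputs: one with its own values, one with the script defaults.
    for blob in (build_sample(0x020000000010, "12345670"),
                 build_sample(0xD4BFAAAAAAAA, SCRIPT_PIN)):
        print(audit_hw_config(blob) or "nothing flagged")
```

To audit a real file, pass its contents to audit_hw_config(); for a full flash dump, slice out the 0x2000 bytes starting at 0x6000 first.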

Firmware structure

The current firmware binary file has two parts:

linux-kernel
root-fs

Every part has a 16-byte header that makes it possible to upload and flash the parts separately; from it the router knows where each part should be placed in the flash.

Linux-kernel part:

signature (cr6c) | dst. in RAM | dst. in Flash | img size-16B (*) | etc…
63723663 | 80500000 | 00010000 | 00149002 | 00000000

* real part size is 0x149012h instead of 0x149002h

Root-fs part (SquashFS 4.0 w/LZMA):

signature (r6cr) | (?) dst. in RAM | dst. in Flash | img size-16B (*) | SqFS sign. (hsqsp) | etc…
72366372 | 002D0000 | 00160000 | 00365002 | 6873717370 | 03000000

* real part size is 0x365012h instead of 0x365002h

You can use a Perl script to split the complete bin file into its functional parts:

#!/usr/bin/perl
#
use IO::File;
#
# Uncomment this if you want skip some bytes before signature found
#$skip=112;
#
#struct Header {
#    char signature[4];
#    int dest_ram;
#    int dest_flash;
#    int img_size;
#};

if(not defined $ARGV[0]) {
    print "Usage:\n\t test <input_file> [-C]\nOption:\n\t\t -C - combine header with body. After that img-file can be TFTP-uploaded separately.\n";
    exit;
}

$combine=0;
if(defined $ARGV[1]) {
    # -C or -c: prepend the 16-byte header to each .img file
    if ($ARGV[1] eq "-C" || $ARGV[1] eq "-c") {$combine=1;}
}

$fno = $ARGV[0].".out";

if(! -e $ARGV[0]) {print "Input file doesn't exist\n"; exit; }

$fh = new IO::File $ARGV[0], "r";

$fn_idx=1;
if (defined $fh) {
    if(defined $skip) {$fh->read($buffer, $skip);}
    while ($fh->read($buffer, 16)) {
        ($signature,$dest_ram,$dest_flash,$img_size) = unpack ("Z4 N N N",$buffer);
        (@sig_h[1..4]) = unpack ("C4",$buffer);
        print("\n===== Part $fn_idx =====\n");
        printf("%20s: %15s(%#.2x %#.2x %#.2x %#.2x)\n","Signature",$signature,@sig_h[1..4]);
        printf("%20s: %15u(%#.8x)\n","Destination in RAM",$dest_ram,$dest_ram);
        printf("%20s: %15u(%#.8x)\n","Destination in FLASH",$dest_flash,$dest_flash);
        printf("%20s: %15u(%#.8x)\n","Image (body) size",$img_size+16,$img_size+16);
        printf("%20s: %s\n","Filename",$fno.".$fn_idx.*");


        $fn2 = $fno.".$fn_idx.hdr";
        $fh2 = new IO::File $fn2, "w";
        $fh2->write($buffer);
        undef $fh2;

        $fn1 = $fno.".$fn_idx.img";
        $fh1 = new IO::File $fn1, "w";
        if ($combine==1) {$fh1->write($buffer);}
        $fh->read($buffer, $img_size);
        $fh1->write($buffer);
        undef $fh1;
        $fn_idx++;
    }
    undef $fh;
}
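
A pre-flash sanity check that combines the 16-byte part header with the flash map from the "FLASH dump structure" table, as an added example (not code from the original page or from the Realtek SDK). It assumes, as an upper bound, that header and body are both written starting at the flash offset in the header; all function names are hypothetical and the sample bodies are constructed zero filler.

```python
import struct

FLASH_SIZE = 0x1000000  # chipSize printed by the bootloader (16 MB)
# Everything below the kernel, from the "FLASH dump structure" table.
PROTECTED = [
    (0x00000000, 0x00006000, "bootloader"),
    (0x00006000, 0x00008000, "hw-config (H601)"),
    (0x00008000, 0x0000C000, "default settings (COMPDS)"),
    (0x0000C000, 0x00010000, "current settings (COMPCS)"),
]
# Flash offsets carried by the two headers shown on this page.
EXPECTED_FLASH = {b"cr6c": 0x00010000, b"r6cr": 0x00160000}
HEADER = struct.Struct(">4sIII")  # signature, dest RAM, dest flash, size field


def parse_parts(image):
    """Walk header/body pairs; stop at the first header that cannot be trusted."""
    parts, pos = [], 0
    while pos < len(image):
        if len(image) - pos < HEADER.size:
            parts.append({"offset": pos, "problems": ["truncated header"]})
            break
        sig, ram, flash, size = HEADER.unpack_from(image, pos)
        part = {"offset": pos, "signature": sig, "dest_ram": ram,
                "dest_flash": flash, "size_field": size,
                # Assumption: header and body both land in flash (upper bound).
                "flash_end": flash + HEADER.size + size, "problems": []}
        parts.append(part)
        if sig not in EXPECTED_FLASH:
            part["problems"].append("unknown signature %r" % sig)
            break
        pos += HEADER.size + size
        if pos > len(image):
            part["problems"].append("body truncated")
    return parts


def check_image(image):
    """Return the parsed parts, each with a list of reasons not to flash it."""
    parts = parse_parts(image)
    placed = [p for p in parts if "dest_flash" in p]
    for p in placed:
        want = EXPECTED_FLASH.get(p["signature"])
        if want is not None and p["dest_flash"] != want:
            p["problems"].append("flash offset 0x%X, expected 0x%X"
                                 % (p["dest_flash"], want))
        for start, end, name in PROTECTED:
            if p["dest_flash"] < end and p["flash_end"] > start:
                p["problems"].append("would overwrite " + name)
        if p["flash_end"] > FLASH_SIZE:
            p["problems"].append("runs past the end of the flash chip")
    ordered = sorted(placed, key=lambda p: p["dest_flash"])
    for a, b in zip(ordered, ordered[1:]):
        if a["flash_end"] > b["dest_flash"]:
            b["problems"].append("overlaps the part at 0x%X" % a["dest_flash"])
    return parts


def make_part(sig, ram, flash, body):
    """Build one part: 16-byte header followed by the body (constructed data)."""
    return HEADER.pack(sig, ram, flash, len(body)) + body


def sample_good():
    # Header fields are the ones shown on this page; the bodies are zero filler.
    return (make_part(b"cr6c", 0x80500000, 0x00010000, bytes(0x149002))
            + make_part(b"r6cr", 0x002D0000, 0x00160000, bytes(0x365002)))


def sample_bad():
    # Constructed: a kernel part whose header points at the hw-config area.
    return make_part(b"cr6c", 0x80500000, 0x00006000, bytes(0x2000))


if __name__ == "__main__":
    for label, image in (("good", sample_good()), ("bad", sample_bad())):
        for part in check_image(image):
            print(label, part.get("signature"), part["problems"] or "ok")
```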

Signatures:

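Platform | WEB/vpn | WEB/gw | WEB/ap | WEB/cl | FW w/ROOT | FW | ROOT | CERT | BOOT | ALL
RTL_8196B | w6bv | w6bg | w6ba | w6bc | cr6b | cs6b | r6br | cert | boot | allp
RTL_8196C | w6cv | w6cg | w6ca | w6cc | cr6c | cs6c | r6cr | | |
RTL_8198 | | | | | | | | | |
RTL_819XD | | | | | | | | | |
RTL_8196E | | | | | | | | | |
RTL_8198B | | | | | | | | | |
other | webv | webg | weba | webc | csro | csys | root | | |

* An empty cell means a signature similar to the one in the nearest filled cell above it.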

You can use cvimg from the Realtek SDK to convert a binary file into a binary file with a header for TFTP loading. The sources of this tool and some others can be found in …/rtl819x/users/boa/tools/…

toh/upvel/ur825ac.txt · Last modified: 2016/02/07 23:53 by andygo