Instruction set: MIPS Big Endian
Vendor: Infineon
Bootloader: Bootbase
System-On-Chip: ADM5120 (BGA)
CPU @Frq MIPS 4Kc @175MHz
Flash size: 4 MiB
Flash Chip: 1xMacronix MX29LV320BT-90
RAM size: 16 MiB
RAM Chip: 1xHynix SDR-133
Wireless: Texas Instruments TNETW1130GVF (mini-PCI) 802.11b/g
Switch: 5x (SoC)
USB: yes
Serial: Yes


Serial Pinout on the J1 header:

 A  | o o - VCC
 D  | o o - Tx
 M  |   o - Rx
 5  |   x
 1  |   o - GND
 2  |  J1
 0  |

9600 8n1

Services :

Password for services : 1234

Telnet FTP (root/1234) WEB IDENT

It is not possible to login via the web interface when you are logged by console, and probably vice versa.

Hacking the ZyXEL P-335WT

This device uses Bootbase as bootloader and ZynOS as Operating system. It runs in Big-endian mode (adm5120eb-2.6 target).

You will have to choose the "ramdisk" target in "Target image". This will produce a file : openwrt-adm5120eb-2.6-vmlinux-lzma-p-335wt.bin.

This file contains a LZMA decompressor that is capable of loading the Kernel+ramdisk image. There is no need for a second bootloader.

Here are several useful informations :

Entering advanced debug mode :


MAC Address
of LAN port	Password y for ATENx,y
...0 or ...8	10F0A563
...1 or ...9	887852B1
...2 or ...A	C43C2958
...3 or ...B	621E14AC
...4 or ...C	310F0A56
...5 or ...D	1887852B
...6 or ...E	8C43C295
...7 or ... F	C621E14A

Loading an image via Xmodem :


FLASH/ROM layout

ROMIO image start at bfc08000
code version:
code start: 80008000
code length: 1E80C2
memMapTab: 16 entries, start = bfc30000, checksum = FD5E
$RAM Section:
  0: BootExt(RAMBOOT), start=80008000, len=18000
  1: BootData(RAM), start=80020000, len=8000
  2: HTPCode(RAMCODE), start=80020000, len=18000
  3: HTPData(RAM), start=8003c000, len=14000
  4: RasCode(RAMCODE), start=80020000, len=6F0000
  5: RasData(RAM), start=80710000, len=8F0000
$ROM Section:
  6: BootBas(ROMIMG), start=bfc00000, len=4000
  7: DbgArea(ROMIMG), start=bfc04000, len=2000
  8: RomDir2(ROMDIR), start=bfc06000, len=2000
  9: BootExt(ROMIMG), start=bfc08030, len=17FD0
 10: HTPCode(ROMBIN), start=bfc20000, len=10000
     Version: HTP_P335WT V1.0, start: bfc20030

     Length: AE14, Checksum: 9AE0
     Compressed Length: 2CE5, Checksum: 80D9
 11: MemMapT(ROMMAP), start=bfc30000, len=C00
 12: termcap(ROMIMG), start=bfc30c00, len=400
 13: RomDefa(ROMIMG), start=bfc31000, len=2000
 14: tiwlan(ROMIMG), start=bfc33000, len=1F000
 15: RasCode(ROMBIN), start=bfc52000, len=1FE000
     Version: RAS P335WT, start: bfc52030
     Length: 4D31F0, Checksum: 010C
     Compressed Length: 19E0C1, Checksum: BF6A

Bootstrapping Linux

Thanks to Gabor Juhos and his LZMA decompressor, we can load a kernel+ramdisk image without using a second stage bootloader.

You will need to calculate the size of the ramdisk image to send :

ls -sk openwrt-adm5120eb-2.6-vmlinux-lzma-p-335wt.bin

will show you the size in Kbytes, now you just need to multiply it by 1024 and convert it in Hex to get the hex size to use as second argument to ATUP.


OpenWrt bootlog

Bootbase Version: V1.05 | 04/20/2004 10:36:26 RAM: Size=16384 Kbytes DRAM POST: Testing: 16384K OK FLASH: AMD 32M ZyNOS Version: V3.60(JO.4) | 03/03/2006 16:30:00 Press any key to enter debug mode within 3 seconds. ....... Enter Debug Mode ATEN1,C43C2958 OK ATUP80020000,1FD000 Starting XMODEM upload (CRC mode).... C Total 2076800 bytes received OK ATGO80020000 LZMA loader for ADM5120, Copyright (C) 2007 OpenWrt.org decompressing kernel... done! launching kernel... Linux version (fainelli@anaconda.int-evry.fr) (gcc version 4.1.2) #1 Sat Jun 2 20:48:26 CEST 2007 ADM5120 revision 8, running at 175MHz Boot loader is: Bootbase Booted from : NOR flash Board is : ZyXEL Prestige 335/335WT GETENV: envname is memsize GETENV: returning 0x001000000 CPU revision is: 0001800b ADM5120 board setup Determined physical RAM map: memory: 00c18000 @ 003e8000 (usable) Wasting 32000 bytes for tracking 1000 unused pages Initrd not found or empty - disabling initrd Built 1 zonelists. Total pages: 4064 Kernel command line: console=ttyS0,115200 rootfs=jffs2,squashfs init=/etc/preinit Primary instruction cache 8kB, physically tagged, 2-way, linesize 16 bytes. Primary data cache 8kB, 2-way, linesize 16 bytes. Synthesized TLB refill handler (20 instructions). Synthesized TLB load handler fastpath (32 instructions). Synthesized TLB store handler fastpath (32 instructions). Synthesized TLB modify handler fastpath (31 instructions). PID hash table entries: 64 (order: 6, 256 bytes) Using 87.500 MHz high precision timer. Dentry cache hash table entries: 2048 (order: 1, 8192 bytes) Inode-cache hash table entries: 1024 (order: 0, 4096 bytes) Memory: 12236k/12384k available (2193k kernel code, 148k reserved, 330k data, 1360k init, 0k highmem) Mount-cache hash table entries: 512 NET: Registered protocol family 16 adm5120: system has PCI BIOS registering PCI controller with io_map_base unset usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb PCI: mapping irq for device 0000:00:02.0, slot:2, pin:1, irq:15 Time: MIPS clocksource has been installed. NET: Registered protocol family 2 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 512 (order: 0, 4096 bytes) TCP bind hash table entries: 512 (order: -1, 2048 bytes) TCP: Hash tables configured (established 512 bind 512) TCP reno registered squashfs: version 3.0 (2006/03/15) Phillip Lougher Registering mini_fo version $Id$ JFFS2 version 2.2. (NAND) (SUMMARY) (C) 2001-2006 Red Hat, Inc. io scheduler noop registered io scheduler deadline registered (default) Registered led device: adm5120:led ttyS0 at I/O 0x12600000 (irq = 9) is a ADM5120 ttyS1 at I/O 0x12800000 (irq = 10) is a ADM5120 eth0: ADM5120 switch port0 eth1: ADM5120 switch port1 eth2: ADM5120 switch port2 eth3: ADM5120 switch port3 eth4: ADM5120 switch port4 adm5120 : flash init : 0x1fc00000 0x00400000 adm5120 physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank Amd/Fujitsu Extended Query Table at 0x0040 number of CFI chips: 1 cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness. Flash device: 0x400000 at 0x1fc00000 block2mtd: version $Revision: 1.30 $ nf_conntrack version 0.5.0 (96 buckets, 768 max) ip_tables: (C) 2000-2006 Netfilter Core Team TCP vegas registered NET: Registered protocol family 1 NET: Registered protocol family 17 NET: Registered protocol family 15 Bridge firewalling registered 802.1Q VLAN Support v1.8 Ben Greear All bugs added by David S. Miller Freeing unused kernel memory: 1360k freed Warning: unable to open an initial console. Algorithmics/MIPS FPU Emulator v1.5 device eth0 entered promiscuous mode br-lan: port 1(eth0) entering learning state br-lan: topology change detected, propagating br-lan: port 1(eth0) entering forwarding state PPP generic driver version 2.4.2 wlan: (svn r2414) ath_hal: module license 'Proprietary' taints kernel. ath_hal: (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, RF2133, REGOPS_FUNC) ath_rate_minstrel: 1.2 (svn r2414) Minstrel automatic rate control algorithm. Look around rate set to 10% EWMA rolloff level set to 75% Max Segment size in the mrr set to 6000 us wlan: mac acl policy registered ath_pci: (svn r2414) init started: BusyBox v1.4.2 (2007-06-02 10:18:29 CEST) multi-call binary Please press Enter to activate this console. BusyBox v1.4.2 (2007-06-02 10:18:29 CEST) Built-in shell (ash) Enter 'help' for a list of built-in commands. _______ ________ __ | |.-----.-----.-----.| | | |.----.| |_ | - | _ | -__| | | | | _| _| |_ ^ |_____|__| ^ ^ | |____| |__| W I R E L E S S F R E E D O M KAMIKAZE (bleeding edge, r7437) ------------------- * 10 oz Vodka Shake well with ice and strain * 10 oz Triple sec mixture into 10 shot glasses. * 10 oz lime juice Salute! --------------------------------------------------- root@OpenWrt:/# br-lan: port 1(eth0) entering disabled state device eth0 left promiscuous mode br-lan: port 1(eth0) entering disabled state device eth0 entered promiscuous mode br-lan: port 1(eth0) entering learning state br-lan: topology change detected, propagating br-lan: port 1(eth0) entering forwarding state br-lan: port 1(eth0) entering disabled state device eth0 left promiscuous mode br-lan: port 1(eth0) entering disabled state device eth0 entered promiscuous mode br-lan: port 1(eth0) entering learning state br-lan: topology change detected, propagating br-lan: port 1(eth0) entering forwarding state

Untouched switch mapping

By default the switch mapping is a bit complicated :

port2 -> eth2
port1 -> eth3
port4 -> eth0
port3 -> eth1
wan -> eth4


