Contact me about this page via Jabber at slapinid nospam at gmail dot com (remove nospam), by email at the same address, or by email at slapin at hackndev dot com.
All source is available using git:
git clone git://ossfans.org/git/di524up.git
The build is tested only on Debian testing. I did not bother testing any other distro. It won't work on a non-i386 system, and it won't work on x86_64 in native mode. If you find a problem with the build and succeed in fixing it for your system, I want to know about it and I accept patches. Otherwise, don't bother; it is only for hardcore developers and very fragile.
To get working firmware from it, run make firmware-2.4.28-stamp and that should build everything for you. The build requires about 1Gb of space.
To build the old Realtek kernel, do the following (not actually recommended).
You will need to have old compatibility libs installed for the closed source binaries to work. To build, use make:
make linux_menuconfig (exit, then save)
make dep
make linux
You will need to make yourself a serial console. First you will need to find either a MAX3232 or similar line driver, or some phone data cable (I used DKU-5). I will add more details on that later.
The pinout for the board's serial connector is (connector on the left, from near you to far) TX, GND, VCC (3.3V), RX. Pin names are given relative to the board. For a phone data cable you will need TX, GND and RX only. If you use a MAX3232, you will want to use VCC to power it.
Board:
Serial header:
Port speed is set to 38400, so configure your PC side of port appropriately. You will see the following on serial when you boot-up your router:
00.01.15(uClinux) (Mar 17 2006 16:07:36)
System Clock Rate: 200MHz, Memory Clock Rate: 130MHz
Detected flash size: total 4MB.
SDRAM MCR: E2A01000
SDRAM size: 16MB
Press 'w' for alpha's web upgrade.
Press 'r' to update run image, or 'a' to change config,
or 'l' to update loader, or 'g' to load run image without updating Flash,
or '2' to enter L2 switch mode(50A), or '3' to enter L2 switch mode(50B) ...
ForceRunLoader=0 ...
Loading runtime image ...
Imag Start Address =0xbe030000
Find a 7zip self-decompressed kernel image, Just GO!
************************************
Powered by Realtek RTL8650B SoC, rev 1
************************************
CPU revision is: 0000ff00
Init MMU (16 entries)
Primary instruction cache 0kB, linesize 0 bytes.
Primary data cache 0kB, linesize 0 bytes.
Linux version 2.4.26-uc0 (root@redhat9) (gcc version 3.3.3) #1 Mon May 15 14:23:11 CST 2006
Determined physical RAM map:
memory: 01000000 @ 00000000 (usable)
NOFS reserved @ 0x803d3540
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock3 rootfstype=squashfs
IRR(0)=c0000000
Calibrating delay loop... 199.06 BogoMIPS
Memory: 12280k/16384k available (2697k kernel code, 4104k reserved, 312k data, 96k init, 0k highmem)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
NEW PCI Driver...isLinuxCompliantEndianMode=False(Big Endian)
Found Realtek 8185 PCI Card, function=0!
IO Space 0, data=0xffffff01 size=0x100
Memory Space 1 data=0xfffffe00 size=0x200
PCI device exists: slot 0 function 0 VendorID 10ec DeviceID 8185 bbd40000
io mapping BAnum=0 slot=0 func=0
memory mapping BAnum=1 slot=0 func=0
assign mem base 1bf00000~1bf001ff at bbd40014 size=512
assign I/O base 1be00000~1be000ff at bbd40010 size=256
Find Total 1 PCI functions
Found 00:00 [10ec/8185] 000200 00
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SERIAL_PCI enabled
ttyS00 at 0xbd011100 (irq = 4) is a 16550A
ttyS01 at 0xbd011000 (irq = 3) is a 16550A
Probing RTL8651 home gateway controller...
Initialize RTL865x ASIC and driver
chip name: 8650B, chip revid: 1
Initialize mbuf...
creating default 2 interfaces...eth0 IRR(6)=c0040000
eth1 ...OK
>>>now is rome 3.4 running ........
PPP generic driver version 2.4.2
PPP BSD Compression module registered
SCSI subsystem driver Revision: 1.00
Amd/Fujitsu Extended Query Table v1.3 at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
Looking for mtd device mtd1:
Found a mtd1 image (0x20000), with size (0x10000).
Looking for mtd device mtd2:
Found a mtd2 image (0x30000), with size (0xc56b8).
Looking for mtd device mtd3:
Found a mtd3 image (0xf56b8), with size (0x17e000).
Creating 4 MTD partitions on "Physically mapped flash":
0x00000000-0x00020000 : "ldr"
0x00020000-0x00030000 : "alphafs"
0x00030000-0x000f56b8 : "kernel"
0x000f56b8-0x002736b8 : "squashfs"
RTL8185(for RTL865xB platform) driver version 1.10 (2005-11-23)
pcibios_set_master: already done when device probed.
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
USB configurate change f0000001
host/usb-ohci-rtl865x.c: USB OHCI at membase 0xbd000000, IRQ 1
host/usb-ohci-rtl865x.c: usb-
usb.c: new USB bus registered, assigned bus number 1
IRR(1)=f0040000
write minterval 27782edf swap df2e7827
read fminterval 27782edf swap df2e7827
hub.c: USB hub found
hub.c: 1 port detected
usb.c: registered new driver usblp
printer.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usb.c: registered new driver usb-storage
USB Mass Storage support registered.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
GRE over IPv4 tunneling driver
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 96k freed
IRR(3)=f3040000
initial console created on /dev/tts/1
Shell invoked to run file: /etc/rc
Command: #### Stanley dynamic mknode ####
Command: mknod /dev/wlchr0 c 13 0
Command: mknod /dev/wlchr1 c 13 1
Command: mknod /dev/ptyp0 c 2 0
Command: mknod /dev/ptyp1 c 2 1
Command: mknod /dev/ptyp2 c 2 2
Command: mknod /dev/ptyp3 c 2 3
Command: mknod /dev/ptyp4 c 2 4
Command: mknod /dev/ptyp5 c 2 5
Command: mknod /dev/ptyp6 c 2 6
Command: mknod /dev/ptyp7 c 2 7
Command: mknod /dev/ptyp8 c 2 8
Command: mknod /dev/ptyp9 c 2 9
Command: mknod /dev/ptypa c 2 10
Command: mknod /dev/ptypb c 2 11
Command: mknod /dev/ptypc c 2 12
Command: mknod /dev/ptypd c 2 13
Command: mknod /dev/ptype c 2 14
Command: mknod /dev/ptypf c 2 15
Command: mknod /dev/tty0 c 4 0
Command: mknod /dev/tty1 c 4 1
Command: mknod /dev/tty2 c 4 2
Command: mknod /dev/tty3 c 4 3
Command: mknod /dev/tty4 c 4 4
Command: mknod /dev/tty5 c 4 5
Command: mknod /dev/ttyS0 c 4 64
Command: mknod /dev/ttyS1 c 4 65
Command: mknod /dev/ttyp0 c 3 0
Command: mknod /dev/ttyp1 c 3 1
Command: mknod /dev/ttyp2 c 3 2
Command: mknod /dev/ttyp3 c 3 3
Command: mknod /dev/ttyp4 c 3 4
Command: mknod /dev/ttyp5 c 3 5
Command: mknod /dev/ttyp6 c 3 6
Command: mknod /dev/ttyp7 c 3 7
Command: mknod /dev/ttyp8 c 3 8
Command: mknod /dev/ttyp9 c 3 9
Command: mknod /dev/ttypa c 3 10
Command: mknod /dev/ttypb c 3 11
Command: mknod /dev/ttypc c 3 12
Command: mknod /dev/ttypd c 3 13
Command: mknod /dev/ttype c 3 14
Command: mknod /dev/ttypf c 3 15
Command: mknod /dev/video0 c 81 0
Command: mknod /dev/usblp0 c 180 0
Command: mknod /dev/node c 254 0
Command: mknod /dev/node1 c 254 1
Command: #### end dynamic mknode ####
Command: mount -t proc proc /proc
Command: mount -t ramfs ramfs /var
Command: mount -t usbdevfs none /proc/bus/usb
Command: mkdir /var/tmp
Command: mkdir /var/ppp/
Command: mkdir /var/log
Command: mkdir /var/run
Command: mkdir /var/lock
Command: mkdir /var/flash
Command: mkdir /var/usbmnt
Command: mkdir /var/webcam
Command: mkdir /var/spool
Command: mkdir /var/spool/lpd
Command: mkdir /var/spool/lpd/lp0
Command: mkdir /var/spool/lpd/lp1
Command: mkdir /var/spool/lpd/lp2
Command: mkdir /var/spool/lpd/lp3
Command: # add hostname for lprng.
Command: # /etc/hosts also need have same name.
Command: hostname alpharg
Command: #lpd
Command: #iwcontrol is required for RTL8185 Wireless driver
Command: #iwcontrol auth &
Command:
Command: #busybox insmod /lib/modules/2.4.26-uc0/kernel/drivers/usb/quickcam.o
Command: #++++ Stanley add for Di-524up english and chinese 2005.10.18
Command: ln -s /webpage/en /var/www
Command: #---- Stanley
Command: /bin/webs -u root -d /www -i /var/run/thttpd.pid &
[24]
Command:
Command: #ifconfig wlan0 up promisc
Command:
Command:
Command:
Command:
Execution Finished, Exiting
Sash command shell (version 1.1.1)
/> System initializing...Check the crc=0xe07b26be,file_des->chksum=0xe07b26be!
Config info:
table total size[49548|0xc18c] === max[196608|0x30000]!
rtl8651_user_pid set to 24
WAN/LAN, Bring up ext port 6..
Rx shift=10002
cfg wan to static ...
target default
================runDNSProxy==================
[31]
Set IGMP Default Upstream interface (eth0) ... SUCCESS!!
[35]
[37]
PPPoE Passthru disabled.
Drop Unknown PPPoE PADT disabled.
IPv6 Passthru disabled.
IPX Passthru disabled.
NETBIOS Passthru disabled.
WebRemoteAccessCset drule=0
onfig
ReadPPPoESessionInfo: idx=0 id = 0
ReadPPPoESessionInfo: idx=1 id = 0
/www/Status/st_blocked.htm: No such file or directory
[40]
get lan ip a000001
enable my host is =routers.dlink.com=Now set the wan uplink bandwidth as 100000000!
ratio = 100!
WLAN, Setting Regulator domain to 0
===Total 1 wlan cards
ifconfig wlan0 down
interface: eth1
config : /var/neap.conf
get vendor = ALPHA
get model = DI-524UP
get version = v0.5.0
get secret = xxx
eth1: ip:10.0.0.1, mask:255.255.255.0, mac 00:17:9a:db:02:dc
eth1 (ip) = 10.0.0.1, (netmask) = 255.255.255.0, adapter index 3
adapter hardware address 00:17:9a:db:02:dc
Into Server listen!!
IRR(5)=f3040000
Request IRQ5, ret=0
Reserve port 6 for peripheral device use. (0x40)
Total WLAN/WDS links: 1
Device wlan0 on vlan ID 9 using Link ID 1. Loopback/Ext port is 6
Delete port 0 from peripheral port set. (0x40)
Total WLAN/WDS links: 0
Device wlan0's link ID 1 unregistered.
==========wlan_init: wlan0 work arround
Setup WLAN device 0...
busybox iwpriv wlan0 set_mib chipVersion=11
busybox iwpriv wlan0 set_mib regdomain=3
ifconfig wlan0 hw ether 00:17:9A:DB:02:DC
busybox iwpriv wlan0 set_mib rxChargePump=3
busybox iwpriv wlan0 set_mib txChargePump=6
busybox iwpriv wlan0 set_mib opmode=16
busybox iwpriv wlan0 set_mib RFChipID=7
busybox iwpriv wlan0 set_mib Diversity=1
busybox iwpriv wlan0 set_mib DIG_enable=1
busybox iwpriv wlan0 set_mib HighPowerChk=1
busybox iwpriv wlan0 set_mib AntDvrsty=1
busybox iwpriv wlan0 set_mib DefaultAnt=0
busybox iwpriv wlan0 set_mib dtimperiod=1
busybox iwpriv wlan0 set_mib expired_time=30000
busybox iwpriv wlan0 set_mib longretry=6
busybox iwpriv wlan0 set_mib shortretry=6
/var/8185wpa.conf: ssid = "slapin"
busybox iwpriv wlan0 set_mib channel=6
busybox iwpriv wlan0 set_mib fragthres=2346
busybox iwpriv wlan0 set_mib rtsthres=2346
busybox iwpriv wlan0 set_mib band=3
busybox iwpriv wlan0 set_mib disable_protection=0
busybox iwpriv wlan0 set_mib deny_legacy=0
busybox iwpriv wlan0 set_mib basicrates=15
busybox iwpriv wlan0 set_mib TxPowerOFDM=0,18
busybox iwpriv wlan0 set_mib TxPowerCCK=0,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=1,18
busybox iwpriv wlan0 set_mib TxPowerCCK=1,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=2,18
busybox iwpriv wlan0 set_mib TxPowerCCK=2,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=3,18
busybox iwpriv wlan0 set_mib TxPowerCCK=3,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=4,18
busybox iwpriv wlan0 set_mib TxPowerCCK=4,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=5,18
busybox iwpriv wlan0 set_mib TxPowerCCK=5,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=6,18
busybox iwpriv wlan0 set_mib TxPowerCCK=6,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=7,18
busybox iwpriv wlan0 set_mib TxPowerCCK=7,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=8,18
busybox iwpriv wlan0 set_mib TxPowerCCK=8,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=9,18
busybox iwpriv wlan0 set_mib TxPowerCCK=9,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=10,18
busybox iwpriv wlan0 set_mib TxPowerCCK=10,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=11,18
busybox iwpriv wlan0 set_mib TxPowerCCK=11,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=12,18
busybox iwpriv wlan0 set_mib TxPowerCCK=12,12
busybox iwpriv wlan0 set_mib TxPowerOFDM=13,18
busybox iwpriv wlan0 set_mib TxPowerCCK=13,12
busybox iwpriv wlan0 set_mib bcnint=100
busybox iwpriv wlan0 set_mib preamble=0
busybox iwpriv wlan0 set_mib cts2self=1
busybox iwpriv wlan0 set_mib autorate=1
busybox iwpriv wlan0 set_mib oprates=4095
busybox iwpriv wlan0 set_mib hiddenAP=0
/var/8185wpa.conf: encryption = 2
/var/8185wpa.conf: unicastCipher = 3
busybox iwpriv wlan0 set_mib encmode=2
busybox iwpriv wlan0 set_mib 802_1x=1
/var/8185wpa.conf: enableMacAuth = 0
/var/8185wpa.conf: supportNonWpaClient = 0
/var/8185wpa.conf: groupRekeyTime = 3600
busybox iwpriv wlan0 set_mib authtype=0
/var/8185wpa.conf: enable1x = 0
/var/8185wpa.conf: authentication = 2
/var/8185wpa.conf: usePassphrase = 1
/var/8185wpa.conf: psk = "xxx"
busybox iwpriv wlan0 set_mib aclmode=0
ifconfig wlan0 up
IRR(5)=f3040000
Request IRQ5, ret=0
Reserve port 6 for peripheral device use. (0x40)
Total WLAN/WDS links: 1
Device wlan0 on vlan ID 9 using Link ID 1. Loopback/Ext port is 6
auth wlan0 eth0 auth /var/8185wpa.conf &
[173]
auth uses obsolete (PF_INET,SOCK_PACKET)
Initiate IEEE 802.1X (WPA) daemon, version 1.7 (2005-11-14)
iwcontrol wlan0
Open wlan0...
the printer cmdline=lpd -Z 1 -U 1 &!
[180]
[182]
2000/1/1 3:0 day=6
==== MSNTP simple version, cilent only ====
[185]
serverp_tableDriverAccess: rtl8651_delNaptServerPortMapping() ret:-3
serverp_tableDriverAccess: rtl8651_delNaptServerPortMapping() ret:-3
serverp_tableDriverAccess: rtl8651_delNaptServerPortMapping() ret:-3
serverp_tableDriverAccess: rtl8651_delNaptServerPortMapping() ret:-3
target 239.0.0.0
SIOCDELRT: No such process
target 239.0.0.0
[187]
nothing to monitor
[191]
info, server (v0.9.9-pre) started
error, max_leases value (254) not sane, setting to 100 instead
error, Unable to open /var/udhcpd.leases for reading
sntp operation : op_client, count:1
accept:auto ,en ,zh-tw ,french ,german ,italian ,korea ,spanish ,dir = /www
msntp: no acceptable packets received
0, count:1, attempts:1Intializing UPnP
with desc_doc_url=http://10.0.0.1:52869/picsdesc.xml
ipaddress=10.0.0.1 port=52869
conf_dir_path=/etc/pseudoicsd/
shiang(180): Set_lpd_pid(5)
shiang_lpd:s=515, Lpd_listen_port_DYN=(null), Lpd_port_DYN=515
shiang_Ipp:s=off, Ipp_listen_port_DYN=off
shiang_Unix:s=/var/run/lprng, Unix_socket_path_DYN=/var/run/lprng
192: the pid_str=192 pofd 17 17!
192: jobQueue_Init success!
192: Into printer_Hotplug_Action()!
192: After reset pDev_Queue, we check each entries!
192: pclose!
192: Into printer_pofdConfig_Action!
192: create socket success!
192:The unix socket file path=/var/run/pof.d
To continue hacking you will need the following things:
Unpack the firmware tarball somewhere. The source is quite dirty, so expect to have to hack it around to make it build.
Remove all broken symlinks from the include directory.
Fix the uClibc symlink in the lib directory: cd lib && rm -f uClibc && ln -s ../uClibc .
Edit Makefile and config.arch. The values to edit are: PATH in Makefile (edit the first part to point to your toolchain bin dir), and don't forget to modify CROSS_COMPILE in config.arch to point to your toolchain binaries' prefix.
Some source code is pre-configured to weird paths. You will have to re-configure it, since the Makefiles won't do it for you. E.g. for gsasl, the configure line will be:
./configure --disable-gssapi --host=mips-linux
(don't forget to make distclean beforehand)
To build the code you have to run 'make dep' followed by 'make'.
Paths are relative to the top dir you unpacked the source into.
Attaching a hard drive itself is not much of a problem. I used a self-powered USB box for that; I never tested flash drives et al. The kernel contains compiled-in USB mass storage support. The user manual for the device tells you that you can't attach anything but a printer to this port, but they have some WLAN-configuration stuff from Microsoft implemented there. So they thought about some uses at least.
Most problems here are:
This part contains some random things I found during my research of the bootloader. Most of this is actually useless, though.
Well, to serve bootp you can use either bootp server or dhcp server.
Since I find setting-up dhcp simpler, I used ISC dhcp server. I will just provide my config here without much detail, since it is out of scope of this page and there is a lot of documentation on the subject.
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "int";
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility daemon;
subnet 10.1.0.0 netmask 255.255.255.0 {
next-server 10.1.0.1;
range dynamic-bootp 10.1.0.5 10.1.0.200;
filename "firmware.bix";
}
I don't need to mention that my interface configuration is 10.1.0.0/24, and the most important part is within the subnet declaration.
You will need a tftp server. To give the firmware name without a path, you will need a tftpd which supports specifying a root path. Otherwise you will need to specify filename "/tftpboot/firmware.bix" or something like this. If something is wrong, consult your logs and the appropriate documentation for hints.
You don't need to do this to flash over tftp, and this actually doesn't work due to bugs in bootloader. Skip below.
System Clock Rate: 200MHz, Memory Clock Rate: 130MHz
Detected flash size: total 4MB.
SDRAM MCR: E2A01000
SDRAM size: 16MB
Press 'w' for alpha's web upgrade.
Press 'r' to update run image, or 'a' to change config,
or 'l' to update loader, or 'g' to load run image without updating Flash,
or '2' to enter L2 switch mode(50A), or '3' to enter L2 switch mode(50B) ...
Press 'a' here (or before, but not later). Then press enter 4 times (to accept the defaults for the first four lines of input you get).
!! Change configuration !!
Input MAC address(00-17-9a-db-02-dc):
Input run image start address in ram, default 0x80080000 (0x80080000):
Input run image start offset in flash, default 0x20000 (0x20000):
Input run image max size, default 0x1e0000 (0x3d0000):
Press 1 on the following line. That will enable booting over the network using the BOOTP protocol. To undo this, repeat the whole procedure and put 0 here.
Input Boot Sequence, 0:BOOT_FROM_FLASH 1:BOOT_FROM_BOOTP 2:L2 Switch(50A), 3:L2 Switch(50B), default 0 (0):1
Writing FlashROM... SUCCESS
Booting seems to be done via the interface attached to the switch. Since I use my router mostly over wifi, I dedicated the plain ethernet interface on my laptop to booting, so I just run a dhcp server on it (I use the isc-dhcp3 package on Debian). So connect your boot interface to one of the switch ports. I was unable to make the device boot though; it says it can't set up the VLAN.
00.01.15(uClinux) (Mar 17 2006 16:07:36)
System Clock Rate: 200MHz, Memory Clock Rate: 130MHz
Detected flash size: total 4MB.
SDRAM MCR: E2A01000
SDRAM size: 16MB
Press 'w' for alpha's web upgrade.
Press 'r' to update run image, or 'a' to change config,
or 'l' to update loader, or 'g' to load run image without updating Flash,
or '2' to enter L2 switch mode(50A), or '3' to enter L2 switch mode(50B) ...
ForceRunLoader=0 ...
!!Load Run Image Without Updating Flash !!
Press 'i' for ICE raw mode, or 'b' for BOOTP ... (b)
MAC: 00-17-9a-db-02-dc.
Creating vlan fails:17
If you press 'i' you will see this:
00.01.15(uClinux) (Mar 17 2006 16:07:36)
System Clock Rate: 200MHz, Memory Clock Rate: 130MHz
Detected flash size: total 4MB.
SDRAM MCR: E2A01000
SDRAM size: 16MB
Press 'w' for alpha's web upgrade.
Press 'r' to update run image, or 'a' to change config,
or 'l' to update loader, or 'g' to load run image without updating Flash,
or '2' to enter L2 switch mode(50A), or '3' to enter L2 switch mode(50B) ...
ForceRunLoader=0 ...
!!Load Run Image Without Updating Flash !!
Press 'i' for ICE raw mode, or 'b' for BOOTP ... (b) ! Stop MULTI, type: 'memload raw run.bix 0x80600000'
Then, input the image length (in bytes):
I tried googling for memload and MULTI. For the first I found nothing; for the second I see http://www.ghs.com/products/MULTI_IDE.html but I don't know if that is related.
Btw, you can get more promising screen if you press w at beginning:
00.01.15(uClinux) (Mar 17 2006 16:07:36)
System Clock Rate: 200MHz, Memory Clock Rate: 130MHz
Detected flash size: total 4MB.
SDRAM MCR: E2A01000
SDRAM size: 16MB
Press 'w' for alpha's web upgrade.
Press 'r' to update run image, or 'a' to change config,
or 'l' to update loader, or 'g' to load run image without updating Flash,
or '2' to enter L2 switch mode(50A), or '3' to enter L2 switch mode(50B) ...
MAC: 00-17-9a-db-02-dc
VLAN_init finished
enet_init finished
TFTP Server Started ...
Load image/code to 192.168.0.1
Web Server Staring...
Ethernet works in this case, but all ports are bridged in this mode, so you'd better unplug your WAN cable from the device to reduce the danger of being chased by your ISP staff :)
But anyway, I did not manage to make this mode work either :( That might be due to not enough effort, so I'll retry in a few days. The standard web firmware burner works though; I need to look into it more closely.
Ok, finally, flashing over tftp works. It does not seem possible to test your image without flashing it first, but flashing works perfectly.
First, I need to mention that if you put something strange on tftp as your firmware, it won't work, since the bootloader checks for the image magic number. The same thing happens when you put the stock update firmware there. In both cases you will see the following picture:
System Clock Rate: 200MHz, Memory Clock Rate: 130MHz
Detected flash size: total 4MB.
SDRAM MCR: E2A01000
SDRAM size: 16MB
Press 'w' for alpha's web upgrade.
Press 'r' to update run image, or 'a' to change config,
or 'l' to update loader, or 'g' to load run image without updating Flash,
or '2' to enter L2 switch mode(50A), or '3' to enter L2 switch mode(50B) ...
Press 'r' here; this is the only mode which works for reflashing. The other modes do not work due to bootloader bugs. No, you don't want to change the bootloader without proper equipment for recovery (JTAG).
!!Update Run Image !!
Press 'i' for ICE raw mode, or 'b' for BOOTP ... (b)
MAC: 00-17-9a-db-02-dc.
BOOTP request sent
BOOTP: IP 10.1.0.199, server 10.1.0.1, boot file 'firmware.bix'
TFTP request: server 10.1.0.1, file 'firmware.bix' addr 0x80600000 start 0x00000000
TFTP: downloaded 2038108 bytes
Image type error!
This happens because the actual image should have the magic number 0x59a0e842 (big endian) as its first four bytes, and 0x8dc9 (big endian) as the following 2. If you look at the firmware update from the D-Link site, you will find that these numbers start four bytes into the file. So skip the first 4 bytes to flash the stock firmware. I do this in a very inefficient but simple way, using the dd if=original.bix of=proper.bix skip=4 bs=1 command.
So next time we have success:
00.01.15(uClinux) (Mar 17 2006 16:07:36)
System Clock Rate: 200MHz, Memory Clock Rate: 130MHz
Detected flash size: total 4MB.
SDRAM MCR: E2A01000
SDRAM size: 16MB
Press 'w' for alpha's web upgrade.
Press 'r' to update run image, or 'a' to change config,
or 'l' to update loader, or 'g' to load run image without updating Flash,
or '2' to enter L2 switch mode(50A), or '3' to enter L2 switch mode(50B) ...
!!Update Run Image !!
Press 'i' for ICE raw mode, or 'b' for BOOTP ... (b)
MAC: 00-17-9a-db-02-dc.
BOOTP request sent
BOOTP: IP 10.1.0.199, server 10.1.0.1, boot file 'firmware.bix'
TFTP request: server 10.1.0.1, file 'firmware.bix' addr 0x80600000 start 0x00000000
TFTP: downloaded 2381624 bytes
Writing Runtime Image ... Please DON'T Shutdown!! SUCCESS !
Imag Start Address =0xbe030000
and the image will boot. To flash your custom firmware, use 7krun.bix in the images directory of your source tree, as generated by D-Link's source.
Alas, these four bytes at the beginning of the stock firmware are added by a closed tool. They are needed by the web flash tool. I don't know anything about their purpose.
I am working on this now, to be able to check that custom firmware contains all needed files, and to remove the need for closed tools.
Header for BIX file. All numbers are big endian if not stated otherwise.
| Field name | Field size in bytes | Comment |
|---|---|---|
| productMagic | 4 | uint32, always 0x59a0e842 |
| imageType | 2 | uint16, 0xea43 for run image |
| imageHdrVer | 1 | uint8 (always 1) |
| reserved1 | 1 | for 32-bit alignment |
| date | 4 | uint32 Image Creation Date (in Network Order): B1B2: year (0..65535) (BigEndian); B3: month (1..12); B4: day (1..31) |
| time | 4 | uint32 Image Creation Time (in Network Order): B1: hour (0..23); B2: minute (0..59); B3: second (0..59) |
| imageLen | 4 | image header length not counted in |
| reserved2 | 2 | uint16 |
| imageBdyCksm | 1 | uint8 checksum, cover range: image body |
| imageHdrCksm | 1 | uint8 checksum, cover range: image header |
| The following fields are written to flash | | |
| signature | 4 | string, A7KZ in my case, written by alpha_pack |
| uncompressor address | 4 | Inserted by bcat, probably a starting point |
| kernel_size | 4 | uint32 Aligned kernel image size (use 4 for alignment value) |
| filesys_no | 4 | uint32 Number of filesystems within image, usually 1 |
| fs1_size | 4 | uint32, padded |
| fs2_size | 4 | uint32, padded |
| fs3_size | 4 | uint32, padded |
| fs4_size | 4 | uint32, padded |
| 0 | 4 | uint32 always 0, seems to be reserved |
| 0 | 4 | uint32 always 0, seems to be reserved |
| kernel | kernel_size | kernel image itself |
| filesystems | fs1_size+fs2_size+...+fs4_size | filesystem images, concatenated and padded |
Once I am able to decode the .bix format, I will be able to replace the kernel in stock firmware, for a step-by-step evolution approach.
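The header table above and the 4-byte prefix on stock images can be checked with a small parser before an image goes onto the tftp server. This is an added example, not code from this page or from D-Link's tools; the function names, the all-zero 4-byte prefix, the uncompressor address and the sample image are constructed. The checksums and imageType are only reported, since the page does not give the checksum algorithm and quotes two different values for the bytes after the magic.

```python
import struct

MAGIC = 0x59A0E842                            # productMagic from the table
IMG_HDR = struct.Struct(">IHBBHBBBBBxIHBB")   # 24-byte image header
FLASH_HDR = struct.Struct(">4sIII4III")       # 40 bytes written to flash


def header_offset(data: bytes) -> int:
    """0 = image the bootloader accepts, 4 = stock web-update image."""
    for off in (0, 4):
        if len(data) >= off + 4 and struct.unpack_from(">I", data, off)[0] == MAGIC:
            return off
    raise ValueError("productMagic 0x59a0e842 not found at offset 0 or 4")


def parse_bix(data: bytes) -> dict:
    """Parse both headers and bounds-check every length field against the file."""
    off = header_offset(data)
    body = data[off:]                         # same effect as dd skip=4 bs=1
    hdr_len = IMG_HDR.size + FLASH_HDR.size
    if len(body) < hdr_len:
        raise ValueError(f"truncated: {len(body)} bytes, headers need {hdr_len}")
    (_magic, image_type, hdr_ver, _r1, year, month, day, hour, minute, second,
     image_len, _r2, body_cksm, hdr_cksm) = IMG_HDR.unpack_from(body, 0)
    (signature, uncompressor, kernel_size, fs_no,
     *fs_sizes, _z1, _z2) = FLASH_HDR.unpack_from(body, IMG_HDR.size)
    if fs_no > 4:
        raise ValueError(f"filesys_no={fs_no}, header has room for 4 sizes")
    # Walk the kernel, then the filesystems; each must end inside the file.
    kernel = (hdr_len, hdr_len + kernel_size)
    if kernel[1] > len(body):
        raise ValueError("kernel_size runs past end of file")
    filesystems, pos = [], kernel[1]
    for size in fs_sizes[:fs_no]:
        if pos + size > len(body):
            raise ValueError("filesystem size runs past end of file")
        filesystems.append((pos, pos + size))
        pos += size
    return {
        "prefix_len": off,
        "image_type": image_type,             # reported, not enforced
        "header_version": hdr_ver,
        "created": f"{year:04d}-{month:02d}-{day:02d} "
                   f"{hour:02d}:{minute:02d}:{second:02d}",
        "image_len": image_len,
        "checksums": (body_cksm, hdr_cksm),   # algorithm not given on the page
        "signature": signature,
        "uncompressor": uncompressor,
        "kernel": kernel,                     # byte ranges in the stripped image
        "filesystems": filesystems,
    }


def build_sample(prefix: bytes = b"") -> bytes:
    """Constructed test image: 8-byte kernel, one 12-byte filesystem."""
    kernel, fs = b"K" * 8, b"F" * 12
    flash = FLASH_HDR.pack(b"A7KZ", 0x80000000, len(kernel), 1,
                           len(fs), 0, 0, 0, 0, 0)
    img = IMG_HDR.pack(MAGIC, 0xEA43, 1, 0, 2006, 3, 17, 16, 7, 36,
                       len(flash) + len(kernel) + len(fs), 0, 0, 0)
    return prefix + img + flash + kernel + fs


if __name__ == "__main__":
    for name, blob in (("flashable", build_sample()),
                       ("stock", build_sample(b"\x00" * 4))):
        print(name, parse_bix(blob))
```

A result with prefix_len 4 means the file still carries the web-tool prefix and would be rejected by the bootloader until the first four bytes are stripped.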
You can get the following tools to put on your router via attached USB mass storage:
busybox 1.1.0 (I was unable to make version 1.7.2 work yet, and never tried hard)
strace
These prebuilt images are made from public packages. strace was taken from Debian testing with the following patch applied (from buildroot):
iff -ur strace-4.5.15/signal.c strace-4.5.15-patched/signal.c
--- strace-4.5.15/signal.c 2007-01-11 16:08:38.000000000 -0600
+++ strace-4.5.15-patched/signal.c 2007-02-06 20:49:34.714320249 -0600
@@ -1440,7 +1440,7 @@
tcp->u_rval = tcp->u_error = 0;
if(tcp->u_arg[0] == 0)
return 0;
- tcp->auxstr = sprintsigmask("mask now ", tcp->u_arg[1]);
+ tcp->auxstr = sprintsigmask("mask now ", tcp->u_arg[1], 0);
return RVAL_NONE | RVAL_STR;
}
return 0;
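Review bot: the third argument added to the sprintsigmask() call on the changed line is a bare literal 0, and nothing in the hunk says what it selects; a short comment or a named constant at the call site would make the intent reviewable. The hunk touches only this one call in signal.c, so it is also worth confirming that every other sprintsigmask() caller in the tree already passes three arguments.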
Busybox was built w/o any patching, I just had to disable some applets (e.g. sort).
I've got a problem with busybox:
/var/usbmnt/disk0(-ST3120022A)/modules> ./busybox mkswap -v0 swapfile
mkswap: Assuming pages of size 65536
Setting up swapspace version 0, size = 20905984 bytes
/var/usbmnt/disk0(-ST3120022A)/modules> ./busybox swapon swapfile
Unable to find swap-space signature
swapon: swapfile: Invalid argument
pid 395: failed 256
/var/usbmnt/disk0(-ST3120022A)/modules>
Interesting, what could be wrong...