Tuesday, May 18, 2010, 17:56
The Bootloader (SX762)
To put OpenWRT on the device, would had to fight through Siemens bootloader as while it is an U-boot it was modified slightly (bootm command just tries to boot runtime image from flash no matter if memory address given or not and most commands start with Siemens header checking).
Boot process as follows:
ROM VER: 1.0.3 CFG 01 Read EEPROMX X
This is Infineon Danube's ROM bootstrapped to boot from FLASH, there is a way to put the board into UART mode finding the correct bootstrap pins but myself had not much to do with electronics.
SHC Danube-External-Flash-Boot - Version V1.1 Mem-config: Flash: 8MB- 8MBx1 Ram: 32MB-32MBx1 Low level dbg is active... CPU0 MEMS
No idea what this part is think it is a debugger before first bootloader
-- Danube Primary loader --
Version : 4.1.23.52.0
Build Profile : sx76x_danube_a
Build Date : Jul 25 2008 - 17:47:44
--> Extract primary loader [ OK ]
--> Validate secondary loader (FLASH) [ OK ]
Here is one thing to notice primary loader is a modified u-boot "Validate secondary loader (FLASH)" is do checkings on secondary bootloader header (if it is for the board, have good sha256 checksum and that sha256 checksum is signed with Siemens 1024bit RSA private key), if it fails it just opens a tftp server and waiting for a correct secondary loader.
-- Danube Secondary loader --
Version : 4.1.26.52.0
Build Profile : sx76x_danube_b
Build Date : Jun 16 2008 - 18:02:01
--> Extract secondary loader [ OK ]
--> Press enter to activate cli [ 00 ]
sx76x >
And the secondary loader this one have command line interface but crippled down:
sx76x > help
base - print or set address offset
bootm - boot application image from memory
bootp - boot image via network using BootP/TFTP protocol
bootd - boot default, i.e., run 'bootcmd'
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
erase - erase FLASH memory
flinfo - print FLASH memory information
go - start application at address 'addr'
help - print online help
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nm - memory modify (constant address)
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
tftpboot- boot image via network using TFTP protocol
and env variables ipaddr and serverip
upgrade - data_block_name srcAddr srcLen 0/1? - alias for 'help'
sx76x >
From here it is possible to upgrade primary, secondary loader or runtime.img to the device and while upgrade process not doing complete header checkings (header must exists but no sha256 and signature validation for the image) of course any tries to replace runtime with WRT result:
--> Validate runtime image (FLASH) wrong signature [FAILED] Trying tftp recovery download from 192.168.1.110 ... TFTP server 192.168.1.110; our IP 192.168.1.1 Filename 'runtime.img'. Load address: 0x80400000
"Signature checking failed", so seems like WRT plans went to dust unless:
1.) Get Siemens private key to sign firmare (not an option)
2.) Modify bootloader memory with u-boot (not an options for me at least)
3.) Try to load up a 3rd bootloader from memory (OpenWRT has one for a reference board)
So tried to compile Uboot-lantiq package from OpenWRT, here would like to thank Ralph for all his help and patience with me, if he is not i would gave it up already.
Seemed like Siemens Secondary go command unlike their bootm not doing firmware checkings. Still every single time i tried to upload U-boot into memory and run with go device just froze up. As a last try tried to flash it to runtime (with prepared siemens header) and start from there with go.
## Starting application at 0xB0020180 ... U-Boot 2009.11.1 (May 13 2010 - 06:34:35) Board: unknown, chip part number 0x12B V1.3, DDR Speed 166 MHz, CPU Speed 333 MHz DRAM: 32 MB Flash: 8 MB *** Warning - bad CRC, using default environment Net: lq_cpe_eth Type "run flash_nfs" to mount root filesystem over NFS Hit any key to stop autoboot: 0 DANUBE =>
Now have a working 3rd bootloader could try to launch openwrt image up:
DANUBE => run net_nfs
Using lq_cpe_eth device
TFTP from server 192.168.1.110; our IP address is 192.168.1.1
Filename 'openwrt-ifxmips-uImage'.
Load address: 0x80500000
Loading: *#################################################################
#
done
Bytes transferred = 964812 (eb8cc hex)
## Booting kernel from Legacy Image at 80500000 ...
Image Name: MIPS OpenWrt Linux-2.6.30.10
Created: 2010-05-18 17:32:53 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 964748 Bytes = 942.1 kB
Load Address: 80002000
Entry Point: 80002000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
Starting kernel ...
Linux version 2.6.30.10 (bcsaba@colinux) (gcc version 4.3.3 (GCC) ) #10 Tue May 18 17:32:44 UTC 2010
console [early0] enabled
CPU revision is: 00019641 (MIPS 24Kc)
This Danube system has a cpu rev of 3
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
Normal 0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128
Kernel command line: root=/dev/nfs rw nfsroot=192.168.1.110:/export ip=192.168.1.1:192.168.1.110:::::off
init=/etc/preinit console=ttyS1,115200 ethaddr=00:01:02:03:04:05
mtdparts=ifx-nor:448k(uboot)ro,64k(uboot_env)ro,64k(kernel),-(rootfs)
Primary instruction cache 16kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, VIPT, no aliases, linesize 32 bytes
Writing ErrCtl register=00052098
Readback ErrCtl register=00052098
NR_IRQS:256
PID hash table entries: 128 (order: 7, 512 bytes)
console handover: boot [early0] -> real [ttyS1]
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 29472k/32768k available (2266k kernel code, 3296k reserved, 474k data, 140k init, 0k highmem)
Calibrating delay loop... 221.69 BogoMIPS (lpj=443392)
Mount-cache hash table entries: 512
net_namespace: 784 bytes
NET: Registered protocol family 16
ifxmips_init_devices: adding 7 devs
using board definition EASY50712
PCI: Probing PCI hardware on host bus 0.
IFXMips PCI mapped to 0xB7000000
IFXMips PCI I/O mapped to 0xBAE00000
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
gptu: totally 6 16-bit timers/counters
gptu: misc_register on minor 63
gptu: succeeded to request irq 126
gptu: succeeded to request irq 127
gptu: succeeded to request irq 128
gptu: succeeded to request irq 129
gptu: succeeded to request irq 130
gptu: succeeded to request irq 131
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
msgmni has been set to 57
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler deadline registered (default)
ttyS0 at MMIO 0xbe100400 (irq = 104) is a asc0
ttyS1 at MMIO 0xbe100c00 (irq = 111) is a asc1
eth0 (): not using net_device_ops yet
eth0: using mac=00:01:02:03:04:05
ifxmips_mii: probed
eth0: ADM6996 PHY driver attached.
eth0: attached PHY driver [Infineon ADM6996] (mii_bus:phy_addr=0:00, irq=-1)
ifxmips_mii0: driver loaded!
Number of erase regions: 2
Primary Vendor Command Set: 0002 (AMD/Fujitsu Standard)
Primary Algorithm Table at 0040
Alternative Vendor Command Set: 0000 (None)
No Alternate Algorithm Table
Vcc Minimum: 2.7 V
Vcc Maximum: 3.6 V
No Vpp line
Typical byte/word write timeout: 128 µs
Maximum byte/word write timeout: 1024 µs
Typical full buffer write timeout: 128 µs
Maximum full buffer write timeout: 4096 µs
Typical block erase timeout: 1024 ms
Maximum block erase timeout: 16384 ms
Chip erase not supported
Device size: 0x800000 bytes (8 MiB)
Flash Device Interface description: 0x0002
- supports x8 and x16 via BYTE# with asynchronous interface
Max. bytes in buffer write: 0x20
Number of Erase Block Regions: 2
Erase Region #0: BlockSize 0x2000 bytes, 8 blocks
Erase Region #1: BlockSize 0x10000 bytes, 127 blocks
ifx-nor: Found 1 x16 devices at 0x0 in 16-bit bank
Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
4 cmdlinepart partitions found on MTD device ifx-nor
ifxmips_mtd: found 4 partitions from cmdline
ifxmips_mtd: invalid magic (0x59406D50) of kernel at 0x00080000
Creating 4 MTD partitions on "ifx-nor":
0x000000000000-0x000000070000 : "uboot"
0x000000070000-0x000000080000 : "uboot_env"
0x000000080000-0x000000090000 : "kernel"
0x000000090000-0x000000800000 : "rootfs"
split_squashfs: no squashfs found in "ifx-nor"
Creating 1 MTD partitions on "ifx-nor":
0x000000080000-0x000000800000 : "linux"
ifxmips_mtd: added ifx-nor flash with 8MB
ifxmips_wdt: loaded
Registered led device: ifxmips:led:00
Registered led device: ifxmips:led:01
Registered led device: ifxmips:led:02
Registered led device: ifxmips:led:03
Registered led device: ifxmips:led:04
Registered led device: ifxmips:led:05
Registered led device: ifxmips:led:06
Registered led device: ifxmips:led:07
Registered led device: ifxmips:led:08
Registered led device: ifxmips:led:09
Registered led device: ifxmips:led:10
Registered led device: ifxmips:led:11
Registered led device: ifxmips:led:12
Registered led device: ifxmips:led:13
Registered led device: ifxmips:led:14
Registered led device: ifxmips:led:15
Registered led device: ifxmips:led:16
Registered led device: ifxmips:led:17
Registered led device: ifxmips:led:18
Registered led device: ifxmips:led:19
Registered led device: ifxmips:led:20
Registered led device: ifxmips:led:21
Registered led device: ifxmips:led:22
Registered led device: ifxmips:led:23
TCP westwood registered
NET: Registered protocol family 17
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
IP-Config: Guessing netmask 255.255.255.0
IP-Config: Complete:
device=eth0, addr=192.168.1.1, mask=255.255.255.0, gw=255.255.255.255,
host=192.168.1.1, domain=, nis-domain=(none),
bootserver=192.168.1.110, rootserver=192.168.1.110, rootpath=
Looking up port of RPC 100003/2 on 192.168.1.110
Looking up port of RPC 100005/1 on 192.168.1.110
VFS: Mounted root (nfs filesystem) on device 0:11.
Freeing unused kernel memory: 140k freed
Please be patient, while OpenWrt loads ...
- init nfs -
Please press Enter to activate this console. NET: Registered protocol family 10
lo: Disabled Privacy Extensions
IFXOS, Version 1.5.12 (c) Copyright 2009, Lantiq Deutschland GmbH
Lantiq TAPI device driver, version 3.11.0.6, (c) 2001-2010 Lantiq Deutschland GmbH
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Lantiq MIPS24KEc MPS driver, version 2.2.1.0, (c) 2006-2010 Lantiq Deutschland GmbH
request_timer(3, 0x000001AE, 1)...successful!
Lantiq VMMC device driver, version 1.7.0.6, (c) 2006-2010 Lantiq Deutschland GmbH
NET: Registered protocol family 8
NET: Registered protocol family 20
PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
Driver 'sd' needs updating - please use bus_type methods
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
nf_conntrack version 0.5.0 (512 buckets, 2048 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
IMQ driver loaded successfully.
Hooking IMQ before NAT on PREROUTING.
Hooking IMQ after NAT on POSTROUTING.
xt_time: kernel timezone is -0000
ip6_tables: (C) 2000-2006 Netfilter Core Team
IFX MEI Version 5.00.00
Infineon CPE API Driver version: DSL CPE API V3.24.4.4
Infineon Technologies ATM driver version 1.0.8
Infineon Technologies ATM (A1) firmware version 0.1
ifxmips_atm: ATM init succeed
ath_hal: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 2009-05-08 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, RF2133, RF2425, REGOPS_FUNC, XR)
ath_pci: trunk
wlan: trunk
wlan: mac acl policy registered
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk)
ath_rate_minstrel: look around rate set to 10%
ath_rate_minstrel: EWMA rolloff level set to 75%
ath_rate_minstrel: max segment size in the mrr set to 6000 us
PCI: Enabling device 0000:00:0e.0 (0000 -> 0002)
Atheros HAL provided by OpenWrt, DD-WRT and MakSat Technologies
wifi0: unable to attach hardware: 'No hardware present or device not yet supported' (HAL status 1)
ath_pci: ath_attach failed: 6
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
uhci_hcd: USB Universal Host Controller Interface driver
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver ums-alauda
usbcore: registered new interface driver ums-cypress
usbcore: registered new interface driver ums-datafab
usbcore: registered new interface driver ums-freecom
usbcore: registered new interface driver ums-isd200
usbcore: registered new interface driver ums-jumpshot
usbcore: registered new interface driver ums-karma
usbcore: registered new interface driver ums-sddr09
usbcore: registered new interface driver ums-sddr55
usbcore: registered new interface driver ums-usbat
BusyBox v1.15.3 (2010-05-07 13:00:32 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
Backfire (10.03, r21380) --------------------------
* 1/3 shot Kahlua In a shot glass, layer Kahlua
* 1/3 shot Bailey's on the bottom, then Bailey's,
* 1/3 shot Vodka then Vodka.
---------------------------------------------------
root@OpenWrt:/#
So device is capable for running OpenWRT, think Infineon's stuff working (DSL,VOIP) but yet to try. Wifi while lspci lists it:
root@OpenWrt:/# lspci -nn 00:0e.0 Ethernet controller [0200]: Atheros Communications Inc. Device [168c:ff16] (rev 01) 00:0e.1 Serial controller [0700]: Atheros Communications Inc. Device [168c:ff96] (rev 01)
Madwifi is not able to use it, and USB controller not even show up in lspci. When will have some free time going to try and look into it, but not sure have the skill to hack it.