OpenWrt Forum Archive

Topic: GN-BR404W

The content of this topic has been archived on 3 Feb 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Firmware 1.21 uses kernel 2.4.20 and busybox, IPsec provided by Free/SWAN 2.00.
I've been waiting for a reply from Gigabyte about the source.

The router will arrive in a few days, I will give more details about it here. At least it has a PCCard slot.

Okay, the little cutie is here. Let's see, what's inside (I will do some photos later):

CPU: Renesas 6417751R - 240MHz SH4
Flash: AMD AM29LV320DB - 4Mb
Memory: 2x IC42S16400-6T - 2x8Mb = 16Mb RAM
Ethernet: 2x Realtek RTL8100BL - 2x 10/100 Ethernet (CPU->WAN, CPU->Switch)
Switch: Realtek RTL8305SB - 5 port switch (supports vlan!)
PCCard controller: Texas Instruments PCI1410APGE
Wireless: GN-WMAG PCCard - Atheros 5002G chipset

All binaries are stripped and compiled statically against uClibc 0.9.15 with gcc 3.0.4.

I wasn't able to find something like the "ping bug" in the firmware, so it seems I have to put my busybox-telnetd into the cramfs. I compiled a static binary, let's hope it will work.
To do the modification, I took another look at the firmware to be able to reconstruct it. Here comes the broken-out stuff:

* Gigabyte kernel spliter

__________GBT_SPLITER_________KERNEL_IMG:

* zImage
* Gigabyte kernel info

GBT_IMG_INFO + binary stuff (needs investigation)

* Gigabyte kernel checksum spliter

_________GBT_SPLITER__________KERNEL_CHECKSUM:

* kernel md5 (WARNING! md5sum of kernel + gbt kernel info)
* Gigabyte rootfs spliter

_________GBT_SPLITER__________ROOTFS_IMG:

* cramfs image
* Gigabyte rootfs info

GBT_IMG_INFO + binary stuff (needs investigation)

* Gigabyte rootfs checksum spliter

_________GBT_SPLITER__________ROOTFS_CHECKSUM:

* rootfs md5 (WARNING! md5sum of cramfs + gbt rootfs info)
* Gigabyte tail spliter

_________GBT_SPLITER__________TAIL

Okay, here comes the firmware-rebuilder v0.1:
You need the following files:
kernel - linux kernel
cramfs - cramfs image
finfo - rootfs info binary
kinfo - kernel info binary

#!/bin/sh
# Rebuilds a GN-BR404W firmware image from the broken-out parts listed above.
# Run it in the directory that holds kernel, cramfs, finfo and kinfo.

if [ -z "$1" ]; then
    echo "Usage: $0 new_firmware_filename"
    exit 1
fi

OUT="$1"
SPLITER=__________GBT_SPLITER__________

printf '%s' "Generating firmware... "
# kernel section: zImage = kernel + "GBT_IMG_INFO" + kernel info binary
printf '%s' "${SPLITER}KERNEL_IMG:" > "$OUT"
cat kernel > zImage
printf '%s' "GBT_IMG_INFO" >> zImage
cat kinfo >> zImage
cat zImage >> "$OUT"
# the checksum covers zImage as a whole (kernel + info), see the warning above
printf '%s' "${SPLITER}KERNEL_CHECKSUM:" >> "$OUT"
md5sum zImage >> "$OUT"
# rootfs section: cramfs + "GBT_IMG_INFO" + rootfs info binary
printf '%s' "${SPLITER}ROOTFS_IMG:" >> "$OUT"
cat cramfs > rootfs.mtd.cramfs.img
printf '%s' "GBT_IMG_INFO" >> rootfs.mtd.cramfs.img
cat finfo >> rootfs.mtd.cramfs.img
cat rootfs.mtd.cramfs.img >> "$OUT"
# again the checksum is over cramfs + info, not the bare cramfs
printf '%s' "${SPLITER}ROOTFS_CHECKSUM:" >> "$OUT"
md5sum rootfs.mtd.cramfs.img >> "$OUT"
printf '%s' "${SPLITER}TAIL" >> "$OUT"
echo "done."

Okay, let's examine the binary info parts.
(If anyone has an idea, please post a reply!)

hexdump of kernel info

firmware v1.17: (kernel size: 750353)

0000000 1173 0b00 0473 2cf4 8fa4 55e3 d8f0 8c4b
0000010 b280 3432
0000014

firmware v1.19: (kernel size: 750356)

0000000 1473 0b00 89d1 b9b1 8a55 f14e 8be4 c73e
0000010 21dd 6b5a
0000014

firmware v1.21: (kernel size: 750369)

0000000 2173 0b00 7379 d945 35db f3a6 4350 2b9b
0000010 d3b0 ae3d
0000014

hexdump of rootfs info:

firmware v1.17: (cramfs size: 2576384)

0000000 0050 2700 8d0a 82f8 398c 4df8 882a 7182
0000010 36b4 90a9
0000014

firmware v1.19: (cramfs size: 2809856)

0000000 00e0 2a00 ab98 59fd afa8 13c6 18d2 1064
0000010 8612 1125
0000014

firmware v1.21: (cramfs size: 2846720)

0000000 0070 2b00 f669 d875 db7b a15a edcc 7722
0000010 5ed6 264f
0000014

IMHO these are firmware versions and file sizes, but I'm not sure.

Okay, while I'm trying to figure those out, I examined the firmware a little more. Almost all interesting stuff happens via /bin/SetData.cgi, which is a binary file, too. Parts of it and a file called upgrade.boot tell me that the box has some kind of bootloader (like pmon/cfe on the wrt), which sits on mtd/0.

It should be added to the firmware as

__________GBT_SPLITER__________BOOT_IMG:
__________GBT_SPLITER__________BOOT_CHECKSUM:

Maybe it needs another GBT_IMG_INFO field, too.

The kernel sits on mtd/2, rootfs on mtd/3. The MAC address is on mtd/4. It looks like mtd/1 holds the settings. While operating /img/ramdisk.img is expanded to rd0 and mounted as /ramdisk. /img/upgrade.img is expanded to rd1 and mounted as /upgrade.

eth0 is WAN, eth1 is the LAN, wlan0 is the wireless. eth1 and wlan0 are in br0.

This cutie drops a shell on the serial port, so I have to get a multimeter to check if it's 3.3V or 12V.

Hmz.. Gigabyte uses their own binary to expand the two ramdisk images. However ramdisk.img holds the build date and the firmware version.. So now I have no idea what the GBT_IMG_INFO fields can be..

Okay, slowly everything becomes clear:

kernel info from v1.21 (kernel size: 750369):

0000000 2173 0b00 7379 d945 35db f3a6 4350 2b9b 
0000010 d3b0 ae3d 
0000014

750369 is b7321 in hex; changing the endianness gives us 21 73 0b.. Hehe, we're almost there.

Okay, it was long ago when I posted last.

Anyway, I managed to get a serial console on the unit. Pinouts, photos will follow soon.

For now, here's the dmesg of the original firmware, have fun!

=========================================================================
===                    SH IPL+g version 1.03 - 16M                    ===
=========================================================================


Booting from flash!
Setup Linux Kernel Parameters!
mem=16M sh_mv=MN75XX console=ttySC0,115200 root=/dev/mtdblock3 ro 
Copy Linux Kernel & File System from flash to dram
Uncompressing Linux... Ok, booting the kernel.
Linux version 2.4.20 (cuh@NPCD94) (gcc version 3.0.4) #97 Wed Dec 1 16:38:26 CST 2004
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: mem=16M sh_mv=MN75XX console=ttySC0,115200 root=/dev/mtdblock3 ro 
Setting GDB trap vector to 0x80000100
SH RTC: invalid value, resetting to 1 Jan 2000
CPU clock: 240.01MHz
Bus clock: 120.00MHz
Module clock: 60.00MHz
Interval = 150010
Calibrating delay loop... 239.20 BogoMIPS
Memory: 13904k/16384k available (1217k kernel code, 2480k reserved, 186k data, 48k init)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
CPU: SH7750/SH7751
POSIX conformance testing by UNIFIX
PCI: Using configuration type 1
SH7751 PCI: Finished initialization of the PCI controller
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
pty: 256 Unix98 ptys configured
SuperH SCI(F) driver initialized
ttySC0 at 0xffe00000 is a SCI
ttySC1 at 0xffe80000 is a SCIF
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
8139too Fast Ethernet driver 0.9.26
PCI: Enabling device Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (0000 -> 0003)
PCI: Setting latency timer of device Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ to 64
eth0: RealTek RTL8139 Fast Ethernet at 0xbd000000, 00:20:ed:07:b0:29, IRQ 2
PCI: Enabling device Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (#2) (0000 -> 0003)
PCI: Setting latency timer of device Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (#2) to 64
eth1: RealTek RTL8139 Fast Ethernet at 0xbd000100, 00:20:ed:07:b0:28, IRQ 5
Cronyx Ltd, Synchronous PPP and CISCO HDLC (c) 1994
Linux port (c) 1998 Building Number Three Ltd & Jan "Yenya" Kasprzak.
HDLC support module revision 1.02 for Linux 2.4
physmap flash device: 4000000 at 8000000
CFI: Found no Physically mapped flash device at location zero
Probing for flash chips at 0x00000000:
Found: AMD AM29LV320DB
number of JEDEC chips: 1
7751RGN : Flash at 0x00000000
Using configured partition at 0x00008000.
Creating 5 MTD partitions on "7751RGN FLASH":
0x00000000-0x00008000 : "flash_boot"
0x00008000-0x00010000 : "data_setting"
0x00010000-0x00100000 : "kernel"
0x00100000-0x003f0000 : "file_system"
0x003f0000-0x00400000 : "default_mac"
Reset BRW404 Configure Data Button Driver version 1.0 
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
ip_conntrack version 2.1 (512 buckets, 4096 max) - 292 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
RAMDISK: Couldn't find valid RAM disk image starting at 0.
Freeing initrd memory: 640k freed
VFS: Mounted root (cramfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 48k freed
mount -t proc none /proc
echo 1 > /proc/sys/net/ipv4/ip_forward
expand /img/ramdisk.img /dev/rd/0
mount /dev/rd/0 /ramdisk
mountdatasetting -m -r -d
mountdatasetting: umount /romdisk > /dev/null 2>&1 (nResult=256)
mountdatasetting: mount -t cramfs /dev/mtdblock/1 /romdisk > /dev/null 2>&1 (nResult=0)
cp /romdisk/* /ramdisk/etc -f
umount /dev/mtdblock/1
gethwtype > /dev/null 2>&1
loadregioninfo > /dev/null 2>&1
tar xf /img/htdocs.tar -C /ramdisk/htdocs
About.htm
AddFirewall.htm
AddVPN.htm
BackUpRestore.htm
BasicDynamicIPAddress.htm
BasicLANSetup.htm
BasicPPPoE.htm
BasicPPPoELan.htm
BasicStaticIPAddress.htm
BasicWANSel.htm
BasicWizSetComp.htm
ChangeMAC.htm
ChangePassword.htm
DNSConfiguration.htm
DNSReplay.htm
DynamicIPAddress.htm
EditFirewall.htm
EditURLBlocking.htm
EditVPN.htm
FileFormatError.htm
Firewall1.htm
Firewall2.htm
Firewall3.htm
Initialization.htm
InternalError.htm
Layer3ForwardDesc.xml
Log1.htm
Log2.htm
Log3.htm
Logout.htm
MACcontrol11a.htm
MACcontrol11b.htm
MACcontrol11g.htm
MemoryLow.htm
NetworkSetup1.htm
NetworkSetup2.htm
NetworkSetup3.htm
OSInfoDesc.xml
PPPMonitor.htm
PPPoE.htm
PPPoELan.htm
Ping.htm
Reboot.htm
Restarting.htm
RootDeviceDesc.xml
Save.htm
SmartSetup.htm
SmartSetupDynamicIPAddress.htm
StaticIPAddress.htm
StaticRouting.htm
URLBlocking.htm
UpgradeFirmware.htm
Upgrading.htm
UpnpStatus.htm
VPN.htm
VirtualServer1.htm
VirtualServer2.htm
VirtualServer3.htm
WANComIfConfDesc.xml
WANEtherLinkConfDesc.xml
WANPPPConnectDesc.xml
WANSel.htm
WANTypeDel.htm
WAN_LINK_DOWN.htm
WDSa.htm
WDSb.htm
WDSg.htm
Welcome.htm
WirelessSetup1.htm
WirelessSetup2B.htm
WirelessSetup2G.htm
WirelessSetup3a.htm
WirelessSetup3b.htm
WirelessSetup3g.htm
WirelessSetupNoMiniPCI.htm
WirelessSetupNoPCMCIA.htm
banner.htm
detecting.htm
index.htm
index_pnpsetup.htm
p.htm
status.htm
style.css
bringup_atheros > /dev/null 2>&1
/etc/pcmcia/rc.pcmcia start > /dev/null 2>&1 &
sleep 3
Linux PCMCIA Card Services 3.2.1
  kernel build: 2.4.19 #205 Thu Oct 17 10:18:23 CST 2002
  options:  [pci] [cardbus]
Intel ISA/PCI/CardBus PCIC probe:
PCI: Enabling device Texas Instruments PCI1410 PC card Cardbus Controller (0000 -> 0002)
  TI 1410 rev 02 PCI-to-CardBus at slot 00:0a, mem 0xfd001000
    host opts [0]: [serial pci & irq] [pci irq 8] [lat 168/176] [bus 1/4]
    PCI card interrupts, polling interval = 1000 ms
cs: cb_alloc(bus 1): vendor 0x168c, device 0x0013
gbt_ar5k: init_module, Atheros AR5K 802.11a PCI/CardBus WLAN registering pci device.
cs: cb_config(bus 1)
  fn 0 bar 1: mem 0xfd110000-0xfd11ffff
  irq 8
gbt_ar5k: gbt_atheros_attach(device 01:00.0)
gbt_ar5k: ATTENTION, AP start up without file system supported!
H/W_probe Set wlan0 radio frequency 0
rxQueue phy addr : 0CB4C000
gbt_ar5k: gbt_atheros_probe register_netdev [wlan1]
wirelesspageconfig > /dev/null 2>&1
versionchk -d
versionchk: szVersionInRootfs: 1.25
versionchk: szDateInRootfs: Wed, 01 Dec 2004 08:41:22 +0000
versionchk: szDataVersionInRootfs: gbtbrw.001
versionchk: szVersionInFlash: 1.25
versionchk: szDateInFlash: Wed, 01 Dec 2004 08:41:22 +0000
versionchk: szDataVersionInFlash: gbtbrw.001
genhtpasswd -o /wwwroot/htdocs/.htpasswd
gn_sub -s
file input error
mn_resolv
start=====
wan_type_group=0
session_info=0
session_selected[0]=0
session_selected[1]=0
session_selected[2]=0
session_selected[3]=0
session_select_valur[0]=0
session_select_valur[1]=0
session_select_valur[2]=0
session_select_valur[3]=0
DynamicDNSCofigure > /dev/null &
networkrestart > /dev/null 2>&1
eth1: Setting 100mbps full-duplex based on auto-negotiated partner ability 45e1.
eth1: Promiscuous mode enabled.
device eth1 entered promiscuous mode
Reading Configuration File "/var/apcfg_cb".
gbt_ar5k: ar5k module starts wlan0.
gbt_ar5k: ar5k module multiDomainCapEnabled TRUE
gbt_ar5k: swRadioDisable = 0, calibrationTime = 30
gbt_ar5k: wlan0 athCalibrationTask
gbt_ar5k: tApHouseKeeping alive.
gbt_ar5k: tApListKeeping alive.
gbt_ar5k: 802.1x built
gbt_ar5k: wlan0 pdevInfo @ 0x8cd20000 BSS start
wireless access point starting...
wlan0 Ready
Ready
device wlan1 entered promiscuous mode
br0: port 2(wlan1) entering listening state
br0: port 1(eth1) entering listening state
updatehtml -f ALL
smart_setup eth0 > /dev/null &
SecurityServ &###########################################
###
###   Build Version: 1.25
###   Data Version: gbtbrw.001
###   Build Date: Wed, 01 Dec 2004 08:41:22 +0000
###
###########################################


BusyBox v0.60.3 (2004.12.01-08:39+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# Security server up(1.15)---
SecurityServ: open socket3!!
SecurityServ: bind success!!
SecurityServ: listen ok!!
SecurityServ: waiting for data on port TCP 1500
SecurityServ: cliLen=16

# uname -a
Linux (none) 2.4.20 #97 Wed Dec 1 16:38:26 CST 2004 sh4 unknown
# cat /proc/cpuinfo
cpu family: SH-4
cache size: 8K-byte/16K-byte
bogomips: 239.20

Machine: Gigabyte 7751Rgn
CPU clock: 240.01MHz
Bus clock: 120.00MHz
Peripheral module clock: 60.00MHz
# cat /proc/pci
PCI devices found:
  Bus  0, device   8, function  0:
    Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 16).
      IRQ 2.
      Master Capable.  Latency=64.  Min Gnt=32.Max Lat=64.
      I/O at 0x4000 [0x40ff].
      Non-prefetchable 32 bit memory at 0xfd000000 [0xfd0000ff].
  Bus  0, device   9, function  0:
    Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (#2) (rev 16).
      IRQ 5.
      Master Capable.  Latency=64.  Min Gnt=32.Max Lat=64.
      I/O at 0x4400 [0x44ff].
      Non-prefetchable 32 bit memory at 0xfd000100 [0xfd0001ff].
  Bus  0, device  10, function  0:
    CardBus bridge: Texas Instruments PCI1410 PC card Cardbus Controller (rev 2).
      IRQ 8.
      Master Capable.  Latency=168.  
      Non-prefetchable 32 bit memory at 0xfd001000 [0xfd001fff].
  Bus  1, device   0, function  0:
    Ethernet controller:  (rev 1).
      IRQ 8.
      Master Capable.  Latency=64.  Min Gnt=10.Max Lat=28.
# lsmod
Module                  Size  Used by
atheros               500376   2 
cb_enabler              2704   2 [atheros] 
ds                      7472   1 [cb_enabler] 
i82365                 23436   1 
pcmcia_core            40556   0 [cb_enabler ds i82365] 
# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                    4.8M      4.8M         0 100% /
/dev/root                 4.8M      4.8M         0 100% /
/dev/rd/0                 1.2M    619.0k    624.0k  50% /ramdisk
# mount
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro)
none on /dev type devfs (rw)
none on /proc type proc (rw)
/dev/rd/0 on /ramdisk type ext2 (rw)
# ifconfig
br0       Link encap:Ethernet  HWaddr 00:20:ED:07:B0:28  
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:20:ED:07:B0:29  
          inet addr:10.0.0.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:2 

eth1      Link encap:Ethernet  HWaddr 00:20:ED:07:B0:28  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:1080 (1.0 kb)
          Interrupt:5 Base address:0x100 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

wlan1     Link encap:Ethernet  HWaddr 00:20:ED:08:D3:9E  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:219 errors:3845 dropped:0 overruns:0 frame:0
          TX packets:19 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:14580 (14.2 kb)  TX bytes:1254 (1.2 kb)
          Interrupt:8 

#

(Last edited by Kaloz on 21 Apr 2005, 20:20)
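The image layout and the little-endian size field worked out in the posts above, as an added Python example (not code from the thread, from Kaloz, or from Gigabyte): it assembles an image the way the firmware-rebuilder script does, splits it back on the spliter markers, and checks both md5sum lines plus the size field. It assumes the GBT_IMG_INFO blob starts with a 32-bit little-endian size and treats the remaining 16 bytes as undecoded; the sample kernel and cramfs bytes are constructed.

```python
import hashlib
import struct

# Layout from the thread: marker + payload, marker + md5sum line, ..., marker + TAIL
SPLITER = b"__________GBT_SPLITER__________"
SECTIONS = (b"KERNEL_IMG:", b"KERNEL_CHECKSUM:", b"ROOTFS_IMG:", b"ROOTFS_CHECKSUM:", b"TAIL")
INFO_TAG = b"GBT_IMG_INFO"

def md5sum_line(data, name):
    """Same text the rebuilder's `md5sum file >> firmware` appends."""
    return hashlib.md5(data).hexdigest().encode() + b"  " + name + b"\n"

def make_info(payload):
    """Info blob: LE uint32 size (assumed from the 21 73 0b 00 observation) + 16 undecoded bytes."""
    return struct.pack("<I", len(payload)) + b"\x00" * 16   # zeros stand in for the unknown bytes

def build_image(kernel, kinfo, cramfs, finfo):
    """Assemble an image exactly like the firmware-rebuilder script does."""
    zimage, rootfs = kernel + INFO_TAG + kinfo, cramfs + INFO_TAG + finfo
    return (SPLITER + b"KERNEL_IMG:" + zimage
            + SPLITER + b"KERNEL_CHECKSUM:" + md5sum_line(zimage, b"zImage")
            + SPLITER + b"ROOTFS_IMG:" + rootfs
            + SPLITER + b"ROOTFS_CHECKSUM:" + md5sum_line(rootfs, b"rootfs.mtd.cramfs.img")
            + SPLITER + b"TAIL")

def split_image(image):
    """Find each marker (in image order) and return {section: bytes up to the next marker}."""
    found = []
    for name in SECTIONS:
        pos = image.find(SPLITER + name)
        if pos < 0:
            raise ValueError("missing section " + name.decode())
        found.append((pos, name))
    parts = {}
    for i, (pos, name) in enumerate(found):
        end = found[i + 1][0] if i + 1 < len(found) else len(image)
        parts[name.decode()] = image[pos + len(SPLITER) + len(name):end]
    return parts

def verify(image):
    """Check the md5sum line and the size field of both sections; returns per-section results."""
    parts, out = split_image(image), {}
    for img, chk, name in (("KERNEL_IMG:", "KERNEL_CHECKSUM:", "kernel"),
                           ("ROOTFS_IMG:", "ROOTFS_CHECKSUM:", "rootfs")):
        blob = parts[img]                         # payload + GBT_IMG_INFO + 20-byte info
        idx = blob.rfind(INFO_TAG)
        payload, info = blob[:idx], blob[idx + len(INFO_TAG):]
        (size,) = struct.unpack("<I", info[:4])
        stated = parts[chk].split()[0].decode()   # hex digest from the md5sum line
        out[name] = {"size": size, "size_ok": size == len(payload),
                     "md5_ok": hashlib.md5(blob).hexdigest() == stated}
    return out

# Constructed sample parts (not a real GN-BR404W kernel or cramfs image).
SAMPLE_KERNEL = bytes(range(256)) * 4
SAMPLE_CRAMFS = bytes(range(255, -1, -1)) * 8
SAMPLE_IMAGE = build_image(SAMPLE_KERNEL, make_info(SAMPLE_KERNEL), SAMPLE_CRAMFS, make_info(SAMPLE_CRAMFS))
```

A flipped payload byte leaves the size field intact but breaks the md5sum line, which is why the checksum has to be computed over payload plus info, as the rebuilder does.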

Can you give a hint about the serial or the jtag on the br404w?

Edit:
I found it "already"
JP5:

 ? O O TX
RX O Q ?

When a jumper is set on JP7 you get the recovery menu:

========================================================================
===                    SH IPL+g version 1.03 - 16M                    ===
=========================================================================

GBT_BR404W>
GBT_BR404W> h

SH IPL+g version 1.00
    ? --- Show this message (HELP)
    e --- Ether Download & Programming Flash
    r --- RS232 Download & Programming Flash
    l --- RS232 Download & Programming Flash - Boot
    k --- RS232 Download & Programming Flash - Kernel
    s --- RS232 Download & Programming Flash - File System
    b --- Booting System From Flash
    t --- Board Test
GBT_BR404W>

(Last edited by goof on 4 Apr 2006, 22:20)
