OpenWrt Forum Archive

Topic: Di-624

The content of this topic has been archived between 29 Mar 2018 and 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

unicorn, can you explain more about redboot. I found redboot_cobra. Make redboot by command:
make ENET_PHY=marvell ap51
and recieve few files:
redboot.elf
redboot.img
redboot.rom
redboot.srec

I need to run your perl script with redboot.rom?

(Last edited by loadi624 on 15 Dec 2009, 19:00)

Ok i make very bad working redboot firmware. Router suddenly reboots after few seconds. I only see command prompt of redboot and then router halts sad I apply your patch by hands to my version of redboot. I think i made something wrong. I have romram redboot version in my router now.

Ok, i compiled redboot as rom startup version, but it reboots in a few seconds, what is it? bad version of redboot? enabled watchdog? can you help me with it please, unicorn?

(Last edited by loadi624 on 20 Dec 2009, 08:34)

loadi624, is it actually working? i mean, do you see the prompt on the serial console, etc?
If it works, it looks like watchdog is enabled.
It seem to be disabled in startup code of redboot, but i'm not sure now. It was way too long ago.

yes i see prompt of redboot, if i work quickly i can execute some commands. Like version smile
And bad thing that i see code, wich is used for disabling watchdog. Can you tell me what version of redboot you use in your case? Maybe you can provide some sources or ready redboot rom? It will be very cool smile

(Last edited by loadi624 on 30 Dec 2009, 14:16)

unicorn wrote:

Theli,

a) make sure backup loader works on your hardware: power up router holding reset button.
(board should use 192.168.0.1 as LAN address and running single html page proposing to upload new firmware)

b) use IDA or some other tool to disassemble the original firmware...

c) to experiment you should learn how to compose firmware images - it's quite easy:
* pack up NML.MEM to NML.ARJ
* pad it with zeroes to be exactly 0xe0000 (917504) bytes len
* add signature as in original firmware (string like "AP52-AR2316-RT       -00" - you should take it from original image) at the same offset at the end of the file.
* add checksum (32bit XOR all over the file with constant 0xabbbba) at the last 32bit word

You can use something like this to make fw image from NML.ARJ file:

#!/usr/bin/perl 

undef $/; 

$board="AP52-AR2316-RT       -00";
$buf=<>;
$buf=pack "a" . (0xe0000-0x20) . "a" . (0x20-4), $buf, $board;

$s=0xaabbbbaa; 
$s ^= $_ foreach unpack "N*", $buf; 

print $buf, pack "N", $s;

..well.. not much helping, I know. sorry. at least i'm tring not to speak with riddles

Very useful. Actually I realized many D-Link's use that same checksum (same on my old DI-604 guinea-pig), and i found a page/guide on DWL-900AP+ that showed the same, with C code that does pretty much the same thing as your example perl script smile

For reference, here's the page: DWL-900AP+/800AP+/810+ firmware checksum calculator

Firmware Modification Instructions

    * Unarj some_firmware.bin (is actually an arj archive)
    * Modify NML.MEM image
    * Arj NML.MEM back to some_firmware.bin
    * Pad zeros to end of some_firmware.bin until it reaches size 0xe0000
    * Copy hardware version string starting at address 0xdffe0
    * Compile dwl_checksum.c:
          o gcc -o dwl_checksum dwl_checksum.c
    * Calculate 32bit checksum:
          o dwl_checksum < some_firmware.bin
    * Copy 32bit checksum (lsbyte to msbyte) at address 0xdfffc

dwl_checksum.c

#include <stdio.h>
#include <stdint.h>

#define SIZE  0xe0000
#define MAGIC 0xaabbbbaa

int
main (void)
{
  int data;
  uint32_t checksum = 0;
  uint32_t cnt = 0;

  while ((data = fgetc (stdin)) != EOF)
    {
      checksum ^= ((uint32_t) data) << ((cnt % sizeof checksum) * 8);
      cnt++;
    }

  checksum ^= MAGIC;

  if (cnt != SIZE)
    fprintf (stderr,
         "WARNING: Firmware size incorrect! Should be exactly %d bytes.\n",
         SIZE);
  else
    fprintf (stdout, "Checksum: 0x%x\nFile Size: %d bytes\n", checksum, cnt);

  return 0;
}

I got a D-Link DI-624 rev. D2 (on label, D1 on board) with erased firmware - completely dead, only POWER, WAN and all LAN LEDs were on. Removed the SPI flash (MX25L1605) and connected to a SPI "programmer" (in fact, 4 resistors and parallel port - http://rayer.ic.cz/elektro/spipgm.htm ). Dumped the flash and it was all FFs only.

So I downloaded a 1MB firmware that includes boot loader ( ftp://ftp.dlink.com/Gateway/di624_revD/ … re_404.bin ) and flashed (to address 0 of the 2MB flash). This was not correct but allowed the boot loader to start and restore the firmware using web interface.

The router now booted but MAC addresses were 00:11:22:33:44:55 and 00:11:22:33:44:56. Found that the first MAC address is stored in the boot loader at offset 0x40 - so edited the firmware and reflashed again (using the programmer, the web interface will not change it). Now MAC addresses are OK.

But last problem remains: wifi does not work. The WLAN led is off and clicking on the wireless button in web interface does nothing. Found something that might be serial console at JP1 (lower pins from left: 3.3V, RX, NC, NC, TX, GND) but there's no output (probably disabled in firmware?). At least tftp can be used to get some files: dbgout.txt, ar5maco.dat and ar5eepo.dat.

dbgout.txt shows that there's a problem with WLAN EEPROM:

Created Inet main task.
Created clock tick task.
Created PING application task.
channel = 6, 2437
cipher: ENCRYPTION_TKIP
pWLAN->wirelessMode = 0
pWLAN->turbo = 0
wmm disabled
Wireless Mode = 0x08, Data Rate = best
wlan0 : abolt = 0
wlan0 : autoChan:0, preamble = 1
wlan0 : apCfgCipherGet() = 5
wlan0 : apCfgAuthTypeGet() = 6
wlan0 : apCfgEncryptionGet() = 1
usrEndLibInit: enet not found.
ar5212Attach: Could not allocate space to cache the EEPROM
Error initializing wireless software state.
apInit: no wlan device
AP initilization failed!
Initializing 802.11g(A) Interface...Failure !
mux_0 applied.
pkt_send_0 applied.
WAN port speed = 10M
WAN port duplex = Half
WAN port flow control = On
CPU port flow control = On
Created Bridge Aging task.
eth_brdg/eth_dev_add: add the 0th device eth-0, type = ethernet device
mctest init called
Created httpd task.
Created smtp task.
Created ntp task.
Created upnp task.
Created dhcps_main task.
Created rad_client task.
System ready ...

Created upnp_http task.
Created ssdp task.

ar5maco.dat looks like WLAN MAC address that's empty sad

00000000   30 78 20 20 20 30 20 2D 20 30 30 3A 30 30 3A 30   0x   0 - 00:00:0
00000010   30 3A 30 30 3A 30 30 3A 30 30 00 00 00 00 00 00   0:00:00:00......

WLAN EEPROM (ar5eepo.dat) is empty too - 2048 bytes of FFs

The TFTP server ignores PUT so these must be flashed using the SPI programmer. But where can I get the EEPROM dump? Anyone has complete flash dump of DI-624 rev. D?

(Last edited by Rainbow on 28 Jan 2012, 16:38)

Bought the same router in working order and dumped the flash. Changed MAC (at offset 0x40 - this should be set to the MAC from label minus 1) and flashed to the non-working one. Here's the file (changed MAC to 00:11:22:33:44:55, configuration deleted): http://www.rainbow-software.org/linux_f … l_dump.zip
It's some old firmware, update it to 4.04b47 after reviving the router.

MAC address from 0x40 is used for both LAN and WLAN. WAN address is the same, only incremented by 1 (should match the label). The ar5maco.dat file from TFTP is bogus, it shows completely different MAC.

The discussion might have continued from here.