I have a gift for anyone who needs a SMC-7908-ISP
Topic: Is this router based on the infineon danube?
The content of this topic has been archived between 1 Oct 2014 and 1 May 2018. Unfortunately there are posts – most likely complete pages – missing.
Hello,
vpablos:
SMC7904 and SMC7908 are completely unrelated devices. SMC7908 is danube based running propietary software (maybe violating GPL, but who knows) and SMC7904 is rtl based running linux. I doubt that SMC release any sources, but who needs them anyway.
The info about BRN bootloader, was known, but it is not directly usable. firmware image headers and runtime checks differ. I doubt anybody cares about that if its possible to use u-boot.
blogic:
Voip needs the usage of some GPIO lines. Do you know how are them configured in arv4518 devices?
Thanks.
Currently, my main problem currently is the lack of USB support. With only 4 MB of flash memory in the arv4518 board, I need external storage for the root filesystem. Is there any news about USB support?
Hi
Buttons and all leds except voip/phone1/2 work. FXS ports work. The missing key is support for vmcc in zaptel/freeswitch or sip in tapidemo.
I am in a dead end with the usb. The driver should work, but i can not get the port out of disconnected state.
Does anybody have info on controlling voip leds?
Thanks.
Hi,
After many hours with objdump, I have found the missing puzzle to working usb:
3c 02 be 10 34 42 0b 10 8c 43 00 00 34 63 40 00 ac 43 00 00
Free translation: GPIO0 P14 somehow controls usb port power in arv4518.
Great work!
Hello,
I have managed to generate a firmware image to update by arcadyan propietary operating system. This update methos doesnt touche the brn bootloader, so you can revert to original ones.
The procedure is as follow:
generate a kernel plus ramdisk.
generate a u-boot to run from ram at 80002000 (arv4518_brnboot_config)
compress with lzma and "obfuscate"
generate firmware with sp700ex, using for 1 : uboot 2 (unused, I put a second uboot for sp700ex to work) 3 kernel+ramdisk 4 zero size file zero size file
add "BRNDANUBE" to this file (6th file from an original firmware).
And upload to router. Et voila: You have openwrt running.
I have put a image for testing (with adsl and usb, without wifi and voip) at: http://personales.ya.com/_ngp_/firmware … rt_bin.bz2
(Last edited by ngp on 28 Oct 2010, 16:27)
Good !!!
Thanks !!!
What about usb and voip?
I can't wait to test the image on my router ...
Are your changes into svn too?
ngp, you're my hero.
Unfortunately I cannot try it on my 7908ISP, since I rely on it both for internet access and voip (luckily not the yacom service), but I have a spare ARV7518PW-A-LF-LT (the one with wifi-n they sent in error to a handful of customers, bough on ebay for cheap), do you think I could flash it with your image?
After all the only difference should be the wifi chip, and since your image has no wifi it could work, don't you think?
BTW, do you know if the usb port can work in device (gadget) mode? Is it usb2.0 or 1.1?
Hello,
vpablos: usb is working in host mode. voip is working, but sip is not done. wifi works with madwifi and with ath5k, but none of them is included in my image (neither voip). The changes arent in svn, but you can get them from the links that I had posted. I think blogic is reworking the danube support including them. The code for "obfuscation" is the reverse of Luca Olivetti. Here it is:
#!/usr/bin/python
partname='ya-1'
f=open(partname+'.lzma','rb')
s=f.read()
f.close()
def rn(c):
b=ord(c)
return chr(b%16*16+b/16)
s2=''
s2= s2 + chr(0x21)
s2= s2 + chr(0x43)
s2= s2 + chr(0x65)
s2= s2 + chr(0x87)
i=32+68
for j in range(32):
s2=s2+s[i]
i=i+1
i=32
for j in range(68):
s2=s2+s[i]
i=i+1
i=0
for j in range(16):
s2=s2+rn(s[i+1])+rn(s[i])
i=i+2
s2=s2+s[132:]
f=open(partname+'.bin','wb')
f.write(s2)
f.close()
pipolippi: If the routers are identical, it should work, but maybe the bootloader makes some additional checks. Anyway, you can test it. If it does not work, you can use recovery mode (press reset button during poweron) to reflash the Ya.com provided firmware.
Hi again:
about usb in device mode: The ip core in danube seems to support it, but I think that the external phy/wiring/wathever does not. The original firmware does not implement it.
Ah, ok, I came across a device at work that has a normal a female connector and it can work both as a host (to drive memory sticks) and as a device (if I connect it to a pc with a male-male cable it sees an usb-ethernet adapter).
Hi
Some caveats:
sp700es pads filesizes to 1Kb. This offsets the kernel position from 0xb0060000 (address where firmware is stored). So in my case, part 1 size is 58486, padded to 59392. part 2 is the same. So offset of part 3 (the kernel) is 0x1d000. Add that to 0xb0060000 and you get 0xb007d000. That means: for u-boot autostarts, add "bootcmd=bootm 0xb007d000\0" to extra environment settings in u-boot-2010.03/include/configs/arv4518.h
lzma generated files had gotten me some headaches. Example:
lzma ya-1
lzmainfo ya-1.lzma
ya-1.lzma
Uncompressed size: Unknown
Dictionary size: 8 MB (2^23 bytes)
Literal context bits (lc): 3
Literal pos bits (lp): 0
Number of pos bits (pb): 2
If uncompressed size is unknown, That file will fail ZIP routines in brnboot, entering in recovery mode.
(Last edited by ngp on 28 Oct 2010, 21:29)
Hi
pipolippi:
Yes DWC usb ip cores support host and device modes, also OTG. Danube supports host and device modes, but not OTG. But it needs some external components that I dont think are in arv4518. But I have not tried it personally.
ngp,
Thanks a lot for your hard work on this! Unfortunately I'm missing an in depth linux and programming knowledge, but I’ have a good knowledge base as a WL500gP (oleg’s firmware) user. You mentioned that your image doesn’t contain wifi and voip. Does this mean that I can download them by ipkg once your image is running, like in oleg’s firmware? You also mentioned that however device mode is supported by the software, the port is not hardwired to support that. Does this mean that an usb flashdrive (mass storage) will not function there until a workaround hardware mod is available?
Is there an easy way to upload your image to the device, like Tftp for example. To be honest, the method you described is too high level for me ?
dp79
To control an usb flashdrive the port must be in host mode, not device, so it should work
hi
dp79:
The method is for generating the image. Use the router firmware update page to flash the image I did provide. Usb should work. opkg should work, but the rootfs is a ramdisk, so you los all the changes after reboot.
Quick and dirty program to generate flash images. You need to provide five files (First one is a u-boot configured to run from ram at 0x80002000 and bootm a kernel at 0xb007d000 and then lzmaed with known uncompress size. Second one can be a copy of the first one. Third is a kernel+ramdisk. Fourth and Fifth can be empty files) There is no check for uboot size, so beware)
/* $Id: mkarv4518fw.c,v 0.1 2010/10/29 20:49:08 $
*
* Based on the work of Petr Novak, BLFC from Openline ISP,
* Stefan Weil and Luca Olivetti.
*
* This software is distributed under the GNU public license (GPL).
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
/*
* Code to compute the CRC-32 table. Borrowed from
* gzip-1.0.3/makecrc.c.
*/
typedef unsigned long uint32_t;
static uint32_t crc_32_tab[256];
static void makecrc(void)
{
/* Not copyrighted 1990 Mark Adler */
unsigned long c; /* crc shift register */
unsigned long e; /* polynomial exclusive-or pattern */
int i; /* counter for all possible eight bit values */
int k; /* byte being shifted into crc apparatus */
/* terms of polynomial defining this crc (except x^32): */
static const int p[] = {0,1,2,4,5,7,8,10,11,12,16,22,23,26};
/* Make exclusive-or pattern from polynomial */
e = 0;
for (i = 0; i < sizeof(p)/sizeof(int); i++)
e |= 1L << (31 - p[i]);
crc_32_tab[0] = 0;
for (i = 1; i < 256; i++)
{
c = 0;
for (k = i | 256; k != 1; k >>= 1)
{
c = c & 1 ? (c >> 1) ^ e : c >> 1;
if (k & 1)
c ^= e;
}
crc_32_tab[i] = c;
}
}
unsigned long comp_crc(unsigned char *p, unsigned long len)
{
unsigned long crc = 0xFFFFFFFFUL;
while (len--) {
crc = crc_32_tab[(crc ^ *p++) & 0xff] ^ (crc >> 8);
}
return crc ^ 0xFFFFFFFFUL;
}
#define KiB 1024
#define MiB (KiB * KiB)
#define FLASH_SIZE 4*MiB
// available flas reduced by brnboot (0x0-0x6000) and board config (last sector)
#define FLASH_AVAIL (FLASH_SIZE - 0x60000 - 64 *KiB)
/* buffer must be large enough to contain firmware */
static unsigned char buffer[FLASH_AVAIL];
static char signature[10] = "BRNDANUBE";
static unsigned char rn (unsigned char b)
{
return b%16*16+b/16;
}
static int obfuscate(size_t si, char *in, char *out)
{
int j, i, o = 0;
out[o++] = 0x21;
out[o++] = 0x43;
out[o++] = 0x65;
out[o++] = 0x87;
i = 32+68;
for (j = 0; j < 32; j++)
out[o++]= in[i++];
i = 32;
for (j = 0; j < 68; j++)
out[o++] = in[i++];
i = 0;
for (j = 0; j < 16; j++, i++)
{
out[o++] = rn(in[j+i+1]);
out[o++] = rn(in[j+i]);
}
for (i = 132; i < si; i++)
out[o++] = in[i];
return si + 4;
}
static size_t add_file(char *filename, int obfus, unsigned char *buffer, size_t bytes_left)
{
unsigned long *p;
int fd;
size_t len;
static unsigned char *buffer_in;//[bytes_left];
unsigned long crc;
int i, n_ks, n_pad;
fd = open(filename, O_RDONLY);
if (fd < 0) {
perror(filename);
return 0;
}
if (obfus){
buffer_in = (unsigned char*)malloc(bytes_left);
len = read(fd, buffer_in, bytes_left-4);
}
else
len = read(fd, buffer, bytes_left);
close(fd);
if (len > bytes_left-(obfuscate ? 16 : 12)){
fprintf(stderr, "%s has %lu bytes, %lu bytes left: TOO BIG\n", filename, len, bytes_left);
return 0;
}
fprintf(stderr, "%s has %lu bytes, %lu bytes left\n", filename, len, bytes_left);
if (obfus){
obfuscate(len, buffer_in, buffer);
len += 4;
crc = comp_crc(buffer, len);
fprintf(stderr, "%s (%lu bytes) crc: 0x%lx\n", filename, len, crc);
}
else{
crc = comp_crc(buffer, len);
fprintf(stderr, "%s (%lu bytes) crc: 0x%lx\n", filename, len, crc);
}
n_ks = (len/1024) + 1;
p = (unsigned long *)(buffer + n_ks*1024 - 3*4);
*p++ = len;
*p++ = 0x12345678;
*p++ = crc;
return ((unsigned char*)p - buffer);
}
int main(int argc, char *argv[])
{
unsigned long *p;
int fd;
size_t len;
char *filename1 = 0;
char *filename2 = 0;
char *filename3 = 0;
char *filename4 = 0;
char *filename5 = 0;
char *fw_file = 0;
size_t total_size = FLASH_AVAIL;
size_t count = 0;
memset(buffer, 0xff, total_size);
filename1 = argv[1];
filename2 = argv[2];
filename3 = argv[3];
filename4 = argv[4];
filename5 = argv[5];
fw_file = argv[6];
makecrc();
count += add_file(filename1, 1, buffer+count, total_size - count);
count += add_file(filename2, 1, buffer+count, total_size - count);
count += add_file(filename3, 0, buffer+count, total_size - count);
count += add_file(filename4, 0, buffer+count, total_size - count);
// count += add_file(filename5, 0, buffer+count, total_size - count);
memcpy(buffer+count, signature, 10);
count += 10;
fprintf(stderr, "writing %s %lu bytes, %lu bytes left\n", fw_file, count, total_size - count);
fd = open(fw_file, O_CREAT|O_WRONLY|O_TRUNC, 0666);
if (fd < 0) {
perror(fw_file);
return 0;
}
write(fd, buffer, count);
close(fd);
return 1;
}
// available flas reduced by brnboot (0x0-0x6000) and board config (last sector)
#define FLASH_AVAIL (FLASH_SIZE - 0x60000 - 64 *KiB)
0x6000 or 0x60000?
I tried to dump the current firmware of my arv7518pw but the serial/usb adapter died :-(
Since the original firmware file for it isn't available anywhere, I cannot test your image
ngp,
Let me just confirm some things with you, before I upload your firmware....
I can upload this image to an smc7908A-ISP, even though your image is for arv4518.
I will be able to recover the original fw if I save the current fw prior the upload.
I just don't want to brick my router.....
And an other question. What has to be done in order to save permanent changes?
dp79
@ngp, I scavenged a max232 from by scrap bin and I managed to connect to the serial port of the arv7518pw (which, btw, it seems it has a different pin-out than the 4518).
Since there's no option to download the firmware, I have to dump it to the screen (with the "Read from memory" boot menu option) and decode it. I have a program somewhere to do it, but since it's slow and error prone, I'd like to know what to dump:
UPLOAD Flash
---------------------------------------
Area Address Length
---------------------------------------
[0] Boot 0xB0000000 128K
[1] Configuration 0xB0020000 256K
[2] None 0xB0060000 64K
[3] Special Area 0xB0070000 64K
[4] Primary Setting 0xB0080000 64K
[5] Code Image 0 0xB0090000 3776K
[6] Code Image 1 0xB0440000 3776K
[7] Boot Params 0xB07F0000 64K
[8] Flash Image 0xB0000000 8192K
---------------------------------------
Apparently your firmware starts at 0x60000 and doesn't overwrite the last partition, so I should dump [2],[3],[4],[5] and [6], right?
(Last edited by pippolippi on 30 Oct 2010, 14:59)
Mmh, the arv7518pw has double the flash (8Mbytes instead of 4) and a different disposition, this is the beginning of the bootlog of the arv4518
=======================================================================
Wireless ADSL Gateway DANUBE Loader 64M-V0.02 build Nov 22 2007 17:32:23
Arcadyan Technology Corporation
=======================================================================
EON EN29LV320B bottom boot 16-bit mode found
Copying boot params.....DONE
Press Space Bar 3 times to enter command mode ...
Flash Checking - fw/ui... Passed.
Image[1] at 0xb0060000, len:1378740, type:0
Image[2] at 0xb01b0c00, len:459767, type:10
Image[3] at 0xb0221400, len:174146, type:50
Image[4] at 0xb024c000, len:173329, type:60
Image[5] at 0xb0276800, len:316099, type:90
Firmware image at 0, ART image at -1
compared to the arv7518
=======================================================================
Wireless ADSL Gateway DANUBE Loader v1.04.00 build Feb 26 2010 20:49:17
Arcadyan Technology Corporation
=======================================================================
EON EN29LV640B bottom boot 16-bit mode found
Copying boot params.....DONE
Press Space Bar 3 times to enter command mode ...
Flash Checking [0] Passed.
Image[1] at 0xb0090000, len:1553932, type:0
Image[2] at 0xb020b800, len:477978, type:10
Image[3] at 0xb0280400, len:241582, type:9
Image[4] at 0xb02bb400, len:174146, type:50
Image[5] at 0xb02e6000, len:173329, type:60
Image[6] at 0xb0310800, len:316099, type:90
Firmware image at 0, ART image at 2
Hi,
pipolippi: Do no flash my image. It wont work. The flash size and flash layout are different. The uboot in my image will try to start a kernel at addr 0xb007d000 and probably in your flash it will be at 0xb009d000. Can you post a bootlog?
Alternatively, you can try to extract the uboot from my image (first or secon file) with sp700ex utility and unlzma the unscrambled one. Then load it at RAM address 0x80002000. If it works, you kan tftp the kernel (third file) and bootm.
dp79: smc7908A-ISP and arv4518 are the same router. My firmware image only replaces the firmware part of the flash, the original bootloader is kept intact, so if you have an ya/smc/whatever flash update, you can always reflash using the recovery procedure (pressing reset during powerup). But beware: my image is a test image, very far away from production state.
Greets.
pipolippi: Do no flash my image. It wont work. The flash size and flash layout are different. The uboot in my image will try to start a kernel at addr 0xb007d000 and probably in your flash it will be at 0xb009d000. Can you post a bootlog?
Yes, I already thought that I couldn't flash the image as is. Here is the bootlog:
http://pastebin.ca/1977895
Alternatively, you can try to extract the uboot from my image (first or secon file) with sp700ex utility and unlzma the unscrambled one. Then load it at RAM address 0x80002000. If it works, you kan tftp the kernel (third file) and bootm.
I'll try that.