Topic: HooToo Wireless, Ethernet, USB ... thing HT-TM02

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Page 1 of 1

Post #1

cnlohr

2 Jun 2014, 06:35

http://www.amazon.com/gp/product/B00HZW … &psc=1

This little badboy is pretty sweet. At $19.99, with ethernet, USB, and wifi, it looks like the makings for a multitude of hacks, so I bought it and tried messing with it.

Really, I REALLY REALLY want OpenWRT on this thing, so I tried some things first. But, what I'm really after is what can I do to try to get OpenWRT ported for this thing?

Things I found:

(1) You can telnet into it as "admin" a restricted user who an read/write to the home folder. It's running an old 2.6 kernel. I tried running some binaries I compiled with the bootstrapped openwrt for the arch, but couldn't get them to run. Not sure why. I want root.

(2) I tried using the password change feature in the UI, and modified the request to try a different user. I can edit users like nobody, or daemon, but it won't let me change the root password. No "sudo" either.

(3) I can get full read/write access to /dev/mtdX, I ripped a disk image, it's got the funny lzma with backwards signature "shsq". I uncompressed it, tweaked one of the group files, recompressed, and overwrote the dev/mtd file with the rootfs.

(4) I bricked my device. So, I bought another.

In the mean time, I will try to find some serial debug pins and post what I find.

I have all of the flash banks dumped if that would be of any use to progressing this.

*EDIT* Here's the cpuinfo

system type             : Ralink SoC
processor               : 0
cpu model               : MIPS 24K V4.12
BogoMIPS                : 239.61
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp
VCED exceptions         : not available
VCEI exceptions         : not available

Charles

(Last edited by cnlohr on 4 Jun 2014, 06:55)

Post #2

cnlohr

4 Jun 2014, 00:36

So, here's the serial output from my bricked one:

U-Boot 1.1.3 (Oct 22 2013 - 09:52:33)

DRAM:  32 MB
Initialize usb ehci ohci
find flash: MX25L6405D
.*** Warning - bad CRC, using default environment

============================================ 
UBoot Version: 3.6.0.0
-------------------------------------------- 
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping 
DRAM_TYPE: SDRAM 
DRAM_SIZE: 256 Mbits
DRAM_WIDTH: 16 bits
DRAM_TOTAL_WIDTH: 16 bits
TOTAL_MEMORY_SIZE: 32 MBytes
Flash component: SPI Flash
Date:Oct 22 2013  Time:09:52:33
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384 

 ##### The CPU freq = 360 MHZ #### 
 estimate memory size =32 Mbytes
.
Initialize vs configure module
.Initialize GPIO
Input i key to enter menu 0 
........................## Booting image at 80500000 ...
   Image Name:   Linux Kernel Image
   Created:      2013-11-01   5:37:54 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1442281 Bytes =  1.4 MB
   Load Address: 80000000
   Entry Point:  80441000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80441000) ...
## Giving linux memsize in MB, 32

Starting kernel ...


LINUX started...

 THIS IS ASIC
PROC INIT OK!
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,8)

But, cool as it is, it also includes this if I press I:

Enter menu option

|-------------------------------|
|         IOVST MAIN MENU       |
|-------------------------------|
| 6 Test USB                    |
| 8 Test ethernet               |
| B Boot the Kernel             |
| E Test PIO                    |
| I Test system params          |
| U SPIFlash Upgrade            |
| T SMT test program            |
| X Update the license          |
| R Reboot                      |
| Z Enter Command Line Interface|
|-------------------------------|
 Please input test item

Here's what happens if I try holding the reboot button on power on. Any ideas how I could TFTP this thing back to life?

ArpTimeoutCheck 
Using Eth0 (10/100-M) device
TFTP from server 10.10.10.254; our IP address is 10.10.10.128
Filename 'kernel'.

 TIMEOUT_COUNT=10,Load address: 0x80500000
Loading: *
ArpTimeoutCheck 
T T T T T T T T T T 
Retry count exceeded; starting again
Trying Eth0 (10/100-M)

 ETH_STATE_ACTIVE!! 

ArpTimeoutCheck

Post #3

qasdfdsaq

4 Jun 2014, 01:13

Change your IP to 10.10.10.254 and run a tftp server serving the file "kernel"? That or flash it using the serial CLI

Post #4

cnlohr

4 Jun 2014, 07:02

How do I know which image to use? I.e. which one to download and put on the tftp server? It's this:

Ralink SoC, MIPS 24K V4.12

Linux version 2.6.21 (hsq@localhost.localdomain) (gcc version 3.4.2) #6 Fri Nov 1 13:37:43 CST 2013

 The CPU feqenuce set to 360 MHz
CPU revision is: 0001964c
Determined physical RAM map:
[debug]Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
On node 0 totalpages: 8192
  DMA zone: 64 pages used for memmap
  DMA zone: 0 pages reserved
  DMA zone: 8128 pages, LIFO batch:0
  Normal zone: 0 pages used for memmap
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock8 rootfstype=squashfs quiet
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
cause = c0808060, status = 11000000
PID hash table entries: 128 (order: 7, 512 bytes)
calculating r4koff... 0015f900(1440000)
CPU frequency 360.00 MHz
Using 180.000 MHz high precision timer.
Console: colour dummy device 80x25
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27852k/32768k available (3415k kernel code, 4916k reserved, 937k data, 148k init, 0k highmem)
Calibrating delay loop... 239.61 BogoMIPS (lpj=479232)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Time: MIPS clocksource has been installed.
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
detected lzma initramfs
detected lzma initramfs
initramfs: LZMA lc=3,lp=0,pb=2,dictSize=1048576,origSize=512
LZMA initramfs by Ming-Ching Tiew <mctiew@yahoo.com>.deice id : c2 20 17 c2 20 (2017c220)
MX25L6405D(c2 2017c220) (8192 Kbytes)
mtd .name = raspi, .size = 0x00800000 (8M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 9 MTD partitions on "raspi":
0x00000000-0x00800000 : "ALL"
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Config"
0x00040000-0x00050000 : "Factory"
0x00050000-0x001d0000 : "Kernel_RootFS"
0x001d0000-0x001e0000 : "params"
0x001e0000-0x001f0000 : "user_backup"
0x001f0000-0x00200000 : "user"
0x00200000-0x00800000 : "Rootfs"
arch/mips/rt2880/nvram.c 275: len=0x3ffc, fb[0].env.crc=0xeea9d7d3
arch/mips/rt2880/nvram.c 275: len=0x1ffc, fb[1].env.crc=0xffffffff
arch/mips/rt2880/nvram.c 279: index:1, Bad CRC ffffffff, ignore values in flash.
arch/mips/rt2880/nvram.c 275: len=0x1ffc, fb[2].env.crc=0xffffffff
arch/mips/rt2880/nvram.c 279: index:2, Bad CRC ffffffff, ignore values in flash.
arch/mips/rt2880/nvram.c 275: len=0x4ffc, fb[3].env.crc=0xffffffff
arch/mips/rt2880/nvram.c 279: index:3, Bad CRC ffffffff, ignore values in flash.
Ralink Kernel NVRAM initialized
RT3xxx EHCI/OHCI init.
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
NTFS driver 2.1.28 [Flags: R/O].
fuse init (API version 7.8)
io scheduler noop registered (default)
HDLC line discipline: version $Revision: 1.1.1.1 $, maxframe=4096
N_HDLC line discipline registered.
Reset button driver registered
vs_pio_major = 100
vs_pio_major = 100
vs pio driver started!
vstinfo: Module loaded.
Serial: 8250/16550 driver $Revision: 1.7 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A
serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A
RAMDISK driver initialized: 8 RAM disks of 4096K size 1024 blocksize
loop: loaded (max 8 devices)
rdm_major = 253
Ralink APSoC Ethernet Driver Initilization. v2.1  256 rx/tx descriptors allocated, mtu = 1500!
MAC_ADRH -- : 0x0000001c
MAC_ADRL -- : 0xc20f26f9
PROC INIT OK!
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V0.17
PPTP driver version 0.8.1


=== pAd = c0019000, size = 629088 ===

 RTMPAllocAdapterBlock, Status=0
block2mtd: version $Revision: 1.1.1.1 $
rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x101c0000
rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
ohci_hcd: 2006 August 04 USB 1.1 'Open' Host Controller (OHCI) Driver
rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x101c1000
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
usbcore: registered new interface driver cdc_acm
drivers/usb/class/cdc-acm.c: v0.25:USB Abstract Control Model driver for USB modems and ISDN adapters
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver libusual
usbcore: registered new interface driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial Driver core
drivers/usb/serial/usb-serial.c: USB Serial support registered for GSM modem (1-port)
usbcore: registered new interface driver option
drivers/usb/serial/option.c: USB Driver for GSM modems: Cathay usbdongle 1.2: v0.7.1
drivers/usb/serial/usb-serial.c: USB Serial support registered for Sierra USB modem (1 port)
drivers/usb/serial/usb-serial.c: USB Serial support registered for Sierra USB modem (3 port)
usbcore: registered new interface driver sierra
drivers/usb/serial/sierra.c: USB Driver for Sierra Wireless USB modems: v.1.0.6
hso: drivers/usb/serial/hso.c: 1.6.1-Option Option Wireless Cathay
usbcore: registered new interface driver hso
nf_conntrack version 0.5.0 (256 buckets, 2048 max)
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone
arp_tables: (C) 2002 David S. Miller
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Match the module's license!
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 148k freed
Algorithmics/MIPS FPU Emulator v1.5
tntfs: module license 'Commercial. For support email ntfs-support@tuxera.com.' taints kernel.
Tuxera NTFS driver 3013.2.5 [Flags: R/W MODULE].
Tuxera exFAT driver 3013.2.9 [Flags: R/W MODULE].
arch/mips/rt2880/nvram.c 472: len=0x3ffc, crc_value=0xeea9d7d3, fb[0].env.crc=0xeea9d7d3
arch/mips/rt2880/nvram.c 502: Same CRC
arch/mips/rt2880/nvram.c 423: --> nvram_clear 0
arch/mips/rt2880/nvram.c 445: clear flash from 0x2004 for 0x3ffc bytes
arch/mips/rt2880/nvram.c 527: --> nvram_commit 0
phy_tx_ring = 0x01357000, tx_ring = 0xa1357000

phy_rx_ring0 = 0x01294000, rx_ring0 = 0xa1294000
MAC_ADRH -- : 0x0000001c
MAC_ADRL -- : 0xc20f26f9
RT305x_ESW: Link Status Changed
vs_port_link_status=0
RX DESC a1d33000  size = 2048
 RTMPAllocTxRxRingMemory, Status=0
1. Phy Mode = 9
2. Phy Mode = 9
3. Phy Mode = 9
RTMPSetPhyMode: channel is out of range, use first channel=0 
MCS Set = ff 00 00 00 01
SYNC - BBP R4 to 20MHz.l
RTMP_TimerListAdd: add timer obj c0052244!
Main bssid = 00:1c:c2:0f:26:f8
== rt28xx_init, Status=0
0x1300 = 00064380
eth2.2: Setting MAC address to  00 1c c2 0f 26 f9.
VLAN (eth2.2):  Underlying device (eth2) has same MAC, not checking promiscious mode.
eth2.2: add 33:33:00:00:00:01 mcast address to master interface
eth2.2: add 01:00:5e:00:00:01 mcast address to master interface
eth2.2: add 33:33:ff:0f:26:f9 mcast address to master interface
device ra0 entered promiscuous mode
br0: port 1(ra0) entering learning state
br0: topology change detected, propagating
br0: port 1(ra0) entering forwarding state
eth2: no IPv6 routers present
ra0: no IPv6 routers present
br0: no IPv6 routers present
eth2.2: no IPv6 routers present
enter reset int_handler
gpio_intp:0x4000, gpio_edge:0x5204, reset mask:0x400, power mask:0x2
Send the net switch signal
High level, Wireless WiFi
Send SIGINT signal
arch/mips/rt2880/nvram.c 527: --> nvram_commit 0
eth2.2: del 33:33:ff:0f:26:f9 mcast address from vlan interface
eth2.2: del 33:33:ff:0f:26:f9 mcast address from master interface
eth2.2: del 01:00:5e:00:00:01 mcast address from vlan interface
eth2.2: del 01:00:5e:00:00:01 mcast address from master interface
eth2.2: del 33:33:00:00:00:01 mcast address from vlan interface
eth2.2: Setting MAC address to  00 1c c2 0f 26 f9.
VLAN (eth2.2):  Underlying device (eth2) has same MAC, not checking promiscious mode.
eth2.2: add 33:33:00:00:00:01 mcast address to master interface
eth2.2: add 01:00:5e:00:00:01 mcast address to master interface
eth2.2: add 33:33:ff:0f:26:f9 mcast address to master interface
br0: port 1(ra0) entering disabled state
device ra0 left promiscuous mode
br0: port 1(ra0) entering disabled state
device ra0 entered promiscuous mode
eth2.2: del 33:33:ff:0f:26:f9 mcast address from vlan interface
eth2.2: del 33:33:ff:0f:26:f9 mcast address from master interface
eth2.2: del 01:00:5e:00:00:01 mcast address from vlan interface
eth2.2: del 01:00:5e:00:00:01 mcast address from master interface
eth2.2: del 33:33:00:00:00:01 mcast address from vlan interface
eth2.2: del 33:33:00:00:00:01 mcast address from master interface
ra2880stop()...Done
Free TX/RX Ring Memory!
br0: port 1(ra0) entering learning state
br0: topology change detected, propagating
br0: port 1(ra0) entering forwarding state
br0: no IPv6 routers present
apcli0: no IPv6 routers present
RTMP_TimerListAdd: add timer obj c00996d0!
RTMP_TimerListAdd: add timer obj c0099884!
RTMP_TimerListAdd: add timer obj c00acf30!
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(4)=TKIP

Rcv Wcid(1) AddBAReq
Start Seq = 00000049
RTMP_TimerListAdd: add timer obj c00aeb40!
RTMP_TimerListAdd: add timer obj c00acf68!
AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(4)=TKIP

(Last edited by cnlohr on 4 Jun 2014, 07:02)

Post #5

cnlohr

4 Jun 2014, 07:23

I'm trying to upgrade the kernel, and I'm using the uimage file. I get this when I try booting now.

*EDIT* I found openwrt-ramips-rt305x-uImage.bin seems to try to boot... ish...

   Image Name:   MIPS Opt Linux-3.3.8
   Created:      2013-03-23:00:53 UTC
   Image Type:   MIPS Linux Ke Image (lzma compressed)
   Data Size:    88683tes = 866 kB
   Load Address: 80000000
  try Point:  80000000
   Verifying Checksum OK
   mpressing Kernel Image ... OK
No initrd
## Transferr control to Linux (at address 80000000) ... Giving linux memsize in MB, 32

Starting kern..

[    0.000000] Linux vers3.3.8 (blogic@Debian-60-squeeze-64-minimal)cc version 4.6.3 20120201 (prerelease) (LinGCC 4.6-2012.02) ) #1 Sat Mar 23 19:00:46 2013
[    0.000000] bootconsole [early0] led
[    0.000000] CPU revision is: 000196(MIPS 24KEc)
[    0.000000] Ralink RT5350  rev:3 running at 360.00 MHz
[    0.00000etermined physical RAM map:
[    0.000000]  mem 02000000 @ 00000000 (usable)
[    0.00] Initrd not found or empty - disabling in
[    0.000000] Zone PFN ranges:
[    0.000]   Normal   0x00000000 -> 0x00002000
[ .000000] Movable zone start PFN for each n
[    0.000000] Early memory PFN ranges
[0.000000]     0: 0x00000000 -> 0x00002000
[    0.000000]lt 1 zonelists in Zone order, mobility grog on.  Total pages: 8128
[    0.000000] Kernel and line:  rootfstype=squashfs,jffs2
[   00000] PID hash table entries: 128 (order: 512 bytes)
[    0.000000] Dentry cache hatable entries: 4096 (order: 2, 16384 bytes)    0.000000] Inode-cache hash table entrie048 (order: 1, 8192 bytes)
[ .000000] Primary instruction cache 32kB, V 4-way, linesize 32 bytes.
[    0.000000]mary data cache 16kB, 4-way, VIPT, no alia linesize 32 bytes
[    0.000000] WritirrCtl register=0003fe9f
[    0.000000] ReadbackCtl register=0003fe9f
[    0.000000] Memory: 29672k/32768ailable (2046k kernel code, 3096k reserved,0k data, 176k init, 0k highmem)
[    0.000 SLUB: Genslabs=9, HWalign=32, Order=0-3, bjects=0, CPUs=1, Nodes=1
[    0.000000] RQS:48
[    0.000000] console [ttyS0] end, bootconsole disabled

If I try: openwrt-ramips-rt3883-uImage.bin I get:

[    0.00] Primary instruction cache 32kB, VIPT, 4-w linesize 32 bytes.
[    0.000000] Primarya cache 16kB, 4-way, VIPT, no aliases, line 32 bytes
[    0.000000] Writing ErrCtgister=0007fc2f
[    0.000000] Readback El register=0007fc2f
[    00000] Memory: 256960k/262144k available (21kernel code, 5184k reserved, 370k data, 17ni
t, 0k highmem)
[    0.000000] Unhandlednel unaligned access[#1]:
[    0.000000] 0
[    0.000000] $ 0   : 00000000 00000000000000 00000001
[    0.000000] $ 4   : ddba 00000000 00000074 00000080
[    0.00000 8   : fffffffe 0000000a ffffffff 00000005
[   00000] $12   : 00000000 00000100 00000000 0000
[    0.000000] $16   : ddbaddba 80230 00000080 00000000
[    0.000000] $20   : 0080 802302d4 00000080 00000001
[    0.00] $24   : 00000000 00000014               
[    0.000000] $28   : 8025c000 8025de68 8f40 80073648
[    0.000000] Hi    : 00000
[    0.000000] Lo    : 00000005
[    0.00] epc   : 8007364c 0x8007364c
[    0.000     Not tainted
[    0.000000] ra    : 8648 0x80073648
[    0.000000] Status: 11000002 ERNEL EXL 
[    0.000000] Cause : 40808014    0.000000] BadVA : ddbaddfa
[    0.0000PrId  : 0001964c (MIPS 24KEc)
[    0.0000Modules linked in:
[    0.000000] Processpper (pid: 0, threadinfo=8025c000, task=802c0, tls=00000000)
[    0.000000] Stack : 1002 0000001c 00000005 baddbae1 40808014 80f4 80268720 8004ea54
[    0.000000]      dbaddba 00000007 802c752c 80270000 802c75227dd18 802c0000 802781c4
[    0.000000]        a0000 0003ebc0 00000000 00000000 00001440 00172 80292dc8 802a0000
[    0.000000]     80290000 8029818f 80260000 00000000 81fec00000000 81fec000 802736ec
[    0.000000]     00000000 80292dc8 ffffffff 00000018 802dc 00000000 80298174 00000000
[    0.00000       ...
[    0.000000] Call Trace:[<80f4>] 0x80072df4
[    0.000000] [<8004ea54x8004ea54
[    0.000000] [<8027dd18>] 0x8d18
[    0.000000] [<802781c4>] 0x802781c4   0.000000] [<80292dc8>] 0x80292dc8
[    0.000] [<80290000>] 0x80290000
[    0.000000] [736ec>] 0x802736ec
[    0.000000] [<80292] 0x80292dc8
[    0.000000] [<802730dc>] 2730dc
[    0.000000] 
[    0.000000] 
[ 0.000000] Code: 0c041c60  00808021  8fa200ae110040> ae140010  ae020030  ae120038  ae04  ae0
0003c

(Last edited by cnlohr on 4 Jun 2014, 07:45)

Post #6

cnlohr

4 Jun 2014, 08:21

I know I'm posting a lot, but I tried updating "all" firmware, and superbricked my device. Now, not even the bootloader is coming up.

I guess time to crack open the other. That makes me kind of nervous, since then I can't poke around with a working model.

I feel like a monkey in a mercury capsule.

Post #7

cnlohr

6 Jun 2014, 06:58

I guess I'll just keep posting here until I can figure out how to more properly register devices.

I updated my USB - serial dongle that I made with an ATMega32u2.

U-Boot 1.1.3 (Oct 22 2013 - 09:52:33)
DRAM:  32 MB
Initialize usb ehci ohci
find flash: MX25L6405D
.*** Warning - bad CRC, using default environment
=========================================== 
UBoot Version: 3.6.0.0
-------------------------------------------- 
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping 
DRAM_TYPE: SDRAM 
DRAM_SIZE: 256 Mbits
DRAM_WIDTH: 16 bits
DRAM_TOTAL_WIDTH: 16 bits
TOTAL_MEMORY_SIZE: 32 MBytes
Flash component: SPI Flash
Date:Oct 22 2013  Time:09:52:33
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384 

##### The CPU freq = 360 MHZ #### 
 estimate memory size =32 Mbytes
.
Initialize vs configure module
.Initialize GPIO
Input i key to enter menu:   1  0 
........................## Booting image at 80500000 ...
   Image Name:   Linux Kernel Image
   Created:      2013-11-01   5:37:54 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1442281 Bytes =  1.4 MB
   Load Address: 80000000
   Entry Point:  80441000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80441000) ...
## Giving linux memsize in MB, 32
Starting kernel ...
LINUX started...
 THIS IS ASIC
PROC INIT OK!
enter init
Start rootfs
mounted
echo 6 > /proc/sys/kernel/printk
tntfs: module license 'Commercial. For support email ntfs-support@tuxera.com.' taints kernel.
init dev files
mounted end
Sun Jan  1 00:00:00 UTC 2012
Get time information first
tz_minuteswest=0
Set time information
offset=0  tz.tz_minuteswest=0
Get time information again
tz_minuteswest=0
GMT-00:00
arch/mips/rt2880/nvram.c 472: len=0x3ffc, crc_value=0xeea9d7d3, fb[0].env.crc=0xeea9d7d3
arch/mips/rt2880/nvram.c 502: Same CRC
Finish the check crc
SSID_PREFIX:TripMateNano
wireless port last two bytes:-26f8!
tmp1 = TripMateNano-26F8!
Default SSID:TripMateNarch/mips/rt2880/nvram.c 423: --> nvram_clear 0
ano-26F8!
arch/mips/rt2880/nvram.c 445: clear flash from 0x2004 for 0x3ffc bytes
arch/mips/rt2880/nvram.c 527: --> nvram_commit 0
init net
status=0

phy_tx_ring = 0x006dc000, tx_ring = 0xa06dc000

phy_rx_ring0 = 0x006dd000, rx_ring0 = 0xa06dd000
MAC_ADRH -- : 0x0000001c
MAC_ADRL -- : 0xc20f26f9
RT305x_ESW: Link Status Changed
vs_port_link_status=0
RX DESC a1cca000  size = 2048
<-- RTMPAllocTxRxRingMemory, Status=0
RTMP_TimerListAdd: add timer obj c0083b68!
RTMP_TimerListAdd: add timer obj c0020fe4!
RTMP_TimerListAdd: add timer obj c0020bb4!
RTMP_TimerListAdd: add timer obj c0020f90!
RTMP_TimerListAdd: add timer obj c0020fb8!
RTMP_TimerListAdd: add timer obj c0021210!
RTMP_TimerListAdd: add timer obj c0024104!
RTMP_TimerListAdd: add timer obj c0023cd4!
RTMP_TimerListAdd: add timer obj c00240b0!
RTMP_TimerListAdd: add timer obj c00240d8!
RTMP_TimerListAdd: add timer obj c0024330!
RTMP_TimerListAdd: add timer obj c0027224!
RTMP_TimerListAdd: add timer obj c0026df4!
RTMP_TimerListAdd: add timer obj c00271d0!
RTMP_TimerListAdd: add timer obj c00271f8!
RTMP_TimerListAdd: add timer obj c0027450!
RTMP_TimerListAdd: add timer obj c002a344!
RTMP_TimerListAdd: add timer obj c0029f14!
RTMP_TimerListAdd: add timer obj c002a2f0!
RTMP_TimerListAdd: add timer obj c002a318!
RTMP_TimerListAdd: add timer obj c002a570!
RTMP_TimerListAdd: add timer obj c002d464!
RTMP_TimerListAdd: add timer obj c002d034!
RTMP_TimerListAdd: add timer obj c002d410!
RTMP_TimerListAdd: add timer obj c002d438!
RTMP_TimerListAdd: add timer obj c002d690!
RTMP_TimerListAdd: add timer obj c0030584!
RTMP_TimerListAdd: add timer obj c0030154!
RTMP_TimerListAdd: add timer obj c0030530!
RTMP_TimerListAdd: add timer obj c0030558!
RTMP_TimerListAdd: add timer obj c00307b0!
RTMP_TimerListAdd: add timer obj c00336a4!
RTMP_TimerListAdd: add timer obj c0033274!
RTMP_TimerListAdd: add timer obj c0033650!
RTMP_TimerListAdd: add timer obj c0033678!
RTMP_TimerListAdd: add timer obj c00338d0!
RTMP_TimerListAdd: add timer obj c00367c4!
RTMP_TimerListAdd: add timer obj c0036394!
RTMP_TimerListAdd: add timer obj c0036770!
RTMP_TimerListAdd: add timer obj c0036798!
RTMP_TimerListAdd: add timer obj c00369f0!
RTMP_TimerListAdd: add timer obj c005170c!
RTMP_TimerListAdd: add timer obj c00512dc!
RTMP_TimerListAdd: add timer obj c00516b8!
RTMP_TimerListAdd: add timer obj c00516e0!
RTMP_TimerListAdd: add timer obj c0051738!
RTMP_TimerListAdd: add timer obj c0051764!
RTMP_TimerListAdd: add timer obj c0051790!
RTMP_TimerListAdd: add timer obj c0084088!
RTMP_TimerListAdd: add timer obj c0084060!
RTMP_TimerListAdd: add timer obj c0084038!
RTMP_TimerListAdd: add timer obj c005a924!
RTMP_TimerListAdd: add timer obj c005aa28!
RTMP_TimerListAdd: add timer obj c005a94c!
RTMP_TimerListAdd: add timer obj c0051c74!
RTMP_TimerListAdd: add timer obj c001e468!
RTMP_TimerListAdd: add timer obj c0021588!
RTMP_TimerListAdd: add timer obj c00246a8!
RTMP_TimerListAdd: add timer obj c00277c8!
RTMP_TimerListAdd: add timer obj c002a8e8!
RTMP_TimerListAdd: add timer obj c002da08!
RTMP_TimerListAdd: add timer obj c0030b28!
RTMP_TimerListAdd: add timer obj c0033c48!
RTMP_TimerListAdd: add timer obj c0051990!
Key1Str is Invalid key length(0) or Type(1)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
2b:39:24:2f:fa:ec:b9:89:8a:13:f5:bf:4f:f5:ad:e5:
3c:c5:ec:f7:dd:a4:66:7e:16:08:be:a5:e1:23:d7:96:

1. Phy Mode = 9
2. Phy Mode = 9
3. Phy Mode = 9
RTMPSetPhyMode: channel is out of range, use first channel=0 
MCS Set = ff 00 00 00 01
SYNC - BBP R4 to 20MHz.l
RTMP_TimerListAdd: add timer obj c0052244!
Main bssid = 00:1c:c2:0f:26:f8
<==== rt28xx_init, Status=0
0x1300 = 00064380
vconfig: ioctl error for rem: Invalid argument
eth2.2: Setting MAC address to  00 1c c2 0f 26 f9.
VLAN (eth2.2):  Underlying device (eth2) has same MAC, not checking promiscious mode.
ifconfig: ioctl 0x8913 failed: No such device
brctl: bridge br0: No such device or address
switch reg write offset=14, value=405555
switch reg write offset=50, value=2001
switch reg write offset=98, value=7f3f
switch reg write offset=e4, value=3f
switch reg write offset=40, value=1001
switch reg write offset=44, value=1001
switch reg write offset=48, value=1002
switch reg write offset=70, value=ffff506f
Set: phy[0].reg[0] = 3900
Set: phy[1].reg[0] = 3900
Set: phy[2].reg[0] = 3900
Set: phy[3].reg[0] = 3900
aaaaa
do_cmd:mkdir /tmp/led_tmp
BEGIN:=======================================2455 to wait child 2457
END:=======================================2455 to wait child 2457
### adapter index 9
### adapter hardware address 00:1c:c2:0f:26:f9
udhcpc (v1.12.1) started
### vfork'ing and execle'ing /sbin/udhcpc.sh
/etc/rc.d/rc1.d/S73ddns start
/etc/rc.d/rc1.d/S75fileserv start
/etc/rc.d/rc1.d/S80webd start
/etc/rc.d/rc1.d/S82upnpd start
/etc/rc.d/rc1.d/S99local start

TM02 login:

Info from console:

$ cat /proc/cpuinfo
system type             : Ralink SoC
processor               : 0
cpu model               : MIPS 24K V4.12
BogoMIPS                : 239.61
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp
VCED exceptions         : not available
VCEI exceptions         : not available

$ cat /proc/meminfo
MemTotal:        28000 kB
MemFree:          9616 kB
Buffers:          1032 kB
Cached:           7100 kB
SwapCached:          0 kB
Active:           4104 kB
Inactive:         5940 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:               0 kB
Writeback:           0 kB
AnonPages:        1944 kB
Mapped:           1328 kB
Slab:             6340 kB
SReclaimable:     2284 kB
SUnreclaim:       4056 kB
PageTables:        260 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:     14000 kB
Committed_AS:     4756 kB
VmallocTotal:  1048404 kB
VmallocUsed:      1572 kB
VmallocChunk:  1046368 kB

$ cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00180000 00010000 "Kernel_RootFS"
mtd5: 00010000 00010000 "params"
mtd6: 00010000 00010000 "user_backup"
mtd7: 00010000 00010000 "user"
mtd8: 00600000 00010000 "Rootfs"

$ cat /proc/partitions
major minor  #blocks  name

  31     0       8192 mtdblock0
  31     1        192 mtdblock1
  31     2         64 mtdblock2
  31     3         64 mtdblock3
  31     4       1536 mtdblock4
  31     5         64 mtdblock5
  31     6         64 mtdblock6
  31     7         64 mtdblock7
  31     8       6144 mtdblock8

$ cat /proc/cmdline
console=ttyS1,57600n8 root=/dev/mtdblock8 rootfstype=squashfs quiet

$ cat /proc/iomem
00000000-01ffffff : System RAM
  00000000-00355c3f : Kernel code
  00355c40-004400bf : Kernel data
101c0000-101c0fff : rt3xxx-ehci
  101c0000-101c0fff : ehci_hcd
101c1000-101c1fff : rt3xxx-ohci
  101c1000-101c1fff : ohci_hcd

$ /sbin/ifconfig
br0       Link encap:Ethernet  HWaddr 00:1C:C2:0F:26:F8  
          inet addr:10.10.10.254  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::21c:c2ff:fe0f:26f8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:818 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:260586 (254.4 KiB)

eth2      Link encap:Ethernet  HWaddr 00:1C:C2:0F:26:F9  
          inet6 addr: fe80::21c:c2ff:fe0f:26f9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:50856 (49.6 KiB)
          Interrupt:3 

eth2.2    Link encap:Ethernet  HWaddr 00:1C:C2:0F:26:F9  
          inet6 addr: fe80::21c:c2ff:fe0f:26f9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:50388 (49.2 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ra0       Link encap:Ethernet  HWaddr 00:1C:C2:0F:26:F8  
          inet6 addr: fe80::21c:c2ff:fe0f:26f8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:207502 (202.6 KiB)  TX bytes:0 (0.0 B)
          Interrupt:4

Post #8

cnlohr

6 Jun 2014, 07:44

Ok - now for a news post.

I can't figure out how to flash this thing. It has a small, 1.5MB "kernel" partition that it will boot if I chop off the HDR0 header, and make it start with the kernel header. It has a much large root partiton later. It gives me a few options. I can either upgrade things individually, or I can do them piecemeal.

I cannot flash full images into the kernel room because it's too small, and I'm terrified to upgrade the whole thing since that's how I bricked it last time.

Conveniently, I can "boot kernel with filesystem in RAM." I found the dir600b which has the same processor as my guy (the RT5350). I can get it to start booting, however it also does the whole panic thing... but, MUCH later.

I have two questions:

(1) How can I split the kernel and the rootfs back apart?
(2) Is it possible for me to safe?-ly? repartition my MTD so it is friendlier to OpenWRT?
(3) Are there other firmwares I can try network booting? Right now, I'm just stripping off the header and letting it have fun.
(4) Can I disable the nvram search from the kernel command line (not sure if I can edit that)

Linux version 3.2.54-svn23571 (root@dd-wrt.buildserver) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.01 r39555) ) #4076 Wed Feb 19 10:39:14 CET 2014
bootconsole [early0] enabled
CPU revision is: 0001964c (MIPS 24KEc)
Ralink RT5350 id:1 rev:3 running at 360.00 MHz
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line:  console=ttyS1,57600n8 root=/dev/mtdblock4 rootfstype=squashfs noinitrd
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, VIPT, no aliases, linesize 32 bytes
Writing ErrCtl register=000395b5
Readback ErrCtl register=000395b5
Memory: 29764k/32768k available (1992k kernel code, 3004k reserved, 296k data, 156k init, 0k highmem)
NR_IRQS:48
console [ttyS1] enabled, bootconsole disabled
console [ttyS1] enabled, bootconsole disabled
Calibrating delay loop... 239.61 BogoMIPS (lpj=1198080)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 3.0 (2006/03/15) Phillip Lougher
msgmni has been set to 58
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x10000500 (irq = 13) is a 16550A
serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
Ralink gpio driver initialized
system type: RT5350
boot type: 3
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
PPP generic driver version 2.4.2
PPP BSD Compression module registered
PPP Deflate Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
Ralink APSoC Hardware Watchdog Timer
u32 classifier
    Performance counters on
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (465 buckets, 1860 max)
ctnetlink v0.93: registering with nfnetlink.
IPv4 over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
IPP2P v0.8.2 loading
ipt_CLUSTERIP: ClusterIP Version 0.8 loaded successfully
TCP bic registered
TCP cubic registered
TCP westwood registered
TCP highspeed registered
TCP hybla registered
TCP htcp registered
TCP vegas registered
TCP scalable registered
NET: Registered protocol family 17
Bridge firewalling registered
8021q: 802.1Q VLAN Support v1.8
searching for nvram
Unhandled kernel unaligned access[#1]:
Cpu 0
$ 0   : 00000000 00000001 ffffffed 00000001
$ 4   : 80236d4c 00000000 00000001 00000000
$ 8   : 00000065 80230000 00000008 726f6620
$12   : 81c17de0 d3ea6662 a9a3c5be 02c65c16
$16   : 00000000 00000020 80290000 8020f6c0
$20   : 00010000 00000000 00000000 00000000
$24   : 00000018 800feb0c                  
$28   : 81c16000 81c17e80 00000000 8024a3bc
Hi    : 00000000
Lo    : cf14e000
epc   : 8024a3c4 0x8024a3c4
    Not tainted
ra    : 8024a3bc 0x8024a3bc
Status: 11008403    KERNEL EXL IE 
Cause : 00800010
BadVA : 00000021
PrId  : 0001964c (MIPS 24KEc)
Modules linked in:
Process swapper (pid: 1, threadinfo=81c16000, task=81c14888, tls=00000000)
Stack : 00000000 81005320 a4431fb9 fffffff0 00000000 8001f308 80263464 8024a30c
        00000000 80260000 80260000 800081d8 00003933 00000000 80230000 800b2058
        0000002f 80230000 00000000 80048d38 00000000 80263464 80263474 00000000
        00000000 00000000 00000000 8023d948 fa7ebaf7 bf7fbfff fffdfe9f ebdfefdf
        fffffff7 ffffff7f 00000000 00000000 00000000 80009194 fffdffff bfffffff
        ...
Call Trace:[<8001f308>] 0x8001f308
[<8024a30c>] 0x8024a30c
[<800081d8>] 0x800081d8
[<800b2058>] 0x800b2058
[<80048d38>] 0x80048d38
[<8023d948>] 0x8023d948
[<80009194>] 0x80009194
[<8023d88c>] 0x8023d88c
[<80009184>] 0x80009184


Code: 02002821  10400031  ae4294a0 <8c430034> 02602021  90650000  90810000  24630001  14250004 
---[ end trace 47637d2ce341a65a ]---
Kernel panic - not syncing: Attempted to kill init!
Rebooting in 1 seconds..

Post #9

cnlohr

6 Jun 2014, 08:48

Success... sort of... The binary from here works and boots, but no wifi seems to be available.

https://github.com/JiapengLi/OpenWrt-RT … ter/mpr-a1

I'll take another crack at it some other time.

Edit, this one seems to work better:
https://github.com/JiapengLi/OpenWrt-RT … r/hlk-rm04
hlk-rm04-32m-luci-usb-mjpg.bin

The ddwrt- one doesn't seem to boot.

(Last edited by cnlohr on 6 Jun 2014, 17:38)

Post #10

tman

6 Jun 2014, 18:21

You can't just load in a random image from another router and expect it to work 100%. It may have the same Ralink SoC but there are differences like how the GPIO pins are assigned for things like the reset button, the mode switch and LEDs. The flash layout listed in your boot log doesn't appear to be same as the HLK-RM04 either.

You need to download the OpenWRT source and set up a new target device with the correct configuration for this HooToo router. Read http://wiki.openwrt.org/doc/howto/build for more details on how to set up the source.

The reason why it completely died when you did flash all is because you overwrote the bootloader. The only way to recover that is to remove the flash chip from the board, reprogram it and then solder it back on. The JTAG interface doesn't seem to be broken out or enabled in any of these Ralink based boards.

Post #11

cnlohr

7 Jun 2014, 01:32

...To answer a question or two from above... You can just use the "openwrt-ramips-rt305x-hlk-rm04-squashfs-sysupgrade.bin" and upgrade as "kernel" it seems to plow right over any of the limits and works.

Thanks, Tman! Got the source, set it up, compiled a few kernels... After a bit, got some that boot and started doing stuff. I've tried a few different base pieces of hardware, including the hlk-rm04, mpr-a1 and mpr-a2. I now have USB, ethernet, etc. working. There are some oddities:

(1) I have to change the configuration to give the physical ethernets a MAC address. I'm not sure how to go about doing this... I have been copying-over a new /etc/config/network file every time I re-install.

(2) LEDs don't seem to be mapped to any available IO. I keep getting

[  458.230000] rt2880-pinmux pinctrl.1: pin 3 is not set to gpio mux
[  458.240000] rt2880-pinmux pinctrl.1: request() failed for pin 3
[  458.260000] rt2880-pinmux pinctrl.1: pin-3 (pio:3) status -22

for most of the GPIO. No LEDs turn on whether I try turning the pins either direction.

The LEDs are on before the kernel gets moving. Once the kernel gets moving they turn off.

Is it possible to modify the kernel source to give me unrestricted access across all known GPIO chips?

(3) Wifi will not ... actually ... work. The wifi wakes up, gets configured by the system, but doesn't see any other networks, and it can't be seen. I am suspicious there may be a GPIO-based kill switch of some sort. But, no GPIO = no ability to poke around and try to find it.

(4) If I work all these bugs out (may or may not. I'm quickly running out of "care" juice) how difficult would it be to properly make this into its own device in that list and push the changes back into openwrt? Right now, I'm just editing whatever I'm working with at the time.

[   17.420000] rt2800_wmac 10180000.wmac: failed to load eeprom property
[   17.430000] ieee80211 phy0: rt2x00lib_request_eeprom_file: Info - Loading EEPROM data from 'soc_wmac.eeprom'.
[   17.450000] ieee80211 phy0: rt2x00_set_rt: Info - RT chipset 5350, rev 0500 detected
[   17.470000] ieee80211 phy0: rt2x00_set_rf: Info - RF chipset 5350 detected
[   21.820000] rt305x-esw 10110000.esw: link changed 0x00
[   23.410000] rt305x-esw 10110000.esw: link changed 0x10
procd: - init complete -
[   28.500000] device eth0.2 entered promiscuous mode
[   28.510000] device eth0 entered promiscuous mode
[   28.530000] br-lan: port 1(eth0.2) entered forwarding state
[   28.540000] br-lan: port 1(eth0.2) entered forwarding state
[   28.570000] device eth0.1 entered promiscuous mode
[   28.620000] br-wan: port 1(eth0.1) entered forwarding state
[   28.630000] br-wan: port 1(eth0.1) entered forwarding state
[   30.370000] cfg80211: Calling CRDA for country: US
[   30.410000] cfg80211: Regulatory domain changed to country: US
[   30.420000] cfg80211:  DFS Master region: FCC
[   30.430000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   30.450000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[   30.460000] cfg80211:   (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 1700 mBm), (N/A)
[   30.480000] cfg80211:   (5250000 KHz - 5330000 KHz @ 80000 KHz), (N/A, 2300 mBm), (0 s)
[   30.500000] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[   30.510000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
[   30.540000] br-lan: port 1(eth0.2) entered forwarding state
[   30.630000] br-wan: port 1(eth0.1) entered forwarding state

(Last edited by cnlohr on 7 Jun 2014, 01:32)

Post #12

curious

1 Aug 2014, 05:57

Root password appears to be 20080826 if this can help further progress with openwrt on this thing

Post #13

wingspinner

14 Aug 2014, 20:10

curious wrote:

Root password appears to be 20080826 if this can help further progress with openwrt on this thing

Too bad I didn't find this until after I had found a backdoor to change the passwd and shadow files! Anyhow, all is not lost, I put together a fake firmware upgrade file that starts up telnetd, installs it to rc.d so it will start at boot, and backs up the /etc to flash so it all will stick when you reboot. You can get it from github: https://github.com/wingspinner/HooTooTM … master.zip

Just apply it as a firmware upgrade, wait a minute or so and refresh your screen (it doesn't reboot). telnetd will be running if all went well and if you reboot it should restart also. (The file is the one called: fw-WiFiPortTPatch-HooToo-TM02-2.000.016. The other file modifies the password file but we don't need that anymore ). You may need to have a USB memory device attached. I did get a "not enough memory" error at least once when applying it.

BTW, you can't just modify the file and have it work - you have to recalc the crcsum for the file content after the third line and update the CRCSUM= line in the file otherwise the device will choke on it. The code to do that is:

#!/bin/sh
sed '1,3d' $1|cksum|sed -e 's/ /Z/' -e 's/   /Z/'|cut -dZ -f1

Another tip, once you are in, if you change anything in the /etc directory or use any command that changes anything (like pwd) then you must run /etc/init.d/etcsync to write changes to the MTD. Otherwise all will revert back on the next boot. It doesn't actually update the rootfs in flash but rather saves changes in MTD partition 7 and reapplies them at boot time .

I hope this helps others discover more about his device as well as getting a robust Openwrt release going.

BTW, the rootfs image is in a strange format. I tried a number of things to decompress and mount it to no avail. (scratch this, I built a patched version of unsquash that worked) The signature is Big endian (and perhaps the entire file) but converting it to LE doesn't seem to help. If there are any experts on squashfs and uboot that could take a look, that would be appreciated. Let me know where to upload the file.

Update 09/27/2014 - Turns out factory rootfs format isn't anything too odd. Only the signature is in BE and there is an older, patched version of squash tools floating around that works with it.

Ron

(Last edited by wingspinner on 28 Sep 2014, 00:28)

Post #14

wingspinner

18 Sep 2014, 00:17

Ok, I've got patches mostly done to add this device to the latest trunk revision. Would have had it last week but their was a bug in the opkg postconfigure stuff that only got fixed recently that I was chasing down in parallel. Networking, USB, etc. are all working and the wifi works quite well. Only thing not sorted out are the GPIO mapping for the LED's. I've sent an email as well as a voicemail to HooToo asking them if they'll provide the mapping as I don't want to risk destroying one of my devices desoldering the SOC. Luci works great and performance is good.

I did end up replacing the existing uboot with one from somewhere else. The stock uboot actually has some neat functionality built-in but I don't know how to change it's default partitioning (does that require a recompile or is there another way). I'll post the patches in a few days - once I'm sure it's all good. Stay tuned.

Ron

Post #15

cnlohr

21 Sep 2014, 08:00

I am tuned and waiting.

Post #16

wingspinner

27 Sep 2014, 07:35

Patches moved to separate dedicated thread here:

https://forum.openwrt.org/viewtopic.php?id=53014

(Last edited by wingspinner on 1 Oct 2014, 02:23)

Post #17

shawnperkins

27 Sep 2014, 21:01

Thanks for the great work Ron!

Post #18

cherry31459

30 Sep 2014, 14:42

wingspinner wrote:

Ok, here it is....

Regarding installation, would it be possible to use mtd_write by breaking
the original image to various chunks that fit factory flash layout? So, the
procedure would be something like this:

1. write new bootloader
2. break kernel/rootfs into partition size parts
3. write parts to appropriate partitions
4. reboot to OpenWrt

This avoids opening up the units. If there's a screw up, then the recovery
would be to open up the unit and connect the serial port.

Post #19

wingspinner

30 Sep 2014, 20:12

cherry31459 wrote:

wingspinner wrote:
Ok, here it is....
Regarding installation, would it be possible to use mtd_write by breaking
the original image to various chunks that fit factory flash layout? So, the
procedure would be something like this:
1. write new bootloader
2. break kernel/rootfs into partition size parts
3. write parts to appropriate partitions
4. reboot to OpenWrt
This avoids opening up the units. If there's a screw up, then the recovery
would be to open up the unit and connect the serial port.

Took me awhile but Ive been able to build a "factory " image which uses the HooToo factory firmware upgrade process. It writes a new boot loader and retains their original "config" and "factory" partitions. I'll post links later today. I'll start a new thread though

Post #20

p4721cx

2 Mar 2015, 22:49

Just got mine today. I got for use on the road with my RPi, and chromecast though openWRT would be awesome on this thing.
How did you know that you bricked it? other than it not working, obviously.

Mine just flashes the wifi (blue) LED, and I do not see the ESSID when its plugged in. It's fresh out of the box... WTH?

Anyone have this happen?

Post #21

nemik

3 Mar 2015, 02:10

Unbricking isn't too bad, but you need to open the case. Inside, it has pads exposed for UART and even labels GND, RX, TX, and VCC. What I did was take a USB-to-serial adapter and taped small leads to the pads. I do this because I accidentally lifted such pads before when soldering to them, and regular tape is stable enough for a very short time.

Anyway, set the baud rate to 57600 and open up screen/minicom/hyperterminal/whatever and power the unit on/off. You should see its boot sequence play and if you messed up a config and have openwrt running, you can just interrupt it and run failsafe mode.

It's annoying, but not too bad really. This is a super nice unit. Has 8MB of flash too, double of my previous go-to, the WR703n and even cheaper on Amazon.

(Last edited by nemik on 3 Mar 2015, 02:11)

The discussion might have continued from here.

Page 1 of 1