Oops!

Mar 7th, 2010
2 comments

I had an incorrect port forwarding to my web server – probably for the last week or so – that prevented incoming traffic to it, one little missing digit in the port forwarding and the site disappears ;) Sorry about that.

Tags:

Hacking around the Japanese Buffalo WZR-HP-G300NH

Feb 23rd, 2010
7 comments

Please note before embarking on this adventure;

1) Opening your router’s casing instantly makes your warranty go *POFF*.

2) This is a reasonably technical article – if you don’t know how to solder cables to motherboards, don’t know how to set up a tftp server, don’t know what a terminal emulator is, can’t google to find out – then this article is not for you – it’s for people who are able to do what I’ve done and can understand what is going on. However, if you wish to learn, and know you will be capable of finding out how those tasks above are done, read on 8)

3) I take absolutely NO responsibility for any harm you may do to your hardware. None. Zip. Nada. What I outline here worked for me and still does. If you managed to burn down your house, or melt the Arctic ice cap, or flood your continent with the oceans, or any other disaster, then it was your fault for trying this and not mine. I didn’t ask you to, and this is for information purposes only for those interested.

So impressed was I with the specifications of this router that I just had to get it – even before I knew whether I could run alternate firmware on it or not – but I assumed that I would be able to.

So having returned home with prized router in hand I proceeded to unpack it, plug it in and set it up.

Now, I’m from the UK, but I now live and work in Japan. I’ve been studying Japanese for more than 2 years now but I’m really not that cut out to learn the language – too many other interesting things to do – like tinker with shiny new hardware for example.

So the router powers up, and I get to its configuration page. Ugh. Default Buffalo firmware (of course). Not only that, it’s in Japanese (it being the Japanese model of course) but not only that no option to set it to English. How considerate – not.

Question to the router manufacturers… WHY IS YOUR STOCK FIRMWARE ALWAYS SO AWFUL!?!?!

Ok, lets see if there’s dd-wrt support for it yet. Oh, a .tftp binary has been released for this model! Good. Oh it’s still a Work In Progress release (i.e. may contain many show-stopping bugs) but what the heck I’ll just upgrade the thing anyway because surely anything is better than the dreck which is lurking inside this router!

Downloaded, ok let’s follow the upgrade instructions – which are to power the router off, configure an ethernet port to 192.168.11.2, then run tftp, prepare that to send the image to 192.168.11.1, power up the router, send the image and them WHAMMO you have a nice shiny router with dd-wrt running on it and all my problems are over!

THINK AGAIN!

“Hmm. This firmware is not installing. How… annoying.”

After the umpteenth time performing this operation, it was time to go onto the dd-wrt forums and start asking questions. After about a week of that, and getting very little progress (I was still giving the Japanese Bufallo firmware blank stares), it was Time To Take Matters Into My Own Hands. So, here’s the skinny on this Japanese model router.

OK first thing I need is a serial console – how do I do that? There’s no serial interface on the unit I can simply plug into and go. There is however a serial interface on the motherboard – but its TTL level (3.3 volts) so I’d need to either build a TTL-serial converter circuit OR, and this is the nifty thing – I could by a conveniently available USB to TTL serial cable. Which has all the necessary electronics packed into the USB head, and the other end has 5 wires which I can use to solder onto the relevent motherboard connections. So that was that problem solved.

So, armed with Ubuntu, a USB-TTL serial cable wired to the motherboard, and my knowledge, I decided to have a poke around the unit…

Preamble and prerequisite:

This section describes what I found out about why dd-wrt would not install on the Japanese WZR-HP-G300N.

The sections after this one describe in detail how to get to the u-boot console and get the firmware installed. Note that since Brainslayer of dd-wrt has been working on the Japanese models, he has now been able to produce dd-wrt images which can be upgraded from the Buffalo web interface. This article is for those who like me, like tinkering at the console of these devices – or who have managed to somehow brick their router and who’s only way of getting the firmware installed is by using this method.

What you will need to do is have your own tftp server ready with the various firmware images you wish to transfer to the router for upgrading/testing/hacking.

A week or so ago a dd-wrt image for a WIP version for the WZR-HP-G300NH was available for download. Many WZR users could use this to upgrade their non-JP WZR’s via tftp. I and others could not on our JP models. I still have this image.

Buffalo Japan seems to have altered the version of u-boot they provide on the JP WZR’s so that even though it’ll TFTP an image file down from your PC or laptop, it’ll just jump straight to the existing firmware after at that and boot that up. Obviously to prevent nasty people like me from using non-Buffalo firmware 8)

During my tinkering, I managed to get into the u-boot console prompt and could experiment with the image files I had – Buffalo images and the dd-wrt image.

Via u-boot, I could use its tftpboot command to transfer a firmware image from a tftp server to a temp area of the unit’s memory, 0×81f00000.

Using u-boot’s iminfo command I could then see what u-boot thought of the image – good or bad – and found something interesting. u-boot thought the dd-wrt image mentioned above
had a bad magic number:

ar7100> tftpboot 81f00000 dd-wrt-wzrg300nh-firmware-ORIG.tftp
Trying eth0
eth0 is duplex
ag7100_check_link: _100BASET
Using eth0 device
TFTP from server 192.168.11.2; our IP address is 192.168.11.1
Filename 'dd-wrt-wzrg300nh-firmware-ORIG.tftp'.
Load address: 0x81f00000
Loading: #################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################
done
Bytes transferred = 10895392 (a64020 hex)
ar7100> iminfo

## Checking Image at 81f00000 …
Bad Magic Number
ar7100>

“Interesting.”, I thought. “Why would that be?”, I wondered. A bit of googling later and I found the answer. The problem is u-boot is looking for a sequence of bytes at the beginning of the file – the magic number – but in this case is not finding it.

So I open up the dd-wrt tftp image file with a hex editor (Ghex on ubuntu)…

Click for a larger view.

dd-wrt tftp image file opened in Ghex

The dd-wrt tftp image has a header in front of this magic number which is confusing u-boot.

The sequence of bytes of the Magic Number is : 27 05 19 56, which on that dd-wrt is located at offset 0×20.

I have blurred out the sequence of bytes before the magic number in the hext image:

Magic number appears after blurred out text.

Magic number appears after the blurred out text.

Using the hex editor place the cursor over the 2 of the 27 and use Backspace to remove all the bytes before that sequence.

End result of removing the bytes before the magic number.

End result of removing the bytes before the magic number.

Save the file under a new filename. Now I have a dd-wrt image file which has the magic number right at the start of the file. I transferred the edited image from my tftp server and verified the image:

ar7100> iminfo

## Checking Image at 81f00000 …
Image Name: DD-WRT v24 Linux Kernel Image
Created: 2010-02-03 14:14:55 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1017569 Bytes = 993.7 kB
Load Address: 80002000
Entry Point: 802cd000
Verifying Checksum … OK
ar7100>

This looks much better!
So now we have a dd-wrt image file which looks good – keep that file for later – we’ll need it.

To summarise, basically, if you want the Buffalo Japan-provided u-boot loader to recognise your firmware image of choice, the firmware image needs to start with the magic number sequence mentioned above in order for the firmware image to be recognised.

This works for that dd-wrt image AND also the OpenWRT images they’re now producing for the WZR-HP-G300NH.

OK, here’s the main procedure, now that we have an image file which the JP u-boot will use:

1) Serial console required

Wire up a serial terminal to the WZR’s motherboard using a USB<—>TTL 3.3V serial cable. This gains you access to the serial console of the WZR where you can perform the magic. These cables can be bought from somewhere like RS Components. There are also cellphone cables available which do the same thing. Google is your friend.

2) Terminal emulator and u-boot console command prompt

From the terminal emulator of your choice (I’m using minicom configured for /dev/ttyUSB0 at 115200,8,N,1), watch the console messages as you power the WZR on. The power up sequence looks like this:

BUFFALO U-BOOT Ver 1.02
AP83–539 (ar9100) U-boot 0.0.12
64 MB
Memory Test (address line)
Memory Test start(0×00000000) end(0×04000000) size(67108864)
Data line test start:0×00000000 pattern 0×00000001 0×00000003 0×00000007 0×0000000F 0×00000005 0×00000015 0×00000055 0xAAAAAAAA
Address line test start:0×00000000 len:0×4000000 pattern 0xAAAAAAAA 0×55555555
Fill test patnum:5
fill Pattern 5555AAAA Writing… Reading…
fill Pattern AAAA5555 Writing… Reading…
fill Pattern 0000FFFF Writing… Reading…
fill Pattern FFFF0000 Writing… Reading…
fill Pattern AAAAAAAA Writing… Reading…
Top of RAM usable for U-Boot at: 84000000
Reserving 250k for U-Boot at: 83fc0000
Reserving 256k for malloc() at: 83f80000
Reserving 44 Bytes for Board Info at: 83f7ffd4
Reserving 36 Bytes for Global Data at: 83f7ffb0
Reserving 128k for boot params() at: 83f5ffb0
Stack Pointer at: 83f5ff98
Now running in RAM – U-Boot at: 83fc0000
Dev ID2:2222
Name: AMD-SPANSION Flash id: 0×1227E, Size: 33554432 bytes.
Flash: 32 MB
In: serial
Out: serial
Err: serial
Memory Test
uboot use 83F5FFB0 – 84000000
Memory Test start(80000000) end(83F00000) size(03F00000)
Pattern 00000000 Writing… Reading…
Memory Test OK
### buf_ver=[1.02] U-Boot Ver.=[1.02]
### build_date(env)=[Feb 16 2009 - 10:47:08] build_date(bin)=[Feb 16 2009 - 10:47:08]
ag7100_enet_initialize…
: cfg1 0xf cfg2 0×7114
rtl8366sr_phy_setup ethUnit=0
Realtek 8366SR switch ID 0×8366
Realtek Greeen Ethernet Setup
eth0: 02:aa:bb:cc:dd:1a
eth0 up
: cfg1 0xf cfg2 0×7114
eth1: 02:aa:bb:cc:dd:1a
eth1 up
eth0 02:AA:BB:CC:DD:1A
, eth1 02:AA:BB:CC:DD:1A

Trying eth0
eth0 is duplex
ag7100_check_link: _100BASET
dup 1 speed 100
CFG_PLL_FREQ=5
CFG_HZ=bebc200
cpu pll=1050
eth pll=1032
eth0 clk pll=13000a44
eth0 mii=12
eth0 cfg1=f
eth0 cfg2=7115
eth0 fcfg_0=1d1f00
eth0 fcfg_1=7ff0000
eth0 fcfg_2=fff
eth0 fcfg_3=780008
eth0 fcfg_4=3ffff
eth0 fcfg_5=3ffff

3) Quickly interrupt u-boot at the tftp stage

It is when you see the following that you must press CTRL-C!!

tftp server(receive) go, waiting:4[sec]
Trying eth1
eth1 link down
FAIL
Trying eth0
eth0 is duplex
ag7100_check_link: _100BASET
Load address: 0×81f00000

Then you’ll get this:

Abort
no file was loaded.
### main_loop entered: bootdelay=4

### main_loop: bootcmd=”bootm 0×81f00000″
Hit any key to stop autoboot: 0


Hit CTRL-C again at this point!

The router will then stop the boot sequence and enter the u-boot console, which is where you
have complete control over what you can do with the router :)

ar7100>

While we’re at the u-boot console prompt, let’s take a look at the u-boot
environment variables, because that gives us a lot of useful information about how Buffalo has
configured this router.

We do this by using the printenv command as shown below…

ar7100> printenv
bootargs=console=ttyS0,115200 root=31:03 rootfstype=jffs2 init=/sbin/init mtdparts=ar9100-nor0:256k(u-boot),128k(u-boot-env),1024k(uImag)
bootdelay=4
baudrate=115200
ethaddr=02:AA:BB:CC:DD:1A
tmp_ram=81F00000
tmp_bottom=83F00000
fw_eaddr=BE060000 BFFDFFFF
uboot_eaddr=BE000000 BE03FFFF
u_fw=erase $fw_eaddr; cp.b $fileaddr BE060000 $filesize; bootm BE060000;
ut_fw=tftp $tmp_ram firmware.bin; erase $fw_eaddr; cp.b $fileaddr BE060000 $filesize; bootm BE060000;
ut_uboot=tftp $tmp_ram u-boot.bin; protect off $uboot_eaddr; erase $uboot_eaddr; cp.b $fileaddr BE000000 $filesize;
melco_id=RD_BB08009
hw_rev=0
tftp_wait=4
uboot_ethaddr=02:AA:BB:CC:DD:1A
DEF-p_wireless_ath0_11bg-authmode=psk
DEF-p_wireless_ath0_11bg-crypto=tkip+aes
DEF-p_wireless_ath0_11bg-authmode_ex=mixed-psk
custom_id=0
buf_ver=1.02
build_date=Feb 16 2009 – 10:47:08
pincode=51560850
DEF-p_wireless_ath0_11bg-wpapsk=0bm5ujdb4d884
buf_crc=22625AFC
mtdids=nor0=ar9100-nor0
bootcmd=bootm 0×81f00000
region=JP
bootm=0xbe060000
ipaddr=192.168.1.99
serverip=192.168.1.9
stdin=serial
stdout=serial
stderr=serial
loadaddr=81F00000
ethact=eth0

Environment size: 1160/131068 bytes
ar7100>

Note a couple of things about the about listing of the u-boot environment variables…

ipaddr=192.168.1.99
serverip=192.168.1.9

The DEFAULT values for these are ipaddr=192.168.11.1 and serverip=192.168.11.2.
Those are for when u-boot tries to get a firmware image via tftp as outlined on the dd-wrt
web pages. They’re also used for when you’re telling u-boot to tftp an image from your tftp
server.

I changed those values using the following command sequence:

ar7100> setenv ipaddr 192.168.1.99
ar7100> setenv serverip 192.168.1.9
ar7100>

I then made those changes permanent with:

ar7100> saveenv
Saving Environment to Flash…
Protect off BE040000 … BE05FFFF
Un-Protecting sectors 2..2 in bank 1
Un-Protected 1 sectors
Erasing Flash…Erase Flash from 0xbe040000 to 0xbe05ffff in Bank # 1 First 0×2 last 0×2
100%
Erased 1 sectors
Writing to Flash…
100%
done
Protecting sectors 2..2 in bank 1
Protected 1 sectors
ar7100>

Also,

bootm=0xbe060000

Memory location be060000 is where the WZR has its firmware it boots from permanently stored.

tmp_ram=81F00000
tmp_bottom=83F00000
fw_eaddr=BE060000 BFFDFFFF

tmp_ram is where u-boot will download tftp’d images to.

fw_eaddr is the area of flash memory which u-boot will erase before copying any tftp’ed images to.

4) Transfer the edited dd-wrt file from your tftp server to WZR temporary memory area

You need to set up a tftp server on your PC to do this. It’s not difficult to do and again
search Google on how to do this. Google really is your friend ;)
I named my dd-wrt image “wzrg300nh-firmwareM.tftp” in my example. (M == modified).

ar7100> tftpboot 81f00000 wzrg300nh-firmwareM.tftp
Trying eth0
eth0 is duplex
ag7100_check_link: _100BASET
Using eth0 device
TFTP from server 192.168.11.2; our IP address is 192.168.11.1
Filename ‘wzrg300nh-firmwareM.tftp’.
Load address: 0×81f00000
Loading: #################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################
done
Bytes transferred = 10895360 (a64000 hex)

Take a note of where it says:

Bytes transferred = 10895360 (a64000 hex)

It will be a different number if the image size is different.
You need that hex number for the copy procedure.

VERIFY YOUR IMAGE!

ar7100> iminfo

## Checking Image at 81f00000 …
Image Name: DD-WRT v24 Linux Kernel Image
Created: 2010-02-03 14:14:55 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1017569 Bytes = 993.7 kB
Load Address: 80002000
Entry Point: 802cd000
Verifying Checksum … OK
ar7100>

If you see anything other than the above then you either transferred the wrong image or your have not corectly edited the image so that the header starts at the begining of the file. If so, then either transfer the image once more or re-edit an original dd-wrt tftp image file to make this the case, and then perform the tftp transfer once more.

5) Erase firmware area.

Before we copy, we need to clear the area of flash memory where the firmware is stored. This is done by the following:

ar7100> erase BE060000 BFFDFFFF

This will wipe the area of flash memory. It will take a few minutes to do so be patient.

Erase Flash from 0xbe060000 to 0xbffdffff in Bank # 1 First 0×3 last 0xfe
100%
Erased 252 sectors
ar7100>

Also, this will not wipe the flash memory where u-boot resides so don’t worry :)

6) Copy new firmware to the firmware area

The next step is to copy that area of memory to where the default booting firmware is stored.

Okay, so, we know we have downloaded the image to memory location 0×81f0000.
On this model I have, the stored firmware resides at 0xbe060000.

I know this by looking at the u-boot environment variables which we did above by using the “printenv” command.

Now we need to copy the tftp’ed image from the temporary area to the permanent firmware
area.

So, in my case, I need to copy a64000 bytes of memory from temporary ram area 81f0000 to the firmware storage area be060000.

ar7100> cp.b 81f00000 be060000 a64000
Copy to Flash…
Copy 10895360 byte to Flash…
100%
done
ar7100>

Again this will take a few minutes to complete.

7) Reboot into your new firmware

The moment you’ve been waiting for!

ar7100> bootm BE060000

And if you have done everything correctly you’ll get something like this:

## Booting image at be060000 …
Image Name:   DD-WRT v24 Linux Kernel Image
Created:      2010-02-03  14:14:55 UTC
Image Type:   MIPS Linux Kernel Image (lzma compressed)
Data Size:    1017569 Bytes = 993.7 kB
Load Address: 80002000
Entry Point:  802cd000
Verifying Checksum … OK
Uncompressing Kernel Image … OK
No initrd
## Transferring control to Linux (at address 802cd000) …
## Giving linux memsize in bytes, 67108864

Starting kernel …

Linux version 2.6.24.111 (root@dd-wrt) (gcc version 4.3.3 (GCC) ) #665 Wed Feb 3 15:00:08 CET 2010
flash_size passed from bootloader = 32
CPU revision is: 00019374
booting platform Atheros AR9132 rev 2 (0xb9)
Determined physical RAM map:
memory: 04000000 @ 00000000 (usable)
Built 1 zonelists in Zone order.  Total pages: 16256
Kernel command line: console=ttyS0,115200 root=1f02 rootfstype=squashfs noinitrd  init=/sbin/init
Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
PID hash table entries: 256 (order: 8, 1024 bytes)
Using 200.000 MHz high precision timer.
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 61524k/65536k available (2347k kernel code, 3956k reserved, 508k data, 124k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
gpio_proc: module loaded and /proc/gpio/ created
AR7100 GPIOC major 0
devfs: 2004-01-31 Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0×1
squashfs: version 3.0 (2006/03/15) Phillip Lougher
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver $Revision: 1.90 $ 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0×0 (irq = 19) is a 16550A
console [ttyS0] enabled
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
MPPE/MPPC encryption/compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V1.0
IMQ starting with 2 devices…
IMQ driver loaded successfully.
Hooking IMQ before NAT on PREROUTING.
Hooking IMQ after NAT on POSTROUTING.
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
AG7100: Length per segment 1536
AG7100: Max segments per packet 1
AG7100: Max tx descriptor count    100
AG7100: Max rx descriptor count    252
AG7100: fifo cfg 3 00780008
rtl_chip_type_select:RTL8366SR
AG7100CHH: Mac address for unit 0
AG7100CHH: ff:ff:ff:ff:ff:ff
rtl_chip_type_select:RTL8366SR
AG7100CHH: Mac address for unit 1
AG7100CHH: ff:ff:ff:ff:ff:ff
FLASH ID: AMD-SPANSION SIZE: (32 MB)
scanning for root partition

found squashfs at 159000
Creating 7 MTD partitions on “ar9100-nor0″:
0×00000000-0×00060000 : “RedBoot”
0×00060000-0×01fc0000 : “linux”
0×00159000-0×00ae0000 : “rootfs”
mtd: partition “rootfs” doesn’t start on an erase block boundary — force read-only
0×00ae0000-0×01fc0000 : “ddwrt”
0×01fc0000-0×01fe0000 : “nvram”
0×01fe0000-0×02000000 : “board_config”
0×00000000-0×02000000 : “fullflash”
usbmon: debugfs is not available
ar71xx-ehci ar71xx-ehci.0: Atheros AR91xx built-in EHCI controller
ar71xx-ehci ar71xx-ehci.0: new USB bus registered, assigned bus number 1
ar71xx-ehci ar71xx-ehci.0: irq 3, io mem 0×1b000000
ar71xx-ehci ar71xx-ehci.0: USB 2.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
Initializing USB Mass Storage driver…
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial Driver core
Software Watchdog Timer: 0.07 initialized. soft_noboot=0 soft_margin=60 sec (nowayout= 0)
GACT probability on
Mirror/redirect action on
Simple TC action Loaded
u32 classifier
Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
ctnetlink v0.93: registering with nfnetlink.
IPv4 over IPv4 tunneling driver
GRE over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
IPP2P v0.8.2 loading
ClusterIP Version 0.8 loaded successfully
TCP bic registered
TCP cubic registered
TCP westwood registered
TCP highspeed registered
TCP hybla registered
TCP htcp registered
TCP vegas registered
TCP scalable registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Welcome to PF_RING 3.2.1
(C) 2004-06 L.Deri <deri@ntop.org>
NET: Registered protocol family 27
PF_RING: bucket length    128 bytes
PF_RING: ring slots       4096
PF_RING: sample rate      1 [1=no sampling]
PF_RING: capture TX       No [RX only]
PF_RING: transparent mode Yes
PF_RING initialized correctly.
PF_RING: registered /proc/net/pf_ring/
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
decode 1f02
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 124k freed
start service
starting Architecture code for ap83
load ATH Ethernet Driver
configure eth0 to 00:1d:73:8f:4d:31
configure eth1 to 00:1d:73:8f:4d:31
ag7100_ring_alloc Allocated 1200 at 0×81104800
ag7100_ring_alloc Allocated 3024 at 0×803e3000
AG7100: cfg1 0×2f cfg2 0×7014
rtl8366sr_phy_setup  ethUnit=0
Realtek 8366SR switch ID 0×8366
SP1000
phyUnit=0 is link
phyUnit=1 is lostlink
phyUnit=2 is lostlink
phyUnit=3 is lostlink
AG7100: unit 0 phy is up…RGMii 1000Mbps full duplex
AG7100: pll reg 0×18050014: 0×1e000100  AG7100: cfg_1: 0×7ff0000
AG7100: cfg_2: 0xfff
AG7100: cfg_3: 0×7803ff
AG7100: cfg_4: 0xffff
AG7100: cfg_5: 0xfefef
AG7100: done cfg2 0×7215 ifctl 0×0 miictrl 0×22
Writing 4
ag7100_ring_alloc Allocated 1200 at 0×83d2b000
ag7100_ring_alloc Allocated 3024 at 0×83c8f000
AG7100: cfg1 0×3f cfg2 0×7014
rtl8366sr_phy_setup  ethUnit=1
phyUnit=4 is lostlink
Writing 6
load ATH 802.11 a/b/g Driver
load ATH 802.11n Driver
ath_mimo_hal: module license ‘Proprietary’ taints kernel.
ath_mimo_hal: 0.9.17.1 (AR5416, REGOPS_FUNC)
ath_ahb: 0.9.4.5 (Atheros/multi-bss)
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
wlan: 0.8.4.2 (Atheros/multi-bss)
wlan: mac acl policy registered
ath_rate_atheros: Version 2.0.1
Copyright (c) 2001-2004 Atheros Communications, Inc, All Rights Reserved
ar5416CheckEepromDef: Read Magic = 0xFFFF
EEPROM being read from flash @0xbfff1000
need_swap = False.
Howl Revision ID 0xb9
dfs_init_radar_filters: dfs->dfs_rinfo.rn_numradars: 0
1Mbps 2Mbps 5.5Mbps 11Mbps
1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
wifi0: mac 20.0 phy 10.2 radio 13.0
wifi0: Use hw queue 1 for WME_AC_BE traffic
wifi0: Use hw queue 0 for WME_AC_BK traffic
wifi0: Use hw queue 2 for WME_AC_VI traffic
wifi0: Use hw queue 3 for WME_AC_VO traffic
wifi0: Use hw queue 8 for CAB traffic
wifi0: Use hw queue 9 for beacons
wifi0: Use hw queue 7 for UAPSD
wifi0: Atheros AR9100 WiSoC: mem=0xb80c0000, irq=2
br0: Dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature.
device br0 entered promiscuous mode
ag7100_ring_free Freeing at 0×81104800
ag7100_ring_free Freeing at 0×803e3000
ag7100_ring_alloc Allocated 1200 at 0×83d2b800
ag7100_ring_alloc Allocated 3024 at 0×803e3000
AG7100: cfg1 0×2f cfg2 0×7215
rtl8366sr_phy_setup  ethUnit=0
phyUnit=0 is link
phyUnit=1 is lostlink
phyUnit=2 is lostlink
phyUnit=3 is lostlink
AG7100: unit 0 phy is up…RGMii 1000Mbps full duplex
AG7100: pll reg 0×18050014: 0×1e000100  AG7100: cfg_1: 0×7ff0000
AG7100: cfg_2: 0xfff
AG7100: cfg_3: 0×7803ff
AG7100: cfg_4: 0xffff
AG7100: cfg_5: 0xfefef
AG7100: done cfg2 0×7215 ifctl 0×0 miictrl 0×22
Writing 4
ag7100_ring_free Freeing at 0×83d2b800
ag7100_ring_free Freeing at 0×803e3000
ag7100_ring_alloc Allocated 1200 at 0×83cf3800
ag7100_ring_alloc Allocated 3024 at 0×803e3000
AG7100: cfg1 0×2f cfg2 0×7215
rtl8366sr_phy_setup  ethUnit=0
phyUnit=0 is link
phyUnit=1 is lostlink
phyUnit=2 is lostlink
phyUnit=3 is lostlink
AG7100: unit 0 phy is up…RGMii 1000Mbps full duplex
AG7100: pll reg 0×18050014: 0×1e000100  AG7100: cfg_1: 0×7ff0000
AG7100: cfg_2: 0xfff
AG7100: cfg_3: 0×7803ff
AG7100: cfg_4: 0xffff
AG7100: cfg_5: 0xfefef
AG7100: done cfg2 0×7215 ifctl 0×0 miictrl 0×22
Writing 4
device eth0 entered promiscuous mode
sh: ead: not found
sh: can’t create /proc/sys/dev/wifi0/pollingmode: nonexistent directory
sh: can’t create /proc/sys/dev/wifi0/maxvaps: nonexistent directory

ath_numswbaperbc = 4(1)adj=51200
ath0
Invalid command : maxassoc
Invalid command : wdssep
device ath0 entered promiscuous mode
br0: port 2(ath0) entering learning state
br0: port 1(eth0) entering learning state
device br0 left promiscuous mode
device br0 entered promiscuous mode
device br0 left promiscuous mode
device br0 entered promiscuous mode
Ethernet Channel Bonding Driver: v3.1.3 (June 13, 2007)
bonding: MII link monitoring set to 100 ms
alarmpacket: bind: No such file or directory
device eth1 entered promiscuous mode
device eth1 left promiscuous mode
br0: topology change detected, propagating
br0: port 2(ath0) entering forwarding state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
nvram was changed, needs commit, waiting 10 sec.
etherip: Ethernet over IPv4 tunneling driver
The Milkfish Router Services
ERROR: Necessary service setting not found: milkfish_username – aborting.
The Milkfish Router Services
Restoring SIP ddsubscriber database from NVRAM…
Empty.
The Milkfish Router Services
Restoring SIP ddaliases database from NVRAM…
Empty.
Freeing node: 00:1d:73:8f:4d:31
ic->ic_cwm.cw_width :0, ic->ic_cwm.cw_extoffset: 0

And there you have it. You had bricked your Japanese WZR-HP-G300N and now you have managed to install
DD-wrt using the tftp image and a few u-boot commands.

This procedure will also work for other firmware, like OpenWRT (And it the X-WRT project which makes a web front-end to OpenWRT).

I hope this has been helpful!

Tags: ,

I Return!

Feb 2nd, 2010
1 comment

The blog is back!

Had a horrific server crash which totalled the old blog. At least now I have a blank slate and all the previous cruft has been erased.

Tags: