Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
inbox:toh:arcadyan:astoria:prv3399b-e-lt [2021/09/27 11:09] – [Info] mandrake-leeinbox:toh:arcadyan:astoria:prv3399b-e-lt [2021/10/17 08:25] – [Info] mandrake-lee
Line 115: Line 115:
 ^ System-On-Chip   | BCM68380 - MIPS 24K V4.12   | ^ System-On-Chip   | BCM68380 - MIPS 24K V4.12   |
 ^ CPU/Speed        | 600 MHz                          | ^ CPU/Speed        | 600 MHz                          |
-^ Flash-Chip       | Toshiba TC58BVG033HTA00                  +^ Flash-Chip       | Toshiba/Kioxia [[https://business.kioxia.com/info/docget.jsp?did=14875&prodName=TC58BVG0S3HTA00|TC58BVG033HTA00]] \\ Winbond [[https://www.winbond.com/resource-files/W25X05CL_G%2008012019.pdf|W25x05CLSNFG]]                 
-^ Flash size       | 128 MiB (NAND)                           |+^ Flash size       | 128 MiB (NAND) \\ 512 KiB (NOR)                       |
 ^ RAM              | 256 MiB                           | ^ RAM              | 256 MiB                           |
 ^ Wireless         | BCM4321 2.4GHz 802.11bgn & Quantenna QT3740BC  | ^ Wireless         | BCM4321 2.4GHz 802.11bgn & Quantenna QT3740BC  |
 ^ Ethernet         | 10/100/1000 Mbit/s w/ vlan support    | ^ Ethernet         | 10/100/1000 Mbit/s w/ vlan support    |
 ^ Switch           | ?        | ^ Switch           | ?        |
-^ USB              | EXAMPLE 1x 2.0                           | +^ USB              | 1x 2.0                           | 
-^ Serial           EXAMPLE [[#Serial|Yes]]                  | +^ Serial           | [[#Serial|Yes]]                  | 
-^ JTAG             EXAMPLE [[#JTAG|Not populated]]          |+^ JTAG             Unknown [[#JTAG|Not populated]]          |
  
  
Line 154: Line 154:
 ==== Opening the case ==== ==== Opening the case ====
  
-<WRAP BOX> +You will need a phillips screwdriver. 
-FIXME //Describe what needs to be done to open the device, e.g. remove rubber feet, adhesive labels, screws, ...// +  - Remove 4x screws at the bottom of the device 
-</WRAP>+  - Detach from rear to frontthe upper case from the bottom case
  
 ==== Serial ==== ==== Serial ====
 -> [[docs:techref:hardware:port.serial]] general information about the serial port, serial port cable, etc. -> [[docs:techref:hardware:port.serial]] general information about the serial port, serial port cable, etc.
 +
 +**WARNING** This device has 2 sets of UART, one dedicated to the early boot i.e. bootloader, and the second for the operating system (OS) itself e.g. linux.
 +
 +The Tx pin for the OS, needed in order to reach Busybox, hasn't been discovered. It might be hard cancelled via resistor or soft cancelled via boot parameter.
  
 See photo below for the pinout of the Serial Port of this specific device:\\ See photo below for the pinout of the Serial Port of this specific device:\\
Line 173: Line 177:
 **This is not confirmed** but there're several unpopulated pins on the board. Some of them are known to be UART, it might be well that the rest of them are for JTAG:\\ **This is not confirmed** but there're several unpopulated pins on the board. Some of them are known to be UART, it might be well that the rest of them are for JTAG:\\
 {{ :media:arcadyan:prv3399b:prv3399b_uart_jtag_and_flash_hack.jpg?direct&400 |}} {{ :media:arcadyan:prv3399b:prv3399b_uart_jtag_and_flash_hack.jpg?direct&400 |}}
 +
 +
 +==== HACKS ====
 +=== Soft hacks ===
 +
 +== Access to web CFE ==
 +First, you will need to gain access to the bootloader CFE and stop the countdown.
 +
 +Once there, use your browser to reach:
 +<code>192.168.1.1</code>
 +
 +A fancy menu will pop-up as below:
 +{{ :media:arcadyan:prv3399b:prv3399b_cfe_web_backdoor.jpg?direct&400 |}}
 +
 +
 +== Enable CFE countdown ==
 +  - First you need to have access to the CFE. You might need this [[#Access to CFE menu|hack]]
 +  - Now enter command "c"
 +  - Select "Boot Image" 2
 +  - Leave the rest of parameters untouched by pressing "intro"
 +
 +
 +=== Hard hacks ===
 +During boot, specific NAND flash pins can be shorcircuited in order to provoke a boot fail and therefore access to bootloader.
 +
 +| {{:meta:icons:tango:48px-dialog-warning.svg.png?nolink}} | **WARNING:** This method is considered to be safe but use at your own discretion.\\ |
 +
 +== Access to CFE menu ==
 +This hack will need some training and skill. Don't give up!
 +Basically, we will let the system jump to CFE bootloader and corrupt the loading of any further image from NAND flash.
 +
 +  - Switch on the device
 +  - Let system jump to the "Copyright" line
 +  - Now shortcircuit pins 8&9. See diagram at the bottom. Use the tip of a needle, thin screwdriver, etc
 +  - After success, error messages will pop up and you will have access to the CFE command line as follows
 +
 +<WRAP bootlog>
 +<nowiki>
 +----
 +HELO
 +ZBSS
 +RAMI
 +
 +Copyright (C) 2019 Arcadyan Technology.
 +
 +NANDFLASH:
 +    DEVICE ID: 0x98f18015f2, size: 131072KB, type: SLC
 +    block: 128KB(1024), page: 2KB, oob: 64Bytes
 +nandflash_bbt_scan_block: detect bad block marker @ 0x6000000
 +
 +NVRAM(0) MAGIC checking passed!
 +NVRAM(0) CRC checking passed!
 +total 10 of NVRAM(0) entries loaded
 +
 +NVRAM(1) MAGIC checking passed!
 +NVRAM(1) CRC checking passed!
 +total 10 of NVRAM(1) entries loaded
 +
 +BOOTLOADER version 1.2.4 for PRV3397B_E_LT
 +Build Date: Tue Apr 25 13:45:35 2017 (tinghung_chen@buildbed)
 +
 +Chip ID: BCM68380B0 MIPS: 600MHz, DDR: 533MHz, Bus: 240MHz, RDP: 800MHz
 +Memory Test Passed!
 +Total Memory: 268435456 bytes (256MB)
 +*** Press any key to stop auto run (0 seconds) ***
 +Auto run second count down: 0
 +Loading secondary image ...
 +ERROR: data is invalid and not correctable at offset 0x2b00000
 +Could not read from flash: CFE error -4
 +enable IH Wan-Wan forwarding...
 +data_path_go Done!!
 +Set EMAC4 as RGMII
 +Creating CPU ring for queue number 0 with 32 packets descriptor=0x8b58cb60
 + Done initializing Ring 0 Base=0xad0141e0K End=0xad0143e0K calculated entries= 32 RDD Base=0x0d0141e0K descriptor=0x8b58cb60
 +Open PHY 1 on MAC 0 : link state = Down
 +Open PHY 2 on MAC 1 : link state = Down
 +Open PHY 3 on MAC 2 : link state = Down
 +Open PHY 4 on MAC 3 : link state = Down
 +Open PHY 0 on MAC 4 : link state = Down
 +web info: Waiting for connection on socket 0.
 +PRV3397B_E_LT>
 +</nowiki>
 +</WRAP>
 +\\
 +**Congratulations!** Now you can consider enabling the bootloader countdown and therefore have CFE always reachable. See [[#Enable CFE countdown|this]]
 +
 +{{ :media:arcadyan:prv3399b:prv3399b_uart_jtag_and_flash_hack.jpg?direct&400 |}}
 +
 +==== CFE menu ====
 +Using the CFE hack above, now you can enter the menu of the bootloader:
 +
 +This is a piece of obscured software; seems an Arcadyan customized version of the CFE with little options.
 +
 +<code>
 +RV3397B_E_LT>  help
 +Available commands:
 +
 +sc                  Update certificate
 +show devices        Display information about the installed devices.
 +erasepart           Erase the specified partition
 +m                   Change the board's manufacture setting
 +c                   Change the board's setting
 +uc                  Update certificate file
 +u                   Update 1st/2nd flash image or bootloader
 +br                  Boot program from 1st/2nd cferam2
 +r                   Reset the board
 +help                Obtain help for CFE commands
 +
 +</code>
 +
 +===== Flash partition =====
 +==== OEM partition ====
 +As reported by bootloader:
 +<code>
 +PRV3397B_E_LT>show devices
 +Device Name          Description
 +-------------------  ---------------------------------------------------------
 +uart0                BCM63xx DUART channel 0
 +nandflash0.bootldr   offset 00000000 size 512KB
 +nandflash0.ca        offset 00080000 size 512KB
 +nandflash0.manufac   offset 00100000 size 512KB
 +nandflash0.nvram     offset 00180000 size 512KB
 +nandflash0.pri_boot  offset 00200000 size 512KB
 +nandflash0.pri_linu  offset 00280000 size 5120KB
 +nandflash0.pri_root  offset 00780000 size 35840KB
 +nandflash0.sec_boot  offset 02A80000 size 512KB
 +nandflash0.sec_linu  offset 02B00000 size 5120KB
 +nandflash0.sec_root  offset 03000000 size 35840KB
 +nandflash0.pri_cfg   offset 05300000 size 512KB
 +nandflash0.sec_cfg   offset 05380000 size 512KB
 +nandflash0.softrip   offset 05400000 size 512KB
 +nandflash0.softuser  offset 05480000 size 512KB
 +nandflash0.ubifs     offset 05500000 size 43008KB
 +nandflash0.oops_dat  offset 07F00000 size 1024KB
 +eth0
 +                     YàYYYE$
 +                            Yø
 +*** command status = 0
 +PRV3397B_E_LT>
 +</code>
  
 ===== Bootlogs ===== ===== Bootlogs =====
-==== OEM bootlog ====+==== OEM Early bootlog ==== 
 +This info is taken from the early UART.
 <WRAP bootlog> <WRAP bootlog>
 <nowiki> <nowiki>
Line 324: Line 469:
 </nowiki> </nowiki>
 </WRAP>\\ </WRAP>\\
 +
 +==== OEM OS bootlog ====
 +This info is taken from the OS UART.
 +<WRAP bootlog>
 +<nowiki>
 +Quantenna Mini U-Boot
 +Version: v37.4.0.28 Built: Oct 26 2015 at 19:23:50
 +br
 +1G-FD
 +Using br device
 +TFTP from server 1.1.1.1; our IP address is 1.1.1.2
 +Filename 'u-boot.bin'.
 +Load address: 0x88000000
 +Loading: T ##############
 +done
 +Bytes transferred = 69872 (0x110f0)
 +Boot reached stage 13
 +Boot reached stage 12
 +Valid CRC found in flash restoring env...
 +Boot reached stage 11
 +hw_config_id 65535: 'QTM840_5S3_MAC'
 +Cold boot
 +Reset status: 0x00000001
 +
 +Info: data uncached: addr=0xc0000000 size=1024MB
 +Info: text at 0x88040000, stack at 0x88013ffc(8192), heap at 0x88000000(73728), uboot size 173708
 +Info: i-cache is enabled
 +Info: d-cache is enabled
 +Info: CPU freq is 500000000, dev freq is 125000000
 +
 +Info: Quantenna U-Boot version:v37.4.0.136
 +Info: build date 'May 10 2019', time '23:46:47'
 +
 +SPI flash info:
 +        name             : w25x05
 +        jedec_id         : 0xef3010
 +        sector size      : 4096
 +        number of sector : 16
 +        frequency        : 104000000
 +        flags            : 0x2
 +        lock             :
 +DDR_INIT: type = 16, speed = 2, size = 134217728, rev = 0x43, param = 0x0
 +DDR_INIT: replacing invalid param = 0x0 with default 0xe7b
 +500MHz
 +BDA at 0x80002000
 +In:    serial
 +Out:   serial
 +Err:   serial
 +Boot reached stage 64
 +Boot reached stage 65
 +br
 +Hit any key to stop autoboot:  0
 +Boot reached stage 80
 +1G-FD
 +Using br device
 +TFTP from server 1.1.1.1; our IP address is 1.1.1.2
 +Filename 'topaz-linux.lzma.img'.
 +Load address: 0x83000000
 +Loading: #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         #################################################################
 +         ##################################
 +done
 +Bytes transferred = 5831576 (0x58fb98)
 +Boot reached stage 81
 +Boot reached stage 84
 +Boot reached stage 1
 +## Booting kernel from Legacy Image at 83000000 ...
 +Boot reached stage 2
 +Boot reached stage 3
 +   Image Name:   topaz-linux
 +   Image Type:   arc Linux Kernel Image (lzma compressed)
 +   Data Size:    5823384 Bytes =  5.6 MB
 +   Load Address: 8493a000
 +   Entry Point:  8493a000
 +   Qtn flags:    00000001
 +   Verifying Checksum ... OK
 +Boot reached stage 4
 +Boot reached stage 5
 +Boot reached stage 6
 +Boot reached stage 14
 +   Uncompressing Kernel Image ... OK
 +Boot reached stage 7
 +Boot reached stage 8
 +Command line TAG setup
 +Params->u.cmdline.cmdline console=ttyS0,115200n8 earlyprintk=1 hw_config_id=65535
 +p console=ttyS0,115200n8 earlyprintk=1 hw_config_id=65535
 +##  Unset TAG qtn_flags 1
 +## Transferring control to Linux (at address 8493a000) ATAG parameters 88067d94 - 88067dec...
 +[    0.000000] Linux version 2.6.35.12 (tinghung_chen@buildbed) (gcc version 4.2.1 (ARC_2.3)) #2 Tue May 28 16:51:36 CST 2019
 +[    0.000000] Parsing ATAG parameters from bootloader
 +[    0.000000] ATAG_CORE: successful parsing
 +[    0.000000] ATAG_CMDLINE: command line = console=ttyS0,115200n8 earlyprintk=1 hw_config_id=65535
 +[    0.000000] Board id: 65535
 +[    0.000000] ATAG_HW_CONFIG_ID: hw_config_id = 65535
 +[    0.000000]
 +[    0.000000] Processor Family: ARC 700 [0x33]
 +[    0.000000] CPU speed :      500.00 Mhz
 +[    0.000000] Timers:  TIMER1 TIMER0
 +[    0.000000] Interrupt Vect Base:     0x88052400
 +[    0.000000] Peripheral Base: NOT present; assuming 0xCOFC0000
 +[    0.000000] Data UNCACHED Base (I/O): start 0xc0 Sz, 1024 MB
 +[    0.000000] ARC700 MMU Ver [2]
 +[    0.000000]    PAGE SIZE 8k
 +[    0.000000]    JTLB 128 x 2 = 256 entries
 +[    0.000000]    uDTLB 8 entr, uITLB 4 entr
 +[    0.000000] TLB Refill "will NOT" Flush uTLBs
 +[    0.000000] Detected I-cache :
 +[    0.000000]   Type=2 way set-assoc, Line length=32, Size=16K (enabled)
 +[    0.000000] Detected D-cache :
 +[    0.000000]   Type=4 way set-assoc, Line length=32, Size=16K (enabled)
 +[    0.000000] Extensions:
 +[    0.000000]    MPY: 32x32 with ANY Result Reg   MAC MPY: Dual 16 x 16 and 32 x 16
 +[    0.000000]    DCCM: N/A  ICCM: N/A
 +[    0.000000]    CRC: N/A,   SWAP: Present   NORM: Present
 +[    0.000000]    Min-Max: Present,   Barrel Shifter: Present
 +[    0.000000]    Ext Arith Insn: Present
 +[    0.000000] Floating Point Extension: N/A
 +[    0.000000] On node 0 totalpages: 16383
 +[    0.000000] free_area_init_node: node 0, pgdat 85b55dac, node_mem_map 85c06024
 +[    0.000000]   Normal zone: 72 pages used for memmap
 +[    0.000000]   Normal zone: 0 pages reserved
 +[    0.000000]   Normal zone: 16311 pages, LIFO batch:3
 +[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16311
 +[    0.000000] Kernel command line: console=ttyS0,115200n8 earlyprintk=1 hw_config_id=65535
 +[    0.000000] bootconsole [ruby_early0] enabled
 +[    0.000000] PID hash table entries: 512 (order: -2, 2048 bytes)
 +[    0.000000] Dentry cache hash table entries: 16384 (order: 3, 65536 bytes)
 +[    0.000000] Inode-cache hash table entries: 8192 (order: 2, 32768 bytes)
 +[    0.000000] Memory: 36088KB available (2165K code,1202K data, 15872K init)
 +[    0.000000] Hierarchical RCU implementation.
 +[    0.000000]  RCU debugfs-based tracing is enabled.
 +[    0.000000]  Verbose stalled-CPUs detection is disabled.
 +[    0.000000] clockevent mode switch to [1]
 +[    0.000000] clockevent mode switch to [2]
 +[    0.000000] Calibrating delay loop... 249.03 BogoMIPS (lpj=622592)
 +[    0.115000] pid_max: default: 4096 minimum: 301
 +[    0.120000] Mount-cache hash table entries: 1024
 +[    0.125000] Starting run_ksoftirqd, stack (thread_info) at 85b7a000 cpu 0
 +[    0.130000] NET: Registered protocol family 16
 +[    0.135000] Topaz heap 1 in SRAM 88016360<->88020000
 +[    0.140000] Topaz heap 2 in SRAM 88011000<->88012000
 +[    0.150000] bio: create slab <bio-0> at 0
 +[    0.160000] watch64: 2003/08/22 Josef 'Jeff' Sipek <jeffpc@xxxxxxxxxxxxx>
 +[    0.165000] watch64: Enabling Watch64 extensions...done.
 +[    0.170000] Switching to clocksource ARC Timer1
 +[    0.175000] NET: Registered protocol family 2
 +[    0.180000] IP route cache hash table entries: 2048 (order: 0, 8192 bytes)
 +[    0.185000] TCP established hash table entries: 4096 (order: 2, 32768 bytes)
 +[    0.195000] TCP bind hash table entries: 4096 (order: 1, 16384 bytes)
 +[    0.200000] TCP: Hash tables configured (established 4096 bind 4096)
 +[    0.205000] TCP reno registered
 +[    0.210000] NET: Registered protocol family 1
 +[    0.815000] JFFS2 version 2.2. (NAND) c 2001-2006 Red Hat, Inc.
 +[    0.820000] msgmni has been set to 70
 +[    0.825000] io scheduler noop registered (default)
 +[    1.250000] Serial: 8250/16550 driver, 2 ports, IRQ sharing enabled
 +[    1.255000] serial8250.0: ttyS0 at MMIO 0xf0000000 (irq = 48) is a 16550A
 +[    1.260000] console [ttyS0] enabled, bootconsole disabled
 +[    1.260000] console [ttyS0] enabled, bootconsole disabled
 +[    1.265000] brd: module loaded
 +[    1.275000] loop: module loaded
 +[    1.280000] spi_flash: Force not to support Protect Mode
 +[    1.285000] Creating 3 MTD partitions on "spi_flash":
 +[    1.290000] 0x000000000000-0x000000005000 : "uboot"
 +[    1.300000] 0x000000005000-0x00000000b000 : "uboot_env"
 +[    1.310000] 0x00000000b000-0x000000010000 : "data"
 +[    1.315000] spi_flash: SPI flash driver initialized successfully!
 +[    1.320000] ruby_health loading
 +[    1.325000] HBM pool: emac rx 0x0 to 0x8000, wmac rx 0x8000 to 0xa000
 +[    1.720000] HBM meta: emac rx 0x63c040 to 0x6bc040, wmac rx 0x6bc080 to 0x6dc080
 +[    1.725000] topaz_hbm_init_pool_list pool 0 pool_list 0x88000000 bus_range 0x16ec400 to 0x26ec400 sz 2048 count 8192
 +[    1.725000] topaz_hbm_init_pool_list pool 1 pool_list 0x88008000 bus_range 0x26fc400 to 0x48fc400 sz 17408 count 2048
 +[    1.725000] topaz_hbm_init_pool_list pool 3 pool_list 0x8800a000 bus_range 0x0 to 0x0 sz 0 count 4096
 +[    1.730000] topaz_busmon_init success
 +[    1.735000] topaz_temp_sens_init success
 +[    1.740000] u32 classifier
 +[    1.740000]     input device check on
 +[    1.745000]     Actions configured
 +[    1.750000] Netfilter messages via NETLINK v0.30.
 +[    1.755000] nf_conntrack version 0.5.0 (563 buckets, 2252 max)
 +[    1.760000] ip_tables: (C) 2000-2006 Netfilter Core Team
 +[    1.765000] TCP cubic registered
 +[    1.770000] NET: Registered protocol family 10
 +[    1.775000] NET: Registered protocol family 17
 +[    1.780000] 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
 +[    1.785000] All bugs added by David S. Miller <davem@redhat.com>
 +[    1.795000] Freeing unused kernel memory: 15872k freed [8493a000] TO [858ba000]
 +[    1.800000] Common mmap addr-space starts 2c0f0000
 +init started: BusyBox v1.10.3 (2019-05-28 16:43:09 CST)
 +starting pid 44, tty '': '/etc/init.d/rcS'
 +[    2.180000] load_module: 'bootcfg' using DRAM (offset:0x85800000, size:0x96b0)
 +Starting portmap: done
 +Initializing random number generator... done.
 +/mnt/jffs2/wireless_conf.txt not found. Creating a default conf file
 +restore_wireless_conf
 +restore_wireless_conf: wifi_mode = default
 +restore_wireless_conf: Setting default wireless config params
 +restore_wireless_conf: board_id = 65535
 +restore_wireless_conf: board_name = QTM840_5S3_MAC
 +restore_wireless_conf: Writing config params to /mnt/jffs2/wireless_conf.txt
 +Starting network...
 +[    3.500000] load_module: 'rtl8367b' using DRAM (offset:0x86700000, size:0x32a77)
 +[    3.505000] rtl8367b: module license 'unspecified' taints kernel.
 +[    3.510000] Disabling lock debugging due to kernel taint
 +[    3.565000] load_module: 'emaclib' using DRAM (offset:0x85870000, size:0x53c1)
 +[    3.685000] load_module: 'switch_vlan' using DRAM (offset:0x85858000, size:0x2739), SRAM (offset:0x88016368, size:0x1)
 +[    3.790000] load_module: 'switch_tqe' using DRAM (offset:0x85850000, size:0x3b3a), SRAM (offset:0x88016378, size:0x1a10)
 +[    3.840000] tqe_descs_alloc: 2048 tqe_rx_descriptors at kern uncached 0x580e1da0 bus 0x80017da0
 +[    3.920000] load_module: 'fwt_if' using DRAM (offset:0x85898000, size:0x1af7)
 +[    3.955000] load_module: 'fwt_ctrl' using DRAM (offset:0x86740000, size:0x23a01)
 +[    4.010000] load_module: 'dpi' using DRAM (offset:0x85892000, size:0x1d9f)
 +[    4.045000] load_module: 'switch_emac' using DRAM (offset:0x85cec000, size:0x2563), SRAM (offset:0x88011a40, size:0x2f8)
 +[    4.110000] emac wbsp: 0
 +[    4.115000] enable A2 (single)
 +[    4.175000] Random stuff 2D
 +emac0 is eth1_0, emac1 is unused
 +Stateless mode. Using temporary ip address:
 +Using IP address 1.1.1.2
 +Netmask is not set
 +[    4.445000] emac_lib eth1_0: force link (1000/Full)
 +[    4.565000] device eth1_0 entered promiscuous mode
 +[    4.570000] br0: port 1(eth1_0) entering forwarding state
 +[    4.575000] br0: port 1(eth1_0) entering forwarding state
 +[    4.605000] FWT: [00:aa:bb:cc:dd:02] add entry, port:emac0 node:0 index:876 4addr:0 entries:1
 +/sbin/ifup -a
 +ifconfig: SIOCGIFFLAGS: No such device
 +Version of /proc/bootcfg/qtn_regulatory_db.bin is Regulatory db version: v37.3.0.21
 +Version of /etc/qtn_regulatory_db.bin is Regulatory db version: v37.4.0.171
 +Selected database version: Regulatory db version: v37.4.0.171
 +Using /etc/qtn_regulatory_db.bin
 +Starting qevt_server
 +Starting inetd ...
 +/scripts/cmdloop starting /sbin/qevt_server, at 00:00:05 up 0 min, load average: 0.08, 0.01, 0.00
 +[    5.880000] load_module: 'hw_rev' using DRAM (offset:0x85834000, size:0x374c)
 +Starting wireless...
 +restore_default_config -nr
 +restore_wireless_conf ap
 +restore_wireless_conf: wifi_mode = ap
 +restore_wireless_conf: Setting default wireless config params
 +restore_wireless_conf: board_id = 65535
 +restore_wireless_conf: board_name = QTM840_5S3_MAC
 +restore_wireless_conf: Writing config params to /mnt/jffs2/wireless_conf.txt
 +restore_default_config: Updating security config files for mode ap
 +restore_default_config: Removing block ACK restrictions
 +restore_default_config: Configuration has been set to default values. Reboot after customizing to ensure correct operation.
 +complete
 +/scripts/cmdloop starting /sbin/qcsapi_rpcd, at 00:00:07 up 0 min, load average: 0.08, 0.01, 0.00
 +/scripts/cmdloop starting /sbin/call_qcsapi_rpcd, at 00:00:07 up 0 min, load average: 0.08, 0.01, 0.00
 +'monitor_temperature' is not enabled/set
 +MAUI service started
 +/etc/init.d/S91dhclient: line 26: syntax error: "else" unexpected
 +/scripts/cmdloop starting /sbin/qharvestd, at 00:00:10 up 0 min, load average: 0.47, 0.09, 0.03
 +Starting httpd
 +cp: cannot stat '/etc/minihttpd.conf': No such file or directory
 +qharvestd[notice]: qharvestd v1.32.2 started
 +starting pid 691, tty '/dev/console': '/bin/sh -l'
 +
 +
 +BusyBox v1.10.3 (2019-05-28 16:43:09 CST) built-in shell (ash)
 +Enter 'help' for a list of built-in commands.
 +
 +quantenna # qharvestd[error]: qcsapi[interface_get_mac_addr] failed, err code = -19 (No such device)
 +
 +/scripts/readmem: line 10: cannot create /proc/wlanmem: nonexistent directory
 +cat: can't open '/proc/wlanmem': No such file or directory
 +qharvestd[error]: qcsapi[get_carrier_id] failed, err code = -19 (No such device)
 +
 +qharvestd[error]: failed to get device MAC address
 +qharvestd[notice]: qharvest terminated
 +Using IP address 1.1.1.2
 +Netmask is not set
 +ifconfig: bad address ''
 +Loading modules
 +[   13.550000] load_module: 'qtn_debug' using DRAM (offset:0x85838800, size:0x377)
 +[   13.670000] load_module: 'i2cbus' using DRAM (offset:0x85856000, size:0x1ce2)
 +[   13.825000] load_module: 'qtsens' using DRAM (offset:0x850d6000, size:0x7b6)
 +[   13.955000] load_module: 'pm_interval' using DRAM (offset:0x84960000, size:0x13b2)
 +[   14.140000] load_module: 'wlan' using DRAM (offset:0x84a00000, size:0xb9100)
 +[   14.485000] wlan: 0.8.4.2 (0.9.3.3)
 +[   14.650000] load_module: 'auc_fw' using DRAM (offset:0x866ec000, size:0x8cb)
 +[   14.755000] load_module: 'qvspmod' using DRAM (offset:0x84eb0000, size:0x3f39)
 +[   14.785000] QVSP module init
 +[   14.860000] load_module: 'qdrv' using DRAM (offset:0x84c00000, size:0xa9a40)
 +[   15.170000] qdrv wbsp: 0
 +[   15.315000] load_module: 'wlan_xauth' using DRAM (offset:0x84eb9000, size:0x32f)
 +[   15.330000] br0: no IPv6 routers present
 +[   15.485000] load_module: 'wlan_ccmp' using DRAM (offset:0x84962000, size:0x1782)
 +[   15.660000] load_module: 'wlan_tkip' using DRAM (offset:0x85860000, size:0x2636)
 +Loading MuC driver (qtn_driver.qtn_ruby.0.bin)
 +no keyfile specified
 +unable to load Public Key
 +Waiting for Wireless Events from interfaces...
 +Found power table in /etc/power_tables
 +[   16.985000] set power_selection 2
 +[   16.990000] qdrv_soc_publish_params: parames->tqe_sem_en 0, auc_tqe_sem_en 0
 +[   17.000000] ..... Current RFIC Chip ID -- 4
 +[   17.295000] AuC SRAM start 0x88040000 end 0x88080000 size 262144
 +[   17.300000] AuC is configured for non-MU SRAM layout
 +[   17.305000] AuC SRAM bank 0 start 0x88040000 end 0x88050000
 +[   17.310000] AuC SRAM bank 1 start 0x88050000 end 0x88060000
 +[   17.315000] AuC SRAM bank 2 start 0x88060000 end 0x88070000
 +[   17.320000] AuC SRAM bank 3 start 0x88070000 end 0x88080000
 +[   17.350000] MuC: g_tqe_sem_en 0
 +[   17.350000] MuC: build date Wed, 03 Oct 2018 14:35:42 -0700
 +[   17.355000] MuC: slow heap begin=0x002a33e0 end=0x004203e0
 +[   17.360000] MuC: fast heap begin=0x80030800 end=0x80037000
 +[   17.365000] MuC: stack start=0x8003ef80 sp=0x8003f6d4
 +[   17.370000] MuC: calstate is 3 (prod), dcache on
 +[   17.375000] MuC: RFIC version 1 rev 0
 +[   17.405000] qdrv_mac_reserve_clear: mac reservation table cleared
 +[   17.430000] QDRV: I2C dapter not found
 +[   17.445000] MuC: bb_init: FEM 0x7 bw_mode 0 chan 0 11b 0 11a 1
 +[   17.450000] MuC: set max/nrm gain(0x27) done.
 +[   17.455000] MuC: set cca threshold!
 +[   17.455000] MuC: rf_optimizing_rf_register_map, set rf to 0x75
 +[   17.460000] MuC: os_uc, after bb_rf_complete_attach.
 +[   17.465000] MuC: WMAC0: hal fd start=0xe5040300 count=48 size=108 end=0xe5041740
 +[   17.470000] MuC: WMAC1: hal fd start=0xe5140d50 count=8 size=84 end=0xe5140ff0
 +[   17.475000] MuC: freq 1 proj 1
 +[   17.475000] MuC: dynamic one-bit autocorrelation enabled
 +[   17.480000] MuC: QMAT SRAM base 0x80070000
 +[   17.485000] MuC: enable IRQs
 +[   17.610000] qdrv_mu_stat_init
 +[   17.685000] MuC: AuC enabled 0xe5101cd0/0x60063630 il 0xe5101284/0xe5101288 stats 0x60061170/0x600633700x6007e140
 +[   17.690000] MuC: Update MU debug flag failed. keep old value : 0x00000000
 +[   17.695000] QDRV: hardware is 4x4 11ac FO RGMII/PCIe QV840
 +[   17.700000] MuC boot succeeded 0.085 seconds
 +start-vap ap
 +[   19.280000] load_module: 'wlan_scan_ap' using DRAM (offset:0x85f20000, size:0x3176)
 +[   19.360000] QTM daemon registered
 +[   19.480000] qvsp_nl_node_init: QVSP not initialized
 +[   19.485000] MuC: qtn_mu_ndpa_setup: bw_cap 2 done
 +[   19.500000] VAP create succeeded 0.010 seconds
 +[   19.510000] MuC: qtn_mu_ndpa_setup: bw_cap 2 done
 +[   19.995000] MuC: calibration ver 0x801
 +bss_tm set to 1
 +neigh_repo reset to 0
 +radar in 80MHZ mode
 +Setting mode to 11ac80
 +set_region: Setting regulatory region dev_name=wifi0 region=es mode=ap repeater=0
 +radar start with[   21.865000] DFS_s_radio: parameters updated, region: eu
 + regulatory eu
 +[   21.870000] MuC: macfw: radar_start.........
 +[   21.875000] MuC: radar_start, region eu = 2
 +[   22.120000] qdrv_radar_enable_action: ERROR - radar already enabled
 +ICAC: max_boot_cac is greater than 0, hence the parameter non_dfs_channel is ignored. To avoid doing initial CAC set max_boot_cac to 0.
 +dfs_s_radio 1 dfs 0 non-dfs 0 scan 0 auto-channel  channel 0
 +Configure max_boot_cac to 70
 +[   23.005000] device wifi0 entered promiscuous mode
 +[   23.125000] Enabling SSDP flooding
 +Beamforming enabled
 +[   24.175000] Enabling SCS
 +SCS enabled
 +QTM: load profile off
 +QTM enabled: 0
 +[   25.375000] MuC: Beacon scheme updated to 1
 +[   25.420000] Starting DFS seamless radio...
 +[   25.435000] BRIDGE WLAN report flood-forwarding enabled
 +QCS API error 1010: Cannot contact security manager
 +No core dump generated
 +QCS API error 34: Parameter value out of range
 +[   27.280000] Build name:            v37.4.0.180
 +[   27.285000] Build revision:        86411
 +[   27.290000] Build type:            SDK
 +[   27.295000] Build timestamp:       1538603078
 +[   27.300000] Platform ID:           432
 +[   27.300000] Hardware ID:           QV840
 +[   27.305000] Hardware revision:     bbic4_rev_a2
 +[   27.310000] Band:                  5GHz
 +[   27.315000] Kernel version:        2.6.35
 +[   27.320000] Calibration version:   disabled
 +[   27.325000] DC/IQ cal version:     V8.1
 +[   27.325000] Power cal version:     V8.1
 +[   27.330000] MuC firmware:          qtn_driver.qtn_ruby.0.bin
 +[   27.335000] DSP firmware:          rdsp_driver.0.bin
 +[   27.340000] AuC firmware:          auc_driver.nomu.0.bin
 +[   27.345000] MAC address 0:         4c:1b:86:59:4e:59
 +[   27.350000] MAC address 1:         00:00:00:00:00:00
 +[   27.355000] Recommended U-Boot:    v37.4.0.136
 +Carrier ID 0, uboot update flag 0
 +complete
 +MU-MIMO is not supported on this device
 +Starting qrpe daemon...
 +qtna-rpe(7.0.10-7e833fa) started
 +PTA request polarity set to 0
 +PTA grant polarity set to 0
 +PTA disabled
 +/scripts/cmdloop starting /sbin/qharvestd, at 01:00:32 up 0 min, load average: 0.80, 0.20, 0.06
 +qharvestd[notice]: qharvestd v1.32.2 started
 +radar start with regulatory eu
 +[   32.395000] qdrv_radar_is_rdetection_required: ERROR - channel not yet set
 +[   32.395000] qdrv_radar_enable_action: ERROR - radar already enabled
 +qharvestd[notice]: Pktlogger support detected
 +qharvestd[info]: rest for 120s (120s 0ms after adjustment)
 +[   32.830000] channel 52 is added into non-primary channel list
 +[   32.870000] channel 56 is added into non-primary channel list
 +[   32.910000] channel 60 is added into non-primary channel list
 +[   32.950000] channel 64 is added into non-primary channel list
 +[   32.950000] Warning: all the sub channels are not in primary channel list!
 +[   32.995000] channel 116 is added into non-primary channel list
 +[   33.035000] channel 120 is added into non-primary channel list
 +[   33.075000] channel 124 is added into non-primary channel list
 +[   33.115000] channel 128 is added into non-primary channel list
 +[   33.115000] Warning: all the sub channels are not in primary channel list!
 +[   33.160000] channel 132 is added into non-primary channel list
 +[   33.200000] channel 136 is added into non-primary channel list
 +[   33.240000] channel 140 is added into non-primary channel list
 +[   33.325000] Starting DFS seamless radio...
 +[   33.620000] MuC: #RX data path optimal flag 0
 +[   33.625000] MuC: rx_post_init: free 0 rxq 9 9 394 descr 0x8000f000/6592 cache 0x8002aa00/13184
 +[   33.625000] MuC: auto cs is enabled
 +[   33.660000] WPS:
 +                    [  110.560000] RADAR: CAC completed for channel 108 (5540 MHz)
 +[  117.810000] channel 52 is removed from non-primary channel list
 +[  117.855000] channel 56 is removed from non-primary channel list
 +[  117.900000] channel 60 is removed from non-primary channel list
 +[  117.945000] channel 64 is removed from non-primary channel list
 +update_5g_channel: 108
 +[  119.510000] FWT: [00:2a:bb:cc:dd:04] add entry, port:emac0 node:0 index:58 4addr:0 entries:2
 +[  126.140000] VAP create succeeded 0.010 seconds
 +[  126.170000] device wifi1 entered promiscuous mode
 +[  135.350000] br0: port 3(wifi1) entering forwarding state
 +[  135.350000] br0: port 3(wifi1) entering forwarding state
 +[  137.970000] VAP create succeeded 0.010 seconds
 +[  138.000000] device wifi2 entered promiscuous mode
 +[  149.465000] VAP create succeeded 0.010 seconds
 +[  149.490000] device wifi3 entered promiscuous mode
 +qharvestd[info]: start oauth processing at 153.436828331
 +qharvestd[info]: target: https://qharvest-prod.quantenna.com/api/auth/token
 +qharvestd[info]: request: { "username": "1072|4c:1b:86:59:4e:59", "password": "0000", "grant_type": "password", "scope": "device" }
 +qharvestd[error]: curl_easy_perform(): Couldn't resolve host 'qharvest-prod.quantenna.com'
 +
 +qharvestd[info]: finish oauth processing at 153.530159547 (in 93ms)
 +qharvestd[info]: poll_request: exponential backoff scale is 3
 +qharvestd[info]: next poll_request will be in 10 seconds
 +qharvestd[info]: rest for 10s (9s 907ms after adjustment)
 +qharvestd[info]: start oauth processing at 163.451312751
 +qharvestd[info]: target: https://qharvest-prod.quantenna.com/api/auth/token
 +qharvestd[info]: request: { "username": "1072|4c:1b:86:59:4e:59", "password": "0000", "grant_type": "password", "scope": "device" }
 +qharvestd[error]: curl_easy_perform(): Couldn't resolve host 'qharvest-prod.quantenna.com'
 +
 +qharvestd[info]: finish oauth processing at 163.456939859 (in 5ms)
 +qharvestd[info]: poll_request: exponential backoff scale is 4
 +qharvestd[info]: next poll_request will be in 24 seconds
 +qharvestd[info]: rest for 24s (23s 995ms after adjustment)
 +iwpriv wifi0 set_owl_beacon 1
 +iwpriv wifi0 set_coc_ndfs 0
 +update_24g_channel: 1
 +[  182.285000] ARC_24G_CHAN_IN_5G=1
 +qharvestd[info]: start oauth processing at 187.465876831
 +qharvestd[info]: target: https://qharvest-prod.quantenna.com/api/auth/token
 +qharvestd[info]: request: { "username": "1072|4c:1b:86:59:4e:59", "password": "0000", "grant_type": "password", "scope": "device" }
 +qharvestd[error]: curl_easy_perform(): Couldn't resolve host 'qharvest-prod.quantenna.com'
 +
 +qharvestd[info]: finish oauth processing at 187.471585747 (in 5ms)
 +qharvestd[info]: poll_request: exponential backoff scale is 5
 +qharvestd[info]: next poll_request will be in 33 seconds
 +qharvestd[info]: rest for 33s (32s 995ms after adjustment)
 +qharvestd[info]: start oauth processing at 220.480904255
 +qharvestd[info]: target: https://qharvest-prod.quantenna.com/api/auth/token
 +qharvestd[info]: request: { "username": "1072|4c:1b:86:59:4e:59", "password": "0000", "grant_type": "password", "scope": "device" }
 +qharvestd[error]: curl_easy_perform(): Couldn't resolve host 'qharvest-prod.quantenna.com'
 +
 +qharvestd[info]: finish oauth processing at 220.486698935 (in 5ms)
 +qharvestd[info]: poll_request: exponential backoff scale is 6
 +qharvestd[info]: next poll_request will be in 93 seconds
 +qharvestd[info]: rest for 93s (92s 995ms after adjustment)
 +qharvestd[info]: start oauth processing at 313.496165543
 +qharvestd[info]: target: https://qharvest-prod.quantenna.com/api/auth/token
 +qharvestd[info]: request: { "username": "1072|4c:1b:86:59:4e:59", "password": "0000", "grant_type": "password", "scope": "device" }
 +qharvestd[error]: curl_easy_perform(): Couldn't resolve host 'qharvest-prod.quantenna.com'
 +</nowiki>
 +</WRAP>\\
 +
  
 ==== OpenWrt bootlog ==== ==== OpenWrt bootlog ====
  • Last modified: 2022/10/28 08:50
  • by danitool