UPVEL UR-825AC

http://www.upvel.ru/items/ur-825ac.html

OpenWRT firmware for this device is currently in an early beta state, but progress is being made!
The discussion on the OpenWRT forum (in English) is here

Hardware information

Architecture: Lexra/ Lexra RLX5281
Vendor: Realtek
Bootloader: RTL-boot
System-On-Chip: Realtek RTL8197DN
CPU Speed: 660 MHz
Flash Chip: ELM Technology GD25Q128
Flash size: 16MB
RAM chip: PME810816CBR-E7DN
RAM size: 64M
Wireless IEEE 802.11a/b/g/n: Realtek RTL8192ER
Wireless IEEE 802.11ac: Realtek RTL8812AR
Ethernet: Realtek RTL8367RB Gigabit
USB: 2*USB2.0
Serial: Yes
JTAG: Yes (?)
Power supply: 12V 1.5A

Photos of the device board

UART port

The UART port on the board is labelled J21 and uses 3.3 V levels at a speed of 38400, 8n1. The connector is not soldered on.

J21
1 2 3 4
Vcc RX TX GND

Do not connect Vcc. With Vcc connected, the router will be powered from the UART converter, or vice versa, which will cause data transmission errors or the router to boot incorrectly.

JTAG

There are 8 contact pads around the chip; this may be JTAG. There is no way to verify it.

Firmware recovery

(the process is not fully worked out yet, but work is in progress) JTAG for recovering bricked firmware is not available yet, but this router model uses an 8-pin SPI flash chip. It is possible to desolder the chip and write new firmware with an SPI programmer. The simplest way to recover the firmware is to write the 24kb bootloader to the flash (the file can be found in the forum thread) and, after a successful boot into TFTP mode, flash the router with the factory firmware. Be careful: the processor does not support just any 16Mb chip, only GD25Q128 and some others. This is down to chip support in the bootloader. Support for the following chips was found in the bootloader source code:

S25FL004A
S25FL016A
S25FL032A
S25FL064A
S25FL128P (with some restrictions)
S25FL032P
MX25L4005
MX25L1605D
MX25L3205D
MX25L6405D
MX25L12805D
MX25L1635D
MX25L3235D
MX25L6445E
MX25L12845E
SST25VF032B
SST26VF016
SST26VF032
W25Q80
W25Q16
W25Q32
EN25F32
EN25F16
EN25Q32
EN25Q16
GD25Q8
GD25Q16
GD25Q32
GD25Q64
GD25Q128
AT25DF161

… but not all of them are 16Mb.

Factory firmware boot log

The current firmware is v3.4.6.3, but it looks like the version does not matter; what counts is its build (19.11.14).

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000002dh GD25Q128
@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
---RealTek(RTL8196D)at 2013.12.26-08:32+0800 v1.1 [16bit](700MHz)
no rootfs signature at 000E0000!
no rootfs signature at 000F0000!
no rootfs signature at 00130000!
no rootfs signature at 000E1000!
no rootfs signature at 000E2000!
no rootfs signature at 000E3000!
no rootfs signature at 000E4000!
no rootfs signature at 000E5000!
no rootfs signature at 000E6000!
no rootfs signature at 000E7000!
no rootfs signature at 000E8000!
no rootfs signature at 000E9000!
no rootfs signature at 000EA000!
no rootfs signature at 000EB000!
no rootfs signature at 000EC000!
no rootfs signature at 000ED000!
no rootfs signature at 000EE000!
no rootfs signature at 000EF000!
no rootfs signature at 000F1000!
no rootfs signature at 000F2000!
no rootfs signature at 000F3000!
no rootfs signature at 000F4000!
no rootfs signature at 000F5000!
no rootfs signature at 000F6000!
no rootfs signature at 000F7000!
no rootfs signature at 000F8000!
no rootfs signature at 000F9000!
no rootfs signature at 000FA000!
no rootfs signature at 000FB000!
no rootfs signature at 000FC000!
no rootfs signature at 000FD000!
no rootfs signature at 000FE000!
no rootfs signature at 000FF000!
no rootfs signature at 00100000!
no rootfs signature at 00101000!
no rootfs signature at 00102000!
no rootfs signature at 00103000!
no rootfs signature at 00104000!
no rootfs signature at 00105000!
no rootfs signature at 00106000!
no rootfs signature at 00107000!
no rootfs signature at 00108000!
no rootfs signature at 00109000!
no rootfs signature at 0010A000!
no rootfs signature at 0010B000!
no rootfs signature at 0010C000!
no rootfs signature at 0010D000!
no rootfs signature at 0010E000!
no rootfs signature at 0010F000!
no rootfs signature at 00110000!
no rootfs signature at 00111000!
no rootfs signature at 00112000!
no rootfs signature at 00113000!
no rootfs signature at 00114000!
no rootfs signature at 00115000!
no rootfs signature at 00116000!
no rootfs signature at 00117000!
no rootfs signature at 00118000!
no rootfs signature at 00119000!
no rootfs signature at 0011A000!
no rootfs signature at 0011B000!
no rootfs signature at 0011C000!
no rootfs signature at 0011D000!
no rootfs signature at 0011E000!
no rootfs signature at 0011F000!
no rootfs signature at 00120000!
no rootfs signature at 00121000!
no rootfs signature at 00122000!
no rootfs signature at 00123000!
no rootfs signature at 00124000!
no rootfs signature at 00125000!
no rootfs signature at 00126000!
no rootfs signature at 00127000!
no rootfs signature at 00128000!
no rootfs signature at 00129000!
no rootfs signature at 0012A000!
no rootfs signature at 0012B000!
no rootfs signature at 0012C000!
no rootfs signature at 0012D000!
no rootfs signature at 0012E000!
no rootfs signature at 0012F000!
no rootfs signature at 00131000!
no rootfs signature at 00132000!
no rootfs signature at 00133000!
no rootfs signature at 00134000!
no rootfs signature at 00135000!
no rootfs signature at 00136000!
no rootfs signature at 00137000!
no rootfs signature at 00138000!
no rootfs signature at 00139000!
no rootfs signature at 0013A000!
no rootfs signature at 0013B000!
no rootfs signature at 0013C000!
no rootfs signature at 0013D000!
no rootfs signature at 0013E000!
no rootfs signature at 0013F000!
no rootfs signature at 00140000!
no rootfs signature at 00141000!
no rootfs signature at 00142000!
no rootfs signature at 00143000!
no rootfs signature at 00144000!
no rootfs signature at 00145000!
no rootfs signature at 00146000!
no rootfs signature at 00147000!
no rootfs signature at 00148000!
no rootfs signature at 00149000!
no rootfs signature at 0014A000!
no rootfs signature at 0014B000!
no rootfs signature at 0014C000!
no rootfs signature at 0014D000!
no rootfs signature at 0014E000!
no rootfs signature at 0014F000!
no rootfs signature at 00150000!
no rootfs signature at 00151000!
no rootfs signature at 00152000!
no rootfs signature at 00153000!
no rootfs signature at 00154000!
no rootfs signature at 00155000!
no rootfs signature at 00156000!
no rootfs signature at 00157000!
no rootfs signature at 00158000!
no rootfs signature at 00159000!
no rootfs signature at 0015A000!
no rootfs signature at 0015B000!
no rootfs signature at 0015C000!
no rootfs signature at 0015D000!
no rootfs signature at 0015E000!
no rootfs signature at 0015F000!

Jump to image start=0x80500000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003430
Realtek WLAN driver - version 1.6 (2013-02-21)
DFS function - version 1.0.20
8812 mp chip !! 


#######################################################
SKB_BUF_SIZE=3600 MAX_SKB_NUM=768
#######################################################



#######################################################
SKB_BUF_SIZE=3600 MAX_SKB_NUM=768
#######################################################




Probing RTL8186 10/100 NIC-kenel stack size order[3]...
chip name: 8196C, chip revid: 0
NOT YET
eth0 added. vid=9 Member port 0x1...
eth1 added. vid=8 Member port 0x10...
eth2 added. vid=9 Member port 0x2...
eth3 added. vid=9 Member port 0x4...
eth4 added. vid=9 Member port 0x8...
[peth0] added, mapping to [eth1]...
Realtek FastPath:v1.03

init started: BusyBox v1.13.4 (2014-11-19 11:53:27 MSK)
insmod: cannot insert '/lib/modules/2.6.30.9/kernel/fs/nlsnls_cp936.ko': unknown symbol in module, or unknown parameter
flat_open(/dev/mtd4,r) = 0
******************
sysconf init gw all 
***************
Init Start...
******************
sysconf wlanapp kill wlan0 
***************
!!! adjust 5G 2ndoffset for 8812 !!!
******************
sysconf wlanapp kill wlan1 
***************
Init bridge interface...
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
invalid vlan parameter!
 <=== FirmwareDownload8812()
syslog will use 64KB for log(7 rotate, 1 original, 8KB for each)
Init Wlan application...

WiFi Simple Config v2.14-wps2.0 (2014.01.17-06:15+0000).

Register to wlan0
Register to wlan1
route: SIOCDELRT: No such process
IEEE 802.11f (IAPP) using interface br0 (v1.8)
Start setting IPv6[IPv6]
start samba
start vsftpd
uShare<main>ushare name: UR-825AC

uShare (version 1.1a), a lightweight UPnP A/V and DLNA Media Server.
Benjamin Zores (C) 2005-2007, for GeeXboX Team.
See http://ushare.geexbox.org/ for updates.
Listening on telnet port 1337
Initializing UPnP subsystem ...
UPnP MediaServer listening on 192.168.1.1:49200
Sending UPnP advertisement for device ...
Listening for control point connections ...
Looking for files in content directory : /var/tmp/usb/sda1/Media
scandir: No such file or directory
Found 3 files and subdirectories.
boa: server version Boa/0.94.14rc21
boa: server built Nov 19 2014 at 12:26:45.
boa: starting server pid=1365, port 80


ur-825ac login: 

…the same log, but in Recovery mode (hold down the Reset/WPS button and power on the router; keep it held for 3 - 5 seconds)

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000002dh GD25Q128
@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
---RealTek(RTL8196D)at 2013.12.26-08:32+0800 v1.1 [16bit](700MHz)
no rootfs signature at 000E0000!
no rootfs signature at 000F0000!
no rootfs signature at 00130000!
no rootfs signature at 000E1000!
no rootfs signature at 000E2000!
no rootfs signature at 000E3000!
no rootfs signature at 000E4000!
no rootfs signature at 000E5000!
no rootfs signature at 000E6000!
no rootfs signature at 000E7000!
no rootfs signature at 000E8000!
no rootfs signature at 000E9000!
no rootfs signature at 000EA000!
no rootfs signature at 000EB000!
no rootfs signature at 000EC000!
no rootfs signature at 000ED000!
no rootfs signature at 000EE000!
no rootfs signature at 000EF000!
no rootfs signature at 000F1000!
no rootfs signature at 000F2000!
no rootfs signature at 000F3000!
no rootfs signature at 000F4000!
no rootfs signature at 000F5000!
no rootfs signature at 000F6000!
no rootfs signature at 000F7000!
no rootfs signature at 000F8000!
no rootfs signature at 000F9000!
no rootfs signature at 000FA000!
no rootfs signature at 000FB000!
no rootfs signature at 000FC000!
no rootfs signature at 000FD000!
no rootfs signature at 000FE000!
no rootfs signature at 000FF000!
no rootfs signature at 00100000!
no rootfs signature at 00101000!
no rootfs signature at 00102000!
no rootfs signature at 00103000!
no rootfs signature at 00104000!
no rootfs signature at 00105000!
no rootfs signature at 00106000!
no rootfs signature at 00107000!
no rootfs signature at 00108000!
no rootfs signature at 00109000!
no rootfs signature at 0010A000!
no rootfs signature at 0010B000!
no rootfs signature at 0010C000!
no rootfs signature at 0010D000!
no rootfs signature at 0010E000!
no rootfs signature at 0010F000!
no rootfs signature at 00110000!
no rootfs signature at 00111000!
no rootfs signature at 00112000!
no rootfs signature at 00113000!
no rootfs signature at 00114000!
no rootfs signature at 00115000!
no rootfs signature at 00116000!
no rootfs signature at 00117000!
no rootfs signature at 00118000!
no rootfs signature at 00119000!
no rootfs signature at 0011A000!
no rootfs signature at 0011B000!
no rootfs signature at 0011C000!
no rootfs signature at 0011D000!
no rootfs signature at 0011E000!
no rootfs signature at 0011F000!
no rootfs signature at 00120000!
no rootfs signature at 00121000!
no rootfs signature at 00122000!
no rootfs signature at 00123000!
no rootfs signature at 00124000!
no rootfs signature at 00125000!
no rootfs signature at 00126000!
no rootfs signature at 00127000!
no rootfs signature at 00128000!
no rootfs signature at 00129000!
no rootfs signature at 0012A000!
no rootfs signature at 0012B000!
no rootfs signature at 0012C000!
no rootfs signature at 0012D000!
no rootfs signature at 0012E000!
no rootfs signature at 0012F000!
no rootfs signature at 00131000!
no rootfs signature at 00132000!
no rootfs signature at 00133000!
no rootfs signature at 00134000!
no rootfs signature at 00135000!
no rootfs signature at 00136000!
no rootfs signature at 00137000!
no rootfs signature at 00138000!
no rootfs signature at 00139000!
no rootfs signature at 0013A000!
no rootfs signature at 0013B000!
no rootfs signature at 0013C000!
no rootfs signature at 0013D000!
no rootfs signature at 0013E000!
no rootfs signature at 0013F000!
no rootfs signature at 00140000!
no rootfs signature at 00141000!
no rootfs signature at 00142000!
no rootfs signature at 00143000!
no rootfs signature at 00144000!
no rootfs signature at 00145000!
no rootfs signature at 00146000!
no rootfs signature at 00147000!
no rootfs signature at 00148000!
no rootfs signature at 00149000!
no rootfs signature at 0014A000!
no rootfs signature at 0014B000!
no rootfs signature at 0014C000!
no rootfs signature at 0014D000!
no rootfs signature at 0014E000!
no rootfs signature at 0014F000!
no rootfs signature at 00150000!
no rootfs signature at 00151000!
no rootfs signature at 00152000!
no rootfs signature at 00153000!
no rootfs signature at 00154000!
no rootfs signature at 00155000!
no rootfs signature at 00156000!
no rootfs signature at 00157000!
no rootfs signature at 00158000!
no rootfs signature at 00159000!
no rootfs signature at 0015A000!
no rootfs signature at 0015B000!
no rootfs signature at 0015C000!
no rootfs signature at 0015D000!
no rootfs signature at 0015E000!
no rootfs signature at 0015F000!
P0phymode=03, embedded phy

---Ethernet init Okay!

<RealTek>

Available commands:

<RealTek>?

----------------- COMMAND MODE HELP ------------------

HELP (?)    : Print this help message
DB <Address> <Len>
DW <Address> <Len>
EB <Address> <Value1> <Value2>...
EW <Address> <Value1> <Value2>...
CMP: CMP <dst><src><length>
IPCONFIG:<TargetAddress>
AUTOBURN: 0/1
LOADADDR: <Load Address>
J: Jump to <TargetAddress>
FLR: FLR <dst><src><length>
FLW <dst_ROM_offset><src_RAM_addr><length_Byte> <SPI cnt#>: Write offset-data to SPI from RAM
MDIOR:  MDIOR <phyid> <reg>
MDIOW:  MDIOW <phyid> <reg> <data>
PHYR: PHYR <PHYID><reg>
PHYW: PHYW <PHYID><reg><data>
D8 <Address>
E8 <Address> <Value>

<RealTek>ipconfig
 Target Address=192.168.1.6

UART console

Unfortunately I can't get the login/password for its serial console, but fortunately we can try to get access through Telnet. Go to the web interface (you should pass authorization on the main page before this):

http://<your device ip>/syscmd.htm

and send a command through it:

busybox /bin/telnetd -p 1112 -l/bin/sh

After that you can connect to your device on 1112 port:

telnet <your device IP> 1112

BusyBox version:

# busybox
BusyBox v1.13.4 (2014-11-19 11:53:27 MSK) multi-call binary
Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as!

Currently defined functions:
        adduser, ash, bunzip2, bzcat, cat, chroot, cp, cut, date, echo, eject,
        expr, false, free, getty, grep, halt, head, hostname, ifconfig, init,
        insmod, ip, kill, killall, klogd, ln, login, lpq, ls, lsmod, mdev,
        mkdir, modprobe, mount, passwd, ping, ping6, poweroff, ps, reboot,
        renice, rm, rmmod, route, sh, sleep, swapoff, swapon, syslogd, tail,
        telnetd, true, umount, vi, wc

CPU info

# cat /proc/cpuinfo
system type             : RTL819xD
processor               : 0
cpu model               : 56322
BogoMIPS                : 658.63
hardware watchpoint     : no
tlb_entries             : 32
mips16 implemented      : yes

MTD mapping

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00160000 00001000 "boot+cfg+linux"
mtd1: 00880000 00001000 "root fs"
mtd2: 00620000 00001000 "flatfs"

Kernel supported devices

# cat /proc/devices
Character devices:
  1 mem
  2 pty
  3 ttyp
  4 ttyS
  5 /dev/tty
  5 /dev/console
 10 misc
 90 mtd
108 ppp
166 ttyACM
180 usb
188 ttyUSB
189 usb_device
254 usb_endpoint

Block devices:
259 blkext
  8 sd
 11 sr
 31 mtdblock
 65 sd
 66 sd
 67 sd
 68 sd
 69 sd
 70 sd
 71 sd
128 sd
129 sd
130 sd
131 sd
132 sd
133 sd
134 sd
135 sd

There are no burn commands.

Serial port parameters:

# cat /proc/cmdline
console=ttyS0,38400 root=/dev/mtdblock1

Linux kernel version:

# cat /proc/version
Linux version 2.6.30.9 (warlock@warlock-debian-PC) (gcc version 4.4.5-1.5.5p4 (GCC) ) #376 Wed Nov 19 12:29:05 MSK 2014

System version:

# cat /etc/version
RTL819xD v1.0 --  Wed Nov 19 12:27:04 MSK 2014
The SDK version is: Realtek SDK v3.4.6-r20732
Ethernet driver version is: 20468-20238
Wireless driver version is: 20631-20631
Fastpath source version is: 20238-20238
Feature support version is: 20022-14785

Process list:

# cd /proc
# ls
1                          fast_nat
1029                       fast_pppoe
1031                       fast_pptp
1052                       filesystems
1062                       filter_table
1065                       fs
1291                       gc_overflow_timout
131                        gpio
1322                       http_file
1324                       hw_nat
1328                       interrupts
1330                       iomem
1333                       ioports
1337                       irq
1342                       kcore
1343                       kpagecount
1344                       kpageflags
1346                       load_default
1347                       loadavg
1348                       locks
1350                       log_print_control
1351                       meminfo
1363                       misc
1365                       modules
1366                       mounts
1367                       mtd
1389                       net
1401                       pagetypeinfo
1407                       partitions
141                        peth0
158                        phyRegTest
159                        pptp_conn_ck
2                          qos
3                          reInitSwitchCore
4                          rf_switch
5                          rtk_multicast_scream_vid
725                        rtk_query_for_bridge_port
8                          rtk_vlan_support
StormCtrl                  rtl865x
alg                        rtl_8367r_vlan
br_igmpDb                  rtl_hw_vlan_support
br_igmpProxy               rtl_hw_vlan_tagged_mc
br_igmpQuerierInfo         scsi
br_igmpVersion             self
br_igmpquery               slabinfo
br_igmpsnoop               stat
br_mCastFastFwd            suspend_check
br_mldQuerierInfo          swaps
br_mldVersion              sys
br_mldquery                sysvipc
br_mldsnoop                timer_list
br_wlanblock               tty
buddyinfo                  uptime
bus                        usb_mode_detect
cmdline                    version
cpuinfo                    vmallocinfo
crypto                     vmstat
custom_Passthru            watchdog_reboot
custom_Passthru_wlan       wlan0
devices                    wlan0-va0
diskstats                  wlan0-va1
driver                     wlan0-va2
eee                        wlan0-va3
enable_dos                 wlan0-vxd
eth0                       wlan1
eth1                       wlan1-va0
eth2                       wlan1-va1
eth3                       wlan1-va2
eth4                       wlan1-va3
execdomains                wlan1-vxd
fast_l2tp                  zoneinfo

Loaded modules list:

# lsmod

ext3 109920 - - Live 0xc0307000
jbd 31056 - - Live 0xc02bb000
mbcache 4128 - - Live 0xc02a1000
msdos 6480 - - Live 0xc028f000
vfat 8656 - - Live 0xc0281000
fat 42032 - - Live 0xc026a000
ntfs 226576 - - Live 0xc0211000
nls_cp950 98432 - - Live 0xc018a000
nls_utf8 768 - - Live 0xc0167000
nls_cp437 4336 - - Live 0xc0157000
hw_cdc_driver 21536 - - Live 0xc0142000
rndis_host 4368 - - Live 0xc012e000
cdc_ether 2752 - - Live 0xc0123000
cdc_eem 1984 - - Live 0xc0118000
asix 10176 - - Live 0xc010c000
usbnet 10560 - - Live 0xc00fb000
cdc_wdm 7840 - - Live 0xc00eb000
cdc_acm 11120 - - Live 0xc00dc000
mii 3216 - - Live 0xc00ca000
scsi_wait_scan 320 - - Live 0xc00ba000
crc32 3104 - - Live 0xc00ae000
bitrev 784 - - Live 0xc00a7000

Memory information:

# cat /proc/meminfo
MemTotal:          49020 kB
MemFree:           26908 kB
Buffers:            2052 kB
Cached:             6200 kB
SwapCached:            0 kB
Active:             4308 kB
Inactive:           6456 kB
Active(anon):       2512 kB
Inactive(anon):        0 kB
Active(file):       1796 kB
Inactive(file):     6456 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:          2516 kB
Mapped:             2104 kB
Slab:               9952 kB
SReclaimable:        472 kB
SUnreclaim:         9480 kB
PageTables:          252 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       24508 kB
Committed_AS:      19732 kB
VmallocTotal:    1048404 kB
VmallocUsed:        1000 kB
VmallocChunk:    1045192 kB

Mounted devices:

# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,relatime 0 0
ramfs /var ramfs rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0

Ethernet configuration:

(The device is currently in Bridge mode, so the WAN port, all LAN ports and the WLAN ports are consolidated into br0.)

# ifconfig
br0       Link encap:Ethernet  HWaddr D4:BF:**:**:**:**
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::****:7fff:****:****/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12785 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1170 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2199478 (2.0 MiB)  TX bytes:226615 (221.3 KiB)

eth0      Link encap:Ethernet  HWaddr D4:BF:**:**:**:**
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13457 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4944461 (4.7 MiB)  TX bytes:1175082 (1.1 MiB)
          Interrupt:12

eth1      Link encap:Ethernet  HWaddr D4:BF:**:**:**:**
          inet6 addr: fe80::****:7fff:****:****/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:12

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr D4:BF:**:**:**:**
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24798 (24.2 KiB)  TX bytes:74214 (72.4 KiB)
          Interrupt:14

wlan1     Link encap:Ethernet  HWaddr D4:BF:**:**:**:**
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:112382 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17600 errors:10 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20672649 (19.7 MiB)  TX bytes:5465792 (5.2 MiB)
          Interrupt:11

FLASH dump structure

| Start address | Description | Signature | Comments | eth_tftpd.c variable |
|---|---|---|---|---|
| 0x00000000 | Bootloader | | | |
| 0x00006000 (?) | hw-config | H601 | HW settings (MAC addr etc…) | COMP_HS_SIGNATURE |
| 0x00008000 | config | COMPDS | SW default settings | COMP_DS_SIGNATURE |
| 0x0000C000 | config | COMPCS | SW current settings | COMP_CS_SIGNATURE |
| 0x00010000 | Linux-kernel | cr6c | | |
| 0x00160000 | root Squash FS | hsqs | ! w/o r6cr signature ! | |

Bootloader

The device uses the Realtek bootloader with TFTP support. The TFTP address is 192.168.1.6 by default. To reach the bootloader prompt, press the Reset button before power-on and keep it pressed for 3..5 seconds.

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000002dh GD25Q128
@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
---RealTek(RTL8196D)at 2013.12.26-08:32+0800 v1.1 [16bit](700MHz)
...
[skipped]
...
<RealTek>

Firmware structure

The current firmware binary file has two parts:

linux-kernel
root-fs

Every part has a 16-byte header, which makes it possible to upload and flash the parts separately: the router reads from the header where the part should be placed in the flash.

Linux-kernel part:

| signature (cr6c) | dst. in RAM | dst. in Flash | img size-16B (*) | etc… |
|---|---|---|---|---|
| 63723663 | 80500000 | 00010000 | 00149002 | 00000000 |

* real part size is 0x149012h instead of 0x149002h

Root-fs part (SquashFS 4.0 w/LZMA):

| signature (r6cr) (?) | dst. in RAM | dst. in Flash | img size-16B (*) | SqFS sign. (hsqsp) | etc… |
|---|---|---|---|---|---|
| 72366372 | 002D0000 | 00160000 | 00365002 | 6873717370 | 03000000 |

* real part size is 0x365012h instead of 0x365002h

You can use a Perl script to split the complete bin file into its functional parts:

test.pl
#!/usr/bin/perl
#
# Splits a firmware bin-file into its parts: for each part the 16-byte header
# goes to <input>.out.N.hdr and the body to <input>.out.N.img.
use IO::File;
#
# Uncomment this if you want to skip some bytes before the first signature
#$skip=112;
#
#struct Header {
#    char signature[4];
#    int dest_ram;
#    int dest_flash;
#    int img_size;
#};

if(not defined $ARGV[0]) {
    print "Usage:\n\t test <input_file> [-C]\nOption:\n\t\t -C - combine header with body. After that img-file can be TFTP-uploaded separately.\n";
    exit;
}

$combine=0;
if(defined $ARGV[1]) {
    # string comparison: only -C or -c turns combining on
    if ($ARGV[1] eq "-C" || $ARGV[1] eq "-c") {$combine=1;}
}

$fno = $ARGV[0].".out";

if(! -e $ARGV[0]) {print "Input file doesn't exist\n"; exit; }

$fh = IO::File->new($ARGV[0], "r");

$fn_idx=1;
if (defined $fh) {
    binmode($fh);    # the image is binary data
    if(defined $skip) {$fh->read($buffer, $skip);}
    # read one 16-byte header per part; stop on a short read at end of file
    while ($fh->read($buffer, 16) == 16) {
        # 4-byte signature followed by three big-endian 32-bit integers
        ($signature,$dest_ram,$dest_flash,$img_size) = unpack ("Z4 N N N",$buffer);
        (@sig_h[1..4]) = unpack ("C4",$buffer);
        print("\n===== Part $fn_idx =====\n");
        printf("%20s: %15s(%#.2x %#.2x %#.2x %#.2x)\n","Signature",$signature,@sig_h[1..4]);
        printf("%20s: %15u(%#.8x)\n","Destination in RAM",$dest_ram,$dest_ram);
        printf("%20s: %15u(%#.8x)\n","Destination in FLASH",$dest_flash,$dest_flash);
        printf("%20s: %15u(%#.8x)\n","Image (body) size",$img_size+16,$img_size+16);
        printf("%20s: %s\n","Filename",$fno.".$fn_idx.*");

        # save the header on its own
        $fn2 = $fno.".$fn_idx.hdr";
        $fh2 = IO::File->new($fn2, "w");
        binmode($fh2);
        $fh2->write($buffer);
        undef $fh2;

        # save the body, prefixed with the header when -C was given
        $fn1 = $fno.".$fn_idx.img";
        $fh1 = IO::File->new($fn1, "w");
        binmode($fh1);
        if ($combine==1) {$fh1->write($buffer);}
        $fh->read($buffer, $img_size);
        $fh1->write($buffer);
        undef $fh1;
        $fn_idx++;
    }
    undef $fh;
}
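
The 16-byte part header and the flash map described on this page can be combined into a check to run on an image before it is uploaded over TFTP. The following Python is an added example, not part of the original page or of the Realtek SDK. Assumptions: the names `REGIONS`, `PROTECTED_END`, `parse_header`, `iter_parts` and `check_part` are hypothetical, the region ends assume the partitions listed in /proc/mtd are contiguous, and the root-fs part is taken to be stored in flash without its header, as the "w/o r6cr signature" note in the flash table indicates.

```python
"""Added example: decode firmware part headers and check them against the flash map."""
import struct
from typing import Iterator, List, NamedTuple, Tuple

HEADER_LEN = 16

# signature -> (name, flash start, flash end, is the header stored in flash?)
# Starts and the header flag come from the "FLASH dump structure" table; ends
# come from the /proc/mtd sizes (mtd0 = 0x160000, mtd1 = 0x880000), assuming
# the partitions are contiguous.
REGIONS = {
    b"cr6c": ("linux-kernel", 0x00010000, 0x00160000, True),
    b"r6cr": ("root-fs", 0x00160000, 0x00160000 + 0x00880000, False),
}
PROTECTED_END = 0x00010000  # bootloader, hw-config and config sit below this


class PartHeader(NamedTuple):
    signature: bytes
    dest_ram: int
    dest_flash: int
    img_size: int  # body length; the part occupies img_size + 16 bytes in the file


def parse_header(buf: bytes, offset: int = 0) -> PartHeader:
    """Decode one 16-byte header; all integers are big-endian."""
    if len(buf) - offset < HEADER_LEN:
        raise ValueError(f"truncated header at offset {offset:#x}")
    return PartHeader(*struct.unpack_from(">4sIII", buf, offset))


def iter_parts(image: bytes) -> Iterator[Tuple[int, PartHeader]]:
    """Yield (file offset, header) for each part, refusing truncated bodies."""
    offset = 0
    while offset < len(image):
        hdr = parse_header(image, offset)
        end = offset + HEADER_LEN + hdr.img_size
        if end > len(image):
            raise ValueError(f"part at {offset:#x} is longer than the file")
        yield offset, hdr
        offset = end


def check_part(hdr: PartHeader) -> List[str]:
    """Return the reasons not to flash this part (empty list: it fits the map)."""
    region = REGIONS.get(hdr.signature)
    if region is None:
        return [f"unknown signature {hdr.signature!r}"]
    name, start, end, header_in_flash = region
    problems = []
    if hdr.dest_flash < PROTECTED_END:
        problems.append(f"{name}: destination {hdr.dest_flash:#x} overlaps bootloader/config")
    elif hdr.dest_flash != start:
        problems.append(f"{name}: destination {hdr.dest_flash:#x}, expected {start:#x}")
    footprint = hdr.img_size + (HEADER_LEN if header_in_flash else 0)
    if hdr.dest_flash + footprint > end:
        problems.append(f"{name}: runs past {end:#x} into the next partition")
    return problems


# Header bytes exactly as quoted in the header tables on this page.
KERNEL_HDR = bytes.fromhex("63723663805000000001000000149002")
ROOTFS_HDR = bytes.fromhex("72366372002D00000016000000365002")

if __name__ == "__main__":
    for raw in (KERNEL_HDR, ROOTFS_HDR):
        hdr = parse_header(raw)
        print(hdr.signature.decode(), hex(hdr.dest_flash), hex(hdr.img_size),
              check_part(hdr) or "ok")
```

To check a whole firmware file, read it as bytes and run `check_part` on every header that `iter_parts` yields.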

Signatures:

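| Platform | WEB/vpn | WEB/gw | WEB/ap | WEB/cl | FW w/ROOT | FW | ROOT | CERT | BOOT | ALL |
|---|---|---|---|---|---|---|---|---|---|---|
| RTL_8196B | w6bv | w6bg | w6ba | w6bc | cr6b | cs6b | r6br | cert | boot | allp |
| RTL_8196C | w6cv | w6cg | w6ca | w6cc | cr6c | cs6c | r6cr | | | |
| RTL_8198 | | | | | | | | | | |
| RTL_819XD | | | | | | | | | | |
| RTL_8196E | | | | | | | | | | |
| RTL_8198B | | | | | | | | | | |
| other | webv | webg | weba | webc | csro | csys | root | | | |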

* An empty cell means the signature is similar to the one in the nearest filled cell above it.

ru/toh/upvel/ur825ac.txt · Last modified: 2018/02/20 18:52 by bobafetthotmail