
Netgear WNAP210

The WNAP210 is a b/g/n wireless access point, capable of running OpenWRT.

Version

PCB revision is marked as rev:3

Hardware Highlights

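| SoC | WiFi | Ethernet | Ram | Flash | LAN | USB | Serial | JTag |
|-----|------|----------|-----|-------|-----|-----|--------|------|
| Atheros AR9132 CPU@400MHz | Atheros AR9103 | Atheros AR8021 | 32MiB | MX 25L6406EMI, 8MB | 1 | ? | Yes | Yes |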

Serial console

The serial console connector is JP1, with pinout GND - TX - RX - VCC. The ground pin is the one nearest the flash chip. Serial settings are 115200 8N1.

LOGS

The bootloader is U-Boot.

U-Boot 1.1.4-WNAP210-V2.2 (Mar 24 2009 - 18:08:52)

AP83 (ar9100 with SPI flash)
DRAM:  32 MB
        Found MXIC Flash. ID c22017
Flash:  8 MB
In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
        Fetching MAC Address from 0xbf7f1000
        MAC_CFG1 0xf MAC_CFG2 0x7114
        PHY Setting up...
        VSCXXX Found 0  unit 0:0  phy_addr: 1  id: 004dd04e
PHY:   Atheros AR8021
eth0:  10:0d:7f:45:43:80
        eth0 up

Manu data is valid!
Enter SPACE to drop into boot loader:  0
ar7100>
ar7100> bdinfo
cpufreq     = 200 MHz
cpuinfo     = AR9132
boot_params = 0x81F6BFA4
memstart    = 0x80000000
memsize     = 0x02000000
flashstart  = 0xBF000000
flashsize   = 0x00800000
flashoffset = 0x00037EDC
ethaddr     = 00:03:04:19:81:11
ip_addr     = 192.168.0.236
baudrate    = 115200 bps
ar7100>
ar7100> version

U-Boot 1.1.4-WNAP210-V2.2 (Mar 24 2009 - 18:08:52)
chiamgming@gmail.com
ar7100> showmd
ProductID   = WNAP210
HWVer       = 00:00:00:02
reginfo     = 0
numofimages = -1
currimage   = -1
basemac     = 100D7F454380
maccnt0     = -1
maccnt1     = -1
maccnt2     = -1
maccnt3     = -1
serno       = 22042A5D00CE7
cpufreq     = 200 MHz
cpuinfo     = AR9132
boot_params = 0x81F6BFA4
memstart    = 0x80000000
memsize     = 0x02000000
flashstart  = 0xBF000000
flashsize   = 0x00800000
flashoffset = 0x00037EDC
ethaddr     = 00:03:04:19:81:11
ip_addr     = 192.168.0.236
baudrate    = 115200 bps
ar7100>
ar7100> imls
Image at BF050000:
   Image Name:   Linux Kernel
   Created:      2011-10-05   7:31:11 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    917504 Bytes = 896 kB
   Load Address: 80060000
   Entry Point:  80214000
   Verifying Checksum ... OK
ar7100>
ar7100> iminfo

## Checking Image at 81000000 ...
   Bad Magic Number
ar7100> fsinfo
mtdparts variable not set, see 'help mtdparts'
ar7100> flinfo

Bank # 1: The hell do you want flinfo for??
ar7100>
ar7100> coninfo
List of available devices:
serial   80000003 SIO stdin stdout stderr
ar7100>

Default printenv

ar7100> printenv
bootdelay=5
baudrate=115200
ethaddr=00:03:04:19:81:11
uboot_addr=0xbf000000
uboot_size=+0x40000
uboot_env_addr=0xbf040000
uboot_env_size=+0x10000
ap_config_addr=0xbf290000
ap_config_size=+0x10000
cvr_config_addr=0xbf2a0000
cvr_config_size=+0x10000
manu_addr=0xbf7e0000
manu_size=+0x10000
art_addr=0xbf7f0000
art_size=+0x10000
rootfs=burn
uimagename=u-boot.bin
erase_uimage=erase ${uboot_addr} ${uboot_size}
erase_eimage=erase ${uboot_env_addr} ${uboot_env_size}
erase_apimage=erase ${ap_config_addr} ${ap_config_size}
erase_cvrimage=erase ${cvr_config_addr} ${cvr_config_size}
erase_aimage=erase ${art_addr} ${art_size}
erase_ckmimage=erase ${ckm_addr} ${ckm_size}
erase_manuimage=erase ${manu_addr} ${manu_size}
uimage=${download} ${memtmp_addr} ${uimagename};run erase_uimage;cp.b ${memtmp_addr} ${uboot_addr} ${filesize}
apimage=${download} ${memtmp_addr} ap_user_config${USER};run erase_apimage;cp.b ${memtmp_addr} ${ap_config_addr} ${filesize}
cvrimage=${download} ${memtmp_addr} cvr_user_config${USER};run erase_cvrimage;cp.b ${memtmp_addr} ${cvr_config_addr} ${filesize}
aimage=${download} ${memtmp_addr} art_data_64k${USER};run erase_aimage;cp.b ${memtmp_addr} ${art_addr} ${filesize}
manuimage=${download} ${memtmp_addr} manu_data_64k${USER};run erase_manuimage;cp.b ${memtmp_addr} ${manu_addr} ${filesize}
clearenv=run erase_eimage
producttest=memtest ram 1;memtest flash 1;porttest lan;porttest gpio
ethact=eth0
kimagename=vmlinux.gz.uImage
rimagename=rootfs.squashfs
download=tftp
memtmp_addr=0x80060000
kernel_size=+0x100000
kernel_addr=0xbf050000
rootfs_size=+0x610000
rootfs_addr=0xbf150000
clear_var=era 0xbf760000 +0x80000
serverip=192.168.0.101
ipaddr=192.168.0.236
bootargs=console=ttyS0,115200 rootfstype=squashfs root=31:03 init=/sbin/init mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),1024k(vmlinux.gz.uImage),6208k(rootfs),512k(var),64k(manufacturing-data),64k(ART)
erase_kimage=erase ${kernel_addr} ${kernel_size}
erase_rimage=erase ${rootfs_addr} ${rootfs_size}
kimage=${download} ${memtmp_addr} ${kimagename};run erase_kimage;cp.b ${memtmp_addr} ${kernel_addr} ${filesize}
rimage=${download} ${memtmp_addr}  ${rimagename};run erase_rimage;cp.b ${memtmp_addr} ${rootfs_addr} ${filesize}
bootcmd=bootm 0xbf050000
flash_rootfs=run rimage
flash_kernel=run kimage
flash_all=run flash_kernel flash_rootfs clear_var
stdin=serial
stdout=serial
stderr=serial

Environment size: 2380/65532 bytes

Netgear firmware boot

ar7100> bootd
## Booting image at bf050000 ...
   Image Name:   Linux Kernel
   Created:      2011-10-05   7:31:11 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    917504 Bytes = 896 kB
   Load Address: 80060000
   Entry Point:  80214000
   Verifying Kernel Checksum ... OK
   Uncompressing Kernel Image ... OK

Starting kernel @80214000...

Linux version 2.6.23-WNAP210_2.1.1 (root@build) (gcc version 4.2.4) #1 Wed Oct 5 12:52:10 IST 2011
flash_size passed from bootloader = 8
arg 1: console=ttyS0,115200
arg 2: rootfstype=squashfs
arg 3: root=31:03
arg 4: init=/sbin/init
arg 5: mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),1024k(vmlinux.gz.uImage),6208k(rootfs),512k(var),64k(manufacturing-data),64k(ART)
arg 6: mem=32M
CPU revision is: 00019374
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Built 1 zonelists in Zone order.  Total pages: 8128
Kernel command line: console=ttyS0,115200 rootfstype=squashfs root=31:03 init=/sbin/init mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),1024k(vmlinux.gz.uImage),6208k(rootfs),512k(var),64k(manufacturing-data),64k(ART) mem=32M
Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
PID hash table entries: 128 (order: 7, 512 bytes)
Using 200.000 MHz high precision timer.
console [ttyS0] enabled
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 30204k/32768k available (1433k kernel code, 2564k reserved, 307k data, 84k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
AR7100 GPIOC major 0
squashfs: version 3.3 (2007/10/31) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver $Revision: 1.90 $ 1 ports, IRQ sharing enabled
serial8250: ttyS0 at MMIO 0x0 (irq = 19) is a 16550A
serial8250.0: ttyS0 at MMIO 0x0 (irq = 19) is a 16550A
7 cmdlinepart partitions found on MTD device ar7100-nor0
Creating 7 MTD partitions on "ar7100-nor0":
0x00000000-0x00040000 : "u-boot"
0x00040000-0x00050000 : "u-boot-env"
0x00050000-0x00150000 : "vmlinux.gz.uImage"
0x00150000-0x00760000 : "rootfs"
0x00760000-0x007e0000 : "var"
0x007e0000-0x007f0000 : "manufacturing-data"
0x007f0000-0x00800000 : "ART"
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 84k freed

Mounting etc to ramfs.      [DONE]

Mounting var to jffs2.      [DONE]

Checking SSH keys.          [DONE]

Checking for run file.      [DONE]

Starting System Logger.     [DONE]

Starting Kernel Logger.     [DONE]

Starting Panel LED.         [DONE]

Starting watchdog.          [DONE]

Starting Reset Detect.      [DONE]

Checking Manufac. data      [DONE]

Checking board file.        [CREATED]

Loading Ethernet module.    [GENMAC]

                            [DONE]

Checking database.          [DONE]

Verifing checksum.          [DONE]

Loading Bridge module.      sh: yes: unknown operand
[DONE]

Loading wlan modules.       [DONE]

Creating vap interface.     [DONE]

Creating wds interface.     [DONE]

Starting configd.           [DONE]

Starting web server.        [DONE]

Starting Translator...      start-stop-daemon: cannot start /usr/bin/log_ro: No such file or directory
[syslog]

Starting Translator...      [password]

Starting Translator...      [ssh]

Starting Translator...      [snmp]

Starting Translator...      [telnet]

Starting Translator...      [dns]

Starting Translator...      route: SIOCADDRT: Invalid argument
[bridge_and_vlan_translator]

Starting Translator...      [hostapd_tr]

Starting Translator...      [timezone]

Starting Translator...      [ntp]

Starting Translator...      [nmbd_tr]

Starting Translator...      l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
[http_redirect_tr]

Starting Translator...      [sc_radio]

Sending ARPingARPING to 192.168.0.236 from 192.168.0.236 via brtrunk
Sent 1 probe(s) (1 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
l2_packet_receive - recvfrom: Network is down
ARPING to 192.168.0.236 from 192.168.0.236 via brtrunk
Sent 1 probe(s) (1 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
ARPING to 192.168.0.236 from 192.168.0.236 via brtrunk
Sent 1 probe(s) (1 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
ARPING to 192.168.0.236 from 192.168.0.236 via brtrunk
Sent 1 probe(s) (1 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
ARPING to 192.168.0.236 from 192.168.0.236 via brtrunk
Sent 1 probe(s) (1 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
ARPING to 192.168.0.236 from 192.168.0.236 via brtrunk
Sent 1 probe(s) (1 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
ARPING to 192.168.0.236 from 192.168.0.236 via brtrunk
Sent 1 probe(s) (1 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))

System initilization is ..  [DONE...]


Welcome to SDK.

Have a lot of fun...

netgear454388 login:

The default user/password is admin/password. (Log in as root for Linux shell access.)

Inspection

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00100000 00010000 "vmlinux.gz.uImage"
mtd3: 00610000 00010000 "rootfs"
mtd4: 00080000 00010000 "var"
mtd5: 00010000 00010000 "manufacturing-data"
mtd6: 00010000 00010000 "ART"

# cat /proc/cpuinfo
system type             : Atheros AR9100
processor               : 0
cpu model               : MIPS 24K V7.4
BogoMIPS                : 264.19
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16
VCED exceptions         : not available
VCEI exceptions         : not available

U-Boot recovery mode

If the checksum check fails, U-Boot enters TFTP recovery mode. It listens on IP 192.168.0.236 and accepts new factory images via TFTP (don't forget to set binary mode). Recovery mode is indicated by the power LED briefly lighting up orange, followed by green blinking at about 1-second intervals. This can be used to go back to the stock firmware by deliberately erasing the checksum partition.

U-Boot 1.1.4-WNAP210-V2.2 (Mar 24 2009 - 18:08:52)

AP83 (ar9100 with SPI flash)
DRAM:  32 MB
        Found MXIC Flash. ID c22017
Flash:  8 MB
In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
        Fetching MAC Address from 0xbf7f1000
        MAC_CFG1 0x7 MAC_CFG2 0x7114
        PHY Setting up...
        VSCXXX Found 0  unit 0:0  phy_addr: 1  id: 004dd04e
PHY:   Atheros AR8021
eth0:  10:0d:7f:45:43:80
        eth0 up

Manu data is valid!
Enter SPACE to drop into boot loader:  0
## Booting image at bf050000 ...
Bad Magic Number
eth0 link down

The Router is in TFTP Server Firmware Recovery mode NOW!
Listening on Port : 69, IP Address: 192.168.0.236...
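
The "Verifying Checksum ... OK" and "Bad Magic Number" messages in the logs above come from U-Boot's check of the legacy image (uImage) header. The following Python is an added example, not code from this page or from Netgear or OpenWrt: it applies the standard 64-byte legacy header checks to an image before it is written to the kernel partition, so a file that would drop the device into recovery mode is caught on the workstation. The sample image is constructed, the size limit is the `kernel_size` value from the printenv above, and any additional Netgear-specific checksum is not covered.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956            # legacy U-Boot image magic
HEADER = struct.Struct(">7I4B32s")   # 64-byte big-endian legacy header
KERNEL_PART_SIZE = 0x100000          # kernel_size from the printenv above


def crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def build_uimage(payload, load, entry, name=b"Linux Kernel"):
    """Wrap payload in a legacy uImage header (used for constructed test data)."""
    # os=5 (Linux), arch=5 (MIPS), type=2 (kernel), comp=1 (gzip)
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, entry, crc(payload),
              5, 5, 2, 1, name]
    fields[1] = crc(HEADER.pack(*fields))   # header CRC is taken with ih_hcrc = 0
    return HEADER.pack(*fields) + payload


def check_uimage(blob, max_size=None):
    """Return (ok, reason): magic, header CRC, size, then data CRC."""
    if len(blob) < HEADER.size:
        return False, "truncated header"
    magic, hcrc, _time, size, _load, _entry, dcrc, *_ = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        return False, "Bad Magic Number"
    if crc(blob[:4] + b"\0" * 4 + blob[8:HEADER.size]) != hcrc:
        return False, "Bad Header Checksum"
    if max_size is not None and HEADER.size + size > max_size:
        return False, "image larger than kernel partition"
    data = blob[HEADER.size:HEADER.size + size]
    if len(data) != size:
        return False, "truncated data"
    if crc(data) != dcrc:
        return False, "Bad Data CRC"
    return True, "OK"


def demo():
    """Check a constructed image, an erased region and a corrupted copy."""
    good = build_uimage(b"constructed payload, not a real kernel",
                        0x80060000, 0x80214000)   # load/entry as in imls output
    erased = b"\xff" * len(good)                  # erased NOR flash reads as 0xFF
    flipped = good[:-1] + bytes([good[-1] ^ 1])   # single bit error in the data
    return [check_uimage(x, KERNEL_PART_SIZE) for x in (good, erased, flipped)]


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```
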


toh/netgear/wnap210.txt · Last modified: 2016/02/02 23:19 by danitool