ESR-9750G

Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17638
Location: Hesse/Germany

Posted: Tue Jul 21, 2009 15:34
we have some code problems with this device atm
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 6799
Location: Dresden, Germany

Posted: Wed Jul 22, 2009 20:26
who said this?

no, we haven't problems with it. we just don't have the device

_________________
one cigarette costs 2 minutes of your life.
one bottle of beer costs 4 minutes of your life.
one working day costs 8 hours of your life.

Yummee:
Linux DD-WRT 4.14.8 #42 SMP PREEMPT Thu Dec 21 18:11:16 CET 2017 armv7l DD-WRT
root@DD-WRT:/sys# nvram get DD_BOARD
Netgear R7800
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17638
Location: Hesse/Germany

Posted: Wed Jul 22, 2009 20:51
i thought it was the ESR-9750G...ok then it must be a different one...just had a consumer router in my mind...
keenanj
DD-WRT Novice


Joined: 06 Feb 2009
Posts: 11

Posted: Tue Jul 28, 2009 17:57
the esr-9750g has been replaced with the soon to be released ESR-9855

http://www.keenansystems.com/store/catalog/product_info.php?cPath=2_31&products_id=294
EnlightNZ
DD-WRT Novice


Joined: 09 Apr 2013
Posts: 3

Posted: Tue Apr 09, 2013 9:17
I got serial working. It's got the same weird baudrate as an Asus with this chipset, 57600, and the JP1 header is indeed serial. The pins furthest away are VCC and ground. Here's the serial output of mine (netcomm model):

Code:


U-Boot 1.1.3 (Apr 17 2008 - 13:26:01)

Board: RT2880 DRAM:  32 MB

 twe0 set to <NULL>

 toe0 set to <NULL>

 MX_ID_LV320TOP, Size = 00400000 bytes

 Set info->start[0]=BF000000
flash_protect ON: from 0xBF000000 to 0xBF026D8B
protect on 0
protect on 1
protect on 2
flash_protect ON: from 0xBF030000 to 0xBF03FFFF
protect on 3
============================================
ASIC -VerB/C (MAC to RTL8366SR Mode)
DRAM COMPONENT=128Mbits
DRAM BUS=32BIT
Total memory = 32Mbytes
Date:Apr 17 2008  Time:13:26:01
============================================
 D-CACHE set to 4 way
 I-CACHE set to 4 way

 ##### The CPU freq = 266 MHZ ####

 SDRAM bus set to 32 bit
 SDRAM size =32 Mbytes

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   5: Load ucos code to SDRAM via TFTP.                                       0

3: System Boot system code via Flash.
## Booting image at bf050000 ...
   Image Name:   Linux Kernel Image
   Created:      2009-11-19   1:12:31 UTC
System Control Status = 0x02910084
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1071278 Bytes =  1 MB
   Load Address: 8a000000
   Entry Point:  8a198040
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8a198040) ...
## Giving linux memsize in MB, 32

Starting kernel ...


THIS IS ASIC - VERSION B
ramsize = 32 MBytes
rambase not set, set to default (0x08000000)
MEMORY DESCRIPTOR dump:
[0,8a281be0]: base<0a000000> size<02000000> type<Free RAM memory>
PROC INIT OK!
init started: BusyBox v1.7.5 (2009-11-19 09:11:47 CST)
starting pid 10, tty '/dev/console': '/sbin/config_init'
Config Init version: 1.2.1.6 date: 2009/11/19
starting pid 57, tty '/dev/ttyS1': '/sbin/config_term'
************************************************************************
*                         ESR-9750G-netcomm                             *
************************************************************************

KernelApp/Ramdisk Ver:1.2.1.6                    Date:2009/11/19
console> sh: cannot create /lib/modules/2.4.30/modules.dep: Read-only file system
ln: /sbin/./apps_init: File exists


After that it wouldn't really allow me to do anything in the terminal. I tried everything: help, -?, ?, etc. So I just kept pressing 4 repeatedly and resetting the unit until I managed to get into the bootloader option. I got this:

Code:


Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   5: Load ucos code to SDRAM via TFTP.

You choosed 4
                                                                              0
Net:
 eth_register
Eth0 (1000-M)
 enetvar=ethaddr,Eth addr:00:AA:BB:CC:DD:18
 00:AA:BB:CC:DD:18:

 eth_current->name = Eth0 (1000-M)


4: System Enter Boot Command Line Interface.

U-Boot 1.1.3 (Apr 17 2008 - 13:26:01)

 main_loop !!

 In main_loop !!



 CONFIG_BOOTDELAY
### main_loop entered: bootdelay=1

### main_loop: bootcmd="tftp"
RT2880 #
RT2880 # help
?       - alias for 'help'
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
cp      - memory copy
echo    - echo args to console
erase   - erase FLASH memory
help    - print online help
loopback   - Ralink eth loopback test !!
md      - memory display
mdio   - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
mw      - memory write (fill)
nm      - memory modify (constant address)
printenv- print environment variables
protect - enable or disable FLASH write protection
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
spicmd  - read/write data from/to eeprom or vtss
tftpboot- boot image via network using TFTP protocol
version - print monitor version
RT2880 #

EnlightNZ
DD-WRT Novice


Joined: 09 Apr 2013
Posts: 3

Posted: Tue Apr 09, 2013 9:53
Info on unprotecting the flash
Code:
RT2880 # help protect
protect on  start end
    - protect FLASH from addr 'start' to addr 'end'
protect on  N:SF[-SL]
    - protect sectors SF-SL in FLASH bank # N
protect on  bank N
    - protect FLASH bank # N
protect on  all
    - protect all FLASH banks
protect off start end
    - make FLASH from addr 'start' to addr 'end' writable
protect off N:SF[-SL]
    - make sectors SF-SL writable in FLASH bank # N
protect off bank N
    - make FLASH bank # N writable
protect off all
    - make all FLASH banks writable


What I got from the printenv command
Code:

RT2880 # printenv
bootcmd=tftp
baudrate=57600
preboot=echo;echo
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off
addmisc=setenv bootargs $(bootargs) console=ttyS0,$(baudrate) ethaddr=$00:60:64:2C:A0:18
flash_self=run ramargs addip addmisc;bootm $(kernel_addr) $(ramdisk_addr)
kernel_addr=BFC40000
u-boot=u-boot.bin
load=tftp 8A100000 $(u-boot)
u_b=protect off 1:0-1;era 1:0-1;cp.b 8A100000 BC400000 $(filesize)
loadfs=tftp 8A100000 root.cramfs
u_fs=era bc540000 bc83ffff;cp.b 8A100000 BC540000 $(filesize)
test_tftp=tftp 8A100000 root.cramfs;run test_tftp
mage"=root_uImage
=uImage
ethact=Eth0 (1000-M)
sn=089285863
wanaddr=00:60:64:24:49:10
wlanaddr=00:AA:BB:CC:DD:12
hw_ver=1.0.0
pro_id=000
country=000
op_mode=0
domain=1
athaddr=00:AA:BB:CC:DD:10
eth_en=0
bootdelay=1
SR-9750G-CG"=uImageNSR-9750G-CG
hw_id=03080003
SR-9750g"=uImageESR-9750g
SR-9750G-netcomm"=uImageESR-9750G-netcomm
filesize=10401b
fileaddr=8A800000
ipaddr=192.168.99.9
serverip=192.168.99.8
autostart=no
bootfile=uImageESR-9750G-netcomm
stdin=serial
stdout=serial
stderr=serial
EnlightNZ
DD-WRT Novice


Joined: 09 Apr 2013
Posts: 3

Posted: Sun Apr 14, 2013 0:54
I found out something cool. After bricking the router trying to get DD-WRT on it (LZMA error 1, I think it has something to do with the U-Boot having a too small malloc region, any idea how to increase it without me having to JTAG it? Otherwise I'll just have to.)

Anyhow, I had to use header.x86 from the GPL release to decode the DLF, then remove the first couple of lines using a hex editor so the magic number was at the start, and uploaded the kernel over tftp. It worked again after that, but I couldn't log in to upload the rest of the firmware.

I ended up using binwalk to unpack the kernel binary but that gave me heaps of random files. I ended up using strings on the romfs file and after heaps of useless information I found a little string called "svcm". I remember the ESR-9752 having a sd2350 or something to activate console, so I tried and it worked! I got the busybox console after entering svcm.

So to activate the console on any ESR-9750, use svcm.


I also managed to flash the EnGenius firmware on my netcomm NP802n without trouble this way. So if it can be figured out how to increase the malloc region OR to compile an image that uses less malloc memory, I think DD-WRT can work on any ESR-9750.

Some commands from the busybox used (they're all linked to busybox)
Code:
# ls /
apps      dev       kernel    opt       storage   usr
appscore  etc       lib       proc      sys       var
bin       init      mnt       sbin      tmp
# cd usr
# ls
bin    lib    local  sbin
# cd bin
# ls
*            cmp          id           md5sum       test         uptime
[            config_init  ipcs         printf       tftp         wc
[[           config_term  killall      sort         time         wget
basename     expr         logger       tail         tty
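
The hex-editor step in the post above (cutting the leading bytes so the uImage magic number sits at the start of the file) can be done and checked programmatically. This is an added example, not part of the original thread: it scans for the legacy U-Boot header magic 0x27051956, verifies the header and payload CRC32 that U-Boot reports as "Verifying Checksum", and runs on a constructed sample; the function names and the wrapper bytes are assumptions.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956          # legacy U-Boot image magic, big-endian on disk
HEADER_FMT = ">7I4B32s"            # magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 64 bytes
COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}

def find_uimage(blob):
    """Return (offset, fields) for the first header in blob whose CRC verifies, else None."""
    needle = struct.pack(">I", UIMAGE_MAGIC)
    pos = blob.find(needle)
    while pos != -1:
        raw = blob[pos:pos + HEADER_LEN]
        if len(raw) == HEADER_LEN:
            (_, hcrc, _time, size, load, ep, dcrc,
             _os, _arch, _type, comp, name) = struct.unpack(HEADER_FMT, raw)
            # The header CRC is computed with the hcrc field itself zeroed.
            zeroed = raw[:4] + b"\x00" * 4 + raw[8:]
            if zlib.crc32(zeroed) & 0xFFFFFFFF == hcrc:
                return pos, {"size": size, "load": load, "entry": ep, "dcrc": dcrc,
                             "comp": COMP.get(comp, "unknown"),
                             "name": name.rstrip(b"\x00").decode("ascii", "replace")}
        pos = blob.find(needle, pos + 1)   # magic bytes by chance, keep scanning
    return None

def strip_prefix(blob):
    """Drop the vendor wrapper so the magic is at offset 0; verify the payload CRC."""
    hit = find_uimage(blob)
    if hit is None:
        raise ValueError("no valid uImage header found")
    off, hdr = hit
    payload = blob[off + HEADER_LEN: off + HEADER_LEN + hdr["size"]]
    if len(payload) != hdr["size"]:
        raise ValueError("image truncated")
    if zlib.crc32(payload) & 0xFFFFFFFF != hdr["dcrc"]:
        raise ValueError("payload CRC mismatch")
    return blob[off: off + HEADER_LEN + hdr["size"]], hdr

def build_sample():
    """Constructed test image: fake wrapper + decoy magic + valid header + payload."""
    payload = b"constructed-not-a-real-kernel" * 4
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x8A000000, 0x8A198040,
              zlib.crc32(payload) & 0xFFFFFFFF, 5, 5, 2, 3, b"Linux Kernel Image"]
    hdr = struct.pack(HEADER_FMT, *fields)
    fields[1] = zlib.crc32(hdr) & 0xFFFFFFFF
    hdr = struct.pack(HEADER_FMT, *fields)
    return b"WRAPPER\n" + struct.pack(">I", UIMAGE_MAGIC) + b"junk" + hdr + payload
```

Checking both CRCs before a TFTP upload catches a cut made at the wrong offset or a truncated image on the workstation rather than on the router.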