Realtek

conjur
DD-WRT Novice


Joined: 06 Nov 2010
Posts: 42
Location: Harlem, GA

Posted: Sat Nov 20, 2010 12:43
Just to keep you guys informed;

I swapped out the Lexra crap for MIPS R3000, and it works great! A bit overclocked (540MHz); but it hasn't melted the case yet :)

I got the realtek module source that fixed the WiFi/USB/Ethernet issue; so the device is completely DD-WRT Compliant now... except..........


Going from Factory firmware; it has some serious anti-reverse engineering crap in place - the web app has rejected every attempt at "unlocker" firmware "upgrade"... The only way I can install DD-WRT now is via UART/TFTP, and it's an involved process. Reverting back to Sapido RB-1132 v1.0.14 from DD-WRT is easy as cake tho!

V/r,
Mike
A340
DD-WRT Novice


Joined: 23 Oct 2007
Posts: 41

Posted: Mon Nov 22, 2010 1:45
Hi Conjur,

I have the same Router RB-1132, and would like very much to have DD-WRT running on this unit.

Can you post your step by step guide please, so I can install DD-WRT on the unit.

Much Thanks

A340
mgranja
DD-WRT Novice


Joined: 22 Nov 2010
Posts: 3

Posted: Mon Nov 22, 2010 12:34
Hey Conjur,

I have a GR-1102, I wonder if your firmware would work on it? If so, how would I go about installing it?

Regards,
Moroni
conjur
DD-WRT Novice


Joined: 06 Nov 2010
Posts: 42
Location: Harlem, GA

Posted: Mon Nov 22, 2010 15:14
I'm still working on properly decrypting the bootloader; but here's my "discovery" log:

Factory Firmware Map for the RB-1132, v1.0.14
_FIRST__ _LAST___ _LEN___ Desc Example
00000000 00000003 04 Firmware Header: 3138366E (ascii:186n)
00000004 00000007 04 Firmware Header: Unknown 00000000
00000008 0000000B 04 Firmware Header: Unknown 00000000
0000000C 0000000F 04 Firmware Size (TOTAL) 00675BC2

00000010 00008095 8085 DEFAULT and CHECKSUM Firmware Values 36473530

dd if=firmware of=01_fw_default.bin ibs=1 skip=16 count=6
dd if=firmware ibs=1 skip=22 count=16445 | ./sapido_fix >>01_fw_default.bin

dd if=firmware ibs=1 skip=16467 count=6 >01_fw_current.bin
dd if=firmware ibs=1 skip=16473 count=16445 | ./sapido_fix >>01_fw_current.bin

//webs

00008096 00008099 04 Firmware Header: Unknown 77366267 // SPI:Webpages
0000809A 0000809D 04 Firmware Header: Unknown >mem 00030000
0000809E 000080A1 04 Firmware Header: Unknown >flsh 00030000
000080A2 000080A5 04 Firmware Header: Section Length 000422F6
000080A6 0004A39B 0422F6 BZ2 of goahead webs filesystem BZh9
dd if=firmware of=02_webs.bz2 ibs=1 skip=32934 count=271094

//boot + cfg + linux

0004A39C 0004A39F 04 Firmware Header: Unknown 63723662 // SPI:Linux Kernel (root-fs)
0004A3A0 0004A3A3 04 Firmware Header: Unknown >mem 80500000
0004A3A4 0004A3A7 04 Firmware Header: Unknown >flsh 000D0000
0004A3A8 0004A3AB 04 Firmware Header: Section Length 00110802
0004A3AC 0004C3AB 2000 bootloader
0004C3AC 0015ABAD 10E802 vmlinul? (lzma'd kernel)
dd if=firmware of=03_boot_cfg_linux.bin ibs=1 skip=304044 count=1116162
dd if=03_boot_cfg_linux.bin of=03_vmlinuz.lzma ibs=1 skip=8192 count=1107970
//root fs

0015ABAE 04 Firmware Header: Unknown 72366272 // SPI:Root filesystem
0015ABB2 04 Firmware Header: Unknown >mem 00210000
0015ABB6 04 Firmware Header: Unknown >flsh 00210000
0015ABBA 04 Firmware Header: Section Length 0051B002
0015ABBE 51B002 SQUASHFS FileSystem (Uncracked!) sqsh
00675BC0 00 End Of File
dd if=firmware of=04_filesystem.sqsh ibs=1 skip=1420222 count=5353474


Flash Structure:
00000000 thru 0020FFFF: mtd: (7,0)
000000 thru 005FFF: SPI BootLoader: 24576b MAX
- 0010A0 thru 004A1C: Realtek 8196BU Bootloader
dd if=mtd of=flash_0_02_rtl8196bu.lzma ibs=1 skip=4256 count=20320

006000 thru 007FFF: Hardware Config.
0000 thru 0003: identifier: h650
0004 thru 0005: file size: 426
0006 thru 0006: HW_BOARD_ID: 1
0007 thru 000C: HW_NIC0_ADDR
000D thru 0012: HW_NIC1_ADDR
0013 thru 0018: HW_WLAN_ADDR
0019 thru 0042: HW_WLAN_ADDR1 thru 9
0043 thru 0050: HW_TX_POWER_CCK
0051 thru 00F2: HW_TX_POWER_OFDM_1S
00F3 thru 0194: HW_TX_POWER_OFDM_2S
0195 thru 0195: HW_REG_DOMAIN
0196 thru 0196: HW_RF_TYPE
0197 thru 0197: HW_LED_TYPE
0198 thru 0198: HW_11N_XCAP
0199 thru 0199: HW_11N_LOFDMPWDA
019A thru 019A: HW_11N_LOFDMPWDB
019B thru 019A: HW_11N_TSSI1
019C thru 019C: HW_11N_TSSI2
019D thru 019D: HW_11N_THER
019E thru 01A5: HW_11N_RESERVED 1 THRU 8
01A6 thru 01AF: HW_WSC_PIN





008000 thru 00FFFF: DEFAULT NVRAM Variables
010000 thru 02FFFF: CURRENT NVRAM Variables?
030000 thru 072305: Web Archive (BZ2; loaded at boot time with special "flash" program)
072306 thru 0CFFFF: Unknown (Possible spam left from previous flashes?)
0D0000 thru 20FFFF: 03_boot_cfg_linux.bin; with lots of 00's after it.


00210000 thru 007FFFFF: mtdblock1 (7,1)
squashfs; directly imported from image, as defined above.


bootloader:
Checks for 73717368 (sqsh)
63733662 = Linux Kernel
63723662 = Linux Kernel (root-fs)
77366267 = Webpages
72366272 = Root filesystem
626F6F74 = Boot code
616C6C70 = Total Image
616C6C32 = Total Image (no check)

3647 = Default Settings Header (6G)
3667 = Current Settings Header (6g)






And; here is the source for sapido_fix.c; it decodes the factory settings, in the firmware file (first 0x8096 bytes or so):

#include <stdio.h>

/* Filter stdin to stdout, replacing each byte b with (199 - b) mod 256.
   The transform is its own inverse, so the same program re-encodes. */
int main(void)
{
    int c;

    while ((c = getchar()) != EOF) {
        c = 199 - c;
        if (c < 0) { c = c + 256; }
        putchar(c);
    }

    return 0;
}

And last, but not least; the default root password should be:

swetop


Use the reverse of the DD commands to re-assemble your chunks to the factory firmware; or use the onboard SPI to tftp your own chunks into it. IF you choose the latter, do NOT TOUCH 000000 thru 005FFF while running the SPI (aka CPE) - over-writing a running program is bad ju-ju, I have 2 bricks to prove it.


I am still working on a solid F/W image that the RB-1132 will accept natively; but each sapido (or should I say amigo?) model has a slightly different firmware structure, hardcoded memory locations, etc.. short of replacing the flash, I can't think of a reliable (idiot-proof) way to flash them =(
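Added example, not part of conjur's post or of any vendor code: a C walker for the section layout in the map above (4-byte tag, RAM address, flash address, payload length, then the payload), with the bounds checks a parser needs before trusting a length field from a firmware file. It assumes the header fields are big-endian 32-bit values; `walk_sections`, `struct section` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section = 16-byte header (magic, RAM addr, flash addr, payload length)
   then the payload. Big-endian header fields are an assumption. */
struct section { char magic[5]; uint32_t mem, flash, len; size_t payload; };

/* Constructed sample, not real firmware: a "w6bg" and an "r6br" section,
   each with a 4-byte payload, using the addresses listed in the map. */
static const uint8_t SAMPLE[] = {
    'w','6','b','g', 0,0x03,0,0, 0,0x03,0,0, 0,0,0,4, 'B','Z','h','9',
    'r','6','b','r', 0,0x21,0,0, 0,0x21,0,0, 0,0,0,4, 's','q','s','h' };
static struct section found[4];

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Returns the number of sections found from off, or -1 when off or a declared
   payload length lies outside the image. Under 16 leftover bytes are ignored. */
int walk_sections(const uint8_t *img, size_t size, size_t off,
                  struct section *out, int max)
{
    int n = 0;
    if (off > size) return -1;
    while (size - off >= 16 && n < max) {
        struct section *s = &out[n++];
        memcpy(s->magic, img + off, 4); s->magic[4] = '\0';
        s->mem = be32(img + off + 4);
        s->flash = be32(img + off + 8);
        s->len = be32(img + off + 12);
        s->payload = off + 16;
        if (s->len > size - s->payload) return -1;  /* length overruns image */
        off = s->payload + s->len;
    }
    return n;
}

int main(void)
{
    int n = walk_sections(SAMPLE, sizeof SAMPLE, 0, found, 4);
    for (int i = 0; i < n; i++)
        printf("%s flash=%08x len=%u\n", found[i].magic,
               (unsigned)found[i].flash, (unsigned)found[i].len);
    return n < 0;
}
```

On an image laid out as in the map, the first section header sits at offset 0x8096, so that is the `off` to pass.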
mgranja
DD-WRT Novice


Joined: 22 Nov 2010
Posts: 3

Posted: Sun Nov 28, 2010 23:56    Post subject: A little over my head
Thanks for all the info, but it was a little over my head. When you say 'firmware' in the dd commands, that is the firmware file for the router, correct? Also, when I do it back to create the firmware, I would then upload it through the web interface? Will the router accept it?
A340
DD-WRT Novice


Joined: 23 Oct 2007
Posts: 41

Posted: Mon Nov 29, 2010 11:50
Same here, conjur. Can you break this down a bit more for the lay person to flash this router? This is awesome work however. Thanks




Joined: 01 Jan 1970
Posts:

Posted: Wed Dec 08, 2010 15:08
I have a RB-1132 and would like to load *Wrt on it. Any progress...?
conjur
DD-WRT Novice


Joined: 06 Nov 2010
Posts: 42
Location: Harlem, GA

Posted: Mon Dec 27, 2010 8:48
This project has struck a dead end.

The Sapido Devices come natively with a proprietary Realtek bootloader. I've got a functional decompilation/recompilation of the firmware to work with the RB-1132; but installing it is kind of complex, and involves some luck still.

Out of the 20 devices I had; 14 of them are now bricks; giving me about a 30% overall success rate.

If any devs would like to take on this project; all the info they need is a few posts up; covering the flash ("CPE") breakdown.

V/r,
Conjur




Joined: 01 Jan 1970
Posts:

Posted: Tue Dec 28, 2010 15:27
What bitter news! I have had hopes that this will turn out fruitful.

I'm no developer but can this be of any help...?

http://www.linux-mips.org/wiki/Realtek_SOC

Or if we request the Linux kernel source from Realtek...?

What a sad day to pass.
wdaniels
DD-WRT Novice


Joined: 07 Mar 2011
Posts: 3

Posted: Mon Mar 07, 2011 4:05
onlyme wrote:
Or if we request the Linux kernel source from Realtek...?


Done! Downloadable from this page or direct from Amigo (slower & unstable).

Probably not any kind of magic bullet for solving the problems here, but might help a bit.
wdaniels
DD-WRT Novice


Joined: 07 Mar 2011
Posts: 3

Posted: Fri Mar 11, 2011 13:52
Well, one thing the GPL source has revealed so far is how to do the checksum on a new firmware image. Basically they just sum (big-endian unsigned short) the root squashfs and expect it to come out zero, which seems to be achieved just by throwing the correct 2 bytes on the end.

I made a quick C prog to calculate that:

Code:
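#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
  FILE *fp;
  unsigned char b[2];
  unsigned short sum = 0, x;

  if (argc < 2) {
    printf("Usage: %s <rootfs image>\n", argv[0]);
    exit(1);
  }
  // open in binary mode so no byte is translated on the way in
  if ((fp = fopen(argv[1], "rb")) == NULL) {
    printf("Cannot open file.\n");
    exit(1);
  }

  // sum the file as big-endian 16-bit words, whatever the host byte order;
  // a trailing odd byte is not summed
  while (fread(b, 1, 2, fp) == 2) {
    sum += (unsigned short)((b[0] << 8) | b[1]);
  }
  fclose(fp);

  // x is the 16-bit value that brings the running sum to zero
  x = (unsigned short)(~sum + 1); sum += x;
  printf("checksum value: %x\nfinal sum: %x\n", x, sum);
  return 0;
}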


Succeeded in loading a new firmware via the web interface that way, but my new rootfs is still producing bricks :(

But if somebody has a full kernel & rootfs for DD-WRT that definitely work on the hardware, it should be simple enough now to create an uploadable firmware?




Joined: 01 Jan 1970
Posts:

Posted: Tue Mar 15, 2011 19:36
Glad to see someone is still working on this...

One question though, are we talking about GR-1102 or RB-1132??? Cause they seem to use different platforms...

The GR-1102 seems to be rocking STR91xx

The RB-1132 instead runs on RTL8196BU (or is it RTL8652?)

The 3R161n referenced above seems to be the GR-1102.
wdaniels
DD-WRT Novice


Joined: 07 Mar 2011
Posts: 3

Posted: Tue Mar 15, 2011 20:31
onlyme wrote:
The GR-1102 seems to be rocking STR91xx

The RB-1132 instead runs on RTL8196BU (or is it RTL8652?)

The 3R161n referenced above seems to be the GR-1102.


I'm actually working with a Solwise NET-3G-3G11nMRW which is using a RTL8651C SoC (reported as RTL8652). It's a R3000 MIPS architecture with 8MB flash and 32MB SDRAM like the RB-1132.

I believe this is the same as what is currently the Sapido GR-1102, although there was a previous Solwise model (NET-3G-3GWIFIMRW) in the exact same casing that was indeed based on a Star STR9105 (again 8MB flash & 32MB RAM).

From what I've gathered the Solwise = Sapido = Amigo (OEM) models correspond like this:

[ARM] Solwise NET-3G-3GWIFIMRW = Sapido GR-1100 = Amigo 3R121G
[MIPS] Solwise NET-3G-3G11nMRW = Sapido GR-1102 = Amigo 3R161N

There may be some differences with the RB-1132 (Amigo BR182N) but I think it's probably the same Realtek SDK used by the OEM for the GR-1102 and RB-1132 (since they are the same architecture) or at least sufficiently similar to be of use.

For example, the GPL source for the 3R161N yields a usable squashfs-lzma implementation that works for squashing and unsquashing the rootfs where no other sources I found could read anything more than the superblock, and I expect would be able to read/generate rootfs for the RB-1132 also. And the firmware structure looks the same for both so the checksum method ought to work for the RB-1132. So there's two of the issues Conjur had problems with sorted out potentially.

I haven't had chance yet to look at the bootloader code (or even to see if it's included, though there is certainly a bootloader.bin file I spotted). I expect if the bootloader relies on some specific memory addresses for loading the kernel that could be one place where the GR-1102 and RB-1132 differ? But I'm no expert when things get that low-level. I did some assembler once, but that was 20 years ago on Motorola 68k and I've stuck to high-level languages and userspace tools pretty much ever since...it's a bit of a learning curve but I'll get there eventually :D

So really just trying to post anything I can find that might help progress here. For my own purposes I only actually need to replace the rootfs, not the kernel/bootloader, but since I've had to go to this much trouble already I will probably try to finish the job and get complete replacement distros (like DD-WRT) running on it as well.

I'm an experienced programmer but could certainly use some help from anybody with more experience messing with this kind of stuff. I have over 100 of these Solwise routers and would happily post a couple to any serious devs willing to assist.




Joined: 01 Jan 1970
Posts:

Posted: Sun Mar 20, 2011 12:47
Don't have the expertise on coding but willing to help testing. :D




Joined: 01 Jan 1970
Posts:

Posted: Sun May 01, 2011 15:04
I would like to give this a try despite the risk, can you give me a pointer and the files?

BTW, once dd-wrt is loaded, how can I update it?

Thx.