Joined: 06 Nov 2010 Posts: 42 Location: Harlem, GA
Posted: Sat Nov 20, 2010 12:43 Post subject:
Just to keep you guys informed;
I swapped out the Lexra crap for MIPS R3000, and it works great! A bit overclocked (540MHz), but it hasn't melted the case yet :)
I got the Realtek module source that fixed the WiFi/USB/Ethernet issue, so the device is completely DD-WRT compliant now... except..........
Going from factory firmware, it has some serious anti-reverse-engineering crap in place: the web app has rejected every attempt at an "unlocker" firmware "upgrade"... the only way I can install DD-WRT now is via UART/TFTP, and it's an involved process. Reverting back to Sapido RB-1132 v1.0.14 from DD-WRT is easy as cake though!
008000 thru 00FFFF: DEFAULT NVRAM Variables
010000 thru 02FFFF: CURRENT NVRAM Variables?
030000 thru 072305: Web Archive (BZ2; loaded at boot time with special "flash" program)
072306 thru 0CFFFF: Unknown (Possible spam left from previous flashes?)
0D0000 thru 20FFFF: 03_boot_cfg_linux.bin; with lots of 00's after it.
00210000 thru 007FFFFF: mtdblock1 (7,1)
squashfs; directly imported from image, as defined above.
bootloader:
Checks for 73717368 (sqsh)
63733662 = Linux Kernel
63723662 = Linux Kernel (root-fs)
77366267 = Webpages
72366272 = Root filesystem
626F6F74 = Boot code
616C6C70 = Total Image
616C6C32 = Total Image (no check)
#include <stdio.h>
int main(void)
{
    int c;
    /* undo the byte obfuscation: each byte is stored as 199 - byte, modulo 256 */
    while ( (c = getchar()) != EOF ) {
        c = 199 - c;
        if (c < 0) { c = c + 256; }
        printf("%c", c);
    }
    return 0;
}
And last, but not least; the default root password should be:
swetop
Use the reverse of the dd commands to re-assemble your chunks into the factory firmware, or use the onboard SPI to tftp your own chunks into it. If you choose the latter, do NOT TOUCH 000000 thru 005FFF while running the SPI (aka CPE): over-writing a running program is bad ju-ju, I have 2 bricks to prove it.
I am still working on a solid F/W image that the RB-1132 will accept natively; but each sapido (or should I say amigo?) model has a slightly different firmware structure, hardcoded memory locations, etc.. short of replacing the flash, I can't think of a reliable (idiot-proof) way to flash them =(
Posted: Sun Nov 28, 2010 23:56 Post subject: A little over my head
Thanks for all the info, but it was a little over my head. When you say 'firmware' in the dd commands, that is the firmware file for the router, correct? Also, when I do it back to create the firmware, I would then upload it through the web interface? Will the router accept it?
Joined: 06 Nov 2010 Posts: 42 Location: Harlem, GA
Posted: Mon Dec 27, 2010 8:48 Post subject:
This project has struck a dead end.
The Sapido Devices come natively with a proprietary Realtek bootloader. I've got a functional decompilation/recompilation of the firmware to work with the RB-1132; but installing it is kind of complex, and involves some luck still.
Out of the 20 devices I had; 14 of them are now bricks; giving me about a 30% overall success rate.
If any devs would like to take on this project; all the info they need is a few posts up; covering the flash ("CPE") breakdown.
Well, one thing the GPL source has revealed so far is how to do the checksum on a new firmware image. Basically they just sum (big-endian unsigned short) the root squashfs and expect it to come out zero, which seems to be achieved just by throwing the correct 2 bytes on the end.
I made a quick C prog to calculate that:
Code:
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    FILE *fp;
    unsigned char b[2];
    unsigned short sum = 0, x;

    if (argc != 2) {
        fprintf(stderr, "usage: %s rootfs.bin\n", argv[0]);
        return 1;
    }
    fp = fopen(argv[1], "rb");
    if (!fp) { perror(argv[1]); return 1; }

    /* sum the file as big-endian 16-bit words, regardless of host endianness
       (a trailing odd byte, if any, is not counted) */
    while (fread(b, 2, 1, fp) == 1) {
        sum += (unsigned short)((b[0] << 8) | b[1]);
    }
    fclose(fp);

    /* the two bytes that make the total wrap to zero */
    x = (unsigned short)(~sum + 1);
    sum += x;
    printf("checksum value: %04x\nfinal sum: %x\n", x, sum);
    return 0;
}
Succeeded in loading a new firmware via the web interface that way, but my new rootfs is still producing bricks :(
But if somebody has a full kernel & rootfs for DD-WRT that definitely work on the hardware, it should be simple enough now to create an uploadable firmware?
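As an added example (not code from the thread or from the Realtek GPL source), the following C functions reproduce the checksum rule described in the post above: sum the image as big-endian 16-bit words, then append the two bytes that make the total wrap to zero. Unlike the posted program they work on an in-memory buffer, refuse an odd-length image instead of silently dropping the last byte (the thread does not say how the real tool treats that case, so this is an assumption), and include a verifier so a patched image can be checked before it is uploaded, including a check that a single flipped byte is caught. The sample payload is constructed here and is not a real rootfs; it only borrows the 'sqsh' squashfs magic mentioned earlier in the thread.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Sum a buffer as big-endian 16-bit words, wrapping modulo 2^16.
 * An odd trailing byte is ignored; callers reject odd lengths first. */
static uint16_t be16_sum(const uint8_t *buf, size_t len)
{
    uint16_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum = (uint16_t)(sum + (uint16_t)((buf[i] << 8) | buf[i + 1]));
    return sum;
}

/* Compute the two fix-up bytes: the 16-bit value that makes the sum of
 * (image + these two bytes) come out to zero. Returns -1 if len is odd
 * (behaviour not described in the thread; assumption), 0 on success,
 * writing the bytes big-endian into out[0..1]. */
int checksum_fixup(const uint8_t *buf, size_t len, uint8_t out[2])
{
    if (len % 2 != 0)
        return -1;
    uint16_t fix = (uint16_t)(0u - be16_sum(buf, len)); /* two's complement of the sum */
    out[0] = (uint8_t)(fix >> 8);
    out[1] = (uint8_t)(fix & 0xff);
    return 0;
}

/* Append the fix-up to img, which must have room for len + 2 bytes.
 * Returns the new length, or 0 if the input length is odd. */
size_t append_checksum(uint8_t *img, size_t len)
{
    uint8_t fix[2];
    if (checksum_fixup(img, len, fix) != 0)
        return 0;
    img[len] = fix[0];
    img[len + 1] = fix[1];
    return len + 2;
}

/* Verify a finished image: the big-endian 16-bit sum over everything,
 * trailing two bytes included, must be zero. Returns 1 if it passes. */
int checksum_ok(const uint8_t *img, size_t len)
{
    return len % 2 == 0 && len >= 2 && be16_sum(img, len) == 0;
}

/* Constructed sample payload (not a real rootfs): the 'sqsh' magic the
 * bootloader looks for, followed by filler, with room for the fix-up. */
static uint8_t sample[16 + 2] = {
    's', 'q', 's', 'h', 0x00, 0x01, 0x02, 0x03,
    0x10, 0x20, 0x30, 0x40, 0xff, 0xee, 0xdd, 0xcc
};

int main(void)
{
    uint8_t fix[2];
    if (checksum_fixup(sample, 16, fix) != 0) {
        fprintf(stderr, "odd-length image\n");
        return 1;
    }
    printf("fix-up bytes: %02x %02x\n", fix[0], fix[1]);
    size_t n = append_checksum(sample, 16);
    printf("final sum zero: %s\n", checksum_ok(sample, n) ? "yes" : "no");
    /* a single flipped byte after the fix-up was appended must be detected */
    sample[5] ^= 0x01;
    printf("after corruption: %s\n", checksum_ok(sample, n) ? "yes" : "no");
    return 0;
}
```

To use it on a real image, read the squashfs into a buffer with two spare bytes, call append_checksum, and run checksum_ok on the result before feeding the file to the web interface; the check only covers the additive checksum the post describes, not any other header fields the bootloader may inspect.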
The RB-1132 instead runs on RTL8196BU (or is it RTL8652?)
The 3R161n referenced above seems to be the GR-1102.
I'm actually working with a Solwise NET-3G-3G11nMRW which is using a RTL8651C SoC (reported as RTL8652). It's an R3000 MIPS architecture with 8MB flash and 32MB SDRAM like the RB-1132.
I believe this is the same as what is currently the Sapido GR-1102, although there was a previous Solwise model (NET-3G-3GWIFIMRW) in the exact same casing that was indeed based on a Star STR9105 (again 8MB flash & 32MB RAM).
From what I've gathered the Solwise = Sapido = Amigo (OEM) models correspond like this:
There may be some differences with the RB-1132 (Amigo BR182N) but I think it's probably the same Realtek SDK used by the OEM for the GR-1102 and RB-1132 (since they are the same architecture) or at least sufficiently similar to be of use.
For example, the GPL source for the 3R161N yields a usable squashfs-lzma implementation that works for squashing and unsquashing the rootfs where no other sources I found could read anything more than the superblock, and I expect would be able to read/generate rootfs for the RB-1132 also. And the firmware structure looks the same for both so the checksum method ought to work for the RB-1132. So there's two of the issues Conjur had problems with sorted out potentially.
I haven't had chance yet to look at the bootloader code (or even to see if it's included, though there is certainly a bootloader.bin file I spotted). I expect if the bootloader relies on some specific memory addresses for loading the kernel that could be one place where the GR-1102 and RB-1132 differ? But I'm no expert when things get that low-level. I did some assembler once, but that was 20 years ago on Motorola 68k and I've stuck to high-level languages and userspace tools pretty much ever since...it's a bit of a learning curve but I'll get there eventually :D
So really just trying to post anything I can find that might help progress here. For my own purposes I only actually need to replace the rootfs, not the kernel/bootloader, but since I've had to go to this much trouble already I will probably try to finish the job and get complete replacement distros (like DD-WRT) running on it as well.
I'm an experienced programmer but could certainly use some help from anybody with more experience messing with this kind of stuff. I have over 100 of these Solwise routers and would happily post a couple to any serious devs willing to assist.