Connor McMillan

connor@mcmillan.website – http://github.com/mibs510

OpenWRT for WS-WN529B3

My previous attempt was to get OpenWrt running on a WL-WN575A3, which ran into a dead end as far as making it usable. I’ve got hold of a WS-WN529B3, which happens to run on the same hardware, just with an additional possible UART port; I’ve yet to determine which pin holes belong to RX, TX, GND, and VCC. It is running an OpenWrt root file system, as seen on the telnet login page; the password is not set by the web interface like on the previous device, and it is locked out. The possibilities on this device are unlike the other: since we know it’s running an OpenWrt root file system, there is a chance to (a) use a vanilla OpenWrt image + kernel module or (b) use the existing kernel on the device but reintroduce a vanilla OpenWrt root file system. I’m hoping that the kernel module for the radio wasn’t written like the other, where the kernel module managed everything from startup to configuration, but instead like any other typical wireless module.

Serial UART

Baud Rate: 57600

Parity: None

Bits: 8

Stopbits: 1

Flow control: None

EEPROM

After going through a lot of trial and error I got dumps of the stock partitions, thanks to the person who deleted the existing curl, since the old curl’s libraries were still intact. I recompiled curl, removed the old libcurl* libraries, copied over the new ones and properly linked them so that curl could use them. I believe the “firmware” partition will be the firmware you would upload to Uboot via a tftpd server, as mentioned previously here. I haven’t tried the Uboot method yet, nor have I tried uploading it via the web interface, but will report shortly. If this is the case, then “firmware.bin” is provided to you with telnet enabled on port 2323, the root password is toor, and I also provided curl along with it. Other than the mentioned changes, everything is as it came from the factory.

Each of these partitions can be downloaded here.

Stock OpenWrt Firmware

Stock Uboot

Unlike the WL-WN575A3 the router’s IP address, the server’s IP address, and file name are all different.

The stock bootloader will not allow you to flash any uImage kernels into flash without them being signed, or for whatever unknown reason. So essentially we are locked out so far. We can’t dd or cat into the /dev/mtd* blocks.

RESET MT7628 PHY!!!!!!

Please choose the operation: 

   1: Load system code to SDRAM via TFTP. 

   2: Load system code then write to Flash via TFTP. 

   3: Boot system code via Flash (default).

   4: Entr boot command line interface.

   7: Load Boot Loader code then write to Flash via Serial. 

   9: Load Boot Loader code then write to Flash via TFTP.

The only option which I can choose is 2; all the others do not respond. My next step from here is to flash the bootloader from the WL-WN575A3 onto the EEPROM directly using a Minipro TL866CS.
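An added example (not from the original post or from U-Boot itself): a checker for the legacy 64-byte uImage header whose fields U-Boot prints in the boot log on this page (image name, data size, load address, entry point, checksum), so a custom image can be compared field by field with the stock one before it goes over TFTP. The function names are hypothetical and the sample image is constructed in the code, not a real kernel.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
HEADER_FMT = ">7I4B32s"  # legacy U-Boot image header: big-endian, 64 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(blob):
    """Parse a legacy uImage and recompute the header and data checksums."""
    if len(blob) < HEADER_LEN:
        raise ValueError("image shorter than the 64-byte header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, comp, name) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    # The header CRC covers all 64 bytes with the hcrc field (bytes 4-7) zeroed.
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:HEADER_LEN]
    data = blob[HEADER_LEN:HEADER_LEN + size]
    return {
        "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "size": size, "load": load, "entry": entry, "comp": comp,
        "header_crc_ok": crc32(zeroed) == hcrc,
        "truncated": len(data) < size,
        "data_crc_ok": len(data) == size and crc32(data) == dcrc,
    }


def build_sample(name, payload, load=0x80000000, entry=0x80000000):
    """Constructed test image: os=5 (Linux), arch=5 (MIPS), type=2 (kernel), comp=3 (lzma)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, entry, crc32(payload),
              5, 5, 2, 3, name.encode("ascii")]
    fields[1] = crc32(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields) + payload


if __name__ == "__main__":
    # Constructed sample; the name is the one shown in the boot log.
    image = build_sample("WAVLINK_529B3EN", b"constructed payload" * 64)
    print(parse_uimage(image))
    damaged = image[:-1] + bytes([image[-1] ^ 0xFF])  # one corrupted payload byte
    print(parse_uimage(damaged)["data_crc_ok"])
```

Passing both CRC checks only rules out a malformed image; it says nothing about any additional vendor check the stock bootloader may apply.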

Success!*

I desoldered the EEPROM from the board, put it onto a SOP8 socket, hooked it up to my TL866CS and voilà! It read just fine. I saved the EEPROM and opened it with a hex editor, then selected 0x00000000 – 0x0002FFFF and pasted the other bootloader from the WL-WN575A3 onto the selected address range, saved it and burned it back. * OpenWrt Bleeding Edge is running with no problems; however, unlike the WL-WN575A3, the 2.4GHz radio is working and is recognized by OpenWrt as wlan0. My next step is to get the 5GHz radio working, probably using the old driver. My working successful image can be located here.
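The hex-editor splice described above, as an added Python example (not the author's tool): it overwrites 0x00000000 – 0x0002FFFF of a full 8 MiB chip dump with a replacement bootloader, then compares per-partition hashes so that a read-back from the programmer can be checked for unintended changes to Config, Factory or firmware. Partition offsets are taken from the MTD table in the boot log on this page; the function names, the 0xFF padding of a short bootloader and the sample data are assumptions made for the example.

```python
import hashlib

FLASH_SIZE = 0x800000  # GD25Q64B, 8 MiB, per the boot log
# (start, end) offsets copied from the MTD partition lines of the boot log.
PARTITIONS = {
    "Bootloader": (0x000000, 0x030000),
    "Config": (0x030000, 0x040000),
    "Factory": (0x040000, 0x050000),  # log shows radio NVM at flash offset 0x48000
    "firmware": (0x050000, 0x7F0000),
}


def digests(dump):
    """SHA-256 of each partition in a full-chip dump."""
    if len(dump) != FLASH_SIZE:
        raise ValueError("expected a %d-byte dump, got %d" % (FLASH_SIZE, len(dump)))
    return {name: hashlib.sha256(dump[s:e]).hexdigest()
            for name, (s, e) in PARTITIONS.items()}


def splice_bootloader(dump, bootloader):
    """Return a copy of dump with 0x000000-0x02FFFF replaced by bootloader."""
    start, end = PARTITIONS["Bootloader"]
    if len(dump) != FLASH_SIZE:
        raise ValueError("expected a %d-byte dump, got %d" % (FLASH_SIZE, len(dump)))
    if not bootloader or len(bootloader) > end - start:
        raise ValueError("bootloader must be 1..0x30000 bytes or it spills into Config")
    # Assumption: a shorter image is padded with 0xFF, the erased state of NOR flash.
    padded = bootloader.ljust(end - start, b"\xff")
    return padded + dump[end:]


def changed_partitions(before, after):
    """Names of partitions whose contents differ between two dumps."""
    a, b = digests(before), digests(after)
    return [name for name in PARTITIONS if a[name] != b[name]]


def sample_dump():
    """Constructed stand-in for a chip read: each partition filled with its own byte."""
    dump = bytearray(b"\xff" * FLASH_SIZE)
    for fill, (s, e) in enumerate(PARTITIONS.values(), start=1):
        dump[s:e] = bytes([fill]) * (e - s)
    return bytes(dump)


if __name__ == "__main__":
    stock = sample_dump()
    donor = b"\xAA" * 0x30000  # constructed placeholder for the other bootloader
    patched = splice_bootloader(stock, donor)
    print(changed_partitions(stock, patched))  # only Bootloader should differ
    readback = bytearray(patched)
    readback[0x48000] ^= 1  # simulate a bad burn inside Factory
    print(changed_partitions(stock, bytes(readback)))
```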

Continuing

While I was handling the device I accidentally put too much pressure on the EEPROM, which ripped two of the copper pads off the PCB; at this point the device is pretty much useless. However, since the WL-WN575A3 is pretty much similar to this device, all my development so far has been transferred over to that device. What I’m currently working on is using the stock kernel, drivers, and for the most part the root filesystem while reintroducing opkg and the luci web interface; with these two the device will give an experience similar to any other device running pure OpenWrt.

Download OpenWrt testing image here.  Download openwrt-14.07-ramips-wn575a3-wn529b3-squashfs-sysupgrade.bin and upload it via tftp as instructed here.

Boot log

U-Boot 1.1.3 (Jun 16 2016 - 20:48:53)


Board: Ralink APSoC DRAM:  64 MB

relocate_code Pointer at: 83fb8000

flash manufacture id: c8, device id 40 17

find flash: GD25Q64B

*** Warning - bad CRC, using default environment


============================================ 

Ralink UBoot Version: 4.3.0.0

-------------------------------------------- 

ASIC 7628_MP (Port5None)

DRAM component: 512 Mbits DDR, width 16

DRAM bus: 16 bit

Total memory: 64 MBytes

Flash component: SPI Flash

Date:Jun 16 2016  Time:20:48:53

============================================ 

icache: sets:512, ways:4, linesz:32 ,total:65536

dcache: sets:256, ways:4, linesz:32 ,total:32768 


 ##### The CPU freq = 575 MHZ #### 

 estimate memory size =64 Mbytes

RESET MT7628 PHY!!!!!!

Please choose the operation: 

   1: Load system code to SDRAM via TFTP. 

   2: Load system code then write to Flash via TFTP. 

   3: Boot system code via Flash (default).

   4: Entr boot command line interface.

   7: Load Boot Loader code then write to Flash via Serial. 

   9: Load Boot Loader code then write to Flash via TFTP. 



You choosed 3


 0 

   

3: System Boot system code via Flash.

## Booting image at bc050000 ...

   Image Name:   WAVLINK_529B3EN

   Image Type:   MIPS Linux Kernel Image (lzma compressed)

   Data Size:    1451214 Bytes =  1.4 MB

   Load Address: 80000000

   Entry Point:  80000000

   Verifying Checksum ... OK

   Uncompressing Kernel Image ... OK

No initrd

## Transferring control to Linux (at address 80000000) ...

## Giving linux memsize in MB, 64


Starting kernel ...



LINUX started...

 THIS IS ASIC
Linux version 3.10.14+ (root@wiair-desktop) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r6900) ) #205 Mon Jul 18 17:36:36 CST 2016

 The CPU feqenuce set to 575 MHz
CPU0 revision is: 00019655 (MIPS 24KEc)
Software DMA cache coherency
Determined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone ranges:
  Normal   [mem 0x00000000-0x03ffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x00000000-0x03ffffff]
Primary instruction cache 64kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock5 rootfstype=squashfs,jffs2
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Writing ErrCtl register=0005a009
Readback ErrCtl register=0005a009
Memory: 60412k/65536k available (3151k kernel code, 5124k reserved, 842k data, 228k init, 0k highmem)
NR_IRQS:128
console [ttyS1] enabled
Calibrating delay loop... 382.46 BogoMIPS (lpj=764928)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
RALINK_GPIOMODE = 54054405 
RALINK_GPIOMODE = 54044405 
***** Xtal 40MHz *****
start PCIe register access
RALINK_RSTCTRL = 2400000
RALINK_CLKCFG1 = fdbfffc0

*************** MT7628 PCIe RC mode *************
PCIE0 enabled
Port 0 N_FTS = 1b105000
init_rt2880pci done
bio: create slab  at 0
vgaarb: loaded
PCI host bridge to bus 0000:00
pci_bus 0000:00: root bus resource [mem 0x20000000-0x2fffffff]
pci_bus 0000:00: root bus resource [io  0x10160000-0x1016ffff]
pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
pci 0000:00:00.0: BAR 0: can't assign mem (size 0x80000000)
pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x200fffff]
pci 0000:00:00.0: BAR 9: assigned [mem 0x20100000-0x201fffff pref]
pci 0000:00:00.0: BAR 1: assigned [mem 0x20200000-0x2020ffff]
pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff 64bit]
pci 0000:01:00.0: BAR 6: assigned [mem 0x20100000-0x2010ffff pref]
pci 0000:00:00.0: PCI bridge to [bus 01]
pci 0000:00:00.0:   bridge window [mem 0x20000000-0x200fffff]
pci 0000:00:00.0:   bridge window [mem 0x20100000-0x201fffff pref]
BAR0 at slot 0 = 0
bus=0x0, slot = 0x0
res[0]->start = 0
res[0]->end = 0
res[1]->start = 20200000
res[1]->end = 2020ffff
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
bus=0x1, slot = 0x0
res[0]->start = 20000000
res[0]->end = 200fffff
res[1]->start = 0
res[1]->end = 0
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
Switching to clocksource MIPS
NET: Registered protocol family 2
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) (SUMMARY)  (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
msgmni has been set to 117
io scheduler noop registered (default)
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x10000d00 (irq = 21) is a 16550A
serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
Ralink gpio driver initialized
brd: module loaded
flash manufacture id: c8, device id 40 17
GD25Q64B(c8 40170000) (8192 Kbytes)
mtd .name = raspi, .size = 0x00800000 (8M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 5 MTD partitions on "raspi":
0x000000000000-0x000000800000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x0000007f0000 : "firmware"
0x0000001b250e-0x0000007f0000 : "rootfs"
mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
mtd: partition "rootfs_data" created automatically, ofs=0x3f0000, len=0x400000
0x0000003f0000-0x0000007f0000 : "rootfs_data"
PPP generic driver version 2.4.2
PPP BSD Compression module registered
PPP Deflate Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
rdm_major = 253
netif_napi_add() called with weight 128 on device eth0
GMAC1_MAC_ADRH -- : 0x0000803f
GMAC1_MAC_ADRL -- : 0x5d71cd1d
Ralink APSoC Ethernet Driver Initilization. v3.1  384 rx/tx descriptors allocated, mtu = 1500!
NAPI enable, Tx Ring = 384, Rx Ring = 384
GMAC1_MAC_ADRH -- : 0x0000803f
GMAC1_MAC_ADRL -- : 0x5d71cd1d
PROC INIT OK!
u32 classifier
nf_conntrack version 0.5.0 (943 buckets, 3772 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
Type=Linux
----------------------------
--------igd inited----------
----------------------------
TCP: cubic registered
NET: Registered protocol family 17
8021q: 802.1Q VLAN Support v1.8
registered taskstats version 1
VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
Freeing unused kernel memory: 228K (803e7000 - 80420000)
procd: Console is alive
procd: - preinit -
Raeth v3.1 (NAPI
,SkbRecycle)

phy_tx_ring = 0x0358c000, tx_ring = 0xa358c000

phy_rx_ring0 = 0x0358e000, rx_ring0 = 0xa358e000
GMAC1_MAC_ADRH -- : 0x0000803f
GMAC1_MAC_ADRL -- : 0x5d71cd1d
RT305x_ESW: Link Status Changed
/etc/preinit: line 1: netmsg: not found
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
kmod: ran 1 iterations
jffs2: notice: (267) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (1 unchecked, 0 orphan) and 6 of xref (0 dead, 0 orphan) found.
block: extroot: no root or overlay mount defined
jffs2 is ready
jffs2 is ready
jffs2: notice: (264) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (1 unchecked, 0 orphan) and 6 of xref (0 dead, 0 orphan) found.
switching to overlay
ra2880stop()...Done
Free TX/RX Ring Memory!
procd: - early -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
register rt2860


=== pAd = c0601000, size = 2094384 ===

CSRBaseAddress =0xc0500000, csr_addr=0xc0500000!
device_id =0x7662
==>rlt_wlan_chip_onoff(): OnOff:1, Reset= 1, pAd->WlanFunCtrl:0x0, Reg-WlanFunCtrl=0x20a
E2pAccessMode=2
cfg_mode=14
cfg_mode=14
wmode_band_equal(): Band Not Equal!
APSDCapable[0]=0
APSDCapable[1]=0
APSDCapable[2]=0
APSDCapable[3]=0
APSDCapable[4]=0
APSDCapable[5]=0
APSDCapable[6]=0
APSDCapable[7]=0
APSDCapable[8]=0
APSDCapable[9]=0
APSDCapable[10]=0
APSDCapable[11]=0
APSDCapable[12]=0
APSDCapable[13]=0
APSDCapable[14]=0
APSDCapable[15]=0
default ApCliAPSDCapable[0]=0
Key1Str is Invalid key length(0) or Type(1)
Key1Str is Invalid key length(0) or Type(1)
Key2Str is Invalid key length(0) or Type(1)
Key2Str is Invalid key length(0) or Type(1)
Key3Str is Invalid key length(0) or Type(1)
Key3Str is Invalid key length(0) or Type(1)
Key4Str is Invalid key length(0) or Type(1)
Key4Str is Invalid key length(0) or Type(1)
RtmpChipOpsEepromHook::e2p_type=2, inf_Type=5
NVM is FLASH mode (pAd->flash_offset = 0x48000)
get_dev_name_prefix(): dev_idx = 1, dev_name_prefix=rai
safe: module license 'unspecified' taints kernel.
Disabling lock debugging due to kernel taint
regiester url hooks finish
l7 inited
Raeth v3.1 (NAPI
,SkbRecycle)

phy_tx_ring = 0x02dee000, tx_ring = 0xa2dee000

phy_rx_ring0 = 0x02df0000, rx_ring0 = 0xa2df0000
GMAC1_MAC_ADRH -- : 0x0000803f
GMAC1_MAC_ADRL -- : 0x5d71cd1d
RT305x_ESW: Link Status Changed
device eth0.1 entered promiscuous mode
device eth0 entered promiscuous mode
-------->fdb_create, 470!!!
nl socket is null !
br-lan: port 1(eth0.1) entered forwarding state
br-lan: port 1(eth0.1) entered forwarding state
efuse_probe: efuse = 10000002
procd: - init complete -
tssi_1_target_pwr_g_band = 33
device ra0 entered promiscuous mode
br-lan: port 2(ra0) entered forwarding state
br-lan: port 2(ra0) entered forwarding state
-------->fdb_create, 470!!!
nl socket is null !
device ra1 entered promiscuous mode
-------->fdb_create, 470!!!
nl socket is null !
build time = 
20141115060606a
rom patch for E3 IC

platform = 
ALPS
hw/sw version = 

patch version = 

FW Version:0.0.00 Build:1
Build Time:201507311614____
fw for E3 IC
RX[0] DESC a2ca7000 size = 4096
RX[1] DESC a2cd0000 size = 4096
E2pAccessMode=2
cfg_mode=14
cfg_mode=14
wmode_band_equal(): Band Not Equal!
APSDCapable[0]=0
APSDCapable[1]=0
APSDCapable[2]=0
APSDCapable[3]=0
APSDCapable[4]=0
APSDCapable[5]=0
APSDCapable[6]=0
APSDCapable[7]=0
APSDCapable[8]=0
APSDCapable[9]=0
APSDCapable[10]=0
APSDCapable[11]=0
APSDCapable[12]=0
APSDCapable[13]=0
APSDCapable[14]=0
APSDCapable[15]=0
default ApCliAPSDCapable[0]=0
Key1Str is Invalid key length(0) or Type(1)
Key1Str is Invalid key length(0) or Type(1)
Key2Str is Invalid key length(0) or Type(1)
Key2Str is Invalid key length(0) or Type(1)
Key3Str is Invalid key length(0) or Type(1)
Key3Str is Invalid key length(0) or Type(1)
Key4Str is Invalid key length(0) or Type(1)
Key4Str is Invalid key length(0) or Type(1)
1. Phy Mode = 49
get_chl_grp:illegal channel (167)
get_chl_grp:illegal channel (167)
get_chl_grp:illegal channel (169)
get_chl_grp:illegal channel (169)
get_chl_grp:illegal channel (171)
get_chl_grp:illegal channel (171)
/home/wiair/cs/n/project/7628/kernel//mt76x2e-p4rev-160126/build/../src/chips/mt76x2.c:2840 assert (ad->TxPower[choffset].Channel == 42)failed
Country Region from e2p = ffff
mt76x2_read_temp_info_from_eeprom:: is_temp_tx_alc=0, temp_tx_alc_enable=0
mt76x2_read_tx_alc_info_from_eeprom:: is_ePA_mode=1, ePA_type=0
mt76x2_read_tx_alc_info_from_eeprom:: [5G band] high_temp_slope=15, low_temp_slope=9
mt76x2_read_tx_alc_info_from_eeprom:: [2G band] high_temp_slope=13, low_temp_slope=16
mt76x2_read_tx_alc_info_from_eeprom:: [5G band] tc_lower_bound=-7, tc_upper_bound=4
mt76x2_read_tx_alc_info_from_eeprom:: [2G band] tc_lower_bound=-7, tc_upper_bound=5
mt76x2_get_external_lna_gain::LNA type=0x0, BLNAGain=0xffffff8c, ALNAGain0=0xffffff89, ALNAGain1=0xffffff89, ALNAGain2=0xffffff89
2. Phy Mode = 49
3. Phy Mode = 49
andes_pci_fw_init
0x1300 = 00073200
AntCfgInit: primary/secondary ant 0/1
andes_load_cr:cr_type(2)
ChipStructAssign(): MT76x2 hook !
RTMPSetPhyMode: channel is out of range, use first channel=0 
MCS Set = ff ff 00 00 01
mt76x2_bbp_adjust():rf_bw=2, ext_ch=1, PrimCh=149, HT-CentCh=151, VHT-CentCh=155
APStartUp(): AP Set CentralFreq at 155(Prim=149, HT-CentCh=151, VHT-CentCh=155, BBP_BW=2)
mt76x2_calibration(channel = 155)
Main bssid = 80:3f:5d:71:cd:20
mt76x2_reinit_agc_gain:original agc_vga0 = 0x4e, agc_vga1 = 0x4e
mt76x2_reinit_agc_gain:updated agc_vga0 = 0x4e, agc_vga1 = 0x4e
mt76x2_reinit_hi_lna_gain:original hi_lna0 = 0x30, hi_lna1 = 0x30
mt76x2_reinit_hi_lna_gain:updated hi_lna0 = 0x30, hi_lna1 = 0x30
original vga value(chain0) = 4e
original vga value(chain1) = 4e
<==== rt28xx_init, Status=0
get_dev_name_prefix(): dev_idx = 1, dev_name_prefix=rai
get_dev_name_prefix(): dev_idx = 1, dev_name_prefix=apclii
RTMPDrvOpen(1):Check if PDMA is idle!
RTMPDrvOpen(2):Check if PDMA is idle!
device rai0 entered promiscuous mode
br-lan: port 4(rai0) entered forwarding state
br-lan: port 4(rai0) entered forwarding state
-------->fdb_create, 470!!!
nl socket is null !
device rai1 entered promiscuous mode
-------->fdb_create, 470!!!
nl socket is null !
device eth0.2 entered promiscuous mode
br-lan: port 6(eth0.2) entered forwarding state
br-lan: port 6(eth0.2) entered forwarding state
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
nl socket is null !
main[79]:reset start
wps_init[8]:wps init
resetd_init[37]:flag:38
br-lan: port 1(eth0.1) entered forwarding state
Jan  1 00:00:15 miniupnpd[1087]: HTTP listening on port 53152

Jan  1 00:00:15 miniupnpd[1087]: Listening for NAT-PMP traffic on port 5351

br-lan: port 2(ra0) entered forwarding state
br-lan: port 4(rai0) entered forwarding state
procd: Instance log::instance1 s in a crash loop 6 crashes, 0 seconds since last crash
br-lan: port 6(eth0.2) entered forwarding state
