OpenWrt

cille75 · #1

Hello,

I have just disassembled the above device to look what kind of hardware this little thing provides.
It is sold in Germany by a company called "Pearl".
http://www.pearl.de/p/PE8074-7Links-6in … 4Mbit.html

The device is very small in size and already contains the switching power supply as a separate PCB.
The other PCB is the CPU board which hosts a Mini-PCI WLAN card with a Ralink 25xx chipset.
The CPU itself is a STR9105 with ARM922 core.
http://www.starsemi.com.tw/vChn/Prods/str9105.php
Flash memory is from Macronix (29lv640). DDR memory is from Nanya.
The CPU board contains a 20-pin standard ARM JTAG header. So far, I did not find out if there is a serial console, too.

Also, I did not find out which operating system the device is using. The CPU manufacturer Star provides support for Nucleus and Linux.
At the moment there are no firmware updates available, so no images to analyze.

The CPU board is named "Navi R120G" Rev3.0.

The webpage from Star also states that other members of the STR91xx family are used for Linksys devices like the WAP4400N or the WRVS4400N.

Looking on the Linksys webpage, I find:
ftp://ftp.linksys.com/opensourcecode/wa … v1.0.3.tgz
ftp://ftp.linksys.com/opensourcecode/wa … 1.2.11.tgz
ftp://ftp.linksys.com/opensourcecode/wa … 2.8.tar.gz

Those GPL source code packages contain the necessary kernel patches for the STR91xx family.

I am writing all this just for reference purposes. I searched the web for information about this device in particular, but I did not find very much. ;-)

Best regards!

sva · #2

Hello,
Concerning the serial console: Behind the usb connector is a 4 pin connector. TXD seems to be the pin close to the edge of the board, GND the opposite one. During boot time a connected scope shows some activity. I have not found further info about the device yet.
Stefan

jÃ¼rgen · #3

Hello,

I have just find some information at the sapido homepage
http://www.sapido.com.tw/EN/we1100-o.htm

I think the WE-1100, WE-1110 and WE-1200 use the same HW, but just different firmware-versions...

Best regards!

fabske · #4

What does it mean to the WRVS4400N? Can we run OpenWRT on it? I bought a WRVS4400N and have many problems. If somebody really wants to work on it and needs a WRVS4400N device, maybe he can take my one.

bobcov · #5

Hi,
That unit is manufactured by Amigo Technology and they have firmware you can examine on their website. http://www.amigo.com.tw/3R121g.htm
I have a unit but the brand name is Sapido. I am sorry to see that it does not support WPA2. It might be a limitation of the RT2561T chipset, but I am not sure.
I read a review on a German website which says the wireless is very poor, so I think I will put an external antenna on it and also I will try to put a power cord on it because it does not work well to plug it directly into the the outlet.
Have you tried to look at the serial console? Does it work? Is it Linux?
I notice that when I telnet to it, I get a prompt which looks like this: "pek>" and I don't know what to do with that. Do you?

Bob

yapoo · #6

Hi.

You can find 'partition/format sysdisk' image.
http://desireforwealth.com/diary/200810 … _ap2.shtml
File system type is selectable "ext3" or "fat32".
It seems that linux runs on it.

zukky

jonty · #7

The same device is sold by Solwise as the 3GWIFIMRW at http://www.solwise.co.uk/3g-routers.htm

I downloaded the firmware from http://www.amigo.com.tw/Download_Center.htm. File is called FNBENE3R121G2004-1.rar.

Unrared this to get a file called VER2.0.4 with size 5,649,268 bytes.

Used a binary editor to inspect it. Found the standard gzip header pattern x1F x8B x08 at offset 0x31F0. Chopped the file at this point and used gunzip. This produced a linux kernel with size 2,297,212 bytes.

Back to Ver2.0.4 and look for the next gzip header. Found x1F x8B x08 at offset xF2590. The zipped file is called ramdisk. Chopped again and unzipped to get a ramdisk file with size 18,227,200 bytes.

Scanned the ramdisk with binary editor for the telnet prompt "pek>". Found it at offset xC4340. Surrounding it are the strings used by the telnet command interpreter.

The most interesting string is "pekpekengeng" (without the quotes of course). Type this into the telnet prompt and suddenly the device comes alive.

After typing this magic string I can start typing regular unix commands such as ls and ps and I can see their output.

We have lift off!

Last edited by jonty (2008-11-24 19:23:32)

acoul · #8

how about a dmesg then? BTW, nice hacking!

jonty · #9

So for anyone who is unsure the process to get root access to the Solwise 3GWIFIMRW / Amigo 3R121g / Sapido WE1100 / 7links 6in1 / Star STR9105 is:

From a PC that is connected to the same network as the router use a telnet command with the address of the router (usually 192.168.1.1 or 10.64.64.64) and login with the administrator username and password (usually admin/admin):

Code:

  telnet 192.168.1.1

  Login:admin

  Password:admin

You are presented with a very limited program that displays a pek> prompt. You break out of this program by typing the magic word pekpekengeng.

Code:

  pek>pekpekengeng

  sh: pekpekeng: command not found

Now you can start any unix program you like. The most useful one is a shell so type sh and the root prompt # will appear:

Code:

  pek>sh

  #

You can go anywhere you like, run any program you like. Some interesting commands are:

Code:

  # uname -a

  # dmesg

  # ps

  # ls /bin

  # ls /sbin

  # lsmod

  # ifconfig

I would like to see posts from anyone who can confirm or deny that these commands work on other brands of the same box, or maybe on other models in the same family.

Last edited by jonty (2008-11-24 21:12:59)

jonty · #10

acoul wrote:
how about a dmesg then? BTW, nice hacking!

Okay, dmesg shows:

Linux version 2.4.27-uc0-pek3 (root@debian) (gcc version 3.3.6) #2 Ã¤Â¸â€° 9Ã¦Å“Ë† 10 15:13:23 CST 2008
CPU: Faraday FA526id(wb) revision 1
ICache:16KB enabled, DCache:16KB enabled, BTB support
Machine: STAR_STR9100
alloc_bootmem_low
memtable_init
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/ram0 mem=32M panic=1
Relocating machine vectors to 0xffff0000
IRQ Timer1 at interrupt number 0x0 and clock 100000000(Hz)
Calibrating delay loop... 153.60 BogoMIPS
Memory: 32MB = 32MB total
Memory: 25420KB available (1890K code, 535K data, 64K init)
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
POSIX conformance testing by UNIFIX
PCI: bus0: Fast back to back transfers disabled
pci bridge found
AHB to bridge interrupt status : 24200000
pci_enable: bus: 0 devfn: 0
pci_enable: bus: 0 devfn: 10
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Journalled Block Device driver loaded
i2c-core.o: i2c core module version 2.6.1 (20010830)
i2c-dev.o: i2c /dev entries driver module version 2.6.1 (20010830)
i2c-core.o: driver i2c-dev dummy driver registered.
i2c-proc.o version 2.6.1 (20010830)
Str9100 Serial Driver version 5.05c (2001-07-08) with no serial options enabled
ttyS00 at 0xf7800000 (irq = 10) is a Star_UART
STAR star9100 Driver, v1.9pek-d20cm (11/03/2005) - by PEK & Star Semi.
RAMDISK driver initialized: 16 RAM disks of 14336K size 1024 blocksize
PPP generic driver version 2.4.2
PPP MPPE compression module registered
PPP Deflate Compression module registered
SCSI subsystem driver Revision: 1.00
kmod: failed to exec /sbin/modprobe -s -k scsi_hostadapter, errno = 2
kmod: failed to exec /sbin/modprobe -s -k scsi_hostadapter, errno = 2
physmap flash device: 800000 at 10000000
phys_mapped_flash: Found 1 x16 devices at 0x0 in 16-bit bank
Amd/Fujitsu Extended Query Table at 0x0040
phys_mapped_flash: Swapping erase regions for broken CFI table.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
kmod: failed to exec /sbin/modprobe -s -k cmdlinepart, errno = 2
cmdlinepart partition parsing not available
kmod: failed to exec /sbin/modprobe -s -k RedBoot, errno = 2
RedBoot partition parsing not available
Using physmap partition definition
Creating 3 MTD partitions on "phys_mapped_flash":
0x00000000-0x00040000 : "bootROM"
0x00040000-0x007c0000 : "bootpImage"
0x007c0000-0x00800000 : "User FS"
Linux Kernel Card Services 3.1.22
options: [pci] [cardbus]
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
hcd.c: ehci_hcd @ EHCI, EHCI_HCdriver
hcd.c: irq 24, pci mem c3005000
usb.c: new USB bus registered, assigned bus number 1
USB 7.4 enabled, EHCI 1.00, driver 2003-Dec-29/2.4
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver acm
acm.c: v0.21:USB Abstract Control Model driver for USB modems and ISDN adapters
usb.c: registered new driver usblp
printer.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usb.c: registered new driver usb-storage
USB Mass Storage support registered.
Linux video capture interface: v1.00
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
ip_conntrack version 2.1 (256 buckets, 2048 max) - 328 bytes per conntrack
ip_conntrack_pptp version $Revision: 1.8 $ loaded
ip_nat_pptp version $Revision: 1.4 $ loaded
ip_tables: (C) 2000-2002 Netfilter core team
ipt_recent v0.3.1: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Ebtables v2.0 registered
NET4: Ethernet Bridge 008 for NET4.0
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
Other stuff added by David S. Miller <davem@redhat.com>
NetWinder Floating Point Emulator V0.97 (double precision)
ds: no socket drivers loaded!
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 4404K
VFS: Mounted root (ext2 filesystem) readonly.
Freeing init memory: 64K
UART IRQ_ports = c0260d98
UART IRQ at interrupt number 0xa
usb-ohci_STR.c: USB OHCI at membase 0xc7025000, IRQ 23
usb-ohci_STR.c: usb-OHCI, OHCI_HCdriver
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 2 ports detected
ovcamchip_core.c: v2.28 : OV camera chip I2C driver
i2c-core.o: driver ovcamchip registered.
usb.c: registered new driver ov511
ov511_core.c: v2.28 : ov511 USB Camera Driver
pwc Philips webcam module version 9.0.2 loaded.
pwc Supports Philips PCA645/646, PCVC675/680/690, PCVC720[40]/730/740/750 & PCVC830/840.
pwc Also supports the Askey VC010, various Logitech Quickcams, Samsung MPC-C10 and MPC-C30,
pwc the Creative WebCam 5 & Pro Ex, SOTEC Afina Eye and Visionite VCS-UC300 and VCS-UM100.
usb.c: registered new driver Philips webcam
pwc Philips webcam decompressor routines version 9.0-BETA-2
pwc Supports all cameras supported by the main module (pwc).
pwc Adding decompressor for model 645.
pwc Adding decompressor for model 646.
pwc Adding decompressor for model 675.
pwc Adding decompressor for model 680.
pwc Adding decompressor for model 690.
pwc Adding decompressor for model 720.
pwc Adding decompressor for model 730.
pwc Adding decompressor for model 740.
pwc Adding decompressor for model 750.
usb.c: registered new driver spca5xx
spca5xxx.c: spca5xx driver 00.60.01 registered
device eth0 entered promiscuous mode
device eth1 entered promiscuous mode
bre0: port 2(eth1) entering learning state
bre0: port 1(eth0) entering learning state
RT61: Vendor = 0x1814, Product = 0x0302
RT61: RfIcType= 3
bre0: port 2(eth1) entering forwarding state
bre0: topology change detected, propagating
bre0: port 1(eth0) entering forwarding state
bre0: topology change detected, propagating

Last edited by jonty (2008-11-24 20:55:23)

jonty · #11

For anyone who wants to play around with the web interface you should know that this firmware runs the boa webserver (http://www.boa.org) with the following settings:

Configuration file boa.conf:

Code:

User root

Group root

#ServerAdmin root@localhost

# PidFile /var/run/boa.pid

ErrorLog /dev/null

AccessLog /dev/null

#ErrorLog /var/log/boa/error_log

#AccessLog /var/log/boa/access_log

# CGILog /var/log/boa/cgi_log

SinglePostLimit 10000000

#UseLocaltime

#VerboseCGILogs

DocumentRoot /home/httpd

#UserDir public_html

DirectoryIndex enter.html

DirectoryMaker /bin/boa_indexer

# DirectoryCache /var/spool/boa/dircache

KeepAliveMax 1000

KeepAliveTimeout 10

MimeTypes /dev/null

DefaultType text/plain

CGIPath /bin:/usr/bin:/usr/local/bin

#AddType application/x-httpd-cgi cgi

Alias /doc /usr/doc[

ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/

AddType text/plain  txt

AddType image/gif   gif

AddType text/html   html

AddType text/html   htm

AddType text/xml    xml

AddType image/jpeg  jpe

AddType image/jpeg  jpeg

AddType image/jpeg  jpg

AddType image/x-icon    ico

ServerName Navi_3r121g

Port 80

List of static pages in /home/httpd:

Code:

Reset.html

boa.conf

boa_ori.conf

camerror.gif

cgi-bin

close_parent.html

copyright.js

copyright.js~

enter.html

enter.html~

enter_client.html

enter_client.html~

enter_main.html

enter_main.html~

errormsg.conf

ftp_msg1.html

ftp_msg2.html

ftp_msg3.html

ftp_msg4.html

images

index.html

js

personal_close.html

pstyle.css

pstyle.css~

style.css

style.css~

top.html

top.html~

treemenu.html

treemenu.html~

version.txt

webcam.html

webcam_null.html

webcam_null.html_b

webcam_redir.html

webcam_show.html

welcome.html

welcome_ap.html

welcome_client.html

welcome_router.html

List of scripts in /home/httpd/cgi-bin:

Code:

Checkfs.cgi

DDNS.cgi

DHCP_IP_error.html

DHCP_start_end_error.html

DMZ.cgi

DMZ.html

DNS_IP_error0.html

DNS_IP_error1.html

DNS_Mode_error.html

Dynamic_DNS.html

Dynamic_DNS_Mode_error.html

Dynamic_DNS_WAN_error.html

Dynamic_DNS_error.html

Dynamic_DNS_passwd_error.html

Dynamic_DNS_username_error.html

Dynamic_IP_Mode_error.html

Dynamic_IP_error.html

E_IP_range_error.html

E_address_error.html

E_gateway_error.html

E_netmask_error.html

Ethernet.cgi

Ethernet_ap.html

Ethernet_router.html

FTP_Server_IT_error.html

FTP_Server_input_error.html

FTP_Server_port_error.html

FTP_server.cgi

File_Access.html

Firewall.cgi

Firewall.html

Firewall_Action_error.html

Firewall_DayWeek_error.html

Firewall_Dev_error.html

Firewall_Dst_Port_error.html

Firewall_Dst_error.html

Firewall_IP_rule_error.html

Firewall_Inout_error.html

Firewall_Log_error.html

Firewall_Mac_rule_error.html

Firewall_Protocol_error.html

Firewall_Src_Port_error.html

Firewall_Src_error.html

Firewall_Syn_error.html

Firewall_Time_error.html

Firewall_maxuser_error.html

Firewall_mode_error.html

Firewall_redirect.html

Format.html

Format_status.cgi

Fwall_Level_error.html

MAC_Filter.cgi

MAC_Filter.html

MAC_Filter_Addr_error.html

MAC_Filter_DayWeek_error.html

MAC_Filter_Desc_error.html

MAC_Filter_Log_error.html

MAC_Filter_Time_error.html

MAC_Filter_maxuser_error.html

MAC_Filter_mode_error.html

MAC_Filter_redirect.html

MaxIPFragCount_error.html

MinIPFragSize_error.html

NIC.cgi

PPPoE_username_error.html

PPTP_IT_error.html

PPTP_MTU_error.html

PPTP_account_error.html

PPTP_hostname_error.html

PPTP_input_error.html

PPTP_mode_error.html

PPTP_passwd_error.html

Printer.cgi

Printer.html

Printer_Access_error.html

Printer_ap.html

Printer_descript_error.html

Printer_mode_error.html

Printer_name_error.html

QOS.cgi

QOS.html

QOS_Application_Priority_error.html

QOS_Application_Status_error.html

QOS_Priority_error.html

QOS_band_error.html

QOS_mode_error.html

Repartition.cgi

Reset.cgi

Reset.html

Reset_error.html

SambaServer.cgi

Station_Mode.cgi

Station_Mode.html

Station_Mode.html.bak

Station_Mode_Frag_Threshold_error.html

Station_Mode_PSK_Key_error.html

Station_Mode_RTS_Threshold_error.html

Station_Mode_SSID_empty_error.html

Station_Mode_SSID_error.html

Station_Mode_Site_Survey.html

Station_Mode_Tx_10_digits_error.html

Station_Mode_Tx_26_digits_error.html

Station_WEP_ascii_error.html

Station_error.html

Station_error1.html

Station_error2.html

Station_error3.html

Status.cgi

Status.html

Time_Server_mode_error.html

Time_server.cgi

Time_server.html

Time_server_ap.html

Time_server_router.html

UPNP.cgi

UPNP_error.html

URL_Filter.cgi

URL_Filter.html

URL_Filter_DayWeek_error.html

URL_Filter_Desc_error.html

URL_Filter_Key_error.html

URL_Filter_Log_error.html

URL_Filter_Time_error.html

URL_Filter_maxuser_error.html

URL_Filter_mode_error.html

URL_Filter_redirect.html

Upgrade.cgi

Upload_Vformat_error.html

Upload_crc_value_error.html

Upload_dev_error.html

Upload_error.html

Upload_error_1.html

Upload_file_null_error.html

Upload_format_error.html

Upload_magic_error.html

Upload_size_error.html

Upload_socket_error.html

Upload_write_error.html

User_Edit_Name_error.html

User_Same_Name_error.html

User_account.cgi

User_account.html

User_account_list.cgi

User_account_list.html

User_act_error.html

User_maxcount_error.html

User_name_error.html

User_password_error.html

User_path_error.html

User_samba_error.html

Virtaul_server_mode_error.html

Virtual_server.cgi

Virtual_server.html

Virtual_server_Hour_error.html

Virtual_server_Minute_error.html

Virtual_server_Time_error.html

Virtual_server_Week_error.html

Virtual_server_descript_error.html

Virtual_server_privateIP_error.html

Virtual_server_privatePORT_error.html

Virtual_server_private_port_error.html

Virtual_server_protocol_error.html

Virtual_server_prublic_port_error.html

Virtual_server_pubPORT_error.html

Virtual_server_redirect.html

Virtual_server_schedule_error.html

W0_WDS_error.html

WAN.cgi

WAN.html

WAN_Dynamic_IP_error.html

WAN_Mode_error.html

WAN_PPPoE_IT_error.html

WAN_PPPoE_IT_input_error.html

WAN_PPPoE_MTU_error.html

WAN_PPPoE_MTU_input_error.html

WAN_PPPoE_error.html

WAN_PPPoE_passwd_error.html

WAN_address_error.html

WAN_dns.html

WAN_dynamiciIP_error.html

WAN_gateway_error.html

WAN_netmask_error.html

Wait_Restart.html

Wait_download.html

Wireless.cgi

Wireless_AuthMode_error.html

Wireless_Beacon_error.html

Wireless_Channel_error.html

Wireless_Encrypt_error.html

Wireless_HideSSID_error.html

Wireless_Key_Type_error.html

Wireless_Mode_error.html

Wireless_RADIUS_port_error.html

Wireless_RADIUS_server_error.html

Wireless_RTS_error.html

Wireless_Rekey_time_error.html

Wireless_Sharekey_error.html

Wireless_TxPreamble_error.html

Wireless_TxRate_error.html

Wireless_WDS_mac_error.html

Wireless_WEP_Key_Mode_error.html

Wireless_WEP_passphrase_error.html

Wireless_WEPpw_error.html

Wireless_WPAPSK_asciikey_error.html

Wireless_WPAPSK_hexkey_error.html

Wireless_WPA_Encrypt_error.html

Wireless_essid_error.html

Wireless_setting.html

Wireless_setting.html.bak

apply_error.html

attacks_blocking.cgi

attacks_blocking.html

bt_quick_show.html

bt_show.html

bt_speed.html

bt_upload.html

camopt.cgi

camopt_Enable_server_error.html

camopt_FTP_PW_empty_error.html

camopt_FTP_dir_empty_error.html

camopt_FTP_dir_error.html

camopt_FTP_port_error.html

camopt_FTP_server_empty_error.html

camopt_FTP_server_error.html

camopt_FTP_user_empty_error.html

camopt_NAS_path_error.html

camopt_general.html

camopt_record.html

camopt_sec_error.html

cdma.cgi

client_Ethernet.cgi

client_Ethernet.html

clients.cgi

command.html

config_save.cgi

disk_explorer.cgi

dmz_address_error.html

download_ftp.html

download_server.html

eventlog.cgi

eventlog.html

finish.html

ftp_server.html

ftp_server_ap.html

get.cgi

hddtools.cgi

hddtools.html.bak

index.html

index.html~

inithd.cgi

inithd.html

ip_thesame_error.html

logout.cgi

modify_mac.html

my_document.cgi

my_status.cgi

my_status.html

my_status.html~

my_status_tmp

passwd.cgi

passwd.html

passwd_diff_error.html

passwd_newpwd_error.html

passwd_pwd_error.html

personal_entrance.html

personal_entrance.html~

personal_entrance_tmp

personal_login.cgi

personal_login.html

personal_login_fail.html

personal_login_fail.html~

profiles_save.cgi

profiles_save.html

quick

quick_finish.cgi

quick_finish.html

quick_selection.cgi

quick_selection_ap.html.bak

quick_selection_ap_application.html

quick_selection_ap_basic.html

quick_selection_application.html

quick_selection_basic.html

quick_selection_client_application.html

quick_selection_client_basic.html

quick_selection_router.html.bak

quick_selection_router_application.html

quick_selection_router_basic.html

remote.cgi

remote.html

remote_descript_error.html

remote_http_port_error.html

remote_ip_error.html

remote_mode_error.html

remote_telnet_port_error.html

router_login.cgi

router_login.html

router_login_ap.html

router_login_client.html

router_login_fail.html

router_login_fail.html~

router_login_router.html

router_relogin.html

samba_desc_error.html

samba_mode_error.html

samba_name_error.html

samba_printer_error.html

samba_server.html

samba_server.html~

samba_workgroup_error.html

showcam.cgi

showstate.html

start_inetd.html

syslog.cgi

syslog.html

syslog_tmp

upgrade.html

upnp_set.html

webcam_login.cgi

webcam_login.html

webcam_show.cgi

webcamimg.cgi

webcamimg.html

welcome_ap.html.nouse.bak

welcome_client.html.nouse.bak

welcome_router.html.nouse.bak

wireless_clients.html

mazilo · #12

fabske wrote:
What does it mean to the WRVS4400N? Can we run OpenWRT on it? I bought a WRVS4400N and have many problems. If somebody really wants to work on it and needs a WRVS4400N device, maybe he can take my one.

I just sent you a PM.

jonty · #13

So that you don't have to open your router here is a guided tour of the Solwise 3GWIFIMRW.

I managed to open the case by sliding my thumbnail round the groove and popping open the catches one at a time.
http://img246.imageshack.us/img246/8028 … 054dm8.jpg

The case slides up and open with the power supply and tiny wifi aerial in the top half and the main circuitry in the bottom:
http://img383.imageshack.us/img383/1316 … 056qc6.jpg

To separate the top and bottom take the power supply plug (red, yellow, black wires in the picture) out of its socket and gently remove the wifi lead (black wire) from its connector. The blue wires you can see carry mains voltage into the power supply, so only young children and pets should play with these:
http://img155.imageshack.us/img155/4862 … 061si7.jpg

The wifi transmitter has its own board, with spring clips at each edge to hold it in place. Open the spring clips and the wifi board lifts out as a separate unit:
http://img212.imageshack.us/img212/7702 … 064zt6.jpg

The wifi board in detail. There are no components on the reverse of this board. Notice that it has two aerial connectors in the bottom left corner (the circular gold connectors). The one at the outside corner is not used in the 3gwifimrw:
http://img179.imageshack.us/img179/6361 … 070am7.jpg

The main circuit board is held in place with two small screws. Take them out and the board lifts out of the case. Most of this side of the board is covered with surface mount, passive components so there isn't much to see here. The components are covered with a protective plastic sheet so they are insulated them from the wifi board when it is installed:
http://img246.imageshack.us/img246/4353 … 072sf1.jpg

Now for the fun side of the main circuit board:
http://img512.imageshack.us/img512/4628 … 075vh7.jpg

And for those of you who like your chips:
http://img209.imageshack.us/img209/1459 … 076bh3.jpg
http://img149.imageshack.us/img149/6823 … 077fl2.jpg

Now, back to the passive side of the main board and we find something interesting. Just behind the USB sockets there is a four pin connector. Rumor has it that this is the serial port for the machine. Through this we can talk to the armboot software and gain complete control over how the router boots and configures itself. And in front of the 4 pins you can see 20 solder pads in a 2x10 grid for a JTAG connector:
http://img155.imageshack.us/img155/8788 … 081ad2.jpg

That's the end of the tour. Please visit the gift shop on the way out.

Jonty

armijn · #14

Sources: ftp://ftp.pearl.de/treiber/PE8074_src.rar (92999 KB)

jonty · #15

armijn wrote:
Sources: ftp://ftp.pearl.de/treiber/PE8074_src.rar (92999 KB)

Unpacking the source and poking around inside we find the file config.in which starts with:

mainmenu_name 'SnapGear Embedded Linux Configuration'

So we hop over to http://www.snapgear.org and http://ftp.snapgear.org/pub/snapgear/tools/arm-linux/. Here we find a set of tools for compiling source code in arm-linux-tools-20070808.tar.gz. This is a chunky 270MB so you will probably only download it if you are sure you need it. The gz unpacks into /usr/local and gives you a set of tools such as arm-linux-gcc and arm-linux-gfortran for compiling different languages.

I typed in a simple hello.c:

#include <stdio.h>
void main(int argc, char **argv) {
printf("Hello World\n");
}

It compiled into a static binary it with the commands:

$ arm-linux-gcc -Wl,-static -o hello hello.c
$ arm-linux-strip hello

I transferred it to my Solwise 3GWIFIMRW using netcat:

(On the 3GWIFIMRW) # nc -l -p 8888 > hello
(On the build machine) $ nc 192.168.1.1 < hello

Fix the permissions and execute it:

# chmod +x hello
# ./hello
Hello World

So it works. But it is only a demo, and it has several limits:

* The hello file is only in RAM, not flash memory. It will be lost every time the router restarts.
* Linking the program statically does not test if this compiler can work with the dynamic libraries in the router.
* The only kernel call tested by this program is write() and there are a lot of other kernel calls that need testing.

I'd be interested to see posts from anyone else who tries this compiler.

Jonty

Last edited by jonty (2008-12-08 22:06:39)

Cyberg · #16

Hello,

has anybody "successfully" tried to upgrade a Perl PE-8074 or the Sapdio WE-1100 to a firmware with UMTS/3G support?

I have tried to install the other firmware and got an error message...

Version format error!

Or is there any other custom firmware, - maybe command line only?

Bye

Cyberg

rdj · #17

Has anybody managed / looked at porting OpenWRT to this device (The Amigo 3R121g) or it's big brother (3R621g)?

If not, I may be able to arrange a bounty to help out...

-rdj

pkucan · #18

Hi, i have also 7links, and tried to cahnge firmware but without any luck.

it has the same info..

pek>^H

pek>pekpekengeng
sh: pekpekengeng: command not found

pek>sh
# lsmod
Module Size Used by Tainted: P
rt61ap 245416 2
pwcx 91948 0 (unused)
pwc 43744 0 [pwcx]
ov511 63496 0 (unused)
ovcamchip 15312 0 (unused)
# ifconfig
bre0 Link encap:Ethernet HWaddr 00:D0:41:B4:4E:82
inet addr:192.168.2.254 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:120 errors:0 dropped:0 overruns:0 frame:0
TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

eth0 Link encap:Ethernet HWaddr 00:D0:41:B4:AC:66
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

eth1 Link encap:Ethernet HWaddr 00:D0:41:B4:AC:67
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:120 errors:0 dropped:0 overruns:0 frame:0
TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

ra0 Link encap:Ethernet HWaddr 00:D0:41:B4:4E:82
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
Interrupt:6 Base address:0xb000

# ps
PID Uid VmSize Stat Command
1 root 472 S /bin/init
2 root SW [keventd]
3 root SWN [ksoftirqd_CPU0]
4 root SW [kswapd]
5 root SW [bdflush]
6 root SW [kupdated]
9 root SW [mtdblockd]
12 root SW [khubd]
53 root 208 S inetd
108 root 268 S /bin/pekcmd
109 root 288 S /bin/boa -d
110 root 268 S /bin/dnsmasq --no-daemon --no-hosts -i bre0 -r /etc/r
111 root 300 S /bin/syslogger 2>&1>/dev/null
113 root 176 S /bin/urlblocker
114 root 208 S /bin/telnetd
115 root 300 S pekcmd -l
117 root 644 S sh
120 root 276 R ps
# unname -a
sh: unname: command not found
# uname -a
Linux defaulthost 2.4.27-uc0-pek3 #3 ňŤŤ 7Šťł 10 10:59:50 CST 2008 armv4l unknow
n
# dmesg
Linux version 2.4.27-uc0-pek3 (root@cheiron-desktop) (gcc version 3.3.2) #3 ňŤŤ
7Šťł 10 10:59:50 CST 2008
CPU: Faraday FA526id(wb) revision 1
ICache:16KB enabled, DCache:16KB enabled, BTB support
Machine: STAR_STR9100
alloc_bootmem_low
memtable_init
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/ram0 mem=32M panic=1
Relocating machine vectors to 0xffff0000
IRQ Timer1 at interrupt number 0x0 and clock 100000000(Hz)
Calibrating delay loop... 153.60 BogoMIPS
Memory: 32MB = 32MB total
Memory: 25480KB available (1818K code, 436K data, 64K init)
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
POSIX conformance testing by UNIFIX
PCI: bus0: Fast back to back transfers disabled
pci bridge found
AHB to bridge interrupt status : 24200000
pci_enable: bus: 0 devfn: 0
pci_enable: bus: 0 devfn: 10
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Journalled Block Device driver loaded
i2c-core.o: i2c core module version 2.6.1 (20010830)
i2c-dev.o: i2c /dev entries driver module version 2.6.1 (20010830)
i2c-core.o: driver i2c-dev dummy driver registered.
i2c-proc.o version 2.6.1 (20010830)
Str9100 Serial Driver version 5.05c (2001-07-08) with no serial options enabled
ttyS00 at 0xf7800000 (irq = 10) is a Star_UART
STAR star9100 Driver, v1.9pek-d20cm (11/03/2005) - by PEK & Star Semi.
RAMDISK driver initialized: 16 RAM disks of 17408K size 1024 blocksize
PPP generic driver version 2.4.2
PPP MPPE compression module registered
PPP Deflate Compression module registered
SCSI subsystem driver Revision: 1.00
kmod: failed to exec /sbin/modprobe -s -k scsi_hostadapter, errno = 2
kmod: failed to exec /sbin/modprobe -s -k scsi_hostadapter, errno = 2
physmap flash device: 800000 at 10000000
phys_mapped_flash: Found 1 x16 devices at 0x0 in 16-bit bank
Amd/Fujitsu Extended Query Table at 0x0040
phys_mapped_flash: Swapping erase regions for broken CFI table.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
kmod: failed to exec /sbin/modprobe -s -k cmdlinepart, errno = 2
cmdlinepart partition parsing not available
kmod: failed to exec /sbin/modprobe -s -k RedBoot, errno = 2
RedBoot partition parsing not available
Using physmap partition definition
Creating 3 MTD partitions on "phys_mapped_flash":
0x00000000-0x00040000 : "bootROM"
0x00040000-0x007c0000 : "bootpImage"
0x007c0000-0x00800000 : "User FS"
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
hcd.c: ehci_hcd @ EHCI, EHCI_HCdriver
hcd.c: irq 24, pci mem c3005000
usb.c: new USB bus registered, assigned bus number 1
USB 1.0 enabled, EHCI 1.00, driver 2003-Dec-29/2.4
hub.c: USB hub found
hub.c: 2 ports detected
host/usb-ohci.c: USB OHCI at membase 0xc700c000, IRQ 23
host/usb-ohci.c: usb-OHCI, OHCI_HCdriver
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver usblp
printer.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usb.c: registered new driver usb-storage
USB Mass Storage support registered.
Linux video capture interface: v1.00
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
ip_conntrack version 2.1 (256 buckets, 2048 max) - 328 bytes per conntrack
ip_conntrack_pptp version $Revision: 1.8 $ loaded
ip_nat_pptp version $Revision: 1.4 $ loaded
ip_tables: (C) 2000-2002 Netfilter core team
ipt_recent v0.3.1: Stephen Frost <sfrost@snowman.net>. http://snowman.net/proje
cts/ipt_recent/
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Ebtables v2.0 registered
NET4: Ethernet Bridge 008 for NET4.0
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
Other stuff added by David S. Miller <davem@redhat.com>
NetWinder Floating Point Emulator V0.97 (double precision)
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 4516K
VFS: Mounted root (ext2 filesystem) readonly.
Freeing init memory: 64K
UART IRQ_ports = c02368b8
UART IRQ at interrupt number 0xa
ovcamchip_core.c: v2.28 : OV camera chip I2C driver
i2c-core.o: driver ovcamchip registered.
usb.c: registered new driver ov511
ov511_core.c: v2.28 : ov511 USB Camera Driver
pwc Philips webcam module version 9.0.2 loaded.
pwc Supports Philips PCA645/646, PCVC675/680/690, PCVC720[40]/730/740/750 & PCVC
830/840.
pwc Also supports the Askey VC010, various Logitech Quickcams, Samsung MPC-C10 a
nd MPC-C30,
pwc the Creative WebCam 5 & Pro Ex, SOTEC Afina Eye and Visionite VCS-UC300 and
VCS-UM100.
usb.c: registered new driver Philips webcam
pwc Philips webcam decompressor routines version 9.0-BETA-2
pwc Supports all cameras supported by the main module (pwc).
pwc Adding decompressor for model 645.
pwc Adding decompressor for model 646.
pwc Adding decompressor for model 675.
pwc Adding decompressor for model 680.
pwc Adding decompressor for model 690.
pwc Adding decompressor for model 720.
pwc Adding decompressor for model 730.
pwc Adding decompressor for model 740.
pwc Adding decompressor for model 750.
device eth0 entered promiscuous mode
device ra0 entered promiscuous mode
bre0: port 2(ra0) entering learning state
bre0: port 1(eth0) entering learning state
bre0: port 2(ra0) entering disabled state
bre0: port 2(ra0) entering disabled state
device ra0 left promiscuous mode
device ra0 entered promiscuous mode
bre0: port 2(ra0) entering learning state
device eth1 entered promiscuous mode
bre0: port 3(eth1) entering learning state
bre0: port 1(eth0) entering forwarding state
bre0: topology change detected, propagating
bre0: port 2(ra0) entering forwarding state
bre0: topology change detected, propagating
bre0: port 3(eth1) entering forwarding state
bre0: topology change detected, propagating
#

Connection to host lost.

is thera any other way to chanfe firmware .....

has any one tried the jtag

is there possibility to change it over telnet or tftp....

Where is difference in firmware.???

any one cen provide me help ?

pkucan · #19

too bad that this topic is dead

ariaci · #20

Hello!

I've flashed the 7links NAS with Amigo firmware ... it was a hard way but now it works!

At first I've corrupted my router by flashing firmware to mtdblock2 using linux-shell and "pekpekengeng"-hack ...
After this my router didn't respond to nothing anymore! No ping, no DHCP - nothing ...

I've opened my router and used a serial cable to connect to my NAS.
I've built my own cable. For reference purposes I've used this sites to built it - Thanx to the authors!

http://www.neolics.com/pdfs/dku-5.pdf
http://buffalo.nas-central.org/wiki/Use … inkstation

After this and connecting serial cable to my PC USB I could see the messages posted here:

https://forum.openwrt.org/viewtopic.php?id=22688

After some testing I found the keystroke to press: CTRL-C
Press this keystroke immediately after seeing the message: Hit any key to stop autoboot: 1

After pressing this keystroke in my terminal (I've used Putty) I've entered the ArmBoot-Console-Mode. Here you can repair the firmware using TFTPBOOT-command. At first use "printenv"-command to see all environment variables of ArmBoot. "ipaddr" is the address of your NAS and "serverip" is the IP of your TFTP-Server. Now setup your LAN-connection to the given serverip, connect a LAN-cable between the NAS and your PC and use this commands to boot another firmware:

tftpboot 0xcf00000 Ver2.0.4 > Enter
go 0xcf00000 > Enter

Now you should see all kernel messages of linux booting up ... You should know, that a reboot of your router will still boot the old firmware. With tftpboot we wrote the firmware to RAM not to flash.

I haven't found some commands in this ArmBoot-Version to permanently write the changes to flash. Because of this lack I've used the web-interface of the newly booted firmware via serial cable to write the same image again (used for tftpboot) to flash ...

That's it! For questions write into this topic ...

Ciao, ariaci - have fun!

pkucan · #21

Hi ariaci

i have question dis you use 3 pin or 4 pin cable where did you conect it and what is the pinout?

thank you

i am trying to change firmware but i can not get to ARM boot

ariaci · #22

Hi pkucan!

You need a connection to all FOUR pins to build your own serial cable. This is needed because you will need power and ground to work with some USB to serial adapters. Besides this you should add a LED like in the linked pdf to see if you've used the ciorrect pins ...

The serial port of the PE8074 is located behind the two USB connectors. You will see a small triangle in front of the first pin. This is the PWD pin. The layout is the following:

PWD - TX - RX - GND

This is taken from the PDF ... the colors of the cables of the USB to serial adapter are taken from nas-central ...

Feel free to ask other questions :-)
I think this is all you need to get a connection to ARMboot of the PE8074 ...

Ciao
ariaci

pkucan · #23

ariaci wrote:
Hi pkucan!

You need a connection to all FOUR pins to build your own serial cable. This is needed because you will need power and ground to work with some USB to serial adapters. Besides this you should add a LED like in the linked pdf to see if you've used the ciorrect pins ...

The serial port of the PE8074 is located behind the two USB connectors. You will see a small triangle in front of the first pin. This is the PWD pin. The layout is the following:

PWD - TX - RX - GND

This is taken from the PDF ... the colors of the cables of the USB to serial adapter are taken from nas-central ...

Feel free to ask other questions :-)
I think this is all you need to get a connection to ARMboot of the PE8074 ...

Ciao
ariaci

hi

i think i have found my problem i dont have an Original DKU5

but i have PL2303

could be this my problem?

ariaci · #24

Hi again!

My first cable used also an PL2303 chip. But I've had problems with this chip. Sometimes there was an output in Putty and sometimes not. That's why I've bought another cable. The second one is using a chip from ArkMicro. The complete USB to serial was named "ArkMicro USB to Serial" ... in the inner of this main cable you can find five or six cables (I don't know the exact number at this time because I've hidden all inner cables and can't see them anymore).

Please try another cable. I think this is the PL2303 chip causing all problems ...

Ciao
ariaci

Last edited by ariaci (2010-01-14 18:11:35)

GrahamMurphy · #25

I've had no problems with the Prolific 2302 USB to serial converter. However, I did end up having to examine the serial port a bit more closely. The triangle at one end of the header denotes pin 1. From memory (IE, I could have got Tx and Rx mixed up), the pinout is as follows:

1. TxD from computer
2. N/A - could be a 3.3V supply, could be something else?
3. RxD from computer
4. GND

Your terminal program needs to be set NOT to use hardware handshaking (CTS/RTS/DTR/DSR), as this is not available. The line settings are 38400, 8 data bits and 1 stop bit. Note, this is 3.3V logic, NOT RS232, so you'll need an appropriate USB to serial converter that runs at 3.3V. The Ctrl+C handling is a little odd, but I haven't looked into this yet.

Last edited by GrahamMurphy (2010-04-06 18:57:12)

OpenWrt

Announcement

7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Code:

Code:

Code:

Code:

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

acoul wrote:

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Code:

Code:

Code:

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

fabske wrote:

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

armijn wrote:

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

ariaci wrote:

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Re: 7Links 6in1 Multi-WLAN Router ( PE-8074 ) / Processor Star STR9105

Board footer