Trendnet TEW-632BRP

From X-Wrt

DISCLAIMER and EULA

Information contained herein is for educational purposes only. Use of any custom firmwares, or use of information derived from this article, comes with no warranties, expressed or implied. The user must understand that modifying hardware and/or software has risks (i.e. having an inoperable unit, or other risks not mentioned here). The user agrees to accept ALL liability for any and all damages, tangible and intangible, resulting from the use or misuse of this information, firmware images, and/or other content. The user further agrees to not hold any other party liable for damages resulting from the use or misuse of information, firmwares, or other content on this page. In particular, the user agrees there is risk, acknowledges the risk, and agrees to not hold the authors responsible for any damages, tangible or intangible, resulting from the use or misuse of any content here. To be clear, by using information, firmwares, and/or other content on this page, you agree to assume ALL risks, and accept liability for ALL damages, tangible or intangible.

Trendnet TEW-632BRP Research and Development

This affordable 802.11n router is about to have OpenWrt Kamikaze running on it. It is an ideal candidate due to its unusually large amount of RAM (32MB), sufficient amount of FLASH ROM (4MB), and a Linux 2.6 kernel firmware in use by the vendor. It also has a fast processor, and is indeed a truly modern wireless access point.

My personal experiences with using this router are that it performs very well. I've not had any problems, such as those reported by consumers on some purchasing sites. The hardware, at least on the two I have, seems solid and reliable. I suspect any problems that do arise can be fixed easily now that we can rebuild the vendor firmware images, and OpenWrt Kamikaze will someday be available for this platform.

Router Specs

  • Atheros 9130 System on a Chip - specs sheet - pdf press release
    • 400Mhz NPU (Network Processing Unit)
    • MIPS 32-bit CPU
    • AG7100 ethernet controller
    • AR5416 wifi 802.11n draft 2 compliant
    • Serial and JTAG interfaces
    • USB 2.0 host (unused in this router)
  • 4MB FLASH
  • 32MB DDR RAM
  • 2 detachable dipole antennas
/proc # cat /proc/cpuinfo
system type             : Atheros AR9100
processor               : 0
cpu model               : MIPS 24K V7.4
BogoMIPS                : 265.21
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16
VCED exceptions         : not available
VCEI exceptions         : not available

The boot loader

This router uses U-Boot 1.1.4. It passes the command line parameters that define the mtd partitions, and other things, on to the kernel. Therefore, customized kernels will probably need to ignore this command line and have the mtd partitions hard-coded (or dynamically calculated) in the MTD device driver.

AP81 (ar7100) U-boot
DRAM:  
sri
32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 175k for U-Boot at: 81fd4000
Reserving 192k for malloc() at: 81fa4000
Reserving 44 Bytes for Board Info at: 81fa3fd4
Reserving 36 Bytes for Global Data at: 81fa3fb0
Reserving 128k for boot params() at: 81f83fb0
Stack Pointer at: 81f83f98
Now running in RAM - U-Boot at: 81fd4000
id read 0x10000107
flash size 4MB, sector count = 64
Flash:  4 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
Fetching MAC Address from 0x81fee1a8
eth0: 54:b1:45:00:90:55
eth0 up
eth0
httpd init
ar7100> 
ar7100> printenv
bootargs=console=ttyS0,115200 root=31:03 rootfstype=squashfs,jffs2 init=/sbin/init mtdparts=ar7100-nor0:128k(u-boot),64k(Config),1024k(vmlinux),2752k(rootfs),128k(ART)
bootcmd=bootm 0xbf030000
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=192.168.0.1
serverip=192.168.0.103
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 342/65532 bytes
ar7100>

The PCB

The serial port

This device has a single serial port exposed in an unpopulated 4-pin header. It's a 5v serial port, running at 115200 8n1. You'll need a TTL converter to raise it to the voltages required by the serial ports on most PCs. Alternatively, you can connect it to another device with a serial port running at 3.3v.

Serial port:

pin 1 = +5V
pin 2 = RX
pin 3 = TX
pin 4 = Ground

Pin orientation note: pin 1 is marked with a square on the PCB, it is the one farthest from the network switch. Therefore, in the pictures below (antennas on bottom), the orientation is "4 3 2 1".

Of course, until you populate the empty pin holes, there will be no pins ;).

SERIAL OUTPUT FROM SYSTEM BOOT OF VENDOR FIRMWARE FOLLOWS:

U-Boot 1.1.4 (Aug 23 2007 - 14:10:59)

AP81 (ar7100) U-boot
DRAM:  
sri
32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 175k for U-Boot at: 81fd4000
Reserving 192k for malloc() at: 81fa4000
Reserving 44 Bytes for Board Info at: 81fa3fd4
Reserving 36 Bytes for Global Data at: 81fa3fb0
Reserving 128k for boot params() at: 81f83fb0
Stack Pointer at: 81f83f98
Now running in RAM - U-Boot at: 81fd4000
id read 0x10000107
flash size 4MB, sector count = 64
Flash:  4 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
Fetching MAC Address from 0x81fee1a8
eth0: 54:b1:45:00:90:55
eth0 up
eth0
## Booting image at bf030000 ...
   Image Name:   Linux Kernel Image
   Created:      2008-06-02   4:38:22 UTC
   Image Type:   MIPS Linux Kernel Image (lzma  compressed)
   Data Size:    847106 Bytes = 827.3 kB
   Load Address: 80060000
   Entry Point:  802ab000
   Verifying Checksum ... OK
   LZMA Umcompressing Kernel Image ...  Image loaded from 80060000-802cc084
 OK
No initrd
## Transferring control to Linux (at address 802ab000) ...
## Giving linux memsize in bytes, 33554432
 
Starting kernel ...
 
Linux version 2.6.15--LSDK-7.1.2.27 (root@localhost.localdomain) (gcc version 3.4.4) #641 Mon Jun 2 12:28:49 CST 2008
setup_arch:
 
cpu_probe:
PRID_COMP_MIPS CPU
prom_init:flash_size passed from bootloader = 4M
arg 1: console=ttyS0,115200
arg 2: root=31:03
arg 3: rootfstype=squashfs,jffs2
arg 4: init=/sbin/init
arg 5: mtdparts=ar7100-nor0:128k(u-boot),64k(Config),1024k(vmlinux),2752k(rootfs),128k(ART)
cpu_report:CPU revision is: 00019374
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
setup_arch: end

Built 1 zonelists
Kernel command line: console=ttyS0,115200 root=31:03 rootfstype=squashfs,jffs2 init=/sbin/init mtdparts=ar7100-nor0:128k(u-boot),64k(Config),1024k(vmlinux),2752k(rootfs),128k(ART)
Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
PID hash table entries: 256 (order: 8, 4096 bytes)
Using 200.000 MHz high precision timer.
Console: colour dummy device 80x25
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 29120k/32768k available (1951k kernel code, 3632k reserved, 392k data, 136k init, 0k highmem)
Mount-cache hash table entries: 512
Checking for 'wait' instruction...  available.
NET: Registered protocol family 16
calling simple_config callback..
SCSI subsystem initialized
TC classifier action (bugs to netdev@vger.kernel.org cc hadi@cyberus.ca)
AR7100 GPIOC major 0
squashfs: version 3.1 (2006/08/19) Phillip Lougher
Initializing Cryptographic API
io scheduler noop registered
io scheduler deadline registered
HDLC line discipline: version $Revision: 1.1.1.1 $, maxframe=4096
N_HDLC line discipline registered.
Serial: 8250/16550 driver $Revision: 1.1.1.1 $ 4 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x0 (irq = 19) is a 16550A
RAMDISK driver initialized: 1 RAM disks of 8192K size 1024 blocksize
PPP generic driver version 2.4.2
PPP MPPE Compression module registered
NET: Registered protocol family 24
PPTP driver version 0.7.12
5 cmdlinepart partitions found on MTD device ar7100-nor0
Creating 5 MTD partitions on "ar7100-nor0":
0x00000000-0x00020000 : "u-boot"
0x00020000-0x00030000 : "Config"
0x00030000-0x00130000 : "vmlinux"
0x00130000-0x003e0000 : "rootfs"
0x003e0000-0x00400000 : "ART"
GACT probability on
Mirror/redirect action on
Simple TC action Loaded
netem: version 1.1
u32 classifier
    Perfomance counters on
    input device check on 
    Actions configured 
NET: Registered protocol family 2
IP route cache hash table entries: 512 (order: -1, 2048 bytes)
TCP established hash table entries: 2048 (order: 1, 8192 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
ip_conntrack version 2.4 (256 buckets, 2048 max) - 232 bytes per conntrack
ip_conntrack_pptp version 3.1 loaded
ip_nat_pptp version 3.0 loaded
ip_tables: (C) 2000-2002 Netfilter core team
ipt_time loading
ipt_recent v0.3.1: Stephen Frost <sfrost@snowman.net>.  http://snowman.net/projects/ipt_recent/
ClusterIP Version 0.8 loaded successfully
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
ar7100wdt_init: Registering WDT success
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 136k freed
init started:  BusyBox v1.01 (2008.06.02-04:29+0000) multi-call binary
Algorithmics/MIPS FPU Emulator v1.5
 
Please press Enter to activate this console. insmod /lib/modules/2.6.15/net/ag7100_mod.ko wan_speed=auto
ag7100_mod: module license 'unspecified' taints kernel.
AG7100: Length per segment 1536
ifconfig eth0 down
ifconfig eth0 hw ether 0014d1509ca6
ifconfig eth0 up
Writing 4
eth0: Cannot assign requested address
ifconfig eth1 down
ifconfig eth1 hw ether 00508d7f8952
ifconfig eth1 up
ATHRS26: resetting s26
ATHRS26: s26 reset done
Writing 6
eth1: Cannot assign requested address
brctl addbr br0
brctl stp br0 off
brctl setfd br0 0
brctl addif br0 eth0
device eth0 entered promiscuous mode
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
ImgCheckSum=671a095
hostname "TEW-632BRP"
date -s  060212292008 
Mon Jun  2 12:29:00 UTC 2008
syslogd -s 20 -b 0 &
insmod /lib/modules/2.6.15/net/gpio_mod.ko
Entry gpio_ioctl init_module !!
sh: dcc: not found
lld2d br0 &
rc is BUSY now!
eth1: Cannot assign requested address
/var/sbin/wantimer &
udhcpc -w dhcpc -i eth1 -H "TEW-632BRP"  -s /usr/share/udhcpc/default.bound-dns  &
ifconfig eth1 mtu 1500
DHCP client start.
eth0: Cannot assign requested address
udhcpd &
insmod /lib/modules/2.6.15/net/ath_hal.ko
domain empty
Failure parsing line 19 of /var/etc/udhcpd.conf
Failure parsing line 20 of /var/etc/udhcpd.conf
Failure parsing line 21 of /var/etc/udhcpd.conf
DHCP server start.
device_lan_ip=192.168.1.99 , device_lan_subnet_mask=255.255.255.0
max_leases value (254) not sane, setting to 80 instead
Unable to open /var/misc/udhcpd.leases for reading
ath_hal: 0.9.17.1 (AR5416, DEBUG, REGOPS_FUNC, WRITE_EEPROM, 11D)
insmod /lib/modules/2.6.15/net/wlan.ko
wlan: 0.8.4.2 (Atheros/multi-bss)
insmod /lib/modules/2.6.15/net/ath_rate_atheros.ko
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
rg2Country regdomain =16insmod /lib/modules/2.6.15/net/ath_dev.ko regdomain=58 countrycode=840
ath_dev: no version for "_ath_hal_attach" found: kernel tainted.
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
insmod /lib/modules/2.6.15/net/ath_ahb.ko 
ath_ahb: 0.9.4.5 (Atheros/multi-bss)
Howl Revision ID 0xb4 <6>No MBSSID aggregation support<6>wifi0: Atheros AR9100 WiSoC: mem=0xb80c0000, irq=2
insmod /lib/modules/2.6.15/net/wlan_xauth.ko
insmod /lib/modules/2.6.15/net/wlan_ccmp.ko
insmod /lib/modules/2.6.15/net/wlan_tkip.ko
insmod /lib/modules/2.6.15/net/wlan_wep.ko
insmod /lib/modules/2.6.15/net/wlan_acl.ko
wlan: mac acl policy registered
insmod /lib/modules/2.6.15/net/ath_pktlog.ko
eth1      Link encap:Ethernet  HWaddr 00:50:8D:7F:89:52  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

insmod /lib/modules/2.6.15/net/wlan_scan_ap.ko
ifconfig wifi0 hw ether 0014d1509ca6
deleting routers
route: SIOC[ADD|DEL]RT: No such process
wlanconfig ath0 create wlandev wifi0 wlanmode ap
ath0
ifconfig ath0 hw ether 0014d1509ca6
iwpriv ath0 ar 0
iwpriv ath0 chanbw 0
iwconfig ath0 essid "nnet"
ifconfig eth1 0.0.0.0
iwconfig ath0 rts 2346
Sending discover...
iwconfig ath0 frag 2346
iwpriv ath0 countryie 0
ieee80211_ioctl_setparam: CHH Calling ieee80211_open
iwpriv ath0 bgscan 0
iwpriv wifi0 HALDbg 0
iwpriv ath0 dbgLVL 0x100
ifconfig ath0 txqueuelen 1000
ifconfig wifi0 txqueuelen 1000
iwpriv ath0 shortgi 1
iwpriv ath0 mode 11NGHT40MINUS
ieee80211_ioctl_setmode: CHH Mode: 11NGHT40MINUS
iwpriv wifi0 ForBiasAuto 1
iwpriv ath0 cwmmode 1
iwpriv wifi0 AMPDU 1
ath_set_config: Setting ATH parameter
iwpriv wifi0 AMPDUFrames 32
ath_set_config: Setting ATH parameter
iwpriv wifi0 AMPDULim 50000
ath_set_config: Setting ATH parameter
iwpriv ath0 ampdumin 32768
iwpriv wifi0 ANIEna 0
iwpriv wifi0 txchainmask 5
ath_set_config: Setting ATH parameter
iwpriv wifi0 rxchainmask 5
ath_set_config: Setting ATH parameter
echo 1 > /proc/sys/dev/ath/htdupieenable
iwpriv ath0 puren 1
iwpriv ath0 extoffset -1
iwconfig ath0 channel 7
iwpriv ath0 privacy 1
iwpriv ath0 wpa 2
ieee80211_ioctl_setparam: IOCTL Set WPA: 2
ieee80211_ioctl_setparam: CHH Calling ieee80211_open
iwpriv ath0 wmm 0
ieee80211_ioctl_setparam: CHH Calling ieee80211_open
iwpriv ath0 wds 0
iwpriv ath0 hide_ssid 0
ieee80211_ioctl_setparam: CHH Calling ieee80211_open
iwpriv ath0 bintval 100
ieee80211_ioctl_setparam: CHH Calling ieee80211_open
iwpriv ath0 dtim_period 1
ieee80211_ioctl_setparam: CHH Calling ieee80211_open
iwpriv ath0 maccmd 0
brctl addif br0 ath0
device ath0 entered promiscuous mode
hostapd -B /tmp/hostapd.conf.0.0
ifconfig eth1 0.0.0.0
Sending discover...
Configuration file: /tmp/hostapd.conf.0.0
Using interface ath0 with hwaddr 00:14:d1:50:9c:a6 and ssid 'nnet'
wantimer: dhcpc_release (VCT_DISCONNECT)
DHCPC Received SIGUSR2=>DHCPC Release
Performing a DHCPC release
Entering released state
ieee80211_ioctl_setparam: CHH Calling ieee80211_open
ieee80211_ioctl_setparam: CHH Calling ieee80211_open
ieee80211_ioctl_setparam: CHH Calling ieee80211_open
ieee80211_ioctl_setparam: CHH Calling ieee80211_open
ieee80211_ioctl_setparam: IOCTL Set WPA: 2
ieee80211_ioctl_setparam: CHH Calling ieee80211_open
ieee80211_ioctl_setparam: CHH Calling ieee80211_open
Country ie is US 
br0: port 2(ath0) entering learning state
br0: topology change detected, propagating
br0: port 2(ath0) entering forwarding state
Flushing old station entries
Deauthenticate all stations
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
ifconfig ath0 up
tftpd &
TFTP main
standard_tftp_server launched on port 69.
miniupnpd &
dnsmasq -i br0 &
date -s  060212292008 
Mon Jun  2 12:29:00 UTC 2008
igmpproxy &
ERRO: There must be at least 2 Vif's where one is upstream.
wan_ipaddr == NULL, firewall don't start
Start Firewall: Clear iptables
rc is IDLE now!

Then a process listing (through serial shell):

/ # ps -a
 PID  Uid     VmSize Stat Command
   1 root        368 S   init       
   2 root            SWN [ksoftirqd/0]
   3 root            SW  [watchdog/0]
   4 root            SW< [events/0]
   5 root            SW< [khelper]
   6 root            SW< [kthread]
   7 root            SW< [kblockd/0]
   8 root            SW  [pdflush]
   9 root            SW  [pdflush]
  11 root            SW< [aio/0]
  10 root            SW  [kswapd0]
  12 root            SW  [mtdblockd]
  19 root       1092 S   rc init 
  21 root        456 S   /bin/ash 
  53 root        304 S   syslogd -s 20 -b 0 
  59 root        244 S   klogd 
  61 root        168 S   /sbin/gpio SYSTEM check 
  63 root        392 S   httpd 
  65 root        288 R   timer 
  73 root        252 S   lld2d br0 
  77 root        260 S   gpio STATUS_LED blink 
  79 root        324 S   /var/sbin/wantimer 
  83 root        332 S   udhcpc -w dhcpc -i eth1 -H TEW-632BRP -u -s /usr/shar
 103 root        264 S   miniupnpd 
 115 nobody      308 S   dnsmasq -i br0 
 131 root        208 S   tftpd 
 137 root        260 S   mailosd 
 167 root        352 R   ps -a 


JTAG

The (E)JTAG is exposed via a 14-pin header.

Ref1: [1]

Probable pin layout (untested, the grounds appear correct though):

nTRST  1  2 GND
TDI    3  4 GND
TDO    5  6 GND
TMS    7  8 GND
TCK    9 10 GND
nSRST 11 12 -key
DINT  13 14 VCC

Building apps for this device

The toolchain

The cross-compiler, linker, and other platform specific build utilities are now available in the distributed toolchain. Download the vendor GPL sources to get the toolchain.

Firmware image format

The firmware image is extremely simple. It doesn't even have a checksum count, which I find appalling. You can put in a new squashfs-lzma compressed filesystem image and won't have to change another byte in the firmware. The firmware is always padded to be the size of the ROM minus the boot loader and config areas (0x3B0000 = 3,866,624 bytes). Then a device ID tag is added, making it a little bigger (24 bytes).

The squashfs filesystem will start at a 64KB boundary, and will probably always be static at 1MB (0x100000). It is a squashfs-lzma 3.2-r2 filesystem. Unsquashfs-lzma can handle it, but you need to make sure you use the same lzma variant when recompressing it with mksquashfs-lzma. I've included this variant (ripped from the TEW-637AP GPL source) in the Firmware Modification Kit under the 'src/squashfs-3.2-r2-lzma' directory, but have not really integrated it with the scripts in the kit.

I wrote a utility to deal with this format, but it turns out to be so simple that maybe just using a little shell script is the best way to manipulate it.

Cursory layout:

0x000000: [compressed linux kernel image (lzma)] - currently linux 2.6.15
0x100000: [squashfs-lzma 3.2-r2 rootfs image]    - squashfs-lzma 3.2-r2
         -- padded and aligned to end of ROM --- to 0x3B0000
0x3B0000: [footer, image id]                     - "AP81-AR9130-RT-070614-00" (TEW632BRP 1.0) || "AP81-AR9130-RT-070614-02" (DIR-615)
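
The following Python script is an added example, not part of the original page or of the Firmware Modification Kit. It reads an image according to the layout above, reports the footer ID, and computes SHA-256 hashes that the format itself does not carry. It assumes the kernel at offset 0 has a U-Boot legacy image header (inferred from the bootm output in the boot log) and that the rootfs begins with a standard squashfs magic; the function names and the sample image are constructed for illustration.

```python
import hashlib
import struct
import zlib

ROOTFS_OFFSET = 0x100000   # squashfs start, from the layout above
FOOTER_OFFSET = 0x3B0000   # image is padded up to here
FOOTER_LEN = 24            # device ID tag appended after the padding
KNOWN_IDS = {              # both IDs are quoted on this page
    b"AP81-AR9130-RT-070614-00": "TEW-632BRP 1.0",
    b"AP81-AR9130-RT-070614-02": "DIR-615",
}
UIMAGE_MAGIC = 0x27051956  # U-Boot legacy header (assumed from the bootm log)
UIMAGE_HDR = struct.Struct(">7I4B32s")   # 64 bytes, big-endian
SQUASHFS_MAGICS = (b"sqsh", b"hsqs")     # standard big/little-endian magics (assumption)


def kernel_crc_ok(blob):
    """Check the uImage header CRC and data CRC of the kernel at offset 0."""
    magic, hcrc, _t, size, _load, _ep, dcrc, *_ = UIMAGE_HDR.unpack_from(blob, 0)
    if magic != UIMAGE_MAGIC or UIMAGE_HDR.size + size > ROOTFS_OFFSET:
        return False
    hdr = bytearray(blob[:UIMAGE_HDR.size])
    hdr[4:8] = b"\0\0\0\0"          # header CRC is computed with its own field zeroed
    data = blob[UIMAGE_HDR.size:UIMAGE_HDR.size + size]
    return zlib.crc32(hdr) == hcrc and zlib.crc32(data) == dcrc


def inspect_image(blob):
    """Return what the format lets us check, plus hashes it does not carry."""
    if len(blob) != FOOTER_OFFSET + FOOTER_LEN:
        raise ValueError("unexpected image size %#x" % len(blob))
    hw_id = blob[FOOTER_OFFSET:]
    return {
        "hw_id": hw_id.decode("ascii", "replace"),
        "device": KNOWN_IDS.get(hw_id, "unknown"),
        "kernel_crc_ok": kernel_crc_ok(blob),
        "rootfs_magic_ok": blob[ROOTFS_OFFSET:ROOTFS_OFFSET + 4] in SQUASHFS_MAGICS,
        "rootfs_sha256": hashlib.sha256(blob[ROOTFS_OFFSET:FOOTER_OFFSET]).hexdigest(),
        "image_sha256": hashlib.sha256(blob).hexdigest(),
    }


def make_sample(hw_id=b"AP81-AR9130-RT-070614-00"):
    """Constructed stand-in image (not real firmware) with the page's layout."""
    kernel = b"constructed-kernel-payload" * 64
    # os=5 (Linux), arch=5 (MIPS), type=2 (kernel), comp=3 (lzma)
    fields = [UIMAGE_MAGIC, 0, 0, len(kernel), 0x80060000, 0x802AB000,
              zlib.crc32(kernel), 5, 5, 2, 3, b"Linux Kernel Image"]
    fields[1] = zlib.crc32(UIMAGE_HDR.pack(*fields))
    head = UIMAGE_HDR.pack(*fields) + kernel
    rootfs = b"sqsh" + b"constructed-rootfs" * 1000
    body = head.ljust(ROOTFS_OFFSET, b"\xff") + rootfs
    return body.ljust(FOOTER_OFFSET, b"\xff") + hw_id


if __name__ == "__main__":
    good = make_sample()
    tampered = bytearray(good)
    tampered[ROOTFS_OFFSET + 100] ^= 0x01      # change one rootfs byte
    for label, img in (("original", good), ("rootfs modified", bytes(tampered))):
        r = inspect_image(img)
        print(label, r["device"], "kernel CRC ok:", r["kernel_crc_ok"],
              "sha256:", r["image_sha256"][:16])
```

Both images pass every check the layout allows, and only the SHA-256 values differ, so a hash recorded from a known-good build is the thing to compare before flashing.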

Default vendor firmware attributes

  • Linux 2.6.15 MIPS-32 kernel
  • Simple web UI, few features. Only the most basic.
  • Simple non-TRX image format, no obfuscation or encryption.
  • SquashFS 3.3-r2 /w LZMA patches
  • TFTP server active and open post-boot, presumably accepting firmware image PUTs.
  • Telnetd and SSH (dropbear or opensshd) not present in the firmware image.
  • Open shell in serial console only.
  • WDS, client mode, and repeater mode not supported in web UI - script support exists ( see /etc/ath )
  • multi-SSID not supported in web UI, script support exists ( see /etc/ath )

Loaded kernel modules

/ # lsmod
Module                  Size  Used by
wlan_scan_ap 10592 0 - Live 0xc00af000
ath_pktlog 16288 0 - Live 0xc00f2000
wlan_acl 5536 1 - Live 0xc00b6000
wlan_wep 7168 0 - Live 0xc00b3000
wlan_tkip 14752 1 - Live 0xc0098000
wlan_ccmp 9760 0 - Live 0xc009d000
wlan_xauth 1568 0 - Live 0xc0013000
ath_ahb 55504 0 - Live 0xc00c3000
ath_dev 112768 2 ath_pktlog,ath_ahb, Live 0xc00d5000
ath_rate_atheros 41776 2 ath_pktlog,ath_dev, Live 0xc00a3000
wlan 250544 10 wlan_scan_ap,ath_pktlog,wlan_acl,wlan_wep,wlan_tkip,wlan_ccmp,wlan_xauth,ath_ahb,ath_dev, Live 0xc0022000
ath_hal 204336 4 ath_pktlog,ath_ahb,ath_dev, Live 0xc0061000
ip_nat_ftp 3072 0 - Live 0xc000d000
ip_conntrack_ftp 6736 1 ip_nat_ftp, Live 0xc0015000
gpio_mod 1888 4 - Live 0xc000f000
ag7100_mod 31792 0 - Live 0xc001900

GPL source code

After requesting Trendnet post the GPL source code on their download site, they did so. I've now retrieved it and committed it to a project at Berlios. If you would like commit access to this project, email jeremy.collake@gmail.com .

Building the vendor firmware

One of the first issues you'll see is that hard-coded absolute paths are used. For now, you'll need to follow the instructions in the readme and set up the build environment as it suggests. Next you'll encounter some cases of lost filenames because PKZIP compressed the distribution without case sensitivity.

The apps can be built independently of the kernel with 'make apps'. You can configure Busybox through its own menu config, which isn't exposed in the root menu config. You'll see the target filesystem in the 'target' directory.

The filesystem, kernel, and combined firmware images can be created with the scripts and utilities you see in the tools directory.

Unbricking the router

Recovery mode - UBoot httpd

If you hold down the hard reset button and power on the device, the boot loader will enter an emergency flash mode and load an httpd. Go to 192.168.10.1. Interestingly, the router is identified as a D-Link DIR-615. Thanks to Mr. Fizz for discovering this.

DRAM:  
sri
32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 175k for U-Boot at: 81fd4000
Reserving 192k for malloc() at: 81fa4000
Reserving 44 Bytes for Board Info at: 81fa3fd4
Reserving 36 Bytes for Global Data at: 81fa3fb0
Reserving 128k for boot params() at: 81f83fb0
Stack Pointer at: 81f83f98
Now running in RAM - U-Boot at: 81fd4000
id read 0x10000107
flash size 4MB, sector count = 64
Flash:  4 MB
In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
Fetching MAC Address from 0x81fee1a8
eth0: 54:b1:45:00:90:55
eth0 up
eth0
httpd init
.... [omitted]..
is 3866648,0x3b0018
Image Hardware ID is AP81-AR9130-RT-070614-00
 HWID_LOCATION = 0xbf000400 
Upgrade Firmware.........
entry point = 80060000, flash base = bf030000 total_filesize = 3b0018
 First 0x3 last 0x3f
write addr: bf030000

JTAG

See the section on JTAG. I've not completed this research yet.

Aftermarket Firmwares

TrendNet /w telnetd and more (db90h edition)

This is a lightly modified version of the TrendNet vendor firmware. It has an extended Busybox build, with telnetd and more, so you can log in to the router and play with it. A more useful alternate firmware will come soon.

  1. WARNING: as a debug/toy build, telnetd is enabled /w 'root' login and no password.
  2. WARNING 2: USE AT YOUR OWN RISK. THE CODE IS NOT COMPLETE. IT IS A TOY TO LET PEOPLE TELNET INTO THEIR ROUTERS AND PLAY.

Supports both A1.0 and A1.1 versions of the TEW-632BRP. Download: TrendNet TEW-632BRP db90h Edition Firmwares

D-Link DIR615RevC Firmware

The D-Link DIR615 runs on the same hardware as the TrendNet TEW-632BRP. With a little tweak to the platform ID, the DIR615's firmware images can therefore be flashed onto it.

Supports both A1.0 and A1.1 versions of the TEW-632BRP. Download: DIR615 Modified for TEW-632BRP, another source is DD-WRT forum link.

OpenWrt progress

OpenWrt Kamikaze will boot on this device, but it still needs more work to be fully functional.

Hacking features in

Creating multiple wireless interfaces

The platform fully supports multiple virtual wireless network interfaces (multi-BSSID).

You can create new interfaces using the Atheros configuration scripts in /etc/Ath and/or the wlanconfig utility. For those experienced with Linux networking and wireless networking, it should be pretty easy. You can create virtual wireless interfaces in master (AP), managed (station), wds, and other? modes. As a side note, you can also use the wlanconfig tool to scan for available access points and more (i.e. wlanconfig ath0 list scan).

I've personally successfully created a virtual station/client network interface and had it connect to another TEW-632BRP in AP mode. I didn't use any encryption, but everything should work. I didn't finish setting up the linux network interfaces and bridges so that LAN and WLAN clients on the station mode router could 'see' the other router -- but the station mode router itself could communicate freely to the managed mode router (telnet'ing in). Anyway, a secondary WLAN client-mode interface does indeed seem to work just fine.

Manual usage of Atheros scripts (create ath1 in managed client mode -- assuming only ath0 has been created thus far):

makeVAP sta my_ssid
activateVAP ath1 br0 NONE

Pictures

Image:Tew632brp-top_thumb.jpg Unmodified top view Image:Tew632brp-bottom_thumb.jpg Unmodified bottom view

Image:Tew632brp-serial-hookup-thumb.jpg Serial port installed
