
Interesting Atheros SoC based low-cost device with 4 port switch

Flashing a low-cost router D-Link DIR-300 based on Atheros AR2317 SoC

The Atheros AR2317 is a highly integrated low-cost chipset for wireless routers, which we are considering for the hardware design of the mesh potato. In order to test the chipset with OpenWRT we bought a few D-Link DIR-300 routers to test with an existing product. The DIR-300 is available for ~26 Euro from cheap retail shops in Germany - that is less than half the price of a Linksys WRT54GL and about a third the price of a Ubiquiti NS-2. It features 4MB flash and 16MB RAM, a 4 port switch, 1 WAN port, a 180MHz MIPS (Big Endian) CPU, the open-source RedBoot bootloader, a switched mode onboard DC/DC converter, one R-SMA antenna socket, an on-board serial port and a JTAG port. The device is much smaller than the Linksys WRT54GL, so outdoor boxes can be much cheaper and easier to mount than outdoor boxes for the Linksys.

I'll assume that the workstation you use is running Linux. Most operations require root privileges, and we have to work on the command line interface.

As always, the usual disclaimer: You will void the guarantee and you may brick your router. You can always revive it using JTAG - as long as you don't physically damage the hardware - but bootstrapping a router with a broken bootloader involves more advanced hacking and soldering. You have been warned! In case this warning comes too late, or you just want to get your hands dirty in the basement of your router, you can find JTAG instructions and a JTAG tool to flash every bit in the flash chips of the MP01 or DIR-300 routers here: [[1]] Note that you cannot flash the DIR-300/Airlink AR430W with the RedBoot bootloader from the Mesh-Potato! RAM and ROM size are different, so you have to use the RedBoot file ap61.rom which is linked from this page. The JTAG pin header is also different:

[Image: DIR-300 AR430W JTAG-Header.gif]

If you are not eager to hack with JTAG I'd strongly recommend that you don't disconnect the device from power while you perform the operations described below - unless you absolutely have to - chances are that you may brick it. So take care that the power supply is stable and you are not relying on loose contacts. Again: Don't blame us - you have been warned!

  • Open a shell (terminal) and become system administrator root:
     sudo su 
  • Install a TFTP server like *atftpd* - using Debian or Ubuntu you can just perform
     apt-get install atftpd 
  • Create a directory /tftpboot:
     mkdir /tftpboot 
  • Copy openwrt-atheros-root.squashfs and openwrt-atheros-vmlinux.lzma from http://downloads.open-mesh.net/mesh-potato/ into the /tftpboot directory.
  • Download ap61.ram and ap61.rom from http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads/v24/Atheros+WiSoc/Airlink+101+AR430W and copy both files into the /tftpboot directory.
  • Start atftpd:
     atftpd --daemon 
  • Connect the WAN port of the DIR-300 directly to the workstation's Ethernet port with a network cable (straight or cross-link doesn't matter, but don't use a switch!)
  • Configure the IP address of the ethernet interface of your notebook or workstation to be 192.168.20.80/24 (assuming it is eth0, could be different on your machine):
     ip a add 192.168.20.80/24 dev eth0 
  • Ensure the interface is up:
     ip link set dev eth0 up 
  • Press and hold the reset button on the backside of the DIR-300 with a paperclip or the like while it is powered off.
  • Connect power while holding the reset button. Hold the reset button for 30 seconds while the device is booting.
  • Telnet to 192.168.20.81 port 9000, you should see the Redboot command line prompt now.
  • Perform
     load ap61.ram 
  • Then enter and execute
     go 

You will be disconnected from the telnet session, and it will look as if the telnet program is stuck. Stop the telnet program by typing ^] (Ctrl+]) and quit telnet, but do not reboot the D-Link!

  • Add yet another IP address to your ethernet port:
     ip a add 192.168.1.2/24 dev eth0 label eth0:0
  • Telnet to 192.168.1.1 port 9000, you should see the command line prompt again. You are now running a different RedBoot bootloader from RAM. The bootloader prompt will tell you it is DD-WRT now. So far we haven't changed anything permanently: if you rebooted the DIR-300 now, the new bootloader would be gone (and you would have to start over again by pressing the reset button).

We are now about to flash the RedBoot bootloader and make the new bootloader permanent. Perform this with care, it is a critical step - if the bootloader update fails you have no means to talk to the device anymore via a serial console or network access. There is still a way to revive it, however: This requires soldering JTAG pins to the board and flashing a new RedBoot bootloader with a JTAG cable.

  • Enter the commands as shown here:
 
DD-WRT> fconfig -i
Initialize non-volatile configuration - continue (y/n)? y
Run script at boot: false
Use BOOTP for network configuration: true
Default server IP address:
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x807f0000-0x80800000 at 0xbffe0000: .

DD-WRT> ip_address -h 192.168.1.2
Default server: 192.168.1.2

DD-WRT> load -r -b %{FREEMEMLO} ap61.rom
Using default protocol (TFTP)
Raw file loaded 0x80080000-0x800a8717, assumed entry at 0x80080000

DD-WRT> fis create -l 0x30000 -e 0xbfc00000 RedBoot
An image named 'RedBoot' exists - continue (y/n)? y
... Erase from 0xbfc00000-0xbfc30000: ...
... Program from 0x80080000-0x800a8718 at 0xbfc00000: ...
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x807f0000-0x80800000 at 0xbffe0000: .
DD-WRT> reset

The device will now reboot.

  • Wait about 30 seconds.
  • Telnet to 192.168.1.1 port 9000, you should see the command line prompt again.
  • Enter the commands as shown here:
 


DD-WRT> ip_address -h 192.168.1.2
Default server: 192.168.1.2

DD-WRT> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80040800-0x801007ff, assumed entry at 0x80040800
DD-WRT> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
... Erase from 0xbfc30000-0xbfcf0000: ............
... Program from 0x80040800-0x80100800 at 0xbfc30000: ............
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
Raw file loaded 0x80040800-0x802207ff, assumed entry at 0x80040800
DD-WRT> fis create rootfs
... Erase from 0xbfcf0000-0xbffe0000: ...............................................
... Program from 0x80040800-0x80220800 at 0xbfcf0000: ..............................
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> fconfig -d
Run script at boot: true
Boot script:
Enter script, terminate with empty line
>> fis load -l vmlinux.bin.l7
>> exec
>>
Boot script timeout (1000ms resolution): 5
Use BOOTP for network configuration: false
Gateway IP address: 192.168.1.2
Local IP address: 192.168.1.1
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.2
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> reset


The device will now reboot and start the newly installed firmware. After about 1-2 minutes you can telnet to the device. Since it is now running OpenWRT Kamikaze, the IP address is different yet again: the Mesh-Potato image is configured by default to use the IP address 192.168.1.20, so you can telnet to 192.168.1.20 without entering a port number. As a first step you should now set a password using the
 passwd 
command. This will disable telnet access (unsafe) and enable ssh (encrypted), so after the next reboot you have to use the ssh command; the device will no longer respond to telnet.
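
A pre-flight check for the image files in /tftpboot, to be run on the workstation before the RedBoot steps above; this is an added example, not part of the original instructions. The erase block size and partition bounds are read off the RedBoot transcripts on this page, the function names are hypothetical, and the printed SHA-256 values are only meaningful when compared with checksums obtained from the download sites, which this page does not list.

```shell
#!/bin/sh
# Added example: pre-flight check of the images in the TFTP directory.
# Constants are read off the RedBoot transcripts on this page.
BLOCK=$((0x10000))                       # erase granularity seen in the logs
REDBOOT_MAX=$((0x30000))                 # "fis create -l 0x30000 ... RedBoot"
IMAGE_AREA=$((0xbffe0000 - 0xbfc30000))  # kernel + rootfs, up to the FIS directory

# Size of a file in bytes, normalised to a plain integer.
fsize() { echo $(( $(wc -c < "$1") )); }

# Round a byte count up to whole erase blocks.
round_up() { echo $(( ($1 + $BLOCK - 1) / $BLOCK * $BLOCK )); }

# Report size and SHA-256 of one file; fail if it is missing or empty.
inspect() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    echo "$1: $(fsize "$1") bytes, sha256 $(sha256sum "$1" | cut -d' ' -f1)"
}

# check_images DIR: succeed only if every image exists and fits its region.
check_images() {
    dir=$1
    for f in ap61.ram ap61.rom openwrt-atheros-vmlinux.lzma \
             openwrt-atheros-root.squashfs; do
        inspect "$dir/$f" || return 1
    done
    if [ "$(fsize "$dir/ap61.rom")" -gt "$REDBOOT_MAX" ]; then
        echo "ap61.rom is larger than the 0x30000 RedBoot partition" >&2
        return 1
    fi
    kernel=$(round_up "$(fsize "$dir/openwrt-atheros-vmlinux.lzma")")
    rootfs=$(round_up "$(fsize "$dir/openwrt-atheros-root.squashfs")")
    need=$(( $kernel + $rootfs ))
    if [ "$need" -gt "$IMAGE_AREA" ]; then
        echo "kernel + rootfs need $need bytes," \
             "only $IMAGE_AREA fit before the FIS directory" >&2
        return 1
    fi
    echo "OK: $need of $IMAGE_AREA bytes used after block rounding"
}

# Usage: sh preflight.sh /tftpboot
if [ $# -eq 1 ]; then check_images "$1"; fi
```

A failing check means the files should be downloaded again before any `fis create` command is entered, since a truncated or oversized image is only noticed by RedBoot after the erase has started.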