Recently I dug out my old and cheapo Sitecom N300 X2 (WLR-2100) router because I wanted to use it to attach my lab server to it via ethernet and set up a route to my other router which is responsible for the internet connection. That is a Telekom Speedport router which is capable of using the “splitter-less” ADSL2+ non-standard Annex J, but I digress. Yes, I am really naive. Of course this doesn’t work because you can’t setup routes on either of these devices. In theory you could try to setup WDS (Wireless Distribution System), but this isn’t a standard either.
Still I wanted to see if I can install OpenWRT on the Sitecom to at least make some use of it instead of just taking it to the waste dump. So first thing is to open the device up and try to find the “serial” UART. When you are lucky the manufacturer has printed the actual pinout on the board. In my case there was no labeling of any kind, so the only indication I had for the location of the UART interface was finding four soldering holes in a row. I had to remove the solder of three holes and cautiously drill another hole, because for some unknown reason one hole was filled with something else / not drilled at all. Then I soldered a pin header to those four holes.
To connect a device with an UART with a computer, the easiest way is to use some kind of UART/Serial/USB connector such as the FTDI friend. After you have installed the requisite driver (on Windows or OS X - Linux usually ships them) and you plug in the FTDI friend, you will see a new device node such as /dev/cu.usbserial-A5027XOG on the Mac. When you are a lucky Linux user, there’s an abundance of terminal programs (why is every other thing on Unix called a terminal?) like Minicom or Kermit. Another option, also available on OS X, is the terminal multiplexer screen:
screen /dev/cu.usbserial-A5027XOG 115200
(the last number is the “baud” rate). To exit screen, use Ctrl-A (the standard screen command prologue”) followed by “k” (kill). You can also enable logging by starting screen with the -L command line switch.
Now to figure out the pinout. People say that the VCC pin usually has a thicker connection, so when I found one pin with one I just figured it would be VCC. You can easily measure out ground with a multimeter by connecting the pins to some shield on the board and see if it’s connected. I guess the reason for not drilling the fourth pin is that the manufacturer is getting a ground connection from somewhere else on the board. Then there are two pins left: TX and RX. As far as I know there’s not much that can happen when you mix them up, so I just tried it out and got it right on the secondy try. Don’t connect the VCC pins but only ground, TX and RX! When you are lucky, you now have a serial connection to the device and a shell or something like that. Don’t blame me if you fry your board or UART adapter.
So, this is what the boot sequence on the Sitecom N300 looks like. It’s using the U-Boot bootloader and MIPS Linux. I wonder what the hell they are doing in their OS when they are running killall on various processes repeatedly (because what you see at the end of the logfile just goes on and on). In case you are wondering, the “Amazon” you can see on the logs has nothing to do with the book seller of the same name but is the product name of a series of SoCs (“AMAZON SE”) developed by Infineon (PSB 5060x). This cheapo router has a PSB 50600 manufactured by Lantiq.
ROM VER: 1.2.0
CFG 04
EEPROM Data OK
U-Boot 1.1.5-2.0 (Nov 5 2009 - 14:22:31)
relocate_code start
relocate_code finish.
Flash: 4 MB
amazon_se_spi_init success!!
In: serial
Out: serial
Err: serial
Net: Internal Clock
SET_CLASS_A_VALUE = 1.
Selected EPHY_MODE
AMAZON_SE Switch
Type "run flash_nfs" to mount root filesystem over NFS
Hit any key to stop autoboot: 3
2
1
0
Check FW intergality...OK
## Booting image at 00030000 ...
Image Name: MIPS Linux-2.4.31-Amazon_SE-3.6.
Created: 2010-06-08 9:51:18 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 565011 Bytes = 551.8 kB
Load Address: 80002000
Entry Point: 801a8040
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
Starting kernel ...
MC_PRIO = 0x0 -> 0xc0
flash_start=0x0
flash_size=4194304l
CPU revision is: 0001906c
Primary instruction cache 8kB, physically tagged, 4-way, linesize 16 bytes.
Primary data cache 8kB, 2-way, linesize 16 bytes.
Linux version 2.4.31-Amazon_SE-3.6.10.4.patch.3-R0416V36_BSP_SPI_FLASH_A4 (root@apbs) (gcc version 3.3.6) #6 Tue Jun 8 17:51:13 CST 2010
Can't analyze prologue code at 8001da70
Determined physical RAM map:
User-defined physical RAM map:
memory: 01000000 @ 00000000 (usable)
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock5 ip=192.168.1.1:192.168.1.2::::eth0:on console=ttyS0,115200 ethaddr=00:0c:f6:a6:00:0e mem=16M panic=1
ethaddr_setup: mac address 0- c-f6-a6- 0- e
mips_hpt_frequency:133333333
r4k_offset: 00145855(1333333)
Using 133.333 MHz high precision timer.
[ifx_asc_init_hardware 1081]: ASC ID = 0x101044c4
[ifx_asc_init_hardware 1083]: TxFIFO size = 16, RxFIFO size = 16
[ifx_asc_init_hardware 1085]: TxFIFO CON = 0x1f01, RxFIFO CON = 0x1f01
Calibrating delay loop...
266.24 BogoMIPS
MIPS CPU counter frequency is fixed at 133333333 Hz
Memory: 14160k/16384k available (1673k kernel code, 2224k reserved, 108k data, 84k init, 0k highmem)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
amazon_se_dma_init
dma_chip_init
LSP Revision 1
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
Squashfs 2.2 (released 2005/07/03) (C) 2002-2004, 2005 Phillip Lougher
pty: 256 Unix98 ptys configured
ttyS%d0 at MEM 0xbe100c00 (irq = 66) is a IFX_ASC
Infineon Technologies Synchronous Serial Controller (SSC) driver version 0.2.1
Amazon_SE MEI version:2.04.00
cgu: misc_register on minor = 63
amazon_se_gptu_init:<6>gptu: totally 6 16-bit timers/counters
gptu: misc_register on minor 62
gptu: succeeded to request irq 25
gptu: succeeded to request irq 26
gptu: succeeded to request irq 27
gptu: succeeded to request irq 28
gptu: succeeded to request irq 29
gptu: succeeded to request irq 30
cgu_get_fpi_bus_clock(2) = 133333333, clock_divider = 1
bus clock = 5000000, clock_divider = 1
divider = 33333332
set_timer(0, 4000), divider = 33333332
request_timer(0, 0x0000010D, 33333332)
reload value = 33333332
led: misc_register on minor = 151
Infineon CPE API Driver version: DSL CPE API V3.20.5.1
PPP generic driver version 2.4.2
amazon_se ETOP driver loaded!
Internal Clock
Selected EPHY_MODE
oamk: init_module() called.
Opening oam kernel socket
oamk: init_module() returned.
ppe: ATM init succeeded (firmware version 1.1.0.2.1.13)
[init_amazon_se_mtd 438]: AMAZON_SE_EBU_CON 0x40000060, AMAZON_SE_EBU_CON0 0x1d7fd
init_amazon_se_mtd: start_scan_addr: a0000000
init_amazon_se_mtd: chip probing count 0
Amazon_se: probing address:a0000000
Amazon_se: No support flash chips found!
Infineon Technologies Synchronous SPI flash driver version 0.0.1
MTD driver for SPI flash.
Probing for Serial flash ...
Creating 7 MTD partitions on "amazon_se-spi":
0x00000000-0x00010000 : "U-Boot"
0x00010000-0x00020000 : "ENV_MAC"
0x00030000-0x00400000 : "ROOTFS_KERNEL"
0x00020000-0x00030000 : "NVRAM"
0x00030000-0x000d0000 : "KERNEL"
0x000d0000-0x00400000 : "ROOTFS"
0x00030000-0x00400000 : "ROOTFS_KERNEL"
usb.c: registered new driver hub
dwc_otg: version 2.40a 10-APR-2006
DWC_otg: Using DMA mode
dwc_otg_hcd: irq 31, addr be101000
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 1 port detected
DWC_otg: Init: Port Power? op_state=1
DWC_otg: Init: Power Port (0)
dwc_otg proc initialization okay!
pegasus.c: v0.4.32 (2003/06/06):Pegasus/Pegasus II USB Ethernet driver
usb.c: registered new driver pegasus
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
Linux IP multicast router 0.06 plus PIM-SM
ip_conntrack version 2.1 (128 buckets, 1024 max) - 352 bytes per conntrack
tuple->src.u.port[0]=517
tuple->src.u.port[1]=518
ip_tables: (C) 2000-2002 Netfilter core team
netfilter PSD loaded - (c) astaro AG
ipt_random match loaded
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Amazon_Se Port Initialization
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory:
init started: BusyBox v1.1.0 (2010.06.08-09:06+0000) multi-call binary
Starting pid 13, console /dev/console: '/etc/rcS'
Algorithmics/MIPS FPU Emulator v1.5
mkdir: Cannot create directory `/var/run': File exists
Created character device /dev/amazon_se-port with major[253] and minor[0]
Created character device /dev/dsl_cpe_api with major[107] and minor[0]
Created character device /dev/ifx_mei with major[105] and minor[0]
create PNAT path proc
create proc path for PNAT success
Warning: loading rt3052_iNIC will taint the kernel: no license
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
RT3052iNIC: 802.11n WLAN MII driver v2.2.0.0 (Sept. 15, 2009)
===> Sync Mac with MII master
============= Init Thread ===================
RacfgTaskThread pid = 44
RacfgBacklogThread pid = 45
Org bridge hook = 80168fc4
Change bridge hook = c002c920
ra0: Ralink iNIC at 0x0, 00:0c:f6:a6:00:0e
Warning: loading led will taint the kernel: non-GPLled module init ...
create_proc_entry push_button
after init sema license - Proprietary
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
<6>device eth0 entered promiscuous mode
ap_name=printk action=start
ap_name=adsl action=start
ap_name=lan action=start
ap_name=wlan action=restart
DSL_CPE: using script notification file - /etc/xdslrc.sh
DSL_CPE: using 1st firmware file - /firmware/modemhwe_b.bin
DSL_CPE: Device /dev/dsl_cpe_api opened successfully
Invalid command : set
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
Invalid command : set
ra1 no private ioctls.
sh: /tmp/vlan_config: not found
ap_name=syslogd action=start
killall: syslogd: no process killed
ap_name=httpd action=start
ap_name=dhcpd action=start
start dhcpd ......start dhcpd ... creat config 2...
create dhcpd config -- ok ...
excute command 2 ...
ap_name=ntp action=start
ap_name=route action=start
ap_name=ripd action=start
rm: cannot remove `/tmp/wan_uptime': No such file or directory
ap_name=(null) action=stop
RTNETLINK answers: No such file or directory
Cannot find device "nas0"
sh: cannot create /proc/sys/net/ipv4/conf/nas0/force_igmp_version: Directory nonexistent
killall: IGMPProxy: no process killed
rm: cannot remove `/tmp/wan_ipaddr': No such file or directory
interface nas0 does not exist!
sh: cannot create /etc/ppp/ip-down: Read-only file system
killall: pppd: no process killed
killall: udhcpc: no process killed
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
killall: br2684ctld0: no process killed
killall: atmarpd: no process killed
ap_name=schedule action=create
ap_name=upnp action=start
route: SIOC[ADD|DEL]RT: No such process
killall: miniupnpd: no process killed
Starting pid 257, console /dev/console: '/bin/sh'
BusyBox v1.1.0 (2010.06.08-09:06+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ #