| LinksysWrt54g |
This is a Linksys AP running a Linux 2.4.5 kernel.
You can get at the firmware by following the steps here
Ports:
Speed: 54 Mbps (wireless), 10/100 Mbps (Ethernet)
LED Indicators: Power, DMZ, Diag
Channels: 11 (USA)
Power: 15 dBm
System requirements: One PC (200MHz or Faster Processor) with: 64MB RAM, Internet Explorer 4.0 or Netscape Navigator 4.7 or Higher for Web-based Configuration, CD-ROM Drive, Microsoft Windows 98, Me, 2000, or XP, a Wireless-G or 802.11b Wireless Adapter with TCP/IP Protocol Installed or Network Adapter with Category 5 Ethernet network cable and TCP/IP Protocol installed
In the box: Wireless-G Broadband Router, Power Adapter, Setup CD-ROM with User Guide, Ethernet Network Cable, Quick Installation guide, Registration Card
Width: 7.32 inches
Height: 1.89 inches
Depth: 6.89 inches
Warranty, parts: 1-year limited
Warranty, labor: 1-year limited
Anyone know the receive sensitivity for these babies?
seems to be -65db for ofdm 802.11g 54megs
-80db for dsss 802.11b 11megs
can someone confirm this???
To turn on ripd and zebra, go to Advanced -> Routing -> Dynamic Routing and click Apply.
RAM: 2 x IC42S16400?, 64Mbit (4M X 16) RAM chips (16MB)
Flash:
AMD AM29LV320DB-90EI, a 32Mbit chip (4MB)
CPU:
Broadcom BCM4702KPB, with a 125MHz MIPS and two 10/100 Ethernet controllers
Ethernet:
ADMtek ADM6996 5 port 10/100 switch
Mini PCI slot with Linksys/Broadcom radio FCC ID PKW-WM54G, dual Hirosi antenna connectors
Dual external RP-TNC antenna ports, 4 LAN / 1 WAN 10/100 Ethernet ports, Power 5V @ 2.0A, center +
Disassembly pictures
WAP54G disassembly pics
Extract the header from any firmware upgrade like this:
dd if=WRT54G_1.30.1_US_code.bin of=header bs=32c count=24577c
And get the cramfs image with this:
dd if=WRT54G_1.30.1_US_code.bin of=linksys.img bs=32c skip=24577c
Question: I'm trying to dissect the 1.30.7 firmware. How can you tell where the kernel stops and the cramfs starts?
The header is a Linux 2.4.5 kernel with a bit of header info in the first several bytes. The first four bytes are "W54G" (0x57 0x35 0x34 0x47).
Diff on headers between v1.01.4, v1.02.1, and v1.30.1:
0x0000 57 35 34 47 00 00 00 00 03 01 1D 01 01 04 00 00
0x0000 57 35 34 47 00 00 00 00 03 03 04 01 02 01 55 32
0x0000 57 35 34 47 00 00 00 00 03 06 17 01 1E 01 55 32
(starting at Byte 0)
Byte 0x8 Year. 03 == 2003
Byte 0x9 Month. 06 == June, 03 == Mar, 01 == Jan.
Byte 0xA Day. 04 == Mar. 04, 17 == Jun. 23, 1D == Jan. 29
Byte 0xB Major version.
Byte 0xC Middle version number. 02 matches 1.02.1, 1E hex == 30, which matches 1.30.1
Byte 0xD Minor version.
More bytes changed:
0x0020 48 44 52 30 00 80 28 00 BE 5E F9 57 00 80 00 00
0x0020 48 44 52 30 00 80 2A 00 A8 58 EF DF 00 80 00 00
0x0020 48 44 52 30 00 D0 29 00 78 53 6C D5 00 00 01 00
These sets of 16 start with the bytes "HDR0". Short for header, like the WAP54G?
Bytes 0x24 - 0x27 == file size in little endian, sort of.
v1.01.4: 00 80 28 00
v1.02.1: 00 80 2A 00
v1.30.1: 00 D0 29 00
Convert to big endian
v1.01.4: 00 28 80 00
v1.02.1: 00 2A 80 00
v1.30.1: 00 29 D0 00
Then to decimal:
v1.01.4: 2654208 vs. 2655232 actual size (1024 difference)
v1.02.1: 2785280 vs. 2786304 actual size (1024 difference)
v1.30.1: 2740224 vs. 2741248 actual size (1024 difference)
I can find no correlation to this size with anything obvious. Let's assume that you just add 1024 for now.
Bytes 0x28-0x2B are the checksum. In the WAP54G, this was computed by taking the bits just after the checksum and performing a CRC32, followed by a one's complement (flip all bits, for example by subtracting the result from 0xffffffff). This works reliably for the WAP54G, but doesn't work out for this AP.
To calculate it for the original Linksys WRT54G firmware, first strip the trailing 992 0xFF bytes of the file. Then calculate the CRC32 of bytes 0x2C to the end, take the one's complement, and reverse the byte order.
To build your own, use wrtgen (see links at the bottom). Or combine the kernel with a CramFS image, compute the CRC32, and take the one's complement. To finish building your own .bin file, compute the ultimate file size, subtract 1024, reverse the byte order, stick that and the CRC at the beginning, along with the other preamble bytes described above, and append 992 0xFF bytes to the end. Simple, eh?
*Do you always add 992 0xFF bytes to the end... or do you just pad to the nearest 1024 byte boundary?*
*It has been 992 bytes in every firmware I've encountered. I think that they are already padding the kernel with however many nulls it takes to be a multiple of 1024.*
** Actually, if you will notice, 992+32 = 1024, which may help explain why the filesize is off by 1024 in the image--the first 32 bytes and the last 992 bytes are STRIPPED OUT before being written to /dev/mtd1. The Linux kernel is ALWAYS 786432 bytes long (0xC0000)--this is because of how the flash memory is set up: /dev/mtd1 starts at 0x40000 in flash and extends to 0x3F0000, /dev/mtd2 starts at 0x100000, overlapping /dev/mtd1, and is where the cramfs partition starts. The cramfs partition is allocated the rest of flash memory up to 0x3F0000, where the nvram is located. I also found out something even MORE interesting while digging around: The WAP54G 1.02 firmware, while it has a different compiled version of Linux 2.4.5, has IDENTICAL module files (wl.o and et.o) as the WRT54g 1.02 firmware does, and that several of the installed utilities, including /usr/sbin/wl, are also identical between these two products. The firmware files for the WAP54G are formatted the same except that they left off the 32-byte header and the extra 992 bytes--my guess is that this helps stop us from loading firmware for other products onto this one. One of these days I may test it...
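The header layout and checksum rule described above, written out as a checker. This is an added example, not code from the wiki's contributors, from wrtgen or from Linksys. It assumes that "reverse the byte order" means the length and CRC fields are stored little-endian, that the year byte is an offset from 2000, and it runs against a constructed sample image rather than real firmware.

```python
import struct
import zlib

MAGIC = b"W54G"            # bytes 0x00-0x03
HDR0 = b"HDR0"             # bytes 0x20-0x23
TRAILER = b"\xff" * 992    # trailing padding described on the page


def page_checksum(body: bytes) -> int:
    """CRC32 over the bytes from 0x2C onward, then one's complement."""
    return ~zlib.crc32(body) & 0xFFFFFFFF


def parse_image(image: bytes) -> dict:
    """Decode the preamble and check length, trailer and checksum."""
    if len(image) < 0x2C + len(TRAILER):
        raise ValueError("too short to be a WRT54G image")
    if image[0x00:0x04] != MAGIC:
        raise ValueError("missing W54G magic at 0x00")
    if image[0x20:0x24] != HDR0:
        raise ValueError("missing HDR0 magic at 0x20")

    # Bytes 0x08-0x0D: year, month, day, major, middle, minor.
    year, month, day, major, middle, minor = image[0x08:0x0E]
    # Assumption: both 32-bit fields are little-endian on disk.
    stored_len, stored_crc = struct.unpack_from("<II", image, 0x24)
    # The page says to strip the 992 trailing bytes before the CRC.
    body = image[0x2C:-len(TRAILER)]

    return {
        "build_date": "%04d-%02d-%02d" % (2000 + year, month, day),
        "version": "%d.%02d.%d" % (major, middle, minor),
        "stored_length": stored_len,
        # The stored length is the file size minus 1024 (32 + 992).
        "length_ok": stored_len + 1024 == len(image),
        "trailer_ok": image.endswith(TRAILER),
        "crc_ok": page_checksum(body) == stored_crc,
    }


def build_sample(payload: bytes) -> bytes:
    """Constructed stand-in for a firmware file; the payload is not a kernel."""
    # Date and version bytes copied from the v1.30.1 row quoted on the page.
    preamble = MAGIC + bytes(4) + bytes([0x03, 0x06, 0x17, 0x01, 0x1E, 0x01])
    preamble = preamble.ljust(32, b"\x00")    # 0x0E-0x1F left as zeros here
    total = 32 + 12 + len(payload) + len(TRAILER)
    header = HDR0 + struct.pack("<II", total - 1024, page_checksum(payload))
    return preamble + header + payload + TRAILER


if __name__ == "__main__":
    sample = build_sample(b"constructed payload " * 64)
    print(parse_image(sample))

    damaged = bytearray(sample)
    damaged[0x40] ^= 0x01                     # flip one bit inside the body
    print("crc_ok after damage:", parse_image(bytes(damaged))["crc_ok"])
```

Running the same checks on a downloaded .bin before flashing catches a truncated or altered file on the PC instead of on the router.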
There is a good deal of padding in all three files:
v1.01.4: 0x000000d5 - 0x000000e4 are all $ (0x24).
v1.02.1: 0x000000d5 - 0x000000e5 are all $ (0x24).
v1.30.1: 0x000000d5 - 0x000000e4 are all H (0x48).
v1.01.4: 0x0000037b - 0x000003d1 are all 0x12.
v1.02.1: 0x0000037d - 0x000003d3 are all H (0x48).
v1.30.1: 0x0000037b - 0x000003d0 are all 0x84.
v1.01.4: 0x00000448 - 0x00000461 are all B (0x42).
v1.02.1: 0x0000044a - 0x00000463 are all ! (0x21).
v1.30.1: 0x00000448 - 0x00000462 are all $ (0x24).
v1.01.4: 0x0008b7eb - end are all 0x00
v1.02.1: 0x0008b3ef - end are all 0x00
v1.30.1: 0x0008d81c - end are all 0x00
The 16 bytes starting at 0x10 are identical in 1.02.1 and 1.30.1, but are all nulls in 1.01.4. The 16 bytes starting at 0x30 are identical in all three. Everything from 0x40 to the end (except the null padding) is different.
Also, you can't write to an existing cramfs. Make a new one.
A file on the image reveals that it is an old cramfs, not the nice kind that the SourceForge cramfs generates. I found an old version of cramfs here:
ftp://ftp.handhelds.org/pub/linux/x86/utils/mkcramfs
...which generated a similar cramfs according to file, but this probably isn't necessary. CramFS v1.1 seemed to work just fine on initial tests, but now I'm not so sure. There have been reports that just changing an asp page or two has nuked some WRT54Gs using CramFS 1.1. YMMV.
An alpha-version Perl script to compute the CRC and file size for your custom root directory, and build a valid .bin:
wrtgen
Be warned: You can very, very easily kill your AP by uploading bad firmware!
Hack night, 7/29. As a couple of people have reported, you can execute arbitrary shell code on the WRT54G without uploading new firmware!
First, go to http://192.168.1.1/Ping.asp . In the IP address field, enter something like this:
`ps ax > /tmp/ping.log`
Yes, those are backticks around that command. Now click the "Ping" button, and the results will be posted in the ping results window. The ping command is evidently executed through a subshell, and the web interface expects the results to be written to /tmp/ping.log, so it will obligingly interpret the backticks, and display the results when the command has run.
You will likely run into the limitations of the web interface very quickly, as they only allow 31 characters for the IP address input field. No problem. Save the source to Ping.asp to your desktop as ping-of-fun.html, then do the following:
* Add this line somewhere in the HEAD section:
<base href="http://192.168.1.1/">
...naturally, substituting the IP of your WRT54G for the IP address above.
* Next, find "INPUT maxLength=31" and replace it with "INPUT maxLength=128", or however long you like.
Now open this HTML file and enter your lengthy commands. Note that after they run, you will be redirected to Ping.asp running on the AP. Just go back in your browser, and enter your next command.
This method is much safer than trying to flash the firmware, as the filesystem is cramfs, and can't easily be modified through the shell. If you crash the box, just cycle the power. That's not to say that it's impossible to fry the box (particularly if fiddling with the nvram commands), but you can ls, grep, cat, or whatever with impunity.
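The flaw described above comes from passing the form field to a shell and from enforcing the 31-character limit only in the page's HTML. The following added example (not the firmware's httpd code, which this page does not show) puts an assumed shape of the vulnerable command line beside a server-side check that never involves a shell. The function names, the `-c 5` ping option and the sample inputs are assumptions made for illustration.

```python
import ipaddress
import subprocess

PING_LOG = "/tmp/ping.log"   # file the page says the web interface reads back
MAX_FIELD = 31               # limit the form enforces only through maxLength


def shell_line_as_described(field: str) -> str:
    """Assumed shape of the flaw: the field is pasted into a shell command.

    A shell handed this string expands backticks before ping ever runs,
    which is the behaviour the page reports.
    """
    return "ping -c 5 %s > %s" % (field, PING_LOG)


def ping_argv(field: str) -> list:
    """Server-side check: accept nothing but a dotted-quad IPv4 address."""
    # Length is re-checked here because maxLength in the HTML is advisory.
    if len(field) > MAX_FIELD:
        raise ValueError("target longer than %d characters" % MAX_FIELD)
    try:
        addr = ipaddress.IPv4Address(field)
    except ipaddress.AddressValueError:
        raise ValueError("target is not an IPv4 address") from None
    # Re-serialise the parsed address; the user's text is never reused.
    return ["ping", "-c", "5", str(addr)]


def run_ping(field: str, log_path: str = PING_LOG) -> int:
    """Run ping from an argv list so no shell parses the input."""
    argv = ping_argv(field)
    with open(log_path, "wb") as log:
        done = subprocess.run(argv, stdout=log, stderr=subprocess.STDOUT,
                              shell=False, check=False)
    return done.returncode


# Constructed inputs: one valid address, the string quoted on this page,
# and two malformed values.
CONSTRUCTED_INPUTS = [
    "192.168.1.100",
    "`ps ax > /tmp/ping.log`",
    "192.168.1.100 extra",
    "192.168.1.100" + " " * 40,
]


def triage(inputs):
    """Map each input to the argv it produces or to the rejection reason."""
    results = {}
    for value in inputs:
        try:
            results[value] = ping_argv(value)
        except ValueError as exc:
            results[value] = str(exc)
    return results


if __name__ == "__main__":
    for value, outcome in triage(CONSTRUCTED_INPUTS).items():
        print(repr(value), "->", outcome)
```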
Through this method, we have determined that it does in fact have 16MB ram (about 7.5 free). The layout of the flash is still something of a mystery (check out /dev/mtd/*), but it is definitely running a cramfs out of /, devfs on /dev, and everybody's favorite, /proc.
See below for details on getting a shell.
# ls -al
total 8
drwxr-xr-x 11 root root 288 Jul 22 11:19 .
drwxr-xr-x 4 root root 176 Jul 22 11:16 ..
drwxr-xr-x 2 root root 672 Jul 22 11:16 bin
drwxr-xr-x 2 root root 48 Dec 31 1969 dev
drwxr-xr-x 2 root root 136 Dec 31 1969 etc
drwxr-xr-x 3 root root 256 Dec 31 1969 lib
drwxr-xr-x 2 root root 48 Dec 31 1969 proc
drwxr-xr-x 2 root root 416 Dec 31 1969 sbin
drwxr-xr-x 2 root root 48 Jul 22 11:19 tmp
drwxr-xr-x 5 root root 144 Dec 31 1969 usr
lrwxrwxrwx 1 root root 7 Jul 22 11:16 var -> tmp/var
drwxr-xr-x 4 root root 1688 Dec 31 1969 www
# ls -al bin
total 266
drwxr-xr-x 2 root root 672 Jul 22 11:16 .
drwxr-xr-x 11 root root 288 Jul 22 11:19 ..
-rwxr-xr-x 1 root root 268408 Jul 22 11:16 busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 cat -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 chmod -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 cp -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 date -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 dd -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 df -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 echo -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 false -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 grep -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 kill -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 ln -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 ls -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 mkdir -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 more -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 msh -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 mv -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 ping -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 ps -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 rm -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 rmdir -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 sh -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 sync -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 touch -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 true -> busybox
lrwxrwxrwx 1 root root 7 Jul 22 11:16 uname -> busybox
# ls -al usr/bin
total 1
drwxr-xr-x 2 root root 176 Dec 31 1969 .
drwxr-xr-x 5 root root 144 Dec 31 1969 ..
lrwxrwxrwx 1 root root 17 Jul 22 11:16 free -> ../../bin/busybox
lrwxrwxrwx 1 root root 17 Jul 22 11:16 killall -> ../../bin/busybox
lrwxrwxrwx 1 root root 17 Jul 22 11:16 route -> ../../bin/busybox
lrwxrwxrwx 1 root root 17 Jul 22 11:16 traceroute -> ../../bin/busybox
lrwxrwxrwx 1 root root 17 Jul 22 11:16 uptime -> ../../bin/busybox
# ls -la usr/sbin
total 2322
drwxr-xr-x 2 root root 896 Dec 31 1969 .
drwxr-xr-x 5 root root 144 Dec 31 1969 ..
-rwxr-xr-x 1 root root 35408 Dec 31 1969 brctl
-rwxr-xr-x 1 root root 44620 Dec 31 1969 cron
-rwxr-xr-x 1 root root 9584 Dec 31 1969 dumpleases
-rwxr-xr-x 1 root root 43140 Dec 31 1969 epi_ttcp
-rwxr-xr-x 1 root root 9972 Dec 31 1969 et
lrwxrwxrwx 1 root root 8 Jul 22 11:16 filter -> /sbin/rc
lrwxrwxrwx 1 root root 8 Jul 22 11:16 filtersync -> /sbin/rc
lrwxrwxrwx 1 root root 7 Jul 22 11:16 fw -> netconf
-rwxr-xr-x 1 root root 249796 Dec 31 1969 httpd
-rwxr-xr-x 1 root root 81224 Dec 31 1969 iptables
-rwxr-xr-x 1 root root 85480 Dec 31 1969 iptables-restore
lrwxrwxrwx 1 root root 8 Jul 22 11:16 iptqueue -> /sbin/rc
-rwxr-xr-x 1 root root 79368 Dec 31 1969 ipupdate
lrwxrwxrwx 1 root root 8 Jul 22 11:16 ipupdated -> /sbin/rc
-rwxr-xr-x 1 root root 153968 Dec 31 1969 mDNSResponderPosix
-rwxr-xr-x 1 root root 9988 Dec 31 1969 netconf
-rwxr-xr-x 1 root root 34920 Dec 31 1969 ntpclient
lrwxrwxrwx 1 root root 8 Jul 22 11:16 ntpd -> /sbin/rc
-rwxr-xr-x 1 root root 9956 Dec 31 1969 nvram
-rwxr-xr-x 1 root root 283432 Dec 31 1969 pppd
-rwxr-xr-x 1 root root 159976 Dec 31 1969 pppoecd
-rwxr-xr-x 1 root root 65232 Dec 31 1969 pptp
lrwxrwxrwx 1 root root 8 Jul 22 11:16 resetbutton -> /sbin/rc
-rwxr-xr-x 1 root root 392544 Dec 31 1969 ripd
-rwxr-xr-x 1 root root 74916 Dec 31 1969 tftpd
lrwxrwxrwx 1 root root 6 Jul 22 11:16 udhcpc -> udhcpd
-rwxr-xr-x 1 root root 56744 Dec 31 1969 udhcpd
-rwxr-xr-x 1 root root 118848 Dec 31 1969 upnp
-rwxr-xr-x 1 root root 69108 Dec 31 1969 wl
lrwxrwxrwx 1 root root 8 Jul 22 11:16 write_boot -> /sbin/rc
lrwxrwxrwx 1 root root 8 Jul 22 11:16 write_mac -> /sbin/rc
-rwxr-xr-x 1 root root 268800 Dec 31 1969 zebra
# ls -al usr/bin
total 0
lrwxrwxrwx 1 root root 17 Dec 31 1969 basename -> ../../bin/busybox*
lrwxrwxrwx 1 root root 17 Dec 31 1969 dirname -> ../../bin/busybox*
lrwxrwxrwx 1 root root 17 Dec 31 1969 free -> ../../bin/busybox*
lrwxrwxrwx 1 root root 17 Dec 31 1969 killall -> ../../bin/busybox*
lrwxrwxrwx 1 root root 17 Dec 31 1969 logger -> ../../bin/busybox*
lrwxrwxrwx 1 root root 17 Dec 31 1969 route -> ../../bin/busybox*
lrwxrwxrwx 1 root root 17 Dec 31 1969 uptime -> ../../bin/busybox*
lrwxrwxrwx 1 root root 17 Dec 31 1969 wget -> ../../bin/busybox*
Ross: Is the above usr/bin from a wrt54g? It doesn't match the contents of my usr/bin (firmware 1.30.1)
The above usr/bin directory listing is from WRT54G_1.02.1_US_code.bin which is what is currently up on the Linksys download site. Note that it has wget. If we can modify a web page to invoke wget, download a binary and run it... this may be a safe way to test if a binary is compatible.
# ls -al www
total 264
-rw-r--r-- 1 root root 615 Dec 31 1969 Config.asp
-rwxr-xr-x 1 root root 712 Jul 22 14:25 Cysaja.asp
-rw-r--r-- 1 root root 2063 Dec 31 1969 DB.asp
-rw-r--r-- 1 root root 9945 Dec 31 1969 DDNS.asp
-rw-r--r-- 1 root root 9259 Dec 31 1969 DHCP.asp
-rw-r--r-- 1 root root 2822 Dec 31 1969 DHCPTable.asp
-rw-r--r-- 1 root root 738 Dec 31 1969 Fail.asp
-rw-r--r-- 1 root root 738 Dec 31 1969 Fail_s.asp
-rw-r--r-- 1 root root 438 Dec 31 1969 Fail_u_s.asp
-rw-r--r-- 1 root root 7602 Dec 31 1969 FilterIPMAC.asp
-rw-r--r-- 1 root root 1761 Dec 31 1969 FilterSummary.asp
-rw-r--r-- 1 root root 14644 Dec 31 1969 Filters.asp
-rw-r--r-- 1 root root 16010 Dec 31 1969 Forward.asp
-rw-r--r-- 1 root root 5354 Dec 31 1969 Help.asp
-rw-r--r-- 1 root root 1107 Dec 31 1969 Log_incoming.asp
-rw-r--r-- 1 root root 1117 Dec 31 1969 Log_outgoing.asp
-rw-r--r-- 1 root root 1228 Dec 31 1969 New_device.asp
-rw-r--r-- 1 root root 1218 Dec 31 1969 Old_device.asp
-rw-r--r-- 1 root root 4226 Dec 31 1969 Ping.asp
-rw-r--r-- 1 root root 12251 Dec 31 1969 PortTriggerTable.asp
-rw-r--r-- 1 root root 1903 Dec 31 1969 Radius.asp
-rw-r--r-- 1 root root 3149 Dec 31 1969 Register.asp
-rw-r--r-- 1 root root 1288 Dec 31 1969 Register_fail.asp
-rw-r--r-- 1 root root 1336 Dec 31 1969 Register_ok.asp
-rw-r--r-- 1 root root 1942 Dec 31 1969 RouteTable.asp
-rw-r--r-- 1 root root 10148 Dec 31 1969 Routing.asp
-rw-r--r-- 1 root root 10295 Dec 31 1969 Security.asp
-rw-r--r-- 1 root root 11925 Dec 31 1969 Status.asp
-rw-r--r-- 1 root root 711 Dec 31 1969 Success.asp
-rw-r--r-- 1 root root 757 Dec 31 1969 Success_s.asp
-rw-r--r-- 1 root root 386 Dec 31 1969 Success_u_s.asp
-rw-r--r-- 1 root root 22 Dec 31 1969 SysInfo.htm
-rw-r--r-- 1 root root 11955 Dec 31 1969 System.asp
-rw-r--r-- 1 root root 3196 Dec 31 1969 Traceroute.asp
-rw-r--r-- 1 root root 2802 Dec 31 1969 WEP.asp
-rw-r--r-- 1 root root 3807 Dec 31 1969 WL_ActiveTable.asp
-rw-r--r-- 1 root root 2578 Dec 31 1969 WL_FilterTable.asp
-rw-r--r-- 1 root root 11889 Dec 31 1969 WL_WEPTable.asp
-rw-r--r-- 1 root root 7528 Dec 31 1969 WL_WPATable.asp
-rw-r--r-- 1 root root 9000 Dec 31 1969 WPA.asp
-rw-r--r-- 1 root root 1250 Dec 31 1969 WPA_Preshared.asp
-rw-r--r-- 1 root root 2571 Dec 31 1969 WPA_Radius.asp
-rw-r--r-- 1 root root 9984 Dec 31 1969 Wireless.asp
-rw-r--r-- 1 root root 8957 Dec 31 1969 common.js
-rw-r--r-- 1 root root 3272 Dec 31 1969 firmware_upgrade.asp
drwxr-xr-x 1 root root 268 Dec 31 1969 help
drwxr-xr-x 1 root root 348 Dec 31 1969 image
-rw-r--r-- 1 root root 25120 Dec 31 1969 index.asp
-rw-r--r-- 1 root root 2128 Dec 31 1969 index_pppoe.asp
-rw-r--r-- 1 root root 4626 Dec 31 1969 index_pptp.asp
-rw-r--r-- 1 root root 4771 Dec 31 1969 index_static.asp
-rw-r--r-- 1 root root 565 Dec 31 1969 style.css
These asp files are calling gozila_cgi and apply.cgi which don't appear to be on the filesystem... grepping the http binary shows them:
# strings usr/sbin/httpd | grep -i cgi
get_cgi
init_cgi
do_upgrade_cgi
gozila_cgi
apply.cgi*
upgrade.cgi*
Gozila.cgi*
The webserver itself is acme mini_httpd (see the http licence).
# ls /lib/modules
2.4.5
# cat /proc/kmsg | grep Linux
<4>Linux version 2.4.5 (root@honor) (gcc version 3.0 20010422 (prerelease) with bcm4710a0 modifications) #4 ?g?@ 6?? 23 14:45:24 CST 2003
# file bin/busybox
bin/busybox: ELF 32-bit LSB MIPS-I executable, MIPS, version 1 (SYSV), for GNU/Linux 2.3.99, dynamically linked (uses shared libs), stripped
# strings lib/modules/2.4.5/kernel/drivers/net/wl/wl.o
[...]
May 21 2003
21:49:42
%s: Broadcom BCM43XX 802.11 Wireless Controller %s (Compiled in %s at %s on %s)
3.21.9.0
%s: %s driver failed with code %d
wds%d.%d
wl%d: %s %s version %s
kernel BUG at %s:%d!
/projects/hnd_swbuild/build_linux/D11_REL_3_21_RC9/linux-external-router-partial-src/2003.5.21.0/src/linux/linux/include/linux/skbuff.h
[...]
# strings usr/sbin/wl
-> Tons of interesting text:
[...]
promisc
set promiscuous mode ethernet address reception
0 - disable
1 - enable
[...]
monitor
set monitor mode
0 - disable
1 - enable active monitor mode (interface still operates)
[...]
Comment: In the wl.o you can see some functions like wl_rate ... there are some other functions in this lib like wlc_****. It seems to be client functions command. The WL executable file doesn't permit the client mode. So what I think, maybe trying to use this feature (wlc_***) by writing a program we can make a client Linux driver for broadcom 430x card on wrt54g.
# strings lib/modules/2.4.5/kernel/drivers/net/et/et.o
[...]
Broadcom BCM4310 10/100 Mbps Ethernet Controller
Broadcom BCM4307 10/100 Mbps Ethernet Controller
Broadcom BCM47xx 10/100 Mbps Ethernet Controller
Broadcom BCM4402 10/100 Mbps Ethernet Controller
[...]
kernel_version=2.4.5
# strings tftpd
[...]
upgrade_filename=%s http_passwd boot.bin Rec filename=%s %s from %s filename %s remapped to %s %s from %s filename %s mac.bin code.bin /tmp/code.bin /tmp/boot.bin /tmp/mac.bin
[...]
Write Image To Flash Failuer! Write MAC to Flash Failure! MAC Address Flash space is full Wrong Image File Name Wrong Code Pattern Multiple TFTP Session!
[...]
Will go firmware_write Will go firmware_write action_service tftp_upgrade RAM Write completed!
[...]
tftp-hpa: $Id: tftpsubs.c,v 1.2 2003/03/07 11:21:13 barry Exp $ W54G
[...]
POST %s /%s HTTP/1.1 Host: %s User-Agent: wget Authorization: Basic %s Range: bytes=%ld- Connection: close HTTP request sent, awaiting response... line=[%s] Content-Length: Transfer-Encoding: chunked Content-Type: application/x-www-form-urlencoded Content-Length: %d %s%sCannot allocate %lu bytes after allocating %lu bytes
[...]
It looks like the tftpd may interact with the web server during firmware upgrades??
Here's a dump of /proc/kmsg from a running WRT54G. That "!unable to setup serial console!" is a little disappointing for all of us bricklayers.
Re: unable to setup serial console:
/proc/tty/driver/serial reports the following over and over :
...
60: uart:unknown port:0 irq:0
61: uart:unknown port:0 irq:0
62: uart:unknown port:0 irq:0
63: uart:unknown port:0 irq:0
...
# cat /proc/kmsg
<4>Loading BCM4710 MMU routines.
<4>CPU revision is: 00024000
<4>Primary instruction cache 8kb, linesize 16 bytes (2 ways)
<4>Primary data cache 4kb, linesize 16 bytes (2 ways)
<4>Number of TLB entries 32.
<4>Linux version 2.4.5 (root@honor) (gcc version 3.0 20010422 (prerelease) with bcm4710a0 modifications) #4 ?g?@ 6?? 23 14:45:24 CST 2003
<4>Determined physical RAM map:
<4> memory: 01000000 @ 00000000 (usable)
<4>On node 0 totalpages: 4096
<4>zone(0): 4096 pages.
<4>zone(1): 0 pages.
<4>zone(2): 0 pages.
<4>Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
<4>New MIPS time_init() invoked.
<4>CPU: BCM4710 rev 0 at 125 MHz
<4>!unable to setup serial console!
<4>Calibrating delay loop... 82.94 BogoMIPS
<4>Memory: 14508k/16384k available (1189k kernel code, 1876k reserved, 85k data, 60k init)
<4>Dentry-cache hash table entries: 2048 (order: 2, 16384 bytes)
<4>Inode-cache hash table entries: 1024 (order: 1, 8192 bytes)
<4>Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
<4>Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
<4>Checking for 'wait' instruction... unavailable.
<4>POSIX conformance testing by UNIFIX
<4>PCI: Fixing up bus 0
<4>PCI: Fixing up bridge
<4>PCI: Fixing up bus 1
<6>Linux NET4.0 for Linux 2.4
<6>Based upon Swansea University Computer Society NET3.039
<4>Initializing RT netlink socket
<4>Starting kswapd v1.8
<4>devfs: v0.102 (20000622) Richard Gooch (rgooch@atnf.csiro.au)
<4>devfs: boot_options: 0x0
<4>pty: 256 Unix98 ptys configured
<6>Serial driver version 5.05a (2001-03-20) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
<4>block: queued sectors max/low 9528kB/3176kB, 64 slots per queue
<6>PPP generic driver version 2.4.2
<4> Amd/Fujitsu Extended Query Table v1.1 at 0x0040
<4>number of JEDEC chips: 1
<4>0: offset=0x0,size=0x2000,blocks=8
<4>1: offset=0x10000,size=0x10000,blocks=63
<5>flash device: 400000 at 1fc00000
<5>Physically mapped flash: cramfs filesystem found at block 1024
<5>Creating 4 MTD partitions on "Physically mapped flash":
<5>0x00000000-0x00040000 : "pmon"
<5>0x00040000-0x003f0000 : "linux"
<5>0x00100000-0x003f0000 : "rootfs"
<5>0x003f0000-0x00400000 : "nvram"
<3>sflash: chipcommon not found
<6>NET4: Linux TCP/IP 1.0 for NET4.0
<6>IP Protocols: ICMP, UDP, TCP
<4>IP: routing cache hash table of 512 buckets, 4Kbytes
<4>TCP: Hash tables configured (established 1024 bind 2048)
<4>ip_conntrack (128 buckets, 1024 max)
<4>ip_tables: (c)2000 Netfilter core team
<4>ipt_time loading
<6>NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
<6>NET4: Ethernet Bridge 008 for NET4.0
<4>VFS: Mounted root (cramfs filesystem) readonly.
<4>Mounted devfs on /dev
<4>Freeing unused kernel memory: 60k freed
<4>Warning: unable to open an initial console.
<4>Algorithmics/MIPS FPU Emulator v1.4
<4>eth0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.21.9.0
<4>eth1: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.21.9.0
<4>PCI: Enabling device 01:08.0 (0004 -> 0006)
<4>eth2: Broadcom BCM43XX 802.11 Wireless Controller 3.21.9.0 (Compiled in . at 21:49:42 on May 21 2003)
<4>bug: kernel timer added twice at c000ad54.
<6>device eth0 entered promiscuous mode
<6>device eth2 entered promiscuous mode
<6>br0: port 2(eth2) entering listening state
<6>br0: port 1(eth0) entering listening state
<6>br0: port 2(eth2) entering learning state
<6>br0: port 1(eth0) entering learning state
<6>br0: port 2(eth2) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 1(eth0) entering forwarding state
<6>br0: topology change detected, propagating
<4>diag_loop: Reset LED.
<4>bug: kernel timer added twice at c000ad54.
Using the Ping.asp trick, above, one can download arbitrary files using /usr/sbin/epi-ttcp. So we download a MIPS-compiled faucet and launch a shell. See this post by Ross Jordan. C. J. Collier coded up a Perl script to simplify the process.
Related links:
And this is what I've got after two weeks of calling Linksys support:
> Dear Mr. Kulakowski,
> Thank you for contacting us again.
>
> I already follow up your concern to our second level support. If you want,
> you may contact them at the number listed below. I apologize for the
> inconvenience this has caused you.
And:
> Thank you for contacting us again.
> Kindly bear with us a little longer. I shall follow-up your concern to our
> Second Level Support. I apologize for the inconvenience this has caused you.
-tko
Just execute "/usr/sbin/iptables --flush FORWARD" on the router to solve this (at least until the next reboot). --markonen
wl_antdiv Set antenna diversity for RX: 0 force use of antenna 0 (Left?); 1 force use of antenna 1; 3 automatic selection of antenna diversity ;
wl_txant Set the transmit antenna TX: 0 force use of antenna 0; 1 force use of antenna 1; 3 use the RX antenna selection that was in force during the most recently received good PLCP header
To set just add these parameters to the Advanced Wireless URL (at the end): http://<IP_address>/apply.cgi?submit_button=Wireless&change_action=&action=Apply&wl_macmode1=disabled&wl_auth=0&wl_rate=0&wl_rateset=default&wl_gmode_protection=auto&wl_frameburst=off&wl_bcn=100&wl_rts=2347&wl_frag=2346&wl_dtim=3&wl_antdiv=0&wl_txant=0
Other interesting parameters at *
Discussion at wirelessnederlan
-tko
Question: If you can run commands via ping.asp, and there's a wget on the box, can't you use that to download binaries and execute them without touching the firmware?
Answer: The firmware versions with Ping.asp and with wget are mutually exclusive.
Question: Use the ping.asp hack to add the link for wget to /usr/bin (link it to busybox) I bet that the busybox binary supports wget but the link is just missing. -ar
Answer: That was one of the first things I tried: the busybox no longer has wget compiled in -Ross
I extracted busybox from the older version of firmware, uploaded it to the box, and tried to run it with the following results :
/tmp/busybox
/tmp/busybox: error while loading shared libraries: /tmp/busybox: symbol gethostbyaddr, version GLIBC_2.0 not defined in file libc.so.6 with link time reference
I guess to do this right, one will need a MIPS cross-compilation environment and do static builds.
-jbuzbee
If anyone is interested in advertising the box's webserver using rendezvous, executing this command either through the "ping hack" or the shell interface did the trick for me :
/usr/sbin/mDNSResponderPosix -p 80 -t _http._tcp. -n "Linksys Web Server" &
-jbuzbee
These RPM packages may be usable for building MIPS LSB binaries on x86:
The SRPM is located to:
I tried to build a static binary of hexdump included in util-linux. It can run on my WRT54G.
-tmp
I almost went mad trying to get a cross-compilation toolchain working.
Crosstool was my saviour. It can download, patch, and compile known good combinations of GCC, Bintools and GLIBC for MIPS. Highly recommended.
- dave
Answer: No formal project, but it is the goal of several of us...
-Ross
-- raja@spammenot.DataCracker.com
Answer: There is no linux driver at the moment (and don't think there ever will be).
Answer 2: The miniPCI and the cardbus from BROADCOM are designed on the same chip (BCM94306). This chip seems to be also used in WET54 (CB version) which have the client mode enable under a linux kernel (ref to Linksys customer). More of this the belkin wireless router (7130) has the same chip onboard and has also a wireless ap client mode enable. So I have a question : is it possible that somebody can extract from WET54 or Belkin 7130 the lib that could allow us to have broadcom client card under linux os ?
-- A
Answer 3: The WET54 firmware file available for download from Linksys does not use Linux. The WAP54G's don't actually implement client mode--what they actually use in bridging mode is Wireless Distribution System, or wds. I've found that you can easily enable wds on the WRT54G's by using the ping trick or telnet to issue a command such as: /usr/sbin/wl wds 00:06:f4:23:34:e1. The Mac address here should be the mac address of the peer WAP (or WRT), and the system will create a subinterface wrt0.2 and add it to the bridging group (br0). It actually relies on the Linux bridging code to bridge between the wrt0.2 interface and clients associated with this access point. You may be able to configure the WRT to automatically reassociate with the remote AP by using nvram (nvram set wl_wrt=00:06:f4:23:34:e1). There must be something else happening because nvram settings aren't saved automatically--only way I've found to save an nvram setting is to go into the web interface and hit apply on one of the pages. Don't know why.
If Linksys ever DOES add client support to their WAP54 product, we should be able to copy the driver over to the WRT54 as well (the 1.02 firmwares of both products use identical driver modules) We may even be able to modify the firmware file and upload it to the WRT54 box. (warning: untested)
Answer: telnetd is available from the tools package linked above. It's not SSH but it's more than enough to start poking around...
If there are Broadcom references in the kernel tree proper, and there is no source available for those references, this is a GPL violation on the part of Linksys. I assume the bulk of the Broadcom driver code is a binary module which is OK, but one should be able to build a kernel image with the source provided by Linksys. I would not be surprised if there are Broadcom specific changes that had to be made to the kernel initialization sequence before modules can be loaded.
I also just blindly tried insmod wl.o and came up with an ELF incompatibility. Maybe there is a way to force this module with knowledge that it is for a different kernel?
Answer: Unless you have a MIPS based PC, this will never work. The Wrt54g is a MIPS based system...
Answer 2: No there isn't enough info in the kernel to be able to build the wireless module.
NEW INFO: Linksys has announced this unit: http://www.linksys.com/splash/wrv54g_splash.asp From what I can tell it is exactly what is being described in this request. Anyone have more insight into what the hardware differences between these two boxes are? Could we add the functionality to the WRT54g without going out to buy the new unit?
NEWS: With the information in this and other pages I've found a simple way to increase the power of the WRT54G, we just need to execute the command /usr/sbin/wl -i eth2 txpwr 84 using the "ping hack" already described.
Here goes my view of the network architecture of the WRT54G (and other clones) A hardware switch with 5 ports, 4 are the external lan ports (1 to 4), the fifth is connected to the "router" module that has 3 ports (eth0, eth1 and eth2, in Linux terms), eth0 made the connection to the switch module, eth1 is the WAN port that connects to the outside world (ADSL, CABLE, etc.) and finally eth2 connect to the wireless module ... Have you missed something ??? I hope so, if your question is "eth2 and eth0 aren't in the same layer2 lan ?", that's the right point! eth2 and eth0 seem to be software bridged by the Linux kernel and act as a unique L3 interface as "br0". This is a nice thing, in the future we probably can split the wireless (eth2) and the switch (eth0) and do a better control of the traffic (iptables) between them.
PS: Sorry for my bad English! -- pribeiro @net.ipl.pt
Comment: It seems that one MII interface on the CPU connects directly to the switch controller (ADM6996), which connects directly to the WAN port. If you look at the full size picture, you can clearly see that pins 123-4,6-7 are connected to the single-port transformer T2 (TS6121) for the WAN. Maybe there are two MACs on the chip itself, but the output is multiplexed over a single MII interface with VLAN tagging, which is the reason why they needed to use the ADM6996 to demultiplex the signal to the WAN and LAN. The ADM documentation actually documents this on page 31 as the recommended way of doing this!
** I just checked, and I can definitely verify that Linux is seeing eth0 and eth1 as separate interfaces, but I do see what you mean; the ADM6996 is a 6-port switch with VLAN support built in. My theory is that the et.o module is implementing VLAN on a single ethernet interface or something. Oddly enough, ifconfig shows different interrupts and base addresses for eth0 and eth1:
# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:41:3F:72:F8
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:276069 errors:0 dropped:0 overruns:0 frame:0
TX packets:27329 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:28541837 (27.2 Mb) TX bytes:3557147 (3.3 Mb)
Interrupt:3 Base address:0x2000
# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0C:41:3F:72:F9
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:27947 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:16600518 (15.8 Mb)
Interrupt:4 Base address:0x8000
The box is definitely listening to eth1 for WAN access:
# ps
476 0 S udhcpc -i eth1 -p /var/run/udhcpc.pid -s /tmp/udhcpc
(I don't have the WAN side hooked up to anything)
Comment: That's not a problem, DHCP packets are bridged through br0 from eth0 to eth2! If dhcpd were listening/sending on both eths, there would be problems with duplicate packets!
The kmesg (listed elsewhere) clearly shows that eth0 is part of the bridge device, br0, along with eth2 (the wireless interface, wl.o). If you use the WDS to bridge multiple units together, then a dummy interface such as wds0.2 is created and also added to the br0 bridge interface. (Try "wl wds 00:06:25:F7:2C:74", replacing the MAC address with the MAC address of another WRT box, and do the same on that box. Just be careful about creating a loop, because you can set off a broadcast storm pretty easily.)
---
Nice! Quick question - any issues with raising the tx power that high? Does it actually improve the distance you get from the AP, or does it just introduce noise into the signal? Also, any problems with heat on the WRT54G itself? Cheers.
Answer: I think heat is a problem in this equipment. Even with the normal power I'm thinking of adding a little fan in the bottom or in the top. I haven't seen long-term heating with increased power because the router is working with the default power now; for my little home it is enough! I'll write more details on heating and distance as soon as I have some time to test it. (WAP11v2.2 seems to heat a little more than WRT54G with the default full power for both.)
Looks like /usr/sbin/wl has a lot of capabilities:
# /usr/sbin/wl
Usage: wl [-a|i <adapter>] [-hu] <command> [arguments]
-a, -i adapter name or number
-h, -u this message
| ver | get version information | |
| up | reinitialize and mark adapter up (operational) | |
| down | reset and mark adapter down (disabled) | |
| out | mark adapter down but do not reset hardware(disabled) | |
| On dualband cards, cards must be bandlocked before use. | ||
| clk | set board clock state. return error for set_clk attempt if the driver is not down | |
| 0: clock off | ||
| 1: clock on | ||
| ucflags | Get/Set ucode flags | |
| radio | Set the radio on or off. | |
| "on" or "off" | ||
| dump | print driver software state and chip registers to stdout | |
| srdump | print contents of SPROM to stdout | |
| msglevel | ||
| set driver console debugging message bitvector | ||
| type 'wl msglevel ?' for values | ||
| PM | set driver power management mode: | |
| 0: CAM (constantly awake) | ||
| 1: PS (power-save) | ||
| wake | set driver power-save mode sleep state: | |
| 0: core-managed | ||
| 1: awake | ||
| promisc | set promiscuous mode ethernet address reception | |
| 0 - disable | ||
| 1 - enable | ||
| monitor | set monitor mode | |
| 0 - disable | ||
| 1 - enable active monitor mode (interface still operates) | ||
| frag | Set the fragmentation threshhold. (integer [256, 2346]) | |
| rts | Set the RTS threshhold. (integer [0, 2347]) | |
| cwmin | Set the cwmin. (integer [1, 255]) | |
| cwmax | Set the cwmax. (integer [256, 2047]) | |
| srl | Set the short retry limit. (integer [1, 255]) | |
| lrl | Set the long retry limit. (integer [1, 255]) | |
| rate | force a fixed rate: | |
| valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54) | ||
| valid values for 802.11b are (1, 2, 5.5, 11) | ||
| valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54) | ||
| -1 (default) means automatically determine the best rate | ||
| mrate | force a fixed multicast rate: | |
| valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54) | ||
| valid values for 802.11b are (1, 2, 5.5, 11) | ||
| valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54) | ||
| -1 (default) means automatically determine the best rate | ||
| infra | Set Infrastructure mode: 0 (IBSS) or 1 (Infra BSS) | |
| ap | Set AP mode: 0 (STA) or 1 (AP) | |
| bssid | Get the BSSID value, error if STA and not associated | |
| channel | Set the channel: | |
| valid channels for 802.11a are: | ||
| 36, 40, 44, 48, 52, 56, 60, 64, | ||
| 100, 104, 108, 112, 116,120, 124, 128, 132, 136, 140, | ||
| 149, 153, 157, 161, | ||
| 184, 188, 192, 196, 200, 204, 208, 212, 216 | ||
| valid channels for 802.11b/g are 1-14 | ||
| tssi | Get the tssi value from radio | |
| txpwr | Set tx power in milliwatts. Range [1, 84]. | |
| txpathpwr | Turn the tx path power on or off on 2050 radios | |
| powerindex | Set the transmit power for A band(0-63). | |
| -1 - default value | ||
| atten | Set the transmit attenuation for B band. Args: bb radio txctl1. | |
| auto to revert to automatic control | ||
| phyreg | Get/Set a phy register. | |
| radioreg | Get/Set a radio register. | |
| shmem | Get/Set a shared memory location. | |
| antdiv | Set antenna diversity for rx | |
| 0 - force use of antenna 0 | ||
| 1 - force use of antenna 1 | ||
| 3 - automatic selection of antenna diversity | ||
| txant | Set the transmit antenna | |
| 0 - force use of antenna 0 | ||
| 1 - force use of antenna 1 | ||
| 3 - use the RX antenna selection that was in force during | ||
| the most recently received good PLCP header | ||
| plcphdr | Set the plcp header. | |
| "long" or "auto" or "debug" | ||
| phytype | Get phy type | |
| scbdump | print driver scb state to stdout | |
| ratedump | print driver rate selection tunables and | |
| per-scb state to stdout, valid scb values are | ||
| 0 through NSCB-1 | ||
| rateparam | set driver rate selection tunables | |
| arg 1: tunable id | ||
| arg 2: tunable value | ||
| wepstatus | Set or Get WEP status | |
| wepstatus [on|off] | ||
| addwep | Set an encryption key. The key must be 5, 13 or 16 bytes long, or | |
| 10, 26, 32, or 64 hex digits long. The encryption algorithm is | ||
| automatically selected based on the key size. keytype is accepted | ||
| only when key length is 16 bytes/32 hex digits and specifies | ||
| whether AES-OCB or AES-CCM encryption is used. Default is ccm. | ||
| addwep <keyindex> <keydata> [ocb | ccm] [notx] [xx:xx:xx:xx:xx:xx] | ||
| rmwep | Remove the encryption key at the specified key index. | |
| scan | Initiate an active scan across all channels. | |
| Optional SSID argument specifies a particular SSID to scan. | ||
| With no SSID argument, a broadcast SSID scan is performed. | ||
| passive | Puts scan engine into passive mode | |
| regulatory | Get/Set regulatory domain mode (802.11d). Driver must be down. | |
| scanresults | Return results from last scan. | |
| assoc | Print information about current network association. | |
| (also known as "status") | ||
| status | Print information about current network association. | |
| (also known as "assoc") | ||
| disassoc | Disassociate from the current BSS/IBSS. | |
| chanlist | Return valid channels for the current settings. | |
| evm | Start an EVM test on the given channel, or stop EVM test. | |
| Arg 1 is channel number 1-14, or "off" or 0 to stop the test. | ||
| Arg 2 is optional rate (1, 2, 5.5 or 11) | ||
| rateset | Returns or sets the supported and basic rateset, (b) indicates basic | |
| With no args, returns the rateset. Args are | ||
| rateset "default" | "all" | <arbitrary rateset> | ||
| default - driver defaults | ||
| all - all rates are basic rates | ||
| arbitrary rateset - list of rates | ||
| List of rates are in Mbps and each rate is optionally followed | ||
| by "(b)" or "b" for a Basic rate. Example: 1(b) 2b 5.5 11 | ||
| At least one rate must be Basic for a legal rateset. | ||
| roam_trigger | Set the roam trigger RSSI threshold. (integer) | |
| roam_delta | Set the roam candidate qualification delta. (integer) | |
| roam_scan_period | Set the roam candidate qualification delta. (integer) | |
| suprates | Returns or sets the 11g override for the supported rateset | |
| With no args, returns the rateset. Args are a list of rates, | ||
| or 0 or -1 to specify an empty rateset to clear the override. | ||
| List of rates are in Mbps, example: 1 2 5.5 11 | ||
| scan_channel_time | Get/Set scan channel time | |
| scan_unassoc_time | Get/Set unassociated scan channel time | |
| scan_home_time | Get/Set scan home channel time | |
| scan_passes | Get/Set scan pass count | |
| prb_resp_timeout | Get/Set probe response timeout | |
| channel_qa | Get last channel quality measurment | |
| channel_qa_start | Start a channel quality measurment | |
| country | Select Country code for use with 802.11d. Use either long name | |
| or abbreviation from ISO 3166. Use 'wl country list' for the complete list. | ||
| locale | Select the country: | |
| Worldwide | ||
| Thailand | ||
| Israel | ||
| Jordan | ||
| China | ||
| Japan | ||
| USA/Canada/ANZ | ||
| Europe | ||
| USAlow | ||
| JapanHigh | ||
| All | ||
| join | Join a specified network SSID. | |
| Join syntax is: join <name|ssid> [key xxxxx] [imode bss|ibss] [amode open|shared] | ||
| mac | Set or get the list of source MAC address matches. | |
| wl mac xx:xx:xx:xx:xx:xx [xx:xx:xx:xx:xx:xx ...] | ||
| To Clear the list: wl mac none | ||
| macmode | Set the mode of the MAC list. | |
| 0 - Disable MAC address matching. | ||
| 1 - Deny association to stations on the MAC list. | ||
| 2 - Allow association to stations on the MAC list. | ||
| wds | Set or get the list of WDS member MAC addresses. | |
| Set using a space separated list of MAC addresses. | ||
| wl wds xx:xx:xx:xx:xx:xx [xx:xx:xx:xx:xx:xx ...] | ||
| lazywds | Set or get "lazy" WDS mode (dynamically grant WDS membership to anyone). | |
| noise | Get noise (moving average) right after tx in dBm | |
| fqacurcy | Manufacturing test: set frequency accuracy mode. | |
| freqacuracy syntax is: fqacurcy <channel> | ||
| Arg is channel number 1-14, or 0 to stop the test. | ||
| crsuprs | Manufacturing test: set carrier suppression mode. | |
| carriersuprs syntax is: crsuprs <channel> | ||
| Arg is channel number 1-14, or 0 to stop the test. | ||
| int | Interrupt Test - remember to precede by 'wl down' and follow by 'wl up' | |
| lbt | Loopback Test - remember to precede by 'wl down' and follow by 'wl up' | |
| band | Returns or sets the current band | |
| auto - auto switch between available bands (default) | ||
| a - force use of 802.11a band | ||
| b - force use of 802.11b band | ||
| bands | Return the list of available 802.11 bands | |
| phylist | Return the list of available phytypes | |
| shortslot | Get 11g Short Slot Timing mode. (0=long, 1=short) | |
| shortslot_override | Get/Set 11g Short Slot Timing mode override. (-1=auto, 0=long, 1=short) | |
| shortslot_restrict | Get/Set AP Restriction on associations for 11g Short Slot Timing capable STAs. | |
| 0 - Do not restrict association based on ShortSlot capability | ||
| 1 - Restrict association to STAs with ShortSlot capability | ||
| ignore_bcns | AP only (G mode): Check for beacons without NONERP element (0=Examine beacons, 1=Ignore beacons) | |
| pktcnt | Get the summary of good and bad packets. | |
| upgrade | Upgrade the firmware on an embedded device | |
| gmode | Set the 54g Mode (LegacyB|Auto|GOnly|BDeferred|Performance|LRS) | |
| gmode_protection | Get G protection mode. (0=disabled, 1=enabled) | |
| gmode_protection_control | Get/Set 11g protection mode control alg. (0=always off, 1=monitor local association, 2=monitor overlapping BSS) | |
| gmode_protection_cts | Get/Set 11g protection type to CTS (0=disable, 1=enable) | |
| gmode_protection_override | Get/Set 11g protection mode override. (-1=auto, 0=disable, 1=enable) | |
| legacy_erp | Get/Set 11g legacy ERP inclusion (0=disable, 1=enable) | |
| scb_timeout | AP only: inactivity timeout value for authenticated stas | |
| assoclist | AP only: Get the list of associated MAC addresses. | |
| rssi | Get the current RSSI val, for an AP you must specify the mac addr of the STA | |
| isup | Get driver operational state (0=down, 1=up) | |
| fasttimer | Get/Set High frequency watchdog timeout (tx_power) [15 sec] | |
| slowtimer | Get/Set Low frequency watchdog timeout (nrssislope) [60 sec] | |
| interference | Get/Set interference mitigation mode. Choices are: | |
| 0= none | ||
| 1 = non wlan | ||
| 2 = wlan manual | ||
| frameburst | Disable/Enable frameburst mode | |
| pwr_percent | Get/Set power output percentage | |
Some neat utils are included in CJ Collier's busybox, including insmod and mount. Add the /tmp/incoming directory to your path, and then make the programs in busybox easier to get to by creating some more symlinks: ln -s busybox insmod; ln -s busybox mount etc. The modules in nfs.tar.gz can then be loaded using insmod sunrpc.o; insmod lockd.o; insmod nfs.o Then mount an NFS share using mkdir mnt; mount linux.box.ip:/path/to/dir mnt
A copy of /proc/kcore (if available) would also be most useful. Thanks... (couldn't get that one...)
Excellent, thanks all. I now have a few copies of this material. If anyone is interested in receiving a copy, please mail me at the above address.
Answer: The unit already runs a mini webserver, which by default is used to serve the configuration pages. If you want to customise what is served, you can mount an NFS volume over the top of the /www directory on the unit.
Also, you'll need to upload the files every time you reset the router. I know this is far from elegant, but at least it's a solution.
Interesting tid bit: Above program seems to run fine on the unit without being statically compiled...
Comment: Problem with MRTG is that it would "start clean" once the router is rebooted. Better idea is to provide SNMP capabilities so that you could run MRTG on an external box (and keep the histories regardless of reboots).
Comment: Those sources are pretty much the original source, which doesn't have the "improvements" necessary to run the router (i.e., the driver for the wireless card, etc.).
============ Packages List ================================================
toolchain.tgz ToolChain (x86 version RedHat 7.x)
toolchain.src.tgz ToolChain source codes
wvc11b_v205.src.tgz WVC11B F/W Source codes
============ WVC11B source codes ==========================================
wvc11b_v205.src.tgz
Folder/file Description
----------------------- -----------------------------------------------
/WVC11B_V205/setenv To setup TI DSC21 toolchain working environment
variables.
/WVC11B_V205/rrload/ Linux_Loader
/WVC11B_V205/mtcode/ MT_Code
/WVC11B_V205/linux/ Linux_Kernel
/WVC11B_V205/fs/ Linux file system --------------+--> File_System
/WVC11B_V205/kmods/ Kernel modules |
/WVC11B_V205/rrmodules/ Kernel modules' binary files |
/WVC11B_V205/apps/ Application --------------------+
/WVC11B_V205/Makefile A make file to build "Linux_Kernel" and "File_System"
========= WVC11B FW binary (WVC11B_V205.bin) build procedure ==============
1. Install TI DSC21 toolchain in RedHat 7.x (x86 version for IBM PC)
Un-tar "toolchain.tgz" to "/opt/" folder.
2. Install WVC11B source codes and change to the source code folder
Un-tar "wvc11B_v205.src.tgz" to a source code folder.
change to the source code folder.
3. Setup TI DSC21 toolchain working environment variables
#. setenv
4. Clear all objects and libraries
#make distclean
5. Build "Loader"
Change to "Loader" source code folder
#cd loader
5.1 Build "Linux_Loader" (.../WVC11B_V205/rrload/export/rrload.stripped.binary)
#cd rrload
#makeclean
#make
#cd ..
5.2 Build "MT_Code" (.../WVC11B_V205/mtcode/export/rrload.stripped.binary)
#cd mtcode
#makeclean
#make
6. Generate kernel configuration file
#cd linux
#make menuconfig
save new kernel configuration
#make dep
#cd ..
7. Build "Linux_Kernel" and "File_System" and copy binaries
to ".../WVC11B_V205/FW/" folder.
#make -f Makefile
#cp linux/linux.stripped.binary FW/kernel
#cp linux/romdisk.img FW/filesystem
8. Combine Linux_Loader, Linux_kernel and File_System in one binary file.
-mbm