Todo
ACX100 glue logic between the CPU and the CardBus card: see Acx100ReverseEngineering
Compiling other stuff
Fit them in 1MB flash
Packaging new firmware
Ad-hoc and managed mode only (the acx100 driver is NOT yet capable of a hostap-like master mode, so it cannot replace the AP function)
Dig into the sources of the Dell Truemobile 1184 (especially how the Prism chipset is initialized): http://linux.dell.com/files/truemobile/tm1184/vLinux_Dell_tm1184.tar.gz
Hardware
SOC
Specifications (cf. the Samsung datasheet):
Integrated system for embedded ethernet applications
Fully 16/32-bit RISC architecture
Little/big-endian mode supported. Internally the architecture is big-endian; little-endian mode is only supported for external memory.
Efficient and powerful ARM7TDMI core (50MHz: 10MHz * 5)
Cost-effective JTAG-based debug solution
Boundary scan
Routers
The Samsung S3C4510 CPU is present in a lot of access points (warning: check the hardware revisions!):
GL2422AP: the OEM (Global Sun Technology) name of the board sold as D-Link APs and by other vendors
BeWan6104W the same as the Draytek2600we
Billion BIPAC 650 SE
CNET CNWR-811P (are there any pictures of the board?)
Dell Truemobile 1184: Linux inside already; some versions seem to have no JTAG; made by Gemtek
DlinkDwl900Ap+ RevA and RevB (not RevC)
Dlink DWL1000ap+
Draytek2600we
Linksys wap11 ver 2.2 same as the USR2249
Nokia MP5121 ADSL router (same as ZyXEL Prestige 642R).
PheeNet WL-522BA; same as the USR2249
SMC2455W same as the USR2249
SMC Barricade 7004AWBR Made by Accton; FCC-ID: HED7004ACC
SMC Barricade 7404WBRA Made by Accton; FCC-ID: HED7404WBRAACC
Trendnet TEW-310APB: the same as the USR2249
USR2249: cf. picture above
ZyXEL Prestige 642R ADSL router
ZyXEL B-1000 11 Mbps bridge
Netgear MR314: which revision? which wifi card?
Netgear MR814 Wireless Router
01tech (Zero One Technology) AF411W broadband DSL/cable wireless firewall router
1stWave Wavemaxx Pro, same as the AF411W. Has Prism2 PCMCIA Card inside, two antennas, printer port, no console
Complete list: http://www.vallstedt-networks.de/vendors/GST_Vendors/
Others: search the FCC database for every 22 Mbps router (USR8022?, Siemens 22 Mbps SpeedStream?, etc.)
Model | FCC-ID | Flash | RAM | WLAN card | Pictures | Board Manufacturer | Comments | Owners
JWP-AWL500 | - | MX29LV800BTC-90 | HY57V16160DTC-7 | PCMCIA Benq AWL100 | - | - | - | wifimaarten AatT hotmail DdOotT com
BeWan6104W | XXX-XXXXX | - | - | - | - | - | - | meATamDOTcom
Dell Truemobile1184 | MXF-R910604 | - | - | Prism2 | - | Gemtek | No JTAG? | -
DI-614+RevA | O7J-GL2422040T | chipxxx: 1MB | chipxxx: 8MB | ACX100 CardBus | - | Global Sun Tech | - | bhATudevDOTorg
DWL-900AP+RevA | O7J-GL242204-0T | MXe021451: 2MB | Samsung K4S643232E: 8MB | ACX100 PCMCIA | - | Global Sun Tech | - | bcnw at barcelonawireless point net
DWL-900AP+RevB | KA2DWL900AP-PLUS | - | - | - | - | - | - | meATamDOTcom
DWL-1000AP+ | KA2DWL-1000APPLUS | - | - | - | - | - | - | meATamDOTcom
Draytek2200we | XXX-XXXXX | - | - | - | - | - | - | meATamDOTcom
Draytek2600we | XXX-XXXXX | - | - | - | - | - | - | meATamDOTcom
PheeNet WL-522BA (GL2422AP-OT V1.1) | O7J-GL2422AP | MX29LV800BTC-90: 1MB | Hynix HY57V643220CT-6: 8MB | - | - | Global Sun Tech, most likely | ACX100 driver main developer | andi AT lisas DOT de
SMC2455W | O7J-GL2422AP | MX29LV800BTC-90: 1MB | Hynix HY57V643220CT-6: 8MB | ACX100 PCMCIA card | - | Global Sun Tech | - | sgaleano AT badalonawireless DOT net
SMC 7004AWBR | HED7004ACC | - | - | - | - | - | - | meATamDOTcom
SMC 7404WBRA | HED7404WBRAACC | - | - | - | - | - | - | meATamDOTcom
TEW-310APB | XXX-XXXXX | - | - | - | - | - | - | meATamDOTcom
TEW-310APBX | XXX-XXXXX | - | - | - | - | - | - | meATamDOTcom
USR2249 | XXX-XXXXX | - | - | - | - | - | - | meATamDOTcom
Netgear MR314 | XXX-XXXXX | - | - | - | - | - | - | meATamDOTcom
Is it a serial connector at the top left?
Serial access
Thanks to the good fingers and skills of Greg Holger
JTAG
Pinout
The pinout and pictures are given here: http://www.x123.info/?menu=614
Adapter on the parallel (//) port
Jtag-tools
apt-get install jtag-tools
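Before pushing anything through the JTAG adapter it is worth checking that the image actually fits the flash part listed in the table above (the GL2422AP boards carry a 1 MB MX29LV800; the boot log further down reports an M29W800DB of the same size at address 0) and reading the flash back afterwards to compare. The script below is an added example, not code from this page or from the jtag-tools project; it assumes the openwince jtag command syntax, a WIGGLER-type cable on parallel port 0x378 (the cable type is not stated on the page) and flash mapped at address 0x0.

```shell
#!/bin/sh
# Added example: pre-flash sanity check and jtag command script generator
# for the S3C4510B boards above. Assumptions (not from the page): openwince
# jtag command syntax, WIGGLER cable on 0x378, flash at address 0x0.
set -eu

# Flash part name -> capacity in bytes. MX29LV800 and M29W800 are 8 Mbit.
flash_size_bytes() {
    case "$1" in
        MX29LV800*|M29W800*) echo 1048576 ;;
        MXe021451*)          echo 2097152 ;;   # listed as 2MB in the table
        *) echo "unknown flash part: $1" >&2; return 1 ;;
    esac
}

# Return 0 if FILE fits into flash part PART, 1 otherwise.
image_fits() {
    file=$1; part=$2
    size=$(wc -c < "$file" | tr -d ' ')
    max=$(flash_size_bytes "$part") || return 1
    [ "$size" -le "$max" ]
}

# Print the jtag command script: detect the chain and the flash, program
# IMAGE at 0x0, then read SIZE bytes back into DUMP for comparison.
gen_jtag_script() {
    image=$1; dump=$2; size=$3
    printf 'cable parallel 0x378 WIGGLER\n'
    printf 'detect\n'
    printf 'detectflash 0x0\n'
    printf 'flashmem 0x0 %s\n' "$image"
    printf 'readmem 0x0 0x%x %s\n' "$size" "$dump"
}

# Compare the read-back dump with the image (extra bytes in the dump,
# i.e. the unused rest of the flash, are ignored).
verify_readback() {
    image=$1; dump=$2
    size=$(wc -c < "$image" | tr -d ' ')
    head -c "$size" "$dump" | cmp -s - "$image"
}

# Usage: sh jtagflash.sh IMAGE FLASHPART  (e.g. sh jtagflash.sh fw.bin MX29LV800BTC-90)
if [ $# -eq 2 ]; then
    image_fits "$1" "$2" || { echo "$1 does not fit into $2" >&2; exit 1; }
    gen_jtag_script "$1" readback.bin "$(flash_size_bytes "$2")" > flash.jtag
    echo "written flash.jtag; run: jtag < flash.jtag, then verify_readback $1 readback.bin"
fi
```

The size check matters because the "Fit them in 1MB flash" item in the Todo list is not theoretical: an oversized image silently truncated by the programmer leaves a board that no longer boots, and the only way back is the JTAG adapter again.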
Kernel Sources
http://sourceforge.net/projects/samsung-uclinux/
Cross compilation
Installation of the cross compiler for ARM
apt-get install binutils-arm-linux
HackingSessions
Here are pictures of the hacking session:
http://www.ffii.org/~zoobab/bh.udev.org/filez/projects/uClinux-samsung4510/hackparty031019/
http://www.ffii.org/~zoobab/bh.udev.org/filez/projects/uClinux-samsung4510/hackparty031101/
We succeeded in reflashing the DI-614+, but we still need to modify the BIOS to support the different I/O layout before the kernel will boot on it...
There are some comments on Slashdot (02nov2003)
Booter
Booter for Samsung S3C4510B: http://sourceforge.net/projects/bios-lt/
Kernel
Result: the kernel boots without problems (image pushed over TFTP, root filesystem over NFS):
Compex BIOS for SAMSUNG S3C4510B v1.20-lt74
Press Enter for Menu, Esc for Safe Mode
Initializing system .... Done
Found M29W800DB at 0x00000000
Loading Image From Net ................
bios_eth_cfg, from: 0001011c
Mini TFTP Server 1.0 (IP : 192.168.42.2)
Starting the TFTP download...
Starting the TFTP download...
.............................. Done
<4>Linux version 2.4.22-uc0 (root@codecarver) (gcc version 2.95.2 20000313 (Debian GNU/Linux)) #81 Sun Nov 2 15:24:47 CET 2003
<4>Processor: Samsung S3C4510B revision 6
<4>Architecture: SNDS100
<4>On node 0 totalpages: 2048
<4>zone(0): 0 pages.
<4>zone(1): 2048 pages.
<4>zone(2): 0 pages.
<4>Kernel command line: ip=192.168.42.2:192.168.42.1:192.168.42.1:255.255.255.0:hackme:eth0:none nfsroot=192.168.42.1:/home/p2/uclinux-arm-root
<4>Calibrating delay loop... 24.83 BogoMIPS
<6>Memory: 8MB = 8MB total
<5>Memory: 6988KB available (848K code, 175K data, 48K init)
<6>Dentry cache hash table entries: 1024 (order: 1, 8192 bytes)
<6>Inode cache hash table entries: 512 (order: 0, 4096 bytes)
<6>Mount cache hash table entries: 512 (order: 0, 4096 bytes)
<6>Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
<4>Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
<4>POSIX conformance testing by UNIFIX
<6>Linux NET4.0 for Linux 2.4
<6>Based upon Swansea University Computer Society NET3.039
<4>Initializing RT netlink socket
<4>Starting kswapd
<6>Samsung S3C4510 Serial driver version 0.9 (2001-12-27) with no serial options enabled
<6>ttyS00 at 0x3ffd000 (irq = 5) is a S3C4510B
<6>ttyS01 at 0x3ffe000 (irq = 7) is a S3C4510B
<6>Samsung S3C4510 Ethernet driver version 0.1 (2002-02-20) <mac@os.nctu.edu.tw>
<6>eth0: 00:40:95:36:35:34
<6>NET4: Linux TCP/IP 1.0 for NET4.0
<6>IP Protocols: ICMP, UDP, TCP
<6>IP: routing cache hash table of 512 buckets, 4Kbytes
<6>TCP: Hash tables configured (established 512 bind 512)
<4>IP-Config: Complete:
<4>      device=eth0, addr=192.168.42.2, mask=255.255.255.0, gw=192.168.42.1,
<4>     host=hackme, domain=, nis-domain=(none),
<4>     bootserver=192.168.42.1, rootserver=192.168.42.1, rootpath=
<4>ip_tables: (C) 2000-2002 Netfilter core team
<6>NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
<5>Looking up port of RPC 100003/2 on 192.168.42.1
<5>Looking up port of RPC 100005/1 on 192.168.42.1
<4>VFS: Mounted root (nfs filesystem).
<4>Freeing init memory: 48K
We've used the bios-lt ucdist to compile the kernel.
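The log above shows the two host-side pieces this netboot needs: the bios-lt BIOS runs a small TFTP server on the board itself (192.168.42.2), so the host pushes the kernel image to the board rather than serving it, and the kernel then mounts its root over NFS from 192.168.42.1:/home/p2/uclinux-arm-root. The script below is an added example of that host setup, not code from this page or from the bios-lt project. It assumes the tftp-hpa client syntax, a Linux kernel NFS server, and that the ip=/nfsroot= string is compiled into the uClinux kernel (CONFIG_CMDLINE) rather than passed by the BIOS; all three are assumptions, not facts stated on the page.

```shell
#!/bin/sh
# Added example: host side of the TFTP-push + NFS-root boot seen in the log.
# Assumptions (not from the page): tftp-hpa client, Linux NFS server,
# command line compiled into the kernel via CONFIG_CMDLINE.
set -eu

HOST_IP=192.168.42.1                 # development PC, NFS server
BOARD_IP=192.168.42.2                # S3C4510B board, runs the BIOS TFTP server
NFS_ROOT=/home/p2/uclinux-arm-root   # exported root filesystem (from the log)

# Kernel command line matching the boot log. Field order of ip= is
# client:server:gateway:netmask:hostname:device:autoconf.
kernel_cmdline() {
    printf 'ip=%s:%s:%s:255.255.255.0:hackme:eth0:none nfsroot=%s:%s\n' \
        "$BOARD_IP" "$HOST_IP" "$HOST_IP" "$HOST_IP" "$NFS_ROOT"
}

# /etc/exports entry for the root filesystem. Restricted to the board's IP;
# no_root_squash because init runs as uid 0 on the board; insecure because
# the embedded NFS client may not use a privileged source port.
nfs_export_line() {
    printf '%s %s(rw,sync,no_root_squash,insecure,no_subtree_check)\n' \
        "$NFS_ROOT" "$BOARD_IP"
}

# Minimal check that the exported tree can actually be booted from:
# it must exist and contain an executable init somewhere the kernel looks.
rootfs_ok() {
    dir=$1
    [ -d "$dir" ] && {
        [ -x "$dir/sbin/init" ] || [ -x "$dir/bin/init" ] || [ -x "$dir/init" ]
    }
}

# Push the kernel image to the TFTP server running in the board's BIOS.
# Binary mode is essential: netascii would corrupt the image.
push_image() {
    tftp -m binary "$BOARD_IP" -c put "$1"
}

# Usage: sh netboot.sh cmdline | exports | push IMAGE
case "${1:-}" in
    cmdline) kernel_cmdline ;;
    exports) nfs_export_line ;;
    push)
        rootfs_ok "$NFS_ROOT" || { echo "no bootable init under $NFS_ROOT" >&2; exit 1; }
        push_image "${2:-linux.bin}" ;;
esac
```

Run "sh netboot.sh exports >> /etc/exports && exportfs -ra" on the host, put the output of "sh netboot.sh cmdline" into the kernel configuration, then "sh netboot.sh push linux.bin" while the BIOS is waiting in "Loading Image From Net". Keep the board on an isolated segment: the export is world-writable for anything that can spoof 192.168.42.2.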
Links
http://www.wirelessleiden.nl/wcl/cgi-bin/moin.cgi/BenqAwl500
http://linux.derkeiler.com/Newsgroups/comp.os.linux.embedded/2003-07/0003.html
Questions
Q: One interesting thing about at least some ACX100-based APs is that (in order to save costs?) designers use some "16-bit slave" mode of the chipset. I.e. the card included in DWL-900AP+ isn't really a PCMCIA or cardbus device, but rather some kind of zombie. Does anyone have ACX100 docs? Furthermore it looks like at least on this device they use a PLD to multiplex an 8-bit signal from the 4510. Anyone know anything about this? -- JerrittCollord
A: It's a real 22 Mbps CardBus card, like the other 22 Mbps CardBus cards based on the TI chipset -- bhATudev.org
A: Yes, it's a real CardBus card (from the HW's point of view), but in the serial EEPROM of the card, the card is configured to the simple slave IO mode. The signals, however, are still in the CardBus layout, so it seems impossible to use any other CardBus or PCMCIA card. The register space is mapped to 0x7600000 of the ARM's address space. Take a look at http://debugmo.de/download/acx100.c. Yes, this is very ugly code, but it shows the basic interfacing.
Maybe it's possible to merge this with the SourceForge acx100 driver. You need a firmware image called apfw_image, and the radio firmware image called apfw2.
Q: There's a security flaw in USR2249 clones, exploit described here. Could it be useful to make a test/firmware upgrade for those boards over TFTP (without reflashing)?
Q: Any thoughts about replacing the pcmcia card in units such as the 900+ with a prism based card and just using the hostap driver?
A: As noted above, this won't work, since it's a proprietary slave-io-on-cardbus-pinout. Sorry.
Q: What about the GSTSEARCH backdoor?
A: They claimed to remove the backdoor, which enabled you to read out configuration data without knowing any password, but in reality, they just encrypted it.
Look at http://debugmo.de/download/dwl900.tar.gz for a DWL900AP+(revA) exploit. It won't work with other brands, they have different keys.
Suggestions
Hacking other APs with JTAG that are likely to run Linux: OtherAPwithJTAG
Dig into the FCC search site with the FCC-IDs of those routers: http://www.google.be/search?q=cache:xFoLT9FZZR8J:www.netopia.com/3DReach/News_IQ_Labs_Report.pdf+netgear+mr814+fcc-id&hl=fr&ie=UTF-8
Some ZyXEL routers and derivatives (Netgear etc.) with the S3C4510 run a bootloader with a powerful command-line interface; more info about that and about the image formats is at http://www.ixo.de/info/zyxel_uclinux/