Yesterday I posted about my new Linksys router, I had to open it because I flashed a wrong firmware image to it.
All it did was flashing a blue led.. but there’s a cure.
In this post I will explain how to connect a serial console to your Linksys WRT320N router!
Remember the solder pads from the last post? Here’s a closeup image:
The pads are labeled, it’s a serial connection. Connecting only the RX/TX signals and the GND signal is sufficient.
Please note that you need a logic level converter (such as a max232, or telephone datacables) to convert the signal.
Now that we have a possibility to connect to the console of the router, we can all sorts of cool stuff. Including interrupting the bootloader to flash a new firmware image!
Here’s a boot log of the router with a dd-wrt (big) image:
CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Fri Jul 24 07:15:00 EDT 2009 (root@Raymond.Lai)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.
Initializing Arena
Initializing Devices.
No DPN
This is a Serial Flash
Boot partition size = 262144(0x40000)
Found a 8MB ST compatible serial flash
Partition information:
boot #00 00000000 -> 0003FFFF (262144)
trx #01 00040000 -> 0004001B (28)
os #02 0004001C -> 007F7FFF (8093668)
nvram #03 007F8000 -> 007FFFFF (32768)
Partition information:
boot #00 00000000 -> 0003FFFF (262144)
trx #01 00040000 -> 007F7FFF (8093696)
nvram #02 007F8000 -> 007FFFFF (32768)
BCM47XX_GMAC_ID
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.56.9
CPU type 0x19740: 354MHz
Total memory: 32768 KBytes
Total memory used by CFE: 0x80700000 - 0x807A1D80 (662912)
Initialized Data: 0x80735D20 - 0x80738920 (11264)
BSS Area: 0x80738920 - 0x8073BD80 (13408)
Local Heap: 0x8073BD80 - 0x8079FD80 (409600)
Stack Area: 0x8079FD80 - 0x807A1D80 (8192)
Text (code) segment: 0x80700000 - 0x80735D18 (220440)
Boot area (physical): 0x007A2000 - 0x007E2000
Relocation Factor: I:00000000 - D:00000000
Boot version: v5.4
The boot is CFE
Nothing...
### CLKDIV= 0x80a082c, SFlashClkDiv=8 clkdivsf=2 ###
### Change it to 0x20a082c (2) ###
CMD: [ifconfig eth0 -addr=192.168.1.1 -mask=255.255.255.0]
Device eth0: hwaddr 68-7F-74-96-43-CC, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
CMD: [go;]
Check CRC of image1
Len: 0x6E0000 (7208960) (0xBC040000)
Offset0: 0x1C (28) (0xBC04001C)
Offset1: 0x9A8 (2472) (0xBC0409A8)
Offset2: 0x14CC00 (1362944) (0xBC18CC00)
Header CRC: 0x853EE8DC
Calculate CRC: 0x853EE8DC
Image 1 is OK
Try to load image 1.
Waiting for 5 seconds to upgrade ...
CMD: [load -raw -addr=0x807a1d80 -max=0x185e280 :]
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: _tftpd_open(): retries=0/5
_tftpd_open(): retries=1/5
_tftpd_open(): retries=2/5
_tftpd_open(): retries=3/5
_tftpd_open(): retries=4/5
### Start=486462851 E=1250622957 Delta=764160106 ###
Failed.
Could not load :: Timeout occured
CMD: [boot -raw -z -addr=0x80001000 -max=0x6ff000 flash0.os:]
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 3856 bytes read
### Start=1257679943 E=1260915130 Delta=3235187 ###
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
Linux version 2.6.24.111 (root@dd-wrt) (gcc version 4.1.2) #1987 Sat Aug 7 02:06:16 CEST 2010
CPU revision is: 00019740
Found a 8MB ST compatible serial flash
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Built 1 zonelists in Zone order. Total pages: 8128
Kernel command line: console=ttyS0,115200 root=1f02 rootfstype=squashfs noinitrd
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
PID hash table entries: 128 (order: 7, 512 bytes)
CPU: BCM4716 rev 1 at 354 MHz
Using 177.000 MHz high precision timer.
console [ttyS0] enabled
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27344k/32768k available (3144k kernel code, 5424k reserved, 1479k data, 144k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
Generic PHY: Registered new driver
PCI: Using membase 8000000
PCI: Disabled
PCI: Fixing up bus 0
PCI: Fixing up bus 1
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
devfs: 2004-01-31 Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
squashfs: version 3.0 (2006/03/15) Phillip Lougher
io scheduler noop registered
io scheduler deadline registered (default)
HDLC line discipline: version $Revision: 4.8 $, maxframe=4096
N_HDLC line discipline registered.
Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x0 (irq = 8) is a 16550A
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
MPPE/MPPC encryption/compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V1.0
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky
eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.56.27
pflash: found no supported devices
bootloader size: 262144
sflash: Filesystem type: squashfs, size=0x585356
partition size = 5846016
Creating 5 MTD partitions on "sflash":
0x00000000-0x00040000 : "cfe"
0x00040000-0x007f0000 : "linux"
0x0018cc00-0x00720000 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
0x007f0000-0x00800000 : "nvram"
0x00720000-0x007f0000 : "ddwrt"
Broadcom Watchdog Timer: 0.07 initialized.
u32 classifier
Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
ctnetlink v0.93: registering with nfnetlink.
IPv4 over IPv4 tunneling driver
GRE over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
ClusterIP Version 0.8 loaded successfully
TCP bic registered
TCP cubic registered
TCP westwood registered
TCP highspeed registered
TCP hybla registered
TCP htcp registered
TCP vegas registered
TCP scalable registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Welcome to PF_RING 3.2.1
(C) 2004-06 L.Deri
NET: Registered protocol family 27
PF_RING: bucket length 128 bytes
PF_RING: ring slots 4096
PF_RING: sample rate 1 [1=no sampling]
PF_RING: capture TX No [RX only]
PF_RING: transparent mode Yes
PF_RING initialized correctly.
PF_RING: registered /proc/net/pf_ring/
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
decode 1f02
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 144k freed
start service
starting Architecture code for broadcom
Booting device: Linksys WRT320N
loading bcm57xx
[USB] checking...
sh: can't create /proc/switch/eth0/reset: nonexistent directory
sh: can't create /proc/switch/eth1/reset: nonexistent directory
sh: can't create /proc/switch/eth0/vlan/1/ports: nonexistent directory
sh: can't create /proc/switch/eth0/vlan/1/ports: nonexistent directory
sh: can't create /proc/switch/eth0/vlan/2/ports: nonexistent directory
sh: can't create /proc/switch/eth0/vlan/2/ports: nonexistent directory
/etc/preinit: line 66: can't create /proc/sys/net/ipv4/ip_conntrack_max: nonexistent directory
Unlocking ddwrt ...
eth1: Operation not supported
wl0.1: No such device
wl0.2: No such device
wl0.3: No such device
nbw = 20
eth1: Operation not supported
eth1: Operation not supported
eth1: Operation not supported
eth1: Operation not supported
br0: Dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature.
device br0 entered promiscuous mode
Algorithmics/MIPS FPU Emulator v1.5
br0: Bad file descriptor
device vlan1 entered promiscuous mode
device eth0 entered promiscuous mode
br0: Bad file descriptor
eth1: Operation not supported
wl0.1: No such device
wl0.2: No such device
wl0.3: No such device
nbw = 20
eth1: Operation not supported
eth1: Operation not supported
eth1: Operation not supported
eth1: Operation not supported
device eth1 entered promiscuous mode
br0: port 2(eth1) entering learning state
br0: port 1(vlan1) entering learning state
device br0 left promiscuous mode
device br0 entered promiscuous mode
device br0 left promiscuous mode
device br0 entered promiscuous mode
device vlan2 entered promiscuous mode
br0: topology change detected, propagating
br0: port 2(eth1) entering forwarding state
br0: topology change detected, propagating
br0: port 1(vlan1) entering forwarding state
Key is a RSA key
Wrote key to '/tmp/root/.ssh/ssh_host_rsa_key'
device vlan2 left promiscuous mode
Key is a DSS key
Wrote key to '/tmp/root/.ssh/ssh_host_dss_key'
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
etherip: Ethernet over IPv4 tunneling driver
The Milkfish Router Services
ERROR: Necessary service setting not found: milkfish_username - aborting.
The Milkfish Router Services
Restoring SIP ddsubscriber database from NVRAM...
Empty.
The Milkfish Router Services
Restoring SIP ddaliases database from NVRAM...
Empty.