Debricking Fonera Using a Serial cable Alone

La Fonera (2100) Hardware

  • CPU: Atheros AR531X_COBRA – MIPS 4KEc V6.4 – 183.50 MHz
  • RAM: Hynix hy57v281620etp-h – 16 MB
  • Flash: ST(84) H – 25P64V6P – MYS 636 – 8 MB
  • Ethernet: (1x) Altima AC101 (10/100 Mbit/s) [Auto-MDI(X)]
  • Wireless: IEEE 802.11b / 802.11g (up to 54 Mbps)
  • Serial Port exposed on PCB J2
  • Antenna Connector: RP-SMA Connector (Reverse SMA)
  • Antenna Omni-Directional detachable antenna (2dBi)
  • Power supply Input: 100-240V ~ 50-60 Hz 0.3A. Output: 5V DC, 2.0A
  • Power Consumption: 4 Watt

I will use the Serial Port to connect La Fonera, there are also other methods to flash Openwrt on La Fonera but my Router was bricked somehow I just had this solution (RedBoot) left..

MAX232 Serial level converter

When communicating with various micro processors one needs to convert the RS232 levels down to lower levels, typically 3.3 or 5.0 Volts. Here is a cheap and simple way to do that.

Serial RS-232 (V.24) communication works with voltages -15V to +15V for high and low. On the other hand, TTL logic operates between 0V and +5V. Modern low power consumption logic operates in the range of 0V and +3.3V or even lower.

RS-232 TTL Logic
-15V …  -3V +2V … +5V High
+3V … +15V 0V … +0.8V Low

Thus the RS-232 signal levels are far too high TTL electronics, and the negative RS-232 voltage for high can’t be handled at all by computer logic. To receive serial data from an RS-232 interface the voltage has to be reduced.  Also the low and high voltage level has to be inverted.

This level converter uses a Max232 and five capacitors. The max232 is quite cheap (less than 5 dollars) or if you’re lucky you can get a free sample from Maxim.

The MAX232 from Maxim was the first IC which in one package contains the necessary drivers and receivers to adapt the RS-232 signal voltage levels to TTL logic. It became popular, because it just needs one voltage (+5V or +3.3V) and generates the necessary RS-232 voltage levels.

The required parts:

1 x female serial port connector

1 x max 232

4 x 1uF capacitor

1 x 10uF capacitor

Soldering iron, wires, breadboard etc.

Schematic


Inside the Fonera router

Anxious to see what was inside I started disassembling. On the way i took some pictures for you all to see so read on!

As the router is small, it does not provide any additional LAN ports. One WAN portDC input and the External RP-SMA connector with antenna can be seen in the picture below.

Disassembling the foneros router

Remove the mounting screws that are located under the rubber paddings:

Remove the antenna:

Pry off the white casing using a flathead driver:

Below you can see the top side of the main board. It seems to have one additional antenna soldering point.

There is a serial port connector next to the two capacitors.

To access Fonera you can use any terminal application. HyperTerminal ships with windows and it will do fine. Connect your La Fonera to Com1 and Start HyperTerminal from:

Start->Programs->Accessories->Communications->HyperTerminal.

You will need to set up communication settings to

9600-8-N-1 and no flow control:

And here you have it:

It seems that the Fonera sometimes doesn’t want to boot when connected to serial. This problem is because of connected TX wire at the Fonera side. If you don’t see anything and the little sucker apparently isn’t booting at all, disconnect the TX from the Fonera and boot with RX connected only. Once you see the first line of output running over your screen, quickly connect TX line, too. Other people just tried booting and connecting the serial cable only 5sec later, though I suppose you will need some practice, as the point where you need to activate the RedBoot boot loader will come after only a few lines of serial output.

I just connected the power cable to La Fonera and 1-2s later I connected the TX and RX lines (GND was already connected). This worked like a charm.

When you make the session from your Fonera to HyperTerminal or SecureCRT, you will see some thing like this,

+PHY ID is 0022:5521l (TFTP)

Ethernet eth0: MAC address 00:18:84:17:01:4c

IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0

Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROMRAM]

Non-certified release, version v1.3.0 – built 16:57:58, Aug 7 2006

Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.

Board: ap51

RAM: 0×80000000-0×81000000, [0x80040450-0x80fe1000] available

FLASH: 0xa8000000 – 0xa87f0000, 128 blocks of 0×00010000 bytes each.

== Executing boot script in 10.000 seconds – enter ^C to abort

RedBoot> fis load -l vmlinux.bin.l7

Image loaded from 0×80041000-0×80282085

RedBoot> exec

If your Fonera is bricked, you session will be hanged at this step. It will not let you access OpenWrt.

If you observe carefully, after booting, we have some time (here 10 sec) before which the boot loader will load Linux image and executes it. So we need to interrupt this process before that time. So power down your router and power it on again.

Hit Ctrl+C just after you see the following message on the HyperTerminal session

== Executing boot script in 10.000 seconds – enter ^C to abort

If everything went fine, you will get a RedBoot prompt.

Flashing OpenWrt onto Fonera

fconfig is the command for configuring RedBoot loader.

RedBoot> fconfig -l

Run script at boot: true

Boot script:

.. fis load -l vmlinux.bin.l7

.. exec

Boot script timeout (1000ms resolution): 10

Use BOOTP for network configuration: false

Gateway IP address: 0.0.0.0

Local IP address: 192.168.1.254

Local IP address mask: 255.255.255.0

Default server IP address: 0.0.0.0

Console baud rate: 9600

GDB connection port: 9000

Force console for special debug messages: false

Network debug at boot time: false

If you want to change these entries, just issue “fconfig” with out any switches. It will prompt you for new value for each entry as explained below.

Prepare for Networking

(Follow this step only if your Ethernet connection is detected by your computer if connected)

RedBoot> fconfig bootp_my_ip_mask 255.255.0.0
bootp_my_ip_mask: Setting to 255.255.0.0
Update RedBoot non-volatile configuration – continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000:
… Program from 0x80ff0000-0×81000000 at 0xa87e0000:
RedBoot> fconfig bootp_my_ip 192.168.1.2
bootp_my_ip: Setting to 192.168.1.2
Update RedBoot non-volatile configuration – continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .

… Program from 0x80ff0000-0×81000000 at 0xa87e0000: .
RedBoot> fconfig bootp_server_ip: Setting to 192.168.1.10
Update RedBoot non-volatile configuration – continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0×81000000 at 0xa87e0000: .
RedBoot> fconfig boot_script_timeout 10
boot_script_timeout: Setting to 10

Update RedBoot non-volatile configuration – continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0×81000000 at 0xa87e0000:
RedBoot> fconfig net_debug false
net_debug: Setting to false
Update RedBoot non-volatile configuration – continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0×81000000 at 0xa87e0000: .
RedBoot> reset

The reset is needed to accept your settings!

WARNING: the option “fconfig net_debug true” will enable RedBoot LAN access BUT your network performance will be arround 2500 b/s! So do NOT use it when you have a serial connection! You can enable this option when Openwrt runs on this beast so you don’t need to attach the serial cables anymore.

If you “fconfig” RedBoot you will see this

RedBoot> fconfig -l

Run script at boot: true

Boot script:

.. fis load -l vmlinux.bin.l7

.. exec

Boot script timeout (1000ms resolution): 10

Use BOOTP for network configuration: false

Gateway IP address: 0.0.0.0

Local IP address: 192.168.1.2

Local IP address mask: 255.255.0.0

Default server IP address: 192.168.1.10

Console baud rate: 9600

GDB connection port: 9000

Force console for special debug messages: false

Network debug at boot time: false

RedBoot>

Optional: A Baud rate of 9600 is very less. It makes your serial transfer very very slow, to over-ride this; you can increase the baud rate up to 115200. I tested this. But make sure to reset the baud rate to 9600 after flashing OpenWrt else you will have problems booting to Linux Kernel (I spent half-day figuring this out).

If to want to change the Baud Rate,

RedBoot> fconfig console_baud_rate 115200

Update RedBoot non-volatile configuration – continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0×81000000 at 0xa87e0000:

Reset Fonera to make changes effective and make sure you update the connection setting on your terminal application

Reboot Fonera

RedBoot> reset

Initialize flash image system:

RedBoot> fis list

Name FLASH addr Mem addr Length Entry point

RedBoot 0xA8000000 0xA8000000 0×00030000 0×00000000

vmlinux.bin.l7 0xA8030000 0×80041000 0x000C0000 0×80041000

rootfs 0xA80F0000 0×80041000 0x006F0000 0×00000000

FIS directory 0xA87E0000 0xA87E0000 0x0000F000 0×00000000

RedBoot config 0xA87EF000 0xA87EF000 0×00001000 0×00000000

RedBoot> fis init

About to initialize [format] FLASH image system – continue (y/n)? y

*** Initialize FLASH Image System

… Erase from 0xa87e0000-0xa87f0000: .

… Program from 0x80ff0000-0×81000000 at 0xa87e0000: .

RedBoot> fis list

Name FLASH addr Mem addr Length Entry point

RedBoot 0xA8000000 0xA8000000 0×00030000 0×00000000

FIS directory 0xA87E0000 0xA87E0000 0x0000F000 0×00000000

RedBoot config 0xA87EF000 0xA87EF000 0×00001000 0×00000000

Now La Fonera is clean, the Kernel and the Root-File system are deleted.

Load vmlinux image into Ram disk:

Now the Kernel had to be transferred to La Fonera. You could use different protocols like TFTP, HTTP, Xmodem and Ymodem,

Fonera detected over LAN:

Before you start get the required files from the following link:

http://downloads.open-mesh.net/mesh-potato/

You will need

openwrt-atheros-2.6-vmlinux.lzma (kernel),

openwrt-atheros-2.6-root.squashfs (rootfs)

If your Fonera is detected by your computer over Ethernet use TFTP or HTTP, else you can use xmodem or ymodem which transfers the files to your Fonera over serial cable. You can use tftpd32 from Ph. Jounin (http://tftpd32.jounin.net/). Place tftpd32.exe and your files (openwrt-atheros-2.6-vmlinux.lzma and openwrt-atheros-2.6-root.squashfs) in a directory and start tftpd32.exe.

RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma

Using default protocol (TFTP)

Raw file loaded 0×80040800-0x801007ff, assumed entry at 0×80040800

Fonera not detected Over LAN:

If your Ethernet is not detected, there is no way you can transfer kernel image from your computer to FON using either TFTP or HTTP servers. In that case I would suggest you to download and install a software which allows xmodem and ymodem protocols. One such software is SecureCRT by Vandyke software. You could get a trial version on their website.

Disconnect your HyperTerminal connection. Connect your Fonera with SecureCRT over serial protocol with the same settings you used for HyperTerminal.

Issue the following command to make RedBoot to run ymodem server and immediately, start the kernel file transfer to Fonera over ymodem (ymodem is faster than xmodem) protocol as shown

RedBoot> load -r -v -b 0×80041000 -m ymodem

CCC

Starting ymodem transfer. Press Ctrl+C to cancel.

Transferring openwrt-atheros-vmlinux.lzma…

100% 768 KB 7 KB/s 00:01:47 0 Errors

Raw file loaded 0×80041000-0x80100fff, assumed entry at 0×80041000

xyzModem – CRC mode, 6146(SOH)/0(STX)/0(CAN) packets, 5 retries


Creating Flash image for vmlinux.bin.l7 partition:

Output (took about 2mins to store the file into the flash):

RedBoot> fis create vmlinux.bin.l7

… Erase from 0xa8030000-0xa80f0000: …………

… Program from 0×80041000-0×80101000 at 0xa8030000: …………

… Erase from 0xa87e0000-0xa87f0000: .

… Program from 0x80ff0000-0×81000000 at 0xa87e0000: .

Now if you issue fis list this is how it looks

RedBoot> fis list

Name FLASH addr Mem addr Length Entry point

RedBoot 0xA8000000 0xA8000000 0×00030000 0×00000000

vmlinux.bin.l7 0xA8030000 0×80041000 0x000C0000 0×80041000

FIS directory 0xA87E0000 0xA87E0000 0x0000F000 0×00000000

RedBoot config 0xA87EF000 0xA87EF000 0×00001000 0×00000000


Loading rootfs Filesystem into ram disk:

Fonera detected over Lan:

RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
Raw file loaded 0×80040800-0x801607ff, assumed entry at 0×80040800

Fonera not detected Over LAN:

Similarly, on ymodem protocol,

RedBoot> load -r -b %{FREEMEMLO} -m ymodem

CC

Starting ymodem transfer. Press Ctrl+C to cancel.

Transferring openwrt-atheros-root.squashfs…

100% 1536 KB 7 KB/s 00:03:17 0 Errors

Raw file loaded 0×80040800-0x801c07ff, assumed entry at 0×80040800

xyzModem – CRC mode, 12290(SOH)/0(STX)/0(CAN) packets, 4 retries


Creating Flash image to store rootfs:

output (took about 4mins to store):

RedBoot> fis create rootfs

… Erase from 0xa80f0000-0xa8270000: ……………………

… Program from 0×80040800-0x801c0800 at 0xa80f0000: ……………………

… Erase from 0xa87e0000-0xa87f0000: .

… Program from 0x80ff0000-0×81000000 at 0xa87e0000: .

Caution:

Earlier in this tutorial if you changed the baud rate from default value (9600), change it back after this step. Else your Linux image wont bootup.

RedBoot> fconfig console_baud_rate 9600

Update RedBoot non-volatile configuration – continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0×81000000 at 0xa87e0000:

Reboot Fonera

RedBoot> reset

If everything went well, you should see something like this

PHY ID is 0022:5521

Ethernet eth0: MAC address 00:18:54:97:21:0c

IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0

Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROMRAM]

Non-certified release, version v1.3.0 – built 16:57:58, Aug 7 2006

Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.

Board: ap51

RAM: 0×80000000-0×81000000, [0x80040450-0x80fe1000] available

FLASH: 0xa8000000 – 0xa87f0000, 128 blocks of 0×00010000 bytes each.

== Executing boot script in 10.000 seconds – enter ^C to abort

RedBoot> fis load -l vmlinux.bin.l7

Image loaded from 0×80041000-0×80282085

RedBoot> exec

Now booting linux kernel:

Base address 0×80030000 Entry 0×80041000

Cmdline:.

Linux version 2.6.21.5 (ubuntu@ubuntu-laptop) (gcc version 4.1.2) #1 Sat Sep 29 11:04:17 CEST 2007

CPU revision is: 00019064

Determined physical RAM map:

memory: 01000000 @ 00000000 (usable)

Initrd not found or empty – disabling initrd

Built 1 zonelists. Total pages: 4064

Kernel command line: console=ttyS0,9600 rootfstype=squashfs,jffs2 init=/etc/preinit

Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.

Primary data cache 16kB, 4-way, linesize 16 bytes.

Synthesized TLB refill handler (20 instructions).

Synthesized TLB load handler fastpath (32 instructions).

Synthesized TLB store handler fastpath (32 instructions).

Synthesized TLB modify handler fastpath (31 instructions).

PID hash table entries: 64 (order: 6, 256 bytes)

Using 92.000 MHz high precision timer.

Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)

Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)

Memory: 13504k/16384k available (1955k kernel code, 2880k reserved, 292k data, 116k init, 0k highmem)

Mount-cache hash table entries: 512

NET: Registered protocol family 16

Radio config found at offset 0xf8(0x1f8)

Time: MIPS clocksource has been installed.

NET: Registered protocol family 2

IP route cache hash table entries: 1024 (order: 0, 4096 bytes)

TCP established hash table entries: 512 (order: 0, 4096 bytes)

TCP bind hash table entries: 512 (order: -1, 2048 bytes)

TCP: Hash tables configured (established 512 bind 512)

TCP reno registered

squashfs: version 3.0 (2006/03/15) Phillip Lougher

Registering mini_fo version $Id$

JFFS2 version 2.2. (NAND) (C) 2001-2006 Red Hat, Inc.

io scheduler noop registered

io scheduler deadline registered (default)

Serial: 8250/16550 driver $Revision: 1.90 $ 1 ports, IRQ sharing disabled

serial8250: ttyS0 at MMIO 0xb1100003 (irq = 37) is a 16550A

eth0: Dropping NETIF_F_SG since no checksum feature.

eth0: Atheros AR231x: 00:18:84:14:39:94, irq 4

cmdlinepart partition parsing not available

Searching for RedBoot partition table in spiflash at offset 0x7d0000

Searching for RedBoot partition table in spiflash at offset 0x7e0000

5 RedBoot partitions found on MTD device spiflash

Creating 5 MTD partitions on “spiflash”:

0×00000000-0×00030000 : “RedBoot”

0×00030000-0x000f0000 : “vmlinux.bin.l7″

0x000f0000-0x007e0000 : “rootfs”

0×00200000-0x007e0000 : “rootfs_data”

0x007e0000-0x007ef000 : “FIS directory”

0x007ef000-0x007f0000 : “RedBoot config”

nf_conntrack version 0.5.0 (128 buckets, 1024 max)

ip_tables: (C) 2000-2006 Netfilter Core Team

TCP vegas registered

NET: Registered protocol family 1

NET: Registered protocol family 17

802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>

All bugs added by David S. Miller <davem@redhat.com>

VFS: Mounted root (squashfs filesystem) readonly.

Freeing unused kernel memory: 116k freed

Warning: unable to open an initial console.

eth0: Configuring MAC for full duplex

Algorithmics/MIPS FPU Emulator v1.5

- preinit -

jffs2 not ready yet; using ramdisk

mini_fo: using base directory: /

mini_fo: using storage directory: /tmp/root

- init -

init started: BusyBox v1.4.2 (2007-09-26 19:44:01 CEST) multi-call binary

Please press Enter to activate this console. device eth0 entered promiscuous mode

br-lan: port 1(eth0) entering learning state

br-lan: topology change detected, propagating

br-lan: port 1(eth0) entering forwarding state

PPP generic driver version 2.4.2

wlan: 0.8.4.2 (svn r2568)

ath_hal: module license ‘Proprietary’ taints kernel.

ath_hal: 0.9.30.13 (AR5212, AR5312, RF2316, TX_DESC_SWAP)

ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (svn r2568)

ath_rate_minstrel: look around rate set to 10%

ath_rate_minstrel: EWMA rolloff level set to 75%

ath_rate_minstrel: max segment size in the mrr set to 6000 us

wlan: mac acl policy registered

ath_ahb: 0.9.4.5 (svn r2568)

ath_pci: switching rfkill capability off

ath_pci: switching per-packet transmit power control off

wifi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps

wifi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps

wifi0: H/W encryption support: WEP AES AES_CCM TKIP

wifi0: mac 11.0 phy 4.8 radio 7.0

wifi0: Use hw queue 1 for WME_AC_BE traffic

wifi0: Use hw queue 0 for WME_AC_BK traffic

wifi0: Use hw queue 2 for WME_AC_VI traffic

wifi0: Use hw queue 3 for WME_AC_VO traffic

wifi0: Use hw queue 8 for CAB traffic

wifi0: Use hw queue 9 for beacons

wifi0: Atheros 2315 WiSoC: mem=0xb0000000, irq=3

jffs2_scan_eraseblock(): End of filesystem marker found at 0×0

jffs2_build_filesystem(): unlocking the mtd device… done.

jffs2_build_filesystem(): erasing all blocks after the end marker… done.

mini_fo: using base directory: /

mini_fo: using storage directory: /jffs

BusyBox v1.4.2 (2007-09-26 19:44:01 CEST) Built-in shell (ash)

Enter ‘help’ for a list of built-in commands.

_______ ________ __

| |.—–.—–.—–.| | | |.—-.| |_

| – || _ | -__| || | | || _|| _|

|_______|| __|_____|__|__||________||__| |____|

|__| W I R E L E S S F R E E D O M

KAMIKAZE (7.09) ———————————–

* 10 oz Vodka Shake well with ice and strain

* 10 oz Triple sec mixture into 10 shot glasses.

* 10 oz lime juice Salute!

—————————————————

root@OpenWrt:/#

References

http://sodoityourself.com/max232-serial-level-converter/

http://sodoityourself.com/inside-the-fon-router/

http://sodoityourself.com/accessing-serial-console-on-the-fon/

http://www.neophob.com/serendipity/index.php?/archives/132-Using-Openwrt-on-La-Fonera-for-Dummies.html

http://wiki.openwrt.org/OpenWrtDocs/Hardware/Fon/Fonera

RedBoot Command Overview
ip_address — Set IP addresses
load — Download programs or data to the RedBoot platform
fis init — Initialize Flash Image System (FIS)
fis create — Create flash image
fis free — Free flash image
fis load — Load flash image

disks — List available disk partitions.
ping — Verify network connectivity (ping -h 192.168.1.10 -v -n 4)
baudrate — Set the baud rate for the system serial console
reset — Reset the device
.. this will be equivalent to a power-on reset condition.
version — Display RedBoot version information
go — Execute a program
exec — Execute a Linux kernel

RedBoot FIS Commands

Note: The commands listed below should be used only on the instruction of Advanced Relay Technical Support. Improper use of these commands may render the PXS inoperable.

Command Description
fis create [-b <base>][-l <image length>][-s <data length>][-f <flash address>][-e <entry>][-r <ram address>][-n] <name> Creates an image in FLASH from data in RAM
fis delete <name> Removes an image from FLASH
fis erase -f <flash address> -l <length> Erases an area of FLASH
fis free Shows which areas of FLASH are not in use
fis help Displays help for FIS commands
fis init [-f] Initializes FLASH
fis list [-c] List images in FLASH and information about them
The -c option displays image checksum instead of memory address
fis load [-b <base>][-c] <name> Loads an image from FLASH to RAM
The -c option displays the image checksum

Tags: , , ,