Debricking Fonera Using a Serial cable Alone
La Fonera (2100) Hardware
- CPU: Atheros AR531X_COBRA – MIPS 4KEc V6.4 – 183.50 MHz
- RAM: Hynix hy57v281620etp-h – 16 MB
- Flash: ST(84) H – 25P64V6P – MYS 636 – 8 MB
- Ethernet: (1x) Altima AC101 (10/100 Mbit/s) [Auto-MDI(X)]
- Wireless: IEEE 802.11b / 802.11g (up to 54 Mbps)
- Serial Port exposed on PCB J2
- Antenna Connector: RP-SMA Connector (Reverse SMA)
- Antenna Omni-Directional detachable antenna (2dBi)
- Power supply Input: 100-240V ~ 50-60 Hz 0.3A. Output: 5V DC, 2.0A
- Power Consumption: 4 Watt
I will use the serial port to connect to La Fonera. There are also other methods to flash OpenWrt on La Fonera, but my router was bricked somehow, so I only had this solution (RedBoot) left.
MAX232 Serial level converter
When communicating with various micro processors one needs to convert the RS232 levels down to lower levels, typically 3.3 or 5.0 Volts. Here is a cheap and simple way to do that.
Serial RS-232 (V.24) communication works with voltages -15V to +15V for high and low. On the other hand, TTL logic operates between 0V and +5V. Modern low power consumption logic operates in the range of 0V and +3.3V or even lower.
RS-232 | TTL | Logic |
-15V … -3V | +2V … +5V | High |
+3V … +15V | 0V … +0.8V | Low |
Thus the RS-232 signal levels are far too high for TTL electronics, and the negative RS-232 voltage for high can’t be handled at all by computer logic. To receive serial data from an RS-232 interface the voltage has to be reduced. The low and high voltage levels also have to be inverted.
This level converter uses a MAX232 and five capacitors. The MAX232 is quite cheap (less than 5 dollars) or if you’re lucky you can get a free sample from Maxim.
The MAX232 from Maxim was the first IC which in one package contains the necessary drivers and receivers to adapt the RS-232 signal voltage levels to TTL logic. It became popular, because it just needs one voltage (+5V or +3.3V) and generates the necessary RS-232 voltage levels.
The required parts:
1 x female serial port connector
1 x max 232
4 x 1uF capacitor
1 x 10uF capacitor
Soldering iron, wires, breadboard etc.
Schematic
Inside the Fonera router
Anxious to see what was inside I started disassembling. On the way I took some pictures for you all to see, so read on!
As the router is small, it does not provide any additional LAN ports. One WAN port, DC input and the External RP-SMA connector with antenna can be seen in the picture below.
Disassembling the foneros router
Remove the mounting screws that are located under the rubber paddings:
Remove the antenna:
Pry off the white casing using a flathead driver:
Below you can see the top side of the main board. It seems to have one additional antenna soldering point.
There is a serial port connector next to the two capacitors.
To access the Fonera you can use any terminal application. HyperTerminal ships with Windows and will do fine. Connect your La Fonera to COM1 and start HyperTerminal from:
Start->Programs->Accessories->Communications->HyperTerminal.
You will need to set the communication settings to 9600-8-N-1 and no flow control:
And here you have it:
It seems that the Fonera sometimes doesn’t want to boot when connected to serial. This problem is because of connected TX wire at the Fonera side. If you don’t see anything and the little sucker apparently isn’t booting at all, disconnect the TX from the Fonera and boot with RX connected only. Once you see the first line of output running over your screen, quickly connect TX line, too. Other people just tried booting and connecting the serial cable only 5sec later, though I suppose you will need some practice, as the point where you need to activate the RedBoot boot loader will come after only a few lines of serial output.
I just connected the power cable to La Fonera and 1-2s later I connected the TX and RX lines (GND was already connected). This worked like a charm.
When you open the session to your Fonera from HyperTerminal or SecureCRT, you will see something like this:
+PHY ID is 0022:5521l (TFTP)
Ethernet eth0: MAC address 00:18:84:17:01:4c
IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0
Default server: 0.0.0.0
RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version v1.3.0 - built 16:57:58, Aug 7 2006
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Board: ap51
RAM: 0x80000000-0x81000000, [0x80040450-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 10.000 seconds - enter ^C to abort
RedBoot> fis load -l vmlinux.bin.l7
Image loaded from 0x80041000-0x80282085
RedBoot> exec
If your Fonera is bricked, your session will hang at this step. It will not let you access OpenWrt.
If you observe carefully, after power-on there is a short window (here 10 seconds) before the boot loader loads the Linux image and executes it. We need to interrupt the boot process within that window. So power down your router and power it on again.
Hit Ctrl+C just after you see the following message in the HyperTerminal session:
== Executing boot script in 10.000 seconds - enter ^C to abort
If everything went fine, you will get a RedBoot prompt.
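The Ctrl+C window described above can be caught by a script instead of by hand. This is an added example, not part of the original tutorial: it watches the console for the countdown line, sends Ctrl+C once, and reports success only if the console then stops on a bare RedBoot> prompt. The FakePort class and the two captures are constructed for the demo; on real hardware a pyserial port opened at 9600-8-N-1 with a read timeout is assumed.

```python
"""Catch the RedBoot boot-script window on a serial console (added example)."""
import io

BANNER = b"enter ^C to abort"   # tail of the countdown line RedBoot prints
PROMPT = b"RedBoot>"
CTRL_C = b"\x03"


def interrupt_redboot(port, idle_limit=30, max_bytes=65536):
    """Send Ctrl+C once when the countdown banner appears on `port`.

    `port` needs read(n) -> bytes (b"" on timeout) and write(bytes).
    Returns True only if the console then goes quiet on a bare "RedBoot>"
    prompt. A line such as "RedBoot> fis load ..." means the boot script
    ran anyway, so the result is False.
    """
    seen = bytearray()
    sent = False
    idle = 0
    while len(seen) < max_bytes:
        chunk = port.read(1)
        if chunk:
            idle = 0
            seen += chunk
            if not sent and seen.endswith(BANNER):
                port.write(CTRL_C)
                sent = True
            continue
        if sent:
            # Console went quiet after the interrupt: inspect the last line.
            last_line = bytes(seen).rsplit(b"\n", 1)[-1].strip()
            return last_line == PROMPT
        idle += 1                # nothing received yet, e.g. TX not connected
        if idle >= idle_limit:
            return False
    return False


class FakePort:
    """Constructed stand-in for a serial port that replays canned bytes."""
    def __init__(self, data):
        self._rx = io.BytesIO(data)
        self.written = b""

    def read(self, n):
        return self._rx.read(n)

    def write(self, data):
        self.written += data


# Constructed console captures modelled on the boot log above.
BOOT = (b"Board: ap51\r\n"
        b"== Executing boot script in 10.000 seconds - enter ^C to abort\r\n")
CAUGHT = BOOT + b"^C\r\nRedBoot> "
MISSED = BOOT + b"RedBoot> fis load -l vmlinux.bin.l7\r\nRedBoot> exec\r\n"

if __name__ == "__main__":
    # Offline demo. On hardware, pass a pyserial port instead, e.g.
    # serial.Serial("COM1", 9600, timeout=1) (port name is an assumption).
    for name, data in (("caught", CAUGHT), ("missed", MISSED)):
        print(name, interrupt_redboot(FakePort(data)))
```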
Flashing OpenWrt onto Fonera
fconfig is the command for configuring RedBoot loader.
RedBoot> fconfig -l
Run script at boot: true
Boot script:
.. fis load -l vmlinux.bin.l7
.. exec
Boot script timeout (1000ms resolution): 10
Use BOOTP for network configuration: false
Gateway IP address: 0.0.0.0
Local IP address: 192.168.1.254
Local IP address mask: 255.255.255.0
Default server IP address: 0.0.0.0
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
If you want to change these entries, just issue “fconfig” without any switches. It will prompt you for a new value for each entry, as explained below.
Prepare for Networking
(Follow this step only if your Ethernet connection is detected by your computer if connected)
RedBoot> fconfig bootp_my_ip_mask 255.255.0.0
bootp_my_ip_mask: Setting to 255.255.0.0
Update RedBoot non-volatile configuration - continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000:
… Program from 0x80ff0000-0x81000000 at 0xa87e0000:
RedBoot> fconfig bootp_my_ip 192.168.1.2
bootp_my_ip: Setting to 192.168.1.2
Update RedBoot non-volatile configuration - continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fconfig bootp_server_ip 192.168.1.10
bootp_server_ip: Setting to 192.168.1.10
Update RedBoot non-volatile configuration - continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fconfig boot_script_timeout 10
boot_script_timeout: Setting to 10
Update RedBoot non-volatile configuration - continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0x81000000 at 0xa87e0000:
RedBoot> fconfig net_debug false
net_debug: Setting to false
Update RedBoot non-volatile configuration - continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset
The reset is needed to accept your settings!
WARNING: the option “fconfig net_debug true” will enable RedBoot LAN access BUT your network performance will be around 2500 b/s! So do NOT use it when you have a serial connection! You can enable this option once OpenWrt runs on this beast, so you don’t need to attach the serial cables anymore.
If you now run “fconfig -l” in RedBoot, you will see this:
RedBoot> fconfig -l
Run script at boot: true
Boot script:
.. fis load -l vmlinux.bin.l7
.. exec
Boot script timeout (1000ms resolution): 10
Use BOOTP for network configuration: false
Gateway IP address: 0.0.0.0
Local IP address: 192.168.1.2
Local IP address mask: 255.255.0.0
Default server IP address: 192.168.1.10
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
RedBoot>
Optional: A baud rate of 9600 is very low. It makes your serial transfer very slow; to override this, you can increase the baud rate up to 115200. I tested this. But make sure to reset the baud rate to 9600 after flashing OpenWrt, or you will have problems booting the Linux kernel (I spent half a day figuring this out).
If you want to change the baud rate:
RedBoot> fconfig console_baud_rate 115200
Update RedBoot non-volatile configuration - continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0x81000000 at 0xa87e0000:
Reset the Fonera to make the changes effective, and make sure you update the connection settings in your terminal application.
Reboot Fonera
RedBoot> reset
Initialize flash image system:
RedBoot> fis list
Name FLASH addr Mem addr Length Entry point
RedBoot 0xA8000000 0xA8000000 0x00030000 0x00000000
vmlinux.bin.l7 0xA8030000 0x80041000 0x000C0000 0x80041000
rootfs 0xA80F0000 0x80041000 0x006F0000 0x00000000
FIS directory 0xA87E0000 0xA87E0000 0x0000F000 0x00000000
RedBoot config 0xA87EF000 0xA87EF000 0x00001000 0x00000000
RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis list
Name FLASH addr Mem addr Length Entry point
RedBoot 0xA8000000 0xA8000000 0x00030000 0x00000000
FIS directory 0xA87E0000 0xA87E0000 0x0000F000 0x00000000
RedBoot config 0xA87EF000 0xA87EF000 0x00001000 0x00000000
Now La Fonera is clean: the kernel and the root filesystem are deleted.
Load the vmlinux image into RAM:
Now the kernel has to be transferred to La Fonera. You can use different protocols such as TFTP, HTTP, Xmodem and Ymodem.
Fonera detected over LAN:
Before you start, get the required files from the following link:
http://downloads.open-mesh.net/mesh-potato/
You will need
openwrt-atheros-2.6-vmlinux.lzma (kernel),
openwrt-atheros-2.6-root.squashfs (rootfs)
If your Fonera is detected by your computer over Ethernet use TFTP or HTTP, else you can use xmodem or ymodem which transfers the files to your Fonera over serial cable. You can use tftpd32 from Ph. Jounin (http://tftpd32.jounin.net/). Place tftpd32.exe and your files (openwrt-atheros-2.6-vmlinux.lzma and openwrt-atheros-2.6-root.squashfs) in a directory and start tftpd32.exe.
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80040800-0x801007ff, assumed entry at 0x80040800
Fonera not detected Over LAN:
If your Ethernet is not detected, there is no way to transfer the kernel image from your computer to the Fonera using either TFTP or HTTP servers. In that case I would suggest that you download and install software that supports the xmodem and ymodem protocols. One such program is SecureCRT by VanDyke Software. You can get a trial version on their website.
Disconnect your HyperTerminal connection. Connect to your Fonera with SecureCRT over serial with the same settings you used for HyperTerminal.
Issue the following command to make RedBoot run its ymodem server, then immediately start the kernel file transfer to the Fonera over the ymodem protocol (ymodem is faster than xmodem), as shown:
RedBoot> load -r -v -b 0x80041000 -m ymodem
CCC
Starting ymodem transfer. Press Ctrl+C to cancel.
Transferring openwrt-atheros-vmlinux.lzma…
100% 768 KB 7 KB/s 00:01:47 0 Errors
Raw file loaded 0x80041000-0x80100fff, assumed entry at 0x80041000
xyzModem - CRC mode, 6146(SOH)/0(STX)/0(CAN) packets, 5 retries
Creating Flash image for vmlinux.bin.l7 partition:
Output (took about 2mins to store the file into the flash):
RedBoot> fis create vmlinux.bin.l7
… Erase from 0xa8030000-0xa80f0000: …………
… Program from 0x80041000-0x80101000 at 0xa8030000: …………
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
Now if you issue fis list, this is how it looks:
RedBoot> fis list
Name FLASH addr Mem addr Length Entry point
RedBoot 0xA8000000 0xA8000000 0x00030000 0x00000000
vmlinux.bin.l7 0xA8030000 0x80041000 0x000C0000 0x80041000
FIS directory 0xA87E0000 0xA87E0000 0x0000F000 0x00000000
RedBoot config 0xA87EF000 0xA87EF000 0x00001000 0x00000000
Loading rootfs Filesystem into ram disk:
Fonera detected over LAN:
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
Raw file loaded 0x80040800-0x801607ff, assumed entry at 0x80040800
Fonera not detected Over LAN:
Similarly, on ymodem protocol,
RedBoot> load -r -b %{FREEMEMLO} -m ymodem
CC
Starting ymodem transfer. Press Ctrl+C to cancel.
Transferring openwrt-atheros-root.squashfs…
100% 1536 KB 7 KB/s 00:03:17 0 Errors
Raw file loaded 0x80040800-0x801c07ff, assumed entry at 0x80040800
xyzModem - CRC mode, 12290(SOH)/0(STX)/0(CAN) packets, 4 retries
Creating Flash image to store rootfs:
output (took about 4mins to store):
RedBoot> fis create rootfs
… Erase from 0xa80f0000-0xa8270000: ……………………
… Program from 0x80040800-0x801c0800 at 0xa80f0000: ……………………
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
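The flash ranges that fis create erases can be worked out beforehand from fis list and the "Raw file loaded" line, which lets you confirm an image fits below the FIS directory before anything is erased. This is an added example, not part of the original tutorial; it assumes RedBoot places a new image in the lowest free gap, in whole 0x10000 erase blocks, which matches the addresses in the output above.

```python
"""Predict where `fis create` will put an image (added example)."""
import re

BLOCK = 0x10000  # erase block size from the banner: "128 blocks of 0x00010000"

# `fis list` after `fis init`, and after `fis create vmlinux.bin.l7`,
# retyped from the output shown in this tutorial.
FIS_CLEAN = """\
Name FLASH addr Mem addr Length Entry point
RedBoot 0xA8000000 0xA8000000 0x00030000 0x00000000
FIS directory 0xA87E0000 0xA87E0000 0x0000F000 0x00000000
RedBoot config 0xA87EF000 0xA87EF000 0x00001000 0x00000000
"""
FIS_WITH_KERNEL = FIS_CLEAN + (
    "vmlinux.bin.l7 0xA8030000 0x80041000 0x000C0000 0x80041000\n")

HEX = r"(0x[0-9A-Fa-f]+)"
ROW = re.compile(r"^(.+?)\s+" + r"\s+".join([HEX] * 4) + r"\s*$")


def parse_fis_list(text):
    """Return [(name, flash_addr, length)] sorted by flash address."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header line has no hex columns and is skipped
            rows.append((m.group(1), int(m.group(2), 16), int(m.group(4), 16)))
    return sorted(rows, key=lambda r: r[1])


def round_up(n, block=BLOCK):
    return (n + block - 1) // block * block


def loaded_length(line):
    """Bytes loaded, from a 'Raw file loaded START-END' line (END inclusive)."""
    m = re.search(r"Raw file loaded " + HEX + "-" + HEX, line)
    if not m:
        raise ValueError("not a 'Raw file loaded' line")
    return int(m.group(2), 16) - int(m.group(1), 16) + 1


def plan_image(fis_text, image_len):
    """Return (start, end) of the flash range a new image would occupy.

    Assumption: first fit in the lowest free gap, whole erase blocks.
    Raises ValueError if no gap between existing entries is large enough.
    """
    rows = parse_fis_list(fis_text)
    need = round_up(image_len)
    for (_, addr, length), (_, next_addr, _) in zip(rows, rows[1:]):
        start = round_up(addr + length)
        if next_addr - start >= need:
            return start, start + need
    raise ValueError("image of 0x%X bytes does not fit in flash" % need)


if __name__ == "__main__":
    kernel = loaded_length("Raw file loaded 0x80041000-0x80100fff")
    rootfs = loaded_length("Raw file loaded 0x80040800-0x801c07ff")
    print("kernel: 0x%08x-0x%08x" % plan_image(FIS_CLEAN, kernel))
    print("rootfs: 0x%08x-0x%08x" % plan_image(FIS_WITH_KERNEL, rootfs))
```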
Caution:
If you changed the baud rate from the default value (9600) earlier in this tutorial, change it back after this step. Otherwise your Linux image won’t boot.
RedBoot> fconfig console_baud_rate 9600
Update RedBoot non-volatile configuration - continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0x81000000 at 0xa87e0000:
Reboot Fonera
RedBoot> reset
If everything went well, you should see something like this:
PHY ID is 0022:5521
Ethernet eth0: MAC address 00:18:54:97:21:0c
IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0
Default server: 0.0.0.0
RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version v1.3.0 - built 16:57:58, Aug 7 2006
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Board: ap51
RAM: 0x80000000-0x81000000, [0x80040450-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 10.000 seconds - enter ^C to abort
RedBoot> fis load -l vmlinux.bin.l7
Image loaded from 0x80041000-0x80282085
RedBoot> exec
Now booting linux kernel:
Base address 0x80030000 Entry 0x80041000
Cmdline:.
Linux version 2.6.21.5 (ubuntu@ubuntu-laptop) (gcc version 4.1.2) #1 Sat Sep 29 11:04:17 CEST 2007
CPU revision is: 00019064
Determined physical RAM map:
memory: 01000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Built 1 zonelists. Total pages: 4064
Kernel command line: console=ttyS0,9600 rootfstype=squashfs,jffs2 init=/etc/preinit
Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.
Primary data cache 16kB, 4-way, linesize 16 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
PID hash table entries: 64 (order: 6, 256 bytes)
Using 92.000 MHz high precision timer.
Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
Memory: 13504k/16384k available (1955k kernel code, 2880k reserved, 292k data, 116k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
Radio config found at offset 0xf8(0x1f8)
Time: MIPS clocksource has been installed.
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP reno registered
squashfs: version 3.0 (2006/03/15) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (C) 2001-2006 Red Hat, Inc.
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver $Revision: 1.90 $ 1 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0xb1100003 (irq = 37) is a 16550A
eth0: Dropping NETIF_F_SG since no checksum feature.
eth0: Atheros AR231x: 00:18:84:14:39:94, irq 4
cmdlinepart partition parsing not available
Searching for RedBoot partition table in spiflash at offset 0x7d0000
Searching for RedBoot partition table in spiflash at offset 0x7e0000
5 RedBoot partitions found on MTD device spiflash
Creating 5 MTD partitions on "spiflash":
0x00000000-0x00030000 : "RedBoot"
0x00030000-0x000f0000 : "vmlinux.bin.l7"
0x000f0000-0x007e0000 : "rootfs"
0x00200000-0x007e0000 : "rootfs_data"
0x007e0000-0x007ef000 : "FIS directory"
0x007ef000-0x007f0000 : "RedBoot config"
nf_conntrack version 0.5.0 (128 buckets, 1024 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP vegas registered
NET: Registered protocol family 1
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 116k freed
Warning: unable to open an initial console.
eth0: Configuring MAC for full duplex
Algorithmics/MIPS FPU Emulator v1.5
- preinit -
jffs2 not ready yet; using ramdisk
mini_fo: using base directory: /
mini_fo: using storage directory: /tmp/root
- init -
init started: BusyBox v1.4.2 (2007-09-26 19:44:01 CEST) multi-call binary
Please press Enter to activate this console. device eth0 entered promiscuous mode
br-lan: port 1(eth0) entering learning state
br-lan: topology change detected, propagating
br-lan: port 1(eth0) entering forwarding state
PPP generic driver version 2.4.2
wlan: 0.8.4.2 (svn r2568)
ath_hal: module license 'Proprietary' taints kernel.
ath_hal: 0.9.30.13 (AR5212, AR5312, RF2316, TX_DESC_SWAP)
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (svn r2568)
ath_rate_minstrel: look around rate set to 10%
ath_rate_minstrel: EWMA rolloff level set to 75%
ath_rate_minstrel: max segment size in the mrr set to 6000 us
wlan: mac acl policy registered
ath_ahb: 0.9.4.5 (svn r2568)
ath_pci: switching rfkill capability off
ath_pci: switching per-packet transmit power control off
wifi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
wifi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: H/W encryption support: WEP AES AES_CCM TKIP
wifi0: mac 11.0 phy 4.8 radio 7.0
wifi0: Use hw queue 1 for WME_AC_BE traffic
wifi0: Use hw queue 0 for WME_AC_BK traffic
wifi0: Use hw queue 2 for WME_AC_VI traffic
wifi0: Use hw queue 3 for WME_AC_VO traffic
wifi0: Use hw queue 8 for CAB traffic
wifi0: Use hw queue 9 for beacons
wifi0: Atheros 2315 WiSoC: mem=0xb0000000, irq=3
jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
jffs2_build_filesystem(): unlocking the mtd device… done.
jffs2_build_filesystem(): erasing all blocks after the end marker… done.
mini_fo: using base directory: /
mini_fo: using storage directory: /jffs
BusyBox v1.4.2 (2007-09-26 19:44:01 CEST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (7.09) -----------------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@OpenWrt:/#
References
http://sodoityourself.com/max232-serial-level-converter/
http://sodoityourself.com/inside-the-fon-router/
http://sodoityourself.com/accessing-serial-console-on-the-fon/
http://wiki.openwrt.org/OpenWrtDocs/Hardware/Fon/Fonera
RedBoot Command Overview
ip_address — Set IP addresses
load — Download programs or data to the RedBoot platform
fis init — Initialize Flash Image System (FIS)
fis create — Create flash image
fis free — Free flash image
fis load — Load flash image
disks — List available disk partitions.
ping — Verify network connectivity (ping -h 192.168.1.10 -v -n 4)
baudrate — Set the baud rate for the system serial console
reset — Reset the device
.. this will be equivalent to a power-on reset condition.
version — Display RedBoot version information
go — Execute a program
exec — Execute a Linux kernel
Note: The commands listed below should be used only on the instruction of Advanced Relay Technical Support. Improper use of these commands may render the PXS inoperable.
Command | Description |
fis create [-b <base>][-l <image length>][-s <data length>][-f <flash address>][-e <entry>][-r <ram address>][-n] <name> | Creates an image in FLASH from data in RAM |
fis delete <name> | Removes an image from FLASH |
fis erase -f <flash address> -l <length> | Erases an area of FLASH |
fis free | Shows which areas of FLASH are not in use |
fis help | Displays help for FIS commands |
fis init [-f] | Initializes FLASH |
fis list [-c] | Lists images in FLASH and information about them. The -c option displays the image checksum instead of the memory address. |
fis load [-b <base>][-c] <name> | Loads an image from FLASH to RAM. The -c option displays the image checksum. |