EdimaX ES-5224RM+

Ein schöner 24 Port 10/100Mb/s Level 2 Switch mit Webinterface, serieller Konsole und 2x GBit Uplink von Edimax

Orginal hergestellt wird er aber von:

wie aus der Firmware hervor geht ein ES-2126C

OEM Produkte

Aus der Firmware geht hervor, das der switch für weitaus mehr firmen gefertigt wird

Hardware

CPU

Im inneren Werkelt ein Samsung ARM CommunicationProcessor

Aufdruck:

SAMSUNG
S3C4510B
http://www.samsung.com/products/semiconductor/SystemLSI/Networks/PersonalNTASSP/CommunicationProcessor/S3C4510B/S3C4510B.htm

Part Number      S3C4510B
Function          ARM7TDMI 50MHz,Ethernet MAC,HDLC,UART,IIC
RTOS Support      V,P,N,L	
User's Manual     Now	
Package           208QFP	
Production Status Mass Production

Bernd 2006/11/11 16:21

 General Description
Samsung's S3C4530A 16/32-bit RISC microcontroller is a cost-effective, high-performance microcontroller solution for Ethernet-based systems. An integrated Ethernet controller, the S3C4530A, is designed for use in managed communication hubs and routers.
The S3C4530A is built around an outstanding CPU core: the 16/32-bit ARM7TDMI RISC processor designed by Advanced RISC Machines, Ltd. The ARM7TDMI core is a low-power, general purpose microprocessor macro-cell that was developed for use in application-specific and custom-specific integrated circuits. Its simple, elegant, and fully static design is particularly suitable for cost-sensitive and power-sensitive applications.
The S3C4530A offers a configurable 8-Kbyte unified cache/SRAM and Ethernet controller which reduces total system cost. Most of the on-chip function blocks have been designed using an HDL synthesizer and the S3C4530A has been fully verified in Samsung's state-of-the-art ASIC test environment. Important peripheral functions include two HDLC channels with buffer descriptor, two UART channels with full modem interface signal and 32byte buffer, 2-channel GDMA, two 32-bit timers, and 26 programmable I/O ports. On-board logic includes an interrupt controller, DRAM/ SDRAM controller, and a controller for ROM/SRAM and flash memory. The System Manager includes an internal 32-bit system bus arbiter and an external memory controller. The following integrated on-chip functions are described in detail in this user's manual:

8-Kbyte unified cache/SRAM
I2C interface
Ethernet controller
HDLC controller
GDMA
UART
Timers
Programmable I/O ports
Interrupt controller
Support SDRAM burst mode

Features
Architecture
- Integrated system for embedded ethernet applications
- Fully 16/32-bit RISC architecture
- Little/Big-Endian mode supported basically, the internal architecture is big-endian.
So, the little-endian mode only support for external memory.
- Efficient and powerful ARM7TDMI core
- Cost-effective JTAG-based debug solution
- Boundary scan
System Manager
- 8/16/32-bit external bus support for ROM/SRAM, flash memory, DRAM, and external I/O
- One external bus master with bus request/acknowledge pins
- Support for EDO/normal or SDRAM
- Programmable access cycle (0-7 wait cycles)
- Four-word depth write buffer
- Cost-effective memory-to-peripheral DMA interface
Unified Instruction/Data Cache
- Two-way, set-associative, unified 8-Kbyte cache
- Support for LRU (least recently used) protocol
- Cache is configurable as an internal SRAM
I2C Serial Interface
- Master mode operation only
- Baud rate generator for serial clock generation
Ethernet Controller
- DMA engine with burst mode
- DMA Tx/Rx buffers (256 bytes Tx, 256 bytes Rx)
- MAC Tx/Rx FIFO buffers (80 bytes Tx, 16 bytes Rx)
- Data alignment logic
- Endian translation
- 100/10-Mbit per second operation
- Full compliance with IEEE standard 802.3
- MII(10/100Mbps) or 7-wire 10-Mbps interface
- Station management signaling
- On-chip CAM (up to 21 destination addresses)
- Full-duplex mode with PAUSE feature
- Long/short packet modes
- PAD generation
HDLCs
-  HDLC protocol features:
. Flag detection and synchronization
. Zero insertion and deletion
. Idle detection and transmission
. FCS generation and detection (16-bit)
. Abort detection and transmission
-  Address search mode (expandable to 4 bytes)
-  Selectable CRC or No CRC mode
-  Automatic CRC generator preset
-  Digital PLL block for clock recovery
-  Baud rate generator
-  NRZ/NRZI/FM/Manchester data formats for Tx/Rx
-  Loop-back and auto-echo modes
-  Tx/Rx FIFOs have 8-word (8 x 32-bit) depth
-  Selectable 1-word or 4-word data transfer mode
-  Data alignment logic
-  Endian translation
-  Programmable interrupts
-  Modem interface
-  Up to 10 Mbps operation
-  HDLC frame length based on octets
-  2-channel DMA buffer descriptor for Tx/Rx on each HDLC
DMA Controller
-  2-channel General DMA for memory-to-memory, memory-to-UART, UART-to-memory data transfers
without CPU intervention
-  Initiated by a software or external DMA request
-  Increments or decrements a source or destination address in 8-bit, 16-bit or 32-bit data transfers
-  4-data burst mode
UARTs
-  Two UART (serial I/O) blocks with DMA-based or interrupt-based operation
-  High speed(460Kbps) UART support with 32 byte Tx/Rx FIFO and modem interface signals
-  Support for 5-bit, 6-bit, 7-bit, or 8-bit serial data transmit and receive
-  Automatic baud rate detection
-  Eight control character comparison for software control
-  Programmable baud rates
-  1 or 2 stop bits
-  Odd or even parity Operating Temperature Range
-  Break generation and detection
-  Parity, overrun, and framing error detection
-  x16 clock mode
-  Infra-red (IR) Tx/Rx support (IrDA)
Timers
-  Two programmable 32-bit timers
-  Interval mode or toggle mode operation
Programmable I/O
-  26 programmable I/O ports
-  Pins individually configurable to input, output, or I/O mode for dedicated signals
Interrupt Controller
-  21 interrupt sources, including 4 external interrupt sources
-  Normal or fast interrupt mode (IRQ, FIQ)
-  Prioritized interrupt handling
PLL
-  The external clock can be multiplied by on-chip PLL to provide high frequency system clock
-  The input frequency range is 10-40 MHz
-  The output frequency is 5 times of input clock. To get 50 MHz, input clock frequency should be 10 MHz.
Operating Voltage Range
-  3.3 V ± 5 %
Operating Temperature Range
- 0 °C to + 70 °C
Operating Frequency
-  Up to 50 MHz
Package Type
-  208 pin QFP

Switch Chip

Der 10/100Mb/s Switch ist ein

Broadcom
BCM5324MKPBG
HC0622 P12
785357 P2
Das heisst leider: Schlechte Doku!

Eventuell gibt es aber ein paar Linux ansätze für irgendwas davon.
Dann steht der eigenen Firmware nichts mehr im wege!

eventuell KÖNNTE man den Openwrt Treiber für den BCM5325/BCM536x Erweitern und Nutzen!

werden wir wohl mal das Zeug was wir haben dissassemblieren!

Bei den Gbit/s Pots gibt es zwei extra Chips auf denen die Kühlkörper mit wärmeleitkleber befestigt sind, desshabl weiss ich nicht was sich darunter verbirgt. Ich möchte ungern die Chips mitsamt dem Kühler durch mechanische gewalt von der Platine lösen. :-/

Bernd 2007/03/28 01:05

Flash Chip

Hacking Into the Edimax ES5224RM+

So nun Wir haben zwei Switchs derselben Sorte hier im Haus. Dachte ich zu Anfang jedenfalls. Tatsächlich stellte sich aber beim configurieren der Geräte heraus das die Firmware unterschiedlich ist. Darauf hin dann das es sich bei den Geräten, warum auch immer einmal um einen ES5224RS+ und einemal um einen ES5224RM+ Handelt, welcher neuerer und wesentlich besser ausgestattet ist.

Da aber die Hardware bis auf das vorhandensein einer Seriellen Schnittstelle identisch ist kam ich auf die Idee einfach die Firmware bei der Firma anzufordern und auf dem RS+ einzuspielen. Leider liess sich die Firmware aber nicht so einfach ordern.

Also beschloss ich einmal den switch genauer zu untersuchen. Ich öffente den RM+ mit der Seriellen Schnitstelle und steiss auf einen Jumper in der näher der CPU (CPU info siehe oben)

[ Bild ]

Nachdem ich diesen entfernt hatte fand ich zunächst das auch „normal“ zugängliche bios, in dem man neue Firmware einspielen kann.

BIOS

BIOS(0)> help
 ===========================================================
        BIOS Command line interface HELP     
 ===========================================================
 help       :  Help for bios command. 
 ls         :  Display the bios command list. 
 sysconf    :  System parameter configuration. 
 flash      :  Flash Device Utility. 
 load(r)    :  Excutable image download[load] & run[loadr] at free memory area. 
 boot       :  vLinux Boot Loader can be selected. 
 dump       :  Memory Dump Command. 
 sys        :  Usage : sys {model|mac{0|1}|prod|ser|hard|mech|ram|flash|show} value . 
 look       :  look ext 0 , 1 ,2 . 
 fill       :  fill memory (4 byte) . 
 sdram      :  SDRAM test . 
 spr        :  read spi register 
 spw        :  write spi register 
 gg         :  get gpio 
 gs         :  set gpio 
 rr         :  register read 
 rw         :  register write 
 ===========================================================

BIOS(20)> sysconf view

Read system parameters from IIC EEPROM...Done!

+==================================================+
|           System Configuration Table             |
+==================================================+
|  Configuration Parameter valid !!!               |
|               Boot Configuration                 |
+--------------------------------------------------+
|  BOOT Method : manual                            |
|  Boot File Name : es2126_edimax.img              |
|  TFTP Server IP Address : 192.168.1.176          |
+--------------------------------------------------+
|             Ethernet Configuration               |
+--------------------------------------------------+
|  Host Name : RubyTech                            |
|  Ethernet IP Address : 192.168.1.1               |
|  Ethernet Default Gateway : 192.168.1.254        |
|  Ethernet Default Subnet Mask : 255.255.255.0    |
|  Ethernet H/W Address : 00:40:c7:xxxxxxx        |

Nach einem Neustart liess ich die Firmware normal booten und staunte nicht schlecht als ich schliesslich eine promt erhielt. aber nicht den „normalen“ telnet promt zum configurieren des Switchs.

BIOS(0)> ...............................................................................................
RubyTechCorp Diag Mode
# 

Die Root Schell

Ich befand mich in einem mini Linux root!

ls /
bin dev etc home lib mnt proc tmp usr var

# mount
/dev/ram0 on /var type ext2 (rw)
/dev/ram1 on /etc/config type ext2 (rw)
/dev/flash3 on /mnt/flash type ext2 (rw)
none on /proc type proc (rw)
# ls /bin
8021X        8021XACCT    boot_init    chmod        config       default      
dhclient     diag         discard      echo         eventd       ifconfig     
inetd        ls           mount        ping         reboot       rg           
route        rs           sh           smsd         smtpd        snmpd        
telnetd      tftp         thttpd       trap_alarmd  writer    

# ls -al /bin
drwxr-xr-x  1 0        root           32  Jan 01 1970  .
drwxrwxrwx  1 0        root           32  Jan 01 1970  ..
-rwxr-xr-x  1 0        root        19528  Jan 01 1970  8021X
-rwxr-xr-x  1 0        root        19548  Jan 01 1970  8021XACCT
-rwxr-xr-x  1 0        root        86416  Jan 01 1970  boot_init
-rwxr-xr-x  1 0        root         7104  Jan 01 1970  chmod
-rwxr-xr-x  1 0        root       302796  Jan 01 1970  config
-rwxr-xr-x  1 0        root        19908  Jan 01 1970  default
-rwxr-xr-x  1 0        root       118480  Jan 01 1970  dhclient
-rwxr-xr-x  1 0        root         9752  Jan 01 1970  diag
-rwxr-xr-x  1 0        root         1124  Jan 01 1970  discard
-rwxr-xr-x  1 0        root         1300  Jan 01 1970  echo
-rwxr-xr-x  1 0        root        63336  Jan 01 1970  eventd
-rwxr-xr-x  1 0        root        38792  Jan 01 1970  ifconfig
-rwxr-xr-x  1 0        root        16924  Jan 01 1970  inetd
-rwxr-xr-x  1 0        root        18780  Jan 01 1970  ls
-rwxr-xr-x  1 0        root        81528  Jan 01 1970  mount
-rwxr-xr-x  1 0        root        34088  Jan 01 1970  ping
-rwxr-xr-x  1 0        root         7444  Jan 01 1970  reboot
-rwxr-xr-x  1 0        root         7236  Jan 01 1970  rg
-rwxr-xr-x  1 0        root        37740  Jan 01 1970  route
-rwxr-xr-x  1 0        root         7220  Jan 01 1970  rs
-rwxr-xr-x  1 0        root        50804  Jan 01 1970  sh
-rwxr-xr-x  1 0        root        61052  Jan 01 1970  smsd
-rwxr-xr-x  1 0        root        63192  Jan 01 1970  smtpd
-rwxr-xr-x  1 0        root       208340  Jan 01 1970  snmpd
-rwxr-xr-x  1 0        root        28740  Jan 01 1970  telnetd
-rwxr-xr-x  1 0        root        59796  Jan 01 1970  tftp
-rwxrwxrwx  1 0        root        87840  Jan 01 1970  thttpd
-rwxr-xr-x  1 0        root        65392  Jan 01 1970  trap_alarmd
-rwxr-xr-x  1 0        root        47924  Jan 01 1970  writer

# diag

-----------------------------------------------------------
         DIAGNOSTIC  PROGRAMMING (v2.23)

-----------------------------------------------------------
   Model_Name               : ES-2126
   RAM Read/Write Test      : OK ,16 M  
   Flash Read/Write Test    : OK ,0 M  
   EEPROM Test              : OK
   UART Test                : OK
-----------------------------------------------------------
   Series_Number            : 03100B0xxxxxx
   BIOS_version             : v1.03
   Firmware_Version         : v2.23

   Hardware-Mechanical      : v1.01-v1.01
-----------------------------------------------------------
ES-2126 is Pass.

# ls -al /home/httpd/
drwxr-xr-x  1 0        root           32  Jan 01 1970  .
drwxr-xr-x  1 0        root           32  Jan 01 1970  ..
-rw-r--r--  1 0        root         2030  Jan 01 1970  1xportmode.html
-rw-r--r--  1 0        root         5314  Jan 01 1970  1xportparam.html
-rw-r--r--  1 0        root         3052  Jan 01 1970  1xportsecurity.html
-rw-r--r--  1 0        root         4186  Jan 01 1970  1xstate.html
-rw-r--r--  1 0        root           56  Jan 01 1970  a.html
-rw-r--r--  1 0        root         3646  Jan 01 1970  accountadd.html
-rw-r--r--  1 0        root         4224  Jan 01 1970  accountconfig.html
-rw-r--r--  1 0        root         4444  Jan 01 1970  accountmodify.html
-rw-r--r--  1 0        root         4977  Jan 01 1970  autoping.html
-rw-r--r--  1 0        root          135  Jan 01 1970  b.html
-rw-r--r--  1 0        root         7856  Jan 01 1970  bwegress.html
-rw-r--r--  1 0        root         7862  Jan 01 1970  bwingress.html
-rw-r--r--  1 0        root         2779  Jan 01 1970  bwstorm.html
-rw-r--r--  1 0        root         3528  Jan 01 1970  configfile.html
-rw-r--r--  1 0        root         4415  Jan 01 1970  configuration.html
-rw-r--r--  1 0        root         2505  Jan 01 1970  css.html
-rw-r--r--  1 0        root        15184  Jan 01 1970  data_init0.js
-rw-r--r--  1 0        root         2436  Jan 01 1970  data_init1.js
-rw-r--r--  1 0        root          463  Jan 01 1970  data_init2.js
-rw-r--r--  1 0        root          294  Jan 01 1970  data_init3.js
-rw-r--r--  1 0        root         2199  Jan 01 1970  diag.html
-rw-r--r--  1 0        root         3054  Jan 01 1970  dsm.html
-rw-r--r--  1 0        root          318  Jan 01 1970  empty.html
-rwxr-xr-x  1 0        root       178572  Jan 01 1970  fake_cgi
-rw-r--r--  1 0        root            0  Jan 01 1970  fake_server.html
-rw-r--r--  1 0        root         2251  Jan 01 1970  firmware.html
-rw-r--r--  1 0        root          236  Jan 01 1970  ggrp_info.html
-rw-r--r--  1 0        root         2204  Jan 01 1970  group.html
-rw-r--r--  1 0        root          284  Jan 01 1970  group_frame.html
-rw-r--r--  1 0        root         7040  Jan 01 1970  gvrpconf.html
-rw-r--r--  1 0        root         4567  Jan 01 1970  gvrpcounter.html
-rw-r--r--  1 0        root         3458  Jan 01 1970  gvrpgroupedit.html
-rw-r--r--  1 0        root         3145  Jan 01 1970  gvrpgroupinfo.html
-rw-r--r--  1 0        root        12645  Jan 01 1970  icon.html
-rw-r--r--  1 0        root         7518  Jan 01 1970  icon.js
-rw-r--r--  1 0        root         1523  Jan 01 1970  iconfiber.html
-rw-r--r--  1 0        root         1600  Jan 01 1970  iconportdetail.html
-rw-r--r--  1 0        root         5348  Jan 01 1970  igmp.html
drwxr-xr-x  1 0        root           32  Jan 01 1970  images
-rw-r--r--  1 0        root         6069  Jan 01 1970  index.html
-rw-r--r--  1 0        root         1123  Jan 01 1970  inner_main_frame.html
-rw-r--r--  1 0        root         8001  Jan 01 1970  ipconfig.html
-rw-r--r--  1 0        root         2842  Jan 01 1970  isolated.html
-rw-r--r--  1 0        root         1289  Jan 01 1970  logout.html
-rw-r--r--  1 0        root         2255  Jan 01 1970  loopback.html
-rw-r--r--  1 0        root         3277  Jan 01 1970  loopdetect.html
-rw-r--r--  1 0        root         9366  Jan 01 1970  mac_tbl_info.html
-rw-r--r--  1 0        root         7891  Jan 01 1970  macalias.html
-rw-r--r--  1 0        root         4987  Jan 01 1970  macmaintain.html
-rw-r--r--  1 0        root         9138  Jan 01 1970  macstatic.html
-rw-r--r--  1 0        root         1159  Jan 01 1970  main.css
-rw-r--r--  1 0        root         1259  Jan 01 1970  main_frame.html
-rw-r--r--  1 0        root         6684  Jan 01 1970  manage_port.html
-rw-r--r--  1 0        root         9141  Jan 01 1970  manage_port.js
-rw-r--r--  1 0        root        12457  Jan 01 1970  mcfilter.html
-rw-r--r--  1 0        root        17205  Jan 01 1970  menu.html
-rw-r--r--  1 0        root         6589  Jan 01 1970  menu_func.js
-rw-r--r--  1 0        root         1208  Jan 01 1970  menucss.html
-rw-r--r--  1 0        root         2532  Jan 01 1970  mgtvlan.html
-rw-r--r--  1 0        root         4458  Jan 01 1970  mirror.html
-rw-r--r--  1 0        root         2708  Jan 01 1970  pingtest.html
-rw-r--r--  1 0        root         2979  Jan 01 1970  portconfig.html
-rw-r--r--  1 0        root        10715  Jan 01 1970  portcounterdetail.html
-rw-r--r--  1 0        root         4371  Jan 01 1970  portcountersimple.html
-rw-r--r--  1 0        root         2525  Jan 01 1970  portdescription.html
-rw-r--r--  1 0        root         1468  Jan 01 1970  portfiber.html
-rw-r--r--  1 0        root         4976  Jan 01 1970  portstatus.html
-rw-r--r--  1 0        root         2315  Jan 01 1970  qos1p.html
-rw-r--r--  1 0        root         4989  Jan 01 1970  qosconfig.html
-rw-r--r--  1 0        root         3520  Jan 01 1970  qosdscp.html
-rw-r--r--  1 0        root         2348  Jan 01 1970  qosdtype.html
-rw-r--r--  1 0        root         2356  Jan 01 1970  qosmtype.html
-rw-r--r--  1 0        root         2354  Jan 01 1970  qosrtype.html
-rw-r--r--  1 0        root         2353  Jan 01 1970  qosttype.html
-rw-r--r--  1 0        root         2213  Jan 01 1970  qosvip.html
-rw-r--r--  1 0        root          528  Jan 01 1970  reboot_frame.html
-rw-r--r--  1 0        root          264  Jan 01 1970  reboot_vsmframe.html
-rw-r--r--  1 0        root          160  Jan 01 1970  rebootact.html
-rw-r--r--  1 0        root         1869  Jan 01 1970  rebooting.html
-rw-r--r--  1 0        root          525  Jan 01 1970  rebootmsg.html
-rw-r--r--  1 0        root          794  Jan 01 1970  rebootwait.html
-rw-r--r--  1 0        root          785  Jan 01 1970  restoredefaultok.html
-rw-r--r--  1 0        root          782  Jan 01 1970  restoreuserok.html
-rw-r--r--  1 0        root         4132  Jan 01 1970  restricted.html
-rw-r--r--  1 0        root         7936  Jan 01 1970  snmpconfig.html
-rw-r--r--  1 0        root         5525  Jan 01 1970  stpconf.html
-rw-r--r--  1 0        root         1595  Jan 01 1970  stpconfirm.html
-rw-r--r--  1 0        root         3508  Jan 01 1970  stpportconf.html
-rw-r--r--  1 0        root         4828  Jan 01 1970  stpportstate.html
-rw-r--r--  1 0        root         3015  Jan 01 1970  stpstatus.html
-rw-r--r--  1 0        root         2319  Jan 01 1970  suppdhcp.html
-rw-r--r--  1 0        root         1433  Jan 01 1970  synch.html
-rw-r--r--  1 0        root         3674  Jan 01 1970  sysinfo.html
-rw-r--r--  1 0        root         7039  Jan 01 1970  syslog.html
-rw-r--r--  1 0        root        13650  Jan 01 1970  systime.html
-rw-r--r--  1 0        root         7106  Jan 01 1970  systime.js
-rw-r--r--  1 0        root         1955  Jan 01 1970  tftpserver.html
-rw-r--r--  1 0        root         8905  Jan 01 1970  trapalarm.html
-rw-r--r--  1 0        root         6170  Jan 01 1970  trapevent.html
-rw-r--r--  1 0        root         1159  Jan 01 1970  trunk_rule.html
-rw-r--r--  1 0        root         3770  Jan 01 1970  trunkport.html
-rw-r--r--  1 0        root         2540  Jan 01 1970  trunkpriority.html
-rw-r--r--  1 0        root         3738  Jan 01 1970  trunkview.html
-rw-r--r--  1 0        root         3142  Jan 01 1970  trunkviewdetail.html
-rw-r--r--  1 0        root         1851  Jan 01 1970  upgrade0.html
-rw-r--r--  1 0        root          846  Jan 01 1970  upgrade1.html
-rw-r--r--  1 0        root          793  Jan 01 1970  upgrade2.html
-rw-r--r--  1 0        root          822  Jan 01 1970  upgrade3.html
-rw-r--r--  1 0        root          808  Jan 01 1970  upgrade4.html
-rw-r--r--  1 0        root          822  Jan 01 1970  upgrade5.html
-rw-r--r--  1 0        root         5284  Jan 01 1970  verify_func.js
-rw-r--r--  1 0        root         3390  Jan 01 1970  vlanmode.html
-rw-r--r--  1 0        root         3250  Jan 01 1970  vlanportbasedgroup.html
-rw-r--r--  1 0        root         5917  Jan 01 1970  vlanportbasedgrouplist.html
-rw-r--r--  1 0        root         4677  Jan 01 1970  vlantagbasedgroup.html
-rw-r--r--  1 0        root         6154  Jan 01 1970  vlantagbasedgrouplist.html
-rw-r--r--  1 0        root         3791  Jan 01 1970  vlantagbasedpvid.html

Mit ifconfig kann man die netzwerkkarte configurieren, und mit tftp daten übertragen ein nfs Laufwerk zu mounten scheitert mit der meldung das es keine nfs unterstützung gibt.

Also ARM binarys der gängigen programme suchen und mit tftp übertragen!

Bernd 2007/03/08 17:46

* http://www.arm.com/products/CPUs/families/ARM7Family.html Infos about the CPU core ARM7TDMI

from http://opensrc.sec.samsung.com/

 	
the linux-2.6.4-hsc1 patch is announced
	
	
Hyok S. Choi announced the MMU-less ARM patch against linux-2.6.4 kernel, linux-2.6.4-hsc1.patch.gz on the download section.

This port includes ATMEL AT91xx(ARM7TDMI) platform support, which means GDB/ARMulator is supported also. And proc-arm940.S is included. (contributed by Hee-Chul Yun)

This patch is pending for being merged to 2.6.4-uc0 patch of uClinux developer team. 

openwrt runs on AT91xx * http://downloads.openwrt.org/snapshots/

Also wollen wir mal testen. . .

4510b und uClinux

   ARCH := armnommu
   CROSS_COMPILE = arm-elf-

Irgend ein Simu

Auf dem Weg zu nem cross compilerr lief mir noch so eien fehler über den weg error: array type has incomplete element type hier die Lösung:

ALTERNATIVE FIRMWARE

Also nach tagelangem, interessantem aber leider fruchtlosem gebastel: man nehme die 2.00 Firmware von http://www.rubytech.com.tw/EN/download.php für den „L2 Managed FE Switch-ES-2126C“
Und kanns diese auf EDIMAX ES5224RM+ Switchs einspielen.
Kann aber sein dass man damit ein Backdate macht, denn die Edimax Firmware gibt sich als V 2.23 aus.

Natürlich übernehme ich hier wiedermal keien Haftung. Ist euer Bier und nur nen Idee von mir.

Bernd 2007/03/15 19:36

wir knacken das dumme image file

cat  es2126_v2.00.img | gunzip >  es2126_v2.00.img
# ein bisschen mit dem hexeditor die datei durchstöbern
# -romfs- drin gefunden
# hex offset (D6F18) in dezimal umrechnen

mount -t romfs es2126_v2.00.img testmount/ -o loop,offset=880408
ls -al testmount/
drwxr-xr-x 1 root  root    32 1970-01-01 01:00 bin
drwxr-xr-x 1 root  root    32 1970-01-01 01:00 dev
drwxr-xr-x 1 root  root    32 1970-01-01 01:00 etc
drwxr-xr-x 1 root  root    32 1970-01-01 01:00 home
drwxr-xr-x 1 root  root    32 1970-01-01 01:00 lib
drwxr-xr-x 1 root  root    32 1970-01-01 01:00 mnt
drwxr-xr-x 1 root  root    32 1970-01-01 01:00 proc
drwxr-xr-x 1 root  root    32 1970-01-01 01:00 tmp
drwxr-xr-x 1 root  root    32 1970-01-01 01:00 usr
drwxr-xr-x 1 root  root    32 1970-01-01 01:00 var
file telnetd 
telnetd: BFLT executable - version 33554432
:-D das mit / ist 0xD6F18 oder 880408 dann gibt es noch einen -rom1fs- Eintrag bei 0x3F904 oder 260358 und einen 0x7E530 oder 517424 bei f8D00 steht es nochmal drin, ist aber nur im mount binary oder in ner lib, wo alle möglichen FS Typen gelistet sind. lassen sich aber alle nicht mounten.

Linux version 2.2.14-v1.9 (vincent@Server-3) (gcc version 2.9-vLinux-armtool-0523) #25 Wed Jul 6 15:22:15 CST 2005
wenn da mal kein linux ist. und Linux ist GPL! Ruby Tech und Edimax verletzen dei GPL!

Bernd 2007/03/22 02:37

Image Zerlegen

Habe das image jetzt in seine bestandtile Zerlegt Hier mal der cematische Aufbau:

|---- gzip -9 von kernel + romfs
| |--- kernel Image (plus Bios ???)
| |
| | -----  Offset : 0x000D6F18  ab dann romfs
| |
| |
| |----
|--- dannach an das GZ angehängt ein ID string   char ID[9]
00000000  45 53 2d 32 31 32 36 37  0a                       |ES-21267.|
00000009

Bernd 2007/03/23 01:46

Wir booten uns einen

Read system parameters from IIC EEPROM...Done!

BIOS v1.03 

BIOS(0)> 
 .....
BIOS(5)> sysconf view

Read system parameters from IIC EEPROM...Done!

+==================================================+
|           System Configuration Table             |
+==================================================+
|  Configuration Parameter valid !!!               |
|               Boot Configuration                 |
+--------------------------------------------------+
|  BOOT Method : net                               |
|  Boot File Name : es2126_edimax.img              |
|  TFTP Server IP Address : 192.168.1.176          |
+--------------------------------------------------+
|             Ethernet Configuration               |
+--------------------------------------------------+
|  Host Name : RubyTech                            |
|  Ethernet IP Address : 192.168.1.3               |
|  Ethernet Default Gateway : 192.168.1.254        |
|  Ethernet Default Subnet Mask : 255.255.255.0    |
|  Ethernet H/W Address : 00:40:c7:d0:00:00        |
+==================================================+


BIOS(7)> sysconf 

***  Configure the System parameters ***


Configurate Boot Method
 1. Auto 
 2. Manual 
 3. Net    
 4. Serial 
 5. Parallel 

-> Select number : 3
COMPANY NAME [RubyTech]> 
Boot file name [es2126_edimax.img]> 
Target system's IP [192:168:1:3]> 192.168.10.3
Server IP [192:168:1:176]> 192.168.10.21
Default Gateway [192:168:1:254]> 192.168.10.244
Config Netmask [255:255:255:0]> 
MAC address [00:40:c7:d0:00:00] > 

Write system parameters to IIC EEPROM...Done!


BIOS(8)> boot net

TFTP Boot image(es2126_edimax.img) loading at 0x8000...TFTP_ERROR: File not found


Read system parameters from IIC EEPROM...Done!

BIOS v1.03 

BIOS(0)> boot net
ETH_S3C4510  00:40:c7:d0:00:00 

TFTP Boot image(es2126_edimax.img) loading at 0x8000...TFTP_ERROR: File not found


Read system parameters from IIC EEPROM...Done!

BIOS v1.03 

BIOS(0)> boot net
error : Error bad command

BIOS(1)> boot net
ETH_S3C4510  00:40:c7:d0:00:00 

TFTP Boot image(es2126_edimax.img) loading at 0x8000.. 1319650 Bytes 
Now booting image...
kommt aber leider nichts mehr. . .

Bernd 2007/03/25 17:44

ok, da ist noch ein bisschen magie dabei

root=/dev/ram0 initrd=0x00200000,900K keepinitrd

eventuell das image vor das rom kitten und dass dann übertragen?

JTAG'in

Also wenn das so nciht geht, JTAGgen!

JTAG tolls also mit den zwei patches für den S3C4510b applied und compiliert, ein paar änderungen an den Device files, und schon erkennt er alles automatisch.

Bernd 2007/03/26 11:12

driast:/home/bernd# /usr/local/bin/jtag 
JTAG Tools 0.5.1
Copyright (C) 2002, 2003 ETC s.r.o.
JTAG Tools is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for JTAG Tools.

Warning: JTAG Tools may damage your hardware! Type "quit" to exit!

Type "help" for help.

jtag> detectflash
Error: Bus driver missing.
jtag> detect
Error: Cable not configured. Please use 'cable' command first!
jtag> 

jtag> cable parallel 0x378 DLC5
Initializing Xilinx DLC5 JTAG Parallel Cable III on parallel port at 0x378
jtag> detect
IR length: 4
Chain length: 1
Device Id: 00011111000011110000111100001111
  Manufacturer: Samsung
  Part:         s3c4510b
  Stepping:     0
  Filename:     /usr/local/share/jtag/samsung/s3c4510b/s3c4510b
jtag> print
 No. Manufacturer              Part                 Stepping Instruction          Register  
---------------------------------------------------------------------------------------------
   0 Samsung                   s3c4510b             0        BYPASS               BR        

Active bus:
*0: Samsung S3C4510B compatibile bus driver via BSR (JTAG part No. 0) RCS0=16bit
        start: 0x00000000, length: 0x100000000, data width: 16 bi
jtag> detect
IR length: 4
Chain length: 1
Device Id: 00011111000011110000111100001111
  Manufacturer: Samsung
  Part:         s3c4510b
  Stepping:     0
  Filename:     /usr/local/share/jtag/samsung/s3c4510b/s3c4510b
jtag> discovery
Detecting IR length ... 4
Detecting DR length for IR 1111 ... 1
Detecting DR length for IR 0000 ... 233
Detecting DR length for IR 0001 ... 1
Detecting DR length for IR 0010 ... 4
Detecting DR length for IR 0011 ... 233
Detecting DR length for IR 0100 ... 1
Detecting DR length for IR 0101 ... 1
Detecting DR length for IR 0110 ... 1
Detecting DR length for IR 0111 ... 1
Detecting DR length for IR 1000 ... 1
Detecting DR length for IR 1001 ... 1
Detecting DR length for IR 1010 ... 1
Detecting DR length for IR 1011 ... 1
Detecting DR length for IR 1100 ... 233
Detecting DR length for IR 1101 ... 1
Detecting DR length for IR 1110 ... 32
jtag> 
jtag> 
Type "help COMMAND" for details about a particular command.
jtag> detectflash
tap_capture_ir: Invalid state:  5
tap_shift_register: Invalid state:  8
tap_capture_dr: Invalid state: 16
tap_shift_register: Invalid state: 42
jedec_detect: mid 90, did 90
Flash not found!
jtag> detectflash
Query identification string:
        Primary Algorithm Command Set and Control Interface ID Code: 0x0002 (AMD/Fujitsu Standard Command Set)
        Alternate Algorithm Command Set and Control Interface ID Code: 0x0000 (null)
Query system interface information:
        Vcc Logic Supply Minimum Write/Erase or Write voltage: 2700 mV
        Vcc Logic Supply Maximum Write/Erase or Write voltage: 3600 mV
        Vpp [Programming] Supply Minimum Write/Erase voltage: 0 mV
        Vpp [Programming] Supply Maximum Write/Erase voltage: 0 mV
        Typical timeout per single byte/word program: 128 us
        Typical timeout for maximum-size multi-byte program: 0 us
        Typical timeout per individual block erase: 1024 ms
        Typical timeout for full chip erase: 0 ms
        Maximum timeout for byte/word program: 256 us
        Maximum timeout for multi-byte program: 0 us
        Maximum timeout per individual block erase: 16384 ms
        Maximum timeout for chip erase: 0 ms
Device geometry definition:
        Device Size: 2097152 B (2048 KiB, 2 MiB)
        Flash Device Interface Code description: 0x0002 (x8/x16)
        Maximum number of bytes in multi-byte program: 1
        Number of Erase Block Regions within device: 4
        Erase Block Region Information:
                Region 0:
                        Erase Block Size: 16384 B (16 KiB)
                        Number of Erase Blocks: 1
                Region 1:
                        Erase Block Size: 8192 B (8 KiB)
                        Number of Erase Blocks: 2
                Region 2:
                        Erase Block Size: 32768 B (32 KiB)
                        Number of Erase Blocks: 1
                Region 3:
                        Erase Block Size: 65536 B (64 KiB)
                        Number of Erase Blocks: 31
jtag> dr
01110110001111101100011110000000000000000101100001111110111001011111111111111111100000000000000000000000011001010101000000000000000000000010101010101010101010101010101010101101001001001101001101101001001001001001001101101001111100111
jtag> print
 No. Manufacturer              Part                 Stepping Instruction          Register  
---------------------------------------------------------------------------------------------
   0 Samsung                   s3c4510b             0        EXTEST               BSR       

Active bus:
*0: Samsung S3C4510B compatibile bus driver via BSR (JTAG part No. 0) RCS0=16bit
        start: 0x00000000, length: 0x100000000, data width: 16 bit
jtag>  readmem 0x00000000 20 testdump
address: 0x00000000
length:  0x0000000A
reading:
addr: 0x0000000A
Done.
jtag>  readmem 0x00000000 2097152 testdump
address: 0x00000000
length:  0x00100000
reading:
addr: 0x00100000
Done.
jtag>  readmem 0x00000000 0x00800000 testdump
address: 0x00000000
length:  0x00400000
reading:
addr: 0x00187800

Bernd 2007/03/26 12:56

Paar infos über die addressen und offsets vom Speicher und noch was über die Register

Bernd 2007/03/26 19:21

und er bootet doch

so nimmt man nun den atftp von gentoo dann kann man damit auch Dateien richtig zu dem teil übertragen. der atftd von debian Etch geht definitiv nicht! weiss der Geier warum! Dann nimmt man noch das ungezippte rubytech image und gebe das das edimax zum booten, dann bootet er auch!

mit [Ctrl]+[c] kann man übrigens den bootvorgang unterbrachen und bekommt die shell auf der Seriellen.

Start: no need to update flash..
User: no need to update flash..
# 
# 
# ls
bin   dev   etc   home  lib   mnt   proc  tmp   usr   var   

so, mal sehen ob es wirklich eine andere Firmware jetzt ist. .

Bernd 2007/03/26 22:55

Bernd 2007/03/27 00:27

und wir booten jeden scheiss!

Naja, gut, ich dachte er würde nicht booten! tut er aber doch! nur loggt er alles zu ttyS0 !! und das ist nicht zugänglich, es sei denn man Lötet! und das habe ich getan! an die TX und RX pins vom Samsung nen MAX232 dran und man bekommt was.

ttyS1 mit orginal Firmware und Bios : 57600 8N1 no stop no flow
ttyS0  (abhänging von kernel einstellung) : 19200 8N1 no stop no flow

ttyS00 at 0x3ffd000 (irq = 5) is a S3C4510B
ttyS01 at 0x3ffe000 (irq = 7) is a S3C4510B
RAMDISK driver initialized: 16 RAM disks of 1024K size 1024 blocksize
Samsung S3C4510 Ethernet driver version 0.1 (2002-02-20) <mac@os.nctu.edu.tw>
eth0: 00:40:95:36:35:34 
EVM50100 flash device: 200000 at 5000000
EVM50100 flash address remaped: at 5000000
Search for id:(38 01) interleave(1) type(1)
Search for id:(38 01) interleave(1) type(1)
Search for id:(38 01) interleave(1) type(1)
Search for id:(38 9f) interleave(1) type(2)
Search for id:(38 9f) interleave(1) type(2)
Search for id:(38 9f) interleave(1) type(2)
JEDEC: Found no EVM50100 flash device at location zero
mtd: Giving out device 0 to EVM50100 flash
EVM50100 using static partition definition
Creating 3 MTD partitions on "EVM50100 flash":
0x00000000-0x00020000 : "EVM50100 loader"
mtd: Giving out device 1 to EVM50100 loader
0x00020000-0x000c0000 : "EVM50100 kernel"
mtd: Giving out device 2 to EVM50100 kernel
0x000c0000-0x00200000 : "EVM50100 JFFS"
mtd: Giving out device 3 to EVM50100 JFFS
init_mtdchar: allocated major number 90.
init_mtdblock: allocated major number 31.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 1024)
mtdblock_open
ok
mtdblock: read on "EVM50100 JFFS" at 0x400, size 0x400
mtdblock_release
ok
mtdblock_open
ok
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000000: 0x4e07 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000004: 0x9107 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000008: 0xc93f instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0000000c: 0x6ef8 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0xef34 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000014: 0xa96b instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000018: 0x5232 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0000001c: 0x5a63 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000020: 0x37ce instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000024: 0xc3f7 instead
Further such events for this erase block will not be printed
Old JFFS2 bitmask found at 0x000139f8
You cannot use older JFFS2 filesystems with newer kernels
JFFS2: Erase block at 0x00000000 is not formatted. It will be erased
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00020000: 0x708c instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00020004: 0x926f instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00020008: 0xf3c2 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0002000c: 0xf6fc instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00020010: 0xff0b instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00020014: 0x0cf1 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00020018: 0xf5f5 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0002001c: 0x8897 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00020020: 0x310e instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00020024: 0xdb82 instead
Further such events for this erase block will not be printed
JFFS2: Erase block at 0x00020000 is not formatted. It will be erased
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00040000: 0x6c61 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00040004: 0x71d1 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00040008: 0x45b4 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0004000c: 0xc46b instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00040010: 0x7e7d instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00040014: 0xe653 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00040018: 0x9dd2 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0004001c: 0x4315 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00040020: 0x91fd instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00040024: 0xeb31 instead
Further such events for this erase block will not be printed
JFFS2: Erase block at 0x00040000 is not formatted. It will be erased
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00060000: 0x5da3 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00060004: 0x8ec0 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00060008: 0xc1a9 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0006000c: 0x4743 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00060010: 0x7652 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00060014: 0x852c instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00060018: 0xe8b3 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0006001c: 0xa819 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00060020: 0x03c6 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00060024: 0xa862 instead
Further such events for this erase block will not be printed
JFFS2: Erase block at 0x00060000 is not formatted. It will be erased
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00080000: 0xec60 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00080004: 0x4a50 instead
JFFS2: Erase block at 0x00100000 is not formatted. It will be erased
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00120048: 0x000b instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0012004c: 0x6f6d instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00120050: 0x6f74 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00120074: 0x0001 instead
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00120078: 0x000c instead
Further such events for this erase block will not be printed
JFFS2: Erase block at 0x00120000 is not formatted. It will be erased
Cowardly refusing to erase blocks on filesystem with no valid JFFS2 nodes
mtdblock_release
ok
Kernel panic: VFS: Unable to mount root fs on 1f:03

Ok, das er kein RootFS findet ist klar, weil keins da ist. und schon garkein jffs2 das war jetzt das uCrouter image für nen anderen AP

Bernd 2007/03/27 01:15

nimmt man einen Kernel vom Dell-True_mobile_1184 (R51714.EXE) der auf mit einem Linux auf einem s3c4510 läuft und bastelt sich selbst ein romfs dran, dann kann man das auch booten. und man bekommt einen promt, wenn man alles richtig macht. leider taugt der kenel nicht für den switch, weil er keine module für den switch einkompiliert hat.

im WRT54G_1.02.1_US_code.bin soll eine busybox stecken, die versuche ich mal zu extraieren. im image ist ein cramfs drin

kann ich aber leider vergessen, weil das ist MIPS und kein BFLT binary!

#cramfs
update für /dev/mtdblock1

-Compressed ROMFS
-mountbar auf der box oder auf big endian systemen.
-um updates zu mounten mit einem hexeditor  (big endian, also verkehrtrum) nach "28 CD 3D 45" suchen und alles vor der 28 löschen
mount -t cramfs -o loop mein.wsw /mnt2
- oder den offsset an der 28 rausfinden und -o loop, ofsset=<offset>

Nach der 4-Byte-Magic (0x28cd3d45) folgt die totale Länge (4 bytes, big-endian?) des cramfs. Hier ein Auszug aus cramfs_fs.h:


/*
* Superblock information at the beginning of the FS.
*/
struct cramfs_super {
u32 magic; /* 0x28cd3d45 - random number */
u32 size; /* length in bytes */
u32 flags; /* feature flags */
u32 future; /* reserved for future use */
u8 signature[16]; /* "Compressed ROMFS" */
struct cramfs_info fsid; /* unique filesystem info */
u8 name[16]; /* user-defined name */
struct cramfs_inode root; /* root inode data */

Bernd 2007/03/27 15:33

elektr/edimax-switch.txt · Zuletzt geändert: 2012/09/10 23:13 (Externe Bearbeitung)
 
Falls nicht anders bezeichnet, ist der Inhalt dieses Wikis unter der folgenden Lizenz veröffentlicht: CC Attribution-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki