Last week I attended the first Freifunk meeting in my hometown. The decision was made to participate in FFBsee with my old Buffalo WHR-HP-G300N router.
Before flashing the latest Freifunk firmware, I tried to install a vanilla OpenWrt image for this router. But the outdated DD-WRT image on this router refused to get updated.
After several retries I gave up on the suggested TFTP method. I tried several combinations of MAC addresses and interfaces, always without success. Luckily, Kevin Cave on Scarygliders pointed out that the U-Boot on the router can be interrupted with CTRL-C when it tries to request a firmware image by TFTP.
He also pointed out that the OpenWrt image is prefixed with a 0x20-byte header. So I tweaked the U-Boot environment a bit so that I could avoid altering the firmware image.
tftp server(receive) go, waiting:4[sec]
Load address: 0x80f00000
Abort
no file was loaded.
ar7240> <INTERRUPT>
ar7240>
There are some interesting environment variables related to firmware update
After setting up a TFTP server and changing your host system to the IPv4 address of 192.168.11.2, you can download a firmware image right from the U-Boot command prompt:
ar7240> tftp $tmp_ram openwrt-ar71xx-generic-whr-hp-g300n-squashfs-tftp.bin
Using eth1 device
TFTP from server 192.168.11.2; our IP address is 192.168.11.1
Filename 'openwrt-ar71xx-generic-whr-hp-g300n-squashfs-tftp.bin'.
Load address: 0x80f00000
Loading: #################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
##############################
done
Bytes transferred = 3145764 (300024 hex)
So let’s check if the image also suffers from this 0x20-byte offset:
ar7240> iminfo $fileaddr
## Checking Image at 80f00000 ...
Bad Magic Number
ar7240>
Of course, it is padded by this 0x20-byte offset as well. Just out of curiosity
In the line starting with 80f00020 we can see the magic 27051956, the expected uImage header, which Kevin Cave on Scarygliders pointed out. So let’s skip this header:
ar7240> setenv fileaddr 80F00020
Please do not save the environment after this modification, otherwise your router may not work properly afterwards. This is just a temporary modification!
After this modification the test should pass fine:
ar7240> iminfo $fileaddr
## Checking Image at 80f00020 ...
Image Name: MIPS OpenWrt Linux-3.18.23
Created: 2016-01-30 14:35:12 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1136162 Bytes = 1.1 MB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum ... OK
ar7240>
Bingo! This looks promising. We now have to erase the flash and copy the image to its new place.
ar7240> erase $fw_eaddr
Erase Flash from 0xbf040000 to 0xbf3effff in Bank # 1
First 0x40 last 0x3ef sector size 0x1000 992
Erased 944 sectors
ar7240> cp.b $fileaddr BF040000 $filesize
Copy to Flash...
Copy 3145764 byte to Flash... write addr: bf040000
done
ar7240>
Now it is time to check if everything went fine or if we have created something for the dust bin.
ar7240> bootm BF040000
## Booting image at bf040000 ...
Image Name: MIPS OpenWrt Linux-3.18.23
Created: 2016-01-30 14:35:12 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1136162 Bytes = 1.1 MB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 33554432
Starting kernel ...
[ 0.000000] Linux version 3.18.23 (chris@quadros) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r48532) ) #1 Sat Jan 30 15:35:03 CET 2016
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[ 0.000000] SoC: Atheros AR7240 rev 2
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 02000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x01ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[...]
BusyBox v1.23.2 (2016-01-30 15:30:41 CET) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
CHAOS CALMER (Chaos Calmer, r48532)
-----------------------------------------------------
* 1 1/2 oz Gin Shake with a glassful
* 1/4 oz Triple Sec of broken ice and pour
* 3/4 oz Lime Juice unstrained into a goblet.
* 1 1/2 oz Orange Juice
* 1 tsp. Grenadine Syrup
-----------------------------------------------------
root@OpenWrt:/#
This looks like a full success to me. Next step will be increasing the flash size to 8 MB to provide enough space for the FFBsee firmware.
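The 0x20-byte prefix and the iminfo checks described above can also be reproduced on the host before an image is transferred and written to flash. The following Python sketch is an added example, not part of the original post: it looks for the uImage magic 27051956 at offsets 0x00 and 0x20, parses the 64-byte legacy uImage header and recomputes both CRC32 values. The function names and the sample image built in `build_sample` are constructed for illustration.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
HEADER = struct.Struct(">7I4B32s")  # legacy uImage header: 64 bytes, big-endian


def find_uimage(blob, offsets=(0x00, 0x20)):
    """Return the first candidate offset that holds the uImage magic, else None."""
    for off in offsets:
        if len(blob) >= off + 4 and struct.unpack_from(">I", blob, off)[0] == UIMAGE_MAGIC:
            return off
    return None


def check_uimage(blob, off):
    """Parse the header at `off` and recompute header and data CRC32."""
    if len(blob) < off + HEADER.size:
        raise ValueError("truncated header")
    raw = blob[off:off + HEADER.size]
    magic, hcrc, _time, size, load, entry, dcrc, _os, _arch, _type, _comp, name = HEADER.unpack(raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError("Bad Magic Number")
    # The header CRC is computed with its own field (bytes 4..7) set to zero.
    header_ok = zlib.crc32(raw[:4] + b"\0\0\0\0" + raw[8:]) == hcrc
    data = blob[off + HEADER.size:off + HEADER.size + size]
    data_ok = len(data) == size and zlib.crc32(data) == dcrc
    return {"name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": size, "load": load, "entry": entry,
            "header_ok": header_ok, "data_ok": data_ok}


def build_sample(prefix_len=0x20):
    """Constructed sample: prefix bytes + valid uImage + trailing bytes."""
    payload = b"constructed kernel payload" * 8
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80060000, 0x80060000,
              zlib.crc32(payload), 5, 5, 2, 3, b"sample image"]
    hdr = bytearray(HEADER.pack(*fields))
    struct.pack_into(">I", hdr, 4, zlib.crc32(bytes(hdr)))  # fill in header CRC
    return b"\xAA" * prefix_len + bytes(hdr) + payload + b"rootfs"


if __name__ == "__main__":
    image = build_sample()  # replace with open(path, "rb").read() for a real file
    off = find_uimage(image)
    print(hex(off), check_uimage(image, off))
```

If `find_uimage` reports 0x20 for a downloaded image, the address passed to `iminfo` on the router needs the same 0x20 added to the TFTP load address, as done with `fileaddr` above.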