Saturday, August 6, 2011

Belkin F7D3302 Hacking

I bought a cheap Wireless-N router which supports USB the Belkin F7D3302.

http://en-us-support.belkin.com/app/product/detail/p/5132

Immediately I loaded dd-wrt on it, and got hacking.


How to install DD-WRT on Belkin F7D3302
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=603693&sid=7edc20fe8941b0c8001cf0039d3de589




Seems no one has yet documented the power supply or serial port (Which I'm planning on using for controlling my Roomba)

Serial Port:
Connector J3 - already has header :)

Pin 1: Vcc (3.3V)
Pin 2:RX
Pin 3:TX
Pin 4: Gnd

I hooked it up using my trusty Bus Pirate, I don't know how I did things without it; its seriously the most useful and important tool I have.

Below is a capture of the bus pirate session; and monitoring the bootup of the router.




No mode set, M for mode
HiZ>
* Syntax error, type ? for help
HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. JTAG
7. RAW2WIRE
8. RAW3WIRE
9. PC KEYBOARD
10. LCD
(1) >3
Mode selected
Set serial port speed: (bps)
1. 300
2. 1200
3. 2400
4. 4800
5. 9600
6. 19200
7. 38400
8. 57600
9. 115200
10. 31250 (MIDI)
(1) >9
Data bits and parity:
1. 8, NONE *default
2. 8, EVEN
3. 8, ODD
4. 9, NONE
(1) >
Stop bits:
1. 1 *default
2. 2
(1) >
Receive polarity:
1. Idle 1 *default
2. Idle 0
(1) >
Select output type:
1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)
(1) >
READY
UART>
* Syntax error, type ? for help
UART>
* Syntax error, type ? for help
UART>?
MENUS
? Help
I Status info
M Bus mode
B Terminal speed
O Data display format
V Check supply voltages
F Frequency count on AUX
G Frequency generator/PWM on AUX
C AUX pin assignment
L Bit order
P Pullup resistors
= HEX/DEC/BIN converter
~ Self test
# Reset
$ Bootloader
SYNTAX
A/a/@ AUX output toggle H/L/read
W/w Power supply toggle on/off
d (D) Measure voltage on ADC probe (continuous)
[ ({) Start (with read)
] or } Stop
R or r Read byte
0b Write BIN byte
0h or 0x Write HEX byte
0-255 Write DEC byte
, Delimiter (also space)
& 1uS delay
: Repeat (r:2, 0x0a:4, &:20, ^:2, etc.)
(#) Run macro, (0) for macro list
RAW BUS OPERATIONS
/\ Clock H/L
-/_ Data H/L
. Read data input pin state
^ Clock tick
! Read bit
UART>(0)
0.Macro menu
1.Transparent UART bridge
2. Live UART monitor
3.UART bridge with flow control
UART>(2)
Raw UART input. Space to exit.
Decompressing...done
Decompressing...done
Init Arena
Init Devs.
Boot partition size = 131072(0x20000)
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.128.0
CPU type 0x19740: 453MHz
Tot mem: 65536 KBytes
CFE mem: 0x80700000 - 0x8079A400 (631808)
Data: 0x80731500 - 0x807338B0 (9136)
BSS: 0x807338B0 - 0x80734400 (2896)
Heap: 0x80734400 - 0x80798400 (409600)
Stack: 0x80798400 - 0x8079A400 (8192)
Text: 0x80700000 - 0x80731500 (201984)
Copying boot params.....DONE
Bootloader version 0.08e boot_version 0.08e
Project name : WG7016F22 1-LF-AK
Press space bar to cancel startup...
Device eth0: hwaddr 94-44-52-99-E0-4B, ipaddr 192.168.1.50, mask 255.255.255.0
gateway not set, nameserver not set
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 3916 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
Linux version 2.6.24.111 (eko@dd-wrt) (gcc version 4.1.2) #3050 Tue May 17 17:23:53 CEST 2011
CPU revision is: 00019740
Determined physical RAM map:
memory: 04000000 @ 00000000 (usable)
Zone PFN ranges:
Normal 0 -> 16384
HighMem 16384 -> 16384
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0 -> 16384
Built 1 zonelists in Zone order. Total pages: 16384
Kernel command line: console=ttyS0,115200 root=1f02 rootfstype=squashfs noinitrd
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
PID hash table entries: 512 (order: 9, 2048 bytes)
CPU: BCM4716 rev 1 at 453 MHz
Using 226.500 MHz high precision timer.
console [ttyS0] enabled
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 58732k/65536k available (3386k kernel code, 6748k reserved, 1437k data, 188k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
Generic PHY: Registered new driver
PCI: Using membase 8000000
PCI: Initializing host
PCI: Reset RC
PCI: no core
PCI: Fixing up bus 0
PCI/PCIe coreunit 0 is set to bus 1.
PCI: Fixing up bridge
PCI: Fixing up bridge
PCI: Enabling device 0000:01:00.1 (0004 -> 0006)
PCI: Fixing up bus 1
Device 0 map irq 0
result->irq 6
HND PCIE device corerev 14 found at 1/0/0
Device 0 map irq 0
result->irq 6
HND PCIE device corerev 14 found at 1/0/1
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
F7D3301v1/3302v1/4302v1 - F5D8235v3 GPIO Init
devfs: 2004-01-31 Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
squashfs: version 3.0 (2006/03/15) Phillip Lougher
io scheduler noop registered
io scheduler deadline registered (default)
HDLC line discipline: version $Revision: 4.8 $, maxframe=4096
N_HDLC line discipline registered.
Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x0 (irq = 8) is a 16550A
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
MPPE/MPPC encryption/compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V1.0
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky
eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.60.127.4
Physically mapped flash: Found 1 x16 devices at 0x0 in 8-bit bank
Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Flash device: 0x800000 at 0x1c000000
Found Belkin TRX magic
bootloader size: 196608
nvram size: 32768
Found Belkin TRX magic
Physically mapped flash: Filesystem type: squashfs, size=0x6049fb
partition size = 6315008
Creating 5 MTD partitions on "Physically mapped flash":
0x00000000-0x00030000 : "cfe"
0x00030000-0x007f0000 : "linux"
0x0018a400-0x00790000 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
0x007f0000-0x00800000 : "nvram"
0x00790000-0x007f0000 : "ddwrt"
Found a 0MB serial flash
sflash: found no supported devices
Broadcom Watchdog Timer: 0.07 initialized.
u32 classifier
Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
ctnetlink v0.93: registering with nfnetlink.
IPv4 over IPv4 tunneling driver
GRE over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
ClusterIP Version 0.8 loaded successfully
TCP bic registered
TCP cubic registered
TCP westwood registered
TCP highspeed registered
TCP hybla registered
TCP htcp registered
TCP vegas registered
TCP scalable registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Welcome to PF_RING 3.2.1
(C) 2004-06 L.Deri
NET: Registered protocol family 27
PF_RING: bucket length 128 bytes
PF_RING: ring slots 4096
PF_RING: sample rate 1 [1=no sampling]
PF_RING: capture TX No [RX only]
PF_RING: transparent mode Yes
PF_RING initialized correctly.
PF_RING: registered /proc/net/pf_ring/
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
decode 1f02
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 188k freed
start service
starting Architecture code for broadcom
starting hotplug
done
Booting device: Belkin F7D3302 / F7D7302 v1
loading switch-core
loading switch-robo
roboswitch: Probing device eth0: found a 5325!
[USB] checking...
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
USB20H mdio control register : 0x80000008
ehci_hcd 0000:00:04.1: EHCI Host Controller
ehci_hcd 0000:00:04.1: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:04.1: irq 5, io mem 0x18004000
ehci_hcd 0000:00:04.1: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
USB Universal Host Controller Interface driver v3.0
USB20H mdio control register : 0x80000008
ohci_hcd 0000:00:04.0: OHCI Host Controller
ohci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 2
ohci_hcd 0000:00:04.0: irq 5, io mem 0x18009000
usb 1-1: new high speed USB device using ehci_hcd and address 2
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usb 1-1: configuration #1 chosen from 1 choice
SCSI subsystem initialized
Initializing USB Mass Storage driver...
scsi0 : SCSI emulation for USB Mass Storage devices
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
/bin/sh: can't create /proc/switch/eth1/reset: nonexistent directory
/etc/preinit: line 66: can't create /proc/sys/net/ipv4/ip_conntrack_max: nonexistent directory
/etc/preinit: line 66: can't create /proc/sys/net/ipv4/ip_conntrack_max: nonexistent directory
eth1: Operation not supported
wl0.1: No such device
wl0.2: No such device
wl0.3: No such device
eth1: Operation not permitted
nbw = 20
eth1: Invalid argument
eth1: Invalid argument
eth1: Operation not supported
eth1: Operation not supported
/bin/sh: can't create /proc/sys/net/bridge/bridge-nf-call-arptables: nonexistent directory
/bin/sh: can't create /proc/sys/net/bridge/bridge-nf-call-ip6tables: nonexistent directory
/bin/sh: can't create /proc/sys/net/bridge/bridge-nf-call-iptables: nonexistent directory
br0: Dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature.
device br0 entered promiscuous mode
br0: No such file or directory
device vlan1 entered promiscuous mode
device eth0 entered promiscuous mode
br0: No such file or directory
eth1: Operation not supported
wl0.1: No such device
wl0.2: No such device
wl0.3: No such device
eth1: Operation not permitted
eth1: Invalid argument
nbw = 20
eth1: Invalid argument
eth1: Invalid argument
eth1: Operation not supported
eth1: Operation not supported
device eth1 entered promiscuous mode
br0: No such file or directory
device vlan2 entered promiscuous mode
br0: port 3(vlan2) entering learning state
br0: port 2(eth1) entering learning state
br0: port 1(vlan1) entering learning state
device br0 left promiscuous mode
device br0 entered promiscuous mode
device br0 left promiscuous mode
device br0 entered promiscuous mode
scsi 0:0:0:0: Direct-Access OCZ ET1208AD 1.0 PQ: 0 ANSI: 2
sd 0:0:0:0: [sda] 4095999 512-byte hardware sectors (2097 MB)
sd 0:0:0:0: [sda] Write Protect is off
sd 0:0:0:0: [sda] Assuming drive cache: write through
sd 0:0:0:0: [sda] 4095999 512-byte hardware sectors (2097 MB)
sd 0:0:0:0: [sda] Write Protect is off
sd 0:0:0:0: [sda] Assuming drive cache: write through
/dev/scsi/host0/bus0/target0/lun0: p1
sd 0:0:0:0: [sda] Attached SCSI removable disk
br0: topology change detected, propagating
br0: port 3(vlan2) entering forwarding state
br0: topology change detected, propagating
br0: port 2(eth1) entering forwarding state
br0: topology change detected, propagating
br0: port 1(vlan1) entering forwarding state
Key is a RSA key
Wrote key to '/tmp/root/.ssh/ssh_host_rsa_key'
Key is a DSS key
Wrote key to '/tmp/root/.ssh/ssh_host_dss_key'
SIOCGIFFLAGS: No such device
/bin/sh: hdparm: not found
[USB Device] partition:
[USB Device] partition: --- /dev/discs/disc0/disc
[USB Device] partition: Block device, size 1.953 GiB (2097151488 bytes)
[USB Device] partition: DOS/MBR partition map
[USB Device] partition: Partition 1: 1.952 GiB (2096342016 bytes, 4094418 sectors from 62)
[USB Device] partition: Type 0x83 (Linux)
[USB Device] partition: Ext2 file system
[USB Device] file system: Ext2 file system
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
etherip: Ethernet over IPv4 tunneling driver
The Milkfish Router Services
ERROR: Necessary service setting not found: milkfish_username - aborting.
The Milkfish Router Services
Restoring SIP ddsubscriber database from NVRAM...
Empty.
The Milkfish Router Services
Restoring SIP ddaliases database from NVRAM...
Empty.
UART>





Power Supply:
I measured the current on the input by removing; and it peaked at 400mA while reading USB, and at idle was around 300mA.

My next goal was to see if the power supply would accept the higher voltage from the Roomba; or if I would be required to step it down.

Below is a picture of the power supply; the input is 12VDC at maximum 1A.  By visual inspection I believe the power supply to have two primary rails;  A 5V rail used for USB; and a 3.3V Rail used for the logic.  There are linear regulators to drop the 3.3V rail to 1.8V for the main processor and the wired Ethernet switch.





3.3V Regulator:

  • Apw7080: 4A, 26V, 380kHz, Asynchronous Step-Down Converter
  • Datasheet: http://moddedreality.dreamhosters.com/Apw7080.pdf
  • 4.5 to 26V input
  • 3.3 or 5V output; in this case 3.3V
  • Pin 2 is enable; this may be useful for automatic power up/down of the router when interfaced to roomba
5V Regulator:
  • Zt1413s ASYNC switching regulator Input: 4.75~23V Output:0.92~15V 2A 380KHz 95% SOP8EPMP
  • Datasheets seem non existent for this regulator;

Reducing Power Consumption for battery powered operation:

I'm looking for ways to reduce the power consumption of the router because I'm planning on having it battery powered; currently drawing around 400mA @12V (4.8W) with USB connected its not too power hungry; but less the better. I havn't done full measurements with high traffic; at this point I'm getting some estimates.

Idea 1:
Add a means to remove power to the wired Ethernet switch.
Part: Broadcom BCM5325: http://www.broadcom.com/products/BCM5325
Power: The full datasheet isn't available; but in the product brief it says < 1.4W, assuming its around 1W idle (warm to the touch so this is likely a reasonable estimate); I could save 20% by removing power.

Near Ethernet Switch there is another regulator to drop the 3.3V rail to 1.8V

Ld1117a - http://www.st.com/stonline/products/literature/ds/2572.pdf

My plan is to add a switch to be able to switch the the wired ethernet switch on and off, I would prefer to have this controlled via software; I'll need to find a GPIO in order to do this. This way I can keep in on by default and power it off when connected to the roomba.

5 comments:

monton1999 said...

Very interesting post, thanks.

I don't understand the "Bus Pirate" thing, though. Wouldn't it be possiible to connect to the router via the serial port directly from the computer, using Putty?

If yes, how would yo configure the connection. With my current setup (115200, 8, 1, no parity, no flow control) I'm only getting garbage output...

Anonymous said...

Great article!

Thanks a lot.


Domi1 from Belgium

SINternet said...

Looks real good except for one thing. What type of cable did you use for your serial connection. CA-42? Maybe a picture of your actual connections would be nice.

Scott
stkpc@stkpc.com

Angel M said...

...some years later... thanks for the article. I want to load whatever other linux firmware and for what ever reason the CEF interface does not want to load a mini dd-wrt firmware. Let see if via serial is better. I only need to figure out how. Well, in any case, some comments to help people to complete your article:
Serial parameters:
bit rate: 115200
parity: none
stopbit: 1
flow control: hw (at least mine goes ok)

What is wrong in the description is the pins distribution. The right one is: Vcc,RX,TX,GND.
To avoid to build your own TTL serial cable, http://www.dealextreme.com/details.dx/sku.13638. but it may be already out of stock.

Nothing more, I hope it helps like to me.
Angel

Angel M said...

:-) i mix the pin distribution up myself :-) The article is right as well.
By the way, if someone know how to load a dd-wrt via serial, I would appreciate some help to start.

Regards,