วันศุกร์ที่ 10 มกราคม พ.ศ. 2557

เปิดดูภายในเราเตอร์ BELKIN F5D7634-4 v2

เราเตอร์ตัวนี้ผมได้มาสภาพไม่ปกติคือ พอร์ตแลนใช้ได้ 2 ช่อง เลยลองแกะเล่นดูครับ แกะแล้วเห็นวงจรภายในไม่เหมือนใครดี มาดูกันครับ

ภายในเราเตอร์
ตัวเราเตอร์มี CPU 2 ตัว ตัวแรกเป็น CPU ของวงจร ADSL ชื่อ Infineon PSB 50600 HL

CPU1:  Infineon PSB 50600 HL

CPU ตัวที่ 2 เป็นส่วนทำหน้าที่เป็นเราเตอร์และปล่อย WiFi ชื่อ Ralink RT3050F

CPU2: Ralink RT3050F

RAM ของ ADSL CPU ชื่อ EtronTech EM639165TS-6G มีขนาด 16 MB

RAM1: EtronTech EM639165TS-6G

RAM ของ CPU เราเตอร์ชื่อ Zentel A3V64S40ETP-G6 มีขนาด 8MB

RAM2: Zentel A3V64S40ETP-G6


Flash Memory ของ ADSL CPU คือ MX29LV160DBTI-70G มีขนาด 2MB

Flash1: MX29LV160DBTI-70G

หน่วยความจำ CPU ของเราเตอร์เป็นไอซีไม่ทราบชนิดอาจจะเป็น eeprom หรือ Flash เบอร์ ATMLH940

 ATMLH940
ส่วนของภาคจ่ายไฟของเราเตอร์มีไอซี Switching ควบคุมอยู่สองตัวซึ่งเป็นเบอร์เดียวกันคือ WE16B8

WE16B8

ส่วนของพอร์ต Serial มี 2 ชุดคือของ ADSL กับ CPU เราเตอร์

ขา Serial
Boot log ของ ADSL

=======================================================================
Wireless ADSL Router AR4505SW 5-A-LF-AK Loader V0.03 build Jul  8 2009 17:49:21
                    Arcadyan Technology Corporation
=======================================================================
MXIC MX29LV160B bottom boot 16-bit mode found
Copying boot params.....DONE
Press Space Bar 3 times to enter command mode ...
Flash Checking
 Passed.
Unzipping firmware at 0x80002000 ... [ZIP 1]  done
[INIT] In c_entry() ...
[INIT] Install Exception ...
Co config = 80048483
[INIT] Install ISR ...
[INIT] bypass unzip web image to httpd
init GPIO#0 (as0:0,as1:0,dir:0)
init GPIO#10 (as0:0,as1:0,dir:1)
init GPIO#13 (as0:0,as1:0,dir:1)
init GPIO#2 (as0:0,as1:0,dir:1)
init GPIO#24 (as0:0,as1:0,dir:1)
init GPIO#3 (as0:0,as1:0,dir:1)
init GPIO#27 (as0:0,as1:0,dir:1)
init GPIO#4 (as0:0,as1:0,dir:1)
init GPIO#7 (as0:0,as1:0,dir:1)
init GPIO#12 (as0:0,as1:0,dir:1)
init GPIO#1 (as0:0,as1:0,dir:1)
gptu: totally 6 16-bit timers/counters
Init timer = 0
##### _ftext      = 0x80002000
##### _fdata      = 0x801BAC80
##### __bss_start = 0x801E937E
##### end         = 0x80770DD8
##### Backup Data from 0x801BAC80 to 0x80778DD8~0x807A74D6 len 190206
##### Backup Data completed
##### Backup Data verified
[INIT] System Log Pool startup ...
[INIT] MTinitialize ..
[INIT] usrclk
CPU Clock 266666666 Hz
mips_counter_frequency:133333333
r4k_offset: 00145855(1333333)
init_US_counter : time1 = 208323 , time2 = 32208373, diff 32000050
US_counter = 59
 cnt1 32788284 cnt2 32789538, diff 1254
Runtime code version: 2.00.20
System startup...
[INIT] Memory COLOR 0, 730000 bytes ..
[INIT] Memory COLOR 1, 100000 bytes ..
[INIT] Memory COLOR 2, 351200 bytes ..
MXIC MX29LV160B bottom boot 16-bit mode found
Set flash memory layout to BRN-BOOT
Boot Parameters found !!!
Bootcode version: V0.03
Serial number: 12951763400370
Hardware version: 01
MXIC MX29LV160B bottom boot 16-bit mode found

sizeof(struct III_Config_t) is 71544, nLen:71544, Magic:0x33343536
MXIC MX29LV160B bottom boot 16-bit mode found
my CFGVersionMagic = 33343536, old CFGVersionMagic on flash = 33343536
my CFGsize = 71552, my CFGDescSize = 15887
my Version = 2.00.20, Version on flash= 2.00.20
[CONFIG] flash version:[2.00.20], [2.0.2-0]
[CONFIG] code version:[2.00.20], [2.0.2-0]
CFGsize on flash = 71552, CFGDescSize on flash = 15887
MXIC MX29LV160B bottom boot 16-bit mode found
OldCfgHexSize:5716
Unzipping from 80353F1C to 803500FC ... [ZIP 1] done, Uncompressed size = 15885
Tail1 : END_III_Config_t
Size of Old CFG_DESC is :15885!!!
useCfgDesc:1
MyCfgHexSize:5716
Unzipping from 8034EA90 to 8034AC70 ... [ZIP 1] done, Uncompressed size = 15885
My CFGDescSize:15887
useCfgDesc:1
Tail : END_III_Config_t
useCfgDesc:3
Restore Config file from ver:2.00.20!!!
[CONFIG] Configuration in Flash is old version: 2.0.0
[CONFIG] DS_Tail:[t_F5D7634-4 v2]
default route: 0.0.0.0
BufferInit:
BUF_HDR_SZ=128 BUF_ALIGN_SZ=0 BUFFER_OFFSET=192
BUF_BUFSZ0=448 BUF_BUFSZ1=1888
NUM_OF_B0=100 NUM_OF_B1=600
BUF_POOL0_SZ=57600 BUF_POOL1_SZ=1209600
sizeof(BUFFER0)=576,sizeof(BUFFER1)=2016
*BUF0=0x804fe31c *BUF1=0x803d6dfc
Altgn *BUF0=0x804fe320 *BUF1=0x803d6e00
End at BUF0:0x8050c420, BUF1:0x804fe300
BUF0[0]=0x804fe320 BUF1[0]=0x803d6e00
buffer0 pointer init OK!
buffer1 pointer init OK!
ifno=  0, Link_Type= 4
IfInit(): LOOPBACK
time = 08/01/2003, 00:00:00
Interface 0 ip = 127.0.0.1
ifno=  1, Link_Type= 1
IfInit(): GEN_MAC_0
DMA g_desc_list=0x80349D40
Internal Clock
Selected EPHY_MODE
ETOP_CFG=4141
ENET_MAC_CFG=99f
ETOP MDIO CFG 40
EPHY ctl = 3100
EPHY Strapping = 5e08
waiting for EPHY auto-negociation complete...........................
EPHY Status = 786d
EPHY ctl = 3100
MAC Address: 94:44:52:0e:9e:cd
time = 08/01/2003, 00:00:00
Interface 1 ip = 192.168.1.212
ifno=  2, Link_Type= 1
IfInit(): HWLAN
dev=803c2acc->priv=803bcfb4
HWLAN: Ralink iNIC 94:44:52:0e:9e:cd
Update MAC(0)=94:44:52:0e:9e:cd
============= Init Thread ===================
RacfgTaskThread pid = 1
RacfgBacklogThread pid = 2
racfg_inband_hook_init(): end
wlan security on!
RUNTASK id=3 hwlan_light_isr...
RUNTASK id=4 InternetCheckTask...
time = 08/01/2003, 00:00:00
hwlan_ioctl(): begin
hwlan_ioctl(): end
Interface 2 ip = 192.168.1.212
hwlan_ioctl(): begin
hwlan_ioctl(): end
ifno=  3, Link_Type= 1
IfInit(): GEN_SAR_0
ppe: ATM init succeeded (firmware version 1.1.0.2.1.13)
ATM_UBR
Init SAR ifno:3 g_atm_vcc[0] CONN:1 VPI/VCI:0/100
MAC Address: 94:44:52:0e:9e:ce
Interface 3 ip = 0.0.0.0
ifno=  4, Link_Type= 0
ifno=  5, Link_Type= 0
ifno=  6, Link_Type= 0
ifno=  7, Link_Type= 0
ifno=  8, Link_Type= 0
ifno=  9, Link_Type= 0
ifno= 10, Link_Type= 0
ifno= 11, Link_Type= 0
ifno= 12, Link_Type= 0
ifno= 13, Link_Type= 0
ifno= 14, Link_Type= 0
ifno= 15, Link_Type= 0
ifno= 16, Link_Type= 0
ifno= 17, Link_Type= 0
ifno= 18, Link_Type= 0
ifno= 19, Link_Type= 0
ruleCheck()> Group: 0,  Error: Useless rule index will be truncated
ruleCheck()> Group: 1,  Error: Useless rule index will be truncated
ruleCheck()> Group: 2,  Error: Useless rule index will be truncated
CBAC rule format check succeed !!
reqCBACBuf()> init match pool, Have: 50
Memory Address: 0x807652b0 ~ 0x80765844
reqCBACBuf()> init timeGap pool, Have: 2000
Memory Address: 0x80765844 ~ 0x8076f498
reqCBACBuf()> init sameHost pool, Have: 200
Memory Address: 0x8076f498 ~ 0x80770db8
CBAC rule pool initialized !!
Init NAT data structure
RUNTASK id=5 if_task if0...
RUNTASK id=6 if_task if1...
RUNTASK id=7 if_task if2...
RUNTASK id=8 if_task if3...
RUNTASK id=9 timer_task...
RUNTASK id=10 conn_mgr...
ifno2dot1x_if[2]=0
dot1x_wireless_if_mask=0x4
RUNTASK id=11 period_task...
========== ADSL Modem initialization OK ! ======
RUNTASK id=12 dhcp_clt...on interface 3
---[ LZMA head start in 0xB0040000 ]---
found signature: 78h 56h 34h 12h
ulImgLens=517744, LENGTH[3]-12=1769460
length checking OK
[0] find End at 0xB00BE400 len=517744
---[ LZMA head start in 0xB00BE800 ]---
found signature: 78h 56h 34h 12h
ulImgLens=107388, LENGTH[3]-12=1769460
length checking OK
[1] find End at 0xB00D8800 len=107388
---[ LZMA head start in 0xB00D8C00 ]---
found signature: 78h 56h 34h 12h
ulImgLens=162008, LENGTH[3]-12=1769460
length checking OK
[2] find End at 0xB0100400 len=162008
---[ LZMA head start in 0xB0100800 ]---
found signature: 78h 56h 34h 12h
ulImgLens=341825, LENGTH[3]-12=1769460
length checking OK
[3] find End at 0xB0153C00 len=341825
Image[1] at 0xB0040000, len = 517744
Image[2] at 0xB00BE800, len = 107388
Image[3] at 0xB00D8C00, len = 162008
Image[4] at 0xB0100800, len = 341825
Unzipping from B00BE800 to 80EC2000 ... [ZIP 1] done, Uncompressed size = 194146
drive start addr[0]=80ec2000, [1]=80ef1670
[HTTPD] flash_init: failed!!
httpd: listen at 192.168.1.212:80
RUNTASK httpd...
RUNTASK id=15 dnsproxy...
UPnP is disabled
>>> belkin_wan_cfg task runs successfully, task_id = 16
RUNTASK id=18 wsc_Send_UPNP_packet...
UART RX Input
Starting Multitask...
run_project_task
RUNTASK id=19 CMV_task...
RUNTASK id=20 apAppInit...
RaCfg Task
RaCfg Backlog
iNIC Open HWLAN
netif_carrier_on() called ???
Op mode = 1
RaCfgOpenFile(): begin
iNic profile ...
===gen inic profile====
===gen profile end==1819
iNic profile : 0x802843CC, 1819
RaCfgOpenFile(): end
BssidNum=1
Wait for boot done...
Danube MEI version:1.00.07
Unzip DSP firmware ...
[ZIP 1] [dhcp_clt] enable dhcp client in interface ATM1[3]
iNicWscUpnpTask 1...
[17]pthread_mutex_init: resource No. 36
wsc_Send_eap_packet:udpFdupnp_wcn:18;;udpFdupnp:1a
[17]pthread_mutex_init: resource No. 37
idx=0 mem_ptr=0xA06D6000 size=65536
idx=1 mem_ptr=0xA06E6000 size=65536
idx=2 mem_ptr=0xA06F6000 size=65536
idx=3 mem_ptr=0xA0706000 size=65536
idx=4 mem_ptr=0xA0716000 size=60600
iNicWscUpnpTask 2...
Got MODEM_READY_MSG
ADSL Firmware: 3.4.3.2.0.1 [Annex A:0xb105 0x4]
RACFG_CMD_BOOT_NOTIFY
RaCfgOpenFile(): begin
Unzip iNic firmware ...
[ZIP 1] iNic firmware : 0x805A7924, 656640
RaCfgOpenFile(): end
RaCfgOpenFile(): begin
iNic profile ...
===gen inic profile====
===gen profile end==1819
iNic profile : 0x802843CC, 1819
RaCfgOpenFile(): end
RACFG_CMD_BOOT_INITCFG(0)
RACFG_CMD_BOOT_INITCFG(1)
Send Init Cfg Data Done(2 packets)
RACFG_CMD_BOOT_UPLOAD(0)
RACFG_CMD_BOOT_UPLOAD(1)
RACFG_CMD_BOOT_UPLOAD(2)
ADSL> READY
CRC:01 08 14 18 b4 36 cd 27 22 32 2e 30 2e 31 2e 35 22 00 00 00 32 30 30 39 30 38 32 31 00 00 00 00 00 00 00 00 d8 04 0a 00
Send RT3052iNIC Firmware Done
===================================
version: "2.0.1.5"
size:    656600 bytes
date:    20090821
===================================
Send STARTUP to RT3052iNIC
Close Firmware file
RACFG_CMD_BOOT_STARTUP
TODO !! wireless event flag rx 0x0210: (iNIC) STA(00:00:00:00:00:00) - BSS(0) disconnects with our wireless client
Update MAC(0)=94:44:52:0e:9e:cd
Sync Mac with MII master done
[HWLAN] [20] rapi_tmr_task running
WPS timeout flag cleared
TODO !! wireless event flag rx 0x020f: (iNIC) STA(00:00:00:00:00:00) - BSS(0) connects with our wireless client
TODO !! wireless event flag rx 0x020f: (iNIC) STA(00:00:00:00:00:00) - BSS(0) connects with our wireless client
Got MODEM_READY_MSG
ADSL Firmware: 3.4.3.2.0.1 [Annex A:0xb105 0x4]
ADSL> READY

====== console mode ======
  shift-0: enable debug
  ENTER  : show this help
==========================

Boot log ของ CPU เราเตอร์
=================================================================
        Ralink RT3052 iNIC on Aug 21 2009 <09:34:08>
                Used Memory 769K
                Free Memory Base = 0x800C56A4
                HZ = 1000
===================================================================
Check Firmware CRC (0x27cd36b4 ~ 0x27cd36b4) -- match
ILL_ACC_ADDR = 00000000, ILL_ACC_TYPE = 00000000
SYSCFG = 0x30030000
SDRAM CFG0 = 0xd1925282
SDRAM CFG1 = 0xc0010600
CPU revision is: 0001964c
MAX_MEMORY = 0x800000
Instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Data cache 16kB, 4-way, linesize 32 bytes.
CONFIG0 = 80010483
80010483 -- > CONFIG0
-> CONFIG0 = 80010483
DEBUG = 0201a004, Kernel
STATUS = 10000000, Kernel
=== EEPROM ===
0x0000 : 52 30 01 01 00 0c 43 30 52 88 ff ff ff ff ff ff
0x0010 : ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x0020 : ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x0030 : ff ff ff ff 11 05 24 00 ff ff 2e 01 55 77 a8 aa
rt_buf_init: 6 gets, 0 releases.  6092880 in use, 1290500 free, largest = 1290500
GPIOMODE(b0000060) = 00000000
OS_MAX_TASKS = 32
 RGMII Mode
SWITCH at DUMP MODE
=== GMAC Rx_Ring = a00a1d40, Tx_Ring0 = a00a1940 ===
Load RT2880 Timer Module(Wdg/Soft)

=== pAd = 80139180, size = 814384 ===
<-- RTMPAllocAdapterBlock, Status=0
RX DESC a00bab60  size = 1536
<-- RTMPAllocTxRxRingMemory, Status=0
WPAPSK_KEY, key len (should be 8~64) incorrect!!!, your key len = 0
I/F(ra0) Key1Str is Invalid key length! KeyLen = 0!
I/F(ra0) Key2Str is Invalid key length! KeyLen = 0!
I/F(ra0) Key3Str is Invalid key length! KeyLen = 0!
I/F(ra0) Key4Str is Invalid key length! KeyLen = 0!
============> Parameter MAC=94:44:52:0e:9e:cd
=====> Parameter GpioEnable=1
=====> Parameter GpioMode=12
=====> Parameter GpioPolarity=63
1. Phy Mode = 0
2. Phy Mode = 0
3. Phy Mode = 0
MCS Set = 00 00 00 00 00
Main bssid = 94:44:52:0e:9e:cd
The UUID Hex string is:bc329e001dd811b286019444520e9ecd
The UUID ASCII string is:bc329e00-1dd8-11b2-8601-9444520e9ecd!
<==== RTMPInitialize, Status=0
calling bridge_module_init()
Response MAC=94:44:52:0e:9e:cd
# Parameter1: No. Tasks
# Parameter2: CPU Usage in %
# Parameter3: No. Task switches/sec
<-PRESS 'ESC' TO QUIT->
(0<== Set_Debug_Proc(RTDebugLevel = 3)
0Set_WPAPSK_Proc::(WPAPSK=lorencia3040)
==> Set_Debug_Proc *******************
:0AsicSendCommandToMcu 0x60 ==> stop detection
Timer Value  = ffffff7f
AsicSendCommandToMcu 0x60 ==> stop detection
Timer Value  = ffffff7f
0:00) - 1003(0) 6 0 2353
(00:01:02) - 64100(0) 6 1 127158

จาก Boot log ด้านบนพอสรุปกระบวนการได้ คือ
  • ADSL CPU บูตตัวเองขึ้นมาก่อน แล้วส่งเฟิร์มแวร์ผ่านทาง Ethernet ภายในไปหา RT3050F 
  • หลังจากโหลดเสร็จ RT3050F บูตตัวเองจาก RAM 
ภายในเราเตอร์เป็น OS เฉพาะทางไม่น่าใช่ Linux ครับ 

2 ความคิดเห็น: