Doc GOMI

Doc GOMI

Unbrick tenda A6 router

I've been buying Tenda A6 wifi router for object/arduino connection to internet : it's very litlle, chip, wifi, ethernet and usb powering enable.

 

Interesting option for "internet of things".

 

Two versions : one has only three modes, and chinese only, the other has 5 modes and is in english.

If you have chinese one, here is the firmware to transform in english 5 modes version .A5S-to-A6_EN.jpg

Rename this file .bin

 

After changing to last version, 20.ENG , Tenda A6 has brick.

Still don't know why....

I had to find a solution to unbrick it.

 

After opening the box, you can see an unpopulated USB connector.

This was not useful (i tried soldering usb connector, but this didn't give acess to console mode).

I had to search for Tx / RX /GND.

 

I am using FTDI connector you can see here : FTDI 2303 for ATMEGA sketch upload : some problems resolved.

I have been wiring + 5V and GND to USB connector, and founded RX and TX on PCB.

Here is power connection : GND and 5V :

IMG_0632TA.jpg

 

 

Here is the RX pad soldered , TX pad is just below

IMG_0630TA.jpg

 

 

 

 

After this i used FTDI to connect to my computer.

Using putty to open terminal/console ; baud rate is 56700.

 

Now you are logged in , Tenda A6 is speaking to you ;-)  

 

Capture d’écran 2014-05-27 à 21.12.30.png

 

After that you have to run TFTP server on your computer, connect via Ethernet, and configure option for uploading firmware.

 

Anything is well explained  here :

 

Next setup your computer ip address to 192.168.0.2 and install a tftp server (I used the one provided by TENDA) you can find it here ->http://www.tenda.cn/uploadfile/downloads/uploadfile/200911/TENDA%20TFTP.zip 

Regarding the tftp server: 
Create a folder called "tftp" to your c: partition and extract into the "tftp" folder the content of the archive "TENDA 20TFTP.zip" (TENDA TFTP.exe file), than move into the "tftp" folder the firmware that you want to upload (let`s call it "new_firmware.bin") and run "TENDA TFTP.exe", click the "browse" button and select "c: ftp" and hit "ok". The tftp server it runs on port 69. 

Now download "putty" from here -> http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html 
Run "putty.exe", setup -> on "Connection type" select "Serial", on "Host name" enter "COM3" (note I have COM3 but it might be any number you can check it in Device Manager) and click OPEN. 

Now, using a UTP Cable connect your computer to the switch port 1-4 of the router, next connect the serial cable (level converter...etc) to the router and the power cable to the router (power led of the router will turn green). 

Back to putty window: 
As soon as you see in your putty window this output press 2 (key 2) you have 1 second to do that: 

Quote:
Code:
U-Boot 1.1.3 (Feb 13 2009 - 09:48:32) 

Board: Ralink APSoC DRAM:  32 MB 
relocate_code Pointer at: 81fac000 
flash_protect ON: from 0xBF000000 to 0xBF01FFAF 
protect on 0 
protect on 1 
protect on 2 
protect on 3 
protect on 4 
protect on 5 
protect on 6 
protect on 7 
protect on 8 
flash_protect ON: from 0xBF030000 to 0xBF03FFFF 
protect on 10 
*** Warning - bad CRC, using default environment 

============================================ 
Ralink UBoot Version: 3.2 
-------------------------------------------- 
ASIC 3052_MP2 (Port5<->None) 
DRAM COMPONENT: 128Mbits 
DRAM BUS: 32BIT 
Total memory: 32 MBytes 
Date:Feb 13 2009  Time:09:48:32 
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768 
dcache: sets:128, ways:4, linesz:32 ,total:16384 

 ##### The CPU freq = 384 MHZ #### 

 SDRAM bus set to 32 bit 
 SDRAM size =32 Mbytes 

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default). 
   4: Entr boot command line interface. 
   9: Load Boot Loader code then write to Flash via TFTP.



Press 2 fast (max 1 second to do that...you need to be fast) 

If you got it you will see this: 

Quote:
Code:
You choosed 2 
                                                                                                                                                           0 

 eth_register 
Eth0 (10/100-M) 
 enetvar=ethaddr,Eth addr:00:AA:BB:CC:DD:10 
 00:AA:BB:CC:DD:10: 

 eth_current->name = Eth0 (10/100-M) 


2: System Load Linux Kernel then write to Flash via TFTP. 
 Warning!! Erase Linux in Flash then burn new one. Are you sure?(Y/N)



Hit Y (key Y) and you will see this: 

Quote:
Code:
 Please Input new ones /or Ctrl-C to discard 
        Input device IP (10.10.10.123) ==: 



Write the ip of the W311R (192.168.0.1) like this and hit enter: 

Quote:
Code:
       Input device IP (10.10.10.123) ==:192.168.0.1 



Next you will see: 

Quote:
Code:
        Input server IP (10.10.10.3) ==:



Write the ip of your computer (where the tftp server is running 192.168.0.2) like this and hit enter: 

Quote:
Code:
        Input server IP (10.10.10.3) ==:192.168.0.2



Next you will see: 

Quote:
Code:
        Input Linux Kernel filename () ==:



Write the firmware name that you want to upload (and it is located under c: ftp folder ... in our case new_firmware.bin) like this and hit enter 

Quote:
Code:
        Input Linux Kernel filename () ==:new_firmware.bin




Now, if you did all that I said and not other things you will see this: 

Quote:
Code:
... netboot_common, argc= 3 
 *************buf = 0x81fcc120 
 **********NexTxPacket = 81fe4200 

 NetTxPacket = 0x81FE4200 

 NetRxPackets[0] = 0x81FE4800 

 NetRxPackets[1] = 0x81FE4E00 

 NetRxPackets[2] = 0x81FE5400 

 NetRxPackets[3] = 0x81FE5A00 

 NetRxPackets[4] = 0x81FE6000 

 NetRxPackets[5] = 0x81FE6600 

 NetRxPackets[6] = 0x81FE6C00 

 NetRxPackets[7] = 0x81FE7200 

 NetRxPackets[8] = 0x81FE7800 

 NetRxPackets[9] = 0x81FE7E00 

 NetRxPackets[10] = 0x81FE8400 

 NetRxPackets[11] = 0x81FE8A00 

 NetRxPackets[12] = 0x81FE9000 

 NetRxPackets[13] = 0x81FE9600 

 NetRxPackets[14] = 0x81FE9C00 

 NetRxPackets[15] = 0x81FEA200 

 NetRxPackets[16] = 0x81FEA800 

 NetRxPackets[17] = 0x81FEAE00 

 NetRxPackets[18] = 0x81FEB400 

 NetRxPackets[19] = 0x81FEBA00 

 KSEG1ADDR(NetTxPacket) = 0xA1FE4200 

 NetLoop,call eth_halt ! 

 NetLoop,call eth_init ! 
Trying Eth0 (10/100-M) 

 Waitting for RX_DMA_BUSY status Start... done 

 Header Payload scatter function is Disable !! 

 ETH_STATE_ACTIVE!! 
Using Eth0 (10/100-M) device 
TFTP from server 192.168.0.2; our IP address is 192.168.0.1 
Filename 'new_firmware.bin'. 

 TIMEOUT_COUNT=10,Load address: 0x80100000 
Loading: Got ARP REPLY, set server/gtwy eth addr (xx:xx:xx:xx:xx:xx) 
Got it 
T # 
 first block received 
################################################################ 
         ################################################################# 
         ################################################################# 
         ################################################################# 
         ################################################################# 
         ################################################################# 
         ##################################################### 
done 
Bytes transferred = 2263332 (228924 hex) 
NetBootFileXferSize= 00228924 
Erase linux kernel block !! 
From 0xBF050000 To 0xBF27FFFF 

 b_end =BF3FFFFF 
Erase Flash from 0xbf050000 to 0xbf27ffff in Bank # 1 

 erase sector  = 12 
sect = 12,s_last = 46,erase poll = 1162313 

 erase sector  = 13 
*sect = 13,s_last = 46,erase poll = 1129504 

 erase sector  = 14 
sect = 14,s_last = 46,erase poll = 1140228 

 erase sector  = 15 
*sect = 15,s_last = 46,erase poll = 1157035 

 erase sector  = 16 
sect = 16,s_last = 46,erase poll = 1139250 

 erase sector  = 17 
*sect = 17,s_last = 46,erase poll = 1129126 

 erase sector  = 18 
sect = 18,s_last = 46,erase poll = 1139748 

 erase sector  = 19 
*sect = 19,s_last = 46,erase poll = 1129480 

 erase sector  = 20 
sect = 20,s_last = 46,erase poll = 1139490 

 erase sector  = 21 
*sect = 21,s_last = 46,erase poll = 1143826 

 erase sector  = 22 
*sect = 22,s_last = 46,erase poll = 1162855 

 erase sector  = 23 
sect = 23,s_last = 46,erase poll = 1128879 

 erase sector  = 24 
*sect = 24,s_last = 46,erase poll = 1139675 

 erase sector  = 25 
sect = 25,s_last = 46,erase poll = 1129157 

 erase sector  = 26 
*sect = 26,s_last = 46,erase poll = 1139747 

 erase sector  = 27 
sect = 27,s_last = 46,erase poll = 1129426 

 erase sector  = 28 
*sect = 28,s_last = 46,erase poll = 1166804 

 erase sector  = 29 
sect = 29,s_last = 46,erase poll = 1129289 

 erase sector  = 30 
*sect = 30,s_last = 46,erase poll = 1139221 

 erase sector  = 31 
sect = 31,s_last = 46,erase poll = 1129088 

 erase sector  = 32 
*sect = 32,s_last = 46,erase poll = 1139862 

 erase sector  = 33 
*sect = 33,s_last = 46,erase poll = 1129024 

 erase sector  = 34 
sect = 34,s_last = 46,erase poll = 1140403 

 erase sector  = 35 
*sect = 35,s_last = 46,erase poll = 1129116 

 erase sector  = 36 
sect = 36,s_last = 46,erase poll = 1155807 

 erase sector  = 37 
*sect = 37,s_last = 46,erase poll = 1152082 

 erase sector  = 38 
sect = 38,s_last = 46,erase poll = 1157580 

 erase sector  = 39 
*sect = 39,s_last = 46,erase poll = 1134264 

 erase sector  = 40 
sect = 40,s_last = 46,erase poll = 1130220 

 erase sector  = 41 
*sect = 41,s_last = 46,erase poll = 1130296 

 erase sector  = 42 
sect = 42,s_last = 46,erase poll = 1130919 

 erase sector  = 43 
*sect = 43,s_last = 46,erase poll = 1118854 

 erase sector  = 44 
*sect = 44,s_last = 46,erase poll = 1130192 

 erase sector  = 45 
sect = 45,s_last = 46,erase poll = 1118694 

 erase sector  = 46 
*sect = 46,s_last = 46,erase poll = 1185088 
 done 
Erased 35 sectors 
 Copy linux image[2263332 byte] to Flash[0xBF050000].... 
Copy to Flash... 
 Copy 2263332 byte to Flash... 
 addr = 0xBF0A33B6 ,cnt=1922414 
 addr = 0xBF0F6762 ,cnt=1581506 
 addr = 0xBF149AE6 ,cnt=1240638 
 addr = 0xBF19CE7E ,cnt=899750 
 addr = 0xBF1F01F8 ,cnt=558892 
 addr = 0xBF243588 ,cnt=218012 done 
## Booting image at bf050000 ... 
   Image Name:   linkn Kernel Image 
   Created:      2009-02-09  13:26:01 UTC 

 System Control Status = 0x20440000 
   Image Type:   MIPS Linux Kernel Image (lzma compressed) 
   Data Size:    2263268 Bytes =  2.2 MB 
   Load Address: 80000000 
   Entry Point:  803cd000 
   Verifying Checksum ... OK 
   Uncompressing Kernel Image ... OK 
No initrd 
## Transferring control to Linux (at address 803cd000) ... 
## Giving linux memsize in MB, 32 

Starting kernel ... 


LINUX started... 

 THIS IS ASIC 
Linux version 2.6.21 (root@linux-6091) (gcc version 3.4.2) #452 Mon Feb 9 21:25:31 CST 2009 

 The CPU feqenuce set to 384 MHz 
CPU revision is: 0001964c 
Determined physical RAM map: 
 memory: 02000000 @ 00000000 (usable) 
Initrd not found or empty - disabling initrd 
Built 1 zonelists.  Total pages: 8128 
Kernel command line: console=ttyS1,57600n8 root=/dev/ram0 
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes. 
Primary data cache 16kB, 4-way, linesize 32 bytes. 
Synthesized TLB refill handler (20 instructions). 
Synthesized TLB load handler fastpath (32 instructions). 
Synthesized TLB store handler fastpath (32 instructions). 
Synthesized TLB modify handler fastpath (31 instructions). 
Cache parity protection disabled 
cause = 800068, status = 1100ff00 
PID hash table entries: 128 (order: 7, 512 bytes) 
calculating r4koff... 00177000(1536000) 
CPU frequency 384.00 MHz 
Using 192.000 MHz high precision timer. 
Console: colour dummy device 80x25 
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes) 
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes) 
Memory: 27328k/32768k available (3378k kernel code, 5440k reserved, 510k data, 1116k init, 0k highmem)
Mount-cache hash table entries: 512 
NET: Registered protocol family 16 
NET: Registered protocol family 2 
Time: MIPS clocksource has been installed. 
IP route cache hash table entries: 1024 (order: 0, 4096 bytes) 
TCP established hash table entries: 1024 (order: 1, 8192 bytes) 
TCP bind hash table entries: 1024 (order: 0, 4096 bytes) 
TCP: Hash tables configured (established 1024 bind 1024) 
TCP reno registered 
detected lzma initramfs 
detected lzma initramfs 
initramfs: LZMA lc=3,lp=0,pb=2,dictSize=1048576,origSize=3976704 
LZMA initramfs by Ming-Ching Tiew <mctiew@yahoo.com>.............................................................Load RT2880 Timer Module(Wdg/Soft) 
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher 
squashfs: LZMA suppport for slax.org by jro 
io scheduler noop registered (default) 
FLASH_API: MAN_ID=C2 DEV_ID=22A8 SIZE=4MB 
Ralink gpio driver initialized 
HDLC line discipline: version $Revision: 1.1.1.1 $, maxframe=4096 
N_HDLC line discipline registered. 
Serial: 8250/16550 driver $Revision: 1.3 $ 2 ports, IRQ sharing disabled 
serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A 
serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A 
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize 
loop: loaded (max 8 devices) 
rdm_major = 254 
GDMA1_MAC_ADRH -- : 0x00000000 
GDMA1_MAC_ADRL -- : 0x00000000 
Ralink APSoC Ethernet Driver Initilization. v1.60  256 rx/tx descriptors allocated, mtu = 1500! 
NAPI enable, weight = 0, Tx Ring = 256, Rx Ring = 256 
GDMA1_MAC_ADRH -- : 0x00000100 
GDMA1_MAC_ADRL -- : 0x000c4330 
PROC INIT OK! 
PPP generic driver version 2.4.2 
PPP BSD Compression module registered 
NET: Registered protocol family 24 
2860 version : 2.0.0.0 (Feb  9 2009) 


=== pAd = c0000000, size = 485320 === 

<-- RTMPAllocAdapterBlock, Status=0 
ralink flash device: 0x1000000 at 0xbf000000 
Ralink SoC physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank 
 Amd/Fujitsu Extended Query Table at 0x0040 
number of CFI chips: 1 
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness. 
Creating 4 MTD partitions on "Ralink SoC physically mapped flash": 
0x00000000-0x00030000 : "Bootloader" 
0x00030000-0x00040000 : "Config" 
0x00040000-0x00050000 : "Factory" 
0x00050000-0x00400000 : "Kernel" 
block2mtd: version $Revision: 1.1.1.1 $ 
nf_conntrack version 0.5.0 (256 buckets, 2048 max) 
arp_tables: (C) 2002 David S. Miller 
IPv4 over IPv4 tunneling driver 
GRE over IPv4 tunneling driver 
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Fully Cone 
TCP cubic registered 
NET: Registered protocol family 1 
NET: Registered protocol family 10 
NET: Registered protocol family 17 
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com> 
All bugs added by David S. Miller <davem@redhat.com> 
Freeing unused kernel memory: 1116k freed 
init started: BusyBox v1.12.1 (2009-02-09 21:19Algorithmics/MIPS FPU Emulator v1.5 
:29 CST) 
starting pid 14, tty '': '/etc_ro/rcS' 
devpts: called with bogus options 
mount: mounting none on /proc/bus/usb failed: No such file or directory 
Welcome to 
     _______  _______  ___     __  ____   _kernel reg pid 21 success . 
  _   ___ 
    |  ___  |   __  ||   |   |__||    | || | /  / 
    | |___| ||  |__| ||   |__  __ |     | || |/  / 
    |   _   /|   _   ||      ||  || |     ||      
    |__| __|__| |__||______||__||_| ____||_|___ 

                     =System Architecture Department= 



Yes: 

      ****** WeLoveLinux ****** 

 Welcome to ... 
httpd Reg gpio hook success . 
starting pid 25, tty '/dev/ttyS1': '/bin/sh' 


BusyBox v1.12.1 (2009-02-09 21:19:29 RX DESC a04ad000  size = 2048 
CST) built-in shell (ash) 
Enter<-- RTMPAllocTxRxRingMemory, Status=0 
 'help' for a list of built-in commands. 

# 1. Phy Mode = 9 
2. Phy Mode = 9 
3. Phy Mode = 9 
MCS Set = ff 00 00 00 01 
Main bssid = 00:b0:0c:01:45:78 
The UUID Hex string is:2880288028801880a88000b00c014578 
The UUID ASCII string is:28802880-2880-1880-a880-00b00c014578! 
<==== RTMPInitialize, Status=0 
0x1300 = 00064380 
getIfLive: device eth2.1 not found. 
Commit crc = d253c90f 
maclist: 
WLan[00:B0:0C:01:45:78] 
Lan[00:B0:0C:01:45:78] 
Wan[00:B0:0C:GDMA1_MAC_ADRH -- : 0x00000100 
01:45:7d] 
GDMA1_MAC_ADRL -- : 0x00b00c01 

phy_tx_ring = 0x01d81000, tx_ring = 0xa1d81000, size: 16 bytes 

phy_rx_ring = 0x01d82000, rx_ring = 0xa1d82000, size: 16 bytes 
GDMA1_FWD_CFG = 10000 
eth2.1: Setting MAC address to  xx xx xx xx xx xx. 
VLAN (eth2.1):  Underlying device (eth2) has same MAC, not checking promiscious mode. 
eth2.2: Setting MAC address to  xx xx xx xx xx xx. 
device eth2 entered promiscuous mode 
VLAN (eth2.2):  Setting underlying device (eth2) to promiscious mode. 
getIfLive: device br0 not found. 
eth2.1: dev_set_promiscuity(master, 1) 
device eth2.1 entered promiscuous mode 
Router ip address config success. 
br0: port 1(eth2.1) entering learning state 
device ra0 entered promiscuous mode 
br0: port 2(ra0) entering learning state 
libupnp: using UDP SSDP_PORT = 1900 
br0: topology change detected, propagating 
br0: port 1(eth2.1) entering forwarding state 
br0: topology change detected, propagating 
br0: port 2(ra0) entering forwarding state 
killall: udhcpd: no process killed 
ND -> Bad_Sig_entry [18]... 
httpd listen ip = 192.168.0.1 port = 80 
MfgThread start loop. 
TendaLog -> ok rtn. 
macBcast uses obsolete (PF_INET,SOCK_PACKET) 
IsSameNET [192.168.0.1/255.255.255.0][192.168.1.1/255.255.255.0] 
sntp: host not found 
killall: dnrd: no process killed 
iptables: Bad rule (does a matching rule exist in that chain?) 
iptables: Bad rule (does a matching rule exist in that chain?) 
route: ioctl 0x890b failed: File exists 
libupnp: using UDP SSDP_PORT = 1900 
upnpd[289]: UPnP SDK Successfully Initialized. 
Mar 29 09:36:22 upnpd[289]: UPnP SDK Successfully Initialized. 
upnpd[289]: Succesfully set the Web Server Root Directory. 
Mar 29 09:36:22 upnpd[289]: Succesfully set the Web Server Root Directory. 
upnpd[289]: IGD root device successfully registered. 
Mar 29 09:36:23 upnpd[289]: IGD root device successfully registered. 
iptables: No chain/target/match by that name 
iptables: No chain/target/match by that name 
iptables: No chain/target/match by that name 
Startnat end. 
upnpd[289]: Advertisements Sent.  Listening for requests ... 
Mar 29 09:36:25 upnpd[289]: Advertisements Sent.  Listening for requests ... 
............ wan unlink ..4. 
............ wan unlink ..5. 



Now your router is back on track and it can be accessed from http://192.168.0.1 with user: admin and password: admin . Don`t forget to do a "reset to default" to be sure that all settings are set to default. 

 

 

Same thing for other routers : you have to find RX/TX/ground, and have a firmware/bootloader if you want.

Don't know if DDWRT is compatible, A6 hardware is interesting (16MB) wifi, ethernet...now RX / TX and baudrate are public, hope it's help.

 



27/05/2014
2 Poster un commentaire

A découvrir aussi


Inscrivez-vous au blog

Soyez prévenu par email des prochaines mises à jour

Rejoignez les 52 autres membres