DGND3700 V1 Transmission Firmware Special Interest

From richud.com


This page contains all the weird and wonderful things needed to get this working!

Firewall manipulation

This firmware uses a proprietary 'acos'(?) system which, after a lot of digging, fiddling and trial and error, I managed to figure out how to manipulate to do what is needed.

This is a dump of most of the useful info from /lib/libnat.so

Functions

NAT
agApi_natAddConnTblEntry
agApi_natAddDnsQryIp
agApi_natDisable
agApi_natDumpAlgTbl
agApi_natDumpConnTbl
agApi_natDumpRuleTbl
agApi_natEnable
agApi_natGetStatus
agApi_natHook
agApi_natInit
agApi_natIPsecHook
agApi_NatIsEnabled
agApi_natLanHook
agApi_natLanUnhook
agApi_natPptpWanHook
agApi_natRuleAdd
agApi_natRuleAdd2
agApi_natRuleAddForUpnp
agApi_natRuleClear
agApi_natRuleDel
agApi_natRuleGet
agApi_natRuleMod
agApi_natRulePortCheck
agApi_natSetInboundFilter
agApi_natSetReadyshareName
agApi_natSetRegion
agApi_natSetTMDnsRedirectFlag
agApi_natSetTMHttpHijackFlag
agApi_natSetTMLimitCfg
agApi_natSetTrafficMeterFlag
agApi_natSetWanLanConflictFlag
agApi_natShowConn
agApi_natShowConn_Icmp
agApi_natShowConn_IcmpIn
agApi_natShowConn_IcmpOut
agApi_natShowConn_IcmpSelf
agApi_natShowConn_Other
agApi_natShowConn_OtherIn
agApi_natShowConn_OtherOut
agApi_natShowConn_OtherSelf
agApi_natShowConn_Port
agApi_natShowConn_Tcp
agApi_natShowConn_TcpIn
agApi_natShowConn_TcpOut
agApi_natShowConn_TcpSelf
agApi_natShowConn_Udp
agApi_natShowConn_UdpIn
agApi_natShowConn_UdpOut
agApi_natShowConn_UdpSelf
agApi_natSipAlgCfg
agApi_natUnhook
agApi_natVerShow
agApi_natWanIfCnt

Firewall
agApi_fwBlkServAdd
agApi_fwBlkServDel
agApi_fwBlkServGet
agApi_fwBlkServGetCnt
agApi_fwBlkServList
agApi_fwBlkServMod
agApi_fwBlkServModAction
agApi_fwBlkServMode
agApi_fwConnTblShow
agApi_fwDelTriggerConf
agApi_fwDelTriggerConf2
agApi_fwDMZRuleSet
agApi_fwDMZStatusGet
agApi_fwDosEnableGet
agApi_fwDosEnableSet
agApi_fwEchoRespGet
agApi_fwEchoRespSet
agApi_fwFilterAdd
agApi_fwFilterDel
agApi_fwFilterGet
agApi_fwFilterInsert
agApi_fwFilterList
agApi_fwFilterMod
agApi_fwFilterMove
agApi_fwFilterSche
agApi_fwGetAllServices
agApi_fwGetFilterTable
agApi_fwGetFirstTriggerConf
agApi_fwGetNextTriggerConf
agApi_fwGetServiceByName
agApi_fwGetServiceName
agApi_fwGetTriggerConf
agApi_fwListenPortList
agApi_fwPolicyAdd
agApi_fwRuleSave
agApi_fwServiceAdd
agApi_fwServiceDel
agApi_fwServiceDelByName
agApi_fwServiceGet
agApi_fwServiceGetCnt
agApi_fwServiceList
agApi_fwServiceMod
agApi_fwSetTriggerConf
agApi_fwSipStatusGet
agApi_fwSipStatusSet
agApi_fwSpiStatusGet
agApi_fwSpiStatusSet
agApi_fwStatusGet
agApi_fwStatusSet
agApi_fwTriggerConfStatusSet
agApi_fwUBDStatusSet
agApi_fwURLFilterAddKeyword
agApi_fwURLFilterDelAllKeywords
agApi_fwURLFilterDelKeyword
agApi_fwURLFilterEnable
agApi_fwURLFilterEnableTmSch
agApi_fwURLFilterSetTrustedIp

Device
agApi_setDeviceListenPort
agApi_setDeviceListenPortRange

ALG
agApi_natDumpAlgTbl
agApi_natSipAlgCfg
agApi_setAlg
Nat_DumpAlgTable

The key function is 'agApi_setDeviceListenPortRange', contained in libnat.so. This opens up some ports for Transmission using an unused set from the 11 'port range blocks' (i.e. a range of unknown ports that no other function in the router seemed to use; all but one other range could be identified). See '/additions/transmission.sh' for more info.

The status can be read with 'agApi_fwListenPortList'. (If the end port of the range is below the start port, then it's 'disabled'.)

Manipulating Firewall via libnat.so

The code below wraps around libnat.so and lets you execute the functions within it.

(Some functions don't take ints as args, so if you want to fiddle with those you will have to alter this.)

The two files below make up nat5.tar.gz in the /sources folder.

nat5.c

/* code from http://www.tldp.org/HOWTO/Program-Library-HOWTO/more-examples.html
   A few simple mods by richud.com to enable altering the Netgear ACOS_NAT firewall via the library.
   Loads the library and takes 5 args: the first is the function name, the next 4 are integer arguments. */

/* demo_dynamic.c -- demonstrate dynamic loading and
   use of a routine looked up by name at run time */

/* Need dlfcn.h for the routines to
   dynamically load libraries */
#include <dlfcn.h>

#include <stdlib.h>
#include <stdio.h>

/* Note that we don't have to include a header for libnat.so.
   However, we do need to specify something related;
   we need to specify a type that will hold the value
   we're going to get from dlsym(). */

/* The type "simple_demo_function" describes a function that
   takes four int arguments and returns no value. This matches
   the agApi_* calls used on this page; functions that take other
   argument types need a different typedef. */

typedef void (*simple_demo_function)(int, int, int, int);


int main(int argc, char *argv[]) {
 const char *error;
 void *module;
 simple_demo_function demo_function;

 /* Bail out unless all 5 args are present: reading argv[5] when
    fewer were given would dereference a NULL pointer. */
 if (argc != 6) {
   fprintf(stderr, "Usage: %s <function> <int1> <int2> <int3> <int4>\n", argv[0]);
   exit(1);
 }

 printf("Trying arg1 function %s\n",argv[1]);
 printf("Trying arg2 %s\n",argv[2]);
 printf("Trying arg3 %s\n",argv[3]);
 printf("Trying arg4 %s\n",argv[4]);
 printf("Trying arg5 %s\n",argv[5]);

 /* Load dynamically loaded library (found via the normal library
    search path, i.e. /lib/libnat.so on the router) */
 module = dlopen("libnat.so", RTLD_LAZY);
 if (!module) {
   fprintf(stderr, "Couldn't open libnat.so: %s\n",
           dlerror());
   exit(1);
 }

 /* Get symbol. Clear any stale error first so that dlerror()
    afterwards only reports a failure from this dlsym() call.
    The cast through void** is the POSIX idiom for storing a
    dlsym() result in a function pointer. */
 dlerror();
 *(void **)(&demo_function) = dlsym(module, argv[1]);
 if ((error = dlerror()) != NULL) {
   fprintf(stderr, "Couldn't find %s : %s\n", argv[1], error);
   dlclose(module);
   exit(1);
 }

 /* Now call the function in the DL library with the 4 ints.
    atoi() gives 0 for non-numeric input, which is the usual
    'no argument' value for these calls. */
 (*demo_function)(atoi(argv[2]), atoi(argv[3]), atoi(argv[4]), atoi(argv[5]));

 /* All done, close things cleanly */
 dlclose(module);
 return 0;
}

Makefile

all:
	mips-linux-gcc nat5.c -o nat5 -ldl

install:
	echo "Copying nat5"
	$(STRIP) nat5
	cp -a nat5 $(TARGETDIR)/bin/

Ideally you could bypass all this by making ioctl calls directly to /dev/acos_nat_cli [which is what libnat actually does]. However, strace doesn't show you what is actually passed, just the memory address it is at (I think). I believe you need ltrace to do that; I think ltrace is currently being patched for MIPS compilation.

Other things you can poke about with using this method

Check out the functions by using readelf on, for example, the unstripped libnat.so:

/opt/toolchains/uclibc-crosstools-gcc-4.2.3-3/usr/bin/mips-linux-uclibc-readelf -Wa ./DGND3700/targets/DGND3700/fs.install/lib/libnat.so

Or, to get a quick list, you can do this on the router itself:

strings /lib/libnat.so

You will see dozens of internal functions that you can usually get a result from; just guess the type and number of args.

agApi_natRuleGet
agApi_fwGetFilterTable_Session2
agApi_fwDelTriggerConf2
agApi_natShowConn_UdpIn
agApi_tmschGetStatusByName
agApi_natDumpAlgTbl
etc. etc. etc.
  • The dumps below came from compiling 'natx' above to take one arg (be aware these were taken from my notes after the fact, so they may not be the right way around or may have been cut and pasted incorrectly; they are just examples of the kind of things you can dump).
  • You can use nat5 in the current firmware (at time of writing) to dump things that take no input with "nat5 agApi_natGetStatus 0 0 0 0".

In this example I had just set up a uPnP port forward on port 12345; this dumps any current port mappings (IGD).

~ # nat5 agApi_natDumpRuleTbl 0 0 0 0
Trying arg1 function agApi_natDumpRuleTbl
Trying arg2 0
Trying arg3 0
Trying arg4 0
Trying arg5 0

Current time: 331
 id wif lif          wan_ip          lan_ip        lan_mask fport1 fport2 s_port    time  timeout  type nat prot once resv confl       ForeignIp add_from
------------------------------------------------------------
 10  26   0   78.xxx.xx.xxx     192.168.0.0   255.255.255.0      0      0      0       0        0     0   1  TCP    0    1     0         0.0.0.0        0
------------------------------------------------------------
 41  26   0   78.xxx.xx.xxx     192.168.0.5         0.0.0.0  12345      0  12345       0        0     0   2  TCP    0    1     0         0.0.0.0        4
------------------------------------------------------------
Total 2 rules.

(The following are with nat instead of nat5)

  • some output gets written to dmesg rather than stdout!
/tmp/mnt/usb0/part0 # ./nat agApi_natEnable             
Trying function agApi_natEnableTrying port (null)
NAT Enabled
/tmp/mnt/usb0/part0 # ./nat agApi_natGetStatus               
Trying function agApi_natGetStatusTrying port (null)
NAT status : ON
agApi_natVerShow

Current NAT Version : ACOS NAT-Netfilter v3.0.0.4 (Linux Cone NAT Hot Patch 03/23/2010)

Shows uPNP mappings

~ # nat5 agApi_natRuleGet 0 0 0 0
Trying arg1 function agApi_natRuleGet
Trying arg2 0
Trying arg3 0
Trying arg4 0
Trying arg5 0

ID: 41, wan Ip: xx.xxx.xx.x, wan port: 6824 - 0, lan Ip: 192.168.0.93, lan port: 6824
ID: 42, wan Ip: xx.xxx.xx.x, wan port: 6824 - 0, lan Ip: 192.168.0.93, lan port: 6824

/tmp/mnt/usb0/part0 # ./nat agApi_fwServiceList
Trying function agApi_fwServiceListTrying port (null)
[service 0] name: 'ICMP_echo_req', protocol: 0x01, port 8-0
[service 1] name: 'eGRE', protocol: 0x2F, port 0-0
[service 2] name: 'AIM', protocol: 0x06, port 5190-5190
[service 3] name: 'AIM 6.x/SSL', protocol: 0x06, port 443-443
[service 4] name: 'Age-of-Empire', protocol: 0x11, port 47624-47624
[service 5] name: 'FTP', protocol: 0x06, port 20-21
---
/tmp/mnt/usb0/part0 # ./nat agApi_fwFilterList 
Trying function agApi_fwFilterListTrying port (null)

index 1, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, protocol 0x2F, dir 0x01, match: ALLOW, not match: N/A, enable: Y
----------------------------------------------------------------------
index 2, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 1, dir 0x01, match: ALLOW, not match: N/A, enable: Y
----------------------------------------------------------------------
index 3, rule type 1, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 0, dir 0x04, match: ALLOW, not match: N/A, enable: Y
----------------------------------------------------------------------
index 4, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, protocol 0x00, dir 0x70, match: ALLOW, not match: N/A, enable: Y
----------------------------------------------------------------------
total 4 rule(s)
  • agApi_fwConnTblShow dumps to dmesg not stdout
/tmp/mnt/usb0/part0 # ./nat agApi_fwConnTblShow

------------------------------------------------------------
Id:    55, 192.168.0.3:  123 -> 62.149.0.30:  123, state: CONN_IS_ESTAB
protocol: 17, alg id: -1, timestamp 933, timeout 0, pri 2
nat type: 1 (92.25.140.2:  123), self connection: N, inbound route 00000000, outbound route 00000000
------------------------------------------------------------
Id:    61, 192.168.0.3:  123 -> 91.189.94.4:  123, state: CONN_IS_ESTAB
protocol: 17, alg id: -1, timestamp 993, timeout 0, pri 2
nat type: 1 (92.25.140.2:  123), self connection: N, inbound route 00000000, outbound route 00000000
------------------------------------------------------------
<SNIP>
/tmp/mnt/usb0/part0 # ./nat acosNat_ShowTimeout
TCP time out: 1800
UDP time out: 300
ICMP time out: 60
ESP time out: 480
Current time: 0
Connection Table Begin
/tmp/mnt/usb0/part0 # ./nat agApi_natDumpAlgTbl
Trying function agApi_natDumpAlgTblTrying port (null)
FTP alg : 0, enabled
protocol[0] = 6, port[0] = 21

ICQC2S alg : 1, enabled
protocol[0] = 6, port[0] = 5190
protocol[1] = 17, port[1] = 5190

ICQP2P alg : 2, enabled
protocol[0] = 6, port[0] = 0
protocol[1] = 6, port[1] = 0
protocol[2] = 0, port[2] = 1
protocol[3] = 0, port[3] = 0
protocol[4] = 0, port[4] = 0

H323 alg : 3, enabled
protocol[0] = 6, port[0] = 1720
<SNIP>


nat5 agApi_natShowConn 0 0 0 0

This goes to the dmesg output

---------------Begin----------------

total: 2304
used: 173
unused: 2131



TCP: 4
UDP: 169
ICMP: 0
others: 0



inbound: 0
outbound: 3
self: 170
----------------End----------------

nat5 agApi_fwStatusGet 0 0 0 0

Dumped to kernel log

Connection Table End
AA
AA urlfilter status =0
trust Ip =0.0.0.0
keyword num =0

logpoint = 2
alertPoint = 0
g_dos_enable = 1

Time Configuration List - 
Time Configure Name : tmrange1
               ID   : 1
             Enable : 1
             Status : 1
          [ Record 1 ]
             Time Rang : <0>D[<0>0 <0>1 <0>2 <0>3 <0>4 <0>5 <0>6 <0>] H[<0>0 - 23<0>] M[<0>0 - 58<0>]
                Enable : 1
                 Scope : 3
                  Mode : 3
                Period : 1 Minute
             Last TIme : 4934
        User Call-Back : c0231164
        User Parameter : c025fb60
                  Next : 00000000


Qos status = 0
-- Mac-based QoS table --0 records

-- QoS rule table -- 0 records

to update

nat5 libnvram.so nvram_dump ifname

Using WAN port as 5th switch port

The switch is a BCM 53115; below are some links to 'similar' header files for referencing the bit fields.

https://code.google.com/p/gfiber-gflt100/source/browse/bcmdrivers/opensource/net/enet/impl4/bcmmii.h and http://wl500g.googlecode.com/svn/trunk/utils/etc53xx.h

(This is now solved and implemented in the firmware; this is just for reference.)

You can simply add this as a 5th switch port by bringing up the port eth0 and adding to the bridge.

# ifconfig eth0 up
# brctl addif br0 eth0
# brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.841b5e36a110	no		eth1
							eth2
							eth3
							eth4
							wl0
							wl0.1
							wl0.2
							wl0.3
							wl1
							wl1.1
							wl1.2
							wl1.3
							eth0

You also need to remove the special 'feature' that isolates it from the other LAN network ports. This took a lot of figuring out!

echo "00 26 02 00 00" > /proc/switch53115

Also of note is the nvram parameter "lan_ifnames": if you remove other LAN interface names from this string, they do not come up on boot. eth0 is special and is brought up in another way with a different MAC; however, adding it to this string makes it come up with the same MAC as eth1-4. (I am not sure if this has other consequences if you wished to switch back to using it as a WAN interface, as it persists across reboots, so in the firmware this nvram parameter is not altered.)

Netgear Main Startup Scripts

acos_init and acos_service are the same binary, symlinked.

acos_service was taken from the .20 beta as it apparently 'fixed' 'some things'.

  • Note these are outputs from running it after boot, hence the errors.

acos_init

Reading board data...
WSC UUID: 0x2f7837f617b49fff361c2dff1b138aa7
wps_uuid=0x2f7837f617b49fff361c2dff1b138aa7
insmod: can't insert '/lib/modules/2.6.21.5/kernel/net/ipsec/ipsec.ko': File exists
mkdir: can't create directory '/tmp/conf': File exists
ln: /dev/random: File exists

acos_service start

device br0 already exists; can't create bridge with the same name
br0: port 1(eth1) entering disabled state
br0: port 1(eth1) entering learning state
device eth1 is already a member of a bridge; can't enslave it to bridge br0.
br0: port 2(eth2) entering disabled state
device eth2 is already a member of a bridge; can't enslave it to bridge br0.
br0: port 3(eth3) entering disabled state
device eth3 is already a member of a bridge; can't enslave it to bridge br0.
br0: port 4(eth4) entering disabled state
br0: topology change detected, propagating
br0: port 1(eth1) entering forwarding state
device eth4 is already a member of a bridge; can't enslave it to bridge br0.
br0: port 5(wl0) entering disabled state
br0: port 5(wl0) entering learning state
device wl0 is already a member of a bridge; can't enslave it to bridge br0.
ARPING to 255.255.255.255 from 192.168.0.1 via br0
br0: topology change detected, propagating
br0: port 5(wl0) entering forwarding state
Sent 3 probe(s) (3 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
xtm command is xtm operate conn --createnetdev 1.0.38 atm0
DSL mode command is xdslctl start --bitswap on --sra off --lpair i --mod dlt2pem --up
BcmAdsl_Initialize=0xC010EA10, g_pFnNotifyCallback=0xC0142FD4
dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered
dnsmasq: failed to to create listening socket: Address already in use
telnetenabled main(): unable to spawn telnetd0.
save_router_stats(721): port=4
POT integrity check OK.
POT time is up.
192.168.0.1
c0a80001
mount: mounting none on /proc/bus/usb failed: Device or resource busy
mkdir /tmp/mnt failed
/tmp/mnt/not_approved0 failed
/tmp/mnt/not_approved1 failed

<SNIP>

/tmp/mnt/not_approved18 failed
/tmp/mnt/not_approved19 failed
/tmp/mnt/usb0 failed
/tmp/mnt/usb0/part0 failed
/tmp/mnt/usb0/part1 failed

<SNIP>

/tmp/mnt/usb5/part4 failed
/tmp/mnt/usb5/pIOCTL_AG_REGION_SET: English
art5 failed
/tmp/mnt/usb5/part6 failed
/tmp/mnt/usb5/part7 failed

<SNIP>

/tmp/mnt/usb25/part14 failed
/tmp/mnt/usb25/part15 failed
Info: No FWPT default policies.
ifconfig: SIOCSIFMTU: No such device
httpd: socket bound in 0.0.0.0:80.
Setting SSID "Xxxxxxxx"
automount: get SIGUSR1.
Setting SSID "Xxxxxxxx2"
mount: mounting /dev/mtdblock18 on /tmp/mnt/storage failed: Device or resource busy
killall: minidlna.exe: no process killed
Setting SSID "NETGEAR-3"
Setting SSID "NETGEAR-4"
/ # br0: port 5(wl0) entering disabled state
Chanspec set to 0x2e09
The kernel doesn't support the ebtables nat table.
The kernel doesn't support the ebtables nat table.
device wl0 is already a member of a bridge; can't enslave it to bridge br0.
device wl0.1 is already a member of a bridge; can't enslave it to bridge br0.
device wl0.2 entered promiscuous mode
device wl0.3 entered promiscuous mode
br0: port 5(wl0) entering learning state
br0: topology change detected, propagating
br0: port 5(wl0) entering forwarding state
UPnP daemon is ready to run
ftpRestart:
Start WPS !!
sendarp: applet not found
killall: bftpd: no process killed
http_d: got signal
killall: bftpd: no process killed
Setting SSID "NETGEAR-5G"
Setting SSID "NETGEAR-5G-2"
Setting SSID "NETGEAR-5G-3"
Setting SSID "NETGEAR-5G-4"
Chanspec set to 0x1d26
The kernel doesn't support the ebtables nat table.
The kernel doesn't support the ebtables nat table.
The kernel doesn't support the ebtables nat table.
The kernel doesn't support the ebtables nat table.
The kernel doesn't support the ebtables nat table.
The kernel doesn't support the ebtables nat table.
The kernel doesn't support the ebtables nat table.
The kernel doesn't support the ebtables nat table.
device wl1 is already a member of a bridge; can't enslave it to bridge br0.
device wl1.1 is already a member of a bridge; can't enslave it to bridge br0.
device wl1.2 entered promiscuous mode
device wl1.3 entered promiscuous mode
Reaped 1663
UPnP daemon is ready to run
Start WPS !!
sendarp: applet not found

Overcoming the web interface - original method

The 'web interface' is really just a single executable program that serves out html-formatted text and takes some input from separate .html files; it isn't a web server as such. E.g. the basic settings page appears to post form data to 'pppoa.cgi', but there is no separate cgi: the bundled httpd executable parses the name and form data itself, and it is closed source and unalterable. Quite how it's actually put together I don't know, but basically you can't modify it. I suspect it's a simple enough web server and all the cgi pages are somehow linked into it when it's compiled?

To get round this I use inotifyd, lots of html files and a bash script. [This is quite a lot to get your head round, but in essence very simple.]

How this works

  • on router startup, some special main 'index' html files (services.html and adsl.html) are generated by part of the rcs startup script calling services.sh and adsl.sh
  • inotifyd watches /www/watch (all new html files generated by go.sh are created in here)
  • you visit the router's web interface; the web server reads your new special 'index' html files if selected (you can alter the router's main menu page OK as it is only html)
  • the user clicks on a link, either an A HREF or a javascript location.href, which calls an 'action' html file in /www/watch
  • the server accesses the 'action' file requested
  • the 'action' html file contains a timeout, so at this point the web server waits before returning anything
  • inotifyd is triggered on the web server's file read of the 'action' file
  • inotifyd triggers a bash script (watch.sh), passing the name of the 'action' file called
  • watch.sh parses the 'action' filename, which corresponds to some action to perform, e.g. start the ntfs service
  • watch.sh calls services.sh or adsl.sh as appropriate to regenerate services.html or adsl.html with the new status
  • the initial 'action' html called (from /www/watch) times out
  • the 'action' file then just returns the browser to the previous page; it isn't cached, and now displays the updated info

Yes, it's horrible (relying on timeouts, tons of 'action' html files [sadly inotifyd can't cope with symlinks], etc.), but it only incurs the overhead of one inotifyd instance running rather than having to run a new web server on another port constantly.
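As an added example (not the page's own watch.sh), here is what the inotifyd handler side of that scheme can look like. The action names, their commands and the /additions/ script paths are assumptions; the inotifyd argument order and event letters are those from BusyBox's usage text. The point worth copying is that the 'action' filename is chosen by whoever sends the HTTP request, so the handler only acts on an allowlist and refuses anything with a path component.

```shell
#!/bin/sh
# Added example (not the page's own watch.sh): the inotifyd handler side of
# the 'action' file scheme. BusyBox inotifyd runs its handler as
#   PROG EVENTS WATCHED_DIR [SUBFILE]
# so the name of the 'action' html file the web server just read arrives as
# $3. Action names, commands and the /additions/*.sh paths are placeholders.

# Map an action-file name to the command that performs it. The name comes
# straight from a URL the browser requested, so it is untrusted input: only
# the names listed here do anything; every other name is rejected (return 1).
action_for() {
    case "$1" in
        start_ntfs.html)      echo "/additions/ntfs.sh start" ;;
        stop_ntfs.html)       echo "/additions/ntfs.sh stop" ;;
        adsl_reconnect.html)  echo "/additions/adsl_reconnect.sh" ;;
        *)                    return 1 ;;
    esac
}

# Which 'index' page has to be regenerated afterwards (adsl.html for
# adsl_* actions, services.html for everything else).
regen_for() {
    case "$1" in
        adsl_*) echo "/additions/adsl.sh" ;;
        *)      echo "/additions/services.sh" ;;
    esac
}

# Turn one inotifyd event into the command line to run, without running it.
# Prints the plan and returns 0, or returns 1 when the event is ignored:
# not a read of the file ('a' accessed / 'r' opened in inotifyd's letters),
# no subfile, a name containing '/' or starting with '.', or an action name
# that is not in the allowlist.
plan_event() {
    events="$1"; sub="$3"
    case "$events" in *a*|*r*) ;; *) return 1 ;; esac
    case "$sub" in ''|*/*|.*) return 1 ;; esac
    cmd=$(action_for "$sub") || return 1
    printf '%s && %s\n' "$cmd" "$(regen_for "$sub")"
}

# Entry point when started by inotifyd, e.g.
#   inotifyd /additions/watch.sh /www/watch:a
# Runs the planned command; an ignored event exits quietly.
if [ $# -gt 0 ]; then
    plan=$(plan_event "$@") || exit 0
    sh -c "$plan"
fi
```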

Overcoming the web interface - new Sept/2013

Necessity is the mother of all invention, so I managed to find a better way (than above). I worked out that the original (and deprecated) miniDLNA web configuration page helpfully generates a config page and sets the NVRAM at the same time. This allows inotify to be set watching for the config page to be created/changed. By setting up a hidden iframe on a new web page, a submitted form containing new variables can be passed to the original minidlna 'cgi' page therein, viz.

<form id=dlna method=POST action=dlna.cgi target=ifr>
<input type=hidden name=enable_ms value=1>
<input type=hidden name=ms_active_status value=1>
<input type=hidden name=media_server_name>
</form>

This submission triggers the config page and nvram write, which in turn triggers the watching inotify daemon. When inotify sees a change it then reads the new variable from nvram (which was originally the miniDLNA server name) and can act on it according to the data contained therein (i.e. an escaped string of variables in place of the minidlna server name). Thus this trick allows new web pages to be created, albeit in a convoluted and awkward way.

(Incidentally, in updating some other stuff above I just noticed there is actually a function for just updating the name, agApi_natSetReadyshareName!)

adsl_phy.bin swapping

This has moved to DGND3700_V1_Transmission_Firmware_Reverse_Decompile_2

httpd remove blocking of non subnet traffic for openVPN

This has moved to DGND3700_V1_Transmission_Firmware_Reverse_Decompile

Original Firmware Failures

wifi fail on soft-reboot

This log is from the original unmodified .17 firmware.

It seems to happen about 80% of the time after a soft reboot, i.e. a firmware flash. I am not sure why, but as the original firmware did it, it is either some inherent fault or my router is just dodgy? (It manifests as not being able to authenticate to the wifi, i.e. you can try to join the wifi network but get endless prompts for your key.)

PCI: Enabling device 0000:00:01.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:01.0 to 64
irq 21: nobody cared (try booting with the "irqpoll" option)
Call Trace:
[<80017ed4>] dump_stack+0x8/0x34
[<8004fd98>] __report_bad_irq+0x58/0xc4
[<8005000c>] note_interrupt+0x208/0x26c
[<80050e28>] handle_level_irq+0xa0/0x128
[<80011470>] plat_irq_dispatch+0x1dc/0x23c
[<80011da0>] ret_from_irq+0x0/0x4
[<8004f7c0>] setup_irq+0x208/0x274
[<8004f8e0>] request_irq+0xb4/0xf8
[<c02d5f00>] wl_pci_probe+0x3f0/0x4f0 [wl]
[<c03530ec>] wl_dslcpe_probe+0x20/0xfc [wl]
[<801107c4>] pci_device_probe+0x5c/0xa0
[<801264bc>] really_probe+0xc4/0x174
[<801267fc>] __driver_attach+0x9c/0x114
[<801256f4>] bus_for_each_dev+0x5c/0xa4
[<80125ab8>] bus_add_driver+0x74/0x1c8
[<80110a20>] __pci_register_driver+0x84/0xd0
[<8004d6e0>] sys_init_module+0x1588/0x16b8
[<80019720>] stack_done+0x20/0x3c

handlers:
[<c035a098>] (wl_isr+0x0/0x1ac [wl])
Disabling IRQ #21
wl0: Broadcom BCM4351 802.11 Wireless Controller 5.10.120.0.cpe4.404.8
dgasp: kerSysRegisterDyingGaspHandler: wl0 registered
irq 21: nobody cared (try booting with the "irqpoll" option)
Call Trace:
[<80017ed4>] dump_stack+0x8/0x34
[<8004fd98>] __report_bad_irq+0x58/0xc4
[<8005000c>] note_interrupt+0x208/0x26c
[<80050e28>] handle_level_irq+0xa0/0x128
[<80011470>] plat_irq_dispatch+0x1dc/0x23c
[<80011da0>] ret_from_irq+0x0/0x4
[<8004f7c0>] setup_irq+0x208/0x274
[<8004f8e0>] request_irq+0xb4/0xf8
[<80010d54>] BcmHalMapInterrupt+0x90/0xac
[<c0353170>] wl_dslcpe_probe+0xa4/0xfc [wl]
[<801107c4>] pci_device_probe+0x5c/0xa0
[<801264bc>] really_probe+0xc4/0x174
[<801267fc>] __driver_attach+0x9c/0x114
[<801256f4>] bus_for_each_dev+0x5c/0xa4
[<80125ab8>] bus_add_driver+0x74/0x1c8
[<80110a20>] __pci_register_driver+0x84/0xd0
[<8004d6e0>] sys_init_module+0x1588/0x16b8
[<80019720>] stack_done+0x20/0x3c

handlers:
[<c03531c8>] (wl_dslcpe_isr+0x0/0x4c [wl])
Disabling IRQ #21
PCI: Enabling device 0000:00:02.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:02.0 to 64
wl1: Broadcom BCM4350 802.11 Wireless Controller 5.10.120.0.cpe4.404.8
dgasp: kerSysRegisterDyingGaspHandler: wl1 registered
p8021ag: p8021ag_init entry
Broadcom Packet Flow Cache learning via BLOG disabled.

how the kernel used to crash on original firmware

The CPU seemed to get overloaded, which causes the line to drop. Sometimes it managed to reconnect ('SIOCSIFHWADDR: Operation not supported'; at this point it either had a kernel oops or recovered), but eventually it didn't and would always fail like this... quality. I think lots of messages on the forum related to this happening; I think the red light illuminated at this point (I am writing this bit from notes nearly 9 months old so cannot be sure).

  • Since using my firmware I have never seen this happen!!
# ppp rx 0 (0)
link failure
PPP: pppoa0 Connection Down.
killall: udhcpc: no process killed
killall: udhcpc: no process killed
pppoa0: Network is down
pppoa0: No such process
SIOCSIFHWADDR: Operation not supported
CPU 0 Unable to handle kernel paging request at virtual address 0000013c, epc == 801a5034, ra == 801a5bcc
Oops[#1]:
Cpu 0
$ 0   : 00000000 10008400 00000000 87126320
$ 4   : 00000000 00000000 802f6954 802f6990
$ 8   : 00000000 800261f2 8007fd80 fffffff8
$12   : 27d23558 802f0000 802f0000 802f0000
$16   : 87126388 87126320 7fa1b9b0 800261f2
$20   : 814b1e30 802c44dc 004406a4 00440000
$24   : 00000000 2ab4d1f0
$28   : 83376000 83377d88 00440000 801a5bcc
Hi    : 00000000
Lo    : 00000000
epc   : 801a5034 bcmxtmrt_xmit+0x28/0xba8     Tainted: P
ra    : 801a5bcc bcmxtmrt_pppoatm_send+0x18/0x28
Status: 10008403    KERNEL EXL IE
Cause : 00000008
BadVA : 0000013c
PrId  : 0002a031
Modules linked in:
 ipsec init_addr(00000000 - 00000000), core_addr(c03db000 - c040f0c0)
 acos_nat(P) init_addr(00000000 - 00000000), core_addr(c01d2000 - c0211464)
 p8021ag(P) init_addr(00000000 - 00000000), core_addr(c007d000 - c007df78)
 multissidcontrol(P) init_addr(00000000 - 00000000), core_addr(c0064000 - c0064300)
 wl(P) init_addr(00000000 - 00000000), core_addr(c02be000 - c0365764)
 bcm_enet(P) init_addr(00000000 - 00000000), core_addr(c00d8000 - c00e63e4)
 bcmprocfs(P) init_addr(00000000 - 00000000), core_addr(c0077000 - c007759c)
 adsldd(P) init_addr(00000000 - 00000000), core_addr(c010c000 - c0136e98)
 bcmxtmcfg(P) init_addr(00000000 - 00000000), core_addr(c00ac000 - c00b5390)
 pktcmf(P) init_addr(00000000 - 00000000), core_addr(c0090000 - c009afac)
 pktflow(P) init_addr(00000000 - 00000000), core_addr(c006b000 - c006e840)

Process pppd (pid: 1670, threadinfo=83376000, task=86d60c08)
Stack : 00000001 00441008 86a9b6d0 00440000 00440000 80241970 00000000 7fa1b9a8
        8505fdd0 fffffff0 10008401 8006f5a8 8002a574 00100100 8505fe38 802b77ec
        10008401 8006f5a8 802b7790 80c4ae90 8014a7cc 8505fdd0 8505fe38 802b77ec
        8505fe38 802b77ec 80123aec 80123adc 85671c00 fffffff0 10008401 8006f5a8
        87126388 87126320 7fa1b9b0 800261f2 814b1e30 802c44dc 004406a4 00440000
        ...
Call Trace:
[<801a5034>] bcmxtmrt_xmit+0x28/0xba8
[<801a5bcc>] bcmxtmrt_pppoatm_send+0x18/0x28
[<801a5e20>] bcmxtmrt_atm_ioctl+0x1f8/0x2bc
[<80238b24>] vcc_ioctl+0x2ac/0x358
[<801af570>] sock_ioctl+0x2ac/0x300
[<8007fa2c>] do_ioctl+0x2c/0x78
[<8007fd50>] vfs_ioctl+0x2d8/0x308
[<8007fdd0>] sys_ioctl+0x50/0x90
[<80019720>] stack_done+0x20/0x3c


Code: afb20088  afb10084  afb00080 <8cb3013c> 00a0b821  0c00cebb  afa400a8  8e630090  24020001

I found this comment in their modified ppp code... hmmm

	    /* foxconn wklin modified start, 08/24/2007, for the fix of "no lcp echo 
	     * reply" link down due to heavy traffic. Per NETGEAR's request 
	     * */

plugging in two devices that router cannot power

The router has two USB ports, but cannot supply 500mA to each at the same time. (Not a failure as such, just a design flaw; the firmware is irrelevant to this problem.)

If two devices are plugged in that want full current (i.e. 2 x 2.5" drives), this is what you may see as they crap out:

usb 1-2: new high speed USB device using ehci_hcd and address 6
usb 1-2: configuration #1 chosen from 1 choice
scsi2 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 6
usb-storage: waiting for device to settle before scanning
scsi 2:0:0:0: Direct-Access     Generic  USB Disk         9.02 PQ: 0 ANSI: 2
SCSI device sdb: 58605120 512-byte hdwr sectors (30006 MB)
sdb: Write Protect is off
sdb: Mode Sense: 03 00 00 00
sdb: assuming drive cache: write through
SCSI device sdb: 58605120 512-byte hdwr sectors (30006 MB)
sdb: Write Protect is off
sdb: Mode Sense: 03 00 00 00
sdb: assuming drive cache: write through
 sdb:<6>usb 1-2: reset high speed USB device using ehci_hcd and address 6
usb 1-2: device descriptor read/64, error -71
usb 1-2: device descriptor read/64, error -71
usb 1-2: reset high speed USB device using ehci_hcd and address 6
usb 1-2: device descriptor read/64, error -71
usb 1-2: device descriptor read/64, error -71
usb 1-2: reset high speed USB device using ehci_hcd and address 6
usb 1-2: device not accepting address 6, error -71
usb 1-2: reset high speed USB device using ehci_hcd and address 6
usb 1-2: device not accepting address 6, error -71
sd 2:0:0:0: SCSI error: return code = 0x00070000
end_request: I/O error, dev sdb, sector 0
printk: 66 messages suppressed.
Buffer I/O error on device sdb, logical block 0
usb 1-2: USB disconnect, address 6
sd 2:0:0:0: SCSI error: return code = 0x00070000
end_request: I/O error, dev sdb, sector 0
Buffer I/O error on device sdb, logical block 0
ldm_validate_partition_table(): Disk read failed.
sd 2:0:0:0: SCSI error: return code = 0x00070000
end_request: I/O error, dev sdb, sector 0
 unable to read partition table

Writing to original 'Logs'

To write into the original 'log' (Content Filtering > Log) echo what you want to write to /dev/aglog.

echo "test" > /dev/aglog

3800 Firmware rebuild

The Netgear GPL source for the DGND3800 v3.0.12 doesn't build a working kernel, giving 'sh: '/lib/libcms_msg.so' is not an ELF file' when acos_service start begins.

Use fmk to extract the pre-compiled .chk firmware file and find image_parts/rootfs.img (filesystem plus kernel), then use dd to pull the packed kernel out.

Note there is a sort of header before the lz file, i.e. extract from 0x7B2000 (whereas the .lz starts at 0x7B000C).

rich@i5-Ubuntu:~/firmware-mod-kit/3800_orig/image_parts$ dd if=rootfs.img skip=$((0x7B2000)) bs=1 of=test.lz
1108630+0 records in
1108630+0 records out
1108630 bytes (1.1 MB) copied, 2.70337 s, 410 kB/s

This can be reinserted into a new build by modifying the main Makefile, replacing vmlinuz.lz with test.lz in the bcmImageBuilder sections, under 'buildimage'.

Modifying the BCM53115 switch

A RAM dump shows the following:

        echo "${i}${j} ${k}${l} 08" > /proc/switch53115
        echo "${i}${j} ${k}${l} 08" > /proc/switch53115
echo "00 0%d 01 01" > /proc/switch53115
        echo "00 26 02 00 00" > /proc/switch53115
        echo "00 26 02 00 01" > /proc/switch53115
echo "00 0F 01 0F" > /proc/switch
echo "00 0F 01 00" > /proc/switch


Testing pppd connection by running debug mode

Append -d 0 to the command line:

~ # pppd -c ppp0 -a 0.0.38 -u xxxxx@yyyyyyyy.net -p zzzzzzzzzzzzzzz -t 1492 -f 0 -k -d 0
using channel 2
Using interface ppp0
Connect: ppp0 <--> 
Couldn't increase MTU to 1500
Couldn't increase MRU to 1500
sent [LCP ConfReq id=0x1 <magic 0xf9e5a385>]
rcvd [LCP ConfReq id=0x67 <mru 1500> <auth chap MD5> <magic 0x76507d88>] 07 01 bb dd b2 c7 07 34 90 b1 54 3a 80 80 10 19 3d a5 7a 00 00 01 01 08 0a c2 17 ca c1 00 18 5c ...
sent [LCP ConfAck id=0x67 <mru 1500> <auth chap MD5> <magic 0x76507d88>]
rcvd [LCP ConfAck id=0x1 <magic 0xf9e5a385>] a8 bc d0 4a cd 14 c0 a8 00 07 01 bb dd b4 d9 6e c4 f4 a9 63 ff 78 80 10 19 3d ee e6 00 00 01 01 ...
Couldn't increase MTU to 1500
sent [LCP EchoReq id=0x0 magic=0xf9e5a385]
rcvd [CHAP Challenge id=0x1 <f57ba8816223cf27d9fe02a3681040b9578c10b1dc26badb6243fc4ca6ea0d9c66b59d48d8ed6f32ecf1d6d502178f59239f0b004546db278959f2>, name = "acc-aln5.mtf"]
sent [CHAP Response id=0x1 <eab3709247e97cc2b46e6ede62bbb094>, name = "xxxxx@yyyyyyyy.net"]
rcvd [LCP EchoRep id=0x0 magic=0x76507d88] d0 4a cd 14 c0 a8 00 07 01 bb dd b6 6b 3c 30 ef 1a f9 3b 96 80 10 11 90 4b 0a 00 00 01 01 08 0a ...
rcvd [CHAP Success id=0x1 "CHAP authentication success"] 78 80 18 19 3d a2 7f 00 00 01 01 08 0a c2 17 ca d2 00 18 5c e0 01 86 49 8c 91 c2
Remote message: CHAP authentication success
sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <compress VJ 0f 01> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
sent [IPV6CP ConfReq id=0x1 <addr fe80::a5da:f176:61e6:ef66>]
rcvd [IPCP ConfReq id=0xaf <addr 172.16.17.33>] a7 ce d0 4a cd 14 c0 a8 00 07 01 bb dd b4 d9 6e ca b1 a9 63 ff 78 80 11 19 3d e9 20 00 00 01 01 ...
sent [IPCP ConfAck id=0xaf <addr 172.16.17.33>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>] a2 63 d0 4a cd 14 c0 a8 00 07 01 bb dd b4 d9 6e c4 f4 a9 63 ff 78 80 10 19 3d d9 0a 00 00 01 01 ...
sent [IPCP ConfReq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
rcvd [IPCP ConfNak id=0x2 <addr 51.7.67.240> <ms-dns1 212.159.6.9> <ms-dns3 212.159.6.10>] a5 be 1c 14 aa 0a 07 66 ce 6c 80 10 01 3e 19 96 00 00 01 01 08 0a fd 25 c3 68 00 18 5d 0e 17 03 ...
sent [IPCP ConfReq id=0x3 <addr 51.7.67.240> <ms-dns1 212.159.6.9> <ms-dns3 212.159.6.10>]
rcvd [IPCP ConfAck id=0x3 <addr 51.7.67.240> <ms-dns1 212.159.6.9> <ms-dns3 212.159.6.10>] dd ba 88 f3 02 5c fc ed 0d 1e a0 12 10 68 7d f0 00 00 02 04 05 78 01 01 08 0a c2 17 ca e3 00 18 ...
local  IP address 51.7.67.240
remote IP address 172.16.17.33
primary   DNS address 212.159.6.9
secondary DNS address 212.159.6.10
PPP: ppp0 Connection Up.
Script /var/ppp/ip-up started (pid 14600)
sent [IPV6CP ConfReq id=0x1 <addr fe80::a5da:f176:61e6:ef66>]
Script /var/ppp/ip-up finished (pid 14600), status = 0x0
sent [IPV6CP ConfReq id=0x1 <addr fe80::a5da:f176:61e6:ef66>]
IPV6CP: timeout sending Config-Requests
rcvd [LCP EchoReq id=0x0 magic=0x76507d88] 5d b8 dc 61 c0 a8 00 07 01 bb a5 c0 3c c9 e7 ea df e5 26 ff 80 10 01 43 7a 2e 00 00 01 01 08 0a ...
sent [LCP EchoRep id=0x0 magic=0xf9e5a385]
rcvd [LCP EchoReq id=0x1 magic=0x76507d88] d0 4a cd 14 c0 a8 00 07 01 bb dd 90 52 85 c4 ea 27 66 ce ce 80 10 18 ee 32 95 00 00 01 01 08 0a ...
sent [LCP EchoRep id=0x1 magic=0xf9e5a385]
rcvd [LCP EchoReq id=0x2 magic=0x76507d88] 13 08 00 00 00 00 08 04 00 00 00 01 01 01 01 0c 0a 24 13 00 ff ff fc aa 00 00 00 0a 0b 68 02 00 ...
sent [LCP EchoRep id=0x2 magic=0xf9e5a385]
<SNIP>

The LCP echo sent/rcvd continues while the connection is up.

And terminating the task...

Terminating on signal 15.
PPP: ppp0 Connection Down.
Script /var/ppp/ip-down started (pid 14797)
Couldn't increase MTU to 1500
Couldn't increase MRU to 1500
sent [LCP TermReq id=0x2 "User request"]
rcvd [LCP TermAck id=0x2] 3f e6 00 00 3a 11 b9 af 08 08 08 08 33 07 43 f0 00 35 80 6e 00 3d 68 56 bf ab 81 80 00 01 00 01 ...
Connection terminated.
Connect time 18.3 minutes.
Sent 710406 bytes, received 4847467 bytes.
Script /var/ppp/ip-down finished (pid 14797), status = 0x0
