What's inside Edimax access points? (Minitar, WI-1250, GetNet)
After connecting a console (e.g. over RS-232, with level conversion such as a MAX232), you can get access to a shell.
UART1 output test ok
Uart init
Found 1 x 2M flash memory
---RealTek(RTL8181)at .... ... 7 11:22:57 CST 2003 version 1.0
no sys signature at 00010000!
Jump to image start=0x80300000...
display on
entering boot loader, turning on display
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
Linux version 2.4.18-MIPS-01.00 (root@localhost.localdomain) (gcc version 3.0.3) #2 Fri Aug 22 00:02:09 CST 2003
Determined physical RAM map:
memory: 00800000 @ 00000000 (usable)
Initial ramdisk at: 0x80166000 (405253 bytes)
On node 0 totalpages: 2048
zone(0): 2048 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/ram console=0 ramdisk_start=0 single
Calibrating delay loop... 204.39 BogoMIPS
Memory: 6104k/8192k available (1295k kernel code, 2088k reserved, 476k data, 44k init, 0k highmem)
Dentry-cache hash table entries: 1024 (order: 1, 8192 bytes)
Inode-cache hash table entries: 512 (order: 0, 4096 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
unavailable.
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
block: 64 slots per queue, batch=16
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Serial driver version 6.02 (2003-03-12) with no serial options enabled
ttyS00 at 0x00c3 (irq = 3) is a rtl_uart1
state->flags=00000000
RealTek E-Flash System Driver. (C) 2002 RealTek Corp.
Found 1 x 2MiB MXIC MX29LV160AB at 0xbfc00000
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
order=00000000 in rt_init
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
Starting kswapd
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 395k freed
VFS: Mounted root (ext2 filesystem).
Freeing unused kernel memory: 44k freed
mount /proc file system ok!
serial console detected. Disabling virtual terminals.
console=/dev/ttyS0
init started: BusyBox v0.60.1 (2003.09.16-11:50+0000) multi-call binary
BusyBox v0.60.1 (2003.09.16-11:50+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
Initialize WLAN interface
length=0?
length=0?
SIOCGIFFLAGS: No such device
bridge br0 doesn't exist!
bridge br0 doesn't exist; can't delete it
Setup bridge...
Algorithmics/MIPS FPU Emulator v1.5
device eth1 entered promiscuous mode
device wlan0 entered promiscuous mode
This is 8305SB
eth1: Promiscuous mode enabled.
eth1: Promiscuous mode enabled.
eth1: Promiscuous mode enabled.
eth1: Promiscuous mode enabled.
SIOCDELRT: No such process
SIOCDELRT: No such process
br0: port 2(wlan0) entering listening state
br0: port 1(eth1) entering listening state
br0: port 2(wlan0) entering learning state
br0: port 2(wlan0) entering forwarding state
br0: topology change detected, propagating
br0: port 1(eth1) entering learning state
br0: port 1(eth1) entering forwarding state
br0: topology change detected, propagating
SIOCDELRT: No such process
SIOCDELRT: No such process
udhcp server (v0.9.9-pre) started
iappauth.sh: not found
********** run Diagd **********
setting: port: 31727
running in daemon mode
251
------------------------------------------------------------
-----------------
Select
Exit Enter
Please enter your Name and Password
User Name :
After logging in (login: super, password: lance@edimax.com.tw) we have access to the shell:
# cat /proc/cpuinfo
system type : Philips Nino
processor : 0
cpu model : R3000 V0.0
BogoMIPS : 204.39
wait instruction : no
microsecond timers : no
tlb_entries : 64
extra interrupt vector : no
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available
ll emulations : 0
sc emulations : 0
#
# cat /proc/loadavg
0.08 0.05 0.01 1/11 332
# ps ax
PID Uid Stat Command
1 root S init
2 root S [keventd]
3 root S [ksoftirqd_CPU0]
4 root S [mtdblockd]
5 root S [bdflush]
6 root S [kupdated]
7 root S [kswapd]
8 root S -sh
305 root S webs
307 root S /bin/diagd -d
335 root R ps ax
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/root 1373 1320 53 96% /
# cat /proc/version
Linux version 2.4.18-MIPS-01.00 (root@localhost.localdomain) (gcc version 3.0.3) #13 Mon Sep 22 18:07:57 CST 2003
# cat /proc/rtl8180/stats
************ Current driver status ************
wlan0: rtl8180_pci_driver loaded.
ioaddr = 0xbd400000
irq = 2
STA is NOT acting as AP!
chip version is 0x03!
************ DCST statistics ************
bDCST = true
DCST_EvaluatePeriodCountdown = 0x00000002
DCST_Error = 0x00000031
DCST_TotalError = 0x000001d4
DCST_NumberUpgradeVote = 0x00000000
DCST_NumberFallbackVote = 0x00000002
DCST_CurrentThreshold = 0x0000009b
DCST_CurrentThreshold> = 0x98
DCST_UpgradeThreshold = 0x00002710
DCST_FallbackThreshold = 0x00001388
************ wlan station table watchdog timer parameters ************
wlan_sta_tbl_timeInt = 100, wlan_sta_expired_time = 30000
************ MIBs statisics ************
dot11DesiredBssType = 0x1
dot11OperationalRates = 0xf
dot11BeaconPeriod = 100
dot11DtimPeriod = 3
mActingAsAp = 0
mSsid = amsnet
mAId = 13
mAssoc = 1
mBasicRates = 0x3
mBssId = 00:0d:88:98:cc:c2
mCap = 0x41
mDisable = 0
mIbss = 0
mDtimCount = 0
dot11PrivacyOptionImplemented = 1
sCanBeAp = 1
SelfMacAddr = 00:50:fc:f4:1c:f9
wCtx->bWPA = 0
wCtx->dot11RSNAuthenticator.RSNEnabled = 0
wCtx->b802_1X_AUTH = 0
wCtx->pMIB.DefaultPort = 1
wCtx->bHW_WEP = 0
wCtx->bIAPP = 1
wCtx->bWEPKEYMAP = 1
wCtx->GROUPENCKeyLen = 0
wCtx->encryptmode = RTL_ENC_NONE
wepkeymode = WEP_MODE_OFF
AuthenAlg = opensystem
dot11RtsThreshold = 2347
dot11ExcludeUnencrypted = 0
dot11FragmentationThreshold = 2346
dot11MaxReceiveLifetime = 500
dot11PrivacyInvoked = 0
mReceiveDTIMs = 0
dot11WepDefaultKeyId = 0
dot11CurrentChannelNumber = 8
mHighestBasicRate = 0x4 (0x02->1Mbps)
HighestOperaRate = 0x16 (0x02->1Mbps)
CurrTxBasicRate = 0x4 (0x02->1Mbps)
CurrTxOperaRate = 0x16 (0x02->1Mbps)
DesiredNetworkType = NETWORKTYPE_INFRA
AP_support_authAlg = AUTH_ALG_OPENSYSTEM
************ Rx ************
-- Rx descriptor status --
CurrWaitRxDescIdx = 12667
************ Tx ************
-- TxHdrBufPool --
buf_addr = 0x80221000
free_hdr_cnt = 128
curr_free_hdr_entry_idx = 0
curr_used_hdr_entry_idx = 0
-- Tx low descriptor status --
CurrFreeTxLowDescIdx = 52
CurrWaitTxLowDescIdx = 52
CurrFreeTxNormalDescIdx = 58
CurrWaitTxNormalDescIdx = 58
************ TKIP_IV_COUNTER ************
rtl8180_proc_stats: wCtx->TkipIV.val.rdword[0] = 0x00000000 >> wCtx->TkipIV.val.rbyte[0]=0x00 [1]=0x00 [2]=0x00 [3]=0x00
rtl8180_proc_stats: wCtx->TkipIV.val.rdword[1] = 0x00000000 >> wCtx->TkipIV.val.rbyte[4]=0x00 [5]=0x00 [6]=0x00 [7]=0x00
#
# cat /etc/passwd
root:x:0:0:root:/root:/bin/tcsh
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:
nscd:x:28:28:NSCD Daemon:/:/bin/false
mailnull:x:47:47::/var/spool/mqueue:/dev/null
ident:x:98:98:pident user:/:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
john:x:500:500:John Huang:/home/john:/bin/tcsh
dliu:x:501:501::/home/dliu:/bin/tcsh
odysseus:x:502:502::/home/odysseus:/bin/tcsh
ygtai:x:503:503::/home/ygtai:/bin/tcsh
hcjong:x:504:504::/home/hcjong:/bin/tcsh
rpm:x:37:37::/var/lib/rpm:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
named:x:25:25:Named:/var/named:/bin/false
pcap:x:77:77::/var/arpwatch:/bin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
# cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 6651904 4624384 2027520 0 65536 2392064
Swap: 0 0 0
MemTotal: 6496 kB
MemFree: 1980 kB
MemShared: 0 kB
Buffers: 64 kB
Cached: 2336 kB
SwapCached: 0 kB
Active: 660 kB
Inactive: 2244 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 6496 kB
LowFree: 1980 kB
SwapTotal: 0 kB
SwapFree: 0 kB
# ifconfig
br0 Link encap:Ethernet HWaddr 00:50:FC:F4:1C:F9
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:60 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8507 (8.3 kb) TX bytes:0 (0.0 b)
eth1 Link encap:Ethernet HWaddr 00:50:FC:F4:1C:F9
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6120 errors:0 dropped:0 overruns:0 frame:0
TX packets:5465 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:588021 (574.2 kb) TX bytes:1588004 (1.5 Mb)
Interrupt:5
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
wlan0 Link encap:Ethernet HWaddr 00:50:FC:F4:1C:F9
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5465 errors:0 dropped:0 overruns:0 frame:0
TX packets:6120 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:5180699 (4.9 Mb) TX bytes:0 (0.0 b)
Interrupt:2 Memory:bd400000-0
Unfortunately this one is empty:
# cat /proc/net/wireless
Inter-| sta-| Quality | Discarded packets | Missed
face | tus | link level noise | nwid crypt frag retry misc | beacon
Booting can be interrupted with ESC, which drops us into the bootloader. From here we can also upload new firmware over TFTP and program the flash, in case an upload from the web interface went wrong and the AP no longer works.
UART1 output test ok
Uart init
Found 1 x 2M flash memory
---RealTek(RTL8181)at \uffffg.@ 12.\uffff 22 10:38:21 CST 2003 version 1.0
no sys signature at 00010000!
no sys signature at 00020000!
no sys signature at 00030000!
no sys signature at 00040000!
ls
Unknown command !
dls
Unknown command !
help
----------------- COMMAND MODE HELP ------------------
HELP (?) : Print this help message
D
IPCONFIG:
JUMP : Jump to
FLW: FLW
FLR: FLR
ipconfig
Target Address=192.168.2.1
- A tftpd is listening here, so now we can push the firmware, e.g.:
natalka:/ams/firmware/minitar# tftp 192.168.2.1
tftp> bi
tftp> put general-ap_upg_2.32_8m.bin
Sent 1030158 bytes in 5.9 seconds
tftp>
- We receive the contents and program the flash:
**TFTP Client Upload, File Name: general-ap_upg_2.32_8m.bin
-
**TFTP Client Upload File Size = 000FB80E Bytes at 80500000
Success!
flw 20000 80500000 000FB80E
Flash Program from 80500000 to 00020000 with 000FB80E bytes ?
(Y)es, (N)o->y
................Flash Write Successed!
Regards, Andrzej Szreter
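
The recovery steps above, as an added example that is not part of the original post: a Python check that compares the byte count reported by the tftp client with the size the bootloader says it received, and confirms the image fits in the 2M flash, before building the `flw` line. The function names are hypothetical, and the `flw` argument order (flash offset, RAM address, length) is an assumption read off the "Flash Program from ... to ... with ... bytes" prompt shown on this page.

```python
import re

FLASH_SIZE = 0x200000  # "Found 1 x 2M flash memory" in the boot log

# Sample input: the two transcript lines from this page.
TFTP_CLIENT_LOG = "Sent 1030158 bytes in 5.9 seconds"
BOOTLOADER_LOG = "**TFTP Client Upload File Size = 000FB80E Bytes at 80500000"


def parse_client_bytes(log):
    """Byte count the tftp client says it sent (decimal)."""
    m = re.search(r"Sent (\d+) bytes", log)
    if not m:
        raise ValueError("no 'Sent N bytes' line in tftp client output")
    return int(m.group(1))


def parse_bootloader_upload(log):
    """(size, ram_address) the bootloader says it received (both hex)."""
    m = re.search(r"File Size = ([0-9A-Fa-f]+) Bytes at ([0-9A-Fa-f]+)", log)
    if not m:
        raise ValueError("no upload summary in bootloader output")
    return int(m.group(1), 16), int(m.group(2), 16)


def build_flw(client_log, boot_log, flash_offset, flash_size=FLASH_SIZE):
    """Return the flw line, or raise if the transfer or target range is wrong."""
    sent = parse_client_bytes(client_log)
    size, ram_addr = parse_bootloader_upload(boot_log)
    if sent != size:
        raise ValueError(f"client sent {sent} bytes, bootloader holds {size}")
    if size == 0 or flash_offset < 0 or flash_offset + size > flash_size:
        raise ValueError(
            f"{size:#x} bytes at {flash_offset:#x} do not fit in {flash_size:#x}")
    # Argument order assumed from the prompt: flash offset, RAM address, length.
    return f"flw {flash_offset:x} {ram_addr:08x} {size:08X}"


if __name__ == "__main__":
    print(build_flw(TFTP_CLIENT_LOG, BOOTLOADER_LOG, 0x20000))
```

A mismatch between the two byte counts means the transfer was truncated and the image in RAM should not be written to flash.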