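Trying to access the NV900W, @nifty's VPN gateway
I tried accessing the NV900W, a device that was used for the VPN service formerly offered by @nifty.
On opening the case, there is a suggestive-looking 4-pin header on the board.
From the chip (DRAM) side, the pin order appears to be GND, RX?, TX, ???. Measuring between GND and TX with an oscilloscope shows about 3.3V.
I connected it to a Raspberry Pi B I had on hand. I installed the screen command, then ran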
$ sudo systemctl stop serial-getty@ttyS0.service
$ sudo systemctl disable serial-getty@ttyS0.service
set enable_uart=1 in /boot/config.txt and rebooted, then ran
$ sudo screen /dev/ttyAMA0 57600
At a data rate of 57600bps I could see the U-Boot and Linux boot messages, but text cannot be sent to the device.
The boot messages follow.
U-Boot 1.1.3 (Sep 5 2014 - 09:16:31)
Board: Ralink APSoC DRAM: 128 MB
relocate_code Pointer at: 87fb4000
flash manufacture id: c2, device id 20 18
find flash: MX25L12805D
============================================
Ralink UBoot Version: 4.1.1.0
--------------------------------------------
ASIC 6855A_MP (Port5<->None)
DRAM component: 1024 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 128 MBytes
Flash component: SPI Flash
Date:Sep 5 2014 Time:09:16:31
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768
##### The CPU freq = 700 MHZ ####
estimate memory size =128 Mbytes
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
6: Boot system code via Flash (TEST mode).
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
0
3: System Boot system code via Flash.
## Booting image at b0050000 ...
Image Name: Linux Kernel Image
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 5022141 Bytes = 4.8 MB
Load Address: 80020000
Entry Point: 80023f30
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80023f30) ...
## Giving linux memsize in MB, 128
linux_env[0]: memsize=128
linux_env[1]: initrd_start=0x00000000
linux_env[2]: initrd_size=0x0
linux_env[3]: flash_start=0x00000000
linux_env[4]: flash_size=0x1000000
Starting kernel ...
Linux version 2.6.36 (dit@localhost.localdomain) (gcc version 3.4.2) #2 Thu Jul 14 17:39:39 JST 2016
ISPRAM0: PA=00308000,Size=00008000,enabled
Ralink RT63165 SOC prom init
CPU revision is: 00019555 (MIPS 34Kc)
Determined physical RAM map:
memory: 07fe0000 @ 00020000 (usable)
Wasting 1024 bytes for tracking 32 unused pages
Initrd not found or empty - disabling initrd
Zone PFN ranges:
Normal 0x00000020 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000020 -> 0x00008000
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32480
Kernel command line: es=1 root=/dev/ram0 console=ttyS0
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000680
Readback ErrCtl register=00000680
Memory: 122040k/130944k available (3008k kernel code, 8904k reserved, 1083k data, 3564k init, 0k highmem)
Hierarchical RCU implementation.
RCU-based detection of stalled CPUs is disabled.
Verbose stalled-CPUs detection is disabled.
NR_IRQS:64
CPU frequency 699.00 MHz
console [ttyS0] enabled
Calibrating delay loop... 465.30 BogoMIPS (lpj=2326528)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
start PCIe register access
*************** RT6855A PCIe RC mode *************
PCIE1 no card, disable it(RST&CLK)
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pci 0000:00:00.0: BAR 0: can't assign mem (size 0x80000000)
pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x200fffff]
pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x2000ffff]
pci 0000:01:00.0: BAR 0: set to [mem 0x20000000-0x2000ffff] (PCI address [0x20000000-0x2000ffff]
pci 0000:00:00.0: PCI bridge to [bus 01-01]
pci 0000:00:00.0: bridge window [io disabled]
pci 0000:00:00.0: bridge window [mem 0x20000000-0x200fffff]
pci 0000:00:00.0: bridge window [mem pref disabled]
** bus= 0, slot=0x0
BAR0 at slot 0 = 0
bus=0x0, slot = 0x0
res[0]->start = 0
res[0]->end = 0
res[1]->start = 0
res[1]->end = 0
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
** bus= 1, slot=0x0
bus=0x1, slot = 0x0
res[0]->start = 20000000
res[0]->end = 2000ffff
res[1]->start = 0
res[1]->end = 0
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RT3xxx EHCI/OHCI init.
fuse init (API version 7.15)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Ralink gpio driver initialized
ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
brd: module loaded
flash manufacture id: c2, device id 20 18
MX25L12805D(c2 2018c220) (16384 Kbytes)
mtd .name = raspi, .size = 0x01000000 (0M) .erasesize = 0x00000010 (0K) .numeraseregions = 65536
Creating 5 MTD partitions on "raspi":
0x000000000000-0x000001000000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x000001000000 : "Kernel"
rdm_major = 253
MAC_ADRH -- : 0x000000e0
SMACCR1 -- : 0x000000e0
MAC_ADRL -- : 0x2507d2a0
SMACCR0 -- : 0x2507d2a0
Ralink APSoC Ethernet Driver Initilization. v2.1 256 rx/tx descriptors allocated, mtu = 1500!
MAC_ADRH -- : 0x000000e0
SMACCR1 -- : 0x000000e0
MAC_ADRL -- : 0x2507d2a0
SMACCR0 -- : 0x2507d2a0
PROC INIT OK!
PPP generic driver version 2.4.2
PPP MPPE Compression module registered
NET: Registered protocol family 24
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x1fbb0000
rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x1fba1000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (1906 buckets, 7624 max)
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone
TCP cubic registered
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
lib80211: common routines for IEEE802.11 drivers
Freeing unused kernel memory: 3564k freed
init started: BusyBox v1.12.Algorithmics/MIPS FPU Emulator v1.5 1 (2017-04-12 13:04:22 JST) sdevpts: called with bogus options tarting pid 223, tty '': '/etc_ro/rcS'
Set: phy[0].reg[0] = 3100
Set: phy[1].reg[0] = 3100
Set: phy[2].reg[0] = 3100
Set: phy[3].reg[0] = 3100
Set: phy[4].reg[0] = 3100
*******************************************************************************
Welcome to
##### ##### # # # # #### # #### # # ##### # # # # # # # # # # # # # # # # # # # ##### # # # # # # # # ##### # # # # # # # # # # # # # ####### # # # # # # # # # # # # # # # ###### ####### #### ###### #### #### ##### ##### # #
version 2.30
*******************************************************************************
Password for 'admin' changed
ifconfig: ioctl 0x8913 failed: No such device
brctl: bridge br0: No such device or address
##### config Ralink ESW vlan partition (LLLLW) #####
switch reg write offset=2004, value=ff0003
switch reg write offset=2104, value=ff0003
switch reg write offset=2204, value=ff0003
switch reg write offset=2304, value=ff0003
switch reg write offset=2404, value=ff0003
switch reg write offset=2504, value=ff0003
switch reg write offset=2010, value=810000c0
switch reg write offset=2110, value=810000c0
switch reg write offset=2210, value=810000c0
switch reg write offset=2310, value=810000c0
switch reg write offset=2410, value=810000c0
switch reg write offset=2510, value=810000c0
switch reg write offset=2610, value=81000000
switch reg write offset=2710, value=81000000
switch reg write offset=2604, value=20ff0003
switch reg write offset=2704, value=20ff0003
Special Tag Disabled
switch reg write offset=2610, value=81000000
switch reg write offset=2014, value=10001
switch reg write offset=2114, value=10001
switch reg write offset=2214, value=10001
switch reg write offset=2314, value=10001
switch reg write offset=2414, value=10002
switch reg write offset=2514, value=10001
REG_ESW_WT_MAC_ATC is 0x7ff0002
done.
phy_tx_ring = 0x064d6000, tx_ring = 0xa64d6000
phy_rx_ring0 = 0x064d7000, rx_ring0 = 0xa64d7000
MAC_ADRH -- : 0x000000e0
SMACCR1 -- : 0x000000e0
MAC_ADRL -- : 0x2507d2a0
SMACCR0 -- : 0x2507d2a0
CDMA_CSG_CFG = 81000000
GDMA1_FWD_CFG = C0090000
vconfig: ioctl error for rem: No such device
vconfig: ioctl error for rem: No such device
rmmod: 8021q: No such file or directory
insmod: 8021q.ko: module not found
device eth2 entered promiscuous mode
device eth2.1 entered promiscuous mode
Reset button is NOT pushed
starting pid 466, tty '/dev/ttyS0': '/bin/sh'
BusyBox v1.12.1 (2017-04-12 13:04:22 JST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# config_init: running config count = 78
eth2.1 MAC address = 00e02507d2a0
blink led1 green, turn off led2
usbcore: registered new interface driver lc_ether
usbcore: registered new interface driver usbserial
usbserial: USB Serial Driver core
USB Serial support registered for GSM modem (1-port)
usbcore: registered new interface driver option
option: v0.7.2:USB Driver for GSM modems
USB-WWAN is not found. Retry.
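After this, "USB-WWAN is not found. Retry." is printed endlessly.
I tried changing the parity and stop bits, but it had no effect.
According to a translation of a Russian-language site, "Gemtek for Iota removed the ability to log in to u-boot by disabling character reception via the serial port." If the same measure has been applied to this device, it cannot be controlled over this port.
If I connected something to the spot on the board that looks like a debug port, would I be able to do anything? There is also a suggestive-looking 3-pin jumper port, but given its location, with the flash sitting closer to the WLAN chip, it probably has little to do with this.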
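As an added example (not part of the original post), the script below extracts the flash layout from the boot messages above, checks that the MTD partitions tile the 16 MB SPI flash without gaps, and maps U-Boot's boot address to a partition. The embedded lines are an excerpt of this page's log; the flash mapping base 0xb0000000 is an assumption inferred from that log, and the function names are hypothetical.

```python
import re

# Excerpt of the boot log on this page, one message per line.
BOOT_LOG = """\
## Booting image at b0050000 ...
linux_env[4]: flash_size=0x1000000
Creating 5 MTD partitions on "raspi":
0x000000000000-0x000001000000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x000001000000 : "Kernel"
"""

# Assumption: the SPI flash is memory-mapped at 0xb0000000, inferred from the
# boot address b0050000 matching the 0x50000 start of the "Kernel" partition.
FLASH_MAP_BASE = 0xB0000000
PART_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"', re.M)

def parse_partitions(log):
    """Return [(name, start, end)] from the kernel's MTD partition listing."""
    return [(m[3], int(m[1], 16), int(m[2], 16)) for m in PART_RE.finditer(log)]

def boot_partition(log, base=FLASH_MAP_BASE):
    """Name of the smallest partition that contains U-Boot's boot address."""
    m = re.search(r"## Booting image at ([0-9a-f]+)", log)
    if not m:
        return None
    off = int(m[1], 16) - base
    hits = [(e - s, n) for n, s, e in parse_partitions(log) if s <= off < e]
    return min(hits)[1] if hits else None

def layout_problems(log):
    """List gaps/overlaps between partitions, ignoring whole-flash overlays."""
    m = re.search(r"flash_size=0x([0-9a-f]+)", log)
    size = int(m[1], 16) if m else None
    parts = sorted((s, e, n) for n, s, e in parse_partitions(log)
                   if not (s == 0 and e == size))
    problems, cursor = [], 0
    for s, e, n in parts:
        if s != cursor:
            problems.append(f"{'gap' if s > cursor else 'overlap'} before {n} at {s:#x}")
        cursor = max(cursor, e)
    if size is not None and cursor != size:
        problems.append(f"layout ends at {cursor:#x}, flash is {size:#x}")
    return problems

if __name__ == "__main__":
    print(parse_partitions(BOOT_LOG), boot_partition(BOOT_LOG), layout_problems(BOOT_LOG))
```

The same functions accept a full capture saved from screen, as long as each log message sits on its own line.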
Published on Wednesday, March 18 2020 by takagiwa