
Trying to access the @nifty VPN gateway NV900W

I tried accessing the NV900W, a device that was used for the VPN service formerly offered by @nifty.

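Opening it up, there is a suggestive-looking 4-pin header standing on the board.
Starting from the chip (DRAM) side, the order appears to be GND, RX?, TX, ???. Looking at GND and TX with an oscilloscope shows about 3.3 V.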

I connected it to a Raspberry Pi B I had on hand. I installed the screen command, then

$ sudo systemctl stop serial-getty@ttyS0.service
$ sudo systemctl disable serial-getty@ttyS0.service

set enable_uart=1 in /boot/config.txt and rebooted,

$ sudo screen /dev/ttyAMA0 57600

At a data rate of 57600 bps I could see the U-Boot and Linux boot messages, but no text gets sent.

The boot messages follow.

U-Boot 1.1.3 (Sep  5 2014 - 09:16:31)

Board: Ralink APSoC DRAM:  128 MB
relocate_code Pointer at: 87fb4000
flash manufacture id: c2, device id 20 18
find flash: MX25L12805D
============================================
Ralink UBoot Version: 4.1.1.0
--------------------------------------------
ASIC 6855A_MP (Port5<->None)
DRAM component: 1024 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 128 MBytes
Flash component: SPI Flash
Date:Sep  5 2014  Time:09:16:31
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 700 MHZ ####
 estimate memory size =128 Mbytes

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   6: Boot system code via Flash (TEST mode).
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.                     0

3: System Boot system code via Flash.
## Booting image at b0050000 ...
   Image Name:   Linux Kernel Image
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    5022141 Bytes =  4.8 MB
   Load Address: 80020000
   Entry Point:  80023f30
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80023f30) ...
## Giving linux memsize in MB, 128
linux_env[0]: memsize=128
linux_env[1]: initrd_start=0x00000000
linux_env[2]: initrd_size=0x0
linux_env[3]: flash_start=0x00000000
linux_env[4]: flash_size=0x1000000

Starting kernel ...

Linux version 2.6.36 (dit@localhost.localdomain) (gcc version 3.4.2) #2 Thu Jul 14 17:39:39 JST 2016
ISPRAM0: PA=00308000,Size=00008000,enabled
Ralink RT63165 SOC prom init
CPU revision is: 00019555 (MIPS 34Kc)
Determined physical RAM map:
 memory: 07fe0000 @ 00020000 (usable)
Wasting 1024 bytes for tracking 32 unused pages
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000020 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000020 -> 0x00008000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32480
Kernel command line:  es=1 root=/dev/ram0  console=ttyS0
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000680
Readback ErrCtl register=00000680
Memory: 122040k/130944k available (3008k kernel code, 8904k reserved, 1083k data, 3564k init, 0k highmem)
Hierarchical RCU implementation.
        RCU-based detection of stalled CPUs is disabled.
        Verbose stalled-CPUs detection is disabled.
NR_IRQS:64
CPU frequency 699.00 MHz
console [ttyS0] enabled
Calibrating delay loop... 465.30 BogoMIPS (lpj=2326528)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
start PCIe register access

*************** RT6855A PCIe RC mode *************
PCIE1 no card, disable it(RST&CLK)
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pci 0000:00:00.0: BAR 0: can't assign mem (size 0x80000000)
pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x200fffff]
pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x2000ffff]
pci 0000:01:00.0: BAR 0: set to [mem 0x20000000-0x2000ffff] (PCI address [0x20000000-0x2000ffff]
pci 0000:00:00.0: PCI bridge to [bus 01-01]
pci 0000:00:00.0:   bridge window [io  disabled]
pci 0000:00:00.0:   bridge window [mem 0x20000000-0x200fffff]
pci 0000:00:00.0:   bridge window [mem pref disabled]
** bus= 0, slot=0x0
BAR0 at slot 0 = 0
bus=0x0, slot = 0x0
res[0]->start = 0
res[0]->end = 0
res[1]->start = 0
res[1]->end = 0
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
** bus= 1, slot=0x0
bus=0x1, slot = 0x0
res[0]->start = 20000000
res[0]->end = 2000ffff
res[1]->start = 0
res[1]->end = 0
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RT3xxx EHCI/OHCI init.
fuse init (API version 7.15)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Ralink gpio driver initialized
ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
brd: module loaded
flash manufacture id: c2, device id 20 18
MX25L12805D(c2 2018c220) (16384 Kbytes)
mtd .name = raspi, .size = 0x01000000 (0M) .erasesize = 0x00000010 (0K) .numeraseregions = 65536
Creating 5 MTD partitions on "raspi":
0x000000000000-0x000001000000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x000001000000 : "Kernel"
rdm_major = 253
MAC_ADRH -- : 0x000000e0
SMACCR1 -- : 0x000000e0
MAC_ADRL -- : 0x2507d2a0
SMACCR0 -- : 0x2507d2a0
Ralink APSoC Ethernet Driver Initilization. v2.1  256 rx/tx descriptors allocated, mtu = 1500!
MAC_ADRH -- : 0x000000e0
SMACCR1 -- : 0x000000e0
MAC_ADRL -- : 0x2507d2a0
SMACCR0 -- : 0x2507d2a0
PROC INIT OK!
PPP generic driver version 2.4.2
PPP MPPE Compression module registered
NET: Registered protocol family 24
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x1fbb0000
rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x1fba1000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (1906 buckets, 7624 max)
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone
TCP cubic registered
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
lib80211: common routines for IEEE802.11 drivers
Freeing unused kernel memory: 3564k freed
init started: BusyBox v1.12.Algorithmics/MIPS FPU Emulator v1.5
1 (2017-04-12 13:04:22 JST)
sdevpts: called with bogus options
tarting pid 223, tty '': '/etc_ro/rcS'
Set: phy[0].reg[0] = 3100
Set: phy[1].reg[0] = 3100
Set: phy[2].reg[0] = 3100
Set: phy[3].reg[0] = 3100
Set: phy[4].reg[0] = 3100

*******************************************************************************
 Welcome to

         #####                                                   #####     #
 #      #     #   ####   #        ####   #    #  #####          #     #   # #
 #            #  #    #  #       #    #  #    #  #    #         #        #   #
 #       #####   #       #       #    #  #    #  #    #          #####  #     #
 #      #        #       #       #    #  #    #  #    #               # #######
 #      #        #    #  #       #    #  #    #  #    #         #     # #     #
 ###### #######   ####   ######   ####    ####   #####           #####  #     #

                                                        version  2.30

*******************************************************************************
Password for 'admin' changed
ifconfig: ioctl 0x8913 failed: No such device
brctl: bridge br0: No such device or address
##### config Ralink ESW vlan partition (LLLLW) #####
switch reg write offset=2004, value=ff0003
switch reg write offset=2104, value=ff0003
switch reg write offset=2204, value=ff0003
switch reg write offset=2304, value=ff0003
switch reg write offset=2404, value=ff0003
switch reg write offset=2504, value=ff0003
switch reg write offset=2010, value=810000c0
switch reg write offset=2110, value=810000c0
switch reg write offset=2210, value=810000c0
switch reg write offset=2310, value=810000c0
switch reg write offset=2410, value=810000c0
switch reg write offset=2510, value=810000c0
switch reg write offset=2610, value=81000000
switch reg write offset=2710, value=81000000
switch reg write offset=2604, value=20ff0003
switch reg write offset=2704, value=20ff0003
Special Tag Disabled
switch reg write offset=2610, value=81000000
switch reg write offset=2014, value=10001
switch reg write offset=2114, value=10001
switch reg write offset=2214, value=10001
switch reg write offset=2314, value=10001
switch reg write offset=2414, value=10002
switch reg write offset=2514, value=10001
REG_ESW_WT_MAC_ATC is 0x7ff0002
done.

phy_tx_ring = 0x064d6000, tx_ring = 0xa64d6000

phy_rx_ring0 = 0x064d7000, rx_ring0 = 0xa64d7000
MAC_ADRH -- : 0x000000e0
SMACCR1 -- : 0x000000e0
MAC_ADRL -- : 0x2507d2a0
SMACCR0 -- : 0x2507d2a0
CDMA_CSG_CFG = 81000000
GDMA1_FWD_CFG = C0090000
vconfig: ioctl error for rem: No such device
vconfig: ioctl error for rem: No such device
rmmod: 8021q: No such file or directory
insmod: 8021q.ko: module not found
device eth2 entered promiscuous mode
device eth2.1 entered promiscuous mode
Reset button is NOT pushed
starting pid 466, tty '/dev/ttyS0': '/bin/sh'


BusyBox v1.12.1 (2017-04-12 13:04:22 JST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# config_init: running config count = 78
eth2.1 MAC address = 00e02507d2a0
blink led1 green, turn off led2
usbcore: registered new interface driver lc_ether
usbcore: registered new interface driver usbserial
usbserial: USB Serial Driver core
USB Serial support registered for GSM modem (1-port)
usbcore: registered new interface driver option
option: v0.7.2:USB Driver for GSM modems
USB-WWAN is not found. Retry.

After this, "USB-WWAN is not found. Retry." is displayed endlessly.

I tried changing the parity and stop bits, but it had no effect.

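A translation of a Russian-language site says, "Gemtek for Iota removed the ability to log in to u-boot by disabling character reception over the serial port." If the same measure has been applied to this device, it cannot be controlled.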

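I wonder whether anything could be done by connecting something to the suggestive-looking debug-port-like spot on the board. There is also a suggestive-looking 3-pin jumper port, but location-wise the flash is closer to the WLAN chip, so it probably doesn't have much to do with it.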
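
Added example (not part of the original post): a short Python script that pulls out of the boot log above the facts a firmware reviewer would record, namely the flash partition layout and whether init starts a shell directly on the kernel console with no login in front. The function names are made up for this example; the log lines in BOOT_LOG are copied from the post.

```python
import re

# Excerpt of the boot log above (lines copied from the post, not new data).
BOOT_LOG = """\
Kernel command line:  es=1 root=/dev/ram0  console=ttyS0
Creating 5 MTD partitions on "raspi":
0x000000000000-0x000001000000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x000001000000 : "Kernel"
starting pid 466, tty '/dev/ttyS0': '/bin/sh'
"""

MTD_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"$', re.M)
SPAWN_RE = re.compile(r"starting pid \d+, tty '([^']*)': '([^']+)'")
CONSOLE_RE = re.compile(r"^Kernel command line:.*\bconsole=(\w+)", re.M)


def mtd_partitions(log):
    """Return [(name, start, size)] from the kernel's MTD partition lines."""
    return [(name, int(start, 16), int(end, 16) - int(start, 16))
            for start, end, name in MTD_RE.findall(log)]


def layout_problems(parts):
    """Return (name, expected_start, actual_start) wherever partitions leave a gap or overlap."""
    flash_end = max(start + size for _, start, size in parts)
    pos, problems = 0, []
    for name, start, size in sorted(parts, key=lambda p: p[1]):
        if (start, size) == (0, flash_end):
            continue  # whole-chip alias ("ALL" in this log)
        if start != pos:
            problems.append((name, pos, start))
        pos = start + size
    if pos != flash_end:
        problems.append(("<end>", pos, flash_end))
    return problems


def console_shells(log):
    """Shells that init spawns straight onto the kernel console tty (no getty/login)."""
    m = CONSOLE_RE.search(log)
    console = m.group(1) if m else None
    return [(tty, prog) for tty, prog in SPAWN_RE.findall(log)
            if console and tty.endswith(console)
            and prog.rsplit("/", 1)[-1] in {"sh", "ash", "bash"}]


print(mtd_partitions(BOOT_LOG), layout_problems(mtd_partitions(BOOT_LOG)), console_shells(BOOT_LOG))
```
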

Published on Wednesday, March 18 2020 by takagiwa
