Discussion:
[Isl3893-devel] Dead USR5462 access point
Francesco Furnari
2008-02-07 21:38:01 UTC
Permalink
Hello everybody,

I've got a not working USR5462 AP. I opened it and connected my logic
analyser on the only connector I thought might be a serial interface. I
captured some intelligible data from the connector and so made a
ttl-to-rs232 converter. Now that I'm able to deal whit the box, I
started googling and wondered that many people have already done some
nice hacking on similar boxes. I would like to bring the box back to
life... but...here is the problem. The only output I got from the serial
console is

3893-rev0, ROM v1 (Sep 02 2002), 8MB SDRAM

rom >

this is the output Issuing a help command

rom > help
cont
copy src dst len
d addr [len]
db addr [len]
dw addr [len]
erase addr len
fill addr len data ...
flash addr
go addr
get name addr [len]
help
lines value
load [addr] len
print [area]
ping [name]
put name addr len
regs
mac
w addr data ...
wb addr data ...
ww addr data ...
rom >


I'm not able to start the rescue procedure trickling whit the reset
button nor any ethernet packets can be seen sniffing the ethernet. I
don't know how I can go ahead. Is the ISL3893 definitely dead? Anyone
can give me some hint?

Any help will be gratefully appreciated.

Bye

Francesco Furnari
Sebastien Bourdeauducq
2008-02-07 23:23:51 UTC
Permalink
Hi,

Most likely, the flash memory's contents are incorrect (perhaps because
somebody played with it...). Reflashing the box, e.g. with JTAG (tutorials
available online) should bring it back to life. If you don't have a JTAG
cable, you can also script the "flash" and "load" commands ;)

Sebastien
Post by Francesco Furnari
Hello everybody,
I've got a not working USR5462 AP. I opened it and connected my logic
analyser on the only connector I thought might be a serial interface. I
captured some intelligible data from the connector and so made a
ttl-to-rs232 converter. Now that I'm able to deal whit the box, I
started googling and wondered that many people have already done some
nice hacking on similar boxes. I would like to bring the box back to
life... but...here is the problem. The only output I got from the serial
console is
3893-rev0, ROM v1 (Sep 02 2002), 8MB SDRAM
rom >
this is the output Issuing a help command
rom > help
cont
copy src dst len
d addr [len]
db addr [len]
dw addr [len]
erase addr len
fill addr len data ...
flash addr
go addr
get name addr [len]
help
lines value
load [addr] len
print [area]
ping [name]
put name addr len
regs
mac
w addr data ...
wb addr data ...
ww addr data ...
rom >
I'm not able to start the rescue procedure trickling whit the reset
button nor any ethernet packets can be seen sniffing the ethernet. I
don't know how I can go ahead. Is the ISL3893 definitely dead? Anyone
can give me some hint?
Any help will be gratefully appreciated.
Bye
Francesco Furnari
Benjamin Henrion
2008-02-08 00:26:23 UTC
Permalink
Does your router has a JTAG interface?

I even did not know that this device was isl3893 based.

I have investigating the JTAG flashing this week-end, so I will be
able to tell you how to reflash it once I have my JTAG adaptor
working.

Can you take pictures of the board in the meantime to see if there is
a JTAG connector?

Best,

On Feb 8, 2008 12:23 AM, Sebastien Bourdeauducq
Post by Sebastien Bourdeauducq
Hi,
Most likely, the flash memory's contents are incorrect (perhaps because
somebody played with it...). Reflashing the box, e.g. with JTAG (tutorials
available online) should bring it back to life. If you don't have a JTAG
cable, you can also script the "flash" and "load" commands ;)
Sebastien
Post by Francesco Furnari
Hello everybody,
I've got a not working USR5462 AP. I opened it and connected my logic
analyser on the only connector I thought might be a serial interface. I
captured some intelligible data from the connector and so made a
ttl-to-rs232 converter. Now that I'm able to deal whit the box, I
started googling and wondered that many people have already done some
nice hacking on similar boxes. I would like to bring the box back to
life... but...here is the problem. The only output I got from the serial
console is
3893-rev0, ROM v1 (Sep 02 2002), 8MB SDRAM
rom >
this is the output Issuing a help command
rom > help
cont
copy src dst len
d addr [len]
db addr [len]
dw addr [len]
erase addr len
fill addr len data ...
flash addr
go addr
get name addr [len]
help
lines value
load [addr] len
print [area]
ping [name]
put name addr len
regs
mac
w addr data ...
wb addr data ...
ww addr data ...
rom >
I'm not able to start the rescue procedure trickling whit the reset
button nor any ethernet packets can be seen sniffing the ethernet. I
don't know how I can go ahead. Is the ISL3893 definitely dead? Anyone
can give me some hint?
Any help will be gratefully appreciated.
Bye
Francesco Furnari
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Isl3893-devel mailing list
https://lists.sourceforge.net/lists/listinfo/isl3893-devel
--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
Benjamin Henrion
2008-02-08 00:39:13 UTC
Permalink
Looking at the face of the ap, it seems to be a clone of a Minitar
(probably rebranding from the same OEM manufacturer in Taiwan):

http://isl3893.wikidot.com/minitar-mn54g4r

I wonder how much of flash those routers have?

If they have 2MB, I am definitely interested to boot linux on those.
If they have 1MB it is a it useless.

We have now 5 different isl3893 based routers running a different OS than linux.
Post by Francesco Furnari
Hello everybody,
I've got a not working USR5462 AP. I opened it and connected my logic
analyser on the only connector I thought might be a serial interface. I
captured some intelligible data from the connector and so made a
ttl-to-rs232 converter. Now that I'm able to deal whit the box, I
started googling and wondered that many people have already done some
nice hacking on similar boxes. I would like to bring the box back to
life... but...here is the problem. The only output I got from the serial
console is
3893-rev0, ROM v1 (Sep 02 2002), 8MB SDRAM
rom >
this is the output Issuing a help command
rom > help
cont
copy src dst len
d addr [len]
db addr [len]
dw addr [len]
erase addr len
fill addr len data ...
flash addr
go addr
get name addr [len]
help
lines value
load [addr] len
print [area]
ping [name]
put name addr len
regs
mac
w addr data ...
wb addr data ...
ww addr data ...
rom >
I'm not able to start the rescue procedure trickling whit the reset
button nor any ethernet packets can be seen sniffing the ethernet. I
don't know how I can go ahead. Is the ISL3893 definitely dead? Anyone
can give me some hint?
Any help will be gratefully appreciated.
Bye
Francesco Furnari
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Isl3893-devel mailing list
https://lists.sourceforge.net/lists/listinfo/isl3893-devel
--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
Benjamin Henrion
2008-02-08 00:53:04 UTC
Permalink
The FCC pics seems to show that the board has a 2x7 pins JTAG connector:

https://fjallfoss.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=819177&fcc_id='RAXWG4005D-U5'

But the flash chip is covered by a sticker, I cannot identify if it is
a 1MB or a 2MB version.

Francesco, can you tell us what is the flash chip on your board?

Best,
Post by Benjamin Henrion
Looking at the face of the ap, it seems to be a clone of a Minitar
http://isl3893.wikidot.com/minitar-mn54g4r
I wonder how much of flash those routers have?
If they have 2MB, I am definitely interested to boot linux on those.
If they have 1MB it is a it useless.
We have now 5 different isl3893 based routers running a different OS than linux.
Post by Francesco Furnari
Hello everybody,
I've got a not working USR5462 AP. I opened it and connected my logic
analyser on the only connector I thought might be a serial interface. I
captured some intelligible data from the connector and so made a
ttl-to-rs232 converter. Now that I'm able to deal whit the box, I
started googling and wondered that many people have already done some
nice hacking on similar boxes. I would like to bring the box back to
life... but...here is the problem. The only output I got from the serial
console is
3893-rev0, ROM v1 (Sep 02 2002), 8MB SDRAM
rom >
this is the output Issuing a help command
rom > help
cont
copy src dst len
d addr [len]
db addr [len]
dw addr [len]
erase addr len
fill addr len data ...
flash addr
go addr
get name addr [len]
help
lines value
load [addr] len
print [area]
ping [name]
put name addr len
regs
mac
w addr data ...
wb addr data ...
ww addr data ...
rom >
I'm not able to start the rescue procedure trickling whit the reset
button nor any ethernet packets can be seen sniffing the ethernet. I
don't know how I can go ahead. Is the ISL3893 definitely dead? Anyone
can give me some hint?
Any help will be gratefully appreciated.
Bye
Francesco Furnari
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Isl3893-devel mailing list
https://lists.sourceforge.net/lists/listinfo/isl3893-devel
--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
Francesco Furnari
2008-02-08 09:07:21 UTC
Permalink
Hi Benjamin

I'm very excited at this point. A very interesting scenario now opens
for my hacking passion thus I ever trickled with micros and generally
electronics stuff but never SOC before. I will provide all you need to
share information on this device too. I will follow up soon. In the mean
time, I can say that the JTAG connector is present but solder filled.
Can you tell me where can I upload pictures?

Bye

Fra
Post by Benjamin Henrion
https://fjallfoss.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=819177&fcc_id='RAXWG4005D-U5'
But the flash chip is covered by a sticker, I cannot identify if it is
a 1MB or a 2MB version.
Francesco, can you tell us what is the flash chip on your board?
Best,
Post by Benjamin Henrion
Looking at the face of the ap, it seems to be a clone of a Minitar
http://isl3893.wikidot.com/minitar-mn54g4r
I wonder how much of flash those routers have?
If they have 2MB, I am definitely interested to boot linux on those.
If they have 1MB it is a it useless.
We have now 5 different isl3893 based routers running a different OS than linux.
Post by Francesco Furnari
Hello everybody,
I've got a not working USR5462 AP. I opened it and connected my logic
analyser on the only connector I thought might be a serial interface. I
captured some intelligible data from the connector and so made a
ttl-to-rs232 converter. Now that I'm able to deal whit the box, I
started googling and wondered that many people have already done some
nice hacking on similar boxes. I would like to bring the box back to
life... but...here is the problem. The only output I got from the serial
console is
3893-rev0, ROM v1 (Sep 02 2002), 8MB SDRAM
rom >
this is the output Issuing a help command
rom > help
cont
copy src dst len
d addr [len]
db addr [len]
dw addr [len]
erase addr len
fill addr len data ...
flash addr
go addr
get name addr [len]
help
lines value
load [addr] len
print [area]
ping [name]
put name addr len
regs
mac
w addr data ...
wb addr data ...
ww addr data ...
rom >
I'm not able to start the rescue procedure trickling whit the reset
button nor any ethernet packets can be seen sniffing the ethernet. I
don't know how I can go ahead. Is the ISL3893 definitely dead? Anyone
can give me some hint?
Any help will be gratefully appreciated.
Bye
Francesco Furnari
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Isl3893-devel mailing list
https://lists.sourceforge.net/lists/listinfo/isl3893-devel
--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
Benjamin Henrion
2008-02-08 10:11:18 UTC
Permalink
Post by Francesco Furnari
Hi Benjamin
I'm very excited at this point. A very interesting scenario now opens
for my hacking passion thus I ever trickled with micros and generally
electronics stuff but never SOC before. I will provide all you need to
share information on this device too. I will follow up soon. In the mean
time, I can say that the JTAG connector is present but solder filled.
Can you tell me where can I upload pictures?
I have created a page on wikidot:

http://isl3893.wikidot.com/usrobotics-usr5462

I can add you as an editor of the website if you create a login on
wikidot (create account on the top right).

--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
Francesco Furnari
2008-02-08 11:10:31 UTC
Permalink
Thanks
I'm going to create the account right now.

Have a nice day

Fra
Post by Benjamin Henrion
Post by Francesco Furnari
Hi Benjamin
I'm very excited at this point. A very interesting scenario now opens
for my hacking passion thus I ever trickled with micros and generally
electronics stuff but never SOC before. I will provide all you need to
share information on this device too. I will follow up soon. In the mean
time, I can say that the JTAG connector is present but solder filled.
Can you tell me where can I upload pictures?
http://isl3893.wikidot.com/usrobotics-usr5462
I can add you as an editor of the website if you create a login on
wikidot (create account on the top right).
--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403
Benjamin Henrion
2008-02-08 15:30:22 UTC
Permalink
Post by Benjamin Henrion
https://fjallfoss.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=819177&fcc_id='RAXWG4005D-U5'
But the flash chip is covered by a sticker, I cannot identify if it is
a 1MB or a 2MB version.
Francesco, can you tell us what is the flash chip on your board?
The flash is an ATMEL AT49BV162A 16Mbit chip. Here is the link to the
datasheet at atmel.

http://www.atmel.com/dyn/resources/prod_documents/doc3349.pdf

Good news, it has 2MB of flash.

I will try to get JTAG working this week-end on my Netgear, I keep you
updated with my findings.

--
Benjamin Henrion <bhenrion at ffii.org>
FFII Brussels - +32-484-566109 - +32-2-4148403

Loading...