www.8devices.com
|
|
Author |
Message |
zorromymy
Joined: 27 May 2013, 14:45 Posts: 13
|
I have just discovered that the internal ROM of AR9331 has code to boot from USB instead of serial SPI. As discribed in AR9331 datasheet pulling down GPIO1 at powerup trig this feature... Does someone has more information about that and how to exploit it ? Question for 8devices 's people... Do you use the feature to upload the serial flash or do you use JTAG ?
Here is the log from Uart...
Hornet USB booting... VID=0xcf3,PID=0x9330 iManufacturer=0x10,iProduct=0x20,iSerialNumber=0x30 bMaxPower=0xfa -> COLD_START bUSBPhyBias=0x3 RUN Default State HS HS HS HS HS
|
12 Sep 2013, 13:09 |
|
|
FPeter
Joined: 21 Aug 2013, 21:21 Posts: 101
|
|
12 Sep 2013, 21:37 |
|
|
zorromymy
Joined: 27 May 2013, 14:45 Posts: 13
|
Don't know, if USB configures as host or device... Probably "Host" because of GPIO13 (High level by default on Carambola2, see AR9331 datasheet). I try to attach USB-Key... Log on uart stops after "RUN" line until the key is removed I try to attach USB-Serial... same behaviour... I try to attach to a Host... No reaction !
Will try faking a VID=0xcf3,PID=0x9330 device...
Is the boot rom memory mapped when running from SPI ? in that case, reversing the code may help...
I suppose the code is loaded by Atheros because you can trig the same log from TpLink MR3220 Any chance to get this information from Atheros ?
regards
|
13 Sep 2013, 08:31 |
|
|
zorromymy
Joined: 27 May 2013, 14:45 Posts: 13
|
One more step... Pulling down GPIO1 (SPI/ROM) and GPIO13 (HOST/DEVICE) at powerup configures the AR9331 as a device. It registers (as expected) as VID=0xcf3,PID=0x9330 device on the desktop...
|
13 Sep 2013, 09:02 |
|
|
FPeter
Joined: 21 Aug 2013, 21:21 Posts: 101
|
|
13 Sep 2013, 09:15 |
|
|
FPeter
Joined: 21 Aug 2013, 21:21 Posts: 101
|
there is an additional configuration function on GPIO16, called "FW_DOWNLOAD" - but its already set to low:USB mode - i think its a bootlader mode selector for internal ROM mode: You can switch between USB bootloader and wired network (MDIO) bootloader mode
if You set it to high, then You should see different mode on UART console during startup
|
13 Sep 2013, 09:51 |
|
|
zorromymy
Joined: 27 May 2013, 14:45 Posts: 13
|
Here is the linux dmesg log...
[ 1.526243] usb 1-1: new high-speed USB device number 2 using ehci_hcd [ 1.873459] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9330 [ 1.873473] usb 1-1: New USB device strings: Mfr=16, Product=32, SerialNumber=48 [ 1.873484] usb 1-1: Product: USB2.0 WLAN [ 1.873493] usb 1-1: Manufacturer: ATHEROS [ 1.873503] usb 1-1: SerialNumber: 12345
|
13 Sep 2013, 12:13 |
|
|
zorromymy
Joined: 27 May 2013, 14:45 Posts: 13
|
Yes, GPIO16 High + GPIO1 Low start MDIO mode... Here is the uart output:
MAC booting... ROM>:mdio download ready
|
13 Sep 2013, 12:30 |
|
|
gedass
Joined: 07 Dec 2011, 16:01 Posts: 525 Location: Lithuania
|
|
13 Sep 2013, 14:09 |
|
|
zorromymy
Joined: 27 May 2013, 14:45 Posts: 13
|
|
13 Sep 2013, 14:48 |
|
|
Who is online |
Users browsing this forum: No registered users |
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot post attachments in this forum
|
|