MGB100
MGB100 is a WLAN access point with a user-supplied 2.5-inch hard disk. The firmware is a Linux 2.4.28 based system coming with several closed source binaries from AMIT.
Vendors
The device is available from several vendors, which are:
- Level-One (WAP-0007)
- Comet Labs (MGB100)
- Conceptronic (CHD2WLANU)
- Micronica (MGB100)
- OvisLink (WMU-6000FS)
- Safecom (SWSAPUR-5400)
- SMC (WAPS-G EU)
- Pearl (PE6643)
Hardware
After removing the enclosure it looks like this:
The board mainly consists of:
- AMRISC 20000 (R3210 i386 compatible CPU + 2 x eth, UART, DMA, INT, SDRAM controller, 59 GPIO, TIMER, USB 1.1, USB 2.0)
- IT8211F (IDE controller)
- RT2560F (WLAN 54Mbit)
- AT93C46 (1 kBit EEPROM)
- IP101A (Ethernet Transceiver)
- MX29LV320A Flash Mem (4 MByte)
- 42S16160 SDRAM (32 MByte)
- PCF8563 (RTC)
- 4 hard wired LEDs, 4 programmable LEDs
- 2 buttons
Except for the hardware clock (RTC) the board seems to be PC compatible.
Enable telnet access
The original firmware doesn't allow one to log in via telnet. But it is quite easy to modify the firmware to enable telnet access. To do this we download the original firmware from the vendor's website. If the version actually running on our device is not available, we first upgrade our MGB100 to an available version. The firmware file usually contains several parts:
- Linux kernel
- Ramdisk containing root file system
- Partition with HTML files
- Recovery loader
- AMIT BIOS
The root file system is built upon BusyBox, which also contains a telnetd. To enable telnet access we must change the startup scripts to start telnetd when booting. This can be done by modifying the rootfs. We need two small programs for this: splitamitbin and makeamitbin.
First, we have to compile these programs:
  bunzip2 splitamitbin.c.bz2
  cc -o splitamitbin splitamitbin.c
  bunzip2 makeamitbin.c.bz2
  cc -o makeamitbin makeamitbin.c
Now we are able to split the downloaded firmware into its parts. Let's assume the firmware file is called WAP-0007(R4.00b5)_2006-01-13.zip:
  # unzip the firmware
  unzip "WAP-0007(R4.00b5)_2006-01-13.zip"
  # we have a BIN file now, we split it
  ./splitamitbin "WAP-0007(R4.00b5)_2006-01-13.BIN"
  # see the product ID, remember this for later
  # in this example it is: DDC_RUS001
  # in your case it might be different
  # see what we've got
  ls -l
The biggest file is probably the root file system. We will mount it using the loop back device and then modify it to our needs.
  # first make a copy of it
  cp "WAP-0007(R4.00b5)_2006-01-13.BIN-part03" root.gz
  # now unzip the root fs
  gunzip root.gz
  # create a directory to hold the root fs
  mkdir rootfs
  # become root
  su
  # mount the root fs
  mount -o loop root rootfs
  # make sure we have a telnetd
  find rootfs | grep telnetd
  # modify startup script to start telnetd
  vi rootfs/etc/rc.d/rc.bridge
  # insert this after "#!/bin/ash" to start telnetd:
  # -> /sbin/telnetd &
  # save file, quit
  # unmount the root fs
  umount rootfs
  # back to normal user
  exit
  rmdir rootfs
  # zip rootfs
  gzip -9 root
Now we have a root file system that automatically starts telnetd on bootup. We create a valid firmware file:
  # replace DDC_RUS001 by your product ID
  ./makeamitbin -1 DDC_RUS001 -o root.bin ramdisk root.gz
Now we can upgrade the firmware of our device via the web interface. The file to use is called root.bin. After upgrading, the box will restart automatically and we can log in via telnet. The username is root, the password is the admin password set before with the web interface (default: admin).
If BusyBox isn't compiled with telnetd support, you can either compile a stand-alone version of telnetd or use Christian's solution.
Backup original firmware
It is always a good idea to have a backup of the original firmware. Since we have telnet access now, this is quite easy to achieve. We log in as root. We must delete some files on the ramdisk to have enough space to store the flash image (unless we attach a hard disk or a memory stick). The biggest files we can delete are the Samba daemons and e2fsck. Using 'ps' we can see the process IDs of nmbd and smbd. We kill these processes with 'kill <pid>'. Now we can delete the 3 files:
  rm /sbin/smbd
  rm /sbin/nmbd
  rm /sbin/e2fsck
Now there is enough space on the ramdisk to hold the flash image with the original firmware. We can get this via /dev/mtd0.
  cat /dev/mtd0 > /share/mgb100.img
Now there should be a 4 MB image in /share. We log out and copy the file to our PC via ftp (user: anonymous, no password, binary mode!).
If there's not enough free space on the ramdisk, check out Christian's solution.
Bootloader
To load and execute the Linux kernel we need a boot loader. The original firmware has the so-called "RDC BIOS" to do this. But this is not well suited for development, because this BIOS does not allow us to flash new images. Only one small mistake and your device is a brick. Well, not really: you still have a chance to flash a new image with JTAG.
Redboot is a powerful bootloader which fills this gap. It allows one to write images to flash memory or to boot over the network. It is Open Source, so it can be adapted to your needs. You can change the location of the kernel or ramdisk as needed. The command line for the kernel can also be changed.
RDC BIOS cannot easily be changed due to the lack of source code. The Linux kernel must be at location 000010h and the ramdisk must be at 100010h. The maximum size for the kernel is 1,048,560 bytes; for the ramdisk it's 2,621,424 bytes. The command line for the kernel is constant.
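Because the RDC BIOS cannot report a bad image before it is flashed, it is worth checking a rebuilt root.gz (or a replacement kernel) against the fixed offsets and size limits above on the PC first. The following script is an added example, not part of this page or of the AMIT tools; it assumes the "4 MByte" flash means 4 MiB (4,194,304 bytes) and that the ramdisk part is a plain gzip stream, as the gunzip step above implies. The sample data it checks is constructed inline.

```python
import gzip

# Flash layout the RDC BIOS expects, as stated on this page.
FLASH_SIZE = 4 * 1024 * 1024   # MX29LV320A, assumed 4 MiB
KERNEL_OFFSET = 0x000010
KERNEL_MAX = 1_048_560         # kernel slot ends at 0x100000
RAMDISK_OFFSET = 0x100010
RAMDISK_MAX = 2_621_424        # ramdisk slot ends at 0x380000
GZIP_MAGIC = b"\x1f\x8b"


def check_kernel(data: bytes) -> dict:
    """Check a kernel part against its fixed slot in flash."""
    return {
        "size": len(data),
        "fits": len(data) <= KERNEL_MAX,
        "end": KERNEL_OFFSET + len(data),
    }


def check_ramdisk(data: bytes) -> dict:
    """Check a regenerated root.gz: must be valid gzip and fit its slot."""
    is_gzip = data[:2] == GZIP_MAGIC
    unpacked = None
    if is_gzip:
        try:
            unpacked = len(gzip.decompress(data))
        except (OSError, EOFError):
            is_gzip = False  # magic present but stream is damaged
    end = RAMDISK_OFFSET + len(data)
    return {
        "size": len(data),
        "is_gzip": is_gzip,
        "fits": is_gzip and len(data) <= RAMDISK_MAX,
        "end": end,
        "in_flash": end <= FLASH_SIZE,
        "unpacked_size": unpacked,
    }


def check_flash_backup(data: bytes) -> bool:
    """A dump of /dev/mtd0 should be exactly one whole flash chip."""
    return len(data) == FLASH_SIZE


# Constructed stand-in for a rebuilt root.gz (not a real MGB100 rootfs).
SAMPLE_ROOTFS_GZ = gzip.compress(b"constructed rootfs contents\n" * 64)
```

Run check_ramdisk() on the real root.gz (and check_flash_backup() on the mgb100.img copied from the box) before uploading anything through the web interface.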
Before using Redboot, we must understand that it takes 128 kB of flash memory, whereas RDC BIOS is only 24 kB. So flashing Redboot overwrites these parts:
- RDC-BIOS
- Recovery loader
- MAC address
- parts of the GUI
This also means that the original firmware (at least the Amit binaries) doesn't work with Redboot. So it is important to back up the flash beforehand.
To install Redboot on your MGB100 you can do:
  # coming soon....
  # -> src/redboot/
Linux kernel
The original firmware contains a (somewhat ugly) patched Linux kernel. The RTC can only be set by the (closed source) Amit binaries. LEDs and the two buttons are also controlled by these Amit binaries. The configuration data for this device is in a 64 kB segment in flash, but the data structure is unknown. The situation is unsatisfactory.
This document is outdated. Please have a look at the German version, or try Google Translate.