
MGB100

MGB100 is a WLAN access point with a user-supplied 2.5-inch hard disk. The firmware is a Linux 2.4.28 based system that ships with several closed-source binaries from AMIT.

Vendors

The device is available from several vendors, which are:

Hardware

After removing the enclosure it looks like this:

The board mainly consists of:

Apart from the hardware clock (RTC), the board seems to be PC compatible.

Enable telnet access

The original firmware does not allow logging in via telnet, but it is quite easy to modify the firmware to enable telnet access. To do this we download the original firmware from the vendor's website. If the version actually running on our device is not available, we first upgrade the MGB100 to an available version, so that the root file system we modify matches the kernel already on the device. The firmware file usually contains several parts:

The root file system is built on BusyBox, which also contains a telnetd. To enable telnet access we must change the startup scripts to start telnetd at boot. This can be done by modifying the rootfs. We need two small programs for this, splitamitbin and makeamitbin:

First, we compile these programs:

bunzip2 splitamitbin.c.bz2
cc -o splitamitbin splitamitbin.c
bunzip2 makeamitbin.c.bz2
cc -o makeamitbin makeamitbin.c

Now we can split the downloaded firmware into its parts. Let's assume the firmware file is called WAP-0007(R4.00b5)_2006-01-13.zip:

# unzip the firmware
unzip "WAP-0007(R4.00b5)_2006-01-13.zip"
# we have a BIN file now, we split it
./splitamitbin "WAP-0007(R4.00b5)_2006-01-13.BIN"
# see the product ID, remember this for later
# in this example it is: DDC_RUS001
# in your case it might be different
# see what we've got
ls -l

The biggest file is probably the root file system (part03 in this example; check the sizes from the ls output, the numbering may differ). We mount it using the loopback device and then modify it to our needs.

# first make a copy of it
cp "WAP-0007(R4.00b5)_2006-01-13.BIN-part03" root.gz
# now unzip the root fs
gunzip root.gz
# create a directory to hold the root fs
mkdir rootfs
# become root
su
# mount the root fs
mount -o loop root rootfs
# make sure we have a telnetd
find rootfs | grep telnetd
# modify startup script to start telnetd
vi rootfs/etc/rc.d/rc.bridge
# insert this after "#!/bin/ash" to start telnetd:
# ->   /sbin/telnetd &
# save file, quit
# unmount the root fs
umount rootfs
# back to normal user
exit
rmdir rootfs
# zip rootfs
gzip -9 root

Now we have a root file system that automatically starts telnetd at boot. Check that root.gz is no larger than 2,621,424 bytes, the ramdisk limit imposed by RDC BIOS (see Bootloader below); a larger image will not fit the flash region. Then we create a valid firmware file:

# replace DDC_RUS001 by your product ID
./makeamitbin -1 DDC_RUS001 -o root.bin ramdisk root.gz

Now we can upgrade the firmware of our device via the web interface, using the file root.bin. After the upgrade the box restarts automatically and we can log in via telnet. The username is root; the password is the admin password previously set in the web interface (default: admin). Since telnetd now accepts that password over an unencrypted connection on every boot, change the default admin password before putting the box back on the network.

If BusyBox is not compiled with telnetd support, you can either compile a stand-alone telnetd or use Christian's solution.
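As an added example (not from this page and not part of the AMIT tools), the following shell functions wrap the rootfs patching steps so they can be re-run safely: the telnetd check, an idempotent insertion of "/sbin/telnetd &" directly after the "#!/bin/ash" line, and a size check of the compressed ramdisk against the 2,621,424-byte limit of RDC BIOS. The paths and the limit are taken from this page; the file names in the usage comments and the rootfs used for testing are constructed.

```shell
#!/bin/sh
# Added example for the MGB100 rootfs patch; not code from the page or from AMIT.
# Usage (assumed file names, run after "mount -o loop root rootfs"):
#   has_telnetd rootfs && enable_telnetd rootfs/etc/rc.d/rc.bridge
#   ... umount, gzip -9 root ...
#   ramdisk_fits root.gz && ./makeamitbin -1 <product id> -o root.bin ramdisk root.gz

RAMDISK_MAX=2621424          # largest gzipped ramdisk RDC BIOS accepts (from this page)
TELNETD_LINE='/sbin/telnetd &'

# Size of a file in bytes; works with GNU, BSD and BusyBox wc.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# True if the unpacked rootfs contains a telnetd (binary or BusyBox symlink).
has_telnetd() {
    find "$1" -name telnetd 2>/dev/null | grep -q .
}

# Insert "/sbin/telnetd &" as the second line of an ash startup script.
# Running it twice must not add the line twice, and a script without the
# expected "#!/bin/ash" first line is refused rather than patched blindly.
enable_telnetd() {
    script="$1"
    if grep -qxF "$TELNETD_LINE" "$script"; then
        return 0                       # already patched
    fi
    if ! head -n 1 "$script" | grep -q '^#!/bin/ash'; then
        echo "$script: first line is not #!/bin/ash, refusing to patch" >&2
        return 1
    fi
    tmp="$script.tmp"
    { head -n 1 "$script"; echo "$TELNETD_LINE"; tail -n +2 "$script"; } > "$tmp" \
        && mv "$tmp" "$script"
}

# Reject a gzipped rootfs that would not fit the ramdisk slot in flash.
ramdisk_fits() {
    size=$(file_size "$1")
    if [ "$size" -gt "$RAMDISK_MAX" ]; then
        echo "$1: $size bytes exceeds the ramdisk limit of $RAMDISK_MAX bytes" >&2
        return 1
    fi
    return 0
}
```

The size check matters because makeamitbin does not know the flash layout; an oversized root.gz only fails once it is on the device.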

Backup original firmware

It is always a good idea to have a backup of the original firmware. Since we have telnet access now, this is quite easy. Log in as root. We must delete some files on the ramdisk to have enough room for the flash image (unless we attach a hard disk or a memory stick). The biggest files we can delete are the Samba daemons and e2fsck; the ramdisk is loaded from flash at boot, so these deletions are undone by the next reboot. Using ps we find the process IDs of nmbd and smbd and kill them with kill <pid>. Now we can delete the three files:

rm /sbin/smbd
rm /sbin/nmbd
rm /sbin/e2fsck

Now there is enough space on the ramdisk for the flash image containing the original firmware. We read it from /dev/mtd0:

cat /dev/mtd0 > /share/mgb100.img

There should now be a 4 MB image in /share. We log out and copy the file to our PC via FTP (user: anonymous, no password, binary mode!). Compare the file size on the PC with the size on the box: a smaller file means the transfer was truncated or not in binary mode, and a backup like that is worthless when you need it.

If there is not enough free space on the ramdisk, check out Christian's solution.

Bootloader

To load and execute the Linux kernel we need a boot loader. The original firmware uses the so-called "RDC BIOS" for this. It is not well suited for development, because this BIOS does not allow us to flash new images: one small mistake and your device is a brick. Well, not quite, you still have a chance to flash a new image via JTAG.

RedBoot is a powerful bootloader that fills this gap. It can write images to flash memory or boot over the network. It is open source, so it can be adapted to your needs: the location of the kernel or ramdisk can be changed as required, and so can the kernel command line.

RDC BIOS cannot easily be changed because its source code is not available. It expects the Linux kernel at offset 000010h and the ramdisk at 100010h. The maximum size for the kernel is 1,048,560 bytes, for the ramdisk 2,621,424 bytes, i.e. 1 MB and 2.5 MB respectively, minus the 16 bytes in front of each image. The kernel command line is fixed.
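The following shell functions are an added example, not part of this page's procedure, that serve the backup section above and the RDC BIOS layout just described: they check a mgb100.img copied to the PC and carve the kernel and ramdisk regions out of it at the stated offsets and maximum sizes. Two things are assumptions rather than facts from the page: the dump is exactly 4 MiB (4,194,304 bytes, read from "4 MB image"), and the 16 bytes in front of each image are skipped because their layout is not documented here. The checksum uses cksum, which is POSIX; whether the box's BusyBox build includes it is not stated on the page.

```shell
#!/bin/sh
# Added example for checking an MGB100 flash dump; not code from the page.
# Usage (assumed file names):
#   on the box, before the FTP transfer:  cksum /share/mgb100.img
#   on the PC:  dump_ok mgb100.img && dump_matches mgb100.img <crc from the box>
#               carve_kernel mgb100.img kernel.bin; carve_ramdisk mgb100.img ramdisk.gz

FLASH_SIZE=4194304          # assumed: 4 MiB flash, as dumped from /dev/mtd0
KERNEL_OFF=16               # 000010h, from this page
KERNEL_MAX=1048560          # from this page
RAMDISK_OFF=1048592         # 100010h, from this page
RAMDISK_MAX=2621424         # from this page

# Size of a file in bytes; works with GNU, BSD and BusyBox wc.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# True if the dump has exactly the flash size. A short file usually means the
# FTP transfer was not in binary mode or the ramdisk ran out of room mid-copy.
dump_ok() {
    [ "$(file_size "$1")" -eq "$FLASH_SIZE" ]
}

# Compare the copy on the PC with the CRC printed by "cksum" on the box.
dump_matches() {
    [ "$(cksum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Copy the region [offset, offset+len) of a file into another file.
# tail -c +N is 1-based, hence the +1; head stops after len bytes.
carve() {    # carve <dump> <offset> <len> <out>
    tail -c "+$(( $2 + 1 ))" "$1" | head -c "$3" > "$4"
}

carve_kernel()  { carve "$1" "$KERNEL_OFF"  "$KERNEL_MAX"  "$2"; }
carve_ramdisk() { carve "$1" "$RAMDISK_OFF" "$RAMDISK_MAX" "$2"; }
```

The carved ramdisk is the gzipped root file system in the form RDC BIOS loads it, so it can be inspected with gunzip and mount -o loop exactly like the part split out of the vendor firmware earlier; comparing the two is a cheap way to confirm the dump is sane before you overwrite the BIOS with RedBoot.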

Before using RedBoot we must understand that it takes 128 kB of flash memory, whereas RDC BIOS is only 24 kB. So flashing RedBoot overwrites these parts:

This also means that the original firmware (at least the AMIT binaries) does not work with RedBoot, so it is important to back up the flash first.

To install RedBoot on your MGB100 you can do:

# coming soon....
# -> src/redboot/

Linux kernel

The original firmware contains a (somewhat ugly) patched Linux kernel. The RTC can only be set by the closed-source AMIT binaries, which also control the LEDs and the two buttons. The configuration data for this device lives in a 64 kB segment in flash, but its data structure is unknown. The situation is unsatisfying.

This document is outdated. Please have a look at the German version, or try Google Translate.