zoobab: Intellectual Ventures starts to racket Samsung and LG Electronics: http://i5.be/RC More lawsuits now! The more the better!

zoobab: EPO judges are part of the patent family, expect a disaster when it comes to reinterpretation of software "as such" http://i5.be/Rm

zoobab: Lobby the European Commission and impose software patents on standards: http://i5.be/QY

zoobab: IP Ventures licenses Microsoft Research technology to entrepreneurs and companies in order to foster innovation http://i5.be/QX

zoobab: @EPOorg Welcome OHIM! At least they are under some European Parliament scrutiny, not like you!

zoobab: Microsoft and Philips don't know what a Turing machine is: http://i5.be/QV

zoobab: Microsoft lobbying for software patents in Brussels with Alison Brimelow: http://i5.be/Qt

zoobab: IBM's letter with the "software patents enables open source and open standards" fallacy quoted here: http://i5.be/Qr

zoobab: LG Electronics poxying lawsuits through patent trolls: http://i5.be/Qa

zoobab: Bilski hearing next 9 November in Washington DC: http://i5.be/P8

zoobab: Maria Berger, ex PSE MEP involved in the swpat directive, now judge at the ECJ: http://i5.be/Pz

zoobab: Microsoft says royalties do not conflict with the "free" business model: http://i5.be/Pj

zoobab: Sun could assert patents against a fork vendor, which might not even be able to afford to defend itself: http://is.gd/4r34h

zoobab: Patent lawyers hates the subject matter criteria, push for business method patents and software patents: http://i5.be/OT

zoobab: I have added another quote on why the UPLS will validate software patents in Europe via central caselaw: http://i5.be/Nn

zoobab: RedHat CEO about software patents, nobody can write software without risking a lawsuit http://i5.be/M3

zoobab: FSFE smoking weed: "The company must also make a binding commitment not to enforce its patents against Free Software" http://i5.be/MU

zoobab: Microsoft had only 77 patents in 1995, was already in a monopoly position: http://i5.be/MS

zoobab: @AwakenIP We definitely need more trolls. The more harm the better. Especially against those companies who still believe.

zoobab: All the briefs on Bilski are here: http://awakenip.com/Bilski

Gallery

Step 1: Get a root shell

Connect an ethernet cable between your PC and la Fonera, and the configure the ethernet interface on your linux laptop with the following IP address:

ifconfig eth0 169.254.255.2 broadcast 169.254.255.255 netmask 255.255.0.0

Test your connexion with the router with ping

ping -c 3 169.254.255.1

Then you can activate the SSH dropbear server on la Fonera with the following command (works for version below 0.7.xx) (local copy of fondue.pl):

echo -e '/usr/sbin/iptables -I INPUT 1 -p tcp —dport 22 -j ACCEPT\n/etc/init.d/dropbear' | perl fondue.pl 169.254.255.1 admin

Then you are able to have a shell on the box

ssh 1.552.452.961|toor#1.552.452.961|toor
Password: admin
root shell!

Step 2: Install fon-telnet-redboot

Once you have a shell on the box, download on your laptop fon-telnet-for-redboot_1_mips.ipk (local copy), and upload the package to the router fonera via scp:

zoobab@mylaptop$ scp fon-telnet-for-redboot_1_mips.ipk 1.552.452.961|toor#1.552.452.961|toor:/tmp
Password: admin

Then login to the router

ssh 1.552.452.961|toor#1.552.452.961|toor
Password: admin

And install the package via the following command:

root@Fon$ ipkg install /tmp/fon-telnet-for-redboot_1_mips.ipk

It takes 10 seconds and you get a root shell back. Reboot the router by typing:

root@Fon$ reboot

Step3: Reflash with AP51 utils

Download the 3 following files on your harddisk: openwrt-atheros-2.6-root.jffs2-64k,openwrt-atheros-2.6-vmlinux.lzma, and ap51-flash-1.0-42.

Then launch the ap-utils:

chmod +x ap51-flash-1.0-38
sudo ./ap51-flash-1.0-38 eth0 openwrt-atheros-2.6-root.jffs2-64k openwrt-atheros-2.6-vmlinux.lzma

It takes 10 minutes or so, go drink a coffee or tea.

Step 4: JTAG La Fonera

Pinout

Connections

Apparently the TRST and VCC pins needs to be connected together with a 100ohms resistor:

Tjtag

I used Tjtag3, which has SPI support for the flash. You can find the sources and the binaries for Linux 32bits, 64bits and Windows in tjtag3.zip.

root@lehne /home/zoobab [21]# ./tjtag3 -probeonly /fc:25

==============================================
 EJTAG Debrick Utility v3.0 RC1 Tornado-MOD 
==============================================

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000000000000000000000000000001 (00000001)
*** Found a Atheros AR531X/231X CPU chip ***

    - EJTAG IMPCODE ....... : 01000000010000000100000000000000 (40404000)
    - EJTAG Version ....... : 2.6
    - EJTAG DMA Support ... : No
    - EJTAG Implementation flags: R4k ASID_8 NoDMA MIPS32

Issuing Processor / Peripheral Reset ...  ECR: 0x00000008 Done
Enabling Memory Writes ... Skipped
Halting Processor ... 
00000000000100010000000000001000 (00110008)
00000000000000000000000000001000 (00000008)
<Processor Entered Debug Mode!> ... Done
^C
root@lehne /home/zoobab [22]#

Flash dumps

You need sometimes to power on/off the Fonera to have the dump working correctly with the command:

root@lehne /home/zoobab [22]# ./tjtag3 -backup:wholeflash /fc:25

• Bootloader AR-CFE.BIN.SAVED_20090828_020552 (256KB)
• Kernel AR-KERNEL.BIN.SAVED_20090828_015856 (6.93MB)
• Wholeflash AR-WHOLEFLASH.BIN.SAVED_20090828_014548 (8MB)

Reflashing with dumps

It takes a while (8 hours for me!) to reflash the complete flash chip with the simple jtag adaptor on parallel port.

From the following webpage Autopsy of a Fonera, you can read:

Two memory ICs are available on the Fonera, the first is an ST M25P64 serial flash, with a 50MHz SPI bus and 64Mbit capacity (8MB), in 300mil SO16 format. The fact that SPI has been chosen has the advantage that extra memory devices could be attached to the bus, but it has the caveat that it is slower than a parallel bus. Thus, flashing a new firmware could take a rather long time.

Reflash only the bootloader

Since reflashing the whole chip with JTAG and a parallel port takes too much time for most people, it is useful to reflash only the bootloader (256KB=30mins instead of 8MB=8hours). I still have to try to reflash the dumped bootloader on a virgin flash to see if I can easily use ap51 to rescue the machine.

Write the bootloader — Work In Progress — tjtag3 is segfaulting:

Manual Flash Selection ... Done

Flash Vendor ID: 00000000000000000000000000100000 (00000020)
Flash Device ID: 00000000000000000010000000010111 (00002017)
*** Manually Selected a STMicro M25P64             (8MB) Serial Flash Chip ***

    - Flash Chip Window Start .... : 1c000000
    - Flash Chip Window Length ... : 00800000
    - Selected Area Start ........ : a8000000
    - Selected Area Length ....... : 00040000

*** You Selected to Flash the AR-CFE.BIN ***

=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 0

Loading AR-CFE.BIN to Flash Memory...
[  0% Flashed]   a8000000: 00000000 00000000 00000000 00000000
[  0% Flashed]   a8000010: 00000000 00000000 00000000 00000000
[  0% Flashed]   a8000020: 00000000 00000000 00000000 00000000

[...]

[ 63% Flashed]   a8028ee0: 00000000 00000000 00000000 00000000
[ 63% Flashed]   a8028ef0: 00000000 00000000 00000000 00000000
[ 63% Flashed]   a8028f00: 00000000 Segmentation fault

Todolist

On the todolist:

• blank the flash — does not seem to work…
• test it with ap51
• find if OpenOCD or UrJTAG support SPI flashes

Comments