Cameo WLG2002 Hacking

While I was sitting here looking at the UltraWAP, I noticed my WLG2002 11g AP sitting on the desk. I wondered if this was Linux powered as well. A coupla screws later and the internals were exposed. Intersil chips everywhere, the main SoC being an ISL3893.

What looked like a 4 pin serial interface (no pins soldered though) was indeed one. I soldered 4 pins into it.

After a quick google, I found that it was a 3.3v logic unit and luckily my power source is adjustable between 3v and 12v. I guessed the RX and TX pins and a 50-50 chance of being right paid off.

______________
X X X X
Rx Tx GND VCC

The terminal settings are fast: 115200, 8,N,1

This is an ARM processor and yes, it does indeed run ucLinux:

# cat /proc/version
Linux version 2.4.19-uc1 (root@roger90) (gcc version 2.95.3.2 20010315
(release)) #29 ¥| 11¤ë 11 12:00:49 CST 2004

The people putting this together had a sense of humour, as there are various strange comments in the code. It is also evident that it doesn't take a genius to program these things. Numerous errors are there, and if a feature of ucLinux isn't needed, it seems they just deleted the code and left the error messages in:

Mounting proc on /proc
Bummer, can't write to log on /dev/tty5!
console=/dev/ttyS0

They also have transmit power control! Values like 39 (you'd be unhappy!) and 1000:

# cat regulatory.conf
#
# country/domain configuration file
#
#
# default pda-index = 0
# pda-index should be defined if pda-index != 0

domains FCC, IC countries TW,HK {

default-freq-2 2437;
default-freq-5 5280;

max-output-power 39 {
freq 2412;
}

max-output-power 1000 {
freq 2417, 2422, 2427, 2432, 2437;
freq 2442, 2447, 2452, 2457;
}

max-output-power 39 {
freq 2462;
}

max-output-power 250 {
freq 5260, 5280, 5300, 5320;
}

EIRP no;
}

domains ETSI, ESP countries SG, KR, ZA, CN, JOI, PHI {

EIRP yes;

default-freq-2 2437;

max-output-power 39 {
freq 2412;
}

max-output-power 100 {
freq 2417, 2422, 2427, 2432, 2437;
freq 2442, 2447, 2452, 2457, 2462, 2467;
}

max-output-power 39 {
freq 2472;
}
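
The per-frequency limits in this dump are easier to compare once parsed. The following is an added example, not part of the original post or the device firmware: a small parser whose grammar is inferred only from the excerpt above (the units of max-output-power are not stated there), run on an abridged, reflowed copy that ends in the same unclosed block.

```python
import re

# Constructed sample: an abridged, reflowed copy of the regulatory.conf dump
# above, ending in the same unclosed block as the excerpt does.
SAMPLE = """\
# country/domain configuration file
domains FCC, IC countries TW,HK {
default-freq-2 2437;
max-output-power 39 { freq 2412; }
max-output-power 1000 {
freq 2417, 2422, 2427, 2432, 2437;
freq 2442, 2447, 2452, 2457;
}
max-output-power 39 { freq 2462; }
max-output-power 250 { freq 5260, 5280, 5300, 5320; }
EIRP no;
}
domains ETSI, ESP countries SG, KR, ZA, CN, JOI, PHI {
EIRP yes;
max-output-power 39 { freq 2412; }
max-output-power 100 { freq 2417, 2422; }
max-output-power 39 {
freq 2472;
"""

def parse_regulatory(text):
    """Map each block's first domain to its EIRP flag and {freq: limit}.
    Grammar is inferred from the excerpt only; units are not stated there."""
    text = re.sub(r"#.*", "", text)                     # strip comments
    tokens = re.findall(r"[A-Za-z0-9-]+|[{};]", text)   # commas only separate
    blocks, cur, power, i = {}, None, None, 0
    while i < len(tokens):
        tok, nxt = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "domains":
            cur = blocks.setdefault(nxt, {"eirp": None, "limits": {}})
        elif tok == "EIRP":
            cur["eirp"] = nxt
        elif tok == "max-output-power":
            power = int(nxt)
        elif tok == "freq":                             # consume up to ';' or EOF
            i += 1
            while i < len(tokens) and tokens[i] != ";":
                cur["limits"][int(tokens[i])] = power
                i += 1
        i += 1
    return blocks

def capped_channels(block):
    """2.4 GHz frequencies whose limit is below the block's 2.4 GHz maximum."""
    band = {f: p for f, p in block["limits"].items() if f < 3000}
    return sorted(f for f, p in band.items() if p < max(band.values()))
```

On the sample, capped_channels() returns the band-edge frequencies (2412 and 2462 for the FCC block, 2412 and 2472 for the ETSI block), which are the entries carrying the value 39.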

I'll try and keep the formatting sane!!!!!


Rescueing Boot for the ISL3893, version 0.5.3.0
Copyright (C) 1993-2002 Intersil Americas Inc. All Rights Reserved.
MAC Address: 00.40.f4.b8.64.e8
Forcing soft reset from Bootloaderÿ
Rescueing Boot for the ISL3893, version 0.5.3.0
Copyright (C) 1993-2002 Intersil Americas Inc. All Rights Reserved.
MAC Address: 00.40.f4.b8.64.e8

Boot: start searching for image... Found
Boot: Checking Image CRC32... Okay.
OKA
Uncompressing Linux (bzip2)... done, booting the kernel.
Linux version 2.4.19-uc1 (root@roger90) (gcc version 2.95.3.2 20010315 (release)) #29 ¥| 11¤ë 11 12:00:49 CST 2004
Processor: ARM ARM946 revision 1
Architecture: ISL3893
Boot Struct at 0003f000
Boot parameter block at 0003ffc8
SRAM size 0x7b7b40
On node 0 totalpages: 2039
zone(0): 0 pages.
zone(1): 2039 pages.
zone(2): 0 pages.
Kernel command line:
Calibrating delay loop... 72.29 BogoMIPS
Memory: 7MB = 7MB total
Memory: 4640KB available (1126K code, 1989K data, 40K init)
Dentry cache hash table entries: 1024 (order: 1, 8192 bytes)
Inode cache hash table entries: 512 (order: 0, 4096 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Invalid Boot Parameter Block 0003ffc8 (magic 0)
Starting kswapd
JFFS version 1.0, (C) 1999, 2000 Axis Communications AB
pty: 256 Unix98 ptys configured
ISL3893 UART serial driver version 1.0 (2002-07-11) with no serial \
options enabled
ttyS00 at 0xc0000500 (irq = 8) is a ISL3893 UART
dev_elem, type 2, mtu 1568, head 224, tail 32
eth0: Prism Embedded MVC v2 packet IF version 0.4.0.0 found,Macaddress = 00:40:f4:b8:64:e8
dev_elem, type 1, mtu 1568, head 224, tail 32
eth1: Prism Embedded MVC v2 packet IF version 0.4.0.0 found,Macaddress = 00:40:f4:b8:64:e8
dev_elem, type 2, mtu 1568, head 224, tail 32
eth2: Prism Embedded MVC v2 packet IF version 0.4.0.0 found,Macaddress = 00:40:f4:b8:64:e8
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 2 disk images:
0: 166C04-2FD803 [VIRTUAL 166C04-2FD803] (RO)
1: 816A200-81B01FF [VIRTUAL 816A200-81B01FF] (RO)
loop: loaded (max 8 devices)
physmap flash device: 400000 at 8000000
NO QRY response
NO QRY response
Amd/Fujitsu Extended Query Table v1.0 at 0x0040
phys_mapped_flash: JEDEC Device ID is 0xC4. Assuming broken CFI table.
phys_mapped_flash: Swapping erase regions for broken CFI table.
number of CFI chips: 1
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
Using cameo's wlg2002 partition definition
Creating 3 MTD partitions on "phys_mapped_flash":
0x00000000-0x00010000 : "Bootloader"
0x00010000-0x001b0000 : "Access Point Firmware"
0x001b0000-0x00200000 : "Flash Filesystem"
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 512)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
cramfs: wrong magic
JFFS: Trying to mount a non-mtd device.
VFS: Mounted root (romfs filesystem) readonly.
Mounting proc on /proc
Bummer, can't write to log on /dev/tty5!
console=/dev/ttyS0
init started: BusyBox v0.51 (2004.11.08-10:47+0000) multi-call binary
# device eth1 entered promiscuous mode
device eth0 entered promiscuous mode
Jan 1 00:00:02 ucd-snmp[64]: UCD-SNMP version 4.2.6

(Re)starting paed
paed uses obsolete (PF_INET,SOCK_PACKET)
paed (re)started succesfully
TFTP Upgrade Server v0.0.2 (2004.11.08-10:47+0000) started
Failed opening device /usr/etc/images/uapfirmware.img: No such file or directory
paed stopped succesfully
Failed to get SNMP password
Error, couldn't open SNMP passwd file
iptables: not found
Cannot get ifindex of interface eth3: No such device
Failed to build PIMFOR packet
Get: send_rcv failed
paed stopped succesfully
SIOCDELRT: No such process
dhcpcd not running on interface br0
eth2: link up
(Re)starting paed
paed (re)started succesfully
killall: autoip: no process killed
SIOCSIFFLAGS: Cannot assign requested address
killall: udhcpd: no process killed
br0: port 1(eth1) entering listening state
eth1: link up
br0: port 2(eth0) entering listening state
Cannot get ifindex of interface eth3: No such device
Failed to build PIMFOR packet
Get: send_rcv failed
Cannot get ifindex of interface eth3: No such device
Failed to build PIMFOR packet
Set: send_rcv failed
eth1: link up
eth1: link up
eth1: link up
eth1: link up
eth1: link up
sided_multicast_init: Send router sollicitation for if br0:0 10.255.255.255
eth1: link up
eth1: link up

Accepting connections on port 1122

br0: port 2(eth0) entering learning state
br0: port 1(eth1) entering learning state
br0: port 2(eth0) entering forwarding state
br0: topology change detected, propagating
br0: port 1(eth1) entering forwarding state
br0: topology change detected, propagating

#
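
The MTD lines in this log are enough to work out the flash layout for a firmware audit. The following is an added example, not part of the original post: it parses the physmap and partition lines (copied from the log above into a constructed sample), reports any part of the mapped flash window that no partition covers, and splits a raw dump by partition. The carve() helper assumes a raw dump whose offset 0 is the start of the mapped window.

```python
import re

# Constructed sample: lines copied from the boot log above.
BOOT_LOG = """\
physmap flash device: 400000 at 8000000
Using cameo's wlg2002 partition definition
Creating 3 MTD partitions on "phys_mapped_flash":
0x00000000-0x00010000 : "Bootloader"
0x00010000-0x001b0000 : "Access Point Firmware"
0x001b0000-0x00200000 : "Flash Filesystem"
"""

FLASH_RE = re.compile(r"^physmap flash device: ([0-9a-f]+) at ([0-9a-f]+)$", re.M)
PART_RE = re.compile(r'^0x([0-9a-f]{8})-0x([0-9a-f]{8}) : "([^"]+)"$', re.M)

def flash_layout(log):
    """Return (window_size, [(name, offset, size)], [(gap_offset, gap_size)]).
    The kernel prints each partition as start-end with an exclusive end."""
    m = FLASH_RE.search(log)
    if m is None:
        raise ValueError("no physmap line in log")
    window = int(m.group(1), 16)
    spans = sorted((int(s, 16), int(e, 16), n) for s, e, n in PART_RE.findall(log))
    layout, gaps, cursor = [], [], 0
    for start, end, name in spans:
        if start < cursor or end > window:
            raise ValueError(f"partition {name!r} overlaps or exceeds the window")
        if start > cursor:
            gaps.append((cursor, start - cursor))
        layout.append((name, start, end - start))
        cursor = end
    if cursor < window:
        gaps.append((cursor, window - cursor))   # flash no partition covers
    return window, layout, gaps

def carve(dump, layout):
    """Split a raw flash dump (bytes, offset 0 = start of window) by partition."""
    return {name: dump[off:off + size] for name, off, size in layout}

if __name__ == "__main__":
    window, layout, gaps = flash_layout(BOOT_LOG)
    for name, off, size in layout:
        print(f"{off:#08x} {size // 1024:5d} KiB  {name}")
    for off, size in gaps:
        print(f"{off:#08x} {size // 1024:5d} KiB  (unpartitioned)")
```

On the log above, the three partitions end at 0x00200000 while the mapped window is 0x400000 bytes, so the range from 0x00200000 to 0x00400000 is reported as unpartitioned.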


More Information

Didz's picture

Products page and datasheet: http://www.cameo.com.tw/products/html/wireless/wlg-2002_2003.htm


WLG-2002 IEEE 802.11g 54Mbps Wireless Access Point (Fixed Antenna)
WLG-2003 IEEE 802.11g 54Mbps Wireless Access Point (Reverse SMA connector Antenna)

Transmit Power:
802.11g: Minimum 12dBm typically
802.11b: Minimum 15dBm typically

Receiver Sensitivity:
54Mbps: Typical 68dBm @ 10% PER (Packet Error Rate)
11Mbps: Typical 81dBm @ 8% PER (Packet Error Rate)


So how do these perform?


Well, I use one to link the shed and the house. The house PCs are at max 2 metres away and the shed has a magbase 7dBi antenna clipped upside down on the gutter. It is about 2 metres from the AP as well.

As you might have guessed, it gives full 54 connection. It has never failed. There is slim to no chance that the firmware will be improved. There isn't any open source OS for this thing, but there is a complete toolchain available if you search.
Seattle Wireless has this to say:
http://www.seattlewireless.net/index.cgi/ISL3893
I'd say these are just your average run of the mill el-cheapo.
Pick one up on eBay for $20 would be all I'd recommend, otherwise go with something else, unless it is just a home AP, then it's great.


WLB-2006_2007

Didz's picture

There's also the WLB-2006_2007 http://www.cameo.com.tw/products/html/wireless/wlb-2006_2007.htm


Receiver Sensitivity
11Mbps: Typical -84dBm @ 8% PER (Packet Error Rate)
2Mbps: Typical -90dBm @ 8% PER (Packet Error Rate)

Transmit Power
Minimum 13dBm typically
(I think that's a full 11Mbit though, range coverage would not be as much, see below)

Range Coverage
Indoor: 50 ~ 100 meters (depends on environment)
Outdoor: 100 ~ 500 meters (depends on environment)
(This is the same as the Minitar MNWAPB!)

Power Adapter
5V / 2.4A
(Doesn't say DC, wonder if PoE works well with it)


You can upgrade the firmware via web based access as well with this unit.

