Analysis of Mini 3G/4G WiFi Wireless Router (A5-V11)

There are many different variants of the A5-V11 router on the market. For this analysis a Goliton® 2in1 150Mbps 3G WiFi Mobile USB Router is used.

First of all it is necessary to remove the housing of the device. This can be done without any tools, just by lifting off the upper part of the case with some pressure.

After this step the printed circuit board is accessible. On its top side there are four test points, which indicate a serial bus (UART).

For convenient use it is recommended to solder header pins to them.

With an oscilloscope it is possible to identify the test points.

-------------.
Network    o |    <- GND
Jack       o |    <- RX
           o |    <- TX
           o |    <- VCC
             |

After connecting a UART-to-USB adapter, I powered up the router. If the device does not power up, disconnect the RX cable while the router is booting; after initialization the RX cable can be connected again.

The boot output of the router:

sudo picocom -b 57600 /dev/ttyUSB0 
picocom v1.7

port is        : /dev/ttyUSB0
flowcontrol    : none
baudrate is    : 57600
parity is      : none
databits are   : 8
escape is      : C-a
local echo is  : no
noinit is      : no
noreset is     : no
nolock is      : no
send_cmd is    : sz -vv
receive_cmd is : rz -vv
imap is        : 
omap is        : 
emap is        : crcrlf,delbs,

Terminal ready


U-Boot 1.1.7 (Dec 13 2011 - 13:49:42)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81fb4000
spi_wait_nsec: 42 
spi device id: c8 40 16 c8 40 (4016c840)
find flash: G 1407
raspi_read: from:30000 len:1000 
.*** Warning - bad CRC, using default environment

============================================ 
Ralink UBoot Version: 3.6.0.0
-------------------------------------------- 
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping 
DRAM_TYPE: SDRAM 
DRAM_SIZE: 256 Mbits
DRAM_WIDTH: 16 bits
DRAM_TOTAL_WIDTH: 16 bits
TOTAL_MEMORY_SIZE: 32 MBytes
Flash component: SPI Flash
Date:Dec 13 2011  Time:13:49:42
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384 

 ##### The CPU freq = 360 MHZ #### 
 estimate memory size =32 Mbytes
raspi_read: from:40028 len:6 
.
raspi_read: from:0 len:30004 
....*************Is_update = 0 plat = 1**************

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 

You choosed 3

 0 
   
3: System Boot system code via Flash.
## Booting image at bc050000 ...
raspi_read: from:50000 len:40 
.   Image Name:   Linux Kernel Image
   Created:      2013-08-23   7:31:57 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3794821 Bytes =  3.6 MB
   Load Address: 80000000
   Entry Point:  80307000
raspi_read: from:50040 len:39e785 
..........................................................   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80307000) ...
## Giving linux memsize in MB, 32

Starting kernel ...


LINUX started...

 THIS IS ASIC
Linux version 2.6.21 (root@hex.centos.mac) (gcc version 3.4.2) #3378 Fri Aug 23 15:31:27 HKT 2013

 The CPU feqenuce set to 360 MHz
CPU revision is: 0001964c
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS1,57600n8 root=/dev/ram0
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
cause = d080806c, status = 11000000
PID hash table entries: 128 (order: 7, 512 bytes)
calculating r4koff... 0015f900(1440000)
CPU frequency 360.00 MHz
Using 180.000 MHz high precision timer.
Console: colour dummy device 80x25
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 26472k/32768k available (2368k kernel code, 6296k reserved, 727k data, 2732k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
detected lzma initramfs
detected lzma initramfs
initramfs: LZMA lc=3,lp=0,pb=2,dictSize=1048576,origSize=10946560
LZMA initramfs by Ming-Ching Tiew <mctiew@yahoo.com>........................................................................................................................................................................deice id : c8 40 16 c8 40 (4016c840)
Warning: un-recognized chip ID, please update SPI driver!
AT25DF321(1f 47000000) (4096 Kbytes)
mtd .name = raspi, .size = 0x00400000 (4M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 6 MTD partitions on "raspi":
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Config"
0x00040000-0x00050000 : "Factory"
0x00050000-0x00400000 : "Kernel"
0x00050000-0x00400000 : "Romfs"
0x00050000-0x00400000 : "Firmware"
RT3xxx EHCI/OHCI init.
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
NTFS driver 2.1.28 [Flags: R/W].
fuse init (API version 7.8)
io scheduler noop registered (default)
----- GPIO Init ----
DIR=003eff84
MOD=0000005d
DATA=003c7f85
Ralink gpio driver initialized
Serial: 8250/16550 driver $Revision: 1.7 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A
serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A
RAMDISK driver initialized: 16 RAM disks of 12288K size 1024 blocksize
loop: loaded (max 8 devices)
rdm_major = 254
MAC_ADRH -- : 0x00000000
MAC_ADRL -- : 0x00000000
Ralink APSoC Ethernet Driver Initilization. v2.0  256 rx/tx descriptors allocated, mtu = 1500!
MAC_ADRH -- : 0x00002c67
MAC_ADRL -- : 0xfbfffff0
PROC INIT OK!
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V0.17
PPTP driver version 0.8.1
block2mtd: version $Revision: 1.1.1.1 $
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (256 buckets, 2048 max) - 232 bytes per conntrack
ip_conntrack_pptp version 3.1 loaded
ip_nat_pptp version 3.0 loaded
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone
ipt_time loading
arp_tables: (C) 2002 David S. Miller
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Freeing unused kernel memory: 2732k freed
nvram_init start.
NVRAM MTD is mtd1
_nvram_read checksum = 1085 save checksum = 1085
nvram_init finished. 
Netlink Hotplugdrt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x101c0000
rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: Product: Ralink EHCI Host Controller
usb usb1: Manufacturer: Linux 2.6.21 ehci_hcd
usb usb1: SerialNumber: rt3xxx
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x101c1000
usb usb2: Product: RT3xxx OHCI Controller
usb usb2: Manufacturer: Linux 2.6.21 ohci_hcd
usb usb2: SerialNumber: rt3xxx-ohci
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected

phy_tx_ring = 0x015c9000, tx_ring = 0xa15c9000

phy_rx_ring0 = 0x015ca000, rx_ring0 = 0xa15ca000
RT305x_ESW: Link Status Changed
Hit enter to continue...
--->Wan_Hwaddr: 00:40:F8:A0:2F:E9
--->lan_Hwaddr: 00:40:F8:A0:2F:EA

3G Router Start!
rt2860v2_ap: module license 'unspecified' taints kernel.


=== pAd = c0041000, size = 630176 ===

<-- RTMPAllocAdapterBlock, Status=0
RX DESC a041f000  size = 2048
<-- RTMPAllocTxRxRingMemory, Status=0
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
3b:43:dc:d3:42:ab:35:9d:cd:73:1d:76:4e:64:5d:3b:
3a:3a:75:28:d4:a9:79:28:6c:8f:e2:d5:74:9d:f7:d7:

1. Phy Mode = 9
2. Phy Mode = 9
3. Phy Mode = 9
MCS Set = ff 00 00 00 01
Main bssid = 00:40:f8:a0:2f:e8
<==== rt28xx_init, Status=0
0x1300 = 00064380
Algorithmics/MIPS FPU Emulator v1.5
device ra0 entered promiscuous mode
device eth2 entered promiscuous mode
br0: port 2(eth2) entering learning state
br0: port 1(ra0) entering learning state
=====> set eth2.2 hwaddr to 00:40:F8:A0:2F:E9 error
ioctl siocsifmtu fail 19 No such device
Hit enter to continue...
br0: topology change detected, propagating
br0: port 2(eth2) entering forwarding state
br0: topology change detected, propagating
br0: port 1(ra0) entering forwarding state
-----------------run smartd----------------------
Hit enter to continue...

BusyBox v1.12.1 (2013-06-20 00:48:37 HKT) built-in shell (msh)
Enter 'help' for a list of built-in commands.

BoC Router>

After the root console appeared, I tried to view the root file system, but I only got back “Unknow command”.

BoC Router> ls /
Unknow command

The following command drops into a shell mode in which some basic commands can be executed.

BoC Router> runshellcmd
shell mode on

Invasive Method

Remove the SPI flash from the PCB.

Pin layout of the SO8 SPI chip

            __
  MOSI  5 =|  |= 4  GND
   CLK  6 =|  |= 3  NC
    NC  7 =|  |= 2  MISO
   VCC  8 =|_*|= 1  CS (dot on top of the chip)

Pin layout of the Raspberry Pi

e       +-----+
d       | o o <-  GND
g       | o o |
e       | o o |
        | o o |
o       | o o |
f       | o o |
        | o o |
R       | o o |
a  CS  -> o o <-  CLK
s       | o o <-  MISO
p       | o o <-  MOSI
b       | o o <-  3.3V 
e       | o o |
r       | o o |
r       | o o |
y       | o o |
        | o o |
P       | o o |
i       | o o |
        | o o |
        +-----+

With flashrom it is possible to read out the SPI flash.

sudo flashrom --programmer linux_spi:dev=/dev/spidev0.0 -c "MX25L6406E/MX25L6408E" -r flash01.bin
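A dump like flash01.bin can be carved straight from the MTD table and the uImage header that the boot log above prints. The Python script below is an added example, not code from the original post: it splits a dump along those offsets, parses the U-Boot legacy header at the start of the Kernel partition and verifies both CRC32 fields, which is how to confirm that a read-back is clean and that the kernel image has not been altered. It assumes the 4 MB flash reported in the boot log and runs on a constructed sample image with a dummy payload rather than a real dump; the function names are my own.

```python
import struct
import zlib

# MTD layout as printed by the A5-V11 kernel at boot (offsets taken from the log).
PARTITIONS = {
    "Bootloader": (0x000000, 0x030000),
    "Config":     (0x030000, 0x040000),
    "Factory":    (0x040000, 0x050000),
    "Kernel":     (0x050000, 0x400000),
}
UIMAGE_MAGIC = 0x27051956
# 64-byte big-endian U-Boot legacy header: magic, hcrc, time, size, load, ep, dcrc,
# os, arch, type, comp, 32-byte name.
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")

def carve(image):
    """Split a raw SPI flash dump into the partitions listed above."""
    return {name: image[start:end] for name, (start, end) in PARTITIONS.items()}

def parse_uimage(blob):
    """Parse a U-Boot legacy image header at offset 0 and verify both CRC32 fields."""
    fields = UIMAGE_HDR.unpack_from(blob, 0)
    magic, hcrc, _time, size, load, ep, dcrc, _os, _arch, _type, comp, name = fields
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at offset 0")
    # The header CRC is computed over the header with the ih_hcrc field zeroed.
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:UIMAGE_HDR.size]
    data = blob[UIMAGE_HDR.size:UIMAGE_HDR.size + size]
    return {
        "name": name.rstrip(b"\0").decode(),
        "size": size, "load": load, "entry": ep, "compression": comp,
        "header_crc_ok": zlib.crc32(zeroed) & 0xFFFFFFFF == hcrc,
        "data_crc_ok": len(data) == size and zlib.crc32(data) & 0xFFFFFFFF == dcrc,
    }

def build_sample_image(payload=b"\x5d\x00\x00\x10\x00" * 200):
    """Constructed 4 MB dump: erased flash (0xff) with a valid uImage at the Kernel offset.
    Header values mirror the boot log (load 0x80000000, entry 0x80307000, MIPS, LZMA)."""
    hdr = bytearray(UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, 0, len(payload), 0x80000000,
                                    0x80307000, zlib.crc32(payload) & 0xFFFFFFFF,
                                    5, 5, 2, 3, b"Linux Kernel Image"))
    struct.pack_into(">I", hdr, 4, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    image = bytearray(b"\xff" * 0x400000)
    image[0x50000:0x50000 + len(hdr) + len(payload)] = bytes(hdr) + payload
    return bytes(image)
```

A real dump can be passed to carve() as the bytes read from flash01.bin; a failing data CRC after a flashrom read usually means a bad read or a modified image and is worth re-reading before drawing conclusions.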

Known Problems

  • The router was not able to boot when the TX cable of the USB to UART adapter was connected during initialization. This could be “fixed” by plugging in the TX cable during or after the boot.
