Go to HOMEPAGE

Practically all the files that can bedownloaded from this site need to be uncompressed with gzip (check the file extension). Two longerfiles have been split. After uncompressing the seperate parts of these files with gzip, you willhave filenames that look likefilename_aa, filename_ab, etc. Merge the serpate filestogether with the command:
cat filename_a* > filename

Hackingan Edimax BR6104KP router all starts with creating theneccesary Serial Cable to connect to the router. I bought a cheapSiemens mobile C25 serial connection cable (for a couple of Euro's).This cable is an easy solution to transform the high voltage in/outputlevels of the computer's RS232 port, to the 3.3V levels that the routerrequires.
Initially the connectors on the Siemens C25 serial cable look like this:

Someone I know, who also hacked into his Edimax, mounted an extra(mini-DIN) connector to the back of the router to connect the serialcable. I think the router looks much less nerdy if there is notcontinuously hanging a cable from it, so I added a mini-DIN connectorplug to my Edimax. The back of my router now looks like:

And the serial connector cable looks like:


The connections on the router print with the cable I bought are asfollows:
1.RX White
7.TX Blue
8.GND Black

More serial cable modding information can be found at:
http://www.meshcube.org/meshwiki/ModifiedMobileSerCable

Onceyou have got your serial connection setup between the router andyour PC, you can start a terminal window to make a connection with yourserial port. If your PC is running Linux, minicom is a nice tool. Startminicom with the command (if you start minicom for the very first timeit will ask you to start minicom as root): 
minicom -s
You should set up the following minicom configuration:

If you use the first serial port of your computer, you should set the Serial Device optionto /dev/ttyS0.

I always start minicom with the option -o.Minicom will notcreate a lock file, which is not neccesarysince on myPC I'm always the ony one trying to connect to the COM port.

If you have your serial cable connected, and minicom setup, you canstart minicom:
minicom -o
Ifyou switch on the power on your router, you should be able to see thebooting process of the standard firmware in you minicom window.
The booting process ends with a login screen which asks for a usernameand password. To login:
user: super
passwd: @gogolinux
It wil return with a #,thismeans you are now on an a linux command shell. To convince yourselfthat this is all really happening, you can play around with the leds onyour router:
echo "led on" > /dev/led_usb0
echo "led off" > /dev/led_usb0

Thefirst thing I want to try is to get the router to boot from USBstick. I therefor followed the instructions from JeroenDomburg.

First I prepared my 256MB USB stick by dividing it into threepartitions. I plug my stick into my PC, and open a Linux command shell.The command mountshows you where the stick is mounted (if your Linux distribution mountsit automatically). In my case it is automatically mounted; the deviceis /dev/sda1.
First use the command suto become root in a Linux command window and unmount the memorystick. 
umount /dev/sda1
Then start fdisk, and use the following commands as a guideline toformatting the memory stick:
fdisk /dev/sda

(d)elete partition
(n)ew partition 
(p)rimary
(1)st primary partition
start cyclinder = default
end cyclinder = +100M
(n)ew partition
(p)rimary
(3)rd primary partition
start cyclinder = default
end cyclinder = +26M
(n)ew partition
(p)rimary
(2)nd primary partition
start cyclinder = default
end cyclinder = default
(t)ype
(1)st partition
(83) Linux
(t)ype
(2)nd partition
(b) W95 FAT32
(t)ype
(3)rd partition
(82) Linux swap
(p)rint
(w)rite
Now the usbstick partitions have to be formatted:
mke2fs /dev/sda1
mkswap /dev/sda3
mkfs.vfat -v /dev/sda2
Now make sure that /dev/sda1is mounted. Then make sure thatyou are rootand change directory to the location where the stick ismounted. In my case:
cd /mnt/usbdisk
Then untar the rootfs file as created by JeroenDomburg or my snapshotof that file.
tar -xjvf ~/MyDownload/rootfs.tar.bz2
The memory stick now contains a filesystem which the router can useduring booting.

Nowthe firmware file has to be uploaded to the Router'sflash. Jeroen Domburg created a ready to use firmware which can befound hereor you can use this snapshot.

First I want to understand the contents of the firmware file and testit on the router without running the risk of blocking myself out of therouter completely. I used the package khexedit (which comes with mySuSE distribution) to view and modify the contents of the firmwarefile. I found some information about the structure of the firmware fileat Norocketscience.

=================================
I checked the Flash_usbroot-1.0.bin which is 1057507 bytes long. Andthe EdiEngBR6104KP_2.13.bin which is 1892078 bytes long and is aofficial firmware release from Edimax. You don't really need this file,but ifyou want to check it or keep it to be able to restore the originalrouter firmware, it can be found at the Edimaxsite, or here's a snapshot (part1, part2) of thefile.In the text below, the information that comes from Jeroen Domburgsfirmware file is printed in black. If the Edimax firmware differs, thisinformation is printed in gray.

The first header is located at 0x00 - 0x0c
It starts with WB4K (=6104K firmware)  or WBKP (=6104KP firmware)
Then: 00 00 01 00
Then: 4 bytes with the length of the file that follows (in this casewebpages-6104kp.bin, as we will see a couple of bytes further)
C8 57 01 00 (= 0x0157c8) orED01 00 00 (= 0x01ed)
So this file will end on 0x0157c8 + 0x0c = 0x0157d4 or 0x01ed + 0x0c =0x01f9

At location 0x0c-0x0157d4 or0x0c-0x01f9we find a gzipped file. At location 0x0c the header of a gzipcan be identified (I'm not going to describe the gzip format). You cansee the name of the file that is stored in the gzip file:
webpages-6104k.bin orwebpages-6104kp.bin


Then there's padding of zeros (0x00) until adress 0x20000 or adress 0x10000

CSYS header from 0x20000 - 0x2000c or 0x10000 - 0x1000c
Starts with CSYS
Then: 00 00 50 80
Then: 4 bytes with the length of the file: vmlinux.bin
D7 22 0E 00 (= 0x0e22d7) orE2DE 1B 00 (= 0x1bdee2)
This file will end at 0x0e22d7 + 0x2000c = 0x1022e3 or 0x1bdee2+0x1000c = 0x1cdeee

If you use the hexeditor to extract the vmlinux.bin from the fileyoucan uncompress it using:
cat vmlinux.bin | gzip -d -c > vmlinux
Gzipwill give an error message if you have a corrupt gzip file. If all iswell, you should see no error messages and you should have received avmlinux file.
Then use:
cat vmlinux | gzip -9 -c > vmlinuz
Younow have a vmlinuz file which you can test withoption (b) during theboot process of your router. This process is described in the nextsection.
The vmlinuz file is basically identical to the vmlinux.bin file, exceptthat the compression level is higher.

Inorder to test the vmlinuz file, start minicom -o and makesure that the minicom window is active.
Now power on your router, and tap the spacebar three times, to enterthe boot menu of the router. you will see the following message:
Linux Loader Menu
====================
(a) Download vmlinuz to flash ...
(b) Download vmlinuz to sdram (for debug) ...
(c) Exit

Please enter your key :

Now the thing that really took me some time to discover, is the factthat option aand option b,do not expect the same type of file. Even though both options suggestthat you need to send a vmlinuz file. Option a however expects afirmware file (must contain a CSYS header), while option b expects acompressed kernel file (vmlinuz). Option b is the safeoption, using this option you should not be able to do permanent damageto your router.

I had some problems initiating the filetransfer smoothly, and from somecomments on the net, I noticed that some others had thatproblemalso. In order to start the filetransfer without difficulties I did thefollowing......
Do not choose any of the options in the bootmenu (yet). To start thefile transfer protocol in the minicom window press:
Ctrl-A,S
Choose xmodem, and select the vmlinuzfile that you want to send (In minicom tap the spacebar twice to changedirectory, tap it once to select a file, and press return to startsending the file). Minicom is now waiting for the modem to startreceiving the file.
Now the router needs to receive the command b, to startreceiving the file. I created a tiny binaryfilewith only the ascii character code for b in it. Now to start thetransfer I send the contents of the file to the com port (in mycase ttyS1):
cat b.bin > /dev/ttyS1
If you look in the minicom window you can see that thetransfer commences nicely.

Once the transfer is done, the new kernel will start bootingimmediately. If you stick is plugged into the first usb port of therouter, the whole booting process should run through, and you shouldget a command prompt at the end of the process. If you did not plug inthe usb stick, the process will stop relatively early, and keepsretrying every second to see if the stick is available:
request_module[block-major-8]: Root fs not mounted
VFS: Cannot open root device "sda1" or 08:01
Please append a correct "root=" boot option
<4>Retry in 1 sec.
Retry in 1 sec.
request_module[block-major-8]: Root fs not mounted
VFS: Cannot open root device "sda1" or 08:01
Please append a correct "root=" boot option
<4>Retry in 1 sec.
Retry in 1 sec.
If you plug inyour stick (into the first USB port), the boot process shouldcontinue. If you do not have a network cable connected to the router,the dhcp process will also get into a loop wating for the DHCP server.Using Ctrl-C you can interrupt this loop, the booting process willcontinue and end up with a command prompt.

Ifthe test in the previous section went well, you are ready to flashJeroen Domburg's firmware into the router.
Start minicom -oand make sure that the minicom window is active.
Nowpower on your router, and tap the spacebar three times, to enter theboot menu of the router. You will see the following message:
Linux Loader Menu
====================
(a) Download vmlinuz to flash ...
(b) Download vmlinuz to sdram (for debug) ...
(c) Exit

Please enter your key :
Do not choose any of the options in the bootmenu (yet). To start thefile transfer protocol in the minicom window press:
Ctrl-A,S
Choose xmodem, and select the flash_usbroot-1.0.binfile. Minicom is now waiting for the modem to startreceiving the file.
Now the router needs to receive the command a, to startreceiving the file. I created a tiny binaryfilewith only the ascii character code for a in it. Now to start thetransfer I send the contents of the file to the com port (in mycase ttyS1):
cat a.bin > /dev/ttyS1
Afer uploading you will see:
Linux Loader Menu
====================
(a) Download vmlinuz to flash ...
(b) Download vmlinuz to sdram (for debug) ...
(c) Exit

Please enter your key : a
Downloading...........PASS

Eraseing nor flash.......PASS

Programming nor flash...PASS
You will be back in the Linux Loader Menu. Choose c to start the newkernel.

OK.Now I understand how it works; flashing a new kernel into therouter, andbooting from usb stick. Now I want to create my own utilities and/orkernel as I see fit.

First I tried to use the cross-compiler that Edimax has made availableas Edimax-tools.I was not able to get these tools to work on my SuSE 10.1. In the end Idecided to install an old Linux distribution which uses the same kernelversion as the original Edimax firmware. I chose Mandrake 8.2, whichuses kernel 2.4.18. With this Mandrake version, the Edimax tools, andthe Busybox sources, I was able to build a new Busybox executable forJeroen Domburg's rootfs, which also included vi, and swapon. The sourceis located hereand the result can be found here.

The fact that I had to install an old Linux distribution, in order tocompile a new package for my router bothered me (a lot). It must bepossible to compile new packages for my router with my current (andfuture) SuSE versions. After experimenting a lot with adding extraenvironment settings to the makecommand. For example:
yes "" | make -j1 CC=/export/tools/bin/mipsel-linux-gcc CROSS=/export/tools/bin/mipsel-linux- 
LD=/export/tools/bin/mipsel-linux-ld AR=/export/tools/bin/mipsel-linux-ar RANLIB=/export/tools/bin/mipsel-linux-ranlib 
CROSS_COMPILE=/export/tools/bin/mipsel-linux-
#Other options I tried: AR, CC, RANLIB, CFLAGS, IFLAGS and LDFLAGS
I also got my hopes up when I discovered the BuildrootuClibc site.
I was not able to get the compilation process to work on mySuSE 10.1

Aftera lot of browsing on the internet and almost giving up, I foundthis magnificent Sunspot site.
I accurately followed the descriptions, and it all worked like a charm.

Here's what I did based on the Sunspot information:
I created a folder named Sunspotand copied the files mentioned on the site to that directory. To makesure that all neccesary files remain available, here are snapshots ofthe files I used:
Linksfrom Sunspot Myown snapshots
http://midge.vlad.org.ua/src/kamikaze/kamikaze-200602050443.tar.bz2 kamikaze-200602050443.tar.bz2_aa.gz
kamikaze-200602050443.tar.bz2_ab.gz
kamikaze-200602050443.tar.bz2_ac.gz
kamikaze-200602050443.tar.bz2_ad.gz
kamikaze-200602050443.tar.bz2_ae.gz
kamikaze-200602050443.tar.bz2_af.gz
kamikaze-200602050443.tar.bz2_ag.gz
http://midge.vlad.org.ua/tmp/004-kernel-entry.patch 004-kernel-entry.patch.gz
http://www.sunspot.co.uk/Projects/SWEEX/files/toolchain060504/do_mounts.c do_mounts.c.gz
http://www.sunspot.co.uk/Projects/SWEEX/files/toolchain060504/usb-shci.c usb-shci.c.gz
http://www.sunspot.co.uk/Projects/SWEEX/files/toolchain060504/usb-shci.h usb-shci.h.gz
http://www.sunspot.co.uk/Projects/SWEEX/files/toolchain060504/serial.c serial.c.gz
http://www.sunspot.co.uk/Projects/SWEEX/files/TheKr1s/LEDCfor5more/led.c led.c.gz
http://www.sunspot.co.uk/Projects/SWEEX/files/TheKr1s/LEDCfor5more/led.h led.h.gz
http://midge.vlad.org.ua/svn/trunk/openwrt-midge/target/linux/image/adm5120/src/mksyshdr.c mksyshdr.c.gz
http://www.sunspot.co.uk/Projects/SWEEX/files/TheKr1s/led_set.c led_set.c.gz
If you want to use the same configuration settings I used, here's my configurationfilefor kamikaze, and here is the configurationfile I used for the kernel. If you want touse this file, copy it in the Sunspotdirectory, just like you did withthe other files.

When building a package, I always like to log exacly what I do. Anice way to do that, is to use the following two commands when youstartyour work:
script make.log1
history -c
When you are done type:
history
exit
After you finish your work, you have a log file: make.log1which contains all the terminal in and output information, with at theend a listing of the commands that are logged in the log file. Thisworks fine for me, hope you like it.

(Make sure following packages are installed:
ncurses, flex, zlib-devel, bison)

I put all the abovementioned files in the Sunspot directory and executethe following commands:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 
cd Sunspot
mkdir kamikaze-200602050443
cd kamikaze-200602050443
tar xvjf ../kamikaze-200602050443.tar.bz2
cp ../004-kernel-entry.patch trunk/openwrt/target/linux/adm5120-2.4/patches
cd trunk/openwrt
cp .config .config.orig
cp ../../../_config_kamikaze-200602050443 ./.config
gmake menuconfig
gmake V=99
vi build_mipsel/iproute2-2.6.11-050330/netem/paretonormal.c
gmake V=99
cp ../../../serial.c build_mipsel/linux-2.4-adm5120/linux-2.4.32/arch/mips/am5120/
cp ../../../led.[ch] build_mipsel/linux-2.4-adm5120/linux-2.4.32/arch/mips/am5120/
cp ../../../do_mounts.c build_mipsel/linux-2.4-adm5120/linux-2.4.32/init
cp ../../../usb-shci.[ch] build_mipsel/linux-2.4-adm5120/linux-2.4.32/drivers/usb/host/
cp ../../../mksyshdr.c build_mipsel/linux-2.4-adm5120/linux-2.4.32
cd build_mipsel/linux-2.4-adm5120/linux-2.4.32
cp .config .config.orig
cp ../../../../../../_config_kernel-2.4.32 ./.config
gmake menuconfig
gmake V=99
gcc mksyshdr.c -o mksyshdr 
chmod 755 mksyshdr
./mksyshdr csys vmlinuz
cat csys vmlinuz > midge-ttyS1-96-firmware.bin

An initial root filesystem is located in the directory Sunspot/kamikaze-200602050443/trunk/openwrt/build_mipsel/linux-2.4-adm5120/root/.I copy these files to the usb stick using the following commands (asroot):
cd Sunspot/kamikaze-200602050443/trunk/openwrt/build_mipsel/linux-2.4-adm5120/root/
tar cvf - . | (cd /mnt/usbdisk ; tar xf -)
If you need the kernel modules, you need to copy them seperately to theusb stick:
cp -R Sunspot/kamikaze-200602050443/trunk/openwrt/build_mipsel/linux-2.4-adm5120/modules/lib/modules/2.4.32/kernel 
 /media/usbdisk/lib/modules/2.4.32
As described above, the vmlinuzfile can be tested with the router, and if it works (together with thememory stick) the midge-ttyS1-96-firmware.binfile can be flashed into the router (make sure your memory stick is inusb port 1).

Nowthe router boots automatically from usb. If you want to log in for thefirst time as root,use the password: midge.
Some of the things I modified on my usb stick:
  1. To control the leds on the router, I followed theinstructions on Sunspot. From my Sunspot directoryI used the following commands:
    mkdir Myownled.c
    cd Myownled.c
    cp ../led_set.c .
    ../kamikaze-200602050443/trunk/openwrt/staging_dir_mipsel/bin/mipsel-linux-uclibc-gcc -o led_set ./led_set.c
    Now copy the led_setexecutable to the bindirectory on the usb stick.
  2. In etcon the memory stick, I created thishttpd.conf file.
  3. I created a directory called etc/init.d/unused.I moved the following files from etc/init.dto the unuseddirectory:
    S60fw
    S80crond
    S90usb_mount
    S90vtun
    S95ipkg-update
  4. I added thisS85httpd file to the etc/init.ddirectory
  5. I added thisS12swapon file to the etc/init.ddirectory
  6. I added the following lines to the end ofthe etc/init.d/S99heart_ledfile:
    for i in 2 3 4 5 6 8 9 10 11 12; do
     led_set off $i;
    done
  7. In the file etc/midge.confthe following changes are made:
    Line 4 is changed from:
    MIDGE_TYPE=tmpfs
    to:
    MIDGE_TYPE=usb

    Line 19 is changed from:
    #USB_MOUNT=yes
    to:
    USB_MOUNT=yes
  8. Because we are booting from usb stick thefile sbin/mount_rootneeds to be modified. Now it looks like this.
  9. In order to conect to your local network, make sureto modify etc/network/interfacesand etc/resolv.confwhich should contain your local domainname and DNS-server adress.
  10. Furthermore a couple of directories have to becreated on the usb stick:
    mkdir root
    mkdir mnt
    mkdir -p var/log
    mkdir var/run
    mkdir var/www
  11. The directory tmpis a symbolic link to ram/tmp.This should be changed because we are using a usb stick as rootfilesystem, which means we can write to the stick and do not need towrite to a ramdisk:
    rm tmp
    mkdir tmp
  12. If you have the ssh server enabled, and you wouldwant to use sftp also, you need to add:
    usr/libexec/sftp-server
    usr/lib/libcrypto.so.0.9.7
  13. Because I wanted to add a visitor counter to mywebpage, I downloaded wwwcount2.6.In order to create a cgi executable for the router I used the followingcompile statements (assuming your usb stick is mounted on /media/usbdisk:
    tar --gzip -xvf wwwcount2.6.tar.gz
    cd wwwcount2.6.tar.gz

    (rm -rf config.{cache,status} ; 
    PATH=/data1/frank/Routerhacking/trunk/openwrt/staging_dir_mipsel/usr/bin:
    /data1/frank/Routerhacking/trunk/openwrt/staging_dir_mipsel/bin:
    /bin:/sbin:/usr/bin:/usr/sbin 
    AR=/data1/frank/Routerhacking/trunk/openwrt/staging_dir_mipsel/bin/mipsel-linux-uclibc-ar 
    AS=/data1/frank/Routerhacking/trunk/openwrt/staging_dir_mipsel/bin/mipsel-linux-uclibc-as 
    LD=/data1/frank/Routerhacking/trunk/openwrt/staging_dir_mipsel/bin/mipsel-linux-uclibc-ld 
    NM=/data1/frank/Routerhacking/trunk/openwrt/staging_dir_mipsel/bin/mipsel-linux-uclibc-nm 
    CC=/data1/frank/Routerhacking/trunk/openwrt/staging_dir_mipsel/bin/mipsel-linux-uclibc-gcc 
    GCC=/data1/frank/Routerhacking/trunk/openwrt/staging_dir_mipsel/bin/mipsel-linux-uclibc-gcc 
    CXX=/data1/frank/Routerhacking/trunk/openwrt/staging_dir_mipsel/bin/mipsel-linux-uclibc-g++ 
    RANLIB=/data1/frank/Routerhacking/trunk/openwrt/staging_dir_mipsel/bin/mipsel-linux-uclibc-ranlib 
    CFLAGS="-Os -pipe -mips32 -mtune=mips32 -funit-at-a-time " 
    ./configure --target=mipsel-linux --host=mipsel-linux --build=i386-pc-linux-gnu 
    --without-database --without-ttf --prefix=/media/usbdisk/usr/local/wwwcount2.6/)

    (common_libs="mutils bigplus sll combine"; 
    for lib in $common_libs; do 
     dir="./libs/$lib"; 
     echo "========== Entering directory: $dir "; 
     sleep 1; 
     (cd $dir; make); 
    done; )

    (common_utils="mkstrip extdgts mwhich"; 
    for u in $common_utils; do 
     dir="./utils/$u"; 
     echo "========= Entering directory: $dir"; 
     (cd $dir; make); 
    done; )

    ( cd ./src ; make )
    In order to install wwwcount, the file Config.tmpl has tobe modified. The variable CGIBIN_DIRon line 1, should be:
    CGIBIN_DIR="/media/usbdisk/usr/local/apache/cgi-bin"
    Now as rootyou can install the counter:
    ./Count-install
    Since the /media/usbdisk directory is now compiled into some of thewwwcount files, we need to make sure that this directory also exists onthe usb stick. Furthermore some other settings need to be done:
    mkdir -p /media/usbdisk/media/usbdisk/usr/local
    ln -s /usr/local/wwwcount2.6 /media/usbdisk/media/usbdisk/usr/local
    ln -s /usr/local/apache /media/usbdisk/media/usbdisk/usr/local
    echo 1 > /media/usbdisk/usr/local/wwwcount2.6/data/counter_db.dat
    chown -R 33.33 /media/usbdisk/usr/local/wwwcount2.6/{data,logs}
    mkdir /media/usbdisk/var/www/cgi-bin
    cp /media/usbdisk/usr/local/apache/cgi-bin/Count.cgi /media/usbdisk/var/www/cgi-bin
    Make sure that the [authorized]section of the file /media/usbdisk/usr/local/wwwcount2.6/conf/count.cfgcontians the names with which your server can be accessed. You can addthe following lines to your html page:
    src="/cgi-bin/Count.cgi?dd=E&df=counter_db.dat&cache=F&expires=0"
    alt="Count">

Some really helpfull links:
http://wiki.openwrt.org/Edimax
http://www.sunspot.co.uk/Projects/Sweex.htm
http://sprite.student.utwente.nl/~jeroen/projects/lb000021/rootfs/
      This page contains links topractically all essential sources of information:
http://www.linux-mips.org/wiki/BR6104



Document made with NvuValid HTML 4.01 TransitionalGet Firefoxopensuse 10.1Linux user
Count