Linksys WRT100 and WRT110
The Linksys WRT100 and WRT110 are similar routers internally, packaged in rather different enclosures. Both are RT2780-based 100Mbit routers with 2.4GHz 802.11n WiFi.
This fork is stable on the WRT100/WRT110. The hardware components are well-supported in Attitude Adjustment. However, due to having only 16MB of memory, some functions are not possible, like the LuCI web GUI.
- CPU: Ralink RT2780 SoC (MIPS 4KEc) at 266MHz (like RT2880)
- RAM: 16MB
- Flash: 4MB
- Ethernet: 100Mbit on a 5-port IP175C/IP175E switch
- Wireless: Ralink RT2872, supports 2.4GHz
- Expansion: None
- JTAG: No idea
- Serial: 57600bps, Linux sees as ttyS1
Both boards are based on Gemtek designs and share a single factory firmware image. OpenWrt-leitec splits these into two.
The flash is mapped at 0xBC400000.
0x000000 - 0x050000 uBoot
0x30000 uBoot environment variables
0x40000 RT2872 EEPROM data
0x40004 MAC address
0x050000 - 0x130000 Linux Kernel
0x130000 - 0x390000 RootFS
0x390000 - 0x3e0000 LANGUAGE_PACK
0x3e0000 - 0x3f0000 NVRAM
0x3f0000 - 0x400000 NVRAM_FACTORY
The bootloader expects a uImage kernel at 0xBC450000. Alternatively, it can load an image via its TFTP client (i.e. a PC is the server). It understands both gzip and LZMA compressed kernels. Anything beyond that is specific to the firmware installed.
Factory firmware: The Linux 2.4 kernel loads a squashfs v3 filesystem. Settings are kept via the NVRAM partition. Some settings are always overwritten at boot.
The NVRAM_FACTORY partition contains the WPS PIN. Flashing OpenWrt-leitec will erase this partition, and so the PIN will be gone as well. If reverting to the factory firmware, a default PIN will be used. WPS is completely insecure, anyway, so this isn't really that big of a deal.
Both the web and TFTP interfaces require an image with a 32-byte Gemtek header.
OpenWrt: The OpenWrt port uses only the kernel and rootfs partitions to allow for more room. The kernel fits into the same sized partition (896k), although this should be easily changed. The system automatically creates a subpartition rootfs_data as is standard with OpenWrt. This contains the JFFS2 read-write overlay. This stretches from the first aligned block after the squashfs v4 rootfs to the end of the flash. There is an additional defined partition firmware that is the entire space from kernel to the end, for easy firmware upgrades via sysupgrade.
The current trunk version does away with the distinction between kernel and rootfs entirely and uses a single firmware partition. The system automatically find the squashfs root.
The serial port is connected at J6 on the board.
( ) (RXD) ( ) ( ) (TXD) <
( ) (GND) ( ) (VCC)
The bootloader protects the flash on startup. This is a good thing, and when you do need to flash something it is easily disabled. Note that this only applies to the bootloader! Once the OS takes over, it has full control of the flash chip.
The one critical thing is to NEVER, EVER unprotect the u-Boot partition 0xBC400000-0xBC450000. Without a functioning boot loader, your device is useless, even with a serial console hooked up. Since there doesn't seem to be a JTAG connection available, losing the bootloader spells doom for your router.
The "safe" flash area is 0xBC450000-0xBC7FFFFF. This is the kernel, rootfs and the two NVRAM partitions. This is the area that you can effectively screw up and recover, provided you have the serial console working. Without the console, though, a broken firmware means a broken router. The bootloader doesn't have any way to recover without the console. There's a TFTP client but not a TFTP server, and the client doesn't try to do anything on its own when it finds an unbootable flash. There doesn't seem to be any sort of procedure with the reset button or whatnot to bring it into recovery mode, either.
Here's an example of how to load a file firmware.bin via TFTP onto flash. In this example, the TFTP server is a PC at 192.168.1.100 (defaults to 192.168.3.79) and the client takes 192.168.1.1 (defaults to 192.168.3.244). 0x8a800000 is a safe RAM address to load things into. Images flashed this way must begin with a uImage header and not the 32-byte Gemtek header.
setenv ipaddr 192.168.1.1
setenv serverip 192.168.1.100
tftp 8a800000 firmware.bin
erase bc450000 bc7fffff
cp.b 8a800000 bc450000 $(filesize)
bootm
The last line boots into the newly flashed image. If this is the factory firmware, it'll recreate the NVRAM partition. If this is OpenWrt, it'll format the JFFS2 space.