Debrick Ubiquity Nanostation con Arduino

Questo appunto descrive un’ esperienza trascorsa con l’upgrade da AirOS 5.3.x a scooreggione-AA-dynack su una Nanostation M5, usando il firmware 3f3b55f42539af7d2803bf2ed14998f1 postato da zioproto in data 25-Jul-2013 16:42.

Con il presupposto di formulare qualcosa di utile per chi dovesse imbattersi in un brick ostinato.

bella_e_precariaPer upgradare da AirOS 5.3.x a Scooreggione ho fatto i soliti step:

ssh root@ip.nano.station.m5

XM.v5.3.3.sdk# wget http://stud.netgroup.uniroma2.it/~saverio/scooreggione-AA-dynack/openwrt-ar71xx-generic-ubnt-nano-m-squash fs-factory.bin
--2011-12-21 23:13:00-- http://stud.netgroup.uniroma2.it/~saverio/scooreggione-AA-dynack/openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin
Resolving stud.netgroup.uniroma2.it... 160.80.221.14
Connecting to stud.netgroup.uniroma2.it|160.80.221.14|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5833116 (5.6M) [application/octet-stream]
Saving to: `openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin'

100%[====================================================================================>] 5,833,116 819K/s in 7.0s

2011-12-21 23:13:07 (811 KB/s) - `openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin' saved [5833116/5833116]

XM.v5.3.3.sdk# ls
boot.txt running.cfg
leases.1.eth0 system.cfg
openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin upload

XM.v5.3.3.sdk# md5sum /tmp/openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin
3f3b55f42539af7d2803bf2ed14998f1 /tmp/openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin

XM.v5.3.3.sdk# /sbin/ubntbox fwupdate.real -m /tmp/openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin -d
Found mtd block: /dev/mtd0(u-boot)
Found mtd block: /dev/mtd1(u-boot-env)
Found mtd block: /dev/mtd2(kernel)
Found mtd block: /dev/mtd3(rootfs)
Found mtd block: /dev/mtd4(cfg)
Found mtd block: /dev/mtd5(EEPROM)
Got U-Boot variable: mtdparts = mtdparts=mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),1024k(kernel),6528k(rootfs),256k(cfg),64k(EEPROM)
Adding U-Boot partition: u-boot 9F000000 00040000
Adding U-Boot partition:

[ ... infiniti digits di log ... ]

file_cksum: 0x00000000
===========================
Working(3) with block: /dev/mtd5
Copying FIS partition: 5 <=
name: 'EEPROM'
flash_base: 0x9F7F0000
mem_base: 0x00000000
size: 0x00010000
entry_point: 0x00000000
data_len: 0x00010000
desc_cksum: 0x00000000
file_cksum: 0x00000000
===========================
New FIS entries count 6
FIS Change: added partition terminator instead of 0x75.
New partition count: 0, changes: 1
Writing U-Boot environment to /dev/mtd1
Done

Al termine del processo – pare che abbia fatto reboot regolare – la shell ssh non risponde più, aspetto un pò, evidentemente non abbastanza da lasciarlo completare, prima di spegnerlo e riaccenderlo “come se niente fosse”.

Al riavvio l’ip 192.168.1.1 non risponde.
Tento diversi netdiscover -i eth0 con range (-r) nostrani.
Accendo, spengo, seguono vani hard-reset stile 30-30-30 (intendo intervalli di secondi acceso/spento).

… faccio cose … Una voce dentro di me mi pone dinanzi l’evidenza: “Hai brickato la nano. Bravo.

applausi

Non esponendo nessuna interfaccia eth0 al riavvio temo che tentare tftp sia vano, tftp è un client, fa una connessione tcp/ip mentre l’interfaccia eth0 dell’M5 non sembra rispondere a un bel niente. Anche un tcpdump -vvv -e -i eth0 non ha esposto niente, a parte – e solo per un’istante – un pacchetto ipv6 ICMP (sfottente).

In questo caso l’unica alternativa è procedere con una connessione seriale, sui pin TX e RX troviamo un’interfaccia I/O a caratteri dove si accede alla shell busybox di openwrt.

Serve un USB-to-TTL.
Purtroppo è sabato pomeriggio e questa merce a Cosenza non si trova se non alzando il telefono e scomodando il mondo. Il programmatore TTL di Verde Binario pare chessia a casa di qualcuno (+rancore).

Seguono interrogativi quali:

  • Che faccio lo ordino su internet?
  • Quando m’arriva?
  • Dopodomani c’è il MakerFaire, quando se ne riparlerà?

Poi l’idea: ma Arduino non ha sulla board un chip FTDI per comunicare in seriale via usb?
Infatti crea il device /dev/ttyACM0 ( … ACM1 ACM2 ACM3 ) attraverso il quale scriviamo in “maniera seriale”.

I pin RX e TX dell’ FTDI sono collegati all’ATMEGA328P.
Ma se noi togliessimo il chip sfrutteremmo la board come interfaccia FTDI semplice.

arduino_senza_MCU
Poi documentandomi su Google ho letto che è possibile annullare il chip ATMEGA328P semplicemente tenendo premuto il tasto reset, meglio ancora cortocircuitare RESET con GND (collegare i pin).

Nanostation_nuda
pinout

Pinout:

RX di Arduino con pin SIN
TX di Arduino con pin SOUT
PIN RST e GND di Arduino collegati

Nota 1: sono stato un’ora a collegare RX con SOUT e TX con SIN vanamente…
Nota 2: Il cavo blu collega SIN a RX, il cavo nero è GND, il cavo ROSSO è la 3.3Volts che a noi non serve, L’arancione collega RST con GND, poi c’è un cavo ambiguo – una parte bianca e un’altra grigia – questo cavo collega SOUT con TX.

wires_bb

Per capire se la combinazione è quella giusta è bastato aprire un emulatore di terminale seriale e configurare device e velocità. Sembrava funzionare, al boot del device nel terminale vedo scorrere diversi bytes, purtroppo indecifrabili.
Configurando la velocità da 9600 a 115200 inizio a capirci qualcosa, bingo.

cutecom

L’M5 presenta eth0 e eth1 scollegate, se configuro le interfacce il link continua ad essere down.
Se riavvio e da seriale scrivo f [INVIO] vado in failsafe mode, in questa modalità eth0 ha il link up.
Ecco un estratto del log, sempre comunicando in seriale tramite cutecom:


[ 2.950000] TCP cubic registered
[ 2.950000] NET: Registered protocol family 17
[ 2.950000] Bridge firewalling registered
[ 2.960000] 8021q: 802.1Q VLAN Support v1.8
[ 2.970000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
[ 2.980000] Freeing unused kernel memory: 212k freed
- preinit -
Press the [f] key and hit [enter] to enter failsafe mode
f
- failsafe -

BusyBox v1.19.4 (2013-07-25 15:11:00 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

================== FAILSAFE MODE ====================
* mount_root mounts partition with config files
* /etc/config directory with config files
* firstboot reset settings to factory defaults
* passwd reset root's password
* reboot -f reboots router

please also respect:
http://wiki.openwrt.org/doc/howto/generic.failsafe
=====================================================

__
|__|
.-.___ __ .-.___ __ __ __ __ _____ ____ _____
| || || || | |\ \/ / | || _|| |
| | || || | || | | ) ( _ | - || | | - |
|__|__||__||__|__||_____|/_/\_\|_||_____||__| |___ |
n e t w o r k u n d e r e x p e r i m e n t |_____|
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
ATTITUDE ADJUSTMENT (Scooreggione, v4)
-----------------------------------------------------
* 1/4 oz Vodka Pour all ingredients into mixing
* 1/4 oz Gin tin with ice, strain into glass.
* 1/4 oz Amaretto
* 1/4 oz Triple sec
* 1/4 oz Peach schnapps
* 1/4 oz Sour mix
* 1 splash Cranberry juice
-----------------------------------------------------
root@(none):/#
root@(none):/# [ 8.350000] eth0: link up (100Mbps/Full duplex)

La differenza è che in failsafe il boot non carica la configurazione presente nella memoria JFFS2, a quanto pare è questa la causa di ogni male, pertanto in termini di sistema operativo non abbiamo problemi, questi sorgono invece quando il boot monta la memoria scrivibile dove inizializza la configurazione della rete e i moduli aggiuntivi.
Inoltre in failsafe mode risultano veramente pochi i moduli caricati:

root@(none):/# lsmod
Module Size Used by Tainted: G
ledtrig_timer 1072 0
ledtrig_default_on 416 0
leds_gpio 1552 0
gpio_button_hotplug 3200 0

Decido di riflashare il dispositivo.
Configuro sull’antenna il gateway e configuro /etc/resolv.conf in maniera da fare sfruttare all’antenna la mia LAN domestica. Scarico con wget una immagine scooregione dynack e la rinomino in fwupdate.bin.
Poi scrivo brutalmente:

mtd -r write /tmp/fwupdate.bin firmware
Unlocking firmware ...

Writing from /tmp/fwupdate.bin to firmware ... [w]
Rebooting ...

Al termine fà il reboot e sempre da terminale seriale apprendo un danno peggiore:

Board: Ubiquiti Networks XM board (rev 1.0 e805)
DRAM: 32 MB
Flash: 8 MB
Net: eth0, eth1
Hit any key to stop autoboot: 1 \0x08\0x08\0x08 0
## Booting image at 9f050000 ...
Bad Magic Number
ar7240> printenv

bootdelay=1
baudrate=115200
ethaddr=00:15:6d:0d:00:00
mtdids=nor0=ar7240-nor0
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
filesize=10000
fileaddr=81000000
ethact=eth0
mtdparts=mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),1024k(kernel),6528k(rootfs),256k(cfg),64k(EEPROM)
bootcmd=bootm 0x9f050000
serverip=192.168.1.254
bootargs=console=tty0 root=31:03 rootfstype=squashfs init=/init
stdin=serial
stdout=serial
stderr=serial

Environment size: 452/65532 bytes
ar7240>

Dopo alternanze di panico e fastidio, frugo wiki di open-wrt e immetto:

setenv ipaddr 192.168.1.20
urescue

Mentre sul mio pc in LAN eseguo:

atftp --trace --option "timeout 1" --option "mode octet" --put --local-file openwrt-ar71xx-generic-ubnt-nano-m-squash fs-factory.bin 192.168.1.20

Da Seriale leggo:

U-Boot 1.1.4.2-s445 (Sep 6 2010 - 14:46:33)

Board: Ubiquiti Networks XM board (rev 1.0 e805)
DRAM: 32 MB
Flash: 8 MB
Net: eth0, eth1
Hit any key to stop autoboot: 1 \0x08\0x08\0x08 0
## Booting image at 9f050000 ...
Bad Magic Number
ar7240> urescue

Setting default IP 192.168.1.20
Starting TFTP server...
Using eth0 (192.168.1.20), address: 0x81000000
Waiting for connection: *\0x08-\0x08\\0x08|\0x08/\0x08-\0x08\\0x08|\0x08/\0x08-\0x08\\0x08|\0x08/\0x08-\0x08\\0x08|\0x08/\0x08-\0x08\\0x08
Receiving file from 192.168.1.22:53847
Received 512 bytes
Received 940544 bytes
Received 1363456 bytes
Received 1750016 bytes
Received 2163712 bytes
Received 2551296 bytes
Received 2956800 bytes
Received 3348480 bytes
Received 3783168 bytes
Received 4184576 bytes
Received 4613120 bytes
Received 4989440 bytes
Received 5358592 bytes
Received 5732352 bytes
Received 5833116 bytes

Firmware Version: XM.ar7240.v6.0.0-OpenWrt-r37174
Setting U-Boot environment variables
Un-Protected 1 sectors
Erasing Flash.... done
Erased 1 sectors
Writing to Flash... done
Protected 1 sectors
Copying partition 'kernel' to flash memory:
\0x09erasing range 0x9F050000..0x9F14FFFF: ................ done
Erased 16 sectors
\0x09writing to address 0x9f050000, length 0x00100000 ...
Copying partition 'rootfs' to flash memory:
\0x09erasing range 0x9F150000..0x9F5EFFFF: .......................................................................... done
Erased 74 sectors
\0x09writing to address 0x9f150000, length 0x004a0000 ...

Firmware update complete.

Resetting...

Ma stessa storia: niente eth0, sempre link-down.
Ecco un estratto del log:

Board: Ubiquiti Networks XM board (rev 1.0 e805)
DRAM: 32 MB
Flash: 8 MB
Net: eth0, eth1
Hit any key to stop autoboot: 1 \0x08\0x08\0x08 0
## Booting image at 9f050000 ...
Image Name: MIPS OpenWrt Linux-3.3.8
Created: 2013-07-25 14:01:00 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 952544 Bytes = 930.2 kB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK

Starting kernel ...

[ 0.000000] Linux version 3.3.8 (saverio@nockid) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Thu Jul 25 15:58:58 CEST 2013
[...]
[ 2.970000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
[ 2.980000] Freeing unused kernel memory: 212k freed
- preinit -
Press the [f] key and hit [enter] to enter failsafe mode
[ 8.350000] eth0: link up (100Mbps/Full duplex)
- regular preinit -
jffs2 not ready yet; using ramdisk
- init -
[ 8.920000] eth0: link down
[ 11.030000] Compat-drivers backport release: compat-drivers-2013-01-21-1
[ 11.040000] Backport based on wireless-testing.git master-2013-02-22
[ 11.050000] compat.git: wireless-testing.git
[ 11.090000] cfg80211: Calling CRDA to update world regulatory domain
[ 11.100000] cfg80211: World regulatory domain updated:
[ 11.100000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 11.110000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 11.120000] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 11.130000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 11.130000] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 11.140000] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 11.430000] NET: Registered protocol family 10
[ 11.830000] usbcore: registered new interface driver usbfs
[ 11.830000] usbcore: registered new interface driver hub
[ 11.840000] usbcore: registered new device driver usb
[ 12.530000] PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
[ 12.560000] ieee80211 phy0: Atheros AR9280 Rev:2 mem=0xb0000000, irq=40
[ 12.580000] cfg80211: Calling CRDA for country: US
[ 12.580000] cfg80211: Regulatory domain changed to country: US
[ 12.590000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 12.590000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
[ 12.600000] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
[ 12.610000] cfg80211: (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 12.620000] cfg80211: (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 12.630000] cfg80211: (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 12.630000] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
[ 12.700000] NET: Registered protocol family 15
[ 12.990000] Initializing XFRM netlink socket
[ 13.130000] PPP generic driver version 2.4.2
[ 13.180000] tun: Universal TUN/TAP device driver, 1.6
[ 13.190000] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[ 13.360000] IPv4 over IPv4 tunneling driver
[ 14.320000] L2TP core driver, V2.0
[ 14.340000] L2TP netlink interface
[ 14.370000] L2TP ethernet pseudowire support (L2TPv3)
[ 14.390000] L2TP IP encapsulation support (L2TPv3)
[ 14.440000] GRE over IPv4 demultiplexor driver
[ 14.470000] GRE over IPv4 tunneling driver
[ 14.620000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 14.920000] NET: Registered protocol family 24
[ 15.050000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 15.090000] nf_conntrack version 0.5.0 (456 buckets, 1824 max)
[ 16.460000] xt_time: kernel timezone is -0000
[ 17.410000] xt_length2: Unknown symbol ipv6_find_hdr (err 0)
[ 17.550000] xt_RAWNAT: Unknown symbol ipv6_find_hdr (err 0)
[ 17.590000] xt_SYSRQ: Unknown symbol ipv6_find_hdr (err 0)
[ 17.760000] Ebtables v2.0 registered
[ 18.240000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 18.630000] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[ 18.640000] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
[ 18.790000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver

Please press Enter to activate this console. [ 24.050000] ath9k: ath9k: Driver unloaded
[ 24.080000] Compat-drivers backport release: compat-drivers-2013-01-21-1
[ 24.090000] Backport based on wireless-testing.git master-2013-02-22
[ 24.100000] compat.git: wireless-testing.git
[ 24.150000] cfg80211: Calling CRDA to update world regulatory domain
[ 24.160000] cfg80211: World regulatory domain updated:
[ 24.160000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 24.170000] cfg80211: (2400000 KHz - 2483000 KHz @ 40000 KHz), (N/A, 3000 mBm)
[ 24.180000] cfg80211: (5140000 KHz - 5860000 KHz @ 40000 KHz), (N/A, 3000 mBm)
[ 24.450000] ieee80211 phy0: Atheros AR9280 Rev:2 mem=0xb0000000, irq=40
[ 24.460000] cfg80211: Calling CRDA for country: US
[ 24.460000] cfg80211: Regulatory domain changed to country: US
[ 24.470000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 24.470000] cfg80211: (2400000 KHz - 2483000 KHz @ 40000 KHz), (N/A, 3000 mBm)
[ 24.480000] cfg80211: (5140000 KHz - 5860000 KHz @ 40000 KHz), (N/A, 3000 mBm)
[ 31.540000] ADDRCONF(NETDEV_UP): wlan0: link is not ready

Allora ripiego a Scooregione AA v.4 classico. sempre via tftp uploadando l’immagine. E oppelà le interfacce redivive:

root@Scooreggione:/# ifconfig
eth0 Link encap:Ethernet HWaddr 00:27:22:93:6B:46
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::227:22ff:fe93:6b46/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:865 (865.0 B) TX bytes:616 (616.0 B)
Interrupt:4

eth1 Link encap:Ethernet HWaddr 02:27:22:93:6B:46
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:5

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

wlan0 Link encap:Ethernet HWaddr 00:27:22:92:6B:46
inet addr:172.16.1.1 Bcast:172.16.255.255 Mask:255.255.0.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

root@Scooreggione:/# done.
[ 55.230000] JFFS2 notice: (1336) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 65.640000] device eth0 entered promiscuous mode

Alla fine di questo sabato bellissimo mi pongo due domande:

il firmware scooreggione-AA-dynack scavalla?
Ma avete visto che figata arduino?

m5_sin_sout

Riferimenti:
http://wiki.villagetelco.org/OpenWrt_Failsafe_Mode_and_Flash_Recovery
http://www.treccani.it/vocabolario/scavallare/

5 pensieri su “Debrick Ubiquity Nanostation con Arduino

  1. Ciao,
    grande, bell’idea :-)
    link appena passatomi da Gianfranco… ti segnalo che, se dovesse servire, dai cinesoni vicino al carrefour trovi una USB/RS232 a tre eurini… ottima forse anche per i casi d’emergenza come questo 😉

    un saluto

Lascia una risposta

L'indirizzo email non verrà pubblicato. I campi obbligatori sono contrassegnati *

È possibile utilizzare questi tag ed attributi XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>