This note describes an experience with upgrading from AirOS 5.3.x to scooreggione-AA-dynack on a Nanostation M5, using the firmware 3f3b55f42539af7d2803bf2ed14998f1 posted by zioproto on 25-Jul-2013 16:42.
The aim is to put together something useful for anyone who runs into a stubborn brick.
To upgrade from AirOS 5.3.x to Scooreggione I followed the usual steps:
    ssh root@ip.nano.station.m5
    XM.v5.3.3.sdk# wget http://stud.netgroup.uniroma2.it/~saverio/scooreggione-AA-dynack/openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin
    --2011-12-21 23:13:00-- http://stud.netgroup.uniroma2.it/~saverio/scooreggione-AA-dynack/openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin
    Resolving stud.netgroup.uniroma2.it... 160.80.221.14
    Connecting to stud.netgroup.uniroma2.it|160.80.221.14|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 5833116 (5.6M) [application/octet-stream]
    Saving to: `openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin'

    100%[====================================================================================>] 5,833,116 819K/s in 7.0s

    2011-12-21 23:13:07 (811 KB/s) - `openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin' saved [5833116/5833116]

    XM.v5.3.3.sdk# ls
    boot.txt running.cfg leases.1.eth0 system.cfg openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin upload
    XM.v5.3.3.sdk# md5sum /tmp/openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin
    3f3b55f42539af7d2803bf2ed14998f1 /tmp/openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin
    XM.v5.3.3.sdk# /sbin/ubntbox fwupdate.real -m /tmp/openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin -d
    Found mtd block: /dev/mtd0(u-boot)
    Found mtd block: /dev/mtd1(u-boot-env)
    Found mtd block: /dev/mtd2(kernel)
    Found mtd block: /dev/mtd3(rootfs)
    Found mtd block: /dev/mtd4(cfg)
    Found mtd block: /dev/mtd5(EEPROM)
    Got U-Boot variable: mtdparts = mtdparts=mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),1024k(kernel),6528k(rootfs),256k(cfg),64k(EEPROM)
    Adding U-Boot partition: u-boot 9F000000 00040000
    Adding U-Boot partition: [ ... endless lines of log ... ]
    file_cksum: 0x00000000
    ===========================
    Working(3) with block: /dev/mtd5
    Copying FIS partition: 5 <=
    name: 'EEPROM'
    flash_base: 0x9F7F0000
    mem_base: 0x00000000
    size: 0x00010000
    entry_point: 0x00000000
    data_len: 0x00010000
    desc_cksum: 0x00000000
    file_cksum: 0x00000000
    ===========================
    New FIS entries count 6
    FIS Change: added partition terminator instead of 0x75.
    New partition count: 0, changes: 1
    Writing U-Boot environment to /dev/mtd1
    Done
At the end of the process (it seems to have rebooted normally) the ssh shell no longer responds. I wait a while, evidently not long enough to let it finish, before powering it off and back on "as if nothing had happened".
After the restart the IP 192.168.1.1 does not respond.
I try several runs of netdiscover -i eth0 with our usual local ranges (-r).
I power it on and off, followed by futile 30-30-30 style hard resets (I mean on/off intervals in seconds).
… I try things … A voice inside me confronts me with the evidence: "You bricked the nano. Well done."
Since it exposes no eth0 interface after the restart, I fear that trying tftp is pointless: tftp is a client, it makes a tcp/ip connection, while the M5's eth0 interface does not seem to respond to anything at all. Even a tcpdump -vvv -e -i eth0 showed nothing, apart from (and only for an instant) an IPv6 ICMP packet (mocking me).
In this case the only alternative is to proceed with a serial connection: on the TX and RX pins there is a character I/O interface that gives access to the OpenWrt busybox shell.
A USB-to-TTL adapter is needed.
Unfortunately it is Saturday afternoon, and in Cosenza this kind of hardware cannot be found without picking up the phone and bothering everyone. The Verde Binario TTL programmer is apparently at someone's house (+resentment).
Questions follow, such as:
- Do I order one on the internet?
- When will it arrive?
- The MakerFaire is the day after tomorrow, so when will I get back to this?
Then the idea: doesn't Arduino have an FTDI chip on the board to communicate serially over USB?
Indeed it creates the device /dev/ttyACM0 ( … ACM1 ACM2 ACM3 ), through which we write "serially".
The RX and TX pins of the FTDI are connected to the ATMEGA328P.
But if we removed the chip, we could use the board as a plain FTDI interface.
Then, reading up on Google, I found that it is possible to disable the ATMEGA328P chip simply by holding down the reset button, or better still by shorting RESET to GND (connecting the pins).
Pinout:
Arduino RX to the SIN pin
Arduino TX to the SOUT pin
Arduino RST and GND pins connected together
Note 1: I spent an hour connecting RX to SOUT and TX to SIN in vain…
Note 2: the blue wire connects SIN to RX, the black wire is GND, the RED wire is the 3.3 volts, which we don't need, the orange one connects RST to GND, and then there is an ambiguous wire, part white and part grey, which connects SOUT to TX.
To find out whether the combination was the right one, it was enough to open a serial terminal emulator and configure device and speed. It seemed to work: when the device boots I see several bytes scroll by in the terminal, unfortunately indecipherable.
Changing the speed from 9600 to 115200 I start to make sense of it, bingo.
The M5 shows eth0 and eth1 disconnected; if I configure the interfaces, the link stays down.
If I reboot and type f [ENTER] over serial I enter failsafe mode; in this mode eth0 has link up.
Here is an excerpt of the log, still communicating over serial via cutecom:
    [ 2.950000] TCP cubic registered
    [ 2.950000] NET: Registered protocol family 17
    [ 2.950000] Bridge firewalling registered
    [ 2.960000] 8021q: 802.1Q VLAN Support v1.8
    [ 2.970000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
    [ 2.980000] Freeing unused kernel memory: 212k freed
    - preinit -
    Press the [f] key and hit [enter] to enter failsafe mode
    f
    - failsafe -

    BusyBox v1.19.4 (2013-07-25 15:11:00 CEST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    ================== FAILSAFE MODE ====================
    * mount_root mounts partition with config files
    * /etc/config directory with config files
    * firstboot reset settings to factory defaults
    * passwd reset root's password
    * reboot -f reboots router
    please also respect:
    http://wiki.openwrt.org/doc/howto/generic.failsafe
    =====================================================
    [ASCII-art logo: n e t w o r k  u n d e r  e x p e r i m e n t]
    [ASCII-art logo: W I R E L E S S  F R E E D O M]
    -----------------------------------------------------
    ATTITUDE ADJUSTMENT (Scooreggione, v4)
    -----------------------------------------------------
    * 1/4 oz Vodka               Pour all ingredients into mixing
    * 1/4 oz Gin                 tin with ice, strain into glass.
    * 1/4 oz Amaretto
    * 1/4 oz Triple sec
    * 1/4 oz Peach schnapps
    * 1/4 oz Sour mix
    * 1 splash Cranberry juice
    -----------------------------------------------------
    root@(none):/#
    root@(none):/# [ 8.350000] eth0: link up (100Mbps/Full duplex)
The difference is that in failsafe the boot does not load the configuration stored in the JFFS2 memory, and apparently that is the root of all evil. So as far as the operating system is concerned we have no problems; they arise when the boot mounts the writable memory, where it initializes the network configuration and the additional modules.
Moreover, in failsafe mode very few modules are loaded:
    root@(none):/# lsmod
    Module                  Size  Used by    Tainted: G
    ledtrig_timer           1072  0
    ledtrig_default_on       416  0
    leds_gpio               1552  0
    gpio_button_hotplug     3200  0
I decide to reflash the device.
On the antenna I configure the gateway and /etc/resolv.conf so that the antenna can use my home LAN. With wget I download a Scooreggione dynack image and rename it to fwupdate.bin.
Then I brutally type:
    mtd -r write /tmp/fwupdate.bin firmware
    Unlocking firmware ...
    Writing from /tmp/fwupdate.bin to firmware ... [w]
    Rebooting ...
When it finishes it reboots and, still from the serial terminal, I discover worse damage:
    Board: Ubiquiti Networks XM board (rev 1.0 e805)
    DRAM: 32 MB
    Flash: 8 MB
    Net: eth0, eth1
    Hit any key to stop autoboot: 1 \0x08\0x08\0x08 0
    ## Booting image at 9f050000 ...
    Bad Magic Number
    ar7240> printenv
    bootdelay=1
    baudrate=115200
    ethaddr=00:15:6d:0d:00:00
    mtdids=nor0=ar7240-nor0
    partition=nor0,0
    mtddevnum=0
    mtddevname=u-boot
    filesize=10000
    fileaddr=81000000
    ethact=eth0
    mtdparts=mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),1024k(kernel),6528k(rootfs),256k(cfg),64k(EEPROM)
    bootcmd=bootm 0x9f050000
    serverip=192.168.1.254
    bootargs=console=tty0 root=31:03 rootfstype=squashfs init=/init
    stdin=serial
    stdout=serial
    stderr=serial

    Environment size: 452/65532 bytes
    ar7240>
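The printenv output above gives both the flash layout (mtdparts) and the address bootm reads from (bootcmd). As an added example, not part of the original post, this Python code derives the partition addresses from that mtdparts string and applies the legacy U-Boot image header checks (magic, header CRC, data CRC) to a file before it is written; the function names and the sample image are constructed for illustration, and the flash base 0x9F000000 is the one printed in the fwupdate log.

```python
import re
import struct
import zlib

UIMAGE_MAGIC = 0x27051956      # magic of a legacy U-Boot image header
HEADER_FMT = ">7I4B32s"        # 64-byte big-endian header layout
HEADER_LEN = struct.calcsize(HEADER_FMT)
UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
# Values copied from the printenv output above.
MTDPARTS = ("mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),"
            "1024k(kernel),6528k(rootfs),256k(cfg),64k(EEPROM)")
BOOTCMD = "bootm 0x9f050000"


def parse_mtdparts(value, flash_base=0x9F000000):
    """Map each partition name to (start address, size in bytes)."""
    layout, offset = {}, flash_base
    spec = value.split(":", 1)[1]
    for size, unit, name in re.findall(r"(\d+)([km]?)\(([^)]+)\)", spec):
        nbytes = int(size) * UNITS[unit]
        layout[name] = (offset, nbytes)
        offset += nbytes
    return layout


def check_uimage(blob):
    """Check magic, header CRC and data CRC of a legacy uImage."""
    if len(blob) < HEADER_LEN:
        return "Image too short"
    magic, hcrc, _t, size, _load, _ep, dcrc = struct.unpack(">7I", blob[:28])
    if magic != UIMAGE_MAGIC:
        return "Bad Magic Number"
    # The header CRC is computed with its own field set to zero.
    zeroed = blob[:4] + b"\0" * 4 + blob[8:HEADER_LEN]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        return "Bad Header Checksum"
    data = blob[HEADER_LEN:HEADER_LEN + size]
    if len(data) != size or zlib.crc32(data) & 0xFFFFFFFF != dcrc:
        return "Bad Data CRC"
    return "OK"


def build_uimage(payload, name=b"constructed sample"):
    """Constructed test image; ids 5, 5, 2, 3 = Linux, MIPS, kernel, lzma."""
    hdr = struct.pack(HEADER_FMT, UIMAGE_MAGIC, 0, 0, len(payload), 0x80060000,
                      0x80060000, zlib.crc32(payload) & 0xFFFFFFFF, 5, 5, 2, 3, name)
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


if __name__ == "__main__":
    kernel_start = parse_mtdparts(MTDPARTS)["kernel"][0]
    print("kernel at 0x%08X, bootcmd matches: %s"
          % (kernel_start, int(BOOTCMD.split()[1], 16) == kernel_start))
    good = build_uimage(b"constructed kernel bytes")
    print(check_uimage(good), "/", check_uimage(b"XXXX" + good[4:]))
```

Running `check_uimage` on the first bytes of whatever is about to be written at the kernel partition start tells you in advance whether bootm will accept it.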
After alternating panic and annoyance, I dig through the OpenWrt wiki and enter:
    setenv ipaddr 192.168.1.20
    urescue
Meanwhile, on my PC on the LAN, I run:
    atftp --trace --option "timeout 1" --option "mode octet" --put --local-file openwrt-ar71xx-generic-ubnt-nano-m-squashfs-factory.bin 192.168.1.20
From the serial console I read:
    U-Boot 1.1.4.2-s445 (Sep 6 2010 - 14:46:33)

    Board: Ubiquiti Networks XM board (rev 1.0 e805)
    DRAM: 32 MB
    Flash: 8 MB
    Net: eth0, eth1
    Hit any key to stop autoboot: 1 \0x08\0x08\0x08 0
    ## Booting image at 9f050000 ...
    Bad Magic Number
    ar7240> urescue
    Setting default IP 192.168.1.20
    Starting TFTP server...
    Using eth0 (192.168.1.20), address: 0x81000000
    Waiting for connection: *\0x08-\0x08\\0x08|\0x08/\0x08-\0x08\\0x08|\0x08/\0x08-\0x08\\0x08|\0x08/\0x08-\0x08\\0x08|\0x08/\0x08-\0x08\\0x08
    Receiving file from 192.168.1.22:53847
    Received 512 bytes
    Received 940544 bytes
    Received 1363456 bytes
    Received 1750016 bytes
    Received 2163712 bytes
    Received 2551296 bytes
    Received 2956800 bytes
    Received 3348480 bytes
    Received 3783168 bytes
    Received 4184576 bytes
    Received 4613120 bytes
    Received 4989440 bytes
    Received 5358592 bytes
    Received 5732352 bytes
    Received 5833116 bytes
    Firmware Version: XM.ar7240.v6.0.0-OpenWrt-r37174
    Setting U-Boot environment variables
    Un-Protected 1 sectors
    Erasing Flash.... done
    Erased 1 sectors
    Writing to Flash... done
    Protected 1 sectors
    Copying partition 'kernel' to flash memory:
    \0x09erasing range 0x9F050000..0x9F14FFFF: ................ done
    Erased 16 sectors
    \0x09writing to address 0x9f050000, length 0x00100000 ...
    Copying partition 'rootfs' to flash memory:
    \0x09erasing range 0x9F150000..0x9F5EFFFF: .......................................................................... done
    Erased 74 sectors
    \0x09writing to address 0x9f150000, length 0x004a0000 ...

    Firmware update complete.

    Resetting...
But same story: no eth0, link always down.
Here is an excerpt of the log:
    Board: Ubiquiti Networks XM board (rev 1.0 e805)
    DRAM: 32 MB
    Flash: 8 MB
    Net: eth0, eth1
    Hit any key to stop autoboot: 1 \0x08\0x08\0x08 0
    ## Booting image at 9f050000 ...
    Image Name: MIPS OpenWrt Linux-3.3.8
    Created: 2013-07-25 14:01:00 UTC
    Image Type: MIPS Linux Kernel Image (lzma compressed)
    Data Size: 952544 Bytes = 930.2 kB
    Load Address: 80060000
    Entry Point: 80060000
    Verifying Checksum ... OK
    Uncompressing Kernel Image ... OK

    Starting kernel ...

    [ 0.000000] Linux version 3.3.8 (saverio@nockid) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Thu Jul 25 15:58:58 CEST 2013
    [...]
    [ 2.970000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
    [ 2.980000] Freeing unused kernel memory: 212k freed
    - preinit -
    Press the [f] key and hit [enter] to enter failsafe mode
    [ 8.350000] eth0: link up (100Mbps/Full duplex)
    - regular preinit -
    jffs2 not ready yet; using ramdisk
    - init -
    [ 8.920000] eth0: link down
    [ 11.030000] Compat-drivers backport release: compat-drivers-2013-01-21-1
    [ 11.040000] Backport based on wireless-testing.git master-2013-02-22
    [ 11.050000] compat.git: wireless-testing.git
    [ 11.090000] cfg80211: Calling CRDA to update world regulatory domain
    [ 11.100000] cfg80211: World regulatory domain updated:
    [ 11.100000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    [ 11.110000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    [ 11.120000] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
    [ 11.130000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
    [ 11.130000] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    [ 11.140000] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    [ 11.430000] NET: Registered protocol family 10
    [ 11.830000] usbcore: registered new interface driver usbfs
    [ 11.830000] usbcore: registered new interface driver hub
    [ 11.840000] usbcore: registered new device driver usb
    [ 12.530000] PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
    [ 12.560000] ieee80211 phy0: Atheros AR9280 Rev:2 mem=0xb0000000, irq=40
    [ 12.580000] cfg80211: Calling CRDA for country: US
    [ 12.580000] cfg80211: Regulatory domain changed to country: US
    [ 12.590000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    [ 12.590000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
    [ 12.600000] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
    [ 12.610000] cfg80211: (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    [ 12.620000] cfg80211: (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    [ 12.630000] cfg80211: (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    [ 12.630000] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
    [ 12.700000] NET: Registered protocol family 15
    [ 12.990000] Initializing XFRM netlink socket
    [ 13.130000] PPP generic driver version 2.4.2
    [ 13.180000] tun: Universal TUN/TAP device driver, 1.6
    [ 13.190000] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
    [ 13.360000] IPv4 over IPv4 tunneling driver
    [ 14.320000] L2TP core driver, V2.0
    [ 14.340000] L2TP netlink interface
    [ 14.370000] L2TP ethernet pseudowire support (L2TPv3)
    [ 14.390000] L2TP IP encapsulation support (L2TPv3)
    [ 14.440000] GRE over IPv4 demultiplexor driver
    [ 14.470000] GRE over IPv4 tunneling driver
    [ 14.620000] ip_tables: (C) 2000-2006 Netfilter Core Team
    [ 14.920000] NET: Registered protocol family 24
    [ 15.050000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
    [ 15.090000] nf_conntrack version 0.5.0 (456 buckets, 1824 max)
    [ 16.460000] xt_time: kernel timezone is -0000
    [ 17.410000] xt_length2: Unknown symbol ipv6_find_hdr (err 0)
    [ 17.550000] xt_RAWNAT: Unknown symbol ipv6_find_hdr (err 0)
    [ 17.590000] xt_SYSRQ: Unknown symbol ipv6_find_hdr (err 0)
    [ 17.760000] Ebtables v2.0 registered
    [ 18.240000] ip6_tables: (C) 2000-2006 Netfilter Core Team
    [ 18.630000] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
    [ 18.640000] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
    [ 18.790000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver

    Please press Enter to activate this console.
    [ 24.050000] ath9k: ath9k: Driver unloaded
    [ 24.080000] Compat-drivers backport release: compat-drivers-2013-01-21-1
    [ 24.090000] Backport based on wireless-testing.git master-2013-02-22
    [ 24.100000] compat.git: wireless-testing.git
    [ 24.150000] cfg80211: Calling CRDA to update world regulatory domain
    [ 24.160000] cfg80211: World regulatory domain updated:
    [ 24.160000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    [ 24.170000] cfg80211: (2400000 KHz - 2483000 KHz @ 40000 KHz), (N/A, 3000 mBm)
    [ 24.180000] cfg80211: (5140000 KHz - 5860000 KHz @ 40000 KHz), (N/A, 3000 mBm)
    [ 24.450000] ieee80211 phy0: Atheros AR9280 Rev:2 mem=0xb0000000, irq=40
    [ 24.460000] cfg80211: Calling CRDA for country: US
    [ 24.460000] cfg80211: Regulatory domain changed to country: US
    [ 24.470000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    [ 24.470000] cfg80211: (2400000 KHz - 2483000 KHz @ 40000 KHz), (N/A, 3000 mBm)
    [ 24.480000] cfg80211: (5140000 KHz - 5860000 KHz @ 40000 KHz), (N/A, 3000 mBm)
    [ 31.540000] ADDRCONF(NETDEV_UP): wlan0: link is not ready
So I fall back to the classic Scooreggione AA v.4, again uploading the image via tftp. And voilà, the interfaces come back to life:
    root@Scooreggione:/# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:27:22:93:6B:46
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::227:22ff:fe93:6b46/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:10 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:865 (865.0 B)  TX bytes:616 (616.0 B)
              Interrupt:4

    eth1      Link encap:Ethernet  HWaddr 02:27:22:93:6B:46
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
              Interrupt:5

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    wlan0     Link encap:Ethernet  HWaddr 00:27:22:92:6B:46
              inet addr:172.16.1.1  Bcast:172.16.255.255  Mask:255.255.0.0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    root@Scooreggione:/# done.
    [ 55.230000] JFFS2 notice: (1336) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
    [ 65.640000] device eth0 entered promiscuous mode
At the end of this wonderful Saturday I ask myself two questions:
Does the scooreggione-AA-dynack firmware run wild ("scavalla")?
Have you seen how cool Arduino is?
References:
http://wiki.villagetelco.org/OpenWrt_Failsafe_Mode_and_Flash_Recovery
http://www.treccani.it/vocabolario/scavallare/
Hi,
great, nice idea
link just passed on to me by Gianfranco… I'll point out that, should you need one, at the Chinese shops near the Carrefour you can find a USB/RS232 for three euros… possibly great for emergencies like this one too 😉
regards
Thanks, great news
The emergency was dealt with using Arduino, but for 3 euros it's worth it.
If you put this article in the planet category, blog.ninux.org will republish it!
can you post the firmware for me
I have 4 stuck nanostations
You don't need any firmware because you are not using the ATMEGA.
you only have to jumper the reset and connect tx/rx as shown in the picture made with fritzing.
good luck