Tearing down the CG-WLR300GNZ

I hadn't taken apart any network gear in a long while and got the itch, so I tore one down. Right now I'm poking at the UART.
So, here is a teardown of the CG-WLR300GNZ.

corega (Allied Telesis) CG-WLR300GNZ: 11n/g/b wireless LAN router with wired Gigabit support and "W Easy Setup"

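It looks a lot rounder than the gear I usually buy, but I wanted a cheap, fast box that does nothing but terminate PPPoE with a /29, so I bought it. I normally consider NEC AccessTechnica products the safe choice and had planned to use a WR9500N, but it turned out that their recent products do not support unnumbered PPPoE.
The CG-WLR300GNZ is a cheap consumer product, yet it reportedly manages something like 723 Mbps over PPPoE. I won't be using NAPT or the DNS forwarder, so even a so-so box should surely be fine. Should.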

The contents are very simple.

The rest of the I/O. There is a reset-to-defaults button on the back. I've gotten tired of bothering to hide serial numbers and the like...


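The rubber feet are press-fit rather than stuck on with double-sided tape, which felt teardown-friendly, but it is not that the unit wants to be taken apart; the holes are just there to hook onto screws when wall mounting. The screws need a hexalobular (Torx) driver.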

Remove just four screws and it pops open. There are no clips, so it is easy to take apart.

Front and back of the board. It is Realtek "crab" chips all over. High-resolution images are available at the link.

The main parts are the Realtek RTL8198, an SoC with a 500 MHz MIPS core, and what I think is the ESMT M13S2561616A -5TG, a 200 MHz, 32 MB DDR SDRAM.

I was wondering how on earth a 500 MHz MIPS pushes 723 Mbps of PPPoE, and then I found the following text.

Due to its powerful protocol parser, the RTL8198 can recognize and hard-wire-forward VLAN-tagged, SNAP/LLC, PPPoE, IP, TCP, UDP, ICMP, IGMP, and PPTP packets.

http://www.realtek.com/products/productsView.aspx?Langid=1&PNid=9&PFid=11&Level=4&Conn=3&ProdID=308

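So it apparently does "hard-wire-forward" of PPPoE. Impressive, but I'm uneasy about whether it is implemented properly. Then again, PPPoE is stateless at the level of forwarding individual packets, so even in hard-wired logic there are probably fewer landmines than with something like TSO/TOE.
Googling RTL8198_Datasheet_Cleaned_0.91.pdf turns up the datasheet.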

The WLAN appears to be an RTL8192CE, described as a "Single-Chip IEEE 802.11b/g/n 2T2R WLAN Controller with PCI Express Interface". It's not USB, which shows they did it properly.

Less conspicuously, the power section uses Nippon Chemi-Con parts. Good.

Next, hunting for everyone's favorite, the UART. No hunting needed: a pin header is exposed.

Tracing the pattern on the back side, it does look like a UART.

As usual, the middle two pins are TX/RX, and the baud rate was 38400.

long# cu -s 38400 -l /dev/cuaU0
Connected

Booting...
========== SPI =============

SFCR_8198(0xb8001200)=3fc00000

---CG-WLR300GNZ at 2012.03.05-09:44+0800 version:6.0 [16bit](500MHz)
no sys signature at 00010000!
no sys signature at 00020000!
no rootfs signature at 000D0000!
no rootfs signature at 000E0000!
no rootfs signature at 000F0000!

### Press down Esc key to escape booting by user!! ###
Set GPHY Parameter OK
Jump to image start=0x80500000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003790
CPU revision is: 0000dc02
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line: console=ttyS0,38400 root=/dev/mtdblock2
icache: 16kB/32B, dcache: 8kB/32B, scache: 0kB/0B
NR_IRQS:48
PID hash table entries: 128 (order: 7, 512 bytes)
console handover: boot [early0] -> real [ttyS0]
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 25272k/32768k available (2337k kernel code, 7496k reserved, 567k data, 104k init, 0k highmem)
Calibrating delay loop... 498.07 BogoMIPS (lpj=2490368)
Mount-cache hash table entries: 512
net_namespace: 536 bytes
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
msgmni has been set to 49
io scheduler noop registered
io scheduler cfq registered (default)
AUTO BRIDGE SWITH ON    !!!
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x18002000 (irq = 8) is a 16550A
PPP generic driver version 2.4.2
NET: Registered protocol family 24
RTL8192C/RTL8188C driver version 1.6 (2011-07-18)
=====>>INSIDE rtl8192cd_init_one <<=====
PCIE reset (0)
Do MDIO_RESET
98 - 40MHz Clock Source
Find Port=0 Device:Vender ID=819110ec
vendor_deivce_id=819110ec
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
=====>>EXIT rtl8192cd_init_one <<=====



Probing RTL8186 10/100 NIC-kenel stack size order[3]...
chip name: 8196C, chip revid: 0
==Set GPHY Parameter OK
NOT YET
Set threshould idx 0
eth0 added. vid=9 Member port 0x2...
eth1 added. vid=8 Member port 0x1...
eth2 added. vid=9 Member port 0x4...
eth3 added. vid=9 Member port 0x8...
eth4 added. vid=9 Member port 0x10...
[peth0] added, mapping to [eth1]...
SPI INIT
 ------------------------- Force into Single IO Mode ------------------------
|No chipID  Sft chipSize blkSize secSize pageSize sdCk opCk      chipName    |
| 0 c22016h  0h  400000h  10000h   1000h     100h   86    0      MX25L3205D/E|
 ----------------------------------------------------------------------------
SPI flash(MX25L3205D/E) was found at CS0, size 0x400000
Creating 5 MTD partitions on "flash_bank_1":
0x000000000000-0x000000030000 : "boot+cfg"
0x000000030000-0x000000130000 : "linux"
0x000000130000-0x0000003e0000 : "root fs"
0x0000003e0000-0x0000003f0000 : "pppoe session id"
0x0000003f0000-0x000000400000 : "nvram"
nf_conntrack version 0.5.0 (512 buckets, 2048 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
arp_tables: (C) 2002 David S. Miller
TCP cubic registered
NET: Registered protocol family 17
Bridge firewalling registered
Ebtables v2.0 registered
Netlink[Kernel] create socket for igmp ok.
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 104k freed
/etc/rc.d/rc: 29: cannot create /proc/wan_port: Directory nonexistent
/etc/rc.d/rc: 30: cannot create /proc/sys/net/core/hot_list_length: Directory nonexistent
mtd = /dev/nvram
flatfsd: flat1_checkfs 4, hdr.magic=cafe2345, hdr.length=16968, hdr.chksum=1478119

flatfsd: Created 10 configuration files (16625 bytes)


BusyBox v1.01 (2012.06.18-06:09+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # 00:26:87:12:30:6c
mtd = /dev/nvram
flatfsd: Wrote 16968 bytes to flash in 1 seconds
00:26:87:12:30:6D
00:26:87:12:30:6E
00268712306D
00268712306D
Interface doesn't accept private ioctl...
set_mib (89F1): Operation not permitted
mtd = /dev/nvram
flatfsd: Wrote 16968 bytes to flash in 0 seconds
 in the AB mode
Start infoHdl moniter

SIOCGIFFLAGS: No such device
Configuring LAN , lan_ifname = br0 ........
device eth0 entered promiscuous mode
br0: port 1(eth0) entering forwarding state
$Starting Service:
LAN 0 plug off
LAN 1 plug off
LAN 2 plug off
LAN 3 plug off
wan cable plug off :(
$Starting uhttpd:
$Starting dnsmasq:
$Starting udhcpd:

error, Failure parsing line 10 of /var/udhcpd.conf

info, udhcpd (v0.9.9-pre) started
error, max_leases value (254) not sane, setting to 30 instead
error, Unable to open /tmp/udhcpd.leases for reading
The httpd server is running ...


WPAPSKWPA2PSK
TKIPAES
41135464
37323333313736323133323537
IF_handle start....
device wlan0 entered promiscuous mode
[PHY_ConfigMACWithParaFile][MACPHY_REG_92C]
===> Load_92C_Firmware
<=== Load_92C_Firmware
br0: port 2(wlan0) entering forwarding state
wlan led
initializing wlan0-va0
device wlan0-va0 entered promiscuous mode
br0: port 3(wlan0-va0) entering forwarding state
wps start
***********************************************
*** ptr = uuid = 6304125310192006122800268712306c
device_name = "CG-WLR300GNZ"
manufacturer = "Allied Telesis K.K."
manufacturerURL = "http://corega.jp/"
modelURL = "http://corega.jp/prod/wlr300gnz"
model_name = "CG-WLR300GNZ"
model_num = "CG-WLR300GNZ"
serial_num = "123456789012347"
modelDescription = "CG-WLR300GNZ"
device_attrib_id = 1
device_oui = 0050f204
device_category_id = 6
device_sub_category_id = 1

# PASS_ID_DEFAULT=0, PASS_ID_USER=1, PASS_ID_MACHINE=2, PASS_ID_REKEY=3,
# PASS_ID_PB=4, PASS_ID_REG=5, PASS_ID_RESERVED=6
device_password_id = 0

tx_timeout = 5
resent_limit = 2
reg_timeout = 120
block_timeout = 60
# Those parameters are supported by WPS daemon starting from V1.2.
# Need to patch /rtl8186/linux-2.4.18/drivers/char/rtl_gpio.c if
# you want to use wireless LED instead of WPS LED.
WPS_START_LED_GPIO_number = 2
WPS_END_LED_unconfig_GPIO_number = 0
WPS_END_LED_config_GPIO_number = 0
WPS_PBC_overlapping_GPIO_number = 5
PBC_overlapping_LED_time_out = 30
WPS_ERROR_LED_GPIO_number = 6
WPS_ERROR_LED_time_out = 120
WPS_SUCCESS_LED_GPIO_number = 3
WPS_SUCCESS_LED_time_out =300

# When 0, WPS daemon will issue command 'flash set wlan0 value' to update setting
# When 1, WPS daemon will issue command 'flash set value' to update setting
# When 2, WPS daemon will update setting to a file '/tmp/flash_param'
No_ifname_for_flash_set = 0

# Disable to send dis-association to STA after WPS is done. 1:disable, 0:enable
#disable_disconnect = 1

# Disable auto generate SSID in un-configured state
#disable_auto_gen_ssid = 1


#(A)Manual assigned encryption type. 0:disable, 1:WPA-TKIP, 2:WPA2-AES, 3:Mixed-AES-TKIP
#manual_key_type = 2

#(A1)if manual_key_type == 1~3 ,
# you can alternative select 1)assigned manual psk value(manual_key)
# or 2)assignbr0: port 2(wlan0) entering disabled state
ed random key length(random_key_len)
# PSK valid key length between 8~64 ; if manual_key no assigned  and random_key_len no assigned
# then use 1234567890 as default
#manual_key = 1234567890
#random_key_len = 64

#(A2)if manual_key_type == 0,you can assigned PSK length between 8~64
#PSK_LEN = 64

# Disable hidden AP when wsc is activiated
disable_hidden_ap = 1

#if "use_ie"!=2 and "disable_auto_gen_ssid" != 1 then use this parameter as prefix of SSID
#default case use "WPS"  as prefix of SSID
#SSID_prefix = "RTKAP_"

button_hold_time = 1

# Enable the fix for Windows-Zero-Config WEP issue
fix_wzc_wep = 0

#for 92D concurrent mode, there are two wlan interfaces, we can use this parameter to select one interface to do WPS
#if bo[PHY_ConfigMACWithParaFile][MACPHY_REG_92C]
===> Load_92C_Firmware
<=== Load_92C_Firmware
tton_hold_time_for_wlan0 <= 5, do trigger to wlan0, if botbr0: port 2(wlan0) entering forwarding state
ton_hold_time_for_wlan0 >5, do trigger to wlan1.
#if wlan0 and wlan1 are both on AP mode, we don't care this parameter.
button_hold_time_for_first_if = 5
# for WPS2;if wps1.0 don't define
# 0x2008|0x480|0x680(CONFIG_METHOD_VIRTUAL_PIN | CONFIG_METHOD_PHYSICAL_PBC | CONFIG_METHOD_VIRTUAL_PBC )
config_method =  9864

status.st_size = 3519

WiFi Simple Config v2.3 (2012.06.18-06:11+0000).

starting app
wlan led
@ez-server port = 10000
@ez-server ip = 192.168.1.1
Corega ez-tools start
Auto Bride mode start !!!

AB_log: [Flow] ***** Flow A - Start *****

AB_log: redirect function ON
status led
internet led
AB_log: [LED] internet orange on, 121

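As usual, it is Linux-based. Seeing eth0 through eth4 show up is interesting. The "pppoe session id" entry in the memory map has me very curious. The messages after busybox/ash comes up look to me like they come from userland processes.
Possibly because of a problem with the USB-serial adapter I had on hand, TX did not get through and I could not type anything, so that's it for today.
The other images are in my Fotolife: http://f.hatena.ne.jp/halfrack/wlr300gnz/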
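
The flash layout mentioned above can be read straight out of the captured console output. The following Python script is an added example, not part of the original post or the vendor's firmware: it parses the MTD partition lines copied from the boot log, resolves the `root=/dev/mtdblock2` argument to a partition name, and checks that the table covers the detected 4 MB flash without gaps. All function names are assumptions made for this example.

```python
import re

# Lines copied from the boot log on this page (kernel command line,
# SPI flash detection and the MTD partition table).
BOOT_LOG = '''\
Kernel command line: console=ttyS0,38400 root=/dev/mtdblock2
SPI flash(MX25L3205D/E) was found at CS0, size 0x400000
Creating 5 MTD partitions on "flash_bank_1":
0x000000000000-0x000000030000 : "boot+cfg"
0x000000030000-0x000000130000 : "linux"
0x000000130000-0x0000003e0000 : "root fs"
0x0000003e0000-0x0000003f0000 : "pppoe session id"
0x0000003f0000-0x000000400000 : "nvram"
'''

PART_RE = re.compile(r'^0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) : "(.+)"$', re.M)

def parse_partitions(log):
    """Return [(index, name, start, end)] in the order the kernel created them."""
    return [(i, m.group(3), int(m.group(1), 16), int(m.group(2), 16))
            for i, m in enumerate(PART_RE.finditer(log))]

def flash_size(log):
    """Size reported by the SPI flash probe line, or None if absent."""
    m = re.search(r'SPI flash\(.*?\) was found at CS\d+, size (0x[0-9a-fA-F]+)', log)
    return int(m.group(1), 16) if m else None

def root_partition(log, parts):
    """Resolve root=/dev/mtdblockN on the kernel command line to a partition name."""
    m = re.search(r'root=/dev/mtdblock(\d+)', log)
    return parts[int(m.group(1))][1] if m and int(m.group(1)) < len(parts) else None

def layout_problems(parts, size):
    """List gaps, overlaps and any mismatch with the detected flash size."""
    problems, cursor = [], 0
    for _, name, start, end in parts:
        if start != cursor:
            problems.append(f'{name}: starts at {start:#x}, expected {cursor:#x}')
        cursor = end
    if size is not None and cursor != size:
        problems.append(f'table ends at {cursor:#x}, flash is {size:#x}')
    return problems

if __name__ == '__main__':
    parts = parse_partitions(BOOT_LOG)
    for i, name, start, end in parts:
        print(f'mtd{i} {start:#08x}-{end:#08x} {(end - start) // 1024:5d} KiB  {name}')
    print('root ->', root_partition(BOOT_LOG, parts))
    print('problems:', layout_problems(parts, flash_size(BOOT_LOG)) or 'none')
```

Run against these lines, it shows that "pppoe session id" and "nvram" each occupy a single 64 KiB region, the same as the `blkSize` of 10000h in the SPI probe table, and that the kernel's root device maps to the "root fs" squashfs partition.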