-
JTAG adventures: Part II, boy do I hate/love JTAG
06/13/2020 at 05:00 • 0 comments
Okay, so a few days ago I bought a Bus Pirate v3.6 off Amazon (might not have been the best buy, but you know, it works), and up until this morning I was pretty much just working off TFTP and UART, obviously with limited progress. But later today I got my precious Swiss Army knife of embedded computing, and after a much needed firmware upgrade to v6.1, the first thing I did was try plugging it into the "JTAG" ports I found earlier. Somewhat unsurprisingly, it didn't quite work the first time. I'm not sure why, but I couldn't get it to work, so I decided to look at the other header right next to it. After a bit of poking it turned out to be a MIPS EJTAG 2.6, or something similar. I tried hooking the BP up to it, and finally!... it didn't work either.
I tried plugging and unplugging the cables many, many times. I tried swapping MISO for MOSI (as if that was going to work), using other tools like UrJTAG, and even the integrated serial terminal on the BP (which wasn't available in this version afaik, but that didn't stop me from trying). Finally, after a long walk where I cooled my head down a little bit, I tried another approach.
Earlier today I found JTAGenum, an Arduino-based utility mainly used to detect the different JTAG pins on an embedded device. For whatever reason, though, I did not think about using it until I came back. It was a bit of a challenge to get it working at the beginning. None of the boards I had seemed to work; I tried using an Arduino UNO, a NodeMCU and even an old Wemos D1 mini board I had lying around in my room. I don't think it was an issue with the code, but rather with the wiring, but nevertheless I only managed to get the utility working with an Arduino Pro Mini.
And it all led to these four beautiful lines:
> s
================================
Starting scan for pattern:0110011101001101101000010111001001
FOUND! ntrst:2 tck:3 tms:4 tdo:5 tdi:6 IR length: 5
active  ntrst:2 tck:3 tms:6 tdo:5 tdi:4  bits toggled:28
================================
I ran the command a couple of times to make sure it was right, and it all seemed to be working. All that was left to do was to try the connection out...
I can't begin to express how happy I was when I saw that. All the times I tried connecting the BP to the router, I got all sorts of errors and warnings, but now it even let me halt and continue the system, a cathartic experience all around. I also made sure to take pictures of the pins and jumpers I used to accomplish this:
I'll now be trying to get the dumps out of the flash, and hopefully start building a new image for this old fella, which by the way might be the least difficult part of the project (and yes, I know there's an extremely high chance I'm wrong, but hey, I can have dreams!).
-
JTAG adventures: Part I
06/10/2020 at 03:08 • 0 comments
Yesterday I tried to find the JTAG pins on the board with my multimeter, and while I do not have a programmer yet (I might be getting a Bus Pirate by the end of the week), I wanted to test my luck with the tools that I had in mind.
I was well aware that some devices use their own weird proprietary connectors for the JTAG pins, but after taking a look at the three different headers right next to the serial port, I figured there was a good chance it was using a standard pinout. And I might be right.
I found out about the TI 14-pin JTAG connector, and after looking at the placement of the GND and VCC pins, we might just have a winner on our hands:
I might be wrong of course, but that won't stop me from trying those pins out as soon as I get a proper programmer in my hands.
-
Got some flash dumps! I think...
06/09/2020 at 07:02 • 0 comments
So, I remember reading about mtd partitions somewhere, and at the time I'm writing this log I believe they represent flash memory in embedded devices or something.
After what I can only describe as a painfully long ordeal, I set up a TFTP server on my laptop and managed to dump all four partitions to it. I'll now be using Ghidra to see which one of them is the bootloader (I mean, I know it's mtd0 from the serial port logs, but I just want an excuse to use Ghidra). I'll see if I can also take a look at the SquashFS image and change its contents.
I'm not entirely sure whether I can upload the binaries somewhere, but I'll see if I can later build a small (and more modern) Linux image and publish that instead.
I just used this command (from the router's BusyBox shell, pushing to the TFTP server on my laptop) to dump the mtd partitions into files on my laptop:
tftp -p -l /dev/mtdblock/0 -r /mnt/tftp/mtd0.bin 192.168.1.2 69
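Once the partitions are on the laptop, it is worth checking that each dump is the size the device itself claims and peeking at what it holds before opening it in Ghidra. The script below is an added example, not code from this project log: it parses the Adam2 printenv mtd entries and the kernel's MTD partition lines (both taken from the UART log further down this page) into flash offsets, confirms the two agree, and tags each dumped file by its leading bytes (SquashFS magic, an LZMA header, or erased flash). The flash base address 0x90000000 is inferred from mtd2 starting there in Adam2 while the kernel places it at offset 0; the dump contents in the test are constructed, not the real images.

```python
import re
import struct
# Adam2 env and kernel MTD lines as captured in the UART log on this page (offline constants).
ADAM2_PRINTENV = """\
mtd0 0x90090000,0x901f0000
mtd1 0x90010000,0x90090000
mtd2 0x90000000,0x90010000
mtd3 0x901f0000,0x90200000
mtd4 0x90010000,0x901f0000
"""
KERNEL_MTD_LINES = """\
0x00090000-0x001f0000 : "mtd0"
0x00010000-0x00090000 : "mtd1"
0x00000000-0x00010000 : "mtd2"
0x001f0000-0x00200000 : "mtd3"
0x00010000-0x001f0000 : "mtd4"
"""
FLASH_BASE = 0x90000000  # KSEG0 address Adam2 uses for the start of flash (assumed from mtd2)

def parse_adam2(env):
    """Adam2 'mtdN start,end' (absolute addresses) -> {name: (offset, size)}."""
    pat = r"^(mtd\d)\s+0x([0-9a-fA-F]+),0x([0-9a-fA-F]+)$"
    out = {}
    for name, start, end in re.findall(pat, env, re.M):
        start, end = int(start, 16), int(end, 16)
        out[name] = (start - FLASH_BASE, end - start)
    return out

def parse_kernel(lines):
    """Kernel 'start-end : "mtdN"' (flash-relative) -> {name: (offset, size)}."""
    pat = r'^0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) : "(mtd\d)"$'
    return {n: (int(s, 16), int(e, 16) - int(s, 16))
            for s, e, n in re.findall(pat, lines, re.M)}

def classify(blob):
    """Guess what a dumped partition holds from its leading bytes."""
    if blob[:4] in (b"hsqs", b"sqsh"):          # SquashFS magic, either endianness
        return "squashfs"
    if blob[:1] == b"\x5d" and len(blob) >= 5:  # LZMA-alone header: props byte + LE dict size
        if struct.unpack("<I", blob[1:5])[0] in {1 << n for n in range(16, 28)}:
            return "lzma"
    if blob and not blob.strip(b"\xff"):        # erased flash reads back as all 0xFF
        return "blank"
    return "unknown"

def check_dumps(layout, dumps):
    """{name: (size_matches_layout, kind)}; (None, None) when no dump was fetched."""
    return {n: (None, None) if n not in dumps else (len(dumps[n]) == size, classify(dumps[n]))
            for n, (_off, size) in layout.items()}
```

To run it on real dumps, fill the dumps dict from the files the tftp command produced (for example dumps["mtd0"] = open("mtd0.bin", "rb").read()) and pass it to check_dumps together with parse_adam2(ADAM2_PRINTENV).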
-
We got UART!
06/09/2020 at 02:50 • 0 comments
I did this as soon as I got the router. I first took a look at the board and tried to find a serial port of some kind following devttys0's excellent guide. It took me a while to realize that the port wasn't any of the empty slots I so much tried to use, but rather the very obvious but horribly placed header right next to them.
By the way, I may have messed up the channels on the drawing, but the ground is good... I hope. As for the baud rate, I spent a bit of time trying to get devttys0's baudrate.py working (Python 2, man...), but I just ended up testing different standard baud rates. In the end it turned out it uses 38400 baud, which is a bit unusual, at least as far as I know, but other than that it works just fine.
I also added an RS232 interface to it. It doesn't do anything (I don't even know if it would work if I were to connect it to a computer), but I figured it would be cool to see a router with a serial port sticking out of the side. And I was right.

ADAM2 Revision 0.22.03
(C) Copyright 1996-2003 Texas Instruments Inc. All Rights Reserved.
(C) Copyright 2003 Telogy Networks, Inc.
Usage: setmfreq [-d] [-s sys_freq, in MHz] [cpu_freq, in MHz]
Memory optimization Complete!
Adam2_AR7RD > Press any key to abort OS load, or wait 5 seconds for OS to boot...
help
Commands      Description
--------      -----------
h/help        Displays the commands supported
info          Displays board information
memop         Memory Optimization
setmfreq      configures/dumps the system and cpu frequencies
erase         Erase Flash except Adam2 Kernel and Env space
printenv      Displays Env. Variables
setenv        Sets Env. variable <var> with a value <val>
unsetenv      Unsets the Env. variable <var>
fixenv        Defragment for Env. space
go            Loads the image starting at address <mtd1>
Adam2_AR7RD >
Adam2_AR7RD > info
Monitor Revision          0.22.03
Monitor Compilation time  Apr 1 2005, 18:45:39
Endianness                Little
External Memory rate      Full, 16 bit wide
CPU Frequency             150 MHz
Adam2_AR7RD >
Adam2_AR7RD > printenv
memsize                 0x00800000
flashsize               0x00200000
modetty0                38400,n,8,1,hw
modetty1                38400,n,8,1,hw
bootserport             tty0
cpufrequency            150000000
sysfrequency            125000000
bootloaderVersion       0.22.03
ProductID               AR7RD
HWRevision              Unknown
SerialNumber            none
my_ipaddress            192.168.1.1
prompt                  Adam2_AR7RD
firstfreeaddress        0x9401d328
req_fullrate_freq       125000000
maca                    00:30:0A:5F:2D:0B
mtd0                    0x90090000,0x901f0000
mtd1                    0x90010000,0x90090000
mtd2                    0x90000000,0x90010000
mtd3                    0x901f0000,0x90200000
mtd4                    0x90010000,0x901f0000
autoload                1
azcpmac_config          1
usb_vid                 0x0451
usb_pid                 0x6060
HWA_RNDIS               00:30:0A:5F:2D:0C
HWA_HRNDIS              00:30:0A:5F:2D:0E
usb_flag                1
modulation              MMODE
usb_board_mac           00:30:0A:5F:2D:0C
usb_rndis_mac           00:30:0A:5F:2D:0E
macc                    00:30:0A:5F:2D:0D
vcc_encaps0             0.0
vcc_encaps1             0.0
vcc_encaps2             0.0
vcc_encaps3             0.0
vcc_encaps4             0.0
vcc_encaps5             0.0
vcc_encaps6             0.0
vcc_encaps7             0.0
connection0             0
Adam2_AR7RD >
Adam2_AR7RD > --- exit ---
BOOT
Press any key to abort OS load, or wait 5 seconds for OS to boot...
Launching kernel decompressor.
Starting LZMA Uncompression Algorithm.
Copyright (C) 2003 Texas Instruments Incorporated; Copyright (C) 1999-2003 Igor Pavlov.
Compressed file is LZMA format.
Kernel decompressor was successful ... launching kernel.

LINUX started...
Config serial console: ttyS0,38400
CPU revision is: 00018448
Primary instruction cache 16kb, linesize 16 bytes (4 ways)
Primary data cache 16kb, linesize 16 bytes (4 ways)
Number of TLB entries 16.
Linux version 2.4.17_mvl21-malta-mips_fp_le (khcheng@atmos2) (gcc version 2.95.3 20010315 (release/MontaVista)) #12 Tue Aug 31 18:43:49 SGT 2004
Determined physical RAM map:
 memory: 14000000 @ 00000000 (reserved)
 memory: 00020000 @ 14000000 (ROM data)
 memory: 007e0000 @ 14020000 (usable)
On node 0 totalpages: 2048
zone(0): 2048 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line:
the pacing pre-scalar has been set as 600.
calculating r4koff... 000b71b0(750000)
CPU frequency 150.00 MHz
Calibrating delay loop... 149.91 BogoMIPS
Freeing Adam2 reserved memory [0x14001000,0x0001f000]
Memory: 6312k/8192k available (1477k kernel code, 1880k reserved, 119k data, 60k init)
Dentry-cache hash table entries: 1024 (order: 1, 8192 bytes)
Inode-cache hash table entries: 512 (order: 0, 4096 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Disabling the Out Of Memory Killer
devfs: v1.7 (20011216) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
pty: 32 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with no serial options enabled
ttyS00 at 0xa8610e00 (irq = 15) is a 16550A
ttyS01 at 0xa8610f00 (irq = 16) is a 16550A
block: 64 slots per queue, batch=16
Using the MAC with internal PHY
PPP generic driver version 2.4.1
avalanche flash device: 0x400000 at 0x10000000.
Amd/Fujitsu Extended Query Table v1.0 at 0x0040
number of CFI chips: 1
Looking for mtd device :mtd0:
Found a mtd0 image (0x90000), with size (0x160000).
Looking for mtd device :mtd1:
Found a mtd1 image (0x10000), with size (0x80000).
Looking for mtd device :mtd2:
Found a mtd2 image (0x0), with size (0x10000).
Looking for mtd device :mtd3:
Found a mtd3 image (0x1f0000), with size (0x10000).
Looking for mtd device :mtd4:
Found a mtd4 image (0x10000), with size (0x1e0000).
Creating 5 MTD partitions on "Physically mapped flash":
0x00090000-0x001f0000 : "mtd0"
0x00010000-0x00090000 : "mtd1"
0x00000000-0x00010000 : "mtd2"
0x001f0000-0x00200000 : "mtd3"
0x00010000-0x001f0000 : "mtd4"
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 512)
Linux IP multicast router 0.06 plus PIM-SM
ip_conntrack version 2.0 (64 buckets, 512 max) - 364 bytes per conntrack
ip_tables: (c)2000 Netfilter core team
netfilter PSD loaded - (c) astaro AG
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 60k freed
serial console detected. Disabling virtual terminals.
console=/dev/tts/0
init started: BusyBox v0.61.pre (2004.03.30-19:34+0000) multi-call binary
Starting pid 9, console /dev/tts/0: '/etc/init.d/rcS'
Standard Configuration File
proc write:Calling Configuration
Number of State module = 1 STATE = 1 STATE = 2 STATE = 3 module = 2 STATE = 1 STATE = 2 module = 3 STATE = 1 STATE = 2 STATE = 3 module = 5 STATE = 1 STATE = 2 STATE = 3 module = 6 STATE = 1 STATE = 2 STATE = 3
Elements = 14 Total Length = 116
Using /lib/modules/2.4.17_mvl21-malta-mips_fp_le/kernel/drivers/net/avalanche_usb.o
USB: Entering USB_init_module.
vid = 0x451 pid = 0x6060
No Serial Number String present.
man = Texas Instruments
prod = TI RNDIS Network Adapter
USB: Entering USB_Init.
USB: Leaving USB_Init.
USB: Leaving USB_init_module.
Using /lib/modules/2.4.17_mvl21-malta-mips_fp_le/kernel/drivers/atm/tiatm.o
registered device TI Avalanche SAR
Initializing DSL interface
size=10120 size=38720 size=46432 size=45312
dsl modulation = MMODE
Texas Instruments ATM driver: version:[4.02.04.00]
Waiting for enter to start '/bin/sh' (pid 34, terminal /dev/tts/0)
Please press Enter to activate this console.
Sep 8 12:00:06 cm_monitor: Monitor Starting
Sep 8 12:00:07 cfgmgr(pppoe-102): Valid Configuration Tree
SIOCGIFFLAGS: No such device
Sep 8 12:00:07 cfgmgr(fdb): Firewall NAT service started
create:0
text2atm:0
Communicating over ATM 0.0.35
setsockopt SO_SNDBUF: (0) Success
assign:0
SIOCGIFFLAGS:0
SIOCGIFFLAGS:0
Sep 8 12:00:08 cfgmgr(bridge): Bridge Created: br0
device usbrndis entered promiscuous mode
Sep 8 12:00:09 cfgmgr(bridge): Bridge Interface Added: usbrndis
br0: port 1(usbrndis) entering learning state
device eth0 entered promiscuous mode
Sep 8 12:00:09 cfgmgr(bridge): Bridge Interface Added: eth0
br0: port 2(eth0) entering learning state
br0: port 1(usbrndis) entering forwarding state
br0: topology change detected, propagating
br0: port 2(eth0) entering forwarding state
br0: topology change detected, propagating
Sep 8 12:00:16 cfgmgr(sar): DSL Carrier is down
Starting pid 34, console /dev/tts/0: '/bin/sh'

BusyBox v0.61.pre (2004.03.30-19:34+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

#