BuffaloのWLI3-TX1-G54のFreeBSD化

お約束ですが、このページのいかなる記載においても著者は一切の責任をおいません。
いろいろ書いてますが、FreeBSDでは使える様にならなかったです。せっかく調べたり、いろいろ手元にあったのでBare Metalでmrubyを動かすことしました。

BCM4712のページから分割してみた。

BUFFALOのWLI3-TX1-G54を分解してUARTを探して、以下のダンプを確認してみた。

CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Fri Apr  7 13:44:00 JST 2006 (root@Satoh-linux)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena.
Initializing Devices.
* Flash Info. -> manufacturer (89), device (16)
* Flash Info. -> manufacturer2 (0000), device2 (0000)
* Flash Info. -> manufacturer (89), device (16)
* Flash Info. -> manufacturer2 (0000), device2 (0000)
* Flash Info. -> manufacturer (89), device (16)
* Flash Info. -> manufacturer2 (0000), device2 (0000)
#### 50ms gpioout hold!!
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.60.9.0
* memc_config: (00048000) -> [00048540]
CPU type 0x29007: 200MHz
Total memory: 0x1000000 bytes (16MB)

Total memory used by CFE:  0x80400000 - 0x8053C820 (1296416)
Initialized Data:          0x80436970 - 0x80439070 (9984)
BSS Area:                  0x80439070 - 0x8043A820 (6064)
Local Heap:                0x8043A820 - 0x8053A820 (1048576)
Stack Area:                0x8053A820 - 0x8053C820 (8192)
Text (code) segment:       0x80400000 - 0x80436970 (223600)
Boot area (physical):      0x0053D000 - 0x0057D000
Relocation Factor:         I:00000000 - D:00000000

Device eth0:  hwaddr 00-16-01-00-00-00, ipaddr 1.1.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Reading :: et0: link up (interface up)
Failed.: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: ..... 1490944 bytes read
Entry at 0x80001000
Closing network.
et0: link down (interface down)
Starting program at 0x80001000
CPU revision is: 00029007
Primary instruction cache 8kb, linesize 16 bytes (2 ways)
Primary data cache 4kb, linesize 16 bytes (2 ways)
Linux version 2.4.20 (root@localhost.localdomain) (gcc version 3.2.3 with Broadc
om modifications) #2 Mon Apr 17 13:49:03 JST 2006
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
CPU: BCM4712 rev 1 at 200 MHz
Calibrating delay loop... 199.47 BogoMIPS
Memory: 14412k/16384k available (1260k kernel code, 1972k reserved, 108k data, 6
4k init, 0k highmem)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction...  unavailable.
POSIX conformance testing by UNIFIX
PCI: Fixing up bus 0
PCI: Fixing up bridge
PCI: Fixing up bus 1
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
BUFFALO WBR-B11 INIT SWICH DRIVER ver 1.00
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI en
abled
ttyS00 at 0xb8000300 (irq = 3) is a 16550A
ttyS01 at 0xb8000400 (irq = 0) is a 16550A
PPP generic driver version 2.4.2
Flash device: 0x400000 at 0x1c000000
Physically mapped flash: cramfs filesystem found at block 1024
Creating 4 MTD partitions on "Physically mapped flash":
0x00000000-0x00040000 : "boot"
0x00040000-0x003c0000 : "linux"
0x00100000-0x003c0000 : "rootfs"
0x003c0000-0x00400000 : "nvram"
sflash: found no supported devices
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
ip_conntrack version 2.1 (128 buckets, 1024 max) - 344 bytes per conntrack
* VPN Masqurade -- IPsec Support 
reg isakmp:done
reg ESP protocol:
reg ESP conntrack:done
ip_nat_ipsec : isakmp : done.
ip_nat_ipsec : esp    : init switch port GPIO(4) is output port!!!
done.
ip_tables: (C) 2000-2002 Netfilter core team
*** #define HZ is (100).
ipt_time loading
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
VFS: Mounted root (cramfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 64k freed

NVRAM checking...OK!!
Using /lib/modules/2.4.20/kernel/drivers/net/et/et.o
Called hotplug[net]
Using /lib/modules/2.4.20/kernel/drivers/net/wl/wl.o
Called hotplug[net]
>file_timezone_info (GMT-9)
NAT Table Version Check.
NAT VerUP End.(No change)
 product_name_st : [WLI3-TX1-G54]
band_list (0x4)
 product_name : [WLI3-TX1-G54]
 ap_version : [WLI3-TX1-G54 Ver.2.53]
Wed Jan  1 00:01:17 GMT 2003
 TimeRestore -> 2003.01.01-00:01:17 -> Adjust -> 2003.01.01-00:01:33
Wed Jan  1 00:01:33 GMT 2003
Called hotplug[net]
  start_lan wireless hwaddr[00:16:01:00:00:00]
killall: ripd: no process killed
killall: zebra: no process killed
route add AUTO dgw ()
 set_wireless_dev eth1: Invalid argument
wl_intvar_set(eth1): setting iovar "a_rate" to 0x0 failed, err = -1
eth1: Invalid argument
wl_intvar_set(eth1): setting iovar "a_mrate" to 0x0 failed, err = -1
start_httpdstart_cnv_prot
-- start infini_exec (httpd) ---

-- start /tmp/cnv_main (/usr/sbin/cnv_prot) ---
start_initswdstart_asts  start_asts  
-- start /tmp/infini_nas (nas) ---
assigned mode sta
STA_MODE
app_options 00000010
standalone mode 
[ HTTPD_LOCK_OFF ]
Hit enter to continue...---- Start !! asts child process (port=22416[5790]).
No interface specified. Quitting...
/tmp/infini_nas : child dead.(nas pid=41)
/tmp/infini_nas : Break.(mypid=0)
-- exit /tmp/infini_nas
Hit enter to continue...start ASTS ? = 0
Hit enter to continue...>wl_join_retry assoc -> 1
>wl_join_retry Associated!! check after 600s
[ HTTPD_LOCK_OFF ]
Hit enter to continue...

ここの設定ファイルを使ってUrJTAGでWLI3-TX1-G54を見てみた。

bash-3.2$ ./jtag

UrJTAG 0.10 #1502
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

WARNING: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable ft2232
Connected to libftd2xx driver.
jtag> detect
IR length: 8
Chain length: 1
Device Id: 00010100011100010010000101111111 (0x000000001471217F)
  Manufacturer: Broadcom
  Part(0):         BCM4712
  Stepping:     Ver 1
  Filename:     /Users/hiroki/Develop/Device/OpenSrouce/urjtag-0.10/urjtag/broad
com/bcm4712/bcm4712
jtag> initbus ejtag
ImpCode=00000000100000000000100100000100 00800904
EJTAG version: <= 2.0
EJTAG Implementation flags: R4k DMA MIPS32
Processor entered Debug Mode.
jtag> detectflash 0x1fc00000
Query identification string:
        Primary Algorithm Command Set and Control Interface ID Code: 0x0001 (Int
el/Sharp Extended Command Set)
        Alternate Algorithm Command Set and Control Interface ID Code: 0x0000 (n
ull)
Query system interface information:
        Vcc Logic Supply Minimum Write/Erase or Write voltage: 2700 mV
        Vcc Logic Supply Maximum Write/Erase or Write voltage: 3600 mV
        Vpp [Programming] Supply Minimum Write/Erase voltage: 0 mV
        Vpp [Programming] Supply Maximum Write/Erase voltage: 0 mV
        Typical timeout per single byte/word program: 64 us
        Typical timeout for maximum-size multi-byte program: 128 us
        Typical timeout per individual block erase: 1024 ms
        Typical timeout for full chip erase: 0 ms
        Maximum timeout for byte/word program: 256 us
        Maximum timeout for multi-byte program: 1024 us
        Maximum timeout per individual block erase: 4096 ms
        Maximum timeout for chip erase: 0 ms
Device geometry definition:
        Device Size: 4194304 B (4096 KiB, 4 MiB)
        Flash Device Interface Code description: 0x0002 (x8/x16)
        Maximum number of bytes in multi-byte program: 32
        Number of Erase Block Regions within device: 1
        Erase Block Region Information:
                Region 0:
                        Erase Block Size: 131072 B (128 KiB)
                        Number of Erase Blocks: 32
jtag>

readmemで64KByteを読み込むのに8分55秒かかる。

ZRouterにはBCM47xx系は含まれていないがAsus/WL-500GP_V2がBCM5354を使っているようだ。

このモジュールのフラッシュは以下のようなマップになっている。

このSOCはでSonicという会社のSiloconBackplaneという仕組みを使っているようだ。なんとFreeBSDにはsibaというドライバが存在していた。

ZRouterでWLI3-TX1-G54をFreeBSD化してみた。

socs/Broadcom/BCM5354をsocs/Broadcom/BCM4712にコピー
boards/Asus/500GP_V2をboards/Buffalo/WLI3-TX1-G54にコピー
sys/mips/conf/BCM5354*をBCM4712*にコピー（使ってないかも）
s/BCM5354/BCM4712/
GPIOでbus errorになっていたので、mkから外した
USBが無い機種なので、mkからUSBまわりをコメントアウト
sys/mips/bcm47xx/bcm47xx_machdep.cのmips_init()にある、lenを0x02000000から 0x01000000に変更(なんでハードコードなのかな？)

CFE> ^C
CFE> ifconfig eth0 -addr=10.10.10.200
Device eth0:  hwaddr 00-16-01-00-00-00, ipaddr 10.10.10.200, mask 255.255.255.0
        gateway not set, nameserver not set
*** command status = 0
CFE> flash -noheader 10.10.10.3:Buffalo_WLI3-TX1-G54.trx flash1.trx
Reading 10.10.10.3:Buffalo_WLI3-TX1-G54.trx: Done. 3596288 bytes read
Programming...done. 3596288 bytes written
*** command status = 0
CFE> go

とりあえずログインできただけでWIFI/ETHERのデバイスは見えてない。ブートログはこんなかんじ。

mkにbwiを追加してみたが認識されず。

BCM47xxシリーズはSonics Silicon Backplaneというバスシステムを使っているようだ。 bwnやbfeはこれにぶら下がるのだおもうが、bfeはそれらしコードがあるがbwnにはない。

siba0: <IEEE 802.11> at device 1 (no driver attached)
bfe0: <Broadcom 44xx Ethernet Chip> at mem 0x18002000-0x18002fff irq 2 on siba0
Trap cause = 7 (bus error (load or store) - kernel mode)
[ thread pid 0 tid 100000 ]
Stopped atgeneric_bs_r_4+0x4: jrra
db>

if_bfe.cのbfe_chip_reset()で落ちているようなのだが、まとまった時間が出来たら見てみたい。if_bfe.cはAleksandrさんがいじった形跡はあり、Switchの入ったBCM5354 では動いているのかもしれないが、BCM4712ではダメなのかな。