Differences between revisions 3 and 4
Revision 3 as of 2007-11-23 18:01:24
Size: 14179
Editor: localhost
Comment: converted to 1.6 markup
Revision 4 as of 2008-04-05 21:36:41
Size: 14164
Editor: dsl-189-138-74-18
Comment:
Deletions are marked like this. Additions are marked like this.
Line 22: Line 22:
Line 26: Line 25:
   dni_go [-a <Entry point address >]     dni_go [-a <Entry point address >]
Line 32: Line 31:
   bdmove     bdmove
Line 38: Line 37:
   check_mac     check_mac
Line 55: Line 54:
   history     history
Line 59: Line 58:
   load [-r] [-v] [-d] [-h <host>] [-p <TCP port>][-m <varies>] [-c <channel_number>]     load [-r] [-v] [-d] [-h <host>] [-p <TCP port>][-m <varies>] [-c <channel_number>]
Line 71: Line 70:
   reset     reset
Line 73: Line 72:
   set_mac [-l <XX:XX:XX:XX:XX:XX >] [-w <XX:XX:XX:XX:XX:XX >]     set_mac [-l <XX:XX:XX:XX:XX:XX >] [-w <XX:XX:XX:XX:XX:XX >]
Line 75: Line 74:
   version     version
Line 88: Line 87:
Board: Meraki Mini  Board: Meraki Mini
Line 110: Line 109:
 Cmdline :   Cmdline :
Line 121: Line 120:
Kernel command line:  Kernel command line:
Line 273: Line 272:

Received 5 Meraki Minis today to play with. This page contains random notes:

  • Device is openable with two screws hidden behind the silver foil label on the back. Upper right, lower left with label facing you.
  • A four-pin 3.3V serial header is present, compatible with a serial console cable constructed for the Netgear WGT634U. With antenna on top, the unused 3.3V pin is on the left. Ground is on the right. The middle two pins are consistent with the WGT, whatever that is.

  • Meraki-supplied hacking stuff is available from here.

  • Device uses RedBoot, similar to CFE on the WGT. Some description can be found here.

  • Unpack the openwrt-meraki tarball, and follow instructions in openwrt-meraki/Meraki.README

  • Attempt to build openwrt-meraki first stumbles on a minor tar incompatibility. Patch as here.

  • No obvious place to feedback fixes, not obvious why they forked the openwrt buildroot rather than improving openwrt... well, except for the obvious reason: stability. It would be interesting to know when the fork occurred and how tractable a recovergance would be. This is terra incognita at the moment. The other interesting bit is the reflashing procedure. Obviously somewhat different than for the WGT, and potentially dangerous.
  • There is a build dependency of ruby for ruby.
  • Some of the downloads point at a host called: high.meraki.net, which presently is resolving here to 172.22.0.210, which is a private IP per RFC 1918. Non-connections there seem to fail-over to a working source, however.
  • Here is a boot log from the serial console: 
    help
Execute code at a location
   dni_go [-a <Entry point address >]
Manage aliases kept in FLASH memory
   alias name [value]
Set/Query the system console baud rate
   baudrate [-b <rate>]
Move Atheros Board Data information
   bdmove
Manage machine caches
   cache [ON | OFF]
Display/switch console channel
   channel [-1|<channel number>]
Check Mac Address
   check_mac
Compute a 32bit checksum [POSIX algorithm] for a range of memory
   cksum -b <location> -l <length>
Display (hex dump) a range of memory
   dump -b <location> [-l <length>] [-s] [-1|2|4]
Execute an image
   exec [-b <argv addr>] [-c "kernel command line"] [-w <timeout>]
        [<entry point>]
Manage FLASH images
   fis {cmds}
Manage configuration kept in FLASH memory
   fconfig [-i] [-l] [-n] [-f] [-d] | [-d] nickname [value]
Execute code at a location
   go [-w <timeout>] [-c] [-n] [entry]
Help about help?
   help [<topic>]
Display command history
   history
Set/change IP addresses
   ip_address [-l <local_ip_address>[/<mask_len>]] [-h <server_address>]
Load a file
   load [-r] [-v] [-d] [-h <host>] [-p <TCP port>][-m <varies>] [-c <channel_number>]
        [-b <base_address>] <file_name>
Compare two blocks of memory
   mcmp -s <location> -d <location> -l <length> [-1|-2|-4]
Copy memory from one address to another
   mcopy -s <location> -d <location> -l <length> [-1|-2|-4]
Fill a block of memory with a pattern
   mfill -b <location> -l <length> -p <pattern> [-1|-2|-4]
Network connectivity test
   ping [-v] [-n <count>] [-l <length>] [-t <timeout>] [-r <rate>]
        [-i <IP_addr>] -h <IP_addr>
Reset the system
   reset
Set/change Lan/Wlan Mac addresses
   set_mac [-l <XX:XX:XX:XX:XX:XX >] [-w <XX:XX:XX:XX:XX:XX >]
Display RedBoot version information
   version
Display (hex dump) a range of memory
   x -b <location> [-l <length>] [-s] [-1|2|4]
RedBoot> reset
... Resetting.Ethernet eth0: MAC address 00:18:0a:01:13:2f
IP: 192.168.84.1/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.84.9

RedBoot(tm) bootstrap and debug environment [ROMRAM]
Release, version V1.04 - built 12:24:00, Apr 17 2006

Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.

Board: Meraki Mini
RAM: 0x80000000-0x82000000, [0x8003d110-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87e0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 2.000 seconds - enter ^C to abort
RedBoot> check_mac
Lan Mac address is  : 00:18:0a:01:13:2f
Wlan Mac address is : 00:18:0a:01:13:2f
Serial Number is    : 26c-aab-602
RedBoot> load art_ap51.elf
Using default protocol (TFTP)
__udp_sendto: Can't find address of server
Can't load 'art_ap51.elf': some sort of network error
RedBoot> go
No entry point known - aborted
RedBoot> load -h 192.168.84.9 -p 80 -m http /meraki/mini.1.img
Unable to reach host 192.168.84.9 (192.168.84.9)
RedBoot> exec
Can't execute Linux - invalid entry address
RedBoot> fis load stage2
RedBoot> exec
Now booting linux kernel:
 Base address 0x80030000 Entry 0x80100000
 Cmdline :
starting stage2
reading flash at 0xa8150000 - 0xa8452927... done
Calculating CRC... 0x727b3da7 - matches
decompressing... done
starting linux
Linux version 2.6.16.16-meraki-mini (jbicket@high.meraki.net) (gcc version 3.4.6 (OpenWrt-2.0)) #8 Fri Nov 3 11:36:22 PST 2006
CPU revision is: 00019064
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Built 1 zonelists
Kernel command line:
Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.
Primary data cache 16kB, 4-way, linesize 16 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
PID hash table entries: 256 (order: 8, 4096 bytes)
Using 92.000 MHz high precision timer.
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 19940k/32768k available (2121k kernel code, 12812k reserved, 394k data, 9592k init, 0k highmem)
Mount-cache hash table entries: 512
Checking for 'wait' instruction...  available.
unpacking initramfs....done
NET: Registered protocol family 16
Algorithmics/MIPS FPU Emulator v1.5
JFFS2 version 2.2. (NAND) (C) 2001-2003 Red Hat, Inc.
Initializing Cryptographic API
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered
faulty_init
watchdog hb: 90  ISR: 0x21  IMR: 0x8  WD : 0x8907e615  WDC: 0x0
ar2315_wdt_init using heartbeat 90 s cycles 3600000000
watchdog hb: 90  ISR: 0x21  IMR: 0x88  WD : 0xd68e74f2  WDC: 0x0
Serial: 8250/16550 driver $Revision: 1.90 $ 1 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0xb1100003 (irq = 37) is a 16550A
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
setting one ethernet device to null...
MTD driver for SPI flash.
spiflash: Probing for Serial flash ...
spiflash: Found SPI serial Flash.
8388608: size
RedBoot partition parsing not available
Creating 7 MTD partitions on "spiflash":
0x00000000-0x00030000 : "RedBoot"
0x00030000-0x00050000 : "stage2"
0x00050000-0x00150000 : "/storage"
0x00150000-0x00490000 : "part1"
0x00490000-0x007d0000 : "part2"
0x007d0000-0x007e0000 : "redboot config"
0x007e0000-0x00800000 : "board config"
oprofile: using timer interrupt.
NET: Registered protocol family 2
IP route cache hash table entries: 512 (order: -1, 2048 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
ip_conntrack version 2.4 (256 buckets, 2048 max) - 232 bytes per conntrack
ip_conntrack_pptp version 3.1 loaded
ip_nat_pptp version 3.0 loaded
ip_tables: (C) 2000-2006 Netfilter Core Team
ClusterIP Version 0.8 loaded successfully
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Freeing unused kernel memory: 9592k freed
init started:  BusyBox v1.1.0 (2006.09.29-21:24+0000) multi-call binary

Please press Enter to activate this console. ar2315_wdt: starting watchdog w/timeout 90 seconds
watchdog hb: 90  ISR: 0x20  IMR: 0x89  WD : 0xd69182a9  WDC: 0x0
ath_hal: module license 'Proprietary' taints kernel.
ath_hal: 0.9.17.2 (AR5212, AR5312, RF2316, TX_DESC_SWAP)
wlan: 0.8.4.2 (svn 2943)
ath_rate_sample: 1.2 (svn 2943)
ath_ahb: 0.9.4.5 (svn 2943)
wifi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
wifi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: H/W encryption support: WEP AES AES_CCM TKIP
wifi0: mac 11.0 phy 4.8 radio 7.0
wifi0: Use hw queue 1 for WME_AC_BE traffic
wifi0: Use hw queue 0 for WME_AC_BK traffic
wifi0: Use hw queue 2 for WME_AC_VI traffic
wifi0: Use hw queue 3 for WME_AC_VO traffic
wifi0: Use hw queue 8 for CAB traffic
wifi0: Use hw queue 9 for beacons
couldn't load module 'wlan_scan_sta' (-89)
unable to load wlan_scan_sta
wifi0: Atheros 2315 WiSoC: mem=0xb0000000, irq=3
click: starting router thread pid 394 (818ccb00)
wlan: mac acl policy registered
realtek setup
couldn't load module 'wlan_scan_monitor' (-89)
unable to load wlan_scan_monitor
ath0: start running
ath0: __ieee80211_newstate: INIT -> RUN
ath0: __ieee80211_newstate: RUN -> RUN
ath0: stop running
ath0: __ieee80211_newstate: RUN -> INIT
ath0: __ieee80211_newstate: INIT -> RUN
ath0: __ieee80211_newstate: RUN -> RUN
ath0: start running
ath0: __ieee80211_newstate: RUN -> INIT
ath0: __ieee80211_newstate: INIT -> RUN
ath0: __ieee80211_newstate: RUN -> RUN
ath0: stop running
ath0: __ieee80211_newstate: RUN -> INIT
ath0: __ieee80211_newstate: INIT -> RUN
ath0: __ieee80211_newstate: RUN -> RUN
ath0: start running
ath0: __ieee80211_newstate: RUN -> INIT
ath0: __ieee80211_newstate: INIT -> RUN
ath0: __ieee80211_newstate: RUN -> RUN
ath0: stop running
ath0: __ieee80211_newstate: RUN -> INIT
ath0: __ieee80211_newstate: INIT -> RUN
ath0: __ieee80211_newstate: RUN -> RUN
ath0: start running
ath0: __ieee80211_newstate: RUN -> INIT
ath0: __ieee80211_newstate: INIT -> RUN
ath0: __ieee80211_newstate: RUN -> RUN
ath0: stop running
ath0: __ieee80211_newstate: RUN -> INIT
ath0: __ieee80211_newstate: INIT -> RUN
ath0: __ieee80211_newstate: RUN -> RUN
ath0: start running
ath0: __ieee80211_newstate: RUN -> INIT
ath0: __ieee80211_newstate: INIT -> RUN
ath0: __ieee80211_newstate: RUN -> RUN
ath0: stop running
ath0: __ieee80211_newstate: RUN -> INIT
ath0: start running
ath0: __ieee80211_newstate: INIT -> RUN
ath0: __ieee80211_newstate: RUN -> RUN
ath0: __ieee80211_newstate: RUN -> RUN
ath0: stop running
ath0: __ieee80211_newstate: RUN -> INIT
ath0: __ieee80211_newstate: INIT -> RUN
ath0: __ieee80211_newstate: RUN -> RUN



BusyBox v1.1.0 (2006.09.29-21:24+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

http://meraki.net

Welcome to your meraki mini.  Please look for developer information at
http://meraki.net.  We would like to encourage you to play with this
platform and add your own features to it.  However, our lawyers
require us to tell you that much of the software on this device is
protected by copyrights, and may not be redistributed or sold.

Happy Hacking!
root@meraki-node:/# ath0: start running
  • Here is a listing of the upgrade.sh script. To the end of the script is appended a tarball with some constituent files. This can be dissected to see what gets flashed where. 
    skip=103
script_reference_md5sum="711ab335ea7685cd6ff2c42e425cd4d1"
this_script=`pwd`/$0

mkdir /tmp/upgrade
cd /tmp/upgrade

if [ `cat /MERAKI_BUILD` == "2315" ]; then
  rm /usr/bin/led*
fi

mv /storage/config /storage/config.old

stage2_dev=/dev/`grep stage2 /proc/mtd|head -c 4`
part1_dev=/dev/`grep part1 /proc/mtd|head -c 4`
part2_dev=/dev/`grep part2 /proc/mtd|head -c 4`
redconf_dev=/dev/`grep "redboot config" /proc/mtd|head -c 4`

script_measured_md5sum=`tail -n +3 $this_script | md5sum | head -c 32`

#echo "script_measured_md5sum = '${script_measured_md5sum}'"
#echo "script_reference_md5sum = '${script_reference_md5sum}'"

if [ "${script_measured_md5sum}" != "${script_reference_md5sum}" ]; then
    echo "error in downloading script!"
    exit 2
fi

tail -n +${skip} ${this_script} | tar xz

stage2_file=stage2-flash.bin
redconf_file=redconf.bin

if ! ( [ -f ${stage2_file} ] && [ -f ${redconf_file} ] ); then
    echo "files not found!"
    exit 3
fi

stage2_md5=`md5sum < ${stage2_file} | head -c 32`
stage2_size=`wc -c < ${stage2_file}`
redconf_md5=`md5sum < ${redconf_file} | head -c 32`
redconf_size=`wc -c < ${redconf_file}`

#echo "stage2_md5 = '${stage2_md5}'"
#echo "stage2_size = '${stage2_size}'"
#echo "redconf_md5 = '${redconf_md5}'"
#echo "redconf_size = '${redconf_size}'"

/usr/bin/led_blink &

installed_stage2_md5=`head -c ${stage2_size} ${stage2_dev} | md5sum | head -c 32`
installed_redconf_md5=`head -c ${redconf_size} ${redconf_dev} | md5sum | head -c 32`

#echo "installed_stage2_md5 = '${installed_stage2_md5}'"
#echo "installed_redconf_md5 = '${installed_redconf_md5}'"

if [ "${stage2_md5}" != "${installed_stage2_md5}" ]; then
    echo "upgrading stage2"
    mtd erase ${stage2_dev}
    dd if=${stage2_file} of=${stage2_dev} bs=1k
    sync
fi

if [ "${redconf_md5}" != "${installed_redconf_md5}" ]; then
    echo "upgrading redboot configuration"
    mtd erase ${redconf_dev}
    dd if=${redconf_file} of=${redconf_dev} bs=1k
    sync
fi

done_part1=false

echo "checksumming part1"
if ! /usr/bin/checkpart.pl ${part1_dev}; then
    echo "part1 was invalid!, upgrading it first"
    mtd erase ${part1_dev}
    echo "writing part1.."
    dd if=part of=${part1_dev} bs=1k
    done_part1=true
fi

echo "upgrading part2"
mtd erase ${part2_dev}
echo "writing part2.."
dd if=part of=${part2_dev} bs=1k

if ! ${done_part1}; then
    echo "upgrading part1"
    mtd erase ${part1_dev}
    echo "writing part1.."
    dd if=part of=${part1_dev} bs=1k
fi

killall led_blink
sleep 1
/usr/bin/led_off

echo "done"

/sbin/reboot

exit 0

MerakiHacking (last edited 2008-04-05 21:36:41 by dsl-189-138-74-18)