ipTIME G204

From WikiDevi.Wi-Cat.RU
Jump to navigation Jump to search

ipTIME G204

Manuf (OEM/ODM): Zioncom IP0477.B

Country of manuf.: China

Type: wireless router

Power: 7.5 VDC, 1.5 A
Connector type: barrel

CPU1: Micrel KS8695P (166 MHz)
FLA1: 2 MiB2,097,152 B <br />16,384 Kib <br />2,048 KiB <br />16 Mib <br />0.00195 GiB <br /> (Spansion S29AL016D70TFI02)
RAM1: 16 MiB16,777,216 B <br />131,072 Kib <br />16,384 KiB <br />128 Mib <br />0.0156 GiB <br /> (StarRam 4X32SDRAM)

Expansion IFs: none specified
Serial: yes, (38400,8,N,1)

WI1 chip1: Ralink RT2561S
WI1 chip2: Ralink RT2527
WI1 802dot11 protocols: bg
WI1 antenna connector: RP-SMA

ETH chip1: Micrel KS8695P
Switch: Micrel KS8695P
LAN speed: 100M
LAN ports: 4
WAN speed: 100M
WAN ports: 1

bg

Stock FW OS: Linux 2.4.19-rmk4

Flags: boot log

Default SSID: iptime (1 addl. devices)
Default IP address: 192.168.0.1
the IP 192.168.0.1 is used by 785 additional devices
of which 1 are ipTIME devices

802dot11 OUI: 00:08:9F (-, 1 W)
Ethernet OUI: 00:08:9F (-, 1 W)

For a list of all currently documented Micrel (Kendin) chipsets with specifications, see Micrel.
For a list of all currently documented Ralink chipsets with specifications, see Ralink.


"ZC-IP0477.B" is on the board.

Review on kbench.com

specifies processor as ARM9 based @ 166MHz

The device is using 2.4.19-rmk4 - an ARM kernel released 2002-08-25.

The SoC used appears to be 22 (labeled A through U) x 17 (individually marked numbers) in a PBGA package.

It is presumed to be a Micrel KS8695P.. .. also relevant.

Info on shell access at kldp.org (KR)

Shell commands can be sent to the device via /cgi-bin/timepro.cgi?flag=bluesky w/ firmware version 5.16.
Older FW versions may use flag=debug instead of bluesky..
FTP access to the device can be attained by running /sbin/ftpd and logging in w/ bin:efm-sw credentials.

Shell info dump

cat /etc/passwd

root::0:0:root::/bin/sh 
nobody::99:0:nobody:/:/bin/sh 
bin::99:0:efm-sw:/bin:/bin/sh 

cat /proc/version

Linux version 2.4.19-rmk4 (nvwl@perrier) (gcc version 2.95.3 20010315 (release)) #7 Tue Jul 24 14:45:58 KST 2007 

cat /proc/cpuinfo

Processor	: ARM/ALTERA Arm922Tid(wb) rev 0 (v4l)
BogoMIPS	: 83.14
Features	: swp half thumb 

Hardware	: Micrel-KS8695
Revision	: 0000
Serial		: 0000000000000000

cat /proc/pci

PCI devices found:
  Bus  0, device   0, function  0:
    Host bridge: PCI device 16c6:8695 (rev 0).
      IRQ 2.
      Master Capable.  Latency=32.  
      Non-prefetchable 32 bit memory at 0x60000000 [0x63ffffff].
  Bus  0, device   5, function  0:
    Network controller: PCI device 1814:0301 (rev 0).
      IRQ 2.
      Master Capable.  Latency=32.  
      Non-prefetchable 32 bit memory at 0x64000000 [0x64007fff].

cat /proc/mtd

dev: size erasesize name 
mtd0: 00200000 00010000 "Physically mapped flash" 
mtd1: 00020000 00010000 "savefs" 

cat /proc/meminfo

        total:    used:    free:  shared: buffers:  cached:
Mem:  15101952 13111296  1990656        0   208896  6774784
Swap:        0        0        0
MemTotal:        14748 kB
MemFree:          1944 kB
MemShared:           0 kB
Buffers:           204 kB
Cached:           6616 kB
SwapCached:          0 kB
Active:           1700 kB
Inactive:         6968 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        14748 kB
LowFree:          1944 kB
SwapTotal:           0 kB
SwapFree:            0 kB

cat /proc/ksyms

c1ac78e4 ppp_mppe_cleanup	[ppp_mppe]
c1ac78c8 ppp_mppe_init	[ppp_mppe]
c1ac9c64 SHA1_Init	[ppp_mppe]
c1ac9d74 SHA1_Final	[ppp_mppe]
c1ac9e70 arcfour_setkey	[ppp_mppe]
c1ac9ff0 ppp_mppe	[ppp_mppe]
c1ac9cb4 SHA1_Update	[ppp_mppe]
c1ac9f10 arcfour_encrypt	[ppp_mppe]
c1a5ac24 next_key	[rt61ap]
c1a63244 ApStartUp	[rt61ap]
c1a4f700 RTMPSetLED	[rt61ap]
c1a42134 AuthStateMachineInit	[rt61ap]
c1a67630 NUM_OF_5225_CHNL_1	[rt61ap]
c1a5e54c CountGTK	[rt61ap]
c1a38e08 AsicResetBbpTuning	[rt61ap]
c1a560a4 RTMPIoctlStatistics	[rt61ap]
c1a676b4 A_BAND_REGION_2_CHANNEL_LIST	[rt61ap]
c1a5afac WpaStateMachineInit	[rt61ap]
c1a5ed80 RTMPMakeRSNIE	[rt61ap]
c1a3fefc getCfgWmmCapable	[rt61ap]
c1a5298c Set_TxRate_Proc	[rt61ap]
c1a64a7c ApUpdateAccessControlList	[rt61ap]
c1a6d840 try_mac_list	[rt61ap]
c1a593c4 ShiftOutBits	[rt61ap]
c1a5d5f0 WPAHardTransmit	[rt61ap]
c1a4f84c RTMPBuildDesireRate	[rt61ap]
c1a3a870 AsicSetRxAnt	[rt61ap]
c1a39cf8 BssTableInit	[rt61ap]
c1a58e14 ATEAsicSwitchChannel	[rt61ap]
c1a5b568 WpaEAPPacketAction	[rt61ap]
c1a5abf8 xor_128	[rt61ap]
c1a52d6c Set_TxBurst_Proc	[rt61ap]
c1a5e05c GREKEYPeriodicExec	[rt61ap]
c1a335e4 macauth_add_trylist	[rt61ap]
c1a4a94c NICInitTxRxRingAndBacklogQueue	[rt61ap]
c1a52c44 Set_TxAntenna_Proc	[rt61ap]
c1a3ff38 getCfgAPAifsn	[rt61ap]
c1a5854c Set_ATE_SA_Proc	[rt61ap]
c1a3c800 MlmeRadioOn	[rt61ap]
c1a595f8 RTMP_EEPROM_READ16	[rt61ap]
c1a42194 MlmeDeauthReqAction	[rt61ap]
c1a4e3a8 NICLoadFirmware	[rt61ap]
c1a403a0 getCfgNoForwarding	[rt61ap]
c1a679a0 BBPRegTable	[rt61ap]
c1a58b1c Set_ATE_TX_FREQOFFSET_Proc	[rt61ap]
c1a5861c Set_ATE_BSSID_Proc	[rt61ap]
c1a678d8 SNAP_AIRONET	[rt61ap]
c1a52b20 Set_DtimPeriod_Proc	[rt61ap]
c1a65938 PeerDlsTearDownAction	[rt61ap]
c1a361c8 MlmeQueueDestroy	[rt61ap]
c1a67014 RateIdTo500Kbps	[rt61ap]
c1a325d4 RT61_open	[rt61ap]
c1a50638 ChannelSanity	[rt61ap]
c1a40058 getCfgAPTxop	[rt61ap]
c1a543c8 Set_AccessControlList_Proc	[rt61ap]
c1a5478c Set_dfstest_Proc	[rt61ap]
c1a33344 RT61_get_ether_stats	[rt61ap]
c1a3f970 ConvertToRssi	[rt61ap]
c1a58d58 Set_ATE_TX_COUNT_Proc	[rt61ap]
c1a52e2c Set_WmmCapable_Proc	[rt61ap]
c1a538e4 Set_Key2_Proc	[rt61ap]
c1a513f0 PeerDlsReqSanity	[rt61ap]
c1a62fd0 F	[rt61ap]
c1a36480 LfsrInit	[rt61ap]
c1a4f07c NdisFillMemory	[rt61ap]
c1a39a0c AsicAddPairwiseKeyEntry	[rt61ap]
c1a63e18 MacTableReset	[rt61ap]
c1a3da88 ScanTimeout	[rt61ap]
c1a52f14 Set_HideSSID_Proc	[rt61ap]
c1a4053c getCfgAuthMode	[rt61ap]
c1a3329c rt_abs	[rt61ap]
c1a5a78c RTMPSoftDecryptAES	[rt61ap]
c1a4f6d8 RTMPAddTimer	[rt61ap]
c1a38d4c AsicSetSlotTime	[rt61ap]
c1a38ae0 AsicEnableBssSync	[rt61ap]
c1a676ed A_BAND_REGION_9_CHANNEL_LIST	[rt61ap]
c1a401f4 getCfgBSSCwmax	[rt61ap]
c1a4a35c RTMPAllocDMAMemory	[rt61ap]
c1a41bd4 Cls3errAction	[rt61ap]
c1a32f84 VirtualIF_close	[rt61ap]
c1a52b9c Set_OLBCDetection_Proc	[rt61ap]
c1a59cdc rotr1	[rt61ap]
c1a5f5d4 hmac_md5	[rt61ap]
c1a3fdb8 getCfgDisableOLBC	[rt61ap]
c1a5cf9c Wpa1PeerPairMsg4Action	[rt61ap]
c1a58dc4 Set_ATE_RX_FER_Proc	[rt61ap]
c1a41a80 PeerDisassocReqAction	[rt61ap]
c1a5159c RTMPEncryptData	[rt61ap]
c1a545d8 Set_WPAPSK_Proc	[rt61ap]
c1a51800 RTMP_CALC_FCS32	[rt61ap]
c1a5f42c RTMPSearchPMKIDCache	[rt61ap]
c1a5f830 MD5Final	[rt61ap]
c1a52a50 Set_Channel_Proc	[rt61ap]
c1a549e8 Set_SiteSurvey_Proc	[rt61ap]
c1a35df0 MlmeEnqueue	[rt61ap]
c1a676e9 A_BAND_REGION_8_CHANNEL_LIST	[rt61ap]
c1a48aac RTMPCalcDuration	[rt61ap]
c1a52fb4 Set_IEEE8021X_Proc	[rt61ap]
c1a530c4 Set_VLANID_Proc	[rt61ap]
c1a596a4 RTMP_EEPROM_WRITE16	[rt61ap]
c1a6db44 Rtmp_Irq_Lock	[rt61ap]
c1a67ac4 WPA_OUI	[rt61ap]
c1a52d34 Set_TxQueueSize_Proc	[rt61ap]
c1a5f1e8 RTMPAddPMKIDCache	[rt61ap]
c1a40340 getCfgAckPolicy	[rt61ap]
c1a519f0 RTMPQueryInformation	[rt61ap]
c1a39bf8 AsicSendCommandToMcu	[rt61ap]
c1a3fddc getCfgBGProtection	[rt61ap]
c1a630d8 PasswordHash	[rt61ap]
c1a3998c AsicRemoveSharedKeyEntry	[rt61ap]
c1a322c8 RT61_Init_MSSID	[rt61ap]
c1a3bef0 RadarDetectPeriodic	[rt61ap]
c1a52678 Set_DriverVersion_Proc	[rt61ap]
c1a491c4 RTMPUpdateTupleCache	[rt61ap]
c1a3c788 MlmeRadioOff	[rt61ap]
c1a39d94 BssTableDeleteEntry	[rt61ap]
c1a5d210 Wpa2PeerPairMsg4Action	[rt61ap]

cat /proc/cmdline

console=ttyAM0

Serial

Pinout

(GND) (TX) (RX) [???] -> LED section, antennas, RT2561S, etc

Boot log




Check Firmware CRC =======> [OK]


Uncompressing Linux.................................................................done.
Transferring kernel ...complete
Transferring initrd ...complete
Transferring parms ...complete
Transferring control! ---------> Booting
Stage 2 flash detecting...................
Flash detecting(BUS:16bit,TYPE:16bit)... detected
 Amd/Fujitsu Extended Query Table v1.0 at 0x0040
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
NET4: Ethernet Bridge 008 for NET4.0
alias:g204 version:5.16
Restore Default
insmod: /lib/modules/2.4.19-rmk4: No such file or directory
insmod: bridge.o: no module by that name found
Bridge Init


=========================================
RALINK WIRELESS MODULE DETECTED!!
=========================================


AsicAntennaSelect(ch=6) - Tx=Ant-A, Rx=Ant-A
Check EEPROM contents .. [OK]



=================================================================
press magic key to change default setting ...
  LAN MAC : 00:08:9F:62:57:94
  WAN MAC : 00:08:9F:63:57:94
PPTP Server Start!!
insmod: /lib/modules/2.4.19-rmk4: No such file or directory
gzip: /etc/messages.gz: No such file or directory
copy_file:/etc/messages not found
Check Firmware Integrity ........ - size : 256
[OK]
Please press Enter to activate this console. => AUTH : 4:23:30