General
The GigaFast WF719-CAPR 802.11g is actually the CC&C WA-2204A router (it is registered at the FCC under this name), also known as the Gigafast WF719-CAPR, Blanc Wireless G router BW54R11, MSI RG54SE, Bluecomm WA-2204A and Zonet ZSR1114WE. The device is an RTL8180/RTL8185/RTL8186-based Linux IGD router. It supports WDS, Client, and AP mode, along with VPN passthrough. It runs Linux (version 2.4.18-MIPS-01.00) and has a 2M Byte Intel TE28F160C3 flash part. Currently, it has 3 open ports:
21/tcp open ftp
53/tcp open domain
80/tcp open http
Hardware
Memory
cat /proc/meminfo
...
MemTotal: 14208 kB
MemFree: 3344 kB
Bridge
brctl show
bridge name bridge id STP enabled interfaces
br0 8000.0002724d37a5 no eth0
wlan0
Boot Log
A boot log is available through the web interface
0day 00:03:58 klogd started: BusyBox v1.00-pre8 (2004.12.03-02:38+0000)
0day 00:03:58 Linux version 2.4.18-MIPS-01.00 ([email protected]) (gcc version 3.3.3) #183 Wed Aug 24 15:34:13 IRST
0day 00:03:58 early printk enabled
0day 00:03:58 Determined physical RAM map:
0day 00:03:58 memory: 01000000 @ 00000000 (usable)
0day 00:03:58 Initial ramdisk at: 0x801bd000 (5324800 bytes)
0day 00:03:58 On node 0 totalpages: 4096
0day 00:03:58 zone(0): 4096 pages.
0day 00:03:58 zone(1): 0 pages.
0day 00:03:58 zone(2): 0 pages.
0day 00:03:58 Kernel command line: root=/dev/ram console=0 ramdisk_start=0 single
0day 00:03:58 Calibrating delay loop... 179.40 BogoMIPS
0day 00:03:58 Memory: 8956k/16384k available (1583k kernel code, 7428k reserved, 5332k data, 52k init, 0k highmem)
0day 00:03:58 Dentry-cache hash table entries: 2048 (order: 2, 16384 bytes)
0day 00:03:58 Inode-cache hash table entries: 1024 (order: 1, 8192 bytes)
0day 00:03:58 Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
0day 00:03:58 Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
0day 00:03:58 Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
0day 00:03:58 check_wait... unavailable.
0day 00:03:58 POSIX conformance testing by UNIFIX
0day 00:03:58 Linux NET4.0 for Linux 2.4
0day 00:03:58 Based upon Swansea University Computer Society NET3.039
0day 00:03:58 Initializing RT netlink socket
0day 00:03:58 Starting kswapd
0day 00:03:58 Serial driver version 6.02 (2003-03-12) with no serial options enabled
0day 00:03:58 ttyS00 at 0x00c3 (irq = 3) is a rtl_uart1
0day 00:03:58 state->flags=00000000
0day 00:03:58 Realtek GPIO Driver for Flash Reload Default
0day 00:03:58 block: 64 slots per queue, batch=16
0day 00:03:58 RAMDISK driver initialized: 16 RAM disks of 7000K size 1024 blocksize
0day 00:03:58 PPP generic driver version 2.4.1
0day 00:03:58 PPP MPPE Compression module registered
0day 00:03:58 RealTek Nor-Type Flash System Driver. (C) 2002 RealTek Corp.
0day 00:03:58 Found 1 x 2M Byte Intel TE28F160C3
0day 00:03:58 flash: init complete (31), size 2048(KB) blks 1024 hs 512
0day 00:03:58 RTL8180/RTL8185 driver version 1.6 (2005-03-18)
0day 00:03:58 8186NIC Ethernet driver v0.0.2 (Jan 30, 2004)
0day 00:03:58 eth0: RTL8186-NIC at 0xbd200000, 00:01:02:03:04:05, IRQ 4
0day 00:03:58 eth1: RTL8186-NIC at 0xbd300000, 04:05:06:07:08:09, IRQ 5
0day 00:03:58 nat_speed_init (v1.1)
0day 00:03:58 NET4: Linux TCP/IP 1.0 for NET4.0
0day 00:03:58 IP Protocols: ICMP, UDP, TCP
0day 00:03:58 IP: routing cache hash table of 512 buckets, 4Kbytes
0day 00:03:58 TCP: Hash tables configured (established 1024 bind 2048)
0day 00:03:58 rtl8186_crypto_init()...
0day 00:03:58 rtl8186_crypto: IPSec status(RTL8186_IPSCFR) = B
0day 00:03:58 rtl8186_crypto: IPSec status(RTL8186_IPSCTR) = 2027202
0day 00:03:58 ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
0day 00:03:58 ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
0day 00:03:58 ipsec_md5_init(alg_type=14 alg_id=2 name=md5): ret=0
0day 00:03:58 ipsec_null_init(alg_type=15 alg_id=11 name=null): ret=0
0day 00:03:58 ipsec_sha1_init(alg_type=14 alg_id=3 name=sha1): ret=0
0day 00:03:58 ip_conntrack version 2.1 (128 buckets, 1024 max) - 312 bytes per conntrack
0day 00:03:58 PPTP netfilter connection tracking: registered
0day 00:03:58 PPTP netfilter NAT helper: registered
0day 00:03:58 ip_tables: (C) 2000-2002 Netfilter core team
0day 00:03:58 NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
0day 00:03:58 NET4: Ethernet Bridge 008 for NET4.0
0day 00:03:58 RAMDISK: ext2 filesystem found at block 0
0day 00:03:58 RAMDISK: Loading 5200 blocks [1 disk] into ram disk... done.
0day 00:03:58 Freeing initrd memory: 5200k freed
0day 00:03:58 VFS: Mounted root (ext2 filesystem).
0day 00:03:58 Freeing unused kernel memory: 52k freed
0day 00:03:58 mount /proc file system ok!
0day 00:03:58 device eth0 entered promiscuous mode
0day 00:03:58 eth0:phy is 8305
0day 00:03:58 device wlan0 entered promiscuous mode
0day 00:03:58 br0: port 2(wlan0) entering listening state
0day 00:03:58 br0: port 1(eth0) entering listening state
0day 00:03:58 br0: port 2(wlan0) entering learning state
0day 00:03:58 br0: port 2(wlan0) entering forwarding state
0day 00:03:58 br0: topology change detected, propagating
0day 00:03:58 br0: port 1(eth0) entering learning state
0day 00:03:58 br0: port 1(eth0) entering forwarding state
0day 00:03:58 br0: topology change detected, propagating
Software
Software included on this device:
BusyBox
The main shell scripts are run through BusyBox, which has the following commands built in: bg break cd chdir continue eval exec exit export false fg hash help jobs kill local pwd read readonly return set shift times trap true type ulimit umask unset wait
flash
Additionally, there is a "flash" command similar to the nvram command on the WRT54G
Usage: flash cmd
option:
cmd:
default -- write flash parameters to default.
get [wlan interface-index] mib-name -- get a specific mib from flash memory.
set [wlan interface-index] mib-name mib-value -- set a specific mib into flash memory.
all -- dump all flash parameters.
reset -- reset current setting to default.
flash extr /web (extracts the web pages from flash)
flash get (lists all variables from the settings in flash)
flash (get,set) variable
config file
The config file that can be saved from the router's web interface uses a very primitive obfuscation scheme. Once you've downloaded it, just subtract each byte value from 0xc7 to obtain the plaintext.
Perl one-liner: perl -pe "s/./chr((0xc7-ord($&)) & 0xff)/seg" config.dat > config-plaintext.dat
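The same transform in Python, as an added example that is not part of the original page: it maps all 256 byte values, newline bytes included, and lists the printable strings a decoded backup exposes. The modulo-256 wrap for bytes above 0xc7, the function names and the sample field names are assumptions.

```python
import re
import sys

KEY = 0xC7  # constant given on the page

# One lookup table for all 256 byte values. Wrapping modulo 256 for bytes
# above 0xC7 is an assumption; the page only says "subtract from 0xc7".
TABLE = bytes((KEY - b) & 0xFF for b in range(256))


def transform(data: bytes) -> bytes:
    """Apply p = (0xC7 - c) mod 256. The map is its own inverse, so the same
    call de-obfuscates a backup and re-obfuscates an edited one."""
    return data.translate(TABLE)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, like strings(1): what a reader of the backup sees."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


# Constructed sample: field names and values are invented, not the router's own.
SAMPLE_PLAINTEXT = b"\x00\x01\x02\x10SSID=homenet\x00ADMIN_PASSWORD=hunter2\x00\xff\xfe"
SAMPLE_OBFUSCATED = transform(SAMPLE_PLAINTEXT)


def main(argv):
    if len(argv) == 3:
        # usage: script.py config.dat config-plaintext.dat
        with open(argv[1], "rb") as src, open(argv[2], "wb") as dst:
            dst.write(transform(src.read()))
        return 0
    # No arguments: decode the constructed sample and show what it reveals.
    for text in printable_strings(transform(SAMPLE_OBFUSCATED)):
        print(text)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the scheme has no key beyond the fixed constant, a saved config.dat should be stored and shared as if it were the plaintext settings, passwords included.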
Hacks
The WF719-CAPR is based on the 8186 AP reference design offered by Realtek. A number of devices sold by various distributors are essentially the same hardware. GigaFast has not modified the Realtek SDK much.
Extract ext2 partition from firmware
- Open the .bin with a hex editor and find BZh91AY (the bzip2 header).
- Cut from BZh91AY to the end of the file and save it to a new file (1).
- bunzip the new file.
- Take the last 5200 KB and save it to another new file (2). This is the ext2 partition; what comes before it is the kernel.
- On a Linux box:
mkdir /mnt/ext2rtl8186
mount -o loop /newfile(2) /mnt/ext2rtl8186
Note: The web area is not in the ext2 image; it is extracted from flash at bootup (flash extr /web).
More information available soon at http://www.qcnetwork.com/Linux4Rtl/
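The manual steps above as a script, added here as an example (not code from the original page). It assumes the image holds one bzip2 stream containing the kernel followed by a 5200 KB ext2 ramdisk, as the steps describe; the sample image, function names and output file names are constructed for the demonstration.

```python
import bz2
import struct
import sys

BZ_MAGIC = b"BZh91AY"           # signature the page says to search for
RAMDISK_SIZE = 5200 * 1024      # "last 5200 KB" = 5324800 bytes, as in the boot log
EXT2_MAGIC_OFFSET = 1024 + 56   # s_magic field of the ext2 superblock
EXT2_MAGIC = 0xEF53


def find_payload(image):
    """Return (offset, decompressed payload, trailing byte count) for the first
    BZ_MAGIC occurrence that decompresses as a complete bzip2 stream."""
    pos = image.find(BZ_MAGIC)
    while pos != -1:
        dec = bz2.BZ2Decompressor()
        try:
            payload = dec.decompress(image[pos:])
        except (OSError, ValueError):
            payload = None      # the signature matched by chance, not a stream
        if payload is not None and dec.eof:
            return pos, payload, len(dec.unused_data)
        pos = image.find(BZ_MAGIC, pos + 1)
    raise ValueError("no complete bzip2 stream found (truncated or packed differently)")


def split_payload(payload, ramdisk_size=RAMDISK_SIZE):
    """Split the decompressed payload into (kernel, ramdisk)."""
    if len(payload) <= ramdisk_size:
        raise ValueError("payload is smaller than the expected ramdisk")
    return payload[:-ramdisk_size], payload[-ramdisk_size:]


def is_ext2(blob):
    """Check the ext2 superblock magic so a wrong split is caught before mounting."""
    if len(blob) < EXT2_MAGIC_OFFSET + 2:
        return False
    return struct.unpack_from("<H", blob, EXT2_MAGIC_OFFSET)[0] == EXT2_MAGIC


# Constructed sample image: header with a decoy signature, then the real
# stream (kernel stub + blank ramdisk carrying only the ext2 magic), then
# four trailing bytes standing in for padding or a checksum.
SAMPLE_KERNEL = b"constructed-kernel-stub\n" * 64


def build_sample_image():
    ramdisk = bytearray(RAMDISK_SIZE)
    struct.pack_into("<H", ramdisk, EXT2_MAGIC_OFFSET, EXT2_MAGIC)
    header = b"HDR0" + BZ_MAGIC + b"-decoy" + bytes(32)
    return header + bz2.compress(SAMPLE_KERNEL + bytes(ramdisk)) + b"\xde\xad\xbe\xef"


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_image()
    offset, payload, trailing = find_payload(image)
    kernel, ramdisk = split_payload(payload)
    print(f"bzip2 stream at 0x{offset:x}, {trailing} trailing bytes ignored")
    print(f"kernel {len(kernel)} bytes, ramdisk {len(ramdisk)} bytes, "
          f"ext2 magic present: {is_ext2(ramdisk)}")
    if len(argv) > 1:
        with open("kernel.bin", "wb") as fh:
            fh.write(kernel)
        with open("ramdisk.ext2", "wb") as fh:
            fh.write(ramdisk)
    return 0 if is_ext2(ramdisk) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

When run on a real image, ramdisk.ext2 is the file to loop-mount as in the steps above.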
Software
This is essentially the same as the Zyxel P-330W, and the firmware *may* be interchangeable. Update: The firmwares are not interchangeable (at least using the firmware update webpage); the WF719-CAPR rejects the P-330W firmware as invalid after upload.
It looks like the Zyxel product reads the filesystem directly from MTD (as compared to copying everything to RAMdisk). See the following thread for more info (and a possible buildroot/partial source for another very similar router): http://forum.openwrt.org/viewtopic.php?id=3099
There is also a hidden page on both: http://192.168.1.254/syscmd.asp
Update: The ZyXel also has a "REMOTE_TELNET" flash option, and a telnetd binary, however when this flash option was set and the device rebooted, it bricked.
There is no "ls" command. However, typing echo /usr/* will list files in /usr/.
/bin/busybox --help will fail, but try "/bin/busybox --help > file" and then "cat file":
BusyBox v1.00-pre8 (2004.12.03-02:38+0000) multi-call binary
Usage: busybox [function] [arguments]...
- or: [function] [arguments]...
Currently defined functions:
- [, ash, bunzip2, busybox, bzcat, cat, cut, date, dirname, echo, egrep, expr, grep, head, hostname, id, ifconfig, init, kill, killall, klogd, logger, netstat, ps, reboot, rm, route, sed, sh, sleep, sort, syslogd, tail, test, tr, uname, wc
From firmware v1.2.9, help
Built-in commands:
-------------------
. : bg break cd chdir continue eval exec exit export false fg
hash help jobs kill local pwd read readonly return set shift
times trap true ulimit umask unset wait
"ash -c 'echo datatogotofile' > filename |" can be used to upload ASCII to a file
There is also a page to set "tx power": http://192.168.1.254/ccncsetup.asp along with an even more advanced page (that lets you set the regulatory domain and misc): http://192.168.1.254/WlanSetDefaultC.asp
From firmware v1.2.9, cat /proc/cpuinfo
system type : Philips Nino
processor : 0
cpu model : R3000 V0.0
BogoMIPS : 179.40
wait instruction : no
microsecond timers : no
tlb_entries : 64
extra interrupt vector : no
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available
ll emulations : 0
sc emulations : 0
More on executing commands on the router
I wrote a small utility to make it easier to play with the router; it suffers the same limitations as the web interface, such as the command length limit. At a later point I might manage the time to add a file uploader to it and work around the command length limit (current idea is repeated cat >> /tmp/cmd.sh and then executing that).
This compiled cleanly for me on Linux, Cygwin and OS X. You need cURL (libcurl) because that is what I use for HTTP. When you run it, make sure there is a "secrets" in CWD that contains username:password to log in to your router.
To compile
$ cc rshell3.c -o rshell3 -lcurl
/* rshell3.c - run commands through the router's /goform/formSysCmd page */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <curl/curl.h>

/* growable buffer filled by the libcurl write callback */
struct void_mem_object
{
    size_t size;
    char *p;
};

size_t store_curl_object(void *p, size_t size, size_t nmemb, void *userdata);
int http_post_request(char **p, size_t *size, char *url, char **vars);
int exec_cmd(char *cmd, char **o, char *addr);

#define ces curl_easy_setopt

int main(int argc, char **argv)
{
    char cmd[1048], *o;
    char cmd_run[2048];
    char path[1024] = "/";
    int retry = 3;

    curl_global_init(CURL_GLOBAL_ALL);
    if ( argc < 2 ) {
        fprintf(stderr, "%s ip_addr\n", argv[0]);
        return EINVAL;
    }
    /* probe the router; give up after three failed attempts */
    while ( retry-- ) {
        exec_cmd("cat /proc/version", &o, argv[1]);
        if ( o )
            printf("%s\n", o);
        else {
            printf("retrying...\n");
            continue;
        }
        free(o);
        break;
    }
    if ( retry < 0 ) {
        fprintf(stderr, "unable to access the router at %s\n", argv[1]);
        return EHOSTDOWN;
    }
    while ( 1 ) {
        printf("%s # ", path);
        fflush(stdout);
        if ( !fgets(cmd, sizeof(cmd), stdin) )
            break;                      /* EOF on stdin ends the session */
        cmd[strcspn(cmd, "\n")] = 0;    /* strip the newline only if there is one */
        if ( !strstr(cmd, "cd ") ) {
            snprintf(cmd_run, sizeof(cmd_run), "cd %s; %s", path, cmd);
            exec_cmd(cmd_run, &o, argv[1]);
            if ( o ) printf("%s\n", o);
        }
        else {
            /* run the cd on the router and remember the resulting directory */
            snprintf(cmd_run, sizeof(cmd_run), "cd %s; %s; echo $PWD", path, cmd);
            exec_cmd(cmd_run, &o, argv[1]);
            if ( o ) snprintf(path, sizeof(path), "%s", o);
        }
        free(o);
    }
    curl_global_cleanup();
    return 0;
}

/* POST cmd to formSysCmd, follow the redirect and return the textarea contents in *o */
int exec_cmd(char *cmd, char **o, char *addr)
{
    char *header = 0, *output = 0, *p;
    size_t size;
    char *arg[] = { "sysCmd", "echo+*", "apply", "Apply", "submit-url", "%2Fsyscmd.asp", 0 };
    char cmdbuf[1024];
    char *headerend, *location;
    int errpass;

    *o = 0;     /* callers test *o, so it must be defined on every path */
    arg[1] = cmd;
    snprintf(cmdbuf, sizeof(cmdbuf), "http://%s/goform/formSysCmd", addr);
    if ( (errpass = http_post_request(&header, &size, cmdbuf, arg)) )
        return errpass;
    if ( !(headerend = strstr(header, "\r\n\r\n")) ) {
        fprintf(stderr, "invalid reply from router: can't find header\n");
        goto exec_cmd_err;
    }
    *headerend = 0;
    if ( !(location = strstr(header, "Location:")) ) {
        fprintf(stderr, "invalid reply from router: can't find redirect\n");
        goto exec_cmd_err;
    }
    /* cut at the end of the Location line; if it is the last header,
       the terminator written above already ends it */
    if ( (headerend = strstr(location, "\r\n")) )
        *headerend = 0;
    location += strlen("Location:");
    while ( *location == ' ' )
        ++location;
    if ( (errpass = http_post_request(&output, &size, location, 0)) )
        goto exec_cmd_err;
    free(header); header = 0;
    if ( !(p = strstr(output, "wrap=\"virtual\">")) ) {
        fprintf(stderr, "empty output\n");
        goto empty_output;
    }
    p += (sizeof("wrap=\"virtual\">")-1);
    if ( !(headerend = strstr(p, "\n</textarea>")) ) {
        fprintf(stderr, "unparseable command output\n");
        goto exec_cmd_err;
    }
    *headerend = 0;
    if ( !(*o = malloc(strlen(p)+1)) )
        goto exec_cmd_err;
    strcpy(*o, p);
empty_output:
    free(output);
    return 0;
exec_cmd_err:
    *o = 0;
    free(header);
    free(output);
    return -1;
}

/* POST when vars is given, plain GET otherwise; response (headers included) goes to *p */
int http_post_request(char **p, size_t *size, char *url, char **vars)
{
    CURL *cr = 0;
    struct void_mem_object data = {0,0};
    FILE *fp;
    char secret[100];
    char cwd[1024];
    char postvars[4096], *pp;
    size_t len = 0;

    /* credentials are read from a file named "secret" in the current directory */
    if ( !(fp = fopen("secret", "r")) ) {
        fprintf(stderr, "unable to open secret. please make sure to have a secret file in %s in format of username:password to access your router\n",
                getcwd(cwd, sizeof(cwd)) ? cwd : "the current directory");
        goto err;
    }
    if ( !fgets(secret, sizeof(secret), fp) )
        secret[0] = 0;
    fclose(fp);
    secret[strcspn(secret, "\r\n")] = 0;    /* a trailing newline would become part of the password */

    if ( !(cr = curl_easy_init()) )
        goto err;
    ces(cr, CURLOPT_URL, url);
    ces(cr, CURLOPT_WRITEFUNCTION, store_curl_object);
    ces(cr, CURLOPT_WRITEDATA, (void*)&data);
    ces(cr, CURLOPT_USERPWD, secret);
    ces(cr, CURLOPT_USERAGENT, "rshell/1.0");
    ces(cr, CURLOPT_HEADER, 1L);            /* keep the response headers in the output */
    if ( vars ) {
        /* build name=value&name=value; values are sent as given, not URL-encoded */
        pp = postvars;
        while ( *vars ) {
            if ( !vars[1] ) {
                fprintf(stderr, "error, unbalanced variable-argument count, var-args element count should always be divisible by 2\n");
                goto err;
            }
            len = strlen(vars[0]) + strlen(vars[1]) + 2;    /* plus '=' and '&' */
            if ( (size_t)(pp - postvars) + len >= sizeof(postvars) ) {
                fprintf(stderr, "error, post data too long\n");
                goto err;
            }
            pp += sprintf(pp, "%s=%s&", vars[0], vars[1]);
            vars += 2;
        }
        if ( pp > postvars )
            --pp;                           /* drop the trailing '&' */
        *pp = 0;
        ces(cr, CURLOPT_POSTFIELDS, postvars);
        //printf("-->%s\n", postvars);
    }
    if ( curl_easy_perform(cr) || !data.p )
        goto err;
    curl_easy_cleanup(cr);
    *p = data.p;
    *size = data.size;
    return 0;
err:
    if ( cr ) curl_easy_cleanup(cr);
    free(data.p);
    return -1;
}

/* libcurl write callback: append the received chunk and keep the buffer NUL-terminated */
size_t store_curl_object(void *p, size_t size, size_t nmemb, void *userdata)
{
    struct void_mem_object *data = userdata;
    size_t realsize;
    void *rp;

    realsize = size*nmemb;
    if ( !(rp = realloc(data->p, data->size+realsize+1)) ) {
        perror("realloc failed");
        return (size_t)-1;                  /* any value other than realsize aborts the transfer */
    }
    data->p = rp;
    memcpy(&data->p[data->size], p, realsize);
    data->size += realsize;
    data->p[data->size] = 0;
    return realsize;
}
Maximum Size of the nat connection tracking table
The default size of the connection tracking table is 1024 on firmware 1.2.8 and below, and with firmware 1.2.9 and higher it seems to have been set EVEN LOWER! Now it's defaulted to 512. This becomes a major problem if you have a lot of open connections; usually this is the case with p2p programs such as BitTorrent, where hitting 1024 connections is quite common. Your router will feel slow and take a long time to execute a request. You can check if you're hitting the conntrack limit via the syslog at http://192.168.1.254/syslog.asp. If you are hitting this limit you will see this message fairly frequently (like 100 times a second or so!):
Apr 15 01:00:11 NET: 13 messages suppressed.
Apr 15 01:00:11 ip_conntrack: table full, dropping packet.
Solution: Increase the IP connection tracking table size, which is fairly easy to do. /proc/sys/net/ipv4/ip_conntrack_max is the control file; you can read it to see the current limit, and write to it to change the limit.
cat /proc/sys/net/ipv4/ip_conntrack_max
Will return you the current limit.
Pasting this into the system command page will allow you to alter the limit:
echo `echo 3300 > /proc/sys/net/ipv4/ip_conntrack_max` > /tmp/a
Change the number to however many connections you need. I found that 3300 is the perfect number for me. This of course needs to be done every time the router is rebooted. Perhaps the person who has a direct line to 'god' can convince them to default this value to 3000 or something much more reasonable?
May 10/06 Attempted to paste "echo echo 3300 > /proc/sys/net/ipv4/ip_conntrack_max > /tmp/a" into syscmd under V1.2.10 but found that input was truncated - anyone found a workaround?
May 11/06 There is a workaround to this: simply grab the page source of syscmd.asp by clicking "View Source" in your browser, then copy it into a new HTML page, replacing
<form action=/goform/formSysCmd method=POST name="formSysCmd"> with <form action=http://192.168.2.1/goform/formSysCmd method=POST name="formSysCmd">
(where 192.168.2.1 is your router's IP)
and
<input type="hidden" value="/syscmd.asp" name="submit-url"> with <input type="hidden" value="http://192.168.2.1/syscmd.asp" name="submit-url">
and
<td><input type="text" name="sysCmd" value="" size="20" maxlength="50"></td> with <td><input type="text" name="sysCmd" value="" size="20" maxlength="100"></td>
(this makes sure that you have a 100 maxlength...adjustable to whatever you want)
Open up the page in a web browser, and away you go.
June 12/06
Cut and paste the following into a text editor and save it as an .html file. (Don't forget to change the variables.) Load it into Firefox (Opera and IE will not work) to automatically reboot the router, wait 2 minutes and then execute the command to change the size of the connection tracking table. You can actually do this for any command you want to execute!
<body onload='reboot();' >
<SCRIPT ID=clientEventHandlersJS LANGUAGE=javascript>
<!--
/*
This script was designed for the Gigafast Router WF719-CAPR. You must load this page in Firefox ONLY!
The script will reboot the router, wait 2 minutes, then reset the Maximum Size of the nat connection tracking table
to 3300 from 512 or 1024. You need to change the loginID, passWord and ipAddress variables to match your system.
For more information on this router go to
http://bcwireless.net/moin.cgi/GigaFast_WF719-CAPR
*/
var loginID= 'yourlogin'
var passWord= 'yourpassword'
var ipAddress= '192.168.2.1'
var rebootCMD = 'sysCmd=reboot'
var fixnatCMD = "sysCmd=echo `echo 3300 ^> /proc/sys/net/ipv4/ip_conntrack_max` ^> /tmp/a"
function reboot()
{
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
var xmlhttp = new XMLHttpRequest();
xmlhttp.open('POST','http://'+loginID+':'+passWord+'@'+ipAddress+'/goform/formSysCmd',false);
xmlhttp.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xmlhttp.send(rebootCMD);
setTimeout("fixnattable()", 120000)
}
function fixnattable()
{
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
var xmlhttp = new XMLHttpRequest();
xmlhttp.open('POST','http://'+loginID+':'+passWord+'@'+ipAddress+'/goform/formSysCmd',false);
xmlhttp.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xmlhttp.send(fixnatCMD);
}
//-->
</SCRIPT>
</body>
Aug 31/06
I was inspired by the previous post to write a script that would work regardless of whether you used IE, Firefox or any other browser. Cut and paste the following into a text editor and save it as a .vbs file (don't forget to change the variables). Double clicking the file will automatically reboot the router, then the script will wait 1.5 minutes and execute the command to change the size of the connection tracking table. It took me weeks of trial and error but I finally found 4200 to be rock solid - now if only there were a way to make the Wi-Fi more stable.
'Gigafast_reboot_resetNAT.vbs
'This script was designed for the Gigafast Router WF719-CAPR.
'The script will reboot the router, wait 1.5 minutes, then reset the Maximum Size of the nat connection tracking table
'to 4200 from 512 or 1024. You need to change the loginID, passWord and ipAddress variables to match your system.
'For more information on this router go to
'http://bcwireless.net/moin.cgi/GigaFast_WF719-CAPR
Dim strUName, strUPass, strRouterIP, intNatConTable
strUName = "username"
strUPass = "password"
strRouterIP = "192.168.1.254"
intNatConTable = 4200
On Error Resume Next
Set objHTTP = CreateObject("Microsoft.XMLHTTP")
objHTTP.open "POST", "http://" & strUName & ":" & strUPass & "@" & _
strRouterIP & "/goform/formSysCmd", False
objHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objHTTP.send "sysCmd=reboot"
'MsgBox objHTTP.responseText
'wait for 1.5 minutes before resetting the Maximum Size of the nat connection tracking table
WScript.Sleep(90000)
objHTTP.open "POST", "http://" & strUName & ":" & strUPass & "@" & _
strRouterIP & "/goform/formSysCmd", False
objHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objHTTP.send "sysCmd=echo `echo " & intNatConTable & " > /proc/sys/net/ipv4/ip_conntrack_max` > /tmp/a"
'MsgBox objHTTP.responseText
Set objHTTP = Nothing
Also, I tried to run ShieldsUP! (on grc.com) with DMZ enabled and the router crashed and rebooted. Anybody know why?
Hardware
The 8186 SoC has onboard JTAG and serial IO (UARTs). I have verified continuity on a GigaFast board with a multimeter. Using the squared connection of J1 as the first of six pins:
Board   RTL8186  Symbol     Description
------  -------  ---------  ------------------------------
Pin 1   Pin 51   DVDD33     CPU power +3.3V (Digital).
Pin 2   Pin 80   UCTS0PIN   UART0 Clear-to-Send signal.
Pin 3   Pin 73   URTS0PIN   UART0 Request-to-Send signal.
Pin 4   Pin 79   USIN0PIN   UART0 In data signal.
Pin 5   Pin 58   USOUT0PIN  UART0 Out data signal.
Pin 6   Pin 35   DGND33     CPU 3.3 GND (Digital).
This thread on SourceForge details a "Successful connection with C54BRS4 Version 2" (a very similar device to the WF719-CAPR).
From the post by "Eneko":
I have joined CTS and RTS together (loopback handshaking), and then using an adaptor with the MAX3232 and five 0.1 uF tantalum capacitors with HyperTerminal configured as follows:
Speed: 38400
Data bits: 8
Parity: None
Stop bits: 1
Flow Control: Xon/Xoff
I have a successful connection!
Update
I have a successful connection on my gigafast and blanc thanks to Eneko!!!
Picture: http://www.qcnetwork.com/Linux4Rtl/screenshots.php
# reboot
The system is going down NOW !!
Sending SIGTERM to all processes.
Terminated
[1] + Terminated webs
# Sending
Please stand by while rebooting the system.
Restarting system.
Shutdown network interface
eth0:===>
br0: port 1(eth0) entering disabled state
eth1:===>
br0:===>
Enable Watch Dog to Reset whole system
UART1 output test ok
Uart init
mfid=00000089 devid=000088c3
Found 1 x 2M flash memory
---RealTek(RTL8186)at 2005.04.22-12:14+0800 version 1.3b [32bit](180MHz)
no sys signature at 00010000!
Jump to image start=0x80800000...
early printk enabled
Determined physical RAM map:
memory: 01000000 @ 00000000 (usable)
Initial ramdisk at: 0x801c4000 (5324800 bytes)
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/ram console=0 ramdisk_start=0 single
Calibrating delay loop... 179.40 BogoMIPS
Memory: 8924k/16384k available (1604k kernel code, 7460k reserved, 5336k data, 52k init, 0k highmem)
Dentry-cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode-cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
check_wait... unavailable.
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Serial driver version 6.02 (2003-03-12) with no serial options enabled
ttyS00 at 0x00c3 (irq = 3) is a rtl_uart1
state->flags=00000000
Realtek GPIO Driver for Flash Reload Default
block: 64 slots per queue, batch=16
RAMDISK driver initialized: 16 RAM disks of 7000K size 1024 blocksize
PPP generic driver version 2.4.1
PPP MPPE Compression module registered
RealTek Nor-Type Flash System Driver. (C) 2002 RealTek Corp.
Found 1 x 2M Byte Intel TE28F160C3
flash: init complete (31), size 2048(KB) blks 1024 hs 512
RTL8180/RTL8185 driver version 1.8 (2005-09-23)
8186NIC Ethernet driver v0.0.2 (Jan 30, 2004)
eth0: RTL8186-NIC at 0xbd200000, 00:01:02:03:04:05, IRQ 4
eth1: RTL8186-NIC at 0xbd300000, 04:05:06:07:08:09, IRQ 5
nat_speed_init (v1.1)
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
rtl8186_crypto_init()...
rtl8186_crypto: IPSec status(RTL8186_IPSCFR) = B
rtl8186_crypto: IPSec status(RTL8186_IPSCTR) = 2027202
ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
ipsec_md5_init(alg_type=14 alg_id=2 name=md5): ret=0
ipsec_null_init(alg_type=15 alg_id=11 name=null): ret=0
ipsec_sha1_init(alg_type=14 alg_id=3 name=sha1): ret=0
ip_conntrack version 2.1 (128 buckets, 1024 max) - 312 bytes per conntrack
PPTP netfilter connection tracking: registered
PPTP netfilter NAT helper: registered
ip_tables: (C) 2000-2002 Netfilter core team
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
RAMDISK: ext2 filesystem found at block 0
RAMDISK: Loading 5200 blocks [1 disk] into ram disk... done.
Freeing initrd memory: 5200k freed
VFS: Mounted root (ext2 filesystem).
Freeing unused kernel memory: 52k freed
mount /proc file system ok!
serial console detected. Disabling virtual terminals.
init started: BusyBox v1.00-pre8 (2004.12.03-02:38+0000) multi-call binary
BusyBox v1.00-pre8 (2004.12.03-02:38+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
killall: pptp.sh: no process killed
killall: pppoe.sh: no process killed
Initialize wlan0 interface
Setup BRIDGE interface
killall: syslogd: no process killed
killall: klogd: no process killed
SIOCGIFFLAGS: No such device
bridge br0 doesn't exist; can't delete it
Setup bridge...
device eth0 entered promiscuous mode
eth0:phy is 8305
SIOCDELRT: No such process
br0: port 1(eth0) entering listening state
br0: port 1(eth0) entering learning state
br0: port 1(eth0) entering forwarding state
br0: topology change detected, propagating
SIOCDELRT: No such process
SIOCDELRT: No such process
SIOCDELRT: No such process
Setup WAN interface
eth1:phy is 8305
killall: ntp.sh: no process killed
deleting routers
SIOCDELRT: No such process
adding dns 192.168.5.254
start DNS Relay Daemon
Set Firewall...
# Check WAN & DNS ......
LOAD DNS ..... done
Setup VPN
#
The voltage regulator used in the thing is an AnaChip (now Diodes Inc.) AP1506-33. That's an AP1506 series part that outputs 3.3v. Good news: you can replace the included power brick with anything that supplies 4.5v to 22v at enough current. Datasheet can be found here.
Flash Memory
The flash memory can be read via the upload.asp file. To do so, save it to your computer and add the following above the "Select file" section (it is commented out, so you just have to remove the <!-- and -->):
<tr>
<td width="20%"><font size=2><b>Start Address:</b></td>
<td width="80%"><font size=2><input type="text" name="readAddr" size="10" maxlength="8" value=20000>(hex)</td>
</tr>
<tr>
<td width="20%"><font size=2><b>Size:</b></td>
<td width="80%"><font size=2><input type="text" name="size" size="10" maxlength="8" value=F0000>(hex)</td>
</tr>
<tr>
<td width="20%"><font size=2><b>Save File:</b></td>
<td width="80%"><font size=2>
<p><input type="submit" value="Save..." name="save"></p></td>
</tr>
This will allow you to read any part of memory, and download it. You will also need to modify the form tag to be:
<form method="post" action="http://192.168.1.254/goform/formUpload" ...
To download the entire flash use this value
readAddr value=00000000
size value=200000
Flash structure
16k    Boot code         start address 0x00000000
--------------------
8k
8k     H/W setting
--------------------
16k    default setting
16k    current setting
--------------------
64k    web pages         start address 0x00010000
--------------------
1920k  Linux             start address 0x00020000
More information: http://www.smallworks.com/~jim/RTL8186/izwbit.wil.pk.edu.pl/ftp/rtl8186/RTL8186%20Linux%20system%20note.doc
Note for custom firmware
Pressing "Save" by default will save the web area firmware part. If you are able to create a custom web area rom, this would allow for extra programs to be added to the device.
The same type of flash storage compression appears to be used on the following device: http://melbourne.wireless.org.au/wiki/?MinitarHacking (search for "WEBP")
Latest firmware
This router has been marketed under the name "blanc". The hardware and firmware are identical. The "manufacturers" sites are housed in the same location and network. This is normally done to accommodate specific retailers (think lowest price guarantees on "identical" hardware models).
The latest firmware available from the distributor: v1.4.2
Available at the following URL: http://www.elektronika.opatnet.cz/storage/firmware/WA2204/ (tested on the Gigafast and works flawlessly after 42 days of uptime).
Changes:
- Update WLAN driver
- Add WLAN Block Relay feature via web
- Add WLAN WMM feature in AP mode
- Add WLAN Ack Timeout feature
- Add ping watchdog feature
- Add QoS/Bandwidth Control by IP address
- Add DNS1/DNS2/DNS3 information in status page.
GigaFast product support: http://www.gigafast.com/products/product_drivers/WF719-CAPR_drivers.htm
Blanc Networks product support: http://www.blancnetworks.com/products.htm
1.4.x series
The v1.4.x firmwares add a few new pages/features to the router:
- "Universal repeater mode", which is performing as an AP and client simultaneously.
- "Denial-of-Service" (located in the Management menu), adds DoS prevention, threshold configuration, and further attack prevention options.
- RF output power setting, no longer on a hidden page.
- Turbo Mode
They also:
- update the RTL8185 driver to version 1.9 (03-27-2006)
- update the 8186 NIC driver to version 0.0.5 (03-03-2006)
- continue the decision to remove the syscmd.asp page (added again in 1.4.2), among others. You must now choose between new features or "hackability".
If I were a betting man, I'd say the 1.4.x firmware was updated for the US debut of this router.
08-30-2006 - Firmware v1.4.1 released on GigaFast site. Changelog starts at v1.4.0, with no mention of prior firmwares. There is mention of RTL8187s, which may indicate a hardware revision or dual-use firmware.
1.2.x series
04-18-2006 - Firmware 1.2.10 available, GigaFast and Blanc now both have version 1.2.10 posted on their site.
WARNING!!! Firmware version 1.2.9 (perhaps 1.2.8, untested) removes the syscmd.asp, ccncsetup.asp, WlanSetDefaultC.asp, and WlanSetDefaultC_14.asp files. The webpages.bin file from older versions can be used with newer firmware in order to avoid losing the above pages (within the 1.2.x series - using it with v1.4.x series firmware will deprive you of access to new features).
Alternate sources:
(You may find older references and/or discussions of same in the Discussion page. As more material is added, only the most current should be found here.)
06-01-2006 - older firmware 1.2.4 is available from the following link http://www.bluecomm.com.tw/download/WA2204A/WA2204AV124.zip
04-06-2006 - Czech language wifi site has WA-2204A firmware updates
http://www.inwifi.cz/stahnete-si/?k=152
04-03-2006 - firmware upgrade (1.2.8.1)... some one is hosting the file for me. If link becomes dead email at [email protected] and I just got word some one in the UK has version 1.2.9 will try to get that ASAP
http://members.shaw.ca/dmadkr3/linux-v1281-eng2.bin
Included with the driver file is a readme with information on driver revisions
------------------------------------------------------------------------------------
V1.2.7
------------------------------------------------------------------------------------
Changes
-Improve WLAN performance
-Improve firewall security
-Fix WEP web display irregulation while setting WDS
------------------------------------------------------------------------------------
V1.2.6
------------------------------------------------------------------------------------
Changes
-Fix UPNP can't work when change lan ip address.
------------------------------------------------------------------------------------
V1.2.5
------------------------------------------------------------------------------------
Changes
-Fix UPNP IGD retrive data fail ocasionally.
-Fix Intel BG2200 can't login hotmail and yahoo mail under secure mode (https) .
-Make webpages to be used friendly (On Wizard page ,select gateway mode , wlan mode will auto change ap mode).
------------------------------------------------------------------------------------
V1.2.4
------------------------------------------------------------------------------------
Changes
-Fix can not do web configuration after setting "Operation Mode" as Bridge
-Fixed Client mode after settings "Operation Mode" ad WISP
------------------------------------------------------------------------------------
V1.2.3
------------------------------------------------------------------------------------
Changes
-Fix web browse hotmail website time out via PPPoE
-Add L2TP traffic passthrough firewall
-Fix PPTP traffic blocked by firewall
-Fix IPSec traffic blocked by firewall
-Fix NTPClient traffic blocked by firewall
-Fix UPNP traffic blocked by firewall
------------------------------------------------------------------------------------
V1.2.2
------------------------------------------------------------------------------------
Changes
-WLAN performace improvement.
-Fix [TCPIP]->[WAN Settings] config from WAN option bug.
-Fix [TCPIP]->[WAN Settings] config echo reply option bug.
-Fix [TCPIP]->[WAN Settings] get DNS automatically bug.
-Fix the WEP and 802.1x can not enable settings at the same time
Default Settings
-[Wireless]->[Advanced Settings] 11g protection from disable to enable
------------------------------------------------------------------------------------
V1.2.1
------------------------------------------------------------------------------------
Changes
-Improve WLAN performance
-Firewall improvement
Default Settings
-[Wireless]->[Basic Settings] WLAN BAND mode from "G" to "B+G"
-[Management]->[Time Zone Settings] NTP timezone (-1,4)(Paris, German...etc.) for ETSI, (+8,4)(US&Canada Pacific Time)
------------------------------------------------------------------------------------
V1.2.0
------------------------------------------------------------------------------------
Initial release
Firmware troubleshooting
Question: According to the rtl8186 SDK, the VPN images above are to be used on a router with a 4M flash mem, can anyone confirm this works with the 2M flash that comes with the Gigafast? This may not be a valid concern if the image is loaded into ram instead of being used directly from the MTD.
Answer: It seems to load on the Gigafast without problems.
***March 3/06*** I have been having problems with the 1.2.7 firmware. Every so often my wireless network will disappear and I must reset the wireless settings. At this time I suggest people do not upgrade to 1.2.7 as I have been able to find a 1.2.5 or 1.2.6 firmware to download online and Gigafast's tech support is unresponsive. If anyone has a 1.2.5 firmware please post it.
***March 6/06*** Select a channel in the Basic wireless settings page, using a site survey beforehand to find an available channel. I experienced the same problem when using the Auto channel setting. BTW, if you're using WPA/WPA2, I'd love to hear if you've been able to stay connected/reconnect after 24 hours without a reset. The logs in firmware v1.2.5 indicated an expired STA problem but v1.2.7 eliminated the log message (without fixing the problem). -- Mike
***June 1/06*** I am having a problem with the 1.2.10 firmware: under the http://192.168.1.254/WlanSetDefaultC.asp page my TxPower OFDM(11g): reads <Blank>. I had set it to 100 which resulted in an error that then resulted in the value negating to nothing. Under the syscmd the register shows: HW_WLAN0_TX_POWER_OFDM=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000. Any suggestions ? -- Larry
***June 4/06*** Resolved by doing a MIB set "flash set HW_WLAN0_TX_POWER_OFDM 6464646464". This reset it to a writeable value. I can now use the hidden power settings "WlanSetDefaultC.asp" to set the Tx Power. -- Larry
***October 15/06*** I just updated my ccandc WA2204A with firmware 1.4.1 and started with the linux_1.4.1.bin. The firmware update was going OK, then it rebooted and I just can't get it working; I tried several things. Now it doesn't work normally anymore: I can't reach or connect to the device anymore, not even with a network cable. I get the Windows message about restricted network possibilities or something, and the WA2204A has a strange IP address (not the 192.168.1.254). Also I can't get to the settings web page, and I have the idea that it does not send at all. I tried the PumpKin software hoping to recover the device, but this does not help. When uploading, the action will abort after a couple of minutes just because I can't connect to it. Does someone have tips or tricks? You guys would help me a lot when I get the device working again. Thanks in advance, greetings, Pieter
***October 17/06*** Anyone have an idea why firmware v1.4.1 limits the maximum MTU value (See TCP/IP Settings, WAN Interface) of the router to 1492 bytes, not allowing you to choose 1500?
***October 24/06*** Czech site has given me the stuff I need, works way better than the Pumpkin sh*t, so no problems anymore! Greetings, Pieter
Alternative Firmwares
There are currently two firmwares that have been tested with this device. Please note, I have not tested if you are able to revert to the original firmware. All the firmware images were updated in recovery mode.
Both are commercial products using GPL code without(?) sources. You will have to use recovery mode and 1.4.1 firmware in order to get to the standard firmware (using 1.2.x firmware in recovery mode will not work). Update: to restore to 1.4.1 firmware, all three .bin firmware files provided by GigaFast must be uploaded in recovery mode, because linux-1.4.bin is only the kernel and supporting software. Upload config-vpn-ogf.bin in recovery mode and wait for it to load, then go back to recovery mode again and upload webpages-vpn.bin, and then finally use recovery mode to flash linux-1.4.bin to the router. The router cannot operate properly without the configuration files in the other two files. (It is unclear why GigaFast split the firmware into three pieces.)
Recovery mode
- Unplug the router
- Hold down the reset button and turn the router on, wait for 5 seconds before releasing the button
- Set your computer's IP in the 192.168.1.2 to 192.168.1.24 range
- Use pumpKIN to upload the firmware.
- Use the above software to send the .bin file to 192.168.1.6
- Wait a couple of minutes, the router should reboot by itself and load the new firmware.
- If the WLAN status light flashes irregularly, there may be a problem with the firmware.
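The upload step above as a minimal TFTP client, added here as an illustration and not taken from the page or the vendor. pumpKIN is a TFTP client and server; that the recovery loader accepts a standard RFC 1350 write request on UDP port 69 in octet mode is an assumption, and the function names are hypothetical. TFTP has no authentication or integrity check, so the function returns the image's SHA-256 for comparison against a known-good copy.

```python
import hashlib
import ipaddress
import pathlib
import socket
import struct

BLOCK = 512  # TFTP data block size (RFC 1350)

def host_ip_ok(ip):
    """True when the PC address is in the page's 192.168.1.2 - 192.168.1.24 range."""
    return 2 <= int(ipaddress.IPv4Address(ip)) - int(ipaddress.IPv4Address("192.168.1.0")) <= 24

def wrq(filename):
    """Write request: opcode 2, file name, NUL, transfer mode, NUL."""
    return struct.pack("!H", 2) + filename.encode("ascii") + b"\0octet\0"

def data_packets(image):
    """Yield (block, DATA packet); a short or empty final block ends the transfer."""
    for n in range(1, len(image) // BLOCK + 2):
        yield n, struct.pack("!HH", 3, n) + image[(n - 1) * BLOCK:n * BLOCK]

def parse_ack(packet):
    """Return the acknowledged block number; raise on a TFTP ERROR or anything else."""
    opcode, value = struct.unpack("!HH", packet[:4])
    if opcode != 4:
        raise IOError("TFTP opcode %d, code %d: %r" % (opcode, value, packet[4:]))
    return value

def send_firmware(path, local_ip, peer=("192.168.1.6", 69), timeout=5.0, retries=5):
    """Upload one .bin image; return its SHA-256 as a record of what was flashed."""
    if not host_ip_ok(local_ip):
        raise ValueError("set the PC to 192.168.1.2 - 192.168.1.24 first")
    image = pathlib.Path(path).read_bytes()
    steps = [(0, wrq(pathlib.Path(path).name))] + list(data_packets(image))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((local_ip, 0))
        sock.settimeout(timeout)
        for block, packet in steps:
            for _ in range(retries):
                sock.sendto(packet, peer)
                try:
                    reply, sender = sock.recvfrom(516)
                except socket.timeout:
                    continue  # nothing came back: send the same packet again
                if parse_ack(reply) == block:
                    peer = sender  # the server answers from its own transfer port
                    break
            else:
                raise IOError("no ACK for block %d" % block)
    return hashlib.sha256(image).hexdigest()
```

With the router already in recovery mode, call it once per image, for example `send_firmware("linux-1.4.bin", "192.168.1.2")`.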
Wireless bridge
The router can be used as a wireless bridge, which is useful if you want to allow another wired network to connect to your wireless network. I use the router like this to allow the computer in my garage to connect to my pre-existing wireless network. In the instructions below, the "host router" is the router that you already have in place and is most likely connected to the internet; the "bridge router" is the GigaFast router that will be in bridge mode; and the "client computer" is the computer or wired LAN that will connect to the bridge router.
It is assumed that the host router is capable of letting other routers connect to it. Look in the user manual, because you might have to change a setting that lets other routers connect to the host router.
- Connect the client computer to one of the LAN ports on the bridge router, and have it obtain an IP automatically.
- Log on to the bridge router. The default IP is 192.168.1.254
- Open the operation mode page, and set the mode to bridge, then apply the changes.
- Open the wireless section, then the basic settings page. Set the mode to client, set network type to infrastructure, set SSID to the same as the host router. Then apply the changes.
- Open the wireless security page. Set the type and key to the same as the host router.
- Now do a site survey, located in the wireless section. Click on the refresh button to get a list of available APs. Select the host router from the list and click connect.
- Now go to the TCP/IP section, and open the LAN interface page. Turn off the DHCP, and give the bridge router an IP in the same range as the host router. Eg: if the host router assigns IPs in the range 192.168.2.x, then give the bridge router the IP 192.168.2.254.
- Now, on the client computer, it should appear that it is connected directly to the host router.
Pictures
More internal photos are available on the BC Wireless Gallery: http://gallery.bcwireless.net/Hardware/radios/GigaFastWF719-CAPR
