General

The GigaFast WF719-CAPR 802.11g is actually the CC&C WA-2204A router (it is registered with the FCC under this name). It is also sold as the Gigafast WF719-CAPR, Blanc Wireless G router BW54R11, MSI RG54SE, Bluecomm WA-2204A, and Zonet ZSR1114WE. The device is an RTL8180/RTL8185/RTL8186 based Linux IGD router. It supports WDS, Client, and AP mode, along with VPN passthrough. It runs Linux (version 2.4.18-MIPS-01.00) and has a 2M Byte Intel TE28F160C3 flash part. Currently, it has 3 open ports:

21/tcp open  ftp
53/tcp open  domain
80/tcp open  http

Hardware

Memory

cat /proc/meminfo
...
MemTotal:        14208 kB
MemFree:          3344 kB

Bridge

brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0002724d37a5       no              eth0
                                                        wlan0

Boot Log

A boot log is available through the web interface

0day 00:03:58 klogd started: BusyBox v1.00-pre8 (2004.12.03-02:38+0000)
0day 00:03:58 Linux version 2.4.18-MIPS-01.00 ([email protected]) (gcc version 3.3.3) #183 Wed Aug 24 15:34:13 IRST
0day 00:03:58 early printk enabled
0day 00:03:58 Determined physical RAM map:
0day 00:03:58  memory: 01000000 @ 00000000 (usable)
0day 00:03:58 Initial ramdisk at: 0x801bd000 (5324800 bytes)
0day 00:03:58 On node 0 totalpages: 4096
0day 00:03:58 zone(0): 4096 pages.
0day 00:03:58 zone(1): 0 pages.
0day 00:03:58 zone(2): 0 pages.
0day 00:03:58 Kernel command line: root=/dev/ram console=0 ramdisk_start=0 single
0day 00:03:58 Calibrating delay loop... 179.40 BogoMIPS
0day 00:03:58 Memory: 8956k/16384k available (1583k kernel code, 7428k reserved, 5332k data, 52k init, 0k highmem)
0day 00:03:58 Dentry-cache hash table entries: 2048 (order: 2, 16384 bytes)
0day 00:03:58 Inode-cache hash table entries: 1024 (order: 1, 8192 bytes)
0day 00:03:58 Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
0day 00:03:58 Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
0day 00:03:58 Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
0day 00:03:58 check_wait... unavailable.
0day 00:03:58 POSIX conformance testing by UNIFIX
0day 00:03:58 Linux NET4.0 for Linux 2.4
0day 00:03:58 Based upon Swansea University Computer Society NET3.039
0day 00:03:58 Initializing RT netlink socket
0day 00:03:58 Starting kswapd
0day 00:03:58 Serial driver version 6.02 (2003-03-12) with no serial options enabled
0day 00:03:58 ttyS00 at 0x00c3 (irq = 3) is a rtl_uart1
0day 00:03:58 state->flags=00000000
0day 00:03:58 Realtek GPIO Driver for Flash Reload Default
0day 00:03:58 block: 64 slots per queue, batch=16
0day 00:03:58 RAMDISK driver initialized: 16 RAM disks of 7000K size 1024 blocksize
0day 00:03:58 PPP generic driver version 2.4.1
0day 00:03:58 PPP MPPE Compression module registered
0day 00:03:58 RealTek Nor-Type Flash System Driver. (C) 2002 RealTek Corp.
0day 00:03:58 Found 1 x 2M Byte Intel TE28F160C3
0day 00:03:58 flash: init complete (31), size 2048(KB) blks 1024 hs 512
0day 00:03:58 RTL8180/RTL8185 driver version 1.6 (2005-03-18)
0day 00:03:58 8186NIC Ethernet driver v0.0.2 (Jan 30, 2004)
0day 00:03:58 eth0: RTL8186-NIC at 0xbd200000, 00:01:02:03:04:05, IRQ 4
0day 00:03:58 eth1: RTL8186-NIC at 0xbd300000, 04:05:06:07:08:09, IRQ 5
0day 00:03:58 nat_speed_init (v1.1)
0day 00:03:58 NET4: Linux TCP/IP 1.0 for NET4.0
0day 00:03:58 IP Protocols: ICMP, UDP, TCP
0day 00:03:58 IP: routing cache hash table of 512 buckets, 4Kbytes
0day 00:03:58 TCP: Hash tables configured (established 1024 bind 2048)
0day 00:03:58 rtl8186_crypto_init()...
0day 00:03:58 rtl8186_crypto: IPSec status(RTL8186_IPSCFR) = B
0day 00:03:58 rtl8186_crypto: IPSec status(RTL8186_IPSCTR) = 2027202
0day 00:03:58 ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
0day 00:03:58 ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
0day 00:03:58 ipsec_md5_init(alg_type=14 alg_id=2 name=md5): ret=0
0day 00:03:58 ipsec_null_init(alg_type=15 alg_id=11 name=null): ret=0
0day 00:03:58 ipsec_sha1_init(alg_type=14 alg_id=3 name=sha1): ret=0
0day 00:03:58 ip_conntrack version 2.1 (128 buckets, 1024 max) - 312 bytes per conntrack
0day 00:03:58 PPTP netfilter connection tracking: registered
0day 00:03:58 PPTP netfilter NAT helper: registered
0day 00:03:58 ip_tables: (C) 2000-2002 Netfilter core team
0day 00:03:58 NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
0day 00:03:58 NET4: Ethernet Bridge 008 for NET4.0
0day 00:03:58 RAMDISK: ext2 filesystem found at block 0
0day 00:03:58 RAMDISK: Loading 5200 blocks [1 disk] into ram disk... done.
0day 00:03:58 Freeing initrd memory: 5200k freed
0day 00:03:58 VFS: Mounted root (ext2 filesystem).
0day 00:03:58 Freeing unused kernel memory: 52k freed
0day 00:03:58 mount /proc file system ok!
0day 00:03:58 device eth0 entered promiscuous mode
0day 00:03:58 eth0:phy is 8305
0day 00:03:58 device wlan0 entered promiscuous mode
0day 00:03:58 br0: port 2(wlan0) entering listening state
0day 00:03:58 br0: port 1(eth0) entering listening state
0day 00:03:58 br0: port 2(wlan0) entering learning state
0day 00:03:58 br0: port 2(wlan0) entering forwarding state
0day 00:03:58 br0: topology change detected, propagating
0day 00:03:58 br0: port 1(eth0) entering learning state
0day 00:03:58 br0: port 1(eth0) entering forwarding state
0day 00:03:58 br0: topology change detected, propagating

Software

Some software that is included on this device includes:

BusyBox

The main shell scripts are run through BusyBox, which has the following commands built in: bg break cd chdir continue eval exec exit export false fg hash help jobs kill local pwd read readonly return set shift times trap true type ulimit umask unset wait

flash

Additionally, there is a "flash" command similar to the nvram command on the WRT54G

Usage: flash cmd
option:
cmd:
      default -- write flash parameters to default.
      get [wlan interface-index] mib-name -- get a specific mib from flash memory.
      set [wlan interface-index] mib-name mib-value -- set a specific mib into flash memory.
      all -- dump all flash parameters.
      reset -- reset current setting to default.
flash extr /web (extract web page from flash)
flash get (list of all variable from setting in flash)
flash (get,set) variable

config file

The config file saveable in the router's web interface has a very primitive obfuscation scheme. Once you've downloaded it, just subtract each byte value from 0xc7 to obtain the plaintext.

Perl one-liner: perl -mbytes=no -npe "s/./chr(0xc7-ord($&))/eg" config.dat > config-plaintext.dat

Hacks

The WF719-CAPR is based on the 8186 AP reference design offered by RealTek. A number of devices sold by various distributors are essentially the same hardware. GigaFast has not modified the RealTek SDK much.

Extract ext2 partition from firmware

  1. Open the .bin file with a hex editor.
  2. Find BZh91AY (the bzip2 header).
  3. Cut from BZh91AY to the end of the file and save it to a new file (1).
  4. Decompress the new file with bunzip2.
  5. Take the last 5200 KB and save it to another new file (2). This is the ext2 partition; everything before it is the kernel.
  6. On a Linux box:
       mkdir /mnt/ext2rtl8186
       mount -o loop /newfile(2) /mnt/ext2rtl8186

Note: The web area is not in the ext2 image; it is extracted from flash at bootup (flash extr /web).
More information available soon at http://www.qcnetwork.com/Linux4Rtl/
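
The same steps as a script, as an added example that is not part of the original page: it locates the BZh91AY signature, decompresses the stream, carves the last 5200 KB and, going one step beyond the procedure, checks the ext2 superblock before you try to mount the result. The function names and the sample image are constructed for illustration.

```python
import bz2
import struct

BZIP2_MAGIC = b"BZh91AY"      # signature the procedure searches for
RAMDISK_SIZE = 5200 * 1024    # "last 5200 KB" = 5324800 bytes, as in the boot log
SUPERBLOCK_OFFSET = 1024      # the ext2 superblock starts 1 KiB into the filesystem
EXT2_MAGIC = 0xEF53           # s_magic, stored little-endian on disk


def carve_ramdisk(firmware, ramdisk_size=RAMDISK_SIZE):
    """Return the ext2 ramdisk carved from a firmware image given as bytes."""
    start = firmware.find(BZIP2_MAGIC)
    if start < 0:
        raise ValueError("bzip2 signature BZh91AY not found")
    decomp = bz2.BZ2Decompressor()
    try:
        # Stops at the end of the stream; trailing padding is ignored.
        payload = decomp.decompress(firmware[start:])
    except OSError as exc:
        raise ValueError("corrupt bzip2 stream: %s" % exc)
    if not decomp.eof:
        raise ValueError("bzip2 stream is truncated")
    if len(payload) < ramdisk_size:
        raise ValueError("payload is smaller than the expected ramdisk")
    # Everything before the last ramdisk_size bytes is the kernel.
    return payload[-ramdisk_size:]


def read_superblock(ramdisk):
    """Check the ext2 magic and return the block count and block size."""
    sb = ramdisk[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 58]
    if len(sb) < 58:
        raise ValueError("image too short to hold an ext2 superblock")
    (blocks,) = struct.unpack_from("<I", sb, 4)           # s_blocks_count
    (log_block_size,) = struct.unpack_from("<I", sb, 24)  # s_log_block_size
    (magic,) = struct.unpack_from("<H", sb, 56)           # s_magic
    if magic != EXT2_MAGIC:
        raise ValueError("no ext2 magic: wrong offset or wrong ramdisk size")
    return {"blocks": blocks, "block_size": 1024 << log_block_size}


def build_sample_firmware():
    """Constructed stand-in for a firmware .bin: header, bzip2 stream, padding."""
    ramdisk = bytearray(RAMDISK_SIZE)
    struct.pack_into("<I", ramdisk, SUPERBLOCK_OFFSET + 4, 5200)
    struct.pack_into("<I", ramdisk, SUPERBLOCK_OFFSET + 24, 0)
    struct.pack_into("<H", ramdisk, SUPERBLOCK_OFFSET + 56, EXT2_MAGIC)
    kernel = b"KERNEL-STUB " * 1000
    stream = bz2.compress(kernel + bytes(ramdisk))
    return b"HDR0" + bytes(12) + stream + b"\xff" * 64


if __name__ == "__main__":
    image = build_sample_firmware()
    ramdisk = carve_ramdisk(image)
    info = read_superblock(ramdisk)
    print("ramdisk bytes:", len(ramdisk))
    print("ext2 blocks:", info["blocks"], "of", info["block_size"], "bytes")
```

For a real image, read the .bin into bytes, write the return value of carve_ramdisk to a file, and loop-mount that file as in step 6.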

Software

This is essentially the same as the Zyxel P-330W, and the firmware *may* be interchangeable. Update: The firmwares are not interchangeable (at least using the firmware update webpage); the WF719-CAPR rejects the P-330W firmware as invalid after upload.

It looks like the Zyxel product reads the filesystem directly from MTD (as compared to copying everything to RAMdisk). See the following thread for more info (and a possible buildroot/partial source for another very similar router): http://forum.openwrt.org/viewtopic.php?id=3099

There is also a hidden page on both: http://192.168.1.254/syscmd.asp

Update: The ZyXel also has a "REMOTE_TELNET" flash option, and a telnetd binary, however when this flash option was set and the device rebooted, it bricked.

There is no "ls" command. However, typing echo /usr/* will list files in /usr/.

/bin/busybox --help will fail, but try "/bin/busybox --help > file" and then "cat file":

BusyBox v1.00-pre8 (2004.12.03-02:38+0000) multi-call binary

Usage: busybox [function] [arguments]...

Currently defined functions:

From firmware v1.2.9, help

Built-in commands:
-------------------
        . : bg break cd chdir continue eval exec exit export false fg
        hash help jobs kill local pwd read readonly return set shift
        times trap true ulimit umask unset wait

"ash -c 'echo datatogotofile' > filename |" can be used to upload ASCII data to a file.

There is also a page to set "tx power": http://192.168.1.254/ccncsetup.asp along with an even more advanced page (that lets you set the regulatory domain and other miscellaneous settings): http://192.168.1.254/WlanSetDefaultC.asp

From firmware v1.2.9, cat /proc/cpuinfo

system type             : Philips Nino
processor               : 0
cpu model               : R3000 V0.0
BogoMIPS                : 179.40
wait instruction        : no
microsecond timers      : no
tlb_entries             : 64
extra interrupt vector  : no
hardware watchpoint     : no
VCED exceptions         : not available
VCEI exceptions         : not available
ll emulations           : 0
sc emulations           : 0

More on executing commands on the router

I wrote a small utility to make it easier to play with the router. It suffers the same limitations as the web interface, such as the command length limit. At a later point I might manage the time to add a file uploader to it and work around the command length limit (current idea is repeated cat >> /tmp/cmd.sh and then executing that).

This compiled cleanly for me on Linux, Cygwin, and OS X. You need cURL (libcurl) because that is what I use for HTTP. When you run it, make sure there is a "secrets" in CWD that contains username:password to log in to your router.

To compile
$ cc rshell3.c -o rshell3 -lcurl
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#include <errno.h>
#include <curl/easy.h>
struct void_mem_object
{
        size_t size;
        char *p;
};
size_t store_curl_object(void *p, size_t size, size_t nmemb, struct void_mem_object *data);
int http_post_request(char **p, size_t *size, char *url, char **vars);
int exec_cmd(char *cmd, char **o, char *addr);
#define ces curl_easy_setopt
int main(int argc, char **argv)
{
char cmd[1048], *o;
char cmd_run[2048];
char path[1024] = "/";
int retry=3;
        curl_global_init(CURL_GLOBAL_ALL);

        if ( argc < 2 ) {
                fprintf(stderr, "%s ip_addr\n", argv[0]);
                return EINVAL;
        }

        while ( retry-- ) {
                exec_cmd("cat /proc/version", &o, argv[1]);
                if ( o )
                        printf("%s\n", o);
                else {
                        printf("retrying...\n");
                        continue;
                }
                free(o);
                break;
        }

        if ( retry < 0 ) {
                fprintf(stderr, "unable to access the router at %s\n", argv[1]);
                return EHOSTDOWN;
        }

        while ( 1 ) {
                printf("%s # ", path);
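                if ( !fgets(cmd, sizeof(cmd), stdin) )
                        break;                          /* EOF on stdin: leave the shell */
                cmd[strcspn(cmd, "\n")] = 0;            /* strip the trailing newline */
                if ( !strstr(cmd, "cd ") ) {
                        snprintf(cmd_run, sizeof(cmd_run), "cd %s; %s", path, cmd);
                        exec_cmd(cmd_run, &o, argv[1]);
                        if ( o ) printf("%s\n", o);
                }
                else {
                        /* a cd was issued: ask the router for the new working directory */
                        snprintf(cmd_run, sizeof(cmd_run), "cd %s; %s; echo $PWD", path, cmd);
                        exec_cmd(cmd_run, &o, argv[1]);
                        if ( o ) snprintf(path, sizeof(path), "%s", o);
                }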
                if ( o ) free(o);
        }

        return 0;
}
int exec_cmd(char *cmd, char **o, char *addr)
{
char *header=0, *output=0, *p;
size_t size;
char *arg[] = { "sysCmd", "echo+*", "apply", "Apply", "submit-url", "%2Fsyscmd.asp", 0 };
char cmdbuf[1024];
char *headerend, *location;
int errpass;
        *o = 0;         /* callers test and free *o, so never leave it uninitialized */
        arg[1] = cmd;
        sprintf(cmdbuf, "http://%s/goform/formSysCmd", addr);
        if ( errpass = http_post_request(&header, &size, cmdbuf, arg) )
                return errpass;

        if ( !(headerend = strstr(header, "\r\n\r\n")) ) {
                fprintf(stderr, "invalid reply from router: can't find header\n");
                goto exec_cmd_err;
        }
        *headerend = 0;
        if ( !(location = strstr(header, "Location:")) ) {
                fprintf(stderr, "invalid reply from router: can't find redirect\n");
                goto exec_cmd_err;
        }

        location += sizeof("Location:");        /* skip "Location:" and the space after it */
        /* end the URL at its own line break; if Location is the last header,
           the string already ends where the header block was terminated */
        if ( (headerend = strstr(location, "\r\n")) )
                *headerend = 0;
        if ( (errpass = http_post_request(&output, &size, location, 0)) ) {
                free(header);
                return errpass;
        }

        free(header); header = 0;
        if ( !(p = strstr(output, "wrap=\"virtual\">")) ) {
                fprintf(stderr, "empty output\n");
                goto empty_output;
        }
        p += (sizeof("wrap=\"virtual\">")-1);
        if ( !(headerend = strstr(p, "\n</textarea>")) ) {
                fprintf(stderr, "unparseable command output\n");
                goto exec_cmd_err;
        }
        *headerend = 0;
        *o = malloc(strlen(p)+1);
        strcpy(*o, p);

        empty_output:
        free(output);

        return 0;

        exec_cmd_err:
                *o = 0;
                if ( header ) free(header);
                if ( output ) free(output);
                return -1;
}
int http_post_request(char **p, size_t *size, char *url, char **vars)
{
CURL *cr=0;
struct void_mem_object data = {0,0};
FILE *fp;
char secret[100];
char postvars[4096], *pp;
size_t len=0;
struct curl_slist *headers=NULL;
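        /* credentials are read from a file named "secret" in the current directory */
        if ( !(fp = fopen("secret", "r")) ) {
                fprintf(stderr, "unable to open secret. please make sure to have a secret file in the current directory in format of username:password to access your router\n");
                goto err;
        }
        if ( !fgets(secret, sizeof(secret), fp) ) {
                fclose(fp);
                fprintf(stderr, "secret file is empty\n");
                goto err;
        }
        fclose(fp);
        secret[strcspn(secret, "\r\n")] = 0;    /* a trailing newline would become part of the password */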
        cr = curl_easy_init();
        ces(cr, CURLOPT_URL, url);
        ces(cr, CURLOPT_WRITEFUNCTION, store_curl_object);
        ces(cr, CURLOPT_WRITEDATA, (void*)&data);
        ces(cr, CURLOPT_USERPWD, secret);
        ces(cr, CURLOPT_USERAGENT, "rshell/1.0");
        ces(cr, CURLOPT_HEADER, 1L);    /* keep response headers in the output; libcurl expects a long */

        if ( vars ) {
                pp = postvars;
                while ( *vars ) {
                        len = strlen(*vars);
                        memcpy(pp, *vars, len);
                        pp += len;
                        *pp = '=';
                        ++pp;
                        ++vars;
                        if ( !*vars ) {
                                fprintf(stderr, "error, unbalanced variable-argument count, var-args element count should always be divisible by 2\n");
                                goto err;
                        }
                        len = strlen(*vars);
                        memcpy(pp, *vars, len);
                        pp += len;
                        *pp = '&';
                        ++pp;
                        ++vars;
                }
                *--pp = 0;
                ces(cr, CURLOPT_POSTFIELDS, postvars);
                //printf("-->%s\n", postvars);
        }
        if ( curl_easy_perform(cr) )
                goto err;
        curl_easy_cleanup(cr);
        *p = data.p;
        *size = data.size;

        return 0;

        err:
                if ( cr ) curl_easy_cleanup(cr);
                if ( data.p ) free(data.p);
                return -1;
}
size_t store_curl_object(void *p, size_t size, size_t nmemb, struct void_mem_object *data)
{
size_t realsize;
void *rp;
        realsize = size*nmemb;
        if ( !(rp = realloc(data->p, data->size+realsize+1)) ) {
                perror("realloc failed");
                return -1;
        }


        data->p = rp;
        memcpy(&data->p[data->size], p, realsize); // \0?
        data->size += realsize;
        data->p[data->size] = 0;

        return realsize;
}

Maximum Size of the nat connection tracking table

The default size of the connection tracking table is 1024 on firmware 1.2.8 and below, and with firmware 1.2.9 and higher it seems to have been set EVEN LOWER! Now it defaults to 512. This becomes a major problem if you have a lot of open connections; usually this is the case with p2p programs such as BitTorrent, where hitting 1024 connections is quite common. Your router will feel slow and take a long time to execute a request. You can check if you're hitting the conntrack limit via the syslog at http://192.168.1.254/syslog.asp. If you are hitting this limit you will see this message fairly frequently (like 100 times a second or so!):

Apr 15 01:00:11 NET: 13 messages suppressed.
Apr 15 01:00:11 ip_conntrack: table full, dropping packet.

Solution: Increase the IP connection tracking table size, which is fairly easy to do. /proc/sys/net/ipv4/ip_conntrack_max is the control file; you can read it to see the current limit, and write to it to change the limit.

cat /proc/sys/net/ipv4/ip_conntrack_max

This will return the current limit.

Pasting this into the system command page will allow you to alter the limit:

echo `echo 3300 > /proc/sys/net/ipv4/ip_conntrack_max` > /tmp/a

Change the number to however many connections you need. I found that 3300 is the perfect number for me. This of course needs to be done every time the router is rebooted. Perhaps the person who has a direct line to 'god' can convince them to default this value to 3000 or something much more reasonable?
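
An added example (not from the original page) that counts these drops in a saved copy of the syslog, so you can see when the limit is being hit and whether a new value has fixed it. It assumes a "messages suppressed" line with the same timestamp as a table-full line stands for further rate-limited copies of that message; the sample lines are constructed from the two shown above.

```python
import re

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(.*)$")
SUPPRESSED_RE = re.compile(r"^NET: (\d+) messages suppressed\.$")
TABLE_FULL = "ip_conntrack: table full, dropping packet."

# Constructed sample: the first two lines are the ones quoted above, the
# rest are made up to show a second burst and an unrelated suppressed count.
SAMPLE_SYSLOG = """\
Apr 15 01:00:11 NET: 13 messages suppressed.
Apr 15 01:00:11 ip_conntrack: table full, dropping packet.
Apr 15 01:00:16 NET: 97 messages suppressed.
Apr 15 01:00:16 ip_conntrack: table full, dropping packet.
Apr 15 01:00:20 NET: 4 messages suppressed.
Apr 15 01:00:20 start DNS Relay Daemon
""".splitlines()


def conntrack_drops(lines):
    """Return {timestamp: estimated dropped packets} for table-full seconds."""
    explicit = {}     # table-full lines actually logged, per timestamp
    suppressed = {}   # rate-limited messages reported as suppressed, per timestamp
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        hit = SUPPRESSED_RE.match(msg)
        if hit:
            suppressed[stamp] = suppressed.get(stamp, 0) + int(hit.group(1))
        elif msg == TABLE_FULL:
            explicit[stamp] = explicit.get(stamp, 0) + 1
    # Only attribute suppressed messages to conntrack when a table-full
    # line was logged in the same second.
    return {s: n + suppressed.get(s, 0) for s, n in explicit.items()}


def worst_second(drops):
    """Return (timestamp, count) for the busiest second, or None if no drops."""
    if not drops:
        return None
    return max(drops.items(), key=lambda item: item[1])


if __name__ == "__main__":
    drops = conntrack_drops(SAMPLE_SYSLOG)
    for stamp, count in drops.items():
        print(stamp, "about", count, "packets dropped")
    print("worst second:", worst_second(drops))
```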

May 10/06 Attempted to paste "echo echo 3300 > /proc/sys/net/ipv4/ip_conntrack_max > /tmp/a" into syscmd under V1.2.10 but found that input was truncated - anyone found a workaround?

May 11/06 There is a workaround to this: simply grab the page source of syscmd.asp by clicking "View Source" in your browser, then copy it into a new HTML page, replacing

<form action=/goform/formSysCmd method=POST name="formSysCmd"> with <form action=http://192.168.2.1/goform/formSysCmd method=POST name="formSysCmd">

(where 192.168.2.1 is your router's IP)

and

<input type="hidden" value="/syscmd.asp" name="submit-url"> with <input type="hidden" value="http://192.168.2.1/syscmd.asp" name="submit-url">

and

<td><input type="text" name="sysCmd" value="" size="20" maxlength="50"></td> with <td><input type="text" name="sysCmd" value="" size="20" maxlength="100"></td>

(this makes sure that you have a 100 maxlength...adjustable to whatever you want)

Open up the page in a web browser, and away you go.


June 12/06

Cut and paste the following into a text editor and save it as an .html file. (Don't forget to change the variables.) Load it into Firefox (Opera and IE will not work) to automatically reboot the router, wait 2 minutes and then execute the command to change the size of the connection tracking table. You can actually do this for any command you want to execute!

<body onload='reboot();' >
<SCRIPT ID=clientEventHandlersJS LANGUAGE=javascript>
<!--
/*
This script was designed for the Gigafast Router WF719-CAPR.  You must load this page in Firefox ONLY!
The script will reboot the router, wait 2 minutes, then reset the Maximum Size of the nat connection tracking table
to 3300 from 512 or 1024.  You need to change the loginID, passWord and ipAddress variables to match your system.
For more information on this router go to
http://bcwireless.net/moin.cgi/GigaFast_WF719-CAPR
*/
  var loginID= 'yourlogin'
  var passWord= 'yourpassword'
  var ipAddress= '192.168.2.1'
  var rebootCMD = 'sysCmd=reboot'
  var fixnatCMD = "sysCmd=echo `echo 3300 ^> /proc/sys/net/ipv4/ip_conntrack_max` ^> /tmp/a"

  function reboot()
  {
        netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");

        var xmlhttp = new XMLHttpRequest();

        xmlhttp.open('POST','http://'+loginID+':'+passWord+'@'+ipAddress+'/goform/formSysCmd',false);
        xmlhttp.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
        xmlhttp.send(rebootCMD);

        setTimeout("fixnattable()", 120000)
  }

  function fixnattable()
  {
        netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");

        var xmlhttp = new XMLHttpRequest();

        xmlhttp.open('POST','http://'+loginID+':'+passWord+'@'+ipAddress+'/goform/formSysCmd',false);
        xmlhttp.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
        xmlhttp.send(fixnatCMD);
  }

//-->
</SCRIPT>

</body>


Aug 31/06

I was inspired by the previous post to write a script that would work regardless of whether you used IE, Firefox or any other browser. Cut and paste the following into a text editor and save it as a .vbs file (don't forget to change the variables). Double clicking the file will automatically reboot the router, then the script will wait 1.5 minutes and execute the command to change the size of the connection tracking table. It took me weeks of trial and error but I finally found 4200 to be rock solid - now if only there were a way to make the Wi-Fi more stable.

'Gigafast_reboot_resetNAT.vbs
'This script was designed for the Gigafast Router WF719-CAPR.
'The script will reboot the router, wait 1.5 minutes, then reset the Maximum Size of the nat connection tracking table
'to 4200 from 512 or 1024.  You need to change the loginID, passWord and ipAddress variables to match your system.
'For more information on this router go to
'http://bcwireless.net/moin.cgi/GigaFast_WF719-CAPR
Dim strUName, strUPass, strRouterIP, intNatConTable
strUName = "username"
strUPass = "password"
strRouterIP = "192.168.1.254"
intNatConTable  = 4200
On Error Resume Next
Set objHTTP = CreateObject("Microsoft.XMLHTTP")
objHTTP.open "POST", "http://" & strUName & ":" & strUPass & "@" & _
        strRouterIP & "/goform/formSysCmd", False
objHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objHTTP.send "sysCmd=reboot"
'MsgBox objHTTP.responseText
'wait for 1.5 minutes before resetting the Maximum Size of the nat connection tracking table
WScript.Sleep(90000)
objHTTP.open "POST", "http://" & strUName & ":" & strUPass & "@" & _
        strRouterIP & "/goform/formSysCmd", False
objHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objHTTP.send "sysCmd=echo `echo " & intNatConTable  & " > /proc/sys/net/ipv4/ip_conntrack_max` > /tmp/a"
'MsgBox objHTTP.responseText
Set objHTTP = Nothing


Also, I tried to run ShieldUp! (on grc.com) with DMZ enabled and the router crashed and rebooted. Anybody know why?

Hardware

The 8186 SoC has onboard JTAG and serial IO (UARTs). I have verified continuity on a GigaFast board with a multimeter. Using the squared connection of J1 as the first of six pins:

Board   RTL8186  Symbol      Description
------  -------  ----------  ------------------------------
Pin 1   Pin 51   DVDD33      CPU power +3.3V (Digital).
Pin 2   Pin 80   UCTS0PIN    UART0 Clear-to-Send signal.
Pin 3   Pin 73   URTS0PIN    UART0 Request-to-Send signal.
Pin 4   Pin 79   USIN0PIN    UART0 In data signal.
Pin 5   Pin 58   USOUT0PIN   UART0 Out data signal.
Pin 6   Pin 35   DGND33      CPU 3.3 GND (Digital).

This thread on SourceForge details a "Successful connection with C54BRS4 Version 2" (a very similar device to the WF719-CAPR).

From the post by "Eneko":

I have joined CTS and RTS together (loopback handshaking), and then used an adaptor with the MAX3232 and five 0.1 uF tantalum capacitors, with HyperTerminal configured as follows:

Speed: 38400
Data bits: 8
Parity: None
Stop bits: 1
Flow Control: Xon/Xoff

I have a successful connection!

Update

I have a successful connection on my GigaFast and Blanc thanks to Eneko!!!
Picture: http://www.qcnetwork.com/Linux4Rtl/screenshots.php
# reboot
The system is going down NOW !!
Sending SIGTERM to all processes.
Terminated
[1] + Terminated                 webs
# Sending Please stand by while rebooting the system.
Restarting system.
Shutdown network interface
eth0:===>
br0: port 1(eth0) entering disabled state
eth1:===>
br0:===>
Enable Watch Dog to Reset whole system
UART1 output test ok
Uart init
mfid=00000089 devid=000088c3
Found 1 x 2M flash memory
---RealTek(RTL8186)at 2005.04.22-12:14+0800 version 1.3b [32bit](180MHz)
no sys signature at 00010000!
Jump to image start=0x80800000...
early printk enabled
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
Initial ramdisk at: 0x801c4000 (5324800 bytes)
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/ram console=0 ramdisk_start=0 single
Calibrating delay loop... 179.40 BogoMIPS
Memory: 8924k/16384k available (1604k kernel code, 7460k reserved, 5336k data, 52k init, 0k highmem)
Dentry-cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode-cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
check_wait... unavailable.
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Serial driver version 6.02 (2003-03-12) with no serial options enabled
ttyS00 at 0x00c3 (irq = 3) is a rtl_uart1
state->flags=00000000
Realtek GPIO Driver for Flash Reload Default
block: 64 slots per queue, batch=16
RAMDISK driver initialized: 16 RAM disks of 7000K size 1024 blocksize
PPP generic driver version 2.4.1
PPP MPPE Compression module registered
RealTek Nor-Type Flash System Driver. (C) 2002 RealTek Corp.
Found 1 x 2M Byte Intel TE28F160C3
flash: init complete (31), size 2048(KB) blks 1024 hs 512
RTL8180/RTL8185 driver version 1.8 (2005-09-23)
8186NIC Ethernet driver v0.0.2 (Jan 30, 2004)
eth0: RTL8186-NIC at 0xbd200000, 00:01:02:03:04:05, IRQ 4
eth1: RTL8186-NIC at 0xbd300000, 04:05:06:07:08:09, IRQ 5
nat_speed_init (v1.1)
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
rtl8186_crypto_init()...
rtl8186_crypto: IPSec status(RTL8186_IPSCFR) = B
rtl8186_crypto: IPSec status(RTL8186_IPSCTR) = 2027202
ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
ipsec_md5_init(alg_type=14 alg_id=2 name=md5): ret=0
ipsec_null_init(alg_type=15 alg_id=11 name=null): ret=0
ipsec_sha1_init(alg_type=14 alg_id=3 name=sha1): ret=0
ip_conntrack version 2.1 (128 buckets, 1024 max) - 312 bytes per conntrack
PPTP netfilter connection tracking: registered
PPTP netfilter NAT helper: registered
ip_tables: (C) 2000-2002 Netfilter core team
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
RAMDISK: ext2 filesystem found at block 0
RAMDISK: Loading 5200 blocks [1 disk] into ram disk... done.
Freeing initrd memory: 5200k freed
VFS: Mounted root (ext2 filesystem).
Freeing unused kernel memory: 52k freed
mount /proc file system ok!
serial console detected.  Disabling virtual terminals.
init started:  BusyBox v1.00-pre8 (2004.12.03-02:38+0000) multi-call binary
BusyBox v1.00-pre8 (2004.12.03-02:38+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
killall: pptp.sh: no process killed
killall: pppoe.sh: no process killed
Initialize wlan0 interface
Setup BRIDGE interface
killall: syslogd: no process killed
killall: klogd: no process killed
SIOCGIFFLAGS: No such device
bridge br0 doesn't exist; can't delete it
Setup bridge...
device eth0 entered promiscuous mode
eth0:phy is 8305
SIOCDELRT: No such process
br0: port 1(eth0) entering listening state
br0: port 1(eth0) entering learning state
br0: port 1(eth0) entering forwarding state
br0: topology change detected, propagating
SIOCDELRT: No such process
SIOCDELRT: No such process
SIOCDELRT: No such process
Setup WAN interface
eth1:phy is 8305
killall: ntp.sh: no process killed
deleting routers
SIOCDELRT: No such process
adding dns 192.168.5.254
start DNS Relay Daemon
Set Firewall...
# Check WAN & DNS ......
LOAD DNS ..... done
Setup VPN
#

The voltage regulator used in the device is an AnaChip (now Diodes Inc.) AP1506-33. That's an AP1506 series part that outputs 3.3v. Good news: You can replace the included power brick with anything that supplies 4.5v to 22v at enough current. Datasheet can be found here.

Flash Memory

The flash memory can be read via the upload.asp file. To do so, save it to your computer and add the following above the "Select file" section (it is commented out, so you just have to remove the <!-- and -->):

  <tr>
      <td width="20%"><font size=2><b>Start Address:</b></td>
      <td width="80%"><font size=2><input type="text" name="readAddr" size="10" maxlength="8" value=20000>(hex)</td>
  </tr>
  <tr>
      <td width="20%"><font size=2><b>Size:</b></td>
      <td width="80%"><font size=2><input type="text" name="size" size="10" maxlength="8" value=F0000>(hex)</td>
  </tr>
  <tr>
      <td width="20%"><font size=2><b>Save File:</b></td>
      <td width="80%"><font size=2>
      <p><input type="submit" value="Save..." name="save"></p></td>
  </tr>

This will allow you to read any part of memory, and download it. You will also need to modify the form tag to be:

<form method="post" action="http://192.168.1.254/goform/formUpload" ...
To download the entire flash, use these values:
      readAddr value=00000000
      size value=200000

Flash structure

16k   Boot code          start address 0x00000000
--------------------
8k
8k    H/W setting
--------------------
16k   default setting
16k   current setting
--------------------
64k   web pages          start address 0x00010000
--------------------
1920k Linux              start address 0x00020000
More information:
http://www.smallworks.com/~jim/RTL8186/izwbit.wil.pk.edu.pl/ftp/rtl8186/RTL8186%20Linux%20system%20note.doc

Note for custom firmware

Pressing "Save" by default will save the web area firmware part. If you are able to create a custom web area rom, this would allow for extra programs to be added to the device.

The same type of flash storage compression appears to be used on the following device: http://melbourne.wireless.org.au/wiki/?MinitarHacking (search for "WEBP")

Latest firmware

This router has been marketed under the name "blanc". The hardware and firmware are identical. The "manufacturers" sites are housed in the same location and network. This is normally done to accommodate specific retailers (think lowest price guarantees on "identical" hardware models).

The latest firmware available from the distributor: v1.4.2

Available at the following URL: http://www.elektronika.opatnet.cz/storage/firmware/WA2204/ (tested on the Gigafast and works flawlessly after 42 days of uptime).

Changes:

  1. Update WLAN driver
  2. Add WLAN Block Relay feature via web
  3. Add WLAN WMM feature in AP mode
  4. Add WLAN Ack Timeout feature
  5. Add ping watchdog feature
  6. Add QoS/Bandwidth Control by IP address
  7. Add DNS1/DNS2/DNS3 information in status page.

GigaFast product support: http://www.gigafast.com/products/product_drivers/WF719-CAPR_drivers.htm
Blanc Networks product support: http://www.blancnetworks.com/products.htm

1.4.x series

The v1.4.x firmwares add a few new pages/features to the router:

  1. "Universal repeater mode", which is performing as an AP and client simultaneously.
  2. "Denial-of-Service" (located in the Management menu), adds DoS prevention, threshold configuration, and further attack prevention options.
  3. RF output power setting, no longer on a hidden page.
  4. Turbo Mode

They also:

  1. update the RTL8185 driver to version 1.9 (03-27-2006)
  2. update the 8186 NIC driver to version 0.0.5 (03-03-2006)
  3. continue the decision to remove the syscmd.asp page (added again in 1.4.2), among others. You must now choose between new features or "hackability" :)

If I were a betting man, I'd say the 1.4.x firmware was updated for the US debut of this router.

08-30-2006 - Firmware v1.4.1 released on GigaFast site. Changelog starts at v1.4.0, with no mention of prior firmwares. There is mention of RTL8187s, which may indicate a hardware revision or dual-use firmware.

1.2.x series

04-18-2006 - Firmware 1.2.10 available, GigaFast and Blanc now both have version 1.2.10 posted on their site.

WARNING!!! Firmware version 1.2.9 (perhaps 1.2.8, untested) removes the syscmd.asp, ccncsetup.asp, WlanSetDefaultC.asp, and WlanSetDefaultC_14.asp files. The webpages.bin file from older versions can be used with newer firmware in order to avoid losing the above pages (within the 1.2.x series - using it with v1.4.x series firmware will deprive you of access to new features).

Alternate sources:
(You may find older references and/or discussions of same in the Discussion page. As more material is added, only the most current should be found here.)

06-01-2006 - older firmware 1.2.4 is available from the following link http://www.bluecomm.com.tw/download/WA2204A/WA2204AV124.zip

04-06-2006 - Czech language wifi site has WA-2204A firmware updates
http://www.inwifi.cz/stahnete-si/?k=152

04-03-2006 - firmware upgrade (1.2.8.1)... someone is hosting the file for me. If the link becomes dead, email at [email protected]. I just got word someone in the UK has version 1.2.9; will try to get that ASAP
http://members.shaw.ca/dmadkr3/linux-v1281-eng2.bin

Included with the driver file is a readme with information on driver revisions

------------------------------------------------------------------------------------
V1.2.7
------------------------------------------------------------------------------------
Changes
-Improve WLAN performance
-Improve firewall security
-Fix WEP web display irregulation while setting WDS
------------------------------------------------------------------------------------
V1.2.6
------------------------------------------------------------------------------------
Changes
-Fix UPNP can't work when change lan ip address.
------------------------------------------------------------------------------------
V1.2.5
------------------------------------------------------------------------------------
Changes
-Fix UPNP IGD retrive data fail ocasionally.
-Fix Intel BG2200 can't login hotmail and yahoo mail under secure mode (https) .
-Make webpages to be used friendly
(On Wizard page ,select gateway mode , wlan mode will auto change ap mode).
------------------------------------------------------------------------------------
V1.2.4
------------------------------------------------------------------------------------
Changes
-Fix can not do web configuration after setting "Operation Mode" as Bridge
-Fixed Client mode after settings "Operation Mode" ad WISP
------------------------------------------------------------------------------------
V1.2.3
------------------------------------------------------------------------------------
Changes
-Fix web browse hotmail website time out via PPPoE
-Add L2TP traffic passthrough firewall
-Fix PPTP traffic blocked by firewall
-Fix IPSec traffic blocked by firewall
-Fix NTPClient traffic blocked by firewall
-Fix UPNP traffic blocked by firewall
------------------------------------------------------------------------------------
V1.2.2
------------------------------------------------------------------------------------
Changes
-WLAN performace improvement.
-Fix [TCPIP]->[WAN Settings] config from WAN option bug.
-Fix [TCPIP]->[WAN Settings] config echo reply option bug.
-Fix [TCPIP]->[WAN Settings] get DNS automatically bug.
-Fix the WEP and 802.1x can not enable settings at the same time
Default Settings
-[Wireless]->[Advanced Settings] 11g protection from disable to enable
------------------------------------------------------------------------------------
V1.2.1
------------------------------------------------------------------------------------
Changes
-Improve WLAN performance
-Firewall improvement
Default Settings
-[Wireless]->[Basic Settings] WLAN BAND mode from "G" to "B+G"
-[Management]->[Time Zone Settings] NTP timezone (-1,4)(Paris, German...etc.)
 for ETSI, (+8,4)(US&Canada Pacific Time)
------------------------------------------------------------------------------------
V1.2.0
------------------------------------------------------------------------------------
Initial release

Firmware troubleshooting

Question: According to the rtl8186 SDK, the VPN images above are to be used on a router with a 4M flash mem, can anyone confirm this works with the 2M flash that comes with the Gigafast? This may not be a valid concern if the image is loaded into ram instead of being used directly from the MTD.

Answer: It seems to load on the Gigafast without problems.

***March 3/06*** I have been having problems with the 1.2.7 firmware. Every so often my wireless network will disappear and I must reset the wireless settings. At this time I suggest people do not upgrade to 1.2.7 as I have been able to find a 1.2.5 or 1.2.6 firmware to download online and Gigafast's tech support is unresponsive. If anyone has a 1.2.5 firmware please post it.

***March 6/06*** Select a channel in the Basic wireless settings page, using a site survey beforehand to find an available channel. I experienced the same problem when using the Auto channel setting. BTW, if you're using WPA/WPA2, I'd love to hear if you've been able to stay connected/reconnect after 24 hours without a reset. The logs in firmware v1.2.5 indicated an expired STA problem but v1.2.7 eliminated the log message (without fixing the problem). -- Mike

***June 1/06*** I am having a problem with the 1.2.10 firmware: under the http://192.168.1.254/WlanSetDefaultC.asp page my TxPower OFDM(11g): reads <Blank>. I had set it to 100 which resulted in an error that then resulted in the value negating to nothing. Under the syscmd the register shows: HW_WLAN0_TX_POWER_OFDM=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000. Any suggestions ? -- Larry

***June 4/06*** Resolved by doing a MIB set "flash set HW_WLAN0_TX_POWER_OFDM 6464646464". This reset it to a writeable value. I can now use the hidden power settings "WlanSetDefaultC.asp" to set the Tx Power -- Larry

***October 15/06*** I just updated my ccandc WA2204A with firmware 1.4.1 and started with the linux_1.4.1.bin. The firmware update was going OK, then it rebooted and I just can't get it working; tried several things. Now it doesn't work anymore/normally, I can't reach/connect to the device anymore :( , not even with a network cable. I get the Windows message, restricted network possibilities or something, and the WA2204A has a strange IP address (not the 192.168.1.254). Also I can't get on the settings web page, and I have the idea that it does not send at all. I tried the PumpKin software hoping to recover the device, but this does not help. When uploading, the action will abort after a couple of minutes just because I can't connect to it. Anyone have tips or tricks? You guys would help me a lot if I get the device working again. Thanks in advance, greetings Pieter

***October 17/06*** Anyone have an idea why firmware v1.4.1 limits the maximum MTU value (See TCP/IP Settings, WAN Interface) of the router to 1492 bytes, not allowing you to choose 1500?

***October 24/06*** Czech site has given me the stuff I need, works way better than the Pumpkin sh*t, so no problems anymore! Greetings, Pieter

Alternative Firmwares

There are currently two firmwares that have been tested with this device. Please note, I have not tested if you are able to revert to the original firmware. All the firmware images were updated in recovery mode.

* aplite54g-14.07.2006

* AP ROUTER NG 6.0a

Both are commercial products using GPL code without(?) sources. You will have to use recovery mode and 1.4.1 firmware in order to get to the standard firmware (using 1.2.x firmware in recovery mode will not work). Update: to restore to 1.4.1 firmware, all three .bin firmware files provided by GigaFast must be uploaded in recovery mode; the linux-1.4.bin is only the kernel and supporting software; you will need to upload config-vpn-ogf.bin in recovery mode, wait for it to load, go back to recovery mode again and upload webpages-vpn.bin, and then finally use recovery mode to flash linux-1.4.bin to the router. This is because the router cannot operate properly without the configuration files in the other two files. (It is unclear why GigaFast split the firmware into three pieces.)

Recovery mode

  1. Unplug the router
  2. Hold down the reset button and turn the router on, wait for 5 seconds before releasing the button
  3. Set your computer's IP in the 192.168.1.2 to 192.168.1.24 range
  4. Use pumpKIN to upload the firmware.

  5. Use the above software to send the .bin file to 192.168.1.6
  6. Wait a couple of minutes, the router should reboot by itself and load the new firmware.
  7. If the WLAN status light flashes irregularly, there may be a problem with the firmware.
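
A pre-flight check for the recovery steps and the three-file restore order described above, as an added example that is not part of the original page or GigaFast's tooling: it confirms the workstation address, the upload order, and that each image fits the flash region from the layout, and records a SHA-256 of each file. The mapping of files to flash regions and the function names are assumptions.

```python
import hashlib
import ipaddress

# Values taken from the page: 2 MB flash, region start addresses, recovery addresses.
FLASH_SIZE = 2 * 1024 * 1024
WEB_START, LINUX_START = 0x00010000, 0x00020000
RECOVERY_TARGET = ipaddress.ip_address("192.168.1.6")
HOST_LOW = ipaddress.ip_address("192.168.1.2")
HOST_HIGH = ipaddress.ip_address("192.168.1.24")

# Upload order from the page. The file-to-region mapping is an assumption;
# None means no size limit is checked for that file.
RESTORE_ORDER = [
    ("config-vpn-ogf.bin", None),
    ("webpages-vpn.bin", LINUX_START - WEB_START),   # 64k web pages area
    ("linux-1.4.bin", FLASH_SIZE - LINUX_START),     # 1920k Linux area
]


def check_host_ip(host_ip):
    """Reject a workstation address outside the recovery range or equal to the router's."""
    ip = ipaddress.ip_address(host_ip)
    if not HOST_LOW <= ip <= HOST_HIGH:
        raise ValueError(f"{ip} is outside {HOST_LOW} to {HOST_HIGH}")
    if ip == RECOVERY_TARGET:
        raise ValueError(f"{ip} collides with the router's recovery address")
    return ip


def plan_restore(images, host_ip):
    """images maps file name -> bytes. Returns the upload steps in order,
    each with size and SHA-256, or raises ValueError before anything is sent."""
    check_host_ip(host_ip)
    steps = []
    for name, limit in RESTORE_ORDER:
        data = images.get(name)
        if not data:
            raise ValueError(f"{name} is missing or empty; all three files are needed")
        if limit is not None and len(data) > limit:
            raise ValueError(f"{name} is {len(data)} bytes, region holds {limit}")
        steps.append({"file": name, "size": len(data), "target": str(RECOVERY_TARGET),
                      "sha256": hashlib.sha256(data).hexdigest()})
    return steps


if __name__ == "__main__":
    # Constructed stand-ins for the three images, not real firmware.
    demo = {"config-vpn-ogf.bin": b"\x00" * 4096,
            "webpages-vpn.bin": b"\x01" * 60000,
            "linux-1.4.bin": b"\x02" * 1500000}
    for step in plan_restore(demo, "192.168.1.10"):
        print(step["file"], step["size"], step["sha256"][:16], "->", step["target"])
```

Keep the hashes printed for a set of images that is known to work, so that a later download from one of the mirrors can be compared against them before flashing.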

Wireless bridge

The router can be used as a wireless bridge, which is useful if you want to allow another wired network to connect to your wireless network. I use the router like this to allow the computer in my garage to connect to my pre-existing wireless network. In the instructions below the "host router" is the router that you already have in place, and is most likely connected to the internet; the "bridge router" is the GigaFast router that will be in bridge mode; and the "client computer" is the computer or wired LAN that will connect to the bridge router.

It is assumed that the host router is capable of letting other routers connect to it. Look in the user manual, because you might have to change a setting that will let other routers connect to the host router.

  1. Connect the client computer to one of the LAN ports on the bridge router, and have it obtain an IP automatically.
  2. Log on to the bridge router. The default IP is 192.168.1.254
  3. Open the operation mode page, and set the mode to bridge, then apply the changes.
  4. Open the wireless section, then the basic settings page. Set the mode to client, set network type to infrastructure, set SSID to the same as the host router. Then apply the changes.
  5. Open the wireless security page. Set the type and key to the same as the host router.
  6. Now do a site survey, located in the wireless section. Click on the refresh button to get a list of available APs. Select the host router from the list and click connect.
  7. Now go to the TCP/IP section, and open the LAN interface page. Turn off the DHCP, and give the bridge router an IP in the same range as the host router. Eg: if the host router assigns IPs in the range 192.168.2.x, then give the bridge router the IP 192.168.2.254.
  8. Now, on the client computer, it should appear that it is connected directly to the host router.

Pictures

WF719-CAPRTopside.jpg

WF719-CAPRUnderside.jpg

More internal photos are available on the BC Wireless Gallery: http://gallery.bcwireless.net/Hardware/radios/GigaFastWF719-CAPR

GigaFast_WF719-CAPR (last edited 2012-04-05 18:24:48 by awehttam)

Copyright © British Columbia Wireless Network Society