Při snaze o zprovoznění nových verzí OpenWrt pro router RB951G-2HnD jsem se pokoušel o extrakci Device Tree z původního uzavřeného systému Mikrotiku – RouterOS. Abych lépe porozuměl tomu, jak celý systém funguje, chtěl jsem prozkoumat, jak se chová za chodu. RouterOS má ovšem pouze velmi omezenou příkazovou řádku, tak jsem začal hledat, jak se dostat dovnitř a spustit nějaký rozumný shell.
Zkoušel jsem toto: https://medium.com/tenable-techblog/rooting-routeros-with-a-usb-drive-16d7b8665f90, ale neúspěšně: v mé verzi RouterOS (přesné číslo si nepamatuji, ale byla novější než 6.45.9) to nefungovalo.
Tady jsem musel cross-kompilovat pomocí `mips-linux-gnu-gcc` z ubuntího balíčku `gcc-mips-linux-gnu`. Takto:
# Cross-compile snmp_exec.c for MIPS (mips-linux-gnu is the big-endian target):
# -c stops after producing the object file, -fpic emits position-independent code
# so the object can go into a shared library.
mips-linux-gnu-gcc -c -fpic snmp_exec.c
# Link the object into a shared library (-shared); -s strips the symbol table
# from the resulting lol_mips.so.
mips-linux-gnu-gcc -shared -s -o lol_mips.so snmp_exec.o
Ještě jsem zkusil toto: https://github.com/0ki/mikrotik-tools/tree/master/exploit-defconf a to mi fungovalo po downgradu na verzi 6.45.9.
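RouterOS lze však bohužel downgradovat jen na verzi, která byla v zařízení nainstalována z výroby, na starší už ne. Downgrade zároveň vrací chyby, které novější verze opravily (proto na něm exploit funguje), takže je rozumné mít router po tu dobu odpojený od cizích sítí a po vytažení dat ho zase aktualizovat.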
Nejprve si pomocí skriptu vytvoříme flash disk se souborovým systémem, který obsahuje symbolický odkaz na root. Potom spustíme second stage skript, který se přes ssh připojí k zařízení a nabídne nám shell. Nebudu to zde podrobně rozebírat, více najdete v repozitáři.
Původně jsem se k Device Tree chtěl dostat přes sysfs, ale neúspěšně, protože podle mého zjištění systém na Device Tree postaven není. Potom jsem zkusil nabootovat OpenWrt v initramfs a stáhnout si obsah MTD bloků. Ten jsem prohnal Binwalkem a hledal jednotlivé součásti. Nakonec jsem jeden DTB soubor našel, překonvertoval do DTS a prozkoumal. Bylo to něco univerzálního, kde nesedělo vůbec nic: strom popisuje SoC MediaTek MT7621, kdežto RB951G má podle výpisů níže jádro MIPS 74Kc (AR9344).
/*
 * Device tree recovered from the dumped MTD contents and converted from DTB
 * back to DTS: every value is printed in hex and node references appear as
 * numeric phandles instead of labels.
 *
 * The root "compatible" names a MediaTek MT7621 SoC and the CPU nodes are
 * two mips1004Kc cores. Most board-specific nodes (LED sets, flash chips,
 * PCIe, USB, SD) carry status = "disabled".
 */
/dts-v1/;
/ {
	#address-cells = <0x01>;
	#size-cells = <0x01>;
	compatible = "mediatek,mtk7621-soc";
	cpus {
		cpu@0 {
			compatible = "mips,mips1004Kc";
		};
		cpu@1 {
			compatible = "mips,mips1004Kc";
		};
	};
	/* CPU-level interrupt controller; phandle 0x08 is the interrupt-parent of the GIC below. */
	cpuintc@0 {
		#address-cells = <0x00>;
		#interrupt-cells = <0x01>;
		interrupt-controller;
		compatible = "mti,cpu-interrupt-controller";
		phandle = <0x08>;
	};
	/* Fixed clock without a clock-frequency property in this blob; referenced by the GIC timer (clocks = <0x09>). */
	cpuclock@0 {
		#clock-cells = <0x00>;
		compatible = "fixed-clock";
		phandle = <0x09>;
	};
	/* 0xd1cef00 = 220,000,000 Hz; phandle 0x06 is the clock of spi@b00. */
	hclk@0 {
		#clock-cells = <0x00>;
		compatible = "fixed-clock";
		clock-frequency = <0xd1cef00>;
		phandle = <0x06>;
	};
	/* 0x2faf080 = 50,000,000 Hz; phandle 0x03 is the clock of i2c@900, both uartlite nodes and xhci. */
	sysclock@0 {
		#clock-cells = <0x00>;
		compatible = "fixed-clock";
		clock-frequency = <0x2faf080>;
		phandle = <0x03>;
	};
	/*
	 * Five alternative LED/GPIO sets follow, all disabled and all using the
	 * "leds-rb" compatible. Each gpios value is phandle 0x01 (gpio@600,
	 * #gpio-cells = 2) plus two specifier cells.
	 * NOTE(review): the second cell looks like the pin number and the third
	 * like a flags field; confirm against the leds-rb driver.
	 */
	rb750gr3-leds {
		status = "disabled";
		compatible = "leds-rb";
		user_led {
			label = "user-led";
			gpios = <0x01 0x00 0x00>;
		};
		usb_power_off {
			label = "usb-power-off";
			gpios = <0x01 0x0c 0x01>;
		};
		power_led {
			label = "power-led";
			gpios = <0x01 0x10 0x00>;
			default-state = "on";
		};
		button {
			label = "button";
			gpios = <0x01 0x12 0x01>;
			default-state = "input";
		};
		mode_button {
			label = "mode-button";
			gpios = <0x01 0x0d 0x01>;
			default-state = "input";
		};
	};
	/* Same layout as rb750gr3-leds except that the first entry is sfp-led on cell 0x09 instead of user-led. */
	rb760-leds {
		status = "disabled";
		compatible = "leds-rb";
		sfp_led {
			label = "sfp-led";
			gpios = <0x01 0x09 0x00>;
		};
		usb_power_off {
			label = "usb-power-off";
			gpios = <0x01 0x0c 0x01>;
		};
		power_led {
			label = "power-led";
			gpios = <0x01 0x10 0x00>;
			default-state = "on";
		};
		button {
			label = "button";
			gpios = <0x01 0x12 0x01>;
			default-state = "input";
		};
		mode_button {
			label = "mode-button";
			gpios = <0x01 0x0d 0x01>;
			default-state = "input";
		};
	};
	/* ext-pin3 / ext-pin5 use cells 0x03 and 0x04, the same values as sda-gpios / scl-gpios of i2c_gpio@0 further down. */
	m33-leds {
		status = "disabled";
		compatible = "leds-rb";
		user_led {
			label = "user-led";
			gpios = <0x01 0x00 0x00>;
		};
		ext_pin3 {
			label = "ext-pin3";
			gpios = <0x01 0x03 0x00>;
			default-state = "input";
		};
		ext_pin5 {
			label = "ext-pin5";
			gpios = <0x01 0x04 0x00>;
			default-state = "input";
		};
		pcie_power_off {
			label = "mpcie-power-off";
			gpios = <0x01 0x09 0x01>;
		};
		pcie2_power_off {
			label = "mpcie2-power-off";
			gpios = <0x01 0x0a 0x01>;
		};
		usb_power_off {
			label = "usb-power-off";
			gpios = <0x01 0x0c 0x01>;
		};
		button {
			label = "button";
			gpios = <0x01 0x12 0x01>;
			default-state = "input";
		};
	};
	m11-leds {
		status = "disabled";
		compatible = "leds-rb";
		user_led {
			label = "user-led";
			gpios = <0x01 0x00 0x00>;
		};
		pcie_power_off {
			label = "mpcie-power-off";
			gpios = <0x01 0x09 0x01>;
		};
		button {
			label = "button";
			gpios = <0x01 0x12 0x01>;
			default-state = "input";
		};
		/* led1..led5 count downwards from cell 0x1a to 0x16. */
		led1 {
			label = "led1";
			gpios = <0x01 0x1a 0x01>;
		};
		led2 {
			label = "led2";
			gpios = <0x01 0x19 0x01>;
		};
		led3 {
			label = "led3";
			gpios = <0x01 0x18 0x01>;
		};
		led4 {
			label = "led4";
			gpios = <0x01 0x17 0x01>;
		};
		led5 {
			label = "led5";
			gpios = <0x01 0x16 0x01>;
		};
	};
	/* Largest set: besides LEDs and buttons it lists GPS, LTE and SIM control lines. */
	ltap-leds {
		status = "disabled";
		compatible = "leds-rb";
		user_led {
			label = "user-led";
			gpios = <0x01 0x00 0x00>;
		};
		pcie_power_off {
			label = "mpcie-power-off";
			gpios = <0x01 0x0a 0x01>;
		};
		pcie2_power_off {
			label = "mpcie2-power-off";
			gpios = <0x01 0x0b 0x01>;
		};
		usb_power_off {
			label = "usb-power-off";
			gpios = <0x01 0x0c 0x01>;
		};
		gps_reset {
			label = "gps-reset";
			gpios = <0x01 0x0d 0x00>;
			default-state = "keep";
		};
		gps_pps {
			label = "gps-pps";
			gpios = <0x01 0x0e 0x00>;
		};
		control {
			label = "control";
			gpios = <0x01 0x0f 0x00>;
			default-state = "on";
		};
		gps_timer {
			label = "gps-timer";
			gpios = <0x01 0x10 0x00>;
		};
		button {
			label = "button";
			gpios = <0x01 0x12 0x01>;
			default-state = "input";
		};
		power_led {
			label = "power-led";
			gpios = <0x01 0x17 0x00>;
			default-state = "on";
		};
		mode_button {
			label = "mode-button";
			gpios = <0x01 0x18 0x01>;
			default-state = "input";
		};
		sim_select {
			label = "sim-select";
			gpios = <0x01 0x19 0x01>;
		};
		gps_ant_select {
			label = "gps-ant-select";
			gpios = <0x01 0x1b 0x00>;
		};
		gps_led {
			label = "gps-led";
			gpios = <0x01 0x1c 0x01>;
		};
		lte_reset {
			label = "lte-reset";
			gpios = <0x01 0x1d 0x01>;
		};
		/*
		 * led1..led5 carry type = "wifi" and use cells 0x00..0x04, so led1
		 * has the same gpios value as user_led at the top of this node.
		 */
		led1 {
			label = "led1";
			gpios = <0x01 0x00 0x00>;
			type = "wifi";
		};
		led2 {
			label = "led2";
			gpios = <0x01 0x01 0x00>;
			type = "wifi";
		};
		led3 {
			label = "led3";
			gpios = <0x01 0x02 0x00>;
			type = "wifi";
		};
		led4 {
			label = "led4";
			gpios = <0x01 0x03 0x00>;
			type = "wifi";
		};
		led5 {
			label = "led5";
			gpios = <0x01 0x04 0x00>;
			type = "wifi";
		};
	};
	beeper {
		status = "disabled";
		compatible = "rb,gpio-beep";
		gpios = <0x01 0x0f 0x01>;
	};
	poe-simple {
		status = "disabled";
		compatible = "rb,poe-out-simple";
		eth_port = <0x04>;
		has_low_current_sense = <0x01>;
		gpi_status = <0x01 0x07 0x00>;
		gpo_on = <0x01 0x11 0x00>;
	};
	/*
	 * Peripheral bus at 0x1e000000; child addresses are offsets into it.
	 * The ranges length (0xfffff) is one byte short of the reg size (0x100000).
	 */
	palmbus@1e000000 {
		compatible = "palmbus";
		reg = <0x1e000000 0x100000>;
		ranges = <0x00 0x1e000000 0xfffff>;
		#address-cells = <0x01>;
		#size-cells = <0x01>;
		sysc@0 {
			compatible = "mtk,mt7621-sysc";
			reg = <0x00 0x100>;
		};
		wdt@100 {
			compatible = "mtk,mt7621-wdt";
			reg = <0x100 0x100>;
		};
		/* GPIO controller; phandle 0x01 is the first cell of every gpios property in this tree. */
		gpio@600 {
			#gpio-cells = <0x02>;
			#interrupt-cells = <0x02>;
			compatible = "mediatek,mt7621-gpio";
			gpio-controller;
			interrupt-controller;
			reg = <0x600 0x100>;
			interrupt-parent = <0x02>;
			interrupts = <0x00 0x0c 0x04>;
			phandle = <0x01>;
		};
		i2c@900 {
			compatible = "mediatek,mt7621-i2c";
			reg = <0x900 0x100>;
			clocks = <0x03>;
			resets = <0x04 0x10>;
			reset-names = "i2c";
			#address-cells = <0x01>;
			#size-cells = <0x00>;
			status = "disabled";
			pinctrl-names = "default";
			pinctrl-0 = <0x05>;
		};
		/* Unit address (5000) does not match the reg offset (0x300). */
		memc@5000 {
			compatible = "mtk,mt7621-memc";
			reg = <0x300 0x100>;
		};
		/* cpc and mc give reg values at 0x1fbfxxxx, which lie outside the 0x1e000000 window declared by ranges above. */
		cpc@1fbf0000 {
			compatible = "mtk,mt7621-cpc";
			reg = <0x1fbf0000 0x8000>;
		};
		mc@1fbf8000 {
			compatible = "mtk,mt7621-mc";
			reg = <0x1fbf8000 0x8000>;
		};
		/* The only UART without status = "disabled". */
		uartlite@c00 {
			compatible = "ns16550a";
			reg = <0xc00 0x100>;
			clocks = <0x03>;
			interrupt-parent = <0x02>;
			interrupts = <0x00 0x1a 0x04>;
			reg-shift = <0x02>;
			reg-io-width = <0x04>;
			no-loopback-test;
		};
		uartlite@e00 {
			status = "disabled";
			compatible = "ns16550a";
			reg = <0xe00 0x100>;
			clocks = <0x03>;
			interrupt-parent = <0x02>;
			interrupts = <0x00 0x1c 0x04>;
			reg-shift = <0x02>;
			reg-io-width = <0x04>;
			no-loopback-test;
		};
		/*
		 * SPI controller is "okay", but every device below it is disabled.
		 * The flash variants describe a 16 MiB layout: "RouterBoot" at
		 * 0x0 (0x40000 = 256 KiB) followed by "RouterOS" at 0x40000
		 * (0xfc0000 bytes). spi-max-frequency 0x1c9c380 = 30,000,000 Hz.
		 */
		spi@b00 {
			status = "okay";
			compatible = "ralink,mt7621-spi";
			reg = <0xb00 0x100>;
			clocks = <0x06>;
			resets = <0x04 0x12>;
			reset-names = "spi";
			#address-cells = <0x01>;
			#size-cells = <0x00>;
			m25p80@0 {
				#address-cells = <0x01>;
				#size-cells = <0x01>;
				status = "disabled";
				compatible = "jedec,spi-nor";
				reg = <0x00>;
				spi-max-frequency = <0x1c9c380>;
				m25p,chunked-io = <0x20>;
				partition@40000 {
					label = "RouterOS";
					reg = <0x40000 0xfc0000>;
				};
				partition@0 {
					label = "RouterBoot";
					reg = <0x00 0x40000>;
				};
			};
			/* Same layout on chip select 1; the first partition is labelled "RouterBootFake" here. */
			m25p80@1 {
				#address-cells = <0x01>;
				#size-cells = <0x01>;
				status = "disabled";
				compatible = "jedec,spi-nor";
				reg = <0x01>;
				spi-max-frequency = <0x1c9c380>;
				m25p,chunked-io = <0x20>;
				partition@40000 {
					label = "RouterOS";
					reg = <0x40000 0xfc0000>;
				};
				partition@0 {
					label = "RouterBootFake";
					reg = <0x00 0x40000>;
				};
			};
			/* Boot-only variant on chip select 0 (same reg as m25p80@0): just the RouterBoot partition. */
			m25p80_boot@0 {
				#address-cells = <0x01>;
				#size-cells = <0x01>;
				status = "disabled";
				compatible = "jedec,spi-nor";
				reg = <0x00>;
				spi-max-frequency = <0x1c9c380>;
				m25p,chunked-io = <0x20>;
				partition@0 {
					label = "RouterBoot";
					reg = <0x00 0x40000>;
				};
			};
			/* "rb-spi-ts" device on chip select 1; 0x1e8480 = 2,000,000 Hz. */
			ts@1 {
				status = "disabled";
				compatible = "rb-spi-ts";
				reg = <0x01>;
				spi-max-frequency = <0x1e8480>;
			};
		};
	};
	pinctrl {
		compatible = "ralink,rt2880-pinmux";
		pinctrl-names = "default";
		pinctrl-0 = <0x07>;
		status = "disabled";
		/* Empty default state (phandle 0x07). */
		pinctrl0 {
			phandle = <0x07>;
		};
		/* phandle 0x05 is the pinctrl-0 of i2c@900. */
		i2c0 {
			phandle = <0x05>;
			i2c0 {
				groups = "i2c";
				function = "i2c";
			};
		};
	};
	/* Reset controller; phandle 0x04 is the first cell of every resets property. */
	rstctrl {
		compatible = "ralink,rt2880-reset";
		#reset-cells = <0x01>;
		phandle = <0x04>;
	};
	sdhci@1e130000 {
		status = "disabled";
		compatible = "ralink,mt7620-sdhci";
		reg = <0x1e130000 0x4000>;
		interrupt-parent = <0x02>;
		interrupts = <0x00 0x14 0x04>;
	};
	xhci@1e1c0000 {
		status = "disabled";
		compatible = "mediatek,mt8173-xhci";
		reg = <0x1e1c0000 0x1000 0x1e1d0700 0x100>;
		/* String list "mac", "ippc" printed as one string with an embedded NUL. */
		reg-names = "mac\0ippc";
		clocks = <0x03>;
		clock-names = "sys_ck";
		interrupt-parent = <0x02>;
		interrupts = <0x00 0x16 0x04>;
	};
	crypto@1e004000 {
		compatible = "mediatek,mt7621-crypto";
		reg = <0x1e004000 0x1000>;
		interrupt-parent = <0x02>;
		interrupts = <0x00 0x13 0x04>;
	};
	/* MIPS GIC; phandle 0x02 is the interrupt-parent of all peripherals in this tree. */
	interrupt-controller@1fbc0000 {
		compatible = "mti,gic";
		reg = <0x1fbc0000 0x80>;
		interrupt-controller;
		#interrupt-cells = <0x03>;
		mti,reserved-cpu-vectors = <0x07>;
		interrupt-parent = <0x08>;
		phandle = <0x02>;
		timer {
			compatible = "mti,gic-timer";
			interrupts = <0x01 0x01 0x00>;
			clocks = <0x09>;
		};
	};
	ethernet@1e100000 {
		compatible = "ralink,mt7621-eth";
		reg = <0x1e100000 0x2710>;
		#address-cells = <0x01>;
		#size-cells = <0x00>;
		resets = <0x04 0x06 0x04 0x17>;
		/* String list "fe", "eth" printed as one string with an embedded NUL. */
		reset-names = "fe\0eth";
		interrupt-parent = <0x02>;
		interrupts = <0x00 0x03 0x04>;
		mdio-bus {
			#address-cells = <0x01>;
			#size-cells = <0x00>;
			ethernet-phy@1f {
				reg = <0x1f>;
				phy-mode = "rgmii";
			};
		};
	};
	gsw@1e110000 {
		compatible = "ralink,mt7620a-gsw";
		reg = <0x1e110000 0x1f40>;
	};
	/* Bit-banged I2C with SDA on cell 0x03 and SCL on cell 0x04 of gpio@600; disabled. */
	i2c_gpio@0 {
		compatible = "i2c-gpio";
		sda-gpios = <0x01 0x03 0x06>;
		scl-gpios = <0x01 0x04 0x06>;
		i2c-gpio,delay-us = <0x05>;
		i2c-gpio,timeout-ms = <0x01>;
		i2c-gpio,scl-output-only = <0x00>;
		status = "disabled";
	};
	/* PCIe host controller with three child port nodes (0,0 / 1,0 / 2,0); disabled. */
	pcie@1e140000 {
		status = "disabled";
		compatible = "mediatek,mt7621-pci";
		reg = <0x1e140000 0x100 0x1e142000 0x100>;
		#address-cells = <0x03>;
		#size-cells = <0x02>;
		device_type = "pci";
		bus-range = <0x00 0xff>;
		ranges = <0x2000000 0x00 0x00 0x60000000 0x00 0x10000000 0x1000000 0x00 0x00 0x1e160000 0x00 0x10000>;
		interrupt-parent = <0x02>;
		interrupts = <0x00 0x04 0x04 0x00 0x18 0x04 0x00 0x19 0x04>;
		pcie@0,0 {
			reg = <0x00 0x00 0x00 0x00 0x00>;
			#address-cells = <0x03>;
			#size-cells = <0x02>;
			ranges;
			bus-range = <0x00 0xff>;
		};
		pcie@1,0 {
			reg = <0x800 0x00 0x00 0x00 0x00>;
			#address-cells = <0x03>;
			#size-cells = <0x02>;
			ranges;
			bus-range = <0x00 0xff>;
		};
		pcie@2,0 {
			reg = <0x1000 0x00 0x00 0x00 0x00>;
			#address-cells = <0x03>;
			#size-cells = <0x02>;
			ranges;
			bus-range = <0x00 0xff>;
		};
	};
};
Tady mám pár výstupů z příkazů:
# cat /proc/mtd
dev: size erasesize name
mtd0: 003c0000 00020000 "RouterBoard NAND 1 Boot"
mtd1: 07c00000 00020000 "RouterBoard NAND 1 Main"
mtd2: 00040000 00020000 "RouterBoot NAND Booter"
# cat /proc/cmdline
root=/dev/ram0 no-uart benand_no_swecc=2 parts=1 boot_part_size=4194304 gpio=249387 mem=128M kmac=48:A9:8A:54:C2:D0 board=951G board=951G board_rev=r3 bver=6.48.6 hw_opt=00280005 boot=0 mlc=11 rd_start=0xc0514000 rd_size=0x000193a8
# cat /proc/cpuinfo
system type : Mikrotik RB951G
processor : 0
cpu model : MIPS 74Kc V4.12
cpu MHz : 600.000
BogoMIPS : 299.82
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : yes, count: 4, address/irw mask: [0x0004, 0x0ffc, 0x0ff8, 0x0ff8]
ASEs implemented : mips16
shadow register sets : 1
kscratch registers : 0
core : 0
VCED exceptions : not available
VCEI exceptions : not available
# cat /proc/version
Linux version 3.3.5 (build@builder) (gcc version 4.8.2 (GCC) ) #1 Wed Apr 29 12:49:57 UTC 2020
# uname -a
Linux RouterOS 3.3.5 #1 Wed Apr 29 12:49:57 UTC 2020 mips unknown
cat /proc/kmsg
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_txtimeout: monitor reset
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_txtimeout: monitor reset
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_txtimeout: monitor reset
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_txtimeout: monitor reset
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_txtimeout: monitor reset
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_txtimeout: monitor reset
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
... pak to spadlo
Zajímavé, že systém při čtení kernel logu spadl…
<5>Linux version 3.3.5 (build@builder) (gcc version 4.8.2 (GCC) ) #1 Wed Apr 29 12:49:57 UTC 2020
<6>CPU revision is: 0001974c (MIPS 74Kc)
<6>Determined physical RAM map:
<6> memory: 0002a000 @ 00384000 (usable after init)
<6>User-defined physical RAM map:
<6> memory: 08000000 @ 00000000 (usable)
<6>Initial ramdisk at: 0xc0514000 (103336 bytes)
<4>Zone PFN ranges:
<4> DMA 0x00000000 -> 0x00008000
<4> Normal empty
<4>Movable zone start PFN for each node
<4>Early memory PFN ranges
<4> 0: 0x00000000 -> 0x00008000
<7>On node 0 totalpages: 32768
<7>free_area_init_node: node 0, pgdat c0382090, node_mem_map c1000000
<7> DMA zone: 256 pages used for memmap
<7> DMA zone: 0 pages reserved
<7> DMA zone: 32512 pages, LIFO batch:7
<4>Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
<4>Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
<7>pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
<7>pcpu-alloc: [0] 0
<4>Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32512
<5>Kernel command line: root=/dev/ram0 no-uart benand_no_swecc=2 parts=1 boot_part_size=4194304 gpio=249387 mem=128M kmac=48:A9:8A:54:C2:D0 board=951G board=951G board_rev=r3 bver=6.48.6 hw_opt=00280005 boot=0 mlc=11 rd_start=0xc0514000 rd_size=0x000193a8
<6>PID hash table entries: 512 (order: -1, 2048 bytes)
<6>Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
<6>Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
<6>Writing ErrCtl register=00000000
<6>Readback ErrCtl register=00000000
<6>Memory: 124600k/131072k available (2397k kernel code, 6472k reserved, 685k data, 168k init, 0k highmem)
<6>SLUB: Genslabs=15, HWalign=16, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
<6>NR_IRQS:168
<6>Calibrating delay loop... 299.82 BogoMIPS (lpj=1499136)
<6>pid_max: default: 32768 minimum: 301
<6>Mount-cache hash table entries: 512
<6>devtmpfs: initialized
<6>NET: Registered protocol family 16
<4>rb700_pci_init
<6>bio: create slab <bio-0> at 0
<6>Switching to clocksource MIPS
<6>NET: Registered protocol family 2
<6>IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
<6>TCP established hash table entries: 4096 (order: 3, 32768 bytes)
<6>TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
<6>TCP: Hash tables configured (established 4096 bind 4096)
<6>TCP reno registered
<6>UDP hash table entries: 256 (order: 0, 4096 bytes)
<6>UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
<6>NET: Registered protocol family 1
<7>PCI: CLS 0 bytes, default 32
<6>Unpacking initramfs...
<6>Freeing initrd memory: 100k freed
<6>squashfs: version 4.0 (2009/01/31) Phillip Lougher
<4>yaffs Apr 29 2020 12:47:26 Installing.
<6>msgmni has been set to 243
<6>io scheduler noop registered (default)
<4>AR9344 nand
<6>ONFI flash detected
<6>ONFI param page 0 valid
<6>NAND: 4 ECC bits => use MLC ecc
<6>NAND device: Manufacturer ID: 0x01, Chip ID: 0xf1 (AMD S34ML01G2)
<6>Scanning device for bad blocks
<4>AR9344 NAND ctrl b44
<5>0x000000040000-0x000000400000 : "RouterBoard NAND 1 Boot"
<5>0x000000400000-0x000008000000 : "RouterBoard NAND 1 Main"
<5>0x000000000000-0x000000040000 : "RouterBoot NAND Booter"
<4>RB900 SPI
<4>ahb_clock_source is DDR (200000000Hz)
<4>AHB clock 200000000 Hz
<4>RB400 spi misc
<6>gpiochip_add: registered GPIOs 100 to 115 on device: ssr-gpio
<7>Registered led device: user-led
<7>Registered led device: usb-power-off
<7>Registered led device: wlan-led
<7>Registered led device: button
<7>Registered led device: pin-hole
<7>Registered led device: all-leds
<6>TCP cubic registered
<6>NET: Registered protocol family 17
<4>Warning: unable to open an initial console.
<6>Freeing unused kernel memory: 168k freed
<4>Algorithmics/MIPS FPU Emulator v1.5
<6>yaffs: dev is 32505857 name is "mtdblock1"
<4>yaffs: Attempting MTD mount on 31.1, "mtdblock1"
<4>yaffs: auto selecting yaffs2
<4>yaffs: restored from checkpoint
<6>yaffs: dev is 32505856 name is "mtdblock0"
<4>yaffs: Attempting MTD mount on 31.0, "mtdblock0"
<4>yaffs: auto selecting yaffs2
<4>yaffs: restored from checkpoint
<4>new-flash: starting...
<4>bad RouterBoot MTD device
<4>spi flash id: ef301000
<4>-=(00021600)=-
<4>flash: ptr = d1400000, base = 1fc00000
<4>HW_OPT[00280005]
<4>board name = RB951G-2HnD
<4>market name =
<4>alloc spi_page_buf size = 4096
<4>nand id 01f1801d 01f1801d
<4>nand unique id bb413039 32032513 09080606 030affff
<4>logring: default buf size:4096, console_loglevel:1
<6>console [logring0] enabled
<4>RB400 spi poe not present
<6>nf_conntrack version 0.5.0 (54498 buckets, 217992 max)
<4>skb_bin_update_max_len: 0->1792
<4>gre: register ipv4
<4>sizeof(struct phy):488
<5>Bridge firewalling registered
<4>watchdog freq = 25000000
<7>Registered led device: group0
<7>Registered led device: group1
<7>Registered led device: group2
<7>Registered led device: group3
<6>Initializing XFRM netlink socket
<4>fan: init
<6>NET: Registered protocol family 15
<4>ar7100_wdt_enable
<4>voltage: init
<4>init_rb450G_voltage
<4>voltage: terminating
<4>fan: init
<4>voltage: init
<4>init_rb450G_voltage
<4>voltage: terminating
<4>rb: starting...
<4>rb: started
<4>rb_ioctl, cmd: 0x2000520f, arg: 0x0
<4>rb: RB_GET_TYPE
<4>rb_ioctl, cmd: 0x20005201, arg: 0x0
<4>rb: RB_CFG_SIZE
<4>rb_ioctl, cmd: 0x20005203, arg: 0x45df20
<4>rb: RB_READ_CFG
<4>rb_ioctl, cmd: 0x20005202, arg: 0x0
<4>rb: RB_INFO_SIZE
<4>rb_ioctl, cmd: 0x20005204, arg: 0x45ef28
<4>rb: RB_READ_INFO
<4>probe_er_radio_data chunkid 3 caldataid 3
<6>usbcore: registered new interface driver usbfs
<6>usbcore: registered new interface driver hub
<6>usbcore: registered new device driver usb
<6>ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
<6>rb400-ehci rb400-ehci.0: RB400 EHCI
<6>rb400-ehci rb400-ehci.0: new USB bus registered, assigned bus number 1
<4>ehci_reset Port Status 1c000000
<6>rb400-ehci rb400-ehci.0: irq 3, io mem 0x1b000000
<6>rb400-ehci rb400-ehci.0: USB 2.0 started, EHCI 1.00
<6>ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
<6>hub 1-0:1.0: USB hub found
<6>hub 1-0:1.0: 1 port detected
<4>ar724x_usb: Host Tx Pre-Buffer Packet Tuning [00080001]
<4>sram: init cpu:2120
<4>sram: init size:32768
<4>atheros_enum_failure_fix
<6>usb 1-1: new high-speed USB device number 2 using rb400-ehci
<4>atheros_enum_failure_fix
<4>ath8327: custom_leds:1 is_rb2011_sfp_old:0 is_rb2011_sfp_new:0
<4>hard cfg field 38 is absent
<7>Registered led device: switch-all-leds
<4>sizeof(struct music_hdr): 12
<4>machtype:52 cpu: 12123, revision: 3, cycles_per_sec: 300000000
<4>ar7240:0 ar7241:0 ar7242:0 ar9330:0 ar9331:0 ar9341:0 ar9342:0 ar9344:1 qca95xx:0
<4>sram alloc 16384 32, used 16384, ptr: d16c0000
<4>sram alloc 2048 32, used 18432, ptr: d16c4000
<4>switch0: reset unit 0 (phy 8327, mii divider 6, preamble 0) mdio_reset:1
<4>switch0: ath8327_reset 1204
<4>switch0: reg access: 91943ns
<4>switch0: max_tx_buffers_per_port=203, tx_buffer_count=1024, cpu_port_count=1, port_count=5, max_tx_buffers_per_pack=1, num_tx_queues:1
<6>Netfilter messages via NETLINK v0.30.
<6>ctnetlink v0.93: registering with nfnetlink.
<4>a9300_ahb_init: read eeprom, size 65536, rev 0x12123
<4>probe_er_radio_data chunkid 1 caldataid -1
<4>found extended radio data with id 1
<4>radio data lzo decompressed from 815 to 65536
<4>read_radio_data got 65536 from 131072
<4>mem: 0x18100000, 0xd1f80000-0xd1fc0000 (262144)
<4>a9300_ahb_init: apply wasp small channels hack
<4>a9300: wasp svid 0xffffffff ssid 0xffffffff
<4>a9300: disablePAPRDHack, no SSID
<4>a9300_init: custData = '....................'
<4>a9300_init: mac 48:a9:8a:54:c2:d5, modes 0x360000, caps 0x27c1bf, txchains 0x3, rxchains 0x3, macver 0x300 macrev 0x3
<4>w_virtdev_alloc: bcast_sta refcnt 1
<4>w_hwdev_update_l2mtu: l2mtu 0->1600
<4>w_hwdev_update_l2mtu: bindatasize 0->1856
<4>ath_changedbufsize
<4>a9300_ahb_init: registered at 0xd1f80000, irq 2
<5>SCSI subsystem initialized
<6>Initializing USB Mass Storage driver...
<6>scsi0 : usb-storage 1-1:1.0
<6>usbcore: registered new interface driver usb-storage
<6>USB Mass Storage support registered.
<6>ip_tables: (C) 2000-2006 Netfilter Core Team
<4>netfilter PSD loaded - (c) astaro AG
<4>hard cfg field 38 is absent
<4>flash: writing cfg id = 23, size = 4
<4>flash_ioctl: programming injected settings id 23
<4>spi flash id: ef301000
<4>rb400_beep 5000
<4>mpls_nl_init: id 17
<6>RouterBoard NAND 1 Boot: block 1 refresh took 140 ms, 29 blocks left
<6>RouterBoard NAND 1 Main: block 2 refresh took 140 ms, 990 blocks left
<4>rb400_beep 0
<4>rb400_beep 0
<5>scsi 0:0:0:0: Direct-Access Kingston DataTraveler 3.0 PQ: 0 ANSI: 6
<5>sd 0:0:0:0: [sda] 15109516 512-byte logical blocks: (7.73 GB/7.20 GiB)
<5>sd 0:0:0:0: [sda] Write Protect is off
<7>sd 0:0:0:0: [sda] Mode Sense: 4f 00 00 00
<5>sd 0:0:0:0: [sda] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
<6> sda: sda1
<5>sd 0:0:0:0: [sda] Attached SCSI removable disk
<4>hard cfg field 38 is absent
<6>kjournald starting. Commit interval 5 seconds
<6>EXT3-fs (sda1): using internal journal
<6>EXT3-fs (sda1): mounted filesystem with writeback data mode
<4>ctl_zap
<4>virt_open: can not start queue, enabled 0, backlog 0
<4>a9300_hw_reset: chan 2412000, phymode 0x14 (phy 2412:0x10080)
<4>probe_er_radio_data chunkid 2 caldataid 2
<4>probe_er_radio_data chunkid 3 caldataid 3
<4>get_tx_power_adjust = 0
<4>interrupt: !enabled, isr 0x10
<4>sizeof(struct sfq_data): 4400
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x14 (phy 2412:0x10080)
<4>hard cfg field 38 is absent
<4>a9300_hw_reset: chan 2417000, phymode 0x14 (phy 2417:0x10080)
<4>a9300_hw_reset: chan 2422000, phymode 0x14 (phy 2422:0x10080)
<4>a9300_hw_reset: chan 2427000, phymode 0x14 (phy 2427:0x10080)
<4>a9300_hw_reset: chan 2432000, phymode 0x14 (phy 2432:0x10080)
<4>a9300_hw_reset: chan 2437000, phymode 0x14 (phy 2437:0x10080)
<4>a9300_hw_reset: chan 2442000, phymode 0x14 (phy 2442:0x10080)
<4>a9300_hw_reset: chan 2447000, phymode 0x14 (phy 2447:0x10080)
<4>a9300_hw_reset: chan 2452000, phymode 0x14 (phy 2452:0x10080)
<4>a9300_hw_reset: chan 2457000, phymode 0x14 (phy 2457:0x10080)
<4>a9300_hw_reset: chan 2462000, phymode 0x14 (phy 2462:0x10080)
<4>a9300_hw_reset: chan 2467000, phymode 0x14 (phy 2467:0x10080)
<4>voltage: init
<4>init_rb450G_voltage
<4>voltage: terminating
<4>voltage: init
<4>init_rb450G_voltage
<4>voltage: terminating
<4>a9300_hw_reset: chan 2472000, phymode 0x14 (phy 2472:0x10080)
<4>switch0: open
<4>switch0: reset unit 0 (phy 8327, mii divider 6, preamble 0) mdio_reset:1
<4>switch0: ETH_XMII_CONTROL: 02000000
<4>switch0: ath8327_reset 1204
<4>switch0: reg access: 91980ns
<7>Registered led device: switch0-all-leds
<4>eth0: set isolation from 0 to 0
<4>switch0-eth0: set switched 1 0
<4>eth1: set isolation from 0 to 0
<4>switch0-eth1: set switched 14 0
<4>eth2: set isolation from 0 to 0
<4>switch0-eth2: set switched 14 0
<4>eth3: set isolation from 0 to 0
<4>switch0-eth3: set switched 14 0
<4>eth4: set isolation from 0 to 0
<4>switch0-eth4: set switched 14 0
<4>eth0: mdio read 00:00 = 0xffff
<4>eth0: phy reg access: 31140ns
<4>voltage: init
<4>init_rb450G_voltage
<4>voltage: terminating
<4>eth1: mdio read 01:00 = 0xffff
<4>eth2: mdio read 02:00 = 0xffff
<4>eth3: mdio read 03:00 = 0xffff
<4>eth4: mdio read 04:00 = 0xffff
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>interrupt: !enabled, isr 0x10
<4>dynack_init: distance 0
<4>ctl_key_set: vid 0, idx 0, algo 0
<4>ctl_key_set: vid 0, idx 1, algo 0
<4>ctl_key_set: vid 0, idx 2, algo 0
<4>ctl_key_set: vid 0, idx 3, algo 0
<4>wl_update_wmm: update active_wmm
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>wl_beacon_enable: enable hw gen
<4>hard cfg field 38 is absent
<4>voltage: init
<4>init_rb450G_voltage
<4>voltage: terminating
<4>eth0: set isolation from 0 to 0
<4>switch0-eth0: set switched 14 0
<4>eth1: set isolation from 0 to 0
<4>switch0-eth1: set switched 14 0
<4>eth2: set isolation from 0 to 0
<4>switch0-eth2: set switched 14 0
<4>eth3: set isolation from 0 to 0
<4>switch0-eth3: set switched 14 0
<4>eth4: set isolation from 0 to 0
<4>switch0-eth4: set switched 14 0
<4>eth1: link change 03ce -> 034e -> 034e
<4>eth1: phy link up (1000/full)
<6>device eth1 entered promiscuous mode
<4>hard cfg field 38 is absent
<4>eth0: link change 03ce -> 034e -> 034e
<4>eth0: phy link up (1000/full)
<4>hard cfg field 38 is absent
<4>hard cfg field 38 is absent
<4>ath_txtimeout: monitor reset
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>eth1: set isolation from 0 to 1
<4>switch0-eth1: set switched 14 0
<4>ath_txtimeout: monitor reset
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_txtimeout: monitor reset
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_txtimeout: monitor reset
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)
<4>ath_reset
<4>a9300_hw_reset: chan 2412000, phymode 0x15 (phy 2412:0x20080)