!!! Minitar Access Point

As with the Linksys WRT54G, the Minitar's firmware is based on Linux.

! News

* Minitar's OEM appears to be (http://www.edimax.com/ Edimax). (http://www.edimax.com.tw/html/english/products/EW-7206APB.htm Product Link). (2003-11-08)
* Source is available on the (http://melbourne.wireless.org.au/pub/ Melbourne Wireless website). (2003-11-08)
* Mitch from perthwireless has discovered a working password for the busybox login prompt. (6-11-03)
* Minitar say they will now produce source for the GPL'd code in these units. (23-10-03)
* Minitar has now released the source that they received from Realtek. (25-10-03)
* The kernel archive they've released seems to be missing a number of important .c files, particularly the drivers for the CPU, wifi, and ROM chips.

!!! Where to Buy

(http://www.eyo.com.au EYO) (Sydney)
(http://www.warcom.com.au Warcom) (Melbourne)
(http://www.pcrange.com.au PCRange) (Adelaide)
(http://www.jmcs.net.au Jamie Moir)

Add others please.

!!! Hardware

* Minitar Specifications

CPU | (http://www.realtek.com.tw/products/products1-2.aspx?modelid=2003052 Realtek RTL8181) (200MHz MIPS)
Flash | 1 MB NOR Flash
RAM | (http://web.icsi.com.tw/domino/packinfo.nsf/WebDSProcNum/(ADB311E3EC53802EC4CC49AE52D1632C)?OpenDocument ICSI IC42S164007T ) 8 MB SDRAM
Antenna | RP-SMA Detachable Antenna x 1
Transmit Power | 18 dBm
Power | 12V DC, 0.5A Linear Power Adaptor
Dimension | 30(H)*127(W)*96(D) mm

Actually there is 2Meg of flash but as far as I can tell the first is taken up with the primary firmware code. (btcode)

You can get the Realtek RTL8181 pinout and register data sheet by asking djongdjong_goh@winedge.com.sg nicely. Oh sod it. Here it is as well as below. (http://www.wireless.org.au/~jhecker/RTL8181spec_1.pdf RTL8181 PDF)

You can now find the RTL8181 datasheet here: http://www.felinemenace.org/~andrewg/stuff/RTL8181.pdf (thanks to andrewg, nevyn & RokLobsta) (This link is now fixed.)
* Peripherals

CPU | (http://www.realtek.com.tw/products/products1-2.aspx?modelid=2003052 Realtek RTL8181) (200MHz MIPS; supports JTAG, dual PCI, 16 digital I/O, 32MB SDRAM)
Flash | (http://www.mxic.com.tw/web/P_flash.nsf/bf3add4f68988391c825667100209fa5/785e059690440530482569d1000d3acc?OpenDocument MX29LV160AB) 2 MB NOR Flash
RAM | (http://web.icsi.com.tw/domino/packinfo.nsf/WebDSProcNum/(ADB311E3EC53802EC4CC49AE52D1632C)?OpenDocument ICSI IC42S164007T ) 8 MB SDRAM (room for more, see U8)
Ethernet | 2 x RTL3129 internal MACs (eth0 only; eth1 is missing its PHY and isolation transformer, but they could be added manually.)
JTAG | JP1 (pin layout soon)
Serial | J1 (see below)
Radio | (http://www.semiconductors.philips.com/technologies/wirelessconnectivity/sa2400/ SA2400) The data sheet is hard to get so please post a link to a PDF if you find one.
SAW Filter | (G W22 B004D) Unknown brand. 2.4GHz bandpass filter.

* Images:

http://212.13.198.208/minitar-top.jpg
http://212.13.198.208/minitar-bottom.jpg

!!! Firmware

New firmware (http://www.minitar.com/downloads/MIN2APB_2.20.zip (2.20)) was released with some additional features. One can unpack the contents with this script (thanks to Mihnea):

#!/bin/bash
#-- START
wget http://www.minitar.com/downloads/MIN2APB_2.20.zip
unzip -jo MIN2APB_2.20.zip
# Skip the first 12 bytes; the next 0x18000 bytes hold the gzipped web pages
dd if=general-ap_upg_2.20.bin bs=1 skip=12 count=$((0x18000)) | \
  zcat - >webpages-ap.bin
# The rest of the file is one gzipped image: kernel followed by initrd
dd if=general-ap_upg_2.20.bin bs=1 skip=$((12+0x18000)) | \
  zcat - >vmlinux_img
# First 0x166000 bytes are the kernel, the remainder is the gzipped initrd
dd if=vmlinux_img bs=1 count=$((0x166000)) >kcoff
dd if=vmlinux_img bs=1 skip=$((0x166000)) | zcat - >tmpimg.img
rm -f vmlinux_img
#-- END

Script modified for version 2.32 of the firmware.
#!/bin/bash
ZIPFILE=Minitar_AP_Firmware_2.32.zip
FIRMWARE=general-ap_upg_2.32_8m.bin
DOWNLOADSITE="http://www.minitar.com/downloads/"
#-- START
wget "$DOWNLOADSITE$ZIPFILE"
unzip -jo "$ZIPFILE"
# Skip the first 12 bytes; the next 0x18000 bytes hold the gzipped web pages
dd if="$FIRMWARE" bs=1 skip=12 count=$((0x18000)) | \
  zcat - >webpages-ap.bin
# The rest of the file is one gzipped image: kernel followed by initrd
dd if="$FIRMWARE" bs=1 skip=$((12+0x18000)) | \
  zcat - >vmlinux_img
# First 0x16d000 bytes are the kernel, the remainder is the gzipped initrd
dd if=vmlinux_img bs=1 count=$((0x16d000)) >kcoff
dd if=vmlinux_img bs=1 skip=$((0x16d000)) | zcat - >tmpimg.img
rm -f vmlinux_img
#-- END

"You will get 3 files: webpages-ap.bin (the web pages), kcoff (the kernel binary, probably in ECOFF format) and tmpimg.img (the initrd). "

I have some doubt about the kernel binary that this procedure returns. It has far too many 0's at the start for my liking.

Mount it:

mount -t ext2 -o loop tmpimg.img /mnt/floppy -o ro,nodev,nosuid,noexec

Directory listing: MinitarLs

!!! Memory

Unpopulated component U8 looks to be space for a second SDRAM IC. Related components around U8 seem to be populated, so it won't be too hard to add more RAM to your Minitar. I will try this out when I get mine running again.

The RTL8181 supports 1 bank of 32-bit RAM or 2 banks of 16-bit RAM. The IC42S164007T is a 64Mbit / 16-bit device, so adding another to U8 would be very straightforward.

!!! EJTAG

With the help of the late release of the RTL8181 datasheet, we noticed the controller supports EJTAG. The interface seems to be wired to JP1.

The JTAG interface is not normally active. JTAG CLK doubles as the WLAN activity LED indicator (LED2?), so some jumpers need to be set to disable WLAN activity and enable JTAG; see the datasheet for more info.

A pin map for JP1 will be provided when figured out. Also schematics for JTAG devices should be here sometime too.

Here is a start:

GPIOB Pin | Package Pin | Description
11 | 205 | JTAG Mode enable
10 | 206 | Not used(?)
9 | 207 |
8 | 2 |
7 | 3 |
6 | 5 |
5 | 6 | JTAG_TDO (JTAG test data output)
4 | 8 | JTAG_TRSTN (JTAG reset)
3 | 9 | JTAG_TMS (JTAG test mode select)
2 | 11 | JTAG_TDI (JTAG test data input)
1 | 12 |
0 | 13 |

---

No more info today, didn't have time to get parts. Check back Tuesday evening.

---

Here's a link to an Open Source JTAG project that might be of use. It contains links to compatible JTAG interfaces you can make yourself. All that needs to be done is BSDL definitions for the RTL8181 and the relevant programming algorithm for the MX29LV160AB flash. (http://openwince.sourceforge.net/jtag/ JTAG).

Here's a link to the MIPS specification for (http://www.mips.com/content/Documentation/MIPSDocumentation/EJTAG/doclibrary EJTAG). Now this info and the Sourceforge JTAG project above need to be combined and something magical could happen....

!!! Serial Console

With a max232 hooked up to pins 1 (RX) and 7 (TX) of J1, one can get a serial console on the device.

Login Details

Username: super
Password: lance@edimax.com.tw

Schematic (note you will need an external 5V power source)

BOM:

4 - 1uF Tantalum 35V Capacitors
1 - MAX232 IC
1 - DB9 Female connector
1 - 8 Pin dim female connector

[http://www.unstable.org/~redrum/minitar-uart.gif]

If an ADM3202 is used instead of the MAX232, you only need 100nF caps AND you can get the 3.3V power from the board.

Hit escape when booting to access the Realtek bootloader.

* Boot

UART1 output test ok
Uart init
Found 1 x 2M flash memory
---!RealTek(RTL8181)at ¶g¥| 8?ë 7 11:22:57 CST 2003 version 1.0
no sys signature at 00010000!
Jump to image start=0x80300000...
display on entering boot loader, turning on display
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
Linux version 2.4.18-MIPS-01.00 (root@localhost.localdomain) (gcc version 3.0.3) #2 Fri Aug 22 00:02:09 CST 2003
Determined physical RAM map:
memory: 00800000 @ 00000000 (usable)
Initial ramdisk at: 0x80166000 (405253 bytes)
On node 0 totalpages: 2048
zone(0): 2048 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/ram console=0 ramdisk_start=0 single
Calibrating delay loop... 
204.39 BogoMIPS
Memory: 6104k/8192k available (1295k kernel code, 2088k reserved, 476k data, 44k init, 0k highmem)
Dentry-cache hash table entries: 1024 (order: 1, 8192 bytes)
Inode-cache hash table entries: 512 (order: 0, 4096 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
unavailable.
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
block: 64 slots per queue, batch=16
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Serial driver version 6.02 (2003-03-12) with no serial options enabled
ttyS00 at 0x00c3 (irq = 3) is a rtl_uart1
state->flags=00000000
!RealTek E-Flash System Driver. (C) 2002 !RealTek Corp.
Found 1 x 2MiB MXIC MX29LV160AB at 0xbfc00000
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
order=00000000 in rt_init
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
Starting kswapd
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 395k freed
VFS: Mounted root (ext2 filesystem).
Freeing unused kernel memory: 44k freed
mount /proc file system ok!
serial console detected. Disabling virtual terminals.
console=/dev/ttyS0
init started: !BusyBox v0.60.1 (2003.09.16-11:50+0000) multi-call binary
!BusyBox v0.60.1 (2003.09.16-11:50+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
Initialize WLAN interface
length=0?
length=0?
SIOCGIFFLAGS: No such device
bridge br0 doesn't exist!
bridge br0 doesn't exist; can't delete it
Setup bridge...
Algorithmics/MIPS FPU Emulator v1.5
device eth1 entered promiscuous mode
device wlan0 entered promiscuous mode
This is 8305SB
eth1: Promiscuous mode enabled.
eth1: Promiscuous mode enabled.
eth1: Promiscuous mode enabled.
eth1: Promiscuous mode enabled.
SIOCDELRT: No such process
SIOCDELRT: No such process
br0: port 2(wlan0) entering listening state
br0: port 1(eth1) entering listening state
br0: port 2(wlan0) entering learning state
br0: port 2(wlan0) entering forwarding state
br0: topology change detected, propagating
br0: port 1(eth1) entering learning state
br0: port 1(eth1) entering forwarding state
br0: topology change detected, propagating
SIOCDELRT: No such process
SIOCDELRT: No such process
udhcp server (v0.9.9-pre) started
iappauth.sh: not found
********** run Diagd **********
setting: port: 31727 running in daemon mode 251
[?3l-------------------------------------------------------------- -----------------
Select Exit Enter
Please enter your Name and Password
User Name:^A

* Reboot:

The system is going down NOW !!
Sending SIGTERM to all processes.
Terminated
# Sending
Please stand by while rebooting the system.
Restarting system.
Enable Watch Dog to Reset whole system

--

--

To get a root console:

login: super
password: lance@edimax.com.au

You have no 'ls', so you need to 'echo *' to do useful things like see files :)

# cat cpuinfo
system type : Philips Nino
processor : 0
cpu model : R3000 V0.0
BogoMIPS : 204.39
wait instruction : no
microsecond timers : no
tlb_entries : 64
extra interrupt vector : no
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available
ll emulations : 0
sc emulations : 0

# cat meminfo
total: used: free: shared: buffers: cached:
Mem: 6651904 4444160 2207744 0 61440 2338816
Swap: 0 0 0
MemTotal: 6496 kB
MemFree: 2156 kB
MemShared: 0 kB
Buffers: 60 kB
Cached: 2284 kB
SwapCached: 0 kB
Active: 636 kB
Inactive: 2140 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 6496 kB
LowFree: 2156 kB
SwapTotal: 0 kB
SwapFree: 0 kB

# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/root 1373 1317 56 96% /

# cd /proc/rtl8180/
# echo *
PCI_IO ap_status bssdb rxdesc stats status txdesc

# cat ap_status
************ wlan_sta_tbl ************
There are 0 stations in table.
************ wlan_wep_KM_tbl ************
************ wlan_macaddr_filter ************
macaddr_filter_num = 0
deny_macaddr_filter_num = 0
************ Broadcase skb tx queue ************
wCtx->ps_brstQ.qnum = 0

# cat status
************ Current driver status ************
rtl8180_pci_driver loaded.
MacAddr = 00:50:fc:d4:b1:dd
ioaddr = 0xbd400000
irq = 2
-- RTL8180 Link status --
Channel number = 11
beacon period = 100
BSSID = 0x00 0x50 0xfc 0xd4 0xb1 0xdd
SSID = 0x66(f) 0x7a(z) 0x6a(j) 0x2d(-) 0x77(w) 0x69(i) 0x72(r) 0x65(e) 0x6c(l) 0x65(e) 0x73(s) 0x73(s) 0x2d(-) 0x6f(o) 0
Capability = 0x00
AID = 0x00
Operational rate = <1><2><5.5><11>Mbps

! Questions

Does somebody have the BSDL def file?

The BSDL file hasn't been as forthcoming as the data sheet from the rep (I have asked for it) and may never be. It's not always one of those things that get given out without an NDA. Keep hassling Realtek.

Q: Can somebody give the FCC-ID of this AP? Apparently it's being approved and will get one for sale in the US of A.

A: FWIW, there is a RTL8181-based design for a Network Everywhere product under the FCCID of Q87-NWR11B --JerrittCollord
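
Added example, not part of the original wiki page or of Mihnea's scripts: the unpack scripts in the Firmware section hard-code the kernel/initrd boundary (0x166000 for 2.20, which matches the "Initial ramdisk at: 0x80166000" line in the boot log, and 0x16d000 for 2.32). This Python code instead locates each gzip member by its magic bytes, keeps only those that decompress with a valid CRC, and identifies the initrd by its ext2 superblock magic. The function names and the build_sample() image are constructed for illustration; the 12-byte skip and the 0x18000 web-page slot are taken from the scripts.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=deflate
SKIP = 12                      # bytes the page's dd commands skip at the start

def gunzip_at(blob, offset):
    """Return (data, compressed_len) for a valid gzip member at offset, else None."""
    d = zlib.decompressobj(wbits=31)      # 31 = gzip framing, CRC32 is verified
    try:
        data = d.decompress(blob[offset:])
    except zlib.error:
        return None                       # magic bytes matched by chance
    if not d.eof:
        return None                       # stream is truncated
    return data, len(blob) - offset - len(d.unused_data)

def find_members(blob, start=0):
    """List (offset, data) for every gzip member that decompresses cleanly."""
    found, pos = [], blob.find(GZIP_MAGIC, start)
    while pos != -1:
        hit = gunzip_at(blob, pos)
        if hit:
            found.append((pos, hit[0]))
        pos = blob.find(GZIP_MAGIC, pos + (hit[1] if hit else 1))
    return found

def is_ext2(data):
    """ext2 superblock starts at byte 1024; s_magic 0xEF53 is 56 bytes in, little-endian."""
    return data[1080:1082] == b"\x53\xef"

def unpack(firmware):
    """Recover web pages, kernel and initrd without hard-coded split offsets."""
    (_, web), (_, image) = find_members(firmware, SKIP)[:2]
    split, initrd = next((o, d) for o, d in find_members(image) if is_ext2(d))
    return {"web": web, "kernel": image[:split], "initrd": initrd, "split": split}

def build_sample(split=0x2000):
    """Constructed image (not real Minitar firmware) in the layout the scripts assume."""
    initrd = bytearray(4096)
    initrd[1080:1082] = b"\x53\xef"                       # fake ext2 superblock magic
    kernel = (b"\x00" * 64 + GZIP_MAGIC + b"not gzip").ljust(split, b"\x00")
    image = gzip.compress(kernel + gzip.compress(bytes(initrd)))
    web = gzip.compress(b"<html>status</html>").ljust(0x18000, b"\xff")
    return b"\x00" * SKIP + web + image

if __name__ == "__main__":
    parts = unpack(build_sample())
    print(hex(parts["split"]), len(parts["kernel"]), len(parts["initrd"]))
```

For a real image, pass the file's bytes to unpack() and compare the returned split with the constant used in the dd commands.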