! Minitar Access Point

### Index ###

----

As with the Linksys WRT54G, the Minitar's firmware is based around Linux.

! News

* I have posted my chaining bootloader, frottle for Minitar and a test image that can be booted from RAM for those that are feeling kind of bored. Go down to (/wiki/?minitar#software software).
* Some notes about the software after spending about a month with the source are in MinitarHacking. (2004-09-28)
* The (/files/Misc/Minitar/ older firmware source code) is available on this website. (2004-03-04)
* Minitar's OEM appears to be (http://www.edimax.com/ Edimax). (http://www.edimax.com.tw/html/english/products/EW-7206APB.htm Product Link). (2003-11-08)
* Mitch from perthwireless has discovered a working password for the busybox login prompt. (6-11-03)
* Minitar say they will now produce source for the GPL'd code in these units. (23-10-03)
* Minitar has now released the source that they received from Realtek. (25-10-03)
* The kernel archive they've released seems to be missing a number of important .c files, particularly the drivers for the CPU, wifi, and ROM chips.
* A new Linux RTL8181 Sourceforge project has started (http://rtl8181.sourceforge.net here). This has a good table of RTL8181 based products. (2-3-04)

! Where to Buy

* (http://www.eyo.com.au EYO) (Sydney)
* (http://www.warcom.com.au Warcom) (Melbourne)
* (http://www.pcrange.com.au PCRange) (Adelaide)
* (http://www.freenet-antennas.com Freenet Antennas) (Perth, Ship anywhere)
* (http://www.techtopia.net.au Jamie Moir - not always)

Add others please.

You probably won't find these anywhere now. They are now EOL by Minitar, the replacement will not run Linux OS (don't those guys get it?).

! Hardware

!! Minitar Specifications

||CPU||(http://www.realtek.com.tw/products/products1-2.aspx?modelid=2003052 Realtek RTL8181) (200MHz MIPS)||
||Flash||2 MB NOR Flash||
||RAM||(http://web.icsi.com.tw/domino/packinfo.nsf/WebDSProcNum/(ADB311E3EC53802EC4CC49AE52D1632C)?OpenDocument ICSI IC42S164007T ) 8 MB SDRAM||
||Antenna||RP-SMA Detachable Antenna x 1||
||Transmit Power||18 dBm||
||Power||12V DC, 0.5A Linear Power Adaptor||
||Dimension||30(H)*127(W)*96(D) mm||

Actually there is 2Meg of flash but as far as I can tell the first 64K is taken up with the bootloader and the HS (hardware settings), DS (default settings) and CS (current settings).

You can get the Realtek RTL8181 pinout and register data sheet by asking djongdjong_goh@winedge.com.sg nicely.

You can now find the RTL8181 datasheet (http://www.felinemenace.org/~andrewg/stuff/RTL8181.pdf here) (thanks to andrewg, nevyn and RokLobsta). (This link is now fixed.)

!! Peripherals

||CPU||(http://www.realtek.com.tw/products/products1-2.aspx?modelid=2003052 Realtek RTL8181) (200MHz MIPS, supports JTAG, dual PCI, 16 digital I/O, 32MB SDRAM)||
||Flash||(http://www.mxic.com.tw/web/P_flash.nsf/bf3add4f68988391c825667100209fa5/785e059690440530482569d1000d3acc?OpenDocument MX29LV160AB) 2 MB NOR Flash||
||RAM||(http://web.icsi.com.tw/domino/packinfo.nsf/WebDSProcNum/(ADB311E3EC53802EC4CC49AE52D1632C)?OpenDocument ICSI IC42S164007T ) 8 MB SDRAM (room for more, see U8)||
||Ethernet||2 x RTL3129 internal MACs (eth0 only, missing PHY and isolation transformer for eth1 but it could be manually added on.)||
||JTAG||JP1 (pin layout soon)||
||Serial||J1 (see below)||
||Radio||(http://www.semiconductors.philips.com/technologies/wirelessconnectivity/sa2400/ SA2400) The data sheet is hard to get so please post a link to a PDF if you find one. You can now download the (http://www.rose-hulman.edu/~roehmj2/ECE360/documents/SA2400A_1.pdf SA2400A datasheet).||
||SAW Filter||(G W22 B004D) Unknown brand. 2.4GHz Bandpass filter. This is not a filter, but actually the RF power amplifier (http://www.gatax.com.tw/data/GA2P4W22_spec_v2.3.pdf GA2P4W22 datasheet).||

!! Images

(Some (http://matt.ucc.asn.au/minitar/ higher resolution pictures) are available.)

{http://80.68.88.208/minitar-top.jpg Top view of PCB}

{http://80.68.88.208/minitar-bottom.jpg Bottom view of PCB}

!! Firmware

New firmware (http://www.minitar.com/downloads/MIN2APB_2.20.zip (2.20)) was released with some additional features. One can unpack the contents with this script (thanks to Mihnea):

++++
#!/bin/bash
#-- START
# Fetch and unpack the vendor firmware archive
wget http://www.minitar.com/downloads/MIN2APB_2.20.zip
unzip -jo MIN2APB_2.20.zip
# Skip the first 12 bytes; the next 0x18000 bytes hold the gzipped web pages
dd if=general-ap_upg_2.20.bin bs=1 skip=12 count=$((0x18000)) | \
  zcat - > webpages-ap.bin
# Everything after that is the gzipped kernel image
dd if=general-ap_upg_2.20.bin bs=1 skip=$((12+0x18000)) | \
  zcat - > vmlinux_img
# Split the image at 0x166000: kernel first, gzipped initrd after it
dd if=vmlinux_img bs=1 count=$((0x166000)) > kcoff
dd if=vmlinux_img bs=1 skip=$((0x166000)) | zcat - > tmpimg.img
rm -f vmlinux_img
#-- END
++++

Script modified for version 2.32 of the firmware:

++++
#!/bin/bash
ZIPFILE=Minitar_AP_Firmware_2.32.zip
FIRMWARE=general-ap_upg_2.32_8m.bin
DOWNLOADSITE="http://www.minitar.com/downloads/"
#-- START
# Fetch and unpack the vendor firmware archive
wget "$DOWNLOADSITE$ZIPFILE"
unzip -jo "$ZIPFILE"
# Skip the first 12 bytes; the next 0x18000 bytes hold the gzipped web pages
dd if="$FIRMWARE" bs=1 skip=12 count=$((0x18000)) | \
  zcat - > webpages-ap.bin
# Everything after that is the gzipped kernel image
dd if="$FIRMWARE" bs=1 skip=$((12+0x18000)) | \
  zcat - > vmlinux_img
# Split the image at 0x16d000 (this offset differs from 2.20)
dd if=vmlinux_img bs=1 count=$((0x16d000)) > kcoff
dd if=vmlinux_img bs=1 skip=$((0x16d000)) | zcat - > tmpimg.img
rm -f vmlinux_img
#-- END
++++

"You will get 3 files: webpages-ap.bin (the web pages), kcoff (the kernel binary, probably in ECOFF format) and tmpimg.img (the initrd)."

I have some doubt about the kernel binary that this procedure returns. It has far too many 0's at the start for my liking.

Mount it:

++++
mount -t ext2 -o loop tmpimg.img /mnt/floppy -o ro,nodev,nosuid,noexec
++++

Directory listing: MinitarLs

!! Memory

Unpopulated component U8 looks to be space for a second SDRAM IC.
Related components around U8 seem to be populated, so it won't be too hard to add more RAM to your Minitar. I will try this out when I get mine running again. The RTL8181 supports 1 bank of 32bit RAM or 2 banks of 16bit RAM. The IC42S164007T is a 64Mbit / 16bit device, so adding another to U8 would be very straightforward.

!! EJTAG

With the help of the late release of the RTL8181 datasheet, we noticed the controller supports EJTAG; the interface seems to be wired to JP1.

The JTAG interface is not normally active. JTAG CLK doubles as the WLAN activity LED indicator (LED2?), so some jumpers need to be set to disable WLAN activity and enable JTAG. See the datasheet for more info.

A pin map for JP1 will be provided when figured out. Also schematics for JTAG devices should be here sometime too. Here is a start:

||'''GPIOB Pin'''||'''Package Pin'''||'''Description'''||
||11||205||JTAG Mode enable||
||10||206||Not used(?)||
||9||207|| ||
||8||2|| ||
||7||3|| ||
||6||5|| ||
||5||6||JTAG_TDO(JTAG test data output)||
||4||8||JTAG_TRSTN(JTAG reset)||
||3||9||JTAG_TMS(JTAG test mode select)||
||2||11||JTAG_TDI(JTAG test data input)||
||1||12|| ||
||0||13|| ||
|| ||65||JTAG Reset (alternative reset?)||
|| ||64||JTAG Clock||

The Minitar board has no apparent breakout to a header for the JTAG. Metering out the JTAG pins to various points on the PCB resulted in not much. Pin 205 connects to a pad on R28, so this pad will need to be pulled to ground to enable JTAG. Pin 64 connects to a pad on R15 and pin 65 to a pad on R16.

It would seem that in order to hook up JTAG, very fine wire will have to be directly soldered onto the pins of the chip. Make sure the JTAG unit you use is 3.3V compatible.
---

Here's a link to an Open Source JTAG project that might be of use. It contains links to compatible JTAG interfaces you can make yourself. All that needs to be done is BSDL definitions for the RTL8181 and the relevant programming algorithm for the MX29LV160AB flash. (http://openwince.sourceforge.net/jtag/ JTAG).

Here's a link to MIPS' specification for (http://www.mips.com/content/Documentation/MIPSDocumentation/EJTAG/doclibrary EJTAG).

Now this info and the Sourceforge JTAG project above need to be combined and something magical could happen....

---

JTAG sort of works now. See (http://www.wireless.org.au/~jhecker/rtljtag here) for details.

! Software

As mentioned in (/wiki/?minitar#news News) above, MinitarHacking contains some (comprehensive) notes on the software.

There are a few binary images starting to be available based on the RTL8181 Sourceforge project:

* (http://rtl8181.sourceforge.net/rtl8181_demo.php Sourceforge project ROM images)
* (http://www.voda.cz/rtl8181/fw/ Tom Verana's 16Mb RAM images)
* (/files/Misc/frottle_rtl8181.tar.bz2 frottle )
* (/files/Misc/Minitar/boot-csys.bin bootloader )
* (/files/Misc/Minitar/img_test.bin RAM image for Minitar)

! Serial Console

With a MAX232 hooked up to pins 1 (RX) and 7 (TX) of J1, one can get a serial console on the device.

Login Details

Username: super

Password: lance@edimax.com.tw

Schematic (note you will need an external 5V power source)

BOM:

* 4 - 1uF Tantalum 35V Capacitors
* 1 - MAX232 IC
* 1 - DB9 Female connector
* 1 - 8 Pin dim female connector

{http://www.unstable.org/~redrum/minitar-uart.gif Schematic diagram}

If an ADM3202 is used instead of the MAX232, you only need 100nF caps AND you can get the 3.3V power from the board.

Or, using a Nokia data cable:
1. Cut the head off an old Nokia phone serial cable and crimp on an RJ45 head.

{http://i.pbase.com/v3/63/405863/4/48676025.CRW_9032.jpg Nokia Cable}

2. Make the header for the device you want to connect to with an RJ45 head. The one on the left and the harness at the top are for the Minitar, and any unknown devices can use the loose pins; the one on the right is configured for my router.

{http://i.pbase.com/v3/63/405863/4/48676026.CRW_9033.jpg Different Headers}

3. Then use an RJ45 joiner to join everything together.

{http://i.pbase.com/v3/63/405863/4/48676028.CRW_9035.jpg All Together}

4. In action.

{http://i.pbase.com/v3/63/405863/4/49322134.ttl2.jpg In Action}

(http://www.pbase.com/hegars/pjttl Bigger Pictures)

The beautiful thing about this is you can quickly swap between devices with different pin configurations as easily as plugging in a network cable.

Hit escape when booting to access the Realtek bootloader.

!! Boot

++++
UART1 output test ok
Uart init
Found 1 x 2M flash memory
---!RealTek(RTL8181)at .... ... 7 11:22:57 CST 2003 version 1.0
no sys signature at 00010000!
Jump to image start=0x80300000...
display on entering boot loader, turning on display
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
Linux version 2.4.18-MIPS-01.00 (root@localhost.localdomain) (gcc version 3.0.3) #2 Fri Aug 22 00:02:09 CST 2003
Determined physical RAM map:
 memory: 00800000 @ 00000000 (usable)
Initial ramdisk at: 0x80166000 (405253 bytes)
On node 0 totalpages: 2048
zone(0): 2048 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/ram console=0 ramdisk_start=0 single
Calibrating delay loop... 204.39 BogoMIPS
Memory: 6104k/8192k available (1295k kernel code, 2088k reserved, 476k data, 44k init, 0k highmem)
Dentry-cache hash table entries: 1024 (order: 1, 8192 bytes)
Inode-cache hash table entries: 512 (order: 0, 4096 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
unavailable.
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
block: 64 slots per queue, batch=16
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Serial driver version 6.02 (2003-03-12) with no serial options enabled
ttyS00 at 0x00c3 (irq = 3) is a rtl_uart1
state->flags=00000000
!RealTek E-Flash System Driver. (C) 2002 !RealTek Corp.
Found 1 x 2MiB MXIC MX29LV160AB at 0xbfc00000
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
order=00000000 in rt_init
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
Starting kswapd
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 395k freed
VFS: Mounted root (ext2 filesystem).
Freeing unused kernel memory: 44k freed
mount /proc file system ok!
serial console detected. Disabling virtual terminals.
console=/dev/ttyS0
init started: !BusyBox v0.60.1 (2003.09.16-11:50+0000) multi-call binary
!BusyBox v0.60.1 (2003.09.16-11:50+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
Initialize WLAN interface
length=0?
length=0?
SIOCGIFFLAGS: No such device
bridge br0 doesn't exist!
bridge br0 doesn't exist; can't delete it
Setup bridge...
Algorithmics/MIPS FPU Emulator v1.5
device eth1 entered promiscuous mode
device wlan0 entered promiscuous mode
This is 8305SB
eth1: Promiscuous mode enabled.
eth1: Promiscuous mode enabled.
eth1: Promiscuous mode enabled.
eth1: Promiscuous mode enabled.
SIOCDELRT: No such process
SIOCDELRT: No such process
br0: port 2(wlan0) entering listening state
br0: port 1(eth1) entering listening state
br0: port 2(wlan0) entering learning state
br0: port 2(wlan0) entering forwarding state
br0: topology change detected, propagating
br0: port 1(eth1) entering learning state
br0: port 1(eth1) entering forwarding state
br0: topology change detected, propagating
SIOCDELRT: No such process
SIOCDELRT: No such process
udhcp server (v0.9.9-pre) started
iappauth.sh: not found
********** run Diagd **********
setting:
port: 31727
running in daemon mode
251
------------------------------------------------------------
-----------------%%%%%%Select Exit Enter%%%Please enter your Name and Password%%%User Name :
++++

!! Reboot

++++
The system is going down NOW !!
Sending SIGTERM to all processes.
Terminated
# Sending
Please stand by while rebooting the system.
Restarting system.
Enable Watch Dog to Reset whole system
++++

----

! Root console

login: super

password: lance@edimax.com.au

You have no 'ls', so you need to 'echo *' to do useful things like see files :)

++++
# cat cpuinfo
system type : Philips Nino
processor : 0
cpu model : R3000 V0.0
BogoMIPS : 204.39
wait instruction : no
microsecond timers : no
tlb_entries : 64
extra interrupt vector : no
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available
ll emulations : 0
sc emulations : 0
# cat meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  6651904  4444160  2207744        0    61440  2338816
Swap:       0        0        0
!MemTotal: 6496 kB
!MemFree: 2156 kB
!MemShared: 0 kB
Buffers: 60 kB
Cached: 2284 kB
!SwapCached: 0 kB
Active: 636 kB
Inactive: 2140 kB
!HighTotal: 0 kB
!HighFree: 0 kB
!LowTotal: 6496 kB
!LowFree: 2156 kB
!SwapTotal: 0 kB
!SwapFree: 0 kB
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/root 1373 1317 56 96% /
# cd /proc/rtl8180/
# echo *
PCI_IO ap_status bssdb rxdesc stats status txdesc
# cat ap_status
************ wlan_sta_tbl ************
There are 0 stations in table.
************ wlan_wep_KM_tbl ************
************ wlan_macaddr_filter ************
macaddr_filter_num = 0
deny_macaddr_filter_num = 0
************ Broadcase skb tx queue ************
wCtx->ps_brstQ.qnum = 0
# cat status
************ Current driver status ************
rtl8180_pci_driver loaded.
!MacAddr = 00:50:fc:d4:b1:dd
ioaddr = 0xbd400000
irq = 2
-- RTL8180 Link status --
Channel number = 11
beacon period = 100
BSSID = 0x00 0x50 0xfc 0xd4 0xb1 0xdd
SSID = 0x66(f) 0x7a(z) 0x6a(j) 0x2d(-) 0x77(w) 0x69(i) 0x72(r) 0x65(e) 0x6c(l) 0x65(e) 0x73(s) 0x73(s) 0x2d(-) 0x6f(o) 0
Capability = 0x00
AID = 0x00
Operational rate = <1><2><5.5><11>Mbps
++++

----

! Questions

!! Does somebody have the BSDL def file?

The BSDL file hasn't been as forthcoming as the data sheet from the rep (I have asked for it) and may never be. It's not always one of those things that get given out without an NDA. Keep hassling Realtek.

!! Can somebody give the FCC-ID of this AP?

Apparently it's being approved and will get one for sale in the US of A.

FWIW, there is an RTL8181-based design for a Network Everywhere product under the FCCID of Q87-NWR11B --JerrittCollord

Also, see the linked Sourceforge project (above) for a table of products and FCCIDs.

!! Does the binary wireless driver support ad-hoc mode? Can you double check?

Yes, it supports BSS AP, BSS Client, IBSS and WDS modes.
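
----

Added example for the Firmware section above (not part of the original page or of the scripts credited there): the unpacking scripts hard-code the kernel/initrd split (0x166000 for 2.20, 0x16d000 for 2.32), so this Python code generalises them by locating the gzip streams itself and picking the initrd by its ext2 superblock magic. The function names are hypothetical, the 12-byte skip is taken from the scripts, the ext2 check assumes the initrd is the ext2 image the page mounts, and the sample image is constructed rather than real firmware.

```python
import gzip
import zlib

HEADER_LEN = 12                 # bytes skipped by the page's scripts (skip=12)
GZIP_MAGIC = b"\x1f\x8b\x08"    # gzip ID bytes followed by the deflate method
EXT2_MAGIC = b"\x53\xef"        # little-endian 0xEF53 at byte 1080 of an ext2 image

def gzip_members(blob, start=0):
    """Yield (offset, data) for each complete gzip stream found in blob."""
    pos = blob.find(GZIP_MAGIC, start)
    while pos != -1:
        d = zlib.decompressobj(wbits=31)       # 31 selects the gzip wrapper
        try:
            data = d.decompress(blob[pos:])
        except zlib.error:
            data = None                        # magic bytes occurred by coincidence
        if data is not None and d.eof:         # trailer CRC and length verified
            yield pos, data
            pos = blob.find(GZIP_MAGIC, len(blob) - len(d.unused_data))
        else:
            pos = blob.find(GZIP_MAGIC, pos + 1)

def unpack(firmware):
    """Split an image into web pages, kernel and initrd without fixed offsets."""
    outer = list(gzip_members(firmware, HEADER_LEN))
    if len(outer) < 2:
        raise ValueError("expected two gzip streams after the header")
    (web_off, web), (img_off, vmlinux_img) = outer[0], outer[1]
    for off, data in gzip_members(vmlinux_img):
        if data[1080:1082] == EXT2_MAGIC:      # assumption: initrd is ext2
            return {"web_offset": web_off, "img_offset": img_off,
                    "webpages": web, "kernel": vmlinux_img[:off],
                    "initrd_offset": off, "initrd": data}
    raise ValueError("no gzip-compressed ext2 initrd inside the kernel image")

def build_sample():
    """Constructed image with the layout the scripts imply (not real firmware)."""
    initrd = bytearray(2048)
    initrd[1080:1082] = EXT2_MAGIC
    kernel = b"\0" * 0x1000 + GZIP_MAGIC + b"\0" * 0xFFD   # holds a decoy magic
    web = gzip.compress(b"<html>constructed</html>").ljust(0x18000, b"\0")
    inner = kernel + gzip.compress(bytes(initrd))
    return b"H" * HEADER_LEN + web + gzip.compress(inner)

if __name__ == "__main__":
    parts = unpack(build_sample())
    print(hex(parts["img_offset"]), hex(parts["initrd_offset"]))
```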