Crazy modem/router on the rebound

[Gothi[c]]

Last friday I noticed my modem/router (an actiontec GT704-WG) was acting strange. It's port-forwarding wasn't working as it should anymore, all in all, it seemed it's NAT was completely broken.

The next morning I walk up to the computer, and notice the Internet isn't working at all anymore. - I look at the modem, and it has it's status light solid red. (Not good,- the manual sais that when the red status light remains solid, there is a hardware or firmware problem.) I tried rebooting it, unplugging it, plugging it back in, anything I could think of, It wouldn't boot up, and the web interface wasn't accessible anymore.

At that point anyone else would have trashed the thing and bought a new one, but since I don't have a tree growing $100 bills, and also, since I didn't have anything better to do with my internet being down, I was a bit more persistent.

After lots of fiddling and trying, I noticed that my computer would get an IP about 2 seconds after I power on the router, and lose it again about 5 seconds later. This ip was 192.168.0.127.

I thought that was kind of strange, and interesting, so I set a static IP and disabled dhcp on my network settings, and i tried probing some ports during that 5 second window, and found out there was an FTP server accessible!

The ftp server announced itself as 'adam2'. My router's name isn't Adam, and I don't know anyone named Adam, so I went to a friends house to borrow their internet and do some googling. It turns out this is the routers bootloader, which gives you a 5 second window after startup to upload firmware.

[Select]

$ ftp 192.168.0.1
Connected to 192.168.0.1.
220 ADAM2 FTP Server ready.

That was great news! It ment two things:
  1) My router wasn't fubar.
  2) I was able to try something that might fix it: replace/repair the firmware

Of course, It wasn't that easy. The Adam2 boot loader defines a set of environment variables to define the memory range of several partitions. (A kernel, file system, boot loader, boot loader settings, and some unknown partition labeled from mtd0 through mtd4) And the original firmware image of the manifacturer (Actiontec) is just one image file, not 2 or 5 image files. I tried splitting the image in several parts using the partition layout memory address numbers in the boot loader, but that didn't seem to work. I could upload the firmware but it wouldn't boot.

With no easy way to upload the firmware image of the manifacturer through the adam2 ftp interface, I was almost back at square one, but it just required some more persistense.

The OpenWRT project has a page on the Actiontec 701, which is appearantly a modem/router similar to mine (but without wireless).
On that same page it has some information about the router, and it mentions the router uses the AR7 architecture.

It turns out D-Link has a router running on that very same architecture (the DSL-G604T) and unlike Actiontec, D-link provides a recovery utility to replace the firmware through the ftp interface, using ONE image file.

I ran the utility and it uploaded D-Link firmware to my actiontec modem, I figured, maybe the web-interface will work, if I'm lucky, and I can use that to upload the original Actiontec firmware, or just replace the d-link image with the actiontec one in the recovery utility.

It turned out I didn't even have to, because, appearantly, the D-Link software is running with no problems on my Actiontec router, eventhough it has completely different hardware. I can now get back on-line, use NAT and port forwarding, even wireless works. All features in the web-interface work etc,...

This D-Link software seems to have more features(see screenshot) in it's web-interface than I've ever seen in a modem/router; so why would I replace the original buggy and featureless actiontec firmware if the D-link firmware works just as well?

It turns out I was rather lucky the D-Link firmware even boots, since the device it was written for has at least twice as much memory as my Actiontec piece of junk.

The memory constraint had me worried, so I did a small stress test by calling on my VoIP while downloading stuff (probably not the best test one could do, it's not like p2p) and it worked fine. But at least now if I ever encounter problems I can revert back to the original firmware. (Though I'd like to avoid it if possible)

The original Actiontec firmware hasn't been maintained or updated since 2005 and it is full of bugs. One of the most annoying bugs is that it wants to log every dns-request without ever deleting/cycling the cache. When the memory is full, the firmware craches. Using any p2p app for 5 mins will do that. There is a temporary fix (by telnetting to the modem and disabling the caching), but it gets lost after reboot. So that's why I'd rather keep the D-Link firmware if I don't have any problems with it (so far so good)

[db90h]

Nice investigation and resolution . If you haven't had any major troubles with the D-Link firmware by now, you probably won't. As you said, the difference in RAM size is the thing most likely to cause troubles, if there are any. It would manifest on high load and/or a large number of services running on the router.

Probably both firmwares aren't very different 'under the hood'. Typically, these vendors take a reference firmware from the manufacturer, Texas Instruments in this case, and modify it to suit their needs.

[Gothi[c]]

A small update.

This thing finally died on me quite a few months ago during a power outage, i think it was, i don't remember 100%.
Solid red light of death, indicating hardware problem again.

Only, this time I could not connect to the ADAM2 bootloader in the few seconds window after you turn it on. It did not respond to anything at all anymore. After lots of tries, trying anything I could to get into adam2, I gave up and considered it dead. Then went to buy another modem/router/AP so I could get online.

I was pressed in time, because important work had to be done, and there couldn't have been a worse time for the thing to break.

I did not throw it away of course, since as any good geek, you keep it to eventually maybe recycle parts or whatever.

Now, many months later, I decided to dig it up again, and see if I could resurrect it, after reading about how you can upload a new bootloader using a JTAG cable.

So, I went ahead and opened it up, soldered together the simplest JTAG interface I could find (using only 5 100 ohm resistors on the parallel port), and fired up the jtag software.

Unfortunately, no go. I went onto IRC (#ar7 on freenode) where they have an openwrt-related channel for the ar7 platform routers, and queried about what could be wrong, and I was informed that I wouldn't be able to upload a new bootloader using only the 4 signals of this simple cable, and that I would need a 'real' JTAG cable.

Disappointed, I was looking over the PCB and noticed that only 4 paths were connected to the 12 pins of the JTAG port. I mentioned this in the channel, being confused that only 4 pins were connected. This seemed impossible. Eventually I noticed a second 12 pin connector on the pcb, on which all pins were connected. So then I started probing with the old volt meter to see which is the 'real' jtag port, and what the pin layout could be.

This router also has 2 6-pin serial ports somewhere. Someone in the channel noted that if I measure the voltage between the chassis and some of the 6-pin serial connector pins, I should get 3.3 Volts. (And indeed, I did get exactly 3.3 volts on 3 of the serial pins), then I could measure on those serial pins of which I know I get 3.3 Volts, with pins on the jtag interfaces, to determine which the ground pins are.

So I was probing around with the 'ol volt meter to find the ground pins on the jtag port, and I must have shorted something on the serial port (the pins are close together, so it's easy to accidentally short something with a voltmeter probe), as I suddenly noticed some LED's started blinking.

I ignored the behavior and continued probing, until I finally noticed the state of all the LED's. They indicated an OK state,- a successful boot!

Somehow in all the probing, somewhere I must have initiated some undocumented hardware-reset, which fixed up the bootloader again! I hooked it up to the PC, and it worked. Got an IP over DHCP and everything!!

Thus the old dead router is not so dead after all, and I fixed the darn thing AGAIN! Woohoo! Now I have a spare in case something bad happens to my new one.

(02:31) < Gothi[c]> +180mV
(02:31) < Gothi[c]> that's probably too low to be significant heh
(02:31) <@sn9> oh, you're meauring volts?
(02:31) < Gothi[c]> yeah
(02:32) <@sn9> 5 and chassis, then
(02:32) < Gothi[c]> hmm nothing
(02:32) <@sn9> see if it matches 2 and 5
(02:32) < Gothi[c]> 14mV
(02:33) < Gothi[c]> no
(02:33) <@sn9> is there a +3.3 on serial?
(02:33) < Gothi[c]> not sure
(02:33) -!- AndyIL [[email protected]] has quit [Connection timed out]
(02:33) < Gothi[c]> what pins do i measure on serial?
(02:34) <@sn9> 3.3 against ground
(02:34) < Gothi[c]> yep
(02:34) < Gothi[c]> exactly 3.3
(02:34) <@sn9> if you get 3.3, measure that 3.3 against the even jtag pins
(02:34) < Gothi[c]> i get 3.3 on serial on pin2 with chassis
(02:35) < Gothi[c]> good idea
(02:35) <@sn9> then measure serial pin2 and jtag pin2
(02:35) < Gothi[c]> hmm nope
(02:35) <@sn9> serial pin2 against all the jtag pins, then
(02:36) < Gothi[c]> i get nothing if i measure between any serial pin and any pin on that jtag port, heh
(02:36) <@sn9> is pin2 the only serial pin to have 3.3 against chassis?
(02:36) < Gothi[c]> no
(02:37) <@sn9> try the other ones with 3.3, also against all jtag
(02:37) < Gothi[c]> 2,5,6 all have 3.3
(02:37) < Gothi[c]> wtf
(02:37) <@sn9> so try 5 with jtag, and 6 with jtag
(02:37) < Gothi[c]> i just made a light blink lol
(02:38) <@sn9> sort the lights out later
(02:38) < Gothi[c]> interesting
(02:39) < Gothi[c]> omg
(02:39) < Gothi[c]> it's doing something
(02:39) < Gothi[c]> WTF
(02:39) < Gothi[c]> it looks like it booted
(02:39) < Gothi[c]> WTF
(02:39) < Gothi[c]> the LED's on the modem indicate a booted state!!
(02:40) < Gothi[c]> let me hook it up
(02:40) < Gothi[c]> i might have accidently have done some kind of undocumented reset thing by shorting that serial with something
(02:41) <@sn9> guess so
(02:42) < Gothi[c]> well hang on
(02:42) < Gothi[c]> let me see if it actually works
(02:42) < Gothi[c]> let me power cycle
(02:42) < Gothi[c]> and see what it does
(02:42) <@sn9> if the bootloader was ok, but the bootloader environment flashed itself, that would explain this
(02:43) < Gothi[c]> it boots normally now
(02:43) < Gothi[c]> crazy!
(02:44) < Gothi[c]> got an ip from dhcp and everything
(02:44) < Gothi[c]> fixed!

Note that I did previously try the documented firmware reset procedures etc (by holding the reset button for n seconds etc) all of which didn't work. Amazing

[f0dder]

Hardcore! 

[Edvard]

a man after my own heart 

I used to be quite the solder-jockey in my day, sounds like I need to brush up on some skillz...

[40hz]

So I was probing around with the 'ol volt meter to find the ground pins on the jtag port, and I must have shorted something on the serial port (the pins are close together, so it's easy to accidentally short something with a voltmeter probe), as I suddenly noticed some LED's started blinking.

I ignored the behavior and continued probing, until I finally noticed the state of all the LED's. They indicated an OK state,- a successful boot!

Somehow in all the probing, somewhere I must have initiated some undocumented hardware-reset, which fixed up the bootloader again! I hooked it up to the PC, and it worked. Got an IP over DHCP and everything!!

-Gothi[c] (September 04, 2008, 03:22 AM)

Probing around with a voltmeter? Love it! "Hardcore" doesn't begin to do you justice.

I am very impressed.