Hitron CGNM-2250

From Leo's Notes
Last edited on 21 December 2023, at 21:53.

The Hitron CGNM-2250 is a DOCSIS 3.0 modem that was used with Shaw. We used it sometime between 2017 and 2023, until Shaw forced us to replace it.

This modem is based on Intel's Puma 6 modem chipset, which has a somewhat notorious reputation for high network jitter and latency. While I didn't really notice any issues with this modem in day-to-day tasks, I did notice a significant reduction in network jitter with ICMP pings after replacing the modem.

Instead of throwing it out, I'd like to see whether it can be turned into something useful. But really, this thing isn't worth saving. Go spend some extra money on something that can run OpenWRT and save yourself the headache.

Hardware

The CGNM-2250 is based on the Puma 6 modem chipset/architecture. The architecture of the entire system is extremely odd and offered many surprises as I dug deeper into the firmware without any previous knowledge about these modems.

There are two distinct subsystems on this modem, each using a different CPU architecture, and they communicate with each other using RPC over a built-in network bridge:

  1. The Intel Atom CPU, which the firmware files refer to as the 'APP CPU', is responsible for services like Samba and handling of the USB ports. It is also the CPU that boots up the system when the system is powered on. The CPU appears to read the first 2MB of the flash storage when powered on, as that's where u-boot and the first/second stage boot data is stored.
  2. The ARM CPU, which is referred to as the 'NP CPU', is responsible for network related services including the web UI, SNMP, DOCSIS related services, and the network CLI program. This CPU is disabled (or made to not boot) if the system is powered on with the front button pressed. The processor boots using u-boot stored on partitions 7 and 8 of the flash storage. Whenever this ARM/NP CPU side is rebooted, the Intel/APP CPU side also reboots. Interestingly, rebooting the Intel/APP CPU side does not affect the ARM/NP CPU side.

Overview

| | Hardware | Other notes |
|---|---|---|
| APP CPU | Intel(R) Atom(TM) CPU 652 @ 1.20GHz | USB ports are connected to this processor. |
| NP CPU | ARMv6-compatible processor rev 4 (v6b) | Used to drive the DOCSIS hardware. Runs the web interface. Is ARMv6 big endian. Pretty rare? |
| Memory | 512 MB DDR3 | Shared between the two processors. Application CPU gets 358MB, network CPU gets 120MB. |
| Flash storage | 128MB NAND | Shared between the two processors as a mmcblk device. Both CPUs can read anything from this storage device. |
| Networking | 4x Gigabit, 1x Coax | Gigabit ports are on the same hardware switch. Coax has a DOCSIS 3.0 frontend. |
| Serial UART | 2x 3.3v UART connector | The one closest to the front button is for the APP/Intel CPU. The one closest to the USB ports is for the NP/ARM CPU. Both serial UARTs talk at 115200 baud at 3.3 volts. |

Hardware info

Intel side: Intel Atom CPU
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 53
model name	: Intel(R) Atom(TM) CPU  652   @ 1.20GHz
stepping	: 8
cpu MHz		: 1200.047
cache size	: 256 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 1
apicid		: 0
initial apicid	: 0
fdiv_bug	: no
hlt_bug		: no
f00f_bug	: no
coma_bug	: no
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm movbe lahf_lm arat dts tpr_shadow vnmi flexpriority
bogomips	: 2400.09
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 53
model name	: Intel(R) Atom(TM) CPU  652   @ 1.20GHz
stepping	: 8
cpu MHz		: 1200.047
cache size	: 256 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 1
apicid		: 1
initial apicid	: 1
fdiv_bug	: no
hlt_bug		: no
f00f_bug	: no
coma_bug	: no
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm movbe lahf_lm arat dts tpr_shadow vnmi flexpriority
bogomips	: 2399.93
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

ARM side: some generic ARMv6 CPU
Processor       : ARMv6-compatible processor rev 4 (v6b)
BogoMIPS        : 447.28
Features        : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xb76
CPU revision    : 4

Hardware        : puma6
Revision        : 05e1
Serial          : 0000000000000000

On Intel's side, we see ~358MB.
# free -m
             total         used         free       shared      buffers
Mem:        367244        43708       323536            0         4680
-/+ buffers:              39028       328216
Swap:            0            0            0

On ARM's side, we see about 120MB:
# free -m
             total         used         free       shared      buffers
Mem:        120624       104172        16452            0         9700
-/+ buffers:              94472        26152
Swap:            0            0            0

## On the Intel side, we see eth0, which goes to the gigabit LAN and is also tagged with the l2sd0 VLAN (4093)
# ip a | grep 192
    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth0
    inet 192.168.254.254/24 brd 192.168.254.255 scope global eth0.4093
    inet 192.168.1.254/24 brd 192.168.1.255 scope global ath0
    inet 192.168.2.254/24 brd 192.168.2.255 scope global ath1

## On the ARM side, we have these l2sd interfaces with VLANs.
# ip a | grep 192
    inet 192.168.254.253/24 brd 192.168.254.255 scope global l2sd0.4093
    inet 192.168.101.1/24 brd 192.168.101.255 scope global l2sd0.3
    inet 192.168.102.1/24 brd 192.168.102.255 scope global l2sd0.4
    inet 192.168.103.1/24 brd 192.168.103.255 scope global l2sd0.5
    inet 192.168.104.1/24 brd 192.168.104.255 scope global l2sd0.6
    inet 192.168.105.1/24 brd 192.168.105.255 scope global l2sd0.7
    inet 192.168.106.1/24 brd 192.168.106.255 scope global l2sd0.8
    inet 192.168.107.1/24 brd 192.168.107.255 scope global l2sd0.9

PCI devices

shell> lspci
lspci
BB:DD:FF  VID :DID   DevClass  IRQ  Device Type
--------  ----:----  --------  ---  -------------------------------
00:00:00  8086:0931  06:00:00  00   Host-PCI Bridge
00:00:01  8086:2E58  08:00:20  00   IO(x) APIC
00:00:02  8086:2E52  08:80:00  00   System Peripheral
00:01:00  8086:0700  06:04:01  00   PCI-PCI Bridge
00:0E:00  8086:0C80  01:01:8A  04   IDE Controller
00:1C:00  8086:0899  06:04:00  04   PCI-PCI Bridge
00:1C:01  8086:089A  06:04:00  04   PCI-PCI Bridge
00:1E:00  8086:08BC  00:00:00  FF   PUnit
00:1F:00  8086:8119  06:01:00  00   PCI-ISA Bridge
01:00:00  8086:0947  02:80:00  FF   L2 Switch DMA
01:01:00  8086:0947  02:80:00  FF   L2 Switch DMA
01:04:00  8086:2E5D  04:80:00  04   Multimedia Device
01:05:00  8086:0948  02:80:00  FF   Docsis DMA
01:07:00  8086:0956  0B:40:00  FF   (unknown)
01:09:00  8086:2E64  10:10:00  04   Entertainment Encrypt/Decrypt
01:0B:00  8086:2E66  07:00:03  04   UART Controller
01:0B:01  8086:2E67  FF:00:00  04   GPIO controller
01:0B:02  8086:2E68  FF:00:00  04   I2C controller
01:0B:03  8086:2E69  07:05:00  04   Smart Card Controller
01:0B:05  8086:2E6B  04:80:00  04   Multimedia Device
01:0B:06  8086:089F  FF:00:00  04   PWM controller
01:0B:07  8086:2E6D  FF:00:00  04   DFX controller
01:0C:00  8086:2E6E  02:00:00  04   Ethernet Controller
01:0C:01  8086:2E6F  FF:00:00  04   IEEE1588 and Clock Recovery
01:0D:00  192E:0101  0C:03:20  04   USB Controller (EHCI)
01:0D:01  192E:0101  0C:03:20  04   USB Controller (EHCI)
01:0D:02  192E:0101  0C:03:20  04   USB Controller (EHCI)
01:0E:00  8086:0949  08:80:00  FF   System Peripheral
01:0F:00  8086:094A  08:80:00  FF   System Peripheral
01:10:00  8086:0702  10:10:00  00   Entertainment Encrypt/Decrypt
01:14:00  8086:0705  04:80:00  04   Multimedia Device
01:17:00  8086:08A0  05:01:00  00   SPI-SLAVE
01:1B:00  8086:070B  08:05:01  04   SDIO Controller
01:1C:00  8086:0957  02:80:00  FF   (unknown)
01:1D:00  8086:08BD  02:80:00  FF   L2 Switch
01:1E:00  8086:08BE  02:80:00  FF   MOCA
01:1F:00  8086:0946  02:80:00  FF   Docsis
02:00:00  168C:0030  02:80:00  04   (unknown)
03:00:00  168C:003C  02:80:00  04   (unknown)

Serial UART

There are two 4-pin UART headers on the main board, one for each of the ARM and Intel subsystems:

  1. The one closest to the USB ports appears to be connected to the NP/ARM CPU.
  2. The other one, closer to the front button tactile switch, is connected to the APP/Intel CPU.

The APP/Intel CPU appears to be the 'master' system and its UART will show POST messages immediately when the system is powered on.

Accessing the bootloader shell

The APP/Intel CPU UART will prompt for a password if a key is hit during the POST stage (about 2-5 seconds after power on). You will see the message "please input your password" if a key is hit. You have only one chance to get the password right, or else the system will continue to boot (and then subsequently hang until you power-cycle).

The password to the bootloader is D0nt4g3tme!. The MD5 hash aa6670c39dc93b73a34605e4d14d5003 can be found within the first 2MB of the flash storage, and the plain-text version of the password is in one of the libraries of the CLI tool used by the APP/Intel CPU on partition 11. This particular password prompt did not appear in the Intel CEFDK reference source code, so it must be custom to the Hitron, and I suspect it is not implemented quite correctly, as the system hangs after the wrong password is entered.

Type the password and then press Enter. If you don't see a shell prompt, you'll have to power-cycle and try again.

Here's what I did on the serial console to get the bootloader shell.

Warning: No device found in chip select 0
Spi Flash Init Failed and disable SPI Fl
Intel(R) Consumer Electronics Firmware Development Kit (Intel(R) CEFDK)
Copyright (C) 1999-2012 Intel Corporation. All rights reserved.
Build Time (Aug 18 2015,20:31:26).
POST: 0xf07
Set flash layout to Intel 128MB layout Rev 1

please input your password
D0nt4g3tme!
shell>

You can see the version of u-boot used to boot the Intel/APP CPU side of things.

shell> version
mango-1.8.10
GIT SHA: 92828e8a
Build Date: Aug 18 2015,20:31:26
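
The observation above, a hash in the boot region whose plaintext ships elsewhere in the same image, can be turned into a repeatable check when reviewing a firmware dump. This is an added example, not code from the original notes; the sample flash and library contents, the sample secret and all function names are constructed, and it assumes the digest may be stored either raw or as ASCII hex.

```python
import hashlib
import re

BOOT_REGION = 2 * 1024 * 1024  # the notes locate the hash in the first 2MB of flash


def printable_strings(blob, min_len=6):
    """Yield printable ASCII runs from a binary, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(blob):
        yield match.group().decode("ascii")


def digest_forms(text):
    """Return the encodings in which an MD5 digest is commonly embedded."""
    digest = hashlib.md5(text.encode("ascii")).digest()
    hexed = digest.hex()
    return (
        ("raw", digest),
        ("hex", hexed.encode("ascii")),
        ("HEX", hexed.upper().encode("ascii")),
    )


def find_hardcoded_hashes(flash, library, region=BOOT_REGION):
    """Report every string in `library` whose MD5 is stored in the boot region.

    Returns a sorted list of (offset, form, plaintext) tuples. A string only
    matches if it is delimited by non-printable bytes (for example NUL
    terminators), because whole printable runs are hashed.
    """
    boot = flash[:region]
    hits = []
    for text in sorted(set(printable_strings(library))):
        for form, needle in digest_forms(text):
            offset = boot.find(needle)
            if offset != -1:
                hits.append((offset, form, text))
    return sorted(hits)


def build_sample(hash_offset=0x1234):
    """Construct a fake flash image and library for the example (not real data)."""
    secret = "constructed-example-pw"
    flash = bytearray(b"\xff" * (BOOT_REGION + 4096))
    hexdigest = hashlib.md5(secret.encode("ascii")).hexdigest().encode("ascii")
    flash[hash_offset:hash_offset + len(hexdigest)] = hexdigest
    library = (
        b"\x7fELF\x00login failed\x00"
        + secret.encode("ascii")
        + b"\x00please input your password\x00"
    )
    return bytes(flash), library


if __name__ == "__main__":
    flash, library = build_sample()
    for offset, form, text in find_hardcoded_hashes(flash, library):
        print("0x%06x: %s MD5 of library string %r" % (offset, form, text))
```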

Boot messages

Intel UART: The Intel UART shows POST messages when the system boots. The default Shaw firmware seems to be locked down, as there's no way to interact with the bootloader on startup. We will change this later; keep reading. The only messages on this serial device look like this:
Fail to enable battery: temperature safety violation


AC_BOOT
POST: 0xb03
wdt: reset type = 0, reset reason = 0
POST: 0xc02
cefdk_rom_base_addr: 0x00280800
POST: 0xc1f
wdt: acboot win2 end, counter=1121868
POST: 0xf02cs =0, jedec=ffffff

Warning: No device found in chip select 0
Spi Flash Init Failed and disable SPI Fl
Intel(R) Consumer Electronics Firmware Development Kit (Intel(R) CEFDK)
Copyright (C) 1999-2012 Intel Corporation. All rights reserved.
Build Time (Aug 18 2015,20:31:26).
POST: 0xf07
Set flash layout to Intel 128MB layout Rev 1
WARNING: Ancient bootloader, some functionality may be limited!

ARM UART: The kernel decompression seems to be from 7z? Interestingly, they spelled 'kernel' wrong.
NPCPU Only Mode = 0


Cat Mountain D0 - Boot Ram.
Version: 0.1.16 (Apr 10 2014, 18:52:35)
Boot Param memory dump:
[0x1FFC] - 0x00010016
[0x1FF8] - 0x00000001
[0x1FF4] - 0x00000001
[0x1FF0] - 0x00000002
[0x1FEC] - 0x00000001
[0x1FE8] - 0x18000000
[0x1FE4] - 0x08000000
[0x1FE0] - 0x001E0000
[0x1FDC] - 0x001E0200
[0x1FD8] - 0x03C04000
[0x1FD4] - 0x00040000
[0x1FD0] - 0x03C44000
[0x1FCC] - 0x03C44000
[0x1FC8] - 0x00010000
[0x1FC4] - 0x00000000
[0x1FC0] - 0x00000000
[0x1FBC] - 0x00000000
[0x1FB8] - 0x00000000
[0x1FB4] - 0x00000000
[0x1FB0] - 0x00000000
[0x1FAC] - 0x00000000
[0x1FA8] - 0x00000000
[0x1FA4] - 0x00000000
[0x1FA0] - 0x00000000
[0x1F9C] - 0x0B0A0807
[0x1F98] - 0x01090D0C
[0x1F94] - 0xFF050302
[0x1F90] - 0x00000001
[0x1F8C] - 0x0000000C
[0x1F88] - 0x0005480E
[0x1F84] - 0x001D8000
[0x1F80] - 0x00000070
[0x1F7C] - 0xFFFFFFFF
[0x1F78] - 0x00008000
[0x1F74] - 0x00000020
[0x1F70] - 0x00080800
[0x1F6C] - 0x00010000
[0x1F68] - 0x00090800
[0x1F64] - 0x00009400
[0x1F60] - 0x00099C00
[0x1F5C] - 0x00065400
[0x1F58] - 0x000FF800
[0x1F54] - 0x00000800
[0x1F50] - 0x00100000
[0x1F4C] - 0x00000800
[0x1F48] - 0x000FF000
[0x1F44] - 0x00000800
[0x1F40] - 0x00000001
[0x1F3C] - 0x01010101
[0x1F38] - 0x01010101
[0x1F34] - 0x01010101
[0x1F30] - 0x01010101
[0x1F2C] - 0x00000000
[0x1F28] - 0x00000000
[0x1F24] - 0x00000000
Load U-Boot from eMMC/NAND Flash
eMMC/NAND copy from 0x03C04000 to 0x59FB0000 (len:262144).
Done.


)mango-1.6.5-ge4b629a1 (Aug 27 2014 - 11:31:05)

DRAM:  128 MB
MMC:   sdhci_puma6: 0
MMC info:
  Manufacturer ID: 0
  OEM ID: 0
  Name: MMC128
  MMC version 4.4
  High Capacity: No
  Dual Data Rate (DDR): No
  Bus Width: 8-bit
  Clock: 50000000
  Rd Block Len: 512
  Capacity: 112.4 MB (117833728 bytes)
Starting LZMA Uncompression Algorithm.
Compressed file is LZMA format.
[Debug - Kerenl] LZMA Uncompression - Done.

Hacking

Enter manufacturer mode

The easiest way to 'break in' to the Intel side is to power on the system while holding the front button. The bootloader will boot the APP/Intel CPU with a 'nonpcpu' flag, which causes the system to boot without silencing the serial console, set up networking with a hard-coded 192.168.0.254 IP address, and allow root logins via the serial console and telnet. In this mode, the NP/ARM CPU will not boot. The watchdog timer may also be disabled as there is no watchdog daemon running.

If you assign your computer another IP address on this subnet, you should be able to telnet to this address and log in as root.

This is what it looks like on the Intel UART when in this mode:

Fail to enable battery: temperature safety violation


AC_BOOT
POST: 0xb03
wdt: reset type = 0, reset reason = 0
POST: 0xc02
cefdk_rom_base_addr: 0x00280800
POST: 0xc1f
wdt: acboot win2 end, counter=1075261
POST: 0xf02cs =0, jedec=ffffff

Warning: No device found in chip select 0
Spi Flash Init Failed and disable SPI Fl
Intel(R) Consumer Electronics Firmware Development Kit (Intel(R) CEFDK)
Copyright (C) 1999-2012 Intel Corporation. All rights reserved.
Build Time (Aug 18 2015,20:31:26).
POST: 0xf07
Set flash layout to Intel 128MB layout Rev 1
WARNING: Ancient bootloader, some functionality may be limited!
[MFG] nonpcpu found, start test mode...
ADDRCONF(NETDEV_UP): eth0: link is not ready
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
8021q: adding VLAN 0 to HW filter on device eth0
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
168c0030 168c003c
killall: nart.out: no process killed
rmmod: can't unload 'art': unknown symbol in module, or unknown parameter
killall: hostapd_booster: no process killed
killall: hostapd: no process killed
NUMRADIO_PCI 2
NUMRADIO = (2)
DEFAULT_GW:
AP_STARTMODE=multi, do multi VAP
my_vaps ('' _2 _3 _4 _5 _6 _7 _8 _9 _10 _11 _12 _13 _14 _15 _16)
num_2: 1 num_5:1
 0 ITER_VAP_COUNT = 1


interface:ath0
makeVAP ap-wds Hitron_ATH_2G 0:RF:6:11NGHT40PLUS 100 0 :::1
1->ap-wds 2->Hitron_ATH_2G 3->0:RF:6:11NGHT40PLUS 4->100 5->0 6->:::1 7-> 8-> 9-> 10->
CFGINDEX=0
DTIMPERIOD=
FRAG=
RTS=
Args: 1
mem_manager: module license 'unspecified' taints kernel.
Disabling lock debugging due to kernel taint
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
... lots of stuff ...
### Start /etc/rc3.d/iwevent
iwevent SUCCESS
/bin/init_man: init_man.sh: svc_get failed for icepm_gateway: No such file or directory
/bin/init_man: init_man.sh: service icepm_gateway not found, cannot delete
/bin/init_man: init_man.sh: svc_get failed for runtime_pm: No such file or directory
/bin/init_man: init_man.sh: service runtime_pm not found, cannot delete
##### Starting Scripts Complete ######



Please press Enter to activate this console.

starting pid 3909, tty '': '-/bin/sh'
#
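
A captured boot log can be checked for this mode automatically, for example to confirm that a unit did not come up with the test-mode console and telnet enabled. This is an added example, not part of the original notes; the sample logs reuse lines from the captures on this page, and the function and field names are hypothetical.

```python
import re

# Constructed sample: lines copied from the UART and dmesg captures on this
# page, joined into one log. \ufffd stands for the garbled byte in the capture.
MFG_LOG = """\
Build Time (Aug 18 2015,20:31:26).
POST: 0xf07
Set flash layout to Intel 128MB layout Rev 1
WARNING: Ancient bootloader, some functionality may be limited!
[MFG] nonpcpu found, start test mode...
Kernel command line: console=ttyS0,115200,y\ufffd ip=192.168.100.2 root=/dev/mmcblk0p5 nonpcpu cefdk=mango-1.8.10-g92828e8a
Please press Enter to activate this console.
starting pid 3909, tty '': '-/bin/sh'
"""

# Constructed sample: the locked-down boot, where the console goes quiet
# after the bootloader banner.
NORMAL_LOG = """\
Build Time (Aug 18 2015,20:31:26).
POST: 0xf07
Set flash layout to Intel 128MB layout Rev 1
WARNING: Ancient bootloader, some functionality may be limited!
"""

BUILD_RE = re.compile(r"Build Time \(([^)]*)\)")
SHELL_RE = re.compile(r"starting pid \d+, tty '[^']*': '-?(/bin/\w*sh)'")


def parse_cmdline(line):
    """Split a 'Kernel command line:' entry; bare flags map to True."""
    _, _, args = line.partition("Kernel command line:")
    params = {}
    for token in args.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else True
    return params


def triage(log_text):
    """Summarise how the APP/Intel side booted, based on its console log."""
    report = {
        "bootloader_build": None,
        "cmdline": {},
        "mfg_banner": False,
        "password_prompt": False,
        "console_shell": None,
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Kernel command line:" in line:
            report["cmdline"] = parse_cmdline(line)
        elif line.startswith("[MFG]") and "nonpcpu" in line:
            report["mfg_banner"] = True
        elif "please input your password" in line:
            report["password_prompt"] = True
        else:
            build = BUILD_RE.search(line)
            if build:
                report["bootloader_build"] = build.group(1)
            shell = SHELL_RE.search(line)
            if shell:
                report["console_shell"] = shell.group(1)
    # Either the bootloader banner or the kernel flag is enough evidence.
    report["mfg_mode"] = (
        report["mfg_banner"] or report["cmdline"].get("nonpcpu") is True
    )
    return report


def findings(report):
    """Turn a triage report into review findings."""
    out = []
    if report["mfg_mode"]:
        out.append("booted with nonpcpu: NP/ARM CPU not started, "
                   "root login over serial and telnet enabled")
    if report["console_shell"]:
        out.append("serial console spawns %s without a login prompt"
                   % report["console_shell"])
    return out


if __name__ == "__main__":
    for name, log in (("mfg", MFG_LOG), ("normal", NORMAL_LOG)):
        print(name, findings(triage(log)) or "no findings")
```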

Intel / APPCPU side

Running kernel: Linux version 2.6.39 (root@US1-Yocto) (gcc version 4.5.1 (IntelCE toolchain-V5 Tue Apr 17 19:34:48 PDT 2012) ) #2 SMP PREEMPT Thu Nov 18 01:35:16 EST 2021

Here are some logs from the Intel side of things.

dmesg

Initializing cgroup subsys cpuset
Initializing cgroup subsys cpu
Linux version 2.6.39 (root@US1-Yocto) (gcc version 4.5.1 (IntelCE toolchain-V5 Tue Apr 17 19:34:48 PDT 2012) ) #2 SMP PREEMPT Thu Nov 18 01:35:16 EST 2021
BIOS-provided physical RAM map:
 BIOS-e820: 0000000000000000 - 0000000000011ab0 (reserved)
 BIOS-e820: 0000000000011ab0 - 0000000000018000 (ACPI data)
 BIOS-e820: 0000000000018000 - 0000000000020000 (reserved)
 BIOS-e820: 0000000000020000 - 0000000000040000 (usable)
 BIOS-e820: 0000000000040000 - 0000000000100000 (reserved)
 BIOS-e820: 0000000000100000 - 0000000007400000 (usable)
 BIOS-e820: 0000000007400000 - 0000000008000000 (reserved)
 BIOS-e820: 0000000008000000 - 0000000018000000 (usable)
 BIOS-e820: 0000000018000000 - 0000000020000000 (reserved)
 BIOS-e820: 00000000fec00000 - 00000000fec00400 type 6
 BIOS-e820: 00000000fee00000 - 00000000fee00400 type 7
e820 update range: 000000000008fc00 - 000000000008fe98 (usable) ==> (usable)
e820 update range: 000000000008fe98 - 000000000008feac (usable) ==> (usable)
extended physical RAM map:
 reserve setup_data: 0000000000000000 - 0000000000011ab0 (reserved)
 reserve setup_data: 0000000000011ab0 - 0000000000018000 (ACPI data)
 reserve setup_data: 0000000000018000 - 0000000000020000 (reserved)
 reserve setup_data: 0000000000020000 - 0000000000040000 (usable)
 reserve setup_data: 0000000000040000 - 0000000000100000 (reserved)
 reserve setup_data: 0000000000100000 - 0000000007400000 (usable)
 reserve setup_data: 0000000007400000 - 0000000008000000 (reserved)
 reserve setup_data: 0000000008000000 - 0000000018000000 (usable)
 reserve setup_data: 0000000018000000 - 0000000020000000 (reserved)
 reserve setup_data: 00000000fec00000 - 00000000fec00400 type 6
 reserve setup_data: 00000000fee00000 - 00000000fee00400 type 7
NX (Execute Disable) protection: active
DMI not present or invalid.
e820 update range: 0000000000000000 - 0000000000001000 (usable) ==> (reserved)
e820 remove range: 00000000000a0000 - 0000000000100000 (usable)
last_pfn = 0x18000 max_arch_pfn = 0x1000000
MTRR default type: uncachable
MTRR fixed ranges enabled:
  00000-9FFFF write-back
  A0000-BFFFF uncachable
  C0000-EFFFF write-back
  F0000-FFFFF write-protect
MTRR variable ranges enabled:
  0 base 000000000 mask FE0000000 write-back
  1 disabled
  2 disabled
  3 disabled
  4 disabled
  5 disabled
  6 disabled
  7 disabled
initial memory mapped : 0 - 01c00000
Base memory trampoline at [c003c000] 3c000 size 16384
init_memory_mapping: 0000000000000000-0000000018000000
 0000000000 - 0000200000 page 4k
 0000200000 - 0018000000 page 2M
kernel direct mapping tables up to 18000000 @ 1bfc000-1c00000
ACPI: RSDP 0009fc00 00024 (v02 INTEL )
ACPI: RSDT 00017fb0 00030 (v01 INTEL           00000000      00000000)
ACPI: FACP 00013b20 000F4 (v03 INTEL           00000000      00000000)
ACPI: DSDT 00013c20 010D4 (v01 Intel    CE2600 00000001 INTL 20091112)
ACPI: FACS 00017f70 00040
ACPI: APIC 00011af0 00068 (v01 INTEL           00000000      00000000)
ACPI: HPET 00011ab0 00038 (v01 INTEL           00000000      00000000)
ACPI: Local APIC address 0xfee00000
0MB HIGHMEM available.
384MB LOWMEM available.
  mapped low ram: 0 - 18000000
  low ram: 0 - 18000000
Zone PFN ranges:
  DMA      0x00000020 -> 0x00001000
  Normal   0x00001000 -> 0x00018000
  HighMem  empty
Movable zone start PFN for each node
early_node_map[3] active PFN ranges
    0: 0x00000020 -> 0x00000040
    0: 0x00000100 -> 0x00007400
    0: 0x00008000 -> 0x00018000
On node 0 totalpages: 95008
free_area_init_node: node 0, pgdat c1710140, node_mem_map d7cff400
  DMA zone: 32 pages used for memmap
  DMA zone: 0 pages reserved
  DMA zone: 3840 pages, LIFO batch:0
  Normal zone: 736 pages used for memmap
  Normal zone: 90400 pages, LIFO batch:31
Using APIC driver default
ACPI: PM-Timer IO Port: 0x1008
ACPI: Local APIC address 0xfee00000
ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
ACPI: LAPIC (acpi_id[0x01] lapic_id[0x01] enabled)
ACPI: IOAPIC (id[0x00] address[0xfec00000] gsi_base[0])
IOAPIC[0]: apic_id 0, version 32, address 0xfec00000, GSI 0-23
ACPI: IOAPIC (id[0x01] address[0xbffff000] gsi_base[24])
IOAPIC[1]: apic_id 1, version 32, address 0xbffff000, GSI 24-47
ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 high level)
ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
ACPI: IRQ0 used by override.
ACPI: IRQ2 used by override.
ACPI: IRQ9 used by override.
Using ACPI (MADT) for SMP configuration information
ACPI: HPET id: 0x8086a201 base: 0xfed00000
SMP: Allowing 2 CPUs, 0 hotplug CPUs
nr_irqs_gsi: 64
Allocating PCI resources starting at 20000000 (gap: 20000000:dec00000)
setup_percpu: NR_CPUS:8 nr_cpumask_bits:8 nr_cpu_ids:2 nr_node_ids:1
PERCPU: Embedded 12 pages/cpu @d7a00000 s25216 r0 d23936 u1048576
pcpu-alloc: s25216 r0 d23936 u1048576 alloc=1*2097152
pcpu-alloc: [0] 0 1 
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 94240
Kernel command line: console=ttyS0,115200,y� ip=192.168.100.2 root=/dev/mmcblk0p5 nonpcpu cefdk=mango-1.8.10-g92828e8a 
PID hash table entries: 2048 (order: 1, 8192 bytes)
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Initializing CPU#0
allocated 1572352 bytes of page_cgroup
please try 'cgroup_disable=memory' option if you don't want memory cgroups
Initializing HighMem for node 0 (00000000:00000000)
Memory: 366844k/393216k available (5366k kernel code, 13188k reserved, 1891k data, 400k init, 0k highmem)
virtual kernel memory layout:
    fixmap  : 0xfff18000 - 0xfffff000   ( 924 kB)
    pkmap   : 0xffc00000 - 0xffe00000   (2048 kB)
    vmalloc : 0xd8800000 - 0xffbfe000   ( 627 MB)
    lowmem  : 0xc0000000 - 0xd8000000   ( 384 MB)
      .init : 0xc1717000 - 0xc177b000   ( 400 kB)
      .data : 0xc153d85d - 0xc1716800   (1891 kB)
      .text : 0xc1000000 - 0xc153d85d   (5366 kB)
Checking if this processor honours the WP bit even in supervisor mode...Ok.
SLUB: Genslabs=15, HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
Preemptable hierarchical RCU implementation.
	RCU-based detection of stalled CPUs is disabled.
	Verbose stalled-CPUs detection is disabled.
NR_IRQS:512
CPU 0 irqstacks, hard=d740c000 soft=d740e000
Extended CMOS year: 2000
Console: colour dummy device 80x25
console [ttyS0] enabled
hpet clockevent registered
Fast TSC calibration using PIT
Detected 1200.047 MHz processor.
Calibrating delay loop (skipped), value calculated using timer frequency.. 2400.09 BogoMIPS (lpj=4800188)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
Initializing cgroup subsys ns
ns_cgroup deprecated: consider using the 'clone_children' flag without the ns_cgroup.
Initializing cgroup subsys cpuacct
Initializing cgroup subsys memory
Initializing cgroup subsys devices
Initializing cgroup subsys freezer
Initializing cgroup subsys blkio
Initializing cgroup subsys perf_event
CPU: Physical Processor ID: 0
CPU: Processor Core ID: 0
mce: CPU supports 5 MCE banks
CPU0: Thermal monitoring enabled (TM1)
using mwait in idle threads.
ACPI: Core revision 20110316
Enabling APIC mode:  Flat.  Using 2 I/O APICs
..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
CPU0: Intel(R) Atom(TM) CPU  652   @ 1.20GHz stepping 08
Performance Events: PEBS fmt0+, generic architected perfmon, Intel PMU driver.
... version:                3
... bit width:              40
... generic registers:      2
... value mask:             000000ffffffffff
... max period:             000000007fffffff
... fixed-purpose events:   3
... event mask:             0000000700000003
CPU 1 irqstacks, hard=d7466000 soft=d7468000
Booting Node   0, Processors  #1 Ok.
smpboot cpu 1: start_ip = 3c000
Initializing CPU#1
Brought up 2 CPUs
Total of 2 processors activated (4800.02 BogoMIPS).
NET: Registered protocol family 16
ACPI: bus type pci registered
PCI: Using configuration type 1 for base access
pcimode=0x0
bio: create slab <bio-0> at 0
ACPI: EC: Look up EC in DSDT
ACPI: Interpreter enabled
ACPI: (supports S0 S3 S5)
ACPI: Using IOAPIC for interrupt routing
ACPI: No dock devices found.
PCI: Ignoring host bridge windows from ACPI; if necessary, use "pci=use_crs" and report a bug
ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-fe])
pci_root PNP0A08:00: host bridge window [io  0x0000-0x0cf7] (ignored)
pci_root PNP0A08:00: host bridge window [io  0x0d00-0xffff] (ignored)
pci_root PNP0A08:00: host bridge window [mem 0xfed40000-0xfed4bfff] (ignored)
pci 0000:00:00.0: [8086:0931] type 0 class 0x000600
pci 0000:00:00.1: [8086:2e58] type 0 class 0x000800
pci 0000:00:00.1: reg 10: [mem 0xbffff000-0xbfffffff]
pci 0000:00:00.2: [8086:2e52] type 0 class 0x000880
pci 0000:00:00.2: reg 10: [mem 0xbfffef00-0xbfffefff]
pci 0000:00:01.0: [8086:0700] type 1 class 0x000604
pci 0000:00:0e.0: [8086:0c82] type 0 class 0x000106
pci 0000:00:0e.0: reg 10: [io  0x8000-0x8007]
pci 0000:00:0e.0: reg 14: [io  0x8008-0x800b]
pci 0000:00:0e.0: reg 18: [io  0x8010-0x8017]
pci 0000:00:0e.0: reg 1c: [io  0x8018-0x801b]
pci 0000:00:0e.0: reg 20: [io  0x8020-0x803f]
pci 0000:00:0e.0: reg 24: [mem 0xbfffe000-0xbfffe7ff]
pci 0000:00:0e.0: PME# supported from D3hot
pci 0000:00:0e.0: PME# disabled
pci 0000:00:1c.0: [8086:0899] type 1 class 0x000604
pci 0000:00:1c.0: PME# supported from D0 D3hot D3cold
pci 0000:00:1c.0: PME# disabled
pci 0000:00:1c.1: [8086:089a] type 1 class 0x000604
pci 0000:00:1c.1: PME# supported from D0 D3hot D3cold
pci 0000:00:1c.1: PME# disabled
pci 0000:00:1e.0: [8086:08bc] type 0 class 0x000000
pci 0000:00:1e.0: reg 10: [io  0xb000-0xb00f]
pci 0000:00:1e.0: reg 14: [io  0xb040-0xb07f]
pci 0000:00:1e.0: reg 18: [io  0xb080-0xb09f]
pci 0000:00:1e.0: reg 1c: [io  0x03e8-0x03ef]
pci 0000:00:1e.0: reg 20: [io  0xb0c0-0xb0df]
pci 0000:00:1e.0: reg 24: [io  0xb100-0xb13f]
pci 0000:00:1f.0: [8086:8119] type 0 class 0x000601
pci 0000:01:00.0: [8086:0947] type 0 class 0x000280
pci 0000:01:00.0: reg 10: [mem 0xdffe8200-0xdffe83ff]
pci 0000:01:01.0: [8086:0947] type 0 class 0x000280
pci 0000:01:01.0: reg 10: [mem 0xdffe8400-0xdffe85ff]
pci 0000:01:04.0: [8086:2e5d] type 0 class 0x000480
pci 0000:01:04.0: reg 10: [mem 0xdf900000-0xdf91ffff]
pci 0000:01:05.0: [8086:0948] type 0 class 0x000280
pci 0000:01:05.0: reg 10: [mem 0xdffe8600-0xdffe87ff]
pci 0000:01:07.0: [8086:0956] type 0 class 0x000b40
pci 0000:01:07.0: reg 10: [mem 0xdf8c0000-0xdf8cffff]
pci 0000:01:09.0: [8086:2e64] type 0 class 0x001010
pci 0000:01:09.0: reg 10: [mem 0xdfc00000-0xdfcfffff]
pci 0000:01:09.0: reg 14: [mem 0xdf830000-0xdf83ffff]
pci 0000:01:0b.0: [8086:2e66] type 0 class 0x000700
pci 0000:01:0b.0: reg 10: [mem 0xdffe0200-0xdffe02ff]
pci 0000:01:0b.0: reg 14: [mem 0xdffe0300-0xdffe03ff]
pci 0000:01:0b.0: reg 18: [mem 0xdffe0b00-0xdffe0bff]
pci 0000:01:0b.1: [8086:2e67] type 0 class 0x00ff00
pci 0000:01:0b.1: reg 10: [mem 0xdffe0400-0xdffe04ff]
pci 0000:01:0b.2: [8086:2e68] type 0 class 0x00ff00
pci 0000:01:0b.2: reg 10: [mem 0xdffe0500-0xdffe05ff]
pci 0000:01:0b.2: reg 14: [mem 0xdffe0600-0xdffe06ff]
pci 0000:01:0b.2: reg 18: [mem 0xdffe0700-0xdffe07ff]
pci 0000:01:0b.2: reg 1c: [mem 0xdffe0e00-0xdffe0eff]
pci 0000:01:0b.3: [8086:2e69] type 0 class 0x000705
pci 0000:01:0b.3: reg 10: [mem 0xdffe0800-0xdffe08ff]
pci 0000:01:0b.3: reg 14: [mem 0xdffe0900-0xdffe09ff]
pci 0000:01:0b.5: [8086:2e6b] type 0 class 0x000480
pci 0000:01:0b.5: reg 10: [mem 0xdf970000-0xdf97ffff]
pci 0000:01:0b.6: [8086:089f] type 0 class 0x00ff00
pci 0000:01:0b.6: reg 10: [mem 0xdffe0f00-0xdffe0fff]
pci 0000:01:0b.7: [8086:2e6d] type 0 class 0x00ff00
pci 0000:01:0b.7: reg 10: [mem 0xdf8f0000-0xdf8fffff]
pci 0000:01:0c.0: [8086:2e6e] type 0 class 0x000200
pci 0000:01:0c.0: reg 10: [mem 0xdf860000-0xdf87ffff]
pci 0000:01:0c.0: reg 14: [mem 0xdffe0d00-0xdffe0dff]
pci 0000:01:0c.1: [8086:2e6f] type 0 class 0x00ff00
pci 0000:01:0c.1: reg 10: [mem 0xdffe1000-0xdffe13ff]
pci 0000:01:0d.0: [192e:0101] type 0 class 0x000c03
pci 0000:01:0d.0: reg 10: [mem 0xdf810100-0xdf8101ff]
pci 0000:01:0d.0: reg 14: [mem 0xdf810000-0xdf8100ff]
pci 0000:01:0d.0: reg 18: [mem 0xdf818000-0xdf8180ff]
pci 0000:01:0d.0: reg 1c: [mem 0xdf810200-0xdf8102ff]
pci 0000:01:0d.1: [192e:0101] type 0 class 0x000c03
pci 0000:01:0d.1: reg 10: [mem 0xdf820100-0xdf8201ff]
pci 0000:01:0d.1: reg 14: [mem 0xdf820000-0xdf8200ff]
pci 0000:01:0d.1: reg 18: [mem 0xdf828000-0xdf8280ff]
pci 0000:01:0d.1: reg 1c: [mem 0xdf820200-0xdf8202ff]
pci 0000:01:0d.2: [192e:0101] type 0 class 0x000c03
pci 0000:01:0d.2: reg 10: [mem 0xdf880100-0xdf8801ff]
pci 0000:01:0d.2: reg 14: [mem 0xdf880000-0xdf8800ff]
pci 0000:01:0d.2: reg 18: [mem 0xdf888000-0xdf8880ff]
pci 0000:01:0d.2: reg 1c: [mem 0xdf880200-0xdf8802ff]
pci 0000:01:0e.0: [8086:0949] type 0 class 0x000880
pci 0000:01:0e.0: reg 10: [mem 0xdffe1800-0xdffe1fff]
pci 0000:01:0f.0: [8086:094a] type 0 class 0x000880
pci 0000:01:0f.0: reg 10: [mem 0xdffe1400-0xdffe14ff]
pci 0000:01:10.0: [8086:0702] type 0 class 0x001010
pci 0000:01:10.0: reg 10: [mem 0xdf940000-0xdf94ffff]
pci 0000:01:10.0: reg 14: [mem 0xd0000000-0xd3ffffff]
pci 0000:01:10.0: reg 18: [mem 0xd4000000-0xd7ffffff]
pci 0000:01:14.0: [8086:0705] type 0 class 0x000480
pci 0000:01:14.0: reg 10: [mem 0xdfe00000-0xdfefffff]
pci 0000:01:17.0: [8086:08a0] type 0 class 0x000501
pci 0000:01:17.0: reg 10: [mem 0xdffe0100-0xdffe01ff]
pci 0000:01:17.0: reg 14: [mem 0xd8000000-0xdbffffff]
pci 0000:01:17.0: reg 18: [mem 0xdffe0000-0xdffe00ff]
pci 0000:01:1b.0: [8086:070b] type 0 class 0x000805
pci 0000:01:1b.0: reg 10: [mem 0xdff00000-0xdff000ff]
pci 0000:01:1b.0: reg 14: [mem 0xdff00100-0xdff001ff]
pci 0000:01:1c.0: [8086:0957] type 0 class 0x000280
pci 0000:01:1c.0: reg 10: [mem 0xdff01000-0xdff01fff]
pci 0000:01:1d.0: [8086:08bd] type 0 class 0x000280
pci 0000:01:1d.0: reg 10: [mem 0xdf9c0000-0xdf9fffff]
pci 0000:01:1e.0: [8086:08be] type 0 class 0x000280
pci 0000:01:1e.0: reg 10: [mem 0xdf700000-0xdf7fffff]
pci 0000:01:1f.0: [8086:0946] type 0 class 0x000280
pci 0000:01:1f.0: reg 10: [mem 0xc8000000-0xcfffffff]
pci 0000:00:01.0: PCI bridge to [bus 01-01] (subtractive decode)
pci 0000:00:01.0:   bridge window [io  0xf000-0x0000] (disabled)
pci 0000:00:01.0:   bridge window [mem 0xc0000000-0xdfffffff]
pci 0000:00:01.0:   bridge window [mem 0x00f00000-0x000fffff pref] (disabled)
pci 0000:00:01.0:   bridge window [io  0x0000-0xffff] (subtractive decode)
pci 0000:00:01.0:   bridge window [mem 0x00000000-0xfffffffff] (subtractive decode)
pci 0000:02:00.0: [168c:0030] type 0 class 0x000280
pci 0000:02:00.0: reg 10: [mem 0xbfee0000-0xbfefffff 64bit]
pci 0000:02:00.0: reg 30: [mem 0xbfbf0000-0xbfbfffff pref]
pci 0000:02:00.0: supports D1
pci 0000:02:00.0: PME# supported from D0 D1 D3hot
pci 0000:02:00.0: PME# disabled
pci 0000:00:1c.0: PCI bridge to [bus 02-02]
pci 0000:00:1c.0:   bridge window [io  0x9000-0x9fff]
pci 0000:00:1c.0:   bridge window [mem 0xbfe00000-0xbfefffff]
pci 0000:00:1c.0:   bridge window [mem 0xbfb00000-0xbfbfffff 64bit pref]
pci 0000:03:00.0: [168c:003c] type 0 class 0x000280
pci 0000:03:00.0: reg 10: [mem 0xbfc00000-0xbfdfffff 64bit]
pci 0000:03:00.0: reg 30: [mem 0xbfaf0000-0xbfafffff pref]
pci 0000:03:00.0: supports D1
pci 0000:03:00.0: PME# supported from D0 D1 D3hot
pci 0000:03:00.0: PME# disabled
pci 0000:00:1c.1: PCI bridge to [bus 03-03]
pci 0000:00:1c.1:   bridge window [io  0xa000-0xafff]
pci 0000:00:1c.1:   bridge window [mem 0xbfc00000-0xbfdfffff]
pci 0000:00:1c.1:   bridge window [mem 0xbfa00000-0xbfafffff 64bit pref]
pci_bus 0000:00: on NUMA node 0
ACPI: PCI Interrupt Routing Table [\_SB_.PCI0._PRT]
ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.PCI1._PRT]
ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.PEX0._PRT]
ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.PEX1._PRT]
ACPI: PCI Interrupt Link [LSAT] (IRQs *47)
ACPI: PCI Interrupt Link [LUSB] (IRQs *46)
ACPI: PCI Interrupt Link [LGBE] (IRQs *45)
ACPI: PCI Interrupt Link [LUAR] (IRQs *38)
ACPI: PCI Interrupt Link [LDOS] (IRQs *24)
ACPI: PCI Interrupt Link [LGPA] (IRQs *25)
ACPI: PCI Interrupt Link [LEPU] (IRQs *25)
ACPI: PCI Interrupt Link [LHVE] (IRQs *25)
ACPI: PCI Interrupt Link [LAVC] (IRQs *44)
ACPI: PCI Interrupt Link [LHDR] (IRQs *44)
ACPI: PCI Interrupt Link [LGPB] (IRQs *26)
ACPI: PCI Interrupt Link [LCRS] (IRQs *27)
ACPI: PCI Interrupt Link [LTSP] (IRQs *28)
ACPI: PCI Interrupt Link [LTSD] (IRQs *29)
ACPI: PCI Interrupt Link [LWTG] (IRQs *42)
ACPI: PCI Interrupt Link [LLW0] (IRQs *30)
ACPI: PCI Interrupt Link [LLW1] (IRQs *31)
ACPI: PCI Interrupt Link [LL2W] (IRQs *32)
ACPI: PCI Interrupt Link [LDSD] (IRQs *33)
ACPI: PCI Interrupt Link [LMOC] (IRQs *34)
ACPI: PCI Interrupt Link [LMTX] (IRQs *35)
ACPI: PCI Interrupt Link [LSEC] (IRQs *36)
ACPI: PCI Interrupt Link [LMMC] (IRQs *37)
ACPI: PCI Interrupt Link [LIDL] (IRQs *39)
ACPI: PCI Interrupt Link [LPWM] (IRQs *39)
ACPI: PCI Interrupt Link [LI2C] (IRQs *40)
ACPI: PCI Interrupt Link [LPNT] (IRQs *41)
ACPI: PCI Interrupt Link [LAEP] (IRQs *44)
ACPI: PCI Interrupt Link [LWAN] (IRQs *33)
ACPI: PCI Interrupt Link [LMPD] (IRQs *43)
ACPI: PCI Interrupt Link [LNKA] (IRQs *4 5 6 7 9 10 11 12 14 15)
ACPI: PCI Interrupt Link [LNKB] (IRQs *4 5 6 7 9 10 11 12 14 15)
ACPI: PCI Interrupt Link [LNKC] (IRQs *4 5 6 7 9 10 11 12 14 15)
ACPI: PCI Interrupt Link [LNKD] (IRQs *4 5 6 7 9 10 11 12 14 15)
vgaarb: loaded
SCSI subsystem initialized
libata version 3.00 loaded.
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
PCI: Using ACPI for IRQ routing
PCI: pci_cache_line_size set to 64 bytes
reserve RAM buffer: 0000000007400000 - 0000000007ffffff 
ACPI: PCI Interrupt Link [LMTX] enabled at IRQ 35
ce-hw-mutex 0000:01:0e.0: PCI INT A -> Link[LMTX] -> GSI 35 (level, high) -> IRQ 35
mem_iobase = 0xdffe1800, mem_iosize = 0x800
pmaster 0xd759c700 mem_base 0xdffe1800, io_size 0x800,irq_num 35, reg_base 0xd8810800
Intel(R) HW MUTEX driver built on Nov 18 2021 @ 01:32:33
ACPI: PCI Interrupt Link [LDOS] enabled at IRQ 24
mailbox driver 0000:01:1f.0: PCI INT A -> Link[LDOS] -> GSI 24 (edge, high) -> IRQ 24
Intel(R) NPCPU <-> APPCPU Event Mailbox Device Driver built on Nov 18 2021 @ 01:30:19
enable IRQ #24 for device named ce_mailbox
Switching to clocksource hpet
pnp: PnP ACPI init
ACPI: bus type pnp registered
pnp 00:00: [irq 0 disabled]
pnp 00:00: [irq 8]
pnp 00:00: [mem 0xfed00000-0xfed003ff]
pnp 00:00: Plug and Play ACPI device, IDs PNP0103 (active)
pnp 00:01: [bus 00-fe]
pnp 00:01: [io  0x0000-0x0cf7 window]
pnp 00:01: [io  0x0d00-0xffff window]
pnp 00:01: [io  0x0cf8-0x0cff]
pnp 00:01: [mem 0xfed40000-0xfed4bfff window]
pnp 00:01: Plug and Play ACPI device, IDs PNP0a08 PNP0a03 (active)
pnp: PnP ACPI: found 2 devices
ACPI: ACPI bus type pnp unregistered
pci 0000:00:01.0: PCI bridge to [bus 01-01]
pci 0000:00:01.0:   bridge window [io  disabled]
pci 0000:00:01.0:   bridge window [mem 0xc0000000-0xdfffffff]
pci 0000:00:01.0:   bridge window [mem pref disabled]
pci 0000:00:1c.0: PCI bridge to [bus 02-02]
pci 0000:00:1c.0:   bridge window [io  0x9000-0x9fff]
pci 0000:00:1c.0:   bridge window [mem 0xbfe00000-0xbfefffff]
pci 0000:00:1c.0:   bridge window [mem 0xbfb00000-0xbfbfffff 64bit pref]
pci 0000:00:1c.1: PCI bridge to [bus 03-03]
pci 0000:00:1c.1:   bridge window [io  0xa000-0xafff]
pci 0000:00:1c.1:   bridge window [mem 0xbfc00000-0xbfdfffff]
pci 0000:00:1c.1:   bridge window [mem 0xbfa00000-0xbfafffff 64bit pref]
pci 0000:00:01.0: setting latency timer to 64
pci 0000:00:1c.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16
pci 0000:00:1c.0: setting latency timer to 64
pci 0000:00:1c.1: PCI INT B -> GSI 17 (level, low) -> IRQ 17
pci 0000:00:1c.1: setting latency timer to 64
pci_bus 0000:00: resource 0 [io  0x0000-0xffff]
pci_bus 0000:00: resource 1 [mem 0x00000000-0xfffffffff]
pci_bus 0000:01: resource 1 [mem 0xc0000000-0xdfffffff]
pci_bus 0000:01: resource 4 [io  0x0000-0xffff]
pci_bus 0000:01: resource 5 [mem 0x00000000-0xfffffffff]
pci_bus 0000:02: resource 0 [io  0x9000-0x9fff]
pci_bus 0000:02: resource 1 [mem 0xbfe00000-0xbfefffff]
pci_bus 0000:02: resource 2 [mem 0xbfb00000-0xbfbfffff 64bit pref]
pci_bus 0000:03: resource 0 [io  0xa000-0xafff]
pci_bus 0000:03: resource 1 [mem 0xbfc00000-0xbfdfffff]
pci_bus 0000:03: resource 2 [mem 0xbfa00000-0xbfafffff 64bit pref]
NET: Registered protocol family 2
IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
TCP established hash table entries: 16384 (order: 5, 131072 bytes)
TCP bind hash table entries: 16384 (order: 5, 131072 bytes)
TCP: Hash tables configured (established 16384 bind 16384)
TCP reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
PCI: CLS 0 bytes, default 64
platform rtc_cmos: registered platform RTC device (no PNP device found)
microcode: CPU0 sig=0x30658, pf=0x40, revision=0x4
microcode: CPU1 sig=0x30658, pf=0x40, revision=0x4
microcode: Microcode Update Driver: v2.00 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
fuse init (API version 7.16)
msgmni has been set to 716
alg: No test for stdrng (krng)
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 2 ports, IRQ sharing enabled
serial8250: ttyS0 at I/O 0x3f8 (irq = 38) is a GEN3_serial
serial8250: ttyS1 at I/O 0x2f8 (irq = 38) is a GEN3_serial
ACPI: PCI Interrupt Link [LUAR] enabled at IRQ 38
serial 0000:01:0b.0: PCI INT A -> Link[LUAR] -> GSI 38 (level, high) -> IRQ 38
serial 0000:01:0b.0: PCI INT A disabled
This is atom only reboot
ACPI: PCI Interrupt Link [LAEP] enabled at IRQ 44
intelce_aep 0000:01:07.0: PCI INT A -> Link[LAEP] -> GSI 44 (level, high) -> IRQ 44
Trying to free nonexistent resource <00000000df8c0000-00000000df8cffff>
intelce_aep 0000:01:07.0: PCI INT A disabled
intelce_aep: probe of 0000:01:07.0 failed with error -1
toshiba: not a supported Toshiba laptop
Linux agpgart interface v0.103
[drm] Initialized drm 1.1.0 20060810
brd: module loaded
loop: module loaded
ACPI: PCI Interrupt Link [LPNT] enabled at IRQ 41
p_unit_access_drv 0000:00:1e.0: PCI INT A -> Link[LPNT] -> GSI 41 (edge, high) -> IRQ 41
SCSI Media Changer driver v0.25 
ahci 0000:00:0e.0: version 3.0
ACPI: PCI Interrupt Link [LSAT] enabled at IRQ 47
ahci 0000:00:0e.0: PCI INT A -> Link[LSAT] -> GSI 47 (level, high) -> IRQ 47
ahci 0000:00:0e.0: irq 64 for MSI/MSI-X
ahci 0000:00:0e.0: forcing PORTS_IMPL to 0x3
ahci: SSS flag set, parallel bus scan disabled
ahci 0000:00:0e.0: AHCI 0001.0300 32 slots 2 ports 3 Gbps 0x3 impl SATA mode
ahci 0000:00:0e.0: flags: 64bit ncq sntf ilck stag pm led clo pmp pio slum part ems apst 
ahci 0000:00:0e.0: setting latency timer to 64
scsi0 : ahci
scsi1 : ahci
ata1: SATA max UDMA/133 abar m2048@0xbfffe000 port 0xbfffe100 irq 64
ata2: SATA max UDMA/133 abar m2048@0xbfffe000 port 0xbfffe180 irq 64
physmap platform flash device: 08000000 at c0000000
physmap-flash physmap-flash.0: map_probe failed
Intel(R) SPI FLASH CONTROLLER Driver built on Nov 18 2021 @ 01:31:42
ce5xx-spi-flash 0000:01:17.0: csr iobase 0xdffe0100, iosize 0x100 , mapped to 0xd881c100
ce5xx-spi-flash 0000:01:17.0: mem iobase 0xd8000000, iosize 0x4000000 , mapped to 0xd8900000
ce5xx-spi-flash 0000:01:17.0: can't setup spi1.0, status -19
ce5xx-spi-flash 0000:01:17.0: can't create new device for nmyx25
e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
e1000: Copyright (c) 1999-2006 Intel Corporation.
ACPI: PCI Interrupt Link [LGBE] enabled at IRQ 45
e1000 0000:01:0c.0: PCI INT A -> Link[LGBE] -> GSI 45 (level, high) -> IRQ 45
e1000 0000:01:0c.0: setting latency timer to 64
GMUX setting: GMAC0 is connected to internal switch (RGMII0)
GBE working in Internal Fake Phy Mode
e1000 0000:01:0c.0: eth0: (PCI:33MHz:32-bit) 00:05:ca:44:55:66
e1000 0000:01:0c.0: eth0: Intel(R) PRO/1000 Network Connection
e1000e: Intel(R) PRO/1000 Network Driver - 1.3.10-k2
e1000e: Copyright(c) 1999 - 2011 Intel Corporation.
udma -  Intel (R) UDMA Driver - 1.0.0

udma -  Copyright (c) 2012 Intel Corperation. 

ACPI: PCI Interrupt Link [LLW0] enabled at IRQ 30
udma 0000:01:00.0: PCI INT A -> Link[LLW0] -> GSI 30 (level, high) -> IRQ 30
Intel(R) UDMA Port 0 Device Driver Init Done 
ACPI: PCI Interrupt Link [LLW1] enabled at IRQ 31
udma 0000:01:01.0: PCI INT A -> Link[LLW1] -> GSI 31 (level, high) -> IRQ 31
Intel(R) UDMA Port 1 Device Driver Init Done 
eth_udma0: Features changed: 0x00004800 -> 0x00004000
eth_udma1: Features changed: 0x00004800 -> 0x00004000
UDMA Network Device Driver init 
ixgbe: Intel(R) 10 Gigabit PCI Express Network Driver - version 3.2.9-k2
ixgbe: Copyright (c) 1999-2011 Intel Corporation.
ixgb: Intel(R) PRO/10GbE Network Driver - version 1.0.135-k2-NAPI
ixgb: Copyright (c) 1999-2008 Intel Corporation.
e100: Intel(R) PRO/100 Network Driver, 3.5.24-k2-NAPI
e100: Copyright(c) 1999-2006 Intel Corporation
usbcore: registered new interface driver cdc_ether
usbcore: registered new interface driver cdc_eem
usbcore: registered new interface driver cdc_subset
cdc_ncm: 23-Apr-2011
usbcore: registered new interface driver cdc_ncm
ACPI: PCI Interrupt Link [LL2W] enabled at IRQ 32
uio_ce2600 0000:01:1d.0: PCI INT A -> Link[LL2W] -> GSI 32 (level, high) -> IRQ 32
ACPI: PCI Interrupt Link [LMOC] enabled at IRQ 34
uio_ce2600 0000:01:1e.0: PCI INT A -> Link[LMOC] -> GSI 34 (level, high) -> IRQ 34
usbmon: debugfs is not available
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci_hcd: block sizes: qh 64 qtd 96 itd 160 sitd 96
ACPI: PCI Interrupt Link [LUSB] enabled at IRQ 46
ehci_hcd 0000:01:0d.0: PCI INT A -> Link[LUSB] -> GSI 46 (level, high) -> IRQ 46
ehci_hcd 0000:01:0d.0: setting latency timer to 64
ehci_hcd 0000:01:0d.0: EHCI Host Controller
drivers/usb/core/inode.c: creating file 'devices'
drivers/usb/core/inode.c: creating file '001'
ehci_hcd 0000:01:0d.0: new USB bus registered, assigned bus number 1
ehci_hcd 0000:01:0d.0: reset hcs_params 0x10011 dbg=0 ind cc=0 pcc=0 ordered ports=1
ehci_hcd 0000:01:0d.0: reset hcc_params 60006 thresh 0 uframes 256/512/1024 park LPM ppce
ehci_hcd 0000:01:0d.0: enable per-port change event
ehci_hcd 0000:01:0d.0: park 0
ehci_hcd 0000:01:0d.0: support lpm
ehci_hcd 0000:01:0d.0: reset command 0080b02  park=3 ithresh=8 period=1024 Reset HALT
ehci_hcd 0000:01:0d.0: ...powerup ports...
ehci_hcd 0000:01:0d.0: cache line size of 64 is not supported
ehci_hcd 0000:01:0d.0: supports USB remote wakeup
ehci_hcd 0000:01:0d.0: irq 46, io mem 0xdf810100
ehci_hcd 0000:01:0d.0: init command 0018005  PPCEE(park)=0 ithresh=1 period=512 RUN
ehci_hcd 0000:01:0d.0: USB 0.0 started, EHCI 1.10
usb usb1: default language 0x0409
usb usb1: udev 1, busnum 1, minor = 0
usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb1: Product: EHCI Host Controller
usb usb1: Manufacturer: Linux 2.6.39 ehci_hcd
usb usb1: SerialNumber: 0000:01:0d.0
usb usb1: usb_probe_device
usb usb1: configuration #1 chosen from 1 choice
usb usb1: adding 1-0:1.0 (config #1, interface 0)
hub 1-0:1.0: usb_probe_interface
hub 1-0:1.0: usb_probe_interface - got id
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
hub 1-0:1.0: standalone hub
hub 1-0:1.0: individual port power switching
hub 1-0:1.0: individual port over-current protection
hub 1-0:1.0: Single TT
hub 1-0:1.0: TT requires at most 8 FS bit times (666 ns)
hub 1-0:1.0: power on to power good time: 20ms
hub 1-0:1.0: local power source is good
hub 1-0:1.0: enabling power on all ports
drivers/usb/core/inode.c: creating file '001'
ehci_hcd 0000:01:0d.1: PCI INT A -> Link[LUSB] -> GSI 46 (level, high) -> IRQ 46
ehci_hcd 0000:01:0d.1: setting latency timer to 64
ehci_hcd 0000:01:0d.1: EHCI Host Controller
drivers/usb/core/inode.c: creating file '002'
ehci_hcd 0000:01:0d.1: new USB bus registered, assigned bus number 2
ehci_hcd 0000:01:0d.1: reset hcs_params 0x10011 dbg=0 ind cc=0 pcc=0 ordered ports=1
ehci_hcd 0000:01:0d.1: reset hcc_params 60006 thresh 0 uframes 256/512/1024 park LPM ppce
ehci_hcd 0000:01:0d.1: enable per-port change event
ehci_hcd 0000:01:0d.1: park 0
ehci_hcd 0000:01:0d.1: support lpm
ehci_hcd 0000:01:0d.1: reset command 0080b02  park=3 ithresh=8 period=1024 Reset HALT
ehci_hcd 0000:01:0d.1: ...powerup ports...
ehci_hcd 0000:01:0d.1: cache line size of 64 is not supported
ehci_hcd 0000:01:0d.1: supports USB remote wakeup
ehci_hcd 0000:01:0d.1: irq 46, io mem 0xdf820100
ehci_hcd 0000:01:0d.1: init command 0018005  PPCEE(park)=0 ithresh=1 period=512 RUN
ehci_hcd 0000:01:0d.1: USB 0.0 started, EHCI 1.10
usb usb2: default language 0x0409
usb usb2: udev 1, busnum 2, minor = 128
usb usb2: New USB device found, idVendor=1d6b, idProduct=0002
usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb2: Product: EHCI Host Controller
usb usb2: Manufacturer: Linux 2.6.39 ehci_hcd
usb usb2: SerialNumber: 0000:01:0d.1
usb usb2: usb_probe_device
usb usb2: configuration #1 chosen from 1 choice
usb usb2: adding 2-0:1.0 (config #1, interface 0)
hub 2-0:1.0: usb_probe_interface
hub 2-0:1.0: usb_probe_interface - got id
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
hub 2-0:1.0: standalone hub
hub 2-0:1.0: individual port power switching
hub 2-0:1.0: individual port over-current protection
hub 2-0:1.0: Single TT
hub 2-0:1.0: TT requires at most 8 FS bit times (666 ns)
hub 2-0:1.0: power on to power good time: 20ms
hub 2-0:1.0: local power source is good
hub 2-0:1.0: enabling power on all ports
drivers/usb/core/inode.c: creating file '001'
ehci_hcd 0000:01:0d.2: PCI INT A -> Link[LUSB] -> GSI 46 (level, high) -> IRQ 46
ehci_hcd 0000:01:0d.2: setting latency timer to 64
ehci_hcd 0000:01:0d.2: EHCI Host Controller
drivers/usb/core/inode.c: creating file '003'
ehci_hcd 0000:01:0d.2: new USB bus registered, assigned bus number 3
ehci_hcd 0000:01:0d.2: reset hcs_params 0x10011 dbg=0 ind cc=0 pcc=0 ordered ports=1
ehci_hcd 0000:01:0d.2: reset hcc_params 60006 thresh 0 uframes 256/512/1024 park LPM ppce
ehci_hcd 0000:01:0d.2: enable per-port change event
ehci_hcd 0000:01:0d.2: park 0
ehci_hcd 0000:01:0d.2: support lpm
ehci_hcd 0000:01:0d.2: reset command 0080b02  park=3 ithresh=8 period=1024 Reset HALT
ehci_hcd 0000:01:0d.2: ...powerup ports...
ehci_hcd 0000:01:0d.2: cache line size of 64 is not supported
ehci_hcd 0000:01:0d.2: supports USB remote wakeup
ehci_hcd 0000:01:0d.2: irq 46, io mem 0xdf880100
ehci_hcd 0000:01:0d.2: init command 0018005  PPCEE(park)=0 ithresh=1 period=512 RUN
ehci_hcd 0000:01:0d.2: USB 0.0 started, EHCI 1.10
usb usb3: default language 0x0409
usb usb3: udev 1, busnum 3, minor = 256
usb usb3: New USB device found, idVendor=1d6b, idProduct=0002
usb usb3: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb3: Product: EHCI Host Controller
usb usb3: Manufacturer: Linux 2.6.39 ehci_hcd
usb usb3: SerialNumber: 0000:01:0d.2
usb usb3: usb_probe_device
usb usb3: configuration #1 chosen from 1 choice
usb usb3: adding 3-0:1.0 (config #1, interface 0)
hub 3-0:1.0: usb_probe_interface
hub 3-0:1.0: usb_probe_interface - got id
hub 3-0:1.0: USB hub found
hub 3-0:1.0: 1 port detected
hub 3-0:1.0: standalone hub
hub 3-0:1.0: individual port power switching
hub 3-0:1.0: individual port over-current protection
hub 3-0:1.0: Single TT
hub 3-0:1.0: TT requires at most 8 FS bit times (666 ns)
hub 3-0:1.0: power on to power good time: 20ms
hub 3-0:1.0: local power source is good
hub 3-0:1.0: enabling power on all ports
drivers/usb/core/inode.c: creating file '001'
usbcore: registered new interface driver cdc_acm
cdc_acm: v0.26:USB Abstract Control Model driver for USB modems and ISDN adapters
usbcore: registered new interface driver usblp
usbcore: registered new interface driver cdc_wdm
usbcore: registered new interface driver usbtmc
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
usbserial: USB Serial Driver core
USB Serial support registered for FTDI USB Serial Device
usbcore: registered new interface driver ftdi_sio
ftdi_sio: v1.6.0:USB FTDI Serial Converters Driver
i8042: PNP: No PS/2 controller found. Probing ports directly.
i8042: No controller found
hub 1-0:1.0: state 7 ports 1 chg 0000 evt 0000
mousedev: PS/2 mouse device common for all mice
rtc_cmos rtc_cmos: RTC can wake from S4
hub 2-0:1.0: state 7 ports 1 chg 0000 evt 0000
rtc_cmos rtc_cmos: rtc core: registered rtc_cmos as rtc0
rtc0: alarms up to one month, y3k, 114 bytes nvram, hpet irqs
cpuidle: using governor ladder
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
sdhci-pci 0000:01:1b.0: SDHCI controller found [8086:070b] (rev 4)
ACPI: PCI Interrupt Link [LMMC] enabled at IRQ 37
sdhci-pci 0000:01:1b.0: PCI INT A -> Link[LMMC] -> GSI 37 (level, high) -> IRQ 37
sdhci-pci 0000:01:1b.0: setting latency timer to 64
Registered led device: mmc0::
ata1: SATA link down (SStatus 0 SControl 300)
mmc0: SDHCI controller on PCI [0000:01:1b.0] using ADMA
hub 3-0:1.0: state 7 ports 1 chg 0000 evt 0000
mmc0: new high speed MMC card at address 0001
mmcblk0: mmc0:0001 MMC128 112 MiB 
mmcblk0: detected capacity change from 0 to 117833728
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
oprofile: using NMI interrupt.
TCP cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 10
Mobile IPv6
IPv6 over IPv4 tunneling driver
sit0: Features changed: 0x00007800 -> 0x00007000
ip6tnl0: Features changed: 0x00006800 -> 0x00006000
NET: Registered protocol family 17
NET: Registered protocol family 15
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
sctp: Hash tables configured (established 16384 bind 16384)
 mmcblk0: p1 p2 p3 p4 < p5 p6 p7 p8 p9 p10 p11 p12 p13 >
lib80211: common routines for IEEE802.11 drivers
lib80211_crypt: registered algorithm 'NULL'
lib80211_crypt: registered algorithm 'WEP'
lib80211_crypt: registered algorithm 'CCMP'
lib80211_crypt: registered algorithm 'TKIP'
Registering the dns_resolver key type
Using IPI No-Shortcut mode
mmcblk0: p13 size 34816 extends beyond EOD, truncated
rtc_cmos rtc_cmos: setting system clock to 2000-01-01 00:00:05 UTC (946684805)
ata2: SATA link down (SStatus 0 SControl 300)
Refined TSC clocksource calibration: 1200.000 MHz.
Switching to clocksource tsc
ADDRCONF(NETDEV_UP): eth0: link is not ready
8021q: adding VLAN 0 to HW filter on device eth0
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
IP-Config: Guessing netmask 255.255.255.0
IP-Config: Complete:
     device=eth0, addr=192.168.100.2, mask=255.255.255.0, gw=255.255.255.255,
     host=192.168.100.2, domain=, nis-domain=(none),
     bootserver=255.255.255.255, rootserver=255.255.255.255, rootpath=
VFS: Mounted root (squashfs filesystem) readonly on device 179:5.
Freeing unused kernel memory: 400k freed
PAL driver init...
Device: CE2600 
Stepping: D0 
platform_config init complete! (build Nov 18 2021)
devmem list is sorted and considated as:
	base: 0x07400000 size: 0x00b80000 access: 0x00000001
	base: 0x07f80000 size: 0x00030000 access: 0x00000000
	base: 0x07fb0000 size: 0x00002000 access: 0x00000001
devmem load sucessfully. major num is 249.
 ESS OSAL release - Built on Nov 18 2021 at 02:01:17.
thermal init complete! (build Nov 18 2021)
major number =248
intelce_gpio 0000:01:0b.1: CE2600 GPIO controller detected.
ACPI: PCI Interrupt Link [LIDL] enabled at IRQ 39
intelce_gpio 0000:01:0b.1: PCI INT B -> Link[LIDL] -> GSI 39 (level, high) -> IRQ 39
usbcore: registered new interface driver snd-usb-audio
SVEN init:Nov 18 2021 02:16:46
sven_open_header(): 328: SVEN Header Initialized d88a2000@07fb0000:00001000, circbuf dca80000@07500000:00100000 dis:ffffffff
sven_init_dfx_support(): 302: SVEN DFX Enabled @df8f0000:00010000 wpos:0
pwm 0000:01:0b.6: PCI INT B -> Link[LIDL] -> GSI 39 (level, high) -> IRQ 39
pwm 0000:01:0b.6: 2 channels
intelce watchdog: Intel CE2600 WatchDog Timer Driver v0.1
ACPI: PCI Interrupt Link [LWTG] enabled at IRQ 42
intelce watchdog 0000:01:0f.0: PCI INT A -> Link[LWTG] -> GSI 42 (level, high) -> IRQ 42
intelce watchdog: initialized (0xd88dc400). heartbeat=30 sec (nowayout=0)
Running firmware is the latest one.
kjournald starting.  Commit interval 5 seconds
EXT3-fs (mmcblk0p6): using internal journal
EXT3-fs (mmcblk0p6): mounted filesystem with journal data mode
Change reboot to atom only reboot
npcpu_appcpu_mbx driver open ref 1
npcpu_appcpu_mbx driver close ref 0
ADDRCONF(NETDEV_UP): eth0: link is not ready
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
8021q: adding VLAN 0 to HW filter on device eth0
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
mem_manager: module license 'unspecified' taints kernel.
Disabling lock debugging due to kernel taint
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
ath_spectral: Version 2.0.0
Copyright (c) 2005-2009 Atheros Communications, Inc. All Rights Reserved
ath_hal: 0.9.17.1 (AR5416, AR9380, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
ath_tx99: Version 2.0
Copyright (c) 2010 Atheros Communications, Inc, All Rights Reserved
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
ath_da_pci:  (Atheros/multi-bss)
ath_da_pci 0000:02:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16
ath_da_pci 0000:02:00.0: setting latency timer to 64
ath_pci_probe num_radios=0, wifi_radios[0].sc = d6c70440 wifi_radio_type = 1
__ath_attach: Set global_scn[0]
*** All the minfree values should be <= ATH_TXBUF-32, otherwise default value will be used instead ***
ACBKMinfree = 48
ACBEMinfree = 32
ACVIMinfree = 16
ACVOMinfree = 0
CABMinfree = 48
UAPSDMinfree = 0
ATH_TXBUF=1536
Atheros device id: 0x30
Restoring Cal data from FS
qdf_fs_read[59], Open File /nvram/caldata SUCCESS!!file system magic:61267super blocksize:1024inode 21file size:5184
ART Version : 40.117
SW Image Version : 0.45.-10.339.7
Board Revision : ntro 
ar9300_attach: nf_2_nom -110 nf_2_max -60 nf_2_min -125 
SPECTRAL : get_capability not registered
HAL_CAP_PHYDIAG : Capable
SPECTRAL : Need to fix the capablity check for RADAR (spectral_attach : 237)
SPECTRAL : get_capability not registered
HAL_CAP_RADAR   : Capable
SPECTRAL : Need to fix the capablity check for SPECTRAL
 (spectral_attach : 242)
SPECTRAL : get_capability not registered
HAL_CAP_SPECTRAL_SCAN : Capable
SPECTRAL : get_tsf64 not registered
spectral_init_netlink 78 NULL SKB
SPECTRAL : No ADVANCED SPECTRAL SUPPORT
SPECTRAL :----- module attached
Green-AP : Green-AP : Attached

ath_get_caps[6165] rx chainmask mismatch actual 7 sc_chainmak 0
ath_get_caps[6140] tx chainmask mismatch actual 7 sc_chainmak 0
band steering initialized for direct attach hardware 
ieee80211_bsteering_attach: Band steering initialized
acfg_attach: 2961: Netlink socket created:d77f3a00
ath_attach_dfs[12667] dfsdomain 1
dfs_attach: event log enabled by default
SPECTRAL : module already attached
ath_attach: Set global_ic[1]..gloabl_ic ptr:dce6a000
osif_wrap_attach:443 osif wrap attached
osif_wrap_devt_init:404 osif wrap dev table init done
 Wrap Attached: Wrap_com =d64ff400 ic->ic_wrap_com=d64ff400 &wrap_com->wc_devt=d64ff400 
ath_tx_paprd_init sc d6c98000 PAPRD disabled in HAL
__ath_attach : Interrupt WA timer is enabled
ath_da_pci 0000:02:00.0: wifi0: Features changed: 0x00004800 -> 0x00004000
wifi0: Atheros 9380: mem=0xbfee0000, irq=16 hw_base=0xdd140000
ath_ol_pci:  (Atheros/multi-bss)
hif_pci_enable_bus: con_mode = 0x0, device_id = 0x3c
ath_ol_pci 0000:03:00.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17
ath_ol_pci 0000:03:00.0: setting latency timer to 64
hif_pci_enable_bus: hif_enable_pci donehif_pci_enable_bus: hif_type = 0x6, target_type = 0x7hif_pci_enable_bus: hif_pci_probe_tgt_wakeup donehif_configure_irq: Ehif_configure_msi: Ehif_configure_msi: num_msi_desired = 8, available_msi = 1hif_configure_msi: use single msi
ath_ol_pci 0000:03:00.0: irq 65 for MSI/MSI-X
hif_configure_msi: X, ret = 0hif_target_sync: Loop checking FW signalhif_target_sync: Got FW signal, retries = 61hif_config_ce: ce_init donehif_config_ce: X, ret = 0hif_set_hia: Ehif_set_hia_extnd: E

 CLOCK PLL skipped
hif_pci_bus_configure: hif_set_hia donehif_enable: X OK
__ol_ath_attach() Allocated scn d5040440
__ol_ath_attach: dev name wifi1
ol_ath_attach interface_id 1
ol_target_init() BMI inited.
ol_target_init() BMI Get Target Info.
Chip id: 0x7, chip version: 0x4100016c

 CE WAR Disabled
NUM_DEV=1 FWMODE=0x2 FWSUBMODE=0x0 FWBR_BUF 0
ol_target_init() configure Target .
ol_transfer_bin_file: flash data file defined
ol_transfer_bin_file[3764] Get Caldata for wifi1.
qdf_fs_read[54]: Fail to Open File /tmp/wifi1.caldataol_transfer_bin_file: flash cal data len 0 doesn't equal to 2116
ol_ath_download_firmware: BOARDDATA DOWNLOAD TO address 0x401cc0
ol_transfer_bin_file: Board data file AR9888v2
ol_transfer_bin_file: Board Data File download to address=0x401cc0 file name=AR9888/hw.2/fakeBoardData_AR6004.bin
ol_transfer_bin_file 3645: downloading file 3, Download data len 2116
Board extended Data download address: 0x0
ol_ath_download_firmware: Using 0x1234 for the remainder of init

 Selecting  OTP binary for CHIP Version 0
ol_transfer_bin_file 3645: downloading file 0, Download data len 7224

 [Non-Flash] : Ignore Module param

 Second otp download Param 700 
ol_ath_download_firmware : Second OTP download and Execute is good, param=0x0 

 Mission mode: Firmware CHIP Version 0
ol_transfer_bin_file: Downloading firmware file: AR9888/hw.2/atf.bin
ol_transfer_bin_file 3645: downloading file 1, Download data len 250932
ol_target_init() Download FW done. 
ol_ath_attach() WMI attached. wmi_handle d745a000 
wmi_unified_register_event_handler: Event id 62 is unavailable
+htc_create ..  HIF :d5660000-htc_create: (0xd6684000)
htc_wmi_init() HT Create . d6684000
htc_wmi_init 7521 host_enable 1 nss_nwifi_offload 0
ol_ath_set_default_tgt_config : AC Minfree buffer allocation through module param (umac.ko)
 OL_ACBKMinfree : 0
 OL_ACBEMinfree : 0
 OL_ACVIMinfree : 0
 OL_ACVOMinfree : 0
hif_enable_fastpath, Enabling fastpath mode
+HWT
hif_completion_thread_startup: pipe_num:0 pipe_info:0xd5664578hif_completion_thread_startup: pipe_num:3 pipe_info:0xd5664650hif_completion_thread_startup: pipe_num:4 pipe_info:0xd5664698
-HWT
Startup Mode-0 set


htt_peer_map_timer_init Enter pdev d51f0000 hrtimer d51f492c

 htt_alloc_peer_map_mem : Alloc Success : host q vaddr d568c000 paddr 1568c000

 htt_alloc_peer_map_mem : Flush Interval Configured to 256 pkts
ol_txrx_pdev_attach: 2496 tx desc's allocated ; range starts from d4e20000
Firmware_Build_Number:0 
host/RAM_fw Build Ver Mismatch: H:0x7, F:0x0 ! 
FW wireless modes: 0x1f9001
num_rf_chain:0x00000003  ht_cap_info:0x0000085b  vht_cap_info:0x338001b2  vht_supp_mcs:0x0000ffea
wmi_service_coex_gpio 0, wmi_service_4_wire_coex_support 0, coex_version 0

Sending Ext resource cfg: HOST PLATFORM as 1
fw_feature_bitmap as 50 to TGT
ol_ath_service_ready_event: tt_support: 0
ol_ath_service_ready_event: periodic_chan_stats: 1
ol_ath_service_ready_event: sw_cal_support_check_flag: 0
LARGE_AP enabled. num_peers 144, num_vdevs 16, num_tids 256
Airtime Fairness: num_peers=144 num_active_peer=0
ATF: peers = 66, vdevs = 16 
idx 0 req 1  num_units 0 num_unit_info 2 unit size 440 actual units 67 
ol_ath_alloc_host_mem_chunk req_id 1 idx 0 num_units 67 unit_len 440,
Support not added yet for Service 91
Support not added yet for Service 92
No EXT_MSG send INIT now
chunk 0 len 29480 requested , ptr  0x14e10000
FIRMWARE:P 67 V 16 T 365
 
Version = 16777216 3  status = 0
ol_ath_connect_htc() WMI is ready
htt_h2t_frag_desc_bank_cfg_msg - HTT_H2T_MSG_TYPE_FRAG_DESC_BANK_CFG sent to FW for radio ID = 1
target uses HTT version 2.2; host uses 2.2
ol_ath_attach() connect HTC. 
bypasswmi : 0
ol_regdmn_start: reg-domain param: regdmn=0, countryName=, wModeSelect=FFFFFFFF, netBand=FFFFFFFF, extendedChanMode=0.
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2) flags 0x2150
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4) flags 0xa0
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x8) flags 0xc0
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x20) flags 0xd0
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x40) flags 0x150
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x800) flags 0x10080
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x2000) flags 0x20080
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x4000) flags 0x40080
Add VHT80 channel: 5210
Add VHT80 channel: 5290
Add VHT80 channel: 5530
Add VHT80 channel: 5610
Add VHT80 channel: 5690
Add VHT80 channel: 5775
Skipping VHT80 channel 5825
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x200000) flags 0x4000100
ol_regdmn_init_channels: !avail mode 0x1f9001 (0x400000) flags 0x8000100
ol_ath_phyerr_attach: called
freq=58 
freq=106 
freq=122 
OL Resmgr Init-ed
ieee80211_bsteering_attach: Band steering initialized
acfg_attach: using existing sock d77f3a00
 pktlog_init: Initializing Pktlog for AR9888, pktlog_hdr_size = 16
ol_if_spectral_setup
SPECTRAL : get_capability not registered
HAL_CAP_PHYDIAG : Capable
SPECTRAL : Need to fix the capablity check for RADAR (spectral_attach : 237)
SPECTRAL : get_capability not registered
HAL_CAP_RADAR   : Capable
SPECTRAL : Need to fix the capablity check for SPECTRAL
 (spectral_attach : 242)
SPECTRAL : get_capability not registered
HAL_CAP_SPECTRAL_SCAN : Capable
SPECTRAL : get_tsf64 not registered
spectral_init_netlink 78 NULL SKB
Green-AP : Green-AP : Attached

Green-AP : Attached
ol_ath_smart_ant_attach: Hardware doest not support Smart Antenna.
ol_if_dfs_setup: called 
ol_if_dfs_attach: called; ptr=d4ea1984, radar_info=d653bc7c
dfs_attach: event log enabled by default
ol_ath_rtt_meas_report_attach: called
ol_ath_lowi_wmi_event_attach: called
>>>> CB Set   (null)
ol_ath_attach() UMAC attach . 

 BURSTING enabled by default
ol_ath_attach: Set global_ic[2] ..ptr:dce6a000
ath_lowi_if_netlink_init LOWI Netlink successfully created
osif_wrap_attach:443 osif wrap attached
osif_wrap_devt_init:404 osif wrap dev table init done
 Wrap Attached: Wrap_com =d6ecb800 ic->ic_wrap_com=d6ecb800 &wrap_com->wc_devt=d6ecb800 
__ol_ath_attach: hard_header_len reservation 74
ath_ol_pci 0000:03:00.0: wifi1: Features changed: 0x00004800 -> 0x00004000
ol_ath_thermal_mitigation_attach: TT not supported in FW
ol_ath_pci_probe num_radios=1, wifi_radios[1].sc = d5040440 wifi_radio_type = 2
ath_sysfs_diag_init: diag_fsattr 
ieee80211_mbo_vattach:MBO Initialized 
ieee80211_oce_vattach: OCE Initialized 
[ieee80211_me_SnoopListInit@1937][Snoop Init]:member limit:65
__ieee80211_smart_ant_init: Smart Antenna functions are not registered !!! 
ath0: Features changed: 0x00004b80 -> 0x00004380
VAP device ath0 created osifp: (d6ca6c40) os_if: (d5008000)
	DCS for CW interference mitigation:   0
	DCS for WLAN interference mitigation: 0
 
 DES SSID SET=Hitron_ATH_2G 
 ieee80211_ioctl_siwmode: imr.ifm_active=131712, new mode=3, valid=1 
siwfreq
Set freq vap 0 stop send + d5008000
Set freq vap 0 stop send -d5008000
Set wait done --d5008000
 
 DES SSID SET=Hitron_ATH_2G 
 ieee80211_ioctl_siwmode: imr.ifm_active=131712, new mode=3, valid=1 
siwfreq
Set freq vap 0 stop send + d5008000
Set freq vap 0 stop send -d5008000
Set wait done --d5008000
[wifi1] FWLOG: [21068] WAL_DBGID_TX_AC_BUFFER_SET ( 0x3, 0x1e, 0x890, 0x890, 0x0 )
[wifi1] FWLOG: [21068] WAL_DBGID_TX_AC_BUFFER_SET ( 0x12, 0x1e, 0x890, 0x890, 0x0 )
[wifi1] FWLOG: [21068] WAL_DBGID_TX_AC_BUFFER_SET ( 0x45, 0x1e, 0x890, 0x890, 0x0 )
[wifi1] FWLOG: [21068] WAL_DBGID_TX_AC_BUFFER_SET ( 0x67, 0x1e, 0x890, 0x890, 0x0 )
[wifi1] FWLOG: [21070] WHAL_ERROR_RESET_PM (  )
[wifi1] FWLOG: [21077] WAL_DBGID_DEV_RESET ( 0x1, 0x1, 0x1 )
eth0: no IPv6 routers present
eth0.4093: no IPv6 routers present
osif_pltfrm_vap_init:Gbe Mode
8021q: adding VLAN 0 to HW filter on device ath0
This VAP's configuration value is 0 ( 1-PRIVATE 0-PUBLIC ) 
send_vdev_create_cmd_non_tlv: ID = 1 Type = 1, Subtype = 0 VAP Addr = a8:4e:3f:83:0d:72:
ieee80211_mbo_vattach:MBO Initialized 
ieee80211_oce_vattach: OCE Initialized 
[ieee80211_me_SnoopListInit@1931][Snoop Init]: group limit:13, member limit:65
[ieee80211_me_SnoopListInit@1937][Snoop Init]:member limit:65
__ieee80211_smart_ant_init: Smart Antenna functions are not registered !!! 
ath1: Features changed: 0x00004b80 -> 0x00004380
VAP device ath1 created osifp: (d6ca1440) os_if: (d56d8000)
0-disable, 1-critical 2-all, -1-not valid option
 
 DES SSID SET=Hitron_ATH_5G 
 ieee80211_ioctl_siwmode: imr.ifm_active=66176, new mode=3, valid=1 
siwfreq
Set freq vap 1 stop send + d56d8000
Set freq vap 1 stop send -d56d8000
Set wait done --d56d8000
 
 DES SSID SET=Hitron_ATH_5G 
 ieee80211_ioctl_siwmode: imr.ifm_active=66176, new mode=3, valid=1 
siwfreq
Set freq vap 1 stop send + d56d8000
Set freq vap 1 stop send -d56d8000
Set wait done --d56d8000
Resetting spectral chainmask to Rx chainmask
mlme_create_infra_bss : Overriding HT40 channel with HT20 channel
__ieee80211_smart_ant_init: Smart Antenna functions are not registered !!! 
[DOTH] vap-0(ath0):ieee80211_beacon_update: reinit beacon
[DOTH] vap-0(ath0):ieee80211_beacon_update: reinit beacon

osif_pltfrm_vap_init:Gbe Mode
OL vap_start +
VDEV START
OL vap_start -
ol_vdev_start_resp_ev for vap 1 (d745a000)
send_wmm_update_cmd_non_tlv:
su bfee 0 mu bfee 0 su bfer 0 mu bfer 0 impl bf 0 sounding dim 0
send_vdev_up_cmd_non_tlv for vap 1
__ieee80211_smart_ant_init: Smart Antenna functions are not registered !!! 
ol_ath_vap_set_param: Now supported MGMT RATE is 6000(kbps) and rate code: 0x3
8021q: adding VLAN 0 to HW filter on device ath1
This VAP's configuration value is 0 ( 1-PRIVATE 0-PUBLIC ) 
sc nodebug 0 
sc nodebug 0 
ath0: no IPv6 routers present
ath1: no IPv6 routers present

Networking

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether a8:4e:3f:83:0d:70 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::aa4e:3fff:fe83:d70/64 scope link 
       valid_lft forever preferred_lft forever
3: eth_udma0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:05:ca:44:55:67 brd ff:ff:ff:ff:ff:ff
4: eth_udma1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:05:ca:44:55:68 brd ff:ff:ff:ff:ff:ff
5: sit0: <NOARP> mtu 1480 qdisc noop state DOWN 
    link/sit 0.0.0.0 brd 0.0.0.0
6: ip6tnl0: <NOARP> mtu 1452 qdisc noop state DOWN 
    link/tunnel6 :: brd ::
7: eth0.4093@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 00:05:ca:00:00:09 brd ff:ff:ff:ff:ff:ff
    inet 192.168.254.254/24 brd 192.168.254.255 scope global eth0.4093
    inet6 fe80::205:caff:fe00:9/64 scope link 
       valid_lft forever preferred_lft forever
8: wifi0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ieee802.11 a8:4e:3f:83:0d:70 brd ff:ff:ff:ff:ff:ff
9: wifi1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ieee802.11 a8:4e:3f:83:0d:71 brd ff:ff:ff:ff:ff:ff
10: ath0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether a8:4e:3f:83:0d:70 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global ath0
    inet6 fe80::aa4e:3fff:fe83:d70/64 scope link 
       valid_lft forever preferred_lft forever
11: ath1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether a8:4e:3f:83:0d:72 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.254/24 brd 192.168.2.255 scope global ath1
    inet6 fe80::aa4e:3fff:fe83:d72/64 scope link 
       valid_lft forever preferred_lft forever

Wireless

ath0      IEEE 802.11ng  ESSID:"Hitron_ATH_2G"  
          Mode:Master  Frequency:2.437 GHz  Access Point: A8:4E:3F:83:0D:70   
          Bit Rate:216.7 Mb/s   Tx-Power:25 dBm   
          RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/94  Signal level=-95 dBm  Noise level=-95 dBm
          Rx invalid nwid:966  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

ath1      IEEE 802.11ac  ESSID:"Hitron_ATH_5G"  
          Mode:Master  Frequency:5.18 GHz  Access Point: A8:4E:3F:83:0D:72   
          Bit Rate:1.3 Gb/s   Tx-Power:17 dBm   
          RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=94/94  Signal level=-97 dBm  Noise level=-95 dBm
          Rx invalid nwid:1680  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Bootloader

After entering the bootloader shell, we can look at some environment variables to understand how the boot process works. The output below includes the boot script and the npcpuonly mode variables.

shell> printenv
bootcmd=while itest.b 1 == 1;do;if itest.b ${ACTIMAGE} == 1 || itest.b ${ACTIMAGE} == 3;then aimgname=UBFI1; aubfiaddr=${UBFIADDR1};bimgname=UBFI2; bubfiaddr=${UBFIADDR2}; bimgnum=2;else if itest.b ${ACTIMAGE} == 2;then aimgname=UBFI2; aubfiaddr=${UBFIADDR2};bimgname=UBFI1; bubfiaddr=${UBFIADDR1}; bimgnum=1;else echo *** ACTIMAGE invalid; exit;fi;fi;if itest.b ${ACTIMAGE} == 3;then eval ${rambase} + ${ramoffset};eval ${RAM_IMAGE_OFFSET} + ${evalval};set UBFIADDR3 ${evalval};if autoscr ${evalval};then bootm ${LOADADDR};else echo Reloading RAM image;tftpboot ${ramimgaddr} ${UBFINAME3};if autoscr ${ramimgaddr};then bootm ${LOADADDR};else setenv ACTIMAGE 1;fi;fi;fi; echo *** ACTIMAGE = ${ACTIMAGE}, will try to boot $aimgname stored @${aubfiaddr};if autoscr $aubfiaddr;then echo *** $aimgname bootscript executed successfully.;echo Start booting...;bootm ${LOADADDR};fi;echo *** $aimgname is corrupted, try $bimgname...;setenv ACTIMAGE $bimgnum;if autoscr $bubfiaddr;then echo *** $bimgname bootscript executed successfully.;echo Check image...;if imi ${LOADADDR};then echo Save updated ACTIMAGE...;saveenv;echo Image OK, start booting...;bootm ${LOADADDR};fi;fi;echo Backup image also corrupted...exit.;exit;done;
baudrate=115200
ipaddr=192.168.100.1
serverip=192.168.100.2
gatewayip=192.168.100.2
netmask=255.255.255.0
LOADADDR=0
RAM_IMAGE_OFFSET=0x03C00000
RAM_IMAGE_SIZE=0x00400000
BOOTPARAMS_AUTOUPDATE=on
BOOTPARAMS_AUTOPRINT=off
erase_spi_env=eval ${flashbase} + ${envoffset1} && protect off ${evalval} +${envsize} && erase ${evalval} +${envsize} && protect on ${evalval} +${envsize} && eval ${flashbase} + ${envoffset2} && protect off ${evalval} +${envsize} && erase ${evalval} +${envsize} && protect on ${evalval} +${envsize}
erase_mmc_env=eval ${rambase} + ${ramoffset} && bufferbase=${evalval} &&mmcaddr2blk $envoffset1 && envblkaddr=$blocksize && mmcaddr2blk $envsize && envblksize=$blocksize && mw ${bufferbase} 0xFF $envsize &&mmc write ${bufferbase} $envblkaddr $envblksize
erase_env=if itest.s ${bootdevice} == mmc; then run erase_mmc_env;else run erase_spi_env;fi;echo Please reset the board to get default env.
flashbase=0x08000000
rambase=0x40000000
boardtype=0x00000002
bootmode=0x00000001
ramoffset=0x18000000
ramsize=0x08000000
aid1offset=0x001E0000
aid2offset=0x001E0200
ubootoffset=0x03C04000
ubootsize=0x00040000
envoffset1=0x03C44000
envoffset2=0x03C44000
envsize=0x00010000
arm11ubfioffset1=0x00000000
arm11ubfisize1=0x00000000
arm11ubfioffset2=0x00000000
arm11ubfisize2=0x00000000
atomubfioffset1=0x00000000
atomubfisize1=0x00000000
atomubfioffset2=0x00000000
atomubfisize2=0x00000000
arm11nvramoffset=0x00000000
arm11nvramsize=0x00000000
mmc_part_arm11_kernel_0=7
mmc_part_arm11_kernel_1=8
mmc_part_arm11_rootfs_0=10
mmc_part_arm11_rootfs_1=11
mmc_part_arm11_gw_fs_0=12
mmc_part_arm11_gw_fs_1=13
mmc_part_arm11_nvram=9
mmc_part_atom_kernel_0=1
mmc_part_atom_kernel_1=2
mmc_part_atom_rootfs_0=3
mmc_part_atom_rootfs_1=5
verify=n
bootdevice=mmc
UBFIADDR1=0x03C56000
UBFIADDR2=0x03F58000
usbhostaddr=78.8d.f7.00.00.00
signature1_offset=0x001D8000
signature2_offset=0xFFFFFFFF
signature_size=0x00008000
signature_number=0x00000020
emmc_flash_size=0x00000070
mmc_part_arm11_nvram_2=255
cefdk_s1_offset=0x00080800
cefdk_s1_size=0x00010000
cefdk_s2_offset=0x00090800
cefdk_s2_size=0x00009400
cefdk_s3_offset=0x00099C00
cefdk_s3_size=0x00065400
cefdk_s1h_offset=0x000FF800
cefdk_s1h_size=0x00000800
cefdk_s2h_offset=0x00100000
cefdk_s2h_size=0x00000800
cefdk_s3h_offset=0x000FF000
cefdk_s3h_size=0x00000800
board_revision=0x00000000
CONSOLE=1
bootdelay=3
cefdk_version=0x0005480E
ver=)mango-1.6.5-ge4b629a1
l2switch_internal_mac_address=00.50.f1.80.00.00
silicon_stepping=0x0000000C
aep_mode=0x00000001
stdin=serial
stdout=serial
stderr=serial
active_aid=1
aididx_app_kernel=1
aididx_app_root_fs=1
aididx_app_vgw_fs=1
aididx_np_kernel=1
aididx_np_root_fs=1
aididx_np_gw_fs=1
aididx_rsvd_6=1
aididx_rsvd_7=1
aididx_rsvd_8=1
aididx_rsvd_9=1
aididx_rsvd_10=1
aididx_rsvd_11=1
aididx_rsvd_12=1
aididx_rsvd_13=1
aididx_rsvd_14=1
aididx_rsvd_15=1
actimage_atom_kernel=2
actimage_atom_rootfs=2
actimage_atom_vgfs=2
actimage_arm_kernel=2
actimage_arm_rootfs=2
actimage_arm_gwfs=2
ACTIMAGE=2
quiet=y

shell> script info
script info
Stored script lists as below:
load -m 0x200000 -i a -t emmc
bootkernel -b 0x200000 "console=ttyS0,115200 ip=192.168.100.2"

shell> npcpuonly dump
npcpuonly dump

 is_NPCPU_only_mode 0
 PCI_EX_CLK_CNTL bfc
 GBE_CLK_CNTL 3ff
 CRU_CLK_CNTL 1
 USB_CLK_CNTL 99
 SATA_CLK_CNTL 7f
 TS_CLK_CNTL e1
 PF_CLK_CNTL 3
 SEC_CLK_CNTL 61
 MSPOD_CLK_CNTL 3

 FPLL clock SSC1 for USB [SSCDIVCTL] a0114
  FPLL clock SSC1 for USB [SSCINTPHASE] 2000
  FPLL clock SSC0 for pcie & SATA [SSCDIVCTL] a0119
  FPLL clock SSC0 for pcie & SATA [SSCINTPHASE] 0

 /*Boot Params*/
 NUMBER_OF_FLASHES 1
 NPCPU_UBOOT_OFFSET 3c04000
 NPCPU_UBOOT_SIZE 40000
 NPCPU_ENV1_OFFSET 3c44000
 NPCPU_ENV2_OFFSET 3c44000
 NPCPU_ENV_SIZE 10000
 AID_1_OFFSET 1e0000
 AID_2_OFFSET 1e0200
 SIGNATURE1_OFFSET 1d8000
 SIGNATURE2_OFFSET ffffffff
 SIGNATURE2_SIZE 8000
 SIGNATURE_NUMBER 20
 NPCPU_ROOTFS_2_EMMC_PARTITION b0a0807
 APPCPU_KERNEL_1_EMMC_PARTITION 1090d0c
 NPCPU_NVRAM_2_EMMC_PARTITION ff050302
 AEP_MODE 1
 NPCPU_DDR_OFFSET 18000000
 NPCPU_DDR_SIZE 8000000
 BOARD_TYPE 2
 SILICON_STEPPING c
 CEFDK_VERSION 5480e
 EMMC_FLASH_SIZE 70
 CEFDK_S1_OFFSET 80800
 CEFDK_S1_SIZE 10000
 CEFDK_S2_OFFSET 90800
 CEFDK_S2_SIZE 9400
 CEFDK_S3_OFFSET 99c00
 CEFDK_S3_SIZE 65400
 CEFDK_S3H_OFFSET ff000
 CEFDK_S3H_SIZE 800
 CEFDK_S2H_OFFSET 100000
 CEFDK_S2H_SIZE 800
 CEFDK_S1H_OFFSET ff800
 CEFDK_S1H_SIZE 800
 BOARD_REVISION 0
 NPCPU_ONLY_MODE 0
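
The three *_EMMC_PARTITION words in the npcpuonly dump line up byte for byte with the mmc_part_* variables from printenv. The Python sketch below is an added example, not code from the original notes or from the vendor; the byte order, the slot order and the mapping from actimage_* values to partition slots are assumptions inferred from the two dumps above.

```python
import re

# Excerpts copied from the printenv and `npcpuonly dump` output above.
PRINTENV = """\
mmc_part_arm11_kernel_0=7
mmc_part_arm11_kernel_1=8
mmc_part_arm11_rootfs_0=10
mmc_part_arm11_rootfs_1=11
mmc_part_arm11_gw_fs_0=12
mmc_part_arm11_gw_fs_1=13
mmc_part_arm11_nvram=9
mmc_part_atom_kernel_0=1
mmc_part_atom_kernel_1=2
mmc_part_atom_rootfs_0=3
mmc_part_atom_rootfs_1=5
mmc_part_arm11_nvram_2=255
actimage_atom_kernel=2
actimage_atom_rootfs=2
actimage_arm_kernel=2
actimage_arm_rootfs=2
actimage_arm_gwfs=2
"""
NPCPU_DUMP = """\
 NPCPU_ROOTFS_2_EMMC_PARTITION b0a0807
 APPCPU_KERNEL_1_EMMC_PARTITION 1090d0c
 NPCPU_NVRAM_2_EMMC_PARTITION ff050302
"""

# Assumption: the three words form a 12-byte little-endian table, one partition
# number per byte, in this slot order (inferred by matching values, undocumented).
WORDS = ["NPCPU_ROOTFS_2_EMMC_PARTITION", "APPCPU_KERNEL_1_EMMC_PARTITION",
         "NPCPU_NVRAM_2_EMMC_PARTITION"]
SLOTS = ["arm11_kernel_0", "arm11_kernel_1", "arm11_rootfs_0", "arm11_rootfs_1",
         "arm11_gw_fs_0", "arm11_gw_fs_1", "arm11_nvram", "atom_kernel_0",
         "atom_kernel_1", "atom_rootfs_0", "atom_rootfs_1", "arm11_nvram_2"]
# Assumption: actimage_* names correspond to mmc_part_* names as follows.
ACTIMAGE_TO_PART = {"atom_kernel": "atom_kernel", "atom_rootfs": "atom_rootfs",
                    "arm_kernel": "arm11_kernel", "arm_rootfs": "arm11_rootfs",
                    "arm_gwfs": "arm11_gw_fs"}

def parse_env(text):
    """Parse `name=value` lines from printenv into a dict of strings."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def parse_dump(text):
    """Parse `NAME hexvalue` lines from `npcpuonly dump` into {name: int}."""
    pairs = re.findall(r"^[ \t]*([A-Z0-9_]+)[ \t]+([0-9a-fA-F]+)[ \t]*$", text, re.M)
    return {name: int(value, 16) for name, value in pairs}

def unpack_partition_table(dump):
    """Split the packed words into one partition number per slot."""
    raw = b"".join(dump[word].to_bytes(4, "little") for word in WORDS)
    return dict(zip(SLOTS, raw))

def cross_check(env, dump):
    """Return (slot, env_value, dump_value) for every disagreement."""
    pairs = [(slot, int(env["mmc_part_" + slot]), num)
             for slot, num in unpack_partition_table(dump).items()]
    return [p for p in pairs if p[1] != p[2]]

def active_partitions(env):
    """Resolve actimage_* (1 or 2) to a partition; assumes image N uses slot N-1."""
    return {img: int(env["mmc_part_%s_%d" % (part, int(env["actimage_" + img]) - 1)])
            for img, part in ACTIMAGE_TO_PART.items()}

if __name__ == "__main__":
    env, dump = parse_env(PRINTENV), parse_dump(NPCPU_DUMP)
    print(cross_check(env, dump), active_partitions(env))
```

With the values above it reports no mismatches and resolves the active images to partitions 2, 5, 8, 11 and 13.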

ARM / NPCPU side

Running kernel: Linux version 2.6.39.3-RG-gfe412cc4 (yangyinliang@EU1N) (gcc version 4.7.3 (Buildroot 2013.08.1) ) #1 PREEMPT Fri Feb 15 09:56:27 CST 2019

Dmesg is short and appears to have been truncated. The logs are full of DOCSIS or something related to it.

Partitions

There are 13 partitions on mmcblk0. The area before the first partition has the u-boot and possibly boot options. There are two copies of everything. Which image is booted is determined by the u-boot environment variable ACTIMAGE.

Partition | Size | Used by | Notes
--- | --- | --- | ---
0 | 2M | BIOS | Not a real partition, but it's the unallocated space before partition 1 and contains Intel u-boot/Firmware stuff.
1 | 4M | Intel | Linux kernel x86 boot executable bzImage. version 2.6.39 (root@US1-Yocto) #2 SMP PREEMPT Tue Aug 20 22:58:23 EDT 2019
2 | 4M | Intel | Linux kernel x86 boot executable bzImage. version 2.6.39 (root@US1-Yocto) #2 SMP PREEMPT Thu Nov 18 01:35:16 EST 2021
3 | 24M | Intel | Squashfs, created: Wed Aug 21 03:54:11 2019. Intel/APP CPU rootfs. Uses squashfs with xz compression.
4 | n/a | | Extended partition
5 | 24M | Intel | Squashfs, created: Thu Nov 18 07:30:34 2021. Intel/APP CPU rootfs. Uses squashfs with xz compression.
6 | 2MB | Intel | Mounted as /nvram on the Intel/APP CPU side. EXT3.
7 | 3MB | ARM | u-boot legacy uImage. Contains ARM version of the Linux kernel.
8 | 3MB | ARM | u-boot legacy uImage. Contains ARM version of the Linux kernel.
9 | 2MB | ARM | Mounted as /nvram when not in manufacturer mode. Has router.cfg configs. EXT3.
10 | 8M | ARM | Squashfs, created: Thu Feb 25 08:39:15 2021
11 | 8M | ARM | Squashfs, created: Tue Nov 30 03:23:33 2021. Root filesystem data, possibly. Things here appear under '/' (such as var.tar). /etc/scripts is populated here. Contains ARMv7 binaries.
12 | 17M | ARM | Squashfs, created: Thu Feb 25 08:39:20 2021
13 | 17M | ARM | Squashfs, created: Tue Nov 30 03:23:40 2021. Mounted as /fss/gw. Application data. Anything in etc gets symlinks to the version on /fss/gw. Includes the web interface (webs) binary. Contains ARMv7 binaries.

Other things and passwords

The router.cfg file contains all the options set by the Hitron web interface. There are 4 accounts (1 of which is an admin) as defined by this file:

um_auth_account_name admin mso
um_auth_account_password admin $1$Qw/d/uIf$lkYLZEhpxY46CQPYpUxqB1
um_auth_account_enable admin true
um_auth_account_name user1 cusadmin
um_auth_account_password user1 $1$Qw/d/uIf$pcaWzKv6eY1lD4txqoQKq1
um_auth_account_enable user1 true
um_auth_account_name user2 comadmin
um_auth_account_password user2 $1$Qw/d/uIf$xfah7wBUOSdTayBZmDtMs/
um_auth_account_enable user2 false
um_auth_account_name user3 admin
um_auth_account_password user3 $1$Qw/d/uIf$QoCnlC1SkZRyUcdSMKvKF.
um_auth_account_enable user3 false

You typically log in as cusadmin. By default, the account's password is set to 'password' out of the box. The mso account is the only admin account. Its password is 'msopassword', but the account is locked out by default.

I tried to change router.cfg but it seemed to revert to factory settings on the next reboot. There's something checking the file somewhere which I've yet to figure out. You also can't seem to change the password by uploading router.cfg (after encrypting it, see See also) to the web UI as the web interface is smart enough to ignore these values.
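
The account lines above can be audited mechanically. The following Python sketch is an added example, not part of the original notes or of the Hitron firmware: it groups the um_auth_account_* lines by slot, identifies the hash scheme from the crypt(3) prefix, and reports enabled logins and salt reuse. The finding labels and the scheme table are choices made for this example.

```python
from collections import defaultdict

# Account lines copied from the router.cfg excerpt above.
ROUTER_CFG = """\
um_auth_account_name admin mso
um_auth_account_password admin $1$Qw/d/uIf$lkYLZEhpxY46CQPYpUxqB1
um_auth_account_enable admin true
um_auth_account_name user1 cusadmin
um_auth_account_password user1 $1$Qw/d/uIf$pcaWzKv6eY1lD4txqoQKq1
um_auth_account_enable user1 true
um_auth_account_name user2 comadmin
um_auth_account_password user2 $1$Qw/d/uIf$xfah7wBUOSdTayBZmDtMs/
um_auth_account_enable user2 false
um_auth_account_name user3 admin
um_auth_account_password user3 $1$Qw/d/uIf$QoCnlC1SkZRyUcdSMKvKF.
um_auth_account_enable user3 false
"""

# crypt(3) scheme identifiers; anything not listed is reported as "unknown".
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
WEAK_SCHEMES = {"md5-crypt"}
PREFIX = "um_auth_account_"

def parse_accounts(text):
    """Group `um_auth_account_<field> <slot> <value>` lines by slot."""
    accounts = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].startswith(PREFIX):
            accounts[parts[1]][parts[0][len(PREFIX):]] = parts[2]
    return dict(accounts)

def split_crypt(stored):
    """Split a `$id$salt$digest` string into (scheme, salt, digest)."""
    fields = stored.split("$")
    if len(fields) != 4 or fields[0]:
        return ("unknown", None, stored)
    return (SCHEMES.get(fields[1], "unknown"), fields[2], fields[3])

def audit(accounts):
    """Return a list of (slot, finding) tuples for the parsed accounts."""
    findings, by_salt = [], defaultdict(list)
    for slot, acct in accounts.items():
        scheme, salt, _ = split_crypt(acct.get("password", ""))
        if scheme in WEAK_SCHEMES or scheme == "unknown":
            findings.append((slot, "weak or unknown hash scheme: " + scheme))
        if salt is not None:
            by_salt[salt].append(slot)
        if acct.get("enable") == "true":
            findings.append((slot, "enabled login: " + acct.get("name", "?")))
    for salt, slots in by_salt.items():
        if len(slots) > 1:  # per-account salts should differ
            findings.append((",".join(slots), "salt reused: " + salt))
    return findings

if __name__ == "__main__":
    for slot, finding in audit(parse_accounts(ROUTER_CFG)):
        print("%-28s %s" % (slot, finding))
```

On this file it flags all four hashes as md5-crypt, lists mso and cusadmin as enabled, and reports that every account shares the salt Qw/d/uIf.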

Getting root access on both subsystems in normal boot mode

The best way to accomplish getting root access when the modem's booted into its normal mode is to modify the squashfs filesystems on both the Intel and ARM partitions. I modified the rcS startup script on partitions 5 and 13 to call a script I placed in /nvram (on partitions 6 and 9) for the Intel and ARM subsystems, respectively.

See the Git repo for more info on what changes were made.

A few things to keep in mind:

  • On the ARM side, shell access goes to /usr/sbin/cli, which is the modem's restricted network CLI program.
  • The password to run 'shell' in the CLI program is unknown. I see D0nt4g3tme! in the linked libcli_core.so library, but it doesn't work.
  • To let telnet or dropbear log you in with /bin/sh as a shell, you have to add /bin/sh to /etc/shells.
  • On the Intel side, just run telnetd to start telnet.
  • On both sides, iptables is executed with xtables-multi iptables, e.g. xtables-multi iptables -L -n.
  • Adjust the default policy for INPUT to accept to make life easier: xtables-multi iptables -P INPUT ACCEPT. This only applies to the ARM side. There doesn't appear to be a firewall on the Intel/APP CPU side.
  • The ARM processor is big-endian, so you have to cross-compile for armv7-be.
  • You kinda have to run the DOCSIS services. Otherwise, nothing seems to come up.
  • You can control what services are started on the ARM side by looking at the PCD service manager files. The Intel side just uses rc.d startup scripts, not PCD. PCD on the ARM side has many services set to reboot the system on failure. You may want to change this behavior if you want to hack/stop services without causing a reboot.
  • You can leverage the PCD service manager to run your customized startup script.
  • You have to start a watchdog daemon on the ARM side, or else the system reboots (which also reboots the Intel side).
  • Dropbear supports only RSA with DH-SHA1. So you'll have to SSH using this command: ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostkeyAlgorithms=ssh-rsa cusadmin@192.168.0.254

ARM/NP CPU Command-line shell access

Decompiling the CLI shell shows that the password to run the 'shell' command is indeed D0nt4g3tme!.

bool CLI_CheckProdPasswd(void)

{
  int iVar1;
  bool bVar2;
  char acStack264 [264];
  
  memset(acStack264,0,0x100);
  iVar1 = htx_getMfgMode();
  bVar2 = false;
  if (iVar1 != 1) {
    CLI_GetPassword("Password:",acStack264,0x100);
    iVar1 = strcmp(acStack264,"D0nt4g3tme!");
    bVar2 = iVar1 != 0;
  }
  return bVar2;
}

The password, however, doesn't work.

Console, CLI version 1.0.0.5
Type 'help' for list of commands

mainMenu> shell
Password:D0nt4g3tme!
Wrong password!
mainMenu>

Changing /etc/passwd so telnet uses /bin/sh is the workaround.

Web UI settings backup and restore

Use the hc program to decrypt the backup config file generated by the web interface. The source code is available from GitHub at https://github.com/habohitron/habohitron/blob/master/firmwares/3.1.1.21/analyse/hc.c with a copy of it below:

/*
	$ gcc -o hc -s -O3 hc.c -lcrypto
	$ hc cmconfig.cfg cmconfig_plain.txt d # decrypting
	$ hc cmconfig_plain.txt cmconfig.cfg e # encrypting
*/
#include <stdlib.h>
#include <stdio.h>
#include <openssl/des.h>

#define BUFFER_SIZE (8 * 1024)
#define RET_GOTO(code, marker) \
	ret = code; \
	goto marker;
	
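// libhtx_db.so:00059B14
// Single-DES key hard-coded in the firmware library, so the same key applies
// to every backup file this tool handles.
static DES_cblock hitron_key = {
	0x57, 0x8A, 0x95, 0x8E, 0x3D, 0xD9, 0x33, 0xFC
};

// Encrypts (enc != 0) or decrypts (enc == 0) the stream in ECB mode: each
// 8-byte block is processed independently, with no IV and no integrity check.
void hitron_crypt(FILE *out, FILE *in, int enc)
{
	size_t i, n;
	DES_cblock buffer[BUFFER_SIZE];
	DES_key_schedule schedule;
	DES_set_key_unchecked(&hitron_key, &schedule);
	// fread() counts whole 8-byte blocks, so a trailing partial block is dropped.
	while((n = fread((void *)&buffer, sizeof(DES_cblock), BUFFER_SIZE, in)) > 0) {
		for(i = 0; i < n; i++) {
			DES_ecb_encrypt(&buffer[i], &buffer[i], &schedule, enc);
		}
		fwrite((void *)&buffer, sizeof(DES_cblock), n, out);
	}
}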

int main(int argc, char **argv)
{
	int ret = EXIT_SUCCESS;
	FILE *in = NULL, *out = NULL;

	if(argc != 4) {
		printf("Usage: hc in out d|e\n");
		return EXIT_FAILURE;
	}
		
	in = fopen(argv[1], "rb");
	if(in == NULL) {
		printf("could not open file\n");
		return EXIT_FAILURE;
	}
	
	out = fopen(argv[2], "wb");
	if(out == NULL) {
		printf("could not open file\n");
		RET_GOTO(EXIT_FAILURE, close_in);
	}
	hitron_crypt(out, in, argv[3][0] == 'e');
	
	fclose(out);
close_in:
	fclose(in);
end:
	return ret;
}

Compile the program and then pass in the backup config file. Make any changes as desired, though note that not all settings, including the passwords, can be saved during the restore process. There is also no option to allow telnet/ssh on the LAN side using this method. If that's your only intent, you have to change the firewall by getting a root shell.

$ gcc -o hc -s hc.c -lcrypto
$ ./hc backup.cfg config.txt d
$ ./hc config.txt restore.cfg e

Final thoughts

I never noticed any performance issues with this modem while using it for years. However, I can definitely see some issues with the design of this device. For one thing, why are there two disjoint systems running different architectures but using the same memory and flash storage, bridged together with a hardware network bridge? Why not use one system?

The Intel CPU seems to be used just to handle USB storage and Samba. The ARM processor seems to be overloaded by the DOCSIS handling, let alone all the other network-related processes like SNMP, Web UI, Telnet, Dropbear/SSH, VPN, GRE tunnels, etc. High latency and jitter aren't really surprising, since it appears that traffic to and from the DOCSIS and Ethernet sides has to go through the ARM/NP CPU, which is very weak.

The more I understand the system, the more it looks like a chimera to me: two random creatures stapled together and made to work as a modem -- poorly.

See also