projects:zsun-wifi-card-reader
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
projects:zsun-wifi-card-reader [2016/01/15 21:30] – emeryth | projects:zsun-wifi-card-reader [2020/02/12 16:14] (current) – emeryth | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | {{template>: | ||
+ | | name=zsun-wifi-card-reader | ||
+ | | status=abandoned | ||
+ | | founder=[[user> | ||
+ | | repo=[[github> | ||
+ | }} | ||
+ | |||
====== Hacking the Zsun WiFi SD Card Reader ====== | ====== Hacking the Zsun WiFi SD Card Reader ====== | ||
- | {{: | + | {{: |
The goal of this project is to learn as much as possible about the Zsun WiFi card reader and run OpenWrt on it to turn it into an awesome wifi device. | The goal of this project is to learn as much as possible about the Zsun WiFi card reader and run OpenWrt on it to turn it into an awesome wifi device. | ||
+ | **UPDATE 2017-09-12** Info about LEDE and USB gadget working \\ | ||
+ | **UPDATE 2016-11-28** Adding some more info about the new PCB revision, thanks to Erik Dorner, who sent me his analysis a long time ago \\ | ||
+ | **UPDATE 2016-04-23** The new PCB is missing a jumper on the RX serial line, see serial port section \\ | ||
+ | **UPDATE 2016-03-16** The second PCB revision has identical software and hardware (apart from optimized minor component layout), flashing works the same \\ | ||
+ | **UPDATE 2016-03-12** We now know that there are at least two different PCB versions of the reader! | ||
+ | **UPDATE 2016-02-21** github mirror at https:// | ||
+ | **UPDATE 2016-01-27** informatic seems to have figured out how to use the original firmware' | ||
=== People Involved === | === People Involved === | ||
Line 22: | Line 36: | ||
* Use it as the brains of your IoT project | * Use it as the brains of your IoT project | ||
* Buy a dozen and play around with mesh networking | * Buy a dozen and play around with mesh networking | ||
- | * Use it for distributed WiFi activism like PirateBox or OccupyWiFi | + | * Use it for distributed WiFi activism like PirateBox or OccupyWiFi, or run a [[https:// |
* Host Node.js on it and take your apps to your favorite coffee shop :^) | * Host Node.js on it and take your apps to your favorite coffee shop :^) | ||
\\ | \\ | ||
Line 38: | Line 52: | ||
\\ | \\ | ||
The device consists of two PCBs sandwiched together and connected via 8 pins.\\ | The device consists of two PCBs sandwiched together and connected via 8 pins.\\ | ||
+ | **WARNING** There are at least 2 PCB revisions, our original research was on the " | ||
+ | The new revision has optimized layout with some minor changes, software is identical. | ||
+ | |||
The bottom PCB contains only the SD card reader chip and SD slot, it can be safely removed without affecting operation. | The bottom PCB contains only the SD card reader chip and SD slot, it can be safely removed without affecting operation. | ||
+ | **This is only true for the old PCB revision!** The new revision moved the 3.3V regulator to the PCB with the card reader. | ||
+ | |||
=== Serial Port === | === Serial Port === | ||
Line 45: | Line 64: | ||
Bitrate is 115200. | Bitrate is 115200. | ||
- | Original firmware root password is " | + | Original firmware root password is " |
+ | |||
+ | The new PCB has a missing jumper that connects the serial RX testpad to the SoC. Short it or solder directly to the lower pad of the jumper to use serial. | ||
+ | (The second missing resistor is a pull up/down, I guess) | ||
+ | |||
+ | {{: | ||
+ | |||
+ | Thanks to Andreas H. for the clear picture of the new PCB. | ||
=== Ethernet Port === | === Ethernet Port === | ||
Line 52: | Line 78: | ||
Use a Magjack or similar connector with magnetics.\\ | Use a Magjack or similar connector with magnetics.\\ | ||
This port is required for uploading images to u-boot.\\ | This port is required for uploading images to u-boot.\\ | ||
+ | |||
+ | Here's how to properly connect the ethernet port, thanks to **Erik Dorner**: \\ | ||
+ | |||
+ | The AR9331 uses a current-mode line driver, which, in practical terms, means that the center taps of the primary coils of the Ethernet transformer must be connected to the PHY power supply voltage (2.0V for the AR9331).\\ | ||
+ | The SoC is capable of producing this voltage, but it needs some external components (a general purpose PNP transistor and some filter/ | ||
+ | Fortunately, | ||
+ | |||
+ | {{: | ||
+ | |||
+ | If you don't care that much, you can connect 3.3V to the center taps, it should work. | ||
=== USB switch === | === USB switch === | ||
Line 86: | Line 122: | ||
+ | === USB device mode === | ||
+ | AR9331 is capable of working as a usb device (gadget). | ||
+ | < | ||
+ | http:// | ||
+ | **The USB device/ | ||
+ | (It's not in the 17.01 stable release, though) | ||
+ | |||
+ | So if you want to use the zsun as a USB gadget you will need to: | ||
+ | - < | ||
+ | - Remove the G13 bootstrap resistor setting USB to host mode | ||
+ | - < | ||
+ | |||
+ | |||
+ | Here's what it looks like on the old PCB with the pins connected to the original USB plug: | ||
+ | |||
+ | {{: | ||
==== Original firmware ==== | ==== Original firmware ==== | ||
Line 94: | Line 146: | ||
Source: [[http:// | Source: [[http:// | ||
- | Regular telnet | + | Regular telnet |
< | < | ||
Line 129: | Line 181: | ||
My OpenWrt port, based on the 15.05 "Chaos Calmer" | My OpenWrt port, based on the 15.05 "Chaos Calmer" | ||
https:// | https:// | ||
+ | |||
+ | **You have to clone the " | ||
+ | git clone -b zsun https:// | ||
+ | |||
+ | Github mirror: | ||
+ | https:// | ||
Compiled images and image builder: \\ | Compiled images and image builder: \\ | ||
- | https:// | + | <del>https:// |
+ | https:// | ||
+ | |||
+ | **You cannot use kernel modules from the official repository, use the image builder or compile them yourself if they' | ||
This port sticks to the original flash layout. \\ | This port sticks to the original flash layout. \\ | ||
I've added a few things to this port to make it more usable on the zsun without having to solder. | I've added a few things to this port to make it more usable on the zsun without having to solder. | ||
* Wifi is enabled by default, AP mode, no encryption | * Wifi is enabled by default, AP mode, no encryption | ||
- | * Entering failsafe will run a script that automatically does a factory | + | * Entering failsafe will run a script that automatically does a factory |
* The SD card detect pin is registered as a button and will trigger failsafe when inserted/ | * The SD card detect pin is registered as a button and will trigger failsafe when inserted/ | ||
* The SD card reader is reset every time a card is inserted or removed | * The SD card reader is reset every time a card is inserted or removed | ||
+ | |||
+ | ==== LEDE ==== | ||
+ | |||
+ | https:// | ||
+ | |||
+ | I've made a quick port of LEDE: | ||
+ | https:// | ||
+ | |||
+ | **good news:** | ||
+ | It has USB gadget | ||
+ | |||
+ | **bad news:** | ||
+ | The standard LEDE kernel is too big to fit in the original kernel partition. | ||
+ | You need to either change the bootloader and flash layout, or decrease the kernel image size by disabling things like debug symbols. | ||
+ | |||
+ | |||
+ | ==== Backing up the original firmware ==== | ||
+ | |||
+ | \\ | ||
+ | **YOU SHOULD DO THIS BEFORE ATTEMPTING TO FLASH** \\ | ||
+ | At the end of the flash chip there is an " | ||
+ | You can backup the entire flash over telnet by using dd. | ||
+ | |||
+ | < | ||
+ | |||
+ | **Do this with all the mtd partitions (mtd0 to mtd5)** | ||
+ | |||
+ | Then make a symlink to /tmp in /etc/disk so you can download the files via the web interface. | ||
+ | |||
+ | |||
+ | < | ||
==== Flashing ==== | ==== Flashing ==== | ||
Line 147: | Line 239: | ||
- Reflash the firmware from the original firmware using mtd_write (easy but you have to do it right on the first try) | - Reflash the firmware from the original firmware using mtd_write (easy but you have to do it right on the first try) | ||
- Attach a programmer to the flash chip (impossible to mess up) | - Attach a programmer to the flash chip (impossible to mess up) | ||
+ | - Use the original firmware' | ||
Line 161: | Line 254: | ||
</ | </ | ||
- | Where openwrt.bin is your rootfs+kernel image (in that order!). | + | Where openwrt.bin is your rootfs+kernel image (in that order! and the kernel must be at the correct offset!), that is **openwrt-ar71xx-generic-zsun-sdreader-squashfs-sysupgrade.bin** if you're using our image. |
=== Flashing from original firmware (mtd_write) === | === Flashing from original firmware (mtd_write) === | ||
+ | |||
+ | **WARNING** **This method is risky, you have only one chance to get it right.** However if you fail to do so, you still can use above method (unless you completely screw it up by overwriting u-boot, but that's pretty unlikely) | ||
+ | |||
+ | The method could use some improvement, | ||
There are multiple ways to get files onto zsun rootfs, one of which is TFTP (pretty easy to setup, no need for SD card) | There are multiple ways to get files onto zsun rootfs, one of which is TFTP (pretty easy to setup, no need for SD card) | ||
Line 171: | Line 268: | ||
# serves files off your current directory, remember to chmod o+r files you'd like to use</ | # serves files off your current directory, remember to chmod o+r files you'd like to use</ | ||
- | Then download your files onto zsun's /tmp (ramfs is mounted there), copy mtd_write to ramfs too, just to be safe, and write them with mtd_write. | + | Then download your files onto zsun's /tmp (ramfs is mounted there), just to be safe, and write them with mtd_write. |
Keep in mind **you have to flash kernel first**, since rootfs is used by running system. | Keep in mind **you have to flash kernel first**, since rootfs is used by running system. | ||
+ | |||
+ | **To be extra safe, you can kill all processes that are not telentd and your shell.** | ||
+ | It has been shown that flashing can succeed without this, but you never know. | ||
< | < | ||
Line 184: | Line 284: | ||
# tftp -g 10.168.168.100 -r openwrt-ar71xx-generic-zsun-sdreader-kernel.bin | # tftp -g 10.168.168.100 -r openwrt-ar71xx-generic-zsun-sdreader-kernel.bin | ||
# tftp -g 10.168.168.100 -r openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin | # tftp -g 10.168.168.100 -r openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin | ||
- | # cp / | ||
# cat /proc/mtd | # cat /proc/mtd | ||
dev: size | dev: size | ||
Line 193: | Line 292: | ||
mtd4: 00010000 00010000 " | mtd4: 00010000 00010000 " | ||
mtd5: 00010000 00010000 " | mtd5: 00010000 00010000 " | ||
- | # /tmp/mtd_write write openwrt-ar71xx-generic-zsun-sdreader-kernel.bin /dev/mtd3 | + | # mtd_write write openwrt-ar71xx-generic-zsun-sdreader-kernel.bin /dev/mtd3 |
Unlocking /dev/mtd3 ... | Unlocking /dev/mtd3 ... | ||
Writing from openwrt-ar71xx-generic-zsun-sdreader-kernel.bin to /dev/mtd3 ... [w] | Writing from openwrt-ar71xx-generic-zsun-sdreader-kernel.bin to /dev/mtd3 ... [w] | ||
- | # /tmp/mtd_write write openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin /dev/mtd2 | + | # mtd_write write openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin /dev/mtd2 |
Unlocking /dev/mtd2 ... | Unlocking /dev/mtd2 ... | ||
Writing from openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin to /dev/mtd2 ... [w] | Writing from openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin to /dev/mtd2 ... [w] | ||
Line 203: | Line 302: | ||
"//Bus error//" | "//Bus error//" | ||
+ | |||
+ | === Using the original firmware' | ||
+ | |||
+ | Device can be flashed without any special tools even in Windows by copying special update package with SMB/Network Shares and opening two URLs. More information here: | ||
+ | [[projects: | ||
==== Pictures ==== | ==== Pictures ==== | ||
- | {{: | + | {{: |
- | {{: | + | {{: |
- | {{: | + | {{: |
- | {{: | + | {{: |
+ | {{: |
projects/zsun-wifi-card-reader.1452893451.txt.gz · Last modified: 2016/01/15 21:30 by emeryth