TP-LINK TL-WR882N v1 拆解
本帖最后由 hackpascal 于 2014-6-30 12:56 编辑楼主为了做 TP9343 的不死 U-Boot,特地提前买了一个 TP9343 的路由。。免得以后芯片变了。。
配置:
CPU: Qualcomm Atheros TP9343-AL3A (750MHz)
RAM: ESMT M13S128168A-5T (16MB DDR1 200MHz)
Flash: GigaDevice GD25Q16BSIG (2MB)
网口是8针的,LAN 状态指示灯集成在接口上
P.S. 这个 PCB 似乎是三层的,中间有一层用于走 LED
通过对原厂 U-Boot 进行逆向分析,没有发现 USB 的初始代码,所以 TP9343 可能没有 USB 功能
直接上图 (图较大,单击可看大图)
TTL 输出:
U-Boot 1.1.4 (Nov 14 2013 - 19:26:49)
cus249 - Dragonfly 1.0
DRAM:16 MB
Top of RAM usable for U-Boot at: 81000000
Reserving 130k for U-Boot at: 80fdc000
Reserving 132k for malloc() at: 80fbb000
Reserving 44 Bytes for Board Info at: 80fbafd4
Reserving 36 Bytes for Global Data at: 80fbafb0
Reserving 128k for boot params() at: 80f9afb0
Stack Pointer at: 80f9af98
Now running in RAM - U-Boot at: 80fdc000
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x15
flash size 4MB, sector count = 1024
Flash:4 MB
Using default environment
In: serial
Out: serial
Err: serial
Net: ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Dragonfly----> S27 PHY *
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 up
ATHRS27: resetting s27
ATHRS27: s27 reset done
: cfg1 0x800c0000 cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :10
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :10
athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :10
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :10
eth1 up
eth0, eth1
Setting 0x181162c0 to 0x55aa2100
Autobooting in 1 seconds
header.file.offset=0x80, len=0x44794
header.file.offset=0x44820, len=0x528
header.file.offset=0x44d50, len=0xc43ee
header.file.offset=0x0, len=0x0
vxWorks.bin from =0x53d50, len=0xc43ee
Uncompressing...done
Attaching interface lo0... done
Rx clbufs 1456 each of size 1660
Dragonfly -----> S27 PHY
ATHRS27: resetting s27
ATHRS27: s27 reset done
ATHRS27:Port status register read 2:7E
ATHRS27:S27 S27_PHY_FUNC_CONTROL (0):862
ATHRS27:S27 PHY ID(0) :4d
ATHRS27:S27 PHY CTRL(0) :10
ATHRS27:S27 ATHR PHY STATUS(0) :7949
ATHRS27:S27 S27_PHY_FUNC_CONTROL (1):862
ATHRS27:S27 PHY ID(1) :4d
ATHRS27:S27 PHY CTRL(1) :10
ATHRS27:S27 ATHR PHY STATUS(1) :7949
ATHRS27:S27 S27_PHY_FUNC_CONTROL (2):862
ATHRS27:S27 PHY ID(2) :4d
ATHRS27:S27 PHY CTRL(2) :10
ATHRS27:S27 ATHR PHY STATUS(2) :7949
ATHRS27:S27 S27_PHY_FUNC_CONTROL (3):862
ATHRS27:S27 PHY ID(3) :4d
ATHRS27:S27 PHY CTRL(3) :10
ATHRS27:S27 ATHR PHY STATUS(3) :7949
ATHRS27:S27 S27_CPU_PORT_REGISTER :1f0
ATHRS27:S27 PORT_STATUS_REGISTER0:fe
ATHRS27:S27 PORT_STATUS_REGISTER1:1280
ATHRS27:S27 PORT_STATUS_REGISTER2:1280
ATHRS27:S27 PORT_STATUS_REGISTER3:1280
ATHRS27:S27 PORT_STATUS_REGISTER4:1280
ATHRS27:S27 PORT_CONTROL_REGISTER0 :4004
ATHRS27:S27 PORT_CONTROL_REGISTER1 :4004
ATHRS27:S27 PORT_CONTROL_REGISTER2 :4004
ATHRS27:S27 PORT_CONTROL_REGISTER3 :4004
ATHRS27:S27 PORT_CONTROL_REGISTER4 :4004
Setting Drop CRC Errors, Pause Frames and Length Error frames
Setting PHY...
ATHRS27:athrs27_phy_setup S27_PHY_CONTROL 0 :1000
ATHRS27:athrs27_phy_setup S27_PHY_SPEC_STAUS 0 :10
ATHRS27:athrs27_phy_setup S27_PHY_CONTROL 1 :1000
ATHRS27:athrs27_phy_setup S27_PHY_SPEC_STAUS 1 :10
ATHRS27:athrs27_phy_setup S27_PHY_CONTROL 2 :1000
ATHRS27:athrs27_phy_setup S27_PHY_SPEC_STAUS 2 :10
ATHRS27:athrs27_phy_setup S27_PHY_CONTROL 3 :1000
ATHRS27:athrs27_phy_setup S27_PHY_SPEC_STAUS 3 :10
eth1 Verify MAC address E4D332XX XXXX0000
sb = E4 D3 32 XX XX XX
Dragonfly -----> S27 PHY
ATHRS27:ATHRS27:OPERATIONAL_MODE_REG0:40
ATHRS27:ATHRS27:REG 0x4-->:40
ATHRS27:ATHRS27:REG 0x2c-->:fe7f007f
ATHRS27:ATHRS27:REG 0x8-->:10000000
Setting Drop CRC Errors, Pause Frames and Length Error frames
Setting PHY...
ATHRS27:athrs27_phy_setup S27_PHY_CONTROL 4 :1000
ATHRS27:athrs27_phy_setup S27_PHY_SPEC_STAUS 4 :10
eth0 Verify MAC address E4D332XX XXXX0000
sb = E4 D3 32 XX XX XX
Version2.0
Software Platform for PNE2.2
Copyright(C) 2001-2011 by TP-LINK TECHNOLOGIES CO., LTD.
Creation date: Mar 10 2014, 16:34:43
# Moduler MODULER-CONTROL: start working.
All config data size = 22232, srart address= 0x80a7cf10.
Moduler MODULER-CONTROL: size = 16, srtart address = 0x80a7cf10.
Moduler SYSTEM-LOG: size = 280, srtart address = 0x80a7cf20.
Moduler TDDP-AGENT: size = 0, srtart address = 0x80a7d038.
Moduler OEMDEF: size = 592, srtart address = 0x80a7d038.
Moduler BRIDGE: size = 0, srtart address = 0x80a7d288.
Moduler ACCOUNT: size = 40, srtart address = 0x80a7d288.
Moduler WEB-V4: size = 0, srtart address = 0x80a7d2b0.
Moduler wizard: size = 0, srtart address = 0x80a7d2b0.
Moduler OPMODE: size = 4, srtart address = 0x80a7d2b0.
Moduler LAN: size = 16, srtart address = 0x80a7d2b4.
Moduler UPnP: size = 0, srtart address = 0x80a7d2c4.
Moduler WLAN: size = 3368, srtart address = 0x80a7d2c4.
Moduler MAC-CLONE: size = 0, srtart address = 0x80a7dfec.
Moduler DHCPS: size = 1964, srtart address = 0x80a7dfec.
Moduler IF-NAT: size = 0, srtart address = 0x80a7e798.
Moduler WAN: size = 4, srtart address = 0x80a7e798.
Moduler LINKMODE: size = 4, srtart address = 0x80a7e79c.
Moduler STATIC-IP: size = 32, srtart address = 0x80a7e7a0.
Moduler DHCPC: size = 104, srtart address = 0x80a7e7c0.
Moduler PPPoE: size = 596, srtart address = 0x80a7e828.
Moduler VIRTSVR: size = 904, srtart address = 0x80a7ea7c.
Moduler IGDV2: size = 4, srtart address = 0x80a7ee04.
Moduler DMZ-HOST: size = 8, srtart address = 0x80a7ee08.
Moduler STATIC-ROUTER: size = 328, srtart address = 0x80a7ee10.
Moduler Statistics: size = 20, srtart address = 0x80a7ef58.
Moduler AccessCtrl: size = 10860, srtart address = 0x80a7ef6c.
Moduler Security: size = 40, srtart address = 0x80a819d8.
Moduler ARPBIND: size = 648, srtart address = 0x80a81a00.
Moduler ADDITIONDNS: size = 0, srtart address = 0x80a81c88.
Moduler DNS-PROXY: size = 0, srtart address = 0x80a81c88.
Moduler TP-DOMAIN: size = 0, srtart address = 0x80a81c88.
Moduler DDNS: size = 1740, srtart address = 0x80a81c88.
Moduler IPQOS: size = 572, srtart address = 0x80a82354.
Moduler LOGIN-PASSWORD: size = 0, srtart address = 0x80a82590.
Moduler USER-REBOOT: size = 0, srtart address = 0x80a82590.
Moduler RESET: size = 0, srtart address = 0x80a82590.
Moduler DIAGNOSTIC: size = 0, srtart address = 0x80a82590.
Moduler BAKNRESTORE: size = 0, srtart address = 0x80a82590.
Moduler HTTP-FIRMWARE: size = 0, srtart address = 0x80a82590.
Moduler IGMP: size = 4, srtart address = 0x80a82590.
Moduler ANTI-SNIFFER: size = 0, srtart address = 0x80a82594.
Moduler SNTPC: size = 84, srtart address = 0x80a82594.
Moduler SYSTEM-LOG: start working.
Moduler TDDP-AGENT: start working.
Moduler OEMDEF: start working.
Moduler BRIDGE: start working.
Moduler ACCOUNT: start working.
Moduler WEB-V4: start working.
Moduler wizard: start working.
Moduler OPMODE: start working.
Moduler LAN: start working.
Moduler UPnP: start working.
Moduler WLAN: start working.
APCFG task id 80a4f500sysWlanInit ...
Create WLAN event twlanSecFliterStartas : k install Wlan Sec filter.
tWLANEventTaskEntering WLAN e
vent Task Loop
Create mem partion 0x80a330c0 for size 94464
Enterprise mode: 0x03bda000
Restoring Cal data from Flash
base_eep_header.feature_enable = 0x5d.
base_eep_header.txrxgain = 0x0.
modal_header_2g.temp_slope = 0x1c.
modal_header_5g.temp_slope = 0x44.
base_ext2.temp_slope_low = 0x1c.
base_ext2.temp_slope_high = 0x1c.
Create OS_MESGQ Successfully at 0x80a11f60
osifp->queue_head = 0x80a122b8
Entering Task Loop
-->wlanBootUp: bring up ap
==>wlanBasicParaConfiged enter
apMode=0,rootap
SSID="TP-LINK_XXXX"
Region=156, "156" index=17
Channel=0, "auto"
wirelssChMode=11NGHT40PLUS, purg=0, purn=0
CWM mode=1, "1"
Broadcast SSID enalbe
==>wlanBasicParaConfiged leave
==>wlanADVParaConfiged enter
tx power: 0
beacon interval: 100
rts threshold: 2346
frag threshold: 2346
dtim interval: 1
wmm: enable
short gi: enable
ap isolation: disable
==>wlanADVParaConfiged leave
==>wlanSecParaConfiged enter
no sec...
==>wlanSecNoneConfig enter
==>wlanSecNoneConfig leave
==>wlanSecParaConfiged leave
==>wlanOtherParaConfiged enter!0x8820001
AP_DEBUG mask is 0
==>wlanOtherParaConfiged leave!
==>wlanACLParaConfiged enter
HLF wlanACLParaConfiged 1172 isWlanEnabled() = 1 isWlanAclEnabled() = 0
ERROR:wireless OR ACL disable
==>wlanACLParaConfiged leave
-->wlan start outside!
Moduler MAC-CLONEStarting WLA: start working.
N Moduler !!!!
DHCPS: start working.
AP_SModuler TARTMODEIF-NAT=: start working.
Moduler WAN: start working.
Moduler LINKMODE: start working.
Set phy 4 link mode 0x01.
Moduler STATIC-IP: start working.
Moduler DHCPC: start working.
add net 0.0.0.0: gateway 169.254.211.112
Moduler PPPoE: start working.
Moduler VIRTSVR: start working.
Moduler IGDV2: start working.
Moduler DMZ-HOST: start working.
Moduler STATIC-ROUTER: start working.
Moduler Statistics: start working.
Moduler AccessCtrl: start working.
Moduler Security: start working.
Moduler ARPBIND: start working.
Moduler ADDITIONDNS: start working.
Moduler DNS-PROXY: start working.
Moduler TP-DOMrootaAINp: start working.
Moduler DDNS: start working.
AP_ENABModuler LEIPQOS: start working.
=Moduler LOGIN-PASSWORD1: start working.
Moduler ATH_COUNTRYCODEUSER-REBOOT=: start working.
Moduler RESET: start working.
Moduler DIAGNOSTIC156: start working.
Moduler BAKNRESTORE: start working.
Moduler HTTP-FIRMWARE: start working.
Moduler IGMP: start working.
AP_CHMModuler ODEANTI-SNIFFER=: start working.
11NGHT40PLUSModuler
SNTPC: start working.
WLAN IOCTL AP_CHMODE=11NGHT40PLUS=11NGHT20=11NGHT40PLUS=1003
WLAN IOCTL AP_PRIMARY_CH=auto=6=auto=1002
WLAN IOCTL PUREG=0=0=0=1004
WLAN IOCTL AP_ISOLATION=0=0=0=1034
WLAN IOCTL AP_TX11NRATE==0x0=0x0=1041
WLAN IOCTL AP_11G_PROTECTION==0=0=1042
WLAN IOCTL AP_BEACON_INTERVAL=100=100=100=1043
WLAN IOCTL AP_FRAGMENT_THRESHOLD=2346=2346=2346=1044
WLAN IOCTL AP_RTS_THRESHOLD=2346=2347=2346=1046
WLAN IOCTL AP_DTIM_PERIOD=1=1=1=1045
WLAN IOCTL AP_WMM_ENABLE=1=1=1=1051
WLAN IOCTL AP_WMM_NOACK==0=0=1052
WLAN IOCTL AP_CYPHER_2==CCMP=CCMP=1000
WLAN IOCTL AP_NO_EDGE_CH==0=0=1056
WLAN IOCTL AP_MCASTRATE==0=0=1018
WLAN IOCTL AP_MACFILTER_MODE==0=0=1038
WLAN IOCTL AP_MACFILTER_LIST====1000
WLAN IOCTL AP_SHORT_GI=1=1=1=1055
WLAN IOCTL AP_CWMENABLE==1=1=1008
WLAN IOCTL AP_DISABLECOEXT=1=0=1=1075
WLAN IOCTL AP_MCASTENHANCE==2=2=1083
WLAN IOCTL AP_ME_LENGTH==32=32=1085
WLAN IOCTL AP_METIMER==3000=3000=1086
WLAN IOCTL AP_METIMEOUT==12000=12000=1087
WLAN IOCTL AP_MEDROPMCAST==0=0=1089
WLAN IOCTL AP_SSID=TP-LINK_XXXX=AP136_VxWorks_TPLINK_20130802=TP-LINK_XXXX=1001
AP_CHMODE=11NGHT40PLUS
AP_CWMMODE=1
AP_AMPDU=1
AP_AMPDU_LIMIT=50000
AP_AMPDU_SUBFRAMES=32
AP_PURE_N=0
AP_TX_CHAINMASK=7
AP_RX_CHAINMASK=7
AP_ATHDEBUG=0x00000000
AP_HALDEBUG=0x00000000
>>> WDS 1 ,IEEE80211IOCTL_WDS=61, vapid=0
>>> EXTAP 0 ,IEEE80211IOCTL_SETEXTAP=77, vapid=0
AP_SECMODE=None
WPS_ENABLE=0
Security Mode: None
WLAN IOCTL AP_HIDE_SSID=0=0=0=1005
AP_MACFILTER_MODE=0
WPS_ENABLE=0
WLAN IOCTL AP_BASICRATES==0=0=1039
WLAN IOCTL AP_DEBUG=0=0x00000008=0=1062
WLAN IOCTL AP_TX11NRATE==0x0=0x0=1041
WLAN IOCTL AP_TX11NRETRIES==0x04040404=0x04040404=1078
Starting Hostapd
AP_SSID=TP-LINK_XXXX
AP_SSID=TP-LINK_XXXX
AP_HOSTAPD_DEBUG=0
AP_IPADDR=192.168.1.1
AP_SECMODE=None
WPS_ENABLE=0
AP_SECMODE=None
AP_TPSCALE=0
Adding ath0 in bridge ...
不错 不错还是八针的............没省到无人性的地步 太豪华!!! 110356776 发表于 2014-6-23 15:07
不错 不错还是八针的............没省到无人性的地步
骚年 注意这是v1
v3以后的版本就呵呵了 TP玩意看看就算了 TP玩意看看就算了 三个月前买完就拆了……拆完就装回去退货了:L本来以为这东西和880n 881n一样用qca9558呢……然后被缩水的配置吓屎了……而且TTL乱码来着…… 无线灯省了,有线灯还是有的,集成在网线接口上了。 支持楼主,你的UBoot很好用! ayer 发表于 2014-6-24 13:03
无线灯省了,有线灯还是有的,集成在网线接口上了。 支持楼主,你的UBoot很好用!
你不说我还没发现呢。。 本帖最后由 ayer 于 2014-6-24 13:57 编辑
hackpascal 发表于 2014-6-24 13:11
你不说我还没发现呢。。
话说这货天线是几dB的啊,看着个大,也不是挺中用的,觉行还没有740v5841v7的强啊。楼主是在西南交大学生? ayer 发表于 2014-6-24 13:45
话说这货天线是几dB的啊,看着个大,也不是挺中用的,觉行还没有740v5841v7的强啊。楼主是在西南交大 ...
天线我不懂。。
楼主是电子神大的。。 hackpascal 发表于 2014-6-24 14:48
天线我不懂。。
楼主是电子神大的。。
天线估计5DBi的,我关心U7,U8,U9上印的啥,估计15dBm的,加起来正好20db.
最关心Q5,Q6,Q7上印的啥,灵敏度是atheros的王牌。 eeff11 发表于 2014-6-25 12:27
天线估计5DBi的,我关心U7,U8,U9上印的啥,估计15dBm的,加起来正好20db.
最关心Q5,Q6,Q7上印的啥,灵 ...
U7 U8 U9: 574B 409T
Q5 Q6 Q7: 42RGs 进来看看 ! 我屮艸芔茻
楼主这么牛A
膜拜