Useful page: http://electronics360.globalspec.com/article/3410/netgear-super-hub-2-vmdg485-wireless-router-teardown
Even more useful, albeit patched - details and an exploit via config restore: https://www.contextis.com/blog/hacking-virgin-media-super-hub
Photos: https://wikidevi.com/wiki/Virgin_media_superhub_2
Model name: VMDG485. Not supported? If you buy it second hand it cannot be activated by VM; it is still their property.
Major chip: W248TH72 SLHCZ DNCE2530GU
Memory: SKhynix H5PS1G63JFR Y5C 307V NWKN2366H3
Wifi1: ATHEROS AR8327-BL1A E4U375.3B 1305 TAIWAN
Wifi2: ATHEROS AR9580-AR1A PNF488.003C 1301 KOREA
Cable modem chip: MxL MXL261 SR3H6 . 16 1307 CC
Flash: SPANSION 70 FL256POXMF 100 245QQ044 A Copyright 10 SPANSION
Produced: in China for Netgear
PCB name: ACM6234 REV : 3.11
Some chip: ATHEROS AR 9344-BC2A PKS787 . 002B 1306 TAIWAN
Another memory: SKhynix H5PS5162GFR Y5C 309V NWKH1886HY3
Small chip on pcb: MAXIM 3520E TP242 +NSBH 2042B 2AM ACN8
Tbc
U-Boot boot wait is disabled by default.
Serial console login/password: root/5up

(connected to puma5 serial)
U-Boot 1.2.0 (May 6 2013 - 15:14:41) PSPU-Boot 1.0.20.1356
DRAM: 128 MB
Spansion S25FL129P flash found
Spansion S25FL129P flash found
Flash: 32 MB
In: serial
Out: serial
Err: serial
*** ACTIMAGE = 2, will try to boot UBFI2 stored @0x4c000000
## Executing script at 4c000000
============== Running script =========
*** Running from UBFI2 partition @0x4c000000
Load address = 0x4c00253c (0x253c)
Kernel address = 0x4c002588 (0x2588)
kernel size = 0x106678
FS address = 0x4c108c00 (0x108c00)
FS size = 0x69f400
NVRAM offset = 0xfb0000
NVRAM size = 0x50000
*** UBFI2 bootscript executed successfully.
Start booting...
## Booting image at 4c00253c ...
Image Name: Multi Image File
Image Type: ARM Linux Multi-File Image (uncompressed)
Data Size: 8018564 Bytes = 7.6 MB
Load Address: 80a00000
Entry Point: 80a00000
Contents:
Image 0: 1074808 Bytes = 1 MB
Image 1: 6943744 Bytes = 6.6 MB
Verifying Checksum ... OK
OK
Starting kernel ...
Starting LZMA Uncompression Algorithm.
Compressed file is LZMA format.
-----------------
(connected to ar9344 serial)
WASP BootROM Ver. 1.1
GMAC start
ROM>:mdio download ready
find_hif: bootstrap = 0xbe075b
WASP BootROM Ver. 1.1
GMAC start
ROM>:mdio download ready
Firmware Download length 12
Firmware Exec Address bd004000
Firmware checksum 0xfad27631
started receiving bytes 11188 completed receiving bytes
Firmware Download is good
COMMAND TO START FIRMWARE RECEIVED
initialize PLL & DDR
U10 sri
Wasp 1.2
Wasp (16bit) ddr1 init
setting for 40
fw1: GMAC Init
Receiving gmac params
ag7240_gmac_initialize...
Setting for f1e vir phy
sending discovery ...
*sending discovery ...
*sending discovery ...
*sending discovery ...
*inside __gmac_process_discv
__gmac_process_discv: received bytes
***********************************************************************[...]

Somehow the boot continues after the run of stars (elided above):
*sending discovery ...
*sending discovery ...
*sending discovery ...
*inside __gmac_process_discv
__gmac_process_discv: received bytes
*****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************Calling 2nd stage
Lzma decompressing(addr: 81202c00 len: 1897208)...
Jump to kernel(addr: 801a1680)...
Booting Atheros AR934x
Linux version 2.6.31--LSDK-9.2.0_U6.621 (pegauser@localhost.localdomain) (gcc version 4.3.3 (GCC) ) #1 Sun Mar 31 12:37:38 CST 2013
flash_size passed from bootloader = 37
CPU revision is: 0001974c (MIPS 74Kc)
ath_sys_frequency: cpu srif ddr srif cpu 560 ddr 450 ahb 225
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
memory: 04000000 @ 00000000 (usable)
Initial ramdisk at: 0x810d0000 (1066533 bytes)
Zone PFN ranges:
Normal 0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
Kernel command line: console=ttyS0,115200 root=01:00 rd_start=0x810d0000 rd_size=1066533 init=/sbin/init mem=64m mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),6336k(rootfs),1408k(uImage),64k(mib0),64k(ART)
PID hash table entries: 256 (order: 8, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 46632k/65536k available (1678k kernel code, 18828k reserved, 435k data, 152k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 279.55 BogoMIPS (lpj=559104)
Mount-cache hash table entries: 512
****************ALLOC***********************
Packet mem: 80249580 (0xe00000 bytes)
********************************************
NET: Registered protocol family 16
PCI init:ath_pcibios_init
ath_pcibios_init(294): PCI CMD write: 0x356
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
SCSI subsystem initialized
pci 0000:00:00.0: PME# supported from D0 D1 D3hot
pci 0000:00:00.0: PME# disabled
Returning IRQ 64
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
Trying to unpack rootfs image as initramfs...
rootfs image is not initramfs (no cpio magic); looks like an initrd
Freeing initrd memory: 1041k freed
ATH GPIOC major 0
JFFS2 version 2.2 (ZLIB) (RTIME) (c) 2001-2006 Red Hat, Inc.
msgmni has been set to 93
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
brd: module loaded
DEBUG-CMDLINE-PART: parsing <1024k(ART)>
DEBUG-CMDLINE-PART: partition 0: name <ART>, offset ffffffff, size 100000, mask flags 0
DEBUG-CMDLINE-PART: mtdid=<mtdparts=ath-nor0> num_parts=<1>
parse_cmdline_partitions: part mtdparts=ath-nor0
parse_cmdline_partitions: part num 1
1 cmdlinepart partitions found on MTD device ath-nor0
Creating 1 MTD partitions on "ath-nor0":
0x000000000000-0x000000100000 : "ART"
TCP cubic registered
NET: Registered protocol family 17
arch/mips/atheros/gpio.c (ath_simple_config_init) ATH_GPIO_OE : 22f31b
arch/mips/atheros/gpio.c (ath_simple_config_init) WPS_LED_GPIO : 13
arch/mips/atheros/gpio.c (ath_simple_config_init) WIFI24G_LED_GPIO : 12
arch/mips/atheros/gpio.c (ath_simple_config_init) JUMPSTART_GPIO_WIFI : 16
arch/mips/atheros/gpio.c (ath_simple_config_init) JUMPSTART_GPIO : 20
arch/mips/atheros/gpio.c (ath_simple_config_init) ATH_GPIO_OE : 33131b
athwdt_init: Registering WDT success
ath_otp_init: Registering OTP success
ath_clksw_init: Registering Clock Switch Interface success
RAMDISK: lzma image found at block 0
VFS: Mounted root (ext2 filesystem) readonly on device 1:0.
Freeing unused kernel memory: 152k freed
init started: BusyBox v1.01 (2013.03.31-04:37+0000) multi-call binary
init started: BusyBox v1.01 (2013.03.31-04:37+0000) multi-call binary
Starting pid 16, console /dev/ttyS0: '/etc/rc.d/rcS'
ATHR_GMAC: Length per segment 1536
ATHR_GMAC: fifo cfg 3 01f00140
ATHR_GMAC: RX TASKLET - Pkts per Intr:100
ATHR_GMAC: Mac address for unit 0:bfff0000
ATHR_GMAC: 00:00:00:00:00:00
Registering Virtual F1E Phy....
ATHR_GMAC: Max segments per packet : 1
ATHR_GMAC: Max tx descriptor count : 128
ATHR_GMAC: Max rx descriptor count : 192
ATHR_GMAC: Mac capability flags : 2380
athr_gmac_ring_alloc Allocated 2048 at 0x8384b000
athr_gmac_ring_alloc Allocated 3072 at 0x831ee000
WASP ----> VIR F1E PHY
Setting Drop CRC Errors, Pause Frames and Length Error frames
FIFO_CFG_5 setting for s17 phy
Setting PHY...
SIOCGIFFLAGS: No such deviceJumbo Frame enabled in Mac:0
Jumbo Frame sz val:800
athr_gmac_ring_free Freeing at 0x8384b000
athr_gmac_ring_free Freeing at 0x831ee000
athr_gmac_ring_alloc Allocated 2048 at 0x8384b000
athr_gmac_ring_alloc Allocated 3072 at 0x831ee000
WASP ----> VIR F1E PHY
Setting Drop CRC Errors, Pause Frames and Length Error frames
FIFO_CFG_5 setting for s17 phy
Setting PHY...
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Port Status 1c000004
ath-ehci ath-ehci.0: ATH EHCI
ath-ehci ath-ehci.0: new USB bus registered, assigned bus number 1
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000
ath-ehci ath-ehci.0: irq 3, io mem 0x1b000000
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000
ath-ehci ath-ehci.0: USB 2.0 started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
mac address dest --> 0: 3:7f:ff:ff:ff
mac address src--> ff:ff:ff:ff:ff:ff
__gmac_dev_event *************************************
event 5 name lo
__gmac_dev_event *************************************
event 5 name eth0
__gmac_dev_event *************************************
event 1 name eth0
Timer started
Atheros Fulloffload Target Loaded
Args: 1
/etc/rc.d/rc.wlan: 152: lsmod: not found
asf: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
insmod: cannot open module `/lib/modules/2.6.31/net/ath_spectral.ko': No such file or directory
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
ath_ahb: 9.2.0_U6.621 (Atheros/multi-bss)
__ath_attach: Set global_scn[0]
ACBKMinfree = 48
ACBEMinfree = 32
ACVIMinfree = 16
ACVOMinfree = 0
CABMinfree = 48
UAPSDMinfree = 0
Wasp Enterprise mode: 0x03fc0000
Restoring Cal data from Flash
ar9300EepromRestore: overwrite wasp antCtrlChain2g from (10, 10, 10) to (150, 150, 150)
dfs_attach: use DFS enhancements
DFS min filter rssiThresh = 18
DFS max pulse dur = 151 ticks
ath_get_caps[4967] rx chainmask mismatch actual 3 sc_chainmak 0
ath_get_caps[4942] tx chainmask mismatch actual 3 sc_chainmak 0
__gmac_dev_event *************************************
event 5 name wifi0
SC Callback Registration for wifi0
wifi0: Atheros 9340: mem=0xb8100000, irq=2
ath_pci: 9.2.0_U6.621 (Atheros/multi-bss)
__ath_attach: Set global_scn[1]
ACBKMinfree = 48
ACBEMinfree = 32
ACVIMinfree = 16
ACVOMinfree = 0
CABMinfree = 48
UAPSDMinfree = 0
Restoring Cal data from Flash
dfs_attach: use DFS enhancements
DFS min filter rssiThresh = 18
DFS max pulse dur = 151 ticks
ath_get_caps[4967] rx chainmask mismatch actual 7 sc_chainmak 0
ath_get_caps[4942] tx chainmask mismatch actual 7 sc_chainmak 0
__gmac_dev_event *************************************
event 5 name wifi1
SC Callback Registration for wifi1
wifi1: Atheros 9580: mem=0x10000000, irq=64 hw_base=0xb0000000
athstats
80211stats
wlanconfig
pktlogconf
pktlogdump
radartool
Starting pid 75ATH_MAC_TIMER: enet unit:0 is up...
RGMii 1000Mbps full duplex
ATH_MAC_TIMER: done cfg2 0x7235 ifctl 0x0 miictrl
__gmac_dev_event *************************************
event 4 name eth0
exisiting node eth0
module init Netlink interface number created: 20
lo register notification
register new vap lo
eth0 register notification
register new vap eth0
Ignoring eth0 notification 1
All the wifi detected 1:1 Send HTC Ready
Wifi Detected Send HTC ready
Sending HTC ready
wifi0 register notification
wifi1 register notification
Target Iniitialized
(none) mips #1 Sun Mar 31 12:37:38 CST 2013 (none)
(none) login:
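
The flash layout the AR9344 kernel is handed can be read straight off the `mtdparts=` argument in the kernel command line of the log above. The parser below is an added example, not code from the device or from the original notes; the function names are hypothetical, and it assumes the usual kernel `mtdparts` syntax of `size[@offset](name)[ro]`.

```python
import re

# Kernel command line copied from the AR9344 boot log on this page.
CMDLINE = (
    "console=ttyS0,115200 root=01:00 rd_start=0x810d0000 rd_size=1066533 "
    "init=/sbin/init mem=64m mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),"
    "6336k(rootfs),1408k(uImage),64k(mib0),64k(ART)")

UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
NUM = r"(?:0x[0-9a-fA-F]+|\d+)[kKmMgG]?"
PART_RE = re.compile(
    rf"(?P<size>-|{NUM})(?:@(?P<off>{NUM}))?"
    r"(?:\((?P<name>[^)]*)\))?(?P<ro>ro)?(?P<lk>lk)?")

def parse_size(text):
    """Convert '256k', '0x40000' or '1m' to a byte count."""
    suffix = text[-1].lower() if text[-1].lower() in "kmg" else ""
    digits = text[:-1] if suffix else text
    return int(digits, 0) * UNITS[suffix]

def parse_mtdparts(cmdline, flash_size=None):
    """Return {mtd_id: [(name, offset, size, read_only), ...]}."""
    arg = next((a for a in cmdline.split() if a.startswith("mtdparts=")), None)
    if arg is None:
        raise ValueError("no mtdparts= argument on the command line")
    layout = {}
    for device in arg[len("mtdparts="):].split(";"):
        mtd_id, _, spec = device.partition(":")
        cursor, parts = 0, []
        for item in spec.split(","):
            m = PART_RE.fullmatch(item)
            if m is None:
                raise ValueError(f"bad partition definition {item!r}")
            # Without an explicit @offset a partition starts where the last ended.
            offset = parse_size(m["off"]) if m["off"] else cursor
            if m["size"] == "-":  # '-' means "rest of the device"
                if flash_size is None:
                    raise ValueError("'-' size needs flash_size")
                size = flash_size - offset
            else:
                size = parse_size(m["size"])
            parts.append((m["name"] or "", offset, size, bool(m["ro"])))
            cursor = offset + size
        layout[mtd_id] = parts
    return layout

if __name__ == "__main__":
    for name, off, size, ro in parse_mtdparts(CMDLINE)["ar7240-nor0"]:
        print(f"{name:<12} 0x{off:08x}-0x{off + size:08x} {size // 1024:>5}k")
```

The six partitions add up to exactly 8 MiB. The log itself shows only a single 1024k "ART" partition being created, on the MTD device named ath-nor0 rather than ar7240-nor0.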