Onion used to my favorite satire newspaper before it was taken over by the wokes. When I was in college, some teaching assistants read us an article as a treat before starting a session. Here’s one of my favorite headlines. Here’s one of my favorite
I grew up in Hong Kong and I can tell you for sure that you are going to have a very hard time surviving there if you are not a hardcore cynic. People are very harsh to each other but most are sticklers to the rules and contracts to the letter (they believe in the rule-OF-law), to the extent that some might find them inflexible or outright cruel (this is especially true with bus drivers in Hong Kong nowadays) .
In other words, people there feel comfortable taking advantage of others, but 99.9% of time they do it within legal boundaries (like exploiting scenarios not considered when the contracts are drafted) as they are not bold legal risk takers. It’s not a forgiving city because Hongkong is geographically too close to the land of crooks so every sign of kindness we show are seen as signs of weakness ready to be exploited. Kindness just doesn’t pay in Hong Kong.
Socialist (Chinese Communist Party) is a shit-magnet, identifying the nastiest people in any population. Hong Kong Protests in 2019 showed me people aren’t predominantly bad. I might have picked up a little bit of faith in humanity again after seeing the spirits of the freedom-fighters. The scumbags I should have hated with passions are now wagging their tails and licking the boots of the Chinese Communist Party.
Got a second customer coming in today with a E507XB series network analyzer that does not turn on. Looks like it’s a common problem within the model series.
If the unit turns on without the CMOS battery but it doesn’t turn on the 2nd time after the CMOS was cleared, you have a very expensive problem which likely I’m the only person who can solve it because it’s months of effort tracing the circuit and the timings inside. I regretted chasing down the rabbit hole and spent more labor than 3 good unit’s costs for the few grands I’ve charged, but I might be able to recoup the labor in the future as more of the E507XB fails the same way.
UNLESS it’s a SC815E (there are 2 revisions that uses different motherboard), it’s NOT the motherboard or the power supply. I’ve seen some faulty SC815E doing the same on other model series, but not the VP22s (I replaced 4~5 different VP22s, they all do the same thing). It’s some good timing issues that’s hard to pinpoint to a specific module (you can replace everything on the digital side and it still doesn’t work) which I had to design, build and test a special circuit to correct it.
If you have a unit E5060 series or E5070 series VNA (Vector Network Analyzer) that doesn’t boot, I’m likely to have the exact experience fixing it. Of course I’m open to solving other problems with the analyzer as well. I offer free eval (no fix, no fee). Please email me at owner@humgar.com or call me at 949-682-8145.
Use a UART controller that signals at 3.3V (e.g. FTDI TTL-232R-3V3) to talk to the board. Regular serial RS-232 ports requires a voltage level shifter converting the signal to swing between 0V to 3.3V.
You only need 3 pins: Tx, Rx and Ground. There’s voltage contention if you plug in the Vcc from TTL-232R-3V3 (It’s the USB’s 5V despite the signaling is 3.3V) to the 3.3V supply of the router. You don’t need the Vcc pin. It didn’t harm anything or do anything when I connected the Vcc pin.
Stick with all serial port defaults and only set the baud to 115200 (default is 9600) and turn off flow control (default is xon/xoff). I use Putty for terminal.
The terminal serves as the monitor for the computer on the router that shows a text console. Broadcom uses CFE bootloader (others use U-Boot with busybox).
CFE bootloader defaults to 192.168.1.1 with subnet mask 255.255.255.0 (aka /24). Set up the network interface to have a static IP on the same subnet to talk to the board.
Good habit: nvram erase
The flash program relies on TFTP protocol to receive the firmware file. So get your TFTP client ready. Microsoft included a TFTP client/server since Windows 7 but usually disabled (turn it on in Windows OptionalFeatures.exe).
TFTP is a simple push(put)/pull(get) design. You can either “push a file on your computer” or “get a file as filename”. You’d want to specify -i switch (binary image transfer) with Windows tftp.exe.
So type this command at the command prompt but don not press enter until your router is ready to grab the file: tftp -i 192.168.1.1 put {path to whatever TRX firmware file}
Go back to the serial terminal and tell the router to accept a TFTP push (in a window of a few seconds before it time out) and flash the memory region flash1.trx with this command: flash -ctheader : flash1.trx
Immediately initiate the TFTP push from your computer (Windows command line example in Step #9 above)
Wait for a couple of hours! The terminal might tell you that it has received the file completely, but it won’t show anything when it’s writing to the flash! It’s a painfully slow process with no feedback. Just be patient!
Some observations
FreshTomato firmware absolutely won’t tell you on the screen after it has done flashing (Merlin-WRT does). Just turn the router back on after a couple of hours.
Merlin firmware repeats (exposes) the raw passwords to the serial port!
FreshTomato firmware boots to a linux prompt on the serial port
The “WAN – DDNS” page only allows users to set the DDNS updater to check as frequently as every 30 minutes. My DDNS provider does not have an update frequency limit, so I’d like to have the update client check for every 1 minute. The setting is called “Verify every”:
Attempting to set it to every 1 minute gives this error message:
I searched for the “WAN-DDNS” config webpage file (Advanced_ASUSDDNS_Content.asp) in the firmware source code, and found that it’s under /www folder in the router’s linux root.
Since “Verify every” is such generic words, and Github does not support exact phrase match in search (I use “in:file” specifier in the search box), I pick “WAN IP and hostname verification” (the closest setting which I expect the code to be in the proximity of the one corresponding to “Verify every”) so it has more unique keywords. The first jump:
Since it’s just a dictionary files, we search for the associated internal variable name “DDNS_verification_enable” which points to the this line in Advanced_ASUSDDNS_Content.asp:
Since this name appeared nowhere else, I traced the “id” attribute above, which is “check_ddns_field” and I see a Javascript (.js) file that process the data from the web page forms:
The variable check_ddns_field appears in the if-else-if branches of change_ddns_settings(), so one of the few next few variables after it is likely to correspond to “Verify with”.
The variable name showed up in 4 branches of if-elseif-else switches (switching DDNS service providers), which ddns_regular_period comes right after
Searching for the class member (or struct field)
Bingo. Here’s the entry value range check code. I’ll change the “30” minutes to “1” minute to enable checking at 1 minute intervals (which I think it’s reasonably responsive for testing and general use).
I’d prefer to check if the input range check is there out of feasibility (i.e. what is the smallest increment) or it’s just set to prevent people from getting banned by the DDNS provider for checking too frequently. I looked into the last occurrence of ddns_regular_period and found this:
Which means the web forms is updating NVRAM (environmental) variable of the same name ddns_regular_period, which appears to be called only in watchdog.c:
And Dang! The code enforces if the ddns_regular_period (on NVRAM) is set to be less than the original 30 minute minimum (invalid condition), it’d be set to the default 60 minutes (1 hr).
It’s actually sloppy coding because the defaults are specified in struct fields in defaults.c:
yet that 60 minutes is hard-coded in watchdog.c. That means if I don’t catch it and only changed the default in one place, the behavior will not be what I expected given the right conditions. This is an example of why software feature expansion are likely to break things. If you have solid code, bugs on updates are likely to happen.
I was curious why it says (period*2)
and suspected the ddns_check_count is incremented in 30 second (half-minute) interval. Since it’s watchdog.c, my natural guess is that the watchdog checks every 30 seconds for these event hooks. Turns out the notes (comments) in the code has “30 seconds periods” noted everywhere.
I searched a little bit more about linux watchdogs and found this useful webpage which explained how it works. I didn’t see /dev/watchdog in my router’s rootfs (root file system) so I assumed it’s a hardware watchdog (embedded linux, so duh).
I was about to dig up the hardware manual for the chipset for my router, but I search for they string HW_RTC_WATCHDOG first and it showed up in linux kernel code (duh):
Note that the HW_RTC_WATCHDOG is a register in this code base, not the number of seconds from Christian’s Blog. i.e. they are completely different things, but it provided a good keyword lead for me to start digging.
The code seems to be the same for various kernel version so I picked any one of them to understand the behavior. First occurrence is in wdt_enable():
The other places are suspend/resume, so I’ll ignore those for now. Note that wdt_enable() is a static function, so only need to search within the same file. The only active place that calls it is wdt_ping():
So there are only 2 things I’ll need to find out: heartbeat and WDOG_COUNTER_RATE:
While it’s a lot of useful learning about Embedded Linux and hunting down source code, for the meantime, given that namecheap does not care if you blindly update every minute, it’s easier to just set up a cron job that runs at every N minutes using curl/wget.
dd-wrt has a place for you to enter the cron scripts with the web interface, but you might need to log into the router using SSH and register the cron job yourself:
The core command is called ‘cru‘, which typing it in the command prompt will show you the very simple usage:
admin@Router:/tmp/home/root# cru
Cron Utility
add: cru a <unique id> <"min hour day month week command">
delete: cru d <unique id>
list: cru l
<unique id> is just a tag that you make up to name your task. Again the one-liner command needs to be direct absolute path. My ‘curl‘ program is located in /usr/sbin, so the command is:
cru a ncddns * * * * * /usr/sbin/curl "https://dynamicdns.park-your-domain.com/update?host={subdomain or @ for root}&domain={registered domain name}&password={DDNS-specific password generated by namecheap's domain administration page under Advanced DNS}"
The “* * * * *” refers to run at every “minute, hour, date of month, month, date of week”, in other words, run at every minute in every waking moment. The wild card * means ALL-OF.
Cron job registration through CRU is not persistent, so to make it survive reboots, add the above cru command as a line to /jffs/scripts/services-start script. It should be executable by default, if not, make sure you set it to be executable or it won’t run.
