fon2405EルータにDD-WRTを入れる

iPadを買った時にfonという無線ルータをもらいました。どうせなので、色々いじってみたいと思い、改造ファームウェアを入れてみることにしました。

ファームウェアを書き換えるには、シリアルケーブルで接続する必要があるようで、fonの基盤に直接ケーブルをハンダ付けします。
SSHやtelnetなどの接続も試みましたが、このfonでは無理なようでした。
下記サイトを参考にしました。
unix is mine oyster, which I with code will open!: FON2405Eの中身
FONルータ復旧大作戦 | このいえ
DD-WRT – FoNまとめwiki
[FON] – 　
Hot Tuna Labs

今回用意したのは、9-KEというシリアルケーブルと、fon本体のみです。9-KEは、ネット通販で送料込み数百円くらいでした。
ちなみにハンダ付けは今回が初めてで、以前から電子工作に興味があったので、これを機会にやってみようと思ったわけです。

なんとか取り付けることができ、シリアル経由でコンソールに繋いでみた所、起動ログがちゃんと流れてきました。ちょっと感動。

こんなログが流れてきました。

U-Boot 1.1.3 (Jan  6 2010 - 07:10:30)
Board: Fonera
DRAM:  32 MB
relocate_code Pointer at: 81fac000
spi_wait_nsec: 3e
spi deice id: c2 20 15 c2 20 (2015c220)
find flash: mx25l1605d
raspi_read: from:41030000 len:1000
Using default environment
##### The CPU freq = 320 MHZ ####
SDRAM bus set to 16 bit
SDRAM size =32 Mbytes
Please choose the operation:
1: Boot system code via Flash (default).
2: Load system code then write to Flash via TFTP.
3: Entr boot command line interface.
booting from flash
## Booting image at bf020000 ...
raspi_read: from:20000 len:40
Image Name:   MIPS OpenWrt Linux-2.6.21
Created:      2010-02-11   8:09:34 UTC
Image Type:   MIPS Linux Kernel Image (lzma compressed)
Data Size:    613723 Bytes = 599.3 kB
Load Address: 80000000
Entry Point:  80000000
raspi_read: from:20040 len:95d5b
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 32
Starting kernel ...
LINUX started...
THIS IS ASIC
Linux version 2.6.21 (blogic@blap4) (gcc version 4.1.2) #143 Thu Feb 11 09:09:18 CET 2010
The CPU feqenuce set to 320 MHz
CPU revision is: 0001964c
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock4 init=/sbin/preinit
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
cause = 80800000, status = 1100ff00
PID hash table entries: 128 (order: 7, 512 bytes)
calculating r4koff... 0030d400(3200000)
CPU frequency 320.00 MHz
Using 160.000 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 30416k/32768k available (1689k kernel code, 2352k reserved, 186k data, 100k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
Generic PHY: Registered new driver
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
was not able to assign mahjor 200 to button chardev
ramips_gpio: done
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
io scheduler noop registered
io scheduler deadline registered (default)
ramips_wdt: loaded
Serial: 8250/16550 driver $Revision: 1.3 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A
serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A
PPP generic driver version 2.4.2
NET: Registered protocol family 24
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
deice id : c2 20 15 c2 20 (2015c220)
mx25l3205d(c2 20160000) (4096 Kbytes)
mtd .name = raspi, .size = 0x00400000 (4M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
ramips_mtd: kernel size is 613787
padded kernel is 00096000
Creating 6 MTD partitions on "raspi":
0x00000000-0x00010000 : "uboot"
0x00010000-0x00020000 : "boardconfig"
0x00020000-0x00200000 : "image"
0x00020000-0x000b6000 : "linux"
mtd: partition "linux" doesn't end on an erase block -- force read-only
0x000b6000-0x001f0000 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
mtd: partition "rootfs" set to be root filesystem
0x001f0000-0x00200000 : "uci_overlay"
Registered led device: power
Registered led device: wps
Registered led device: wlan
nf_conntrack version 0.5.0 (256 buckets, 2048 max)
IPv4 over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Linux
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <[email protected]>
All bugs added by David S. Miller <[email protected]>
ramips: ethernet loaded
ramips_eth: loaded
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 100k freed
Warning: unable to open an initial console.
Preinit complete, spawning microd
found uci_overlay -> /dev/mtd5
i found OPENWRT_UCI_OVERLAY inside /dev/mtd5
loading file zepttho 275
loading file wireless 696
loading file user 70
loading file system 72
loading file reg 16
loading file network 473
loading file led 342
loading file lang 33
loading file form 4768
loading file fonsmcd 290
loading file fon 4Algorithmics/MIPS FPU Emulator v1.5
07
loading file firewall 907
loading file passwd 149
loading file chilli.conf 566
loading fon config
Spawning syslogd
registering led wps -> /sys/class/leds/wps/
registering led wlan -> /sys/class/leds/wlan/
registering led power -> /sys/class/leds/power/
loading base firewall ...iptables: Chain already exists
done
adding zone wannet
adding zone lan
adding zone wan
adding zone hotspotwifi
adding zone hotspot
adding forwarding lan->wan
adding forwarding hotspot->wan
interface loopback
proto = static
ipaddr = 127.0.0.1
netmask = 255.0.0.0
ifname = lo
interface lan
proto = static
ipaddr = 192.168.10.1
netmask = 255.255.255.0
ifname = eth0.1
type = bridge
interface wan
proto = dhcp
ifname = eth0.2
interface hotspot
ifname = tun0
interface hotspotwifi
proto = none
ifname = ra1
net event up loopback ...bringing up lo
done
net event up lan ...bringing ueth0.1: dev_set_promiscuity(master, 1)
p eth0.1
device eth0 entered promiscuous mode
device eth0.1 entered promiscuous mode
br-lan: port 1(eth0.1) entering learning state
adding br-lan to zone lan
done
net event up wan ...bringing up eth0.2
Spawning udhcpc for eth0.2
udhcpc (v0.9.9-pre) started
Trying to connect...
sending -> "udhcpc|deconfig|eth0.2|"
adding eth0.2 to zone wan
Sending discover...
done
wifi device rt305x
type = rt305x
channel = 11
mode = 9
wifi interface public
ifname = ra1
ssid = FON_FREE_INTERNET
encryption = none
network = hotspotwifi
device = rt305x
isolate = 1
auto = 1
wifi interface private
ifname = ra0
ssid = MyPlace
encryption = wpa-wpa2
key = 4141414141
password = ueriehaeph
wpa_crypto = mixed
network = lan
device = rt305x
channel = 0
mode = bgn
txpower = 100
br-lan: topology change detected, propagating
br-lan: port 1(eth0.1) entering forwarding state
rt2860v2_ap: module license 'unspecified' taints kernel.
Sending discover...
WSending discover...
0x1300 = 00064380
bringing up rt30device ra0 entered promiscuous mode
5x ...done
br-lan: port 2(ra0) entering learning state
Terminate the task(RtmpCmdQTask) with pid(202)!
Terminate the task(RtmpWscTask) with pid(203)!
br-lan: port 2(ra0) entering disabled state

しかし、入力を一切受け付けてくれません。どうやら制限が入っているようで、こちらの操作を受け付けないようになっているようです。
これではファームウェアの更新はできません…。色々試してみたものの、結局解決には至りませんでした。残念。

配線を4本ハンダ付けしてしまったり、他の線と干渉？しちゃったりで、電子工作はやっぱりたいへんだなという感じでしたが、面白かったのでこれからもいじっていきたいです。