
RV042 Information

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by noaaah, Mar 3, 2005.

  1. noaaah

    noaaah Network Guru Member

    The information was gathered via serial console, and shows some interesting stuff about the RV042.

    The RV042 has two serial ports, so the second serial port can be used for a number of things. For example: get a UPS and connect the second serial port to the UPS, then run a program to monitor the UPS.

    The RV042 also has USB support, but there are no headers for that on the board.

    Also in the /dev/ dir, there are listings for /dev/phone0 all the way to /dev/phone15. So maybe JP2 on the board is used for phones? Recently Linksys came out with the PAP2 and some other VoIP devices, and I've been curious whether those use Linux as well. Could the VoIP router (router with VoIP support) actually have the same board as the RV042, minus the second WAN, and with phone support?

    Plus, the RV042 board has a header for a miniPCI socket, which could be used with a wireless network card or in other ways.

    Even more interesting, the RV042 configuration program (after login, before typing shell to get to busybox) shows that there's support for 802.1x.

    /dev/perm_storage is linked to mtdblock0, /dev/mtd_rgconf0 is linked to mtdblock1, /dev/mtd_rgconf1 is linked to mtdblock2. mtdblock3 isn't connected to anything, and appears to be the bootloader.

    Flash layout shows the following:

    Section 00 Type BOOT

    Section 01 Type FLASH_SECT_BOOTCONF
    Name 'rg_conf'
    Size 0x00000304

    Section 02 Type IMAGE
    Name 'Downloaded at: Thu Feb 10 01:18:38 2005' Version '1.3.1'
    Size 0x00472D00

    Section 03 Type FLASH_SECT_CONF Name 'rg_conf'

    Section 04 Type FACTORY
    Name 'Image downloaded from: tftp://'
    Size 0x00000216

    So far there are two configs. The 4th section, FACTORY, appears to be the factory configuration, since its size is 0x216. The other (current) config is in section 3. The firmware itself resides in section 2. The config for the bootloader is in section 1. Notice that the bootloader protects itself by not giving any information about section 0. But I wouldn't say that it's not possible to wipe out the bootloader... but I doubt anybody wants to.

    The only question I have about the RV042 is how to create a firmware for it. So far I haven't found a way to open the RV042's firmware (even after removing the header from it) in Linux.

    Keep in mind that the RV042 is big endian, while x86 is little endian. The kernel is compiled in big endian.

    When the RV042 boots up, the bootloader (Linux too) takes over, then starts the firmware, which then starts /bin/main_task.

    main_task seems to be the do-it-all program. It's responsible for starting pluto, for setting up the routes, etc.

    Looking at the source code for the RV042 from Linksys, I can see that there's kernel support for NFS, so I'm trying to find a way to mount an NFS drive from my server on the RV042. If I can do that, then I can copy the file system to the server and analyze main_task better.

    If you find anything out about the RV042, how it ticks, etc., please post it here, and let's work together on finding a way to get the RV042 to work for us the way we want it to. It may be necessary to write a custom firmware for the RV042 though.
  2. noaaah

    noaaah Network Guru Member

    I'm not sure if Linksys's firmware distro's default settings for the RV042 are to be trusted.
    I compiled it as is, meaning I ran a make in the root folder of the firmware folder. The busybox program is compiled for the RV042, but its size is 559KB, while the busybox on the router is 176.1KB.

    Plus the kernel (according to the firmware source code) supports NFS, but I don't see NFS being mentioned anywhere in the bootup by the kernel, nor is there a module for NFS. Whenever I do:

    mount 192.168.1.xx:/path/here /mnt/nfs

    It will mount it to the default. In other words, in /mnt/nfs, I see the following:

    With the same files and everything as in /mnt/cramfs, except it's read-write. However df shows that the device is 100% full.

    If I do mount -t nfs 192.168.1.xx:/path/here /mnt/nfs I get a nice error:
    "mount: Mounting 192.168.1.xx:/path/here on /mnt/nfs failed: No such device".

    Yet doing it both ways from another linux machine works.

    Doing lsmod shows that the kos_lib module is in use, and it's used by a lot of different modules.

    I decided to do a test.
    So I made /mnt/ram0, /mnt/ram1.

    mount /dev/mtd_rgconf0 /mnt/ram0
    mount /dev/mtd_rgconf1 /mnt/ram1

    Both show the same files on each one - same as on /mnt/cramfs.
    I even did du -h - 8.9MB for /mnt/cramfs, same size for ram1 and ram2.

    It seems that mount will always re-mount the default system instead of mounting a new one whenever it's run with valid parameters.

    In addition to this, the router uses /dev/ram0, with a size of 101.0 KB. It's mounted on the root file system, and everything in it is linked to /mnt/cramfs. Currently there's 60 KB being used, and 29 KB free.

    So the root file system is used for logs, and other stuff.. Like /var/spool.

    cat /proc/meminfo gives
    26.8 MB total, 8.8 MB free.

    Processor (as per /proc/cpuinfo) is an Intel XScale-IXP425 rev 1 (v5b).

    ps on the device shows this:

    PID Uid Gid State Command
    1 0 0 S init
    2 0 0 S [keventd]
    3 0 0 S [ksoftirqd_CPU0]
    4 0 0 S [kswapd]
    5 0 0 S [bdflush]
    6 0 0 S [kupdated]
    7 0 0 S [mtdblockd]
    8 0 0 S /bin/main_task
    14 0 0 D [ixp425_csr]
    27 0 0 S pluto --nofork --debug-none --uniqueids
    29 0 0 S _pluto_adns 7 10
    212 0 0 S /bin/sh
    240 0 0 R ps

    That's why I conclude that main_task probably handles everything.
    There's no /etc/inittab, and no startup scripts. So init probably calls main_task.

    There are 3 network cards, plus the IPsec cards. The first network card for the LAN is ixp0, the first WAN is ixp1, and the second WAN is ixp2. ipsec0, 1, etc. are created for VPN connections, and are also referred to as ips0, 1, etc.

    There are a lot of warnings/errors, like can't find this, can't find that. The firmware program seems to handle those pretty well but it still bugs me a bit. For example: nk_ipsec_dns_resolve_cb error : ips0. There are also device-not-found errors, and then it finds the device a bit later.

    In my opinion, the setup of the router so far has been pretty minimal, but also very limiting. In other words, it may be a fight to get more utilities in there in order to do what we want with the router. It may be easier to do custom firmware than to try and get programs onto the router's existing firmware, especially with the fact that there's only 29 KB of free space.

    Or if a way can be found to take the firmware apart, then programs could be added.

    One thing that you can do via the console is to enable the 2nd WAN interface (if you're using backup mode, not loadbalancing) and then you can setup your own routing for it. So it may be possible to do some tricks here. However, the filters seem to be done by the main_task program, which can be a problem.

    I'm going to hit the bed, been figuring this stuff out for a while and dumping it to a big logfile (via minicom). I won't post the log file since it contains private information, but I'll post parts of it, or I may make a website with parts from the log file.
  3. noaaah

    noaaah Network Guru Member

    I just flashed my router with the 1.3.3 firmware to compare the differences, you can find the differences here.

    Firmware Comparisons

    Note that ps -aux and ps -a don't work - it still acts like you typed in ps.
    This is because ps is part of busybox, and isn't a separate program.

    Note that 1.3.3 has stunnel running, while 1.3.1 doesn't.
    Both have about the same amount of ram0 (ramdisk) free, total and used. 1.3.3 has 31K free but 1.3.1 has 29K free. I believe when I did the log of 1.3.1, I copied a file before I did the df. I believe 1.3.1 actually has 31K free.

    Notice that 1.3.3's firmware (/mnt/cramfs) is 10MB, while 1.3.1's firmware (/mnt/cramfs) is 9.4MB. I also noticed that there are a lot fewer errors in 1.3.3. In 1.3.1, it would often complain that such and so device couldn't be found, as when it was resetting the network device - and then right after that - the device was found. In 1.3.3, I haven't really seen a lot of those messages, if any.

    So it seems that 1.3.3 adds a new program (stunnel) and fixes some of the bugs from 1.3.1, which it's supposed to do.

    Now if somebody can send me 1.3.6, I would be a happy camper to see what the result from that will be. :-D

    On a side note..
    I copied a text file and made one in /home/httpd, and then I was able to access it from the web browser. However, when I copied (or linked) the main_task file, I couldn't access it.

    So it seems that the maintask program is also the webserver, and it also parses the HTML file for special strings and then does commands based on those strings.

    Also notice that the maintask program isn't included in the source code of the firmware. My guess is that they made a program called maintask and made it totally proprietary, so that way they wouldn't have to release it. Since the webpages are not open source, they don't have to release those as well.

    I also think that the web-server feature in the kernel didn't satisfy their requirements, and apache was probably too big, so they decided to make their own webserver or used OpenRG's webserver and embedded it into the main_task program. I don't know OpenRG that well because I haven't been able to download their source code and play with it. But I wouldn't be surprised if main_task was source code provided by OpenRG, and Linksys just added the features they wanted to it, and then recompiled it.

    In any case, the system on the router runs as single-user.

    Looking through the files, main_task was updated in version 1.3.3 from version 1.3.1.

    Stunnel was added, and its /etc/ configuration was added.
    Also in the html folder, 1.3.1 had vpn_summary. 1.3.3 has vpn_clients, vpn_summary, vpn_summary_rw.

    I'm going to be out for a day or two, I'll check this when I get back and see if anybody has any questions, ideas, or suggestions.
  4. noaaah

    noaaah Network Guru Member

    I also noticed something else.

    When you login to the RV042 via console, you goto RV042>
    But when you go into the bootloader via console using one of the two methods described below, you get RME1000> or something like that.

    The bootloader is already known to also be a linux distribution by openrg.
    So therefore one can assume that the bootloader never gets updated, but the firmware does, and they both share the same core files.
    For example: compare "help" in bootloader with "help" from the console.
    You will see that they have a lot of the same commands, except the console has more commands than the bootloader.

    Therefore it's safe to assume that main_task controls the login and the RV042 console for 1.3.1 and 1.3.3. And we can also assume that the bootloader has its own main_task. Since the bootloader doesn't have to use memory, it doesn't have to have a ramdisk to write to, but it may use one.

    Following the logic of this, it may be possible to erase the bootloader, because the bootloader itself has a flash erase command among other commands.

    Plus, there's also a command to modify the configuration, which is where all the information for the router is stored.

    If we make a custom firmware, we could use the same configuration.. Or we could try and make it so that the customized firmware will use main_task and everything just like the original firmware except that it will have more ram, and will have a non-broken mount command, etc.

    So far this is theoretical, let's see what we find.
  5. toofgib

    toofgib Network Guru Member

    Hi Noaah!

    Was checking elsewhere. FCCYMIS seems to have v. 1.3.6. Check out:


    I would be really interested in a custom firmware for the RV042. I can't believe that Linksys last released a firmware in September 2004. These guys are terribly slow since they were absorbed by Cisco.

    I purchased the RV082 for a client and the load balancing and DMZ were not an issue. It also has a PPTP server and the DynDNS client works. Stupid me then thought that I could get a RV042 because it's supposed to be the same router as the RV082 - just 4 fewer ports.


    It has been a pain in the ass from the start and it hasn't gotten easier. The guys at Linksys don't seem to care that their firmware sucks. Reading from other posts, this unit and its firmware share common elements with the RV082. So, I don't understand why the people at Linksys can't get their act together and release similar firmwares for ALL models. The RV016 seems to be in the same boat as the RV042.

    I don't know anything in the programming arena, so I won't be able to help much. Just a thought though... Would you be able to analyze the RV082 firmware and compare it to the current/beta firmwares for the RV042? Perhaps a basis for getting things to work right?

    Also, my experience with the RV042 is that once you adjust the keep alive value to less than 30 seconds (i.e. 20 seconds - what Linksys recommends for PPPoE/DSL connections), the router tends to reset itself. My router was going fine for 2 months at 30s before I changed it to 20s and then... lots of resets. Just my 2 cents.

    Keep up the good work! :D
  6. toofgib

    toofgib Network Guru Member

    Hey Noaah!

    Saw your post in another thread about the RV082 firmware. Good to know that a "non-programmer" such as me is still thinking in the right direction.

  7. noaaah

    noaaah Network Guru Member

    Thanks :)

    I made one mistake, the files that I got in order to get the firmware to make the RV042 firmware to compile, came from the RV016 source code, not the RV082 source code. But the RV082 source code may include the headers as well.

    The RV042 and RV084 are similar but not the same. They both run the same software (more or less) except that the RV082 has more "features" and options than the RV042, not to mention more ports.

    RV042 and RV016 both run on the armv4 architecture. So there's a good chance that they both run on the same board, or related boards, and that could explain why both are affected by any design faults. For example, the processor in my RV042 heats up a bit, and I'm starting to think that the random reboots may be caused by overheating. So I may install a small fan in the case and see if that helps. If the RV016 has the same problem, then that's a design fault. Or Linksys should've told the consumer to keep the routers in a cool place. Mine's in the basement where it's cold, but the heater ducts are over the "network closet". But the heat doesn't blow on the router at all. So I'll report back if installing a fan works - if I do that. Also I could connect a temperature sensor to the 2nd serial port and use that to monitor the temperature and report the temperature and uptime to another computer every 10 seconds. If I see an increase in temperature right before a reboot, then that's the problem.

    I'm on dialup right now because I'm visiting my girlfriend's parents. So I'll download the RV082 code and unpack it, and then look through it.

    As for the firmware..

    I can look at the source code for the RV082, but the biggest help would be to have an actual RV082 or console access to one. If you can connect your RV082's console to a computer's serial port and then share that access (of course erase any sensitive information on the router beforehand) then I could log in and post any information I find on here.

    But from the firmware file.. I've tried different ways to replicate the firmware file and different ways to mount it.

    If it's a ramdisk file, it would be in a zipped format, and the name of the gz file would be in the firmware itself. It's not. There's very little text in the firmware other than the header.

    Reading other posts, I found that if you strip the header off the RMT file, I believe the first 106 or 109 bytes, you end up with the same file that will be flashed into the router itself. This is useful if you screw up your router and need to reflash it through the bootloader since you can do something like dd if=image.rmt of=image.img skip=106c bs=1c , then flash section 2 (for RV042) with the resultant image.img to fix it.

    So therefore that brings me to the question: what the hell is needed to make the RMT file? If I know how it's made, then I know how to take it apart and get the actual kernel, root file system, etc.

    Even if I make a cramfs and put the files in it, I still end up having to figure out how and where the kernel is placed and loaded, because the kernel isn't in the root filesystem on /mnt/cramfs, but somehow it's on the same flash section.

    And the kernel does have text in itself, but no text in the rmt file.

    So right now I'm trying to get a dump of the image in the router, and also trying to see how the whole bootup process works, and then I can replicate it.

    If anybody has experience with OpenRG, and experience with how Linux boot loaders work, they're more than welcome to share their experience.

    The reason why Linksys doesn't release similar firmware for all 3 is because while a lot of the files are similar, each has different features that have to be coded into the main_task file. I know the RV042 has it but I'm willing to bet that the RV016 does as well.

    To be honest, I feel that using one program for a series of features is a bad idea, even if that program spawns multiple threads.

    The RV082 maybe has a different way to do what it does, and that's probably why it doesn't suffer from the problems that the RV042 and RV016 do, but I can't tell without seeing the inside of it.
    I wanted to get the 082, but it's not worth it. My budget can cover it but I would just be using it for a home network and small server, so I saved money by getting the 42.

    I definitely will keep up the good work, I also want to get to the bottom of this. :-D
  8. noaaah

    noaaah Network Guru Member

    OK, just tried to download the RV082 firmware code a couple of times, and each time it said there's some corruption in the bzip file.
    Also tried renaming it to gz just in case somebody renamed it into a bz2 file by accident. Nope.

    Linksys is giving out corrupted firmware for the RV042 (1.3.6) and now corrupted source code files?
    I think that they better start giving out the real source code (minus their stuff) and not some scaled down source code that they probably ordered some intern to zip up (and then accidentally corrupt).
  9. overslacked

    overslacked Network Guru Member

    Well ... after reading everything, I think I'm going to plug my SMC Barricade back in and blow out the RV042. I agree with noaaah about a single process being used for so many different types of functions - unless there's something off the wall happening in the CPU. Anyway. This weekend I'm going to try to get a new os on the RV042 - nothing that'll make it act like a firewall or router, just something I can telnet into (at first, anyway). I'm hoping the tftp trick for rescuing a flash-fried firmware will work for getting the new os in the right place.

    Any ideas, comments, or good reasons why I'm on crack for attempting this, please let me know!
  10. noaaah

    noaaah Network Guru Member

    I haven't tried the tftp trick yet but somebody else on the forums has and it worked for them. But I can't personally vouch for it.

    Keep in mind to only flash section 2.
    Section 2 in the rv042 is where the firmware is stored. Do a dump of that (first 100 bytes or so) and then take the header out of the corresponding firmware - you will see that the bytes match up. The header seems to be to tell the program that flashes the flash (maintask) the basic information about the firmware like the version, name, etc. You can see that information when you run the flash_layout command.

    I would strongly suggest avoiding section 0 (bootup) because that is most likely where the bootloader lies.

    Also.. I'm starting to think that maybe the busybox shell is a chroot jail.

    Plus upon bootup, the module loaded makes the linux only use one mtd partition, it doesn't allow the other partitions to be used.. I wonder why.

    When I get back, I'll definitely spend more time on this - I haven't had a lot of time lately and I just got started.

    If you get the serial port console, try compiling the kernel and then insert it into the flash and see if that will boot. I'm not sure how the bootloader boots the firmware - that would tell us how we can boot our own customized firmware.

    Is there anybody out there that knows how to boot a kernel from within a kernel? Like starting up a kernel, running a program and then booting another kernel fully (not running the second kernel inside of a virtual machine)?
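The header-stripping step described in posts 7 and 10 (dd past the first 106 or 109 bytes of the .rmt, then compare against a dump of flash section 2) can be done without guessing the header length: align the .rmt with the dump and the offset at which the bytes start to agree is the header length. The script below is an added example for this thread and is not Linksys or OpenRG code. SAMPLE_RMT and SAMPLE_FLASH are constructed here (a fabricated 106-byte text header in front of deterministic filler), and the script assumes nothing about the real header layout beyond its being a prefix that is not written to flash.

```python
"""Recover the .rmt header length by aligning the firmware file with a dump of
flash section 2, then strip the header (what `dd if=image.rmt of=image.img
bs=1 skip=N` does).

Added example for this thread; not Linksys or OpenRG code. The header length
is not assumed: it is found by searching for the offset in the .rmt where
the bytes start to match the beginning of the flash dump. SAMPLE_RMT and
SAMPLE_FLASH below are constructed for illustration (a fake 106-byte text
header in front of deterministic filler); the real header layout is unknown
to this script.
"""
import sys


def find_header_length(rmt: bytes, flash: bytes, probe: int = 64,
                       max_header: int = 4096) -> int:
    """Offset in `rmt` at which the first `probe` bytes of `flash` appear.

    That offset is the length of the prefix the flasher consumes and does not
    write to flash. Raises ValueError if no alignment exists within
    `max_header` bytes (wrong dump, wrong version, or a non-linear layout).
    """
    if len(flash) < probe:
        raise ValueError("flash dump shorter than the probe window")
    window = flash[:probe]
    limit = min(max_header, len(rmt) - probe)
    for off in range(limit + 1):
        if rmt[off:off + probe] == window:
            return off
    raise ValueError("no alignment found within max_header bytes")


def strip_header(rmt: bytes, header_len: int) -> bytes:
    """Equivalent of: dd if=image.rmt of=image.img bs=1 skip=<header_len>"""
    return rmt[header_len:]


def matching_prefix(img: bytes, flash: bytes) -> int:
    """Number of leading bytes on which the stripped image and the dump agree.

    A flash section is normally larger than the image and padded with erased
    0xFF, so only the image length is compared. Equal to len(img) on success.
    """
    n = min(len(img), len(flash))
    i = 0
    while i < n and img[i] == flash[i]:
        i += 1
    return i


# --- constructed sample data (not a real RV042 image) -----------------------
SAMPLE_HEADER_LEN = 106
_header = b"RV042 firmware header, version 1.3.3 (fabricated)".ljust(SAMPLE_HEADER_LEN, b"\x00")
_body = bytes((i * 73 + 11) & 0xFF for i in range(2048))   # stand-in for kernel+cramfs
SAMPLE_RMT = _header + _body
SAMPLE_FLASH = _body + b"\xFF" * 256                        # erased tail of the section

if __name__ == "__main__":
    if len(sys.argv) == 3:        # real use: find_header.py image.rmt section2.bin
        rmt = open(sys.argv[1], "rb").read()
        flash = open(sys.argv[2], "rb").read()
    else:
        rmt, flash = SAMPLE_RMT, SAMPLE_FLASH
    n = find_header_length(rmt, flash)
    img = strip_header(rmt, n)
    ok = matching_prefix(img, flash) == len(img)
    print(f"header length: {n} bytes; stripped image matches dump: {ok}")
```

Run it with the .rmt and a dump of section 2 (as read back from the router) as the two arguments. If `find_header_length` raises, the dump and the image are from different versions or the section carries its own prefix; in that case search the dump for the tail of the .rmt instead of the head of the dump in the .rmt. Check `matching_prefix` over the whole image before flashing anything back, since a partial match only proves the header offset, not that the rest of the file is the same build.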
  11. overslacked

    overslacked Network Guru Member


    Well - that didn't take long.

    I downloaded and unzipped the RV042's GPL'd code, poked around, scanned the makefile, tried to make a few things. "make kernel", I got to see all the build options, mostly they were in line with what noaaah saw, although I'm surprised USB devices showed up.

    Anyway, I can't get very far because I don't have OpenRG (Residential Gateway). Despite its free-source sounding name, it's commercial and I haven't been able to get source. I downloaded an "evaluation kit" which turned out to be an .rmt file. (!)

    There is something in their Programmer's Guide though I thought was interesting: "[single-threading] ... improves performance of servers under heavy load, reduces footprint by 30%, and reduces per connection memory allocations by up to 99%." Noaaah's main task theory seems to be confirmed.

    I'm really not sure if there's much we can do without reinventing everything (even the bootloader is OpenRG's), and then, if we'd be able to get a worthwhile featureset.

    If anybody has any experience with OpenRG or any comments, please post. I think we'd all really like a way to hack this guy into something a little more feature-rich.
  12. overslacked

    overslacked Network Guru Member

    Ok, so ... perhaps nevermind about OpenRG, I found a "compiler" under pkg/build ... I'm not any farther along but this may be possible, after all.
  13. overslacked

    overslacked Network Guru Member

    Some success!

    After downloading and unzipping the source, I changed into the pkg/build directory and ran "make". After that, I was able to run the rg_configure.sh script in the root of the RV042 source.

    When that completed, I tried "make" again and it got pretty far, but it looks like we're going to need the Intel IXP400 software. It looks like you have to register with the site and agree not to export before you can get the code:

    Intel® IXP400 Software

    Worse, a human checks it over and they don't work weekends.

    So, that looks like it until Monday, but I'll keep Googling.
  14. noaaah

    noaaah Network Guru Member

    I'll look at the OpenRG site again, I couldn't find any source code - which is why I gave up a bit on it. On getting any OpenRG source code, that is.

    As for the intel headers..
    If you're seeing that it needs IxCryptoAcc.h - if that's what you're going to the Intel site for - you can get it from the RV016 source code.
    Unzip/tar the code, you will see a tar file called RV016_GPL_Header_files.tar.gz - tar -zxvf it. You will get /vendor/intel, etc. A bunch of .h files. Just drop that into the RV042 source code dir, and it'll compile.

    For some reason they included those files with the RV016 but not the RV042.

    I got main_task. Just fire up a TFTP server (atftpd for one) and then log into the router, and do:
    tftp put main_task (for me)

    You can use that to copy over files to/from the tftpd server.
    Now if we can only make the ramdisk bigger.. But that seems to be something encoded into the kernel.

    And main_task itself is an openrg program. It probably uses threads, or interrupts because it has what it calls "entities".

    If you type "ps" in the RV042> menu, you will see the "entities". Notice that if you do "ps" in the bootloader, one of the entities is a telnet server.

    Since you said single threading, and ps shows just a few processes and doesn't show the "entities" that are running in main_task, maybe main_task uses some clever interrupt routines to "multitask" between its "entities". Or multitasking in multitasking.

    Plus pluto is running, _pluto_adns, stunnel. So it makes me think, what's the point of multitasking in main_task if you also have other processes that are running in Linux?

    Busybox doesn't show me the priority of each process so I can't tell if main_task is running at the highest priority.

    If main_task had the highest priority, then it would make more sense because it could judge which of the "entities" running inside of it needs to do something and give that "entity" more CPU time based on the priority, while the kernel just (as far as i know) give each process CPU time based on the process's individual priority.

    *scratches head*

    Anyways, right now I'm focusing on how the bootloader loads the image. I noticed that when the image boots.. Copied and pasted from the log.
    Uncompressing Linux.................................. done, booting the kernel.
    Press ESC to enter BOOT MENU mode.
    Booting an active image in 3 seconds
    Uncompressing Linux................................................................................................................................................................................ done, booting the kernel.
    Linux version 2.4.19openrg-rmk6-ds1 #2 Thu Dec 9 15:55:21 CST 2004
    CPU: Intel XScale-IXP425 revision 1
    Machine: Intel IXP425 IXDP425
    Warning: bad configuration page, trying to continue
    initrd (0xc0164000 - 0xc016a000) extends beyond physical memory - disabling initrd
    Security risk: creating user accessible mapping for 0xc8000000 at 0xff000000
    Security risk: creating user accessible mapping for 0xc0000000 at 0xff00c000
    Security risk: creating user accessible mapping for 0xc4000000 at 0xff00d000
    On node 0 totalpages: 8192
    zone(0): 8192 pages.
    zone(1): 0 pages.
    zone(2): 0 pages.
    Kernel command line: console=ttyS0,115200 root=/dev/ram0 rw nohalt
    Using IXP425 Timer 0 as timer source
    Calibrating delay loop... 266.24 BogoMIPS
    Memory: 32MB = 32MB total
    Memory: 26624KB available (1265K code, 4445K data, 44K init)
    XScale Cache/TLB Locking Copyright(c) 2001 MontaVista Software, Inc.
    Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
    Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
    Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
    Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
    Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
    POSIX conformance testing by UNIFIX
    Linux NET4.0 for Linux 2.4
    Based upon Swansea University Computer Society NET3.039
    Initializing RT netlink socket
    Starting kswapd

    Random: 0xe2b781dc
    pty: 256 Unix98 ptys configured
    Serial driver version 5.05c (2001-07-08) with no serial options enabled
    ttyS00 at 0xff000003 (irq = 15) is a IXP425 UART
    ttyS01 at 0xff001003 (irq = 13) is a IXP425 UART
    RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
    loop: loaded (max 8 devices)
    PPP generic driver version 2.4.2
    NET4: Linux TCP/IP 1.0 for NET4.0
    IP Protocols: ICMP, UDP, TCP, IGMP
    IP: routing cache hash table of 512 buckets, 4Kbytes
    TCP: Hash tables configured (established 2048 bind 2048)
    NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
    NetWinder Floating Point Emulator V0.95 (c) 1998-1999 Rebel.com
    PPP MPPE compression module registered
    klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.99
    RAMDISK: Compressed image found at block 0
    Freeing initrd memory: 24K
    VFS: Mounted root (ext2 filesystem).
    Freeing init memory: 44K
    Mounting cramfs image at 'cramfs'
    insmod: add-symbol-file PATH/kos_lib.o 0xc280f060 -s .data 0xc28123c0 -s .bss 0xc28124dc
    insmod: add-symbol-file PATH/ixp425_flash_mod.o 0xc2814060 -s .data 0xc28143ec -s .bss 0xc281447
    Using buffer write method
    Using predefined MTD partitions.
    Creating 1 MTD partitions on "ixp425 Flash":
    0x00000000-0x01000000 : "openrg"
    mtd: partition "openrg" extends beyond the end of device "ixp425 Flash" -- size truncated to 0x800000
    Version 1.3.3 has been updated in flash section 2.
    Press ESC to enter BOOT MENU mode.
    Notice the "boot menu" shows up twice. So the bootloader is the same as the firmware image except that the bootloader's kernel doesn't show any output (it's quiet), and the bootloader's main_task has few features. It has a telnet server, it can write/read config, flash, and that's about it. It's either a generic main_task or an older main_task. I would say both.

    The firmware's main_task is newer. Notice it loads the module for ixp425_flash_mod.. It has predefined partitions. That would explain why I cannot use section 0, 1, 3, or 4. I can only use section 2.

    Notice the mod at the end. Its possible that the file was modified so that only a certain section would be specified. That way you can flash the stuff through the main_task program, but cant through the shell.

    I also strongly believe that the mount program was modified. Especially because every time I try to mount a drive, it always defaults to the flash disk. Always.

    I would say at this point that the kernel code from the RV042 source should be kept.. But the rest may have to be tossed out.

    But if there's a way to change the amount of RAM used for the ramdisk, then we could put in a real mount that allows mounting of NFS partitions, and then play with that more.

    I personally want to keep the firmware's programs and add our own programs, because why do all the work of making a router, when there's already an existing router? For example, the VPN doesn't always work (it works for me but not for some others), but it's VPN, and it's better to have it than to try and redo our own.

    So maybe we can make firmware that keeps the existing firmware and adds to it.. Adds more options, corrects problems, allows more flexibility.

    I'm off to figure out how the partition gets booted.
  15. noaaah

    noaaah Network Guru Member

    Ok, figured out how the header works, for the router - for the partitions.

    The link to the text file (my notes) is here. Headers

    Section 00 in the boot is in ARM5 instruction set, a.k.a. machine language.
    I've found the instruction set, but not the opcodes. So I cant figure it out.

    Still working on how the kernel was booted.

    On a hunch, I did cat kcore > /test in /proc.
    Then when the ramdisk was full, I tftp'ed the file over to my server and then hex edited it.

    Sure enough, it's an ELF file, named vmlinux.
    CORE.R...........................vmlinux...........console=ttyS0,115200 root=/dev/ram0 rw nohalt..................... etc.

    By the way while looking through main_task..
    When main_task was compiled, it compiled code from other programs into itself. Programs like snmpd, by Wes Hardaker (net-snmp). But, I dont see net-snmp in the source code for the firmware.

    Maybe the programs were built, and then moved into the main_file? I dont think that would be very effective, most likely the programs were compiled into main_file.

    Also there's a telnet server built into main_task, but it's disabled.
    The way to enable it is to do the following:
    rg_conf_set /nk/telnetd_enabled 1
    reconf 1

    Voilà, you can now telnet into the box.
    No more messy serial cables. I'm not sure if you need to do both reconf 1 and flash_commit - may just need flash_commit. Either way it will commit the modified configuration file to the flash.
  16. noaaah

    noaaah Network Guru Member

    I've been looking at the configuration backup files.

    RV042.exp files.

    I backed up the router, then did the telnet enable, then backed it up again. The new file is different from the original file. However, the two files do not match any of the flash sections in the router. So those files cannot be written directly into the flash.

    Looking through main_task, I noticed that the exp files probably are compressed, because there's a line that says:

    Import:unzip error^@^@SYSLOG_NK-(System Log) Import Bad Format of Configuration File !

    However, unzip doesn't recognize the RV042.exp file as a zip file.

    The reason why I'm doing this is because if there's a way to modify the RV042.exp file to enable telnet, then people wouldn't have to do the serial console modification. However, the serial console modification has some advantages over the telnet - such as being able to interrupt the bootup process after the firmware boots up, before it starts its operations. But telnet seems faster.

    I also tried gzip -d, didn't work either. Neither did bzip.

    I made a text file, and then zipped it using zip, it stored the name of the original file in the zip file. Hmm. Same when I gzipped it.

    Plus even though the telnet-enabled file is 5 bytes more than the telnet-disabled file, both files' content is totally different. It's like the original config files were XOR'ed by the checksum.. But if that's what happened, then how would the router get the original files back without the original checksum? The mystery continues..

    P.S. I can't give out the telnet-enabled EXP file because my password is in it. However, I will set the router to its default settings and then do the telnet patch and then I may post the telnet-enabled EXP file.
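The two posts above do the same triage by hand: hexedit kcore and find an ELF named vmlinux, then throw unzip/gzip/bzip2 at RV042.exp and get nothing. The script below is an added example (not code from this thread, Linksys or OpenRG) that does that triage programmatically: it checks the magic bytes of the formats mentioned here, reads the class/endianness/type/machine out of an ELF header, and measures byte entropy so a blob with no known magic can be told apart from plain text. All sample inputs are constructed inline; no real RV042.exp or kcore content is embedded, and the function names are mine.

```python
"""Triage an unknown blob: magic bytes, ELF header fields and byte entropy.

Added example, not code from the thread.  The samples below are constructed
here (a repetitive config-like text, a real gzip stream of it, deterministic
high-entropy bytes standing in for a scrambled file, and a hand-built ELF32
big-endian ARM core header).
"""
import gzip
import hashlib
import math
import struct

# Signatures for the formats the posts tried or found.
MAGICS = [
    (b"\x7fELF", "elf"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"PK\x03\x04", "zip"),
]
CRAMFS_MAGIC = 0x28CD3D45            # cramfs superblock magic, stored in host byte order

ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {3: "x86", 40: "ARM", 62: "x86-64"}

def entropy_bits(data):
    """Shannon entropy per byte: roughly 4-5 for text, close to 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_elf_header(data):
    """Return (bits, endianness, type, machine) from an ELF header, honouring EI_CLASS and EI_DATA."""
    if data[:4] != b"\x7fELF" or len(data) < 20:
        return None
    bits = {1: 32, 2: 64}.get(data[4])
    order = {1: "<", 2: ">"}.get(data[5])   # EI_DATA: 1 = little-endian, 2 = big-endian
    if bits is None or order is None:
        return None
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return (bits, "little" if order == "<" else "big",
            ELF_TYPES.get(e_type, str(e_type)), ELF_MACHINES.get(e_machine, str(e_machine)))

def identify(data):
    """Classify a blob: known magic (if any), ELF details when applicable, and an entropy verdict."""
    kind = "unknown"
    for magic, name in MAGICS:
        if data.startswith(magic):
            kind = name
            break
    if kind == "unknown" and len(data) >= 4:
        for order in ("<", ">"):
            if struct.unpack(order + "I", data[:4])[0] == CRAMFS_MAGIC:
                kind = "cramfs"
    h = entropy_bits(data)
    result = {"kind": kind, "entropy": round(h, 2), "opaque": h > 7.0}
    if kind == "elf":
        result["elf"] = parse_elf_header(data)
    return result

# --- constructed samples -------------------------------------------------
PLAINTEXT = b"rg_conf_set /nk/telnetd_enabled 1\n" * 100   # repetitive, config-like text
GZIPPED = gzip.compress(PLAINTEXT)                            # real gzip stream, carries the 1f 8b magic

def pseudo_random(n, seed=b"constructed-seed"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a scrambled file."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# ELF32, big-endian, e_type = CORE (4), e_machine = ARM (40), e_version = 1; remaining fields zeroed.
FAKE_ARM_CORE = (b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8
                 + struct.pack(">HHI", 4, 40, 1) + b"\x00" * 28)

if __name__ == "__main__":
    for label, blob in [("text", PLAINTEXT), ("gzip", GZIPPED),
                        ("scrambled", pseudo_random(4096)), ("core", FAKE_ARM_CORE)]:
        print(label, identify(blob))
```

One caveat worth keeping in mind for the XOR theory in the post: XOR with a single byte, or with a short repeating key, only permutes byte values and barely changes the frequency profile, so such a file still scores like text on the entropy check while matching no magic; a blob that is "unknown" and not "opaque" deserves a byte-frequency look before assuming compression.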
  17. noaaah

    noaaah Network Guru Member

    Ok - reset the router to default configuration, applied the telnet hack, then saved the configuration file.

    When you do the telnet hack, all you need to do is to just do:
    rg_conf_set /nk/telnetd_enabled 1

    Don't need to do rg_conf 1.

    Here's the link to the folder.
    Configuration Files

    Just download it, save your settings (on paper), then apply the above configuration files. Then you will have to redo your entire settings.

    I could try and figure out how the router saves the configuration, but it's not really worth wasting hours and hours on that when all I have to do is to give out a configuration file with telnet enabled, and people can just take 5-15 minutes to write down their configuration information.

    Especially because there's no need to figure out how the configuration file is structured once you're able to telnet into the router.

    Or just do the console hack, and you can enable it without having to do the above method. :)

    But if somebody figures out how the configuration file is structured, please post it on here, and I'll figure out how to modify it (via a program) so that people don't have to lose all of their settings.

    Keep in mind that once you apply the telnet enable, and redo all of your settings, any backups you make from that point will have the telnet enabled. If you ever go back to factory defaults, most likely telnet will be disabled. So make a backup before and after you do this. That way you can turn telnet on and off by applying the "before" or "after" backup files.

    Please let me know if this works for you. This way more people can get involved without having to do any hardware modifications to their RV042.
  18. noaaah

    noaaah Network Guru Member

    I was browsing around (googling for main_task openrg) and found this.

    Sounds like there's a similar setup between that and the RV042.

    And from the way the hardware is described, sounds the same, except the mainboard is different between those two. For example, the RV042 doesn't have a MiniPCI card holder installed, but could have one installed and probably could use it. In other words, good chance of installing a miniPCI card holder and a wireless card, and the RV042 may become wireless..!
    But in reality, I'm not sure.

    Both WRV54G and RV042 use the same processor, but the RV042 has a different chip than the KENDIM chip shown in the picture of the WRV54G board.

    From that board, it sounds like they have some similar problems as us.
    J2 on RV042 looks like JTAG - probably is, since it looks similar to J2 on the WRV.

    I may try uncompressing the kernel and ramdisk - to see if I can make the ramdisk bigger.. See what happens. Just remember the offsets will be different from the WRV. Plus the few times that I looked in the firmware file, I don't see any GZ headers in it.
  19. ICHIRO

    ICHIRO Network Guru Member

  20. noaaah

    noaaah Network Guru Member

    Re: telnetd of RV series is confirmed

    Dont need to do the reconf 1, but great work.

    How'd you figure that out? :)
  21. noaaah

    noaaah Network Guru Member


    There's a PPTP menu, not sure if anybody knows about it - because (from what I see) it's not on the menu. or just pptp.htm

    Also check out map.htm.
  22. ICHIRO

    ICHIRO Network Guru Member

    Re: telnetd of RV series is confirmed

    It was on the Linksys China site.

    I ran RV016_2.0.0.exe, captured the packets, and found it.
  23. noaaah

    noaaah Network Guru Member

    Re: telnetd of RV series is confirmed

    Thanks again :)
    I'll flash the 1.3.6, and I hope it's not all in Chinese.. If it is, I'll have to wait till the English one comes out or until somebody sends it to me.
  24. ICHIRO

    ICHIRO Network Guru Member

    Re: telnetd of RV series is confirmed

    I do not have English version 1.3.6 firmware.
    have you compare on the farm and binary level of the China site in the direction with the English version firmware -- doesn't it become precocious?
  25. overslacked

    overslacked Network Guru Member


    Awesome find on the Linksys China site.


    Your debugging and tracing skills are truly awesome, and a huge help for us all trying to understand what this box is doing when it's doing its thing. Thank you for spending time on this.

    The compile choked while building freeswan, IIRC, ipsec_glue.h included "IxTypes.h" ... I'm still downloading the RV016 source, hopefully, all the Ix* headers will be there.

    I'm using 1.3.3 at the moment and tried to enable the PPTP server ... no dice. I'll try it with 1.3.6 ... does anyone know if the firmwares are locale-specific? I'd hate to flash a Chinese language firmware, since I can't read Chinese!

    It's been a long day, so I may not get very far tonight, but I'll be on this first thing!

    Thanks again, this information is top notch.
  26. DummyPLUG

    DummyPLUG Network Guru Member

    Does anyone know all the hidden menus of the RV042?
  27. ICHIRO

    ICHIRO Network Guru Member

    You can see them by accessing the RV042 by telnet and starting a shell.

    / #ls /home/httpd/html
  28. DummyPLUG

    DummyPLUG Network Guru Member

    Thanks for the reply... I can never imagine it had this enabled by default..
    by the way, do you have the 1.3.6 firmware?
  29. ICHIRO

    ICHIRO Network Guru Member

    I do not have the English version of the 1.3.6 firmware. If it curves 1.3.3 with 1.3.1, it has the firmware of 1.3.6 of the China site.

    telnetd cannot be used by default.
    telnetd operates by accessing a URL.



    rg_conf_set /nk/telnetd_enabled 1
  30. DummyPLUG

    DummyPLUG Network Guru Member

    oops.. but it seems that I can directly telnet to the rv042 without accessing that URL first.. strange..
  31. noaaah

    noaaah Network Guru Member

    There are a few ways to enable telnet.
    The first is that URL and then entering the commands to enable telnet permanently, the second is to use the serial port mod, and enter the commands through it to enable telnet permanently. The third is to use my default configuration setting file (RV042.exp), which will also enable telnet permanently.

    Keep in mind that when I say permanently, I mean that it will stay enabled through reboots. However if you restore default factory settings or restore a backup that doesn't have telnet enabled, it will be disabled because the telnet setting is in the rg_conf flash section 3.

    It's also possible that some people may find that their telnet is activated. I would guess that maybe their machines were refurbished, and packaged in new boxes, and the technician forgot to disable telnet. If you're lucky in this way, you don't need to enable telnet. :)

    There are some hidden menus, but not much. The biggest ones are ConnectionStart.htm and ConnectionStop.htm. Those HTML files are not real HTML files, but they are shown in the main_task program. They will ask for your username/password, but so far I haven't found a correct username/password. Not even the default user/pass works.

    But be careful. Have a backup before you try those pages, and some others like rwServHandle.htm. I believe, from the code within, that rvServHandle.htm is designed to return command information to subroutines inside the main_task program, and you could possibly pass information that can screw up your configuration - hence the backup.

    Do a cat rwServHandle.htm | grep "<!-"
    You can do that for any other htm files, notice the tags such as ? That will return the firmware version. Nearly all the files (if not all) have tags, that's how the webpages can show your router's information - main_task (which is also the http server) will parse the page, and then return it.

    Since the pages in /home/httpd/html (but not /mnt/cramfs/home/httpd/html) are on the ramdisk, you have 31.0k of free memory to create a new page. Just use echo to echo your text to an html file, and you'll notice that the page will be available right away.

    However, the server doesn't seem to support binary files. I've tried to get main_task by linking it, and then downloading it and got an error - I believe it was an error that it couldn't handle the file. So the webserver is a simple one that basically parses the files before sending - an exception (so far) is the RV042.exp backup configuration file.

    You can use TFTP to copy the main_task file to your computer, and then look through it using strings to get all the strings, and then use that to see all the stuff inside.

    As I've said before, it seems that all the programs (or most) in the source code for the firmware - with the exception of the kernel, busybox and few other programs, are all linked into main_task. That's also where I got the string to enable telnet - /nk/enable_telnetd.

    Hope this clears up any confusion :)
  32. overslacked

    overslacked Network Guru Member

    I managed to get the GPL'd code to build, thanks for the pointer to the RV016, the Intel headers were all there. I'll write up a little HOWTO, and post a tarball with all the required goodies included - anyone know if that's alright (legal) to do?

    In the meantime, I was wondering ... when we upgrade the firmware, are we only upgrading OpenRG's black box? I'm wondering if the GPL code Linksys is releasing for this series "*RV*" is what OpenRG is based on ... 'cause I haven't seen any GPL downloads on OpenRG's site. I'm really curious as to the extent Linksys is modifying OpenRG's releases ... but, then again, I'm sure Jungo (company that produces OpenRG) releases tools to compile the .rmt files, if for no other reason than for Linksys to brand the web admin pages.

    I'd meant to mention it last night, I saw something about s_irqs (software interrupts?) on the box last night. BTW, the kernel config shows support for a wireless PCI card.
  33. noaaah

    noaaah Network Guru Member

    I noticed that on the Chinese site, it said that 1.3.6 on there - said something about DDNS. I know from another page that there are bugs with the DDNS and it was fixed in the 1.3.6. So therefore I assume that the 1.3.6 on the Chinese site is the same as the American 1.3.6 but most likely with Chinese text.

    I havent seen anything in the router configuration about "local", but if I do, I will.

    The firmware doesn't modify the configuration, it may update it if there are sections that are not already in the configuration. So if 1.3.6 is flashed and then shows up in English, then it's good. I'll try it later today.

    It's also possible that the English version of 1.3.6 was screwed up during compilation and now Linksys has to get the programmer to recompile it. But the Chinese version wasn't.
  34. DummyPLUG

    DummyPLUG Network Guru Member

    I just flashed the Chinese 1.3.6, all its menus are still in English, and it seems to handle my MSN much better, although it still had some problem logging in when I had over 700 connections..

    lastly, I still had the "Selective Acks" disabled by the router, did somebody notice the same thing?
  35. noaaah

    noaaah Network Guru Member

    Yup, that's why I think it has a similar config to the WRV54G - I linked to that project in an earlier post. It uses the same ARM chip, except different motherboard. Plus the motherboard for the RV042 has a miniPCI header on it, but not the holder. You could buy one, solder it on, put in a miniPCI wireless network card and see if the router detects it.

    As for legality.. I believe Linksys only released the code that they had to. They *may* have an agreement with the net-snmp so they don't have to release that code, but they released everything else that they had to. Notice they didn't release anything for the main_task program, but they did release the GPL code for the other programs that are compiled INTO the main_task program.. So I believe that you can use the RV016 code for the RV042 - because to be honest, how can you compile the RV042 otherwise?

    Also if Linksys is breaking legality agreements by releasing those headers in the RV016 code, then who is responsible? Linksys is because they put the file in the download. Not us. If we get a cease-and-stop order then we'll do that.. But as long as we don't, we're ok. Think about it :)

    Nobody likes to go to court, it takes time. They'd rather settle out of court. And if the files in the RV016 (the headers) are not supposed to be distributed, then Intel will go after Linksys first and order them to stop people from downloading, and Linksys will be responsible for it.

    However I'm not a lawyer, so let me know if I'm wrong about any of this.

    As for the RG..
    Well, so far the firmware from the Linksys site is all open source. There are some RG files in it, but the RG files in there (so far) are the open source variety.

    I believe that what linksys does is that they have all the opensource files in one dir, and they have the RG files in another dir. Then when they build it, all the packages get compiled and so forth. Then the makefile for main_task will go into each dir and then take the source code for each program that will end up into main_task and then incorporate it into it and compile it.

    It could also be that the programs are built into .o files, and are also linked and made into ELF files. Then the main_task makefile takes the .o file from each program and builds it into itself. This way the programs can be tested on the router in the case that some part of main_task doesn't work. For example, if main_task's ddns program doesn't work, the developers can take the ddns program ELF file and then test it on the router to see if it's the DDNS code and to see what's wrong. Makes sense?

    So the source code from Linksys has some RG headers, but has none of the code that's used to build main_task and to make RMT files.

    I recently bought the book called "Building Embedded LINUX SYSTEMS" by Karim Yaghmour from Borders. I'll be using that as reference because it has information on different flash systems such as MTD, etc.. And it'll help a lot in building customized firmware for the router.

    For example:

    "Unlike disk or DOC devices, CFI flash cannot generally be partitioned using tools such as fdisk or pdisk, because partition information is not usually stored on CFI flash devices. Instead, the device's partitions are hardcoded in the mapping driver and are registered with the MTD subsystem during the driver's initialization. The actual device does not contain any partition information whatsoever." Page 208, "Building Embedded LINUX Systems" by Karim Yaghmour, 2003.

    Notice there's a driver that loads from the ramdisk that will "define" the partitions for the RV042, called ixp425_flash_mod.o. This same driver also forces the usage of ONLY one partition, 0x00000000-0x01000000 called "openrg".

    Also notice that range 0x00000000-0x000F0000 is the boot partition.

    Also in the book, it says that the driver sets up partitions and sets up which addresses each partition is in. So basically that driver is controlling which partition is used for the firmware image.

    I know that the range shown in the start up doesn't make sense. Section 02 is from 0x00100000-0x00640000.

    So far this is what it looks like its doing:

    The bootloader loads, then reads the flash memory, and it's configured to boot section 02. After a certain amount of time (which you can change in the bootloader's configuration via rg_conf), it will start section 02.

    Section 02 starts up.

    The root device for the firmware is /dev/ram0, which is configured to be 101kB max size. The ramdisk is loaded, and it then starts init and main_task, then main_task loads the driver for the flash that's used to access the flash. It waits 3 seconds for the ESC key, then continues with normal bootup.

    Now the question is.. Notice in the bootup:
    "Stored version is 1.3.1, current version is 1.3.3"

    Does that mean version 1.3.1. is stored in the bootloader? In other words, the bootloader is used in the normal firmware? The reason why I'm asking this question is because it makes a partition from 0x00000000 to 0x01000000.. Which covers the entire flash device. However, when I do a df, it shows the cramfs as 10MB, yet the router itself says the flash is 8MB. So the cramfs is compressed, and it's expanded in memory.. But why make a partition from 0x0000000 to 0x01000000? Why reuse the bootloader partition? Maybe when the firmware boots up, the "bootloader" and other flash disk partitions are "invisible" to the firmware's linux kernel, and thus it will see 0x00000000 0x01000000 when it's actually 0x00100000-0x00640000. Or maybe the module was also modified to report the wrong range - i.e. it reports 0x01000000 when it's not that. Or maybe the default code reports 0x01000000 and Linksys didn't change it.

    DummyPLUG, can you define Selective Acks? I forgot what that is, but I recognize that from somewhere. I can check it out if I know what I'm looking for.

    Last but not least, while I was looking in the main_task, I noticed that in some places they have both the Chinese and English versions in the main_task but didn't see that in the html files. So it appears there's a configuration string that will activate the Chinese version.. But I'm not totally sure. I would need somebody with a Chinese version of the RV042 to dump the entire configuration (don't forget to take out any sensitive information such as email, password, etc) and then can see what the difference is.

    This takes me back to the question of the bootloader..
    If the HTML files are in English, then flashing the Chinese firmware should change the HTML files to Chinese.. Logically speaking. Unless the firmware doesn't contain the HTML files and the HTML files are stored elsewhere. However, version 1.3.3. added some HTML files that version 1.3.1 didn't have.. So therefore the HTML files should be stored in the firmware image..
    Doesn't make sense, right? :)

    I don't know if it's even worth it to try and figure out that part, as long as the 1.3.6 works for us.
  36. noaaah

    noaaah Network Guru Member

    It's the permissions that keep us from linking to other files in /home/httpd/html and then accessing them through a webpage.

    I was able to do this:
    cd /home/html/httpd
    ln -s /proc/meminfo meminfo

    But not able to:
    ln -s /proc/kcore kcore

    That's because kcore is read only by the owner, while meminfo can be read by anybody. However, I was able to tftp kcore over. It's 33 MB.

    GCC: (GNU) 2.95.3 20010315 (release/MontaVista)

    Inside I found:

    So the ramdisk is embedded inside of the kernel.

    It's possible that they are using initramfs, where the initramfs image contains much of the initialization code that's currently hardcoded in the kernel.
  37. DummyPLUG

    DummyPLUG Network Guru Member

    you can use here to look for whether it is enabled or disabled:
    look for the Selective Acknowledgements (RFC2018)

    I checked the home.htm and wizard.htm files in /home/httpd/html, and they didn't have any Chinese in them.. I will check all files if I have time..
    I will ask my friend to look for what is the different for the CN version.

    p.s. mine is RV-042-SG (Singapore???)
  38. ICHIRO

    ICHIRO Network Guru Member

    meminfo worked on the RV042 and RV082 with that procedure.
    cd /home/html/httpd should correctly be cd /home/httpd/html/.

    kcore Access was denied.

    -r-------- 1 0 0 33558528 Mar 7 11:47 kcore

    The size of kcore on the RV042 and RV082 was the same.
  39. overslacked

    overslacked Network Guru Member



    I did a cat kmsg in /proc and saw some interesting things, for one, the size of the flash memory being detected and sized down. WARNING! For some reason, kmsg wouldn't let cat go, so I had to ctrl+c, and couldn't look at the file again. Maybe TFTPing it would work. I just rebooted, but there may be more elegant solutions.

    The stunnel program provides the https service for the Quick VPN Client. It appears and disappears related to the HTTPS Service -> Enabled. It runs in open-kernel space so, perhaps that program hasn't been Borg'd into main_task yet - it'll be interesting to see if it gets an entity in the next release. Unless the HTTPS/Quick VPN is a Linksys-only thing, then OpenRG wouldn't include support (well, probably not).

    Which brings me to the PPTP server ... I haven't been able to get a response, not even a log entry, when I try to establish a VPN to this box. Are everyone else's logs as sparse as mine? It doesn't look like main_task shuts down or frees any of its "child" processes when their functionality is disabled in the interface -- so as far as I know, the only changes I'm making in the PPTP screen are to the conf. And, it's frustrating to see that Linksys is hiding options in its interface! Then again, this is beta and I'm not supposed to even know the page is there.

    Anyway, so, using the PPTP config page (usually, has anyone had any success using the RV042's PPTP server?

    Oh, Noaaah, those links you posted yesterday were to our routers instead of to your dyndns!

    Thanks everyone.
  40. noaaah

    noaaah Network Guru Member

    Re: KMSG

    I know it was to my routers :)

    "I was able to do this:
    cd /home/html/httpd
    ln -s /proc/meminfo meminfo

    But not able to:
    ln -s /proc/kcore kcore "

    Go into the shell, type this:
    cd /home/httpd/html
    ln -s /proc/kcore kcore
    then go to

    You will see what I mean. :)

    Remember that a lot of the things in the /proc dir can be seen by using cat or a webpage, they're like the output of a program, but they are not a program themselves. I forgot the name of what they really are.

    The point is, kcore can be tftp'ed because it's a file, if you do ls -al to the rest of the files in the /proc, you will see that they are very small - the file isn't all "there". Kcore is the kernel's core, but kmsg is a kernel's message. If you tftp'ed kmsg over, most likely it will not work. However, you could use the webpage or cat to view it.

    The best way to see it via webpage is to link to it, but it won't work if the file is not readable by all. Even though there's no "users" or "groups" and the router runs as single-user mode.. The webserver seems to not serve anything that's not world readable. KCore itself isn't world readable, which is why I had to use TFTP.

    As for stunnel.. They could've borg'ed it, but I think it depends on time.
    They can either run it from inside of the main_task, or they can run it externally - like they did with pluto. I'm not sure why they decided to run it externally.. Because of time limits? Not enough time to make sure that the code works internally?

    Point is, what's the point of running main_task and having all the programs run from inside of main_task and using software interrupts to give some programs more priority than others, and running main_task at highest priority - yet run other processes concurrently?

    Well, running programs internally would give more control over what's happening in the programs and give access to the inner workings that you can't get as easily. For example, you would have to parse logs from a firewall in order to see what's up, but if you have the firewall code and code of something else (a blocker, or monitor) - you can block an IP address if the firewall code reports too many break ins. So that's one reason I can think of that they have all of the code together, other than for speed gains.

    Point is.. I don't think it's very much worth the time trying to figure out WHY they did it this way. I think it's more worth it to figure out how we can get custom firmware to start up on it, and so forth. We could spend days and weeks arguing over why they did such and so, but we don't have the source code for main_task and so far nobody who has worked with openrg, or worked for Linksys has said anything.

    Just my 2 bits.

    As for the "processes", or "entities" as main_task and openrg call them.. There's a command in the RV042> menu that allows you to see them (ps) and another command that allows you to kill them.

    ICHIRO - I'm not an expert in kernels, so I'm not sure if the same size KCORE in two different routers means the same thing. I know that the RV016 and RV042 use the same firmware with the exceptions of some hardware modifications, but I don't know about the RV082.. The source code for the firmware is corrupted (gzip and bzip2 both report it as corrupted). So I can't peek inside and see what CPU the RV082 uses. However if the RV082 uses the same CPU, and has the exact same hardware, then one could assume that it would be the same kernel as the RV042.

    But at the same time, RV042 and RV016 have had problems, while the RV082 has been better off. But that could be because of how the software is programmed. They could all be using the same kernel but different main_task setups.

    Can you post more information about the RV082?
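The exchange above (post 36 and this reply) shows the security-relevant side of the "link it into /home/httpd/html" trick: any symlink in the document root that points outside it, such as meminfo -> /proc/meminfo, is served like a normal page as long as the target is world-readable. The audit below is an added example, not code from the thread, Linksys or OpenRG: it walks a document root, reports every symlink whose resolved target lies outside the root, and notes whether that target is readable by "others" (the condition the post says the RV042 web server checks). The document root and links in demo() are constructed in a temporary directory; the function names are mine.

```python
"""Find symlinks under a web document root that resolve outside it.

Added example, not code from the thread.  demo() builds a throwaway docroot
with one harmless in-tree link and one link that escapes to a file outside
the root, then runs the audit on it.
"""
import os
import tempfile

def escaping_symlinks(docroot):
    """Return [(link_path, resolved_target)] for every symlink under docroot whose target is outside it."""
    root = os.path.realpath(docroot)
    found = []
    # followlinks=False: do not descend into symlinked directories, only report them
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)          # fully resolved, so chained links are handled too
            if os.path.commonpath([root, target]) != root:
                found.append((path, target))
    return found

def world_readable(path):
    """True when 'others' have read permission on the (resolved) target."""
    return bool(os.stat(path, follow_symlinks=True).st_mode & 0o004)

def demo():
    """Build the constructed docroot and return [(link_name, target_is_world_readable)] for escaping links."""
    base = tempfile.mkdtemp(prefix="webroot-audit-")
    docroot = os.path.join(base, "html")
    os.makedirs(docroot)
    outside = os.path.join(base, "secret.txt")        # constructed file outside the docroot
    with open(outside, "w") as f:
        f.write("not meant to be served\n")
    os.chmod(outside, 0o644)                           # world-readable, so a server with that rule would serve it
    with open(os.path.join(docroot, "index.htm"), "w") as f:
        f.write("<html>ok</html>\n")
    os.symlink(os.path.join(docroot, "index.htm"), os.path.join(docroot, "home.htm"))  # stays inside
    os.symlink(outside, os.path.join(docroot, "leak"))                                   # escapes
    return [(os.path.basename(link), world_readable(target))
            for link, target in escaping_symlinks(docroot)]

if __name__ == "__main__":
    print(demo())   # [('leak', True)]
```

Run it against a real tree with escaping_symlinks("/home/httpd/html") from a shell on the box or on a copied-out root filesystem; a link whose target is outside the root and world-readable is the case that leaks, and a link to a file the server cannot read (like the kcore example in the post) still shows up here as something to remove.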
  41. noaaah

    noaaah Network Guru Member

    Just read it.

    I just looked at the kernel configuration, and I don't see any options for Selective Acks. I'm not familiar with that, and I'm not sure where that would be located in the kernel code. I will keep an eye out for it though.
  42. noaaah

    noaaah Network Guru Member

    Ok, I just looked at the kernel setup that came with the RV042 firmware source code. I wish that there was a /proc/kconfig. I will be comparing this to what I find in kcore from my RV042, version 1.3.6.

    Keep in mind that the kernel could be "generic", it may not have the setup that the RV042 does.

    I'm not listing ALL the options, just those that I feel are important and apply to embedded systems.

    Kernel Setup:
    -No CramFS support in the kernel
    -ROM file system support (for initial ramdisks of installation disks and can be used for other read-only media)
    -No JFFS, or JFFS2 support.
    -/Proc support
    -/dev/pts support
    -EXT2 support
    -NFS support
    -Root file system on NFS support
    -Loopback device support
    -No network block device support (not used with NFS or Coda)
    -Ram disk support
    -16384 default ram disk size
    -INITRD ram disk support
    Loaded by the boot loader and mounted as root before the normal boot procedure.
    -MTD support
    -MTD partitioning support
    -MTD concatenating support
    -Direct char device access to MTD devices
    -caching block device access to MTD devices - mtd-block
    -RAM/ROM/Flash chip drivers
    -Detect flash chips by common flash interface (CFI) probe
    -Support for Intel/Sharp flash chips (intel strata flash command sets)
    -No Mapping drivers for chip access were selected
    -No self-contained mtd device drivers selected
    -No NAND flash device drivers selected.

    From Kcore (used strings on core to get all the strings)..

    -Supports cramfs

    So apparently the kernel given via source is probably the generic kernel, and not 100% configured for the RV042. Plus, I cannot find the ixp425_flash_mod.o, ixp425_flash_mod, or ixp425_flash files anywhere in the source. So I'm downloading those from Intel. In order to build a custom kernel, those modules and some others will be needed.

    In other news, I got an ARM simulator - it allows me to simulate ARM code on the PC and see what it does. It also allows me to put in assembly and to see the opcodes.

    I have verified that some of the beginning opcodes in section 0, the boot section, match those in the file bootstrap.S.

    Section 00:
    E1 A0 C0 00 E3 A0 00 D3 E1 21 F0 00 E3 A0 00 78

    mov r12, r0 --> E1A0C000
    mov r0, #F_BIT | I_BIT | MODE_SVC --> Can't get opcodes
    msr cpsr_c, r0 --> E121F000

    Keep in mind that there are header files included, and some of the things (such as F_BIT, etc) may be replaced. The point is that the kernel appears to be bootstrapped using the bootstrap.S.

    Looking in vmlinux via hexediting (after compiling the kernel), I found similar code in offset 0x8000. I'm not an expert in ARM programming but, it appears that the bootloader is vmlinux with the header stripped out. Hexedit reveals a lot of zeros from the top (where it says ELF) to the arm code.

    E1 A0 C0 00
    E3 A0 10 F1
    E3 A0 00 D3
    E1 21 F0 00

    The firmware starts with:
    E2 8F A0 08
    E5 9F B0 04
    E0 4A B0 0B
    EA 12 84 03
    00 00 00 10
    E1 A0 00 00 (repeated 8 times)
    EA 00 00 02 01 6F 28 18 00 70 00 00 00 B9 7B C4
    E1 A0 70 01
    E3 A0 80 00
    E1 0F 20 00
    E3 12 00 03
    1A 00 00 01

    Putting them in the "memory" of the simulator gives me:
    add r10, pc, #8h
    ldr r11, [pc, #4h] ; 10h
    sub r11, r10, r11
    b 0x004A1020
    andeq r0, r0, r0
    mov r0, r0 (repeated 8 times)
    b 0x00000044
    dw 16f2818h
    rsbeqs r0, r0, r0
    adceqs r7, r9, r4, asr #23
    mov r7, r1
    mov r8, #0h
    mrs r2, cpsr
    tst r2, #3h
    bne 0x00000060

    Now.. I'm not 100% sure what to make from this. :-P
    Just for the heck of it, I may put the whole firmware in the memory of the simulator. I'm just playing around, seeing if I can better understand the bootup process.

    Also, as long as we use the same kernel, we can still use the modules from the router's firmware - can just tftp them over to the PC.
    But if we use a different kernel, then we may have to rebuild the modules.
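The post above decodes the boot section and the firmware head by feeding bytes to an ARM simulator and cannot assemble the `mov r0, #F_BIT | I_BIT | MODE_SVC` line. The decoder below is an added example, not code from the thread, Linksys or OpenRG: a small ARM (A32) disassembler covering exactly the instruction classes those dumps contain (data-processing with an immediate or an unshifted register, MRS/MSR, LDR/STR with an immediate offset, B/BL), with everything else, including shifted-register forms and literal-pool words, emitted as `.word`. It assumes the dumps are big-endian 32-bit words, which is how the bytes read in the post, and the function names decode/disassemble are mine. The sample inputs are the bytes quoted above.

```python
"""Decode the ARM words quoted in the post back into mnemonics.

Added example, not code from the thread.  Only the instruction classes found
in the quoted dumps are handled; anything else is emitted as ".word".
Words are unpacked big-endian, as the quoted byte order suggests.
"""
import struct

REGS = [f"r{i}" for i in range(13)] + ["sp", "lr", "pc"]
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "", ""]          # index 14 = always: no suffix
DP_OPS = ["and", "eor", "sub", "rsb", "add", "adc", "sbc", "rsc",
          "tst", "teq", "cmp", "cmn", "orr", "mov", "bic", "mvn"]

def operand2(word):
    """Operand2 of a data-processing word: rotated 8-bit immediate, or a plain (unshifted) register."""
    if word & (1 << 25):
        rot, val = (word >> 8) & 0xF, word & 0xFF
        if rot:
            val = ((val >> (2 * rot)) | (val << (32 - 2 * rot))) & 0xFFFFFFFF
        return f"#0x{val:x}"
    if (word >> 4) & 0xFF == 0:
        return REGS[word & 0xF]
    return None                      # shifted-register forms are not decoded here

def psr_name(word):
    return "spsr" if word & (1 << 22) else "cpsr"

def decode(word, addr=0):
    """One mnemonic for a 32-bit ARM word located at addr (addr only matters for branch targets)."""
    cond = COND[word >> 28]
    if word >> 28 == 0xF:
        return f".word 0x{word:08x}"
    # status-register transfers share bits with TST/TEQ/CMP/CMN (S=0), so test them first
    if word & 0x0FBF0FFF == 0x010F0000:
        return f"mrs{cond} {REGS[(word >> 12) & 0xF]}, {psr_name(word)}"
    if word & 0x0FB0FFF0 == 0x0120F000 or word & 0x0FB0F000 == 0x0320F000:
        fields = "".join(f for i, f in enumerate("cxsf") if word & (1 << (16 + i)))
        src = operand2(word) if word & (1 << 25) else REGS[word & 0xF]
        return f"msr{cond} {psr_name(word)}_{fields}, {src}"
    cls = (word >> 26) & 3
    if cls == 0:                                        # data processing
        op = DP_OPS[(word >> 21) & 0xF]
        s = "s" if word & (1 << 20) else ""
        rn, rd = REGS[(word >> 16) & 0xF], REGS[(word >> 12) & 0xF]
        op2 = operand2(word)
        if op2 is None:
            return f".word 0x{word:08x}"
        if op in ("tst", "teq", "cmp", "cmn"):
            return f"{op}{cond} {rn}, {op2}"
        if op in ("mov", "mvn"):
            return f"{op}{cond}{s} {rd}, {op2}"
        return f"{op}{cond}{s} {rd}, {rn}, {op2}"
    if cls == 1 and not word & (1 << 25):               # LDR/STR, 12-bit immediate offset
        mnem = ("ldr" if word & (1 << 20) else "str") + ("b" if word & (1 << 22) else "")
        rn, rd = REGS[(word >> 16) & 0xF], REGS[(word >> 12) & 0xF]
        off = f"#{'' if word & (1 << 23) else '-'}0x{word & 0xFFF:x}"
        if word & (1 << 24):                             # pre-indexed, optional write-back
            return f"{mnem}{cond} {rd}, [{rn}, {off}]{'!' if word & (1 << 21) else ''}"
        return f"{mnem}{cond} {rd}, [{rn}], {off}"
    if (word >> 25) & 7 == 5:                            # B / BL: signed 24-bit word offset from pc+8
        off = word & 0xFFFFFF
        if off & 0x800000:
            off -= 0x1000000
        target = (addr + 8 + (off << 2)) & 0xFFFFFFFF
        return f"b{'l' if word & (1 << 24) else ''}{cond} 0x{target:x}"
    return f".word 0x{word:08x}"

def disassemble(blob, base=0):
    """Decode consecutive big-endian words; returns [(address, word, mnemonic), ...]."""
    out = []
    for i in range(0, len(blob) - len(blob) % 4, 4):
        (w,) = struct.unpack(">I", blob[i:i + 4])
        out.append((base + i, w, decode(w, base + i)))
    return out

# Bytes exactly as quoted in the post: boot section 00, and the start of the firmware image.
SECTION00 = bytes.fromhex("E1A0C000 E3A000D3 E121F000 E3A00078")
FIRMWARE_HEAD = bytes.fromhex(
    "E28FA008 E59FB004 E04AB00B EA128403 00000010" + " E1A00000" * 8 +
    " EA000002 016F2818 00700000 00B97BC4 E1A07001 E3A08000 E10F2000 E3120003 1A000001")

if __name__ == "__main__":
    for addr, word, text in disassemble(SECTION00) + disassemble(FIRMWARE_HEAD):
        print(f"{addr:08x}  {word:08x}  {text}")
```

Two things the output makes visible that the simulator listing in the post does not: the second word of section 00, E3A000D3, is `mov r0, #0xd3`, and 0xd3 is 0x80 | 0x40 | 0x13 (IRQ and FIQ disable bits plus supervisor mode), which is exactly the `F_BIT | I_BIT | MODE_SVC` immediate the post could not get opcodes for; and the word 0x016F2818 that follows the eight `mov r0, r0` filler instructions is data, not code (it is the magic word an ARM zImage carries after its nop slide), which fits the later observation that the firmware looks like a zImage with a short header in front.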
  43. noaaah

    noaaah Network Guru Member

    Just made a zImage of the kernel, and it's very similar to the firmware RMT file with the header extracted.

    Last 4 bytes before a bunch of zeros in zImage is 00 60 2F 54, first zero starts at 0x94748. In RV042_1.3.6.img the last 4 bytes are 00 70 2F 54, first zero starts at 0x497BCC. Hmm.

    I noticed during compilation that piggy.gz is inserted..

    About kcore, I notice it keeps growing in size.

    IO mem shows:
    00000000-01FFFFFF - System RAM
    00013000-0014FA0F - Kernel code
    0014FA10-005ABB07 - Kernel data
    50000000-50FFFFFF - IXP425 Flash

    I notice that when the router is under heavy usage, the console messes up. What I mean is there's some missing characters and some corruption of the output from the serial port.. But when I run the command a second time, it may come out ok. So the router is definitely making heavy usage of interrupts. A.k.a. real time system.

    About SACKs, look in /proc/sys/net/ipv4/ - a "cat tcp_sack" returns 1, which means SACK is enabled. The router may be dropping those packets because of the firewall. Try killing off the 'entities' from within RV042> one by one until it stops dropping. If it continues to drop, then it's a kernel issue. I would recommend a 2.6 kernel except that we'd have to make it from scratch for the router. :-/

    I'm going to try and organize the information that I've gathered so far. It's a bit disorganized - as you can tell from my posts that often contain different kinds of information.
  44. DummyPLUG

    DummyPLUG Network Guru Member

    Well.. the firewall and VPN are disabled already; maybe there is other stuff making it become disabled.
  45. ICHIRO

    ICHIRO Network Guru Member

    Re: KMSG

  46. DummyPLUG

    DummyPLUG Network Guru Member

    Re: KMSG

  47. noaaah

    noaaah Network Guru Member

    I noticed that the kcore file got bigger over time.

    If both RV042 and RV082 have the same cpu, which Dummyplug mentioned, then most likely the same kernel is used for both but..

    Also the piggy.gz file that I saw before, is a compressed version of the vmlinux file.

    I re-organized the RV042 project folder on my server, and also set up a CNAME for the server since rocnoah.mine.nu isn't working for me when I use the RV042 as my DNS server.. I believe it's because the RV042 itself updates DDNS for rocnoah.mine.nu, and because of that, it does something weird with the name itself.. *Shrug*

    RV042 folder

    The Gatewaymaker project makes firmware for IXP425 processors, so that's why I'm trying that out.

    I believe that the router uses an image embedded within the zImage because that's the only thing that makes sense. The zImage of the firmware and the zImage that I generated are pretty much the same except that the firmware has an initrd within itself.

    I'm still trying to figure out if it uses INITRD or RAMFS because ramfs was supposed to come out in 2.5 and to replace the initrd..

    Some of the initrd messages don't make sense.. Like it says initrd is disabled, and then it mounts a ramdisk.. Plus it wouldn't be able to access the MTD without the driver loaded in order to mount it.. So maybe it's using a RAMFS driver?

    Keep in mind that you have /mnt/cramfs/ and everything is linked to the / from there, including init, but init is required by the kernel - it searches for init, and if it cannot find init, it will give an error and halt.

    Back to the Gatewaymaker project. There's a file that allows the mapping of the MTD within that project, and it supports the ixp425. That's the main reason why I'm trying it out, because without the flash mapping there's little chance of any custom firmware being built without using any of the original firmware. I don't mind using parts of the original firmware, but the ramdisk has to be expanded. If it's an initrd.gz, then the simple way to expand it is to make it bigger. If it's ramfs, I'll have to read the documentation on how to make it bigger.

    Also the quarter (college) just started for me, so I'll be more busy with college.. But I'll try and work on this some. No promises.
    Hopefully more people will get involved and help out than the couple of us :)
  48. ICHIRO

    ICHIRO Network Guru Member

    Hello, noaaah.
    Is the firmware 1.3.6 currently exhibited on your web site an English model's? I compared it with the firmware 1.3.6 of LINKSYS China using FC.EXE. There was no difference.
    Is there any information needed like RV082 throat?
    Although my RV082 has put in the Japanese firmware, is it that it is consulted?
  49. noaaah

    noaaah Network Guru Member

    The firmware on my website is from the china website. Its not the US release.

    My theories regarding the language for the routers are:

    1.) The main_task program and/or the webserver (within the main_task) does the language translation based on the configuration setting. In other words, if a certain configuration option is added or modified, then you may see Chinese or Japanese. This is based on the fact that there's a foreign language embedded within the main_task program.

    2.) The webpages are actually not stored in the firmware, but instead are stored elsewhere. Since the webpages are mostly text, they could be stored in another location (perhaps one of the configurations?) and then uncompressed and copied to the html dir. This is based on the fact that when the US RV042 was flashed with a Chinese firmware file, the webpages remained English.

    Keep in mind the above two are theories, and are not facts. Also keep in mind that there are 5 sections in the flash. We still don't know how big the bootloader section really is. Also I'm not 100% sure on how the MTD device mapping is being done. In short, I'm still a bit confused about how this router boots up the firmware and where the ramdisk is loaded from.
  50. ICHIRO

    ICHIRO Network Guru Member

    Thanks, noaaah.

    It is natural that it compares and there is no difference.

    Since it will become long if the information on RV082 which I could know is indicated here, it sends by PM.

    I demanded the firmware which corrects the fault of DDNS to LINKSYS support. The sent firmware was 1.3.4.
    The sent firmware is not 1.3.6 and carried out stripes disappointedly.
  51. akk142

    akk142 Network Guru Member

    I tried to do this on my RV016 with 2.0.3 but I keep getting bad command. I tried other basic commands to just look around, such as ls and cd, but all I got was bad command.

    Any ideas?

    Anyone know what the new 2.0.6 firmware that's listed in the open source folder of the Linksys FTP site is going to include? Also what do the new RV042 and RV082 firmwares include, feature wise? Thanks.

  52. rduval

    rduval Network Guru Member

    RV042->BEFVP41 - Linksys Confirmed Bug - No Netbios

    Not sure where it's best to post this but....

    After weeks of banging my head against the wall and MANY hours on the phone with Linksys tech support juniors in India and the Philippines, I FINALLY got through to California level 4 techs with my Netbios problems (couldn't access resources across the VPN except by IP).

    They have tested (after my call) and confirmed that an RV042 (v1.3.7.2) connected to a BEFVP41 has Netbios issues and that they "are now working on resolving it".

  53. Toxic

    Toxic Administrator Staff Member

    Anyone find a way of enabling selective acks on this router?
  54. Toxic

    Toxic Administrator Staff Member

    Does anyone know how to setup vlan on the RV042 via telnet?

    from the telnet shell "help" shows these vlan commands.

    nk_tag_vlan: set port base vlan / tag base vlan
    nk_vlan_all: set vlan all

    however typing these commands shows:

    RV042> nk_tag_vlan
    Returned -1

    RV042> nk_tag_vlan
    Returned -1
  55. Rubel

    Rubel LI Guru Member

    I want to make a VPN tunnel via IPsec between RV042 and Redhat Linux Enterprise WS4. Please help me how to configure the PC and RV042.
  56. guyborders

    guyborders LI Guru Member

    RV042 VPN incomplete ISAKMP sa

    Hardware -> Rv042
    Firmware ->
    my gateway-> dynamic Ip + domain name (FQDN) authentication
    their gateway ->static ip

    problem -> trying to connect VPN gateway to gateway tunnel between rv042 and sonicwall or watchguard firewall.

    error(1) -> encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
    error(2) -> Ignoring Vendor ID payload Type = [XAUTH]

    I keep getting these errors on every VPN tunnel I set up.

    Anyone know what could this be from? I am hoping it is not the new firmware version.

    please help and thank you,

  57. guyborders

    guyborders LI Guru Member

    RV042 incomplete ISAKMP SA

    Hardware -> Rv042
    Firmware ->
    my gateway-> dynamic Ip + domain name (FQDN) authentication
    their gateway ->static ip

    problem -> trying to connect VPN gateway to gateway tunnel between rv042 and sonicwall or watchguard firewall.

    error(1) -> encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
    error(2) -> Ignoring Vendor ID payload Type = [XAUTH]

    I keep getting these errors on every VPN tunnel I set up.

    Anyone know what could this be from? I am hoping it is not the new firmware version.

    please help and thank you,

  58. guyborders

    guyborders LI Guru Member

    sorry Rubel, i replied to the wrong thread.
  59. Rubel

    Rubel LI Guru Member

    If anyone has configured a VPN tunnel via IPsec between a Linux PC (openswan installed) and an RV042, please help me. I am in great trouble.
  60. aviegas

    aviegas Network Guru Member

    RV042 - Any news on a new firmware release

    I'm just curious when Linksys is going to release a new firmware that will fix the TCP window issue that affects both Windows Vista and newer Linux builds. The RV082 "beta" is out, but we are yet to see the equivalent for the RV042...

    Anyone has some insight?
  61. starlight

    starlight Network Guru Member

    The tcp window issue is really annoying with my rv042.
    Most things work well but sometimes I have stalls....

    Hope there will be soon some beta
  62. duceyaj

    duceyaj Network Guru Member

    I too am waiting for a Vista fix for my RV042.
    I currently have the RV042 firewall turned off in favor of TCP scaling.
  63. Toxic

    Toxic Administrator Staff Member

    there will be a fix yes. just disable TCP scaling in vista is the easiest work around.
  64. starlight

    starlight Network Guru Member

    This is not a Vista problem anymore; since kernel and openSuse 10.2 it's also a Linux problem now :(

  65. Sfor

    Sfor Network Guru Member

    There is a new firmware available on the Linksys US site.

  66. Toxic

    Toxic Administrator Staff Member

    new? 2/15/2007
  67. Sfor

    Sfor Network Guru Member

    All right. You are right.

    (But it was newer than the last post, anyway.)
  68. Sfor

    Sfor Network Guru Member

    Firmware v1.3.9

    I've got a newer one.
    By the way, there is no information about the maximum VPN transfer rates available. I found no indication about how fast the RV042 can go with any encryption method, so far.
  69. fnarf

    fnarf LI Guru Member

    Where do we find this magical v1.3.9 firmware for the RV042?

    I would like to fix "problems downloading big files" ;)
  70. Sfor

    Sfor Network Guru Member

    I got it from the linksys support agent:
  71. fnarf

    fnarf LI Guru Member


    I wonder how long it's been in beta and when it will be released.

    What issue were you having that caused them to give you this?
  72. Sfor

    Sfor Network Guru Member

    I told them the VPN transfer is just 0.5Mbit/s on a 100Mbit/s connection.

    Besides, I wanted to know how fast this device can do the encryption/decryption stuff.
  73. fnarf

    fnarf LI Guru Member

    any issues

    How is it working for you? Are you having any issues? I'm thinking about trying it on our routers.

    Has the speed improved?
  74. Sfor

    Sfor Network Guru Member

    No. But, I'm not sure where the problem is. It could be the router or the ISP.

    But first, it would be good to know how fast this little box can go. I found nothing in the documentation, so far.
  75. Toxic

    Toxic Administrator Staff Member

  76. Sfor

    Sfor Network Guru Member

    What issues? I've been told by the Linksys support agent this version is better than the

    Perhaps I should change it back, if the issues are so annoying.
  77. abrink

    abrink Guest

    Configuration Files -- More Info

    I was doing some research in regards to the .exp config file. If you take a look at Chapter 26.9 of the Development Guide for OpenRG, you will see a process to dump the configuration file from flash.
    Basically the process is this:
    1. Locate what section the rg_conf file is in. Use: flash_layout. For me it was Section 3.
    2. Dump the flash with flash_dump -s 3 -l <hex value of length>
    3. Parse with some cut and sed scripts and run through xxd. You will then get a binary file. The manual mentions rg_conf_inflate to parse this binary file into text. I have not tried that yet.

    I also did a strings on main_task and saw this:
    inflate 1.1.4 Copyright 1995-2002 Mark Adler
    This is part of zlib.

    So my theory is that you can dump the rg_conf, turn it to binary, zlib it somehow and have your .exp file. I haven't been able to get this to work though. Maybe it will get us on the correct track.
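    The dump, hex-to-binary and inflate steps above, done in one script as an added example (not code from the thread, OpenRG or Linksys). The text layout of flash_dump output is not shown in the thread, so the reader is deliberately tolerant of an "offset:" prefix and an ASCII column; the placeholder config text and the 8-byte "RGCF" header in front of the zlib stream are constructed for the sample and are not the real rg_conf format. The point it adds is that a zlib stream can be located by its RFC 1950 header check and confirmed by inflating it to end-of-stream, so the header size in front of it does not have to be known in advance.

```python
"""Rebuild bytes from a hex dump and inflate the zlib stream inside.
Added example, not code from the thread, OpenRG or Linksys; the flash_dump
text layout, the config text and the 8-byte header are constructed here."""

import re
import zlib

HEX_PAIR = re.compile(r"\b[0-9A-Fa-f]{2}\b")


def hexdump_to_bytes(text):
    """Tolerant hex-dump reader: strips an 'offset:' prefix and an ASCII
    column after '|' on each line, then collects the remaining byte pairs."""
    out = bytearray()
    for line in text.splitlines():
        line = line.split("|", 1)[0]
        if ":" in line:
            line = line.split(":", 1)[1]
        out.extend(int(pair, 16) for pair in HEX_PAIR.findall(line))
    return bytes(out)


def bytes_to_hexdump(blob, width=16):
    """xxd-like dump; used only to construct the sample input below."""
    lines = []
    for off in range(0, len(blob), width):
        chunk = blob[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<{width * 3 - 1}} |{text}|")
    return "\n".join(lines)


def inflate_anywhere(blob):
    """Return (offset, data) for the first complete zlib stream in blob.
    A zlib header is CMF/FLG with CM=8 (deflate) and CMF*256+FLG divisible
    by 31 (RFC 1950); each candidate is confirmed by inflating to end-of-stream."""
    for i in range(len(blob) - 1):
        cmf, flg = blob[i], blob[i + 1]
        if (cmf & 0x0F) != 8 or ((cmf << 8) | flg) % 31 != 0:
            continue
        d = zlib.decompressobj()
        try:
            data = d.decompress(blob[i:])
        except zlib.error:
            continue
        if d.eof:
            return i, data
    return None, b""


def recover_config(dump_text):
    """Hex dump text -> (zlib stream offset, inflated config text)."""
    offset, data = inflate_anywhere(hexdump_to_bytes(dump_text))
    return offset, data.decode("utf-8", errors="replace")


# Constructed sample: placeholder config behind a made-up 8-byte header,
# rendered the way a dump piped through xxd would look.
SAMPLE_CONFIG = "(rg_conf\n  (system (hostname RV042))\n  (dev (ixp0 (enabled 1)))\n)\n"
SAMPLE_DUMP = bytes_to_hexdump(b"RGCF\x00\x00\x00\x00" + zlib.compress(SAMPLE_CONFIG.encode()))

if __name__ == "__main__":
    print(SAMPLE_DUMP)
    off, text = recover_config(SAMPLE_DUMP)
    print(f"zlib stream at offset {off}:\n{text}")
```

    If the real dump inflates cleanly this way, the output is the text that rg_conf_inflate would produce; if no candidate reaches end-of-stream, the dumped length (-l) was probably too short for the section.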

  78. Leathal

    Leathal Network Guru Member

    So share it with everyone... After talking to Linksys about my RV042, which I just bought a day ago, they told me I had to pay for my support as the unit was out of warranty. When I told the owner this at the computer store, which has been around since the 80's, he was surprised, as neither he nor his supplier knows anything about their best-before-date policy.

    SIGH.. I am sure it is more than just these guys who don't know about it.

  79. Sfor

    Sfor Network Guru Member

    I did share it, but both the link and the password were removed from this thread.
  80. Sfor

    Sfor Network Guru Member

    I'm experiencing problems with the "Load Balancing" function. The device is running 1.3.10 firmware now. But the 1.3.9 had the same issue, as far as I remember.

    Does anyone know if the works better with load balancing?
  81. alb1us

    alb1us LI Guru Member

    RV042 Beta Firmware

    Which is the latest beta firmware version for this router?
  82. Sfor

    Sfor Network Guru Member

    The newest I've heard of is 1.3.10
  83. bad_the_ba

    bad_the_ba Network Guru Member

    I have 4 of these in service at various small businesses I do administration for, and have recovered 2 bricked units out of warranty, which I had stashed away in bins for quite some time. I just recently dug the 2 out again that I had stored, and would like to use them and am flashing the latest firmware for better QVPN support and hopefully better stability. I've hunted around a bit on these forums for more info, but can anyone tell me if there was ever a successful project for creating a third party firmware for this model?
  84. Toxic

    Toxic Administrator Staff Member

    Unfortunately no one has created a 3rd party firmware for distribution. The OS is OpenRG, which is not as supported as the Linux distro on the WRT range.
