From Lundman Wiki
Jump to: navigation, search


Since we have telnet access, and all our apps run excellently, there is no need to do firmware inspection. Sorry.

It's not like I have time to spare :)

Here's some pointers of how to get a toolchain and shell working. The info below is compiled from various posts over at the netoworkedmediatank.com forum:


A toolchain is available at CodeSourcery.com. Look for "CodeSourcery G++ Lite for MIPS".

The C200 reports:

# uname -a
Linux PCH-C200 #330 PREEMPT Fri Sep 4 10:21:37 MYT 2009 mips unknown


sigma designs tangoX MIPS 74K V4.9 FPU V0.0.

The configure needs Little Endian:

./configure --host=mips-linux-gnu CFLAGS=-EL CXXFLAGS=-EL LDFLAGS=-EL CPPFLAGS=-EL ASFLAGS=-EL CC="mips-linux-gnu-gcc -EL"

With the CodeSourcery toolchain you can probably also use


which should be the right target. This should encourage gcc to order the assembly for best performance on the C200. Not sure what the trailing c represents though.


(NOTE: Since early 2011 PTY support is enabled in the 200-series firmware.)

As the PTY is disabled currently, we will not have "real" telnet. But you can get lundman's shell here: http://www.lundman.net/ftp/nmt/shell.zip

Unzip and rename the shell-installer.cgi-RENAME-ME file to shell-installer.cgi as WinZip corrupts it.

Upload to root of HDD, make it executable, then run it like any cgi. You can use my hacked html/cgi files too if you want, I have not had time to make it nice though..

It will "hang" after spawning shell, but that's ok, just let it be or push STOP then SOURCE button to return to normal GUI.

Connect to port 2222 on C200. Please note you can not use "telnet" as it insist on sending cr/nl, unless you find the option to disable that in telnet, or change shell.c to send DONT CRNL in telnet speak.

Use netcat to connect:

nc ip.ip.ip.ip 2222

Then type in /bin/sh as the process to run, and you are set. Enter sh -i after that if you like the nice prompt. You can connect as many times as you want.

Note: "LundmanShell" is also available in the CSI for simple installation.


upnp crashes, so compile strace to find out why.

cd /tmp
wget http://lundman.net/ftp/nmt/strace.c200
chmod 755 strace.c200
killall upnpapp
cd /opt/syb/app/upnp
/tmp/strace.c200 -fv -a 200 -s 200 /opt/syb/app/upnp/upnpapp &


Compiling etherdeth.ko to try that for the nic.

First attempt gets:

# /sbin/insmod forcedeth.ko
<4>forcedeth: Unknown symbol pci_disable_msi
<4>forcedeth: Unknown symbol pci_enable_msi
<4>forcedeth: Unknown symbol netpoll_trap
<4>forcedeth: Unknown symbol add_preempt_count
<4>forcedeth: Unknown symbol debug_smp_processor_id
<4>forcedeth: Unknown symbol pci_enable_msix
<4>forcedeth: Unknown symbol sub_preempt_count
<4>forcedeth: Unknown symbol pci_disable_msix
insmod: cannot insert 'forcedeth.ko': unknown symbol in module

The drive itself will try to use MSI-X interrupts first, then MSI interrupts and finally INTA. So the code that attempts msix and msi needs to be escaped out. The MIPS platform appears to only have INTA type.

The "add_preempt_count" and partner is because CONFIG_PREEMPT_DEBUG=y was in .config. The final "netpoll_trap" is because CONFIG_NETPOLL was in .config.

Finally we get:

# /sbin/insmod forcedeth.ko
<6>forcedeth.c: Reverse Engineered nForce ethernet driver. Version 0.60.

Alas, only the PHY is vitesse, the top part of the driver is not at all, so this will not work. but we do have the patches for the nic now, so this should be tested.


# wget http://lundman.net/ftp/nmt/tcpdump
# chmod 755 tcpdump