Hacking (debricking) the Aironet/Arlan 640 series bridges/AP’s   1 comment

I’ve a growing collection of the extraordinary Symbol/ARLAN/Telxon/Aironet bridges and AP’s.. 630, 640 series.

These were pre-802.11 radio AP’s and bridges, and are just amazing in their depth of control.

I’ve a few bricked units I’m trying to revive, and I intend to blog the (slow) progress here.

The main unit is an Arlan 640-2400 2.4ghz.

It has a Motorola 68360 series (68EN360FE25C) CPU – 25Mhz Quad Integrated Communications Controller. (datasheet link USER MANUAL)

Flash 2 x AM29F010-120JC (1 Megabit (128 K x 8-Bit) CMOS 5v) (DATASHEET LINK)

Clock source or EEPROM: Intel 14538B

DRAM 2 x 814260-70

RS232 MC145407DW

And some additional glue logic.

Motorola 68360 CPU

25mhz, 4.5 MIPS

8/16/32-bit databus, 32 address lines, glueless SRAM and DRAM interface, IJTAG Access port(!), 7 IRQ’s,

Four Comms Controllers – Ethernet, HDLC/SDLC 2mbit, UART, two TDM controllers (BRI/PRI ISDN)

Parallel/Centronics Interface

Instruction Set: CPU32+ (superset of M68000)

Connectivity to EEPROM/FLASH

EEPROM (8 bit boot) may be regular or flash.

Signals (68k-EEPROM): CSO-CE-Enable, OE-OE(Output Enable), WE0-WE (Write Enable), Data and Address.

WE0 – aka UU-WE, Active-low, Address bus A31, corresponds to data bits 31-24

Most interesting is the SIM60 (System Integration Module) as it controls startup, initialisation.

DEBRICKING

This unit was bricked by too much debug info being logged – into flash I think. This might have caused a wraparound effect – debug wasn’t meant to have full error handling as it’s not user-exposed.

The basic plan is to a) try and get a diag on the cause of the boot hang, b) understand the boot process, and c) remedy the cause.

I suspect flash has been trashed by the wrap (or it’s just plain full) – this would be most easily remedied by unsoldering flash from both bricked and good unit, examining both to see what’s there, and if wrap occurred, dumping into a programmer and cloning. Parity might be an issue too.

If the issue is EEPROM them same process.

Interfacing to Flash

The User’s Guide has the interfacing spec on page 9-6, and EEPROM on 9-8.

Boot Process

Basic init is described in User’s Manual on page 9-10.

<That’s all i have the battery for at the moment!>

Collateral to come:

M68000PM/AD M68000 Family Programmer’s Reference Manual – (link)

M68300 Family CPU32 Reference Manual (link)


Update:
Unbricking procedures for other routers – short-flash method
http://www.dd-wrt.com/wiki/index.php/Recover_from_a_Bad_Flash
http://forum.openwrt.org/viewtopic.php?id=1572
http://www.ranvik.net/prosjekter-privat/jtag_for_wrt54g_og_wrt54gs/HairyDairyMaid_WRT54G_v22.pdf – WRT54G EJTAG DeBrick Guide by HairyDairyMaid
http://forum.openwrt.org/viewtopic.php?id=5050 – Bit of discussion about JTAG methods
http://forum.openwrt.org/viewtopic.php?id=664&p=2 – JTAGging other platforms
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=12053 – JTAG pinouts and guides ! !

Advertisements

Posted June 18, 2008 by benryanau in ICT

Tagged with ,

One response to “Hacking (debricking) the Aironet/Arlan 640 series bridges/AP’s

Subscribe to comments with RSS.

  1. I have two Aironet Arlan 640-2400 but I forgot the password and I can not use them, can you tell me how can I do to reset them and reconfigure them? Please help me

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: