Friday, January 31, 2014

OpenWRT for WEMO - Part 2 - Flashing Firmware

So the WEMO arrived, and the first thing I did was set it up with my iPhone. After checking it worked I voided the warranty to attach serial lines. The serial port is used to issue commands to flash firmware onto the WEMO and requires soldering onto the board. There are pads for RX and TX, but the pad for ground proved tricky to heat sufficiently, so I used the ground pin of the header for fear of damaging the board. There is also a conveniently placed via to put the ground wire through; I refrained from soldering to the via for the same reason as the ground pad.

The location of the pads and various other information about the hardware can be found here and here. I attached the ground, RX, and TX to a Sparkfun FTDI XBee explorer to give access to the serial terminal. Powering on the WEMO gave a very verbose boot log.

The flash memory partitioning on the WEMO can be determined from the boot messages.

Creating 10 MTD partitions on "raspi":
0x00000000-0x00050000 : "uboot"
0x00050000-0x007c0000 : "A - Kernel and Rootfs"
0x00150000-0x007c0000 : "A - Rootfs"
0x007c0000-0x00f30000 : "B - Kernel and Rootfs"
0x008c0000-0x00f30000 : "B - Rootfs"
0x00fe0000-0x00ff0000 : "Nvram"
0x00ff0000-0x01000000 : "User_Factory"
0x00040000-0x00050000 : "Factory"
0x00f30000-0x00fd0000 : "Belkin_settings"
0x00030000-0x00040000 : "Uboot_env"

The stock firmware allows for updating from Belkin, so to increase reliability there are actually 2 firmware images stored in flash. From the partitions above you can see where they reside in flash. Uboot uses the environment variables "bootstate" and "check_boot" for switching between which images to boot from (more info can be found on the OpenWRT site).
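As an added example (not code from the original post), this Python script parses the partition lines from the boot log above, lists each partition with its size, and reports which partitions sit inside another one and which address ranges are unmapped. Treating list position N as /dev/mtdblockN is an assumption; it matches the mtdblock numbers used later in this post.

```python
import re

# Partition lines as printed in the boot log quoted in this post.
BOOT_LOG = '''Creating 10 MTD partitions on "raspi":
0x00000000-0x00050000 : "uboot"
0x00050000-0x007c0000 : "A - Kernel and Rootfs"
0x00150000-0x007c0000 : "A - Rootfs"
0x007c0000-0x00f30000 : "B - Kernel and Rootfs"
0x008c0000-0x00f30000 : "B - Rootfs"
0x00fe0000-0x00ff0000 : "Nvram"
0x00ff0000-0x01000000 : "User_Factory"
0x00040000-0x00050000 : "Factory"
0x00f30000-0x00fd0000 : "Belkin_settings"
0x00030000-0x00040000 : "Uboot_env"
'''
LINE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+)\s*:\s*"([^"]+)"', re.I)

def parse_mtd(log):
    """Partitions in creation order; list position N is assumed to be /dev/mtdblockN."""
    parts = []
    for m in LINE.finditer(log):
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        parts.append({"n": len(parts), "name": m.group(3),
                      "start": start, "end": end, "size": end - start})
    return parts

def nested(parts):
    """(outer, inner) index pairs: a write to the whole outer device also rewrites inner."""
    return [(o["n"], i["n"]) for o in parts for i in parts
            if o["size"] > i["size"]
            and o["start"] <= i["start"] and i["end"] <= o["end"]]

def unmapped(parts):
    """Address ranges below the highest partition end that no partition covers."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["end"])
    return gaps

if __name__ == "__main__":
    parts = parse_mtd(BOOT_LOG)
    for p in parts:
        print(f'mtdblock{p["n"]}  {p["start"]:#010x}-{p["end"]:#010x}  {p["size"] // 1024:6d} KiB  {p["name"]}')
    for outer, inner in nested(parts):
        print(f'mtdblock{inner} lies inside mtdblock{outer}')
    print("unmapped:", [(hex(a), hex(b)) for a, b in unmapped(parts)])
```

The output shows that the A and B "Kernel and Rootfs" slots are the same size, that each rootfs partition starts 1 MiB into its slot, and that the "uboot" partition also covers "Factory" and "Uboot_env", so a write to the whole of that device would touch both.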

When I first uploaded the firmware onto the WEMO I assumed that OpenWRT would either override this or work nicely with their redundancy scheme. Unfortunately it didn't quite work out: the partitions OpenWRT expected to see weren't there, as it was put into the "B - Kernel and Rootfs" partition.

Using the fwupgrade tool in the stock firmware I flashed my compiled firmware image in, but at boot it would not mount the rootfs partition. Setting the uboot "bootargs" variable with different mtdblock numbers did not remedy the situation. So I booted back into the stock firmware (changed "bootstate" to 0) and dd'ed the stock firmware to overwrite OpenWRT using:

dd if=/dev/mtdblock1 of=/dev/mtdblock3

This overwrites the kernel and rootfs. In the initial state of the flash memory, the a and b firmware partitions appear to have identical contents. Flashing the OpenWRT firmware requires a stock firmware version of less than WeMo_WW_2.00.2176.PVT. To find the firmware version, use this command in the serial terminal:

cat /etc/ver.txt

The contents of my ver.txt is:

02/19/2012 06:35:50 AM

If you have an upgraded WEMO it may still be possible to boot into the stock firmware. You can check if the stock firmware is in the b partition by using steps 4 and 5 below.

To write the OpenWRT firmware to the WEMO use the following steps:

  1. Ensure the WEMO is connected to your WIFI network by setting it up. DO NOT UPGRADE THE FIRMWARE if prompted.

  2. This step is optional; it applies if you want to use a custom compiled image. Install apache or any other web server. This is needed to download the firmware image. Place the compiled firmware image in the web server's root directory and ensure it is accessible.

  3. Open a terminal for the serial port. I used PuTTY; the baud rate is 57600.
  4. While in the terminal hold down "4" and then boot the WEMO; uboot only has a 1 second wait time.
  5. In the uboot command line set it to boot from the b firmware image using:
    set bootstate 2
    set boot_check 0
    set bootargs 'console=ttys1,57600n root=/dev/mtdblock4'
    After the boot command the WEMO will reboot into the stock firmware image from the b firmware partition.
  6. Wait for about 10 seconds for a prompt. The serial terminal is the default output for some of the log messages, so messages will appear sporadically. To stop these log messages use:

    killall sh
    killall wemoAPP

    This kills the Belkin applications that enable remote switching and log to the serial port.
  7. Now we can download the firmware image into the tmp (this is for a firmware image from, change the url accordingly):

    cd /tmp

    The tmp directory resides in RAM; all other directories are in flash, so the image will not fit there. I have given the URL to the trunk snapshot on, if you are using a custom image give the URL of the web server that has the image.
  8. The image is now in the tmp directory and it can be flashed using:

    fwupgrade openwrt-ramips-rt305x-belkinf7c027-squashfs-sysupgrade.bin
  9. Reboot the router using the "reboot" command and then hold "4" to enter the uboot command menu. The "bootstate" and "boot_check" variables need to be set in order to prevent uboot reverting back to the stock firmware.
    set bootstate 0 
    set boot_check 0

    The WEMO will now reboot and hopefully boot into OpenWRT. The nice thing is that the stock firmware can be reverted to by changing the boot variables using step 5.

In the next part I will show how to use Eclipse to compile and remotely debug software for the WEMO using the toolchain compiled in part 1.
