EHCI Driver Completed

STR9100 has two Host Controller Interface, EHCI and OHCI. Enhanced Host Controller Interface (EHCI) is used for high speed USB, while Open Host Controller Interface (OHCI) is used for full and low speed devices. I think I have completed the EHCI part (it can detect my USB disk and the internal hard disk), but I haven’t tested this extensively. The OHCI part may not seem important if we only use high speed devices, but it is. When I tried plugging in low speed device, the port becomes unusable (even when I unplug the device and insert a new USB 2.0 device).

I will try to complete the OHCI part, and I hope I can post the source code this weekend after cleaning up the debugging part. I also plan to support the MTD device access so we can update the firmware easily. Updating from the old kernel to the new one will be easy with the web interface, but it is important that we can update the new one also (currently I am still booting from tftp server).

Wii and My Strange ISP (MaxNet Thailand)

wiiOne of my distractions last weekend was my new Nintendo Wii. After playing my first game, I tried to get the Internet connection working without success. After spending few hours I finally found out why: The Wii Connection test DOES NOT send a user agent, and apparently, my ISP uses a transparent proxy that will deny access to anything that doesn’t provide “User-Agent” header. It took me quite a long time to realize this.

It is quite a long story how I realized the problem. Connecting Wii trough direct connection never works, so I use my proxy server. It didn’t work either, so I looked at the log file, and tried to connect to URL listed in the log file ( using my browser through my proxy server, and it works. I tried again using the Wii and now it works also. At that time I still don’t understand why. I just thought that Wii needs the proxy server, and since I don’t want to turn on my computer just to access the Internet through my Wii, I tried to install tinyproxy on my openwrt linksys router, and it still doesn’t work.

After sniffing with WireShark, I realized the difference in the header (Wii only sends 1 line of GET request). Squid is a caching server, when the Wii asks for the same document, it is already in the proxy server (because I tested the URL with Firefox), so the request was handled properly by my squid.

Realizing that, I installed squid on my router, with wget periodically pulling the connection test to refresh the cache. Now everything is OK, and I think may be I can just redirect the request to to my server, but I will wait to check at my squid log to make sure whether this URL is used for connection test only or for something else.

Porting Linux Kernel To STAR STR9100 (Agestar)

There are quite many limitations using old kernel for Agestar, one of them is you can not install the latest Linux distribution. I am eager to make the new Linux kernel to work on the agestar hardware. So since my last post, mainly I am just hacking at the kernel and not at the userspace stuff. As of today, I managed to boot the new kernel, and wrote a serial driver for it (you can see the boot messages at the end of this post). My next target is to port the USB and/or NIC driver.

As you may have read from my earlier posts, there are no documentations available for the STR 9100 hardware, so I based my work on the source code of the earlier kernel (I can’t believe so many things have changed since the 2.4.36). The initial work is quite easy if you are an experienced kernel developer. Because I am not experienced, I need to study quite many things before reaching the current state.

Because I don’t have any documentation about the FA526 CPU, I took the CPU specific code from the Icy Box. They provide the source code for Kernel 2.6. The SoC uses the same Processor, but completely different hardware for the rest (well, something is better than nothing). For the serial port, I realized that the serial port used is "High-speed 16C550-compliant UART serial channel", so I studied the source code for 8250.c and added a small code to specify the the UART speed, register mapping, and memory location for the UART IO. This creates a much cleaner code than the original serial_str9100.c source code. The serial_str9100.c was 3799 lines of code, mine was about 100 lines of code (70 lines of code in a separate file, and the rest is adding register mapping to 8250.c).

My next plan is to work on the network driver. This should be not so difficult, at least I have higher hope to make this work compared to the USB part. The old network driver have some conditional compilation that indicates it can be compiled in kernel 2.6. I have tried to compile it, and there were many errors and warnings. I will try removing many codes that was not meant for the Agestar configuration (the kernel was from the WAP2000 router, so it contains router specific codes such as to acess hardware NAT).

Continue reading “Porting Linux Kernel To STAR STR9100 (Agestar)”

Linux Kernel

With the help from kineq from the mailing list, I manage to get the network device working. The correct setting was Virgo (Two Macs) option.

I also managed to update the WAP200 source code to by patching it one by one using the patch from You can find the patch in the groups mailing list or here: Download the latest 2.4 kernel, then apply the the patch.

Update: this is not very stable, I don’t know whether because of my kernel options, my current binaries, or something else.

I am still working to make this better.


Right now I am stuck with the network driver for NCB3AST. The network driver from Linksys WAP200 and WRVS4400N is different from the one in the original NC3AST. I am still thinking what should I do now.

As a side note, instead of holding USB EXIT, you can also hold the USB RESET to get to the Armboot menu.

Armboot on NCB3AST

In this post, I will explain some things about armboot boot loader that I have understood. The boot loader on NCB3AST is based on the open source Armboot, but modified by Star technology (unfortunately they don’t share their modification). You need to connect to the serial port using 38400N1. I am using kermit to connect, but you can use cu or other programs. To enter the Armboot boot menu, you must hold and press USB EXIT button while powering it on. You will start seeing delay tim 0 until 9, and after that, the device will try to connect to mass production server (I don’t know what the protocol is, but if we can reverse engineer this, this can potentially be used for unbricking the device without opening the device).

Continue reading “Armboot on NCB3AST”

Hacking Agestar NCB3AST: Day 2

The first thing that I want to do today is to unbrick my NCB3AST. To unbrick it, I need to have a RS232 TTL converter. After waking up late, and doing some other weekend business, I went to Icon in Chiang Mai. I bought a data cable for Alcatel 511 (actually almost any data cable that isn’t mini USB would be fine, this is the one that I found), and after looking around, I found the schematics for the data cable. It helps me to decide where should I connect each cable guided by the close up photo from Chris.

I still doesn’t understand why my new image won’t boot, it always stops with:

undefined instruction
pc : [<00500004>]    lr : [<0d05ae60>]
sp : 0d05af00  ip : 00500000  fp : 0cf00000
r10: e8bd0070  r9 : 00000000  r8 : 00000108
r7 : 00613226  r6 : 00900000  r5 : 54420005  r4 : 00000004
r3 : 0cf00000  r2 : 0003a530  r1 : 00000001  r0 : 0003a7d4
Flags: nZcv  IRQs off  FIQs off  Mode SVC_32

The default boot command is

cp.l 0x10020000 0xcf00000 0x1f0000;go cf00000

After quite a long time, I realized that if i just type:

go 0x10020000

The kernel will be loaded just fine. I don’t understand why the firmware won’t work when the kernel is copied to cf00000 and then booted. If i have a debugger, then this memory debugging stuff can be much easier to solve.

Continue reading “Hacking Agestar NCB3AST: Day 2”

Hacking NCB3AST: Day 1

I will consider yesterday as day 1 in hacking the the my NAS drive NCB3AST, since I just started concentrating on this. Chris Baird gave me some pointer to look at WRVS440N Linux kernel source code and also gave me some info about the boot loader and serial port (this will be useful in Day2). What I did on Day 1 was looking at several firmware files and comparing it to the /dev/mtd0-3. My conclusion was:

  1. The size of the binary file is always 8 mb
  2. The first 128 kb is the ARMBoot boot loader
  3. After the boot loader is the kernel image, which is init.o + bzImage + initrd.gz
  4. There is no special header
  5. There are some offsets where you need to put some "0101" and "Supercom" string  (It seems the location is constant)
  6. Looking at the source code of init.o (init).S I can know where to get and put the initrd to modify the firmware
  7. Unfortunately if I made init.gz that is larger than the original firmware, the device won’t boot.

So at the end of day one, my NAS was bricked. It is not completely bricked as I can still use it as a "harddisk casing". When it is bricked, I can still access my data in the harddrive, the USB mass storage device is recognized as JM20337 USB2.0 to SATA & PATA Bridge.

Continue reading “Hacking NCB3AST: Day 1”


I found this quite cheap NAS (around 87 USD) few days ago when buying a new hard drive. This is cheap by Chiang Mai’s standard, because if you buy cheaper stuff from the Internet, you will need to pay a lot for shipping cost and tax. This NAS runs Linux but unfortunately they don’t provide the source code. Someone have managed to open this NAS, and connect serial port to it, while another guy find a way to access the shell by modifying samba configuration. I have managed to compile a simple hello world application and run it on the device using I am planning to do more hacking on this device this weekend, and will write more about it.