This article was originally based on work by Frontalot at linkstationwiki.org and has since been largely re-written.
The Linkstation HG AVR
The AVR in the HG Linkstation is an AT90S2313-4SC made by ATMEL, not Freescale as previously documented here. This is a cheap 4 MHz AVR with 2k of program space and 128 bytes of EEPROM.
CN4 (next to the battery on the LS HG board) is a 6-pin ISP header that can be used to read or program the AVR with a cheap programmer such as a usbtiny, which can be purchased as a kit or assembled from various hobby electronics websites. The cable supplied with the usbtiny has the same pinout and fits perfectly.
Hacking with avrdude
This is a basic walkthrough on analysing the AVR in the HG Linkstation with avrdude, dude. The following analysis was done entirely on OS X and will work the same in Linux.
The following command tests connectivity to the AVR using a usbtiny connected to CN4:
macbook-pro-15:~ root# avrdude -c usbtiny -p2313 -n
avrdude: AVR device initialized and ready to accept instructions
Reading | ################################################## | 100% 0.01s
avrdude: Device signature = 0x1e9101
avrdude done. Thank you.
This shows that avrdude can successfully connect to the AVR on the HG Linkstation, which means we can probably upload new firmware if we want to and extract the existing firmware that it originally shipped with.
Extracting AVR Information
So we want to know more about our AVR. We could look in the datasheet for this information, but the part command in avrdude will tell us all we need to know to extract the firmware and anything else in the EEPROM. Typically I'll poke an AVR with an interactive avrdude session at this stage; here is how to start one with a usbtiny:
macbook-pro-15:~ root# avrdude -c usbtiny -p2313 -n -t
avrdude: AVR device initialized and ready to accept instructions
Reading | ################################################## | 100% 0.01s
avrdude: Device signature = 0x1e9101
avrdude>
Now the avrdude console can be issued various commands to interact with the AVR. Let's use the part command we talked about earlier:
avrdude> part
>>> part

AVR Part                      : AT90S2313
Chip Erase delay              : 20000 us
PAGEL                         : P00
BS2                           : P00
RESET disposition             : dedicated
RETRY pulse                   : SCK
serial program mode           : yes
parallel program mode         : yes
Timeout                       : 200
StabDelay                     : 100
CmdexeDelay                   : 25
SyncLoops                     : 32
ByteDelay                     : 0
PollIndex                     : 3
PollValue                     : 0x53
Memory Detail                 :

                         Block Poll               Page                       Polled
  Memory Type Mode Delay Size  Indx Paged  Size   Size #Pages MinW  MaxW   ReadBack
  ----------- ---- ----- ----- ---- ------ ------ ---- ------ ----- ----- ---------
  eeprom         4    12    64    0 no        128    0      0  4000  9000 0x80 0x7f
  flash          4    12   128    0 no       2048    0      0  4000  9000 0x7f 0x7f
  signature      0     0     0    0 no          3    0      0     0     0 0x00 0x00
  fuse           0     0     0    0 no          1    0      0     0     0 0x00 0x00
  lock           0     0     0    0 no          1    0      0  9000  9000 0x00 0x00

avrdude>
From the above information we can see the different memory types present in the AVR and their sizes - this means we can easily dump out the EEPROM (storage) and flash (program area) memory and see what is inside them.
Let's dump the EEPROM and have a look inside - this memory area is typically used by an AVR for persistent storage:
>>> dump eeprom 0 100
0000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0010  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0020  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0030  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0040  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0050  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0060  ff ff ff ff                                       |....            |

avrdude>
As we can see, it does not have anything useful inside.
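Checking a longer listing by eye gets error-prone, so here is a small parser for the dump output format shown above. It is an added example, not part of the original walkthrough: dump_summary, sample_dump and the sample listing are constructed for illustration. It reports how many bytes were listed, how many are not 0xff, and the offset of the first such byte.

```shell
#!/bin/sh
# Added example: summarise an avrdude terminal-mode "dump" listing on stdin.
# Output: "<bytes listed> <bytes that are not 0xff> <first such offset or ->"
dump_summary() {
    awk '
    # Portable hex-to-decimal (strtonum is gawk-only).
    function hex(s,   i, v) {
        v = 0; s = tolower(s)
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return v
    }
    # Data rows start with a 4-digit hex offset; prompts and echoes do not.
    $1 ~ /^[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]$/ {
        base = hex($1)
        # Byte columns run until the ASCII column, which starts with "|".
        for (f = 2; f <= NF && substr($f, 1, 1) != "|"; f++) {
            total++
            if (tolower($f) != "ff") {
                bad++
                if (first == "") first = sprintf("0x%04x", base + f - 2)
            }
        }
    }
    END { printf "%d %d %s\n", total, bad, (first == "" ? "-" : first) }
    '
}

# Constructed sample listing (not read from a real device): 20 bytes,
# with a single programmed byte at offset 0x12.
sample_dump() {
cat <<'EOF'
>>> dump eeprom 0 20
0000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0010  ff ff 4c ff                                       |..L.            |

avrdude>
EOF
}
```

Pasting the EEPROM listing above into dump_summary gives a non-0xff count of 0, matching the observation that the EEPROM is empty.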
Finally let's dump the 2k program area - this contains the firmware that the AVR runs:
Pin assignment for the HGAVR
NOTE THIS SECTION IS POSSIBLY WRONG AND NEEDS RE-WRITING - unless there is a different edition of the HG Linkstation that uses a different kind of MCU (the number of AVR pins in my HG is 20, can someone verify 28 on another?)
The pin assignments and their functions in the HG are listed in the following table:
|2||PTA0||DIAG LED||27||PTA5||Power switch input|
|3||VSS||CN3.6 / CN3.9||26||PTD4||Fan pulse input for status checking|
|5||OSC2||-||24||PTD2||Control 12V feed to the main switching power via TR5, TR3|
|6||PTA1||Disk full LED||23||PTA4||Reset switch input|
|7||VDD||CN3.2||22||PTD3||Fan speed control via TR2,TR1|
|8||PTA2||Power LED green||21||PTB0||CN3.5|
|9||PTA3||Power LED yellow||20||PTB1||CN3.10|
|10||PTB7||NC||19||PTD1||IDE reset / TRST (CN5.4 via R66)|
|13||RXD||Connects to /dev/ttyS1||16||PTD0||Flash reset (ZRP on IC8.12)|
|14||TXD||Connects to /dev/ttyS1||15||PTB4||NC|
Interaction With AVR In Linux
The AVR controls much of the LinkStation hardware, including the power button and LED indicator. It is controlled by the commands sent to /dev/ttyS1. To send commands to the AVR:
echo -n "commands" > /dev/ttyS1
|\30\30\30\30||Stops smbd and atalkd if /dev/hda3 is not mounted to /mnt. Sent by /www/script/melsub_diskcheck.sh.|
|[[[[||Starts slowly blinking power LED (sleep).|
|]]]]||High-speed cooling fan rotation.|
|\\\\||Low-speed cooling fan rotation.|
|>>>>||Unknown. Sent by ppc_uartd on boot.|
|AAAA||Unknown. Sent by ppc_uartd on boot.|
|CCCC||Sent by shutdown -r now (reboot).|
|EEEE||Sent by shutdown -h now (halt).|
|FFFF||Unknown. Sent by ppc_uartd on boot.|
|JJJJ||Unknown. Sent by ppc_uartd on boot.|
|KKKK||Unknown. Sent by ppc_uartd on boot.|
|QQQQ||Unknown. Sent by ppc_uartd on set timer.|
|RRRR||End of clear flash memory.|
|SSSS||Start of clear flash memory and /www/script/melsub_init.sh. Sent by /www/script/melsub_flash.sh.|
|TTTT||Flash memory update completed (stops blinking power, disk full, and diagnostic LEDs).|
|UUUU||Flash memory update started (starts blinking power, disk full, and diagnostic LEDs).|
|VVVV||Turns off disk full LED.|
|WWWW||Turns on disk full LED.|
|XXXX||Stops blinking disk full LED.|
|YYYY||Starts blinking disk full LED.|
|ZZZZ||Stops slowly blinking power LED. Sent by ppc_uartd.|
|gggg||Diagnostic LED blinks 3 times and system shutdown (partition error).|
|iiii||Diagnostic LED blinks 4 times and system shutdown (cooling fan error).|
|kkkk||Diagnostic LED blinks 5 times and system powers off (flash memory error).|
|mmmm||Diagnostic LED blinks 6 times and system shutdown (hard drive or ppc_uartd error).|
|oooo||Diagnostic LED blinks 7 times and system shutdown (RAM, NIC, or HDD controller error).|
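A guarded way to send the LED and fan commands from the table above, as an added example that is not part of the original article. The action names, the avr_lookup and avr_send functions and the AVR_TTY override are invented here, and the halt, reboot and flash-clear commands are deliberately left out. printf with single-quoted arguments is used because several commands in the table consist of characters ([, ], \ and >) that the shell or echo may interpret.

```shell
#!/bin/sh
# Added example, not from the original article.
# AVR_TTY is a hypothetical override so the functions can be tried against
# a plain file; on the LinkStation the AVR listens on /dev/ttyS1.
AVR_TTY="${AVR_TTY:-/dev/ttyS1}"

# Translate an action name (invented for this example) into the command
# string from the table. Only LED and fan commands are listed, so a typo
# can never turn into a halt, reboot or flash-clear command.
avr_lookup() {
    case "$1" in
        fan-high)            printf '%s' ']]]]' ;;
        fan-low)             printf '%s' '\\\\' ;;
        diskfull-on)         printf '%s' 'WWWW' ;;
        diskfull-off)        printf '%s' 'VVVV' ;;
        diskfull-blink)      printf '%s' 'YYYY' ;;
        diskfull-blink-stop) printf '%s' 'XXXX' ;;
        sleep-led-on)        printf '%s' '[[[[' ;;
        sleep-led-off)       printf '%s' 'ZZZZ' ;;
        *)                   return 1 ;;
    esac
}

# Send one allowlisted command; anything else is rejected before the
# serial device is opened.
avr_send() {
    cmd=$(avr_lookup "$1") || {
        echo "avr_send: unknown action '$1', nothing sent" >&2
        return 2
    }
    # Every command in the table is one character repeated four times.
    [ "${#cmd}" -eq 4 ] || return 3
    # '%s' writes the bytes as-is, with no trailing newline.
    printf '%s' "$cmd" > "$AVR_TTY"
}
```

For example, `avr_send fan-high` writes `]]]]` to the device, while `avr_send halt` returns an error without opening it.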