wifi%d: unable to attach hardware: 'EEPROM checksum invalid' (HAL status 7)
UPDATE: I've put a new version of the read/write EEPROM tool on my homepage. Everything is now integrated into one easy-to-use tool. You can download it here.
Because MadWifi with the original HAL from Atheros doesn't load when there is a problem with the EEPROM, you need to compile madwifi-old + OpenHAL. I wrote a small howto in the previous blog post.
- madwifi-old + OpenHAL
- idchanger_plnt.c – My modification of the idchanger tool for EEPROM dump.
- ar5k_plnt.c – My modification of the ar5k tool for EEPROM write.
- A functional Atheros card (preferably the same model as the broken one)
madwifi-old + OpenHAL
After loading madwifi-old + OpenHAL (if it was successful) you should be able to access the EEPROM (check dmesg for details).
Broken EEPROM dump (backup)
We should test that EEPROM access works properly by backing up the current state of the corrupted EEPROM to the eeprom_broken_before.txt file.
host-broken:~# lspci -v
...
0000:00:0c.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01)
Subsystem: Wistron NeWeb Corp.: Unknown device 1012
Flags: bus master, medium devsel, latency 168, IRQ 11
Memory at df000000 (32-bit, non-prefetchable) [size=64K]
Capabilities:  Power Management version 2
...
host-broken:~# gcc ./idchanger_plnt.c -o ./idchanger_plnt
host-broken:~# ./idchanger_plnt -r 0xdf000000 > ./eeprom_broken_before.txt
host-broken:~# cat ./eeprom_broken_before.txt
Accessing adapter at 0xDF000000
Reading 0 current value 0x0013
...
Reading 3ff current value 0x0000
Working EEPROM dump
After backing up the broken EEPROM, we need to obtain the data from a working card the same way as we made the backup of the broken one. There is just one difference: we can use MadWifi-ng or madwifi-old with the original HAL, since it loads without a problem. There is no need to compile and load madwifi-old + OpenHAL. At the end we'll transfer the eeprom_working.txt file to the host-broken host so that all the EEPROM dumps are in one place.
host-working:~# lspci -v
...
0000:00:0c.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01)
Subsystem: Wistron NeWeb Corp.: Unknown device 1012
Flags: bus master, medium devsel, latency 168, IRQ 11
Memory at f9000000 (32-bit, non-prefetchable) [size=64K]
Capabilities:  Power Management version 2
...
host-working:~# gcc ./idchanger_plnt.c -o ./idchanger_plnt
host-working:~# ./idchanger_plnt -r 0xf9000000 > ./eeprom_working.txt
host-working:~# cat ./eeprom_working.txt
Accessing adapter at 0xF9000000
Reading 0 current value 0x0013
...
Reading 3ff current value 0x0000
host-working:~# scp ./eeprom_working.txt root@host-broken:/root
Cloning the working EEPROM to the broken one
Now we've got both dumps in one place, on the computer with the broken card. So we'll diff them.
host-broken:~# diff ./eeprom_broken_before.txt ./eeprom_working.txt
1c1
< Accessing adapter at 0xDF000000
---
> Accessing adapter at 0xF9000000
31c31
< Reading 1d current value 0x1234
---
> Reading 1d current value 0x5678
169c169
< Reading a7 current value 0xAAAA
---
> Reading a7 current value 0xBBBB
194c194
...
Finally we'll use the ar5k_plnt tool to flash the changed values from the diff. You should put the commands in a shell script, because there will probably be many differences.
host-broken:~# gcc ./ar5k_plnt.c -o ./ar5k_plnt
host-broken:~# ./ar5k_plnt 0xdf000000 0x1d 0x5678
Current value 0x1234 on position 0x001D will change to 0x5678
host-broken:~# ./ar5k_plnt 0xdf000000 0xa7 0xBBBB
Current value 0xAAAA on position 0x00A7 will change to 0xBBBB
...
After flashing all of the data to the broken EEPROM, unload the madwifi-old + OpenHAL driver and try to load MadWifi-ng or madwifi-old with the original Atheros HAL. If it loads, you were successful.
Fixing MAC address
As you have probably already found out, the broken Atheros card is now a complete clone of the working one, including the MAC address. That's not the best idea. If you want to put the original MAC address back, you need to flash 1D, 1E, 1F (first location) and A5, A6, A7 (second location, opposite order of hex numbers) back to the broken card. Here is an example of the MAC address structure and location.
MAC 11:22:33:44:55:66
1D - 0x5566
1E - 0x3344
1F - 0x1122
A5 - 0x2211
A6 - 0x4433
A7 - 0x6655
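The shell script suggested in the cloning step, combined with the MAC locations listed above, as an added example that is not part of the original post or of the ar5k tools. It assumes the dump format shown earlier ("Reading <offset> current value <value>"); the names gen_writes, demo and the keep-mac option are hypothetical, and the word at offset 20 in the sample is constructed. It only prints the ar5k_plnt commands for review and flashes nothing.

```shell
#!/bin/sh
# Added example: print the ar5k_plnt commands implied by two EEPROM dumps.
# Nothing is written to the card; review the list before running any of it.
MAC_OFFSETS="1d 1e 1f a5 a6 a7"   # MAC words, per "Fixing MAC address"

# gen_writes BROKEN_DUMP WORKING_DUMP BASE_ADDR [keep-mac]
# With keep-mac, differing MAC words are left out so the original MAC survives.
gen_writes() {
    awk -v base="$3" -v keep="${4:-}" -v macs="$MAC_OFFSETS" '
        BEGIN { n = split(macs, m, " "); for (i = 1; i <= n; i++) mac[m[i]] = 1 }
        # Only data lines count: "Reading 1d current value 0x5678"
        $1 != "Reading" || $3 != "current" { next }
        { off = tolower($2) }
        src == "broken" { old[off] = $5; next }      # remember the backup value
        !(off in old) { print "# 0x" off " missing from broken dump, skipped"; next }
        old[off] == $5 { next }                      # word already identical
        keep == "keep-mac" && (off in mac) { next }  # leave the MAC alone
        { print "./ar5k_plnt " base " 0x" off " " $5 }
    ' src=broken "$1" src=working "$2"
}

# demo [keep-mac]: run gen_writes on constructed sample dumps.
# Offsets 1d and a7 use the values from the diff above; offset 20 is made up.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Accessing adapter at 0xDF000000' \
        'Reading 1d current value 0x1234' \
        'Reading 20 current value 0x0001' \
        'Reading a7 current value 0xAAAA' > "$d/broken.txt"
    printf '%s\n' 'Accessing adapter at 0xF9000000' \
        'Reading 1d current value 0x5678' \
        'Reading 20 current value 0x0002' \
        'Reading a7 current value 0xBBBB' > "$d/working.txt"
    gen_writes "$d/broken.txt" "$d/working.txt" 0xdf000000 "${1:-}"
    rm -rf "$d"
}

# Stand-alone use: sh script.sh BROKEN_DUMP WORKING_DUMP BASE_ADDR [keep-mac]
if [ "$#" -ge 3 ]; then gen_writes "$@"; fi
```

Redirect the output to a file, read it through, and only then run it on the host with the broken card.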
Thanks to the people from ath-driver.org / ar5k for these great tools, which I modified just a little to access more than 512 bytes of EEPROM. I know that my modifications are crappy, but I only needed them for one flash, so I didn't rewrite them in a more proper way. Maybe I'll do it in the future.
Although this fix should work, I don't recommend using it unless you really need it and know what you are doing. Each EEPROM probably contains RF tuning data, so cloning it from another card can negatively affect your transmission quality. I recommend making a backup of your EEPROM before the card breaks (I know, easy to say, hard to do) so you can flash the original content back.
Legal disclaimer: I don't guarantee that this will work. Everything you do is at your own risk.