Jan Krupa

This article provides solution for EEPROM checksum problem with Atheros cards. I've successfully used it to repair Atheros based Wistron Neweb CM9.

wifi%d: unable to attach hardware: 'EEPROM checksum invalid' (HAL status 7)

UPDATE: I've put new version of read/write EEPROM tool on my homepage. Everything is now integrated into one easy-to-use tool. You can download it here.

Because MadWifi with original HAL from Atheros doesn't load when there is some problem with EEPROM, it's needed to compile madwifi-old + OpenHAL. I wrote small howto in previous blog post.

Tools needed

• madwifi-old + OpenHAL
• idchanger_plnt.c – My modifcation of idchanger tool for EEPROM dump.
• ar5k_plnt.c – My modification of ar5k tool for EEPROM write.
• Functional Atheros card (preferably same model as broken one)

madwifi-old + OpenHAL

After loading madwifi-old + OpenHAL (if it was successfull) you should be able to access EEPROM (check dmesg for details).

Broken EEPROM dump (backup)

We should test proper work of EEPROM access by doing backup of actual state of corrupted EEPROM to eeprom_broken_be­fore.txt file.

host-broken:~# lspci -v
...
0000:00:0c.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01)
        Subsystem: Wistron NeWeb Corp.: Unknown device 1012
        Flags: bus master, medium devsel, latency 168, IRQ 11
        Memory at df000000 (32-bit, non-prefetchable) [size=64K]
        Capabilities: [44] Power Management version 2
...

host-broken:~# gcc ./idchanger_plnt.c -o ./idchanger_plnt

host-broken:~# ./idchanger_plnt -r 0xdf000000 > ./eeprom_broken_before.txt

host-broken:~# cat ./eeprom_broken_before.txt
Accessing adapter at 0xDF000000
Reading 0 current value 0x0013
...
Reading 3ff current value 0x0000

Working EEPROM dump

After backup of broken EEPROM we need to obtain data from working card the same way as we did backup from broken one. There is just one difference – we can use MadWifi-ng or madwifi-old with original HAL since it loads without a problem. No need to compile and load madwifi-old + OpenHAL. In the end we'll transfer eeprom_workin­g.txt file to host-broken host to have all the EEPROM dumps on one place.

host-working:~# lspci -v
...
0000:00:0c.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01)
        Subsystem: Wistron NeWeb Corp.: Unknown device 1012
        Flags: bus master, medium devsel, latency 168, IRQ 11
        Memory at f9000000 (32-bit, non-prefetchable) [size=64K]
        Capabilities: [44] Power Management version 2
...

host-working:~# gcc ./idchanger_plnt.c -o ./idchanger_plnt

host-working:~# ./idchanger_plnt -r 0xf9000000 > ./eeprom_working.txt

host-working:~# cat ./eeprom_working.txt
Accessing adapter at 0xF9000000
Reading 0 current value 0x0013
...
Reading 3ff current value 0x0000

host-working:~# scp ./eeprom_working.txt root@host-broken:/root

Cloning of working EEPROM to broken one

Now we've got both dumps on one place on the computer with broken card. So we'll diff them.

host-broken:~# diff ./eeprom_broken_before.txt ./eeprom_working.txt
1c1
< Accessing adapter at 0xDF000000
---
> Accessing adapter at 0xF9000000
31c31
< Reading 1d current value 0x1234
---
> Reading 1d current value 0x5678
169c169
< Reading a7 current value 0xAAAA
---
> Reading a7 current value 0xBBBB
194c194
...

Finally we'll use ar5k_plnt tool to flash the modified values from diff file. You should put it in shell script, because there will be probably many differences.

host-broken:~# gcc ./ar5k_plnt.c -o ./ar5k_plnt

host-broken:~# ./ar5k_plnt 0xdf000000 0x1d 0x5678
Current value 0x1234 on position 0x001D will change to 0x5678

host-broken:~# ./ar5k_plnt 0xdf000000 0xa7 0xBBBB
Current value 0xAAAA on position 0x00A7 will change to 0xBBBB
...

After flashing all of the data to broken EEPROM you should try to unload madwifi-old + OpenHAL driver and try to load MadWifi-ng or madwifi-old with original Atheros HAL. If it loads, you were successfull.

Fixing MAC address

As you probably already found out, broken Atheros card is complete clone of the working one – including MAC address. That's not the best idea. If you want to put the original MAC address back, you need to flash 1D, 1E, 1F (first location) and A5, A6, A7 (second location, opossite order of hex numbers) from to broken card back. Here is an example of MAC address structure and location.

MAC 11:22:33:44:55:66

1D - 0x5566
1E - 0x3344
1F - 0x1122

A5 - 0x2211
A6 - 0x4433
A7 - 0x6655

Thanks to people from ath-driver.org / ar5k for these great tools which I just little modified to access more than 512 bytes of EEPROM. I know that my modifications are crappy but I just need it for one flash so I didn't rewrite it more proper way. Maybe I'll do it in the future.

Although this fix should work, I don't recommend you to use it unless you really need it and know what you are doing. Each EEPROM probably contain data with RF tunning which can negatively improve your transmission quality. I recommend you to make backup of your EEPROM before the card broke (I know.. easy to say, hard to do.. so you can flash the original content back.

Legal disclaimer: I don't guarantee that this will work. Everything you do is at your own risk.

This entry was posted on Saturday, January 13th, 2007 at 10:04 pm and is filed under EN, WiFi.