Added soic and serial sections

Giulio 4 years ago
parent
commit
91f3286b39
3 changed files with 69 additions and 1 deletions
  1. 69 1
      Readme.md
  2. BIN
      images/serial.jpg
  3. BIN
      images/soic.jpg

+ 69 - 1
Readme.md

@@ -9,6 +9,8 @@ https://www.alibaba.com/product-detail/AR9331-long-range-wifi-192-168_6210663865
 These are 2.4ghz AR9330 based boards, powered via POE (although on a non standard voltage), with two 10/100/1000 ethernet ports, an integrated antenna and a waterproof enclosure.
 I received the first one from Aliexpress but i plan to get some other to test as well.
 
+[There's a video on YouTube of someone unpacking and reviewing it](https://www.youtube.com/watch?v=i3WUmMOqit0). It also show the OEM web interface.
+
 ## Pictures
 ![Front](https://git.lsd.cat/g/openwrt-cpe46b/raw/master/images/front.jpg)
 ![Label](https://git.lsd.cat/g/openwrt-cpe46b/raw/master/images/label.jpg)
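Review bot: Grammar slip in the added line after the Aliexpress paragraph: "It also show the OEM web interface" should be "It also shows the OEM web interface". Since the link text is the only description of the video, it would also help to say which device or firmware version is being reviewed, so readers can tell whether the web interface shown matches their unit.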
@@ -16,4 +18,70 @@ I received the first one from Aliexpress but i plan to get some other to test as
 ![PCB](https://git.lsd.cat/g/openwrt-cpe46b/raw/master/images/pcb.jpg)
 
 ## PCB
-From the PCB picture it is clear that the board has an easily accessible serial header and that it has an SOIC8 flash chip (Winbond 25Q64).
+From the PCB picture it is clear that the board has an easily accessible serial header and that it has a SOIC8 flash chip (Winbond 25Q64). Given this info, there are two possibilities to start learning about the board via hardware: connecting to the serial console and get whatever the oem firmware prints out and do a direct hardware image of the flash chip.
+
+## Dumping the original firmware without hardware
+Before even trying the SOIC clip or the serial port i wanted to check around the stock firmware. It looks like the device has no DHCP server but it has a fixed `192.168.0.1` ip address and default `admin:admin` credentials.
+By default, there's only the web intrace and a telnet server listening on the public interface. The credentials for the telnet interface are `root` without password.
+
+While upon collecting the user is dropped in a restriced pompt with few commands available, it is possible to inject commands in almost any of it via common shell separators `|;&`.
+With the command injection is easy to understand that the device is already running a heavily customized OpenWRT fork, running on `Linux 2.6.31`.
+
+Catting `/proc/self/cmdline` gives more info about the boot command.
+
+
+```
+
+```
+
+
+## Raspberry PI GPIO with a SOIC8 CLIP
+
+![Soic](https://git.lsd.cat/g/openwrt-cpe46b/raw/master/images/soic.jpg)
+
+[The following istruction are recycled from this other guide](https://git.lsd.cat/g/thinkpad-coreboot-qubes/src/master/README.md).
+
+
+```
+    ______
+1--| O    |--8
+2--|      |--7
+3--|      |--6
+4--|______|--5
+
+```
+
+Remeber to research your chip model and manufacturer and double check the pin layout using the official datasheet.
+
+| 1  | 2  | 3   | 4   | 5  | 6   | 7     | 8   | Flash pin number |
+|----|----|-----|-----|----|-----|-------|-----|------------------|
+| CS | DO | /WP | GND | DI | CLK | /HOLD | VCC | Pin name         |
+| 24 | 21 | GND | 25  | 19 | 23  | GND   | 17  | Rpi GPIO number  |
+
+Please refer to the multiple flashing guides available
+ * https://www.flashrom.org/RaspberryPi
+ * https://libreboot.org/docs/install/rpi_setup.html
+ * https://karlcordes.com/coreboot-x220/
+ * https://tylercipriani.com/blog/2016/11/13/coreboot-on-the-thinkpad-x220-with-a-raspberry-pi/
+ * https://github.com/bibanon/Coreboot-ThinkPads/wiki/Hardware-Flashing-with-Raspberry-Pi
+
+From a root prompt on the Rpi
+```
+# flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r flash1.bin
+# flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r flash2.bin
+# flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r flash3.bin
+# sha1sum flash*.bin
+```
+Check that all the checksums do match. In case they don't there's probably something wrong in the clip position or in the wiring. Remember that no pin should left floating even if it's not useful for the operation. /WP and /HOLD should be always connected to something like GND or VCC.
+
+## Serial interface
+
+![Serial](https://git.lsd.cat/g/openwrt-cpe46b/raw/master/images/soic.jpg)
+
+The serial header is easy to work with and has clearly written the pinout on it. Any cheap usb adapter will probably work. In my case the baudrate is 115200, however, a script like [baudare.py](https://github.com/somu1795/baudrate) should do the trick.
+
+Common softwares for serial communication are `minicom` and `screen`.
+
+```
+# screen /dev/ttyUSB0 115200
+```
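Review bot: The image under "## Serial interface" links to images/soic.jpg, the same file embedded in the SOIC8 section, although this commit adds images/serial.jpg; the link should point at https://git.lsd.cat/g/openwrt-cpe46b/raw/master/images/serial.jpg. In the firmware section, the fenced block after "Catting `/proc/self/cmdline`" is empty, and that path returns the command line of the reading process, while the kernel boot arguments are in `/proc/cmdline`; correct the path and paste the output, or drop the sentence and the fence. In the pin table, the row labelled "Rpi GPIO number" lists 25 for GND and 17 for VCC, which reads as physical header pin numbers rather than GPIO numbers, so relabel the row to stop readers wiring the clip by the wrong numbering. Typos to fix in the same pass: "intrace", "restriced pompt", "istruction", "Remeber", "baudare.py", and "no pin should left floating"; "upon collecting" also looks like it was meant to be "upon connecting".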

BIN
images/serial.jpg


BIN
images/soic.jpg