[Huan] Liberates a Router

[Huan Truong] was given a WiFi router and thought he’d improve it by installing a free firmware on it. Unfortunately, the router in question is a bit old, and wasn’t ever popular to begin with, which meant that it was unsupported by the usual open firmware suspects. The problem was that it only had a 4 MB flash to boot off of, but [Huan] was determined to make it work. (Spoiler: he did it, and documented it fully.)

The flash workaround consisted basically of repartitioning the space, and then telling u-boot where to find everything. On a router like the WNR2000 that [Huan] had, the flash is memory-mapped, which meant adding an offset to the flash start (0xbf000000 instead of 0x00000000) and remembering to do this consistently so that he didn’t overwrite things like the MAC address.
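An added example (not from [Huan]’s write-up or the LEDE tree) of the bookkeeping described above: checking a planned flash write against the memory-mapped base and the regions that must survive. The 64 KiB erase block and the ART partition sitting in the last block are assumptions, and the 0x050000 u-boot size is the figure quoted in the comments below.

```python
FLASH_BASE = 0xBF000000        # memory-mapped flash start (from the article)
FLASH_SIZE = 4 * 1024 * 1024   # 4 MB part (from the article)
ERASE_BLOCK = 0x10000          # assumed 64 KiB erase block

# Regions that must survive a reflash, as (offset, length). The u-boot size is
# the 0x050000 figure from the comments; the ART location is an assumption.
PROTECTED = {
    "u-boot": (0x000000, 0x050000),
    "art": (FLASH_SIZE - ERASE_BLOCK, ERASE_BLOCK),
}

def to_mapped(offset):
    """Convert a flash-relative offset to the address u-boot must be given."""
    if not 0 <= offset < FLASH_SIZE:
        raise ValueError(f"offset {offset:#x} is outside the flash part")
    return FLASH_BASE + offset

def check_write(target, length):
    """Return a list of problems with writing `length` bytes at `target`.

    `target` is the address as typed at the u-boot prompt, so a flash-relative
    value (one missing the 0xbf000000 offset) is reported rather than accepted.
    """
    if target < FLASH_BASE:
        return [f"{target:#010x} is not memory-mapped; did you mean "
                f"{FLASH_BASE + target:#010x}?"]
    problems = []
    start = target - FLASH_BASE
    end = start + length
    # Erasing works on whole blocks, so the damage extends to the block end.
    erased_end = -(-end // ERASE_BLOCK) * ERASE_BLOCK
    if end > FLASH_SIZE:
        problems.append(f"write ends {end - FLASH_SIZE:#x} bytes past the flash")
    if start % ERASE_BLOCK:
        problems.append(f"start {start:#x} is not erase-block aligned")
    for name, (p_off, p_len) in PROTECTED.items():
        if start < p_off + p_len and p_off < erased_end:
            problems.append(f"overlaps protected region '{name}'")
    return problems
```

Under these assumptions an image of exactly 0x3A0000 bytes at 0xbf050000 passes, while one byte more is rejected because the erase would spill into the last block.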

[Huan] went for the LEDE fork of OpenWRT, and rebuilt it from source because he needed a small version to fit inside his limited flash. With this task completed, it worked. All done? Nope, [Huan] then submitted a pull request to LEDE, and now you can enjoy the fruits of his labor without replicating it. But if you’ve got another low-flash, obscure router, you’ve got a head start in getting LEDE up and running on it.

Routers are perhaps the most-hacked device that we see here, and they can be made pretty darn useful with the right firmware. Sometimes getting a custom firmware running is relatively easy, as it was here, and sometimes it requires some deep reverse engineering. But it’s good to keep up your router-hacking chops, because they may not always be as open as they are now.

32 thoughts on “[Huan] Liberates a Router”

      1. I don’t know what you’re talking about. It looks right to me (after I sneakily edited it).

        Thanks. Oops. And sorry, Huan.

        A friend of mine in grad school, Raffaella, went by “Jane” at a local bagel place. They messed that up once. Added a “y”. She was apoplectic.

  1. If only someone would do this with the numerous 2wire DSL modem/router combo units that are basically all landfill fodder at this point. Probably have a half-dozen I can’t bring myself to toss.

    1. If you were buying brand-new computers, that would have been almost 30 years ago. 30 years before that, UNIVAC was clocking in at 0.002 MIPS. UNIVAC to the 286/386/680x0 era is a 500x increase in MIPS over 30 years. From 286/386/680x0 to Core i7 6950X is about a 40,000x increase in MIPS over 30 years. If someone is ever worried that “everything has already been invented, we can’t do better than this” tell them we always find a way.

  2. I’ve used several routers from that series, and while they never captured the tech blog headlines, they did what they were supposed to do, and they did a pretty decent job of it, and they weren’t going to break the bank (some of these under premium consumer models ringing in north of $200 seem a bit absurd to me… diminishing returns and such). Perhaps some of us define “popular” a little differently, but all in all it’s a decent model. Heck, I think I’ve still got one kicking around somewhere… maybe I’ll fire it up and give this firmware a try!

    1. I use my WNDR as an AP. If there’s any fault, it is that the hardware eventually fails in some way. Ports go bad, wireless wonky, USB gets loose, etc. Their cheapness is a blessing and a curse.

    2. I personally have a Netgear WNDR3800 as recommended by CeroWRT and Free Wifi project ages ago. I just bought another exact one for my lady friend on Amazon, $20 with free shipping and runs LEDE fine. Given it has Wifi-N and the connection in here never reaches 50Mbps, it does a very decent job of keeping everyone happy.

  3. 4MB? The LogiLink WL0081 (rebranded Tenda W311R) runs Linux with only 2MB of flash!
    And I still had enough free space to add dropbear and strace.
    It uses uClibc, puts everything into the compiled-in initramfs, and compresses the uImage with lzma.

    1. Do you care to explain what’s wrong with it?

      I got the cable from a surplus auction with a CRT Mac and a keyboard about 10 years ago. I distinctively remember that it has a groove so it only fits Mac keyboards and mice. I bent it with a pair of pliers to make it universal and never cared enough to do anything more about it, until that day I realized that I need to plug the TTL adapter to the laptop USB port and I need an extension cable because the wires from the router to the adapter were too short. I don’t know why I still have it even.

  4. Let’s assume for a moment that we can magically make SMT soldering simpler for a moment. What would be the hazards of replacing the flash part?
    It sounds like it’s probably a NOR flash part which might be tricky to find a programmer for depending on the interface. But let’s do some handwaving and make all this easy.
    What are the roadblocks to changing the flash part with something larger?

    1. Nothing is stopping you from replacing the NOR flash, except for it’s probably not that economical, given you can get a flash chip for $10 shipped on eBay and for $5 more, you can probably get a very good router that has wireless-N used. It would be a fun project, though.

      What I imagine you’d have to do is to find the datasheet for the chip, find a SOIC clip or a programmer, transfer u-boot over (so copy 050000 first bytes of the dump, also the flash region for the ART partition) and then flash LEDE uImage and rootfs over. Indeed that’s what my friend is intending to do when he’s free.

  5. One reason why OpenWRT is too big for routers with less RAM and less flash is the GUI. Either make it a much simpler GUI or go to a “TUI” using text characters, remember games like KROZ that used ANSI graphics? Or just ditch the user interface completely and configure by telnet. Then if you must have a GUI, make it client side and push the configuration behind the scenes by telnet.

    If it still can be squeezed small enough to fit into 2 megs (or less), then strip down the functions and make different sub versions that only do a few things, even as little as one.

    What I bet would be a highly popular version is one that just “reverses” a WiFi router so that the wireless connects to an access point instead of being an access point. No reason a custom firmware couldn’t fit into the same amount of space as the firmware that’s already in the box – as long as the custom firmware doesn’t include everything and the kitchen sink plus a GUI full of bulky graphics.

    I did finally obtain an OpenWRT compatible router. It’s a Cisco Linksys EA2700. Snagged it at a yardsale for 75 cents. Put OpenWRT in it and have it configured with the wireless connected to a DSL modem in another building, and as a separate access point, plus using the wired ports.

    I’d still like to be able to reverse the function of one of the other WiFi routers I have to be able to connect my Playstation 2, XBox and Xbox 360 to WiFi.

    1. >What I bet would be a highly popular version is one that just “reverses” a WiFi router so that the wireless connects to an access point instead of being an access point.

      Oh that’s called a wireless client, and that’s what I’m using for my friend and myself — all we have to do is to define the interface as WWAN. You can have the router be both the client and an AP on the same radio hardware, with the sole restriction that the channel of the AP has to be the same as the channel of the wireless network it’s connecting to.
