[Huan Truong] was given a WiFi router and thought he’d improve it by installing a free firmware on it. Unfortunately, the router in question is a bit old, and wasn’t ever popular to begin with, which meant that it was unsupported by the usual open firmware suspects. The problem was that it only had a 4 MB flash to boot off of, but [Huan] was determined to make it work. (Spoiler: he did it, and documented it fully.)
The flash workaround consisted basically of repartitioning the space, and then telling u-boot where to find everything. On a router like the WNR2000 that [Huan] had, the flash is memory-mapped, which meant adding an offset to the flash start (0xbf000000 instead of 0x00000000) and remembering to do this consistently so that he doesn’t overwrite things like the MAC address.
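The offset bookkeeping described above can be checked mechanically before anything is written. The following is an added example, not code from [Huan]'s write-up or from LEDE: it parses a partition layout in Linux mtdparts syntax, converts flash offsets to memory-mapped addresses, and reports which read-only partitions a planned write would touch. The sample layout and the function names are constructed for illustration, and keeping must-preserve data in a read-only partition is an assumption.

```python
import re

FLASH_BASE = 0xBF000000        # memory-mapped flash start, as given in the article
FLASH_SIZE = 4 * 1024 * 1024   # 4 MB flash, as given in the article

# Constructed sample layout in mtdparts syntax; NOT the WNR2000's real table.
SAMPLE = "spi0.0:320k(u-boot)ro,3712k(firmware),64k(art)ro"

UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
PART_RE = re.compile(r"^(-|\d+)([km]?)\((\w[\w-]*)\)(ro)?$")

def parse_mtdparts(spec, flash_size=FLASH_SIZE):
    """Return [(name, flash_offset, size, read_only)], laid out back to back."""
    _, _, body = spec.partition(":")
    parts, offset = [], 0
    for item in body.split(","):
        m = PART_RE.match(item.strip().lower())
        if not m:
            raise ValueError(f"bad partition entry: {item!r}")
        num, unit, name, ro = m.groups()
        # "-" means "whatever is left of the flash"
        size = flash_size - offset if num == "-" else int(num) * UNITS[unit]
        if size <= 0 or offset + size > flash_size:
            raise ValueError(f"{name} does not fit in flash")
        parts.append((name, offset, size, bool(ro)))
        offset += size
    return parts

def to_mapped(flash_offset):
    """Flash-relative offset -> address the bootloader has to be given."""
    return FLASH_BASE + flash_offset

def check_write(parts, addr, length):
    """Names of read-only partitions that a write [addr, addr+length) overlaps."""
    if addr < FLASH_BASE or addr + length > FLASH_BASE + FLASH_SIZE:
        # Typical cause: a flash-relative offset used without adding the base.
        raise ValueError(f"0x{addr:08x}+0x{length:x} is outside the mapped flash")
    start = addr - FLASH_BASE
    end = start + length
    return [n for n, off, size, ro in parts
            if ro and start < off + size and end > off]

if __name__ == "__main__":
    for name, off, size, ro in parse_mtdparts(SAMPLE):
        print(f"{name:10s} 0x{to_mapped(off):08x} 0x{size:06x} {'ro' if ro else 'rw'}")
```

A write that fills the firmware partition exactly is clean; one byte more reaches the read-only partition behind it, and an address given without the base is rejected outright.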
[Huan] went for the LEDE fork of OpenWRT, and rebuilt it from source because he needed a small version to fit inside his limited flash. With this task completed, it worked. All done? Nope, [Huan] then submitted a pull request to LEDE, and now you can enjoy the fruits of his labor without replicating it. But if you’ve got another low-flash, obscure router, you’ve got a head start in getting LEDE up and running on it.
Routers are perhaps the most-hacked device that we see here, and they can be made pretty darn useful with the right firmware. Sometimes getting a custom firmware running is relatively easy, as it was here, and sometimes it requires some deep reverse engineering. But it’s good to keep up your router-hacking chops, because they may not always be as open as they are now.
32 thoughts on “[Huan] Liberates A Router”
Oups title error: “[Huan]” not “[Haun]”
No worries, I am pretty lenient to the spelling of both my first and last name. I even have an English name, Jimmy, to use in Starbucks so that people have an easier and faster time spelling my name. The other day the barista asked me how do I spell Jimmy?
I don’t know what you’re talking about. It looks right to me (after I sneakily edited it).
Thanks. Oops. And sorry, Huan.
A friend of mine in grad school, Raffaella, went by “Jane” at a local bagel place. They messed that up once. Added a “y”. She was apoplectic.
People do tend to be rather sensitive about their names…
If only someone would do this with the numerous 2wire DSL modem/router combo units that are basically all landfill fodder at this point. Probably have a half-dozen I can’t bring myself to toss.
I did some googling, and 2wire uses a Trimedia VLIW CPU core that doesn’t really have much support, sadly. Most routers run MIPS (and a few ARM), both of which are easier to deal with…
His router reports that it can do 265 bogoMIPS. I remember being so excited when I had a desktop computer that made it over 1 MIPS.
If you were buying brand-new computers, that would have been almost 30 years ago. 30 years before that, UNIVAC was clocking in at 0.002 MIPS. UNIVAC to the 286/386/680x0 era is a 500x increase in MIPS over 30 years. From 286/386/680x0 to Core i7 6950X is about a 40,000x increase in MIPS over 30 years. If someone is ever worried that “everything has already been invented, we can’t do better than this” tell them we always find a way.
That’s sort of the problem, though. While power is generally not a concern, functionality and support are.
I bet, if I were to live on an island, the general-purpose 1 MIPS computer is probably more fun to play with than the 265 bogoMIPS router I have. :)
I don’t think a netgear router like that is all that obscure.
Although I guess it was to OpenWRT, which is a bit surprising.
It’s rather old and rather underpowered so far as OpenWRT is concerned, so it likely didn’t have support because it wasn’t supposed to be able to run.
Well, mess up on my part. I don’t see many people discussing it on the forums, so I thought it was obscure.
Old routers do come in handy as repurposed local single task servers. e.g. DNS, DHCP, VPN, etc.
I’ve used several routers from that series, and while they never captured the tech blog headlines, they did what they were supposed to do, and they did a pretty decent job of it, and they weren’t going to break the bank (some of these under premium consumer models ringing in north of $200 seem a bit absurd to me… diminishing returns and such). Perhaps some of us define “popular” a little differently, but all in all it’s a decent model. Heck, I think I’ve still got one kicking around somewhere… maybe I’ll fire it up and give this firmware a try!
I use my WNDR as an AP. If there’s any fault, it is that the hardware eventually fails in some way. Ports go bad, wireless wonky, USB gets loose, etc. Their cheapness is a blessing and a curse.
I personally have a Netgear WNDR3800 as recommended by CeroWRT and Free Wifi project ages ago. I just bought another exact one for my lady friend on Amazon, $20 with free shipping and runs LEDE fine. Given it has Wifi-N and the connection in here never reaches 50Mbps, it does a very decent job of keeping everyone happy.
4MB? The LogiLink WL0081 (rebranded Tenda W311R) runs Linux with only 2MB of flash!
And I still had enough free space to add dropbear and strace.
It uses uClibc, puts everything into the compiled-in initramfs, and compresses the uImage with lzma.
My 386 ran X with 2MB…
…of persistent storage?
Or as Bill Gates famously said, 2 MB should be enough for anyone. :)
Don’t be daft. 640KB is more than enough…
The thing that stands out the most to me is that incredibly old mac USB cable he is using. Those cables caused all sorts of problems.
Do you care to explain what’s wrong with it?
I got the cable from a surplus auction with a CRT Mac and a keyboard about 10 years ago. I distinctly remember that it has a groove so it only fits Mac keyboards and mice. I bent it with a pair of pliers to make it universal and never cared enough to do anything more about it, until that day I realized that I need to plug the TTL adapter to the laptop USB port and I need an extension cable because the wires from the router to the adapter were too short. I don’t know why I still have it even.
Awesome. Now I need to resume my project to get OpenWRT running on my dead WRN2020. :) (I accidentally killed U-Boot, and put the project on hold because I had already spent too much time on it)
Just a curiosity, how does one find a compiler for these chipsets?
If you want to build LEDE, it compiles a cross-compiler automatically for you. The LEDE/OpenWRT SDK is where you can also find the cross-compiler, too: https://lede-project.org/docs/guide-developer/compile_packages_for_lede_with_the_sdk . It works flawlessly on my Ubuntu 16.04 setup.
Let’s assume for a moment that we can magically make SMT soldering simpler for a moment. What would be the hazards of replacing the flash part?
It sounds like it’s probably a NOR flash part which might be tricky to find a programmer for depending on the interface. But let’s do some handwaving and make all this easy.
What are the roadblocks to changing the flash part with something larger?
Nothing is stopping you from replacing the NOR flash, except that it’s probably not that economical, given you can get a flash chip for $10 shipped on eBay and for $5 more, you can probably get a very good router that has wireless-N used. It would be a fun project, though.
What I imagine you’d have to do is to find the datasheet for the chip, find a SOIC clip or a programmer, transfer u-boot over (so copy 050000 first bytes of the dump, also the flash region for the ART partition) and then flash LEDE uImage and rootfs over. Indeed that’s what my friend is intending to do when he’s free.
One reason why Open WRT is too big for routers with less RAM and less flash is the GUI. Either make it a much simpler GUI or go to a “TUI” using text characters, remember games like KROZ that used ANSI graphics? Or just ditch the user interface completely and configure by telnet. Then if you must have a GUI, make it client side and push the configuration behind the scenes by telnet.
If it still can be squeezed small enough to fit into 2 megs (or less), then strip down the functions and make different sub versions that only do a few things, even as little as one.
What I bet would be a highly popular version is one that just “reverses” a WiFi router so that the wireless connects to an access point instead of being an access point. No reason a custom firmware couldn’t fit into the same amount of space as the firmware that’s already in the box – as long as the custom firmware doesn’t include everything and the kitchen sink plus a GUI full of bulky graphics.
I did finally obtain an OpenWRT compatible router. It’s a Cisco Linksys EA2700. Snagged it at a yardsale for 75 cents. Put OpenWRT in it and have it configured with the wireless connected to a DSL modem in another building, and as a separate access point, plus using the wired ports.
I’d still like to be able to reverse the function of one of the other WiFi routers I have to be able to connect my Playstation 2, XBox and Xbox 360 to WiFi.
>What I bet would be a highly popular version is one that just “reverses” a WiFi router so that the wireless connects to an access point instead of being an access point.
Oh that’s called a wireless client, and that’s what I’m using for my friend and myself — all we have to do is to define the interface as WWAN. You can have the router be both the client and an AP on the same radio hardware, with the sole restriction that the channel of the AP has to be the same as the channel of the wireless network it’s connecting to.
I would like to see someone hack one with dual-band. 2.4 GHz for AP, 5 GHz for WAN, to be used in a wireless mesh network.