Anddear/ZiKing CPE46B (ar9331) (~ap121)

Hello!
I just received a very cheap outdoor Chinese CPE based on the AR9331 SoC.
Here's the aliexpress link: https://it.aliexpress.com/item/32964460654.html?spm=a2g0s.9042311.0.0.4b834c4dp8Occ3

It hasn't any specific brand, it has just a label which says "CPE46B" and it is exactly like the one shown in this video: https://www.youtube.com/watch?v=i3WUmMOqit0

https://i.postimg.cc/nzgFJP9K/IMG-20200412-150721.jpg
https://i.postimg.cc/KcTkYPcc/IMG-20200412-150732.jpg
https://i.postimg.cc/sXhXvzrH/IMG-20200412-150739.jpg
https://i.postimg.cc/j2SFMxSZ/IMG-20200412-150752.jpg

Now, as seen in the photo, it has an easy interface for the serial console. Furthermore, it has a telnet service vulnerable to command injection so I'm able to run root commands on the powered-on device. I also have a SOIC clip that I used to do some tests and fully dump the memory.

Here's the u-boot log

U-Boot 1.1.413 (Aug 29 2012 - 10:36:47)
AP121-2MB (ar9330) U-boot
DRAM:  32 MB
flash size 8388608, sector count = 128
Flash:  8 MB
In:    serial
Out:   serial
Err:   serial
Net:   
eth0: c8:ee:a6:3f:62:ad
eth0 up
eth1: 00:0a:0b:0c:0d:0e
eth1 up
eth0, eth1
Hit any key to stop autoboot:  0
## Booting image at 9f380000 ...
   Image Name:   Linux Kernel Image
   Created:      2019-09-05  10:02:56 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    864262 Bytes = 844 kB
   Load Address: 80002000
   Entry Point:  801d0de0
   Verifying Checksum at 0x9f380040 ...OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 801d0de0) ...
## Giving linux memsize in bytes, 33554432
Starting kernel ...
Booting AR9330(Hornet)...

bdinfo output:


# bdinfo
boot_params = 0x81F87FB0
memstart    = 0x80000000
memsize     = 0x02000000
flashstart  = 0x9F000000
flashsize   = 0x00800000
flashoffset = 0x00000000
ethaddr     = 00:AA:BB:CC:DD:EE
ip_addr     = 192.168.0.144
baudrate    = 115200 bps

printenv output

bootargs0=console=ttyS0,115200 root=31:02 rootfstype=squashfs,jffs2 init=/bin/init mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),3456k(rootfs),1024K(uImage),3456k(rootfs1),64k(NVRAM),64k(ART)
bootcmd0=bootm 0x9f380000
bootargs1=console=ttyS0,115200 root=31:04 rootfstype=squashfs,jffs2 init=/bin/init mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),3456k(rootfs),1024K(uImage),3456k(rootfs1),64k(NVRAM),64k(ART)
bootcmd1=bootm 0x9f380000
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ethact=eth0
filesize=27d000
fileaddr=80060000
ipaddr=192.168.0.144
serverip=192.168.0.141
bootparam=0
bootdelay=4
runver1=AWS-SX9331027-4.3.3
runver0=OEM-SX933146B-4.3.7
LANG=en
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 1.1.413 (Aug 29 2012 - 10:36:47)
bootargs=console=ttyS0,115200 root=31:02 rootfstype=squashfs,jffs2 init=/bin/init mtdparts=ar7240-nor0:128k(u-boot),3456k(rootfs),1024K(uImage),3456k(rootfs1),64k(NVRAM),64k(ART)
bootcmd=bootm 0x9f380000
Environment size: 978/65532 bytes

Here's the content of a file called ver.conf inside the rootfs in order to provide some more info about the manufacturer:

FID="OEM"
FLASH_ID="SPI"
PCB="v1.0"
PN="CPE46B"
PT="AP"
VER="4.3.7"
VER1="4.3.7"
RF_MODE="1T1R"
WAN="0"
EXT_PA="1"
TRSW="1"
SERVER_DOMAIN="www.ziking.net"
DHCPD_EVER="0"
IANA="37260"
MAXNUM=4

####language
CSS_STYLE="SHX46B"
LANG="en"
SUPPORT_LANG="en,zh"
COUNTRYCODE="76"
SUPPORT_COUNTRYCODE="76,156,276,392"
####radio & vaps
MAX_VAPS="8"
MAX_RFS="1"
#0: auto, 1:2.4G, 2-5.8G
RF0_SUPPORT_FREQ="1"
#RF1_SUPPORT_FREQ="0"

SUPPORT_AUTO_ACTIVE="0"
#### product Type
###0: FIT AP mode
###1: WIFI CPE mode
###2: LTE/3G CPE mode
###3: Route mode
####for UPNP
MANUFACTURER="XIAN ZIKING NETWORK COMMUNICATIONS CO.,LTD."
MANUFACTURERURL="http://www.ziking.net"
MODELDESCRIPTION="Wireless Broadband Access Point / CPE"
####
PRODUCT_TYPE="1"
SUPPORT_PRODUCT_TYPE="2,3"
SUPPORT_WAN_MODE="251"
SUPPORT_AUTH_MODE="63"
SUPPORT_WLAN_MODE="7"
SUPPORT_MAC_MAP="0"
PRODUCT_ID="0"
APSYSNEID="SYSNEIDatleast16chars1234567890123456"
AP_NASID="NASIDatleast16chars1234567890123456"
APSYSHOSTNAME="APNAMEatleast40chars1234567890123456789012345678901234567890"
AP_LOCATION="shenzhen"
AP_COVERAGETYPE="2"
AP_DESCRIPRION="Customer Premise Equipment"
AP_SOFT_VERDOR="ZiKing"
AP_ORIG_VENDOR="ZiKing"
AP_CPU="ar9331"
CPU_SPEED="400000000"
#it must be xxMB(type)
AP_MEMORY="64MB(S29GL064M)"
AP_FLASH="8MB(HY57V561620TP-H)"
#max power, dbm
AP_MAX_POWER="15"
PCB0="SX933146B"
BUS="AHB"
SUPPORT_AC_CURL_MGR="0"
AP_SERIALNUMBER=001122334455

Now, the original firmware is already OpenWRT based. As can be seen from the bootargs parameter, the ROM is split into 6 mtd partitions and it has both 2 u-boot and 2 rootfs, meaning that they are either for recovery or there's something that can switch between them.

Now I would like to port a vanilla OpenWRT to this device. Given the low price, it would be a competitive device for mesh networks in my area.

I found https://github.com/oldcat618/u-boot_mod this project and would like some insights on how to try porting it to this board.

Thank you
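The mtdparts strings in the printenv output above can be checked against the bdinfo values and the `bootm 0x9f380000` address. The sketch below is an added example, not part of the original post or of the vendor firmware; it handles only the plain `size(name)` form used here, and the function names are illustrative.

```python
import re

FLASH_BASE = 0x9F000000   # flashstart from the bdinfo output in the post
FLASH_SIZE = 0x00800000   # flashsize from the bdinfo output in the post

# mtdparts values copied from the printenv output in the post
BOOTARGS0 = ("ar7240-nor0:64k(u-boot),64k(u-boot-env),3456k(rootfs),"
             "1024K(uImage),3456k(rootfs1),64k(NVRAM),64k(ART)")
BOOTARGS = ("ar7240-nor0:128k(u-boot),3456k(rootfs),1024K(uImage),"
            "3456k(rootfs1),64k(NVRAM),64k(ART)")

UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20}
PART_RE = re.compile(r"^(\d+)([kKmM]?)\(([^)]+)\)$")


def parse_mtdparts(spec, base=FLASH_BASE):
    """Return (device, [(name, offset, size, cpu_address), ...])."""
    device, _, parts = spec.partition(":")
    layout, offset = [], 0
    for part in parts.split(","):
        m = PART_RE.match(part.strip())
        if not m:
            raise ValueError(f"unsupported partition spec: {part!r}")
        size = int(m.group(1)) * UNITS[m.group(2).lower()]
        layout.append((m.group(3), offset, size, base + offset))
        offset += size
    return device, layout


def check_layout(spec, flash_size=FLASH_SIZE):
    """Return the layout, or raise if it does not cover the flash exactly."""
    device, layout = parse_mtdparts(spec)
    total = sum(size for _, _, size, _ in layout)
    if total != flash_size:
        raise ValueError(f"{device}: covers {total:#x}, flash is {flash_size:#x}")
    return layout


def address_of(spec, name):
    """Memory-mapped address of the named partition."""
    return next(addr for n, _, _, addr in check_layout(spec) if n == name)


if __name__ == "__main__":
    for label, spec in (("bootargs0", BOOTARGS0), ("bootargs", BOOTARGS)):
        print(label)
        for name, off, size, addr in check_layout(spec):
            print(f"  {name:<11} off={off:#08x} size={size:#08x} addr={addr:#010x}")
```

Both layouts place uImage at 0x9f380000, matching the bootcmd value, and both cover the full 8 MB of flash.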

I managed to write a DTS file and successfully boot OpenWrt built from the latest source tree. In case anyone needs to do the same on similar platforms, I wrote some notes on how I did it:

https://git.lsd.cat/g/openwrt-cpe46b

I still need to figure out the GPIO definitions for the button and for the LEDs. I see that two or three of the five LEDs are already controlled by the ath9 driver. For the others, I don't have any /sys/class/gpiochip* interface. Also, it looks like the original firmware used a compiled binary in order to use the LED. From a brief look at the disassembly it seems to me that it controls them by writing to /dev/armem.

Also, there are two MAC addresses in the ART partition that are equal. The original firmware simply added one to the main MAC in order to set the second, as an example:
if the MAC on the art partition is 00:AA:BB:CC:DD:EE
eth0 would have 00:AA:BB:CC:DD:EE
eth1 would have 00:AA:BB:CC:DD:EF

How can I translate this into a DTS definition? Is it normal also that wlan0 has the same MAC as eth0?

FYI - snapshot support for ZiKing CPE46B has recently been added
