OpenWrt Forum Archive

Topic: Reverse engineering UBee ddw3611 (bcm43xx wifi)

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I came across this Ubee wifi & cabel modem combo.

I couldn't find anywhere that it supports openwrt or dd-wrt. Is it just this device, or is it possible to port OpenWRT to wifi/cable combos?


I'm not that experienced in electrical hardware. What I found:

There's a BCM 43224 abgn wifi mini-pcie card, rebranded as ubee (has fcc id XCNC2104001)

I found a chip on the main board "Atheros AR8315-AH1E". Not sure what it is. Google shows results to chineese electronics suppliers.

It has a USB 2.0 port it seems.

When I boot it up, it gets stuck in a loop, trying to establish a cable connection (I didn't connect it to a coxical cable connection.)

I'm gettinga usb-serial (TTL) adapter soon, so may try to probe for a UART connection to get serial output.


edit: pics of board: imgur.com/a/R5kOk

(Last edited by mushi on 14 Mar 2017, 16:14)

Atheros chip is merely the Ethernet PHY/switch; notice it is connected to the Ethernet port transformers.  The CPU / SoC will be under the big heatsink.  The pin header near the cable port looks like it would be serial. 

Very unlikely it can work with OpenWrt.

mk24 wrote:

The CPU / SoC will be under the big heatsink.

It looks glued or something. Will it make sense to take the heatsink off to identify the chip?

mk24 wrote:

Very unlikely it can work with OpenWrt.

Why is that?

(Last edited by mushi on 14 Mar 2017, 16:14)

Trying to pull the heatsink off is likely to damage something. The CPU type and other useful information is usually seen on the serial when it boots.

mk24 wrote:

The CPU type and other useful information is usually seen on the serial when it boots.

I connected the uart serial and got a bootlog. It's stuck in a loop, maybe because the cable internet isn't attached.

Boot log: gist.github.com/anonymous/e17d9f07f153c … 386195881b

Some takeaways:
It has Broadcom firmware, so maybe there's CFE?
Telnet is running at 192.168.100.1. Wasn't able to connect since router keep rebooting.

64M ram
8MB flash

There may be 2 serial outputs (/dev/ser0 and /dev/ser1)

Serial settings I used:
115200
Parity: None
flow: RTS/CTS

The pins on J305 are the serial pins:
      J305
0 RX TX TX 0

I wasn't able to see what I typed on the keyboard, and pressing 1, 2, or p didn't do anything during the prompt.

You'll need to be able to break in before the stock firmware boots, and get a bootloader prompt. 

Use flow control "None".  RTS/CTS requires the device to assert CTS before the PC will transmit anything.  This connection has no CTS line so it may never work. You can also test your adapter by disconnecting from the router and connecting the adapter's TX and RX wires together, then whatever you type should loop back to the screen.

(Last edited by mk24 on 18 Mar 2017, 23:12)

mk24 wrote:

You'll need to be able to break in before the stock firmware boots, and get a bootloader prompt. 

Use flow control "None".  RTS/CTS requires the device to assert CTS before the PC will transmit anything.  This connection has no CTS line so it may never work. You can also test your adapter by disconnecting from the router and connecting the adapter's TX and RX wires together, then whatever you type should loop back to the screen.

Thanks. I set flow control to None and was able to type, though characters show up as a gray box. I was able to select '1' to boot the first image. It was similar to image 2 though. Pressing 'p' also boots image 1 or 2. I think it stands for "previous"?

I couldn't get a prompt. Pressed Ctrl+C repeatedly to no avail.

The discussion might have continued from here.