1 (edited by mushi 2017-03-14 16:14:46)

Topic: Reverse engineering UBee ddw3611 (bcm43xx wifi)

I came across this Ubee wifi & cable modem combo.

I couldn't find anywhere that it supports openwrt or dd-wrt. Is it just this device, or is it possible to port OpenWRT to wifi/cable combos?


I'm not that experienced in electrical hardware. What I found:

There's a BCM 43224 abgn wifi mini-pcie card, rebranded as ubee (has fcc id XCNC2104001)

I found a chip on the main board "Atheros AR8315-AH1E". Not sure what it is. Google shows results to Chinese electronics suppliers.

It has a USB 2.0 port it seems.

When I boot it up, it gets stuck in a loop, trying to establish a cable connection (I didn't connect it to a coaxial cable connection.)

I'm getting a usb-serial (TTL) adapter soon, so may try to probe for a UART connection to get serial output.


edit: pics of board: imgur.com/a/R5kOk

Re: Reverse engineering UBee ddw3611 (bcm43xx wifi)

Atheros chip is merely the Ethernet PHY/switch; notice it is connected to the Ethernet port transformers.  The CPU / SoC will be under the big heatsink.  The pin header near the cable port looks like it would be serial. 

Very unlikely it can work with OpenWrt.

3 (edited by mushi 2017-03-14 16:14:03)

Re: Reverse engineering UBee ddw3611 (bcm43xx wifi)

mk24 wrote:

The CPU / SoC will be under the big heatsink.

It looks glued or something. Will it make sense to take the heatsink off to identify the chip?

mk24 wrote:

Very unlikely it can work with OpenWrt.

Why is that?

Re: Reverse engineering UBee ddw3611 (bcm43xx wifi)

Trying to pull the heatsink off is likely to damage something. The CPU type and other useful information is usually seen on the serial when it boots.

Re: Reverse engineering UBee ddw3611 (bcm43xx wifi)

mk24 wrote:

The CPU type and other useful information is usually seen on the serial when it boots.

I connected the uart serial and got a bootlog. It's stuck in a loop, maybe because the cable internet isn't attached.

Boot log: gist.github.com/anonymous/e17d9f07f153c … 386195881b

Some takeaways:
It has Broadcom firmware, so maybe there's CFE?
Telnet is running at 192.168.100.1. Wasn't able to connect since the router keeps rebooting.

64M ram
8MB flash

There may be 2 serial outputs (/dev/ser0 and /dev/ser1)

Serial settings I used:
115200
Parity: None
flow: RTS/CTS

The pins on J305 are the serial pins:
      J305
0 RX TX TX 0

I wasn't able to see what I typed on the keyboard, and pressing 1, 2, or p didn't do anything during the prompt.

6 (edited by mk24 2017-03-18 23:12:33)

Re: Reverse engineering UBee ddw3611 (bcm43xx wifi)

You'll need to be able to break in before the stock firmware boots, and get a bootloader prompt. 

Use flow control "None".  RTS/CTS requires the device to assert CTS before the PC will transmit anything.  This connection has no CTS line so it may never work. You can also test your adapter by disconnecting from the router and connecting the adapter's TX and RX wires together, then whatever you type should loop back to the screen.
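
The loopback check described in the post above, as an added example that is not part of the original thread: it sets the port to 115200 8N1 with RTS/CTS and XON/XOFF off, sends a test string, and reports whether the same bytes come back. The `simulated_jumper` helper and the `/dev/ttyUSB0` path are assumptions; the helper is a constructed pty stand-in for an adapter with TX wired to RX so the script runs without hardware.

```python
import os, select, termios, threading, time, tty

def set_raw_no_flow_control(fd, baud=termios.B115200):
    """Raw 8N1 at `baud` with RTS/CTS and XON/XOFF off; True if CRTSCTS is cleared."""
    tty.setraw(fd)
    attrs = termios.tcgetattr(fd)
    attrs[0] &= ~(termios.IXON | termios.IXOFF)        # iflag: no software flow control
    attrs[2] &= ~(termios.CRTSCTS | termios.PARENB | termios.CSTOPB)  # no RTS/CTS, no parity
    attrs[2] |= termios.CS8 | termios.CLOCAL | termios.CREAD
    attrs[4] = attrs[5] = baud                         # input and output speed
    termios.tcsetattr(fd, termios.TCSANOW, attrs)
    return (termios.tcgetattr(fd)[2] & termios.CRTSCTS) == 0

def loopback_test(fd, payload=b"uart-loopback\r\n", timeout=1.0):
    """Send payload and report whether the same bytes come back (TX jumpered to RX)."""
    if not set_raw_no_flow_control(fd):
        return False
    termios.tcflush(fd, termios.TCIOFLUSH)             # drop stale bytes before the test
    os.write(fd, payload)
    received, deadline = b"", time.monotonic() + timeout
    while len(received) < len(payload):
        remaining = deadline - time.monotonic()
        if remaining <= 0 or not select.select([fd], [], [], remaining)[0]:
            break                                      # nothing came back in time
        received += os.read(fd, len(payload) - len(received))
    return received == payload

def simulated_jumper():
    """Constructed stand-in for a jumpered adapter: a pty whose far end echoes bytes."""
    master, slave = os.openpty()
    def echo():
        try:
            while True:
                os.write(master, os.read(master, 1024))
        except OSError:
            pass                                       # pty closed
    threading.Thread(target=echo, daemon=True).start()
    return slave

if __name__ == "__main__":
    # On real hardware, open the adapter instead (device path is an assumption):
    #   fd = os.open("/dev/ttyUSB0", os.O_RDWR | os.O_NOCTTY)
    print("loopback ok:", loopback_test(simulated_jumper()))
```

A `False` result with the jumper fitted points at the adapter or its settings rather than the router.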

Re: Reverse engineering UBee ddw3611 (bcm43xx wifi)

mk24 wrote:

You'll need to be able to break in before the stock firmware boots, and get a bootloader prompt. 

Use flow control "None".  RTS/CTS requires the device to assert CTS before the PC will transmit anything.  This connection has no CTS line so it may never work. You can also test your adapter by disconnecting from the router and connecting the adapter's TX and RX wires together, then whatever you type should loop back to the screen.

Thanks. I set flow control to None and was able to type, though characters show up as a gray box. I was able to select '1' to boot the first image. It was similar to image 2 though. Pressing 'p' also boots image 1 or 2. I think it stands for "previous"?

I couldn't get a prompt. Pressed Ctrl+C repeatedly to no avail.