Hi everyone,
I bought an AFoundry EW1200 to increase my wifi range.
It was:
- Cheap (75 €)
- Good looking with metal enclosue
The router is equiped with :
- Mediatek MT7621 as CPU
- 128 MB DDR3 RAM
- 128 Mb SPI flash
- Mediatek MT7612E (5.8 Ghz)
- Mediatek MT7603E (2.4 Ghz)
- 1 USB 3.0
The router is working great with a nice Wifi range and nice bandwidth. However, the web interface isn't as efficient as I'd like. So I wanted to abuse this cute router with firmware flashing.
OpenWRTisn't available for now. I wanted to dig into, so did I.
When you (easily) open the metal enclosure, there is an already populated UART port (TX, GND, RX) sitting in the middle of the pcb. When you attach your classic uart-usb adapter you can see the boot process and access bootloader (uboot) / console.
The router is obviously running a custom OpenWRT :
BusyBox v1.22.1 (2016-11-03 13:11:16 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
BARRIER BREAKER (Barrier Breaker, r37)
-----------------------------------------------------
* 1/2 oz Galliano Pour all ingredients into
* 4 oz cold Coffee an irish coffee mug filled
* 1 1/2 oz Dark Rum with crushed ice. Stir.
* 2 tsp. Creme de Cacao
-----------------------------------------------------
MTK OpenWrt SDK V3.4
revision : benchmark : APSoC SDK 5.0.1.0
kernel : 144992
-----------------------------------------------------
admin@AFOUNDRY-526870:~#
The credentials are classics : admin // admin
You can edit the tenet conf file and enable the telnet server. Enabling the telnet server can also be done after importing a modified config backup file (as someone wrote on the DD-WRT forum).
The manufacturer doesn't provide any firmware for upgrade / restore. I wanted the firmware so I dumped the SPI flash chip.
This chip is a 128 Mb <-> 16 MB flash from Macronix : MX25L12835F. I used a raspi with flashrom. After trying 3 times in-circuit, I ended desoldering the chip with hot air station because the dumps were always partials (I could not find a way to halt the cpu and stop disturbing the reading of the flash chip).
The dump is available here : h**ps://filebin.ca/3Qey47yoyo2w/ew1200_original_1.5.7_dump.bin
md5sum : 2084768506eebead3dea40ffa71593c2
Binwalk process :
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
71624 0x117C8 U-Boot version string, "U-Boot 1.1.3 (Nov 3 2016 - 13:37:42)"
327680 0x50000 uImage header, header size: 64 bytes, header CRC: 0x19A5881E, created: 2016-11-03 05:37:20, image size: 1555786 bytes, Data Address: 0x80001000, Entry Point: 0x80001000, data CRC: 0xA3008F57, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "OpenWrt Linux-3.10.14"
327744 0x50040 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4524288 bytes
1883530 0x1CBD8A Squashfs filesystem, little endian, version 4.0, compression:xz, size: 5791162 bytes, 1218 inodes, blocksize: 262144 bytes, created: 2016-11-03 05:37:17
7733248 0x760000 JFFS2 filesystem, little endianess
Filesystems can be extracted by Binwalk.
I'll try to dig more, but can "openWRT pros" tell me if adapting vanilla openWRT to this router can be done without help from the manufacturer (extracting radio drivers ?)
Thanks.
(Last edited by gbiohazard on 20 Jun 2017, 20:56)