OpenWRT on a cheap, no-name WiFi "Repeater"
A long, long time ago, I was given this no-name WiFi repeater. I have seen many like it before online, and likely wouldn't have come into owning one outside of this scenario.
I tested it a couple times, both failing miserably. The OS image that was running on it was Hot Garbage, and eventually I lost the booklet that had the default credentials to get into it after resetting it, leaving me stuck with a heavier paperweight than before.
Recently, I found it again, attempted to gain access to it, and was unable. I thought it would be cool if it had a more capable image on it, maybe I could finally find a use for it.
After some trial, error, and soldering, I was eventually able to get OpenWRT booting and usable on it. I still have no use for it, but now it's custom :)
The rear of the creature, antennae in the background
Information Gathering
The first step when embarking on a project like this is to figure out whether replacing the stock image is going to be feasible.
Some questions that need to be answered are:
- How can we talk to it / spy on it? Does it have a UART? Can we do any URL fuzzing on the web interface to find anything?
  - This device has 4 unlabelled pins that are likely a UART. I won't go into detail on how to identify this, as it is already a well-documented process elsewhere.
  - Since we probably have a UART, I'm not going to bother fuzzing the web UI.
- How much storage, and what kind, do we have?
  - The device appears to have a flash chip on board. Searching the part number tells me it is a 128Mbit (8MByte) part. This is disappointing; that isn't very much space.
- What SoC is in use? Do we already have a Linux port?
  - Looks like we have a Mediatek MT7628. Nice. I know we have a Linux port, and I'm pretty sure OpenWRT has already been brought up on this part.
- What is currently running on it? Linux? RTOS? Bare-metal party?
  - Hopefully we can determine this based on what, if any, output we get from the suspected UART.
- Are there already pre-made images of another OS for this device?
  - Nothing that I could see for this device, although it was likely sold under 100s of different brand names. My specific example has the frustratingly generic model name "AC1200".
- How can we talk to it / spy on it? Does it have a UART? Can we do any URL fuzzing on the web interface to find anything?
I soldered a row of male headers onto the board, and was able to identify these as +3.3V, GND, RX, TX. Nice.
Headers installed
I connected my trusty Flipper to the UART and started testing different baud rates, resetting the device each time (these things are usually quite a bit more chatty early in the boot process).
here we see the cheap travel router in its natural habitat
Awesome. Looks like we got an embedded Linux image. Apologies for the crappy photo rather than a screenshot: I am writing this some time after actually doing this, and the only photo I have of the stock OS's UART output is this one I excitedly sent to the original owner who gave the device to me.
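The baud-rate hunt above can be automated: capture a few seconds of output at each candidate rate while the board is power-cycled, then rank the rates by how much of the captured data looks like console text. The script below is an added example and not the post's workflow (the post used a Flipper Zero); it assumes a USB-to-serial adapter at PORT and the pyserial library for the live capture, while the scoring itself is plain Python and is exercised here on constructed sample bytes.

```python
"""Brute-force an unknown UART baud rate by scoring how text-like the bytes
captured at each candidate rate are.  Added example, not the post's workflow;
it assumes a USB-to-serial adapter at PORT (8N1) and pyserial for capture_all()."""
import time

try:
    import serial  # pyserial; only needed for capture_all()
except ImportError:
    serial = None

PORT = "/dev/ttyUSB0"  # assumption: adjust to your adapter's device node
CANDIDATE_RATES = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)


def text_score(sample):
    """Fraction of bytes that look like console text (printable ASCII plus tab/CR/LF).
    A wrong rate produces framing errors: high-bit garbage and 0x00/0xFF runs, which
    score near zero, while the right rate yields a readable boot log."""
    if not sample:
        return 0.0
    ok = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(sample)


def rank_rates(samples):
    """samples: {baud: bytes captured at that rate}. Returns [(baud, score)], best first."""
    return sorted(((r, text_score(s)) for r, s in samples.items()),
                  key=lambda t: t[1], reverse=True)


def capture_all(port=PORT, seconds=3.0, rates=CANDIDATE_RATES):
    """Live capture: for each rate, open the port, have the operator power-cycle the
    board (early boot output is the chattiest) and collect what arrives for `seconds`."""
    if serial is None:
        raise RuntimeError("pyserial is not installed (pip install pyserial)")
    samples = {}
    for rate in rates:
        with serial.Serial(port, rate, timeout=0.2) as ser:
            input(f"[{rate} baud] press Enter, then power-cycle the board ")
            ser.reset_input_buffer()
            buf, deadline = bytearray(), time.monotonic() + seconds
            while time.monotonic() < deadline:
                buf += ser.read(256)
        samples[rate] = bytes(buf)
    return samples


# Constructed stand-ins for captured bytes, so the ranking can be exercised offline.
CONSTRUCTED_SAMPLES = {
    57600: b"\xfe\x00\xf8\xfc\x00\x80\xfe\xf0\x00\x00\xff\xfc",       # framing garbage
    115200: b"U-Boot 1.1.3 (constructed)\r\n\r\nDRAM:  64 MB\r\n",   # readable boot text
    9600: b"",                                                        # nothing arrived
}

if __name__ == "__main__":
    # Swap CONSTRUCTED_SAMPLES for capture_all() when a real board is attached.
    for rate, score in rank_rates(CONSTRUCTED_SAMPLES):
        print(f"{rate:>7} baud: {score:.2f}")
```

The scoring deliberately counts only printable ASCII and line-ending bytes, so a rate that is off by a factor of two (which typically yields bytes with the high bit set) ranks clearly below the correct one even when some stray characters happen to decode.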
The elephant in the room: storage
As stated above, this thing has a tiny flash chip on board. Thankfully, it is a standard SOIC-8 SPI flash chip. These are very common, and I have the tools to dump, flash, and replace this chip with a larger one. I also have a 256Mbit (16MByte) one lying around that looks like it could barely fit OpenWRT.
I slathered some flux on the board and removed the flash chip.
This isn't a soldering lesson, as should be obvious from the questionable work shown in the photos below, but here is a useful trick I learned: melt some low-melt leaded solder onto the existing solder. These things are usually assembled with lead-free solder, which is more difficult to work with due to its higher melting point.
Let's take a peek
I used a CH341a programmer and a SOIC-8 to DIP-8 socket to dump the contents of the chip:
flashrom --programmer ch341a_spi -r dump.bin
After this completed, I analyzed the dump with binwalk.
output of binwalk showing what is contained within the stock flash
Cool! We got U-Boot, a kernel image, and what is likely a rootfs.
Seeing U-Boot is good news. I did not feel like bringing U-Boot up on this unknown platform, and presumably I can use it to boot into whatever I want.
Since we have a Linux image, we have now confirmed that this device is capable of running Linux, meaning we are that much closer to OpenWRT becoming a reality.
Slice and dice
At this point, the simplest way to proceed is to look around and see if I can find a prebuilt OpenWRT image for this SoC. In a perfect world we would find one for this exact device. That wasn't the case, however, but I did find these two files:
mediatek_mt7628an-eval-board-initramfs-kernel.bin
mediatek_mt7628an-eval-board-squashfs-sysupgrade.bin
This gives me hope, since the safest option, other than building a custom image, is using an image designed for an evaluation board. This is because the evaluation board is usually generic enough with few bespoke peripherals. Additionally, especially with these cheap devices, the original designers probably ripped off the evaluation board anyway, as they are usually well documented and have schematics and suggested board layouts.
At this point, I was ready to test my luck. I used dd to insert the kernel and squashfs data into the original dump. The hope is that the entry point is the same and that U-Boot will happily start loading the kernel.
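Both the binwalk step earlier and the dd splice here can be checked in a few lines of Python. The script below is an added example and not the post's tooling: it locates the same markers binwalk reported (a U-Boot banner, a legacy uImage kernel header with a valid header CRC, a SquashFS superblock magic), compares the load and entry addresses of the stock kernel with those of the replacement blob (the "entry point is the same" hope), and then writes the new kernel+rootfs over the stock kernel region, padding the result to the larger chip's size. The flash layout, offsets and all bytes in build_sample() are constructed for illustration and are not taken from the real device.

```python
"""Scan a SPI flash dump for U-Boot / uImage / SquashFS markers, verify the
replacement kernel keeps the stock load and entry addresses, then splice it in
and pad to a larger flash size.  Added example; all sample data is constructed."""
import struct
import zlib

UIMAGE_MAGIC = 0x27051956          # legacy U-Boot image header magic (big-endian)
UIMAGE_HDR = ">IIIIIIIBBBB32s"     # magic, hcrc, time, size, load, entry, dcrc, os, arch, type, comp, name
SQUASHFS_MAGIC = b"hsqs"           # little-endian SquashFS superblock magic
ERASED = 0xFF                      # what unprogrammed NOR flash reads as


def parse_uimage_header(blob, off=0):
    """Return the header fields at `off`, or None if the magic or header CRC is wrong.
    U-Boot computes hcrc over the 64-byte header with the hcrc field zeroed."""
    hdr = blob[off:off + 64]
    if len(hdr) < 64:
        return None
    fields = struct.unpack(UIMAGE_HDR, hdr)
    magic, hcrc, _, size, load, entry, dcrc = fields[:7]
    if magic != UIMAGE_MAGIC:
        return None
    if zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) & 0xFFFFFFFF != hcrc:
        return None
    name = fields[11].rstrip(b"\0").decode("ascii", errors="replace")
    return {"offset": off, "size": size, "load": load, "entry": entry,
            "data_crc": dcrc, "name": name}


def find_all(blob, needle):
    """Offsets of every occurrence of `needle` in `blob`."""
    out, i = [], blob.find(needle)
    while i != -1:
        out.append(i)
        i = blob.find(needle, i + 1)
    return out


def scan_dump(blob):
    """Poor man's binwalk: offsets of U-Boot banners, valid uImage headers and SquashFS magics."""
    magic = struct.pack(">I", UIMAGE_MAGIC)
    return {
        "uboot": find_all(blob, b"U-Boot"),
        "uimage": [o for o in find_all(blob, magic) if parse_uimage_header(blob, o)],
        "squashfs": find_all(blob, SQUASHFS_MAGIC),
    }


def same_entry_point(stock, new_fw, kernel_off):
    """Compare the stock kernel header with the header at the start of the new blob;
    True when U-Boot would load and jump to the same addresses as before."""
    old, new = parse_uimage_header(stock, kernel_off), parse_uimage_header(new_fw, 0)
    if old is None or new is None:
        raise ValueError("no valid uImage header at the expected place")
    return old["load"] == new["load"] and old["entry"] == new["entry"]


def splice_firmware(stock, new_fw, kernel_off, flash_size):
    """Overwrite the stock image from kernel_off with new_fw (kernel + squashfs, as in a
    sysupgrade file), keeping everything before it (U-Boot) and any stock bytes past the
    end of the new blob, then pad to flash_size with erased bytes.  Refuses blobs that
    do not fit, which is the failure mode a too-small chip would otherwise hide."""
    end = kernel_off + len(new_fw)
    if end > flash_size:
        raise ValueError(f"firmware ends at {end:#x}, flash is only {flash_size:#x}")
    out = bytearray(stock) + bytes([ERASED]) * max(0, flash_size - len(stock))
    out[kernel_off:end] = new_fw
    return bytes(out[:flash_size])


def build_uimage(payload, load, entry, name):
    """Build a legacy uImage with valid CRCs (os=Linux, arch=MIPS, type=kernel, comp=gzip)."""
    hdr = struct.pack(UIMAGE_HDR, UIMAGE_MAGIC, 0, 0, len(payload), load, entry,
                      zlib.crc32(payload) & 0xFFFFFFFF, 5, 5, 2, 1, name.ljust(32, b"\0"))
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


def build_sample():
    """Constructed stand-in for the real dump: a 1 MiB 'flash' with a U-Boot banner at 0,
    a small stock kernel at kernel_off followed by a SquashFS magic, plus a larger
    replacement kernel+rootfs blob.  The values are illustrative, not the device's."""
    kernel_off, stock_size = 0x50000, 1 << 20
    stock = bytearray(bytes([ERASED]) * stock_size)
    banner = b"U-Boot 1.1.3 (constructed sample)"
    stock[:len(banner)] = banner
    kernel = build_uimage(b"\x00" * 1024, 0x80000000, 0x80000000, b"stock kernel")
    stock[kernel_off:kernel_off + len(kernel)] = kernel
    rootfs_off = kernel_off + len(kernel)
    stock[rootfs_off:rootfs_off + 4] = SQUASHFS_MAGIC
    new_fw = (build_uimage(b"\x11" * 4096, 0x80000000, 0x80000000, b"replacement kernel")
              + SQUASHFS_MAGIC + b"\x22" * 8192)
    return bytes(stock), new_fw, kernel_off


if __name__ == "__main__":
    stock, new_fw, kernel_off = build_sample()
    print("stock layout:", scan_dump(stock))
    print("entry point preserved:", same_entry_point(stock, new_fw, kernel_off))
    image = splice_firmware(stock, new_fw, kernel_off, 2 << 20)
    print("new image:", len(image), "bytes ->", scan_dump(image))
```

On a real dump you would replace build_sample() with the bytes read by flashrom and the sysupgrade file, and take kernel_off from scan_dump()'s uimage entry. Note that the splice preserves whatever the stock image stores past the end of the new blob but overwrites anything between the kernel offset and that end, so a longer replacement can clobber data the stock layout kept there; comparing scan_dump() before and after is a cheap way to see what moved.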
Does it work?
After modifying the original dump, I used flashrom and my trusty CH341a to put the new image onto the newer, shinier, bigger, badder 16MB SPI flash IC.
Once written, I installed the new chip onto the device's board, reassembled it, and powered it on.
some F-tier soldering work. need more SMD practice.
Watching the UART output, it looks like OpenWRT is booting! Success? Maybe? We aren't out of the woods yet. Now we need to wait and see if it comes online: whether it gets an IP on its WAN port, starts broadcasting a default network, or starts handing out IP addresses on its LAN port.
To test, I plugged the LAN port on the router directly into my PC, and told my PC to get a fresh IP address.
After what seemed like an eternity, we got a link, and I got an IP.
I opened up a web browser and navigated to the device's IP, and was greeted with an unconfigured OpenWRT 🎉
I set a password and logged in.
It worked!
Final Thoughts
After everything was running, I set up the device as an access point and tested it. Unfortunately, either by design or due to differences between my device and the evaluation board, the link is limited to 100Mbps instead of 1000. The device still functions properly as an access point, however.
This project would be considered "beginner" and "entry level" for an embedded systems engineer or security researcher. However, I haven't had any experience reverse engineering embedded systems yet. My embedded experience is limited to AVR MCUs, Pis, and some messing about bringing buildroot up on a couple of Allwinner platforms. For this reason, this was a great project to start getting my feet wet in embedded RE.
From my (limited) research, most of the time you aren't able to just haphazardly insert a new kernel image and rootfs. I'm going to assume my success here is thanks to the possibility that this wifi router was born as a copy/paste of a Mediatek reference design. If it had featured any sort of bespoke peripherals or eMMC booting, I wouldn't have been so lucky.