Ben Brown

Electronics and Embedded Systems Engineering

Converting the Reaver Pro to run stock OpenWRT

I bought one of the Reaver Pro units a fair while ago, back when they were more useful. Now that most routers have protection against the WPS PIN brute-force attack that Reaver performs, it has become mostly useless. However, the unit itself is actually a really nice Alfa Networks HornetUB2 with the flash upgraded to 16MB and the RAM to 64MB.

Problem

The U-Boot build on the router does not support the setenv command, and the unit comes with the boot location hard-coded to 0x9f050000, which is NOT what all the documentation online appears to refer to. The address does make sense for this unit's layout: U-Boot sees the SPI flash at 0x9f000000, and the bootargs reserve 256k for U-Boot and 64k for its environment ahead of the firmware, so the kernel starts 0x50000 into the flash.

Running printenv in the U-Boot console gives the following output:

ar7240> printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ar7240-nor0:256k(u-boot),64k(
bootcmd=bootm 0x9f050000
bootdelay=4
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=192.168.2.10
serverip=192.168.2.100
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 374/65532 bytes

Progress

I took a raw dump of the SPI flash on the board (Available Here) and compared the contents of the binary file with the kernel and rootfs images provided by Alfa, searching for the first few bytes of each file to find its offset in the dump.

Searching for the start of the kernel image, I found it at offset 0x00050000 in the file. U-Boot expects to boot the image at 0x9f050000 in the device's memory map, and since the flash is mapped at 0x9f000000 these are the same place. Using the md command to dump a specific memory location, I looked at what is mapped there:

ar7240> md 0x9f050000
9f050000: 27051956 42daea8f 55b7f27f 0010218c    '..VB...U.....!.
9f050010: 80060000 80060000 829e9407 05050203    ................
9f050020: 4d495053 204f7065 6e577274 204c696e    MIPS OpenWrt Lin
9f050030: 75782d33 2e31302e 34390000 00000000    ux-3.10.49......
9f050040: 6d000080 0064e22f 00000000 0000006f    m....d./.......o
9f050050: fdffffa3 b77f4c34 f7a2db89 7a6edb3c    ......L4....zn.<
9f050060: ec7d4ea1 71788f3e 662e5921 813447fb    .}N.qx.>f.Y!.4G.
9f050070: c40a4fcd 7fe4fadd 44886237 84761dc7    ..O.....D.b7.v..
9f050080: 69eed2e2 4b81a34c 0ebd9a86 608991da    i...K..L....`...
9f050090: 2fc1b42f b904f9e1 96c809de 7f85b014    /../............
9f0500a0: d964a8af e9702d81 28f85c6e 5fe4a609    .d...p-.(.\n_...
9f0500b0: 449ed70c a9a3668e d678e288 08ce0f8e    D.....f..x......
9f0500c0: 0e95d8ae 696f303b 50e05fc2 39116a47    ....io0;P._.9.jG
9f0500d0: 710871a7 5def374c 24c98f05 17aec453    q.q.].7L$......S
9f0500e0: 097b1188 d46031b4 bb335ee7 f03c19bc    .{...`1..3^..<..
9f0500f0: 1b97c84c df8e4434 a3aaa942 2f43ddb6    ...L..D4...B/C..

The data md shows matches exactly what I found earlier in the binary file for the kernel image: 0x27051956 is the uImage header magic, the two 0x80060000 words are the load address and entry point, and the name field reads MIPS OpenWrt Linux-3.10.49.

By searching through the binary file I found the start of the rootfs at 0x00160000 in the raw file. Subtracting 0x00050000 from that gives the offset of the rootfs relative to the kernel, 0x00110000.

I used md again to dump the data at that offset from the kernel:

ar7240> md 0x9F160000
9f160000: 68737173 8d070000 c5f2b755 00000400    hsqs.......U....
9f160010: 59000000 04001200 c0060100 04000000    Y...............
9f160020: c5171636 00000000 d8749800 00000000    ...6.....t......
9f160030: d0749800 00000000 ffffffff ffffffff    .t..............
9f160040: bade9700 00000000 1e1a9800 00000000    ................
9f160050: 9a669800 00000000 ba749800 00000000    .f.......t......
9f160060: 0c801400 09009000 40000000 0400fd37    ........@......7
9f160070: 7a585a00 00016922 de3603c0 bcb30980    zXZ...i".6......
9f160080: 80102101 0c00e330 3114e1ac 4deffe6c    ..!....01...M..l
9f160090: 003f9145 84600846 3f70491e 008b6899    .?.E.`.F?pI...h.
9f1600a0: eabbc1a3 54d917f2 173f2e70 6cab9be3    ....T....?.pl...
9f1600b0: 4bb011c9 0db448bd e1298d0c 5412332e    K.....H..)..T.3.
9f1600c0: f0368af5 7ed91dc5 e66503e1 f578a895    .6..~....e...x..
9f1600d0: bb049d9f c942644b fd369d5c 9d76a993    .....BdK.6.\.v..
9f1600e0: b14bd76a 2730ac20 c40938fc 2f66eab1    .K.j'0. ..8./f..
9f1600f0: 9c049274 1a3aba57 d306e71f 860693e2    ...t.:.W........

Perfect, that matches the start of the rootfs file (hsqs is the squashfs superblock magic).

Now that I know the actual location of the two files on this device, they can be programmed via tftp as normal.

Steps to program

By default the unit assigns itself an IP of 192.168.2.10 and looks for a tftp server at 192.168.2.100. I used my Mac laptop with the Pumpkin tftp server to serve the files to the unit.

I used these two known working files: kernel.bin rootfs.bin

I renamed them to kernel.bin and rootfs.bin to reduce the typing.

Then enter the following commands at the U-Boot console. Two things to check before doing this on another unit: U-Boot parses its numeric arguments as hex, so the cp.b length 110000 means 0x110000 bytes, exactly the range erased just before it; and the rootfs erase ends at 0x9f39ffff, well short of the nvram and art partitions at 0xfe0000 and 0xff0000 (art holds the radio calibration data and must never be erased).

ar7240> tftp 0x80600000 kernel.bin


eth0 link down
FAIL
dup 1 speed 1000
Using eth1 device
TFTP from server 192.168.2.100; our IP address is 192.168.2.10
Filename 'kernel.bin'.
Load address: 0x80600000
Loading: #################################################################
         #################################################################
         #################################################################
         #######################
done
Bytes transferred = 1114112 (110000 hex)


ar7240> erase 0x9f050000 +0x110000
Erase Flash from 0x9f050000 to 0x9f15ffff in Bank # 1
First 0x5 last 0x15 sector size 0x10000
Erased 17 sectors


ar7240> cp.b 0x80600000 0x9f050000 110000
Copy to Flash... write addr: 9f050000
done


ar7240> tftp 0x80600000 rootfs.bin
eth0 link down
FAIL
Using eth1 device
TFTP from server 192.168.2.100; our IP address is 192.168.2.10
Filename 'rootfs.bin'.
Load address: 0x80600000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ######
done
Bytes transferred = 2359296 (240000 hex)


ar7240> erase 0x9F160000 +0x240000
Erase Flash from 0x9f160000 to 0x9f39ffff in Bank # 1
First 0x16 last 0x39 sector size 0x10000
Erased 36 sectors


ar7240> cp.b 0x80600000 0x9F160000 240000
Copy to Flash... write addr: 9f160000
done
ar7240> boot
## Booting image at 9f050000 ...
   Image Name:   MIPS OpenWrt Linux-3.10.49
   Created:      2014-10-02   6:57:00 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1107111 Bytes =  1.1 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum at 0x9f050040 ...OK
   Uncompressing Kernel Image ... OK
No initrd


After the system had booted, I ran a reboot from within OpenWRT to check that the system boots correctly, and all appears well (so far).
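As an added example (not the author's code or tooling), here is a Python script that automates the checks done by hand in the Progress section and the flashing steps above: it scans a raw flash dump for the uImage header magic 0x27051956 and verifies the header and data CRC32s instead of eyeballing the md output, finds the squashfs hsqs superblock after the kernel, and emits the tftp/erase/cp.b commands for the real sizes while refusing erase ranges that overlap each other or leave the firmware window (0x50000..0xfe0000, taken from the mtdparts in the boot log), so nvram and art are never touched. The 16 MiB dump it parses is constructed inline as a stand-in for the author's dump; the file names kernel.bin/rootfs.bin and the 0x80600000 load address are the ones used in the commands on this page.

```python
import struct
import zlib

# Layout facts from the page: U-Boot sees the 16 MiB SPI flash at 0x9f000000 with
# 64 KiB erase sectors, and the kernel's mtdparts put "firmware" at
# 0x50000..0xfe0000 with nvram and art (radio calibration) after it.
FLASH_BASE = 0x9F000000
FLASH_SIZE = 0x1000000
SECTOR = 0x10000
FIRMWARE = (0x50000, 0xFE0000)
LOAD_ADDR = 0x80600000                 # RAM staging address used by the tftp step

UIMAGE_MAGIC = 0x27051956
MAGIC_BYTES = struct.pack(">I", UIMAGE_MAGIC)
SQUASHFS_MAGIC = b"hsqs"               # little-endian squashfs superblock magic
UIMAGE_HDR = struct.Struct(">7I4B32s")  # 64-byte legacy uImage header, big-endian


def parse_uimage(buf, off):
    """Parse the legacy uImage header at buf[off:], checking the header CRC.
    Returns a dict (data_crc_ok covers the payload) or None if not a header."""
    if off + UIMAGE_HDR.size > len(buf):
        return None
    magic, hcrc, _ts, size, load, ep, dcrc, os_, arch, typ, comp, name = \
        UIMAGE_HDR.unpack_from(buf, off)
    if magic != UIMAGE_MAGIC:
        return None
    raw = bytearray(buf[off:off + UIMAGE_HDR.size])
    raw[4:8] = b"\0\0\0\0"             # header CRC is computed with its own field zeroed
    if zlib.crc32(bytes(raw)) != hcrc:
        return None
    data = buf[off + UIMAGE_HDR.size:off + UIMAGE_HDR.size + size]
    return {"offset": off, "size": size, "load": load, "entry": ep,
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "os": os_, "arch": arch, "type": typ, "comp": comp,
            "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc}


def find_images(buf):
    """Locate the kernel uImage and the squashfs that follows it: (kernel, rootfs_off)."""
    off = buf.find(MAGIC_BYTES)
    while off != -1:
        kernel = parse_uimage(buf, off)
        if kernel is not None:
            break
        off = buf.find(MAGIC_BYTES, off + 1)   # magic can occur inside data; need a CRC match
    else:
        raise ValueError("no uImage with a valid header CRC found")
    kernel_end = kernel["offset"] + UIMAGE_HDR.size + kernel["size"]
    rootfs_off = buf.find(SQUASHFS_MAGIC, kernel_end)
    if rootfs_off == -1:
        raise ValueError("no squashfs superblock after the kernel")
    return kernel, rootfs_off


def round_up(n, m):
    return (n + m - 1) // m * m


def check_ranges(kernel_off, kernel_len, rootfs_off, rootfs_len):
    """Problems with the two erase ranges (empty list if safe): each must be
    sector-aligned and inside the firmware window, and they must not overlap."""
    problems = []
    k_end = kernel_off + round_up(kernel_len, SECTOR)
    r_end = rootfs_off + round_up(rootfs_len, SECTOR)
    for label, lo, hi in (("kernel", kernel_off, k_end), ("rootfs", rootfs_off, r_end)):
        if lo % SECTOR or lo < FIRMWARE[0] or hi > FIRMWARE[1]:
            problems.append(f"{label} erase 0x{lo:x}..0x{hi:x} leaves the firmware window")
    if k_end > rootfs_off:
        problems.append("kernel erase range overlaps the rootfs")
    return problems


def plan_flash(kernel_off, kernel_len, rootfs_off, rootfs_len):
    """Emit the U-Boot commands for the two images; refuses unsafe ranges."""
    problems = check_ranges(kernel_off, kernel_len, rootfs_off, rootfs_len)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = []
    for fname, off, length in (("kernel.bin", kernel_off, kernel_len),
                               ("rootfs.bin", rootfs_off, rootfs_len)):
        addr = FLASH_BASE + off
        span = round_up(length, SECTOR)
        # U-Boot parses numeric arguments as hex, with or without the 0x prefix.
        cmds += [f"tftp 0x{LOAD_ADDR:08x} {fname}",
                 f"erase 0x{addr:08x} +0x{span:x}",
                 f"cp.b 0x{LOAD_ADDR:08x} 0x{addr:08x} {length:x}"]
    return cmds


def build_uimage(payload, name=b"MIPS OpenWrt Linux-3.10.49", load=0x80060000):
    """Build a legacy uImage tagged os=Linux(5) arch=MIPS(5) type=kernel(2) comp=lzma(3)."""
    hdr = bytearray(UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, 0, len(payload), load, load,
                                    zlib.crc32(payload), 5, 5, 2, 3, name))
    struct.pack_into(">I", hdr, 4, zlib.crc32(bytes(hdr)))
    return bytes(hdr) + payload


def make_sample_dump():
    """Constructed stand-in for a flash dump (not the author's): erased 0xff,
    a 1 KiB synthetic kernel at 0x50000 and a fake squashfs at the next sector."""
    img = bytearray(b"\xff" * FLASH_SIZE)
    kern = build_uimage(bytes(range(256)) * 4)
    img[0x50000:0x50000 + len(kern)] = kern
    img[0x60000:0x60000 + 4] = SQUASHFS_MAGIC
    return bytes(img)
```

Run find_images on a real dump to get the kernel offset and size, then feed the tftp'd file sizes to plan_flash; with the page's real values, plan_flash(0x50000, 0x110000, 0x160000, 0x240000) reproduces the erase and cp.b lines typed above. A flipped byte anywhere in the 64-byte header makes parse_uimage return None, which is a stronger check than recognising the name string in the md output.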

Further details:

U-Boot boot details


U-Boot 1.1.4 (Jul 24 2013 - 15:16:09)

AP121 (ar9331) U-boot

DRAM:  64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 149k for U-Boot at: 83fd8000
Reserving 192k for malloc() at: 83fa8000
Reserving 44 Bytes for Board Info at: 83fa7fd4
Reserving 36 Bytes for Global Data at: 83fa7fb0
Reserving 128k for boot params() at: 83f87fb0
Stack Pointer at: 83f87f98
Now running in RAM - U-Boot at: 83fd8000
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x18
flash size 16777216, sector count = 256
Flash: 16 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag7240_enet_initialize...
Fetching MAC Address from 0x83ff0608
Fetching MAC Address from 0x83ff0608
: cfg1 0x5 cfg2 0x7114
eth0: 00:c0:ca:74:43:95
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:c0:ca:74:43:94
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
eth1 up
eth0, eth1
Hit any key to stop autoboot:  0

Full OpenWRT boot


U-Boot 1.1.4 (Jul 24 2013 - 15:16:09)

AP121 (ar9331) U-boot

DRAM:  64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 149k for U-Boot at: 83fd8000
Reserving 192k for malloc() at: 83fa8000
Reserving 44 Bytes for Board Info at: 83fa7fd4
Reserving 36 Bytes for Global Data at: 83fa7fb0
Reserving 128k for boot params() at: 83f87fb0
Stack Pointer at: 83f87f98
Now running in RAM - U-Boot at: 83fd8000
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x18
flash size 16777216, sector count = 256
Flash: 16 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag7240_enet_initialize...
Fetching MAC Address from 0x83ff0608
Fetching MAC Address from 0x83ff0608
: cfg1 0x5 cfg2 0x7114
eth0: 00:c0:ca:7e:7b:b1
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:c0:ca:7e:7b:b0
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
eth1 up
eth0, eth1
Hit any key to stop autoboot:  0
##Booting image at 9f050000 ...
   Image Name:   MIPS OpenWrt Linux-3.10.49
   Created:      2014-10-02   6:57:00 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1107111 Bytes =  1.1 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum at 0x9f050040 ...OK
   Uncompressing Kernel Image ... OK
No initrd
##Transferring control to Linux (at address 80060000) ...
##Giving linux memsize in bytes, 67108864

Starting kernel ...

[    0.000000] Linux version 3.10.49 ([email protected]) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r42625) ) #3 Wed Oct 1 14:00:51 CEST 2014
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Atheros AR9330 rev 1
[    0.000000] Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x03ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line:  board=HORNET-UB console=ttyATH0,115200 mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,15936k(firmware),64k(nvram),64k(art)ro rootfstype=squashfs,jffs2 noinitrd
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 61076k/65536k available (2369k kernel code, 4460k reserved, 621k data, 272k init, 0k highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:51
[    0.000000] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[    0.080000] pid_max: default: 32768 minimum: 301
[    0.080000] Mount-cache hash table entries: 512
[    0.090000] NET: Registered protocol family 16
[    0.100000] MIPS: machine is ALFA NETWORK Hornet-UB
[    0.550000] bio: create slab <bio-0> at 0
[    0.560000] Switching to clocksource MIPS
[    0.570000] NET: Registered protocol family 2
[    0.570000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[    0.570000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[    0.570000] TCP: Hash tables configured (established 512 bind 512)
[    0.580000] TCP: reno registered
[    0.580000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.590000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.600000] NET: Registered protocol family 1
[    0.620000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.630000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.640000] msgmni has been set to 119
[    0.640000] io scheduler noop registered
[    0.640000] io scheduler deadline registered (default)
[    0.650000] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.660000] ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11) is a AR933X UART
[    0.670000] console [ttyATH0] enabled, bootconsole disabled
[    0.670000] console [ttyATH0] enabled, bootconsole disabled
[    0.680000] ath79-spi ath79-spi: master is unqueued, this is deprecated
[    0.690000] m25p80 spi0.0: found mx25l12805d, expected m25p80
[    0.690000] m25p80 spi0.0: mx25l12805d (16384 Kbytes)
[    0.700000] 5 cmdlinepart partitions found on MTD device spi0.0
[    0.700000] Creating 5 MTD partitions on "spi0.0":
[    0.710000] 0x000000000000-0x000000040000 : "u-boot"
[    0.720000] 0x000000040000-0x000000050000 : "u-boot-env"
[    0.720000] 0x000000050000-0x000000fe0000 : "firmware"
[    0.740000] 2 uimage-fw partitions found on MTD device firmware
[    0.750000] 0x000000050000-0x000000160000 : "kernel"
[    0.750000] 0x000000160000-0x000000fe0000 : "rootfs"
[    0.760000] mtd: device 4 (rootfs) set to be root filesystem
[    0.760000] 1 squashfs-split partitions found on MTD device rootfs
[    0.770000] 0x000000380000-0x000000fe0000 : "rootfs_data"
[    0.780000] 0x000000fe0000-0x000000ff0000 : "nvram"
[    0.780000] 0x000000ff0000-0x000001000000 : "art"
[    0.800000] libphy: ag71xx_mdio: probed
[    1.360000] ag71xx-mdio.1: Found an AR7240/AR9330 built-in switch
[    2.390000] eth0: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
[    2.940000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd041, driver=Generic PHY]
[    2.950000] eth1: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[    2.960000] TCP: cubic registered
[    2.960000] NET: Registered protocol family 17
[    2.970000] Bridge firewalling registered
[    2.970000] 8021q: 802.1Q VLAN Support v1.8
[    2.980000] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[    2.990000] Freeing unused kernel memory: 272K (8034c000 - 80390000)
procd: Console is alive
procd: - watchdog -
[    5.880000] usbcore: registered new interface driver usbfs
[    5.880000] usbcore: registered new interface driver hub
[    5.890000] usbcore: registered new device driver usb
[    5.900000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    5.900000] ehci-platform: EHCI generic platform driver
[    5.910000] ehci-platform ehci-platform: EHCI Host Controller
[    5.910000] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[    5.920000] ehci-platform ehci-platform: irq 3, io mem 0x1b000000
[    5.950000] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[    5.950000] hub 1-0:1.0: USB hub found
[    5.950000] hub 1-0:1.0: 1 port detected
procd: - preinit -
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
jffs2 is ready
jffs2 is ready
[   10.780000] jffs2: notice: (326) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (0 unchecked, 0 orphan) and 16 of xref (0 dead, 2 orphan) found.
switching to overlay
procd: - early -
procd: - watchdog -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
[   12.550000] NET: Registered protocol family 10
[   12.560000] nf_conntrack version 0.5.0 (958 buckets, 3832 max)
[   12.580000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[   12.590000] Loading modules backported from Linux version master-2014-05-22-0-gf2032ea
[   12.600000] Backport generated by backports.git backports-20140320-37-g5c33da0
[   12.620000] ip_tables: (C) 2000-2006 Netfilter Core Team
[   12.670000] xt_time: kernel timezone is -0000
[   12.710000] cfg80211: Calling CRDA to update world regulatory domain
[   12.710000] cfg80211: World regulatory domain updated:
[   12.720000] cfg80211:  DFS Master region: unset
[   12.720000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   12.730000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   12.740000] cfg80211:   (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   12.750000] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[   12.750000] cfg80211:   (5170000 KHz - 5250000 KHz @ 160000 KHz), (N/A, 2000 mBm), (N/A)
[   12.760000] cfg80211:   (5250000 KHz - 5330000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[   12.770000] cfg80211:   (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[   12.780000] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[   12.790000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[   12.870000] PPP generic driver version 2.4.2
[   12.870000] NET: Registered protocol family 24
[   12.960000] ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2
[   12.990000] cfg80211: Calling CRDA for country: US
[   12.990000] cfg80211: Regulatory domain changed to country: US
[   12.990000] cfg80211:  DFS Master region: FCC
[   13.000000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   13.010000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[   13.020000] cfg80211:   (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 1700 mBm), (N/A)
[   13.020000] cfg80211:   (5250000 KHz - 5330000 KHz @ 80000 KHz), (N/A, 2300 mBm), (0 s)
[   13.030000] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[   13.040000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
procd: - init complete -
[   22.920000] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[   22.920000] device eth0 entered promiscuous mode
[   22.930000] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[   22.960000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[   24.020000] eth0: link up (1000Mbps/Full duplex)
[   24.020000] br-lan: port 1(eth0) entered forwarding state
[   24.020000] br-lan: port 1(eth0) entered forwarding state
[   24.030000] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   24.040000] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   26.020000] br-lan: port 1(eth0) entered forwarding state



BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 BARRIER BREAKER (14.07, r42625)
 -----------------------------------------------------
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 -----------------------------------------------------
root@OpenWrt:/#