Install openwrt firmware in Broadlink's C1n

Do you have broadlink's next version Altai C1n CPE/AP? Want to use it for other personal purposes at home or work...

Revealing the customization is not always as possible as we think. Each time a newer version is released, they fix security holes and make it harder to exploit.

However, it is possible to reveal and remove the password of Broadlink's customization: compile open source firmware, use tftpboot to boot a ramfs firmware image from U-Boot, and mount the locked flash area to reveal it through serial, just like booting Windows or Linux from an ISO CD image and accessing the other partition of the disk....

Let's do something other than revealing the password. Since this device is powered by OpenWrt firmware, why not install the latest OpenWrt and use it as a Multi SSID Access Point, WDS, Repeater, Relay Bridge or in Station mode, for a more powerful and secure device.

Device Details

Name: Altai C1n Super WiFi CPE/AP
Model: WA1011N-G
FCCID : UCC-WA1011N-G
Board : DB120
CPU : Atheros (AR9344)
RAM : 32 MB
FLASH: 8MB
Boot Loader: U-boot
Platform: linux, openwrt
Wifi support: 802.11 bgn
Radio: 2.4 GHz
WAN: 1 Ethernet POE
Power: 18v, 0.66A (POE)
Hardware version: 1.0


Platform:


C1n Front  and Rear view
The C1n uses an Atheros-based SoC on a DB120 platform board and is powered by the popular open source wireless system "openwrt", equipped with the U-Boot bootloader, an embedded Linux system and busybox.

Because this firmware is customized for a specific use, you won't get the full benefits/power of openwrt until you replace the original firmware with your own compiled firmware.

Know more about openwrt


Running the binwalk tool in Linux on the firmware image displays the following information:

root@user#binwalk C1n_1.2.4.1821_2014-04-07.bin

DECIMAL    HEX        DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
65536      0x10000    uImage header, header size: 64 bytes, header CRC: 0xE20DFCAF, created: Mon Apr  7 17:19:54 2014, image size: 892269 bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0xA60F2B25, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-2.6.32.25"
65600      0x10040    LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2664968 bytes
983040     0xF0000    Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 5233777 bytes,  1815 inodes, blocksize: 131072 bytes, created: Mon Apr  7 17:19:52 2014

The first header shows a uImage (the U-Boot image format) containing the OpenWrt Linux kernel, compressed with LZMA.

Another header shows the Squashfs filesystem, also LZMA compressed.
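
To check an image like this yourself before flashing, the following added example (not from the original post) parses the legacy uImage header that binwalk reports at offset 0x10000 and verifies its header CRC and data CRC. The sample image is constructed inside the code, and the function names are illustrative.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# Legacy U-Boot image header: 64 bytes, big-endian.
HEADER = struct.Struct(">7I4B32s")
OS = {5: "Linux"}
ARCH = {5: "MIPS"}
TYPE = {2: "OS Kernel Image"}
COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def parse_uimage(blob, offset):
    """Parse the uImage header at `offset` and check both of its CRCs."""
    raw = blob[offset:offset + HEADER.size]
    if len(raw) < HEADER.size:
        raise ValueError("truncated header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     os_id, arch, kind, comp, name) = HEADER.unpack(raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at offset 0x%X" % offset)
    # The header CRC is computed with the CRC field itself zeroed.
    zeroed = raw[:4] + b"\x00" * 4 + raw[8:]
    start = offset + HEADER.size
    payload = blob[start:start + size]
    return {
        "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "size": size, "load": load, "entry": entry,
        "os": OS.get(os_id, os_id), "arch": ARCH.get(arch, arch),
        "type": TYPE.get(kind, kind), "comp": COMP.get(comp, comp),
        "header_ok": zlib.crc32(zeroed) == hcrc,
        "data_ok": len(payload) == size and zlib.crc32(payload) == dcrc,
    }


def build_sample(offset=0x10000):
    """Constructed image: 0xFF padding, then a uImage with a dummy payload."""
    payload = b"\x6d" + bytes(range(256)) * 4   # stand-in, not real LZMA data
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80060000, 0x80060000,
              zlib.crc32(payload), 5, 5, 2, 3, b"MIPS OpenWrt Linux-2.6.32.25"]
    fields[1] = zlib.crc32(HEADER.pack(*fields))
    return b"\xff" * offset + HEADER.pack(*fields) + payload


if __name__ == "__main__":
    image = build_sample()
    print(parse_uimage(image, 0x10000))
    damaged = image[:-1] + bytes([image[-1] ^ 0x01])   # flip one payload bit
    print(parse_uimage(damaged, 0x10000)["data_ok"])
```

CRC32 only detects accidental corruption such as a truncated download or a bad TFTP transfer; it is not a signature and says nothing about who built the image.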

Warning !!!

Installing custom firmware on the device will void the warranty....

Your device may be permanently damaged....

However, the following process has been carried out successfully many times and my device is working perfectly.

I give no guarantee and am not liable for any loss of yours; do it at your own risk.....

If you don't know what you are doing.. then please don't do it....

This process is specifically for the C1n device (model: WA1011N-G, Hardware version: 1.0, see device details above) and will not work for other models (such as the C1); never try it with another model.

How to install Custom openwrt Firmware

1. Prepare your device for serial connection

We need to connect to the device through serial to access the boot loader, from where we can install custom firmware.

Disassembly and serial pin configuration of the C1n are the same as for the C1 device; see my old blog on how to disassemble and connect the C1n serial pins to a computer...

2. Prepare firmware:

OpenWrt is a free open source project that releases operating systems for embedded systems and supports a wide range of wireless devices.
You can download the source and build your own version of the firmware.

You can download the OpenWrt source code from here:

See the OpenWrt wiki for how to compile firmware:

Or you can download this compiled one of mine:


3. Prepare your computer:
Linux is the best platform to compile and upload firmware for such devices.

a. Install and configure dnsmasq

There are several ways of installing dnsmasq on a Linux distro; search for the one that fits yours, for example:

apt-get install dnsmasq

Uncomment the following lines in /etc/dnsmasq.conf and save to enable the TFTP feature in dnsmasq.

# Enable dnsmasq's built-in TFTP server
enable-tftp

# Set the root directory for files available via FTP.
tftp-root=/tftp/


Start the dnsmasq service:

service dnsmasq start

Copy the downloaded or compiled firmware file to the /tftp/ folder. You may replace the long file name with a short one to make typing easier.
firmware downloaded to /tftp/ folder
cp openwrt-2.2.1-ar71xx-generic-db120-squashfs-sysupgrade.bin sysupgrade2.2.1.bin
Renames downloaded file

b. Open minicom and configure

Connect the USB serial TTL device to a USB port and run the following command.
Minicom setup Menu

minicom -s

This opens the minicom setup menu.

i. Select Serial port setup

The C1n works with:
Speed (baud rate): 115200
Data bits: 8
Stop bits: 1
Parity: none
i.e. 115200 8N1

ii. Press E to select 115200 8N1

iii. Press Enter, select Save setup as dfl, and exit from minicom.

Then run the following command.

minicom

Run the following commands from I to IV only if the following error occurs while running minicom.
Solution when /dev/modem is not linked with ttyUSBx:
I.
dmesg | grep tty

(shows which serial device is connected to which port, i.e. in my case the FTDI USB serial device is on ttyUSB0)

II.
minicom

(starts minicom, but may show the error: /dev/modem not found)

III.
ln -s /dev/ttyUSB0 /dev/modem

(makes a soft link from /dev/modem to the connected USB serial device)

minicom running successfully
IV.
minicom

(now your minicom should run successfully with the following messages)
 
4. Configure  C1n Networks connection

Connect one end of a network cable to the C1n Ethernet port and the other end to the (Data out + power) port of the power supply (POE). Connect the device LAN port to the computer LAN port with another cable.

Plug the POE power adapter into an electric power socket.
As soon as your C1n is switched on you will see the boot information in the minicom window, as follows.
Booting C1n
Press any key to interrupt the firmware boot process after the message marked above is displayed; you have just 4 seconds.

(Note: Sometimes, with some USB TTL devices, the device boot gets stuck (hangs) as soon as some messages are shown... if so, do the following:
1. Power off the device
2. Unplug the C1n TX pin cable (C1n device side), leaving RX and GND connected
3. Power on the device
4. As soon as it is powered on, connect the TX pin cable to the C1n and quickly hit any key on the keyboard to interrupt the firmware boot process)

5. Setup C1n u-boot parameters


As soon as you press any key within the 4 seconds, the firmware boot process is interrupted. Enter the following command to view and set up the required parameters.

U-boot environment variable
printenv

This shows the U-Boot environment variables, as shown in the pictures.

ipaddr: C1n boot-time IP

serverip: TFTP server IP; it should match your PC LAN IP.

bootcmd: the firmware boot process loads from this memory address... we should change this later to boot our firmware successfully

Leave everything else as it is and set serverip to match your PC LAN IP with the following command.

Change serverip to match with your PC LAN ip
set serverip 192.168.1.180


In my case my PC LAN address is 192.168.1.180; change it to yours.

Check the network connection between the C1n and the PC's dnsmasq service with:

Check link between C1n and PC

ping 192.168.1.180

If the "host X.X.X.X is alive" message is displayed then all is going OK and we are ready to flash.



6. Flash custom firmware

i. Download firmware from PC to device RAM

tftp 0x80060000 sysupgrade2.2.1.bin

This command loads the firmware from the PC into device RAM.
firmware load progress and file size transferred

The transfer progress is displayed, followed by the total bytes transferred as a hex value.

Note the file size (762d23); we need it when erasing and writing flash.

ii. Erase flash area and copy firmware to flash area
erase 0x9f050000 +0x762d23

Erases the flash area.

cp.b 0x80060000 0x9f050000 $filesize

Copies the firmware from RAM to the flash area.

iii. Change firmware boot parameter and save changes
set bootcmd bootm 0x9f680000

Changes the firmware boot location to the point in flash where the kernel (vmlinux) is located. After the kernel image is loaded successfully, it carries out the rest of the system boot tasks.

save

This commits all changes permanently to the U-Boot environment variables.

reset

This restarts the C1n. U-Boot reboots and loads the new firmware, displaying the following messages.
 



openwrt trunk build version r47436
Configure Device to operate in Station Mode:

In station mode the device's wireless can connect to any wireless access point (working as WAN), with the device's POE port acting as LAN.

You can configure your device to operate in various modes.... Please visit the official OpenWrt website for how to configure the device for other modes.

1. For quick configuration download this file to your computer...

OpenWrt provides a web configuration interface powered by LuCI.

2. Open web browser

Type 192.168.1.1, then enter user: root and password: (leave empty and press login)

3. Upload archive

After logging in, press the System tab, then Backup / Flash Firmware, click the Browse button, select the downloaded archive file, click the upload archive button and your system starts configuring the device in station mode.

Wait for the device to reboot.... You are ready: log in again and change the SSID and security key from the Network -> wifi tab.

That's it, enjoy your powerful and secure device..............

 Read this also:  Remove Broadlink's C1 password

28 comments:

  1. Hi, I have C1an, can you please help me require or reset username and password please. I can pay for the service

  2. Hello: how to go back to the original Altai C1n firmware from OpenWrt? Thanks

    Replies
    1. Have you backed up the original firmware before flashing openwrt? If yes, then truncate the first 64 bytes that contain the uboot loader using the dd tool and flash the truncated firmware using the mtdwrite command from busybox in openwrt. If not, download the altai c1n firmware from altai and remember you have to overwrite the uboot loader also, which is very risky; if you mess something up you won't be able to re-write the firmware and boot the device anymore without JTAG. Do it at your own risk....

    2. Thanks; why is the wireless of the Altai C1n very low on OpenWrt?

  3. Thanks; why is the wireless of the Altai C1n very low on OpenWrt?

  4. Hello, I uploaded the Altai C1 CPE/Ap Wa1011c C1.v1.6.0.200.130617.1626.bin firmware to the Broadlink's C1n device but now the device is not working; only the power and LAN LEDs light up. I have connected it to the PC and it gives the IP address but it's not working. How do I fix this or reset this? I have tried to hard reset too but it's now working. Please reply to me as soon as possible, thank you.

  5. Now it is possible to reveal the password of every C1n device through serial.. and no need to install openwrt too. Thanks guys for providing the C1n device to flash openwrt.... It's time to write the next blog about that ... just waiting for some more free days from the office... until then keep on sending me the device to get new and new password.... Thanks

    Replies
    1. This comment has been removed by the author.

    2. what tools do we need to reveal the c1n password through serial

  6. Hi,
    Thanks again for helping me to install openwrt last year. Yesterday I made some changes in the device settings and after reboot, it won't issue ip to device neither by WiFi or LAN cable. I have tried static ip on both wifi and lan. So I really can't connect or login now. How can I hard reset it. I have tried pressing button on the device, apparently it does not seem working either.

    Replies
    1. Your LAN configuration might be misconfigured so you cannot log in ... how did you flash openwrt last year.. from serial you can log in and configure the LAN interface ... visit openwrt to know how to configure the network. Or you can mail me the detailed problem by mail: rabin.ghimire@gmail.com

  7. Hi Rabin, I have a problem with my c1n. I flashed lede v17.01.0 successfully. I notice that the LAN MAC is changing every reboot, but it gives me a random MAC which I believe is from a "locally administered" class, not the factory MAC of eth0. Even if I change /etc/config/network to add option macaddr, when I reboot it again it does not seem to have applied my config. Thanks for your feedback, I hope you can help me

  8. Rabin how can we get the password for c1n via serial?

  9. how can i get the password for c1 ....already have my tools

    Replies
    1. There is a complete tutorial with screenshots about the c1 in another blog; you can find the link at top right under Blog List, or visit the link http://rabinsfun.blogspot.com/

  10. Hello Rabin g, I have Altai c1aqn 5 Ghz, where to find firmware for that device???

  11. Hi, Mr Rabin, could you please upload the original firmware of the c1n? I couldn't find it

  12. Redblue do u still need the original firmware?

  13. rabin how go back to firmware original altai c1n from openwrt

  14. This comment has been removed by the author.

    Replies
    1. Thank you for sharing it. It's a 16mb dump and the flash size is only 8 mb, what should I trim off it?

  15. dnsmasq always cannot use port 53

  16. Hello, had a bad firmware update on my Altai c1n which led to a malfunction of it; it's stuck at booting with only one LED on, can't access the interface manager or any sort of way to reset or reprogram it, even the reset button doesn't do anything. I would appreciate your help: should I use a TTL device and follow the same steps in this tuto, or is there another way? Thank you

    Replies
    1. if you get succeed receiving it please share the experience here.

  17. ah finally I found easy way to get root passed check it out..
    https://github.com/stateactor/Altaic1n_root_passwd
