OpenWrt Forum Archive

Topic: Sky Wireless Booster - AirTies Air4400

The content of this topic has been archived between 22 Apr 2018 and 24 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

Sky in the UK are giving away free wireless extenders. These are in fact AirTies Air4400 wireless extenders. Unfortunately they don't have any official Access Point mode which makes it useless to me.

Does anyone if it would be possible to run any form of OpenWRT on them?

It is BCM5357 based.

I've taken photos of the internals if they're of any interest.

http://imgur.com/a/GrsDZ/

(Last edited by ant_thomas on 5 Jan 2014, 02:00)

Well it does have 8mb flash memory and 32mb ram memory (according to the pics).
And looks more or less similar to the dir615 k1.
As well it does seem to have an uart/ttl (j2) and a jtag (j1) header (unpopulated).

It looks possible to get openwrt running on this.

according to the sticker it is an air4400
Official firmware AirTies_Air4400_FW_1.6.0.9.bin
Binwalk output from the AirTies_Air4400_FW_1.6.0.9.bin

Pinout based on image, a square is always pin 1 (pinout can be incorrect be sure to measure).
J2:

1 = RX
2 = gnd
3 = Vcc
4 = gnd
5 = TX

pinout can be incorrect be sure to measure it don't connect the Vcc and use a ttl adapter and not a com/rs232 port directly. The logic levels are 3.3v

(Last edited by FriedZombie on 7 Jan 2014, 00:02)

Well that looks promising.

I don't think I currently have a ttl adapter but could probably do with buying one anyway. I do have some Raspberry Pis which run on 3.3V logic and have TTL pins if I could use on of those for diagnostic purposes.

What could I do that would be useful for helping port Open-WRT to it?

I was a bout to type a lengthy step by step guide on how to check my pinout, but somehow I don't think that's really needed tongue

But basically double check my findings (since I don't have the actual device). and capture a bootlog smile (the pi will work fine for that).

Also do you have access to some kind of web interface by any chance? it could be that you have to set your computer manually to 192.168.1.10 and see if there is web interface on 192.168.1.1 (or similar).


And the uboot env would be nice as well smile in the u-boot console the command is: printenv

(Last edited by FriedZombie on 6 Jan 2014, 15:33)

Good find! I would place myself very much at the bottom of the amateur ladder so any step by step would certainly be followed but I'm confident enough to give it a go...!

Yes, there's a web interface. Not many options.

Connect to a different router
Wireless Security Settings
Firmware update (current firmware Firmware Version:1.0.0.31)

Anything helpful I could do regarding the web interface?

How do I get the uboot env?

type ctrl+c when you see "waiting for magic..."

(Last edited by nebbia88 on 7 Jan 2014, 00:27)

Tried that and had a look around.

Available commands: et, reset, saveenv, setenv, getenv, readflash, writeflash, nvram, reboot, flash, batch, go, boot, load, save, airboot, airfw, airdt, ping, arp, ifconfig, show, help

bcm5357 # getenv
(null)
*** command status = 0
bcm5357 # show devices
Device Name          Description
-------------------  ---------------------------------------------------------
uart0                NS16550 UART at 0x18000300
flash0.boot          ST Serial flash offset 00000000 size 128KB
flash0.nvrampad      ST Serial flash offset 00020000 size 32KB
flash0.nvram         ST Serial flash offset 00028000 size 96KB
flash0.config        ST Serial flash offset 00040000 size 64KB
flash0.asd           ST Serial flash offset 00050000 size 64KB
flash0.kernel        ST Serial flash offset 00060000 size 3904KB
flash0.rootfs        ST Serial flash offset 00430000 size 3904KB
flash1.boot          ST Serial flash offset 00000000 size 128KB
flash1.nvrampad      ST Serial flash offset 00020000 size 32KB
flash1.nvram         ST Serial flash offset 00028000 size 96KB
flash1.config        ST Serial flash offset 00040000 size 64KB
flash1.asd           ST Serial flash offset 00050000 size 64KB
flash1.kernel        ST Serial flash offset 00060000 size 3904KB
flash1.rootfs        ST Serial flash offset 00430000 size 3904KB
flash2.allflash      ST Serial flash offset 00000000 size 8192KB
eth0                 Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller
*** command status = 0

bcm5357 # help
Available commands:

et                  Broadcom Ethernet utility.
reset               Reboots the board
saveenv             Save all environment variables to nvram
setenv              Set a value to an mnram variable. Don't use '=' (equal) sign
getenv              Get an environment variable from nvram
readflash           Read flash's different partitions to a fixed memory address.
writeflash          Write to flash's different partitions from a fixed memory ad
dress.
nvram               NVRAM utility.
reboot              Reboot.
flash               Update a flash memory device
batch               Load a batch file into memory and execute it
go                  Verify and boot OS image.
boot                Load an executable file into memory and execute it
load                Load an executable file into memory without executing it
save                Save a region of memory to a remote file via TFTP
airboot             Start AirTies Boot Protocol
airfw               Start AirTies Firmware Protocol
airdt               Start AirTies Detect Protocol
ping                Ping a remote IP host.
arp                 Display or modify the ARP Table
ifconfig            Configure the Ethernet interface
show clocks         Show current values of the clocks.
show devices        Display information about the installed devices.
help                Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** command status = 0
bcm5357 # nvram show
sb/1/ofdm2gpo=0x75555555
antswctl2g=0x1
boardrev=0x1162
sb/1/mcs2gpo0=0x5555
sb/1/mcs2gpo1=0x7755
et0macaddr=00:90:4c:08:02:2b
sb/1/mcs2gpo2=0x5555
sb/1/mcs2gpo3=0x7555
sb/1/mcs2gpo4=0x5555
sb/1/mcs2gpo5=0x7755
watchdog=0
boot_wait=on
sb/1/mcs2gpo6=0x5555
sb/1/temps_period=5
sb/1/mcs2gpo7=0x7555
sb/1/rssismc2g=0xf
et0mdcport=0
f_rootfs_end=0x007fffff
flashboot=NOR
reset_gpio=21
pmon_ver=CFE 5.100.138.20
sb/1/rssisav2g=0x7
sb/1/bxa2g=0x3
vlan2ports=0 5
sb/1/triso2g=0x5
sb/1/sromrev=8
rootfs_auto_size=0x002F6040
MAC_ETH_0=18:28:61:DB:19:C0
gpio7=wps_led
sb/1/pa2gw2a0=0xFA87
sb/1/pa2gw2a1=0xFA99
SERIAL_NUMBER=AT1581347042775
sb/1/tempthresh=120
wl_msglevel=0x1
sb/1/itt2ga0=0x20
sb/1/itt2ga1=0x20
f_config_addr=0x00040000
WPS_PIN_0=89001127
boardtype=0x058e
HW_REVISION=TW_0.3
et_swleds=0xd
lan_netmask=255.255.255.0
PRODUCT_ID=SB601
BOOT_DELAY=3
f_uboot_end=0x0001ffff
sb/1/regrev=0
sb/1/ag0=0x2
sb/1/ag1=0x2
f_kernel2_size=0x00379fc0
sb/1/ag2=0x2
sb/1/ag3=0xff
sb/1/rssismf2g=0xf
vlan2hwname=et0
sb/1/extpagain2g=0x2
nvram_revision=402
xtalfreq=20000
sb/1/stbcpo=0x0
boardflags2=0x1000
sb/1/bwduppo=0x0
sb/1/aa2g=0x3
sb/1/txchain=0x3
fwserver_addr=239.254.0.229
wait_time=3
f_uboot_addr=0x00000000
sb/1/pa2gw1a0=0x1648
f_kernel2_addr=0x00430000
sb/1/pa2gw1a1=0x1617
sb/1/boardflags2=0x1000
f_config_end=0x0004ffff
sb/1/boardflags=0x710
enable_mc_fw_upgrade=off
sb/1/leddc=0xffff
boot_flag=success
lan_ipaddr=192.168.2.1
STARTUP_SCRIPT=airboot
clkfreq=300,150,75
vlan1hwname=et0
sdram_config=0x103
vlan1ports=0 1 2 3 4 5
sb/1/temps_hysteresis=5
BOOTLOADER_VER=CFE_1.0.37
sb/1/macaddr=00:90:4c:08:12:2b
sb/1/ccode=0
boardflags=0x710
TELNET_ENABLED=OFF
sdram_refresh=0x8040
wandevs=vlan2
f_asd_end=0x0005ffff
sb/1/cck2gpo=0x0
sdram_ncdl=0x00000000
sb/1/pa2gw0a0=0xFE7C
sb/1/pa2gw0a1=0xFE82
Version=16777247
f_image_num=0
sb/1/bw40po=0x0
sb/1/devid=0x4329
f_kernel_size=0x00379fc0
f_asd_addr=0x00050000
et0phyaddr=30
MAC_WLAN_0=18:28:61:DB:19:C1
sb/1/pdetrange2g=0x2
landevs=vlan1 wl0
rootfs_auto_offset=0x00139FC0
sb/1/tssipos2g=0x1
sdram_init=0x0419
sb/1/antswctl2g=0x1
f_kernel_end=0x0042ffff
gpio20=wps_button
f_rootfs_addr=0x00430000
sb/1/tri2g=0xff
sb/1/ledbh0=11
sb/1/maxp2ga0=0x50
sb/1/ledbh1=11
sb/1/maxp2ga1=0x50
f_kernel_addr=0x00060000
sb/1/ledbh2=11
sb/1/ledbh3=11
sb/1/ledbh5=11
sb/1/cddpo=0x0
sb/1/ledbh6=11
sb/1/opo=0x0
sb/1/rxchain=0x3
sb/1/rxpo2g=0xff
boardnum=555
f_kernel2_end=0x007fffff
sb/1/antswitch=0x0
dualimage=enabled
size: 2468 bytes (30300 left)
*** command status = 0

(Last edited by ant_thomas on 7 Jan 2014, 00:34)

ant_thomas: forget about U-Boot, just use CFE, some short howto can be found on: http://wiki.openwrt.org/doc/techref/bootloader/cfe

It seems this device has some partitions that are not supported by bcm47xxpart. Please dump for me "cfe", "Config" and "ASD" partitions. I think that:
cfe: /dev/mtdblock0
Config: /dev/mtdblock2
ASD: /dev/mtdblock3

If this device has USB, you can just dump them to some USB disk. Connect one, see where it's mounted ("mount" command) and dump mtdblock to it (cat /dev/mtdblock0 > /mnt/pendrive/cfe.bin).

If devices doesn't have USB, you can try faking dump to be some image accessible over http. I think your http files are located in /webs/. If that is correct, you can try sth like "cat /dev/mtdblock0 > /webs/cfe.jpeg" and then access it like http://192.168.1.1/cfe.jpeg

If you provide dump of these partitions I'll try to add support for them in bcm47xxpart.

(Last edited by Zajec on 7 Jan 2014, 08:36)

zajec: Thanks for the details, I'll sort that this evening.

Some nvram entries that may be device specific:

boardnum=555
boardrev=0x1162
boardtype=0x058e
HW_REVISION=TW_0.3
PRODUCT_ID=SB601
Zajec wrote:

If you provide dump of these partitions I'll try to add support for them in bcm47xxpart.

Sounds like a plan smile, since I currently don't really have the time for it.
Also couldn't you dump the partitions to a tftp server as well?

Dumping it to the web directory is probably not going to work, since it is /var/unpacked/webs and it is loaded in ram only.
there exists a symlink from /webs -> /var/unpacked/webs

The file that is unpacked onboot is /webs.tar.lzma

Also I wouldn't be surprised if the firmware I posted earlier for the airties 4400 just flashes, but it would be a good thing to have the partition dumps. There could always be hiding something interesting in it:)

p.s. Also sory for the u-boot cfe mixup wink

(Last edited by FriedZombie on 7 Jan 2014, 22:01)

Zajec wrote:

Some nvram entries that may be device specific:

boardnum=555
boardrev=0x1162
boardtype=0x058e
HW_REVISION=TW_0.3
PRODUCT_ID=SB601

Did you get the dumps?

Copying to /webs seemed to work fine assuming the dumps are suitable.

ant_thomas wrote:

Did you get the dumps?

Copying to /webs seemed to work fine assuming the dumps are suitable.

Nope we both didn't you are the only one of us with a sky wireless booster
If you dumped the images, I would share them on a file sharing site. I usually use google drive for sharing things like this.

FriedZombie wrote:

Nope we both didn't you are the only one of us with a sky wireless booster
If you dumped the images, I would share them on a file sharing site. I usually use google drive for sharing things like this.

Sorry, that was supposed to be directed at Zajec. I've sent them to him.

I got the dumps, analyzing them. Thanks.

Zajec wrote:

I got the dumps, analyzing them. Thanks.

Zajec: Have you managed to make any progress?

Not much. So I've analyzed your flash dump.
1) Standard CFE on 0x00000000 → 0x00200000
2) Main NVRAM on 0x00280000 → ...
3) Backup NVRAM on 0x00380000 → ...
4) Config on 0x00040000 → 0x00050000. Starts with:

0004:0000 | E0 0D DC BA  67 4A 00 00  F2 4C 4C F6  31 7C 27 8D | à.ܺgJ..òLLö1|'.
0004:0010 | 3C 63 6F 6E  66 69 67 20  76 65 72 73  69 6F 6E 3D | <config version=

5) ASD on 0x00050000 → 0x00060000. Starts with:

0005:0000 | E0 0D DC BA  E2 00 00 00  00 00 05 00  45 2E E6 33 | à.ܺâ.......E.æ3
0005:0010 | BD 93 A7 FC  63 75 72 72  65 6E 74 5F  6C 61 6E 67 | ½.§ücurrent_lang

6) Kernel on 0x006000 →0x00139???. Starts with:

0006:0000 | 5D 00 00 02  00 E8 BC 2A  00 00 00 00  00 00 00 24 | ]....è¼*.......$
0006:0010 | E0 C1 86 9C  B0 B1 53 C1  CF 25 27 9F  D5 69 C7 95 | àÁ..°±SÁÏ%'.ÕiÇ.

And there is a part I've no idea how to handle yet:

0013:9F50 | 80 06 00 00  80 06 00 00  04 C2 0C 20  05 05 02 01 | .........Â. ....
0013:9F60 | 4C 69 6E 75  78 20 4B 65  72 6E 65 6C  20 49 6D 61 | Linux Kernel Ima
0013:9F70 | 67 65 00 00  00 00 00 00  00 00 00 00  00 00 00 00 | ge..............
0013:9F80 | 27 05 19 56  04 7C 5B E3  52 6A BE 76  00 2A 00 00 | '..V.|[ãRj¾v.*..
0013:9F90 | 00 00 00 00  00 00 00 00  14 29 A2 B9  05 05 07 03 | .........)¢¹....
0013:9FA0 | 53 42 36 30  31 20 52 6F  6F 74 46 53  00 00 00 00 | SB601 RootFS....
0013:9FB0 | 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 | ................
0013:9FC0 | 73 68 73 71  F9 00 00 00  00 00 00 00  00 00 00 00 | shsqù...........
0013:9FD0 | 00 00 00 00  00 00 00 00  00 00 00 00  03 00 00 00 | ................
0013:9FE0 | 00 00 10 00  C0 01 00 76  BE 6A 52 F8  1E 00 00 00 | ....À..v¾jRø....

(we have to somehow detect where squashfs starts).

We also have to figure out how to prepare a valid image.

(Last edited by Zajec on 8 Jan 2014, 23:11)

shsq is a marker of squashfs file system start?

nebbia88 wrote:

shsq is a marker of squashfs file system start?

That's right, but it's located in the middle of flash block and we can't scan (read) every possible place looking for magics.

We should find/notice LZMA compressed kernel, go to it's end and see what's next. Unfortunately LZMA doesn't have a nice magic and AFAIK doesn't store compressed size in the header. What we can see in your flash:

5D 00 00 02  00 E8 BC 2A  00 00 00 00  00

is a LZMA header.

1) 0x02 = Properties
lc: 3, lp: 0, pb: 2

2) 0x0000005D = Dictionary Size

3) 0x000000002ABCE8 = Uncompressed Size
Decimal value is 2800872 (bytes)

Zajec: Is there anything else you'd like me to do? or dump?

Wow, so I've been independently analysing the Wireless Booster this week too and had no idea this thread existed! Anyway, looks like you guys have gone down a slightly different route than me (hooking up a serial cable was still on my todo list), but I'll contribute all my findings so far:


Enable Telnet
Telnet is supported by the device, it's just disabled on boot. There is an nvram variable TELNET_ENABLED (as shown as TELNET_ENABLED=OFF in the log from ant_thomas). I believe that if you use 'setenv' and 'saveenv' commands in the CFE console to change it to TELNET_ENABLED=ON, it should work.


Firmware image
You can download the firmware image directly from the update web servers. Follow a similar process as defined here: https://code.google.com/p/sky-router-to … uto-Update

Navigate to:
http://sb601.skyfirmware.com/timecheck/ … uct=skydsl (replace XXXXXXXXXXwith a valid MAC address)
The response will contain something like: http://sb601.skyfirmware.com/?mac=XXXXX … uct=skydsl

And that will respond with a URL similar to http://download-ext.skyfirmware.com/S/A … 0.0.31.bin (AAA and BBB are a session)
That final URL will you will give the AirTies_SB601_FW_1.0.0.31.bin

This firmware image extracts nicely with "binwalk -e AirTies_SB601_FW_1.0.0.31.bin":

test@test:~/# ls
5C0 5C0.7z AirTies_SB601_FW_1.0.0.31.bin DA580.squashfs squashfs-root

test@test:~/# ls squashfs-root/
bin dev etc lib mnt proc ramdisk root sbin sys tmp usr var webs webs-admin webs-guest webs.tar.lzma

The web.tar.gz is there (as you guys mentioned) and also extracts fine.

test@test:~/# ls webs/
air.css config.bin global images invalid_host.html lan lang.js login.html main.html menu_frame.html report tools wireless wizard_model.js cgi-bin errors homepage.html index.html js lang licence_information.html loginmain.html management ncsi.txt style top.html wizard.html

Addresses
Theses addresses are stored in nvram (check for example f_rootfs_addr and f_rootfs_end):

uboot 0x00000000 - 0x0001ffff
config 0x00040000 - 0x0004ffff
asd 0x00050000 - 0x0005ffff
kernel 0x00060000 - 0x0042ffff
rootfs 0x00430000 - 0x007fffff

They match some of the addresses you have already.


Config backup/restore
As you guys have also noticed, this is a rebranded Airties 4400 and uses a skinned web interface. A lot of the original Airties web pages have been removed, but there are some still available (just the top navigation menu links disabled). All checks are done client-side by the Definitions.js file i.e. "var __DEF_HideLan_Menu = true;". You can use a web proxy (such as Burp proxy) to modify the Definitions.js file, to re-enable the menus. The most interesting one here is the page to save/restore the config. To do this, change:

var __DEF_ShowSaveConfigOnheToolsPage = false;
var __DEF_ShowRestoreConfigOnheToolsPage = false;

to

var __DEF_ShowSaveConfigOnheToolsPage = true;
var __DEF_ShowRestoreConfigOnheToolsPage = true;

You can also enable the buttons in the webpage via Firebug or similar (they are hidden via display: none CSS).
Now when you go to Tools -> you should see the Backup and Restore buttons. Backup will give you a config.bin file. This file is CRC checked on Restore, so you can't modify it and re-upload as far as I can tell.

https://dl.dropboxusercontent.com/s/84zrechowghioco/BackupRestore.PNG

Enable syslog
Using the same approach as above, you can enable the Report (syslog) menu by changing:

var __DEF_HideMenuReport = 1; -> var __DEF_HideMenuReport = 0;

This will allow you to set a remote syslog server; useful for debugging.


Other useful hidden webapges
/lan/ip_and_dhcp_settings.html
/lan/dhcp_setup.html
/lan/dhcp_client.html
/lan/operation_mode.html
/tools/sntp.html


Modify settings via SOAP API
The web interface uses a SOAP (?) interface to save/query settings. You can use this same interface to edit the config file, it just requires a POST to /cgi-bin/webapp, with the correct XML.For example, to disable automatic updates:

POST /cgi-bin/webapp

<xmlrequest version="1.0.1"> 
<command inst="cfgmgr-0"><key>begin_transaction</key><value>http_upgrade_for_sky-0</value></command> 
<set inst="http_upgrade_for_sky-0"><key>httpserverforfw</key><value>DISABLED/</value></set> 
<command inst="cfgmgr-0"><key>commit</key><value>http_upgrade_for_sky-0</value></command> 
<command inst="cfgmgr-0"><key>save</key><value/></command> 
<command inst="cfgmgr-0"><key>end_transaction</key><value>http_upgrade_for_sky-0</value></command> 
</xmlrequest>

The best way to find valid XML requests, is to use a proxy and record the requests to /cgi-bin/webapp


UPNP
A UPNP Service appears to run on port 49152, but only for a while on first boot. You can query information from it, from /wps_device.xml and /wps_scpd.xml URLs


What's needed next for this project? Happy to help out

(Last edited by Atarii on 9 Jan 2014, 22:50)

Atarii: yeah, you were analyzing this device from a bit different POV. You were examining possibilities with original firmware, while I was looking how to run OpenWrt on it.

I got some short discussion with Hauke, this device support is a bit complicated.

So first of all, it seems CFE verifies kernel and rootfs:

Searching for kernel and rootfs images..
Checking kernel..
Kernel check ok..
Checking rootfs..
Rootfs check ok..

It means out firmware image has to be compatible with the original one. It means we can't really go the easy way and for example put rootfs (SquashFs) the the beginning of flash block.

We have to:

  1. Consider if we want/need/can use loader (this may be not possible because of CFE checks)

  2. Figure out a way to find LZMA compressed kernel (I assume we don't use loader) (note: LZMA doesn't use any nice MAGIC)

  3. Put some magic data between kernel and rootfs in our firmware image

  4. Figure out how to find a rootfs (there are simple MAGICs, but offset is unknown and doesn't fit flash block)

Just wanted to confirm, enabling telnet works. I connected up a serial cable and sent the following:

bcm5357 # nvram set TELNET_ENABLED=ON

*** command status = 0

bcm5357 # nvram commit

Writing nvram to 1. slot. Rev: 479

Writing nvram to 2. slot. Rev: 480

Thanks for your input Zajec, shame it's not simple to get OpenWRT on the device. sad