[Battlemesh] [FCC] What hardware still works?

Ben West ben at gowasabi.net
Tue Feb 23 19:06:40 CET 2016

Apologies for jumping straight into tech jargon.

A serial console is a simple communications port available to the SoC (aka
System-on-a-Chip, the embedded processor) that forms the core of these wifi
routers.  Typically, gaining access to this port is done by opening the
case, soldering on a pin header, and then using a USB/serial dongle to open
a console on that port.  I do so using minicom on my laptop, for example.
The serial console can be useful to manually trigger alternate boot modes,
or just to see verbose logging and errors from the kernel and OS.  The
serial console is very low speed (~100kbits/s), so it's only useful for
typing shell commands interactively, or getting debug logging.

TFTP is "Trivial FTP," and it's a streamlined version of FTP that wifi
routers commonly use to receive their firmware images via one of their
Ethernet ports.  On some devices, you may need to type commands into the
serial console to trigger its TFTP upload mode, i.e. to put it into a state
where it will receive the firmware image being sent to it and flash it.  I
think with most TP-Link products, you can actually trigger the TFTP mode
just on the WAN port using an expect script, i.e. no need for serial.

JTAG, aka Joint Test Action Group, is by far the least user-friendly
option.  That is a very low-level interface used more by the embedded
designers themselves (or by determined modders needing to rescue a bricked
device).  As Benjamin H mentioned, using this interface would require that
the software used to talk JTAG (e.g. the application running on your
laptop) support the flash chip to be written.  JTAG would be what you use
if the more accessible options above, namely TFTP, are not available.

The last option that Benjamin H described involved using a device that
clamps down onto the flash chip soldered to the router's board and rewrites
it directly.  Again, this would be a rather time-consuming option; TFTP is
definitely preferred.

On Tue, Feb 23, 2016 at 11:42 AM, Adam Longwill <adam.longwill at metamesh.org>

> On Feb 23, 2016 12:42 PM, "Adam Longwill" <adam.longwill at gmail.com> wrote:
>> I do not have a good understanding of the difference between jtag/serial/
>> and tftp. Can someone briefly explain the difference for people like
>> myself? Can JTAG flashing replace a locked firmware? I thought the chips
>> themselves could be built to only cryptographically accept approved
>> firmware? Or is that only with "higher level" flashing methods.
>> Anyone have an Explain it Like I'm 5 version out there to help explain?
>> Thank you all.
>> On Feb 23, 2016 12:04 PM, "Ben West" <ben at gowasabi.net> wrote:
>>> Is JTAG intervention now required?  I had thought I'd read that serial
>>> console access and/or TFTP recovery mode was sufficient, at least on
>>> TP-Link products being discussed.  Since we're talking about products
>>> costing only 50-100USD, I would gather that the amount of effort
>>> manufacturers are willing to invest in locking the firmware is finite,
>>> meaning by extension the effort required to work-around such locks should
>>> also be finite.
>>> That is, all radio products with firmware presently for sale can have
>>> their firmware modified, given sufficient effort.  The fact that
>>> sufficiently determined persons can override countermeasures and mod the
>>> firmware doesn't appear to endanger their FCC certification.
>>> Anyway, similar to the hardware compatibility pages on openwrt.org's
>>> wiki, would it make sense to also record in wiki the list of working
>>> hardware, along with known work-arounds?
>>> What would be a good venue for such wiki pages?  Any of these?
>>> https://wiki.openwrt.org/
>>> http://battlemesh.org/
>>> https://wirelesspt.net/wiki/P%C3%A1gina_principal
>>> https://libreplanet.org/wiki/Main_Page
>>> On Tue, Feb 23, 2016 at 10:23 AM, Philipp Borgers <borgers at mi.fu-berlin.de> wrote:
>>>> On Tue, Feb 23, 2016 at 05:08:52PM +0100, Benjamin Henrion wrote:
>>>> > On Tue, Feb 23, 2016 at 4:26 PM, Adam Longwill
>>>> > <adam.longwill at metamesh.org> wrote:
>>>> > > We have contracts to fulfill. Can we start a discussion here about what
>>>> > > hardware still works? What about Ligowave who came to Battlemesh v8? They
>>>> > > said they gave out unlock codes. Do any of you use them? What hardware are
>>>> > > you STILL buying that STILL works?
>>>> > >
>>>> > > Also, is it possible to use the JTAG interface to reflash a router and erase
>>>> > > locked down firmware or is it the same as ethernet flashing- I've never done
>>>> > > it.
>>>> >
>>>> > Yes, depends on the SoC, and if the JTAG pins are properly exposed.
>>>> >
>>>> > After that, the JTAG software needs to support your flash chip.
>>>> >
>>>> > Otherwise, since nowadays most flash chips are SPI ones in SOIC8
>>>> > format, it is easier to just use a buspirate with a 4x2 clamp hooked
>>>> > on the chip, and you will be able to reflash it:
>>>> >
>>>> > http://www.dhresource.com/0x0s/f2-albu-g1-M00-CA-EB-rBVaGFQ_GG6AHCR0AAEtkRTBPOQ099.jpg/updated-ic-clamp-soic8-sop8-ic-clip-1-adapter.jpg
>>>> Can someone give a workshop about the tools for flash reading and the process
>>>> involved?
>>>> Maybe we can collect some money in advance so everybody can have the right tools
>>>> at hand?
>>>> Best Philipp
>>>> _______________________________________________
>>>> Battlemesh mailing list
>>>> Battlemesh at ml.ninux.org
>>>> http://ml.ninux.org/mailman/listinfo/battlemesh
>>> --
>>> Ben West
>>> http://gowasabi.net
>>> ben at gowasabi.net
>>> 314-246-9434

Ben West
ben at gowasabi.net
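The TFTP recovery exchange Ben describes above, as an added example that is not part of this thread: a minimal Python server that answers a router's read request and streams a firmware image in numbered 512-byte DATA blocks, retransmitting until each block is acknowledged. The filename `recovery.bin`, the listening address and the constructed sample image are assumptions; a real device expects a vendor-specific filename and server IP, which the page does not give.

```python
import socket
import struct

BLOCK_SIZE = 512  # default TFTP data block size (RFC 1350)
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
SAMPLE_IMAGE = bytes(range(256)) * 4  # constructed 1024-byte stand-in for a firmware file

def parse_rrq(packet):
    """Parse a read request: opcode 1, filename, NUL, transfer mode, NUL."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        raise ValueError("not a TFTP read request")
    fields = packet[2:].split(b"\0")
    if len(fields) < 3:
        raise ValueError("malformed RRQ")
    return fields[0].decode("ascii"), fields[1].decode("ascii").lower()

def firmware_blocks(image):
    """DATA packets (opcode 3, block number, payload); a block shorter than 512 ends the transfer."""
    blocks = []
    for offset in range(0, len(image), BLOCK_SIZE):
        num = (len(blocks) + 1) & 0xFFFF  # block numbers wrap at 16 bits
        blocks.append(struct.pack("!HH", OP_DATA, num) + image[offset:offset + BLOCK_SIZE])
    if len(image) % BLOCK_SIZE == 0:  # exact multiple of 512: an empty final block is required
        blocks.append(struct.pack("!HH", OP_DATA, (len(blocks) + 1) & 0xFFFF))
    return blocks

def serve_recovery(image, expected_name, listen_sock, timeout=2.0, retries=5):
    """Answer one RRQ on listen_sock, stream the image from a new port, return bytes sent."""
    packet, peer = listen_sock.recvfrom(1024)
    name, mode = parse_rrq(packet)
    if name != expected_name or mode != "octet":
        listen_sock.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", peer)
        return 0
    data_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # fresh transfer ID
    data_sock.settimeout(timeout)
    for blk in firmware_blocks(image):
        want = struct.unpack("!H", blk[2:4])[0]
        for _ in range(retries):  # resend until the router ACKs this block number
            data_sock.sendto(blk, peer)
            try:
                ack, _ = data_sock.recvfrom(516)
            except socket.timeout:
                continue
            if len(ack) >= 4 and struct.unpack("!HH", ack[:4]) == (OP_ACK, want):
                break
        else:
            raise TimeoutError("router stopped acknowledging at block %d" % want)
    return len(image)
```

To use it, bind a UDP socket to the server address the bootloader expects on port 69 and call `serve_recovery(image_bytes, "recovery.bin", that_socket)` with the router connected to the Ethernet port it uses for recovery.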