Unable to access UART in WAP300N

[mrmuzzio]

Hi... I'm attaching the settings in "readble format" in txt. You'll see there are some changes between the "factory settings" and "media connector mode"...

Another interesting thing is that the configuration block at 0x32000 starts with some binary data that looks like a CRC32... But I could not reproduce the values from the data.

[madires]

Some hints: https://openwrt.org/toh/linksys/wap300n

[dc101]

Hi... I'm attaching the settings in "readble format" in txt. You'll see there are some changes between the "factory settings" and "media connector mode"...

Another interesting thing is that the configuration block at 0x32000 starts with some binary data that looks like a CRC32... But I could not reproduce the values from the data.

It's the crc32 value in little endian for the wlan0 config section (0x2000-0x6000)

[mrmuzzio]

I can't get the same results as you... wich file did you take for input at the dd command ?

I mean, address 0x2000 is from the start of the whole flash dump or a subsection ?

Thanks a lot !

[dc101]

I split up the main firmware image into their respective sections according to the SDK, with the exception of the kernel. For that I ended the section based on the size indicated by the uimage header + 64 bytes for the uimage header. And that size to the end of file made up the last section, whatever it actually is.

Code: [Select]

dd if=chipfirmware.bin bs=1 count=196608 of=1_bootloader.bin
dd if=chipfirmware.bin bs=1 skip=196608 count=65536 of=2_config.bin
dd if=chipfirmware.bin bs=1 skip=262144 count=65536 of=3_factory.bin
dd if=chipfirmware.bin bs=1 skip=327680 count=4488481 of=4_kernel.bin
dd if=chipfirmware.bin bs=1 skip=4816161 bs=1 of=5_rootfs.bin

-rw-rw-r--  1 user user  196608 May 23 13:47 1_bootloader.bin
-rw-rw-r--  1 user user   65536 May 23 13:48 2_config.bin
-rw-rw-r--  1 user user   65536 May 23 13:49 3_factory.bin
-rw-rw-r--  1 user user 4488481 May 23 14:45 4_kernel.bin
-rw-rw-r--  1 user user 3572447 May 23 14:27 5_rootfs.bin
Then I extracted the wlan0 config section minus 4 bytes for the crc (0x2004 - 0x6000) from the config data, and that is what i ran crc32 against.

Code: [Select]

dd if=2_config.bin bs=1 skip=8196 count=16380 of=config_blob.bin

[mrmuzzio]

Thanks ! I was missing the free space in my calcs...

[mrmuzzio]

Despite the device seems ok, of the four modes it has, only the AP mode is working.

With the other 3, when I change the mode and hit "save" the AP restarts and I can't go on with the configuration.

Been reading the user guide (https://downloads.linksys.com/downloads/userguide/WAP300N_UG_EN_3425-01640A_Web,0.pdf) and trying different settings but none seems to work...

Luckly the reset button is still functional, so you can return easy to the Factory Settings...

[dc101]

Well my WAP300N showed up today, it has firmware version 1.0.01. I hooked my scope up to pins 3 and 4 of the UART connector, both rise to 3.3V after powering on, but I didn't see any data going across either pin. I starting to lead towards they just compiled out terminal support in later revs of the board, which would be easier than modifying the board layout. This board is a different revision than the image on the openwrt wiki, my board number ends in a 2 as opposed to a 1. So far I've only noticed the power switch is missing in rev 2.

[mrmuzzio]

Hi! great news !!! my board is also missing the power switch, and I saw the same behaviour with the UART lines but my board does not have a revision number....

I'll be looking forward for your findings...

[mrmuzzio]

I was wondering if you tried the other modes of the router, besides AP ... since in my unit is the only one working...

Thanks!

[dc101]

I was wondering if you tried the other modes of the router, besides AP ... since in my unit is the only one working...

Thanks!

I tried access point, and media connector mode last night and both worked fine. I didn't try the other modes.

[mrmuzzio]

I've tried all modes, but the only one working is AP.

When I try the Media Connector mode, I factory-reset, set the mode and save.
Then I can not longer connect to the web interface to do the wireless survery...
It seems some settings are saved wrong .... I'll look into it again.

Thanks!

[darkspr1te]

Despite the device seems ok, of the four modes it has, only the AP mode is working.

With the other 3, when I change the mode and hit "save" the AP restarts and I can't go on with the configuration.

Been reading the user guide (https://downloads.linksys.com/downloads/userguide/WAP300N_UG_EN_3425-01640A_Web,0.pdf) and trying different settings but none seems to work...

Luckly the reset button is still functional, so you can return easy to the Factory Settings...

I see this often with random chinese wall wart repeaters, often you have to make sure you are on manual ip for you and the router via cable, then switch modes (media mode, repeater etc) , you should still be able to ping the unit.
as for uart, yes it could be disabled in uboot, how ever if you have ssh access you should be able to output to the uart if it's seen in /dev/
also hackaday has many router hacking articles from uart attacks to patching initrd and initramfs to patch in features and tools.

https://hackaday.com/2020/10/07/hacking-a-netgear-router/
https://hackaday.com/2011/10/20/ram-upgrade-for-wrt300n-router/

darkspr1te

[dc101]

That's a good point, I believe the IP scheme changes depending on what configuration you're in.

As far as SSH, no such luck. I ran an nmap scan as soon as I hooked up the AP and the only services I discovered was http and upnp. No ftp, telnet or ssh