TP Link WA801ND v3 OpenWRT Install guide

WA801ND v3 Hardware overview

Some weeks ago I successfully ported OpenWRT to the TP-Link TL-WA801ND v3. That access point features 2×2 MIMO, detachable antennas, 32 MBytes of RAM and 4 MBytes of flash.
Like most new TP-Link devices, it is based on a Qualcomm Atheros system on chip (QCA9533-BL3A), which integrates the MIPS core, Ethernet switch and Wi-Fi hardware.

Accessing the WA801ND serial port

Out of the box, even though the serial header is present and has the typical TP-Link pinout, it won’t work, because some resistors are missing from the board, namely R105 and R107.

TL-WA801ND v3: solder bridge on R105, required to receive data from the serial port
TL-WA801ND v3: solder bridge on R107, required to allow sending to the serial port

The serial port settings are, as usual, 115200 baud. To enter the U-Boot prompt, you have to quickly type “tpl” when it says that it is waiting 1 second.

Installing from the web interface

OpenWRT trunk builds can be installed from the web interface of the original TP-Link firmware.
To do that, download the OpenWRT trunk build for the device: under the ar71xx directory in trunk there should be a file named openwrt-ar71xx-generic-tl-wa801nd-v3-squashfs-factory.bin. Download it, rename it to a.bin (tested working, but maybe anything works), and use it to upgrade the access point from the web interface.
Once you have uploaded the file, wait for the device to reboot. Currently, no LEDs will be lit after it reboots.
That’s because by default no LED is assigned to anything; maybe I should write a patch to fix that in the future.
To configure it, connect with ssh to 192.168.1.1 (DHCP should be enabled by default too) or, if you have built an image with LuCI, just navigate to http://192.168.1.1 .

 

Convert your cheap “unmanaged” switch to a VLAN capable layer 2 managed switch for just $2

The title of this post may look crazy at first, but it’s not: it is entirely possible to convert your cheap 100M 8-port switch, or something like it, into a managed switch.

That’s possible simply because, if you open up one of these and look at the datasheet, you will find that they use the same switch chips frequently used inside routers (which can be reprogrammed as you like with OpenWRT).

The switch I used this time is a “digicom 10/100” switch. Digicom is probably an Italian rebrand of some other product, but anyway, let’s get straight to the point: below you can see the PCB of that switch.

 

The switch chip is an IP178CH and, since luck is on our side today, its datasheet can easily be found at http://www.icplus.com.tw/Data/Datasheet/IP178Cx-DS-R13-20080925.pdf .

Serial management interface timing diagram and command format

Now, a quick look at the datasheet easily turns up some things that are important for this modification:

  • The switch chip can be programmed by pulling its pins up or down, but only basic features are programmable that way
  • The switch chip can be programmed from the EEPROM (which is not present on this switch board, but there are unpopulated pads for it); for the switch to take the EEPROM into account, the first two bytes must be 0x55AA
  • The switch chip can be programmed on the fly, using a synchronous serial interface at pins MDC & MDIO.
    This one is the most useful for creating a managed switch

The serial interface is similar to I2C but much simpler: it does not support multiple devices on the same bus and devices don’t have an address.
The MDC clock has to be generated by the CPU side (in this case an Arduino), so you can run it at whatever speed you want, provided you don’t exceed the maximum ratings.

Now that you know how to communicate with the switch, it’s just a matter of programming an Arduino.
If you just want to test and are going to power the Arduino over USB, you will need to modify a USB cable to give the Arduino 3.3 V instead of 5 V.
You could also use a level shifter for that, but I prefer powering the entire Arduino at 3.3 V because it’s simpler and cheaper.
To power an Arduino with 3.3 V, you can simply take a USB cable, cut the red and black wires and insert a regulator between the PC side and the Arduino side.

Arduino usb cable modification

After doing that modification, just adjust the regulator to give 3.3 V and you are ready to go.
On this switch, since again we are lucky today, the IC pins of the serial management interface were already routed to an unpopulated header, onto which I soldered a 3-pin strip header.

The pinout is the following:
1 :   GND
2 :   MDIO
3 :   MDC

MDIO must be pulled high using a 2.2k resistor or some similar value. Again, if you are using a level shifter instead of the 3.3 V cable mod, be sure to connect the pull-up resistor to 3.3 V and not 5 V.
To protect the I/O lines, also add two 100 ohm resistors (200 ohm at most) between MDIO, MDC and the Arduino pins (2, 3).

After that, the hardware part is done. If you want to make it permanent, just buy an Arduino Pro Mini (NOT a Nano) and a USB-serial adapter; the two should be around $2 total, $3 at most.
You can also easily find the 3.3 V power rail on the board and power the Pro Mini from there. DO NOT power the Arduino Pro Mini from USB or use an Arduino Nano, or you will fry everything.
When connecting the USB-serial adapter to it, connect only the GND, RX and TX wires, plus DTR if you want to be able to program it over USB.

Now let’s take a look at a basic program that gives you a managed switch which can save its configuration to the Arduino EEPROM and restore it at boot.

 

outBit and inBit generate a clock cycle on MDC while writing an output value to MDIO or reading a value from it.

readReg reads an entire register by submitting a read command, the PHY address and the register address.

writeReg writes an entire register by submitting a write command together with the PHY address, the register address and the 16-bit value to write.

The switch itself works in a fairly simple way: you assign which ports belong to a VLAN (independently of whether the packets will be tagged or not), then you configure how to treat untagged packets and what to do when a packet from a VID port group goes out of a port.

For example, if you want to use port 1 as a trunk port (multiple VLAN-tagged networks on the same physical port) and you want to tag untagged traffic from ports 2, 3, 4 with VLAN IDs 2, 3, 4, you have to:

  • Assign ports 1,2 to VID 2
  • Assign ports 1,3 to VID 3
  • Assign ports 1,4 to VID 4
  • Set ports 2,3,4 to remove VLAN tags from outgoing packets
  • Set port 1 to add VLAN tag to outgoing packets
  • Set default VID for untagged traffic of port 2 to 2
  • Set default VID for untagged traffic of port 3 to 3
  • Set default VID for untagged traffic of port 4 to 4

With that configuration you will be able, for example, to carry 3 different networks over a single Ethernet cable, which may be useful when you have a radio tower with multiple devices on it and only a single cable going to the ground equipment.
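A small model of the trunk configuration listed above, useful for checking that the three networks stay separated before writing anything to the switch. This is an added example, not code from the original post: the port numbers and VIDs are the post's, while the data layout, the function names and the assumption that a tagged frame is dropped when its ingress port is not a member of that VID are mine, not the IP178CH register map.

```python
# Added example: the trunk setup from the list above as plain data.
# Layout and names are assumptions, not the IP178CH register map.
MEMBERS = {2: {1, 2}, 3: {1, 3}, 4: {1, 4}}   # VID -> member ports
PVID = {2: 2, 3: 3, 4: 4}                     # default VID for untagged ingress
EGRESS_TAGGED = {1: True, 2: False, 3: False, 4: False}


def forward(in_port, tag=None, members=MEMBERS, pvid=PVID):
    """Return {out_port: VID on the wire, or None if untagged} for a broadcast."""
    vid = tag if tag is not None else pvid.get(in_port)
    ports = members.get(vid, set())
    if in_port not in ports:      # unknown VID, or ingress port not a member
        return {}
    return {p: (vid if EGRESS_TAGGED[p] else None)
            for p in sorted(ports - {in_port})}


def leaks(members=MEMBERS, pvid=PVID):
    """List (src, dst, tag) where one access port can reach another one."""
    access = [p for p, tagged in EGRESS_TAGGED.items() if not tagged]
    found = []
    for src in access:
        # a host on an access port may send untagged frames or any known tag
        for tag in [None, *members]:
            for dst in forward(src, tag, members, pvid):
                if dst in access:
                    found.append((src, dst, tag))
    return found


if __name__ == "__main__":
    print("port 2 untagged ->", forward(2))
    print("trunk, tag 3    ->", forward(1, tag=3))
    print("leaks           ->", leaks())
```

Passing a modified `members` table to `leaks()` shows which access ports a membership mistake would join together.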

That’s just the beginning: similar mods can in most cases be done on all switches, probably with more features on newer (gigabit) switches.

You could also use a Raspberry Pi instead of an Arduino to manage the switch, so that you can work on it over Ethernet with some nice web interface.

 

Installing OpenWRT on SITECOM WL-326

The SITECOM WL-326 is an Ethernet + 3G router featuring 300 Mbps wireless and a USB port for connecting a 3G modem.

This device is not officially supported by OpenWRT and is not very common, so there’s basically zero info on it at the moment.

The first thing is to find out which SoC it uses. Since it is covered by a heat spreader, the best idea that does not involve the risk of destroying the board is connecting a USB-TTL adapter to the serial port, which is visible in the photos.

Luckily, contrary to most cases, the PCB already has the RX, TX and GND pins marked on it, so it’s just a matter of soldering a female or male strip header and connecting it to the adapter.

Serial port settings are 57600 8N1. When power is connected to the device, it’s immediately visible that it is a rebrand of another device, the ESR-6670 ( http://wiki.openwrt.org/toh/engenius/esr6670 ).
Still no luck, it’s not supported either, but at least now we know which SoC it uses, which is the Ralink 3052.

Now the tricky part: the bootloader shows only one option, contrary to most supported routers.

So the only option is to just try it. Worst case, if it goes wrong, we’ll have to reverse engineer the (likely) JTAG connector visible in the photo.

This command will ask you for some parameters. The first one is the router IP: just hit enter (leaving it as it is).
The second one is the TFTP server IP; a default one will be shown.

Now connect an Ethernet cable between a LAN port and your machine and ifconfig it to the router IP address:

ifconfig eth0 up 192.168.99.8

or something like that.

Now you can hit enter, and it will then ask for the Linux kernel filename, which is WRONG: that’s not the Linux kernel filename but the uImage filename.

Now the hard choice: finding a similar enough device to flash this one with, and crossing fingers that it does not blow up. I’ve chosen the wr512 because it too has a USB port and an Ethernet port, so it’s worth trying.

So download http://downloads.openwrt.org/chaos_calmer/15.05-rc2/ramips/rt305x/openwrt-15.05-rc2-ramips-rt305x-wr512-3ng-4M-initramfs-uImage.bin and rename it to something sane, like /home/dev/rd.bin

Now start a TFTP server. The quickest way, without spending 15 mins configuring xinetd or crap like that, is

dnsmasq --enable-tftp --tftp-root=/home/dev -d

If it fails because the port is already in use, append -p 3244

If it started successfully, enter the chosen filename (rd.bin or whatever it is) on the serial console and hit enter. It should now flash it and reboot, but you are not done yet, because this is an image designed to work only in RAM, so any config change will NOT be saved.

But since you should now have an OpenWRT console and the LAN ports configured to 192.168.1.1, ifconfig your machine’s interface to 192.168.1.2.

Download http://downloads.openwrt.org/chaos_calmer/15.05-rc2/ramips/rt305x/openwrt-15.05-rc2-ramips-rt305x-wr512-3ng-4M-squashfs-sysupgrade.bin

Notice that the downloaded file now has “sysupgrade” in its name and not initramfs-uImage.

Now from the serial console do

scp youruser@192.168.1.2:/home/youruser/openwrt-15.05-rc2-ramips-rt305x-wr512-3ng-4M-squashfs-sysupgrade.bin /tmp/

Once done (and completed successfully, of course), do

sysupgrade -v /tmp/openwrt-15.05-rc2-ramips-rt305x-wr512-3ng-4M-squashfs-sysupgrade.bin

It will take a minute or two and then reboot automatically. After the reboot you will have the router at 192.168.1.1 again.

Now log in to the LuCI interface and go to Network->Switch. You should see two VLANs configured: vlan1, which is the LAN, configured with the first port untagged, and vlan2, which is the WAN, configured with some other port untagged.

Now change the first port (left to right) on vlan1 to off, set the first port on vlan2 (the same port as in vlan1) to untagged, and click save & apply.
That’s because the router whose firmware we flashed has its switch connected differently.

That’s it, now you are done. You can configure wireless and other stuff; just forget about 3G unless you replace the flash memory, because it is likely that there’s not enough space on flash (unless you build a version without LuCI and with 3G, and then configure it from the CLI).

Update: It’s possible to install the 3G packages and still have 52 kbytes free; not tested because I don’t have a USB 3G modem handy.

A very simple internet of things system to control lights and other stuff

These days I’ve worked on how to create a system that lets me turn lights or appliances at home on and off with minimal cost and complexity, and here it is: https://github.com/tizbac/IoTManager

Each node (an ESP-01 ESP8266) running the NodeMCU firmware and the init.lua script from the esp8266 folder of my repository has two outputs and can control two appliances.
A node has commands to retrieve its name, unique identifier and current state, and to set the state; all of that happens via UDP packets.

At first I tried to use UDP broadcast packets, especially for discovery purposes, but it seems that the module has some bug that makes the reception of broadcasts very unreliable. So in the end I resorted to sending a status query command to each IP address in the specified subnet; for 192.168.1.0/24, that would be 192.168.1.1 to 192.168.1.254.

The server, which runs on an ARM board like a Raspberry Pi or a BeagleBone, takes care of authenticating the clients from the internet (the ESP8266 modules have no authentication; they rely on the safety of the network, so avoid passwords like “password” or “0123456789”).

When first started, the server creates a self-signed certificate to use with HTTPS and a random password. Then, when the user connects to the web server from a local IP address, a QR code is displayed to configure the Android application.

The QR code contains the public IP address, the port, the password and the SHA-1 fingerprint of the certificate, so that even though it is self-signed, it can be verified by the application to prevent man-in-the-middle attacks.
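The fingerprint check described above, sketched as a client-side pin in Python. This is an added example, not code from the IoTManager repository or its Android app: the function names and the constructed sample bytes are assumptions, and only the use of a SHA-1 fingerprint of a self-signed certificate comes from the post.

```python
import hashlib
import hmac
import socket
import ssl


def normalize(fp):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return lowercase hex."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def matches_pin(der_cert, pinned_fp, algo="sha1"):
    """Compare the digest of the DER certificate with the pinned fingerprint."""
    pinned = normalize(pinned_fp)
    digest = hashlib.new(algo, der_cert)
    if len(pinned) != digest.digest_size * 2:   # truncated or wrong-length pin
        return False
    return hmac.compare_digest(digest.hexdigest(), pinned)


def connect_pinned(host, port, pinned_fp, timeout=5.0):
    """Open TLS to the self-signed server; keep it only if the pin matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # a self-signed cert has no CA chain,
    ctx.verify_mode = ssl.CERT_NONE   # so the pin below is the only check
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not matches_pin(der, pinned_fp):
        tls.close()
        raise ssl.SSLError("certificate fingerprint does not match the pin")
    return tls    # send the password only over a socket returned from here


# Constructed stand-in bytes, not a real certificate: enough to run the check.
SAMPLE_DER = b"constructed-sample-der-bytes"
SAMPLE_PIN = ":".join(f"{b:02X}" for b in hashlib.sha1(SAMPLE_DER).digest())
```

The important ordering is that the password from the QR code is never written to the socket until `connect_pinned` has returned.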

The server also takes care of enforcing state on the nodes, especially when a packet is lost or when a node loses power for some reason: at each discovery the state is compared and, if it is not equal, it is resent until the node status matches.

That’s it: with barely 200 lines of Python and a trivial Android app you can safely control your house from wherever you want.

How to do transparent bridging / repeater on OpenWRT with an Atheros card

What you need

  • An access point running OpenWRT and supporting 4-address mode (WDS)
  • Another access point running OpenWRT and supporting both multi-SSID and 4-address mode (or only 4-address mode if you want a wifi->ethernet bridge)

Setting up the main access point

First of all, you need to set up the main access point. To do that, once OpenWRT is up and running, log in to the web interface and go to the “Wifi” section.
Then, on the Wifi page, remove any existing SSID if needed and add a new one.
Once you are done here, click save and apply to create the new access point.

Setting up the repeater

As with the main access point, log in and go to the Wifi section, remove any existing SSIDs / clients and then click “Scan”.
Once you get the scan results (it can take up to 45 secs), select the network you are interested in and click “Join network”.
Once done, click submit.
When you are done changing the mode to client (WDS) and, if needed, setting up security, click “Save”, not save and apply, not yet.
Now you have to create an access point SSID. To do that, repeat the steps from the main access point, but when selecting the network, instead of choosing lan, choose repeater or whatever you entered when creating the WDS client interface, then click Save and Apply and enjoy your OpenWRT-based repeater.