Giving new life to old routers

I’ve been planning to update my WiFi network for some time. I have three Access Points (APs) to cope with the all-brick interior walls of my house, but one had simply stopped working, and another could no longer be upgraded to cope with the latest security exploits. None were 5GHz capable, which also meant that I was suffering from problems with the number of other nearby 2.4GHz WiFi networks. Ideally I wanted to move to 2.4/5GHz dual-radio APs with 802.11ac and MIMO aerials, which at this point in time is about £60 per device.

Fortunately there are a large number of BT Home Hub v5 home gateways available on UK eBay from about £10 delivered. These are very nice devices that more than meet my requirements, but the firmware is designed to prevent them from being used on any network other than BT’s, and to seriously limit the functionality.

However, it is possible to replace the router firmware with open source software that removes all those restrictions and allows the full potential of the hardware to be realised. The software I used is called OpenWRT/LEDE. However, the process is fairly technically involved, and as it involves soldering wires to the motherboard of the router, definitely not for the faint-hearted. The “bible” for this process is available from this website, but this has steadily grown until it now comprises a 130-page document. It’s extremely complete, but hardly consumable.

So what follows is a complete summary of the process that I followed, that worked perfectly for the three routers I converted.

My environment is a home network running in the address range 192.168.255.0-255, controlled by a router (running LEDE 17.1.04) and hosting a home server (running Ubuntu server 16.04.4 LTS). A machine needs to be connected to the router via a serial connection, and I used an Ubuntu 16.04.4 LTS laptop, with an FTDI adapter.

In broad terms, we need to force the router to boot into a debug mode where it talks to the laptop via the serial link. Then, download (via the serial link) and run a new, more functional version of the bootloader. We then use that to download and execute a basic OpenWRT/LEDE environment over the network, which we can use to back up the original BT router firmware and repartition the flash storage, before finally installing OpenWRT/LEDE into the flash storage.

First I made up a set of flying leads to connect from the FTDI adapter to the Home Hub motherboard. Then I set up a TFTP server on the home server:

sudo apt-get update
sudo apt-get install tftpd-hpa
sudo service tftpd-hpa status
netstat -a | grep tftp

Then I created the directory that will be used by the TFTP server, and configured the server itself:

sudo mkdir -p /srv/tftp
sudo cp /etc/default/tftpd-hpa /etc/default/tftpd-hpa.ORIGINAL
sudo vi /etc/default/tftpd-hpa
TFTP_DIRECTORY="/srv/tftp"
TFTP_OPTIONS="--secure --create"
TFTP_ADDRESS=":69"

Next, I modified the permissions on the TFTP directory, and restarted the service. I set the ownership to my own userid, and allowed the TFTP service access via its group, as I also wanted to be able to easily scp files into and out of that same directory, but I guess I could have simply added my userid to the tftp group instead:

sudo chown -R richard:tftp /srv/tftp
sudo service tftpd-hpa restart

I went to the OpenWRT hardware page for the Home Hub v5, and then downloaded: 

lede-lantiq-xrx200-BTHOMEHUBV5A-installimage.bin and
lede-17.01.4-lantiq-xrx200-BTHOMEHUBV5A-squashfs-sysupgrade.bin

into the /srv/tftp/ folder on the home server. I then downloaded

lede-lantiq-bthomehubv5a_ram-u-boot.asc

to the Ubuntu laptop that I intended to connect to the router.

Now you need to open up the case of the Home Hub. It’s a difficult task, even for someone who has experience of these things. The designer clearly never intended for it to be opened, but there are some tutorials on YouTube that may help. Expect to break some of the clips on the sides of the unit, but don’t worry unduly, as these seem not to be essential. Of the four units I opened, I broke all the side clips on two, and none on the other two. All the units went back together again perfectly, so it’s clearly over-engineered. Go figure.

Once you have opened the case, you need to connect the FTDI cable to the UART on the motherboard. This involves soldering some wires from the FTDI cable to some extremely small solder pads. Even if you’re pretty experienced with a soldering iron, this is not a fun experience: the solder pads are tiny, and it’s very easy to damage the motherboard. This picture shows you what you are aiming to solder wires to. I destroyed the first one I attempted to convert, and I’ve been soldering electronics for decades …


Solder the FTDI Rx line to the Home Hub 5a Tx pad (R77)
Solder the FTDI Tx line to the Home Hub 5a Rx pad (R78)
Solder the FTDI Gnd to the Home Hub 5a Gnd (lower left of the 4 pins that run through the board on the top right)
Finally, you will need to ground the pad connected to BootSel2 (R45), but only momentarily while booting the router (i.e., you don’t have to solder it, just hold it in place for a couple of seconds while turning on the router)

Now connect the serial-to-USB converter to a Linux machine. I couldn’t find a way to make this work with MacOS, because apparently the ascii-xfr utility needed to transfer the bootloader to the router isn’t available on MacOS, even via ‘brew’.

So on the Linux laptop, install picocom and minicom (which includes ascii-xfr):

sudo apt-get update
sudo apt-get install picocom minicom

Start picocom on the Linux laptop using the command:

picocom -b 115200 /dev/ttyUSB0 --send-cmd "ascii-xfr -s -n"

Turn on the Home Hub v5 with boot_sel2 held low (a couple of seconds only) and then wait until “CFG 04” shows up on the picocom serial console. This should take no more than a couple of seconds. If anything else happens, turn the Home Hub off, and try again. Check carefully that you really are connecting the boot_sel2 pad to one of the router’s ground points.

Once you have that “CFG 04” prompt in picocom, press Ctrl+a then Ctrl+s to trigger the send file function, and then input the full path and file name of the ascii bootloader (this is the lede-lantiq-bthomehubv5a_ram-u-boot.asc file that you downloaded to the laptop earlier). You’ll see lots of ‘#’ characters being printed to the picocom terminal while the file is downloaded to the router’s RAM.

After the file transfer is complete the image is booted and a command line prompt shows up. The default Home Hub v5 IP address and TFTP server addresses won’t work with my network (as they are in the wrong subnets), so we can change them, as follows:

set ipaddr 192.168.255.19
set serverip 192.168.255.20

You’ll need to change these to match your own configuration. Now we’re going to download and boot from a much larger image that is stored on the home server, accessed via the TFTP server:

tftpboot 0x81000000 lede-lantiq-xrx200-BTHOMEHUBV5A-installimage.bin; bootm 0x81000000

This will cause the Home Hub router to boot into a very basic OpenWRT/LEDE environment, running in RAM, that is designed just to help install the proper firmware into the router flash storage. Note that it takes a LONG time for the router to bring up its networking stack. Wait until you see some messages about “br-lan” come up on the picocom terminal, and then check the router’s IP address using “ifconfig”. If you get no output from that command, the network is still not up, so wait a bit longer. When the network does eventually come up, the router’s IP address will have changed again, so you will need to reset it to match your home network’s subnet again. Use the command:

ifconfig br-lan 192.168.255.19

You can now save the current BT firmware with nanddump. First, on the home server, run the following:

sudo apt-get install pv
ncat -l 60000 | pv -s 128m > hh5a-mtd4-nanddump

This will listen for the backup to be sent to it over the network, provide a progress indication, and save the backup into the file “hh5a-mtd4-nanddump”.

Then on the Home Hub 5a, take the backup, and send it over the network to the home server:

nanddump /dev/mtd4 | nc 192.168.255.20 60000

This will take approximately 20 minutes, as the router is running very slowly at this point. When this completes, transfer the version of OpenWRT/LEDE that we are going to install into the flash, to the router:

scp richard@192.168.255.20:/srv/tftp/lede-17.01.4-lantiq-xrx200-BTHOMEHUBV5A-squashfs-sysupgrade.bin /tmp/sysupgrade.bin

This will also transfer very slowly, taking around 4-5 minutes to download. I also found that it took a long time waiting for scp to ask for confirmation of the SSH host key fingerprint, and to request my password. Sometimes scp timed out on the home server, waiting for the router. Repeating the command invariably worked the second time.
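The home-server side of the TFTP setup and the backup step above can be tightened a little. This is an added example, not part of the original post or of OpenWRT: it writes a tftpd-hpa config bound only to the LAN address (without --create, since the router only ever downloads from TFTP), checks a downloaded image against the sha256sums file that OpenWRT/LEDE publishes next to its images, and confirms the received nanddump was not truncated. The function names and the 128 MiB size are my own assumptions taken from the post’s pv -s 128m figure.

```shell
#!/bin/sh
# Added example (not from the original post): home-server helpers for the
# TFTP and backup steps. Assumes Ubuntu with tftpd-hpa and coreutils, and
# the addresses used in the post. Function names are my own.
set -eu

TFTP_DIR=${TFTP_DIR:-/srv/tftp}
LAN_IP=${LAN_IP:-192.168.255.20}   # home server address from the post
NAND_BYTES=$((128 * 1024 * 1024))  # the 128m that "pv -s 128m" expects

# Tightened /etc/default/tftpd-hpa: listen only on the LAN address and drop
# --create, because the router only downloads from TFTP (the backup goes
# over nc and the sysupgrade image over scp). Nothing on the network should
# be able to write into /srv/tftp anonymously.
write_tftpd_config() {
    cat <<EOF
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="$TFTP_DIR"
TFTP_ADDRESS="$LAN_IP:69"
TFTP_OPTIONS="--secure"
EOF
}

# Check an image in $TFTP_DIR against a sha256sums file ("<hash> *<name>" or
# "<hash>  <name>" lines). Returns 0 on match, 1 on mismatch, 2 if unlisted.
verify_image() {
    sums=$1 name=$2
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    [ -n "$expected" ] || { echo "verify_image: $name not listed in $sums" >&2; return 2; }
    actual=$(sha256sum "$TFTP_DIR/$name" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "verify_image: $name does not match its published hash" >&2
        return 1
    fi
}

# After "ncat -l 60000 | pv -s 128m > hh5a-mtd4-nanddump": make sure the dump
# was not cut short (nc giving up on the slow router leaves a short file) and
# record its hash so it can be compared with "sha256sum" run on the router.
check_backup() {
    dump=$1 expected=${2:-$NAND_BYTES}
    size=$(wc -c < "$dump")
    if [ "$size" -lt "$expected" ]; then
        echo "check_backup: $dump is $size bytes, expected at least $expected" >&2
        return 1
    fi
    sha256sum "$dump" > "$dump.sha256"
}
```

Run write_tftpd_config once and redirect its output over /etc/default/tftpd-hpa (after keeping the .ORIGINAL copy as above), then restart the service.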

Once that firmware is transferred to the router you need to type:

prepare

on the router, and follow the instructions. Then to finally flash OpenWRT/LEDE to the router flash storage, enter the command:

sysupgrade /tmp/sysupgrade.bin

Once the router has been reflashed it will reboot automatically. If that results in you seeing the “CFG 04” prompt on the picocom terminal again then power cycle the router. It should then reboot into OpenWRT/LEDE. At that point you can turn off the router, disconnect the wires from the motherboard, and close up the case.

All you then need to do is configure the router to suit your needs, using the web interface built into it. Good luck!
