Mercury MW150R: Turning an Epic Fail to an Epic Win

Okay, that was fun. You see, it happened, that I got for nearly free a Mercury MW150R router. Since it was pretty sucky, I didn’t hope to find anything useful in it, nor I thought it could be the target for OpenWRT. Nevertheless, once I had a spare moment I cracked it open and…
Well, AR9331 describes it all. The same chip you’ll find on WR703N, so it WAS a target for OpenWRT after all. Next I hooked up the UART, and saw the very unpleasant picture. It had only 2 MiBs of spi flash, and 8 MiBs of RAM, barely enough to run VxWorks with a crippled web interface. So it was a nice time for an upgrade:


That sucked, so I decided to give it an upgrade. It took a moment to find a suitable RAM chip in the junk (some old laptop RAM did the trick). To make it boot with a new and bigger chip I also had to populate the unpopulated spot with a 22 Ohm resistor.
Once it booted with the 64 Megabyte chip, it was the time To upgrade flash. (VxWorks bootloader detected 8 Megabytes anyway, but I guess that’s due its ‘not that broad-minded’ nature, lol).
Again I got a dive into a junk I had around, and got: a WR703N router (I needed that one for the u-boot dump), the buspirate, an MX25L128 16Megabyte SPI flash chip. The idea was simple:

  • dump u-boot from wr703n
  • burn it to a new flash
  • put that into ‘mercury’
  • PROFIT

To do the dumping I created a few flash adapters for the buspirate. With these and a hot air gun of my smt rework station I could easily pop the SPI flash chips to the programmer and vice versa. There’s a good tool called flashrom, that does all the dirty work. The bad thing is, that buspirate is SLOW AS HELL, so once it came to burning the 16MiB firmware, I had to leave it running for the night.

First, I did a dump of the original firmware from the 2MiB chip. Then I dumped the wr703n chip. And there goes the tricky part.

At the very end of the spi flash, there exists an mtd partition called ‘art’. Art stands for Atheros Radio Test. In short – they calibrate wireless for eash and every board and with the wrong art you wireless will work shitty. With art corrupted or absent – will not work at all, and ath9k error messages will be way too obscure to easily find out what the heck is going on. I dumped ‘art’ from the 2MiB flash, and created the new 16MiB image using dd.

Next, I created another flash adapter, and fitted the new flash into the router using a small mess of wires. After a little bit of tinkering with it, and taking the time to write the patches, to get all the leds, sysupgrade, switch and other stuff working I got myself an awesome router, that was just in time to replace my old asus WL520gU.

Now, where to get all the goodies:

  1. My flash adapters for buspirate and the router – on my github page here
  2. My patches have been submitted to OpenWRT-devel mailing list, I hope they’ll get merged upstream some time soon and appear in trunk
  3. Moar photos of the hack here
  4. Initial, very draft instructions of the upgrade at OpenWRT wiki

Well, that’s it, have fun.

P.S. USB hack is not possible. Only one of the 2 pads is accesible. The other is somewhere below the chip. So, no luck this time.
P.S.
You can see those traces on the photo from the microscope below (that’s from wr703n where it is traced)

As some people linked in the comments – USB hack IS possible. Follow the link to OpenWRT forums to find out how.

19 thoughts on “Mercury MW150R: Turning an Epic Fail to an Epic Win

  1. What “USB hack” do you mean? If you just want to tap on the traces, why not just carefully scratch off some stop lacquer and solder directly onto the trace before it hides under the chip?

  2. Hey man good hack, very impressive. Linked from hackaday.com. I’m not familiar with the USB hack that you are talking of or modding routers so I might be in left field here. But since you could see the traces for both the USB data lines couldn’t you just do some trace scraping to get your usb connection in there, if it’s something you are really after.

  3. @rigid: No, I couldn’t. The last pic is from WR703N, where usb is avaliable, unlike MW150R. I needed to find the pins, since no AR9331 pinout was avaliable.
    I was lazy to take a close up of MW150R in this part, there are just empty pads, no traces there.

  4. (plz delete my previous message, it’s wrong 😛 )
    I forgot to say, ART partition is only readable on openwrt, but in dd-wrt is both readable and writable.
    So you can dump /dev/mtd4 in openwrt, then flash dd-wrt, download the art data into /tmp and flash the new ART data by doing “mtd -f write /tmp/art_file board_config”
    Then flash openwrt and you’re done

  5. @dabyd64: yeah, I know about sandwich mode, but I prefer a dedicated programmer. Easier, less wireporn.
    ‘art’ can be easily made writeable by altering the partition table in arch/mips/* of the kernel tree, so no need to flash any dd-wrt whatsoever. I’ve done that a few homebrew devices to write the initial art there.

  6. >> The bad thing is, that buspirate is SLOW AS HELL <<
    Hi, did you ever tried openocd to flash via jtag? openocd still needs a patch for "openocd-0.6.1/src/jtag/drivers/buspirate.c" to get into fast mode:
    static void buspirate_jtag_set_speed(int fd, char speed):
    {
    ….
    usleep(100);//add this line of sleep
    buspirate_serial_setspeed(fd, speed);

    usleep(100);//add this line of sleep
    }

    On an Arm-Cpu openocd transfers now 7,6 kb/s instead of 0,6 kb/s.

    1. @b.there: No, I’m ditching the bus pirate right away. It sucks totally. Even an atmega8-based uISP I designed working via vusb flashes spi flash way faster. And in this hack I didn’t use OpenOCD, since there is no accessible JTAG.
      Instead, I’m now using an AT91SAM9260 board I have around, with OpenOCD on raw GPIO. This is really fast, even faster than Realview-ICE I use at work.

  7. Nice, might try this on an old junker or 3 (was given a pile of dead routers, thats like a red rag to a bull heh heh) and having a DD-WRT b0xen with USB would be handy indeed.

    Interestingly some of the older routers did actually have the header for JTAG complete with header pins but the newer ones do not.
    Sometimes they hide them under an inline filter which is fitted by hand, more often under another chip.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.