Okay, that was fun. You see, it so happened that I got a Mercury MW150R router for nearly free. Since it was pretty sucky, I didn’t hope to find anything useful in it, nor did I think it could be a target for OpenWRT. Nevertheless, once I had a spare moment I cracked it open and…
Well, AR9331 describes it all. The same chip you’ll find on the WR703N, so it WAS a target for OpenWRT after all. Next I hooked up the UART, and saw a very unpleasant picture. It had only 2 MiB of SPI flash and 8 MiB of RAM, barely enough to run VxWorks with a crippled web interface. So it was a nice time for an upgrade.
That sucked, so I decided to give it an upgrade. It took a moment to find a suitable RAM chip in the junk (some old laptop RAM did the trick). To make it boot with a new and bigger chip I also had to populate the unpopulated spot with a 22 Ohm resistor.
Once it booted with the 64 Megabyte chip, it was time to upgrade the flash. (The VxWorks bootloader detected 8 Megabytes anyway, but I guess that’s due to its ‘not that broad-minded’ nature, lol).
Again I took a dive into the junk I had around, and got: a WR703N router (I needed that one for the u-boot dump), the buspirate, and an MX25L128 16 Megabyte SPI flash chip. The idea was simple:
- dump u-boot from wr703n
- burn it to a new flash
- put that into ‘mercury’
To do the dumping I created a few flash adapters for the buspirate. With these and the hot air gun of my SMT rework station I could easily move the SPI flash chips to the programmer and back. There’s a good tool called flashrom that does all the dirty work. The bad thing is that the buspirate is SLOW AS HELL, so once it came to burning the 16MiB firmware, I had to leave it running for the night.
First, I did a dump of the original firmware from the 2MiB chip. Then I dumped the WR703N chip. And here comes the tricky part.
At the very end of the SPI flash, there is an mtd partition called ‘art’. Art stands for Atheros Radio Test. In short – they calibrate wireless for each and every board, and with the wrong art your wireless will work shitty. With art corrupted or absent, it will not work at all, and the ath9k error messages will be way too obscure to easily find out what the heck is going on. I dumped ‘art’ from the 2MiB flash, and created the new 16MiB image using dd.
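The image assembly described above, as an added example (not the author's actual commands). It assumes u-boot is the first 128 KiB of the WR703N dump and ‘art’ is the last 64 KiB of each chip, neither of which the post states; file names are hypothetical and the demo runs on random stand-in data.

```shell
#!/bin/sh
# Added example, not the author's commands. Assumed layout (not in the post):
# u-boot = first 128 KiB of the WR703N dump, 'art' = last 64 KiB of each chip.
# Check both against the partition table in your own boot log.
BLK=65536        # 64 KiB, one erase block
UBOOT_BLKS=2     # assumed u-boot size: 128 KiB
NEW_BLKS=256     # 16 MiB target chip (MX25L128)

# art_sum FILE: checksum of the last 64 KiB (the assumed 'art' region)
art_sum() { tail -c "$BLK" "$1" | cksum; }

# build_image DONOR_DUMP ORIGINAL_DUMP OUTPUT
build_image() {
    donor=$1 orig=$2 out=$3
    orig_size=$(($(wc -c < "$orig")))
    # refuse dumps that are too short or not block aligned (truncated read)
    [ "$orig_size" -ge "$BLK" ] && [ $((orig_size % BLK)) -eq 0 ] || return 1
    [ $(($(wc -c < "$donor"))) -ge $((UBOOT_BLKS * BLK)) ] || return 1
    # erased NOR flash reads 0xFF, so pad with 0xFF rather than zeros
    dd if=/dev/zero bs=$BLK count=$NEW_BLKS 2>/dev/null |
        LC_ALL=C tr '\000' '\377' > "$out"
    # u-boot from the donor dump at offset 0
    dd if="$donor" of="$out" bs=$BLK count=$UBOOT_BLKS conv=notrunc 2>/dev/null
    # this board's own 'art' into the last block of the new image
    dd if="$orig" of="$out" bs=$BLK count=1 conv=notrunc \
        skip=$((orig_size / BLK - 1)) seek=$((NEW_BLKS - 1)) 2>/dev/null
    # verify before writing: total size and calibration data must match
    [ $(($(wc -c < "$out"))) -eq $((NEW_BLKS * BLK)) ] &&
        [ "$(art_sum "$out")" = "$(art_sum "$orig")" ]
}

# Demo on constructed stand-in dumps (random bytes, not real firmware)
demo() {
    d=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$d/wr703n.bin" bs=$BLK count=64 2>/dev/null
    dd if=/dev/urandom of="$d/mw150r.bin" bs=$BLK count=32 2>/dev/null
    build_image "$d/wr703n.bin" "$d/mw150r.bin" "$d/new16m.bin"; rc=$?
    rm -rf "$d"; return $rc
}
demo && echo "image OK"
```

Comparing the ‘art’ checksum before the write catches a wrong offset without costing a night of buspirate time.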
Next, I created another flash adapter, and fitted the new flash into the router using a small mess of wires. After a little bit of tinkering with it, and taking the time to write the patches to get all the LEDs, sysupgrade, switch and other stuff working, I got myself an awesome router that was just in time to replace my old ASUS WL520gU.
Now, where to get all the goodies:
- My flash adapters for buspirate and the router – on my GitHub page here
- My patches have been submitted to OpenWRT-devel mailing list, I hope they’ll get merged upstream some time soon and appear in trunk
- Moar photos of the hack here
- Initial, very draft instructions of the upgrade at OpenWRT wiki
Well, that’s it, have fun.
P.S. USB hack is not possible. Only one of the 2 pads is accessible. The other is somewhere below the chip. So, no luck this time.
You can see those traces on the photo from the microscope below (that’s from wr703n where it is traced)