Airlink101 AR725W Stuff

Note: This is a lot of stuff to edit, so there may be errors here.

The Airlink101 AR725W is a 2008-vintage, dual-band (not simultaneous) 802.11n router that sold for very cheap around 2010. I bought one for $30, and was sufficiently satisfied that I bought two others for my family. I could live with the firmware's incredible clunkiness since the 5.8GHz N mode worked really well in crowded areas.

I used mine until 2012, when WPS vulnerabilities became public and easy to exploit with tools like reaver. Despite an option to supposedly turn WPS off, the firmware was fully exploitable and reaver got my WPA2 key using the highly secure WPS PIN of 12345670 (not that a better one would have helped).

Airlink101 is completely uninterested in supporting this device at this point and won't release sources or even an image of the factory flash. The WPS vulnerability remains completely unpatched as a result. Building an alternative firmware is the only option at this point to keep these running for my family.

The Asante SmartHub 600, or AWRT-600N, is based on what looks to be identical hardware. Both are based on a Gemtek WRTR-241N board.

Current Status

My patches for OpenWRT were accepted in April 2014 (r40549, r40550, r40551), and the AR725W is now fully supported in the development version (trunk). I will be moving this information to the OpenWRT wiki soon.

Alternatively, my fork of the stable release, Attitude Adjustment, is still available at its Github page. It also supports a few other RT2880-based routers from Linksys that, given their mere 16MB of RAM, are not doing well with trunk.

Technical Info

Specs as I understand them (further details here):

Firmware Details

The bootloader expects a uImage at 0xBC450000 containing the Linux kernel and root filesystem. There are 3866624 bytes of space in the flash for the OS image.

The factory firmware has a mysterious partition, "LANGUAGE_PACK," that I haven't seen used yet on mine. Similarly, the NVRAM_FACTORY partition doesn't seem to be used for anything, either. The NVRAM partition appears to be partly overwritten with every reboot, including some useful settings. I couldn't disable WPS or change the country code from TW due to this.

Flashing without Serial Access

Both the factory web interface and the TFTP server in the firmware (not the bootloader--see below) expect a 32-byte header in the firmware file. This is not a standard TRX, as many other routers use, and doesn't match up with any other Airlink101 RT288x routers that had GPL sources available. Airlink101 never provided an image of the factory firmware themselves, having never updated it, but Asante did release the original flash for their nearly identical AWRT-600N. I finally was able to find a description of the header in the hard-to-find GPL source archive of the Linksys WRT110, a somewhat similar router.

Although the program that actually puts the WRT110 image together does not come with source, there was a header file with a description in user/conf/LINKSYS_WRTR124GN/gmtk_imghdr.h:

/* Gemtek */
typedef struct {
        unsigned char   magic[4];       /* ASCII: GMTK */
        unsigned char   version[4];     /* x.x.x.x */
        unsigned int    pid;            /* Product ID */
        unsigned int    imagesz;        /* The length of this image file ( kernel +
                                         * romfs + this header) */
        unsigned int    checksum;       /* CRC32 */
        unsigned int    fastcksum;      /* Partial CRC32 on (First(256),
                                         * medium(256), last(512)) */
        unsigned char   build[4];
        unsigned char   language[4];
} gt_imghdr_t;

Poking around the tftpd binary in the original firmware and the Asante firmware, plus the Asante image's header, I deduced that the AR725W expects "GMTK", "1003" for magic and version (in ASCII), 0x03000001 (little-endian) for pid, and "01", "EN" for build and language, respectively. The Asante is the same except that it expects "A600" and "1005" for magic and version. "fastcksum" is zero and doesn't seem to matter. The checksum itself is a little-endian CRC32 of the whole image including this header, computed with the checksum field zeroed. With this I managed to put together an image the factory web interface accepts, after a few weeks of fruitless effort.

A caveat about flashing with the factory firmware is that it will erase the "LANGUAGE_PACK" partition. So, any image must stay within the boundaries of the factory flash map. Once another firmware is running, there is no problem erasing everything except the bootloader.

I mentioned above a TFTP server in the firmware. This is not in the bootloader, as one would expect, but in the running Linux system. Using it is as simple as uploading an image with a TFTP client while the router is up. It does expect a proper header (unless check_fw_hdr=0 is set in NVRAM, which you can only set from the console) but requires no authentication. So, if you had any doubts: the factory firmware is not only unsafe due to WPS, it is also totally open to reflashing by anyone on the LAN or wireless.

I put together a quick program to build a webflash image given a uImage: mkheader_gemtek.c
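As an added example (not the author's mkheader_gemtek.c or any Gemtek tool), here is a Python builder for the 32-byte header described above, plus the consistency check a flasher would run on such an image before accepting it. It assumes the CRC32 is the standard zlib/IEEE one, that imagesz is little-endian like pid, and that build and language are NUL-padded to 4 bytes.

```python
import struct
import zlib

# 32-byte gt_imghdr_t from the page, packed little-endian (the page states pid
# and checksum are little-endian; imagesz being little-endian too is an assumption).
HEADER_FMT = "<4s4sIIII4s4s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32
CHECKSUM_OFF = 16                          # byte offset of the checksum field
# Values the page gives for each router; build/language NUL-padded to 4 bytes (assumption).
PROFILES = {
    "ar725w":   (b"GMTK", b"1003"),
    "awrt600n": (b"A600", b"1005"),
}
PID, BUILD, LANGUAGE = 0x03000001, b"01", b"EN"
OS_IMAGE_SPACE = 3866624                   # bytes of flash for the OS image, per the page


def add_gemtek_header(uimage: bytes, profile: str = "ar725w") -> bytes:
    """Prepend the Gemtek web-flash header to a plain uImage."""
    if len(uimage) > OS_IMAGE_SPACE:
        raise ValueError("uImage larger than the OS image flash space")
    magic, version = PROFILES[profile]
    total = HEADER_LEN + len(uimage)       # imagesz counts header + kernel + romfs

    def pack(crc: int) -> bytes:
        return struct.pack(HEADER_FMT, magic, version, PID, total, crc, 0, BUILD, LANGUAGE)

    # CRC32 runs over header + image with the checksum field zeroed (assumed to be the
    # standard zlib/IEEE CRC32 the page calls "CRC32"); fastcksum stays zero.
    crc = zlib.crc32(pack(0) + uimage) & 0xFFFFFFFF
    return pack(crc) + uimage


def verify_gemtek_image(blob: bytes, profile: str = "ar725w") -> bool:
    """True only if magic/version/pid/imagesz/build/language and the CRC are consistent."""
    if len(blob) < HEADER_LEN:
        return False
    magic, version, pid, imagesz, checksum, _fast, build, language = struct.unpack(
        HEADER_FMT, blob[:HEADER_LEN])
    if (magic, version) != PROFILES[profile] or pid != PID or imagesz != len(blob):
        return False
    if build[:2] != BUILD or language[:2] != LANGUAGE:
        return False
    # Recompute the CRC exactly as it was produced: checksum field zeroed, rest intact.
    zeroed = blob[:CHECKSUM_OFF] + b"\0\0\0\0" + blob[CHECKSUM_OFF + 4:]
    return zlib.crc32(zeroed) & 0xFFFFFFFF == checksum
```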

Flashing from the Console

At least one unfortunate person has bricked his/her router trying to flash from the u-Boot console. Here's the thing: when you power on, the flash chip is protected by the bootloader (and only in the bootloader). The key to not screwing things up is to NEVER, EVER unprotect 0xBC400000 to 0xBC450000. This is the u-Boot partition; without it, you will never bring the router back to life. But with the bootloader intact, even if you flash a bad image it will continue to work to the point where you can use the serial console to flash a new image. I would also not use the options presented right at power-up. Choose "4" instead and do this from the u-Boot command line.

Unlike Broadcom CFE-based routers, there is no TFTP server built into the bootloader. It does, however, have a TFTP client. You have to set up a TFTP server on your PC. The bootloader uses the odd default IP of 192.168.3.244, and expects the TFTP server to be at 192.168.3.79. You can probably change these, but there's not much reason to. The client is clunky and only seems to work if you run it first thing after power cycling. It will not work if you reboot from the OS. I am using a Linux TFTP server.

An example - Flashing a firmware image called 'openwrt.bin' on the server:

tftp 8A800000 openwrt.bin
protect off BC450000 BC7DFFFF
erase BC450000 BC7DFFFF
cp.b 8A800000 BC450000 $(filesize)
bootm

This downloads the firmware image to RAM (which begins at 0x80000000), unprotects the safe area of the flash chip, erases said flash space and then copies (writes) onto the flash chip from the RAM image. The bootm command boots the image in 0xBC450000 by default. It is also useful for booting an uImage in memory, like the kernel+initramfs images that OpenWRT can build. In that case, something like bootm 8a800000 works.

This image must be just a uImage, i.e. it must not have the 32-byte header mentioned in the section above.

Link to my AR725W-related downloads.

Last modified 2014-03-12.