Freedom for the Netopia 3347-02 DSL router

I happened to find 3 Swisscom Netopia 3347-02 DSL routers that were lying around and I thought maybe I could get them to be useful again. Unfortunately those routers come with a custom firmware for every network provider that used them (Swisscom, Qwest, Eircom among others) and are close to useless if you no longer use that provider. So let's see if we can reclaim their freedom.

[router photo]

exact model: 3347-02-20SC, type: 0x69

The idea is to install an alternative firmware on them. The 2 most popular options are OpenWRT and DD-WRT. So the first thing to do is to check if the router is supported. A quick check of the OpenWRT table of hardware brings up this for Netopia routers:

Model Version Platform & Frequency Flash RAM Wireless NIC Switch boot_wait Serial JTAG USB Status
3387WG-ENT CX86113 @ 200MHz 4MB 16MB TNETW1130GVF BCM5325EKQM No Untested
3347NWG Texas Instruments AR7 (TNETD7300AZDW) @??? 4MB 16MB TNETW1130ZVF BCM5325EKQMG No Untested
3347W/3357W CX82310 @ 168MHz 2MB 16MB ACX100AGHK BCM5325A2KQM No Untested

Unfortunately our exact model is not listed and all the listed models are untested. No luck with DD-WRT either as it doesn't have any Netopia routers listed. Let's not get discouraged and see if we can still proceed further.

Opening the router will bring important information about the key hardware components. Three screws later we get access to the board.

[router board photo]

Here's the list of identified components:

Infineon PSB7200ZDW 83A48KW
CPU Infineon AR7 Ohio PSB7200ZDW @ 212MHz?
http://en.wikipedia.org/wiki/TI-AR7
The AR7 combines a MIPS32 processor, a DSP-based digital transceiver, and an ADSL analog front end. Integrated high performance MIPS 4KEc 32-Bit RISC processor

SPANSION S29GL032
Flash memory

SAMSUNG K4S281632I-UC75 (or NANYA NT5SV8M16FS-75B on another board)
RAM memory 128Mb Synchronous DRAM

Broadcom BCM5325EKQMG
Ethernet Switch 6-Port 10Mbps/100Mbps 128-Pin MQFP

TNETW1350A
Wireless chip

DELTA LFE8731
LAN filter

Well that's it. So we have a little computer here composed of a MIPS32 CPU, flash memory (to store the firmware), RAM memory, an ethernet switch and a wireless chip.

Going back to our OpenWRT table, we conclude that our closest relative is the 3347NWG as they share the same processor and switch although the wireless chip is a different model from the same company. Let's see if any OpenWRT compatible routers use the AR7 MIPS chip: http://wiki.openwrt.org/toh/start

Here we got several hits such as

GT724WG 10.03? ar7 Texas Instruments TNETD7200 212 4 16 TI TNETW1350A b/g 4 + DSL No No
AG241 v1 8.09.2 ar7 ar7 ? 4 16 - - 4x 100M + 1xADSL No ?

So that's definitely comforting, it means that although not tested it's probably possible to install OpenWRT on this router. Let's try it. Next we need to download the correct firmware image for our router. In this case it's http://downloads.openwrt.org/barrier_breaker/14.07/ar7/generic/openwrt-ar7-generic-squashfs.bin

Let's connect to the router admin interface (admin/1234) and try to install the firmware we just downloaded.

[firmware update1 and firmware update2]

Ah shit, the firmware update failed. It says the file upload failed. Let's see if we have more success through a telnet connection. For this purpose, I installed PuTTY. Login and password just like before.

[putty connection] [terminal]

login: admin
Password: 1234

Terminal shell v1.0
Copyright ▒2008 Motorola, Inc.  All rights reserved.
Netopia Model 3347-02 AnnexA High-Power Wireless DSL Ethernet Managed Switch
Running Netopia SOC OS version 7.8.1 (build r2)
Multimode ADSL Capable
(admin completed login: Full Read/Write access)

Netopia-3000/32309508>

Ok we're in. Let's get the list of commands by typing help:

Netopia-3000/32309508> help
arp                           to send ARP request
atmping                       to send ATM OAM loopback
clear                         to erase all stored configuration information
clear_certificate             to clear stored SSL certificate
clear_log                     to clear stored log data
configure                     to configure unit's options
diagnose                      to run self-test
download                      to download config file
exit                          to quit this shell
help                          to get more: "help all" or "help help"
hotspot                       to set or show hotspot authentication info
install                       to download and program an image into flash
license                       to enter an upgrade key to add a feature
log                           to add a message to the diagnostic log
loglevel                      to report or change diagnostic log level
netstat                       to show IP information
nslookup                      to send DNS query for host
ping                          to send ICMP Echo request
quit                          to quit this shell
reset                         to reset subsystems
restart                       to restart unit
show                          to show system information
start                         to start subsystem
status                        to show basic status of unit
telnet                        to telnet to a remote host
traceroute                    to send traceroute probes
upload                        to upload config file
view                          to view configuration summary
wan_type                      to Set WAN interface type
who                           to show who is using the shell
?                             to get help: "help all" or "help help"
wps                           to issue Wireless Protected Setup commands
wol                           to Wake On LAN

 

So it's install we're actually looking for. Let's try

Netopia-3000/32309508> install

*** WARNING ***  YOU ARE ABOUT TO ERASE AND REPROGRAM THE
UNIT'S PERMANENT SOFTWARE STORAGE WITH A NEW SOFTWARE
VERSION OBTAINED VIA THE TFTP PROTOCOL.  IF YOU DO NOT
HAVE ALL THE NECESSARY INFORMATION (TFTP SERVER IP-ADDRESS
AND FILENAME) YOU MAY CANCEL THE INSTALLATION NOW.

Do you wish to proceed? (type `yes' to confirm): yes

Enter TFTP server IP address:

Ok we need to setup a TFTP server that will serve the firmware.

[TFTP screenshot]
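The install prompt needs only a host that answers one TFTP read request for the image. As an added example (not from the original post), this Python server implements RFC 1350 reads for exactly one file and refuses write requests and any other file name; the function names are hypothetical, the file name and address are the ones typed at the install prompt on this page, and it assumes the router requests "octet" mode and does not depend on TFTP options.

```python
import os
import socket
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512  # fixed RFC 1350 block size; option negotiation is not implemented

def parse_rrq(packet):
    """Return (filename, mode) for a read request, None for anything else."""
    fields = packet[2:].split(b"\x00")
    if packet[:2] != struct.pack("!H", OP_RRQ) or len(fields) < 3:
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()

def data_packets(blob):
    """Split blob into DATA packets; a short (possibly empty) last block ends the transfer."""
    return [struct.pack("!HH", OP_DATA, (i + 1) & 0xFFFF) + blob[i * BLOCK:(i + 1) * BLOCK]
            for i in range(len(blob) // BLOCK + 1)]

def serve_once(image_path, bind_ip, port=69, timeout=5.0, retries=5):
    """Answer one RRQ for the image's own file name; refuse every other request."""
    with open(image_path, "rb") as fh:
        blob = fh.read()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((bind_ip, port))
        request, client = listener.recvfrom(1024)
    # RFC 1350: the transfer itself runs from a fresh ephemeral port (the server TID).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as xfer:
        xfer.bind((bind_ip, 0))
        xfer.settimeout(timeout)
        if parse_rrq(request) != (os.path.basename(image_path), "octet"):
            # Error code 2 (access violation): write request, other file name or mode.
            xfer.sendto(struct.pack("!HH", OP_ERROR, 2) + b"refused\x00", client)
            return False
        for number, packet in enumerate(data_packets(blob), start=1):
            for _ in range(retries):
                xfer.sendto(packet, client)
                try:
                    reply, peer = xfer.recvfrom(1024)
                except socket.timeout:
                    continue
                if peer == client and reply[:4] == struct.pack("!HH", OP_ACK, number & 0xFFFF):
                    break
            else:
                return False  # client stopped acknowledging
        return True

if __name__ == "__main__":
    print(serve_once("openwrt-ar7-generic-squashfs.bin", "192.168.1.4"))
```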

Enter TFTP server IP address: 192.168.1.4
Enter file path of image to install: openwrt-ar7-generic-squashfs.bin

About to install new Flash EPROM software image:
server: 192.168.1.4
file:  "openwrt-ar7-generic-squashfs.bin"

Should installation proceed with this information?
(type `yes' to confirm): yes

Starting Firmware download.
Downloading file .................................................................................................................................................................
Firmware Load Failed:  Invalid file

Well, the firmware was refused again, but this time we know that the file is considered invalid. So that means there's some kind of check that the firmware is of the correct type. Just to confirm the assumption, I tried to install an official Swisscom firmware and that works both in web and telnet. So there's definitely some check in place. I looked at it from many different angles but it seems not possible to get anywhere further from the telnet console.

Let's dig deeper. Looking at the board there are two interesting locations named J5 and J2. J5 consists of 4 pins in a rectangle, while J2 consists of 14 pins in a rectangle.

[J5 photo and J2 photo]

These happen to be the serial and JTAG pins.

Most routers come with a UART integrated into the system-on-chip, and its pins are routed on the printed circuit board (PCB) to allow debugging, firmware replacement or serial device connection (like modems). The bootloader is responsible for listening on it. So in contrast to the JTAG port, the serial port needs some software running on the CPU before we can use it! If the bootloader is damaged, or doesn't offer such a feature, the port is useless.

Once the serial header is found, you can easily check where the GND is: it is connected to the same ground layer as the power connector. The VCC should be fixed at 3.3V and connected to the supply layer; the TX is also at 3.3V level, but using a multimeter as an ohm-meter, if you find an infinite resistance between the TX and VCC pins, it means they're distinct signals (else, you'll need to find the correct TX or VCC pin). The RX and GND are by default at 0V, so you can check them using the same technique. Typically there are four pins to identify: GND - Ground, Vcc - 3.3VDC or 5VDC, TXD - Transmit data, and RXD - Receive data.

Pin    Signal
1    GND - can only be next to J5 - Most PCB designers will draw a square pad to indicate pin number 1 - which is the case here
2    TxD - transmission
3    VCC - positive voltage
4    RxD - reception

To use the serial console, we need to solder the pins.

[serial console soldered]

Now to communicate with the serial console, we need a USB to serial "transformer". It's called a CP210x USB to UART Bridge. Luckily they have one at the hacker space. The thingy needs drivers to run under Windows. We also need the Realterm software to read the serial console stuff.

Before connecting the router and the computer, it's best to test the USB to UART Bridge by connecting its TX to its RX. This is often called a "null-modem" configuration; the signal is sent through TX to RX (loopback).

[null-modem] [realterm settings]
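The loopback check described above can also be scripted instead of typed into a terminal. This added example (not from the original post) sends random bytes out of the bridge and classifies what comes back; it assumes the pyserial package, and the port name COM3 and 115200 baud are placeholder values.

```python
import os


def loopback_status(port, rounds=4, size=32):
    """Send random probes through `port` and classify what comes back.

    `port` is any object with pyserial's Serial interface (write, read, flush,
    reset_input_buffer), opened with a read timeout.
    Returns "ok", "no-echo" or "corrupt-echo".
    """
    for _ in range(rounds):
        probe = os.urandom(size)       # random, so stale buffered data cannot fake a pass
        port.reset_input_buffer()      # drop anything received before this probe
        port.write(probe)
        port.flush()                   # wait until the bytes have been handed to the adapter
        echo = port.read(size)         # returns fewer bytes if the timeout expires
        if not echo:
            return "no-echo"           # TX is not reaching RX: jumper or driver problem
        if echo != probe:
            return "corrupt-echo"      # partial or altered echo: bad contact or another driver on RX
    return "ok"


if __name__ == "__main__":
    import serial  # pyserial, third-party: pip install pyserial

    # "COM3" and 115200 baud are assumed values; use the port assigned to the bridge.
    with serial.Serial("COM3", 115200, timeout=1) as bridge:
        print(loopback_status(bridge))
```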

Let's connect the serial console with the UART bridge. In order to interact with the device over the serial port, we need a minimum of three wires connected: a ground (GND); transmit (TX); and receive (RX). Connect both GND together and connect computer side TX to device RX and vice-versa. That way, what you say will get heard by the device and what the device says will get heard by your computer. Time to test it.
