I happened to find 3 Swisscom Netopia 3347-02 DSL routers that were lying around and I thought maybe I could get them to be useful again. Unfortunately those routers come with a custom firmware for every network provider that used them and are close to useless if you don't use this provider any longer (Swisscom, Qwest, Eircom among others). So let's see if we can reclaim their freedom.
exact model: 3347-02-20SC, type: 0x69
The idea is to install an alternative firmware on them. The 2 most popular options are OpenWRT and DD-WRT. So the first thing to do is to check if the router is supported. A quick check in the OpenWRT table of hardware brings up this for Netopia routers:
|Model||Version||Platform & Frequency||Flash||RAM||Wireless NIC||Switch||boot_wait||Serial||JTAG||USB||Status|
|3387WG-ENT||CX86113 @ 200MHz||4MB||16MB||TNETW1130GVF||BCM5325EKQM||No||Untested|
|3347NWG||Texas Instruments AR7 (TNETD7300AZDW) @???||4MB||16MB||TNETW1130ZVF||BCM5325EKQMG||No||Untested|
|3347W/3357W||CX82310 @ 168MHz||2MB||16MB||ACX100AGHK||BCM5325A2KQM||No||Untested|
Unfortunately our exact model is not listed and all the listed models are untested. No luck with DD-WRT either as it doesn't have any Netopia routers listed. Let's not get discouraged and see if we can still proceed further.
Opening the router will bring important information about the key hardware components. Three screws later we get access to the board.
[router board photo]
Here's the list of identified components:
Infineon PSB7200ZDW 83A48KW
CPU Infineon AR7 Ohio PSB7200ZDW @ 212MHz?
The AR7 combines a MIPS32 processor, a DSP-based digital transceiver, and an ADSL analog front end. Integrated high performance MIPS 4KEc 32-Bit RISC processor
SAMSUNG K4S281632I-UC75 (or NANYA NT5SV8M16FS-75B on another board)
RAM memory 128Mb Synchronous DRAM
Ethernet Switch 6-Port 10Mbps/100Mbps 128-Pin MQFP
Well that's it. So we have a little computer here composed of a MIPS32 CPU, flash memory (to store the firmware), RAM memory, an ethernet switch and a wireless chip.
Going back to our OpenWRT table, we conclude that our closest relative is the 3347NWG as they share the same processor and switch although the wireless chip is a different model from the same company. Let's see if any OpenWRT compatible routers use the AR7 MIPS chip: https://wiki.openwrt.org/toh/start
Here we got several hits such as
|GT724WG||10.03?||ar7||Texas Instruments TNETD7200||212||4||16||TI TNETW1350A||b/g||4 + DSL||No||No|
|AG241||v1||8.09.2||ar7||ar7||?||4||16||-||-||4x 100M + 1xADSL||No||?|
So that's definitely comforting, it means that although not tested it's probably possible to install OpenWRT on this router. Let's try it. Next we need to download the correct firmware image for our router. In this case it's https://downloads.openwrt.org/barrier_breaker/14.07/ar7/generic/openwrt-ar7-generic-squashfs.bin
Let's connect to the router admin interface (admin/1234) and try to install the firmware we just downloaded.
[firmware update1 and firmware update2]
Ah shit, the firmware update failed. It says the file upload failed. Let's see if we have more success through a telnet connection. For this purpose, I installed PuTTY. Login and password just like before.
[putty connection] [terminal]
Terminal shell v1.0
Copyright ▒2008 Motorola, Inc. All rights reserved.
Netopia Model 3347-02 AnnexA High-Power Wireless DSL Ethernet Managed Switch
Running Netopia SOC OS version 7.8.1 (build r2)
Multimode ADSL Capable
(admin completed login: Full Read/Write access)
Ok we're in. Let's get the list of commands by typing help:
arp to send ARP request
atmping to send ATM OAM loopback
clear to erase all stored configuration information
clear_certificate to clear stored SSL certificate
clear_log to clear stored log data
configure to configure unit's options
diagnose to run self-test
download to download config file
exit to quit this shell
help to get more: "help all" or "help help"
hotspot to set or show hotspot authentication info
install to download and program an image into flash
license to enter an upgrade key to add a feature
log to add a message to the diagnostic log
loglevel to report or change diagnostic log level
netstat to show IP information
nslookup to send DNS query for host
ping to send ICMP Echo request
quit to quit this shell
reset to reset subsystems
restart to restart unit
show to show system information
start to start subsystem
status to show basic status of unit
telnet to telnet to a remote host
traceroute to send traceroute probes
upload to upload config file
view to view configuration summary
wan_type to Set WAN interface type
who to show who is using the shell
? to get help: "help all" or "help help"
wps to issue Wireless Protected Setup commands
wol to Wake On LAN
So it's install we're actually looking for. Let's try
*** WARNING *** YOU ARE ABOUT TO ERASE AND REPROGRAM THE
UNIT'S PERMANENT SOFTWARE STORAGE WITH A NEW SOFTWARE
VERSION OBTAINED VIA THE TFTP PROTOCOL. IF YOU DO NOT
HAVE ALL THE NECESSARY INFORMATION (TFTP SERVER IP-ADDRESS
AND FILENAME) YOU MAY CANCEL THE INSTALLATION NOW.
Do you wish to proceed? (type `yes' to confirm): yes
Enter TFTP server IP address:
Ok, we need to set up a TFTP server that will serve the firmware.
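A minimal read-only TFTP server for this step, as an added example (not part of the original post, which does not say which server was used). It serves exactly one file name and ignores every other request, since TFTP has no authentication; the bind address and file name are the ones entered at the router's prompts, and it assumes the router asks for the file in octet mode.

```python
import socket
import struct

BLOCK = 512  # fixed RFC 1350 block size
OP_RRQ, OP_DATA, OP_ACK = 1, 3, 4

def parse_rrq(packet):
    """Return (filename, mode) for a read request, None for any other packet."""
    fields = packet[2:].split(b"\0")
    if packet[:2] != struct.pack("!H", OP_RRQ) or len(fields) < 3:
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()

def data_packets(image):
    """DATA packets for the image; a final short (possibly empty) block ends the transfer."""
    return [struct.pack("!HH", OP_DATA, (n + 1) & 0xFFFF) + image[n * BLOCK:(n + 1) * BLOCK]
            for n in range(len(image) // BLOCK + 1)]

def send_image(sock, client, image, retries=5):
    """Send every block, retransmitting until the matching ACK comes back."""
    for packet in data_packets(image):
        for _ in range(retries):
            sock.sendto(packet, client)
            try:
                reply, peer = sock.recvfrom(64)
            except OSError:          # timeout or reset: DATA or ACK was lost, send again
                continue
            if peer == client and reply[:4] == struct.pack("!H", OP_ACK) + packet[2:4]:
                break
        else:
            return False             # client stopped answering
    return True

def serve_once(bind_ip, allowed_name, image, port=69):
    """Serve one named file to the first client that completes a transfer, then stop."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((bind_ip, port))   # the LAN address only, not 0.0.0.0
        while True:
            packet, client = listener.recvfrom(2048)
            if parse_rrq(packet) != (allowed_name, "octet"):
                continue                 # other names, write requests and junk are ignored
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as xfer:  # new port = transfer ID
                xfer.settimeout(2.0)
                if send_image(xfer, client, image):
                    return True

if __name__ == "__main__":
    NAME = "openwrt-ar7-generic-squashfs.bin"   # file name typed at the router prompt
    with open(NAME, "rb") as f:
        serve_once("192.168.1.4", NAME, f.read())
```

Binding UDP port 69 needs administrator rights on most systems, and the server exits after one completed transfer so nothing stays exposed on the LAN afterwards.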
Enter TFTP server IP address: 192.168.1.4
Enter file path of image to install: openwrt-ar7-generic-squashfs.bin
About to install new Flash EPROM software image:
Should installation proceed with this information?
(type `yes' to confirm): yes
Starting Firmware download.
Downloading file .................................................................................................................................................................
Firmware Load Failed: Invalid file
Well, the firmware was refused again, but this time we know that the file is invalid. So that means there's some kind of way to check that the firmware is of the correct type. Just to confirm the assumption, I tried to install an official Swisscom firmware and that works both in web and telnet. So there's definitely some check in place. I looked at it from many different angles but it seems not possible to get anywhere further from the telnet console.
Let's dig deeper. Looking at the board there are two interesting locations named J5 and J2. J5 consists of 4 pins in a rectangle, while J2 consists of 14 pins in a rectangle.
[J5 photo and J2 photo]
These happen to be the serial and JTAG pins.
Most routers come with a UART integrated into the system-on-chip, and its pins are routed on the printed circuit board (PCB) to allow debugging, firmware replacement or serial device connection (like modems). The bootloader is responsible for listening on it. So in contrast to the JTAG port, the serial port needs some software running on the CPU before we can use it! If the bootloader is damaged, or doesn't offer such a feature, the port is useless.
Once the serial header is found, you can easily check which pin is GND: it is connected to the same ground layer as the power connector. VCC should be fixed at 3.3V and connected to the supply layer; TX is also at 3.3V level, but using a multimeter as an ohmmeter, if you find an infinite resistance between the TX and VCC pins, it means they're distinct signals (otherwise you'll need to find the correct TX or VCC pin). RX and GND are by default at 0V, so you can check them using the same technique. Typically there are four pins to identify: GND - Ground, Vcc - 3.3VDC or 5VDC, TXD - Transmit data, and RXD - Receive data.
1 GND - can only be next to J5 - Most PCB designers will draw a square pad to indicate pin number 1 - which is the case here
2 TxD - transmission
3 VCC - positive voltage
4 RxD - reception
To use the serial console, we need to solder the pins.
[serial console soldered]
Now to communicate with the serial console, we need a USB to serial "transformer". It's called a CP210x USB to UART Bridge. Luckily they have one at the hacker space. The thingy needs drivers to run under Windows. We also need the Realterm software to read the serial console stuff.
Before connecting the router and the computer, it's best to test the USB to UART Bridge by connecting its TX to its RX. This is often called a "null-modem" configuration; the signal is sent through TX to RX (loopback).
[null-modem] [realterm settings]
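The same loopback test can be scripted instead of typed into a terminal. This is an added example, not from the original post: it writes random frames to the bridge and checks that they come back through the TX-to-RX jumper. The pyserial library, the port name passed on the command line and the 115200 baud rate are assumptions, and `FakeBridge` is a constructed stand-in so the check also runs without hardware.

```python
import os

def loopback_check(port, rounds=8, size=32):
    """Write random frames and read them back through the TX->RX jumper.

    `port` needs write(), read(n) and reset_input_buffer(), as a pyserial Serial has.
    Returns "ok", "no echo" (jumper or port selection wrong) or "corrupt" (flaky contact).
    """
    for _ in range(rounds):
        frame = os.urandom(size)
        port.reset_input_buffer()              # drop stale bytes from earlier sessions
        port.write(frame)
        echoed = b""
        while len(echoed) < size:
            chunk = port.read(size - len(echoed))   # b"" means the read timed out
            if not chunk:
                break
            echoed += chunk
        if not echoed:
            return "no echo"
        if echoed != frame:
            return "corrupt"
    return "ok"

class FakeBridge:
    """Constructed stand-in for the adapter: echoes only when TX is jumpered to RX."""
    def __init__(self, jumper):
        self.jumper, self.buf = jumper, b""
    def reset_input_buffer(self):
        self.buf = b""
    def write(self, data):
        if self.jumper:
            self.buf += data
        return len(data)
    def read(self, n):
        out, self.buf = self.buf[:n], self.buf[n:]
        return out

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # e.g. the COM port the driver assigned
        import serial                          # pyserial (third-party), assumed installed
        with serial.Serial(sys.argv[1], 115200, timeout=1) as bridge:
            print(loopback_check(bridge))
    else:                                      # no hardware: run on the stand-ins
        print(loopback_check(FakeBridge(True)), loopback_check(FakeBridge(False)))
```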
Let's connect the serial console with the UART bridge. In order to interact with the device over the serial port, we need a minimum of three wires connected: a ground (GND); transmit (TX); and receive (RX). Connect both GND together and connect computer side TX to device RX and vice-versa. That way, what you say will get heard by the device and what the device says will get heard by your computer. Time to test it.