How to modify the firmware (or update to OpenWrt 21)

A project log for Fun with wifi repeaters

WiFi repeaters are getting super cheap now ($5!) and can contain quite open hardware. Try to make the most out of the QCA953X based ones.

biemster, 09/17/2023 at 17:36, 0 Comments

The hardware is hardly locked down at all; it is just a vanilla install of LEDE. You could go through the setup as per the instructions that came with it and then connect over SSH, or you could solder the UART pins that are clearly marked on the PCB and connect to a PC (that's what I did).

The board draws very little power; my USB-to-UART stick had enough juice on the 5V pin to power it up. It shows the U-Boot and Linux boot log over the standard 115200 baud. You can interrupt the bootloader and drop into a U-Boot shell, or let LEDE boot fully and then press Enter to get a root shell.

Now there are two options:

1) Keep the current (perfectly fine) LEDE install and start modifying that. You'll need a third-party toolchain if you want to compile code for it, which can be found here:

Don't forget to use static linking (-static), because the C library on the device will not match the one the toolchain links against. This costs about 0.5MB extra per application!

2) Compile OpenWrt and update. This gets you a slightly newer kernel but, most importantly, a compatible toolchain! Here is a repo specifically for that (you can skip 'make menuconfig' entirely):

I've also attached a firmware image made with this code, and the corresponding toolchain in the "Files" section here.

The first flash of this firmware has to be done from the U-Boot console (LuCI will not accept this sysupgrade.bin, as it thinks it is for another device); instructions are here:

setenv ipaddr <make up an ip>
setenv serverip <tftp server ip>
tftp 0x80060000 openwrt-ath79-generic-embstar-squashfs-sysupgrade.bin
erase 0x9f050000 +0x7a0000
cp.b $fileaddr 0x9f050000 0x7a0000
setenv bootcmd "bootm 0x9f050000"
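Before typing the commands above into U-Boot it is worth checking that the image actually fits the flash window being erased, since anything written past the end of it lands in the next partition (the ART calibration data on these boards). The script below is an added example, not part of this log or the repo: it uses the addresses and lengths from the commands above, assumes a 64 KiB SPI NOR erase block (typical for this class of board, but check your flash chip), generates the same command sequence with `cp.b` limited to `$filesize` (which U-Boot sets after a tftp load) and appends `saveenv` so the new `bootcmd` survives a reboot.

```shell
#!/bin/sh
# Added example (not from the project log): sanity-check a sysupgrade image
# against the flash window the U-Boot commands write to, and print the
# matching command sequence. Offsets and lengths are the ones from the log;
# the 64 KiB erase-block size is an assumption typical for SPI NOR on these boards.

FW_BASE=0x9f050000      # start of the firmware partition (from the log)
FW_LEN=0x7a0000         # length of the firmware partition (from the log)
LOAD_ADDR=0x80060000    # RAM address tftp loads the image to (from the log)
ERASE_BLOCK=0x10000     # assumed SPI NOR erase-block size (64 KiB)

# Return 0 if the image fits the partition and the window is block aligned,
# 1 otherwise. Usage: fw_fits <image-file>
fw_fits() {
    size=$(wc -c < "$1") || return 1
    [ "$size" -gt 0 ] || return 1
    # partition start and length must be multiples of the erase block
    [ $((FW_BASE % ERASE_BLOCK)) -eq 0 ] || return 1
    [ $((FW_LEN % ERASE_BLOCK)) -eq 0 ] || return 1
    # image must fit; anything beyond FW_BASE+FW_LEN would hit the next partition (ART)
    [ "$size" -le $((FW_LEN)) ]
}

# Number of erase blocks the image occupies, rounded up. Usage: fw_blocks <image-file>
fw_blocks() {
    size=$(wc -c < "$1")
    echo $(( (size + ERASE_BLOCK - 1) / ERASE_BLOCK ))
}

# Print the U-Boot commands for this image. cp.b copies only $filesize bytes
# (U-Boot sets fileaddr and filesize after tftp) instead of the whole partition,
# and saveenv persists the new bootcmd.
fw_commands() {
    fw_fits "$1" || { echo "image does not fit in $FW_LEN bytes" >&2; return 1; }
    name=$(basename "$1")
    cat <<EOF
setenv ipaddr <make up an ip>
setenv serverip <tftp server ip>
tftp $LOAD_ADDR $name
erase $FW_BASE +$FW_LEN
cp.b \$fileaddr $FW_BASE \$filesize
setenv bootcmd "bootm $FW_BASE"
saveenv
EOF
}

# Usage: fw_commands openwrt-ath79-generic-embstar-squashfs-sysupgrade.bin
```

Run it on the build host against the sysupgrade.bin you are about to serve over tftp; a non-zero exit from `fw_commands` means the image is larger than the partition and should not be flashed at all.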

EDIT: apparently the OpenWrt 21.02 in the repo has an issue with BPF filters on wireless:

so to make tcpdump capture filters (and BPF filters in your own code) work, one needs to disable the BPF JIT:

echo 0 > /proc/sys/net/core/bpf_jit_enable
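The echo above only lasts until the next reboot. As an added example (not from this log), the snippet below wraps the same toggle in small functions: read the current JIT state, disable it at runtime, and persist it as a fragment under /etc/sysctl.d/, which OpenWrt's /etc/init.d/sysctl applies at boot. The SYSCTL_D variable and the file name 99-bpf-jit.conf are my choices, not anything from the page.

```shell
#!/bin/sh
# Added example (not from the project log): inspect the BPF JIT toggle, disable
# it for the running kernel, and persist the setting the way OpenWrt's
# /etc/init.d/sysctl expects (it applies /etc/sysctl.d/*.conf at boot).

BPF_JIT_PROC=/proc/sys/net/core/bpf_jit_enable
SYSCTL_D="${SYSCTL_D:-/etc/sysctl.d}"   # overridable so this can be tried in a scratch dir

# Print the current JIT state (0 = disabled, 1 = enabled; some kernels also
# accept 2 for JIT with debug output), or "unknown" if the knob is absent.
bpf_jit_state() {
    if [ -r "$BPF_JIT_PROC" ]; then cat "$BPF_JIT_PROC"; else echo unknown; fi
}

# Disable the JIT for the running kernel (needs root); same as the echo in the log.
bpf_jit_disable_now() {
    echo 0 > "$BPF_JIT_PROC"
}

# Write a sysctl.d fragment so the setting survives a reboot; prints the file path.
bpf_jit_persist() {
    mkdir -p "$SYSCTL_D" || return 1
    f="$SYSCTL_D/99-bpf-jit.conf"
    printf 'net.core.bpf_jit_enable=0\n' > "$f" || return 1
    echo "$f"
}

# Return 0 only when the runtime value and the persisted config both say "off",
# which is the state you want before trusting a tcpdump capture filter again.
bpf_jit_check() {
    [ "$(bpf_jit_state)" = "0" ] || return 1
    grep -qx 'net.core.bpf_jit_enable=0' "$SYSCTL_D/99-bpf-jit.conf"
}

# On the device, as root: bpf_jit_disable_now && bpf_jit_persist && bpf_jit_check
```

After a reboot, `bpf_jit_check` failing means the fragment was not applied (wrong directory, or the sysctl init script disabled), so the filter problem would be back.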