Hacking the Trendnet TEW652BRP v2 to work as a wireless bridge

Although version 1 of this router is completely customizable through alternative firmware, version 2 uses a different chipset and, for now, very little tweaking is possible.

The TEW652BRP v1 and v2 are two completely different routers. The first has a 400 MHz Atheros AR9130 System on a Chip, making it perfect for aftermarket firmware such as OpenWrt. The latter, although it carries the same model number, sports a 330 MHz Realtek RTL8196B core. Both have 4 MB of flash, 32 MB of RAM and five 10/100 Ethernet ports.

# cat /proc/cpuinfo
system type        : RTL8652
processor        : 0
cpu model        : R3000 V0.0
BogoMIPS        : 329.31
wait instruction    : yes
microsecond timers    : no
tlb_entries        : 32
extra interrupt vector    : no
hardware watchpoint    : no
ASEs implemented    :
VCED exceptions        : not available
VCEI exceptions        : not available

The source code of the RTL8196B driver is not publicly available and would probably have to be written from scratch. Chances are that will never happen.

Anyway, part of its code is under the GPL, so I'm trying to hack it to work in bridge mode.

Since Trendnet has published the firmware source along with the required toolchain, the first thing I tried was to get shell access on the router. It turned out not to be that easy.

Repackaging the firmware with /etc/inittab pointing to "/bin/busybox telnetd &" failed, as did trying to run anything else; not even a simple ping would launch.
/etc/inittab, /etc/rcS and /etc/init.d/* all failed to start any programs. It was a very frustrating process, as I had to recompile the firmware numerous times.

Reading through information on similar hardware (http://wiki.x-wrt.org/index.php/Trendnet_TEW-632BRP) I managed to get a shell through the serial port.
The pinout is shown below. Note that TX and RX are swapped relative to the TEW-632BRP; following that router's serial pinout WILL NOT WORK. The right pinout for the TEW652BRP v2 is:

pin 1 = +3.3V
pin 2 = TX
pin 3 = RX
pin 4 = Ground

Also, the serial port on this router runs at 38400 baud (8N1, no flow control, as the picocom output below shows).

For an easy interface, another router (a WRT54GS) was used to make the serial connection, avoiding the RS-232 level-shifting hassle: both serial headers are 3.3 V TTL.
One can just connect the WRT and Trendnet serial lines directly: RX-TX, TX-RX, GND-GND (leave the +3.3 V pin unconnected; each board has its own supply).
Once connected, just install and run picocom on the WRT like this:

~ # picocom -b 38400 /dev/tts/1
picocom v1.4

port is        : /dev/tts/1
flowcontrol    : none
baudrate is    : 38400
parity is      : none
databits are   : 8
escape is      : C-a
noinit is      : no
noreset is     : no
nolock is      : no
send_cmd is    : ascii_xfr -s -v -l10
receive_cmd is : rz -vv

Terminal ready

Here is the output from boot:

---RealTek(RTL8196B)at 2009.02.27-14:02-0500 version v1.3 [16bit](330MHz)
no rootfs signature at E0000!
Jump to image start=0x80500000...
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 25876k/32768k available (2325k kernel code, 6892k reserved, 298k data, 120k init, 0k highmem)
Mount-cache hash table entries: 512
Checking for 'wait' instruction...  available.
NET: Registered protocol family 16
PCI: Bridge: 0000:00:00.0
IO window: 18c00000-18c00fff
MEM window: 19000000-190fffff
PREFETCH window: disabled.
PCI: Enabling device 0000:00:00.0 (0000 -> 0003)
NET: Registered protocol family 2
IP route cache hash table entries: 256 (order: -2, 1024 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
Squashfs 2.2-r2 (released 2005/09/08) (C) 2002-2005 Phillip Lougher
Squashfs 2.2 includes LZMA decompression support
io scheduler noop registered
io scheduler anticipatory registered (default)
Skipping PCI bus scan due to resource conflict
PCI: Bridge: 0000:00:00.0
IO window: 18c00000-18c00fff
MEM window: 19000000-190fffff
PREFETCH window: disabled.
Realtek GPIO Driver for Flash Reload Default
init gpio_ioctl Successful,  major = 201
Serial: 8250/16550 driver $Revision: $ 1 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x0 (irq = 12) is a 16550A
Probing RTL8186 10/100 NIC...
eth0 added. vid=9 Member port 0x1de...
eth1 added. vid=8 Member port 0x1...
PPP generic driver version 2.4.2
MPPE/MPPC encryption/compression module registered
NET: Registered protocol family 24
PPTP driver version 0.7
RTL8192SE driver version 1.15 (2009-09-08)
PCI: Enabling device 0000:01:00.0 (0000 -> 0003)
correcting to 32
RealTek E-Flash System Driver. (C) 2002 RealTek Corp.
Found 1 x 4M Byte MXIC MX29LV320AB at 0xbd000000
table size = 0x400000, table region is 4
mtd->numeraseregions = 0x4
Creating 5 MTD partitions on "DiskOnChip Millennium":
0x00000000-0x00010000 : "boot+cal"
0x00010000-0x000f0000 : "linux"
0x000f0000-0x003e0000 : "rootfs"
0x003e0000-0x003f0000 : "nvram"
0x003f0000-0x00400000 : "mac"
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (256 buckets, 2048 max) - 236 bytes per conntrack
ip_conntrack_rtsp v0.6.21 loading
ip_nat_rtsp v0.6.21 loading
ip_conntrack_pptp version 3.1 loaded
ip_nat_pptp version 3.0 loaded
ip_tables: (C) 2000-2006 Netfilter Core Team
ipt_time loading
ClusterIP Version 0.8 loaded successfully
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Realtek FastPath v1.02
VFS: Mounted root (squashfs filesystem) readonly.
Go to out!!
Freeing unused kernel memory: 120k freed
mount /proc file system ok!
mount /var  file system ok!
init started:  BusyBox v1.01 (2010.02.08-23:07+0000) multi-call binary
BusyBox v1.01 (2010.02.08-23:07+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

As I said, trying to run things on this router from the traditional startup scripts failed. BusyBox on this router is built with inittab support, but it simply does not work. It seems all the start/stop and management code is run from the proprietary "rc" binary; looking through rc's objects one can clearly see it plays a central role.

caio@linuxdev:~/tew652/src/Matrix/projects/TEW-652BRPR1/apps/rc$ ls
app.o    firewall.o  Makefile  network.o  platform.o  process.o  rc    route.o  wantimer.o
build.h  lan.o       mtd.o     Pconfig    ppp.o       psmon.o    rc.o  wan.o    wlan.o

Anyway, the next step was to see whether the wireless control tools give any hints about their inner workings.

Running strings on wlan.o shows calls to iwpriv, brctl and lots of other things.

Trying to reverse its code would be a complete nightmare, and I didn't have the time or knowledge to go down that route, so I took a different approach.

Googling some of its strings turned up a Realtek developer document, as well as a Russian site with information on the D-Link G700.
Apparently the wireless controls are the same for all Realtek chips, limited only by each chip's capabilities.
According to the specification, the RTL8196B is capable of working in all modes: Client, AP and WDS.
Since the controls are available as binaries (iwpriv), finding the right commands was only a matter of time.

My need is only to bridge a pair of these TEW652BRP v2, so what I came up with was:

#set the working mode to Client (station)
iwpriv wlan0 set_mib opmode=8

#set the SSID of the access point to connect to
iwpriv wlan0 set_mib ssid="TRENDNETACCESSPOINT"

The rest of the configuration can be done from the administrative interface, as those settings are shared among all working modes.

So, to bridge the two routers, what I did was:

replicate all wireless settings on both routers
issue "iwpriv wlan0 set_mib opmode=8" on the client
ifconfig down/up the client's wlan0 interface (set_mib changes only take effect when the interface is restarted)

After that the access point listed the client's MAC address as one of its connected clients.

Next, get these things done at boot time. Although BusyBox does not read inittab or any other default init scripts on this firmware, it does source /etc/profile, so it can be done from there.
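One way to package the bridging steps above so they can be sourced from /etc/profile, as an added example and not the post's own code. It assumes the wireless interface is wlan0 and the LAN bridge is br0, that the Realtek set_mib opmode values are 8 for client/station and 16 for AP (taken from the Realtek documentation the post refers to, not verified here), and that /var is writable at boot (the boot log above shows it being mounted). DRY_RUN=1 makes the script print the commands instead of running them, so it can be checked on a host without iwpriv or brctl.

```sh
#!/bin/sh
# Added example, not code from the original post: a sourceable script that
# performs the bridging steps (client mode, SSID, interface restart) and is
# safe to call from /etc/profile at boot.
# Assumptions (mine, not confirmed by the post): wireless interface wlan0,
# LAN bridge br0, Realtek set_mib opmode 8 = client/station, 16 = AP.

WLAN_IF="${WLAN_IF:-wlan0}"
BRIDGE_IF="${BRIDGE_IF:-br0}"
# /etc/profile is sourced by every interactive shell, so a stamp file in the
# RAM-backed /var keeps the setup from re-running on each serial login.
STAMP="${STAMP:-/var/run/wifi_bridge.done}"

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Map a mode name to the (assumed) Realtek set_mib opmode value.
opmode_for() {
    case "$1" in
        client|sta) echo 8 ;;
        ap)         echo 16 ;;
        *)          return 1 ;;
    esac
}

# An SSID is 1..32 bytes; reject quotes and newlines so the value cannot
# escape the iwpriv argument or the line in /etc/profile that sets it.
valid_ssid() {
    s="$1"
    nl='
'
    [ -n "$s" ] || return 1
    [ "${#s}" -le 32 ] || return 1
    case "$s" in
        *\"*|*\'*|*"$nl"*) return 1 ;;
    esac
    return 0
}

# Switch WLAN_IF to the given mode and SSID, restart it so the new MIB values
# take effect, and make sure it is a member of the LAN bridge.
wifi_bridge_up() {
    mode="$1"
    ssid="$2"
    op=$(opmode_for "$mode") || { echo "unknown mode: $mode" >&2; return 1; }
    valid_ssid "$ssid" || { echo "invalid ssid" >&2; return 1; }
    run iwpriv "$WLAN_IF" set_mib opmode="$op"
    run iwpriv "$WLAN_IF" set_mib ssid="$ssid"
    run ifconfig "$WLAN_IF" down
    run ifconfig "$WLAN_IF" up
    # brctl addif fails if wlan0 is already a bridge port, which is fine.
    run brctl addif "$BRIDGE_IF" "$WLAN_IF" 2>/dev/null || true
}

# Boot-time entry point: run the setup once per boot, then leave the stamp.
wifi_bridge_boot() {
    [ -e "$STAMP" ] && return 0
    wifi_bridge_up client "$1" && : > "$STAMP"
}

# In /etc/profile:
#   BRIDGE_SSID=TRENDNETACCESSPOINT
#   . /etc/wifi_bridge.sh
# Without BRIDGE_SSID only the functions are defined (handy with DRY_RUN=1).
if [ -n "$BRIDGE_SSID" ]; then
    wifi_bridge_boot "$BRIDGE_SSID"
fi
```

Because set_mib state lives in RAM and the root filesystem is a read-only squashfs, the script has to go into the repackaged firmware alongside the /etc/profile change; the stamp file is what stops it from restarting wlan0 every time a shell is opened on the serial console.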