I have a friend who relies on me for trying to rescue him from IT disasters, often of someone else’s making. You know the type. Well the latest one got me into hidden serial ports and demonstrated how commodity routers can surprise you.
In the end he shipped me the box, as it goes it’s a nice little unit, badged underneath as “Wireless N300 Easy Setup Router” Model: F3. It was dead, nothing except a stoically solid “SYS” light and a link light if you connected a device. I suspected flash issues.
The problem was the reset button, I’ve always found these cheap routers can be persuaded to go into a TFTP or Emergence upload mode with a web page to recover firmware, nope not this one despite repeated and varied combinations of reset and power. Using a static arp on a PC to try to get to the default ip (192.168.0.1) also couldn’t ellicit a response.
I’ve seen many tales of hidden serial/console ports in devices often for initial setup or debugging, long since removed by the time the design is finalised but I’d never been too keen to lear on a router that was already working so I had a perfect opportunity. I enlisted a friend to show me the ropes. We opened the device and were confronted with a tiny sircuit board and two chips. Two chips! I am old enough to remember 300bit modems the size of a shoe box and we have a wired/wifi 300N router on two chips, I thoguht there’s no way this is coming back but I was wrong. On the board were clearly four holes ready for a header plug, my previous research suggested this may be a serial port, despite the two chips there’s still a port. My mate spent ten minutes checking the voltage levels, making a quick check of the traces and soldering in a header. Another ten minutes with Putty and a USB-TTL adapter and we had a pulse. A quick flurry of info on power on and then a blank.
Reading the info, the device was obviously booting and trying to go to the flash then hanging for whatever reason but the odd thing was the IP address, not 192.168.0.1 but 192.168.1.58, at first I thought recovery address but I was wrong. After 10 minutes of power…text…ctrl-c.. swear.. repower we hit the ctrl-c at just the right time to get CFE prompt (CFE is a Broadcom low level interface with commands geared at loading and running flash: OpenWRT guide to CFE ). Armed with this, setting up a PC directly into the device I can ping the IP and get my replacement flash ready to go… but will the command work? Noo.. this cursing goes on for an hour, pinging, checking TFTP servers, firewalls, command line and each time getting a TFTP timeout. Scrolling down the CFE wiki I notice the emergency web page. Open a browser to the 192.168.1.58 mystery address and there we have a very similar page. Upload the image and away! The image in question being the F3 image from the Tenda website.
So in essence, I needed a serial port to interrupt the boot process at low level so the web page became available to re-flash. Bit wonky on the design front there!
The kicker came looking at the config, ALL the original config appeared to be there, SSID, keys, passwords were as set last time I’d seen the device working. The penny dropped. The 192.168.1.58 wasn’t a recovery IP it was the IP in NVRAM from the config. The reset button was no use at all in the state the router had got to, it was using the real config to try and recover itself! Not something you expect.
There was still a nagging thought that the config looked different last time. Even looking back at the support site http://www.tendacn.com/en/product/download/F3.html was odd, the software on the box was obviously Easy Setup but it wasn’t what it came with and the manual on the same site showed many more features. I didn’t get it until I found the F300 router http://www.tendacn.com/en/product/download/F300.html#Firmware well it looks the same, the manual looks very similar to the F3 and I have a serial port to recover from a bad flash! Download the image, point the device at it and… upgrade! No complaining of wrong versions, no warning or blocking, just upgrade and double the feature set! I realised the device had has two SSID’s set as soon as I looked in the new web interface, and all the keys were still there from before the flash failed, despite all my attempts to reset them!
Connections to Serial cable (Pin 1 RHS)
Location of serial cable on board
My serial port adapter should be pretty standard but for info:
- Ground – Black
- CTS – Black/Brown
- VCC – Red
- TXD – Orange
- RXD – Yellow
- RTS – Green
So for me the moral is, take time, read up, ask a friend but persevere. For a 30 Euro router, the F3/F300 can be a very thing, just don’t expect it to be easy to clear your settings.
I’m off to do more reading on Open-WRT for it.
Update: Much more Tenda firmware now here https://www.tendacn.com/en/service/download-cata-11.html and version numbers and dates seem to suggest a fundamental change in firmware which may explain the function reductions.