Inside a cheap WiFi repeater/access point

This router was very cheap - less than £10 shipped from eBay in the UK. It works, but I've not done a long test of it, and don't really trust it from a security perspective.
But it's amazing how mass-produced items like this have become.

https://youtu.be/pAeEjylUz0k

Comments

It will depend on your location. Try a search for WiFi repeater and see what comes up locally.

Big Clive

got an ebay link for these?

Eric Latour

The 4-pin port is for UART communications with the main chip. It usually prints the boot logs and (in the case of U-Boot) lets you communicate interactively with the bootloader (possibly even letting you re-flash the firmware to some extent). You can communicate with it using the standard FT232 boards that are used for flashing Arduino Pro Minis. - https://docs.u-boot.org/en/latest/usage/index.html#shell-commands - https://openwrt.org/docs/guide-user/troubleshooting/generic.debrick#serial

Tomáš

Thanks for this, Clive! It would be great to see more videos on embedded computers or more elaborate digital electronics.

Tomáš

Definitely a UART console: https://ibb.co/kgxGZxTF I've also dumped the memory chip, but it looks like a standard OpenWRT/LEDE installation. Will poke around for anything suspicious in there, but I think it's safe or easily overwritable with a later version.

JT

Cheap and easy to power from a car or battery pack, set SSID to your favorite area law enforcement type name (DEA_VAN, ICE_ROUNDUP, etc.) and spook the locals wherever you drive or drop it off.

Bill Kerr

Just discrete components on the back, but a look at the pinout of the QCA9531 chip suggests it has the facility for two transmitting and two receiving antennas.

Big Clive

Shaving off the magnetics and replacing them with resistors is cutting corners; it works for 100TX over very short distances, if both sides aren't doing that. Common trick in 2 USD USB-Ethernet adaptors.

adorfer

You are right, it is an 8MB Flash chip. I was getting the chip size wrong; it is large enough even for a current standard OpenWRT.

Kai-Steffen Hielscher

Since the RAM is 64MB and the flash is 8MB (instead of 4MB on the TP-Link devices), it's rather generous and you could even install OpenWrt 2023 on it, so you are not limited to the ar71xx-tiny target, which was EOLed in OpenWrt 2019.

adorfer

QCA9533-AL3A and 4 antennas is quite a rare sight. Normally this legacy chip is running 2 antennas. Could not find a single router with 4 antennas. Might there be a second WiFi chip (QCA or other) on the backside of the PCB? A setup "one QCA for the client/downlink + one QCA for the host/uplink radio"? Would be unusable. But since this chip is new old stock anyway (2018/39?), desperate measures might have been taken.... Look at those other 36 devices listed as using QCA "honey-bee 2nd-gen, aka QCA9533": https://wikidevi.wi-cat.ru/Qualcomm_Atheros

adorfer

Yes, see, e.g., TI Ethernet PHY PCB layout: "No metal should be under the magnetics on any layer." in https://www.ti.com/lit/pdf/snla387

Kai-Steffen Hielscher

There's a big copper gap under it that smells like isolation barrier.

Mike Page

Depending on what you want to do, you could also start with a larger (blank) Flash chip and your own (modified) version of U-Boot when you just want to get OpenWRT running, e.g., https://github.com/pepe2k/u-boot_mod. Not sure if such an old U-Boot version is the best choice, but it is an easy starting point, and the docs on the GitHub page also help to get started.

Kai-Steffen Hielscher

That TP-Link router also happens to be the target of choice in a few IoT hacking courses, as the key to decrypt the firmware package can be pulled out of the boot loader bin file in Ghidra. Since this one uses the same chip, you could probably do the same; I would imagine they are using the same boot loader. That all presupposes that the firmware is even encrypted on this model; if not, then that wouldn't even be necessary.

Fëanor Evanstar

The QCA9533-AL3A is also used in the TP-Link TL-WR841ND v.9. There is a port of OpenWRT for the TL-WR841ND v.9, and this repeater seems to have enough RAM to run OpenWRT, but the Flash is a bit small for a full installation. So, if you have time and about 7 USD, it might be a fun device for some experiments. But you might need to desolder the Flash memory and replace it by a larger model for running OpenWRT.

Kai-Steffen Hielscher

My suspicion is that the unpopulated header (J7) is a UART debugging connection. It was likely removed to help lower the BOM cost more than for security reasons, so there's a decent chance that it wasn't disabled at the firmware level. In a classic design that memory chip would hold the router firmware, but it would depend on the main chipset being used. Just looking at the Qualcomm chip, it doesn't appear to be a SoC, so it probably doesn't have internal flash to store the firmware. Without either the data sheet or decapping I couldn't say for sure. Given the cost of the unit, I would doubt that a secure software development process was followed, so it's possible that the function names and/or debug symbols weren't stripped when the firmware was compiled. I would start by soldering some header pins on J6 to see if those traces are still live. You could also use a clip adapter to attach directly to the flash chip and dump its contents with a programmer like the CH341A or a J-Link if you have the money. It's also possible that the network credentials you give it are being stored in plain text.

Fëanor Evanstar
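Once a dump of the SPI flash is on disk (via a clip and a CH341A, as the comment above suggests), the first questions are "what is in here?" and "are the Wi-Fi credentials sitting in plain text?". The script below is an added example, not code from the thread or from any of the commenters: it walks a dump for the U-Boot banner, legacy uImage headers and squashfs superblocks, decodes the uImage header fields, and greps for UCI `option key`/`option password` lines as OpenWrt writes them to `/etc/config/wireless`. The 256 KiB image it scans is constructed inline (offsets, kernel name and passphrase are made up); point `triage()` at a real `flashrom`/`binwalk` dump instead.

```python
"""Triage a raw SPI-flash dump: locate bootloader, kernel and rootfs,
and flag Wi-Fi credentials stored as plaintext UCI options.
The sample dump built in build_sample_dump() is constructed, not a real image."""
import re
import struct

UIMAGE_MAGIC = b"\x27\x05\x19\x56"    # U-Boot legacy image header magic (image.h)
SQUASHFS_MAGIC = b"hsqs"              # little-endian squashfs superblock
UBOOT_BANNER = re.compile(rb"U-Boot [0-9][0-9.]*")
# OpenWrt UCI lines from /etc/config/wireless; a hit means the PSK is not hashed.
UCI_SECRET = re.compile(rb"option\s+(key|password|passwd)\s+'([^']*)'")
# Subset of the uImage architecture codes from U-Boot's image.h
UIMAGE_ARCH = {2: "ARM", 3: "x86", 5: "MIPS", 22: "ARM64"}


def find_signatures(dump: bytes) -> list:
    """Return (offset, label) pairs for every known signature, sorted by offset."""
    hits = [(m.start(), "U-Boot banner " + m.group().decode())
            for m in UBOOT_BANNER.finditer(dump)]
    for magic, label in ((UIMAGE_MAGIC, "uImage header"),
                         (SQUASHFS_MAGIC, "squashfs superblock")):
        off = dump.find(magic)
        while off != -1:
            hits.append((off, label))
            off = dump.find(magic, off + 1)
    return sorted(hits)


def parse_uimage(dump: bytes, off: int) -> dict:
    """Decode the 64-byte legacy uImage header found at `off`."""
    fields = struct.unpack_from(">IIIIIIIBBBB32s", dump, off)
    magic, _hcrc, _ts, size, load, entry, _dcrc, _os, arch, _typ, _comp, name = fields
    if magic != 0x27051956:
        raise ValueError("no uImage magic at 0x%x" % off)
    return {"size": size, "load": load, "entry": entry,
            "arch": UIMAGE_ARCH.get(arch, arch),
            "name": name.rstrip(b"\0").decode(errors="replace")}


def find_plaintext_secrets(dump: bytes) -> list:
    """UCI options whose value is a credential stored in the clear."""
    return [(k.decode(), v.decode(errors="replace")) for k, v in UCI_SECRET.findall(dump)]


def triage(dump: bytes) -> dict:
    sigs = find_signatures(dump)
    kernels = [parse_uimage(dump, off) for off, label in sigs if label == "uImage header"]
    return {"signatures": sigs, "kernels": kernels, "secrets": find_plaintext_secrets(dump)}


def build_sample_dump() -> bytes:
    """Constructed 256 KiB image laid out like a small ath79 board (assumed offsets)."""
    img = bytearray(b"\xff" * 0x40000)
    banner = b"U-Boot 1.1.4 (sample build)"
    img[0x100:0x100 + len(banner)] = banner
    hdr = struct.pack(">IIIIIIIBBBB32s", 0x27051956, 0, 0, 0x12345,
                      0x80060000, 0x80060000, 0, 5, 5, 2, 3, b"MIPS OpenWrt Linux-5.10")
    img[0x20000:0x20000 + 64] = hdr
    img[0x30000:0x30004] = SQUASHFS_MAGIC
    uci = (b"config wifi-iface\n\toption ssid 'HomeNet'\n"
           b"\toption encryption 'psk2'\n\toption key 'correct horse battery'\n")
    img[0x38000:0x38000 + len(uci)] = uci
    return bytes(img)


if __name__ == "__main__":
    report = triage(build_sample_dump())
    for off, label in report["signatures"]:
        print("0x%06x  %s" % (off, label))
    for k in report["kernels"]:
        print("kernel: %(name)s arch=%(arch)s size=0x%(size)x load=0x%(load)x" % k)
    for name, value in report["secrets"]:
        print("plaintext credential: option %s = %r" % (name, value))
```

On a real dump, a uImage header whose `size` does not match the gap to the next squashfs superblock, or a banner that is not at offset 0 of the u-boot partition, is a sign the layout is not what the OpenWrt target expects, which matters before attempting the re-flash the other comments describe.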

Maybe it's for a PoE transformer? Stepdown a 48v PoE to 5v?

Kieran Kennedy

OMP, while I change my SSID to ChunkyMonkey

Kieran Kennedy

Yeah, I was going to suggest the same. What is probably happening on the other side is that they have the tracks going from the transformer to the Ethernet connector and, as the transformer is not installed, they are probably bypassing it using a couple of capacitors.

elias

I bought a similar one last year for extending to my shed, but couldn't get it to work in WiFi mode - probably for the same reason you couldn't at first - however, I just connected it in AP mode, and now it works fine, even going through the foil insulation covering the inside of my shed. So pleasantly surprised at its performance for 12 quid.

Mike Hughes

The unpopulated "chip" footprint T1 looks like it is intended for Ethernet magnetics. The component designator "T1" could mean "transformer". But I am not sure if the track layout supports this guess. The usual pinout would connect pins 9 to 16 to the RJ45 port. I cannot see what is happening on this side of the supposed transformer.

Kai-Steffen Hielscher
