Every now and then I come across some interesting devices, one of which was the Cisco Air-OEAP602 “Access Point”. This little guy has an impressive spec sheet with a BCM4718A1 CPU running at 480Mhz, 16MB of flash, and 64MB of RAM but sadly the stock firmware lacks many standard features. Obviously as an enterprise offering it has unique things such as OfficeExtend, but what good are they if they are closed source? Time to hack this thing!
After getting this device my end goal was to get OpenWRT/AdvancedTomato running on it, but before we get to that let’s go over the hardware and stock firmware first.
Air-OEAP602 Teardown & Stock Firmware Root
The device itself isn’t very pretty, but the teardown proved to be quite beneficial. For a complete copy of the teardown pics, I have an album up on Imgur.
The first thing noted is the fact this PCB is based on the exact same one put in the E3000, which means that getting another firmware on here shouldn’t be too bad as long as the CFE plays nice.
At this point I soldered up UART and added the JTAG pins and booted it up. For those interested, a copy of the stock bootlog is available Here. Sadly there was no console available over UART, but I noticed that the bootloader and UI both reported a “key” being set to “LOCK”. So from here, I moved onto JTAG to get a dump of the system.
As per the E3000, UART is hardware disabled out of the box until you solder some traces under the top switch RF cover. More info on that process can be found on DD-WRT’s Forum. On my device I just bridged the traces and it worked fine. Once that was done, I created a OpenOCD board profile using the partition info provided from the stock kernel’s bootlog. Once that was done, I was able to get a dump of each partition using OpenOCD’s firmware-recovery tcl script.
The first thing I did was look at the key partition in a hex editor and I noticed that the only thing held on this partition was a string with the word “lock” spelled backwards.
At this point I decided to dump the system partition and then use binwalk to see what it was. Sure enough, the rootfs is just a basic squashfs system image so I extracted it and started to dig into it. It seems that Cisco replaced the standard rc binary with a custom loader to run through its services, so I decided to pull it up in IDA Pro reference to the string ”lock’.
From here I was able to find out that if a key of “45 4e 47 31” is set, it would then put the device in INIT mode which would then start a root shell over UART! So, I created a new bin, wrote “45 4e 47 31” in backwards (which spells out ENG1) and then flashed it to the key partition. A copy of the key.bin I flashed can be downloaded Here. Once that was done and a power reset was applied, I was greeted with a root terminal. Harah! I then also dug around to figure out all key states, and came up with this little table.
- LOCKED – Stock Mode
- key string: kcol
- key hex: 6b636f6c
- reported key: 0x6c6f636b
- CLEAR – After a NVRAM reset
- key string: 1GFM
- key hex: 31474e45
- reported key: 0x454e4731
- INIT – Allows root shell
- key string: 1GNE
- key hex: 31474e45
- reported key: 0x454e4731
Flashing OpenWRT to the Air-OEAP602
Now for the fun part, getting OpenWRT running on this device. Now that we have a full NAND dump and working JTAG, I decided to move on with experimenting with the device. As the board is almost 100% identical to the E3000 I decided I had nothing to lose by trying to flash the E3000 CFE to the board as I had a backup of the stock one anyways. For those who don’t know what a CFE is, it’s the bootloader used on most Broadcom devices.
For reference, a copy of the Stock CFE can be downloaded Here and a copy of a E3000 CFE can be downloaded Here.
From here you just follow the E3000 conversion guide on DD-WRT to make sure your devices MAC address is properly added to the new bootloader. Once it is added, go ahead and flash the CFE. Once mine was done flashing, I also erased all partitions except the CFE and NVRAM (you can do this by just writing 0’s). Once that was done, I then reset the device and was greeted with the E3000 bootloader running on the device! From here, I use UART to put the CFE into tftp mode where I flashed a copy of OpenWRT, and after a few minutes I was able to access the web interface.
I then tested everything (WiFi, ethernet, LED’s, etc) and verified that everything is working properly. As a bonus, the Air-OEAP602 has 2x the flash space as the E3000 which is quite nice. I can also confirm that this device will also run AdvancedTomato and DD-WRT.
Hi just wondering if you still have the cfe files and links dont work. Also any tips on the bare min to convert one of these out of the box. Brought 3 of them only to realise they useless withoyut the CISCO WLC so looking to convert them. First time hacking hardware at this level and althoguh have 3 dont wont to brick them or do unessary soldering and decapping if not needed.
I verified all files linked in this post still work. Can you try right clicking the link, and opening it in a new tab? That should get it to download.
As for bare minimum to convert, you will have to solder up the JTAG lines as mentioned in the dd-wrt conversion post at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=137565. That is probably the hardest part of the entire conversion. Once that’s done, then JTAG should work as expected.