Archive for September, 2020


A quick update on my AC810 adventures.

I’ve decided against zRAM – that would require a kernel rebuild and this device has no recovery mode.
Even though “free” showed only a few MB free (max I saw was like 20 MB, usually it shows 5-6 MB), I’ve never run out of memory when running any software on the device.

Installed some additional software on the device, all built from source, including dependencies:
TUN driver, bash shell, latest hostapd, latest OpenSSL, nano editor and OpenVPN.
I didn’t overwrite any stock binaries just to be safe and instead used a simple wrapper script (which uses LD_LIBRARY_PATH) to run newly installed software.
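A wrapper of the kind described above, as an added example (not the author's script). The `/opt/local` prefix, its `bin/` and `lib/` layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. PREFIX and its bin/ and lib/
# layout are assumptions; point it at wherever the new builds were installed.
PREFIX="${PREFIX:-/opt/local}"

# A directory is "safe" if it exists and is not group- or world-writable.
# A root process loading libraries from a writable directory would run
# whatever gets dropped there.
dir_is_safe() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]
}

# run_private PROG [ARGS...]: run $PREFIX/bin/PROG against $PREFIX/lib.
run_private() {
    prog="${1:-}"
    [ "$#" -gt 0 ] && shift
    case "$prog" in
        ''|*/*) echo "program name must not be empty or contain '/'" >&2; return 127 ;;
    esac
    dir_is_safe "$PREFIX/lib" || { echo "unsafe or missing: $PREFIX/lib" >&2; return 126; }
    [ -x "$PREFIX/bin/$prog" ] || { echo "not installed: $prog" >&2; return 127; }
    # The assignment prefix scopes LD_LIBRARY_PATH to this one child, so
    # stock binaries started from the same shell keep the stock libraries.
    LD_LIBRARY_PATH="$PREFIX/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" \
        "$PREFIX/bin/$prog" "$@"
}
# Usage: run_private nano /tmp/notes.txt
```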

An interesting idea came to mind when building OpenVPN – what if I could just take one of the WiFi APs (this device has two, one for the 2.4 GHz band and one for the 5 GHz band) and bridge it to a TAP interface instead of routing to a tunnel? Devices connecting to the bridged WiFi would then connect directly to my home network instead of being routed through a tunnel.
A true home WiFi away from home experience without any setup required!
Since OpenVPN is CPU-bound, I’m not expecting to get full speed, but around 40 Mbps should be achievable with good 4G reception. More than enough for my needs (remote work and game streaming).

At first, I wanted to preserve dual-band WiFi and create a third SSID (the WiFi driver claims to support this) for the VPN bridge, but Qualcomm’s binary driver has a bug which causes WPA authentication responses from the client device to always be sent to the primary WiFi SSID instead of the secondary SSID, which causes authentication failures. The third SSID only works as open WiFi, which won’t do for me.
I have explored the possibility of using the ath10k open source driver from Driver Backports instead of the binary blob (this device seems to use an Atheros QCA6174 for WiFi) but again, I cannot install it without rebuilding the kernel, because cfg80211.ko is built into the kernel, which conflicts with Driver Backports.

So in the end, I had to dedicate one of the existing WiFi APs to the VPN bridge. I’ve decided to use the 5 GHz AP for the VPN bridge for now and leave the 2.4 GHz AP for normal WiFi use, but I’m not sure whether I will leave it that way.

UPDATE: OpenVPN was doing 24 Mbps max with the CPU maxed out and a lot of packet loss. Switching from OpenVPN to SoftEther increased speeds to over 40 Mbps (and zero packet loss). Maybe it can do even more, will need to test in a different location with better 4G reception.
SoftEther was a pain in the butt to cross-compile (it required manual editing of the Makefile) and get working though, and I also needed to use the preloadable_libiconv hack to get past the iconv() stuff, as libc on the modem did not have gconv enabled.

I’ve recently bought myself a Netgear AC810 mobile hotspot. It is a rather old model but it’s lightyears better than those cheap Huawei soapbar-style modems which our ISPs provide. Also, since 4G is not my main connection and is only used on-the-go, I didn’t want to invest in a higher-end model, like the Nighthawk M1 or M2.

Now, since I’m a computer geek, I wanted to take a look at what’s under the hood of that small black box with an LCD screen on it.
I know that this thing, like most 4G routers out there, runs some version of Linux. Now how do I access the shell?
After some research, I found that there’s an AT terminal running on port 5510. Since this modem uses a Qualcomm chipset, it is probably based on the same software as those Sierra Wireless modems. Fortunately, the unit I have had all advanced AT commands (which are usually locked by a password, which in the case of my model should be “whistler”) unlocked out of the box.
But AT!CUSTOM=? returned an error. So there is some lock present. Fortunately, a keygen is available to enable custom commands on Qualcomm/Sierra Wireless modems.
https://github.com/bkerler/SierraWirelessGen (use model MDM9x40)

With this keygen, I was able to unlock AT!CUSTOM commands (commands will again be locked after a reboot). On my particular unit, AT!CUSTOM="ADBENABLE",1 succeeded but did not actually enable ADB. But AT!CUSTOM="ENABLETELNET",1 did enable Telnet. I was able to get a password-less root shell on port 23. Bingo!

Now, for the specs:
SoC: Qualcomm MDM9640 (aka. Snapdragon X12), single core ARM Cortex-A7, 1.19 GHz
RAM: 160 MB
Storage: 512 MB, divided into multiple partitions, usable space is formatted as UBIFS. There’s a total of about 126 MB of usable free space available. Root is writable as are most other locations.
Kernel: Linux 3.10.49

The router’s interface is purely web-based. Even the LCD interface is done using a tiny DirectFB based web browser (WebKit based, judging from the logs) which simply loads a web page (http://127.0.0.1/lcd/index.html) during boot. This browser seems to have some kind of custom API accessible via JavaScript. I have not yet fully reverse-engineered it but I do plan to do so.

For compiling custom software, the Linaro v13.08 ARM toolchain should work; it has the same version of libc (eglibc 2.17) as that used on the router:
https://releases.linaro.org/archive/13.08/components/toolchain/binaries/
There are GPL sources provided, but compiling a GCC toolchain from scratch is a large amount of work and the result probably wouldn’t work any better than the Linaro toolchain.

I was pleasantly surprised that Netgear developers have enabled the option to include the kernel configuration in /proc/config.gz; this should help greatly when building new modules for the modem’s kernel. /proc/config.gz is a very rare sight on production devices. This modem is the first device I’ve ever seen to have /proc/config.gz enabled out of the box.
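One way to put /proc/config.gz to use before building a module, as an added example (not code from the device or from Netgear): it reports whether a kernel option is built in, a module, not set, or absent. The function names are hypothetical and the sample configuration is constructed, not the AC810's real one.

```shell
#!/bin/sh
# Added example. Reads a kernel config (gzip-compressed like
# /proc/config.gz, or a plain-text copy) and reports option states.
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# kconfig_state FILE OPTION -> builtin | module | unset | absent | value:<v>
# OPTION may be given with or without the CONFIG_ prefix.
kconfig_state() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    opt="CONFIG_${2#CONFIG_}"
    read_config "$1" | awk -v o="$opt" '
        $0 == o "=y"                     { s = "builtin" }
        $0 == o "=m"                     { s = "module" }
        $0 == "# " o " is not set"       { s = "unset" }
        s == "" && index($0, o "=") == 1 { s = "value:" substr($0, length(o) + 2) }
        END { print (s == "" ? "absent" : s) }'
}

# kconfig_report FILE OPTION... -> one "NAME state" line per option
kconfig_report() {
    cfg="$1"; shift
    for o in "$@"; do
        printf '%-14s %s\n' "${o#CONFIG_}" "$(kconfig_state "$cfg" "$o")"
    done
}

# Constructed sample for trying this offline (NOT the device's real config).
write_sample_config() {
    printf '%s\n' 'CONFIG_MODULES=y' 'CONFIG_CFG80211=y' \
        '# CONFIG_ZRAM is not set' 'CONFIG_BRIDGE=m' \
        'CONFIG_LOCALVERSION="-sample"' | gzip -c > "$1"
}
# Usage on the device: kconfig_report /proc/config.gz MODULES TUN ZRAM CFG80211
```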

What I’ve done so far:
* Customized dropbear SSH server, https://github.com/zcutlip/dropbear-hacks (replace MIPS compilers with ARM ones in the build script) which works without relying on getpwnam(). Now, I can add a password and stop relying on Telnet for shell access.

Ideas:
* zRAM module. The OS is extremely poorly optimized. With GUI and SSH running there’s only about 5 MB of RAM free!
* DnsCrypt for secure DNS lookups.
* OpenVPN client for VPN passthrough.
* Password lock for LCD UI

Will update.
