Hacking the Dick Smith XH8287 access point
A member of the project recently purchased an XH8287 access point from Dick Smith Electronics. It had previously been returned by a clueless customer on the basis that it didn’t work, was found not to be faulty, and so was purchased at a substantial discount. I was tasked with preparing it as a MarlWiFi client and on closer inspection I noticed it appeared to closely resemble a Linksys WAP54G… And it runs Linux… Oh the possibilities!
Opening the case reveals a familiar looking PCB proudly showing off a Broadcom CPU. As I didn’t have a WAP54G handy, a quick Google search turned up a photo of the insides of one, which proved to be identical right down to the board revision number.
At this stage it appears the hardware was designed by Gemtek although I’ve yet to confirm this. The DSE model is actually a rebranded SparkLAN WX-6800II. By now you are probably wondering why the SparkLAN/DSE access point is capable of up to 125Mbps whilst the WAP54G isn’t. Well the truth is that this is simply a setting in the firmware that can be tweaked (details further down the page) to enable the ‘Afterburner’ mode even on the WAP54G. Note that this high speed setting is incompatible with the ‘Super-G’ 108Mbps mode used by Atheros based devices.
If you have already rushed off to try and upgrade your SparkLAN or DSE access point with Linksys or third-party firmware, you probably noticed it didn’t work as the AP reports it to be invalid. This is pretty easy to work around with some simple modifications, so read on.
Installing better firmware
Performing the steps below will void the warranty of your device, and could potentially damage it beyond repair. Please make sure you know what you are doing before attempting any of these steps. If you do not feel confident about performing these steps I strongly recommend you leave your access point alone! I will not be held responsible for any damage to your equipment.
The first step is to pull the access point apart. Remove the screw under the case and poke a small flat screwdriver gently into the clips above the jacks on the rear panel while carefully prying the halves apart. The sides of the case clip together firmly, so these will need to be carefully separated with the help of a small flat screwdriver or a blunt knife.
On the PCB there should be two unpopulated sets of solder pads where header connectors would normally reside. Find the one labelled ‘J5’; this is actually a serial console port. Handy eh?
You will need to put together a TTL-CMOS to RS232 converter in order to connect this to your PC. While there are plenty of such devices available on the internet, I built a simple circuit on a breadboard using a readily available Maxim MAX232 chip, as this is a lot cheaper. The MAX232 seems to operate quite happily at 3.3 volts (providing a ±5V output), and this can be supplied from J5 pins 2 or 4. DSE sell an equivalent to the MAX232 under catalogue number Z5369. There are also many other suitable chips available.
| Chip | Capacitor Value |
|---|---|
| MAX232 | 1uF |
| MAX232A | 100nF |
| MAX233 | N/A |

Solder some wires to the respective pads on the PCB and connect them to your circuit. I soldered a header to the PCB (DSE P2728) and connected the circuit via a 10-pin header plug (DSE P2755) for quick connection and removal. Power up the AP and check that it seems to work OK before connecting to the serial port on your PC.
Fire up HyperTerminal or your favourite serial terminal and connect at 115200 baud, 8-N-1. Disable flow control if asked.
Press Enter to bring up a standard Linux console. Have a quick play if you so desire.
Enter the following commands to disable firmware header checking:
# nvram set chk_fw_hdr=Disabled
# nvram commit
You should now be able to upload a new firmware file via the access point’s standard web interface.
Advanced users might like to try the following method instead…
Power down the AP, then hold down Ctrl-C in the terminal while powering it back on. This will interrupt the boot sequence and prevent Linux from booting. You should now be at the CFE prompt. From here you can upgrade the main flash image with an image of your choice from a TFTP server.
If you use Windows and need a TFTP server, try downloading Solarwinds’ free TFTP server.
If you haven’t already done so above, disable firmware header checking as below. This is required because the header check overrides the -noheader switch in the flash command.
CFE> nvram set chk_fw_hdr=Disabled
CFE> nvram commit
Now it’s time to load the firmware image (where 1.2.3.4 is the IP of your TFTP server and foo.trx is the filename of your firmware image).
CFE> flash -noheader 1.2.3.4:/foo.trx flash1.trx
Wait for this to finish and reboot. If all goes well you are done and can start using your revitalised AP. If your AP does not boot, go back into the CFE and try flashing a different image.
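With header checking disabled the AP will happily write whatever it is given, so it is worth confirming on the PC that the file is a well-formed TRX image before pointing the flash command at it; a truncated download is an easy way to end up at the JTAG step. The following is an added example and not code from this page or from any firmware project; it assumes the standard Broadcom TRX v1 layout (magic "HDR0", total length, CRC-32 over everything after the CRC field, a flag/version word and three partition offsets) and builds a small constructed image purely to exercise the check.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"            # stored little-endian as 0x30524448
TRX_HEADER_FMT = "<4sIII3I"    # magic, len, crc32, flag_version, offsets[3]
TRX_HEADER_LEN = struct.calcsize(TRX_HEADER_FMT)   # 28 bytes for a v1 header


def trx_crc32(data):
    # TRX uses CRC-32 with the usual 0xFFFFFFFF seed but skips the final
    # inversion, so the value is the bitwise complement of zlib's result.
    return zlib.crc32(data) ^ 0xFFFFFFFF


def build_trx(parts, version=1):
    """Wrap raw partition blobs (loader, kernel, rootfs...) in a v1 TRX header.
    Only used here to construct a sample image for the checker below."""
    body = b"".join(parts)
    offsets, pos = [], TRX_HEADER_LEN
    for part in parts:
        offsets.append(pos)
        pos += len(part)
    offsets += [0] * (3 - len(offsets))          # unused slots are zero
    total = TRX_HEADER_LEN + len(body)
    flag_version = version << 16                 # high half: version, low half: flags
    tail = struct.pack("<I3I", flag_version, *offsets) + body
    return struct.pack("<4sII", TRX_MAGIC, total, trx_crc32(tail)) + tail


def check_trx(image):
    """Return (ok, reason). Verifies magic, declared length, CRC and offsets."""
    if len(image) < TRX_HEADER_LEN:
        return False, "file shorter than a TRX header"
    magic, length, crc, flag_version, o0, o1, o2 = struct.unpack_from(TRX_HEADER_FMT, image)
    if magic != TRX_MAGIC:
        # Vendor .bin files often carry an extra header in front of the TRX data.
        return False, "no TRX magic at offset 0 (vendor header present or not a TRX image)"
    if length > len(image):
        return False, "declared length %d exceeds file size %d (truncated?)" % (length, len(image))
    if crc != trx_crc32(image[12:length]):
        return False, "CRC mismatch (corrupt or modified image)"
    for off in (o0, o1, o2):
        if off and not TRX_HEADER_LEN <= off < length:
            return False, "partition offset %d lies outside the image" % off
    return True, "valid TRX v%d, %d bytes" % (flag_version >> 16, length)


if __name__ == "__main__":
    # Constructed sample: three dummy partitions, then a deliberately truncated copy.
    sample = build_trx([b"\x00" * 16, b"kernel" * 8, b"rootfs" * 4])
    print(check_trx(sample))
    print(check_trx(sample[:-1]))
```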
If you somehow manage to turn your AP into a brick and it simply won’t respond at all, don’t toss it away just yet! You can build a JTAG adapter and flash it manually via this to hopefully jumpstart it back to life. More details to come soon.
Tested firmware
Here is a list of different firmware images I have tested and found to work on this access point:
- DD-WRT Micro v2.3 generic (Recommended)
- HyperWAP 1.0
- Linksys WAP54G v2.08 EU and v3.04 US
- Sveasoft Freya v2.6
This entry was posted on Tuesday, September 12th, 2006 at 22:01 NZST and is filed under Projects & Experiments. It has been viewed 8757 times. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.