AirMobi iReceiver Preliminary Software Hacking

I recently discovered and purchased an inexpensive, unofficial WiFi-enabled AirPlay and DLNA audio receiver called the AirMobi iReceiver. I couldn’t find much information on the device, but for $12, I thought it was worth buying and trying.

It works reasonably well, but that’s not really why I bought it. I bought it with the intention of taking it apart and seeing what makes it tick. And now, having done that, I plan to hack it to run OpenWRT so I can secure it, customize it, and update the software.

It is based on a Ralink RT5305T WiFi SoC, which suggests to me that it is running Linux and probably has a serial console exposed via some test points on the motherboard. I only found a handful of candidates during my teardown. My guess was that the Tx and Rx lines were available on the unpopulated 4-pin header at the edge of the circuit board. From visual inspection I could tell that the second pin from the left was a ground pin. A little continuity probing with a multimeter suggested the first pin provided power, a fact confirmed when I checked its voltage after powering up the device.

I hooked a logic analyzer up to the other two pins to see which one toggled on and off at boot, but that was really overkill. I could have done just as well figuring out which one was pulled high when I powered up the device.

Once I had the pins worked out, I hooked up a TTL-level USB/serial converter to my laptop, connected the ground pins, and cross-connected the Tx and Rx pins between the adapter and the board. Once I powered everything up, my screen started to fill with garbage. I guessed that 115.2Kbps was too fast, and tried 57.6Kbps instead. Bingo!
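The logic-analyzer capture can also give the baud rate directly instead of by trial. The following is an added example, not part of the original post: it estimates the rate from edge timestamps and decodes 8N1 frames, going a little beyond the guess-and-retry step described above. The capture is constructed (the boot banner encoded at 57600 baud), and all function names are illustrative.

```python
import bisect
import math

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)


def encode_8n1(data, baud):
    """Build a constructed capture: (time_s, new_level) transitions on an idle-high line."""
    bit = 1.0 / baud
    edges, level, t = [], 1, 0.001
    for byte in data:
        frame = [0] + [(byte >> n) & 1 for n in range(8)] + [1]  # start, LSB first, stop
        for b in frame:
            if b != level:
                edges.append((t, b))
                level = b
            t += bit
        t += 3 * bit  # idle gap between bytes (arbitrary choice for the sample)
    return edges


def estimate_baud(edges):
    """The shortest gap between two transitions is one bit time; snap to a standard rate.

    Assumes the capture contains at least one isolated single-bit pulse.
    """
    shortest = min(b[0] - a[0] for a, b in zip(edges, edges[1:]))
    raw = 1.0 / shortest
    return min(STANDARD_BAUDS, key=lambda rate: abs(math.log(raw / rate)))


def decode_8n1(edges, baud):
    """Sample each frame mid-bit. Returns (decoded bytes, framing error count)."""
    times = [t for t, _ in edges]

    def level_at(t):
        i = bisect.bisect_right(times, t) - 1
        return edges[i][1] if i >= 0 else 1  # line idles high before the first edge

    bit = 1.0 / baud
    out, errors, i = bytearray(), 0, 0
    while i < len(edges):
        start, level = edges[i]
        if level != 0:  # only a falling edge can begin a start bit
            i += 1
            continue
        value = 0
        for n in range(8):
            value |= level_at(start + (1.5 + n) * bit) << n
        if level_at(start + 9.5 * bit) == 1:
            out.append(value)
        else:
            errors += 1  # stop bit sampled low: wrong baud rate or noise
        i = bisect.bisect_right(times, start + 9.5 * bit)
    return bytes(out), errors


# Constructed capture: the first characters of the boot banner sent at 57600 baud.
BANNER = b"U-Boot 1.1.3"
CAPTURE = encode_8n1(BANNER, 57600)

if __name__ == "__main__":
    baud = estimate_baud(CAPTURE)
    print("estimated baud:", baud)
    print("decoded at estimate:", decode_8n1(CAPTURE, baud))
    print("decoded at 115200:", decode_8n1(CAPTURE, 115200))
```

Decoding the same capture at 115200 yields wrong bytes and framing errors, which is the "garbage" a terminal shows at the wrong speed.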

After booting up, I hit return and was presented with a login prompt. I tried the password for the webui and was pleased to find that it worked. I poked around the filesystem, looking at various config files, the various files for the web UI, and checking what binaries were installed on the system.

One of them is a telnet daemon (implemented as part of busybox). So, I started it, connected to the WiFi, and was able to log in over the network.

From there, I gathered more information. I was disappointed that there wasn’t really anything like zip, or tar, or an ftp or ssh server that would make it easy to pull a bunch of files off at once, so I dumped the web UI files to the terminal one at a time and then saved them for further inspection.

Hidden test_ate.asp page

Once I did, I found hidden functions in the firmware update page for uploading the bootloader over the web UI. Exposing them required tweaking the page using web developer tools, which is kind of tedious. Then I hit the jackpot: I found an unlinked file called test_ate.asp. When loaded, it has a button to fire up the telnet daemon, making a command line available with just a WiFi connection, no serial console necessary. It also has an option to update the bootloader and a mysterious ATE function. This discovery made it easier to return and poke at the device at my leisure.

From what I learned in my poking and prodding, it appears to be based on the Ralink-provided SDK with some modifications. With any luck, the modifications will be minor, and it will be easy to load an OpenWRT firmware over the web UI.

Before I do that though, I’ll need to take special care since this device doesn’t have an ethernet port, and so recovering from non-working firmware will be more difficult.

A lot of details follow…

Boot Log

U-Boot 1.1.3 (Apr 23 2014 - 10:15:13)

Board: Ralink APSoC DRAM: 32 MB
reg_data: 0x400000 
reg_data: 0x404000 
relocate_code Pointer at: 81fb8000
spi_wait_nsec: 42 
spi device id: c2 20 17 c2 20 (2017c220)
find flash: MX25L6405D
raspi_read: from:30000 len:1000 
.*** Warning - bad CRC, using default environment

============================================ 
Ralink UBoot Version: 4.2.S.1
-------------------------------------------- 
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping 
DRAM_TYPE: SDRAM 
DRAM_SIZE: 256 Mbits
DRAM_WIDTH: 16 bits
DRAM_TOTAL_WIDTH: 16 bits
TOTAL_MEMORY_SIZE: 32 MBytes
Flash component: SPI Flash
Date:Apr 23 2014 Time:10:15:13
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384 

 ##### The CPU freq = 360 MHZ #### 
 estimate memory size =32 Mbytes

Please choose the operation: 
 1: Load system code to SDRAM via TFTP. 
 2: Load system code then write to Flash via TFTP. 
 3: Boot system code via Flash (default).
 4: Entr boot command line interface.
 7: Load Boot Loader code then write to Flash via Serial. 
 9: Load Boot Loader code then write to Flash via TFTP. 
 1  0 
raspi_read: from:30000 len:14 
.raspi_read: from:38000 len:14 
.
=================================================
nvram_org MAGIC:0x48534c46, nvram_bak MAGIC:0x48534c46
nvram_org LEN:0x17bc, nvram_bak LEN:0x17bc
nvram_org crc_ver_init:0x2012e, nvram_bak crc_ver_init:0x201eb
Check nvram validation:
nvram org Header Magic Number --> OK
nvram bak Header Magic Number --> OK

nvram_org: OK; nvram_bak: OK

nvram org has been modified, Copy nvram org to nvram bak

2-Copy NVRAM:
NVRAM ORG(0x30000) to NVRAM BAK(0x38000), size=0x17BC
raspi_read: from:30000 len:17bc 
.raspi_erase_mini: offs:38000 len:8000
........
raspi_write_mini: to:38000 len:17bc 
.
 
3: System Boot system code via Flash.
## Booting image at bc050000 ...
raspi_read: from:50000 len:40 
. Image Name: iReceiver-8.1
 Image Type: MIPS Linux Kernel Image (lzma compressed)
 Data Size: 3462568 Bytes = 3.3 MB
 Load Address: 80000000
 Entry Point: 80244000
raspi_read: from:50040 len:34d5a8 
..................................................... Verifying Checksum ... OK
 Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80244000) ...
## Giving linux memsize in MB, 32

Starting kernel ...


LINUX started...

 THIS IS ASIC
ra0: No such device
apcli0: No such device
vconfig: ioctl error for rem: Invalid argument
vconfig: ioctl error for rem: Invalid argument
apcli0: No such device
brctl: iface apcli0: No such device
ra0: No such device
rmmod: rt2860v2_ap: No such file or directory
killall: rt2860apd: no process killed
## [rc] set lan_if as 192.168.8.8/255.255.255.0
webs: Listening for HTTP requests at address 192.168.8.8
Password for 'admin' changed

c.cctairmobi login:

UBoot Options

U-Boot 1.1.3 (Apr 23 2014 - 10:15:13)

Board: Ralink APSoC DRAM: 32 MB
reg_data: 0x400000 
reg_data: 0x404000 
relocate_code Pointer at: 81fb8000
******************************
Software System Reset Occurred
******************************
spi_wait_nsec: 42 
spi device id: c2 20 17 c2 20 (2017c220)
find flash: MX25L6405D
raspi_read: from:30000 len:1000 
.*** Warning - bad CRC, using default environment

============================================ 
Ralink UBoot Version: 4.2.S.1
-------------------------------------------- 
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping 
DRAM_TYPE: SDRAM 
DRAM_SIZE: 256 Mbits
DRAM_WIDTH: 16 bits
DRAM_TOTAL_WIDTH: 16 bits
TOTAL_MEMORY_SIZE: 32 MBytes
Flash component: SPI Flash
Date:Apr 23 2014 Time:10:15:13
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384 

 ##### The CPU freq = 360 MHZ #### 
 estimate memory size =32 Mbytes

Please choose the operation: 
 1: Load system code to SDRAM via TFTP. 
 2: Load system code then write to Flash via TFTP. 
 3: Boot system code via Flash (default).
 4: Entr boot command line interface.
 7: Load Boot Loader code then write to Flash via Serial. 
 9: Load Boot Loader code then write to Flash via TFTP. 


You choosed 4

 0 
raspi_read: from:40028 len:6 
.
 
4: System Enter Boot Command Line Interface.

U-Boot 1.1.3 (Apr 23 2014 - 10:15:13)
RT5350 # ?

? - alias for 'help'
bootm - boot application image from memory
cp - memory copy
erase - erase SPI FLASH memory
go - start application at address 'addr'
help - print online help
loadb - load binary file over serial line (kermit mode)
md - memory display
mdio - Ralink PHY register R/W command !!
mm - memory modify (auto-incrementing)
nm - memory modify (constant address)
printenv- print environment variables
reset - Perform RESET of the CPU
rf - read/write rf register
saveenv - save environment variables to persistent storage
setenv - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version
RT5350 # printenv

bootcmd=tftp
bootdelay=2
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
ipaddr=10.10.10.123
serverip=10.10.10.3
stdin=serial
stdout=serial
stderr=serial

Environment size: 149/4092 bytes
RT5350 # version


U-Boot 1.1.3 (Apr 23 2014 - 10:15:13)
Please choose the operation: 
 1: Load system code to SDRAM via TFTP. 
 2: Load system code then write to Flash via TFTP. 
 3: Boot system code via Flash (default).
 4: Entr boot command line interface.
 7: Load Boot Loader code then write to Flash via Serial. 
 9: Load Boot Loader code then write to Flash via TFTP. 
 1 

You choosed 7

 0 
raspi_read: from:40028 len:6 
.

7: System Load Boot Loader then write to Flash via Serial. 
## Ready for binary (kermit) download to 0x80100000 at 57600 bps...

Commands in Path

[ fdisk mknod shairport
[[ free mnet sleep
androiddmr goahead mount snmp.sh
appd gpio mtd_write stats
ash grep nvram switch
ated halt ontime_pppoe.sh sync
audioplayer hostname ping sysinfo
basename hotplug_usb pmonitor tcpcheck
brctl i2scmd poweroff telnetd
busybox ifconfig printf test
cat init product tftp
chmod insmod ps time
chpasswd iwconfig pt_hotplug touch
chpasswd.sh iwpriv pwd tr
cksum kill rc udhcpc
cp killall rc_pppoe.sh udhcpd
cru login reboot umount
date ls reg uptime
dev_init.sh lsmod restoredefault vconfig
dnsmasq mDNSPublish rm wc
echo mDNSResponder rmmod wpspbc
erase mdev route write
expr mii_mgr sed
factory_real mkdir sh

Even More

Trying 192.168.8.8...
Connected to 192.168.8.8.
Escape character is '^]'.

c.cctairmobi login: admin
Password: 


BusyBox v1.12.1 (2014-07-11 16:55:17 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /proc/cpuinfo 
system type : Ralink SoC
processor : 0
cpu model : MIPS 24K V4.12
BogoMIPS : 239.61
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes
ASEs implemented : mips16 dsp
VCED exceptions : not available
VCEI exceptions : not available

# cat /proc/devices 
Character devices:
 1 mem
 2 pty
 3 ttyp
 4 ttyS
 5 /dev/tty
 5 /dev/console
 5 /dev/ptmx
 10 misc
 13 input
 90 mtd
128 ptm
136 pts
218 i2cM0
229 nvram
234 i2s0
252 gpio
253 rdm0

Block devices:
 1 ramdisk
 7 loop
 31 mtdblock

# cat /proc/modules 
rt2860v2_ap 832240 2 - Live 0xc011e000 (P)

# cat /proc/mtd 
dev: size erasesize name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "nvram"
mtd3: 00010000 00010000 "Factory"
mtd4: 007a0000 00010000 "Kernel"
mtd5: 00010000 00010000 "nvbak"

# cat /proc/partitions 
major minor #blocks name

 31 0 8192 mtdblock0
 31 1 192 mtdblock1
 31 2 64 mtdblock2
 31 3 64 mtdblock3
 31 4 7808 mtdblock4
 31 5 64 mtdblock5
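/proc/mtd lists sizes only, so a flash map has to be derived before planning a backup or a reflash. The following is an added example, not part of the original session: it builds the map under the assumption that the partitions are contiguous in listed order, then checks it against the flash offsets U-Boot printed in the boot log. Function names are illustrative.

```python
import re

# Copied from the `cat /proc/mtd` output on this page.
PROC_MTD = '''\
dev: size erasesize name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "nvram"
mtd3: 00010000 00010000 "Factory"
mtd4: 007a0000 00010000 "Kernel"
mtd5: 00010000 00010000 "nvbak"
'''

# Flash offsets taken from the raspi_read / raspi_write lines of the boot log.
BOOT_LOG_OFFSETS = {0x30000: "NVRAM ORG", 0x38000: "NVRAM BAK",
                    0x40028: "6-byte read (len:6)", 0x50000: "uImage header"}

UIMAGE_HEADER = 64          # the log reads len:40 (hex) at 0x50000 before the image data
KERNEL_DATA_SIZE = 3462568  # "Data Size" from the boot log


def parse_proc_mtd(text):
    """Return [(dev, size, erasesize, name)] from /proc/mtd text."""
    row = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"', re.I | re.M)
    return [(d, int(s, 16), int(e, 16), n) for d, s, e, n in row.findall(text)]


def build_layout(parts):
    """Return [(name, dev, start, size)].

    Assumption: a partition as large as all the others together aliases the
    whole chip, and the remaining ones are contiguous in listed order.
    """
    total = sum(size for _, size, _, _ in parts)
    layout, offset = [], 0
    for dev, size, erase, name in parts:
        if size * 2 == total:  # whole-flash alias such as "ALL"
            layout.append((name, dev, 0, size))
            continue
        if offset % erase or size % erase:
            raise ValueError(f"{name} is not erase-block aligned")
        layout.append((name, dev, offset, size))
        offset += size
    return layout


def locate(layout, flash_offset):
    """Name of the smallest partition containing flash_offset, or None."""
    hits = [p for p in layout if p[2] <= flash_offset < p[2] + p[3]]
    return min(hits, key=lambda p: p[3])[0] if hits else None


def kernel_headroom(layout):
    """Bytes left in the Kernel partition after the currently installed image."""
    size = next(p[3] for p in layout if p[0] == "Kernel")
    return size - (UIMAGE_HEADER + KERNEL_DATA_SIZE)


if __name__ == "__main__":
    layout = build_layout(parse_proc_mtd(PROC_MTD))
    for name, dev, start, size in layout:
        print(f"{dev:5} {name:11} 0x{start:06x}-0x{start + size:06x}")
    for off, what in BOOT_LOG_OFFSETS.items():
        print(f"0x{off:06x} ({what}) -> {locate(layout, off)}")
    print("kernel partition headroom:", kernel_headroom(layout), "bytes")
```

Under the contiguity assumption, the "NVRAM BAK" copy that U-Boot writes at 0x38000 falls inside the mtd2 "nvram" partition, while mtd5 "nvbak" sits at the very end of the flash.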

# cat /proc/filesystems 
nodev sysfs
nodev rootfs
nodev bdev
nodev proc
nodev sockfs
nodev pipefs
nodev futexfs
nodev tmpfs
nodev eventpollfs
nodev devpts
nodev ramfs
nodev autofs
nodev fuse
 fuseblk
nodev fusectl

# cat /proc/meminfo 
MemTotal: 29996 kB
MemFree: 10368 kB
Buffers: 0 kB
Cached: 11108 kB
SwapCached: 0 kB
Active: 6908 kB
Inactive: 5960 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 1788 kB
Mapped: 3072 kB
Slab: 4684 kB
SReclaimable: 1472 kB
SUnreclaim: 3212 kB
PageTables: 236 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 14996 kB
Committed_AS: 6060 kB
VmallocTotal: 1048404 kB
VmallocUsed: 1620 kB
VmallocChunk: 1046440 kB

# cat /proc/mounts 
rootfs / rootfs rw 0 0
proc /proc proc rw 0 0
none /var ramfs rw 0 0
none /etc ramfs rw 0 0
none /tmp ramfs rw 0 0
none /media ramfs rw 0 0
none /sys sysfs rw 0 0
none /dev/pts devpts rw 0 0
mdev /dev ramfs rw 0 0
devpts /dev/pts devpts rw 0 0

# mount -v
rootfs on / type rootfs (rw)
proc on /proc type proc (rw)
none on /var type ramfs (rw)
none on /etc type ramfs (rw)
none on /tmp type ramfs (rw)
none on /media type ramfs (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw)
mdev on /dev type ramfs (rw)
devpts on /dev/pts type devpts (rw)

# ps
 PID USER VSZ STAT COMMAND
 1 admin 2000 S /init 
 2 admin 0 SWN [ksoftirqd/0]
 3 admin 0 SW< [events/0]
 4 admin 0 SW< [khelper]
 5 admin 0 SW< [kthread]
 21 admin 0 SW< [kblockd/0]
 32 admin 0 SW< [kswapd0]
 33 admin 0 SW [pdflush]
 34 admin 0 SW [pdflush]
 35 admin 0 SW< [aio/0]
 595 admin 0 SW [mtdblockd]
 693 admin 0 SW [RtmpCmdQTask]
 694 admin 0 SW [RtmpWscTask]
 703 admin 1432 S udhcpd /tmp/udhcpd.conf 
 704 admin 1424 S udhcpc -i br0 -p /var/run/udhcpc-br0.pid -s /tmp/ldhc
 709 admin 1788 S appd 
 710 admin 1788 S appd 
 712 admin 2012 S goahead 
 717 admin 1824 S /sbin/wpspbc 
 721 admin 1788 S appd 
 722 admin 1788 S appd 
 723 admin 1788 S appd 
 738 admin 924 S dnsmasq 
 739 admin 2000 S /sbin/pmonitor 
 747 admin 3792 S androiddmr -f iReceiver_4E 
 748 admin 3792 S androiddmr -f iReceiver_4E 
 749 admin 3792 S androiddmr -f iReceiver_4E 
 750 admin 3792 S androiddmr -f iReceiver_4E 
 751 admin 3792 S androiddmr -f iReceiver_4E 
 753 admin 4828 S shairport 
 757 admin 3304 S mDNSResponder 
 758 admin 3304 S mDNSResponder 
 759 admin 3304 S mDNSResponder 
 760 admin 2556 S mDNSPublish C05E79FCEC4E@iReceiver_4E _raop._tcp 5293
 799 admin 1428 R telnetd 
 806 admin 1436 S -sh 
 1092 admin 1428 R ps 

# ifconfig 
apcli0 Link encap:Ethernet HWaddr C2:5E:79:FC:EC:4E 
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

br0 Link encap:Ethernet HWaddr C0:5E:79:FC:EC:4E 
 inet addr:192.168.8.8 Bcast:192.168.8.255 Mask:255.255.255.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:1240 errors:0 dropped:0 overruns:0 frame:0
 TX packets:786 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0 
 RX bytes:75564 (73.7 KiB) TX bytes:127860 (124.8 KiB)

eth2 Link encap:Ethernet HWaddr C0:5E:79:FC:EC:4E 
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:181 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:0 (0.0 B) TX bytes:72203 (70.5 KiB)
 Interrupt:3 

lo Link encap:Local Loopback 
 inet addr:127.0.0.1 Mask:255.0.0.0
 UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
 RX packets:11 errors:0 dropped:0 overruns:0 frame:0
 TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0 
 RX bytes:1114 (1.0 KiB) TX bytes:1114 (1.0 KiB)

ra0 Link encap:Ethernet HWaddr C0:5E:79:FC:EC:4E 
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:2113 errors:0 dropped:0 overruns:0 frame:0
 TX packets:664 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:150912 (147.3 KiB) TX bytes:61469 (60.0 KiB)
 Interrupt:4 

# iwconfig 
eth2 no wireless extensions.

lo no wireless extensions.

br0 no wireless extensions.

ra0 RTWIFI SoftAP ESSID:"AirMobi_FCEC4E" 
 Mode:Managed Channel=2 Access Point: C0:5E:79:FC:EC:4E 
 Bit Rate=150 Mb/s 
 
apcli0 RTWIFI SoftAP ESSID:"" 
 Mode:Managed Channel=2 Access Point: Not-Associated 
 Bit Rate:150 Mb/s 

# iwpriv 
eth2 no private ioctls.

lo no private ioctls.

br0 no private ioctls.

ra0 Available private ioctls :
 set (8BE2) : set 1536 char & get 0 
 show (8BF1) : set 1024 char & get 0 
 get_site_survey (8BED) : set 0 & get 1024 char 
 set_wsc_oob (8BF9) : set 1024 char & get 1024 char 
 get_mac_table (8BEF) : set 1024 char & get 1024 char 
 e2p (8BE7) : set 1024 char & get 1024 char 
 bbp (8BE3) : set 1024 char & get 1024 char 
 mac (8BE5) : set 1024 char & get 1024 char 
 rf (8BF3) : set 1024 char & get 1024 char 
 get_wsc_profile (8BF2) : set 1024 char & get 1024 char 
 get_ba_table (8BF6) : set 1024 char & get 1024 char 
 stat (8BE9) : set 1024 char & get 1024 char 

apcli0 Available private ioctls :
 set (8BE2) : set 1536 char & get 0 
 show (8BF1) : set 1024 char & get 0 
 get_site_survey (8BED) : set 0 & get 1024 char 
 set_wsc_oob (8BF9) : set 1024 char & get 1024 char 
 get_mac_table (8BEF) : set 1024 char & get 1024 char 
 e2p (8BE7) : set 1024 char & get 1024 char 
 bbp (8BE3) : set 1024 char & get 1024 char 
 mac (8BE5) : set 1024 char & get 1024 char 
 rf (8BF3) : set 1024 char & get 1024 char 
 get_wsc_profile (8BF2) : set 1024 char & get 1024 char 
 get_ba_table (8BF6) : set 1024 char & get 1024 char 
 stat (8BE9) : set 1024 char & get 1024 char 

# ls
media etc_ro etc mnt home bin var init
proc dev sbin usr lib sys tmp shares

# ls /*
/init

/var:
lock locks private lib log run tmp spool webcgi notify

/usr:
sbin lib bin codepages

/tmp:
var rc_notification audio_vol udhcpd.leases ldhclnt
harddisk rc_action_incomplete hosts udhcpd.conf iplay_status

/sys:
fs devices bus class firmware kernel module block

/shares:
var rc_notification audio_vol udhcpd.leases ldhclnt
harddisk rc_action_incomplete hosts udhcpd.conf iplay_status

/sbin:
chpasswd.sh udhcpc rc pt_hotplug insmod vconfig ifconfig
write halt restoredefault ontime_pppoe.sh hotplug_usb androiddmr wpspbc
reboot rc_pppoe.sh snmp.sh tcpcheck appd mDNSResponder init
mDNSPublish stats lsmod factory_real route dev_init.sh rmmod
erase poweroff pmonitor fdisk mdev mnet

/mnt:

/media:

/lib:
libresolv.so libm.so.0 libcrypt.so.0 libutil-0.9.28.so libnvram.so
ipsec libc.so libmad.so.0 libid3tag.so.0 ld-uClibc-0.9.28.so
libnsl-0.9.28.so ld-uClibc.so.0 libfaad.so.2 libz-1.2.3.so libpthread-0.9.28.so
libz.so.1 libid3tag.so libpthread.so.0 libpthread.so libcrypt-0.9.28.so
libm-0.9.28.so libogg.so.0 libdl.so libc.so.0 libshared.so
libresolv-0.9.28.so libssl.so.1.0.0 libz.so libresolv.so.0 libcrypto.so.1.0.0
libdl.so.0 libnsl.so libuClibc-0.9.28.so libdl-0.9.28.so libm.so
libutil.so libFLAC.so.8 libnsl.so.0 libid3tag-0.9.28.so libmDNSResponder.so.0
libutil.so.0 libhowl.so.0 modules libcrypt.so

/home:
software_version

/bin:
chmod date rm busybox ated mount i2scmd touch
sh grep ls dnsmasq sed reg audioplayer sleep
kill ash hostname sync goahead cat product iwconfig
mtd_write ping ps iwpriv echo mkdir mknod mii_mgr
login pwd cp gpio shairport umount switch

# ls /usr/bin
cksum wc uptime basename [ tr tftp
free [[ printf test time killall expr

# ls /usr/sbin
sysinfo cru udhcpd brctl nvram telnetd chpasswd

# ls /etc
mdev.conf igmpproxy.conf hosts group passwd
resolv.conf protocols Wireless passwd- TZ

#ls /etc_ro
motd devlog init.d functions.sh web ethertypes ppp inittab
Wireless cron protocols linuxigd version xml usb wlan

# ls /etc_ro/web/
cgi-bin status.asp css sys_backupload.asp images 
sys_recovery.asp index.asp sys_upload.asp js test_ate.asp
lan.asp wan_dhcp.asp lang web_reboot.asp login.asp 
wl_adv.asp mac_clone.asp wl_arpclient_list.asp password.asp 
wl_basic.asp quick_setup1.asp wl_hostset.asp
site_survey_apcli.asp wl_mac.asp site_survey_apcli_wizard.asp 
wl_secu.asp

# ls /etc_ro/web/cgi-bin/
ExportSettings.sh history.sh upload_settings.cgi upload.cgi
ftp_upgrade.cgi upload_bootloader.cgi History reboot.sh

# cat /etc_ro/inittab 
::sysinit:/etc_ro/init.d/rcS
ttyS1::respawn:/bin/sh

# cd init.d/
# ls
filesystem.rc  network.rc     usb.rc         rcS            sysinit.rc     daemon.rc      env.rc         wlan.rc        modules.d      sysctl.rc      README

# cat filesystem.rc 
#!/bin/sh

cd /
mount -a

mkdir -p /var/run
mkdir -p /var/webcgi
mount -t tmpfs -o size=4m tmpfs /var/webcgi
mkdir -p /var/spool/cron/crontabs
mkdir -p /etc/cron
mkdir -p /var/log

cp -f /etc_ro/ethertypes /etc/
cp -f /etc_ro/protocols /etc/#    

# cat network.rc 
#!/bin/sh

###Network Initializing Configuration

#test lib/modules/2.6.21.7/kernel/net/8021q/8021q.ko&&insmod -q 8021q# 

# cat rcS 
#!/bin/sh

. /etc_ro/functions.sh

#cat /etc_ro/motd
###set environment variable
source /etc_ro/init.d/env.rc

date -s "1971.01.01-00:00:00"

###mount filesystem
/etc_ro/init.d/filesystem.rc

if [ -x /etc_ro/init.d/mkdev.rc ]; then  
    /etc_ro/init.d/mkdev.rc
fi

###install usb driver
#if [ -x /etc_ro/init.d/usb.rc ]; then  
#    /etc_ro/init.d/usb.rc
#fi

load_modules /etc/init.d/modules.d/*

###install wlan driver
if [ -x /etc_ro/init.d/wlan.rc ]; then  
    /etc_ro/init.d/wlan.rc
fi

###config network
ifconfig lo 127.0.0.1 up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/all/force_igmp_version
echo 100 > /proc/sys/net/unix/max_dgram_qlen

if [ -x /etc_ro/init.d/network.rc ]; then
        /etc_ro/init.d/network.rc
fi

###init system settings
if [ -x /etc_ro/init.d/sysctl.rc ]; then
  /etc_ro/init.d/sysctl.rc
fi

###Others
if [ -x /etc_ro/init.d/private.rc ]; then
        /etc_ro/init.d/private.rc
fi

### system init
/etc_ro/init.d/sysinit.rc


###start daemon
/etc_ro/init.d/daemon.rc

# cat sysctl.rc 
#!/bin/sh

# reboot linux after kernel panic
echo "5" > /proc/sys/kernel/panic

# modify dst-cache setting
# echo "2048" > /proc/sys/net/ipv4/route/max_size
echo "512" > /proc/sys/net/ipv4/route/max_size
echo "180" > /proc/sys/net/ipv4/route/gc_thresh
echo "1" > /proc/sys/net/ipv4/route/gc_elasticity
echo "35" > /proc/sys/net/ipv4/route/gc_interval
echo "10" > /proc/sys/net/ipv4/route/gc_timeout

# merge openwrt
#echo "30" > /proc/sys/net/core/netdev_max_backlog

echo "2048" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo "5" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
echo "5" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
echo "90" > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream
echo "90" > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout

# cat sysinit.rc 
#!/bin/sh

###Network Initializing Configuration

### test cs conf
WebInit=`nvram_get 2860 WebInit`
if [ "$WebInit" = "" ]; then
        echo "reset default conf......"
        ralink_init clear 2860
        ralink_init renew 2860 /etc_ro/Wireless/RT2860AP/RT2860_default_vlan
fi

ralink_init make_wireless_config rt2860

rc init
# cat wlan.rc 
#!/bin/sh

test /lib/modules/2.6.21.7/kernel/drivers/net/wireless/rt2860v2_ap/rt2860v2_ap.ko&&insmod -q rt2860v2_ap# 

# cat README 
This directory includes some shell scripts for initializing TBS configution!

1. filesystem.rc,  this file is for mounting filesystems such as proc, var etc;
2. usb.rc,  this file is for installing usb driver and initializing USB configuration etc;
3. wlan.rc, this file is for installing wlan driver and initalizing WLAN configuration etc;
4. dsl.rc,  this file if for installing dsl(adsl/vdsl) driver and initializing DSL configuration etc;
5. network.rc, this file is for initializing network relatted configuration etc; 
6. daemon.rc,   this file if for starting daemon process;
7. env.rc,  this file is for initializing environment variables configuration;
8. private.rc, this file is for initializing other configuration relatted to special product;
9. rcS, this file will be called by /sbin/init process at the very beginning stage of system initialization, 
   and it will call other stript files described upon; 


Note: usb.rc, wlan.rc, dsl.rc, network.rc and private.rc, these files shoud not be modified in this directory, 
      and you should create the corresponding *.rc script files in '$(ROOTDIR)/product/$(PRODUCT_NAME)/init.d '
      directory, and in the "make rootfs" process, these scripts will be copied to 
      '$(ROOTDIR)/buile/romfs/rootfs/etc/init.d/ ' directory to cover the default scripts files;   

# cat daemon.rc 
#!/bin/sh

if [ -x /bin/nvram_daemon ]; then
  /bin/nvram_daemon &
fi

if [ -x /bin/goahead ]; then
  /bin/goahead &
fi

#for telnet debugging
#telnetd
#if [ -x /usr/sbin/telnetd ]; then
#  /usr/sbin/telnetd &
#fi

if [ -x /bin/ap_mgrd ]; then
  /bin/ap_mgrd &
fi

#if  [ -a /usr/bin/ELMon ]; then
#/usr/bin/ELMon &
#fi

#for crond
#if [ -x /usr/sbin/crond ]; then
#  /usr/sbin/crond &
#fi

# nvram show
WscEncrypType=1
ApCliDefaultKeyID=1
WscPinCode=
dwld_enabled=0
DhcpdStat=1
wan_unit=0
wan_route=
APSDCapable=0
SecurityMode=0
log_ipaddr=
BSSTxop=0;0;94;47
hw_ver=1.2
RADIUS_Server=
WdsEncrypType=NONE
wl_version=2.7.1.5
ftp_name=AirMobiFTP
AccessControlList0=
snmpd_rocommunity=public
HT_DisallowTKIP=1
AccessControlList1=
ftp_enabled=1
AccessControlList2=
AccessControlList3=
PreAuth=0
factory_LANIP=192.168.8.8
IEEE80211H=0
fw_disable=0
ftp_max_sessions=10
HT_AutoBA=1
SSID1_CHANGE=0
BssidNum=1
set_wan_stop=0
BGProtection=0
VLANName=
dlna_enable=1
wan_nat_x=0
dhcp_gateway=192.168.8.8
wan_pppoe_srvname=
HT_TxStream=2
restore_defaults=0
ApCliKey3Type=1
IEEE8021X=0
Key3Str1=
wan_lease=86400
WdsList=
RxAntenna=
RADIUS_Port=1812
staWirelessMode=0
http_wanport=
wan_dhcp_secondary_dns=
AckPolicy=0;0;0;0
WscUseUFD=0
lan_gateway=192.168.8.8
HT_40MHZ_INTOLERANT=0
wan_stb=0
lan_domain=com
timer_interval=3600
snmpd_rwcommunity=private
wan_pppoe_gateway=0.0.0.0
ipaddr_ap_mode=
forward_port0=
Key4Type=0
wan_pppoe_mru=1492
upnp_enabled=1
lan_route=
wan_pppoe_primary_dns=
ApCliKey1Type=1
wan_gateway=0.0.0.0
dhcp_start=192.168.8.100
ftp_remove=1
Key1Str1=
BSSCwmin=4;4;3;2
RekeyInterval=3600
alg_l2tp_enable=1
dhcp_end=192.168.8.200
manage_passwd=YWRtaW4
sw_mode_ex=6
manage_username=admin
dhcp_lease=86400
dhcp_netmask=255.255.255.0
NoForwardingBTNBSSID=0
snmpd_trapsink=192.168.0.100
is_default=1
BasicRate=15
wan_nat=1
stats_server=
ftp_read=1
Key2Type=0
lan_netmask=255.255.255.0
BeaconPeriod=100
RTSThreshold=2347
http_username=admin
wan_dnsenable=1
APACM=0;0;0;0
WscConfStatus=2
HT_EXTCHA=0
ip_ctl_en=0
sw_ver=iReceiver-8.1.3751
os_date=Jul 11 2014
wan_pppoe_netmask=0.0.0.0
HT_PROTECT=1
wl_hwaddr_ex=c05e79fcec4e
HT_HTC=1
http_lanport=80
BSSCwmax=10;10;4;3
HT_STBC=0
res_SSID1=AirMobi_FCEC4E
g_isenrollee=0
nvram_version=1
wan_hwname=
wan_domain=
wan_pppoe_secondary_dns=
DefaultKeyID=1
lan_lease=86400
wan_netmask=0.0.0.0
IgmpSnEnable=1
HT_BW=1
session_timeout_interval=0
ftp_upload=1
g_wsc_configured=1
NVRAMMAGIC=
filter_client0=
alg_sip_enable=0
filter_maclist=
ApCliSsid=test; /sbin/ping 192.168.8.100
ApCliEncrypType=NONE
TxRate=0
TxPreamble=0
AutoChannelSelect=2
mtu_enable=1
WscVendorPinCode=80919094
http_passwd=YWRtaW4=
HSCounter=0
alg_h323_enable=1
lan_stp=1
nat_type=sym
SSID1=AirMobi_FCEC4E
HT_AMSDU=1
SSID2=AirMobi_FCEC4E_2
HT_BADecline=0
SSID3=AirMobi_FCEC4E_3
SSID4=AirMobi_FCEC4E_4
WscNewKey=scaptest
RADIUS_Acct_Port=1813
CountryRegion=0
lan_dhcp=0
wan_dhcp_flag_mode=0
snmpd_syslocation=www.autelan.com
wan_route_x=IP_Bridged
dhcpd_enable=1
lan_hwaddr=C0:5E:79:FC:EC:4E
wan_dns=
telnetd=0
alg_pptp_enable=1
wan_set=1
HETbutton_0=0
HETbutton_1=0
wl_mode_ex=ap
wan_pppoe_mtu=1492
HETbutton_2=0
HETbutton_3=0
ssidnumber=1
dhcp_wins=wan
sw_mode_old=6
os_server=
BSSAifsn=3;7;2;2
CountryCode=US
wan_proto=dhcp
wan_pppoe_netsniper=0
WscKeyMGMT=WPA-EAP
strict_dlna=1
wan_dhcp_domain=
factory_SSID1=AirMobi_FCEC4E
Hiddenssid=0
SynSsid=1
time_zone_x=GMT-08
wl_hwaddr=C0:5E:79:FC:EC:4E
HT_BAWinSize=64
enable_tivo=1
ApCliChannel=0
wan_pppoe_idletime=60
NoForwarding=0
productid=iReceiver_4E
wan_static_primary_dns=
ftp_write=1
usb_dev_state=
logincheck=1
WscActionIndex=9
snmpd_sysname=router
log_level=0
Channel=0
M2UEnabled=0
res_WPAPSK1=0123456789
wan_hwaddr=C0:5E:79:FC:EC:4E
WscConfigured=1
HT_MIMOPS=3
cpe_version=V3
lan_ifnames=
VLANEnable=0
snmpd_enable=0
wireless_perform_func=4
RekeyMethod=DISABLE
PMKCachePeriod=10
Language=English
lan_hostname=c.cctairmobi
wan_dhcp_gateway=0.0.0.0
wan_secondary_dns=
SetDefaultPinCode=1
AuthMode=OPEN
res_EncrypType=NONE
apcli0_hwaddr=
user_language=1
wan_ifnames=
ApCliKey4Type=1
ApCliKey4Str=
HideSSID=0
Key4Str1=
os_name=
lan_ipaddr=192.168.8.8
lan_proto=1
dlna_mini_port=8200
WPAPSK1=0123456789
NintendoCapable=0
wan_static_secondary_dns=
misc_conntrack_x=
dmz_ipaddr=
ApCliKey2Type=1
wan_dhcp_netmask=0.0.0.0
TxAntenna=
auto_language=1
RDRegion=FCC
Key2Str1=
ApCliBssid=
wan_dnsmanual=0
ShortSlot=0
ApCliKey3Str=
ssidenable1=1
ssidenable2=1
ftp_rename=1
ssidenable3=1
ssidenable4=1
ssidenable5=1
ssidenable6=1
lan_ifname=br0
wan_dhcp_mtu=1500
wan_primary=0
HT_MpduDensity=5
ssidenable7=1
wan_static_gateway=0.0.0.0
WscSSID=default
PktAggregate=1
Key3Type=0
WdsKey=
ftp_download=1
APCwmin=4;4;3;2
alg_ipsec_enable=1
CarrierDetect=0
ezc_enable=1
wan_pppoe_user=
WscDefaultPincode=12345670
WscConfigMethod=138
dhcp_prim_dns=192.168.8.8
ftp_add_dir=
trademarkdisc=WiFi Music Receiver
ApCliWPAPSK=12345678
wan_ipaddr=0.0.0.0
DLSCapable=0
WscConfMode=0
WscAuthType=1
VLANID=0
BSSACM=0;0;0;0
HT_RDG=1
ApCliKey2Str=
wlAp_StaMode=0
default_lan_ipaddr=192.168.8.8
wan_primary_dns=
wan_wins=
wl_ifname=
alg_tftp_enable=1
WdsEnable=0
spi_fw_enable=1
snmpd_syscontact=service@autelan.com
FixedTxMode=HT
os_version=4.2.1.0
HT_LinkAdapt=0
wan_static_mtu=1500
WscModeOption=7
Key1Type=0
sysadm_set=1
OperationMode=1
WscAKMP=1
HT_RxStream=2
DtimPeriod=1
APCwmax=6;10;4;3
wan_mtu=1500
def_wan_hwaddr=C0:5E:79:FC:EC:4E
filter_macmode=deny
RADIUS_Acct_Server=
idle_timeout_interval=0
wan_static_netmask=0.0.0.0
console_loglevel=1
EncrypType=NONE
time_zone=CST_008
FragThreshold=2346
wan_ifname=
ApCliKeyError=0
CountryRegionABand=0
HT_OpMode=1
RadioOn=1
SetupWizard=0
ApCliKey1Str=
wan_hostname=
TurboRate=0
usb_dev=
wan_pppoe_opmode=keep_alive
HT_GI=1
AccessPolicy0=0
AccessPolicy1=0
VLANPriority=0
AccessPolicy2=0
AccessPolicy3=0
dlna_mini_enable=1
ezc_version=2
WscUseUPnP=1
deviceid=iReceiver
DisableOLBC=0
WirelessEvent=0
i_serv_en=1
log_ram_enable=
lan_wins=
wan_desc=
SSIDCode=
g_wscresult=0
lan_hwnames=
wan_pppoe_ipaddr=0.0.0.0
APTxop=0;0;94;47
wan_dhcp_primary_dns=
TxBurst=1
WmmCapable=1
ftp_port=21
wan_dhcp_ipaddr=0.0.0.0
RADIUS_Acct_Key=
res_AuthMode=OPEN
WscRegResult=1
ftp_anonymous=1
wan_pppoe_pwd=
TxPower=100
WirelessMode=9
wan_pppoe_ac=
APAifsn=3;7;1;1
SafeRemoveType=0
printersrv_enabled=0
CSPeriod=6
RADIUS_Key=
ApCliAuthMode=OPEN
autofw_port0=
wan_static_ipaddr=0.0.0.0
HT_MCS=33
wan_pppoe_ifname=ppp0
factory_WLPSK=0123456789
alg_ftp_enable=1
NTPServerIP=pool.ntp.org
ApCliEnable=1
size: 6071 bytes (59465 left)
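A dump like this is easier to review with a small audit script. The following is an added example, not part of the original post: it parses `nvram show` output and flags settings worth changing when securing the device. The input is an excerpt of the values above, and the rule set and function names are illustrative. The settings describe configuration only; the process list above shows no FTP or SNMP daemon running.

```python
import base64
import re

# Excerpt of the `nvram show` output above (values copied from the page).
NVRAM_EXCERPT = """\
manage_username=admin
manage_passwd=YWRtaW4
http_username=admin
http_passwd=YWRtaW4=
AuthMode=OPEN
EncrypType=NONE
ftp_enabled=1
ftp_anonymous=1
snmpd_enable=0
snmpd_rocommunity=public
snmpd_rwcommunity=private
WscDefaultPincode=12345670
BSSTxop=0;0;94;47
ApCliSsid=test; /sbin/ping 192.168.8.100
telnetd=0
size: 6071 bytes (59465 left)
"""

# A separator followed by a word or path, or a substitution character.
# Numeric lists such as BSSTxop=0;0;94;47 do not match.
SHELL_LIKE = re.compile(r"[;&|]\s*[/A-Za-z]|[`$]")
DEFAULT_COMMUNITIES = {"snmpd_rocommunity": "public", "snmpd_rwcommunity": "private"}
DEFAULT_WPS_PINS = {"12345670"}


def parse_nvram(text):
    """Return {key: value}; lines without a plain key=value shape are skipped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and re.fullmatch(r"[A-Za-z0-9_]+", key):
            settings[key] = value
    return settings


def b64_text(value):
    """Decoded text if value is base64 (padding optional) of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        text = raw.decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text and text.isprintable() else None


def audit(settings):
    """Return [(key, finding)] for the rules above."""
    findings = []
    for key, value in settings.items():
        if key.endswith("_passwd"):
            plain = b64_text(value)
            if plain is not None:
                note = "stored base64-encoded, not hashed"
                if plain == settings.get(key.replace("_passwd", "_username")):
                    note += "; password equals user name"
                findings.append((key, note))
        if DEFAULT_COMMUNITIES.get(key) == value:
            state = "enabled" if settings.get("snmpd_enable") == "1" else "disabled"
            findings.append((key, f"default SNMP community (snmpd {state})"))
        if SHELL_LIKE.search(value):
            findings.append((key, "value looks like shell command text"))
    if settings.get("AuthMode") == "OPEN" and settings.get("EncrypType") == "NONE":
        findings.append(("AuthMode", "access point is open and unencrypted"))
    if settings.get("ftp_enabled") == "1" and settings.get("ftp_anonymous") == "1":
        findings.append(("ftp_anonymous", "configuration enables anonymous FTP"))
    if settings.get("WscDefaultPincode") in DEFAULT_WPS_PINS:
        findings.append(("WscDefaultPincode", "well-known default WPS PIN"))
    return findings


if __name__ == "__main__":
    for key, finding in audit(parse_nvram(NVRAM_EXCERPT)):
        print(f"{key}: {finding}")
```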


 

4 thoughts on “AirMobi iReceiver Preliminary Software Hacking”

    • I never did. Do you have one?

      I was writing a plea for community help in adding support for the device. I wanted to link to the product but when I did, I found that availability was low and the asking price was way up. I finished the plea, but didn’t push forward because it didn’t seem like further effort wasn’t worth it for the two units I had. I’m waiting on some backordered C.H.I.P. devices to use instead. Running a full linux distro will make it much easier to configure and keep packages up to date.

      At some point I may do the minimum effort and try to boot a generic RAMIPS LEDE or OpenWRT image configured to enable the wifi by default. If it ends up bricked, no big loss. If it works, then great. I’ll try to remember to post the result (if I get around to experiment).

  1. I’ve got one, similar specs.
    Found this site while looking for any extra configuration pages this device might have. Happy to find the telnetd launcher. Using as repeater and audio receiver for now.
    Maybe more in future.

    • Cool. Mine have been sitting in a bin, making me feel guilty about not putting them to good use 🙂
