Exploring the humble Internet Router - Part 1

With a growing number of internet-connected devices at home, the internet router has commonplace around every household. Not many realize that the very same router is a full-fledged Linux computer that you log into and do some basic stuff. Although it doesn’t support a Graphical interface like our desktop computers, it still gives us access to the terminal from which you can access all its internals. With a few hardware and software changes, we will be exploring all that this little router can offer in a series of projects.

I happened to have a Linksys E1200 v2 router that I was not using and decided to open it up just out of curiosity. What followed was a great deal of hardware hacking and learning. We will explore the different kinds of things we can do using this router in a series of projects, each at a different skill level.

Let’s first start by breaking the “Do not tamper” sticker. Once this is done, we’ll be able to access the router’s hardware. Be warned though, breaking that will void your warranty.

Now that we have ended our relationship with Linksys, let’s open the outer case and look at the printed circuit board inside. As you can see in the image below, the PCB contains the main processor (Broadcomm BCM5357) in the center, DDR RAM (Winbond W9425G64KH) on the right, Flash memory (Macronix MXIC 25L6406E). If you think about it, this is a full-fledged computer with a volatile memory (RAM) and a Non-volatile memory (ROM). These routers had to be cost-optimized so they do not have a lot of memory. The flash chip is 8Mb and the DDR RAM is 32Mb.

Now comes the hardware tinkering part. The most important component for us is the UART connection port located under the flash chip as shown below. Out of the 5 pins exposed here, we would need three -> The Transmit pin (Tx), The Receive pin (Rx), and the Ground pin (GND). As we will see, the operating system outputs the kernel messages through this port and it is through this port that we will gain access to the Linux terminal. I have soldered a set of header pins to the 5 pins.

Now, we connect a set of jumper cables to the Tx, Rx, and GND pins. How did I know which one is the Tx and Rx pin? If you observe carefully, out of the five pins, two have traces connecting them to the main processor and one of them has a square pad (the first pin from the right) indicating the Ground pin. I did not know which of those two were the transmit or receive pins so I swapped around the Tx and Rx wires until I saw messages on the terminal. This is where you will need a UART-USB converter to be able to see the messages sent by the router. The cable has female headers on one end which is where we connect the jumper wires coming from the router. The other end is a USB connector that goes into the PC. The connections are shown in the image below.

Once the connections are made as shown, we open up a terminal on a Linux laptop and fire up minicom. This tool is installed by default on most distributions and requires root access.

$ sudo minicom

I did not change any of the default UART settings on minicom. Once this is done, we switch the router on. The kernel messages should now be visible on the screen as it boots up. After a few seconds, we have access to the terminal prompt. Note how there is a pound symbol (#) instead of a dollar ($) sign at the prompt. This indicates we have root access to the router.

Here we try out a few commands to see if all is well. The ls command lists out the directories in the current folder (root folder in this case). The next command prints out the system info.

# ls          // Lists out the directories and files

# uname -a    // Prints basic system information

We can see that this system uses Busybox for its minimal file system. Busybox has the very basic tools required to use the system and will not provide all the tools that you usually have on desktop operating systems. We will see in later projects how to add more tools to the router. Let us now take a peek at what the router is currently doing. We can do that by running the "top" tool which shows all the processes currently running on the system.

# top              //this command shows the processes running on the system

As we can see from the output of the top command, there are several processes running. We can see some familiar programs running. The HTTP process is the one that provides the router login page when you go to the local address 192.168.1.1 on your browser. The DHCP process is the one that assigns the IP addresses to all the devices that connect to this router. It also shows the amount of memory used by all of these processes on the top. It currently shows that about 24Mb of the total 32Mb RAM is being used by the system. That is about 75% of the total memory.

That is all we can do with the current operating system that came along with the router. This is a major limitation for us as most of the commonly used tools are not available and the filesystem is "read-only" meaning we cannot add any files. As you can see in the image below, we try creating a new file with the touch command and it failed with an error. This issue will be fixed in Part-2 of this series.

Please check out Part -2 of this project series where we will be exploring a lot further and will be replacing the original firmware with a custom one. See ya there!