Bricking a Sky SR101 Router

I’ve had an old Sky SR101 router lying around for a while now, waiting for embedded device hacking practice.

I began by removing the case, in particular noting a secret screw underneath one of the rubber feet, and then prizing out the clips as described in a skyuser post. After removing the case, two sets of 10 pins are immediately obvious – you can see them in this image – note that mine did not have the header attached; I had to solder one on.

To identify which was which, I referenced a previous dissection of an SR102, on the OpenWrt website. I then used a multimeter to try and figure out ground, v+, transmit and receive pins as described here. These looked good so I soldered on a header and connected up my FTDI cable after googling the cable out.

Unfortunately I couldn’t remember how to use the FTDI cable! A quick lsusb showed that Linux had recognised it and so screen /dev/ttyUSB0 115200 got me connected. However, there was no input. At this point I thought my soldering ability had let me down… but a chance disconnection of the ground cable resulted in some readable text on the console, and a bit of investigation revealed that I’d mistaken v+ for gnd; swapping the pins gave me perfect output.

Time to log in – but there was no response to any keypresses. A bit of googling told me that this was probably down to screen trying to use hardware flow control, so I quit the session and restarted it again with screen -fn /dev/ttyUSB0 115200 – voila, pressing enter presented me with a login prompt.

Using the username and password shown on the OpenWrt page for the SR101 (admin, sky) I was able to log in!

At this point I took a step back and used cat to save a log of the system boot, revealing a few useful tidbits about the device:

Chip ID: BCM6362B0, MIPS: 400MHz, DDR: 333MHz, Bus: 166MHz
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000
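
An added example, not part of the original post: parsing these banner lines out of a saved boot log so the chip ID and memory size can be compared with what a firmware image expects before anything is flashed. The function names are hypothetical, the sample log is constructed from the three lines above, and the expected chip ID is an assumption the caller has to supply from the image's own documentation.

```python
import re

# Constructed sample: the three banner lines quoted in the post, as they
# would appear inside a saved boot log among other output.
SAMPLE_LOG = """\
(other boot output)
Chip ID: BCM6362B0, MIPS: 400MHz, DDR: 333MHz, Bus: 166MHz
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000
(other boot output)
"""

CHIP_RE = re.compile(r"^Chip ID:\s*(\w+),\s*(.*)$", re.M)
CLOCK_RE = re.compile(r"(\w+):\s*(\d+)MHz")
MEM_RE = re.compile(r"^Total Memory:\s*(\d+) bytes \((\d+)MB\)", re.M)
BOOT_RE = re.compile(r"^Boot Address:\s*(0x[0-9a-fA-F]+)", re.M)


def parse_banner(log_text):
    """Extract hardware facts from a captured boot log; raise if absent."""
    chip, mem, boot = (r.search(log_text) for r in (CHIP_RE, MEM_RE, BOOT_RE))
    if not (chip and mem and boot):
        raise ValueError("boot banner incomplete; capture may be truncated")
    mem_bytes, mem_mb = int(mem.group(1)), int(mem.group(2))
    if mem_bytes != mem_mb * 1024 * 1024:
        raise ValueError("memory fields disagree; log is likely corrupted")
    return {
        "chip_id": chip.group(1),
        "clocks_mhz": {k: int(v) for k, v in CLOCK_RE.findall(chip.group(2))},
        "memory_bytes": mem_bytes,
        "boot_address": int(boot.group(1), 16),
    }


def check_target(info, expected_chip, min_memory_bytes=0):
    """Return a list of mismatches between the device and an image's needs."""
    problems = []
    if info["chip_id"].upper() != expected_chip.upper():
        problems.append(f"chip {info['chip_id']} != expected {expected_chip}")
    if info["memory_bytes"] < min_memory_bytes:
        problems.append(f"only {info['memory_bytes']} bytes of RAM")
    return problems


if __name__ == "__main__":
    device = parse_banner(SAMPLE_LOG)
    # "BCM0000X0" is a made-up placeholder, not a real image target.
    print(check_target(device, "BCM0000X0") or "no mismatches")
```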

After starting busybox’s sh and having a little browse, the novelty wore off, and to sustain interest I decided I needed to flash the device. After toying with building my own OpenWrt hardware I decided to take a punt on flashing it with the offered SR102 firmware. After downloading the firmware from the OpenWrt page I started python -m SimpleHTTPServer 8080 and followed the OpenWrt guide. The firmware seemed to flash, I rebooted the machine, and... BRICKED!

Oh well! Experimentation over! Maybe next I can have a look at using the JTAG pins to see what I can recover…