Cracking open the worthless Zyxel X1 Armor (WAP6806)

Prepare yourself, this will be one of my longest rants so far.

Bought my bloody MacBook Pro, and figured it was time to get a cheapish AC Access Point since the MacBook's USB ports are non-existent – a good trade-off so Time Machine could do its thing and I would be none the wiser but lots poorer.

However – getting the Mac and getting it to a good state was the easier part. Getting that fudged Zyxel AP however…

Waste of plastic.

We start the fun right here…

BusyBox v1.12.1 (2016-10-26 15:52:49 CST) multi-call binary

So.. After you enable TELNET (IN 2017!), and since you cannot change the “admin” password (default “1234”) to anything with “special chars” (I’ll append the f-ked message later on), you prolly log in with admin and 1234, over TELNET…

Ah – did I mention that you need to log out for the password change to stick? No? Okay.. Now I did..

This will leave you with the setup of;


# cat /proc/cpuinfo
system type : Ralink SoC
processor : 0
cpu model : MIPS 1004Kc V2.15
BogoMIPS : 583.68
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0000, 0x0000, 0x0000]
ASEs implemented : mips16 dsp mt
shadow register sets : 1
core : 0
VCED exceptions : not available
VCEI exceptions : not available

processor : 1
cpu model : MIPS 1004Kc V2.15
BogoMIPS : 583.68
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0000, 0x0000, 0x0000]
ASEs implemented : mips16 dsp mt
shadow register sets : 1
core : 0
VCED exceptions : not available
VCEI exceptions : not available

The CPU in this is laughable, or weird … So “much” oomph – for what? But, it’s not the main part – I knew I was in for a cheap thrill to begin with, with all the dinks and donks.


# cat /proc/meminfo
MemTotal: 58928 kB
MemFree: 23576 kB
Buffers: 0 kB
Cached: 21236 kB
SwapCached: 0 kB
Active: 580 kB
Inactive: 2872 kB
Active(anon): 564 kB
Inactive(anon): 2868 kB
Active(file): 16 kB
Inactive(file): 4 kB
Unevictable: 21196 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 3412 kB
Mapped: 2316 kB
Shmem: 20 kB
Slab: 7748 kB
SReclaimable: 2312 kB
SUnreclaim: 5436 kB
KernelStack: 400 kB
PageTables: 292 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 29464 kB
Committed_AS: 7968 kB
VmallocTotal: 1048372 kB
VmallocUsed: 2340 kB
VmallocChunk: 1044532 kB


# uname -a
Linux WAP6806 2.6.36 #173 SMP Tue Nov 1 11:37:47 CST 2016 mips unknown

The kernel is a bit more enjoyable – as I know it could at least do networking of some sort…

But, the REALLY sad part?

They have hardcoded a few bridge interfaces.. Why? NO F-ING IDEA!
The setup was supposed to be kinda straightforward – it is a disaster! With an old-as-hell kernel in (release 2016) 2017!

# ifconfig
br0 Link encap:Ethernet HWaddr 1C:xxxxxxx
inet addr:192.168.x.x Bcast:192.168.x.x Mask:255.255.255.x
inet6 addr: fe80::x::x Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:21870 errors:0 dropped:0 overruns:0 frame:0
TX packets:25841 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1344357 (1.2 MiB) TX bytes:6758904 (6.4 MiB)

br0:1 Link encap:Ethernet HWaddr 1C:xxxxxxxxxxxx
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1

br0:9 Link encap:Ethernet HWaddr 1C:xxxxxxxxxxx
inet addr:1.1.1.1 Bcast:1.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1

eth2 Link encap:Ethernet HWaddr 1C:---------
inet6 addr: fe80::x::x Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:715 errors:0 dropped:0 overruns:0 frame:0
TX packets:1414 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:63796 (62.3 KiB) TX bytes:631847 (617.0 KiB)
Interrupt:3

eth3 Link encap:Ethernet HWaddr 00.......
inet6 addr: fe80::x::x Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21170 errors:0 dropped:0 overruns:0 frame:0
TX packets:25096 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1587641 (1.5 MiB) TX bytes:6223369 (5.9 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:115 errors:0 dropped:0 overruns:0 frame:0
TX packets:115 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9880 (9.6 KiB) TX bytes:9880 (9.6 KiB)

#


The static non-existent iwconfig;

# iwconfig
lo no wireless extensions.

eth2 no wireless extensions.

ra0 RTWIFI SoftAP Access Point: 1E:xx:xx:xx:

sit0 no wireless extensions.

ip6tnl0 no wireless extensions.

ra1 RTWIFI SoftAP ESSID:"ZyGuest[random]"
Mode:Managed 13 Access Point: 1E:--------
Bit Rate=300 Mb/s

ra2 RTWIFI SoftAP ESSID:"ZyGuest[random]"
Mode:Managed 13 Access Point: 1E:----------
Bit Rate=300 Mb/s

ra3 RTWIFI SoftAP ESSID:"ZyGuest[random]"
Mode:Managed 13 Access Point: 1E:---------
Bit Rate=300 Mb/s

apcli0 RTWIFI SoftAP ESSID:""
Mode:Managed 13 Access Point: Not-Associated
Bit Rate:300 Mb/s

eth3 no wireless extensions.

br0 no wireless extensions.

Well, I do have some idea – the interface 1.1.1.2 seems to be their tie-in for a static interface. Dozens of cgi-scripts call it.

The other one is their “alias” address, hardcoded into existence from factory at 192.168.1.2. Makes no sense. NO SENSE.

The awesome part was this – it has a “nice” Autodetect mode of what kind of mode it should be in – AP, Client or Repeater.
My unit got stuck in a rotating state – and kept changing mode ALL THE TIME.
And since the routing table gets screwed up with the static parts – it’s really enjoyable.. I got a “new” release of the firmware (do NOT get me started on the versioning on their firmware… No, seriously, don’t). That “new” “release” “fixed” it.


# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
239.255.255.250 * 255.255.255.255 UH 0 0 0 br0
192.168.x.y * 255.255.255.x U 0 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
1.1.1.0 * 255.255.255.0 U 0 0 0 br0
default 192.168.x.y 0.0.0.0 UG 1 0 0 br0

The above example is missing out the static entry of br0:1 – as I killed it off so my network didn’t explode on itself since it’s supposed to be in another broadcast domain…
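
The factory alias addresses discussed above (br0:1 and br0:9) can be picked out of BusyBox ifconfig output mechanically. The following is an added example, not part of the original post or Zyxel's firmware: the function names, the placeholder HWaddr and the primary br0 address 192.168.50.10 are constructed assumptions, while the two alias addresses are the ones shown in the output above.

```shell
#!/bin/sh
# Added example: list alias interfaces (name contains ':') from BusyBox
# ifconfig output and flag those outside the subnet you configured yourself.

# Constructed sample modelled on the output above; HWaddr and the primary
# br0 address are placeholders, the alias addresses are from the post.
sample_ifconfig() {
cat <<'EOF'
br0       Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          inet addr:192.168.50.10  Bcast:192.168.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

br0:1     Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0

br0:9     Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          inet addr:1.1.1.1  Bcast:1.1.1.255  Mask:255.255.255.0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
EOF
}

# Print "iface addr mask" for every alias interface read from stdin.
list_aliases() {
    awk '
        /Link encap:/ { iface = $1 }          # header line names the interface
        /inet addr:/ && iface ~ /:/ {         # only aliases such as br0:1
            addr = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^addr:/) addr = substr($i, 6)
                if ($i ~ /^Mask:/) mask = substr($i, 6)
            }
            print iface, addr, mask
        }'
}

# Print aliases whose address does not start with the expected prefix.
# This is a plain string match (e.g. "192.168.50."), not CIDR arithmetic.
unexpected_aliases() {
    prefix="$1"
    list_aliases | while read -r iface addr mask; do
        case "$addr" in
            "$prefix"*) ;;                    # inside the subnet you chose
            *) echo "$iface $addr $mask" ;;   # factory or stray address
        esac
    done
}

sample_ifconfig | unexpected_aliases "192.168.50."
```

On the device itself, pipe the real output in (`ifconfig | unexpected_aliases "<your prefix>"`), provided the firmware's BusyBox build includes awk.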

I could produce and sell a better setup software-wise myself. Why oh WHY don’t they (since they don’t seem to be interested in doing anything right or giving their R&D time to develop something resembling a working state) simply make a pledge to dd-wrt or openwrt instead, meaning they can instead contribute and make sure their plastic is not wasted nor the components..

I am not sure where to end this.. So I’ll just update it as it comes and publish it. Meaning this line moves down.