Banana Pi Router(?) R1

Just got a Banana Pi Router R1 that I *nearly/half-way* turned into a WiFi router. Here follow my notes about how, what and to which degree.

Banana Pi Router R1 is the first version of the Banana Pi board that has 5x Ethernet ports and WiFi with external connectors for the antennas. There is already an R2 version out there, but R1 is cheaper, I found an aluminium case for it, and I thought the older version would also be better "battle" tested and supported. It turned out the newest Armbian doesn't work so well with it and it is coming to end-of-life. The HDMI output was just out of sync on the screen and the network-split-switch functionality also did not work out-of-the-box with it. Wanted to try to install Debian from www.debian.org, but that option requires a serial cable, which I do not have. The SD-card image from banana-pi.org basically worked, but I needed to lock down upgrades of the kernel & tools.

The network device of the Banana Pi R1 is a Broadcom BCM53125, a single chip that through configuration allows isolating ports and creating the classical scenario of a 4-port LAN switch and a 1-port WAN interface. This leads to a little security problem / flaw / window of opportunity. The thing is that before this chip is configured, its default state of operation is a simple 5-port switch. This means that during boot, or in case something goes wrong and the OS fails to configure it, all of the LAN devices end up being connected via the switch to the WAN. There can be a DHCP server there too, and devices could end up getting public IP addresses. Tested this by interrupting the boot process. Even during normal boot there are 10-15s when all 5 ports are in switch mode. According to the forum, this auto switching mode on start-up can be disabled by soldering a 2k2 resistor on the board. Will try that once I get this 0402 SMD resistor (the smallest size → will be difficult to solder).

The original WiFi module RTL8192cu used in the BP-R1 has stability problems in AP mode and is therefore usable only as a client... There are people who desoldered it and replaced it with an MT5572. Will need at least a hot air gun to do so and an additional 14€ for the new module.

My plan was to use an old SATA SSD disk, but it turned out that the device boots from SD-card only.

Anyway, after a couple of days of trial and error, here's what worked to get a half-way functional (insecure, with slow/broken WiFi) router out of this hardware:

  • http://www.banana-pi.org/downloadall.html → BPI-R1 → Images → http://wiki.banana-pi.org/Banana_Pi_BPI-R1#Image_Release → Debian u-boot-2016.07, kernel 4.6.5 → image name: 2016-08-04-Armbian_5.17_Lamobo-r1_Debian_jessie_4.6.5_desktop-build-by-bpi-r1.img.zip google drive download : https://drive.google.com/file/d/0B_YnvHgh2rwjV3I5RlpwdmZHYWs/view?usp=sharing
  • ^^^ it's a full SD-card image with auto-login X session
  • the following files then need to be overwritten:
    ├── etc
    │   ├── apt
    │   │   └── preferences.d
    │   │       └── 10-linux-image-next-sunxi.pref
    │   ├── default
    │   │   ├── hostapd
    │   │   └── isc-dhcp-server
    │   ├── dhcp
    │   │   └── dhcpd.conf
    │   ├── firewall
    │   ├── hostapd.conf
    │   ├── hostname
    │   ├── network
    │   │   └── interfaces
    │   ├── screenrc
    │   ├── ssh
    │   │   └── sshd_config
    │   └── timezone
    └── root
        └── .ssh
            └── authorized_keys
    11 directories, 14 files
    • files that can be used as they are:
      • etc/apt/preferences.d/10-linux-image-next-sunxi.pref → pin the 5.17 Armbian tools and kernel; those are working and shall not be upgraded
      • etc/default/hostapd → to enable hostapd to start
      • etc/default/isc-dhcp-server → to enable dhcpd server to start and set interface to br0
      • etc/dhcp/dhcpd.conf → dhcpd server config with leases pool, dns servers
      • etc/firewall → iptables firewall with nat, ssh and ping allowed from WAN
      • etc/network/interfaces → eth0.101 as WAN with dhcp and NAT firewall, the rest of the ports as eth0.102 + wlan0 in br0 bridge
      • etc/screenrc → startup_message off && vbell off
      • etc/ssh/sshd_config → PasswordAuthentication no
    • files that need to be edited:
      • etc/hostname → a place for your creativity
      • root/.ssh/authorized_keys → add here your ssh key so that you can log-in (ssh password authentication is off)
      • etc/timezone → Europe/Vienna
      • etc/hostapd.conf → wlan0 in AP mode with ssid FIXME and passphrase CHANGE_ME
    • here are all those files as a tarball. Just copy/overwrite those into the root system and edit/adjust the ones mentioned above.
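
The case where the OS fails to set up the WAN/LAN split can be detected from the router itself. The script below is an added example, not part of the original post or its tarball: a POSIX shell check of the kernel-side layout described for etc/network/interfaces (eth0.101 as WAN, eth0.102 and wlan0 in br0). The function names and the optional sysfs-root argument are assumptions of this example, and since it cannot see the BCM53125's own port map it does not cover the 10-15s boot window.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names follow the post:
# eth0.101 = WAN, eth0.102 + wlan0 bridged in br0. Function names and the
# optional sysfs-root argument (used for offline testing) are assumptions.

problems=0
fail() { echo "SPLIT-CHECK: $1"; problems=$((problems + 1)); }

# check_split [ROOT]: inspect ROOT/sys/class/net, print one line per problem,
# return the number of problems (0 = kernel-side split is in place).
check_split() {
    net="${1:-}/sys/class/net"
    problems=0

    # The VLAN sub-interfaces and the bridge must exist at all.
    for dev in eth0.101 eth0.102 br0; do
        [ -e "$net/$dev" ] || fail "missing interface $dev"
    done

    # The LAN VLAN and the WiFi interface must be bridge members.
    for port in eth0.102 wlan0; do
        [ -e "$net/br0/brif/$port" ] || fail "$port is not a member of br0"
    done

    # Neither the WAN VLAN nor the untagged eth0 may be bridged:
    # either would join LAN clients to the WAN segment.
    for port in eth0.101 eth0; do
        if [ -e "$net/br0/brif/$port" ]; then
            fail "$port is bridged into br0 (LAN exposed to WAN)"
        fi
    done
    return "$problems"
}

# Constructed failure case: VLANs were never created and raw eth0 is bridged.
make_broken_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/class/net/eth0" "$d/sys/class/net/wlan0" \
             "$d/sys/class/net/br0/brif/eth0" "$d/sys/class/net/br0/brif/wlan0"
    echo "$d"
}

tree=$(make_broken_tree)
check_split "$tree" || echo "problems found: $?"
rm -rf "$tree"
```

On the router itself, call `check_split` with no argument so it reads the live /sys/class/net, and alert on a non-zero return.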

What next? Well will try to find someone who can help me with desoldering the WiFi module and soldering the resistor, then test again. If/once that happens, will write here more about it.
