Saturday, July 22, 2017

OpenWRT on EA3500 with RTL-SDR Stream

Recently I saw an interesting rtl-sdr article with a YouTube video on setting up a used Cicso LinkSys EA3500 router with OpenWrt and the RTL-SDR, (the second part of the video is here).

Cisco EA3500 with NooElec RTL-SDR
The video was so interesting, that I found a used EA3500 for sale on ebay and immediately purchased it to try this myself! (not a single one of my routers has a USB interface. Go figure) There are also used ones on amazon as well.

Although it was the topic of SDR caught my attention, it is still a pretty good video on OpenWrt.

The cool thing is that when done - I can move my RTL-SDR device anywhere within range of WiFi! Sweet. No longer limited to USB cable distance of my computer.

For stock firmware, there's no username; default password is admin

You should note that when the router first boots with stock firmware and factory reset, there's NO security on WiFi.

I did this on Windows 10, with the Ubuntu WSL for ssh access and other unix tools like iperf.

My wired test network is setup specifically to allow new devices with the default address to work without having to unplug and re-plug my computer for many devices. However for this exercise I need to connect to OpenWrt before it is configured. So my setup is a little different than the video:

[internet] -- [switch: 192.168.1.x ] --- [yellow ES3500 Internet port]
                                         [blue ES3500 Ethernet port  ] --- [my computer]

While videos are cool, they make for poor reference material for later use. It is difficult to "scroll" though a video looking for a particular technical item. I'll keep track of all the details here.

The first reference is to the WikiDevi Linksys EA3500 page, with a link to the OpenWrt page for the Linksys EA3500. Despite the name factory.bin - this is NOT the stock Linksys software. This is the file to download for OpenWrt. There's more information on the Techdata: Linksys3500 page. That's where you can find a link to Firmware OpenWrt Install URL.

The first thing I did was brick my router. :(  I loaded that openwrt-kirkwood-linksys-audi-squashfs-factory.bin mentioned above. It did not go well. Fortunately there's a magic sequence of events to restore it. Thanks mikemccartney for posting these instructions that worked for me:

1 Plug in the EA3500/4500
2 Power led will blink rapidly
3 Power led will turn off
4 As soon as the power led turns off, unplug the router
5 Wait a few seconds
6 Plug the router back in and repeat the above process

Do that three times, on the fourth time keep the router plugged in and let it boot, hopefully you will now have a functioning router again.

I'm just glad I didn't have to figure out how to JTAG the firmware onto the router.

This time when loading openwrt-kirkwood-linksys-audi-squashfs-factory.bin things went much better.

So back to the video instructions: there's no default web UI when OpenWrt first boots. To initially access the new firmware, use: ssh root@ and it should look something like this:

0 $ ssh root@
The authenticity of host ' (' can't be established.
RSA key fingerprint is 6e:6d:a4:4e:83:9e:54:10:b3:be:c0:76:bf:eb:aa:e3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.

BusyBox v1.24.2 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 DESIGNATED DRIVER (Bleeding Edge, 50107)
  * 2 oz. Orange Juice         Combine all juices in a
  * 2 oz. Pineapple Juice      tall glass filled with
  * 2 oz. Grapefruit Juice     ice, stir well.
  * 2 oz. Cranberry Juice
Next set password with
root@OpenWrt:~# passwd
Changing password for root
New password:
Retype password:
Password for root changed by root

If you are familar with VI/VIM you can skip this step, otherwise you can install nano:
opkg update

You may wish to save you original configs:
cp  /etc/config/network  /etc/config/network.bak
cp  /etc/config/wireless /etc/config/wireless.bak
Edit /etc/config/network that originally looks like this:
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr ''
        option netmask ''

config globals 'globals'
        option ula_prefix 'fdbc:cc57:906d::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6'

He edits the network from to
config interface 'lan'
        option ipaddr ''
and changes the wan interface from eth1 to wlan0 for both.
config interface 'wan'
        option ifname 'wlan0'

config interface 'wan6'
        option ifname 'wlan0'

Then edit /etc/config/wireless that for a default config, that originally looks like this.
config wifi-device  radio0
        option type     mac80211
        option channel  11
        option hwmode   11g
        option path     'mbus/mbus:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode   HT20
        option disabled 1

config wifi-iface
        option device   radio0
        option network  lan
        option mode     ap
        option ssid     OpenWrt
        option encryption none

config wifi-device  radio1
        option type     mac80211
        option channel  36
        option hwmode   11a
        option path     'mbus/mbus:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode   HT20
        option disabled 1

config wifi-iface
        option device   radio1
        option network  lan
        option mode     ap
        option ssid     OpenWrt
        option encryption none

Remove the channel selection and enable wifi (by setting disabled to false):
config wifi-device  radio0
        # option channel  11
        option disabled 0
And edit the wifi-iface section for 2GHz:
config wifi-iface
        option device   radio0
        option network  wan
        option mode     sta
        option ssid     yourssid
        option encryption psk2
        option key      yourwifipassword
Edit the wifi-iface section for 5GHz in a similar manner if you have one (I do not). The reboot, wait, and ssh to the NEW IP address:
# wait...
ssh root@
Once everything is configured, the cable between the yellow Ethernet port and the switch can be removed, as the router is now a station

[internet] -- [WiFi (same as above switched network)]   
                            [WiFi]  ---- [blue ES3500 Ethernet port  ] --- [my computer]
Other things installed in the video include installing LuCI (the graphical web gui). Note the video installed regular luci; I prefer the luci-ssl, even though the browser will complain that it is not a secure connection (no trusted root for self-signed cert)

opkg update
# opkg install luci # the non-ssl version
opkg install luci-ssl
/etc/init.d/uhttpd start
/etc/init.d/uhttpd enable
Then see which RTL packages are available:
opkg list | grep rtl
He then goes on to install rtl-sdr
opkg install rtl-sdr
which rtl_fm
which rtl_tcp
rtl_tcp -h
Plugging in my NooElec RTL-SDR that I received for Christmas (what a cool gift!!) I see this latest entry with dmesg:
[ 2819.934581] usb 1-1: new high-speed USB device number 2 using orion-ehci
Then simply run rtl_tcp:
root@OpenWrt:~# rtl_tcp
Found 1 device(s):
  0:  Realtek, RTL2838UHIDIR, SN: 00000001

Using device 0: Generic RTL2832U OEM
Found Rafael Micro R820T tuner
[R82XX] PLL not locked!
Tuned to 100000000 Hz.
Use the device argument 'rtl_tcp=' in OsmoSDR (gr-osmosdr) source
to receive samples in GRC and control rtl_tcp parameters (frequency, gain, ...).
Other things installs in the video:

opkg list | grep dump
opkg install dump1090
opkg install iperf
Part two of the video starts out a bit confusing... but skip the first 7 minutes and pick up at the OpenWrt login prompt. There's a reminder on restarting WiFi:

wifi down; wifi up
# or
ifconfig wlan0 down
ifconfig wlan0 up

Basically to ensure there's an IP address listed for wlan0. (the client DHCP address for your WiFi network; remember this device was configured as STA, not AP (above).
As such, the ES3500 is connected to the "internet" via WiFi instead of via the yellow RJ-45 connector. Thus for wireless access, port forwarding is needed. At first, I setup a simple traffic rule that worked:

However I wanted to follow along and use port forwarding instead, like this:

A port forward that looks like it should work, but does not.

Unfortunately, the video already had many of the port forwards already configured. I had a difficult time with getting ssh working. I kept getting these odd connection refused errors:
gojimmypi@ElectronicsDesk : ~
255 $ ssh root@
ssh: connect to host port 22: Connection refused
Now "connection refused" is an interesting error. It says things are working but being rejected. I was sure I had it configured correctly. As it turns out there's a feature specifically to allow ssh under System - Administration:

Even setting the "allow remote hosts", I continued to get the port refusal error. So in the video, he connects to the client STA address of the EA3500. Yet when on the local 192.168.2.x network, I was ssh'ing into the router IP address: and not its client STA address of - so I used that as a port forward instead. Note that it shows up in the drop-down as "(Openwrt,lan)" next to the IP addy

And so once that is working, several other ports also need to be forwarded:

Note that when moving your client computer between the ES3500 network (192.168.2.x) and the local wired/wireless network (192.168.1.x) - there's a delay of up to several minutes in Windows obtaining the new address and getting everything setup, during which you'll see messages like this when attempting ssh:

ssh: connect to host port 22: Software caused connection abort
ssh: connect to host port 22: Resource temporarily unavailable
ssh: connect to host port 22: Network is unreachable

If you still have problems connecting, recheck settings and try reboot. But be patient, it does take some time. Again, note that I believe the port forwards in the video are completely wrong - and the only reason he was able to get it working was the traffic rules. I have no traffic rules - just the port forwards, but to a different address. But then again, I spent the better part of the afternoon playing with this - and the video author sped though the entire process in an impressive 37 minutes apparently with no editing / interruptions. Impressive.
Once that is working, I setup iperf as a server on the EA3500:
iperf -s
In a separate shell, staying local the PC (I also needed to install iperf):
sudo apt-get install iperf
iperf -c -i 3 -t 30
and saw mediocre performance from this "gigabit" router:

Client connecting to, TCP port 5001
TCP window size:  512 KByte (default)
[  3] local port 5607 connected with port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 3.0 sec  6.75 MBytes  18.9 Mbits/sec
[  3]  3.0- 6.0 sec  8.00 MBytes  22.4 Mbits/sec
[  3]  6.0- 9.0 sec  7.12 MBytes  19.9 Mbits/sec
[  3]  9.0-12.0 sec  7.75 MBytes  21.7 Mbits/sec
[  3] 12.0-15.0 sec  7.38 MBytes  20.6 Mbits/sec
[  3] 15.0-18.0 sec  7.25 MBytes  20.3 Mbits/sec
[  3] 18.0-21.0 sec  7.88 MBytes  22.0 Mbits/sec
[  3] 21.0-24.0 sec  7.62 MBytes  21.3 Mbits/sec
[  3] 24.0-27.0 sec  7.75 MBytes  21.7 Mbits/sec
[  3] 27.0-30.0 sec  7.88 MBytes  22.0 Mbits/sec
[  3]  0.0-30.1 sec  75.5 MBytes  21.1 Mbits/sec
Note that Norton Antivirus popped up and warned about the iperf traffic; the default recommended action was to block it. Your AV may simply quietly block it. So if ssh and the web interface are working but not iperf; check your antivirus software. YMMV.

The video moves on to trying performance with a 5GHz band. I don't have any other 5GHz routers, so I could not test this. Important thing to note is that he ended up apparently needed to power cycle the router when changing from 2.5GHx to 5GHz.

So on to SDR "Sharp" (which was also already install in the video). You can download the AirSpy SDR# here. Norton AV gave me a ton of grief on many of the SDR# executables. Here's the config in SDR#. The only thing is setting the IP address for RTL-SDR (tcp):

Although the original pic above has the RTL-SDR plugged directly into the router, it is probably a good idea to use an extension cord, as shown in the video to get the receiver a bit farther away.

Note that we are port forwarding the br-lan address: from the 192.168.1.x network. Thus we need to tell rtl_tcp to listen on that address:

rtl_tcp -a -f 95300000
Press play button in SDR# and voila!

Resources, Inspiration, Credits, and Other Links:

No comments:

Post a Comment

comments are welcome, but I prefer not to allow links to promotions or other unrelated services.

OpenWrt Remote Network WireShark Packet Feed

After my last post on installing OpenWrt on a Cisco/LinkSys EA3500 to stream RTL-SDR data , I was inspired to investigate other "intere...