Senao 2611-AP3 / 2611-CB3 Hacking Page
By Nox Invisus and Brian Oblivion (my email is useless due to the amount of spam I get)
Known as the Senao or Engenius CB3/AP3, these little devices are rugged, stable,
no-frills Access Points and/or Client Bridges. You can use them to bridge two
distant networks together, use the client bridge as a client to connect
to an Access Point, or just run one as an access point for a particular area.
One hardware base, three functions. We obtained our hardware from www.aerialix.com.
Being in the northeast, we find these people very helpful, as they are involved
in quite a few community wireless network organizations in the New Hampshire and
Massachusetts area. They sell all the materials we cover in this article and don't
have a minimum order.
The CB3 and AP3 are particularly useful due to their ease of use, high power (200mw),
and the ability to be converted (flashed) from an Access Point (AP) into a Client
Bridge (CB) and back again. No, they cannot function as both simultaneously. You
will need to purchase a device with two radios, or take a performance hit and
use a Senao AP Pro Plus, which will function as an AP and connect back to another
AP in a repeater-like mode. Unfortunately, your bandwidth will be severely affected
because you are transmitting the same information twice on the same
frequency. However, that discussion is for another document.
First, a general description of the AP3 hardware, followed by the differences
between the AP3 and the CB3, which are considerable, and why you will find that the
CB3 costs $20-30 US Dollars more than the AP3.
Diagram of the AP3 PC Board:
The AP3 can accommodate one wireless NIC and has one ethernet port. The embedded
card can be either 200mw or 100mw depending on the model you purchased. Most US
(FCC certified) systems come standard with 200mw. You can order ETSI certified
units that top off at 100mw. Needless to say, you can easily swap out the 100mw card
in these units and install a 200mw unit. It runs on 12Vdc at ~500ma, while the
wall wart is rated at 1A. The processor is the Ubicom
IP2022. The IP2022 is a RISC-based processor with a 100MHz internal core speed.
The device has 64Kbyte of program flash capable of self-programming. It has 16Kbyte
of data RAM, with a 4Kbyte linear-addressable RAM useful for packet buffering. It
has two full-duplex SERDES (Serializer/Deserializer) channels that can be programmed
for 10Base-T, USB or other fast protocols. Four hardware LFSR units are capable
of CRC checking, encryption or data whitening. It has two 16-bit timers and supports
a low power mode enabling the IP2022 to conserve power when in standby or in a
reduced activity mode.
Below, on the left, is an image of the AP3 PCB; on the right, the CB3 PCB.
We have gathered all the datasheets, reference manuals, and programming manuals
for your experimental convenience. We have also found the IP2K programming software
and JTAG/ISP connector pinouts, and a schematic for the IP2022 programming pod
for further experimenting. There is a Linux or Cygwin software development kit
(SDK) called Unity that contains the programming pod, a dev board (awfully similar
to the actual AP3/CB3 board layout), a suite of libraries, memory maps and sample
code for the IP2022. If anyone has anything else to contribute, please contact
email@example.com and he will be sure the
content makes it to the guerrilla.net Senao Hacking project.
Upgrading 100mw AP3's to 200mw
You can often find 100mw AP3's around. Other than the European Union power adapter,
you will also find that the embedded PCMCIA card within the unit is a 100mw
Prism 2 based card. Yes, you read that right, it is a Prism 2 based card. The
200mw cards are Prism 2.5 based. Upgrading is a simple procedure: take out the
100mw card, insert the 200mw card, and after the unit powers up once, press the
reset button, wait for the LEDs to return to a normal state, power cycle, and
you should now be running a 200mw AP3/CB3. There is no ETSI-only firmware for
either the CB3 or AP3, as the FCC certified devices can be configured to operate
on channels 12 - 14. The cards default to the highest transmission power. One
unfortunate aspect of these units is they DO NOT have a way to back the power
down. It is full power or nothing at all. What a waste...
Note: If your AP3 does not function after the card upgrade, it may be because
the firmware in the 200mw 2511CD+ card is too old. Follow this procedure to
determine whether the firmware in your 2511CD+ card is too old, and how to upgrade
it to a functional level.
2511CD Plus EXT2 cards that have a serial number prior to 03xxxxxx do not have
the requisite firmware to operate in an AP3/CB3.
The Prism WinUpdateFlash utility can be used to verify the firmware
revision level of a 2511CD PLUS card. Select Tools -> Query Firmware Version.
In order to work in an AP3/CB3, the revision of the firmware in the card must be:
If the card you are examining does not have at least this revision level, you
must program the card with the contents of this file:
PK010100.HEX Primary Firmware 1.1.0
SF010402.HEX Station Firmware 1.4.2
To reprogram a card, perform the following steps.
1. Unpack the contents of 2511CD_FRM_142.zip into a subdirectory on the same
computer on which the Prism WinUpdateFlash utility is installed.
2. Launch the WinUpdateFlash utility and click on the Detect Adapters button.
3. Select your adapter in the top window and press Select Adapter.
4. Now, click on the Add File... button, browse to the subdirectory you unpacked
the 2511CD_FRM_142.zip file into, and select the PK010100.HEX file.
5. Then, click on the Add File... button a second time and select the SF010402.HEX file.
6. Then click Update to flash the card with the selected firmware.
7. After you flash the card, verify that the card has the new firmware using the
WinUpdateFlash utility. Select Tools -> Query Firmware Version.
8. Once this is complete, install the card in the CB3/AP3 hardware and turn it on.
You must RESET the unit by pressing the reset button located at the rear of
the unit. This process will reset the unit to defaults and you will then be
able to communicate with the AP3/CB3.
NOTE: If you are upgrading a customer's unit, you must record the configuration
before performing the upgrade procedure.
Verify through the AP3/CB3 interface that the newly installed card reports the
following on the initial configuration screen:
WLAN Primary Firmware: 1.1.0
WLAN Secondary Firmware: 1.4.2
WLAN Tertiary Firmware: 1.2.1
If you see that, the procedure is complete.
AP3 <---> CB3 Conversions
AP3 / CB3 Usage Hints and Tips:
The CB3 hardware is more desirable because you have the ability to use an 802.3ah
Power over Ethernet injector with this hardware. An AP with PoE and a built-in
RP-TNC connector is pretty nice. However, we also find that flashing AP3 hardware
to be a CB3 is advantageous because in many instances, to connect a desktop PC
to a wireless network, you either have to purchase a crappy USB wireless dongle
(which are generally lower power due to power constraints on the USB bus) or
rip open the client machine, install a PCMCIA <-> PCI or ISA adapter,
stick a card into that, and then go through the device driver hassle. This way you
just connect the CB3 hardware via a crossover ethernet cable to the client PC
and you are on the network. You save a little dough because you don't necessarily
need the PoE or the removable antenna if inside a home or apartment complex.
As stated earlier, the AP3 and CB3 can be converted into one another by flashing
the unit with the appropriate BIOS. FIRST OF ALL: THERE IS A POTENTIAL OF FOULING
UP YOUR AP3/CB3 BY FLASHING IT. FLASH AT YOUR OWN RISK. We have done this many
times and have never had a problem. There are a few prerequisites:
Make sure you are running at least the 1.6.0 flash in the target unit. You will see
this when you boot the unit. If it is not v1.6.0, you can upgrade it to CB3 v1.6.0,
then you can upgrade that to either CB3 1.8.0 or AP3 1.8.0.
How to do it:
1. Download the firmware you want to upgrade to onto a PC. Note: if this PC is running
Windows 98 or ME, you will need a tftp client program. We like to use Weird
Solutions TFTP Client. It isn't a drop-in replacement, but it is nice once
you get it working. You need to tweak the do.bat files to work with it.
NOTE: If you do not use the client outlined above, then be sure that you transfer
the images using binary mode and not ASCII!!!
I was using 'atftp' ("advanced tftp"), as available in Debian (Linux).
I don't really know who made it, but it appears all Linux tftp clients
default to ASCII mode.
For Win98, ME only:
Change your do.bat files from:
tftp -i 192.168.1.1 put ap180sp1.bin /
to:
tfp -i 192.168.1.1 --put ap180sp1.bin /
Note, this is an example of the difference between the original line and the modified one.
Don't copy that line verbatim into every do.bat file you have.
2. Extract the firmware into a folder.
3. Connect the device to be flashed to a hub, or directly to the PC with the firmware
on it via a crossover ethernet cable.
4. If you haven't done so, reset the unit to be flashed to defaults. Yes, JUST
5. If flashing a device to become a CB3, run do.bat in the directory with the
appropriate firmware files. If flashing a device to become an AP3, run do1.bat
first, then do2.bat. NOTE: do1.bat is the application software; do2.bat is the
web pages. If after you flash the device you get an error when trying to connect
to the default IP address of 192.168.1.1, run do2.bat a second time (or for the
first time). You probably just forgot to do it, or tried to do it before the other
flash cycle was completed.
6. Power off the device and turn back on. I always reset the device to defaults
after flashing. It seems to clear up the few times I ran into a minor problem.
7. That's it... enjoy your new device.
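For Linux users, who run into the ASCII-mode pitfall the page warns about, here is an added example (not the page's own do.bat files, and not Senao's code) of the same flashing sequence as a POSIX shell script. It assumes the BSD/netkit tftp client, treats the image file names and any SHA-256 digests as your own inputs, and adds a dry-run mode and an integrity check before anything is sent to the device at 192.168.1.1:

```shell
#!/bin/sh
# Added example, not from the original page or from Senao: a POSIX-shell stand-in
# for the page's do.bat / do1.bat / do2.bat, for Linux hosts whose tftp client
# defaults to ASCII (netascii) mode. It forces the BSD/netkit "tftp" client into
# binary mode and sanity-checks each image first. 192.168.1.1 is the AP3/CB3 default
# address from the page; image names and optional SHA-256 digests are your own.

DEVICE="${DEVICE:-192.168.1.1}"

# check_image FILE [SHA256]: refuse a missing or empty image and, when an expected
# digest is supplied, an image whose digest does not match it.
check_image() {
    f="$1"; want="$2"
    [ -s "$f" ] || { echo "image '$f' missing or empty" >&2; return 1; }
    if [ -n "$want" ]; then
        have=$(sha256sum "$f" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "digest mismatch for '$f'" >&2; return 1; }
    fi
}

# tftp_commands FILE: the command script fed to the tftp client. "binary" is the
# equivalent of the -i flag in the page's Windows do.bat line, and "/" is the
# remote name that line uses.
tftp_commands() {
    printf 'binary\nput %s /\nquit\n' "$1"
}

# flash_image FILE [SHA256]: one transfer. With DRY_RUN=1 the tftp command script
# is printed instead of sent, so the sequence can be reviewed first.
flash_image() {
    check_image "$1" "$2" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        tftp_commands "$1"
    else
        tftp_commands "$1" | tftp "$DEVICE"
    fi
}

# main cb3 APP_IMAGE            the page's do.bat (a single image)
# main ap3 APP_IMAGE WEB_IMAGE  the page's do1.bat (application), then do2.bat
#                               (web pages); the page says the order matters.
main() {
    case "$1" in
        cb3) flash_image "$2" ;;
        ap3) flash_image "$2" && flash_image "$3" ;;
        *)   echo "usage: $0 cb3 APP_IMAGE | ap3 APP_IMAGE WEB_IMAGE" >&2; return 1 ;;
    esac
}
[ "$#" -gt 0 ] && main "$@"
```

Run it as `DRY_RUN=1 sh do.sh ap3 ap180sp1.bin WEB_IMAGE.bin` first to see exactly what would be sent, then without DRY_RUN against a unit that has been reset to defaults.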
Adding an External Connector to an AP3
There are times when PoE isn't required, and the addition of a pigtail to an AP3
is the better way to go. Perhaps you already have one of these units and you want
to put a directional antenna on it. Whatever the case may be, you can do it with
the following:
Dremel or equivalent rotary tool with gouging bit
Small hand drill with 1/4" bit
.100 diameter crimp die with crimp tool
Small metal file
Soldering iron (a Weller will do the trick)
Vise or some sort of third hand
Small needle nose pliers
A pair of fine dykes (diagonal cutters)
A fine dental pick or a straight pin
Picture of the players. Not pictured: tamper bits, small metal file, crimp tool w/ die.
1 MMCX RT.Angle, Male Connector (for LMR100A)
1 TNC, Bulkhead Connector, Female (for LMR100A) (or SMA, Bulkhead Connector,
Female for LMR100A)
1 6.5 in. length of LMR100A
1.5 in. of 3/16 in. OD Shrink tubing
1. First, disconnect all cabling and turn the unit over to
gain access to the screws on the bottom of the unit. Remove the screws.
2. Flip the unit over, and remove the top cover.
3. Carefully take note of which port the MMCX Rt. Angle connector is connected
to, disconnect it, then carefully lift the board out of the bottom chassis and set the PC board aside.
4. It is important to do these steps in order, unless you have extra
bulkhead connectors to use as fitting samples.
Now we will retrofit the bottom chassis to accommodate the new RF connector.
Using these pictures as a guide, you can see approximately where you will need
to drill a hole to accommodate the RF connector. Obviously, the TNC bulkhead connector
will require a larger diameter hole. If you center the hole in the same place
as if you were installing the TNC, you will not run into trouble. The TNC connector
was a pretty snug fit. As you can see from the completed picture, the hole was
centered right over the middle of the unpopulated DB9 port.
Rear view of new connector hole.
Inside chassis view of new connector hole.
Pigtail installed with PCB
5. When you drill the hole make sure you drill it just a little bit smaller than
it needs to be, then, using a file, gently file until you get an extremely SNUG
fit. It should almost feel like a press fitting when you install the connector with
pigtail. Note: with the TNC pigtail, we mount the bulkhead connector in an unorthodox
way. This is because there is not enough room above the PCB to fit the base of the RF
connector. The SMA bulkhead connector fit perfectly and is mounted correctly.
MMCX Rt.Angle, male to TNC, bulkhead, female Pigtail
TNC Pigtail installed.
6. With the pigtail bulkhead connector, whether SMA or TNC, now installed, we can
maneuver the PCB back into the bottom chassis. If you removed the PCMCIA radio
card, be sure to reinstall it. When installing the PCB, be sure to thread the MMCX
end of the pigtail under the PCMCIA card holder. If you don't do this you will
have to remove the board and do it again. The picture below shows the final reassembly
with the pigtails installed in the proper antenna ports. When re-attaching the
MMCX connectors to the radio, remember that the PRIMARY port is the port facing
the front of the unit. In most instances you will want to leave the internal antenna
disconnected and have the pigtail connected to the primary port. Connecting the
integrated antenna to the other jack will cause very bizarre behavior depending
on the environment you are operating in. You can always remove the integrated
antenna and drill out an area to install an external connector there; there is
more room there to accommodate larger RF connectors. We modified the AP3 chassis this
way so that, if need be, we can switch the unit back to the internal antenna if it is redeployed.
Newly installed external RF connector.
7. Carefully snap the front face cover back into the bottom chassis, install
the top cover, and screw it together.
Summary and Conclusion
We found that the Senao AP3/CB3 was a very adaptable hardware platform to use in
infrastructure mode. The ability to re-program the unit based on the
requirements of the site, without constantly having to purchase new equipment,
makes this item valuable to those on a tight budget who don't want
to be left playing with all the crappy cheap 802.11 gear on the market these days.
We didn't go into pigtail construction in this project because it is very difficult
to solder and crimp the MMCX Rt. Angle connectors. There is a press-fit disk that
you need a press to properly set into the connector housing, and we find that
most people do not have the soldering skills or equipment required to attach the center conductor
of the coax to the center pin post in the MMCX Rt. Angle connector housing.
We suggest purchasing a pigtail from your favorite custom cable company. We purchase
all of our custom pigtails here.