Porting OpenWRT to the Cudy R700

  • #development
  • #openwrt

I like my home network to follow the “do one thing well” philosophy. For this reason, I tend to stay away from “internet gateways” such as the ones usually an ISP will rent you for a low monthly fee (how nice of them). The problem with this hardware is that it is usually garbage. You may know as well as I do how after a pre-determined amount of time, our home networking hardware will inexplicably explode. The only solution seems to be to throw it away and buy something new. Why? We have zero visibility into the hardware and software running our home networks (and as terrifying as the thought may be, our commercial and government infrastructure as well). The biggest news I’ve heard recently is Apple’s “C1” modem - which might be the first wireless networking chip to be free of likely the same shared crusty deep WLAN networking code that as far as I know, all of the proprietary chips run in their firmware somewhere deep inside. Even our beloved ESP32 does not have a blob-free firmware available, as unbelievable as that sounds. I believe it’s due to deep regulatory compliance issues combined with patents and overall industry crustiness thanks to a few small player holding most of the cards. Thankfully we have innovators in China as well as the US such as Apple who, for their own purposes, are interested in some blob-free firmware. I don’t mean to say the Apple stuff is free, it’s proprietary, but I would not be surprised if it is also free of the standard blobs currently in our chips. All this to say - I think networking gear, particularly wireless networking gear, is in a state that could be vastly improved. IEEE seem to be happy chugging away at a new standard each year, leaving behind them a wake of half-implemented marketing jargon in a pile of proprietary firmware blobs. We don’t know what our networking gear is doing, or what is affecting it’s ability over time.

Thanks to all this mess, I follow the “do one thing well” philosophy - if your thing only has one of the nasty chips with nasty firmware blobs, then that’s a single axis it can fail on. But if your device does it all including your doorbell and smart fridge, the complexity of the failure mode vastly increases. So I have a few wireless access points, a small router running OpenWrt, and some bog-standard switches. I view Wi-Fi as “best effort” and essentially, assume it’s not going to be reliable. With that viewpoint, I’m actually quite happy with my home Wi-Fi performance. It actually works most of the time! Anything important has a wire!

I also want to learn as much about my networking gear as I can, to shine a light on all those crusty areas so at least I know why I’m throwing away a router that worked yesterday. With free (as in ‘freedom’) software such as OpenWrt, I can not only gain this important visibility into the system but also easily re-purpose hardware, keeping it out of landfills and in use. A small hobby I’ve picked up is buying old routers from the thrift store and installing OpenWrt on them. You could assemble a “mesh” (which I’ve also learned is an overloaded marketing term) network using about $50 worth of perfectly fine but otherwise e-waste gear from thrift stores or even your own closet. Instead of running out to buy the latest dongle to make your Wi-Fi not terrible, why not flash OpenWrt on your old or existing stuff, learn a little bit about it, and see if you can make it work better. I have almost an anxiety about “bringing new equipment into this world”. Sure, it’s there on the shelf at Best Buy, but if I’m not buying, the sin isn’t on me. I think about that plastic in the landfill. I heard someone say that outdoors, once you touch a piece of trash, it’s now your responsibility and I think about that with our e-waste.

I’m also a cheapskate, so I look for gear that’s cheap. This means the Ubiquiti stuff, even used, is out of the question. Cudy is a Chinese manufacturer of various wireless routers and other networking equipment. They’re similar to another favorite of mine, the confusingly named, “GL.iNet”. Both companies make affordably price consumer networking gear that really strikes a great bang-for-buck thanks largely due to their reliance on OpenWrt. They both offer a skinned version of OpenWrt. I actually like the GL.iNet skin and features quite a bit, it’s a solid value on top of the free OpenWrt in my opinion and they seem to be quite happy to comply with GPL compliance requests.

The Cudy R700 is a “Gigabit Multi-WAN VPN Router” and like most of their gear, is very well-received according the Amazon reviewers. This one is cool because, in addition to it’s single dedicated WAN and LAN ports, it’s has 3 that are able to be WAN or LAN, meaning you can do a multi-WAN setup for under $501.

Ultimately the Cudy just wasn’t flexible for what I needed and I can’t quite remember why. I think it might have had something to do with PPPoE, or maybe I just refused to use this nice of hardware locked down with their restrictive skin. It really blocks you out of a lot of stuff, and most importantly, enforces a firmware signature check when uploading a new firmware.

I settled on a MicroTik Hex-S running OpenWrt which was a journey in itself. Hardware wise, they’re pretty much identical. The Cudy has a metal enclosure and metal RJ45 jacks, but the MicroTik has a micro SD slot and a USB port. The MikroTik has been ‘ticking’ away fine, but the Cudy has been tempting me every time I open my closet. I just couldn’t let it go.

Assuming the device was nicely built but poorly secured, like most consumer grade gear is, I set out to simply hack the existing firmware to give me root access and start interacting with the base OpenWrt system already running. This proved more challenging than my skill set demands currently. I found an XSS exploit in the network device nickname input, but wasn’t able to exploit it further the underlying Luci instance. There may be another route yet, but I couldn’t find it.

I then turned to hardware exploits, starting with the UART. The UART header on the PCB needs two jumpers soldered in order to even connect to the chip, and even then, it seemed the UART was totally disabled in software. I unpacked the firmware image and seemed to find confirmation of all this. Even with an idea of the code it was running, I still could not find a way in. No root access2.

I bought one of the cheap on-board SOIC chip clips and dumpers but wasn’t brave enough to try and write anything back onto the device. I also thought it would be out of reach for most people. Ultimately, if we were going to get OpenWrt running on this device, we’d need Cudy to help us.

It’s not exactly written out anywhere I could see, other than some very useful notes on the pull requests and commits that added support for other Cudy devices to OpenWrt. It seems like the process is as follows:

  • user ports/builds a native OpenWrt image for the device
  • cudy signs one-off built firmware as an “intermediary” to remove the signature check
  • user flashes intermediary firmware, then whatever latest or stable mainline version they want

OpenWrt docs recommend finding a commit for a similar device and using that as a base for your work. I found the commit which added support for the Cudy WR2100 and found it very enlightening↗ .

Upon further review, it turns out the Cudy WR2100 and the R700 are essentially the same exact thing, with the exception of the WR2100 having 2 MediaTek WLAN chips which the R700 does not. Using that commit as a guide, I modified the 3 files needed to get a new target for the R700.

Much harder, was building the firmware itself. I ended up spinning up an Alpine Linux VM and used that as the build environment since there were good docs on installing the needed dependencies. I had a few snags along the way, one because I was building as the root user which something didn’t like. Another was with compiling cmake, which ultimately needed me to stub out a function definition. It all built and compiled, but I don’t really have any way to know if it works or not.

I’ve sent an email over to Cudy with the firmware images I built so I will update this post if and when they get back to me. More than likely my work is all wrong because I don’t actually know what I’m doing but spoiler alert - I never do!

I’ve also submitted a pull request to OpenWrt with my changes and you can monitor the progress of that here: https://github.com/openwrt/openwrt/pull/18532↗

We’ll see what all comes out of this work, but it’s fun and exciting to contribute to a new project. OpenWrt is cool and I’ve been interested in it for well over a decade now. This whole project with the Cudy started several years back as well and I’ve been actively trying to get OpenWrt on it for about 6 months. I’ve learned a lot about Linux, OpenWrt, embedded linux hardware design, router chipsets and manufacturers. It’s been a wild ride. Even if I never get OpenWrt running on this bad boy, I’ve enjoyed the journey so far!

I also streamed the bulk of the actual dev work, as well as writing this blog post, so if you’re interested in unstructured video format, check it out!

Play Video: Porting OpenWRT to the Cudy r700 router

  1. I’m not sure what secret sauce enables the multi-WAN capability. I don’t think it’s in hardware, and if it’s in software then I don’t know if that will make it to the OpenWrt build which untested as of writing. 

  2. Technically all operations in the web UI done as the root user, but the UI is locked down to only a few specific operations and enforces the firmware signature check.