Back to the graphical version

 Magnus Wedberg, design and photography

 
Home
Articles
Services
Photos
About
 
 

How to run DD-WRT firmware on your SparkLAN WX-6800 II without doing the JTAG flash-dance

This has got to be one of the most obscure articles I will ever write.

Yeah, that's the problem right there. Also, innocent OKI printer.
The problem
SparkLAN WX-6800 II is a pretty decent access point... oh who am I kidding, it's made of 100% unparallelled suckage. If it sucked more, it wouldn't be allowed to be called "sucky"; it would have to be called "Belkin". But! It can actually be coerced into not sucking, much more easily than you might think. A teensy weensy bit of potentially hardware-destroying hacking is however required.

The background
You know how it goes. Taiwanese manufacturer meets chinese manufacturer. One of them puts his name on the others hardware. An electronic lovechild is born. Three months later, the baby is abandoned in the woods.

What happens is that an OEM (original equipment manufacturer) sells a design to the company you think makes the stuff (in this case, SparkLAN). The latter company then modify the OEM firmware (or hire the OEM to do it for them) with their own logotypes, etcetera, and might make some features inaccessible to fit the overall product lineup; and then they just resell it. The thing is, they will have to pay the OEM for "real" updates to the firmware, meaning bug fixes and the like. This is all cost and no profit, and the smaller companies (often just pure rebranding operations, outsourcing most everything) are less prepared to pay for this. So, after some time, the product is no longer updated and you'll have to live with the bugs. This SparkLAN branded product is the exact same hardware as Linksys WAP54G v2, BeWAN WIFI AP54 Turbo and TRENDnet TEW-410APBplus. Sexy names all.

That's what she said!
The OEM of the SparkLAN is, according to Interwebs and the FCC (ID: MXF-A930209G), Gemtek. The board is marked WAPB108GL_V02. The processor is a 200MHz Broadcom BCM4712KPB, which is decent considering its age, it has two megabytes of flash memory (which is... anemic, but not the worst we've seen) and eight megabytes of RAM (likewise).

So, when was the latest firmware released?

  • SparkLAN: 2004-11-30
  • Trendnet: 2004-12-01
  • Linksys: 2005-10-31

Ouch. You can see a pattern: the two rebranding operations releasing pretty much on the same date (and with the same version numbers, actually). Linksys supported the product for another year, and they might have done some of their own programming, too; the version numbers are all different and the change logs don't match.

The latest firmware, sadly, is what sucks with this SparkLAN product. The hardware is a bit underspecified but fine (the processor is the same as in several versions of the venerable Linksys WRT-54G). The software is a pile of bugs, and the product has a hard time working for a day without hanging. This must be rectified. The logical choice is running DD-WRT on it. It's listed as supported for the "micro" distribution, which is made for such a low amount of RAM and flash memory on a Broadcom platform. Instructions only exist for the Linksys version, and, unfortunately, they don't work for the SparkLAN version.

The only "officially" supported procedure thus seems to involve JTAG flashing the firmware. This means building a JTAG adapter, which while not complicated, I'm WAY too lazy for. Come on! There has to be another way.

The solution
You can set the access point into flashing mode by shorting out two pins on the flash chip, namely pins 15 and 16. There are lots of instructions on the web, for example here. Do note that this is crazy dangerous and might destroy your equipment permanently but face it, the thing is useless anyway. You will need a TFTP utility, I used the Linksys version but you can use any TFTP utility. PEEK, but don't POKE

The SparkLAN uses a different non-standard IP address in flashing mode than the Linksys though, 192.168.1.250. Remember to set your computer to a matching IP, for example, 192.168.1.100. And if you try to send an official DD-WRT image, it won't accept it. Even if you rename it to .trx. Bummer. Why oh why, Ye Technology Gods?

It turns out that the access point checks for a specific header, just a couple of bytes at the beginning of the file, and won't even try to flash the image if this isn't correct. If you change these with a hex editor, you can flash DD-WRT in this way. I figured out what to put there from looking at the different firmware files (Trendnet/Linksys/Sparklan/DD-WRT generic) in hex, and if I can do it, so can you! Or just download the complete pre-edited image I put here for your convenience WHICH YOU SHOULD NOTE IS TOTALLY UNOFFICIAL AND UNSUPPORTED IN EVERY WAY. Then TFTP away! The version is DD-WRT v24-sp2 (08/07/10) micro (SVN revision 14896). Latest uptime for this bad boy is, as of this writing, 50 days at a busy office.

Remember

  • Some of the facts above might be slightly off. That's because I actually did this in August 2011 but only managed to write it down nine months later. Corrections to any errors would be welcomed.
  • However, I am supremely uninterested in the opinion "you shouldn't short pins or recommend others to do it!". Well, 1) I did it knowingly and proudly, and 2) I don't. Generally.
  • Timing of the TFTP process is of the essence.
  • It's not my fault. It's never my fault. You should have bought a new access point! Look, now it's broken! *makes a dramatic gesture*
  • I haven't tried actually using it as a router, but it might well be possible. My goal was for "free access point" (I got this piece of crap for free), not "router without fixed LAN ports".
  • You might want to drill some holes in the casing while you're at it, not because it seems to overheat, but because the casing has very little air flowing through it. It can't hurt.
  • I have absolutely zero idea about what will happen if you try flashing a future upgrade from the web interface, but I guess you can do the header thingy again if nothing else works.
  • Ho-ho beriberi.

 All content copyright © Magnus Wedberg 2000 - 2019