Porting OpenWRT To Cradlepoint Part 1
Chances are you’ve heard of a Cradlepoint before - they are these cute little cell gateways. Essentially, you toss a SIM in it, some antennas, and power, and you have a cell connection adaptable to Wi-Fi or Ethernet so long as you have coverage. Cradlepoint (now Ericsson, I guess) makes all different types of systems, from tiny embedded gateways to vehicular systems to high-speed 5G base stations. I stumbled across them years ago with my first entry to them, the IBR600.
It was, at the time, extremely underpowered, had a slow cell modem, and in the case of the one I got, had an EU modem in it (which I didn’t know when I bought it), so using it in the States was a no-go. But I saw the potential, and a couple of years later picked up an IBR600C (its much younger sibling).
This was much better, with a faster modem and faster processor, and newer features.
But the big drag is that you need to purchase a NetCloud subscription in order to use new firmware on it. Cradlepoint only lets you download firmware up to about June of 2019 publicly (yikes - I for one do not want my car to be a rolling security vulnerability). If you want newer, you need to get a NetCloud subscription, and even worse, if your license lapses, your modem will stop passing traffic until you re-license it, which is a huge drag. That said, the subscriptions are actually incredibly reasonable even for us mere mortals who don’t have daddy business bucks to spend - for the IBR600C it’s to the tune of ~$80 a year. While incredibly reasonable, it doesn’t provide a ton of value to me. As far as I can tell, there aren’t a ton of new features (at least that I would use), and there are a number of things I would still miss, like WPA3 (though hardware support is TBD on a few of these) or support for fancy new VPNs like WireGuard or an overlay VPN like Tailscale or ZeroTier.
I thought for a while about trying to fake the license, but that is RSA-signed, so there is no way for me to make my own without running custom firmware. Which made me think: how hard is it to put custom firmware (OpenWRT) on these? Turns out, it’s already been done (sort of). Mr. Vegan Transistor on GitHub did some security research on the IBR600C a while back and found that the firmware images are not only not encrypted, but not signed either. This means that pushing in a custom firmware image should be extremely trivial once I can get to a U-Boot console.
A lot of the building blocks for OpenWRT are there already - the chipsets in a lot of the newer modems are actually supported by another type of device in OpenWRT, so ideally it should be relatively straightforward to make a distro for it. From what I’ve gathered, my steps are basically:
- Re-flash SPI flash to enable the U-Boot console
- Build baseline image for the target chipset
- Push image in via TFTP (I should really take a backup first)
- Debug any missing/broken peripherals (cell modem, GPS, GPIO, serial, etc.)
- Build custom firmware update file in the same format the Cradlepoints expect so that others can convert without needing to de-solder the flash chip
- Flesh out nice-to-haves (overlay VPN, GPS tracking, etc.)
Overall, it seems very achievable, and is something I am already working towards. Initially, I’m going to target the IBR600C, IBR900, IBR1700, and AER2200 (the 1700 and 2200 share a base platform, just a couple different peripherals, so it should be trivial to add the other once I have one working). I’ll post more and update when I have something cooking.