Amped Wireless AP20000G


Manuf/OEM/ODM Loopcomm

FCC approval date: 11 September 2012
(Est.) release date: 15 September 2012
UPC: 850214003423
Country of manuf.: Taiwan

ASIN: B008WJ6ISY

Type: wireless router

FCC ID: ZTT-AP20000G
Industry Canada ID: 10233A-AP20000G

Power: 12 VDC, 1 A
Connector type: barrel

CPU1: Realtek RTL8198 (620 MHz)
FLA1: 8 MiB (Macronix MX25L6406EM2I-12G)
RAM1: 64 MiB (Hynix H5PS5162GFR-S6C)

Expansion IFs: USB 2.0
USB ports: 1
Serial: yes, (38400,8,N,1)

WI1 chip1: Realtek RTL8192DR
WI1 802dot11 protocols: an
WI1 MIMO config: 2x2:2
WI1 antenna connector: RP-SMA
WI2 chip1: Realtek RTL8192CE
WI2 802dot11 protocols: bgn
WI2 MIMO config: 2x2:2
WI2 antenna connector: RP-SMA

ETH chip1: Realtek RTL8198
Switch: Realtek RTL8198
LAN speed: 10/100/1000
LAN ports: 4
WAN speed: 10/100/1000
WAN ports: 1

abgn

Stock bootloader: rtkload

Stock FW OS: Linux

Default SSID: Amped_AP_2.4GHz, Amped_AP_5.0GHz
Default IP address: 192.168.80.240
the IP 192.168.80.240 is used by 1 additional device, of which 1 is an Amped Wireless device
Default login user: admin
Default login password: admin
admin:admin credentials are used by 1021 additional devices, of which 7 are Amped Wireless devices

802dot11 OUI: F8:7B:8C (6 E, 8 W, 2012)
Ethernet OUI: F8:7B:8C (6 E, 8 W, 2012)

For a list of all currently documented Realtek chipsets with specifications, see Realtek.
Regarding third-party firmware support, the threads "Realtek SoC support in OpenWrt" and "(success) RTL8196C port status." on the OpenWrt Forum and the Realtek thread on the DD-WRT Forum may be of interest.


High Power Wireless-N 600mW Gigabit Dual Band Access Point

"LOO0070 REV: 1.3" is silkscreened on the board.

The board is using all Tocon capacitors.

The device uses 2x Skyworks (SiGe) SE5004L / 5004L power amplifiers for the 5GHz radio and 2x Skyworks (SiGe) SE2576L / 2576L power amplifiers for the 2.4GHz radio.

Device recovery

If the device has been misflashed and is unable to boot, recovery without serial access should be manageable by switching the device into recovery mode: hold the 'reset' button while connecting power until the LAN ports stay solid blue. The device is then flashable via TFTP at 192.168.1.6.

Firmware would seem to be accepted in the standard Realtek format.

You will need to split the vendor's firmware into its three constituent files (using binwalk is highly recommended) and then likely upload them in the following order:
  • the webpages bin (unk. name, don't care enough to find out now)
  • root.bin
  • linux.bin

Additionally, the firmware of other devices sharing the same board (i.e. the SR20000G and R20000G) appears to be easily flashable using this method (functionality was not tested aside from noting successful boot and persistence of previous AP mode settings).

See conjur's post on the Realtek thread on the DD-WRT Forum and, presumably, the RTK SDK code and documentation for more details.