[patcat88]

I bought these routers to use as disposable APs (not routers, my DDWRTed WRT54GL works very well) until 4x4:4 N hardware comes out.

This thread
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=71960 didn't go very far. I was disappointed to learn there was were no 3rd party firmwares for this router, so I've decided to help along the process.
The FCCID for the router is VYTLP-8616, in the smallest point size in the world, with my young eyes. Loopcomm is apparently the OEM. Its a 1R1T router. The PCB has provision for 2 antennas. The 2nd blank external antenna connector would have obviously been coaxed back to the radio area since there are no traces. There are 2 chips missing, I guess they would have allowed the 2nd antenna to exist. The manual on FCC.gov says its a 1T2R router, so I guess that would've been the 2 antenna N mode. The case has no screws, if you know where to press you can open it with just your fingers

I got the serial port working. Had to solder headers on. No JTAG header on the board from the pics obviously. The middle 2 pins have no continuity to ground with voltmeter, so I guess they are NC. Power pin is 3.3v. GND is next to it. Last 2 pins are serial data. Used a USB TTL adapter to do all my work. I get the prompt at end of booting if I have the serial port attached. Thanks faceless asian firmware developers!

[patcat88]

deleted

[patcat88]

deleted

[patcat88]

deleted

[patcat88]

deleted

[patcat88]

Here is the serial port boot console and I found the tool "flash" in /bin and if you run it as "flash -all" you get a nice dump of nvram settings.

[patcat88]

Rosewill didn't post the GPL sources for the router, but I found a router manufacturer that posted the GPLed sources for the RTL8196B. Seems to include the wifi driver source code in it too, and a bunch of other source code for other realtek drivers of the router (clock/timer, CPU, interrupts, LEDs, power management, etc). The kernel in this gzip has squashfs with LZMA. Supposedly by the official LZMA project.

http://www.canyon-tech.com/support/drivers?NODE_ID=70321073952139526&ITEM=91123091053591746

You can dump the flash chip with /dev/mtd using the serial port. The begining looks like the Realtek bootloader ("version 1.4" string is same as on boot message), I also saw the config file, and I saw the bzip, and the kernel header. Notably, searching for "sqsh" didn't find anything.

edit: turns out you can run commands through the web GUI, no serial console required, goto 192.168.X.X/syscmd.asp , commands must be done in 1 line, ';' works for being able to do a cd and then an echo * on the same line

[chateau]

Not sure if this helps but the Rosewill RNX-N400 is a re-branded Engenius ESR-9850 according to the FCC ID.

The FCC ID is U2M-SR9850 which is here https://fjallfoss.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=141446&fcc_id=%27U2M-SR9850%27

According to what others have said the firmware is encrypted on the ESR-9850.

[patcat88]

different PCB