Flash ar9331 for WiFi Pineapple NANO

I recently did some research on the pineapple, and found that the original device is quite expensive. I have a board with a ready-made CPU, so I wanted to try if it can be used normally. Also, I will record the pitfalls I encountered.

Official Hardware Description

WiFi Pineapple NANO

Specifications

CPU: 400 MHz MIPS Atheros AR9331 SoC
Memory: 64 MB DDR2 RAM
Disk: 16 MB ROM + Micro SD (not included. up to 200GB)
Wireless: Atheros AR9331 (wlan0) + Atheros AR9271 (wlan1), both IEEE 802.11 b/g/n
Ports: (2) RP-SMA Antenna, Ethernet over USB (ASIX AX88772A)
USB 2.0 Host, Micro SD card reader
Power: USB 5V 1.5A. Includes USB Y-Cable
Configurable Status Indicator LED
Configurable Reset Button

The nano version of the configuration looks like a very common outdated router, like the tp-link 703N. By changing the ram and rom, it should be able to be used directly.

Firmware Download and Flashing

Official Firmware Download Address

https://www.wifipineapple.com/downloads

Flashing Method

Flashing via the web interface usually fails, indicating that the board type does not match

Directly upload the firmware to the router's /tmp directory and refresh it with the command, -F does not verify the board type and forces a refresh. It is recommended to add -n to not save the configuration. Command Update After the success, configure it through http://172.16.42.1:1471/ Configuration Interface

The pitfalls I encountered

The main pitfalls are still in the configuration and activation. If you use a third-party board, if lucky, the button configuration is exactly the same as the official board, and it can be activated smoothly. The one I encountered was different.

Here, due to security configuration, you need to press the rest button on the board to continue.

If it can be solved by software, I will not touch the hardware (failed)

The first thing that comes to mind is a web program, just bypass it, hahaha.

Open the browser's debugging function to see if there is this request

Let's try burpsuit.

Intercept the return of the requestModify the return value, it looks like we can proceed to the next stepClick submit after configuration is complete, and voila~ it's gone.

Failure Analysis

There might be other verifications. Since there is a firmware, let's analyze it. Open binwalk to unzip the firmware.A prominent directoryThe management interface is right here. I checked and it's a php interface.

Locate the code position according to the interface error prompt as follows:

There is a detection function hereDirectly check if the file exists, since the ssh password is generated after configuration, we cannot use ssh to touch a file. Here is the system button listening file I looked at:It seems that we can only go with the hardware solution.

Hardware Solution

The hardware solution is actually to fix the button issue.

I checked the gpio port definition of the buttonHere you can see that the button is defined in gpio12

Check the datasheet of ar9331You can see that the gpio is on pin A56.

Compare the circuit board to find the corresponding positionI saw that a resistor is connected to the muc pin. You just need to ground the pin of the resistor arrow with a Dupont wire to trigger the corresponding button.Completed Successfully