Thanksgiving week looks like it might be dedicated to continuing the project from the last hack night. Ken’s SWN Node south of me on 26th looks like the closest node to my place. Alas, there’s trees and such in between, but we’ve been playing a little bit with some old 900mhz tech, The Arlan (of doom). The product line that lead up to the Cisco Aironet’s that still kick around today was a popular platform for barcode scanners and such inventory tracking devices.
Some ol’ chap named xam ended up with a bunch of the 900mhz models and hacked around with the firmware for a bit. His pages aren’t around anymore but you can hit them up via the archive. Ken and Matt picked up a pile of these and since the last hack night we own all of them in the world (We’ll sell them back to you at $250ea btw). Anyways, we bricked a 630-900 following xam’s instructions for downgrading (most of ours started at 4.2c although they had ‘shipped firmware 2.39 stickers’). Not trusting the downloaded firmware from the archive, a few connections were hit up and we found a couple other places from filename searches. We have since reamassed a collection of arlan firmware on the swn website.
After bricking a second (the downgraded firmware installs, but then reboots, prints “Decompressing the code”, and reboots again (GOTO 10)) we tried upgrading and successfully brought it up to the latest firmware. We weren’t really sure about all of the menu settings so we tried getting a fourth working and managed to swap some parts around from the bricked radios. The product is three boards: the motherboard, a radio board and an network interface board. There are Ethernet and Token ring network interfaces which appear to be swappable. Some of the radio boards are swappable, but there are two different connectors. The odd part is that the motherboards all seem to have traces for both connections. Some of the older 900mhz radios were large and used the larger connector but we had other 900mhz radios that had the smaller radio. We successfully swapped the 900mhz off a bricked arlan into a 630-2400 (2.4ghz) model that we had that was having complaints about it’s radio anyways. (this was the one model we had working at the time).
Another model had a write password (it all seems snmp based) and last I knew we had some brute force scripts running against it.
Power supplies are scarce but we have plans to build a few now that we know the pinouts and power levels. Hopefully next hacknight we can make a bridge and start plans to actually deploy these through some trees.
Any chance to “de-brick” those units?? 🙂
i don’t think so. a few hardware-ish people have stared at them. they only have enough flash memory on board for on copy of the software. I figure if there is a way to recover them without a soldering iron it’s a matter of finding a startup mode where it will tftp from a certain IP address on boot.
Unfortunately and oddly, the full interface only supported ftp, so the chances of anything convenient like that seem slim.
That is strange but I understand what you are saying. If it only does ftp when it is working, it would be up to something special in the boot code to do tftp or serial xfer. I wonder if there is someway to get them to do something like xmodem from the serial port? I used to do firmware upgrades to ciscos and ascend stuff (especially the isdn ta’s) over the seral port. Slow but it worked.
What kind of links are you getting with these with the yagi antennas? These might be handy for some NLOS links.
Yeah. Cisco used to have a copy of IOS in ROM so even if you hosed your IOS you could boot with limited functionality and get another one up. I’m not sure about all the newer lines but I know that the 2600 dropped the boot rom, but still had rommon which supported the likes of xmodem.
whereas on the arlan, ctrl+break, random key pounding, etc, brings up not rommon like interface on boot. such a thing probably doesn’t exist.
we haven’t verified the link distance yet, still burn-in testing my plastic bag based outdoor case.
I got a couple of these linking but just using omni antennas right now.
You guys play with these bridges anymore? I got some even later firmware, version 5.29 I have loaded on mine..
not recently, i’ve still got one on my deck pointing at kens. I don’t think I have another around that’s been reflashed.
In case you ever have the need, these can be modified for POE fairly easy. Pins 4,5,7 and 8 are just “hanging” on the board, not connected to anything..
Hey – Any luck at all with the brocked Arlan 630-900’s – I have two with the same issue, the downgrade loads and goes into an endless loop of decompressing…. Is there a jtag port on any of these?
Nope. Haven’t touched any of them again and probably want. Ken and I have both moved and our arlans are in a box somewhere. Ubiquity has 900mhz cards, so it’s not really worth the time.
Thanks… I cant believe Cisco doesnt have some way to fix this … ( or Arlan )
OK, last post here is 2008-june but here it goes.
I am using a Mac (too stupid to use real computers) it has 10.5.6 in it.
It does have a terminal for doing real unix (please remember too stupid, lazy or ignorant for real computers).
How do I get into an Aironet ARLAN 630-900 900MHz Ethernet Access Point PN 200-001842-001
Or an Aironet ARLAN 631-900 900MHz Token Ring Access Point PN: 200-001843-001
My ethernet sees and connect automatically, But I am trying to connect to the other one which is connected to a Windows computer.
Eventually we want to try to connect them to 13dBi Yagi antennas and connect to a sister one mile away.
I am a novice, but fairly quick study, especially when someone says, “type xxxxxxx then hit enter and you see xxxxxx” sort of instructions.
I have been on the net for 12 hours looking for this.
Any help would be greatly appreciated.
This really isn’t a novice project as you’re trying to get them to do something they weren’t really designed for. So unfortunately I can’t tell you what to type to make them work. I wish you the best of luck.
Hi. I have 2 Aironet Arlan 631-900 – 900MHz Token Ring Access Point (PN 200-001844-001). I’m getting ready to sell them on eBay, but don’t really know much about them. Came to your sight to find out some info. Can anyone help?. Thanks.
Well, somehow ebay spoke and I listened, and now I’m determined to get these 6 Arlan 630-900 to do something interesting – if only to feel that they’re not taking advantage of me and just using me for my shelf space. I’ll let you know (If you don’t notice) how it turns out. Maybe I can talk them into helping my cell phone reception
I STILL HAVE 2 AIRONET ARLAN 631-900/900MHz TOKEN RING ACCESS POINTS UP FOR GRABS. ANY TAKERS? LET ME KNOW. THANKS
Got a pair converted to bridges! But now having trouble with figuring out all the myriad settings. So far I have set up
-1- Radio frequency channel
-2- data rate
-3- IP addresses
-4- set one of the units to ROOT
but still can not get them to bridge. Any other settings? ( send all clues to registration AT temperaturecontrolwiki DOT com please! )