ZyXEL AG-225H WiFi Finder
(similar to Linksys WUSB54G)


[ZyXEL WiFi Finder/Adapter]



Introduction

I found a new WiFi Finder & Adapter available for sale for about $75*.  When operating on its own internal battery, this small dongle listens for all available WiFi base stations.  After a few seconds, the tiny LCD screen shows you the name of each base station, its type, signal strength, channel, and encryption protocol (if any).  This is handy for conducting audits in a work area to make sure that no employee has set up a rogue base station that could compromise the security of the whole network.  It also makes finding a public access point easier when traveling.  When plugged into a laptop, it becomes a WiFi adapter.  Even if your laptop has built-in WiFi, this dongle can be connected through a short USB cable and placed where the signal is better.
* Update 2/2006 - I've seen the Trendnet version available for $40 after rebate.
As sold, this product is very useful.  But, as a self-contained computer with a WiFi connection, I think this product could be made to do even more. For example, it may be possible to modify the firmware in the device to make it automatically connect to any public WiFi station and download news headlines, weather, or text messages -- all without lugging around a PDA or computer. It could also serve as an uplink for data collection - for example, weather stations in the back yard could post the latest readings onto the internet.

There is only one way to know how expandable this product is -- to analyze its design.


Preliminary Analysis
The device has three controls: an on/off switch, a Seek button, and a Next button. During normal operation, the Seek button causes the device to re-scan the area, while Next cycles through the available base stations.  However, these two pushbuttons have two other purposes: holding down Seek while turning the power on enters a self-test mode. Holding down Next while turning on the power enters a firmware upgrade mode(!).

Next, let's take the thing apart -- here are the photos from my disassembly.

The main chip is ZyDAS ZD1211 -- the same chip used in many 802.11a/b/g USB dongles.  As you can see from the finder's block diagram, there is a lot in there:


Block Diagram


An Atmel AT24C64A Serial EEPROM provides 8kB of memory for the ZD1211.

My initial thought was that the 16-bit interface would connect to the LCD screen and the buttons, while all new functionality would be handled by specialized software --  all that would be needed to change the functionality would be a firmware upgrade.  But, this isn't the case.

There is a 10-pin connector that links the two boards in the system. 2 pins are ground, 1 pin is power, 4 pins connect the ZD1211 to the lower board, 2 pins connect the USB interface to the lower board, and 1 pin looks unused.

During the disassembly, I disconnected the two boards and turned on the power. To my surprise, the lower board (which connects to the battery and has the LCD and switches attached) powered up and acted pretty normally (except that it didn't find any signals, of course!)... I thought that the large chip on that board was just an LCD controller, but it turns out it must be a microcontroller.  Closer inspection of the LCD showed that it had a controller built into the flex (known as chip-on-glass construction), so just a few pins are needed to control it.

The WHFX30 chip on the lower display board seems to be a custom chip - there were no references on the web, and it is close to the custom label on the PC Board - WHF-430X.  It uses a 22.118 MHz clock -- this odd frequency is commonly used to generate standard serial rate clocks (9600, 19200, 115200, etc.), so that's a hint that the two processors communicate serially.

The battery is a lithium-ion polymer battery from High Energy battery company. The H602025 stores 240mAh at 3.7 volts.  (datasheet of the slimmer H402025). This is about the same stored energy as a NiMH AAA battery, but at only 75% of the volume, 45% of the weight (mine weighed 5.3868g), and a higher voltage that is easier to use. It would be easy to reuse in other projects.


Connector Pinout
The upper board is interesting because the PC board has twice as many holes as it needs:

ZyXEL AG-225H Connector pinout

There are a pair of 10-pin connectors and a pair of USB connectors -- only one set is populated.  The board is also scored, so by breaking it there (and moving the USB connector), you might be able to convert this to just a USB WiFi adapter.


Pin   J2 (not populated)     J1 (to lower board)
 1    unknown_1              unknown_1A
 2    scanning               scanning
 3    start                  start
 4    GND                    GND
 5    GND                    GND
 6    USB Data               USB Data
 7    serial_from_ZD         serial_from_ZD
 8    USB Data               USB Data
 9    serial_to_ZD           serial_to_ZD
10    Power to ZD1211 (3v)   USB Power In (5v)

(Note: connector designation and pin numbering was not marked, so I picked arbitrary references)

Eight of the ten pins on the two connectors are wired to each other. Pin 1 is different on the two connectors (use unknown). The two pin 10s are connected with a diode so that the device does not provide power out the USB connector when running on battery power.

Signal           Description
unknown_1        A little pulse at radio turn-on and turn-off, but it doesn't look like a digital signal.
unknown_1A       Mostly on during reception, but turns off and on a lot. Not data, but some sort of control.
scanning         This is high when scanning, low when not. May be used to drive the LED.
start            A 500 msec high pulse at the beginning of scan; quiet otherwise.
serial_from_ZD   Serial data from ZD1211 to WHFX30, 115200 baud. Many packets of fixed size are sent during scanning.
serial_to_ZD     Serial data from WHFX30 to ZD1211, 115200 baud. During scanning, single bytes are sent. Occasionally bigger packets are sent.

The USB interface is not used by the WHFX30 to talk to the ZD1211.

When in the "update firmware" mode, the WHFX30 sends a few multi-byte packets not seen in normal operation. This is probably asking it for USB data.

Liquid Crystal Display
The LCD is a graphical LCD with a Sitronix ST7565 controller chip built onto its flex connector. This arrangement is advantageous in a couple of ways.

First, LCD displays must be constantly refreshed to avoid damaging them -- this controller does that so the microcontroller can concentrate on other things. You can see this when you turn off the unit: the controller stops refreshing the display and a few lines stay lit up for a few seconds.

Second, the controller reduces the number of wires needed to connect to the microcontroller.  The controller connects 128 wires on the glass to about a dozen on the microcontroller. Often the cost of an IC's package can be almost as much as the silicon inside it. Adding 128 pins to the microcontroller would probably double or triple its price.

Third, a controller can have additional memory to store the fonts displayed. That's not the case for this display, but it's true for most of the character-based displays. Again, a possible cost reduction.

A variety of font sizes are used, but the smallest font -- used during the firmware upgrade mode -- makes it easy to calculate the resolution. This font shows 16 columns x 4 rows of characters at 6x8 pixels each. This works out to 96x32 pixels total. Knowing this can help identify the graphics in the microcontroller's memory.

This 96x32 resolution also jibes with the part number... I didn't record all of it before putting the device back together (whoops), but the picture shows it starts with something like "PG9632AR..."

Besides the 6x8 font, there is another complete font in use: the big 8x16 font used to display SSID names and the words "..Scanning..". Only 12 columns x 2 rows of this font would fit on the screen.  I couldn't find this in the firmware update (below) and it doesn't seem to be built into the most common controller chips.

Interestingly, the PC Board has pads to mount 3 LEDs to illuminate the LCD screen. These are unpopulated, but could be used if the corresponding resistors are also installed.

Firmware Updates
At the end of 2005, ZyXel released their first firmware upgrade for this product - version 1.0.2.56. (This file was unavailable for some time while they moved it to a different server.)  The executable AG225H_v10256FCC.exe can be unzipped - it contains a file called "WHF430X_v10256FCC.bin" that seems to be the firmware for the display board.  It is exactly 32KB in size and seems to be approximately 96% full. It contains the text "ZyDAS" and "USB2.0 WLAN" (which seem to be USB-related) and "..Scanning.." (which appears on the LCD screen), so it appears this file contains code for both chips.

Interesting portions of Firmware v10256FCC
bytes 0E and 0F may be a checksum
0000  55 4d 44 41 01 01 01 01  00 02 00 38 1f e0 23 4c  |UMDA.......8..#L|

0010  37 32 33 30 5f 32 30 30  35 2f 31 30 2f 32 37 00  |7230_2005/10/27.|
0020  0a 95 d2 07 00 ee c1 d4  00 ee 0f 9f 95 f8 10 48  |...............H|
0030  10 00 06 00 00 00 00 00  55 66 66 66 00 00 70 70  |........Ufff..pp|
0040  70 70 70 70 70 70 70 70  70 70 70 70 00 00 60 60  |pppppppppppp..``|
0050  60 60 60 60 60 60 60 60  60 60 60 60 00 00 ff 07  |````````````....|
0060  00 00 12 01 00 02 ff ff  ff 40 ce 0a 11 a2 10 48  |.........@.....H|
0070  10 20 00 01 04 03 09 04  00 00 00 00 00 00 50 50  |. ............PP|
0080  50 50 50 50 50 50 50 50  50 50 50 50 00 00 40 40  |PPPPPPPPPPPP..@@|
0090  40 40 40 40 40 40 40 4a  4a 4a 4a 50 50 00 40 40  |@@@@@@@JJJJPP.@@|
00a0  40 40 40 40 40 40 40 40  40 40 40 40 00 00 40 40  |@@@@@@@@@@@@..@@|
00b0  40 40 60 40 40 40 70 90  90 90 90 90 90 00 40 40  |@@`@@@p.......@@|
00c0  40 40 40 40 40 40 40 40  40 40 40 40 00 00 40 40  |@@@@@@@@@@@@..@@|
00d0  40 40 50 38 38 38 60 80  80 80 80 80 80 00 0c 03  |@@P888`.........|

USB text strings?    
00e0  5a 00 79 00 44 00 41 00  53 00 00 00 00 00 00 00  |Z.y.D.A.S.......|
00f0  00 00 00 00 18 03 55 00  53 00 42 00 32 00 2e 00  |......U.S.B.2...|
0100  30 00 20 00 57 00 4c 00  41 00 4e 00 00 00 00 00  |0. .W.L.A.N.....|
0110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 88 88  |................|
0120  88 88 88 88 88 88 88 88  88 88 08 91 ff ed 09 93  |................|

0fa0  01 00 88 98 90 9a 00 00  00 00 00 00 00 00 00 00  |................|
0fb0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
1000  02 00 08 ec 00 00 ed f7  12 00 00 00 00 00 00 00  |................|

1ff0  00 00 04 83 01 00 01 84  08 14 02 84 98 80 00 00  |................|

2000  55 4d 44 41 00 00 00 01  00 02 00 38 1f e0 b1 64  |UMDA.......8...d|
2010  32 32 33 30 5f 32 30 30  35 2f 30 39 2f 30 35 00  |2230_2005/09/05.|

The same USB text strings as above, and so is much of the data ... is this an alternate profile?
20e0  5a 00 79 00 44 00 41 00  53 00 ff ff ff ff ff ff  |Z.y.D.A.S.......|
20f0  ff ff ff ff 18 03 55 00  53 00 42 00 32 00 2e 00  |......U.S.B.2...|
2100  30 00 20 00 57 00 4c 00  41 00 4e 00 ff ff ff ff  |0. .W.L.A.N.....|

2f90  08 0b 01 00 40 f0 b1 fe  88 98 90 9a 88 da 08 0b  |....@...........|
2fa0  01 00 88 98 90 9a 00 00  00 00 00 00 00 00 00 00  |................|
2fb0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
3000  02 00 08 ec 00 00 56 f7  98 00 00 00 00 00 00 00  |......V.........|

3fd0  04 83 01 00 01 84 08 14  02 84 98 80 00 00 00 00  |................|
3fe0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*

4000  55 4d 44 41 05 01 01 01  00 02 00 38 3f e0 6e 33  |UMDA.......8?.n3|
4010  32 30 30 35 2f 31 31 2f  31 31 00 00 00 00 00 00  |2005/11/11......|
4020  78 7f e4 f6 d8 fd 75 81  a1 02 76 fb ff ff ff ff  |x.....u...v.....|
4030  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
4070  02 76 fb 22 ff ff ff ff  ff ff ff ff ff ff ff ff  |.v."............|
4080  32 ea 8b d0 22 12 40 80  85 d0 0b 75 d0 08 fa c2  |2...".@....u....|
4090  8c e5 8a 24 f7 f5 8a e5  8c 34 d8 f5 8c d2 8c ed  |...$.....4......|

4550  f0 d0 e0 32 ff ff ff ff  ff ff ff ff ff ff ff ff  |...2............|
4560  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*

4800  85 0e 4f 85 0f 50 75 51  00 75 52 00 75 53 00 c2  |..O..PuQ.uR.uS..|
4810  0a c2 0b c2 0c c2 0d c2  0e 85 50 82 85 4f 83 e0  |..........P..O..|
4820  64 aa 60 03 02 50 2f a3  e0 54 fc 60 03 02 50 2f  |d.`..P/..T.`..P/|


5ba7-5c06 top     \
5c07-5c66          \ This has the graphics for the
5c67-5cc6          /  "Wifi finder" power-on screen.
5cc7-5d26 bottom  /

5d27-5f01 has a 5x8 font table (with upper and lower cases).
          The lowercase 'p' is unusual because it is sickle-shaped
          (example in the word "Upgrading" in this picture) :

          5eb7 ..######..##....
          5eb8 ......##..##....    rotated 90 degrees
          5eb9 ......##..##....
          5eba ......##..##....    two characters per pixel
          5ebb ........##......

5f25-5f9c has the inverted 0-9 fonts used to show the channel numbers
6029      has a battery symbol
60dd-60ff has the lower half of the "WPA" symbol, rotated 90 degrees.
6141-6171 are the "F", "D" and "S" operating mode symbols.
6191-619f is the "CH:" (channel) symbol

62f1-632e top half    \  the "FULL" battery symbol,
633e-637c lower half  /  used when charging.

6380  f0 f8 fc fe ff ff ff ff  ff ff ff ff ff 25 32 64  |.............%2d|
6390  2f 25 64 00 25 64 00 20  00 20 4e 6f 20 53 65 72  |/%d.%d. . No Ser|
63a0  76 69 63 65 20 00 2e 2e  53 63 61 6e 6e 69 6e 67  |vice ...Scanning|
63b0  2e 2e 00 28 48 69 64 64  65 6e 29 00 20 31 2f 25  |...(Hidden). 1/%|
63c0  64 20 00 2e 2e 53 6c 65  65 70 69 6e 67 2e 2e 00  |d ...Sleeping...|
63d0  3f 00 58 01 fa 00 64 00  02 30 02 30 02 30 02 30  |?.X...d..0.0.0.0|

7a70  58 75 ab 50 3b 12 7a 1d  02 7a 43 ff ff ff ff ff  |Xu.P;.z..zC.....|
7a80  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
8000
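As an added example (my code, not the author's), here is the 'p' glyph at 5eb7-5ebb decoded from the page's picture, plus a lookup for any glyph in the table. Two things are my inference from the page's own numbers, not stated on it: the font bytes are column-major with bit 0 at the top (the ST7565 page-addressed RAM layout, which is why the picture looks rotated 90 degrees), and 5d27-5f01 is 475 bytes = 95 glyphs x 5 bytes, i.e. the printable ASCII range 0x20-0x7e in order, which is consistent with 0x5d27 + ('p' - 0x20) * 5 == 0x5eb7.

```python
"""Decode the rotated 5x8 'p' glyph and locate glyphs in the font table.

Added example, not the author's code.  Assumptions (see lead-in): one byte
per 8-pixel column, bit 0 on top, 95 five-byte glyphs for ASCII 0x20-0x7e
starting at 0x5d27.  PICTURE_5EB7 is transcribed from the page; the bytes
are derived from it, not read from the firmware file.
"""

FONT_BASE, FONT_END, GLYPH_WIDTH = 0x5D27, 0x5F01, 5

PICTURE_5EB7 = [  # the page's rendering: one font byte per line, two chars per pixel
    "..######..##....",  # 5eb7
    "......##..##....",  # 5eb8
    "......##..##....",  # 5eb9
    "......##..##....",  # 5eba
    "........##......",  # 5ebb
]


def picture_to_bytes(lines: list) -> bytes:
    """Convert two-chars-per-pixel rows back to bytes (leftmost pair = bit 7)."""
    out = []
    for line in lines:
        pixels = [line[i:i + 2] == "##" for i in range(0, 16, 2)]
        out.append(sum(on << (7 - i) for i, on in enumerate(pixels)))
    return bytes(out)


def render_columns(cols: bytes, height: int = 8, lsb_top: bool = True) -> list:
    """Render column bytes as text rows, top row first; '#' is a lit pixel."""
    rows = []
    for r in range(height):
        bit = r if lsb_top else height - 1 - r
        rows.append("".join("#" if (c >> bit) & 1 else "." for c in cols))
    return rows


def glyph_offset(ch: str) -> int:
    """File offset of the 5-byte glyph for one printable ASCII character."""
    code = ord(ch)
    if not 0x20 <= code <= 0x7E:
        raise ValueError(f"no glyph for {ch!r}")
    off = FONT_BASE + (code - 0x20) * GLYPH_WIDTH
    assert off + GLYPH_WIDTH - 1 <= FONT_END  # '~' ends exactly at 0x5f01
    return off


if __name__ == "__main__":
    cols = picture_to_bytes(PICTURE_5EB7)
    print("bytes at %04x:" % glyph_offset("p"), " ".join("%02x" % b for b in cols))
    print("\n".join(render_columns(cols)))  # shows a 'p' with a descender
```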


There appear to be four distinct areas of memory. This is indicated by "filler" bytes that are used to start new sections at round-numbered addresses, and also by the repetition of the "UMDA" bytes.  Also, the ZD1211's serial EEPROM is 8kB, and that fits neatly with the size of two of the sections.

The partitioning I'm assuming is:

File Address       Description             Extracted Version Number                Notes
0000-1FFF (8 kB)   Serial EEPROM Image 1   UMDA 7230_2005/10/27                    Similar to code found in zd1211-WS11Ub.fw
2000-3FFF (8 kB)   Serial EEPROM Image 2   UMDA 2230_2005/09/05                    Similar to code found in zd1211-WS11Ub.fw
4000-47FF (2 kB)   Serial EEPROM Image 3   UMDA 2005/11/11                         (I suspect this is a partial image or has limited functionality)
4800-7FFF (14 kB)  WHFX30 Code             version is not coded as a text string



There are a couple of graphical images to look for (like the startup screen and the "WEP" icon), and there may be a font table (Alternatively, the font table may be in the LCD controller). Locating these pictures should tell if a section of code is used by the WHFX30 or by the ZD1211.

The C-style format string at $638D ("%2d/%d.%d") indicates that a C compiler was used. Because assembly language is more compact than C, it should be possible to add more functionality to the device (subject, of course, to whatever the processor that executes this code can do).

Firmware Disassembly I
Here's some data from a suspected EEPROM Image area that looks like it could be code for the ZyDAS controller:
 
1150:  c2 92 51 95 5a 95 02 93  c5 a2 c8 d2 09 93 a0 01  |..Q.Z...........|
1160:  c8 d2 40 f0 c6 f7 42 00  42 00 88 98 90 9a 88 da  |..@...B.B.......|

Disassembling this by hand into 8051 code, we get:

Starting at byte 0 (c2):

C2 92 - CLR bit address
51 95 - ACALL xx95
5A    - ANL A, R2
95 02 - SUBB A, data addr   <- lines up with the "95 02" of the second attempt

Starting at byte 1 (92), which lines up with the first attempt at "95 02":

92 51 - MOV bit address, C
95 5a - SUBB A, data addr
95 02 - SUBB A, data addr
93    - MOVC A,@A+DPTR
c5 a2 - XCH A, data addr
c8    - XCH A, R0
d2 09 - SETB bit address
93    - MOVC A, @A+DPTR
a0 01 - ORL C, /bit ADDR
c8    - XCH A,R0
d2 40 - SETB bit addr
f0    - MOVX @DPTR, A
c6    - XCH A, @R0
f7    - MOV @R1, A
42 00 - ORL data addr, A

... doesn't look promising yet, so this code is probably for another type of processor -- which makes sense; the 8051 wouldn't make a good baseband controller.

The earlier ZD1201 uses an ARM processor (at least according to the picture), so it's a good bet that the ZD1211 uses one, too.

Two other places to check for more information:
Both sources include firmware uploads for the ZD1211 - these can be compared to the the update file.

Another clue is a line in the zd1211.c driver file that has a snippet of zd1211 code:

      { 0x0F, 0x9F, 0x00, 0xEE };  // JMP 0xEE00

Thanks to Niel for finding this low-level ARM and Thumb documentation:  Atmel Thumb info and ARMv5T specs.  It didn't help disassembling the JMP instruction, but there is still a larger body of code I have to check it against.


Firmware Disassembly II
And here's some data from the suspected WHFX30 area:

6eb0:  e6 75 f0 0a a4 24 21 fd  7b ff 7a 63 79 24 75 55  |.u...$!.{.zcy$uU|
6ec0:  00 75 56 04 7f 01 7e 00  12 79 44 78 8a e6 75 f0  |.uV...~..yDx..u.|
6ed0:  0a a4 24 21 fd 7b ff 7a  63 79 72 75 55 00 75 56  |..$!.{.zcyruU.uV|
6ee0:  04 80 23 7b ff 7a 62 79  f1 75 55 00 75 56 3e 7d  |..#{.zby.uU.uV>}|

This data looks repetitive, so hopefully it disassembles into something meaningful.

Hand disassembling into 8051 code, we get:

e6         MOV A,@R0
75 f0 0a   MOV $F0,#$0A
a4         MUL AB
24 21      ADD A,#$21
fd         MOV R5,A
7b ff      MOV R3,#$FF
7a 63      MOV R2,#$63
79 24      MOV R1, #$24
75 55 00   MOV $55,#$00
75 56 04   MOV $56,#$04
7f 01      MOV R7,#$01
7e 00      MOV R6,#$00
12 79 44   LCALL $7944
78 8a      MOV R0,#$8A
e6         MOV A,@R0
75 f0
...

This looks like it could be valid code! It looks like it is setting up registers (R1,2,3,5,6,7) in preparation for calling a subroutine.  And, just as a sanity check, let's see what is at $7944...


7941: 02 5b 23   LJMP $5b23  ... this kind of instruction is expected before a subroutine = good!

7944: 8d 51      MOV $51,R5    ;entry point
7946: ac 55      MOV R4,$55
7948: ad 56      MOV R5,$56
794a: c0 04      PUSH $04      ;actually "PUSH R4" because R4 can be at address $04
794c: c0 05      PUSH $05      ;actually "PUSH R5"
794e: 7c 00      MOV R4,#$00
7950: 7d 60      MOV R5,#$60

This code seems to be using the data that was being passed to it! Register R5 -- which was a parameter -- is saved before being used for other things.  On the face of it, the routine at that point looks like reasonable code to find at the start of a function -- a good start!
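To redo the hand disassemblies in Firmware Disassembly I and II mechanically, here is an added example (my code, not the author's): a small table-driven 8051 decoder that knows only the opcodes met above and prints them in the page's notation. The sample byte strings are copied from the dumps at 1150, 6eb0 and 7941; anything outside those opcodes comes out as DB.

```python
"""Table-driven 8051 disassembler for the opcodes this page meets by hand.

Added example, not the author's tooling.  Only the opcodes from the two hand
disassemblies are known (others are emitted as DB); operand syntax follows
the page ($hex, R0-R7, @R0/@R1).  CODE_* are the page's own dump bytes.
"""

# {d} direct address, {i} immediate, {b} bit address, {a} 16-bit address
SIMPLE = {
    0x02: "LJMP ${a}", 0x12: "LCALL ${a}", 0x24: "ADD A,#${i}", 0x42: "ORL ${d},A",
    0x75: "MOV ${d},#${i}", 0x92: "MOV ${b},C", 0x93: "MOVC A,@A+DPTR",
    0x95: "SUBB A,${d}", 0xA0: "ORL C,/${b}", 0xA4: "MUL AB", 0xC0: "PUSH ${d}",
    0xC2: "CLR ${b}", 0xC5: "XCH A,${d}", 0xC6: "XCH A,@R0", 0xD2: "SETB ${b}",
    0xE6: "MOV A,@R0", 0xF0: "MOVX @DPTR,A", 0xF7: "MOV @R1,A",
}
GROUPS = {  # opcode & 0xF8 -> form; the low three bits pick R0..R7
    0x58: "ANL A,R{n}", 0x78: "MOV R{n},#${i}", 0x88: "MOV ${d},R{n}",
    0xA8: "MOV R{n},${d}", 0xC8: "XCH A,R{n}", 0xF8: "MOV R{n},A",
}


def decode_one(code: bytes, pc: int, base: int) -> tuple:
    """Decode the instruction at code[pc] (address base + pc); returns (text, length)."""
    op = code[pc]
    if (op & 0x1F) == 0x11:  # ACALL: a10-a8 sit in the opcode, target is in the same 2 KB page
        target = ((base + pc + 2) & 0xF800) | ((op >> 5) << 8) | code[pc + 1]
        return f"ACALL ${target:04X}", 2
    if op in SIMPLE:
        fmt, n = SIMPLE[op], None
    elif (op & 0xF8) in GROUPS:
        fmt, n = GROUPS[op & 0xF8], op & 7
    else:
        return f"DB ${op:02X}", 1
    args, length = {"n": n}, 1
    if "{a}" in fmt:  # 16-bit absolute address, high byte first
        args["a"], length = f"{code[pc + 1] << 8 | code[pc + 2]:04X}", 3
    for key in ("d", "i", "b"):  # single-byte operands, in the order the 8051 encodes them
        if "{" + key + "}" in fmt:
            args[key], length = f"{code[pc + length]:02X}", length + 1
    return fmt.format(**args), length


def disassemble(code: bytes, base: int) -> list:
    """Linear sweep; an instruction cut off by the end of the dump is emitted as DB."""
    out, pc = [], 0
    while pc < len(code):
        try:
            text, length = decode_one(code, pc, base)
        except IndexError:
            text, length = f"DB ${code[pc]:02X}", 1
        out.append((base + pc, text))
        pc += length
    return out


CODE_1150 = bytes.fromhex("c2925195")
CODE_6EB0 = bytes.fromhex("e675f00aa42421fd7bff7a6379247555007556047f017e00127944788ae675f0")
CODE_7941 = bytes.fromhex("025b238d51ac55ad56c004c0057c007d60")
```

`disassemble(CODE_6EB0, 0x6EB0)` reproduces the listing in Firmware Disassembly II, and the last two bytes (the cut-off "75 f0") show up as DB $75 followed by a spurious MOVX, the usual linear-sweep artifact at a truncated dump.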



To Do

Resources


About Me
Contrary to what some people say, I'm not some nameless hacker working for the Maushammer.com website.  Sure it's a cool website name and I'd like to think that I was part of the whole Maushammer.com empire, but the truth is that it's just my last name. And my first name is John.  I'm an electrical engineer who likes to take things apart and improve them to suit my needs. While I am a former rocket scientist (actually, embedded design engineer for satellites, but that doesn't sound nearly as sexy), this isn't rocket-scientist level work. It's just for fun.


contact me: my email address is my first name (john) at my last name (maushammer) dot com.

Info on the original most recent still disposable digital camera
Info on the disposable camcorder
other systems I've played with
visit my homepage