Bringing OpenWrt to the Mikrotik hAP lite (RB941-2nD-TC)

In a previous post I described the Mikrotik hAP lite (RB941-2nD-TC) and its RouterOS and already suggested that I prefer to run OpenWrt on it. Because Mikrotik routers behave a bit differently from the usual TP-Link, GL.iNet etc. devices and because there were some pitfalls I had to master myself, here’s some advice to keep you out of this trouble. I tried to reflect this in the OpenWrt Wiki as well, but maybe you prefer a consistent blog post; at least I’d do so, so here you go.

Back up your RouterOS license beforehand

The RB941-2nD-TC comes with a RouterOS license pre-installed that will be lost if you flash OpenWrt on it. Should you ever want to go back, you will need that license, so back it up before flashing. There is a special OpenWrt wiki page for this process.

Building your own firmware vs. downloading a stock firmware

At the time of this writing, the router’s OpenWrt Wiki device page suggests building an OpenWrt firmware yourself. This is outdated information, as you can use one of the provided images on downloads.openwrt.org just fine. The page has not yet been updated in this regard.

Stable release vs. development snapshot

For older models such as the RB941-2nD (without -TC), the latest stable release version, 18.06.2, would be a good choice. If you have one of the first RB941-2nD-TC routers manufactured, this might apply, too. However, at least on my units purchased in March 2019, I got struck by a missing wan interface because the switch was not set up correctly. This is due to a changed model string in the flash: /proc/cpuinfo’s model string shows “RouterBOARD RB941-2nD” instead of “RouterBOARD 941-2nD” as with older routers (notice the two letters “RB”).

A patch for this was merged on February 4th, 2019, but the latest stable release, 18.06.2, was released on January 31st, so even if it had found its way into the 18.06 branch, it would have come too late. You therefore currently need a development snapshot. This sounds worse than it is; so far I have not had any trouble with development snapshots.

Finding the right files to download

In contrast to common TP-Link routers such as the Archer C7 variants, where you flash an OpenWrt firmware provided in a vendor-specific format from within the running vendor firmware using the vendor firmware’s update mechanism, the bootloader in MikroTik routers supports a mode in which it attempts to boot into firmware retrieved over the network (netbooting). This is not a recovery mode as in the TP-Link routers, where the firmware retrieved over the network doesn’t become active until after having been written to flash. In fact, with the MikroTik bootloader, it doesn’t get written to flash at all but runs right out of the RAM, similar to PXE booting on your x86 PC.

This is nice in that you can safely try out the OpenWrt build first: if anything goes wrong, simply power-cycle the router to return to the original RouterOS firmware. It does however also mean that there is a second step if you want OpenWrt to persist: since you did already netboot into OpenWrt, we can use its sysupgrade command instead of a vendor-specific firmware update mechanism to do the actual flashing. This does however require you to download the OpenWrt firmware a second time, this time in a format compatible with sysupgrade.

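Both files can be found in the /snapshots/targets/ar71xx/mikrotik/ directory (updated nightly, be sure to download both at the same time to avoid confusion):

  • openwrt-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin (for netbooting)
  • openwrt-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin (for flashing with sysupgrade)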
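
Before netbooting or flashing, it is worth confirming that both images are intact and come from the same nightly build. The following is an added example, not part of the original post or the OpenWrt Wiki; it assumes the sha256sums file from the same snapshot directory was saved next to the two images, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check both OpenWrt images against the sha256sums file
# downloaded from the same snapshot directory (assumption: it sits in DIR).

INITRAMFS=openwrt-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin
SYSUPGRADE=openwrt-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin

# expected_hash SUMFILE NAME: print the hash listed for NAME, if any.
# Lines look like "<64 hex digits> *<filename>"; the "*" marker is optional.
expected_hash() {
    awk -v name="$2" \
        '{ f = $2; sub(/^\*/, "", f); if (f == name) { print $1; exit } }' "$1"
}

# verify_images DIR: return 0 only if both images exist in DIR, are listed
# in DIR/sha256sums, and hash to the listed values.
verify_images() {
    dir=$1
    rc=0
    if [ ! -r "$dir/sha256sums" ]; then
        echo "missing $dir/sha256sums" >&2
        return 2
    fi
    for img in "$INITRAMFS" "$SYSUPGRADE"; do
        want=$(expected_hash "$dir/sha256sums" "$img")
        if [ -z "$want" ]; then
            echo "NOT LISTED $img" >&2; rc=1; continue
        fi
        if [ ! -r "$dir/$img" ]; then
            echo "MISSING    $img" >&2; rc=1; continue
        fi
        have=$(sha256sum "$dir/$img" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK         $img"
        else
            # Typical cause: the image and sha256sums are from different nightlies.
            echo "MISMATCH   $img" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Run `verify_images .` in the download directory. This catches corrupted downloads and mixed nightly builds; it does not authenticate the images unless the sha256sums file itself has been verified against OpenWrt’s signature.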

Using the right Ethernet port

The RB941-2nD-TC has four ports of which one is marked “Internet” and three are marked “LAN”. One pitfall is that you need to use the right ports for the different steps of the flashing process:

  • The bootloader only boots from the “Internet” port, so for the first step of netbooting OpenWrt you need to connect your PC or laptop to this port.
  • OpenWrt however by default blocks all access on its “WAN” interface which is mapped to the “Internet” port, so you will need to move the Ethernet cable to one of the LAN ports for the following steps of SSHing into OpenWrt and actually flashing OpenWrt.

Netbooting OpenWrt

Netbooting OpenWrt on the RB941-2nD-TC is a two-step process:

  1. First you need to set up your PC or laptop to answer BOOTP and TFTP requests and supply the *-initramfs-kernel.bin file downloaded above.
  2. Then you need to bring the router into netbooting mode.

PC/laptop setup

For the first step, we can use dnsmasq. After installing it you can use a script such as the following (based on the one on the Wiki’s device page and assuming em1 is the right Ethernet interface):

#!/bin/bash
# Serve the initramfs image over BOOTP/TFTP from the current directory.
USER=$(whoami)
# Static address for the PC/laptop side of the link.
sudo /sbin/ip addr replace 192.168.1.10/24 dev em1
sudo /sbin/ip link set dev em1 up
# -p0 disables dnsmasq's DNS server; only DHCP/BOOTP and TFTP are needed.
sudo /usr/sbin/dnsmasq --user="${USER}" \
                       --no-daemon \
                       --listen-address 192.168.1.10 \
                       --bind-interfaces \
                       -p0 \
                       --dhcp-authoritative \
                       --dhcp-range=192.168.1.100,192.168.1.200 \
                       --bootp-dynamic \
                       --dhcp-boot=openwrt-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin \
                       --log-dhcp \
                       --enable-tftp \
                       --tftp-root="$(pwd)"

Note that you might additionally have to add suitable rules to your PC/laptop’s firewall. As I only flash for a short amount of time where the laptop has no other network connectivity, I’m just lazy and shut it down completely.

Also, if dnsmasq complains at startup that it can’t find the --tftp-root directory, this might be due to security frameworks such as AppArmor that prevent dnsmasq from using a custom location. In this case sudo /usr/sbin/aa-teardown is one quick and dirty solution.

Bringing the router into netboot mode

To bring the router into netboot mode:

  1. Make sure the router is powered off. I recommend not unplugging the Micro USB connector but unplugging the power supply from the power outlet instead.
  2. Rotate the router so that all ports face upwards.
  3. With one hand using a screwdriver or another device with a small tip, press on the “Reset/WPS” button and keep it pressed. You could also simply use a finger but because of the proximity to the Micro USB port this would require a very small finger.
  4. With the other hand, plug the power supply into the power outlet again.
  5. The “Pwr” LED will light up. Keep the “Reset/WPS” button pressed.
  6. The “Pwr” LED will start blinking for some seconds. Keep the “Reset/WPS” button pressed.
  7. The “Pwr” LED will light up steadily again. You still need to keep the “Reset/WPS” button pressed.
  8. Only when the “Pwr” LED finally turns off, release the “Reset/WPS” button.
  9. Observe the output on your PC/laptop. dnsmasq should not only show you the router’s BOOTP requests but also the TFTP download. It doesn’t really tell you when the download has finished, though, so give it some time or run Wireshark in parallel.

Once you are sure that the download has finished, move the Ethernet cable to one of the router’s LAN ports as described above and try running ping 192.168.1.1 until you get a reply. You should then be able to ssh in shortly after. Notice that development snapshots of OpenWrt do not include the LuCI web interface by default, so you won’t get a reply on port 80 unless you install LuCI manually.

Flashing OpenWrt

Once you’re convinced that things look good and OpenWrt should persist across reboots, the flashing process is rather easy:

  1. From your PC/laptop, scp the sysupgrade firmware file over to the router’s /tmp directory. Do not use / or /root as target directory since you don’t want the file to persist and take up valuable space in the flash filesystem.
  2. Then ssh into the router and run sysupgrade /tmp/openwrt-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin.
  3. In contrast to devices such as the TP-Link Archer C7 where you get at least some feedback on the flashing process, the SSH connection will now close and the router will reboot into the bootloader, which will take care of the flashing. This can take up to a minute, so be patient, observe the router’s LED, and after a while run ping 192.168.1.1 to see if OpenWrt is back alive, this time booted from flash.

You’re now ready to configure the router to your needs, a topic on which I’ll write another blog post some time.