DIR-818LW Hardware

After cracked open the casing by unscrewing the 3 screws at the bottom (under the rubber anti-skid pads) and 2 screws at the top (under the adhesive plastic ring) and removing the antennas by cutting through the hot glue, the whole PCB is out.

There is only one place which got un-populated header (JP1), so I soldered a header on it:

There are two pull-up resistors on the unknown lines, which are 4.7K and 9.9K(Probably 10K) measured. My first thought is those are for the I²C, as 4.7K is always a good value for I²C pull-ups. But why the hell they put I²C on a header along with the power line? But IF those where UART, why they put pull-up resistors?

To really find out what are those lines, I have hook them up to my logic analyzer:

I have started the capture and turned the router on and I got this:

At this point, I am pretty sure it's UART as CH1 got nothing since power on, It's impossible for an I²C bus to only have SDA activities and no SCL activity or only have SCL activities and no SDA activity. So, it's definitely CH0 is Tx and CH1 is Rx for RTL8881AB.

Next, I am going to guess the baud rate. Fortunately, Saleae Logic got a UART analyzer:

 

Now, I just have to go through the common bit rates (Hope they use a standard bit rate...).

Finally, at 38400bps...: PROFIT!

I got some readable text and I am sure I got the right bit rate!
CLK_SEL=0x00000004,DIV=0x00000000

Now, I can explore the stock firmware of the router :D

Last but not least, let's go through some of the hardware on the router:
The PCB construction is 4 layer, with top and bottom filled with ground plane.

Front:

Back:

Power section (left hand side of the front):

5GHz RF section:

Note that the marking of the RF Frontend IC is:

SKY11
85703
526YV

The last line should be date code, where the first line SKY should be stands for Skyworks Solutions, Inc.

And that's it! I am gonna start playing with the UART!