Loftek LK5200 as an rtl-sdr server

The sacrificial offering.

I have had this router sitting in a bag for approximately 4 years. About 2 years ago, I had the idea that it would be a good platform to try to build a pineapple if it supported OpenWRT as I had already done a TP-Link MR3020 to be one, and the Loftek had a built in battery, making it easier to deploy. I went through various attempts to find a way to install OpenWRT on the device to no avail. I finally came back to the LK5200 today, and decided to dig a little deeper. To start with today, I opened the case.

You can see its bare circuits

An AR9331-AL1A is the processor that this device uses. Well, we know that it is an ARM processor, and it is very similar to the one in the MR-3020. (Exactly the same as the V1.8 of the hardware). This bodes well for me. Before I go and attempt to flash this though, let’s see what else I can find out about the device. Connecting the router to my network, the defaults are to not use DCHP and instead assign itself a static IP of, so I’ll use that address and run an nmap scan on it with “nmap -vv”. The image below shows the results.

Hmmm. These look normal. Almost.

This gives us a listing of all of the open ports. Port 53 is a DNS server (expected), port 80 is the admin interface webserver (expected), ports 139 and 445 are used for Samba shares (expected as there is a usb port for file sharing on the network), and port 8181 is … Wait, what is that? It’s up in the non-privileged area. Most times i’ve come across this port it’s another webserver. Let’s try and get to it in the browser.

Odd, it looks like a command prompt and a banner for OpenWRT.

That is interesting. It seems as if the Loftek LK5200 is already running OpenWRT. Let’s try connecting to the same address and port with telnet using telnet 8181

Well, that was easier than I thought it would be.

Now I have access to the root shell on the router. First thing to do is update the package listing because I don’t believe it has ever been done. This is accomplished with opkg update . Once done, I install rtl_sdr with opkg install rtl_sdr. This installed all of the tools for using my neSDR smart as a SDR receiver. One last thing to do is blacklist the original driver built into the kernel. On this device there was no /etc/modprobe.d/ folder, so it had to be created with mkdir /etc/modprobe.d/ . Then we needed to create the blacklist.conf file underneath the directory we had just created. To do this use, echo “blacklist dvb_usb_rtl28xxu” >> /etc/modprobe.d/blacklist.conf . This command puts what is inside the quotes into a the file “blacklist.conf” in the directory “/etc/modprode.d/”.

A simple reboot later, and we can plug in our USB SDR stick, login over telnet as before and run the rtl_tcp program to feed the data to another device on the network. This is accomplished with rtl_tcp -a . This command effectively creates a server that feeds the data received by the SDR to another machine on the network. The -a in the command tells rtl_tcp which address to serve it on. Now we can load up whatever our preferred application to view the stream (which for me is GQRX). If it’s your first time loading GQRX, you will be greeted by this screen, which should be filled in thusly.

Look at all the numbers!

After clicking OK, you may then press the play button and search the waterfall for interesting things.

This is definitely an interesting thing.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.