Add support for Beeline SmartBox TURBO+

MAC Addresses

Interface Adress in "Factory" MAC OpenWRT Comment
2.4 GHz BSSID 0x4 ..:..:..:..:..:1c Driver mt76 takes adress calibration1
LAN 0x21000 ..:..:..:..:..:1c mtd-mac-address mac On Sticker
WAN ..:..:..:..:..:1d mtd-mac-address-increment WAN=LAN+1
5 GHz BSSID 0x8004 ..:..:..:..:..:1e Driver mt76 takes adress calibration2

The table was generated using "Tables Generator" in the markdown.
Address start options:

  • 74:9d:79:..:..:..
  • 14:2e:5e:..:..:..
    I watched the "factory" mtd2 partition with the hex editor and confirmed it with the sc_fl_map and sc_dl commands from U-boot.

Device Support: MAC address setup

1 Like

Can you flash it from stock ssh console, or only using UART?

1 Like

The NAND flash partitions are different from the stock firmware. At the moment this is possible via the UART.

Method without UART.
№1 OEM partitions (dualboot)

You can build the firmware with the original partitions, but the rootfs size will be less than 32MB. Haven't tried this method yet. Make sure to back up your NAND-flash before starting and it's good if you have a UART adpater on hand.

Using a commit from the LayOutOEM branch (git cherry-pick beeline-smartbox-turbo_LayOutOEM) build the firmware. From the stock firmware, SSH will switch to the second slot (Sercomm1).
echo -ne "$(echo 31 | sed 's/../\\x&/g')" | dd of=/dev/mtdblock3 bs=1 seek=7 count=1

mtd_write write rootfs.bin Filesystem 1
mtd_write write kernel.bin Kernel 1

echo -ne "$(echo 30 | sed 's/../\\x&/g')" | dd of=/dev/mtdblock3 bs=1 seek=7 count=1

№ 2 Emergency mode (sc_dl (SerComm Upgrade) & Utilities)

It is necessary to investigate the utilities:

№3 Breed

No tested.
Using a commit from the Breed branch (git cherry-pick beeline-smartbox-turbo_Breed) build the firmware. Change in environment autoboot.command = boot flash 0x400100. Flash *-breed.bin

In Russian you can ask again here.
1 Like

I have an adapter, and I can connect it without soldering, but I can't solder those missing bridges at the moment. So I wanted to test another way. Let's see. Thx.

1 Like

What is your nick there?

1 Like

I am not sure this method will work. According to the dual-boot manual, boot loader checks the validity of a kernel on boot. If it is valid, it copies it to another partition. But I didn't get how does it check validity.


I've built your beeline-smartbox-turbo_LayOutOEM branch and installed it right from the stock firmware this way:

  1. Logged with SuperUser password: serial # and enabled SSH.

  2. Logged to the device using SSH.

  3. Ran

printf '\x31' | dd of=/dev/mtdblock3 bs=1 seek=7 count=1
  1. Wrote kernel.bin and rootfs.bin to a thumb drive and plugged it into the device.

  2. Ran

cd /mnt/shares/B 
mtd_write write rootfs.bin "File System 1"
mtd_write write kernel.bin "Kernel 1"
printf '\x30' | dd of=/dev/mtdblock3 bs=1 seek=7 count=1

The device booted to Openwrt!

There is still a problem. After 1 or 2 reboots bootloader switches to another slot and boots stock firmware again.

1 Like

Layouts Partitions OEM Stock Firmware Beeline SmartBox TURBO+

MTD Start Address Size Partition OEM Stock U-Boot SerComm MiB
mtd0 0x0 0x100000 Boot Loader u-boot 1
mtd1 0x100000 0x100000 dynamic partition map part_map 1
mtd2 0x200000 0x100000 Factory factory-data 1
mtd3 0x300000 0x100000 Boot Flag dual-flag 1
mtd4 0x400000 0x600000 Kernel 1 uImage1 6
mtd5 0xa00000 0x600000 Kernel 2 uImage2 6
mtd6 0x1000000 0x2000000 File System 1 rootfs1 32
mtd7 0x3000000 0x2000000 File System 2 rootfs2 32
mtd8 0x5000000 0x1400000 Configuration/log config/log 20
mtd9 0x6400000 0x1b80000 application tmp buffer (Ftool) app-tmp 27,5
mtd10 0x7f80000 0x80000 bad block reserved 0.5

The OpenWrt Flash Layout

1 Like

Layout dynamic partition map - part_map - mtd1

Start Size Comment
0x0 0xa SCFLMAPOK (SerComm Flash Map OK)
0xa 0x7f6 FF FF FF FF FF FF FF
0x800 0x78 Schema partitions mtd
0x878 0x1F788 FF FF FF FF FF FF FF
0x20000 0xa SCFLMAPOK
0x20800 0x78 Schema partitions mtd
0x20878 0xDF788 FF FF FF FF FF FF FF
Schema partitions mtd

little-endian dump

❯ xxd -e -c 12 -s $((0x800)) -l $((0x78)) mtd1
00000800: 00000000 00000000 00100000  ............
0000080c: 00000001 00100000 00100000  ............
00000818: 00000002 00200000 00100000  ...... .....
00000824: 00000003 00300000 00100000  ......0.....
00000830: 00000004 00400000 00600000  ......@...`.
0000083c: 00000005 00a00000 00600000  ..........`.
00000848: 00000006 01000000 02000000  ............
00000854: 00000007 03000000 02000000  ............
00000860: 00000008 05000000 01400000  ..........@.
0000086c: 00000009 06400000 01b80000  ......@.....
Comment-->	№ mtd	Start	Size

Layout factory-data (Factory) - mtd2

0x4 - MAC Wi-Fi 2.4 GHz
0x8004 - MAC Wi-Fi 5 GHz
It is possible to make a script that takes from the factory-data SSID, Pass & PIN.

Layout dual-flag (Boot Flag) - mtd3

boot_flag indicates which slot to load.
boot_count counts the number of times one slot is started.

Slot Flag kernel rootfs Counter
1 Sercomm0 uImage1 (Kernel 1) rootfs1 (File System 1) boot_count1
2 Sercomm1 uImage2 (Kernel 2) rootfs2 (File System 2) boot_count2

When the U-boot of the specified slot is loaded, its counter is incremented (example FF-> 01). When the stock firmware boots successfully, it will write to the FF counter. If the boot_count = 03 when loading the slot, then the flag will be toggled. if boot_count1 = 03 and boot_count2 = 03 then the device will switch to Emergency mode (start sc_dl).

View flag:
# hexdump -Cn 8 /dev/mtd3                                                       
00000000  53 65 72 63 6f 6d 6d 31                           |Sercomm1|          
Set flag:
  • Sercomm0 - # printf 0 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
  • Sercomm1 - # printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
FW OEM v2.0.xx
~ # bootflag_utility --help
bootflag_utility: invalid option -- -
Usage: ./bootflag_utility [-g] [-s value] [-S]
-g get bootflag
-s set bootflag 0 or 1
-S switch bootflag
View flag:
# bootflag_utility -g    
[bootflag_utility.c:get_bootflag:52] bootflag=Sercomm0
Set flag:
  • Sercomm0 - # bootflag_utility -s 0
  • Sercomm1 - # bootflag_utility -s 1
View counter


  • boot_count1 - # hexdump -s 131073 -Cn 1 /dev/mtd3
  • boot_count2 - # hexdump -s 131074 -Cn 1 /dev/mtd3
# hexdump -s 131073 -Cn 2 /dev/mtd3                                             
00020001  ff ff                                             |..|                
Reset counter
  • boot_count1 - # printf '\xFF' | dd bs=1 count=1 seek=131073 of=/dev/mtdblock3
  • boot_count2 - # printf '\xFF' | dd bs=1 count=1 seek=131074 of=/dev/mtdblock3
Algorithm from MTK SDK


APSoC SDK User’s Manual - 209 Page.

1 Like

Device OEM picture/photo

1 Like

SSH for FirmWare OEM v1.0.12 on Beeline SmartBox TURBO+

  1. Login to the web interface (by default) under SuperUser (root) credentials. Password: SDXXXXXXXXXX, where SDXXXXXXXXXX is serial number of the device written on the backplate stick.
Login:		SuperUser
  1. Turning on SSH. Navigate to:
-> Advanced settings 
	-> Others 
		-> Access Control 
			-> Users Root Select 
				-> SSH Admin - Enable LAN 
					-> Save 
						-> Apply
  1. Connect SSH
    $ ssh SuperUser@
  2. Start shell
    view @ Smart Box TURBO+> sh

SmartBOX Pro / SmartBOX Turbo+ – обсуждение | [wifirouter] : 300Mb\s - 1200Mb\s + 5x1Gb | x1

1 Like

SFTP for FirmWare OEM (v1.0.12)

  1. Connect via SSH.
  2. Edit:
    vi /etc/ssh/sshd_config
# override default of no subsystems
Subsystem       sftp    /usr/sbin/sftp-server

(dd, i) Replace string

# override default of no subsystems                           
Subsystem       sftp    internal-sftp


  1. Restart SSHd:
    kill -HUP $(ps | grep /usr/sbin/sshd | grep -v grep | awk '{print $1}')
  2. Connect via SFTP with a client on a PC, example:
    $ sftp SuperUser@
    $ mc sftp://SuperUser@
    $ thunar sftp://SuperUser@

Point № 2, can / should be automated (sed, awk).
In point № 3, there was another option, killall sshd; /usr/sbin/sshd -p 22, but the command was interrupted via SSH, but worked via the UART.

1 Like

Generic NAND backup FW OEM

  1. Connect via SSH or via UART
  2. Create dump
    CSN=$(hexdump -e '/2 "%1s"' -n $((0xC)) -s $((0x21010)) /dev/mtd2)
    mkdir /tmp/$CSN; cd /tmp/$CSN;
    for i in 0 1 2 3 4 5 6 7; do
    echo "===Dump mtd$i.bin backup===";
    nanddump -f mtd$i.bin /dev/mtd$i;
  3. Copy the directory via SFTP or via TFTP, USB or any other method convenient for you. Example:
    $ scp -r SuperUser@ SD2134F98765 with a client on a PC
  4. Delete backup images from RAM router.
    rm -r /tmp/$CSN
  5. Create the remaining backups
    mkdir /tmp/$CSN; cd /tmp/$CSN;
    for i in 8 9 10; do
    echo "===Dump mtd$i.bin backup===";
    nanddump -f mtd$i.bin /dev/mtd$i;
  6. Copy the directory via SFTP on PC.
  7. Delete backup images from RAM.

The creation of a backup takes place in several stages due to the fact that the size of RAM and NAND are the same (128 MiB).
CSN - Serial Number Device.
A directory will be created with the name in the form of the serial number of the device in the /tmp directory with the images of the partitions.
Can be improved. Tried using GZ but no TAR. It turned out the wrong action, there is one combined file in the archive.

Old example for GIGA
CSN=$(hexdump -e '/2 "%1s"' -n $((0xC)) -s $((0x21010)) /dev/mtd2)
for i in 0 1 2 3 4 5 6 7 8 9 10; do
echo "===Dump mtd$i.bin backup===";
nanddump -f mtd$i.bin /dev/mtd$i;
md5sum mtd$i.bin >> mtd.md5;
gzip -c mtd$i.bin >> $CSN.gz;
gzip -c mtd.md5 >> $CSN.gz
1 Like

Image's OEM Stock FirmWare

SmartBox TURBO+

SmartBox TURBO

  • v. 1.0.02 - (build @ 2020-06-05, 19:08:35)
  • v. 1.0.03 - (build @ 2020-07-08, 02:15:32) - No URL

Etisalat S3

  • v. 2.0.05 - (build @ 2020-04-10, 23:52:54) -
  • v. 3.0.04 - (build @ 2020-09-27, 06:31:51) -

If there are more versions and/or links, let me know I will add it.

wget -P /tmp
Notification of the Eurasian Economic Union

OpenWRT images for testing on a device

Have not yet accepted a Pull Request in OpenWRT

Development Snapshot builds


Stable Release builds

  • Sercomm S3 CQR - Beeline SmartBox TURBO+
  • Sercomm S3 DF3 - Beeline SmartBox TURBO
  • Sercomm S3 DDK - Etisalat Sercomm S3
  • Sercomm S3 DKG - Rostelecom Sercomm RT-SF-1
  • Sercomm S3 CX4 - Rostelecom Sercomm RT-FE-1(A)
1 Like

Beeline SmartBox TURBO (not +)

There is information about the existence of another Sercomm S3 clone - Beeline SmartBox Turbo. There is not much known information yet.


  • NAND flash: 256 MiB
  • Ethetnet interfaces have LEDs (Green)
  • CSN: SN2F********
  • MAC LAN: E0:0E:E4:**:**:**
  • Manufacturer's code: 0DF30500QW1
  • NFS? code (Код НФС): 930000610

Thank neopiten [1] [2].
NAND device: Manufacturer ID: 0x2c, Chip ID: 0xda (Micron NAND 256MiB 3,3V 8-bit), 128MiB, page size: 2048, OOB size: 128

Photo Device


Screenshot of the stock firmware web interface


Thank MellonMike [1] [2].

  • In web interface - TURBO+
view @ Smart Box TURBO> show sysinfo 
	Vendor:                       Sercomm
	Model:                        Smart Box TURBO
	CPU:                          MT7621
	Firmware Version:             v1.0.03
	Build Time:                    (build @ 2020-07-08, 02:15:32)
	Hardware Version:             v1
	Bootloader Version: 
	Serial Number:                SN2F********
	Time Since Last Boot:          0:48:09
	Reboot Cause:                 
	Product Class:                Smart Box TURBO
	Current Time:                 2020-07-08 03:03:02
1 Like
1 Like

ZigBee on SmartBox TURBO+

  • EFR32MG1B232GG
  • Baudrate - 57600
  • UART-EZSP Gateway Protocol
Probe CLI
opkg update
opkg install git-http python3-pip
cd /tmp
git clone
cd elelabs-zigbee-ezsp-utility
pip3 install -r requirements.txt
python3 probe -p /dev/ttyS1 -b 57600
root@OpenWrt:/tmp/elelabs-zigbee-ezsp-utility# python3 
restart -m btl -p /dev/ttyS1 -b 57600
2022/01/22 19:36:32 Elelabs_EzspFwUtility:   Generic Zigbee EZSP adapter detected:
2022/01/22 19:36:32 Elelabs_EzspFwUtility:   Firmware: 6.2.0-147
2022/01/22 19:36:32 Elelabs_EzspFwUtility:   EZSP v6
2022/01/22 19:36:32 Elelabs_EzspFwUtility:   Launch in bootloader mode
2022/01/22 19:36:43 Elelabs_EzspFwUtility:   EZSP adapter in bootloader mode detected:
2022/01/22 19:36:43 Elelabs_EzspFwUtility:   EFR32 Serial Btl v6.2.1.3 b0
On Home Assistant
opkg install ser2net luci-i18n-ser2net-ru
vi /etc/ser2net.conf
5000:raw:0:/dev/ttyS1:57600 NONE 1STOPBIT 8DATABITS XONXOFF LOCAL -RTSCTS remctl
# on Host
sudo socat pty,raw,link=/dev/ttyVS1 tcp:

Снимок экрана_2022-01-23_17-28-40

Thank Harwest & lmahmutov

1 Like

SSH for FirmWare OEM v1.0.03 on Beeline SmartBox TURBO

  1. Login to the web interface (by default) under SuperUser (root) credentials. Password: SDXXXXXXXXXX, where SDXXXXXXXXXX is serial number of the device written on the backplate stick.
Login:		SuperUser
  1. Configure WAN. Navigate to:
	-> WAN 
		-> ADD
			* Name - WAN1
			* Connection Type - Static
			* IP Address -
			* Netmask -
				-> Save 
					-> Apply
Default WAN1
  1. Enable SSH and HTTP on WAN.
	-> Remote control 
		-> ADD
			* Protocol - SSH
			* Port - 22
			* IP Address -
			* Netmask -
			* WAN Interface - WAN1
				-> Save 
					-> Apply
		-> ADD
			* Protocol - HTTP
			* Port - 80
			* IP Address -
			* Netmask -
			* WAN Interface - WAN1
				-> Save 
					-> Apply
  1. Set up on PC
	* Connection Type - Static
	* IP Address -
	* Netmask -
	* Gateway -
  1. Connect PC cable to WAN TURBO
  2. Connect SSH. Example on Linux without key saving.
    $ ssh -o "UserKnownHostsFile /dev/null" SuperUser@
  3. Start shell
    view @ Smart Box TURBO+> sh
1 Like