Add Support for T-Mobile MTK7622 5G IDU

Hello,

The router provided by my ISP runs a very minimalistic version of OpenWrt/LEDE. It's unusable.
I accessed uboot and extracted the entire firmware. So, I have access to the filesystem, which includes the kernel.config among other relevant files.

I've tried loading a few LEDE images through tftp, but u-boot keeps telling me "Wrong Image Format for bootm command. Error: can't get kernel image!"
Attempts at building my own image were also unsuccessful.

  • Hardware:
    • Mediatek MT638GN 2348-BNSL DCMJ61W2 (PMIC)
    • Mediatek MT7975DN 2349-AJCAL DAP45504 (5G radio?)
    • Mediatek MT7915DAN 2345-BXDAL CCMCLFY9R (5G radio?)
    • ESMT M15T4G16256A AS81-DEB P3A8Z01342 (ram)
    • Mediatek MT7622EV 2344-BHHSH ATTHST33 (SoC)
    • Mediatek MT7531BE 2340-BXDAL ACMCHTP2-PD (switch)
    • Winbond 25N01GVZEIG 2337 62505G70001 (flash memory)

Can someone help me create a compatible OpenWRT image for this router?

etc/openwrt_release: https://0x0.st/XGIG.txt
etc/openwrt.config: https://0x0.st/XGID.config
etc/openwrt_version: r0-af73c7fa
etc/kernel.config: https://0x0.st/XGIk.config
etc/os-release: https://0x0.st/XGIF.txt

uboot:
iminfo: https://0x0.st/XG0s.txt
uboot log: https://0x0.st/XGGe.log (yea, I don't get any kernel messages)

If there are any additional files that might be necessary, then please tell me!
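
U-Boot's `bootm` prints that message when the data at the load address is not in an image format it supports, so a first check on any candidate image is which container header it carries. The following is an added example, not part of the original post: it identifies a legacy uImage or an FDT/FIT container by magic and verifies the legacy header and data CRCs. The builder, load address and payload are constructed sample data, and which format this device's U-Boot accepts is not stated in the thread.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956           # legacy uImage header magic
FDT_MAGIC = 0xD00DFEED              # device-tree blob; FIT images use this container
HEADER = struct.Struct(">7I4B32s")  # 64-byte legacy header, all fields big-endian
ARCH = {2: "arm", 22: "arm64"}      # subset of U-Boot's IH_ARCH_* codes


def build_legacy_uimage(payload: bytes, arch: int = 22, name: bytes = b"constructed") -> bytes:
    """Constructed sample: wrap payload in a legacy header (os=5 linux, type=2 kernel)."""
    # 0x40080000 is a made-up load/entry address for the sample only.
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x40080000, 0x40080000,
              zlib.crc32(payload), 5, arch, 2, 0, name]
    fields[1] = zlib.crc32(HEADER.pack(*fields))  # header CRC is taken with hcrc = 0
    return HEADER.pack(*fields) + payload


def inspect_image(blob: bytes) -> dict:
    """Classify a firmware blob by container magic and verify legacy CRCs."""
    magic = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else None
    if magic == FDT_MAGIC:
        return {"format": "fdt/fit"}
    if magic != UIMAGE_MAGIC or len(blob) < HEADER.size:
        return {"format": "unknown"}
    (_, hcrc, _time, size, load, entry, dcrc,
     _os, arch, _type, _comp, name) = HEADER.unpack(blob[:HEADER.size])
    # Recompute the header CRC with the hcrc field zeroed, as mkimage does.
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:HEADER.size]
    payload = blob[HEADER.size:HEADER.size + size]
    return {
        "format": "legacy-uimage",
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "arch": ARCH.get(arch, f"code {arch}"),
        "load": hex(load),
        "entry": hex(entry),
        "header_crc_ok": zlib.crc32(zeroed) == hcrc,
        # A truncated TFTP transfer or dump shows up here as a failed data CRC.
        "data_crc_ok": len(payload) == size and zlib.crc32(payload) == dcrc,
    }
```

Running `inspect_image` on both the extracted stock kernel partition and a candidate OpenWrt image shows whether the two use the same container before anything is sent over TFTP.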

same as Unable to find UART/TTL pins | T-Mobile 5G IDU

No. This is about creating a new OpenWrt image. The other thread is about accessing the serial console and getting the original firmware. I don't want to merge these two topics, as that one is very hardware related and this one is only software.

well, they could easily be merged into one ...

Because these cover potential development questions/work for the same device, the two threads in question will be merged. I'll merge the UART topic into this one since the topic title here is more broad.

2 Likes

Hello OpenWRT community,

recently I decided to switch to the 5G home internet solution of my ISP. Up until now I was using a very slow xDSL connection, which makes the new faster data rates even better. But that's about it. Unsurprisingly, the router that's included in the contract is worse than you could ever imagine. (no support for wifi mesh; can't limit internet access for individual clients; frequent IP distribution problems; ...). Since the router is legally speaking mine now, I decided, I want to flash it.

Yes, the router is not officially supported by openwrt. BUT, I searched online and found routers with basically the exact same chips, which are in fact supported. Hardware:

  • Chips:
    • Mediatek MT638GN 2348-BNSL DCMJ61W2 (PMIC)
    • Mediatek MT7975DN 2349-AJCAL DAP45504 (5G radio?)
    • Mediatek MT7915DAN 2345-BXDAL CCMCLFY9R (5G radio?)
    • ESMT M15T4G16256A AS81-DEB P3A8Z01342 (ram)
    • Mediatek MT7622EV 2344-BHHSH ATTHST33 (SoC)
    • Mediatek MT7531BE 2340-BXDAL ACMCHTP2-PD (switch)
    • Winbond 25N01GVZEIG 2337 62505G70001 (flash memory)
  • Connectors:
    • ZSNOW GV2001 2346A5
    • ZSNOW GD1000 2352A6 x2
  • Random strings on the board:
    • 48RAWT01.0G A 2021..
    • SH 94V-0 E248779 2350

The label on the packaging and the MAC address point toward "Wistron NeWeb Corp." Unfortunately their website has no information about this product. I also went through public WiFi certifications of their products, but without any luck (https://device.report/Wistron/).

This is an example of a somewhat similar router: https://openwrt.org/toh/reyee/rg-e5


The inside of my router:

As you can tell, I already messed around with JX1 on the front of the board which wasn't a success at all. (I swear I can solder better than that). And I know, it wouldn't make sense for that to be UART, just had to try it since the rest of the board doesn't look any better.

I would really appreciate if some of you could give me some tips as to which part of this board could be used to create a serial connection. Doesn't matter how destructive, it doesn't have any value to me with that terrible firmware on it.

Hmm.

I can't see anything that makes it definitely not a UART. Other than one might prefer a line driver / buffer to protect the CPU? I might be missing something though so please let me know =/

Only other thing I can think of is somehow remove the cans safely and try to trace the traces and/or try to look at the vias, hook up test points to logic analyser, refer to mt7622 pinout and keep going with reverse engineering...

Only other advice I can think of is try to get root shell on the device and see if it's just something silly like it's an actual serial port but it's disabled....

To sanity check :

  • Is there solder mask over the pins and you're just not making a good electrical connection? Similarly if you don't have a good ground because of no preheat, I'd just find a ground elsewhere....
  • Did you try to see if the (potential) serial lines are actually pulled up?
  • Do you have your serial device configured for no flow control and at the right baud rate?
    (Access to a logic analyser?)
  • is your serial device the correct voltage, or did you just accidentally blow up the TTL connection into the CPU directly?

I'd try using a DMM if not already tried and see what sort of continuity you're getting with those resistors near JX1?
If it is bad electrical connection. Get some 30AWG / 0.3mm wire and solder directly onto the resistors hahahaha. Or scrape off the solder mask....

2 Likes

Thank you so much for the insightful reply.

I can't see anything that makes it definitely not a UART. Other than one might prefer a line driver / buffer to protect the CPU? I might be missing something though so please let me know =/

Honestly, I was just assuming that every serial connector should consist of only 4 pins. Silly me.

Only other thing I can think of is somehow remove the cans safely and try to trace the traces and/or try to look at the vias, hook up test points to logic analyser, refer to mt7622 pinout and keep going with reverse engineering...

That's an amazing recommendation. I am new to this board stuff as you can tell so I didn't even think about going at it like that.


Using a DMM, but analog (yeah my DMM just fell apart), I found the following values of these six pins:

pin ohm voltage
1 0 0
2 3999 3.9-5.9
3 - -
4 4100 0
5 - -
6 0 6.1

- means no connection

Pin 2 is fluctuating only shortly (2sec) after boot and at most 4 times.
Videos on the internet show that Rx should be fluctuating like hundreds of times, but maybe it's also just my DMM.

Yeah no worries. At least a datasheet / pinout is available for mt7622. I'm reasonably happy with mediatek over the other chip manufacturers because of this.

Usually at the point where bootloader is locked or there's no serial port etc I give up though =P Slowly with a pair of side cutters it's possible. Desoldering one I wouldn't attempt.

Lol. I think we call that an analog multimeter not a digital multimeter =P
That voltage is quite high =(

Anyway as long as you found a good ground.

Regarding the timing. A couple seconds might be enough for a bootloader to do its thing. I'd guess the kernel isn't outputting much to the serial port then but I have no idea.

No connection to what?
To just make sure, this is resistance and voltage to a known ground?

Three pins are sufficient. But there's plenty of reasons for an engineer to use more.... But yeah this could also be something completely different.

Regarding logic analysers:
There's saleae USB logic analyser clones that can run on open firmware and open gui. Or you can get the USB FIFO chip to get a 16 channel version if you want to take that path. But I'd try to shore up the electrical connection to those ports after checking the voltage for the serial pins once you get a DMM again.

1 Like

No connection to what?
To just make sure, this is resistance and voltage to a known ground?

Oh, I thought I had escaped that. I was referring to the character - in the table.
And yes, all of it is through a "known" ground, aka the metal can thingy around the chips, which I hope is a valid choice. :)

There's saleae USB logic analyser clones that can run on open firmware and open gui.

Do you mean something like this?:
https://www.aliexpress.us/item/3256807787635647.html

1 Like

I think that's a real one? At least they're claiming it's real.

1 Like

Wow these are a lot cheaper. Thank you so much!


I tried following the traces from the 6 pin header back to the soc. But now I am running into a problem.

The lines coming from the top make their way through this mess of contact points, from which point I am unable to follow them any further.

Also, I was only able to find this datasheet: https://drive.google.com/file/d/1cW8KQmmVpwDGmBd48KNQes9CRn7FEgBb/view
I apologize for my incompetence.

Yeah only hope there is to see whether those traces go into the board and come out the other side. If they end up as internal traces only hope then is that there's vias on the back near the serial pins and then scrape off solder mask and trace them out. And that still won't help with 100% certainty that those are actually the serial pins if there's something nearby that it could also be.

Anyway. No point with this rabbit hole until we get a good visualisation on what's going on electrically with those pins. Either with a better electrical connection and trying baud rates, or with the logic analyser etc.

Might be worthwhile investing in a test fixture or pogo pins or some way to be able to connect without soldering to test points but that's trading a soldering problem for a mechanical fixturing problem. Or getting a second pair of hands =P.

Don't worry about it.

I would say inexperience if anything. Everyone starts from somewhere =) Competency is earned. You're earning competency right now =)

Yeah banana pi is what I could find too.
https://wiki.banana-pi.org/Banana_Pi_BPI-R64#Documents

That's the reference manual not the electrical datasheet FYI.

1 Like

Thank you for linking the correct reference manual.
Next step is learning how to read it ~.~

I got a real DMM now and tried to optimize the contact a little bit more:

pin ohm voltage
1 0 0
2 5.459 kΩ 3.3-2.5-3.3-2.5-3.3-2.5-3.3 (7 sec)
3 - -
4 18.24 kΩ 0.8 - 0
5 - -
6 4.4 Ω 3.37
  • pin 2 is changing its electrical current as above in the table for the duration of 7 seconds, then stays at 3.3v

If some of the values don't make sense, please tell me and I will try to get even better contact.

Also, the logic analyzer should arrive tomorrow.

Fluctuating voltage could mean Tx pin, but I don't think it's supposed to stay at 3.3v

2 Likes

Hm, I see.
So I just gotta invert the signal then. /j

I guess tracing the lines is my last hope.
... until the LA arrives tomorrow.

1 Like

I think UART is meant to be push-pull yes. But I thought the "idle" voltage was logic high?

that's why there was a ? in the post, I'm not sure, and have no device to compare with ...

1 Like

Any success finding tp0 tp1? They might be to measure stabilised voltage to LNA too.

Yeah no worries. I had to do some reading to make sure.

Comes from RS232 with mark being high and space being low. But now it's logic levels of 0v and 5v instead of the normal RS232 logic levels?
I haven't found the best reference to explain yet though so I'm not going to link anything yet.
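
For the logic-analyser step discussed in this thread, the following is an added example, not part of any post above: it estimates the baud rate of a captured line from its shortest pulse and decodes it as 8N1 TTL UART, where the line idles at logic high, a start bit pulls it low and data bits follow LSB first. The capture is synthesised in the code (constructed data), and the 2 MHz sample rate and 115200 baud used in the test are assumptions, not values measured on this board.

```python
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)


def synth_uart(data, baud, sample_rate, idle_bits=12):
    """Constructed capture: 0/1 samples of `data` sent as 8N1 on an idle-high line."""
    bits = [1] * idle_bits
    for byte in data:
        bits += [0] + [(byte >> n) & 1 for n in range(8)] + [1]  # start, LSB first, stop
    bits += [1] * idle_bits
    count = len(bits) * sample_rate // baud
    return [bits[i * baud // sample_rate] for i in range(count)]


def estimate_baud(samples, sample_rate):
    """Shortest run of equal samples is about one bit time; snap to a standard rate."""
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    if not runs:          # line never changed level: idle, a supply rail or ground
        return None
    raw = sample_rate / min(runs)
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def decode_8n1(samples, sample_rate, baud):
    """Decode bytes by sampling each bit at its centre after a falling start edge."""
    spb = sample_rate / baud  # samples per bit
    out, i = bytearray(), 1
    while i < len(samples):
        if samples[i - 1] == 1 and samples[i] == 0:      # idle-high to start bit
            mid = [int(i + (n + 0.5) * spb) for n in range(10)]
            if mid[9] >= len(samples):
                break
            if samples[mid[9]] == 1:                     # valid stop bit
                out.append(sum(samples[mid[n + 1]] << n for n in range(8)))
                i = mid[9]                               # resume inside the stop bit
            # otherwise a framing error: wrong baud rate or not a UART TX line
        i += 1
    return bytes(out)
```

A pin that toggles for a few seconds after power-on and then sits at a steady high level produces exactly this kind of capture: decodable bytes followed by idle.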