Adding OpenWrt support for Cudy LT400

Works with Cudy LT400?

CPU : MTK Chipset for Wi-Fi and Qualcomm Chipset for 4G
DRAM/FLASH : 64MB DDR2 / 8M SPI Flash

If yes, which version and config do I need?

OpenWrt: Supported devices

From a quick examination of the firmware for LT400, it seems to have a MediaTek MT7628AN SoC and it can be supported by OpenWrt. But it hasn't been done yet.

        00010203 04050607 08090A0B 0C0D0E0F  0123456789ABCDEF
000400  90230008 00000000 4F575254 4454423A  .#......OWRTDTB:
000410  D00DFEED 00002281 00000038 00001FD8  ......"....8....
000420  00000028 00000011 00000010 00000000  ...(............
000430  000002A9 00001FA0 00000000 00000000  ................
000440  00000000 00000000 00000001 00000000  ................
000450  00000003 00000004 00000000 00000001  ................
000460  00000003 00000004 0000000F 00000001  ................
000470  00000003 00000021 0000001B 4F454D2C  .......!....OEM,
000480  4D543736 3238006D 65646961 74656B2C  MT7628.mediatek,
000490  6D743736 3238616E 2D736F63 00000000  mt7628an-soc....
0004A0  00000003 00000003 00000026 52380000  ...........&R8..

3 Likes
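
An added example (not from the original post): a minimal Python parser for the structure visible in the dump above, an `OWRTDTB:` marker followed by a flattened device tree whose header starts with `D00DFEED`. `SAMPLE` is transcribed from the dump's rows and the function names are this example's own; the strings block (at `off_dt_strings`) lies outside the dumped range, so properties are reported by name offset rather than by name.

```python
import struct

OWRT_MARKER, FDT_MAGIC = b"OWRTDTB:", 0xD00DFEED
FDT_BEGIN_NODE, FDT_PROP, FDT_NOP = 1, 3, 4
FIELDS = ("magic", "totalsize", "off_dt_struct", "off_dt_strings", "off_mem_rsvmap",
          "version", "last_comp_version", "boot_cpuid_phys", "size_dt_strings",
          "size_dt_struct")

# Bytes 0x408-0x4AF of the image, transcribed from the hex dump in the post above.
SAMPLE = bytes.fromhex(
    "4F5752544454423A"
    "D00DFEED000022810000003800001FD8" "00000028000000110000001000000000"
    "000002A900001FA00000000000000000" "00000000000000000000000100000000"
    "00000003000000040000000000000001" "00000003000000040000000F00000001"
    "00000003000000210000001B4F454D2C" "4D5437363238006D6564696174656B2C"
    "6D7437363238616E2D736F6300000000" "00000003000000030000002652380000")

def parse_appended_dtb(image):
    """Return (FDT header dict, [(name_offset, raw_value)] for the root node)."""
    pos = image.find(OWRT_MARKER)
    dtb = image[pos + len(OWRT_MARKER):] if pos >= 0 else b""
    if len(dtb) < 40 or struct.unpack_from(">I", dtb)[0] != FDT_MAGIC:
        raise ValueError("no FDT header after an OWRTDTB: marker")
    hdr = dict(zip(FIELDS, struct.unpack_from(">10I", dtb)))
    off = hdr["off_dt_struct"]
    end = min(len(dtb), off + hdr["size_dt_struct"])  # tolerate a partial dump
    props, depth = [], 0
    while off + 4 <= end:
        (token,) = struct.unpack_from(">I", dtb, off)
        off += 4
        if token == FDT_BEGIN_NODE:
            depth += 1
            if depth > 1:
                break  # first child node reached: root properties are done
            off = (dtb.index(b"\0", off) + 4) & ~3  # skip NUL-padded node name
        elif token == FDT_PROP and off + 8 <= end:
            length, nameoff = struct.unpack_from(">2I", dtb, off)
            value = dtb[off + 8:off + 8 + length]
            if len(value) < length:
                break  # property value runs past the captured bytes
            props.append((nameoff, value))
            off = (off + 8 + length + 3) & ~3  # values are padded to 4 bytes
        elif token != FDT_NOP:
            break  # END_NODE, END, truncated property or garbage
    return hdr, props

def string_list(value):
    """Decode a NUL-separated string list such as the 'compatible' property."""
    return [s.decode("ascii") for s in value.rstrip(b"\0").split(b"\0")]
```

On a full image, pass the whole file's bytes to `parse_appended_dtb`; the walk then stops at the first child node instead of at the end of the captured range.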

Thanks, but for installing, which MediaTek snapshot do I need? mt7622, mt7623 or mt7629?

You can't install. Currently, Cudy LT400 is not supported in OpenWrt and the usage of the firmware for other devices may break your device.
It will be possible if someone creates support for the device in OpenWrt.
(And also, mt7622, mt7623 and mt7629 in mediatek target are sub-targets for Arm SoC of MediaTek. MT7628AN is a MIPS SoC and ramips/mt76x8 sub-target supports this SoC.)

The problem with the original Cudy router firmware: it is not possible to choose your subnet mask.
They have limited it to two choices: either 255.255.255.0 or 255.255.0.0.
I just want to use 255.255.252.0 for my network node...
OpenWrt seemed like a good alternative.

Is it possible?
MediaTek MT7628AN is used by 6 routers in https://openwrt.org/toh/views/toh_fwdownload :

GL.iNet : GL-MT300N v2
HiWiFi/Gee : HC5861B
HiWiFi/Gee : HC5761A
UniElec : U7628-01
VoCore : VoCore2
WRTnode : WRTnode

the usage of the firmware for other devices may break your device

1 Like

you need to gather information to make a DTS file and build your own images for testing

  1. open the case and record all chip models
  2. Identify the UART pins
  3. study a similar commit to make a similar DTS and profile
  4. build an initramfs-kernel.bin and load that over TFTP to boot (NOT with reset button)

image building guide

to build initramfs-kernel.bin in ramips

in make menuconfig
after selecting Target Profile
select Target Images
enable ramdisk

example of similar device

https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=ff5dd32164bb430b7a5966a36291f5a8636e7af8

wiki pages on 4G support

I read the flash chip of the device a few days ago; the Cudy LT400 is running a modified LEDE 17.01.5 as stock firmware.

OpenWRT is definitely doable. I'm trying to get it into mainline OpenWRT and asked the vendor for details a few days ago, but have not yet received an answer from them.

Good evening everyone.
I just compiled OpenWrt for the Cudy LT400,
which has working LEDs, a properly configured reset button as well as a fully functional LTE modem.

So yes @TronEncom OpenWrt will run on the LT400.
I performed the steps @mpratt14 outlined with more or less success.


Now to the bad news.
The device is pretty much locked down. It does not allow flashing anything but firmware signed by Cudy's RSA key.
Getting in required me to desolder the flash in order to dump it...
However, I've got reason to believe this won't be necessary for others.

The check is enforced on regular firmware upgrades, U-Boot's web-boot, as well as TFTP.
This will likely not be a problem for long, as Cudy usually provides escape images from their RSA chain, once reminded...

If anyone who reads this owns the device, I'd be very much interested to discuss an alternate way in.
So long, aiyion.

You mean to flash it, or you want a copy of the original flash? (which I recommend anyway)

You may be able to solder wires without desoldering the chip. One way requires more skill, the other requires better tools and the right flux etc.

Just to be clear for flashing... you have no access to the bootloader console?
Or you have access to a shell for flashing but it is rejected?

Nice to see a response, thanks.

I needed to desolder it in order to read as well as flash it reliably.
Pulling pins down, to effectively halt the system, was not enough.

I'm using a decent clamp in order to read and flash chips, so adding wires is not necessary - usually.

The bootloader console does not exist on the stock image.
There's output, but no way to halt it, in order to get access to the console, except for a faulty image on rom, or powering the device up with the reset button held.
Either way, console is still read only, and will only accept signed images.

What I need to continue now is either Cudy accepting my proposed tree and signing an image built for OpenWrt like they did for other devices,
or someone else owning the device, that can provide me with his dump, so I can determine a potential weak spot my device has, which might be a shared flaw/vulnerability across the whole revision.

does Cudy have an interface to send and receive commands to the modem?

I'm using uqmi to talk to it, if that's what you are asking for;
I think Cudy didn't, but I don't remember which they used.

Do you own such a device?

I'm considering buying this device. Have you had any additional success flashing OpenWRT to this router since May?

Can you share the image you compiled, as well as a visual on how to desolder the flash chip?

I successfully flashed the device before May and have therefore not had the need to flash it again.

I can share the image for my device, but that won't help you as it depends on the contents of one of the device's partitions.
(I hope it just depends on the MAC, but cannot tell yet, as I never found someone here that had the device to verify.)

I desoldered the flash chip using a heat gun, following a handful of YouTube videos.
The only thing I can recommend there is to decrease airflow to a bare minimum.

Once you have extracted the flash contents though, I'd be glad to compile you an image.
That will work regardless of whether the partition differs in more than just the MAC.

1 Like

Hey @jlpapple,
I saw your thumbs up under my suggestion for you to extract the flash content.
Have you had any luck with that?

@aiyion

I'm working on the LT500 and would like to have a peek at what you did.
Could you create a draft PR for the LT400?

Here's mine:

Not sure if I'll get to it this weekend, but I'll try.