Got an AX3200 from an official reseller in Europe; telnet was enabled by default, and the Python script worked. I enabled SSH and am proceeding with the OpenWrt installation.
Update: I used @thorsten97's build and I'm happy to report it works. I'll be hanging this boy later during the day and will report once I have more time to play with it.
I believe the telnet enable/disable is related to whether you have the international version (RB01) or the Chinese version (RB03).
I have RB03 v1.0.19 with telnet not enabled.
I'm feeling a bit daft as I am under the impression there is an exploit available for the RB03, but after a month+ looking for it, I can't find it.
It appears everything is working in order. I have some issues with 160Hz wide channels but that is per client.
I'm topping 800mbps on iperf (80hz channel), I'd say pretty good!
All I'm missing now is SQM; I can't install it since the snapshot is a few days old.
Is there a way I could do it without creating an image from scratch?
Chances are I'll probably just end up adding a couple more commands into the install to point it at firmware partition and give the firmware1's 30mb to ubi though. Not sure what that means for migration from initial builds. It'll probably just mean slightly modified installation from the terminal.
Since apparently the dual-boot selection does not actually look like it's modified anywhere within the bootloader itself, there sadly ends up being no benefit to keeping around another copy, since there's no actual way to switch to it in the event of a corrupted kernel image, except from within the serial terminal. However, if you have serial terminal access, you could just directly reflash images...
Probably better on the flash endurance on that 30mb in the long run anyway, since ubi will at least spread the writes out on sysupgrade...
This hack looked easy but turned out to be very hard even for me, who had soldering and programmer experience.
I have purchased the Chinese RB03 (1.0.13) version of the router, purchased a CH341A programmer (without the 3.3v data-pins mod yet), soldered the wires and ... failed.
I succeeded... You should modify the crash partition and enter the factory mode. In the factory mode, telnet will be forced to be enabled. Also, you can log in without a password!
@zfgeng you have used a method to make it without reading and modifying CRC-32, so you failed with that like me. I just want to clarify that the snander-modify-crc32 instructions do not work at all. I tried to cut the OOB data from the dump, but I failed with that too; the OOB chunk locations are not consistent and I think it is a programmer problem (or I just don't understand NAND well enough).