Adding support for Aigital AC1200 SML-1222W / WN1222 / WK410(?)

For Developers
1

Hi everyone.
I grabbed a cheap AC1200 repeater on Amazon and I'm trying to get OpenWrt working on it. I'm not sure about the modell name, hence the question mark in the title. The box and case doesn't mention any modell name. The Amazon product page calls it SML-1222W, the product video calls it WN1222 and U-Boot calls it WK410.

PCB picture + comments

aigital
aigital1920×1440 271 KB

The small chip on the left is a Mediatek MT7612EN.
No chips on the other side of the pcb.
The UART contacts are located to the left of the switch in the lower right corner.
Top to button: TX, RX, GND.
I am unsure about the TX contact as I have not been able to send commands through the serial console.

It seems like the stock firmware is a very cut down version of LEDE with SSH disabled.
However I got serial access through UART (baud 57600) here are some logs:

Normal boot 
DDR Calibration DQS reg = 00008788



U-Boot 1.1.3 (Jul 12 2020 - 09:47:44)


Board: Ralink APSoC DRAM:  64 MB

mtest end addr: 83f31f88

relocate_code Pointer at: 83f94000

flash manufacture id: ef, device id 40 17

find flash: s25fl064k

*** Warning - bad CRC, using default environment


============================================ 

Build Date:Jul 12 2020  Time:09:47:44

============================================ 

   

3: System Boot system code via Flash.

## Booting image at bc050000 ...

   Image Name:   WK410

   Image Type:   MIPS Linux Kernel Image (lzma compressed)

   Data Size:    1274028 Bytes =  1.2 MB

   Load Address: 80000000

   Entry Point:  80000000

   Verifying Checksum ... OK

   Uncompressing Kernel Image ... OK

No initrd

## Transferring control to Linux (at address 80000000) ...

## Giving linux memsize in MB, 64


Starting kernel ...


[    0.000000] Linux version 4.4.186 (junleng@junlengdeMacBook-Pro-2.local) (gcc version 5.4.0 (LEDE GCC 5.4.0 1.3.1) ) #0 Mon Jun 1 08:56:03 2020
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7628AN ver:1 eco:2
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019655 (MIPS 24KEc)
[    0.000000] MIPS: machine is LEDE WK410 board
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line: console=ttyS0,57600 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=0003306b
[    0.000000] Readback ErrCtl register=0003306b
[    0.000000] Memory: 60848K/65536K available (2858K kernel code, 138K rwdata, 680K rodata, 156K init, 185K bss, 4688K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:256
[    0.000000] intc: using register map from devicetree
[    0.000000] CPU Clock: 580MHz
[    0.000000] clocksource_probe: no matching clocksources found
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6590553264 ns
[    0.000010] sched_clock: 32 bits at 290MHz, resolution 3ns, wraps every 7405115902ns
[    0.015359] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[    0.080518] pid_max: default: 32768 minimum: 301
[    0.089748] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.102716] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.122340] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.141730] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.153861] pinctrl core: initialized pinctrl subsystem
[    0.164780] NET: Registered protocol family 16
[    0.277922] mt7620-pci 10140000.pcie: Port 0 N_FTS = 1b105000
[    0.438923] PCI host bridge /pcie@10140000 ranges:
[    0.448259]  MEM 0x0000000020000000..0x000000002fffffff
[    0.458570]   IO 0x0000000010160000..0x000000001016ffff
[    0.481930] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.493011] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.504002] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.515632] PCI host bridge to bus 0000:00
[    0.523594] pci_bus 0000:00: root bus resource [mem 0x20000000-0x2fffffff]
[    0.537214] pci_bus 0000:00: root bus resource [io  0xffffffff]
[    0.548877] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.562293] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.578394] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    0.594795] pci 0000:00:00.0: BAR 0: no space for [mem size 0x80000000]
[    0.607769] pci 0000:00:00.0: BAR 0: failed to assign [mem size 0x80000000]
[    0.621503] pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x200fffff]
[    0.634920] pci 0000:00:00.0: BAR 9: assigned [mem 0x20100000-0x201fffff pref]
[    0.649195] pci 0000:00:00.0: BAR 1: assigned [mem 0x20200000-0x2020ffff]
[    0.662625] pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff 64bit]
[    0.677077] pci 0000:01:00.0: BAR 6: assigned [mem 0x20100000-0x2010ffff pref]
[    0.691333] pci 0000:00:00.0: PCI bridge to [bus 01]
[    0.701130] pci 0000:00:00.0:   bridge window [mem 0x20000000-0x200fffff]
[    0.714551] pci 0000:00:00.0:   bridge window [mem 0x20100000-0x201fffff pref]
[    0.728841] pci 0000:00:00.0: card - bus=0x0, slot = 0x0 irq=0
[    0.740357] pci 0000:01:00.0: card - bus=0x1, slot = 0x0 irq=4
[    0.752790] clocksource: Switched to clocksource MIPS
[    0.764200] NET: Registered protocol family 2
[    0.773574] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.787282] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.799792] TCP: Hash tables configured (established 1024 bind 1024)
[    0.812441] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.823901] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.836565] NET: Registered protocol family 1
[    0.851222] Crashlog allocated RAM at address 0x3f00000
[    0.877912] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.889382] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.911497] io scheduler noop registered
[    0.919173] io scheduler deadline registered (default)
[    0.930097] Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled
[    0.943786] console [ttyS0] disabled
[    0.950744] 10000c00.uartlite: ttyS0 at MMIO 0x10000c00 (irq = 28, base_baud = 2500000) is a 16550A
[    0.968675] console [ttyS0] enabled
[    0.968675] console [ttyS0] enabled
[    0.982365] bootconsole [early0] disabled
[    0.982365] bootconsole [early0] disabled
[    0.998920] mtdsplit_uimage: mtk: generic
[    1.007552] spi-mt7621 10000b00.spi: sys_freq: 193333333
[    1.022264] m25p80 spi32766.0: using chunked io (size=32)
[    1.033030] m25p80 spi32766.0: s25fl064k (8192 Kbytes)
[    1.043239] flash id(spi32766.0): 312053C7202060DF
[    1.052767] 6 ofpart partitions found on MTD device spi32766.0
[    1.064318] Creating 6 MTD partitions on "spi32766.0":
[    1.074497] 0x000000000000-0x000000030000 : "u-boot"
[    1.086060] 0x000000030000-0x000000040000 : "kpanic"
[    1.097789] 0x000000040000-0x000000050000 : "factory"
[    1.109655] 0x0000007e0000-0x0000007f0000 : "ledeinfo"
[    1.194727] 0x0000007f0000-0x000000800000 : "reserve"
[    1.206644] 0x000000050000-0x0000007e0000 : "firmware"
[    1.219139] 2 uimage-fw partitions found on MTD device firmware
[    1.230956] 0x000000050000-0x0000001870ec : "kernel"
[    1.242523] 0x0000001870ec-0x0000007e0000 : "rootfs"
[    1.254244] mtd: device 7 (rootfs) set to be root filesystem
[    1.265614] 1 squashfs-split partitions found on MTD device rootfs
[    1.277873] 0x0000005c0000-0x0000007e0000 : "rootfs_data"
[    1.307298] rt3050-esw 10110000.esw: link changed 0x00
[    1.319410] mtk_soc_eth 10100000.ethernet eth0: mediatek frame engine at 0xb0100000, irq 5
[    1.336315] mt7621_wdt 10000120.watchdog: Initialized
[    1.346926] NET: Registered protocol family 17
[    1.355862] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[    1.380862] 8021q: 802.1Q VLAN Support v1.8
[    1.400859] VFS: Mounted root (squashfs filesystem) readonly on device 31:7.
[    1.415737] Freeing unused kernel memory: 156K
[    2.907707] init: Console is alive
[    2.914762] init: - watchdog -
[    4.823116] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    4.836948] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    4.861754] init: - preinit -
[    5.407228] random: procd: uninitialized urandom read (4 bytes read, 8 bits of entropy available)
[    5.686978] jffs2: notice: (281) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[    5.719417] mount_root: switching to jffs2 overlay
[    5.737935] urandom-seed: Seeding with /etc/urandom.seed
LEDE Starting
[    6.008348] procd: - early -
[    6.014919] procd: - watchdog -
[    6.657056] procd: - watchdog -
[    6.668044] procd: - ubus -
[    7.122865] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.279908] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.298223] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.316095] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.334439] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.352296] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.370253] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.388509] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.406712] procd: - init -
[    7.893678] kmodloader: loading kernel modules from /etc/modules.d/*
[    7.991504] zram: Added device: zram0
[    8.016798] Netfilter messages via NETLINK v0.30.
[    8.035810] ip_set: protocol 6
[    8.846622] MT7628 module init
[    8.862059] MT7628 AP Driver version-4.0.1.3.P1
[    8.871116] load: mtk/WIFI_RAM_CODE_MT7628_e2.bin
[    9.022251] E2pAccessMode=2
[    9.921642] MT7612E module init
[    9.942243] MT76x2 AP Driver version-3.0.4.0.P1.20150909
[   10.668031] ip_tables: (C) 2000-2006 Netfilter Core Team
[   10.700190] nf_conntrack version 0.5.0 (953 buckets, 3812 max)
[   10.764286] ctnetlink v0.93: registering with nfnetlink.
[   10.796400] nf_conntrack_rtsp v0.7 loading
[   10.862390] nf_nat_rtsp v0.7 loading
[   10.922065] xt_time: kernel timezone is -0000
[   10.949184] PPP generic driver version 2.4.2
[   10.960600] NET: Registered protocol family 24
[   10.975624] kmodloader: done loading kernel modules from /etc/modules.d/*
[   12.954849] random: jshn: uninitialized urandom read (4 bytes read, 23 bits of entropy available)
[   16.579069] rt3050-esw 10110000.esw: link changed 0x00
[   18.714378] device eth0.1 entered promiscuous mode
[   18.723960] device eth0 entered promiscuous mode
[   18.758704] br-lan: port 1(eth0.1) entered forwarding state
[   18.769854] br-lan: port 1(eth0.1) entered forwarding state
[   20.762857] br-lan: port 1(eth0.1) entered forwarding state
[   22.401744] S95done (1240): drop_caches: 3
[   25.718852] device rai0 entered promiscuous mode
[   25.728144] br-lan: port 2(rai0) entered forwarding state
[   25.738870] br-lan: port 2(rai0) entered forwarding state
[   27.732863] br-lan: port 2(rai0) entered forwarding state
[   28.783631] device ra0 entered promiscuous mode
[   28.792656] br-lan: port 3(ra0) entered forwarding state
[   28.803264] br-lan: port 3(ra0) entered forwarding state
[   30.802804] br-lan: port 3(ra0) entered forwarding state
[   54.439070] random: nonblocking pool is initialized
Boot while pressing the reset button 
[04020C0E][04020C0D]

DDR Calibration DQS reg = 00008788



U-Boot 1.1.3 (Jul 12 2020 - 09:47:44)


Board: Ralink APSoC DRAM:  64 MB

mtest end addr: 83f31f88

relocate_code Pointer at: 83f94000

flash manufacture id: ef, device id 40 17

find flash: s25fl064k

*** Warning - bad CRC, using default environment


============================================ 

Build Date:Jul 12 2020  Time:09:47:44

============================================ 

reset button pressed



 netboot_common, argc= 3 


 NetTxPacket = 0x83FE7EC0 


 KSEG1ADDR(NetTxPacket) = 0xA3FE7EC0 


 NetLoop,call eth_halt ! 


 NetLoop,call eth_init ! 

Trying Eth0 (10/100-M)


 Waitting for RX_DMA_BUSY status Start... done



 ETH_STATE_ACTIVE!! 

TFTP from server 192.168.2.88; our IP address is 192.168.2.119

Filename 'lede-firmware.bin'.


 TIMEOUT_COUNT=10,Load address: 0x80100000

Loading: *

ArpTimeoutCheck 

T 

ArpTimeoutCheck 

T 

ArpTimeoutCheck 

T 

ArpTimeoutCheck 

T 

ArpTimeoutCheck 

T 

ArpTimeoutCheck 

T 

ArpTimeoutCheck 

T 

ArpTimeoutCheck 

T 

ArpTimeoutCheck 

T 

ArpTimeoutCheck 

T 

ArpTimeoutCheck 


Retry count exceeded; starting again


ArpTimeoutCheck 

TFTP from server 192.168.2.88; our IP address is 192.168.2.119
Boot reset button + active TFTP server with different renamed LEDE/OpenWRT images 
[04030C0E][04030C0C]

DDR Calibration DQS reg = 00008788



U-Boot 1.1.3 (Jul 12 2020 - 09:47:44)


Board: Ralink APSoC DRAM:  64 MB

mtest end addr: 83f31f88

relocate_code Pointer at: 83f94000

flash manufacture id: ef, device id 40 17

find flash: s25fl064k

*** Warning - bad CRC, using default environment


============================================ 

Build Date:Jul 12 2020  Time:09:47:44

============================================ 

reset button pressed



 netboot_common, argc= 3 


 NetTxPacket = 0x83FE7EC0 


 KSEG1ADDR(NetTxPacket) = 0xA3FE7EC0 


 NetLoop,call eth_halt ! 


 NetLoop,call eth_init ! 

Trying Eth0 (10/100-M)


 Waitting for RX_DMA_BUSY status Start... done



 ETH_STATE_ACTIVE!! 

TFTP from server 192.168.2.88; our IP address is 192.168.2.119

Filename 'lede-firmware.bin'.


 TIMEOUT_COUNT=10,Load address: 0x80100000

Loading: *

ArpTimeoutCheck 

Got ARP REQUEST, return our IP

Got ARP REQUEST, return our IP

T Got ARP REPLY, set server/gtwy eth addr (64:00:6a:4b:64:57)

Got it

#################################################################

###############checksum bad

checksum bad

checksum bad

##############Got ARP REQUEST, return our IP

####################################

 #########checksum bad

########################################################
 #################################################################

###########################################checksum bad

checksum bad

#checksum bad

checksum bad

#####################
##################checksum bad
###############################################
#################################################################
##########################ù###ä################################
 #################################################################Got ARP REQUEST, return our IP
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
################################################

done

Bytes transferred = 5898580 (5a0154 hex)

NetBootFileXferSize= 005a0154

image name len check failed(27 5)

image name check failed WK410 MIPS OpenWrt Linux-5.10.138

WK410 firmware check failed

I don't have access to the stock firmware image since the aigital website is down and I couldn't find it anywwere else.

U-Boot won't take any commands and the only open ports are 53 und 80.

I can't upload the LEDE/OpenWrt firmware image through the webgui since it won't accept the image format:

The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform.

Product picture
Picture of the webgui

Any tips on what I should try next, and a way to backup the default firmware before I mess with it too much, would be greatly appreciated.

2

Check the situation about R87 (vs R18); if you're lucky, it might suffice to bridge R87 (test it temporarily with a screw driver first, before taking out the soldering iron - and try to check the traces first, the photo isn't quite good enough to tell for sure).

1 Like
3

R18 (or R16?) connects to the assumed TX and R87 and R89 to RX.
Seems like I have to count the pins of the MT7628AN to make sure that it's connected.

4

From the picture, it could be either - I can't quite make it out, but I'm referring to the one directly above R87 (which might pull down rx, but doesn't necessarily need to - my main suspect would be about bridging R87).

5

Yes, I know which one you are talking about. The solder maks is so messy that I can't even see it up close.
I tested all the contacts with a multimeter, so I could tell that R87 and R89 are connected to RX and R16/18 is connected to TX. Also, I just followed the traces and tested random pins of the MT7628AN and I got contact for RX and TX.
Seems like the next step is soldering some pin headers to them.

Is it possible that the U-Boot is configured to block incoming commands? Out of curiosity, I tried booting while pressing reset or the wps button on the back, but I still couldn't send any commands to it.

6

It's possible, uncommon, but possible (e.g. Xiaomi does this).

7

Soldering done, but it's still the same.
I tried switching RX and TX just to see what would happen, but the device wouldn't even boot.
I'll study the datasheet tomorrow, maybe the third pin isn't TX after all. My USB adapter should be working fine since I just flashed a ARV752DPW22 a few days ago.

8

Today I follwed the traces with good light and a sharp eye. TX and RX are right next to each other, with no vias or additional components except for the resistors at R16/18 and R89. The datasheet confirmed that both pins are next to each other.
However, since the TX pin is under the chip, I could not check the connection with my multimeter. Seems like I was imagining things the last time I tried.

I have also tested another UART USB adapter, but also without success.
I noticed that before I soldered the header pins I could type into the serial console (screen) without getting a response. Now with the header pins I can't even type into the serial console.

Since I'm out of ideas, I'm currently looking for rce exploits for the old uhttpd (assumed) or dnsmasq versions.

9

One possibility is to look with an oscilloscope for find the TX outpout

Now if you have connected TX to TX you may have destroyed this output