Backup OEM router firmware, can't find firmware online (SOLVED) also Port Phicomm K2 to EDUP_2655 (SOLVED)

#1

I have a new router EPLINK-9001 K2. I've set up a serial connection and the dump console says: OpenWrt BARRIER BREAKER (Bleeding Edge, r13014). MTK-OpenWrt-2.6.36 local-rev: build-time: Wed Apr 12 11:48:04 CST 2017. I can't find an image of the firmware. I want to put OpenWrt on it but I want to have a backup of the OEM firmware. Can someone point me in the right direction?

Also, I would like to know what bin of OpenWrt I can use. Otherwise, I'm happy to work on building a version if someone can also point me in that direction as well. I've used OpenWrt many times and am familiar with hacking routers (TFTP, serial console, bin, chk, etc.) but I'd like to go to the next step of building my own but I don't know what to look out for.

I'm assuming since this is already running some version of OpenWrt mixed into the OEM firmware that I should be able to at least extract any proprietary drivers that I may need?

Thanks for the help in advance.

0 Likes

#2

Regrettably, Barrier Breaker is on an obsolete, unsupportable kernel (3.10), and the drivers that might be there are very unlikely to be usable with current kernels (4.9 now, about to be 4.14). Given that the device was released in 2017, it may just be the name that remains, and little else from a five-year-old release.

https://wikidevi.com/wiki/EDUPLINK_EPLINK-9001 shows MediaTek MT7620A which is, as I understand it, a supported platform, though I didn't see your device or the three others with the same FCC ID listed as supported.

The first step would be to see if you can get shell access to the device, and go from there.

1 Like

#3

As I said. I have a serial connection to the device. What do you need to know? I have full access to the OS. I'm messing with looking through the www files to see if I can find a way to get the firmware as there is a firmware update check in the web page.

0 Likes

#4

Some of the following will likely be useful to determine how the kernel is loaded, what drivers might be in use, and how the flash is utilized:

dmesg
logread
cat /proc/mtd

That could be compared with other MT7620A devices' pages and there may be a "close match" that would make porting a lot more straightforward.

0 Likes

#5

dmesg > https://pastebin.com/JbWwvAiB
logread > https://pastebin.com/q8b4gsjt

cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00010000 00010000 "params"
mtd5: 007a0000 00010000 "firmware"
mtd6: 0065b243 00010000 "rootfs"
mtd7: 00390000 00010000 "rootfs_data"

0 Likes

#6

You can download a copy of /dev/mtd0 to back up the whole flash memory.

1 Like

#7

Thanks for the info. How exactly should I do it. I noticed that dd is on the router. Do I dd /dev/mtd0 to a file and then tftp it? Or is there an easier way?

0 Likes

#8

You can use dd or cat for SPI-NOR flash (like yours); for NAND those tools would be dangerous and nanddump must be used instead.

0 Likes

#9

Ok, so I've dumped ALL, but the size for everything is 00010000; is that correct? I want to try chipping out the firmware and uploading it back to the router through the web interface just to make sure that it will work.

Also, at the beginning of the firmware location (0x7A0000) is 85 19 03 20 0C 00 00 00 B1 B0 1E E4 and then just FF's (a few random bytes in between but not many) up to about 0x7E0000. Does that sound right?

0 Likes

#10

I'd also take backups of each MTD partition. You should be able to use binwalk to find out more about the file systems, and likely be able to extract the complete file system.

0 Likes

#11

Ok, thanks for all the help! I dumped all the MTD partitions and had a look in a hex editor (first step) and saw EDUP_2655 and found that there is a router on http://www.szedup.com/product-item/long-range-ac1200-dual-band-wireless-wifi-smart-router-app-management/ and downloaded the firmware. Inside it also says EDUP_2655 in the same place, so I think I found a firmware for it. I'm going to have a look at things with binwalk now, but I'm now thinking about what version of OpenWrt to try. The router is 16megs and 64megs RAM from what I can see so far. Having flashed other firmware using tftp and serial console, I imagine I can just try a matching MediaTek version? Worst case it won't boot, I imagine? I will only be writing to the firmware partition.

0 Likes

#12

Worst case would be overwriting the bootloader and/or wlan calibration data; at least the former would perma-brick your device (without unsoldering flash, rewriting externally and resoldering). Just throwing random binary firmwares at it until something sticks is a horrible idea.

0 Likes

#13

Ok slh, more homework on that before trying.

As to the firmware: after comparing the downloaded version (similar router as mentioned above) and the firmware extracted from mtd5, the extracted one is 8megs and the downloaded is 4.5megs. binwalk extracted an additional jffs2-root which is a bunch of fs_1,2,3... with a few having subdirs but no files, just dir structure. Comparing the two firmwares, I found that the end of the downloaded firmware had DEADC0DE in a couple of different places, so I went into the extracted one and found the same DEADC0DE, so I clipped the file at the last one and now it's about 4.2megs. I'm leery to upload the new one as it is from a "similar" though it has the same name in firmware. There's a file in etc/config/fwinfo that has dates in, and the downloaded one is a few months newer. I'm thinking about trying to re-upload the clipped firmware to see what happens. Any feedback or warnings? Since this is from the web upload, I should be safe if the cut isn't correct? I might just upload the downloaded one first just to see if it works and then try the cut one just in case it does weird things.

BTW - This router was only $10 so I'm not really too worried about permanent-brick. It's more for learning OpenWrt a little better.

0 Likes
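
A trimmed dump like the one described in this post can be checked offline before it is uploaded. This is an added example, not code from the thread: it assumes the firmware partition starts with a legacy U-Boot uImage header (the format the boot loader prints in post #16) and that the cut keeps everything through the last DEADC0DE marker; `make_sample` builds a constructed image to run it against.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956            # legacy U-Boot image header magic
HDR = struct.Struct(">7I4B32s")      # 64-byte big-endian uImage header
MARKER = bytes.fromhex("deadc0de")   # end marker named in post #13

def parse_uimage(blob):
    """Parse the uImage header at offset 0 and verify both CRC32 fields."""
    if len(blob) < HDR.size:
        raise ValueError("too short for a uImage header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = HDR.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at offset 0")
    # The header CRC is computed with the hcrc field itself zeroed.
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:HDR.size]
    data = blob[HDR.size:HDR.size + size]
    return {"name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": size, "load": load, "entry": entry,
            "header_ok": zlib.crc32(zeroed) == hcrc,
            "data_ok": len(data) == size and zlib.crc32(data) == dcrc}

def trim_dump(dump):
    """Return the dump cut after the last DEADC0DE marker.

    ASSUMPTION: the marker itself is kept. Refuses to return anything if
    the kernel checksums fail or the marker lies inside the kernel.
    """
    info = parse_uimage(dump)
    if not (info["header_ok"] and info["data_ok"]):
        raise ValueError("checksum mismatch, dump is not safe to flash")
    end = dump.rfind(MARKER)
    if end < HDR.size + info["size"]:
        raise ValueError("no end marker after the kernel")
    return dump[:end + len(MARKER)]

def make_sample(partition_size=0x20000):
    """Constructed (image, partition dump) pair; not data from the router."""
    kernel = b"constructed-kernel-payload" * 100
    rootfs = b"hsqs" + b"constructed-rootfs" * 50
    # os=5 (Linux), arch=5 (MIPS), type=2 (kernel), comp=3 (lzma)
    hdr = HDR.pack(UIMAGE_MAGIC, 0, 0, len(kernel), 0x80000000, 0x80000000,
                   zlib.crc32(kernel), 5, 5, 2, 3, b"constructed sample image")
    hdr = hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:]
    image = hdr + kernel + rootfs + MARKER
    # An erased NOR flash tail reads back as 0xFF.
    return image, image + b"\xff" * (partition_size - len(image))

if __name__ == "__main__":
    image, dump = make_sample()
    print(parse_uimage(dump))
    print("trimmed", len(dump), "->", len(trim_dump(dump)), "bytes")
```

Comparing the trimmed result byte for byte with the vendor's download, as the post does, remains the stronger check, since the CRCs cover only the header and the kernel payload.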

#14

Not correct. 0x00010000 (64 KB) is the erase size. The flash memory size is 0x00800000 (8 MB).

This is a range of 0x40000 bytes (256 KB).

There is a difference in flash size.

0 Likes

#15

I'm wrong about the 16 megs. Mtd0 is 8megs.

Here is a df:

df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                    3.6M    312.0K      3.3M   9% /
/dev/root                 2.8M      2.8M         0 100% /rom
tmpfs                    16.0M     96.0K     15.9M   1% /tmp
/dev/mtdblock7            3.6M    312.0K      3.3M   9% /overlay
overlayfs:/overlay        3.6M    312.0K      3.3M   9% /
tmpfs                   512.0K         0    512.0K   0% /dev
[root@OpenWrt]

Ok, some success. I flashed my cut version of the firmware and it flashed and everything seems to be working. I then flashed the downloaded version from the other router and it flashed and seems ok. Not exhaustively tested but ifconfig shows all same ports. Only change was the router defaulted back to 192.168.0.1 when I had changed it to 192.168.0.111 so it could be on the same network as I am. The cut version is 1.26.6 and the downloaded version is 1.26.7 so I'm happy the routers are similar if not the same. So... next step is to play with OpenWrt. Going to do some research and see what I find. Open to any suggestions. Thanks again for the great feedback, it helped a lot!

0 Likes

#16

Ok, further success. I found an option in the firmware to "Load system code to SDRAM via TFTP." So I set up the env to point to my tftp server and renamed the OpenWrt firmware to test.bin and here's what happened.

Automatic boot of image at addr 0x80A00000 ...
## Booting image at 80a00000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.95
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1437410 Bytes =  1.4 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 64
 
Starting kernel ...
 
[    0.000000] Linux version 4.14.95 (buildbot@builds-03.infra.lede-project.org) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 r7627-753531d)) #0 Mon Jan 28 08:54:32 2019
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7620A ver:2 eco:6
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019650 (MIPS 24KEc)
[    0.000000] MIPS: machine is Phicomm PSG1218 rev.A
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] random: get_random_bytes called from 0x8042472c with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line: console=ttyS0,57600 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=0003f26b
[    0.000000] Readback ErrCtl register=0003f26b
[    0.000000] Memory: 60240K/65536K available (3590K kernel code, 178K rwdata, 464K rodata, 176K init, 214K bss, 5296K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 256
[    0.000000] CPU Clock: 580MHz
[    0.000000] clocksource: systick: mask: 0xffff max_cycles: 0xffff, max_idle_ns: 583261500 ns
[    0.000000] systick: enable autosleep mode
[    0.000000] systick: running - mult: 214748, shift: 32
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6590553264 ns
[    0.000013] sched_clock: 32 bits at 290MHz, resolution 3ns, wraps every 7405115902ns
[    0.015476] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[    0.087704] pid_max: default: 32768 minimum: 301
[    0.097128] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.110148] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.130128] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.149606] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.161784] pinctrl core: initialized pinctrl subsystem
[    0.173381] NET: Registered protocol family 16
[    0.186607] Can't analyze schedule() prologue at 8037d498
[    0.450301] PCI host bridge /pcie@10140000 ranges:
[    0.459694]  MEM 0x0000000020000000..0x000000002fffffff
[    0.470070]   IO 0x0000000010160000..0x000000001016ffff
[    0.497607] rt2880_gpio 10000600.gpio: registering 24 gpios
[    0.508638] rt2880_gpio 10000600.gpio: registering 24 irq handlers
[    0.521762] PCI host bridge to bus 0000:00
[    0.529761] pci_bus 0000:00: root bus resource [mem 0x20000000-0x2fffffff]
[    0.543471] pci_bus 0000:00: root bus resource [io  0xffffffff]
[    0.555205] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.568704] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.584916] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    0.601473] pci 0000:00:00.0: BAR 0: no space for [mem size 0x80000000]
[    0.614523] pci 0000:00:00.0: BAR 0: failed to assign [mem size 0x80000000]
[    0.628338] pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x200fffff]
[    0.641841] pci 0000:00:00.0: BAR 9: assigned [mem 0x20100000-0x201fffff pref]
[    0.656204] pci 0000:00:00.0: BAR 1: assigned [mem 0x20200000-0x2020ffff]
[    0.669715] pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff 64bit]
[    0.684259] pci 0000:01:00.0: BAR 6: assigned [mem 0x20100000-0x2010ffff pref]
[    0.698605] pci 0000:00:00.0: PCI bridge to [bus 01]
[    0.708464] pci 0000:00:00.0:   bridge window [mem 0x20000000-0x200fffff]
[    0.721974] pci 0000:00:00.0:   bridge window [mem 0x20100000-0x201fffff pref]
[    0.740278] clocksource: Switched to clocksource systick
[    0.751915] NET: Registered protocol family 2
[    0.761484] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.775258] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.787847] TCP: Hash tables configured (established 1024 bind 1024)
[    0.800620] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.812126] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.824821] NET: Registered protocol family 1
[    0.836160] rt-timer 10000100.timer: maximum frequency is 1220Hz
[    0.848866] Crashlog allocated RAM at address 0x3f00000
[    0.860987] workingset: timestamp_bits=30 max_order=14 bucket_order=0
[    0.879676] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.891168] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.921013] io scheduler noop registered
[    0.928658] io scheduler deadline registered (default)
[    0.939850] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.955298] console [ttyS0] disabled
[    0.962351] 10000c00.uartlite: ttyS0 at MMIO 0x10000c00 (irq = 20, base_baud = 2500000) is a Palmchip BK-3103
[    0.982017] console [ttyS0] enabled
[    0.982017] console [ttyS0] enabled
[    0.995834] bootconsole [early0] disabled
[    0.995834] bootconsole [early0] disabled
[    1.012394] cacheinfo: Failed to find cpu0 device node
[    1.022668] cacheinfo: Unable to detect cache hierarchy for CPU 0
[    1.042211] spi spi0.0: force spi mode3
[    1.050691] m25p80 spi0.0: mx25l6405d (8192 Kbytes)
[    1.060501] 4 fixed-partitions partitions found on MTD device spi0.0
[    1.073162] Creating 4 MTD partitions on "spi0.0":
[    1.082720] 0x000000000000-0x000000030000 : "u-boot"
[    1.093536] 0x000000030000-0x000000040000 : "u-boot-env"
[    1.105056] 0x000000040000-0x000000050000 : "factory"
[    1.116038] 0x000000050000-0x000000800000 : "firmware"
[    2.059970] libphy: Fixed MDIO Bus: probed
[    2.072500] gsw: setting port4 to ephy mode
[    2.080903] mtk_soc_eth 10100000.ethernet eth0 (uninitialized): port 0 link up (100Mbps/Full duplex)
[    2.099353] mtk_soc_eth 10100000.ethernet: loaded mt7620 driver
[    2.111862] mtk_soc_eth 10100000.ethernet eth0: mediatek frame engine at 0xb0100000, irq 5
[    2.128870] rt2880_wdt 10000120.watchdog: Initialized
[    2.140421] NET: Registered protocol family 10
[    2.153303] Segment Routing with IPv6
[    2.160793] NET: Registered protocol family 17
[    2.169692] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    2.195525] 8021q: 802.1Q VLAN Support v1.8
[    2.206692] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6
[    2.221671] Please append a correct "root=" boot option; here are the available partitions:
[    2.238324] 1f00             192 mtdblock0
[    2.238329]  (driver?)
[    2.251364] 1f01              64 mtdblock1
[    2.251369]  (driver?)
[    2.264389] 1f02              64 mtdblock2
[    2.264393]  (driver?)
[    2.277416] 1f03            7872 mtdblock3
[    2.277420]  (driver?)
[    2.290451] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[    2.308240] Rebooting in 1 seconds..

So it looks like the kernel is booting but needs more info about rootfs (full dump at https://pastebin.com/upGF44w6 as well). I'm kind of out of my league here but it seems to me that the mtdblocks are different than the original firmware, but I'm assuming that the blocks are created by the firmware on boot. All in all it looks like this firmware should work. I tried to do a tftp upload and mtd write firmware.bin firmware but it just came back to the command line without doing anything. I (dangerously) tried -f but same thing.

BTW - I'm using the OpenWrt Image from the Phicomm K2 PSG1218 router as it had similar specs, but on further investigation, I think I'm wrong about the configuring of the MTD's as I did an upgrade flash (holding the button on boot with tftp of upgrade.bin) of the firmware and got the same error. I was able to reflash the original firmware so at least I know I'm close. (Sorry slh for being so reckless)

I'm currently compiling git for Phicomm PSG1218 rev.A. I looked at the dtsi file and see where the MTD's setup happens. Going to try modifying those to reflect the original firmware. Any help here is GREATLY appreciated. I'm not all that clear on the MTD configuration yet.

Victory! I changed ./target/linux/ramips/dts/PSG1218.dtsi as follows:

		partitions {
			compatible = "fixed-partitions";
			#address-cells = <1>;
			#size-cells = <1>;

			partition@0 {
				label = "bootloader";
				reg = <0x0 0x30000>;
				read-only;
			};

			partition@30000 {
				label = "config";
				reg = <0x30000 0x10000>;
				read-only;
			};

			factory: partition@40000 {
				label = "factory";
				reg = <0x40000 0x10000>;
				read-only;
			};

			partition@50000 {
				label = "params";
				reg = <0x50000 0x10000>;
				read-only;
			};

			partition@60000 {
				compatible = "denx,uimage";
				label = "firmware";
				reg = <0x60000 0x7a0000>;
			};
		};

Did an update via tftp. Seems to be working now. Booted up. wlan0/1. Luci running. Tested. Seems good!

1 Like
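
The partition offsets used in the DTS change in post #16 can be derived from the /proc/mtd listing in post #5. This is an added example, not code from the thread: it assumes mtd0 spans the whole chip and that the partitions listed after it sit back to back in the order shown; the PSG1218 table is copied from the boot log in post #16.

```python
import re

# /proc/mtd as posted in #5 of this thread.
PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00010000 00010000 "params"
mtd5: 007a0000 00010000 "firmware"
mtd6: 0065b243 00010000 "rootfs"
mtd7: 00390000 00010000 "rootfs_data"
"""

# Layout printed by the unmodified PSG1218 image in the boot log of #16.
PSG1218 = {"u-boot": (0x0, 0x30000), "u-boot-env": (0x30000, 0x10000),
           "factory": (0x40000, 0x10000), "firmware": (0x50000, 0x7B0000)}

ROW = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"$', re.I)

def parse_proc_mtd(text):
    """Return [(dev, size, erasesize, name)] with sizes as integers."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m[1], int(m[2], 16), int(m[3], 16), m[4]))
    return rows

def derive_layout(rows):
    """Map name -> (offset, size).

    ASSUMPTION: rows[0] covers the whole chip and the following rows are
    contiguous. /proc/mtd carries no offsets, so the sum is checked.
    """
    total, layout, offset = rows[0][1], {}, 0
    for _dev, size, erase, name in rows[1:]:
        if offset == total:
            break  # chip is full: the rest (rootfs, rootfs_data) are nested
        if offset % erase or size % erase:
            raise ValueError(f"{name} is not erase-block aligned")
        layout[name.lower()] = (offset, size)
        offset += size
    if offset != total:
        raise ValueError("partitions do not add up to the chip size")
    return layout

def to_dts(layout):
    """Render the layout as fixed-partitions child nodes."""
    return "\n".join(
        f'partition@{off:x} {{ label = "{name}"; reg = <0x{off:x} 0x{size:x}>; }};'
        for name, (off, size) in layout.items())

def firmware_shift(oem, other):
    """Bytes by which the other layout's firmware start differs from the OEM one."""
    return oem["firmware"][0] - other["firmware"][0]

if __name__ == "__main__":
    oem = derive_layout(parse_proc_mtd(PROC_MTD))
    print(to_dts(oem))
    print(f"PSG1218 firmware starts 0x{firmware_shift(oem, PSG1218):x} too early")
```

The derived values match the `reg` entries in the modified DTS above; under the same assumption, the unmodified PSG1218 table starts its firmware partition 0x10000 earlier, at the offset this board uses for params.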

#17

How did you do this? Thanks.

0 Likes

#18

If you look at the homepage for openwrt.org there are some how-to documents. It is a very good collection. One of the documents will cover exactly how to connect via serial. It's pretty easy. Open the router and find the UART pins. There will be four of them. The two outside pins are ground and V+. Connect a USB to TTL serial connector to your computer USB port. Run wires from the TTL connector to the UART port on the router's motherboard. Make sure ground goes to ground and don't hook up the V+. When you turn the router on, if you don't get anything on your terminal then you probably have the two middle wires reversed. Those are RX and TX. There are more detailed instructions on setting up your terminal software on your computer. I use minicom on Ubuntu. You can check to see which one is ground and which one is V+ with an ohmmeter.
I am going to step through building an image from source code for a wndr4300. Watch for my posts, I will document some details.

1 Like

#19

and probably need to disable HW+SW flow offload....

0 Likes
