Dynalink DL-WRX36 Askey RT5010W IPQ8072A technical discussion

robimarko · 2022-05-28T10:31:43.327Z

This thing has the weirdest partition layout possible:

[    1.051424] 0x000000000000-0x000000100000 : "0:SBL1"
[    1.058166] 0x000000100000-0x000000200000 : "0:MIBIB"
[    1.063010] 0x000000200000-0x000000280000 : "0:BOOTCONFIG"
[    1.067617] 0x000000280000-0x000000300000 : "0:BOOTCONFIG1"
[    1.072966] 0x000000300000-0x000000600000 : "0:QSEE"
[    1.080310] 0x000000600000-0x000000900000 : "0:QSEE_1"
[    1.085570] 0x000000900000-0x000000980000 : "0:DEVCFG"
[    1.088573] 0x000000980000-0x000000a00000 : "0:DEVCFG_1"
[    1.093712] 0x000000a00000-0x000000a80000 : "0:APDP"
[    1.099193] 0x000000a80000-0x000000b00000 : "0:APDP_1"
[    1.104144] 0x000000b00000-0x000000b80000 : "0:RPM"
[    1.109061] 0x000000b80000-0x000000c00000 : "0:RPM_1"
[    1.113838] 0x000000c00000-0x000000c80000 : "0:CDT"
[    1.119088] 0x000000c80000-0x000000d00000 : "0:CDT_1"
[    1.123752] 0x000000d00000-0x000000d80000 : "0:APPSBLENV"
[    1.128996] 0x000000d80000-0x000000e80000 : "0:APPSBL"
[    1.134693] 0x000000e80000-0x000000f80000 : "0:APPSBL_1"
[    1.139739] 0x000000f80000-0x000001000000 : "0:ART"
[    1.144869] 0x000001000000-0x000007100000 : "rootfs"
[    1.220111] mtd: device 18 (rootfs) set to be root filesystem
[    1.220372] mtdsplit: no squashfs found in "rootfs"
[    1.224848] 0x000007100000-0x000007a00000 : "0:WIFIFW_1"
[    1.236736] 0x000007a00000-0x00000db00000 : "rootfs_1"
[    1.308238] 0x00000db00000-0x00000e400000 : "0:WIFIFW"
[    1.315508] 0x00000e400000-0x00000fa00000 : "ubifs"
[    1.332296] 0x00000fa00000-0x00000fa80000 : "0:ETHPHYFW"
[    1.333299] 0x00000fa80000-0x00000fd00000 : "certificate"

On a positive node, we can boot OpenWrt by changing the U-boot env to manually boot UBI.
And, now suddenly SSH password doesn't work anymore, this thing is just getting crazier and crazier, and even factory resetting then importing the backup doesn't work

kirdes · 2022-05-28T11:51:11.138Z

Sounds like it's time for an ubiformat and get rid of this stock firmware.

Was you able to get a full bootlog of the stock firmware? I think that is all we need

robimarko · 2022-05-28T11:52:10.423Z

Yeah, I got everything that was needed.
FW is mostly complete, sysupgrade script needs some love though to switch between FW being flashed

kirdes · 2022-05-28T11:53:37.319Z

Nice, will get mine within next week.

robimarko · 2022-05-28T11:53:59.983Z

Great, the HW is unbeatable for the price

clayface · 2022-06-03T14:05:32.394Z

Could you possibly reshare this backup.cfg? Many thanks

robimarko · 2022-06-03T15:25:45.147Z

I think this is the same file:

wetransfer.com

backup.cfg

1 file sent via WeTransfer, the simplest way to send your files around the world

Not really sure as the config modification folder is kind of a mess now

kirdes · 2022-06-04T07:42:36.582Z

@robimarko
got mine Dynalink. It looks like they are using the QCA bootconfig driver for partition switching. I guess this is QCA propritary, isn't it?
Can we mimic that?

BTW, can you provide the full bootlog from the stock firmware?

robimarko · 2022-06-04T08:56:56.682Z

Its done via SCM calls, really no point in even trying to mimic that as bootqca command that only even uses that cannot be used due to secure boot.

Oh, I did not post the bootlog

robimarko · 2022-06-04T09:59:43.508Z

@kirdes
https://gist.githubusercontent.com/robimarko/5f12728df848caa4ace5c41a12304ed7/raw/fd6f09bdcbd844e7249bb9e6513b955b2047d36f/gistfile1.txt

kirdes · 2022-06-04T12:38:45.276Z

BTW on my device rootfs and rootfs_1 are switched:

0x000007a00000-0x00000db00000 : "rootfs"
0x000001000000-0x000007100000 : "rootfs_1"

I think this is how they are switching partitions after firmware update, right?

At the moment I'm struggling with the uboot_env (fw_printenv...) in openwrt.

If I dump mtd14 (0x000000d00000-0x000000d80000 : "0:appsblenv") it's empty (fw_printenv isn't working either), but there are env variables set that can be read in uboot for sure.

Any ideas? Am I mssing something?

robimarko · 2022-06-04T12:42:41.338Z

github.com

GitHub - robimarko/openwrt at ipq807x-5.15-pr-dynalink

ipq807x-5.15-pr-dynalink

Linux distribution for embedded devices. Contribute to robimarko/openwrt development by creating an account on GitHub.

I pushed the WIP branch, u-boot env worked for me fine, but despite the partition being 0x80000 in size, they are only using 0x40000 for the env, I think that u-boot config is already set in this branch

kirdes · 2022-06-04T14:11:13.551Z

Thanks, but this device is really strange:

cat /etc/fw_env.config
/dev/mtd14 0x0 0x40000 0x20000 2

fw_printenv
Warning: Bad CRC, using default environment
bootcmd=bootp; setenv bootargs root=/dev/nfs nfsroot=${serverip}:${rootpath} ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}::off; bootm
bootdelay=5
baudrate=115200

I have no idea, why this isn't working on my device but is working on yours.

robimarko · 2022-06-04T14:16:38.258Z

Hm, that's really strange then.

Can you save the backup and extract it to check the /etc/fw_env.config in the stock FW?
That is how I figured out that they weren't using the whole partition but just half of it

kirdes · 2022-06-04T14:27:40.899Z

It's the same:

/dev/mtd14 0x0 0x40000 0x00020000 2

I don't get it.....

robimarko · 2022-06-04T14:28:53.680Z

Do you maybe have UART or SSH?
So that you can dump the partition, cause it really makes no sense

kirdes · 2022-06-04T14:31:12.093Z

UART, but if I dump the appsblenv partition from within openwrt initramfs, it's empty.

I can try to gain ssh access to the stock firmware and check there.

robimarko · 2022-06-04T14:32:22.662Z

You can use UART with the stock FW also, I had UART way before SSH

kirdes · 2022-06-04T14:34:46.661Z

But UART is disabled in the stock firmware, or did you used uboot to dump the partitions?

robimarko · 2022-06-04T14:36:12.535Z

Ahh yeah, they intentionally dont pass the console via cmdline to disable it.
I actually used OpenWrt to dump everything since SMEM populated the partitions.

I am getting multiple devices mixed up due to working on like 4 devices in parallel.