Thanks, I gotta dig out a connector like this or try using logic analyzer probes.
Nowhere to get it locally, or without 20 EUR of shipping cost.
These kinds of connectors are commonly used on corded mice; if you have one that you no longer use, it can be removed. They usually have 6 pins, but the extra pin can easily be cut off.
Hm, I used to have one for spare parts.
Will have a look.
Finally got around to soldering the UART adaptor, so they are being d*cks and have disabled UART in the stock FW completely.
Ok, managed to pull the DTS using OpenWrt initramfs:
It looks like there are 3 different revisions of the Askey board; the Dynalink one is: Askey RT5010W-D350/REV0
BTW, the stock FW is just the traditional QSDK SquashFS inside of UBI and that's it; it's not encrypted or anything, so it can easily be unpacked.
They are changing various PHY registers as well as the PHY LED config using shell scripts; it looks to be built on the SFP11.2 QSDK release, so semi-recent.
rt5010w-rev2 | rt5010w-rev3 | rt5010w-d347-rev0 | rt5010w-d350-rev0 | rt5011w-rev0)
## PURDA-672
## QCA8075 setting
## Askey, Harry Chen, 2020/02/25 , modify LED behavior for QCA8075 (LAN)
ssdk_sh debug phy set 0x0 0xd 0x7
ssdk_sh debug phy set 0x0 0xe 0x8076
ssdk_sh debug phy set 0x0 0xd 0x4007
ssdk_sh debug phy set 0x0 0xe 0x0640
ssdk_sh debug phy set 0x1 0xd 0x7
ssdk_sh debug phy set 0x1 0xe 0x8076
ssdk_sh debug phy set 0x1 0xd 0x4007
ssdk_sh debug phy set 0x1 0xe 0x0640
ssdk_sh debug phy set 0x2 0xd 0x7
ssdk_sh debug phy set 0x2 0xe 0x8076
ssdk_sh debug phy set 0x2 0xd 0x4007
ssdk_sh debug phy set 0x2 0xe 0x0640
ssdk_sh debug phy set 0x3 0xd 0x7
ssdk_sh debug phy set 0x3 0xe 0x8076
ssdk_sh debug phy set 0x3 0xd 0x4007
ssdk_sh debug phy set 0x3 0xe 0x0640
ssdk_sh debug phy set 0x4 0xd 0x7
ssdk_sh debug phy set 0x4 0xe 0x8076
ssdk_sh debug phy set 0x4 0xd 0x4007
ssdk_sh debug phy set 0x4 0xe 0x0640
## QCA8081 setting
## Askey, Harry Chen, 2020/02/25, modify LED behavior for QCA-8081 (WAN)
ssdk_sh debug phy set 0x1c 0x40078078 0x8600
;;
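The four-line groups in the quoted script are easier to read once they are folded into the single MMD register write each of them performs. The decoder below is an added example, not code from the original post, Askey or the QCA SSDK: each "ssdk_sh debug phy set <phy> <reg> <value>" is treated as a Clause 22 MDIO write, and the IEEE 802.3 indirect-access pair (register 13 = MMD access control with function in bits 15:14 and DEVAD in bits 4:0, register 14 = MMD address/data) is collapsed into one (phy, devad, register, value) write. The QCA8081 line uses an ssdk_sh-specific register encoding that the decoder does not interpret; it is reported as a plain register write. The sample input is copied from the quoted script and shortened to two ports.

```python
"""Decode ssdk_sh PHY register writes into the MMD writes they perform.

Added example, not code from the original post, Askey or the QCA SSDK.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the QCA8075 block of the quoted script for PHYs 0 and 1,
# plus the QCA8081 line (left undecoded, its register encoding is ssdk_sh-specific).
SAMPLE = """\
## QCA8075 setting
ssdk_sh debug phy set 0x0 0xd 0x7
ssdk_sh debug phy set 0x0 0xe 0x8076
ssdk_sh debug phy set 0x0 0xd 0x4007
ssdk_sh debug phy set 0x0 0xe 0x0640
ssdk_sh debug phy set 0x1 0xd 0x7
ssdk_sh debug phy set 0x1 0xe 0x8076
ssdk_sh debug phy set 0x1 0xd 0x4007
ssdk_sh debug phy set 0x1 0xe 0x0640
## QCA8081 setting
ssdk_sh debug phy set 0x1c 0x40078078 0x8600
"""

LINE_RE = re.compile(r"^\s*ssdk_sh\s+debug\s+phy\s+set\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
MMD_ACCESS_CONTROL = 13      # Clause 22 register 13: function[15:14], DEVAD[4:0]
MMD_ADDRESS_DATA = 14        # Clause 22 register 14: MMD address or data
FUNC_ADDRESS = 0             # 00: next register-14 write latches the MMD address
FUNC_DATA = 1                # 01: data, no post-increment
FUNC_DATA_INC = (2, 3)       # 10/11: data, MMD address post-increments


@dataclass(frozen=True)
class PhyWrite:
    phy: int
    devad: Optional[int]     # MMD device address; None for a direct Clause 22 write
    reg: int
    value: int


def decode_ssdk_phy_writes(script: str) -> List[PhyWrite]:
    writes: List[PhyWrite] = []
    state: Dict[int, dict] = {}   # per-PHY latch: function, devad, MMD address
    for line in script.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # comments, case labels, ';;', blank lines
        phy, reg, val = (int(x, 0) for x in m.groups())
        st = state.setdefault(phy, {"func": None, "devad": None, "addr": None})
        if reg == MMD_ACCESS_CONTROL:
            st["func"], st["devad"] = (val >> 14) & 0x3, val & 0x1f
        elif reg == MMD_ADDRESS_DATA and st["func"] == FUNC_ADDRESS:
            st["addr"] = val
        elif (reg == MMD_ADDRESS_DATA and st["func"] in (FUNC_DATA, *FUNC_DATA_INC)
              and st["addr"] is not None):
            writes.append(PhyWrite(phy, st["devad"], st["addr"], val))
            if st["func"] in FUNC_DATA_INC:
                st["addr"] += 1
        else:
            # Direct register write, or a register-14 access with no address
            # phase: keep it visible rather than silently dropping it.
            writes.append(PhyWrite(phy, None, reg, val))
    return writes


def main() -> None:
    for w in decode_ssdk_phy_writes(SAMPLE):
        if w.devad is None:
            print(f"phy 0x{w.phy:x}: reg 0x{w.reg:x} <- 0x{w.value:04x}")
        else:
            print(f"phy 0x{w.phy:x}: MMD {w.devad} reg 0x{w.reg:04x} <- 0x{w.value:04x}")


if __name__ == "__main__":
    main()
```

Run against the full script, it reduces the twenty QCA8075 lines to five writes of 0x0640 into MMD 7 register 0x8076, one per LAN port, which is the whole of the "LED behavior" change on that PHY.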
Came across this thread while looking for some info on other Askey routers. If the stock FW allows it, can you send a backup of the config? If it's anything like the RT4230W, I might be able to enable telnet or SSH by modifying it. No guarantees though.
If you have some spare time, can you try this as bootcmd on the Dynalink?
"setenv bootargs console=ttyMSM0,115200n8 ubi.mtd=rootfs root=mtd:rootfs rootfstype=squashfs rootwait; ubi part fs; ubi read 43ffd000 kernel; bootm 43ffd000"
This works on a Netgear IPQ6018 secure-boot-enabled device (playing with an image built from the TIP repo, 5.4 kernel).
This avoids the bootipq image signing check etc.
BTW, I will get a Dynalink myself soon.
Sure, I can try tomorrow, as it's time to get it completed due to its price.
The config backup does not seem to be a ZIP anymore.
Nah, that won't work without setting the NAND ID and partition table manually first.
Can you send a copy anyways? Askey likes to use their own special methods of compressing the config file.
Sure, here it is:
I'll take a look at it a bit later.
Ahh, mtdids and mtdparts are already set on my device.
This should work on the Dynalink:
mtdids=nand0=nand0
mtdparts=mtdparts=nand0:0x6100000@0x7a00000(fs),
It's not an issue setting it manually; I am looking now at what the secure boot verifies, because it seems like only the kernel is being verified.
The issue is that they are making an SCM call to do so; the certificate partition is a LUKS-encrypted UBI volume.
On my device they are parsing the ELF image header (parse_elf_image_phdr) and this fails with "It is not a elf image".
The same is being done here; they are just using the bog-standard QCA bootloader and the bootqca/bootipq command, which does everything automagically.
Looking at the code, I don't see an obvious exploit.
Here is the bootipq in debug mode:
IPQ807x# bootipq debug
call do_boot_signedimg()
Using nand device 0
setenv mtdids nand0=nand0 && setenv mtdparts mtdparts=nand0:0x6100000@0x1000000(fs),0x6100000@0x7a00000(fs_1),${msmparts}
[Askey] check_dualimg_nand()-3
******* check firmware img *****
ubi part fs && ubi read 0x44000000 kernel 0x800
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 97 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 776, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 509821238
ubi0: available PEBs: 0, total reserved PEBs: 776, PEBs reserved for bad PEB handling: 40
Read 2048 bytes from volume kernel to 44000000
NOT unsigned kernel FW header
[Askey] Secure boot Rev 2.00
[Askey] signed kernel FW package
ubi read 0x44000000 kernel 0x3fd800
Read 4184064 bytes from volume kernel to 44000000
checkImage magic img 0x27051956 IH_MAGIC 0x27051956 imgsize 0x3fac00
Image Name: Linux-4.4.60
Image Type: ARM Linux Kernel Image (lzma compressed)
Data Size: 4172736 Bytes = 4 MiB
Load Address: 41080000
Entry Point: 41080000
Verifying Checksum ... OK
kernel_size 0x3fd000 eb_size 0x800 rootfs_size_temp 0x2180840
ubi read 0x443fd040 ubi_rootfs 0x2181000
Read 35131392 bytes from volume ubi_rootfs to 443fd040
checkImage magic img 0x27051956 IH_MAGIC 0x27051956 imgsize 0x2180840
Image Name: root.squashfs
Image Type: ARM Linux Firmware (lzma compressed)
Data Size: 35129344 Bytes = 33.5 MiB
Load Address: 00000000
Entry Point: 00000000
Verifying Checksum ... OK
******* OK *****
bootargs=ubi.mtd=rootfs root=mtd:ubi_rootfs rootfstype=squashfs uboot-version=0.0.1-1-80112-CS rootwait
[Askey] do_boot_signedimg()
Booting from flash
[Askey] do_boot_signedimg() debug-01, addr: 44000000
ubi0: detaching mtd1
ubi0: mtd1 is detached
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 97 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 776, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 509821238
ubi0: available PEBs: 0, total reserved PEBs: 776, PEBs reserved for bad PEB handling: 40
ubi read 0x44000000 kernel && Read 0 bytes from volume kernel to 44000000
No size specified -> Using max size (4190208)
[Askey] do_boot_signedimg() debug-02, size: 0
[Askey] do_boot_signedimg() debug-05, 44000000 4190208
dtb_config_name: <config@rt5010w-d350-rev0>
bootm 0x44000068#config@rt5010w-d350-rev0
## Loading kernel from FIT Image at 44000068 ...
Using 'config@rt5010w-d350-rev0' configuration
Trying 'kernel@1' kernel subimage
Description: ARM64 OpenWrt Linux-4.4.60
Type: Kernel Image
Compression: gzip compressed
Data Start: 0x44000150
Data Size: 3922338 Bytes = 3.7 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x41080000
Entry Point: 0x41080000
Hash algo: crc32
Hash value: 71ea479e
Hash algo: sha1
Hash value: 805491e1ce0ad2c317e3a52a8b9654091160d743
Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000068 ...
Using 'config@rt5010w-d350-rev0' configuration
Trying 'fdt@rt5010w-d350-rev0' fdt subimage
Description: ARM64 OpenWrt rt5010w-d350 device tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x443e6150
Data Size: 82227 Bytes = 80.3 KiB
Architecture: AArch64
Hash algo: crc32
Hash value: 877a0dfe
Hash algo: sha1
Hash value: 19595d50a1c0362b772db8f69b3dbd5773e444a0
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x443e6150
Uncompressing Kernel Image ... OK
Loading Device Tree to 4a3e8000, end 4a3ff132 ... OK
Could not find PCI in device tree
Using machid 0x8850105 from environment
Starting kernel ...
Jumping to AARCH64 kernel via monitor
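The "checkImage magic img 0x27051956 ... Verifying Checksum ... OK" lines in the log above are U-Boot's legacy uImage header check. The script below is an added example, not code from the original post, Askey or U-Boot, that parses that 64-byte header and performs the same check, to make one point concrete: the step is a CRC32 over the header and a CRC32 over the payload. It catches flash corruption, but it is not authentication; whoever can rewrite the UBI volume can recompute both CRCs (recompute_crcs() does exactly that, as mkimage would), so any real protection has to come from the separate signature check the bootloader does afterwards. The image bytes are constructed inline with make_uimage(); to run it on a real dump, pass the bytes starting where 0x27051956 appears in the kernel volume. The IH_TYPE/IH_COMP/IH_ARCH tables are a subset of U-Boot's image.h enums, just enough for the values in the log.

```python
"""Parse and CRC-check a legacy U-Boot uImage header (IH_MAGIC 0x27051956).

Added example, not code from the original post, Askey or U-Boot.
"""
import struct
import zlib
from typing import NamedTuple

IH_MAGIC = 0x27051956
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]; big-endian
IH_FMT = ">IIIIIIIBBBB32s"
IH_LEN = struct.calcsize(IH_FMT)            # 64
# Subset of U-Boot image.h enums, enough for the quoted log.
IH_TYPE = {2: "Kernel Image", 5: "Firmware", 8: "Flat Device Tree"}
IH_COMP = {0: "uncompressed", 1: "gzip", 3: "lzma"}
IH_ARCH = {2: "ARM", 22: "AArch64"}


class UImage(NamedTuple):
    name: str
    size: int
    load: int
    entry: int
    arch: str
    type: str
    comp: str
    hcrc_ok: bool
    dcrc_ok: bool


def crc32(b: bytes) -> int:
    return zlib.crc32(b) & 0xffffffff


def parse_uimage(blob: bytes) -> UImage:
    if len(blob) < IH_LEN:
        raise ValueError("short header")
    (magic, hcrc, _time, size, load, ep, dcrc,
     _os, arch, typ, comp, name) = struct.unpack(IH_FMT, blob[:IH_LEN])
    if magic != IH_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}, expected 0x{IH_MAGIC:08x}")
    # ih_hcrc is computed over the header with its own field zeroed.
    hcrc_ok = crc32(blob[:4] + b"\0" * 4 + blob[8:IH_LEN]) == hcrc
    data = blob[IH_LEN:IH_LEN + size]
    # A truncated payload fails too: the CRC is only checked over ih_size bytes.
    dcrc_ok = len(data) == size and crc32(data) == dcrc
    return UImage(name.rstrip(b"\0").decode("ascii", "replace"), size, load, ep,
                  IH_ARCH.get(arch, f"arch {arch}"), IH_TYPE.get(typ, f"type {typ}"),
                  IH_COMP.get(comp, f"comp {comp}"), hcrc_ok, dcrc_ok)


def recompute_crcs(blob: bytes) -> bytes:
    """Rewrite ih_dcrc and ih_hcrc so a modified image passes the check again."""
    hdr = bytearray(blob[:IH_LEN])
    size = struct.unpack(">I", hdr[12:16])[0]
    struct.pack_into(">I", hdr, 24, crc32(blob[IH_LEN:IH_LEN + size]))   # ih_dcrc
    struct.pack_into(">I", hdr, 4, 0)                                     # zero ih_hcrc
    struct.pack_into(">I", hdr, 4, crc32(hdr))                            # ih_hcrc
    return bytes(hdr) + blob[IH_LEN:]


def make_uimage(name: str, payload: bytes, load: int, entry: int,
                os_: int = 5, arch: int = 22, typ: int = 2, comp: int = 3) -> bytes:
    """Constructed sample image: Linux (os 5), AArch64, kernel, lzma, like the log."""
    hdr = struct.pack(IH_FMT, IH_MAGIC, 0, 0, len(payload), load, entry, 0,
                      os_, arch, typ, comp, name.encode())
    return recompute_crcs(hdr + payload)


if __name__ == "__main__":
    img = make_uimage("Linux-4.4.60", b"\x1f\x8b" + b"\0" * 1000, 0x41080000, 0x41080000)
    print(parse_uimage(img))
    bad = bytearray(img)
    bad[IH_LEN + 10] ^= 0xff                      # flip one payload byte
    print("tampered dcrc ok:", parse_uimage(bytes(bad)).dcrc_ok)
    print("re-crc'd dcrc ok:", parse_uimage(recompute_crcs(bytes(bad))).dcrc_ok)
```

The interesting part of the log is therefore not "Verifying Checksum ... OK" but what happens between "signed kernel FW package" and the bootm, which this parser says nothing about.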
By any chance, were you able to get any sort of firmware dump from the router? All I really need is either the rootfs or an OTA.
I can give you the rootfs that I dumped from initramfs; I was not able to capture the OTA image.
No idea if it matches the exported config file though, it was a while ago.
Here are all of the partitions dumped:
https://drive.google.com/drive/folders/1-Juhxm29UgfRqwX9doycXJK-L3gk01HK?usp=sharing
Were you able to extract any files? I'm trying with binwalk -e, but the two rootfs files are basically empty.
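A dumped "rootfs"/"fs" partition on this kind of device is a raw UBI image, and binwalk -e stops at the UBI erase-block headers, so the SquashFS that lives inside a UBI volume comes out empty. The script below is an added example, not code from the original posts, OpenWrt or mtd-utils, of the reassembly that ubireader_extract_images does: walk the EC and VID headers, keep the newest copy of each logical erase block, read the volume table from the layout volume, concatenate each volume in LEB order and check for the SquashFS magic. Bad-block and wear-levelling bookkeeping is left out. It runs on an image constructed inline with make_ubi_image(); the PEB size and header offsets there are chosen small for the example and do not match the router's 128 KiB PEBs and 2048-byte VID offset, which guess_peb_size() (a heuristic) would detect on a real dump. The dump must be without OOB data.

```python
"""Reassemble the volumes inside a raw UBI image and look for SquashFS.

Added example, not code from the original posts, OpenWrt or mtd-utils.
"""
import struct
import zlib
from collections import defaultdict
from typing import Dict, List, Tuple

EC_MAGIC, VID_MAGIC = b"UBI#", b"UBI!"
EC_FMT = ">4sB3sQIII32sI"                 # erase-counter header, 64 bytes
VID_FMT = ">4sBBBB" + "I" * 8 + "Q12sI"    # volume-identifier header, 64 bytes
VTBL_FMT = ">IIIBBH128sB23sI"              # volume-table record, 172 bytes
VTBL_REC_LEN = struct.calcsize(VTBL_FMT)
LAYOUT_VOL_ID = 0x7fffefff                 # internal volume holding the volume table
VOL_DYNAMIC, VOL_STATIC = 1, 2


def ubi_crc(b: bytes) -> int:
    return (~zlib.crc32(b)) & 0xffffffff   # UBI CRC32: init 0xffffffff, no final xor


def guess_peb_size(image: bytes) -> int:
    """Heuristic: first power-of-two offset at which another EC header starts."""
    for c in (1 << n for n in range(9, 22)):
        if image[c:c + 4] == EC_MAGIC:
            return c
    raise ValueError("no second EC header found")


def extract_volumes(image: bytes, peb_size: int) -> Dict[str, bytes]:
    lebs: Dict[int, Dict[int, Tuple[int, bytes]]] = defaultdict(dict)
    for off in range(0, len(image) - peb_size + 1, peb_size):
        peb = image[off:off + peb_size]
        if peb[:4] != EC_MAGIC:
            continue                                    # erased or non-UBI block
        (_, _, _, _ec, vid_off, data_off, _, _, crc) = struct.unpack(EC_FMT, peb[:64])
        if ubi_crc(peb[:60]) != crc:
            continue                                    # corrupt header: skip PEB
        vid = peb[vid_off:vid_off + 64]
        if vid[:4] != VID_MAGIC:
            continue                                    # free PEB, no LEB mapped
        (_, _, vtype, _, _, vol_id, lnum, _, dsize, _, _, _, _, sqnum, _, vcrc) = \
            struct.unpack(VID_FMT, vid)
        if ubi_crc(vid[:60]) != vcrc:
            continue
        data = peb[data_off:]
        if vtype == VOL_STATIC:
            data = data[:dsize]                          # static volumes record exact length
        prev = lebs[vol_id].get(lnum)
        if prev is None or sqnum > prev[0]:              # newest copy of a LEB wins
            lebs[vol_id][lnum] = (sqnum, data)
    names: Dict[int, str] = {}
    tbl = lebs.get(LAYOUT_VOL_ID, {}).get(0, (0, b""))[1]
    for i in range(len(tbl) // VTBL_REC_LEN):
        rec = tbl[i * VTBL_REC_LEN:(i + 1) * VTBL_REC_LEN]
        reserved, _, _, _, _, nlen, name, _, _, rcrc = struct.unpack(VTBL_FMT, rec)
        if reserved and ubi_crc(rec[:VTBL_REC_LEN - 4]) == rcrc:
            names[i] = name[:nlen].decode("ascii", "replace")
    return {names.get(v, f"vol{v}"): b"".join(m[l][1] for l in sorted(m))
            for v, m in lebs.items() if v != LAYOUT_VOL_ID}


def squashfs_volumes(vols: Dict[str, bytes]) -> List[str]:
    return [n for n, d in vols.items() if d[:4] == b"hsqs"]   # little-endian SquashFS magic


def make_ubi_image(volumes: List[Tuple[str, int, bytes]], peb_size: int = 4096,
                   vid_off: int = 64, data_off: int = 128) -> bytes:
    """Constructed sample image; volumes is a list of (name, vol_type, data)."""
    leb = peb_size - data_off
    seq = 0

    def peb(vol_id, lnum, vtype, data):
        nonlocal seq
        seq += 1
        ec = struct.pack(EC_FMT[:-1], EC_MAGIC, 1, b"\0" * 3, 0, vid_off, data_off, 0, b"\0" * 32)
        vid = struct.pack(VID_FMT[:-1], VID_MAGIC, 1, vtype, 0, 0, vol_id, lnum, 0,
                          len(data), 0, 0, 0, 0, seq, b"\0" * 12)
        blk = bytearray(b"\xff" * peb_size)
        blk[0:64] = ec + struct.pack(">I", ubi_crc(ec))
        blk[vid_off:vid_off + 64] = vid + struct.pack(">I", ubi_crc(vid))
        blk[data_off:data_off + len(data)] = data
        return bytes(blk)

    tbl = b""
    for i in range(min(128, leb // VTBL_REC_LEN)):
        name, vtype, data = volumes[i] if i < len(volumes) else ("", 0, b"")
        nb = name.encode()
        rec = struct.pack(VTBL_FMT[:-1], -(-len(data) // leb), 1, 0, vtype, 0,
                          len(nb), nb, 0, b"\0" * 23)
        tbl += rec + struct.pack(">I", ubi_crc(rec))
    pebs = [peb(LAYOUT_VOL_ID, 0, VOL_DYNAMIC, tbl), peb(LAYOUT_VOL_ID, 1, VOL_DYNAMIC, tbl)]
    for vol_id, (_, vtype, data) in enumerate(volumes):
        for lnum in range(-(-len(data) // leb)):
            pebs.append(peb(vol_id, lnum, vtype, data[lnum * leb:(lnum + 1) * leb]))
    return b"".join(pebs)


if __name__ == "__main__":
    img = make_ubi_image([("kernel", VOL_DYNAMIC, b"\x27\x05\x19\x56" + b"K" * 3000),
                          ("ubi_rootfs", VOL_STATIC, b"hsqs" + bytes(range(256)) * 40)])
    vols = extract_volumes(img, guess_peb_size(img))
    for n, d in vols.items():
        print(f"{n}: {len(d)} bytes, squashfs={n in squashfs_volumes(vols)}")
```

Once the volume is reassembled, unsquashfs works on it directly; a dynamic volume will carry 0xff padding after its last LEB's real data, which unsquashfs ignores.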