EDUP EP-RT2960 AX1800 - Strange OpenWRT router

Hi,
I have bought this router, the EDUP EP=RT2960 that could come pre-installed with OpenWRT. I have received it, and the strange thing that I found is that an customized openwrt version.
I asked the support wha version I could download directly from OpenWRT repositori, but it replys the e-mail with another customized version.
As always, I´m very skeptical about this "customized" versions, because it could have something nasty inside it.
I´d like some help if anyone here could show me the real version of it:
Original from edup: From EDUP site

Aliexpress Seller: Aliexpress

size of ram, flash wifi chipset?

You can't.
This device is not supported in OpenWrt.
You are stuck with their fork.

If you want to use official OpenWrt, it's better to check the Table of Hardware for supported devices before buying.

It is already wonderful they provide current release albeit with hidden customizations. dont be so pessimistic. If they go up in sales somebody will connect serial or jtag and try discovering their hidden work.

ssh to the system
get

dmesg
lspci
cat /proc/mtd
free
chipset MT7621+MT7905+MT7975
FLASH NAND 128MB / 256MB DDR3

looks similar to https://openwrt.org/toh/asus/rt-ax53u but no visible USB port

1 Like

I expect visible kernel+squash in mtd and some supported wifi device from lspci

1 Like

root@AP-Sala:~# lspci
00:00.0 PCI bridge: Device 0e8d:0801 (rev 01)
00:01.0 PCI bridge: Device 0e8d:0801 (rev 01)
01:00.0 Unclassified device [0002]: MEDIATEK Corp. MT7905D/MT7975
02:00.0 Unclassified device [0002]: MEDIATEK Corp. MT7915E 802.11ax PCI Express Wireless Network Adapter

How do I get the "kernel+squash"?

Here is the firmware they sent to me:

1 Like

Cool stuff.

Looks like your device is just a renamed
https://openwrt.org/toh/hwdata/sim/sim_simax1800t
or https://openwrt.org/toh/hwdata/haier/haier_har-20s2u1

Can you confirm the flash layout?

1 Like

cat /proc/mtd
thanks (like partition table of flash memory)

binwalking

i vouch for OEM firmware being 23.05.3 with some packages bumped to main, like mwan3 and fw4, and no strange executables lurking around.

I'm not saying you're wrong here -- I don't have any specific information to suggest that this is not a 'clean' 3rd party firmware -- but how can you vouch for it if you haven't seen the source code from which is is built?

2 Likes

Ok, mwan3 ping host is alibaba :slight_smile:

2 Likes

You may find it funny, but I am serious. Using the word 'vouch' means that you can affirm something that I'm not sure you are qualified to do (or if you are qualified, it doesn't seem likely you've spent the time to be able to promise this).

Typically, this would mean some sort of authoritative knowledge of OpenWrt and a full review of the source code in the 3rd party firmware to ensure that it doesn't contain any modified code (or even just config defaults) that could create a that a vulnerability or other unexpected/unknown behavior or code (relative to OpenWrt). Unless you have performed this complete review, you should not be 'vouching' that code from another source is effectively identical to OpenWrt and clean from any questionable code.

Again, I'm not saying you're incorrect, nor am I implying that this firmware is indeed malicious. But until and unless the code is reviewed by experts, you cannot and should not make statements vouching for the security of any 3rd party code.
(exceptions usually made for stuff that is submitted/built by recognized and trustworthy developers.)

@pabloalcantara can you get the mtd layout here? Firmware update you posted mentions simax1800t as target, if layout is identical you are 99% safe to flash as if it was simax1800t without having to worry about serial cables.

root@AP-Sala:~# cat /proc/mtd
dev: size erasesize name
mtd0: 00080000 00020000 "u-boot"
mtd1: 00080000 00020000 "u-boot-env"
mtd2: 00080000 00020000 "factory"
mtd3: 07a80000 00020000 "firmware"
mtd4: 00400000 00020000 "kernel"
mtd5: 07680000 00020000 "ubi"

1 Like

https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=target/linux/ramips/dts/mt7621_haier-sim_wr1800k.dtsi;h=32d42fe813a3627be933338ed0abef0bf66e435b;hb=f7f9203854c7173a91655683aa7ad2a0af43f518#l85

@dnd wdyt

You´re thinking it´s the same?

Yes, I think it is the same. But it is dnd-s hypothesis, maybe he has more stringent checks in mind.

1 Like