ELECOM wtc-x1800gc-w

TL;dr It's a wall wart 802.11AX router, with a MT7621. WTC-X1800GC-W OpenWRT build should make an appearance soon.

I am in Japan for work and happened upon one of these things for ~$20USD in a thrift shop. Needing something to tinker with and on the lookout for a replacement to my current travel router I picked it up.

Haven't connected anything to it yet but firmware files from ELECOM's website we're easy enough to find and a binwalk later reveals a normal enough firmware file with a SquashFS root containing 1x /etc/openwrt_release with the contents:

DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="1.05"
DISTRIB_REVISION="d94aaf01"
DISTRIB_CODENAME=""
DISTRIB_TARGET="ramips/generic"
DISTRIB_DESCRIPTION="ELECOM WTC-X1800GC 1.05"
DISTRIB_TAINTS="no-all busybox"
DISTRIB_MANUFACTURER="ELECOM"
DISTRIB_PRODUCT="WTC-X1800GC"
DISTRIB_HWREV="A0AA"
DISTRIB_MACQTY="4"
DISTRIB_YEAR="2021"
DISTRIB_LINK="https://www.elecom.co.jp/m/85"

They've also kindly left a openwrt.config and kernel.config revealing it to be a MT7621.

That's all for now, just a quick blurb on my find, should be back with a build in the near future.

If you ssh to the device:

ubus call system board
free
lspci
cat /proc/mtd
dmesg

I've since connected to it, nothing has jumped out at me as a obvious route to shell. My first move was going to be to copy the openwrt.config and attempt to build a suitable image and see if it'll just flash.

Not expecting that to work, but would be nice if it did. If you have any suggestions for tricking this thing to hand me a shell I'd love to hear them

It is branched off OpenWRT. The basic sanity check would be to compare flash partitioning to existing supported devices.

I did find my way to a shell, turns out it has the familiar config backup option exposed in the web interface, but would encrypt the file on the way out, but the encryption key was readily pulled from the SquashFS image in the firmware. (It was WRT-X1800GC)

The now since removed OpenWRT cocktail recipes reveals that this was forked from 14.07 Barrier Breaker.

It would seem that this thing has 256 MB RAM and 128 MB Flash chip, significantly more then I was expecting or what would be expected of a Wi-Fi Repeater class object.

I have a dts ready to go built from the one I extracted from the firmware, as soon as I've wrestled the OpenWRT build system into submission I'll give it a go.

Also worth mentioning, pciutils is not included in the firmware.

root@WTC-X1800GC:~# cat /etc/banner 
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 WTC-X1800GC (1.05)
 -----------------------------------------------------
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 -----------------------------------------------------

root@WTC-X1800GC:~# ubus call system board
{
        "kernel": "4.4.198",
        "hostname": "WTC-X1800GC",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "WTC-X1800GC",
        "release": {
                "distribution": "OpenWrt",
                "version": "1.05",
                "revision": "d94aaf01",
                "codename": "",
                "target": "ramips\/generic",
                "description": "ELECOM WTC-X1800GC 1.05"
        }
}

root@WTC-X1800GC:~# free
             total         used         free       shared      buffers
Mem:        246672        79344       167328         1848         3332
-/+ buffers:              76012       170660
Swap:            0            0            0

root@WTC-X1800GC:~# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 07f80000 00020000 "All"
mtd1: 00100000 00020000 "Bootloader"
mtd2: 00100000 00020000 "Ubootenv"
mtd3: 001c0000 00020000 "Factory"
mtd4: 03240000 00020000 "firmware_now"
mtd5: 00380000 00020000 "kernel"
mtd6: 02e80000 00020000 "rootfs"
mtd7: 00100000 00020000 "Config"
mtd8: 03240000 00020000 "firmware"
mtd9: 00100000 00020000 "Config_2"
mtd10: 00100000 00020000 "persist"
mtd11: 00100000 00020000 "mesh"
mtd12: 01340000 00020000 "Backup"
mtd13: 03240000 00020000 "RAS1"
mtd14: 03240000 00020000 "RAS2"

dmesg

For backup:

sysupgrade -b /tmp/giveittome.tar.gz

I've run into a hiccup in generating a firmware image for the device. The factory image starts with the "elecom-product-header" followed by a u-boot image header and then offset 0x40000 bytes from the beginning of the file is a Flattened Image Tree with the actual kernel. An examination of the MTD partitions shows that this is the same layout used on flash.

As near as I can tell the factory firmware expects elecom and uImage header, however u-boot only cares about the FIT and is expecting to find it at that specific address.

Any hints on what the specific recipe is to get the buildsystem to produce an appropriate image is? Thus far I have something like this which is accepted by factory sysupgrade but does not boot.

IMAGE/factory.bin := $$(KERNEL/lzma-loader) | \
    fit lzma $$(KDIR)/image-$$(firstword $$(DEVICE_DTS)).dtb | \
    uImage none -M 0x434f4d43 -n '4.04(XZA.0)b13' | \
    elecom-product-header $$(DEVICE_MODEL)

OEM firmware:

$ binwalk wtc-x1800gc_v1.05.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
262144        0x40000         Flattened device tree, size: 3543168 bytes, version: 17
262372        0x400E4         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 13246848 bytes
3793104       0x39E0D0        Flattened device tree, size: 11398 bytes, version: 17
3932160       0x3C0000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4697518 bytes, 1717 inodes, blocksize: 262144 bytes, created: 2021-07-16 11:55:33

$ hexdump -C -n 0x40100 wtc-x1800gc_v1.05.bin
00000000  45 4c 45 43 4f 4d 00 00  57 54 43 2d 58 31 38 30  |ELECOM..WTC-X180|
00000010  30 47 43 00 00 00 00 00  00 00 00 00 00 00 00 00  |0GC.............|
00000020  00 00 00 00 00 00 00 00  31 2e 30 35 00 00 00 00  |........1.05....|
00000030  00 00 00 00 00 00 00 00  43 4f 4d 43 04 00 80 00  |........COMC....|
00000040  a5 92 a6 10 87 cf 8d 3f  17 46 63 1f 34 2e 30 34  |.......?.Fc.4.04|
00000050  28 58 5a 41 2e 30 29 62  31 33 00 00 00 00 00 00  |(XZA.0)b13......|
00000060  00 00 00 00 00 00 00 00  ff ff ff ff ff ff ff ff  |................|
00000070  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00040000  d0 0d fe ed 00 36 10 80  00 00 00 38 00 36 0e a0  |.....6.....8.6..|
00040010  00 00 00 28 00 00 00 11  00 00 00 10 00 00 00 00  |...(............|
00040020  00 00 00 6c 00 36 0e 68  00 00 00 00 00 00 00 00  |...l.6.h........|
00040030  00 00 00 00 00 00 00 00  00 00 00 01 00 00 00 00  |................|
00040040  00 00 00 03 00 00 00 04  00 00 00 62 60 f1 73 bc  |...........b`.s.|
00040050  00 00 00 03 00 00 00 28  00 00 00 00 4d 49 50 53  |.......(....MIPS|
00040060  20 4f 70 65 6e 57 72 74  20 46 49 54 20 28 46 6c  | OpenWrt FIT (Fl|
00040070  61 74 74 65 6e 65 64 20  49 6d 61 67 65 20 54 72  |attened Image Tr|
00040080  65 65 29 00 00 00 00 03  00 00 00 04 00 00 00 0c  |ee).............|
00040090  00 00 00 01 00 00 00 01  69 6d 61 67 65 73 00 00  |........images..|
000400a0  00 00 00 01 6b 65 72 6e  65 6c 40 31 00 00 00 00  |....kernel@1....|
000400b0  00 00 00 03 00 00 00 1b  00 00 00 00 4d 49 50 53  |............MIPS|
000400c0  20 4f 70 65 6e 57 72 74  20 4c 69 6e 75 78 2d 34  | OpenWrt Linux-4|
000400d0  2e 34 2e 31 39 38 00 00  00 00 00 03 00 35 de a6  |.4.198.......5..|
000400e0  00 00 00 1b 6d 00 00 80  00 80 21 ca 00 00 00 00  |....m.....!.....|
000400f0  00 00 00 6f fd ff ff a3  b7 7f ca 77 9a 1d cd 71  |...o.......w...q|

Little update while I'm in the neighborhood, got around to connecting to the serial header. (Prepopulated pin header, thanks Ele-Com!) and got the U-Boot log.

===================================================================
     		MT7621   stage1 code Dec 16 2019 17:45:55 (ASIC)
     		CPU=500000000 HZ BUS=166666666 HZ
==================================================================
Change MPLL source from XTAL to CR...
do MEMPLL setting..
MEMPLL Config : 0x11000000
3PLL mode + External loopback
=== XTAL-40Mhz === DDR-1200Mhz ===
PLL3 FB_DL: 0x12, 1/0 = 532/492 49000000
PLL4 FB_DL: 0x12, 1/0 = 539/485 49000000
PLL2 FB_DL: 0x14, 1/0 = 621/403 51000000
DDR patch working
do DDR setting..[01F40000]
Apply DDR3 Setting...(use default AC)
          0    8   16   24   32   40   48   56   64   72   80   88   96  104  112  120
      --------------------------------------------------------------------------------
0000:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0001:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0002:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0003:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0004:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0005:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0006:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0007:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0008:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0009:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000E:|    0    0    0    0    0    0    0    0    0    0    0    1    1    1    1    1
000F:|    0    0    0    0    0    0    1    1    1    1    1    1    1    1    1    0
0010:|    1    1    1    1    1    1    1    1    1    1    0    0    0    0    0    0
0011:|    1    1    1    1    1    0    0    0    0    0    0    0    0    0    0    0
0012:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0013:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0014:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0015:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0016:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0017:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0018:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0019:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001E:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001F:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
DRAMC_DQSCTL1[0e0]=14000000
DRAMC_DQSGCTL[124]=80000000
rank 0 coarse = 16
rank 0 fine = 40
B:|    0    0    0    0    0    0    0    0    0    0    1    1    1    0    0    0
opt_dle value:11
DRAMC_DDR2CTL[07c]=C287223D
DRAMC_PADCTL4[0e4]=000022B3
DRAMC_DQIDLY1[210]=0C0B0C0B
DRAMC_DQIDLY2[214]=080A0A0A
DRAMC_DQIDLY3[218]=0B0A0909
DRAMC_DQIDLY4[21c]=0B0A0D0A
DRAMC_R0DELDLY[018]=00002021
==================================================================
		RX	DQS perbit delay software calibration 
==================================================================
1.0-15 bit dq delay value
==================================================================
bit|     0  1  2  3  4  5  6  7  8  9
--------------------------------------
0 |    9 9 8 12 8 9 9 7 8 7 
10 |    9 9 10 11 9 11 
--------------------------------------

==================================================================
2.dqs window
x=pass dqs delay value (min~max)center 
y=0-7bit DQ of every group
input delay:DQS0 =33 DQS1 = 32
==================================================================
bit	DQS0	bit      DQS1
0  (1~62)31  8  (1~62)31
1  (1~60)30  9  (1~60)30
2  (0~60)30  10  (1~62)31
3  (1~65)33  11  (0~60)30
4  (1~62)31  12  (1~64)32
5  (1~63)32  13  (1~60)30
6  (1~63)32  14  (0~62)31
7  (1~64)32  15  (2~62)32
==================================================================
3.dq delay value last
==================================================================
bit|    0  1  2  3  4  5  6  7  8   9
--------------------------------------
0 |    11 12 11 12 10 10 10 8 9 9 
10 |    10 11 10 13 10 11 
==================================================================
==================================================================
     TX  perbyte calibration 
==================================================================
DQS loop = 15, cmp_err_1 = ffff0000 
dqs_perbyte_dly.last_dqsdly_pass[0]=15,  finish count=1 
dqs_perbyte_dly.last_dqsdly_pass[1]=15,  finish count=2 
DQ loop=15, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqdly_pass[0]=15,  finish count=1 
dqs_perbyte_dly.last_dqdly_pass[1]=15,  finish count=2 
byte:0, (DQS,DQ)=(8,8)
byte:1, (DQS,DQ)=(8,8)
DRAMC_DQODLY1[200]=88888888
DRAMC_DQODLY2[204]=88888888
20,data:88
[EMI] DRAMC calibration passed

===================================================================
     		MT7621   stage1 code done 
     		CPU=500000000 HZ BUS=166666666 HZ
===================================================================

U-Boot 1.41.05 (Feb 24 2021 - 15:08:53)
Trying to boot from NAND


U-Boot 1.41.05 (Feb 24 2021 - 15:08:53)

CPU:   MediaTek MT7621AT ver 1, eco 3
Clocks: CPU: 880MHz, DDR: 1200MHz, Bus: 220MHz, XTAL: 40MHz
Model: MediaTek MT7621 reference board (NAND)
DRAM:  256 MiB
NAND:  128 MiB
Loading Environment from NAND... OK
In:    uartlite0@1e000c00
Out:   uartlite0@1e000c00
Err:   uartlite0@1e000c00
Net:   eth0: eth@1e100000
gpio: pin 4 (gpio 4) value is 1
bootnum =1 
bootnum =1 
Checking FW1 combo magic and checksum ...  OK.

Loading from nand0, offset 0x400000
Fit image detected...
   FIT description: MIPS OpenWrt FIT (Flattened Image Tree)
    Image 0 (kernel@1)
     Description:  MIPS OpenWrt Linux-4.4.198
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x820000e4
     Data Size:    3530406 Bytes = 3.4 MiB
     Architecture: MIPS
     OS:           Linux
     Load Address: 0x81001000
     Entry Point:  0x81001000
     Hash algo:    crc32
     Hash value:   e969d94a
     Hash algo:    sha1
     Hash value:   bf98537636a49a6a46b05fad487e78b6365ad4f9
    Image 1 (fdt@1)
     Description:  MIPS OpenWrt mt7621-rfb-ax-nand device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x8235e0d0
     Data Size:    11398 Bytes = 11.1 KiB
     Architecture: MIPS
     Hash algo:    crc32
     Hash value:   702df1a9
     Hash algo:    sha1
     Hash value:   c8e639bde65fdc56b8e8e428eccff295d66da612
    Default Configuration: 'config@1'
    Configuration 0 (config@1)
     Description:  OpenWrt
     Kernel:       kernel@1
     FDT:          fdt@1
Automatic boot of image at addr 0x82000000 ...
## Loading kernel from FIT Image at 82000000 ...
   Using 'config@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  MIPS OpenWrt Linux-4.4.198
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x820000e4
     Data Size:    3530406 Bytes = 3.4 MiB
     Architecture: MIPS
     OS:           Linux
     Load Address: 0x81001000
     Entry Point:  0x81001000
     Hash algo:    crc32
     Hash value:   e969d94a
     Hash algo:    sha1
     Hash value:   bf98537636a49a6a46b05fad487e78b6365ad4f9
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 82000000 ...
   Using 'config@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  MIPS OpenWrt mt7621-rfb-ax-nand device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x8235e0d0
     Data Size:    11398 Bytes = 11.1 KiB
     Architecture: MIPS
     Hash algo:    crc32
     Hash value:   702df1a9
     Hash algo:    sha1
     Hash value:   c8e639bde65fdc56b8e8e428eccff295d66da612
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x8235e0d0
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 8fe77000, end 8fe7cc85 ... OK
[    0.000000] Linux version 4.4.198 (cmtien@stbbuilder-lxc-vm) (gcc version 5.4.0 (OpenWrt GCC 5.4.0 d94aaf01) ) #1 SMP Fri Jul 16 19:55:18 CST 2021
[    0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
[    0.000000] MIPS: machine is MediaTek MT7621 RFB (802.11ax,NAND)
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 10000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x0000000000000000-0x0000000000ffffff]
[    0.000000]   Normal   [mem 0x0000000001000000-0x000000000fffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x000000000fffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x000000000fffffff]