ELECOM wtc-x1800gc-w

TL;dr It's a wall wart 802.11AX router, with a MT7621. WTC-X1800GC-W OpenWRT build should make an appearance soon.

I am in Japan for work and happened upon one of these things for ~$20USD in a thrift shop. Needing something to tinker with and on the lookout for a replacement to my current travel router I picked it up.

Haven't connected anything to it yet but firmware files from ELECOM's website we're easy enough to find and a binwalk later reveals a normal enough firmware file with a SquashFS root containing 1x /etc/openwrt_release with the contents:

DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="1.05"
DISTRIB_REVISION="d94aaf01"
DISTRIB_CODENAME=""
DISTRIB_TARGET="ramips/generic"
DISTRIB_DESCRIPTION="ELECOM WTC-X1800GC 1.05"
DISTRIB_TAINTS="no-all busybox"
DISTRIB_MANUFACTURER="ELECOM"
DISTRIB_PRODUCT="WTC-X1800GC"
DISTRIB_HWREV="A0AA"
DISTRIB_MACQTY="4"
DISTRIB_YEAR="2021"
DISTRIB_LINK="https://www.elecom.co.jp/m/85"

They've also kindly left a openwrt.config and kernel.config revealing it to be a MT7621.

That's all for now, just a quick blurb on my find, should be back with a build in the near future.

If you ssh to the device:

ubus call system board
free
lspci
cat /proc/mtd
dmesg

I've since connected to it, nothing has jumped out at me as a obvious route to shell. My first move was going to be to copy the openwrt.config and attempt to build a suitable image and see if it'll just flash.

Not expecting that to work, but would be nice if it did. If you have any suggestions for tricking this thing to hand me a shell I'd love to hear them

It is branched off OpenWRT. The basic sanity check would be to compare flash partitioning to existing supported devices.

I did find my way to a shell, turns out it has the familiar config backup option exposed in the web interface, but would encrypt the file on the way out, but the encryption key was readily pulled from the SquashFS image in the firmware. (It was WRT-X1800GC)

The now since removed OpenWRT cocktail recipes reveals that this was forked from 14.07 Barrier Breaker.

It would seem that this thing has 256 MB RAM and 128 MB Flash chip, significantly more then I was expecting or what would be expected of a Wi-Fi Repeater class object.

I have a dts ready to go built from the one I extracted from the firmware, as soon as I've wrestled the OpenWRT build system into submission I'll give it a go.

Also worth mentioning, pciutils is not included in the firmware.

root@WTC-X1800GC:~# cat /etc/banner 
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 WTC-X1800GC (1.05)
 -----------------------------------------------------
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 -----------------------------------------------------

root@WTC-X1800GC:~# ubus call system board
{
        "kernel": "4.4.198",
        "hostname": "WTC-X1800GC",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "WTC-X1800GC",
        "release": {
                "distribution": "OpenWrt",
                "version": "1.05",
                "revision": "d94aaf01",
                "codename": "",
                "target": "ramips\/generic",
                "description": "ELECOM WTC-X1800GC 1.05"
        }
}

root@WTC-X1800GC:~# free
             total         used         free       shared      buffers
Mem:        246672        79344       167328         1848         3332
-/+ buffers:              76012       170660
Swap:            0            0            0

root@WTC-X1800GC:~# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 07f80000 00020000 "All"
mtd1: 00100000 00020000 "Bootloader"
mtd2: 00100000 00020000 "Ubootenv"
mtd3: 001c0000 00020000 "Factory"
mtd4: 03240000 00020000 "firmware_now"
mtd5: 00380000 00020000 "kernel"
mtd6: 02e80000 00020000 "rootfs"
mtd7: 00100000 00020000 "Config"
mtd8: 03240000 00020000 "firmware"
mtd9: 00100000 00020000 "Config_2"
mtd10: 00100000 00020000 "persist"
mtd11: 00100000 00020000 "mesh"
mtd12: 01340000 00020000 "Backup"
mtd13: 03240000 00020000 "RAS1"
mtd14: 03240000 00020000 "RAS2"

dmesg

For backup:

sysupgrade -b /tmp/giveittome.tar.gz

I've run into a hiccup in generating a firmware image for the device. The factory image starts with the "elecom-product-header" followed by a u-boot image header and then offset 0x40000 bytes from the beginning of the file is a Flattened Image Tree with the actual kernel. An examination of the MTD partitions shows that this is the same layout used on flash.

As near as I can tell the factory firmware expects elecom and uImage header, however u-boot only cares about the FIT and is expecting to find it at that specific address.

Any hints on what the specific recipe is to get the buildsystem to produce an appropriate image is? Thus far I have something like this which is accepted by factory sysupgrade but does not boot.

IMAGE/factory.bin := $$(KERNEL/lzma-loader) | \
    fit lzma $$(KDIR)/image-$$(firstword $$(DEVICE_DTS)).dtb | \
    uImage none -M 0x434f4d43 -n '4.04(XZA.0)b13' | \
    elecom-product-header $$(DEVICE_MODEL)

OEM firmware:

$ binwalk wtc-x1800gc_v1.05.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
262144        0x40000         Flattened device tree, size: 3543168 bytes, version: 17
262372        0x400E4         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 13246848 bytes
3793104       0x39E0D0        Flattened device tree, size: 11398 bytes, version: 17
3932160       0x3C0000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4697518 bytes, 1717 inodes, blocksize: 262144 bytes, created: 2021-07-16 11:55:33

$ hexdump -C -n 0x40100 wtc-x1800gc_v1.05.bin
00000000  45 4c 45 43 4f 4d 00 00  57 54 43 2d 58 31 38 30  |ELECOM..WTC-X180|
00000010  30 47 43 00 00 00 00 00  00 00 00 00 00 00 00 00  |0GC.............|
00000020  00 00 00 00 00 00 00 00  31 2e 30 35 00 00 00 00  |........1.05....|
00000030  00 00 00 00 00 00 00 00  43 4f 4d 43 04 00 80 00  |........COMC....|
00000040  a5 92 a6 10 87 cf 8d 3f  17 46 63 1f 34 2e 30 34  |.......?.Fc.4.04|
00000050  28 58 5a 41 2e 30 29 62  31 33 00 00 00 00 00 00  |(XZA.0)b13......|
00000060  00 00 00 00 00 00 00 00  ff ff ff ff ff ff ff ff  |................|
00000070  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00040000  d0 0d fe ed 00 36 10 80  00 00 00 38 00 36 0e a0  |.....6.....8.6..|
00040010  00 00 00 28 00 00 00 11  00 00 00 10 00 00 00 00  |...(............|
00040020  00 00 00 6c 00 36 0e 68  00 00 00 00 00 00 00 00  |...l.6.h........|
00040030  00 00 00 00 00 00 00 00  00 00 00 01 00 00 00 00  |................|
00040040  00 00 00 03 00 00 00 04  00 00 00 62 60 f1 73 bc  |...........b`.s.|
00040050  00 00 00 03 00 00 00 28  00 00 00 00 4d 49 50 53  |.......(....MIPS|
00040060  20 4f 70 65 6e 57 72 74  20 46 49 54 20 28 46 6c  | OpenWrt FIT (Fl|
00040070  61 74 74 65 6e 65 64 20  49 6d 61 67 65 20 54 72  |attened Image Tr|
00040080  65 65 29 00 00 00 00 03  00 00 00 04 00 00 00 0c  |ee).............|
00040090  00 00 00 01 00 00 00 01  69 6d 61 67 65 73 00 00  |........images..|
000400a0  00 00 00 01 6b 65 72 6e  65 6c 40 31 00 00 00 00  |....kernel@1....|
000400b0  00 00 00 03 00 00 00 1b  00 00 00 00 4d 49 50 53  |............MIPS|
000400c0  20 4f 70 65 6e 57 72 74  20 4c 69 6e 75 78 2d 34  | OpenWrt Linux-4|
000400d0  2e 34 2e 31 39 38 00 00  00 00 00 03 00 35 de a6  |.4.198.......5..|
000400e0  00 00 00 1b 6d 00 00 80  00 80 21 ca 00 00 00 00  |....m.....!.....|
000400f0  00 00 00 6f fd ff ff a3  b7 7f ca 77 9a 1d cd 71  |...o.......w...q|