I have a Flying Voice VOIP router (based on OpenWRT ans Asterisk). I bought it from my old VOIP provider. Even though it's mine, they won't give me the router admin login info. I can't access the voice menus from a telephone using **** either. I understand that they locked it down to keep customers from messing up the settings but now that I've cancelled my VOIP service with them, I want to set it up to manage it myself.
I tried to reset the firmware to factory but the reset button just reboots the device. Factory reset is blocked in the firmware. (#6 on page 54 of manual) So, is there is a way to force a factory reset by jumping something on the mainboard or install firmware from USB? I would settle for the factory firmware but can't find it anywhere online. Would this router be compatible with LEDE?
Any help would be appreciated.
The Router mainboard has G902_V1_3 and APX9102_V1_3 marked on it.
This is the spec info on the router: http://www.clickbnb.com/flying-voice-apx9102-wireless-mini-ip-pbx/
Given that it states that it is running OpenWRT, it contains GPL-licensed code. You should be able to get something in the way of source and build chain from them as they're obligated to do so by the terms of the GPL. That would be a good place to start...
The second thing to do...is see if you can find 4 pins or a solder pad of 4 pins...I surmise it's the pins located above the capacitors in the lower-right corner....you'll then need to order yourself a 3 Volt TTL serial converter adapter. You'll need to see if there's a command prompt there...
"Dual-core MIPS1004k(880MHz)" suggests a mt7621 SOC or at least something similar (as in MediaTek, the other specs pretty much fall in line as well), this would rule out OpenWrt support (upstream, obviously vendors do fork OpenWrt for their own SDKs in combination with a maze of proprietary blobs) for xDSL and FXS functionality. So far the only SOC with opensource (and OpenWrt-) xDSL and FXS support would be lantiq (which tops out at 2*500 MHz with the xrx200 mips lineup, the newer grx3xx-grx750 SOCs are Atom based instead), chances for MediaTek FXS (or modem-) support are somewhere between very low and non-existent.
Sorry, I tried to reply right after you posted but the system suspended me for trying to post multiple pics, I think but it's all good now.
Thanks for the speedy replies, much appreciated.
Jeff, I emailed Flying Voice, mentioned what you said, a few minutes later I got the stock firmware emailed to me...lol. I had asked a number of times before and got nothing.
lleachii, thanks for reminding me that I had a TTL serial converter...somewhere...after some digging around, I found it. Next to figure out the pin out and see if I can talk to it.
SLH, I also think it's a mt7621 SOC, too bad that the router doesn't support OpenWrt but now that I have a copy of the firmware I hope to be able to get in to write it to the board. Just have to figure out how.
Closeup of pins
When unpacking Uboot it appears its for MT7621.
In FCC pictures heatsink is removed,but numbers cant be read.
I was able to read that they are using MT7602E as one radio,that is supported by mt76
I was able to figure out the pin connection on the board. My Prolific PL2303 based USB to serial adapter was detected by windows 10 but it had an error in device manager. I found a Windows 8 driver. After installing it the error was gone. I used Putty to attempt comms with the board. When I powered on the router a bunch of trash flew by, After setting the baud rate to 115,200 I started to see text of the boot process but after a few seconds Windows 10 would crash.
I booted an old PC with Windows XP on it. I loaded Putty and was able to watch the boot process but never got a console prompt.
Could I be doing something wrong?
Here is the Putty log https://www.dropbox.com/s/g8zuzeahv1gqlw4/putty.log?dl=0
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
In the worse case scenario, it seems you may be able to produce a BIN file to TFTP (meaning, you can test before flashing) and a Sysupgrade file to flash!
The specs look good too:
##### The CPU freq = 880 MHZ ####
estimate memory size =256 Mbytes
I'm in, I had the TX line on the wrong pin so keyboard wasn't getting through.
4: gives me a MT7621 # prompt
MT7621 # ?
? - alias for 'help'
bootm - boot application image from memory
cp - memory copy
defaultenv - default environment variables
erase - erase SPI FLASH memory
getimage - burn 8M-image
go - start application at address 'addr'
help - print online help
loadb - load binary file over serial line (kermit mode)
md - memory display
mdio - Ralink PHY register R/W command !!
mm - memory modify (auto-incrementing)
nm - memory modify (constant address)
printenv- print environment variables
reset - Perform RESET of the CPU
rf - read/write rf register
saveenv - save environment variables to persistent storage
setenv - set environment variables
spi - spi command
test - command using by VPT
tftpboot- boot image via network using TFTP protocol
version - print monitor version
After boot...
Enter gives me a # prompt
# help
Built-in commands:
-------------------
. : break cd chdir continue eval exec exit export false hash
help let local pwd read readonly return set shift source times
trap true type ulimit umask unset wait
Is there a way to reset to factory defaults from either console?
I have the most recent .bin firmware file from the manufacturer, how can I flash that?
I think I'm figuring this out, a little at a time...I now have a TFTP server running on the XP box.
I renamed the factory firmware file to G902.bin, not sure if that's the right thing to do or not.
Here is a link to the firmware file: G902 firmware
Upon boot I selected, 1: Load system code to SDRAM via TFTP. It then prompts for the server ip, the router ip and the filename. I expected this would load the firmware to DRAM
This is the console output, then it just seems to reboot itself back to the way it has been, not to factory defaults. I must be doing something wrong with the file:
Input server IP (192.168.100.100) ==:192.168.100.100
Input Linux Kernel filename (g902.bin) ==:g902.bin
netboot_common, argc= 3
NetTxPacket = 0x8FFE6180
KSEG1ADDR(NetTxPacket) = 0xAFFE6180
NetLoop,call eth_halt !
NetLoop,call eth_init !
Trying Eth0 (10/100-M)
Waitting for RX_DMA_BUSY status Start... done
ETH_STATE_ACTIVE!!
TFTP from server 192.168.100.100; our IP address is 192.168.100.55
Filename 'g902.bin'.
TIMEOUT_COUNT=10,Load address: 0x80a00000
Loading: *checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
checksum bad
Got ARP REPLY, set server/gtwy eth addr (00:11:11:07:c3:84)
Got it
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
####################
done
Bytes transferred = 8750716 (85867c hex)
NetBootFileXferSize= 0085867c
Automatic boot of image at addr 0x80A00000 ...
## Booting image at 80a00000
This would only boot the image you has provided with tftp. There will be no factory reset...
Looks like the firmware image does not start with a uImage header or with the kernel...
Firstly i would boot into your current running firmware and backup all partitions to restore it if you bricked your firmware...
Use cat /proc/mtd to check your current partition layout and post this info here.
Use dd if=/dev/mtdX of=/tmp/mtdX.bin to backup the partition named mtdX
Try a passwd with root to set a new password.
Check if you has or could enable ssh to transfer your backups with scp.
If you could not access your router over shh try to figure out where is your directory of the http server and create an symlink of your backups to this dir with ln -s /tmp/mtdX.bin /path/to/webdir/mtdX.bin and download your backups through the webserver.
Mediatek login: admin
Password:
BusyBox v1.12.1 (2016-08-26 17:31:27 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# help
Built-in commands:
-------------------
. : break cd chdir continue eval exec exit export false hash
help let local pwd read readonly return set shift source times
trap true type ulimit umask unset wait
Seems that is only for the console, I tried that user:pass combo in the web interface and got:
goahead[12125]: User:user Web login Fail: Password wrong. IP:xxx.xxx.xxx.xxx (removed ip)
Your goal is to have access the vendor fw? Porting OpenWRT has to be done by anyone who has this device, so would be hard to do this...
The vendor fw that you had linked did have a 96 byte header infornt of the uImage header, so this is the reason why you couldn´t boot that with bootloader option 1.
Here i have a image without this header, could you boot that with bl option 1?
Are you able to backup your partitions and transfer it now with your know password?
Please upload your backups so that we can analyze the binaries.
If that is done, we could advise your for the next steps...
Probably you could flash the bin from bootloader with option 2, but firstly you should backup everything and try to boot the image with the non permanent option 1...
Edit: Why you removed all this stuff in your posts???
I just created another account to let you know...I didn't remove anything, the system keeps putting my account on hold. I guess an admin has to review them.
This is what I was trying to post...hope it doesn't get blocked
juppin, thanks for you input and time, I really appreciate it.
I understand OpenWRT is an not an option.
After password change, still can't find a way to backup.
Yes, I want to install or factory reset the vendor firmware.
The options that I think might work are: find, reset or bypass password for web GUI so I can turn off the switch in the installed firmware that's blocking the hardware reset button from doing a factory reset or install factory firmware from USB inside the web GUI or test factory firmware via option 1, as you suggest, then flash with option2.
I tried option 1, I tried to post the full output and a link to it but the forum system flags it as spam and blocks it so I'm just posting the bit at the end...
VFS: Cannot open root device "mtdblock5" or unknown-block(31,5)
Please append a correct "root=" boot option; here are the available partitions:
1f00 16384 mtdblock0 (driver?)
1f01 192 mtdblock1 (driver?)
1f02 64 mtdblock2 (driver?)
1f03 64 mtdblock3 (driver?)
1f04 1472 mtdblock4 (driver?)
1f05 6336 mtdblock5 (driver?)
1f07 1472 mtdblock7 (driver?)
1f08 6336 mtdblock8 (driver?)
1f09 7808 mtdblock9 (driver?)
1f0a 7808 mtdblock10 (driver?)
1f0c 15616 mtdblock12 (driver?)
1f0d 128 mtdblock13 (driver?)
1f0e 128 mtdblock14 (driver?)
1f0f 128 mtdblock15 (driver?)
1f10 64 mtdblock16 (driver?)
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,5)
