Flying Voice G902 VOIP router

I have a Flying Voice VOIP router (based on OpenWRT ans Asterisk). I bought it from my old VOIP provider. Even though it's mine, they won't give me the router admin login info. I can't access the voice menus from a telephone using **** either. I understand that they locked it down to keep customers from messing up the settings but now that I've cancelled my VOIP service with them, I want to set it up to manage it myself.
I tried to reset the firmware to factory but the reset button just reboots the device. Factory reset is blocked in the firmware. (#6 on page 54 of manual) So, is there is a way to force a factory reset by jumping something on the mainboard or install firmware from USB? I would settle for the factory firmware but can't find it anywhere online. Would this router be compatible with LEDE?
Any help would be appreciated.
The Router mainboard has G902_V1_3 and APX9102_V1_3 marked on it.
This is the spec info on the router:
http://www.clickbnb.com/flying-voice-apx9102-wireless-mini-ip-pbx/

Pic::

Manual
https://www.manualslib.com/products/Flying-Voice-Apx9102-4168742.html

Given that it states that it is running OpenWRT, it contains GPL-licensed code. You should be able to get something in the way of source and build chain from them as they're obligated to do so by the terms of the GPL. That would be a good place to start...

2 Likes

The second thing to do...is see if you can find 4 pins or a solder pad of 4 pins...I surmise it's the pins located above the capacitors in the lower-right corner....you'll then need to order yourself a 3 Volt TTL serial converter adapter. You'll need to see if there's a command prompt there...

1 Like

"Dual-core MIPS1004k(880MHz)" suggests a mt7621 SOC or at least something similar (as in MediaTek, the other specs pretty much fall in line as well), this would rule out OpenWrt support (upstream, obviously vendors do fork OpenWrt for their own SDKs in combination with a maze of proprietary blobs) for xDSL and FXS functionality. So far the only SOC with opensource (and OpenWrt-) xDSL and FXS support would be lantiq (which tops out at 2*500 MHz with the xrx200 mips lineup, the newer grx3xx-grx750 SOCs are Atom based instead), chances for MediaTek FXS (or modem-) support are somewhere between very low and non-existent.

2 Likes

Sorry, I tried to reply right after you posted but the system suspended me for trying to post multiple pics, I think but it's all good now.
Thanks for the speedy replies, much appreciated.
Jeff, I emailed Flying Voice, mentioned what you said, a few minutes later I got the stock firmware emailed to me...lol. I had asked a number of times before and got nothing.
lleachii, thanks for reminding me that I had a TTL serial converter...somewhere...after some digging around, I found it. Next to figure out the pin out and see if I can talk to it.
SLH, I also think it's a mt7621 SOC, too bad that the router doesn't support OpenWrt but now that I have a copy of the firmware I hope to be able to get in to write it to the board. Just have to figure out how.
Closeup of pins

There is some sort of GPL available here:
http://www.flyingvoice.com/soft_gpl.aspx

When unpacking Uboot it appears its for MT7621.
In FCC pictures heatsink is removed,but numbers cant be read.
I was able to read that they are using MT7602E as one radio,that is supported by mt76

I was able to figure out the pin connection on the board. My Prolific PL2303 based USB to serial adapter was detected by windows 10 but it had an error in device manager. I found a Windows 8 driver. After installing it the error was gone. I used Putty to attempt comms with the board. When I powered on the router a bunch of trash flew by, After setting the baud rate to 115,200 I started to see text of the boot process but after a few seconds Windows 10 would crash.
I booted an old PC with Windows XP on it. I loaded Putty and was able to watch the boot process but never got a console prompt.
Could I be doing something wrong?
Here is the Putty log
https://www.dropbox.com/s/g8zuzeahv1gqlw4/putty.log?dl=0

1 Like

This looks promising:

Please choose the operation: 

   1: Load system code to SDRAM via TFTP. 

   2: Load system code then write to Flash via TFTP. 

   3: Boot system code via Flash (default).

   4: Entr boot command line interface.

   7: Load Boot Loader code then write to Flash via Serial. 

   9: Load Boot Loader code then write to Flash via TFTP.

In the worse case scenario, it seems you may be able to produce a BIN file to TFTP (meaning, you can test before flashing) and a Sysupgrade file to flash!

The specs look good too:


 ##### The CPU freq = 880 MHZ #### 

 estimate memory size =256 Mbytes

The flash appears to be 16 MB.

flash manufacture id: ef, device id 40 18

find flash: W25Q128BV

See if you can hit the ENTER key and get a prompt...or the F key during boot?

Perhaps it's a watered-down version of OpenWrt and still has failsafe and prompt.

Its 128 Mbit aka 16 megabytes.
It looks everything is supported except the DSL part.

1 Like

I'm in, I had the TX line on the wrong pin so keyboard wasn't getting through.
4: gives me a MT7621 # prompt

MT7621 # ?
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy
defaultenv  - default environment variables
erase   - erase SPI FLASH memory
getimage  - burn 8M-image
go      - start application at address 'addr'
help    - print online help
loadb   - load binary file over serial line (kermit mode)
md      - memory display
mdio   - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
nm      - memory modify (constant address)
printenv- print environment variables
reset   - Perform RESET of the CPU
rf      - read/write rf register
saveenv - save environment variables to persistent storage
setenv  - set environment variables
spi     - spi command
test   - command using by VPT
tftpboot- boot image via network using TFTP protocol
version - print monitor version

After boot...
Enter gives me a # prompt

# help

Built-in commands:
-------------------
        . : break cd chdir continue eval exec exit export false hash
        help let local pwd read readonly return set shift source times
        trap true type ulimit umask unset wait

Is there a way to reset to factory defaults from either console?
I have the most recent .bin firmware file from the manufacturer, how can I flash that?

Thanks everyone for being so helpful.

I think I'm figuring this out, a little at a time...I now have a TFTP server running on the XP box.
I renamed the factory firmware file to G902.bin, not sure if that's the right thing to do or not.
Here is a link to the firmware file: G902 firmware
Upon boot I selected, 1: Load system code to SDRAM via TFTP. It then prompts for the server ip, the router ip and the filename. I expected this would load the firmware to DRAM
This is the console output, then it just seems to reboot itself back to the way it has been, not to factory defaults. I must be doing something wrong with the file:

Input server IP (192.168.100.100) ==:192.168.100.100

	Input Linux Kernel filename (g902.bin) ==:g902.bin


 netboot_common, argc= 3 


 NetTxPacket = 0x8FFE6180 


 KSEG1ADDR(NetTxPacket) = 0xAFFE6180 


 NetLoop,call eth_halt ! 


 NetLoop,call eth_init ! 

Trying Eth0 (10/100-M)


 Waitting for RX_DMA_BUSY status Start... done



 ETH_STATE_ACTIVE!! 

TFTP from server 192.168.100.100; our IP address is 192.168.100.55

Filename 'g902.bin'.


 TIMEOUT_COUNT=10,Load address: 0x80a00000

Loading: *checksum bad

checksum bad

checksum bad

checksum bad

checksum bad

checksum bad

checksum bad

checksum bad

checksum bad

Got ARP REPLY, set server/gtwy eth addr (00:11:11:07:c3:84)

Got it

#################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 #################################################################

	 ####################

done

Bytes transferred = 8750716 (85867c hex)

NetBootFileXferSize= 0085867c

Automatic boot of image at addr 0x80A00000 ...

## Booting image at 80a00000
1 Like

This would only boot the image you has provided with tftp. There will be no factory reset...
Looks like the firmware image does not start with a uImage header or with the kernel...

Firstly i would boot into your current running firmware and backup all partitions to restore it if you bricked your firmware...
Use cat /proc/mtd to check your current partition layout and post this info here.
Use dd if=/dev/mtdX of=/tmp/mtdX.bin to backup the partition named mtdX

Try a passwd with root to set a new password.
Check if you has or could enable ssh to transfer your backups with scp.
If you could not access your router over shh try to figure out where is your directory of the http server and create an symlink of your backups to this dir with ln -s /tmp/mtdX.bin /path/to/webdir/mtdX.bin and download your backups through the webserver.

I'm writing from mobile...

unsure why this was flagged as spam<

Got the partition layout:

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Mac"
mtd3: 00010000 00010000 "Factory"
mtd4: 001f0000 00010000 "Kernel"
mtd5: 005b0000 00010000 "RootFs"
mtd6: 001f0000 00010000 "Kernel_bak"
mtd7: 005b0000 00010000 "RootFs_bak"
mtd8: 007a0000 00010000 "Kernel_RootFs"
mtd9: 007a0000 00010000 "Kernel_RootFs_bak"
mtd10: 00000000 00010000 "RootFS_Data"
mtd11: 00020000 00010000 "SystemLog"
mtd12: 00020000 00010000 "Config"
mtd13: 00020000 00010000 "Config_bak"
mtd14: 00010000 00010000 "Mac_bak"
#

Made the backups but SSH connection is refused. Telnet asks for username/password which I don't know.

There are many partitions...
Could you also provide the part of the bootlog where the mtds are printed?

User = root?
Do you set a password with passwd from serial console?

unsure why this was flagged as spam<

I think this is the output you want...
brd: module loaded
flash manufacture id: ef, device id 40 18
W25Q128BV(ef 40180000) (16384 Kbytes)
mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
hw_device=G902

Creating 15 MTD partitions on "raspi":
0x000000000000-0x000001000000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Mac"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x000000240000 : "Kernel"
0x000000240000-0x0000007f0000 : "RootFs"
0x0000007f0000-0x0000009e0000 : "Kernel_bak"
0x0000009e0000-0x000000f90000 : "RootFs_bak"
0x000000050000-0x0000007f0000 : "Kernel_RootFs"
0x0000007f0000-0x000000f90000 : "Kernel_RootFs_bak"
0x000000f90000-0x000000f90000 : "RootFS_Data"
0x000000f90000-0x000000fb0000 : "SystemLog"
0x000000fb0000-0x000000fd0000 : "Config"
0x000000fd0000-0x000000ff0000 : "Config_bak"
0x000000ff0000-0x000001000000 : "Mac_bak"
rdm_major = 253
GMAC1_MAC_ADRH -- : 0x0000000c
GMAC1_MAC_ADRL -- : 0x432880fa

user= root
passwd :not found

unsure why this was flagged as spam<

I found a couple of passwd text files. Was hoping would work for webgui login but nope, no such luck.

# pwd
/etc
# ls
mdev.conf           iproute2            miniupnpd.conf
group               resolv.conf         ipphone
passwd-             dhcp_option43.conf  init.d
passwd              hosts               cron
services            udhcpd.conf
Wireless            udhcpd.conf_bak
# cat passwd
admin:FGGCFL0ga7Tes:0:0:Adminstrator:/:/bin/sh
# cat passwd-
admin::0:0:Adminstrator:/:/bin/sh

unsure why this was flagged as spam<

Was able to change password

# chpasswd
admin:admin
Password for 'admin' changed

Before password change:

# login
Mediatek login: admin
Password: 
Login incorrect

After password change:

Mediatek login: admin
Password: 
BusyBox v1.12.1 (2016-08-26 17:31:27 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# help

Built-in commands:
-------------------
	. : break cd chdir continue eval exec exit export false hash
	help let local pwd read readonly return set shift source times
	trap true type ulimit umask unset wait

Seems that is only for the console, I tried that user:pass combo in the web interface and got:
goahead[12125]: User:user Web login Fail: Password wrong. IP:xxx.xxx.xxx.xxx (removed ip)

Not much there for logs:

# cd /var/log
# ls
messages

Your goal is to have access the vendor fw? Porting OpenWRT has to be done by anyone who has this device, so would be hard to do this...

The vendor fw that you had linked did have a 96 byte header infornt of the uImage header, so this is the reason why you couldn´t boot that with bootloader option 1.
Here i have a image without this header, could you boot that with bl option 1?

Are you able to backup your partitions and transfer it now with your know password?

Please upload your backups so that we can analyze the binaries.
If that is done, we could advise your for the next steps...
Probably you could flash the bin from bootloader with option 2, but firstly you should backup everything and try to boot the image with the non permanent option 1...

Edit: Why you removed all this stuff in your posts???

1 Like

I just created another account to let you know...I didn't remove anything, the system keeps putting my account on hold. I guess an admin has to review them.
This is what I was trying to post...hope it doesn't get blocked :grinning:
juppin, thanks for you input and time, I really appreciate it.
I understand OpenWRT is an not an option.
After password change, still can't find a way to backup.
Yes, I want to install or factory reset the vendor firmware.
The options that I think might work are: find, reset or bypass password for web GUI so I can turn off the switch in the installed firmware that's blocking the hardware reset button from doing a factory reset or install factory firmware from USB inside the web GUI or test factory firmware via option 1, as you suggest, then flash with option2.
I tried option 1, I tried to post the full output and a link to it but the forum system flags it as spam and blocks it so I'm just posting the bit at the end...

VFS: Cannot open root device "mtdblock5" or unknown-block(31,5)
Please append a correct "root=" boot option; here are the available partitions:
1f00           16384 mtdblock0 (driver?)
1f01             192 mtdblock1 (driver?)
1f02              64 mtdblock2 (driver?)
1f03              64 mtdblock3 (driver?)
1f04            1472 mtdblock4 (driver?)
1f05            6336 mtdblock5 (driver?)
1f07            1472 mtdblock7 (driver?)
1f08            6336 mtdblock8 (driver?)
1f09            7808 mtdblock9 (driver?)
1f0a            7808 mtdblock10 (driver?)
1f0c           15616 mtdblock12 (driver?)
1f0d             128 mtdblock13 (driver?)
1f0e             128 mtdblock14 (driver?)
1f0f             128 mtdblock15 (driver?)
1f10              64 mtdblock16 (driver?)
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,5)