Icotera i4882 Wi-Fi 6 Router with 2.5G Ethernet

TL;DR

It uses a MIPS interAptiv Realtek 9607CP, which I believe has a limited future for OpenWrt development, but I wanted to share these findings in case they are useful to someone smarter. The hardware and antenna design are really good; it's let down by the stock firmware but quite customisable even as a dumb access point.

Specifications and Datasheet

Firmware

Can be downloaded at http://icotera.as42611.net/gold5k-2.2.4_generic_release.bin. It's encrypted with a static key obfuscated inside /bin/cliic but can be decrypted with:

tail -c +150 firmware.bin | openssl enc -aes-256-cbc -nosalt -d -out firmware.tar.gz -K 'c47bd740511eb0c13b00250417db62301389cb91d0f3c94d39ac6a4357506744' -iv `dd skip=129 count=16 if=firmware.bin bs=1 status=none | hexdump -e '16/1 "%02x"'` -nopad

Getting Complete Admin

The easiest way is to factory reset, then serve the filename WANMACADDRESSGOESHERE.dat on the WAN interface via a TFTP server containing a replacement configuration file with the following:

management ssh enable
management ssh authentication password enable
management ssh port 22
management ssh listen all
management ssh filter enable
management ssh filter rule 1 enable
management ssh filter rule 1 description
management ssh filter rule 1 inif any
management ssh filter rule 1 srcip 0.0.0.0
management ssh filter rule 1 action allow
management cli timeout 300
management cli username admin
management cli password $1$aKaa.d9.$6IzZ0e8gYlTf8gvpMxmfa0
management login basic
management cwmp disable

Then SSH with username admin and password 123 to get complete admin access via the Icotera CLI.

Useful Commands

Dump all logs and debug info: (time consuming)
debug techsupport screen

Revert any changes without applying:
copy boot progress

Review current configuration:
copy progress screen

Apply changes:
copy progress boot

Wi-Fi settings:
interface wifi

Bridge and VLAN membership:
bridge

Disable routing:
router disable

Interface info:
show interface

System summary:
show management

Holding the reset button on boot for more than 15 seconds switches the active/backup firmware partitions.

The link for the firmware doesn't seem to be working anymore. If you happen to still have the file, would you be willing to provide it?

@mikael1
Send them an e-mail and request the current firmware file.
If they refuse, then tell them that their workers said at the angacom 2024 conference that they would like to support adding OpenWrt support to their hardware. You want to look at the firmware to see if you could get that far adding support for an Icotera device.
Let's see what their reaction is when you tell them that. I can send you some of the full names of the people that were working at the conference for Icotera and making promises they did not fulfil afterwards.

Neither supported in current mainline Linux.

Hello, thanks for sharing this. I have this device and am trying to set it up as a dumb AP.

Could you please provide more information regarding how you were able to TFTP the WANMACADDRESSGOESHERE.dat file on the WAN side? Did you set up any specific IP addresses on the TFTP server or on your computer? Or did you need UART access to achieve this?

Your help with how to gain admin access or SSH will be appreciated.

The easiest way is to use Tftpd64 or similar to act as a DHCP server for the WAN interface. The IP addresses don't matter as long as the i4882 gets one and can then reach a TFTP server on the same server IP. Just pick a subnet that doesn't overlap with anything else on your network.

No UART access required, it can all be done without opening it up.

Thanks a bunch for the reply.

Tftpd64 appears to have compatibility issues on Windows 11. An IP is assigned to the router's WAN port via the DHCP server, but the router does not get the file while starting up.

Can you confirm if the file name should contain only alphanumeric characters, or should the colon ":" separator of the MAC address also be included in the file name?

You can have any filename in TFTP; just run the server and it will log the requested filename.

Perhaps I'm doing something wrong hence the router is not requesting the file.

Is there a specific way to reset the router in order to enter into the loop where the file should be requested? Via the web GUI or by pressing the reset button in a certain way, do you have any suggestions?

Make sure your cable is only connected, and run Wireshark to find the same info another way.

Just the alphanumeric characters, no colons or spaces. And yes, you'll see it trying to request the filename anyway in the log. If on Windows, check UDP on port 69 is allowed in the firewall.

This behaviour is part of initial provisioning so either the reset button or via the GUI should have the same effect after first boot. It won't work if it's already got a management URL configured from your ISP.

I agree that Wireshark is a good way to troubleshoot, otherwise you'll need a serial console which may well be read-only anyway depending on how locked down your firmware is.
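
The replies above suggest reading the requested filename from the TFTP server log or a packet capture. The Python sketch below is an added example, not part of the thread: it parses TFTP read requests (RFC 1350, options per RFC 2347) and compares the requested name with the WAN MAC stripped of separators. The sample MAC, sample packet, bind address and case-insensitive comparison are assumptions; `watch()` only logs and has to run in place of the TFTP server because it binds UDP port 69.

```python
import socket
import string
import struct

RRQ = 1  # TFTP read-request opcode (RFC 1350)

def config_filename(wan_mac: str) -> str:
    """WAN MAC without colons or spaces, plus '.dat' (naming described in the thread)."""
    digits = "".join(c for c in wan_mac if c.isalnum())
    if len(digits) != 12 or not set(digits) <= set(string.hexdigits):
        raise ValueError(f"not a MAC address: {wan_mac!r}")
    return digits + ".dat"

def parse_rrq(packet: bytes):
    """Return (filename, mode, options) for a read request, else None."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != RRQ:
        return None
    fields = packet[2:].split(b"\0")
    # Every field is NUL-terminated, so a well-formed request leaves an empty tail.
    if len(fields) < 3 or fields[-1] != b"":
        return None
    name, mode, *rest = (f.decode("ascii", "replace") for f in fields[:-1])
    return name, mode.lower(), dict(zip(rest[0::2], rest[1::2]))  # RFC 2347 options

def watch(bind_ip: str, expected: str, port: int = 69) -> None:
    """Log each read request seen on the interface cabled to the router's WAN port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))  # binding port 69 usually needs elevated rights
        while True:
            data, (src, _) = sock.recvfrom(2048)
            req = parse_rrq(data)
            if req is None:
                continue
            # Assumption: compare case-insensitively; the thread does not state the case.
            verdict = "matches" if req[0].lower() == expected.lower() else "differs from"
            print(f"{src} asked for {req[0]!r} ({req[1]}): {verdict} {expected!r}")

# Constructed sample: a read request for a made-up WAN MAC 00:11:22:aa:bb:cc.
SAMPLE = b"\x00\x01001122aabbcc.dat\x00octet\x00blksize\x001468\x00"

if __name__ == "__main__":
    print(parse_rrq(SAMPLE), config_filename("00:11:22:aa:bb:cc"))
    # For live use, call e.g. watch("192.168.50.1", config_filename("<WAN MAC>")).
```

If nothing is logged at all, the router never sent a read request, which points at DHCP, cabling or the firewall rather than the filename.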