Install OpenWrt to an ISP-provided AX6000 Router with root access

Hello,
I have root access to the ISP-supplied router, which is based on OpenWrt but runs a lot of customized scripts.
I need help installing OpenWrt on this device.

Some details of the device are below.

DISTRIB_TARGET='mediatek/mt7986'
DISTRIB_ARCH='aarch64_cortex-a53'

BusyBox v1.35.0 (2024-05-28 07:02:28 UTC) built-in shell (ash)


OpenWrt ARCNBULL_LALU6909_R2.7.9, r0-6757f9e5a

root@GAJERA00004079:/# cat /proc/mtd
dev: size erasesize name
mtd0: 10000000 00020000 "spi0.1"
mtd1: 00100000 00020000 "BL2"
mtd2: 00080000 00020000 "u-boot-env"
mtd3: 00200000 00020000 "Factory"
mtd4: 00200000 00020000 "FIP"
mtd5: 08c00000 00020000 "ubi"
mtd6: 05a00000 00020000 "ubi2"
mtd7: 00200000 00020000 "MFG"
mtd8: 00200000 00020000 "Bull-Reserved"

Can someone point me in the right direction?

Your device (probably) isn't supported here. To make sure, post the output of the command
ubus call system board.

On running ubus call system board I get the below.
{
    "kernel": "5.4.225",
    "hostname": "GAJERA00004079",
    "system": "ARMv8 Processor rev 4",
    "model": "MediaTek MT7986a RFB",
    "board_name": "mediatek,mt7986a-spim-snand-rfb",
    "release": {
        "distribution": "OpenWrt",
        "version": "ARCNBULL_LALU6909_R2.7.9",
        "revision": "r0-6757f9e5a",
        "target": "mediatek/mt7986",
        "description": "OpenWrt ARCNBULL_LALU6909_R2.7.9 r0-6757f9e5a"
    }
}

For non-messed-up devices, upgrading via SSH goes like this:
https://openwrt.org/docs/guide-user/installation/sysupgrade.cli

Depending on how deeply your ISP messed up things, you could go to the Web-UI and try to install the "attended sysupgrade" instead.
https://openwrt.org/docs/guide-user/installation/attended.sysupgrade

But please read up on the situation thoroughly and do not keep any settings your ISP made. Let the installation procedure reset configuration to default and re-enter your credentials manually. Your ISP might have used a configuration that is not compatible with stock OpenWrt and prevents your router from even spinning up a network.

Download a config backup and back up the OEM flash fully for when you have to return it.
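
One way to turn the /proc/mtd table posted above into a full read-only backup plan, as an added Python example that is not part of any post in this thread. It assumes the largest entry (spi0.1) is the whole chip with the other entries as slices of it, that /dev/mtdNro nodes exist on this firmware, and that ROUTER stands in for the router's address.

```python
# Added example (not from the thread): derive a read-only backup plan from /proc/mtd.
# PROC_MTD is the table posted in this thread; ROUTER is a placeholder address.
PROC_MTD = """\
dev: size erasesize name
mtd0: 10000000 00020000 "spi0.1"
mtd1: 00100000 00020000 "BL2"
mtd2: 00080000 00020000 "u-boot-env"
mtd3: 00200000 00020000 "Factory"
mtd4: 00200000 00020000 "FIP"
mtd5: 08c00000 00020000 "ubi"
mtd6: 05a00000 00020000 "ubi2"
mtd7: 00200000 00020000 "MFG"
mtd8: 00200000 00020000 "Bull-Reserved"
"""

def parse_proc_mtd(text):
    """Return one dict per mtdN line; sizes in /proc/mtd are hexadecimal."""
    parts = []
    for line in text.splitlines():
        dev, sep, rest = line.partition(":")
        if not sep or not dev.startswith("mtd"):
            continue  # skip the "dev: size erasesize name" header
        size_hex, erase_hex, name = rest.split(None, 2)
        parts.append({"dev": dev, "size": int(size_hex, 16),
                      "erasesize": int(erase_hex, 16),
                      "name": name.strip().strip('"')})
    return parts

def backup_plan(parts, router="ROUTER"):
    """Assumption: the largest entry is the whole chip, the rest are slices of it."""
    whole = max(parts, key=lambda p: p["size"])
    covered = sum(p["size"] for p in parts if p is not whole)
    # Stream each partition over SSH; a 256 MiB dump will not fit in the router's /tmp.
    cmds = [f"ssh root@{router} 'cat /dev/{p['dev']}ro' > {p['dev']}_{p['name']}.bin"
            for p in parts]
    return {"whole": whole["name"], "uncovered": whole["size"] - covered,
            "commands": cmds}

if __name__ == "__main__":
    plan = backup_plan(parse_proc_mtd(PROC_MTD))
    print(f"whole chip: {plan['whole']}, "
          f"bytes outside named partitions: {plan['uncovered']}")
    print("\n".join(plan["commands"]))
```

For this table the named partitions cover all but 17301504 bytes (16.5 MiB) of spi0.1, so only the mtd0 dump captures everything. Raw NAND reads can fail on bad blocks, so hash each file after transfer and keep the copies off the router.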

Thanks, that's done.


Are you suggesting OP should flash it with https://firmware-selector.openwrt.org/?version=23.05.5&target=mediatek%2Ffilogic&id=mediatek_mt7986a-rfb-nand ?

It's the closest thing I could find to the board_name string ...

I didn't mean to suggest any specific firmware.
I only wanted to point him towards where to find and how to use the upgrade CLI and the UI package name by urging him not to keep any settings.

There are tons of devices named "AX6000" and I started typing before any information about his board was known. But since he didn't ask for the "how-to on my device" explanation but merely a starting point for further read-up, I thought that's where he wanted to take it from himself.

So (especially directed @lazarus) if you don't find your router on the supported list pointing to a firmware file you trust, there's a real chance you're aiming for your device ending up a brick.

Thank you, @frollic, for pointing out that I wasn't clear in my previous post.

Turns out that's not the one.
Device mediatek,mt7986a-spim-snand-rfb not supported by this image.
Need something for mediatek,mt7986a-rfb-snand.

Also, I found out the firmware is signed. I got the below message as well.
jcrypt[22624]: Image Signature of MODEL_NO : LALU6909 Verification - FAILED
Validation Failed!!
Image check failed.

How would one gauge the amount of effort required to make this device supported?

A month to a year, and now you need a serial port to rig the device to boot (unsigned) OpenWrt from the network without modifying flash.
Do you have a firmware upgrade file from the OEM that upgrades to the same version?

In the meantime, scan the partition backup for the MAC address on the label, and binwalk -e -M the partitions and try to figure out specialties such as a kernel conf left behind, etc.

https://openwrt.org/docs/guide-developer/adding_new_device
https://openwrt.org/docs/guide-developer/add.new.device

Yes, I have the firmware upgrade file from the OEM and its signature.
I will binwalk it and try to find out more.

I was able to binwalk the original firmware, which came out as
sysupgrade-mt7986a-ax6000-spim-nand-rfb-sb.zip
There is a file, bull.config, which looks manufacturer-specific.


# Configuration file for fw_(printenv/saveenv) utility.
# Up to two entries are valid, in this case the redundant
# environment sector is assumed present.

# NAND example
# MTD device name       Device offset   Env. size       Flash sector size       Number of sectors
/dev/mtd8             0x0             0x20000         0x40000                 2

And there is this file, bullinit.sh, which is as below.


#!/bin/sh /etc/rc.common

START=12

function number_to_mac () {

    printf "%012x" $1 |  sed 's/../&:/g;s/:$//'

}

mac_wan=""
mac_lan=""
mac_24g=""
mac_5g=""

updateMACaddr() {

    mac_wan=$(number_to_mac $(($1 + 0)))
    echo mac_wan $mac_wan  >> /dev/console
    mac_lan=$(number_to_mac $(($1 + 1)))
    echo mac_lan $mac_lan  >> /dev/console
    mac_24g=$(number_to_mac $(($1 + 2)))
    echo mac_24g $mac_24g  >> /dev/console
    mac_5g=$(number_to_mac $(($1 + 3)))
    echo mac_5g $mac_5g  >> /dev/console

}

function hex_to_acsii () {
    echo -n $1 | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf && echo ''
}

boot() {
    ######## Read factory data and device information #############################
    deviceSerialFilePath="/tmp/deviceSerial"
    deviceSerial="000000000000000"

    deviceHWRevisionFilePath="/tmp/hwVersion"
    deviceHWRevision="0000"

    firmVersionFilePath="/tmp/firmVersion"
    firmVersion=""

    productTypeFilePath="/tmp/productType"
    productType="IDU"

    brlan_addressFilePath="/tmp/br-lan"

    wanMACaddressFilePath="/tmp/wanMAC"
    wanMACaddress=""

    mfgNamePath="/tmp/mfgName"
    mfgName=""
    wifiSSID24G=""
    wifiSSID5G=""
    wifiKey24G=""
    wifiKey5G=""

    wifi24gMACaddressFilePath="/tmp/phy0"
    wifi5gMACaddressFilePath="/tmp/phy1"

    modelInfoFilePath="/tmp/deviceModel"
    modelName=""

    acsPrePasswordFilePath="/tmp/acsPrePasswd"
    acsPrePassword=""

    consumerFilePath="/tmp/consumer"
    consumer=""

    firmVersion=`awk -F "\"" '/VERSION=/ { print $2 }' /rom/etc/os-release`
    if [ -n $firmVersion ]; then
        /bin/echo $firmVersion > $firmVersionFilePath
    fi

    deviceSerial=`bull_factory_data.sh rsn`
    deviceHWRevision=`bull_factory_data.sh hwversion`
    wanMACaddress=`bull_factory_data.sh wanmacaddr`
    acsPrePassword=`bull_factory_data.sh  acsPrePassword`
    wifiSSID24G=`bull_factory_data.sh ssid2G`
    wifiSSID5G=`bull_factory_data.sh ssid5G`
    wifiKey24G=`bull_factory_data.sh key2G`
    wifiKey5G=`bull_factory_data.sh key5G`

    mfgName=`awk -F "'" '/DEVICE_MANUFACTURER=/ {print $2}' /etc/device_info`
    #translate the base mac env to a number
    base=0x$(echo $wanMACaddress | cut -d= -f2 | tr -d ':')
    #
    updateMACaddr $base

    brlanMACaddr=`uci -q get network.brlan.macaddr`
    wanMACaddr=`uci -q get network.eth1.macaddr`
    wifi2gMACaddr=`uci -q get wireless.PRIMARY_2G.macaddr`
    wifi5gMACaddr=`uci -q get wireless.PRIMARY_5G.macaddr`

    # config ethernet

    if [ $brlanMACaddr != $mac_lan ]; then
        uci -q set network.brlan.macaddr=$mac_lan
        uci commit
    fi
    if [ -z "$wanMACaddr" ] || [ $wanMACaddr != $mac_wan ]; then
        uci -q set network.eth1.macaddr=$mac_wan
        uci commit
    fi
    if [ $wifi2gMACaddr != $mac_24g ]; then
        uci -q set wireless.PRIMARY_2G.macaddr=$mac_24g
        uci commit
    fi
    if [ $wifi5gMACaddr != $mac_5g ]; then
        uci -q set wireless.PRIMARY_5G.macaddr=$mac_5g
        uci commit
    fi

    ifconfig eth0 down
    ifconfig eth0 hw ether $mac_lan
    ifconfig eth0 up

    /bin/echo $mac_lan > $brlan_addressFilePath

    if [ -n $deviceSerial ]; then
        /bin/echo $deviceSerial > $deviceSerialFilePath
    fi

    if [ -n $acsPrePassword ]; then
	if grep -qF "LALU6909" /etc/device_info ;then
		acsPrePassword=`hex_to_acsii $acsPrePassword`
	fi
	/bin/echo $acsPrePassword > $acsPrePasswordFilePath
    fi

    if [ -n $deviceHWRevision ]; then
        /bin/echo $deviceHWRevision > $deviceHWRevisionFilePath
    fi

    /bin/echo $productType > $productTypeFilePath

    if [ -n "$wanMACaddress" ]; then
        /bin/echo $wanMACaddress > $wanMACaddressFilePath
    fi

    if [ -n "$mac_24g" ]; then
        /bin/echo $mac_24g > $wifi24gMACaddressFilePath
    fi

    if [ -n "$mac_5g" ]; then
        /bin/echo $mac_5g > $wifi5gMACaddressFilePath
    fi

    modelName=`awk -F "'" '/DEVICE_PRODUCT=/ {print $2}' /etc/device_info`
    if [ -n $modelName ]; then
	    /bin/echo $modelName > $modelInfoFilePath
    fi

    if [ -n $mfgName ]; then
         /bin/echo $mfgName > $mfgNamePath
    fi

    if [ $(uci get ui_defaults.frstatus.wifi_factoryreset) -eq 1 ]; then
        wifiEncryption24GValue="psk2+ccmp"
        wifiEncryption5GValue="psk2+ccmp"
        if [ -n "$wifiSSID24G" ] && [ -n "$wifiSSID5G" ]; then
            uci set wireless.PRIMARY_2G.ssid=$wifiSSID24G
            uci set wireless.PRIMARY_2G.key=$wifiKey24G
            uci set wireless.PRIMARY_2G.encryption=$wifiEncryption24GValue
            uci set wireless.PRIMARY_5G.ssid=$wifiSSID5G
            uci set wireless.PRIMARY_5G.key=$wifiKey5G
            uci set wireless.PRIMARY_5G.encryption=$wifiEncryption5GValue
            uci commit wireless
        fi
        uci set ui_defaults.frstatus.wifi_factoryreset='0'
        uci commit ui_defaults
    fi
    
    ######## Set wanmode flag to bull-reserved if not present ###################
    wanmode=`bull_factory_data.sh get wanmode`
    wanmode_reset=`bull_factory_data.sh get wanmode_reset`
    if [ -z "$wanmode" ] || [ -z "$wanmode_reset" ] || [ "$wanmode_reset" = "0" ]; then
        wanmode="mod"
        bull_factory_data.sh set wanmode $wanmode
        bull_factory_data.sh set wanmode_reset 1
    fi

    uci_wanmode=`uci get ui_defaults.mode.wan`
    if [ "$uci_wanmode" != "$wanmode" ]; then
        uci set ui_defaults.mode.wan=$wanmode
        uci commit ui_defaults
    fi
    ############################################################################

    ######## Set Plume Status flag to bull-reserved if not present ##############
    #PlumeEnabled=`bull_factory_data.sh get PlumeEnabled`
    PlumeEnabled="0"
    if [ -f "/usr/opensync/bin/dm" ]; then
        PlumeEnabled="1"
        ######## Disable virtual interface creation through uci when plume is enbaled ########
        if [ $(uci get wireless.PRIMARY_2G.disabled) -eq 0 ]; then
            uci set wireless.PRIMARY_2G.disabled='1'
            flag="1"
        fi
        if [ $(uci get wireless.PRIMARY_5G.disabled) -eq 0 ]; then
            uci set wireless.PRIMARY_5G.disabled='1'
            flag="1"
        fi
        if [ "$flag" == "1" ]; then
            uci commit wireless
        fi
        touch /tmp/update_ntptime_required
    fi
    bull_factory_data.sh set PlumeEnabled $PlumeEnabled

    ###########Set led default value #################################################
    uci set led.status.wifi='0'
    uci set led.status.ipv6='0'
    uci set led.status.currentled='redon'
    uci set led.status.ipv4='0'
    uci commit led
    
    old_firmware=`awk -F "'" '/option software_version / { print$2 }' /etc/config/tr069`
    if [ "$firmVersion" != "$old_firmware" ]; then
	    rm -rf /usr/opensync/data
    fi

     # Run bull ntpd in the background
    if [ -f "/sbin/ntpd_time.sh" ]; then
        /sbin/ntpd_time.sh 120 &
    fi

    #remove files from /overlay/upper/sbin
    if [ -e "/overlay/upper/sbin/mfg_led.sh" ]; then
        rm -f /overlay/upper/sbin/mfg_led.sh
    fi

    if [ -e "/overlay/upper/sbin/mfg_button.sh" ]; then
        rm -f /overlay/upper/sbin/mfg_button.sh
    fi

    if [ -e "/overlay/upper/sbin/init_ubi2.sh" ]; then
        rm -f /overlay/upper/sbin/init_ubi2.sh
    fi
    
    #Check if filesystem recovery has taken place and reboot
    if [ -s "/tmp/copy_files.txt" ] || [ -s "/tmp/opensync_copy_files.txt" ]; then
        echo "Filesystem recovery has taken place, performing a reboot." > /dev/kmsg
        reboot_file="/etc/recovery_reboots.txt"

        # Check if the reboot file exists
        if [ ! -f "$reboot_file" ]; then
            # If not, initialize the file with 0 reboots
            echo "0" > "$reboot_file"
        fi

        # Read the current number of reboots from the file
        reboot_count=$(cat "$reboot_file")

        # Check if the reboot count is less than 3
        if [ $reboot_count -lt 3 ]; then
            # Increment the reboot count
            reboot_count=$(($reboot_count+1))
            # echo $reboot_count > /dev/console
            # Update the reboot count in the file
            echo "$reboot_count" > "$reboot_file"
            rm -f /tmp/copy_files.txt
            reboot
        else
            echo "Reached maximum reboots (3)." > /dev/kmsg
        fi
    else
        echo "Recovery file is empty." > /dev/kmsg
        # Delete reboot count file if recovery is no longer required
        if [ -s "/tmp/recovery_reboots.txt" ]; then
            rm -f /etc/recovery_reboots.txt 
        fi
    fi

    #Check the consumer flag
    consumer=`bull_factory_data.sh get consumer`
    if [ -n "$consumer" ] && [ "$wanmode" = "ont" ] && [ "$consumer" = "retail" ]; then
        echo $consumer > $consumerFilePath
    fi

}
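
The earlier suggestion in this thread to scan the partition backups for the label MAC, combined with the base+0..3 derivation in updateMACaddr() above, as an added Python example that is not part of any post. The sample dump and its MAC are constructed, and the wanmacaddr= text entry in it is an assumed storage format, not something read from this device.

```python
import re

ROLES = ("mac_wan", "mac_lan", "mac_24g", "mac_5g")  # base+0..3, as in updateMACaddr()

def derived_macs(base_mac):
    """Mirror bullinit.sh: treat the WAN MAC as a number and add 0..3."""
    base = int(base_mac.replace(":", ""), 16)
    out = {}
    for i, role in enumerate(ROLES):
        # The 48-bit mask is added here; the script itself does not wrap.
        h = "%012x" % ((base + i) & 0xFFFFFFFFFFFF)
        out[role] = ":".join(h[j:j + 2] for j in range(0, 12, 2))
    return out

def encodings(mac):
    """Byte patterns a MAC may take in flash: raw 6 bytes, or ASCII with/without colons."""
    plain = mac.replace(":", "")
    return {"raw": bytes.fromhex(plain),
            "ascii-colon": mac.encode(),
            "ascii-plain": plain.encode()}

def scan(blob, base_mac):
    """Return sorted (offset, role, form) hits for every derived MAC in blob."""
    hits = []
    for role, mac in derived_macs(base_mac).items():
        for form, pat in encodings(mac).items():
            # ASCII forms match case-insensitively; raw bytes must match exactly.
            flags = 0 if form == "raw" else re.IGNORECASE
            hits += [(m.start(), role, form)
                     for m in re.finditer(re.escape(pat), blob, flags)]
    return sorted(hits)

# Constructed sample dump (not real device data): raw WAN MAC, an ASCII
# key=value entry for the same MAC, then the raw 5 GHz MAC (base+3, with carry).
SAMPLE = (b"\xff" * 16 + bytes.fromhex("001122aabbfe") + b"\xff" * 10
          + b"wanmacaddr=00:11:22:AA:BB:FE\x00" + bytes.fromhex("001122aabc01"))

if __name__ == "__main__":
    for off, role, form in scan(SAMPLE, "00:11:22:aa:bb:fe"):
        print(f"0x{off:08x}  {role:8s} {form}")
```

On real dumps, pass the bytes of each saved partition file and the MAC printed on the label; a hit for all four roles in one partition points at where the factory data lives and which of the label's neighbours the firmware actually uses.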