IPQ4019 - Support for Netgear Orbi RBR20 & RBS20

These devices are almost identical to their bigger siblings, the RBR50 & RBS50. Please @wiki-account, I'd like to get permission to edit the wiki so I can add the links with the specs from WikiDevi and other information. I'd also like to see if I can add support for these in OpenWrt.

Any help is appreciated!

I think it's this and IRC PM regarding wiki account?

Do you have hardware in hand? Are you adding support?

https://openwrt.org/supported_devices/adding_to_toh

https://openwrt.org/meta/criteria_for_adding_new_devices_to_the_toh

I own both the router and satellite and would like to try to add support.


Awesome. In parallel to the wiki account issue then:

How are you going with your attempts to add support?
Anything you'd like assistance with?
Do you know where to start in regards to setting up a build environment, serial console, tftp boot etc?

No idea where to start...


Cool no worries.

First thing IMO is to identify whether you can get a console on the device, i.e. whether you can get a shell? (Serial console / ssh / exploit etc.)

I would then start by trying to get a dump of the existing flash etc so you have a backup.

In parallel, you will probably need to learn how to build firmware. (i.e. set up a build system).

Here are the wiki links I've previously collected:

https://openwrt.org/docs/guide-developer/hw.hacking.first.steps

https://openwrt.org/docs/guide-developer/adding_new_device

https://openwrt.org/docs/guide-developer/add.new.device

https://openwrt.org/docs/guide-developer/defining-firmware-partitions

https://openwrt.org/docs/guide-developer/device-support-policies

https://openwrt.org/docs/guide-developer/toolchain/use-buildsystem


OK. Thanks for the homework. Should keep me busy for a while...


Cool.

Just in case you don't have an electronics background in general:

My only other heads up is please be mindful of TTL (output) voltages of a serial adapter and don't go hooking up the VCC lines of the adapter together with the router if you go for the serial console device. Similarly getting the grounds connected right etc.

That's a sure way to break something.

Adding FCC links containing pictures of the internals:


Cool. Only other thing I can think of is compare the board numbers / identifiers between this and the existing device.

Plus download the factory firmwares and look at them with binwalk and/or a hex editor to find out what the differences are between this version and the existing devices supported. You will probably need to find the magic numbers at least that will allow the bootloader / nmrpflash to work?

Finally. Here's the git commit for supporting the RBR50/RBS50/SRR60/SRS60?

https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=2cb24b3f3cd89692f3c0bd137f3f560ada359bfa

That will give you an indication on what sort of files you will need to edit / create to add support.

I went to the debug link on both devices and started a debug log which produced a couple of zipped files with lots of information...

The basic debug and console logs look promising, but they contain some sensitive information that I'll have to redact.

Would this be useful at all?

Ideally we want a full bootlog from the serial console?

If you have "console" i.e. a shell we can start from there?

IDK whether there's a factory shell or what the debug output is like?

DONE:

TODO:

  • Try telnetting into my router to see if I can generate a boot log and dump the firmware (will need further instructions on this).
  • Download firmware (and source code?) from Netgear for reference and look at it with binwalk.
  • Continue developing the wiki (add hwdata, etc.)

evs, just wanted to say that I appreciate all the guidance so far!


Yeah, either try to get a root shell by some sort of exploit, or try to see by opening up the device whether you can hook up a serial terminal? I would go straight to a serial console if you have a 3.3V TTL USB adapter or TTL level converter available?

telnet shouldn't be too challenging to operate from your computer's side if that's what you're asking about? If you're using Windows I guess PuTTY is the way to go?

Yeah I would have held off on wiki / hwdata until I had working code on the device. But as you've said this should be very similar to existing hardware? Anyway yeah inbox is the right spot from what I can tell.

I can help with setting up a build system with a Debian derivative, but it should be relatively straightforward.

Only thing I suggest is depending on the feed update speeds, you may want to use a custom feeds.conf to point to GitHub....

Source code is here? Haven't had a look.

When I did a Netgear device, I just looked at what the magic word was by hex editor in the firmware download. But code may be useful for reference.

No worries!

  • I spent $25 for an RBR20 from eBay so that I don't mess with my current setup.
  • I downloaded both the firmware and source code for version 2.7.4.24 and 2.5.1.16 (I believe this one still has telnet enabled in the debug page in case the Python script doesn't work).
  • I unzipped the source code and extracted the firmware with binwalk.

What kind of stuff can I do while I wait for the router from eBay to arrive?


Looks to me you want to find NETGEAR_HW_ID and why the following are in the image.mk file?

      KERNEL_SIZE := 3932160
      ROOTFS_SIZE := 32243712
      IMAGE_SIZE := 36175872

Can you build an image with the build system yet?

Do you know how to run nmrpflash?

Do you have a serial adapter ready and serial ports identified so we can try to look at bootloader?

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------------------------------
128           0x80            Flattened device tree, size: 3705200 bytes, version: 17
356           0x164           gzip compressed data, maximum compression, has original file name:
                              "Image", from Unix, last modified: 2020-03-10 08:37:12
3360536       0x334718        Flattened device tree, size: 38424 bytes, version: 17
3399228       0x33DE3C        Flattened device tree, size: 42850 bytes, version: 17
3442348       0x3486AC        Flattened device tree, size: 41916 bytes, version: 17
3484532       0x352B74        Flattened device tree, size: 34248 bytes, version: 17
3519048       0x35B248        Flattened device tree, size: 34407 bytes, version: 17
3553724       0x3639BC        Flattened device tree, size: 34547 bytes, version: 17
3588540       0x36C1BC        Flattened device tree, size: 38395 bytes, version: 17
3627204       0x3758C4        Flattened device tree, size: 38282 bytes, version: 17
3665756       0x37EF5C        Flattened device tree, size: 37980 bytes, version: 17
3801152       0x3A0040        uImage header, header size: 64 bytes, header CRC: 0xEA97D974, created:
                              2020-03-10 08:38:20, image size: 30148608 bytes, Data Address:
                              0x40908000, Entry Point: 0x40908000, data CRC: 0xEC782D68, OS: Linux,
                              CPU: ARM, image type: OS Kernel Image, compression type: lzma, image
                              name: "ARM OpenWrt Linux-3.14.77"
3801216       0x3A0080        Squashfs filesystem, little endian, version 4.0, compression:xz, size:
                              29921573 bytes, 4206 inodes, blocksize: 262144 bytes, created:
                              2020-03-10 08:37:55

Sorry for disappearing! The router from eBay finally arrived. I flashed the firmware to version 2.5.1.16, reset it to factory defaults, enabled the telnet option from the debug page, and proceeded to run most of the commands listed here (I'll make a series of posts with the output of each command).

Also, when trying to dump the firmware image using binwalk -Me, I received a message about symlinks being removed for security reasons. Does that affect anything?

root@RBR20:/# uname -an
Linux RBR20 3.14.77 #1 SMP PREEMPT Tue Mar 10 16:36:59 CST 2020 armv7l GNU/Linux
root@RBR20:/# cat /proc/device-tree/boot_version
CRM-BOOT.BF.3.1.1-00110
root@RBR20:/# cat /proc/device-tree/model
Qualcomm Technologies, Inc. IPQ40xx/AP-DK04.1-C1
root@RBR20:/# cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 96.00
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

processor       : 1
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 96.00
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

processor       : 2
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 96.00
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

processor       : 3
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 96.00
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

Hardware        : Qualcomm (Flattened Device Tree)
Revision        : 0000
Serial          : 0000000000000000
root@RBR20:/# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00020000 "0:SBL1"
mtd1: 00100000 00020000 "0:MIBIB"
mtd2: 00100000 00020000 "0:BOOTCONFIG"
mtd3: 00100000 00020000 "0:QSEE"
mtd4: 00100000 00020000 "0:QSEE_1"
mtd5: 00080000 00020000 "0:CDT"
mtd6: 00080000 00020000 "0:CDT_1"
mtd7: 00080000 00020000 "0:BOOTCONFIG1"
mtd8: 00080000 00020000 "0:APPSBLENV"
mtd9: 00200000 00020000 "0:APPSBL"
mtd10: 00200000 00020000 "0:APPSBL_1"
mtd11: 00080000 00020000 "0:ART"
mtd12: 00080000 00020000 "0:ART.bak"
mtd13: 00100000 00020000 "config"
mtd14: 00080000 00020000 "boarddata1"
mtd15: 00040000 00020000 "boarddata2"
mtd16: 00100000 00020000 "pot"
mtd17: 00080000 00020000 "boarddata1.bak"
mtd18: 00040000 00020000 "boarddata2.bak"
mtd19: 00300000 00020000 "language"
mtd20: 00080000 00020000 "cert"
mtd21: 09300000 00020000 "ntgrdata"
mtd22: 02800000 00020000 "firmware"
mtd23: 003a0000 00020000 "kernel"
mtd24: 02460000 00020000 "rootfs"
mtd25: 007c0000 00020000 "rootfs_data"
mtd26: 03200000 00020000 "reserved"
mtd27: 0020f000 0001f000 "vol_traffic"
mtd28: 0020f000 0001f000 "vol_traffic.bak"
mtd29: 00516000 0001f000 "vol_devtable"
mtd30: 0009b000 0001f000 "vol_oopsdump"
mtd31: 01e08000 0001f000 "vol_circle"
mtd32: 04107000 0001f000 "vol_ntgr"
mtd33: 00516000 0001f000 "vol_ntgrcrydata"
mtd34: 00516000 0001f000 "vol_arlo"
mtd35: 0020f000 0001f000 "vol_rae"
mtd36: 00117000 0001f000 "vol_jdx"
root@RBR20:/# cat /proc/partitions
major minor  #blocks  name

  31        0       1024 mtdblock0
  31        1       1024 mtdblock1
  31        2       1024 mtdblock2
  31        3       1024 mtdblock3
  31        4       1024 mtdblock4
  31        5        512 mtdblock5
  31        6        512 mtdblock6
  31        7        512 mtdblock7
  31        8        512 mtdblock8
  31        9       2048 mtdblock9
  31       10       2048 mtdblock10
  31       11        512 mtdblock11
  31       12        512 mtdblock12
  31       13       1024 mtdblock13
  31       14        512 mtdblock14
  31       15        256 mtdblock15
  31       16       1024 mtdblock16
  31       17        512 mtdblock17
  31       18        256 mtdblock18
  31       19       3072 mtdblock19
  31       20        512 mtdblock20
  31       21     150528 mtdblock21
  31       22      40960 mtdblock22
  31       23       3712 mtdblock23
  31       24      37248 mtdblock24
  31       25       7936 mtdblock25
  31       26      51200 mtdblock26
  31       27       2108 mtdblock27
  31       28       2108 mtdblock28
  31       29       5208 mtdblock29
  31       30        620 mtdblock30
  31       31      30752 mtdblock31
  31       32      66588 mtdblock32
  31       33       5208 mtdblock33
  31       34       5208 mtdblock34
  31       35       2108 mtdblock35
  31       36       1116 mtdblock36
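
An added example, not part of any post in this thread and not OpenWrt project code: it parses the `/proc/mtd` lines from the RBR20 session above, derives candidate `KERNEL_SIZE` / `ROOTFS_SIZE` / `IMAGE_SIZE` values, and compares them with the RBR50 values quoted earlier from image.mk. It assumes those variables mirror the stock `kernel`, `rootfs` and `firmware` partition sizes; the function names are hypothetical.

```python
import re

# Subset of the /proc/mtd output posted above for the RBR20.
PROC_MTD = """\
dev:    size   erasesize  name
mtd22: 02800000 00020000 "firmware"
mtd23: 003a0000 00020000 "kernel"
mtd24: 02460000 00020000 "rootfs"
mtd25: 007c0000 00020000 "rootfs_data"
"""

# RBR50/RBS50 values quoted in the thread from image.mk.
RBR50 = {"KERNEL_SIZE": 3932160, "ROOTFS_SIZE": 32243712, "IMAGE_SIZE": 36175872}

# Offsets taken from the binwalk listing of the RBR20 factory image above.
FIT_OFFSET = 0x80            # first flattened device tree (kernel FIT image)
SQUASHFS_OFFSET = 0x3A0080   # Squashfs filesystem

MTD_LINE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]+)"$')

def parse_proc_mtd(text):
    """Return {name: (index, size_bytes, erasesize_bytes)} from /proc/mtd text."""
    parts = {}
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:  # the "dev: size erasesize name" header does not match
            idx, size, erase, name = m.groups()
            parts[name] = (int(idx), int(size, 16), int(erase, 16))
    return parts

def candidate_sizes(parts):
    """Derive candidate image.mk sizes from the stock layout.
    Assumption: the *_SIZE variables mirror the stock partition sizes."""
    keys = {"KERNEL_SIZE": "kernel", "ROOTFS_SIZE": "rootfs", "IMAGE_SIZE": "firmware"}
    sizes = {var: parts[name][1] for var, name in keys.items()}
    # kernel and rootfs must tile the firmware partition exactly
    if sizes["KERNEL_SIZE"] + sizes["ROOTFS_SIZE"] != sizes["IMAGE_SIZE"]:
        raise ValueError("kernel + rootfs does not equal firmware")
    for name in keys.values():  # every partition must be erase-block aligned
        if parts[name][1] % parts[name][2]:
            raise ValueError(f"{name} is not erase-block aligned")
    return sizes

def diff_against(reference, sizes):
    """Return {variable: (reference, candidate)} for values that differ."""
    return {k: (reference[k], v) for k, v in sizes.items() if reference[k] != v}

if __name__ == "__main__":
    sizes = candidate_sizes(parse_proc_mtd(PROC_MTD))
    for var, (old, new) in diff_against(RBR50, sizes).items():
        print(f"{var}: RBR50 {old} -> RBR20 stock layout {new} ({new:#x})")
    # In the factory file the squashfs starts one kernel partition after the FIT.
    print("rootfs offset matches:", SQUASHFS_OFFSET - FIT_OFFSET == sizes["KERNEL_SIZE"])
```

All three values differ from the RBR50 ones, and the squashfs offset in the binwalk listing minus the `0x80` offset of the FIT image equals the stock `kernel` partition size.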

No worries. No rush. This is volunteer time =) Best effort basis.

To clean up the output when pasting here, easiest is probably not to use the extract.

i.e. just binwalk <image file> without any other options to start. Then go and do that to what you've extracted if you found anything interesting.

It looks like you'll have a device tree that we can extract, that will be helpful for creating your own for the OpenWrt build system?
