IPQ8074A Tp link deco x80 5g info thread

Copy and paste works on some tools; it works with PuTTY if you right-click on the window.
Someone else on the forum suggested that is what they do with TP Link devices, it just does not seem to work for me on this device.

I can keep trying, but I have rebooted the device like 50 times with no luck.

We can only try. If it doesn't work then the magic string might be something else.

You might be able to find the magic string in the bootloader binary (/dev/mtd0?) if you dump it from your root shell.

That is an idea, I was going to try binwalk, currently I have been chatting to the GPL team at TP Link hoping it may be in there somewhere.

After contacting support for several weeks of back-and-forth silly unrelated questions, wanting to know serial numbers, place of purchase and all unrelated info, they updated their site with GPL sources.

Download for Deco X80-5G | TP-Link

I don't know much about U-Boot, but from reading the docs the board-specific file contains the environment variables, and one of them is CONFIG_AUTOBOOT_MENUKEY, but that key is not in there.

I did however find in the file ipq807x.h the below which suggests I have been using the correct string assuming that the console is not disabled somehow:

#define CONFIG_AUTOBOOT_PROMPT "Enter magic string to stop autoboot in " \
	_STRINGIFY(CONFIG_BOOTDELAY) " seconds\n"
#define CONFIG_AUTOBOOT_STOP_STR "tpl"

I also found in autoboot.c a hashing function mentioning sha_env_str = CONFIG_AUTOBOOT_STOP_STR_SHA256; but I just think that is how it compares the two strings.

I did not find these, which would suggest the console is disabled if so:

  #define CONFIG_DISABLE_CONSOLE
  #define CONFIG_SILENT_CONSOLE
  #define CONFIG_SYS_DEVICE_NULLDEV

I have also pulled apart the device again and noted down all the chips and updated the wiki with info.

At this point I'm stumped as to why I can't interrupt autoboot in U-Boot, and I have a few blockers progressing further as I'm a bit of a noob in this embedded stuff, and it seems QSDK setup is different to OpenWrt, throwing a spanner in the works also.

I don't know how to enable the network in Failsafe mode.
I don't know how to mount root in failsafe mode.
I can't reset the password in root as I can't access root from failsafe.

So here is my attempt to mount root and change the password from failsafe (and a bit of a look around).
I'm trying to break into a console outside of failsafe, as the network is disabled in failsafe so I can't back up partitions or download a NAND-safe backup tool.

It seems TP-Link have intentionally broken mount_root; would anyone have any ideas how to manually mount the root file system? I'm not confident in UBI and the overlay system, but as below it does not seem to mount anything in /rom or /overlay as I expected.

My alternative, I guess, is to make the network go, but as you see there is no /etc/config/network and it is a read-only file system.

I'm not sure if the sources above contain any hints on the password.

Does anyone have any ideas on what I may do next?

Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
f
- failsafe -
/etc/preinit: line 1: telnetd: not found


BusyBox v1.22.1 (2023-04-10 20:55:41 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

ash: can't access tty; job control turned off
     MM           NM                    MMMMMMM          M       M
   $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
  MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
  MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
    MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
     MMMM          M                    MMMMMMM        M       M
       M
 ---------------------------------------------------------------
   For those about to rock... (Chaos Calmer, 34c568b+r49254)
 ---------------------------------------------------------------
================= FAILSAFE MODE active ================
special commands:
* firstboot          reset settings to factory defaults
* mount_root     mount root-partition with config files

after mount_root:
* passwd                         change root's password
* /etc/config               directory with config files

for more help see:
http://wiki.openwrt.org/doc/howto/generic.failsafe
=======================================================

root@(none):/# ls
bin      dev      ini      mnt      rom      sys      usr
cfg      etc      lib      overlay  root     tmp      var
data     fw_data  lib64    proc     sbin     tp_data  www
root@(none):/# mount_root
mounting /dev/root
root@(none):/# cd ..
root@(none):/# cd dev
root@(none):/dev# ls
console                mtd1ro                 network_throughput
coresight-stm          mtd2                   null
coresight-tmc-etf      mtd2ro                 port
coresight-tmc-etr      mtd3                   ptmx
cpu_dma_latency        mtd3ro                 pts
dcc_sram               mtd4                   ram0
fb0                    mtd4ro                 ram1
full                   mtd5                   ram10
hw_random              mtd5ro                 ram11
i2c-0                  mtd6                   ram12
i2c-1                  mtd6ro                 ram13
iio:device0            mtd7                   ram14
kmsg                   mtd7ro                 ram15
mem                    mtd8                   ram2
memory_bandwidth       mtd8ro                 ram3
msm_sps                mtd9                   ram4
mtd0                   mtd9ro                 ram5
mtd0ro                 mtdblock0              ram6
mtd1                   mtdblock1              ram7
mtd10                  mtdblock10             ram8
mtd10ro                mtdblock11             ram9
mtd11                  mtdblock12             random
mtd11ro                mtdblock13             shm
mtd12                  mtdblock14             subsys_qcom_q6v5_wcss
mtd12ro                mtdblock15             tty
mtd13                  mtdblock16             ttyMSM0
mtd13ro                mtdblock17             ttyMSM1
mtd14                  mtdblock18             ubi0
mtd14ro                mtdblock2              ubi0_0
mtd15                  mtdblock3              ubi0_1
mtd15ro                mtdblock4              ubi_ctrl
mtd16                  mtdblock5              urandom
mtd16ro                mtdblock6              watchdog
mtd17                  mtdblock7              watchdog0
mtd17ro                mtdblock8              zero
mtd18                  mtdblock9
mtd18ro                network_latency
root@(none):/dev# cd ..
root@(none):/# cd rom
root@(none):/rom# ls
note
root@(none):/rom# cat note
SQUASHFS USERS:
After firstboot has been run, / will be jffs2 and /rom will be squashfs
(* except when in failsafe)
root@(none):/rom# cd ..
root@(none):/# cd overlay
root@(none):/overlay# ls
root@(none):/overlay# passwd -d root
passwd: /etc/passwd: Read-only file system
passwd: can't update password file /etc/passwd
root@(none):/overlay# cd ..
root@(none):/# cd etc
root@(none):/etc# cd config
root@(none):/etc/config# ls
basic_security  domain_login    luci            portspeed       tfstats
cnss_diag       dropbear        macsec          qcacfg80211     thermal
dhcp            ecm             mcsd            radvd           ucitrack
dhcp6s          firewall        nat             ssid-steering   uhttpd
dnsproxy        improxy         nss             system          upnpd
root@(none):/etc/config# cat << "EOF" > /etc/config/hello.txt
> 
> hi
> 
> EOF
ash: can't create /etc/config/hello.txt: Read-only file system
root@(none):/etc/config# 
root@(none):/etc/config#  uci show network
uci: Entry not found
root@(none):/etc/config# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00020000 "0:SBL1"
mtd1: 00100000 00020000 "0:MIBIB"
mtd2: 00080000 00020000 "0:BOOTCONFIG"
mtd3: 00080000 00020000 "0:BOOTCONFIG1"
mtd4: 00300000 00020000 "0:QSEE"
mtd5: 00080000 00020000 "0:DEVCFG"
mtd6: 00080000 00020000 "0:APDP"
mtd7: 00080000 00020000 "0:RPM"
mtd8: 00080000 00020000 "0:CDT"
mtd9: 00180000 00020000 "0:APPSBLENV"
mtd10: 00200000 00020000 "0:APPSBL"
mtd11: 00080000 00020000 "0:ART"
mtd12: 02a00000 00020000 "rootfs"
mtd13: 02a00000 00020000 "rootfs_1"
mtd14: 00080000 00020000 "0:ETHPHYFW"
mtd15: 00900000 00020000 "factory_data"
mtd16: 01100000 00020000 "runtime_data"
mtd17: 00573000 0001f000 "kernel"
mtd18: 01341000 0001f000 "ubi_rootfs"
root@(none):/etc/config# cat /proc/partitions
major minor  #blocks  name

   1        0       4096 ram0
   1        1       4096 ram1
   1        2       4096 ram2
   1        3       4096 ram3
   1        4       4096 ram4
   1        5       4096 ram5
   1        6       4096 ram6
   1        7       4096 ram7
   1        8       4096 ram8
   1        9       4096 ram9
   1       10       4096 ram10
   1       11       4096 ram11
   1       12       4096 ram12
   1       13       4096 ram13
   1       14       4096 ram14
   1       15       4096 ram15
  31        0       1024 mtdblock0
  31        1       1024 mtdblock1
  31        2        512 mtdblock2
  31        3        512 mtdblock3
  31        4       3072 mtdblock4
  31        5        512 mtdblock5
  31        6        512 mtdblock6
  31        7        512 mtdblock7
  31        8        512 mtdblock8
  31        9       1536 mtdblock9
  31       10       2048 mtdblock10
  31       11        512 mtdblock11
  31       12      43008 mtdblock12
  31       13      43008 mtdblock13
  31       14        512 mtdblock14
  31       15       9216 mtdblock15
  31       16      17408 mtdblock16
  31       17       5580 mtdblock17
  31       18      19716 mtdblock18
root@(none):/etc/config# df
Filesystem           1K-blocks      Used Available Use% Mounted on
mtd:ubi_rootfs           19712     19712         0 100% /
tmpfs                      512         0       512   0% /dev
tmpfs                   443324        12    443312   0% /tmp
root@(none):/etc/config#

Can I mount the root file system manually with the below or something?

mount -t ubifs ubi0:rootfs_data /rom/overlay
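The stop-string matching discussed earlier in this post (CONFIG_AUTOBOOT_STOP_STR "tpl" from ipq807x.h, and the sha_env_str / CONFIG_AUTOBOOT_STOP_STR_SHA256 path in autoboot.c) modelled in Python, as an added example that is not part of this thread, of U-Boot or of the TP-Link GPL drop. It follows the shape of U-Boot's passwd_abort() in common/autoboot.c: a sliding window over the most recent characters for the plain string, and a fresh SHA-256 over everything typed so far for the hashed variant (which is why that variant lets the image hold only a digest rather than the string). The serial port is replaced by an in-memory byte string, the noisy inputs are constructed, and the 32-byte MAX_DELAY_STOP_STR limit is U-Boot's value as I remember it, so treat it as an assumption.

```python
"""Model of how U-Boot decides that the autoboot stop string has been typed.

Added illustration for this thread, not code from U-Boot or from the TP-Link
GPL drop.  It follows the structure of passwd_abort() in common/autoboot.c
(plain CONFIG_AUTOBOOT_STOP_STR matching, and the CONFIG_AUTOBOOT_STOP_STR_SHA256
variant that the sha_env_str line belongs to) but consumes a byte string
instead of polling the console.  "tpl" is the string found in ipq807x.h; the
noisy inputs in __main__ are constructed, not captured from a device."""
import hashlib

MAX_DELAY_STOP_STR = 32      # assumed size of U-Boot's typed-character buffer
STOP_STR = b"tpl"            # CONFIG_AUTOBOOT_STOP_STR from ipq807x.h

# What the hashed variant stores instead of the string: only its digest
# (computed here purely for the illustration).
STOP_STR_SHA256_HEX = hashlib.sha256(STOP_STR).hexdigest()


def plain_stop_string_seen(stream: bytes, stop_str: bytes = STOP_STR) -> bool:
    """Plain variant: keep a window of the last len(stop_str) characters and
    abort as soon as the window equals the stop string.  Whatever arrived
    earlier is ignored, and no trailing Enter is needed."""
    window = bytearray()
    for ch in stream:
        window.append(ch)
        if len(window) > len(stop_str):
            del window[0]
        if bytes(window) == stop_str:
            return True
    return False


def sha256_stop_string_seen(stream: bytes, digest_hex: str = STOP_STR_SHA256_HEX) -> bool:
    """Hashed variant: after every character, hash everything typed so far and
    compare with the stored digest.  One stray byte before the string spoils
    the hash for good, and the buffer gives up at MAX_DELAY_STOP_STR bytes."""
    expected = bytes.fromhex(digest_hex)
    presskey = bytearray()
    for ch in stream:
        if len(presskey) >= MAX_DELAY_STOP_STR:
            return False              # U-Boot reports "no abort" on overflow
        presskey.append(ch)
        if hashlib.sha256(presskey).digest() == expected:
            return True
    return False


def diagnose(stream: bytes) -> dict:
    """Run one console input through both matchers."""
    return {
        "plain": plain_stop_string_seen(stream),
        "sha256": sha256_stop_string_seen(stream),
    }


if __name__ == "__main__":
    # Constructed inputs modelling what a marginal RX line can deliver.
    cases = {
        "clean, with Enter":            b"tpl\r",
        "line noise before the string": b"\xff\x00tpl",
        "corrupted byte mid-string":    b"t\xfcpl",
        "string typed twice":           b"tpltpl",
    }
    for label, data in cases.items():
        print(f"{label:32s} {diagnose(data)}")
```

Two things follow from this for the trouble described above: with the plain string no Enter is needed and garbage received before tpl is harmless, but a single corrupted byte inside those three characters (what a marginal RX level produces) defeats the match, and with the hashed variant any stray byte before the string does too. U-Boot also lets the environment variable bootstopkey override the compiled-in string; the printenv output posted later in the thread shows no such variable, so the compiled-in value is the one that applies.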

Hey, I've got a couple of these units and started having a dabble. I can see the output in PuTTY, but I am unable to interrupt boot with f Enter.

Can you please show me your setup / schematic?

Also, have you tried shell from recovery mode?

Find no boot alter flag!
Enter magic string to stop autoboot in 1 seconds
FW GPIO is pressed. Enter firmware recovery mode!
MAC0 addr:0:3:7f:ba:db:ad
PHY ID1: 0x4d
PHY ID2: 0xd101
PHY ID1: 0x4d
PHY ID2: 0xd074
EDMA ver 1 hw init
Num rings - TxDesc:1 (0-0) TxCmpl:1 (7-7)
RxDesc:1 (15-15) RxFill:1 (7-7)
ipq807x_edma_alloc_rings: successfull
ipq807x_edma_setup_ring_resources: successfull
ipq807x_edma_configure_rings: successfull
ipq807x_edma_hw_init: successfull
eth0
Start web server.
ipq807x_eth_halt: done
Phy ops not mapped
Phy ops not mapped
Phy ops not mapped
Phy ops not mapped
eth0 PHY4 Down Speed :10 Half duplex
eth0 PHY5 Down Speed :10 Half duplex
ipq807x_eth_halt: done
Exit web server

Net:   MAC0 addr:0:3:7f:ba:db:ad
PHY ID1: 0x4d
PHY ID2: 0xd101
PHY ID1: 0x4d
PHY ID2: 0xd074
EDMA ver 1 hw init
Num rings - TxDesc:1 (0-0) TxCmpl:1 (7-7)
RxDesc:1 (15-15) RxFill:1 (7-7)
ipq807x_edma_alloc_rings: successfull
ipq807x_edma_setup_ring_resources: successfull
ipq807x_edma_configure_rings: successfull
ipq807x_edma_hw_init: successfull
, eth0
IPQ807x# 

I have created an ASCII art schematic and posted info on the wiki as linked below:

[OpenWrt Wiki] TP-Link X80-5G V1

I had to fit a 10k pullup otherwise I got interference between the TX and RX lines.

I have not currently tried to access the device from HTTP U-boot recovery mode yet.


I managed to get in with tpl !!!

Fail safe stopped working for me, so I did some investigation.

I checked the voltage on RX and it was a little low, 1.05 V. I added another 10k resistor in parallel with the original one and I was getting 1.12 V. To my surprise, not only did failsafe work but tpl worked too!

OK, I'll try again, but I was getting constant and reliable console input with my wiring setup when in the console; I did not see a reason to say that it would not work during the loader interrupt string.

I was really worried I'd kill the input if I went too far with the pullup.

I tried it heaps of times but still no luck; after about 40 times I gave up. I even tried automating it with a script and an external device to cut the power with a relay.

I tried adding a resistor in parallel and it just saturated the line, and I got no console input.
At that point I gave up. I admit I have never modded a TP-Link device and was not sure when to input the string, and I did not know if I was doing it correctly or if I needed to press Enter afterwards.

If you can get a dump of the device, there would be a few interested here.
It is just that it is a rather expensive device not many would be willing to dump $1000 on it to play with.

I did update the wiki with a note about your findings about adding a parallel resistor.


I should note this is on a 1.0.0 firmware version too :slight_smile: I have 3 devices total and would love to get into it.

Where do I start?

Edit: What voltages are you reading on Rx when sending data?

Edit Edit: tpl doesn't seem to be time sensitive; I typed tpl (and pressed Enter) well before the prompt to do so.

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00158
S - IMAGE_VARIANT_STRING=HAACANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e5
B -       201 - PBL, Start
B -      2735 - bootable_media_detect_entry, Start
B -      3442 - bootable_media_detect_success, Start
B -      3447 - elf_loader_entry, Start
B -      6111 - auth_hash_seg_entry, Start
B -      6354 - auth_hash_seg_exit, Start
B -     68315 - elf_segs_hash_verify_entry, Start
B -    131156 - PBL, End
B -    142587 - SBL1, Start
B -    194559 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    201025 - pm_device_init, Start
B -    322263 - PM_SET_VAL:Skip
D -    120749 - pm_device_init, Delta
B -    324672 - pm_driver_init, Start
D -      5337 - pm_driver_init, Delta
B -    331016 - clock_init, Start
D -      2104 - clock_init, Delta
B -    335012 - boot_flash_init, Start
D -     12566 - boot_flash_init, Delta
B -    351360 - boot_config_data_table_init, Start
D -      3080 - boot_config_data_table_init, Delta - (575 Bytes)
B -    358832 - Boot Setting :  0x00000618
B -    362767 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:4,Subtype:0
B -    369690 - sbl1_ddr_set_params, Start
B -    373503 - CPR configuration: 0x30c
B -    376858 - cpr_init, Start
B -    379725 - Rail:0 Mode: 5 Voltage: 800000
B -    384849 - CL CPR settled at 752000mV
B -    387655 - Rail:1 Mode: 5 Voltage: 880000
B -    391955 - Rail:1 Mode: 7 Voltage: 896000
D -     16531 - cpr_init, Delta
B -    398726 - Pre_DDR_clock_init, Start
B -    402844 - Pre_DDR_clock_init, End
B -    406138 - DDR Type : PCDDR3
B -    411872 - do ddr sanity test, Start
D -      1067 - do ddr sanity test, Delta
B -    416660 - DDR: Start of HAL DDR Boot Training
B -    421388 - DDR: End of HAL DDR Boot Training
B -    427061 - DDR: Checksum to be stored on flash is 1280080391
B -    437461 - Image Load, Start
D -    224419 - QSEE Image Loaded, Delta - (1376448 Bytes)
B -    661972 - Image Load, Start
D -        30 - SEC Image Loaded, Delta - (0 Bytes)
B -    669658 - Image Load, Start
D -     10705 - DEVCFG Image Loaded, Delta - (26008 Bytes)
B -    680455 - Image Load, Start
D -     22051 - RPM Image Loaded, Delta - (86584 Bytes)
B -    702598 - Image Load, Start
D -    108885 - APPSBL Image Loaded, Delta - (672668 Bytes)
B -    811605 - QSEE Execution, Start
D -        61 - QSEE Execution, Delta
B -    817430 - USB D+ check, Start
D -         0 - USB D+ check, Delta
B -    823805 - SBL1, End
D -    683536 - SBL1, Delta
S - Flash Throughput, 6745 KB/s  (2162955 Bytes,  320641 us)
S - DDR Frequency, 466 MHz
S - Core 0 Frequency, 1651 MHz


U-Boot 2016.01 (Feb 25 2021 - 20:16:45 +0800)

DRAM:  smem ram ptable found: ver: 1 len: 4
1 GiB
NAND:  Could not find nand_gpio in dts, using defaults
ONFI device found
ID = 158061c8
Vendor = c8
Device = 61
tpl
SF: Unsupported flash IDs: manuf 00, jedec 1c78, ext_jedec 4a74
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
128 MiB
MMC:   <NULL>: 0
PCI0 is not defined in the device tree
PCI1 is not defined in the device tree
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
machid: 8010400
Card did not respond to voltage select!
eth0 MAC Address from ART is not valid
eth1 MAC Address from ART is not valid
eth2 MAC Address from ART is not valid
eth3 MAC Address from ART is not valid
eth4 MAC Address from ART is not valid
eth5 MAC Address from ART is not valid
gpio 38 set BOARD_3V9_5V_EN_GPIO to high[1]
gpio 64 set PHY_QCA8081_1V8_EN_GPIO to high[1]
gpio 33 set PHY_AR8033_3V3_EN_GPIO to high[1]
gpio 35 set ONOFF_MODULE_5G_GPIO to low[0] ... 1s
gpio 35 set ONOFF_MODULE_5G_GPIO to high[1]
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 9 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 72, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 1, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 6/3, WL threshold: 4096, image sequence number: 1097309032
ubi0: available PEBs: 0, total reserved PEBs: 72, PEBs reserved for bad PEB handling: 20
Find no boot alter flag!
Enter magic string to stop autoboot in 1 seconds

Net:   MAC0 addr:0:3:7f:ba:db:ad
PHY ID1: 0x4d
PHY ID2: 0xd101
PHY ID1: 0x4d
PHY ID2: 0xd074
EDMA ver 1 hw init
Num rings - TxDesc:1 (0-0) TxCmpl:1 (7-7)
RxDesc:1 (15-15) RxFill:1 (7-7)
ipq807x_edma_alloc_rings: successfull
ipq807x_edma_setup_ring_resources: successfull
ipq807x_edma_configure_rings: successfull
ipq807x_edma_hw_init: successfull
eth0
IPQ807x# help
help
?       - alias for 'help'
aq_load_fw- LOAD aq-fw-binary
aq_phy_restart- Restart Aquantia phy
base    - print or set address offset
bdinfo  - print Board Info structure
bootipq - bootipq from flash device
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bootz   - boot Linux zImage image from memory
canary  - test stack canary
chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
dhcp    - boot image via network using DHCP/TFTP protocol
dm      - Driver model low level access
echo    - echo args to console
env     - environment handling commands
erase   - erase FLASH memory
exectzt - execute TZT

exit    - exit script
false   - do nothing, unsuccessfully
fdt     - flattened device tree utility commands
flash   - flash part_name
        flash part_name load_addr file_size

flasherase- flerase part_name

flinfo  - print FLASH memory information
fuseipq - fuse QFPROM registers from memory

go      - start application at address 'addr'
help    - print command description/usage
httpd   - Start httpd server
i2c     - I2C sub-system
icache  - enable or disable instruction cache
imxtract- extract a part of a multi-image
ipq_mdio- IPQ mdio utility commands
is_sec_boot_enabled- check secure boot fuse is enabled or not

itest   - return true/false on integer compare
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
runmulticore- Enable and schedule secondary cores
saveenv - save environment variables to persistent storage
secure_authenticate- authenticate the signed image

setenv  - set environment variables
sf      - SPI flash sub-system
showvar - print local hushshell variables
sleep   - delay execution for some time
smeminfo- print SMEM FLASH information
source  - run script from memory
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
true    - do nothing, successfully
uart    - UART sub-system
ubi     - ubi commands
ubifsload- load file from an UBIFS filesystem
ubifsls - list files in a directory
ubifsmount- mount UBIFS volume
ubifsumount- unmount UBIFS volume
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version
IPQ807x#

Probably the best way is to dump the flash by booting an initramfs version of OpenWrt, but we don't know if tftpboot is enabled in U-Boot yet.

Can you run printenv and ? from U-Boot and post the contents here? At least we will then know what we are working with.

Printenv below.
I was able to:
setenv ipaddr 192.168.0.1
setenv serverip 192.168.0.66
and see activity (on Tftpd64 by Ph. Jounin) when using tftpput

IPQ807x# printenv
printenv
baudrate=115200
ethact=eth0
ethaddr=00:03:7f:ba:db:ad
fdt_high=0x4A400000
fdtcontroladdr=4a994f40
flash_type=2
has_default_mac=1
machid=8010400
mtddevname=fdata
mtddevnum=0
mtdids=nand0=nand0
mtdparts=mtdparts=nand0:0x900000@0x6080000(fdata),
partition=nand0,0
soc_version_major=2
soc_version_minor=0
stderr=serial@78B3000
stdin=serial@78B3000
stdout=serial@78B3000

Output from ?

IPQ807x# ?
?
?       - alias for 'help'
aq_load_fw- LOAD aq-fw-binary
aq_phy_restart- Restart Aquantia phy
base    - print or set address offset
bdinfo  - print Board Info structure
bootipq - bootipq from flash device
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bootz   - boot Linux zImage image from memory
canary  - test stack canary
chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
dhcp    - boot image via network using DHCP/TFTP protocol
dm      - Driver model low level access
echo    - echo args to console
env     - environment handling commands
erase   - erase FLASH memory
exectzt - execute TZT

exit    - exit script
false   - do nothing, unsuccessfully
fdt     - flattened device tree utility commands
flash   - flash part_name
        flash part_name load_addr file_size

flasherase- flerase part_name

flinfo  - print FLASH memory information
fuseipq - fuse QFPROM registers from memory

go      - start application at address 'addr'
help    - print command description/usage
httpd   - Start httpd server
i2c     - I2C sub-system
icache  - enable or disable instruction cache
imxtract- extract a part of a multi-image
ipq_mdio- IPQ mdio utility commands
is_sec_boot_enabled- check secure boot fuse is enabled or not

itest   - return true/false on integer compare
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
runmulticore- Enable and schedule secondary cores
saveenv - save environment variables to persistent storage
secure_authenticate- authenticate the signed image

setenv  - set environment variables
sf      - SPI flash sub-system
showvar - print local hushshell variables
sleep   - delay execution for some time
smeminfo- print SMEM FLASH information
source  - run script from memory
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
true    - do nothing, successfully
uart    - UART sub-system
ubi     - ubi commands
ubifsload- load file from an UBIFS filesystem
ubifsls - list files in a directory
ubifsmount- mount UBIFS volume
ubifsumount- unmount UBIFS volume
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version

It looks like U-Boot has not been crippled, from first look.

We just now need to create an initramfs image to create a dump of the device.

I can try to create a target and hobble together an image, but I'm not sure how to create a compatible DTS.

It is easy enough to add the device to a local git build as a copy of an existing device in the ipq80x platform.

[OpenWrt Wiki] Adding a new device

And there is a recent device added with a similar platform.
git.openwrt.org Git - openwrt/openwrt.git/commit

Keen to try booting an initramfs.

Have managed to receive a file from the device via TFTP.

IPQ807x# tftpput
tftpput
ipq807x_eth_halt: done
Phy ops not mapped
Phy ops not mapped
Phy ops not mapped
Phy ops not mapped
eth0 PHY4 up Speed :1000 Full duplex
eth0 PHY5 Down Speed :10 Half duplex
ipq807x_eth_init: done
*** Warning: no boot file name; using 'C0A80001.img'
Using eth0 device
TFTP to server 192.168.0.66; our IP address is 192.168.0.1
Filename 'C0A80001.img'.
Save address: 0x0
Save size:    0x0
Saving: *
Got TFTP_OACK: TFTP remote port: changes from 69 to 59650

         0 Bytes/s
done

Cool, I have sent a PM to Robmarco for a bit of help or guidance, unless someone chimes in here with some advice; I'm just a tinkerer.

But if we do get a dump of the flash we can see if an exploit can be made for the recovery mode, as they have for other TP-Link devices.
The dev said that current exploits would not work because of the different platform SoC.


Basically you need an initramfs image with the correct nand partition layout.
Please post the output of "smeminfo" in u-boot.

If SMEM contains a valid partition schema, you can just try an image from an IPQ807x device which is utilizing the SMEM partition parser, for example the DL-WRX36.

IPQ807x# smeminfo
smeminfo
flash_type:             0x2
flash_index:            0x0
flash_chip_select:      0x0
flash_block_size:       0x20000
flash_density:          0x100000
partition table offset  0x0
No.: Name             Attributes            Start             Size
  0: 0:SBL1           0x0000ffff              0x0         0x100000
  1: 0:MIBIB          0x0000ffff         0x100000         0x100000
  2: 0:BOOTCONFIG     0x0000ffff         0x200000          0x80000
  3: 0:BOOTCONFIG1    0x0000ffff         0x280000          0x80000
  4: 0:QSEE           0x0000ffff         0x300000         0x300000
  5: 0:DEVCFG         0x0000ffff         0x600000          0x80000
  6: 0:APDP           0x0000ffff         0x680000          0x80000
  7: 0:RPM            0x0000ffff         0x700000          0x80000
  8: 0:CDT            0x0000ffff         0x780000          0x80000
  9: 0:APPSBLENV      0x0000ffff         0x800000         0x180000
 10: 0:APPSBL         0x0000ffff         0x980000         0x200000
 11: 0:ART            0x0000ffff         0xb80000          0x80000
 12: rootfs           0x0000ffff         0xc00000        0x2a00000
 13: rootfs_1         0x0000ffff        0x3600000        0x2a00000
 14: 0:ETHPHYFW       0x0000ffff        0x6000000          0x80000
 15: factory_data     0x0000ffff        0x6080000         0x900000
 16: runtime_data     0x0000ffff        0x6980000        0x1100000
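To judge whether the SMEM table above is the "correct nand partition layout" an initramfs image would need, it helps to check it against the /proc/mtd listing from the failsafe shell earlier in the thread. The script below does that; it is an added example written for this thread, not code from OpenWrt, QSDK or TP-Link. The two tables are copied from the posts above (the SMEM table as far as it was posted), the checks and the mtdparts rendering are my own, and the 128 MiB flash size and 0x20000 block size are the values U-Boot printed.

```python
"""Cross-check the NAND layout from the two places this thread shows it: U-Boot's
`smeminfo` table and the kernel's /proc/mtd from the failsafe shell.  Added example
for this thread (not OpenWrt, QSDK or TP-Link code); tables copied from the posts."""
import re

# U-Boot `smeminfo` output as posted above (partition rows, as far as posted).
SMEMINFO = """\
  0: 0:SBL1           0x0000ffff              0x0         0x100000
  1: 0:MIBIB          0x0000ffff         0x100000         0x100000
  2: 0:BOOTCONFIG     0x0000ffff         0x200000          0x80000
  3: 0:BOOTCONFIG1    0x0000ffff         0x280000          0x80000
  4: 0:QSEE           0x0000ffff         0x300000         0x300000
  5: 0:DEVCFG         0x0000ffff         0x600000          0x80000
  6: 0:APDP           0x0000ffff         0x680000          0x80000
  7: 0:RPM            0x0000ffff         0x700000          0x80000
  8: 0:CDT            0x0000ffff         0x780000          0x80000
  9: 0:APPSBLENV      0x0000ffff         0x800000         0x180000
 10: 0:APPSBL         0x0000ffff         0x980000         0x200000
 11: 0:ART            0x0000ffff         0xb80000          0x80000
 12: rootfs           0x0000ffff         0xc00000        0x2a00000
 13: rootfs_1         0x0000ffff        0x3600000        0x2a00000
 14: 0:ETHPHYFW       0x0000ffff        0x6000000          0x80000
 15: factory_data     0x0000ffff        0x6080000         0x900000
 16: runtime_data     0x0000ffff        0x6980000        0x1100000
"""
# `cat /proc/mtd` from the failsafe shell as posted.  mtd17/mtd18 carry the UBI
# LEB size (0x1f000) as erase size: UBI volumes inside "rootfs", not NAND partitions.
PROC_MTD = """\
mtd0: 00100000 00020000 "0:SBL1"
mtd1: 00100000 00020000 "0:MIBIB"
mtd2: 00080000 00020000 "0:BOOTCONFIG"
mtd3: 00080000 00020000 "0:BOOTCONFIG1"
mtd4: 00300000 00020000 "0:QSEE"
mtd5: 00080000 00020000 "0:DEVCFG"
mtd6: 00080000 00020000 "0:APDP"
mtd7: 00080000 00020000 "0:RPM"
mtd8: 00080000 00020000 "0:CDT"
mtd9: 00180000 00020000 "0:APPSBLENV"
mtd10: 00200000 00020000 "0:APPSBL"
mtd11: 00080000 00020000 "0:ART"
mtd12: 02a00000 00020000 "rootfs"
mtd13: 02a00000 00020000 "rootfs_1"
mtd14: 00080000 00020000 "0:ETHPHYFW"
mtd15: 00900000 00020000 "factory_data"
mtd16: 01100000 00020000 "runtime_data"
mtd17: 00573000 0001f000 "kernel"
mtd18: 01341000 0001f000 "ubi_rootfs"
"""
FLASH_BLOCK_SIZE = 0x20000        # flash_block_size reported by smeminfo
FLASH_SIZE = 128 * 1024 * 1024    # "128 MiB" reported by the U-Boot NAND probe
SMEM_ROW = re.compile(r"^\s*(\d+):\s+(\S+)\s+0x[0-9a-f]+\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s*$")
MTD_ROW = re.compile(r'^mtd(\d+):\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+"([^"]+)"$')


def parse_smeminfo(text):
    """SMEM rows -> list of {index, name, start, size}, in table order."""
    return [{"index": int(m[1]), "name": m[2], "start": int(m[3], 16), "size": int(m[4], 16)}
            for m in map(SMEM_ROW.match, text.splitlines()) if m]

def parse_proc_mtd(text):
    """/proc/mtd rows -> {name: {dev, size, erasesize}}."""
    return {m[4]: {"dev": int(m[1]), "size": int(m[2], 16), "erasesize": int(m[3], 16)}
            for m in map(MTD_ROW.match, text.splitlines()) if m}

def ubi_volumes(mtd, block_size=FLASH_BLOCK_SIZE):
    """Names of /proc/mtd entries that are UBI volumes rather than raw NAND partitions."""
    return sorted(n for n, e in mtd.items() if e["erasesize"] != block_size)

def check_layout(smem, mtd, block_size=FLASH_BLOCK_SIZE, flash_size=FLASH_SIZE):
    """Problems found; [] means contiguous, block-aligned, inside the flash and
    agreeing with /proc/mtd sizes.  Unallocated space after the last row is not an error."""
    problems, expect = [], 0
    for p in smem:
        n, start, size = p["name"], p["start"], p["size"]
        if start != expect:
            problems.append(f"{n}: starts at {start:#x}, expected {expect:#x}")
        if start % block_size or size % block_size:
            problems.append(f"{n}: not aligned to {block_size:#x} erase blocks")
        if start + size > flash_size:
            problems.append(f"{n}: extends past the end of flash")
        if n not in mtd:
            problems.append(f"{n}: no /proc/mtd entry")
        elif mtd[n]["size"] != size:
            problems.append(f"{n}: {size:#x} in SMEM but {mtd[n]['size']:#x} in /proc/mtd")
        expect = start + size
    return problems

def mtdparts_string(smem, device="nand0"):
    """Render the table as a mtdparts= string, the form a kernel without an SMEM
    parser takes on its command line."""
    return f"mtdparts={device}:" + ",".join(
        f"{p['size']:#x}@{p['start']:#x}({p['name']})" for p in smem)

def env_partition_name(env_mtdparts, smem):
    """Map a U-Boot env entry such as 'nand0:0x900000@0x6080000(fdata)' onto the
    SMEM partition occupying exactly that range (None if no row matches)."""
    m = re.search(r"(0x[0-9a-f]+)@(0x[0-9a-f]+)\((\w+)\)", env_mtdparts)
    size, start = int(m[1], 16), int(m[2], 16)
    return next((p["name"] for p in smem if (p["start"], p["size"]) == (start, size)), None)
```

On the posted tables check_layout() returns no problems: every SMEM row starts where the previous one ends, all offsets are multiples of the 0x20000 erase block, and each size matches the kernel's /proc/mtd entry of the same name, which is the agreement the SMEM partition parser relies on. env_partition_name() also resolves the single mtdparts entry in the posted printenv, 0x900000@0x6080000(fdata), to SMEM partition 15, factory_data, so U-Boot's environment only names that one region rather than carrying the whole layout.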