IPQ8074A Tp link deco x80 5g info thread

Copy and paste works on some tools it works with putty if you right click on the window.
Someone else on the forum suggested that is what they do with TP Link devices, it just does not seem to work for me on this device.

I can keep trying but i have rebooted the device like 50 times with no luck.

We can only try. If it doesn't work then the magic string might be something else.

might be able to find the magic string in the bootloader binary (/dev/mtd0?) if you dump it from your root shell

That is an idea, I was going to try binwalk, currently I have been chatting to the GPL team at TP Link hoping it may be in there somewhere.

After contacting support for several weeks of backwards and forward silly unrelated questions and wanting to know serial numbers place of purchase and all unrelated info they updated their site with GPL sources.

Download for Deco X80-5G | TP-Link

I don't know much about uboot but from reading the docs the board specific file contains the enviroment varables and one of them is CONFIG_AUTOBOOT_MENUKEY but that key is not in there.

I did however find in the file ipq807x.h the below which suggests I have been using the correct string assuming that the console is not disabled somehow:

#define CONFIG_AUTOBOOT_PROMPT "Enter magic string to stop autoboot in " \
	_STRINGIFY(CONFIG_BOOTDELAY) " seconds\n"
#define CONFIG_AUTOBOOT_STOP_STR "tpl"

I also found in autoboot.c a hashing function mentioning sha_env_str = CONFIG_AUTOBOOT_STOP_STR_SHA256; but i just think that is how it compares the two strings

I did not find these which would suggest the console is disabled if so:

  #define CONFIG_DISABLE_CONSOLE
  #define CONFIG_SILENT_CONSOLE
  #define CONFIG_SYS_DEVICE_NULLDEV

I have also pulled apart the device again and noted down all the chips and updated the wiki with info.

At this point I'm stumped as into why I can't interrupt autoboot in U-boot and i have a few blockers progressing further as I'm a bit of a noob in this embedded stuff and it seems QSDK setup is different to OpenWrt throwing a spanner in the works also.

I don't know how to enable the network in Failsafe mode.
I don't know how to mount root in failsafe mode.
I can't reset the password in root as I can't access root from failsafe.

So here is my attempt to mount root and change the password from failsafe (and a bit of a look around)
I'm trying to break into a console outside of failsafe as the network is disabled in failsafe so I can't backup partitions or download a nand safe backup tool.

It seems TP link have intentionally broken mount_rooot would anyone have any ideas how to manually mount the root file system I'm not confidant in UBI and the overlay system but as below it does not seem to mount anything in /rom or /overlay as I expected.

my alternative i guess it to make the network go but as you see there is no etc/config/network and it is a read only file system.

I not sure if the sources above contain any hints on the password.

if any one has any ideas on what I may do next?

Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
f
- failsafe -
/etc/preinit: line 1: telnetd: not found


BusyBox v1.22.1 (2023-04-10 20:55:41 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

ash: can't access tty; job control turned off
     MM           NM                    MMMMMMM          M       M
   $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
  MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
  MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
    MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
     MMMM          M                    MMMMMMM        M       M
       M
 ---------------------------------------------------------------
   For those about to rock... (Chaos Calmer, 34c568b+r49254)
 ---------------------------------------------------------------
================= FAILSAFE MODE active ================
special commands:
* firstboot          reset settings to factory defaults
* mount_root     mount root-partition with config files

after mount_root:
* passwd                         change root's password
* /etc/config               directory with config files

for more help see:
http://wiki.openwrt.org/doc/howto/generic.failsafe
=======================================================

root@(none):/# ls
bin      dev      ini      mnt      rom      sys      usr
cfg      etc      lib      overlay  root     tmp      var
data     fw_data  lib64    proc     sbin     tp_data  www
root@(none):/# mount_root
mounting /dev/root
root@(none):/# cd ..
root@(none):/# cd dev
root@(none):/dev# ls
console                mtd1ro                 network_throughput
coresight-stm          mtd2                   null
coresight-tmc-etf      mtd2ro                 port
coresight-tmc-etr      mtd3                   ptmx
cpu_dma_latency        mtd3ro                 pts
dcc_sram               mtd4                   ram0
fb0                    mtd4ro                 ram1
full                   mtd5                   ram10
hw_random              mtd5ro                 ram11
i2c-0                  mtd6                   ram12
i2c-1                  mtd6ro                 ram13
iio:device0            mtd7                   ram14
kmsg                   mtd7ro                 ram15
mem                    mtd8                   ram2
memory_bandwidth       mtd8ro                 ram3
msm_sps                mtd9                   ram4
mtd0                   mtd9ro                 ram5
mtd0ro                 mtdblock0              ram6
mtd1                   mtdblock1              ram7
mtd10                  mtdblock10             ram8
mtd10ro                mtdblock11             ram9
mtd11                  mtdblock12             random
mtd11ro                mtdblock13             shm
mtd12                  mtdblock14             subsys_qcom_q6v5_wcss
mtd12ro                mtdblock15             tty
mtd13                  mtdblock16             ttyMSM0
mtd13ro                mtdblock17             ttyMSM1
mtd14                  mtdblock18             ubi0
mtd14ro                mtdblock2              ubi0_0
mtd15                  mtdblock3              ubi0_1
mtd15ro                mtdblock4              ubi_ctrl
mtd16                  mtdblock5              urandom
mtd16ro                mtdblock6              watchdog
mtd17                  mtdblock7              watchdog0
mtd17ro                mtdblock8              zero
mtd18                  mtdblock9
mtd18ro                network_latency
root@(none):/dev# cd ..
root@(none):/# cd rom
root@(none):/rom# ls
note
root@(none):/rom# cat note
SQUASHFS USERS:
After firstboot has been run, / will be jffs2 and /rom will be squashfs
(* except when in failsafe)
root@(none):/rom# cd ..
root@(none):/# cd overlay
root@(none):/overlay# ls
root@(none):/overlay# passwd -d root
passwd: /etc/passwd: Read-only file system
passwd: can't update password file /etc/passwd
root@(none):/overlay# cd ..
root@(none):/# cd etc
root@(none):/etc# cd config
root@(none):/etc/config# ls
basic_security  domain_login    luci            portspeed       tfstats
cnss_diag       dropbear        macsec          qcacfg80211     thermal
dhcp            ecm             mcsd            radvd           ucitrack
dhcp6s          firewall        nat             ssid-steering   uhttpd
dnsproxy        improxy         nss             system          upnpd
root@(none):/etc/config# cat << "EOF" > /etc/config/hello.txt
> 
> hi
> 
> EOF
ash: can't create /etc/config/hello.txt: Read-only file system
root@(none):/etc/config# 
root@(none):/etc/config#  uci show network
uci: Entry not found
root@(none):/etc/config# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00020000 "0:SBL1"
mtd1: 00100000 00020000 "0:MIBIB"
mtd2: 00080000 00020000 "0:BOOTCONFIG"
mtd3: 00080000 00020000 "0:BOOTCONFIG1"
mtd4: 00300000 00020000 "0:QSEE"
mtd5: 00080000 00020000 "0:DEVCFG"
mtd6: 00080000 00020000 "0:APDP"
mtd7: 00080000 00020000 "0:RPM"
mtd8: 00080000 00020000 "0:CDT"
mtd9: 00180000 00020000 "0:APPSBLENV"
mtd10: 00200000 00020000 "0:APPSBL"
mtd11: 00080000 00020000 "0:ART"
mtd12: 02a00000 00020000 "rootfs"
mtd13: 02a00000 00020000 "rootfs_1"
mtd14: 00080000 00020000 "0:ETHPHYFW"
mtd15: 00900000 00020000 "factory_data"
mtd16: 01100000 00020000 "runtime_data"
mtd17: 00573000 0001f000 "kernel"
mtd18: 01341000 0001f000 "ubi_rootfs"
root@(none):/etc/config# cat /proc/partitions
major minor  #blocks  name

   1        0       4096 ram0
   1        1       4096 ram1
   1        2       4096 ram2
   1        3       4096 ram3
   1        4       4096 ram4
   1        5       4096 ram5
   1        6       4096 ram6
   1        7       4096 ram7
   1        8       4096 ram8
   1        9       4096 ram9
   1       10       4096 ram10
   1       11       4096 ram11
   1       12       4096 ram12
   1       13       4096 ram13
   1       14       4096 ram14
   1       15       4096 ram15
  31        0       1024 mtdblock0
  31        1       1024 mtdblock1
  31        2        512 mtdblock2
  31        3        512 mtdblock3
  31        4       3072 mtdblock4
  31        5        512 mtdblock5
  31        6        512 mtdblock6
  31        7        512 mtdblock7
  31        8        512 mtdblock8
  31        9       1536 mtdblock9
  31       10       2048 mtdblock10
  31       11        512 mtdblock11
  31       12      43008 mtdblock12
  31       13      43008 mtdblock13
  31       14        512 mtdblock14
  31       15       9216 mtdblock15
  31       16      17408 mtdblock16
  31       17       5580 mtdblock17
  31       18      19716 mtdblock18
root@(none):/etc/config# df
Filesystem           1K-blocks      Used Available Use% Mounted on
mtd:ubi_rootfs           19712     19712         0 100% /
tmpfs                      512         0       512   0% /dev
tmpfs                   443324        12    443312   0% /tmp
root@(none):/etc/config#

Can I mount the root file system manually with the below or something?

mount -t ubifs ubi0:rootfs_data /rom/overlay

Hey, I've got a couple of these units and started having a dabble. I can see the output in Putty, I am unable to interupt boot with f enter.

Can you please show me your setup / schematic?

Also, have you tried shell from recovery mode?

Find no boot alter flag!

Enter magic string to stop autoboot in 1 seconds

FW GPIO is pressed. Enter firmware recovery mode!

MAC0 addr:0:3:7f:ba:db:ad

PHY ID1: 0x4d

PHY ID2: 0xd101

PHY ID1: 0x4d

PHY ID2: 0xd074

EDMA ver 1 hw init

Num rings - TxDesc:1 (0-0) TxCmpl:1 (7-7)

RxDesc:1 (15-15) RxFill:1 (7-7)

ipq807x_edma_alloc_rings: successfull

ipq807x_edma_setup_ring_resources: successfull

ipq807x_edma_configure_rings: successfull

ipq807x_edma_hw_init: successfull

eth0

Start web server.

ipq807x_eth_halt: done

Phy ops not mapped

Phy ops not mapped

Phy ops not mapped

Phy ops not mapped

eth0 PHY4 Down Speed :10 Half duplex

eth0 PHY5 Down Speed :10 Half duplex

ipq807x_eth_halt: done

Exit web server



Net:   MAC0 addr:0:3:7f:ba:db:ad

PHY ID1: 0x4d

PHY ID2: 0xd101

PHY ID1: 0x4d

PHY ID2: 0xd074

EDMA ver 1 hw init

Num rings - TxDesc:1 (0-0) TxCmpl:1 (7-7)

RxDesc:1 (15-15) RxFill:1 (7-7)

ipq807x_edma_alloc_rings: successfull

ipq807x_edma_setup_ring_resources: successfull

ipq807x_edma_configure_rings: successfull

ipq807x_edma_hw_init: successfull

, eth0

IPQ807x# 

I have created ASCII art schematic and posted info on the wiki as linked below:

[OpenWrt Wiki] TP-Link X80-5G V1

I had to fit a 10k pullup otherwise I got interference between the TX and RX lines.

I have not currently tried to access the device from HTTP U-boot recovery mode yet.

1 Like