No config files are needed. Just add a proper network config to ipq807x/base-files/etc/board.d/02_network

Just add the X80 to that entry:

zte,mf269)
		ucidef_set_interfaces_lan_wan "lan" "wan"

And remove the other entry.

The 1 Gbps port should then be LAN and the 2.5 Gbps port should be WAN.


First create a new mountpoint (/tmp/rootfs for example) and then try to mount


Thanks.

Tried that too, getting same error

failed: No such device

Try

mount -t ubifs /dev/ubi0_X 

replace X with the ubi volume id for rootfs


Much of the same it seems

root@OpenWrt:/# mkdir /mnt/mtd13

root@OpenWrt:/# ubiattach /dev/ubi_ctrl -m 13
[ 104.396504] ubi0: attaching mtd13
[ 104.635700] ubi0: scanning is finished
[ 104.642879] ubi0: attached mtd13 (name "rootfs_1", size 42 MiB)
[ 104.642923] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[ 104.647615] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[ 104.654583] ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
[ 104.661422] ubi0: good PEBs: 336, bad PEBs: 0, corrupted PEBs: 0
[ 104.668186] ubi0: user volume: 0, internal volumes: 1, max. volumes count: 128
[ 104.674442] ubi0: max/mean erase counter: 6/5, WL threshold: 4096, image sequence number: 477229149
[ 104.681475] ubi0: available PEBs: 312, total reserved PEBs: 24, PEBs reserved for bad PEB handling: 20
[ 104.690428] ubi0: background thread "ubi_bgt0d" started, PID 2348
UBI device number 0, total 336 LEBs (42663936 bytes, 40.6 MiB), available 312 LEBs (39616512 bytes, 37.7 MiB), LEB size 126976 bytes (124.0 KiB)

root@OpenWrt:/# mount -t ubifs ubi0:13 /mnt/mtd13
mount: mounting ubi0:13 on /mnt/mtd13 failed: No such device

root@OpenWrt:/# mount -t ubifs ubi0_13 /mnt/mtd13
[ 122.356988] ubi0 error: ubi_open_volume.part.0: cannot open device 0, volume 13, error -19
mount: mounting ubi0_13 on /mnt/mtd13 failed: No such device

root@OpenWrt:/# mount -t ubifs /dev/ubi0_13
mount: can't find /dev/ubi0_13 in /etc/fstab

root@OpenWrt:/# mount -t ubifs /dev/ubi0_13 /mnt/mtd13
mount: mounting /dev/ubi0_13 on /mnt/mtd13 failed: Invalid argument
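
An added example, not part of the original posts: the session above passes the MTD partition number (13) as the UBI volume id, and the attach log reports `user volume: 0`. This sketch reads the volumes a UBI device actually exposes from sysfs; the function names and the constructed sample tree (including its volume names) are assumptions for illustration.

```sh
#!/bin/sh
# List the volumes of one UBI device from sysfs so a mount target can be
# chosen by real volume id/name instead of by MTD partition number.
# Usage: ubi_list_volumes <ubi-number> [sysfs-root]   (default root: /sys)
# Returns 0 if volumes exist, 1 if attached but empty, 2 if not attached.
ubi_list_volumes() {
    dev="ubi$1"
    base="${2:-/sys}/class/ubi"
    [ -d "$base/$dev" ] || { echo "$dev is not attached" >&2; return 2; }
    found=0
    for vol in "$base/${dev}_"*; do
        [ -r "$vol/name" ] || continue   # unmatched glob: device has no volumes
        id="${vol##*_}"
        name=$(cat "$vol/name")
        echo "$dev volume $id name=$name mount-as=$dev:$name"
        found=$((found + 1))
    done
    if [ "$found" -eq 0 ]; then
        echo "$dev has no user volumes; nothing to mount" >&2
        return 1
    fi
}

# Constructed sample tree (not taken from a real device): ubi0 carries three
# volumes, ubi1 is attached but empty like the "user volume: 0" log above.
make_sample_sysfs() {
    root=$(mktemp -d)
    mkdir -p "$root/class/ubi/ubi0" "$root/class/ubi/ubi1"
    i=0
    for n in kernel rootfs rootfs_data; do
        mkdir -p "$root/class/ubi/ubi0_$i"
        echo "$n" > "$root/class/ubi/ubi0_$i/name"
        i=$((i + 1))
    done
    echo "$root"
}

# Demo on the constructed tree; on a device call: ubi_list_volumes 0
demo_root=$(make_sample_sysfs)
ubi_list_volumes 0 "$demo_root"
ubi_list_volumes 1 "$demo_root" || true
rm -rf "$demo_root"
```
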

Can you run block info?


IPQ807x# block info
Unknown command 'block' - try 'help'


root@OpenWrt:/# block info
/bin/ash: block: not found
root@OpenWrt:/# blockinfo
/bin/ash: blockinfo: not found
root@OpenWrt:/#

You want to install blkid or block-mount; it is in one of those packages.

root@OpenWrt:~# block
block: Usage: block <info|mount|umount|detect>

root@OpenWrt:~# block info
/dev/ubiblock0_1: UUID="eaf14a97-cea20388-4e1c1c5b-1845ea72" VERSION="4.0" MOUNT="/rom" TYPE="squashfs"
/dev/ubi0_2: UUID="556ee49d-7daa-4ffe-a33c-a7481731fd3d" VERSION="w5r0" MOUNT="/overlay" TYPE="ubifs"
root@OpenWrt:~#

So I have extracted mtd11-rootfs.bin using ubi reader:
onekey-sec/ubi_reader: Collection of Python scripts for reading information about and extracting data from UBI and UBIFS images. (github.com)

I then extracted the squashfs image using unsquashfs.

Noting that in the boot log is the below

[   35.218749] cnss: Target capability: chip_id: 0x0, chip_family: 0x0, board_id: 0xff, soc_id: 0xffffffff, fw_version: 0x220604a5, fw_build_timestamp: 2021-08-12 01:51, otp_version: 0x0 eeprom_caldata_read_timeout 0s
[   35.218757] cnss: Downloading BDF: bdwlan.bin, size: 64
[   35.218762] cnss: No board_id entry in device tree
[   35.219162] cnss: BDF location : 0x4b0c0000
[   35.219167] cnss: BDF IPQ8074/bdwlan.bin size 131072
[   35.219382] cnss: Downloading BDF: caldata.bin, size: 64
[   35.219801] cnss: per device BDF location : 0x4b0e0000
[   35.219886] cnss: CALDATA IPQ8074/caldata.bin size 131072 offset 0x20000
[   35.306486] wlan: [2623:I:ANY] ol_ath_check_fw_ready: 614: Waiting for FW ready device

In the lib/firmware/qca8074 folder is a file BDF_X80_0813.bin (128kb in size) and bdwlan.bin (1kb in size).

I'm no expert but it does not seem to add up with the file size listed in the boot log?

I was also under the impression the caldata is stored in the ART partition. How do I extract this? Or is the caldata the one listed above in the lib firmware folder?

What are the chances of cracking the shadow file to obtain the root password with John the Ripper?

Have a look in lib/read_caldata_to_fs.sh

They are using the bdwlan with the suffix .b210

caldata is extracted via target/linux/qualcommax/ipq807x/base-files/etc/hotplug.d/firmware/11-ath11k-caldata

Just add the board to the ipq8074 case statement.

That depends on many factors... is the password already in one of the known password lists (even then you have to find the proper list)?
If not, then it depends on the password length, salt, algorithm....

This is all that is in there:

But I think .b210 just referenced the country config NZ.

This is my config:

[ "$board" == "ap-hk01-c5" ] && suffix='.b210'

#!/bin/sh
#
# Copyright (c) 2015 The Linux Foundation. All rights reserved.
# Copyright (C) 2011 OpenWrt.org

. /lib/ipq806x.sh

do_load_ipq4019_board_bin()
{
    local board=$(ipq806x_board_name)
    local mtdblock=$(find_mtd_part 0:ART)

    local apdk="/tmp"
    local dft_country='US'
    local suffix='.b292'
    local country=$(getfirm COUNTRY)
    
    local bd_filename dft_bd_filename target_board_bd_filename target_bd_filename

    if [ -z "$mtdblock" ]; then
        # read from mmc
        mtdblock=$(find_mmc_part 0:ART)
    fi

    [ -n "$mtdblock" ] || return

    # load board.bin
    case "$board" in
            ap-dk0*)
                    mkdir -p ${apdk}
                    dd if=${mtdblock} of=${apdk}/wifi0.caldata bs=32 count=377 skip=128
                    dd if=${mtdblock} of=${apdk}/wifi1.caldata bs=32 count=377 skip=640
            ;;
            ap16* | ap148*)
                    mkdir -p ${apdk}
                    dd if=${mtdblock} of=${apdk}/wifi0.caldata bs=32 count=377 skip=128
                    dd if=${mtdblock} of=${apdk}/wifi1.caldata bs=32 count=377 skip=640
                    dd if=${mtdblock} of=${apdk}/wifi2.caldata bs=32 count=377 skip=1152
            ;;
            ap-hk* | ap-ac* | ap-oa*)
                    HK_BD_FILENAME=/lib/firmware/IPQ8074/bdwlan.bin
                    mkdir -p ${apdk}/IPQ8074

                    [ "$board" == "ap-ac01" ] && suffix='.b291'
                    [ "$board" == "ap-ac02" ] && suffix='.b292'
                    [ "$board" == "ap-ac04" ] && suffix='.b292'
                    [ "$board" == "ap-hk01-c5" ] && suffix='.b210'

                    bd_filename="/lib/firmware/IPQ8074/bdwlan_""$country""$suffix"
                    dft_bd_filename="/lib/firmware/IPQ8074/bdwlan_""$dft_country""$suffix"
                    target_board_bd_filename=${apdk}"/IPQ8074/bdwlan""$suffix"
                    target_bd_filename=${apdk}"/IPQ8074/bdwlan.bin"

                    if [ -f $bd_filename ]; then
                    	cp $bd_filename $target_board_bd_filename
                    	cp $bd_filename $target_bd_filename
                    elif [ -f $dft_bd_filename ]; then 
                    	cp $dft_bd_filename $target_board_bd_filename
                    	cp $dft_bd_filename $target_bd_filename
                    fi
	
                    dd if=${mtdblock} of=${apdk}/wifi1.caldata bs=1 count=12064 skip=208896
                    if [ -f "$HK_BD_FILENAME" ]; then
                        FILESIZE=$(stat -Lc%s "$HK_BD_FILENAME")
                    else
                        FILESIZE=131072
                    fi
                    dd if=${mtdblock} of=${apdk}/IPQ8074/caldata.bin bs=1 count=$FILESIZE skip=4096
#                    [ -L /lib/firmware/IPQ8074/caldata.bin ] || \
#                    ln -s ${apdk}/IPQ8074/caldata.bin /lib/firmware/IPQ8074/caldata.bin
            ;;
            ap-cp01-c3*)
                    CP_BD_FILENAME=/lib/firmware/IPQ6018/bdwlan.bin
                    mkdir -p ${apdk}/IPQ6018
                    if [ -f "$CP_BD_FILENAME" ]; then
                        FILESIZE=$(stat -Lc%s "$CP_BD_FILENAME")
                    else
                        FILESIZE=65536
                    fi
                    dd if=${mtdblock} of=${apdk}/IPQ6018/caldata.bin bs=1 count=$FILESIZE skip=4096
                    [ -L /lib/firmware/IPQ6018/caldata.bin ] || \
                    ln -s ${apdk}/IPQ6018/caldata.bin /lib/firmware/IPQ6018/caldata.bin

                    mkdir -p ${apdk}/qcn9000
                    FILESIZE=131072
                    dd if=${mtdblock} of=${apdk}/qcn9000/caldata_1.bin bs=1 count=$FILESIZE skip=157696
                    dd if=${mtdblock} of=${apdk}/qcn9000/caldata_2.bin bs=1 count=$FILESIZE skip=311296
                    ln -s ${apdk}/qcn9000/caldata_1.bin /lib/firmware/qcn9000/caldata_1.bin
                    ln -s ${apdk}/qcn9000/caldata_2.bin /lib/firmware/qcn9000/caldata_2.bin

            ;;
            ap-cp*)
                    CP_BD_FILENAME=/lib/firmware/IPQ6018/bdwlan.bin
                    mkdir -p ${apdk}/IPQ6018
                    if [ -f "$CP_BD_FILENAME" ]; then
                        FILESIZE=$(stat -Lc%s "$CP_BD_FILENAME")
                    else
                        FILESIZE=65536
                    fi
                    dd if=${mtdblock} of=${apdk}/IPQ6018/caldata.bin bs=1 count=$FILESIZE skip=4096
                    [ -L /lib/firmware/IPQ6018/caldata.bin ] || \
                    ln -s ${apdk}/IPQ6018/caldata.bin /lib/firmware/IPQ6018/caldata.bin
            ;;
   esac
}

So the caldata is just extracted from the MTD partition ART, and the log suggests the file size is 131072, and it is one of the below dumps from ART:

dd if=${mtdblock} of=${apdk}/wifi1.caldata bs=1 count=12064 skip=208896


dd if=${mtdblock} of=${apdk}/IPQ8074/caldata.bin bs=1 count=$FILESIZE skip=4096

BDF_X80_0813.bin is the firmware as it is just bdf with the board name appended
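
An added example, not from the original posts or the OEM firmware: the same two `dd` reads run offline against a saved dump of the ART partition, with a check that the dump is long enough and that the region is not erased flash. The function names and the constructed sample dump are assumptions; the offsets and lengths are the ones in the `ap-hk*` branch of the script above.

```sh
#!/bin/sh
# Carve one region out of a saved ART dump and sanity-check it.
# Usage: art_extract <art-dump> <offset> <length> <outfile>
# Returns 0 ok, 1 dump too short, 2 region is erased (all 0xFF).
art_extract() {
    art=$1; off=$2; len=$3; out=$4
    size=$(wc -c < "$art")
    if [ "$size" -lt $((off + len)) ]; then
        echo "$art: $size bytes, need $((off + len))" >&2
        return 1
    fi
    # Same read as the OEM script: bs=1, so skip/count are plain byte values.
    dd if="$art" of="$out" bs=1 skip="$off" count="$len" 2>/dev/null
    # Erased flash reads back as 0xFF; count the bytes that are anything else.
    data=$(LC_ALL=C tr -d '\377' < "$out" | wc -c)
    if [ "$data" -eq 0 ]; then
        echo "$out: region at offset $off is blank" >&2
        return 2
    fi
    echo "$out: $len bytes from offset $off, $data non-0xFF"
}

# Constructed sample dump (not real calibration data): 256 KiB of 0xFF with
# 131072 zero bytes written at offset 4096 to stand in for caldata.
make_sample_art() {
    f=$(mktemp)
    dd if=/dev/zero bs=1024 count=256 2>/dev/null | LC_ALL=C tr '\000' '\377' > "$f"
    dd if=/dev/zero of="$f" bs=4096 seek=1 count=32 conv=notrunc 2>/dev/null
    echo "$f"
}

# Demo on the constructed dump; for real data pass your own ART dump file.
demo_dump=$(make_sample_art); demo_out=$(mktemp -d)
art_extract "$demo_dump" 4096 131072 "$demo_out/caldata.bin"
art_extract "$demo_dump" 208896 12064 "$demo_out/wifi1.caldata" || true
rm -rf "$demo_dump" "$demo_out"
```
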

Tried John with unshadow rockyou.txt wordlist and had no luck

passwd

root:x:0:0:root:/root:/bin/ash

shadow

root:$1$deco$d12d45CZve2tQoidyZWiB.:17603:0:99999:7:::

unshadow line

root:$1$deco$d12d45CZve2tQoidyZWiB.:0:0:root:/root:/bin/ash

Seems a common password with other models. M9+ is one (Google the shadow)

BTW I was able to get the link for the 1.0.3 NZ Firmware as my 1.0.0 was looking for updates and it showed in the shell.

http://download.tplinkcloud.com/firmware/full_x80-5G-SP1-up-ver1-0-3-P1[20230802-rel180]_2023-08-02_08.40.05_1695280736955.bin

Not sure if it is any use :slight_smile:


I have the NAND dump from you, but it may come in handy. I'll try to downgrade my one to see if my issue is firmware related.


@kirdes How do I go about creating the board-2.bin?

My board file:

[
    {
        "data": "bus=ahb,qmi-chip-id=0,qmi-board-id=255,variant=tplink_x80-5g.bin",
        "names": [
            "bus=ahb,qmi-chip-id=0,qmi-board-id=255,variant=tplink_x80-5g"
        ]
    }
]

I have both booting logs on the Wiki oem and my initramfs image as below:

[OpenWrt Wiki] TP-Link X80-5G V1

But there is this here loading the file which indicates my board file has the correct data:

[   14.244392] ath11k c000000.wifi: qmi ignore invalid mem req type 3
[   14.251858] ath11k c000000.wifi: chip_id 0x0 chip_family 0x0 board_id 0xff soc_id 0xffffffff
[   14.251894] ath11k c000000.wifi: fw_version 0x290604a5 fw_build_timestamp 2023-10-12 02:06 fw_build_id WLAN.HK.2.9.0.1-01977-QCAHKSWPL_SILICONZ-1
[   14.328822] ath11k c000000.wifi: failed to fetch board data for bus=ahb,qmi-chip-id=0,qmi-board-id=255,variant=tplink_x80-5g from ath11k/IPQ8074/hw2.0/board-2.bin
[   14.328884] ath11k c000000.wifi: failed to fetch board data for bus=ahb,qmi-chip-id=0,qmi-board-id=255 from ath11k/IPQ8074/hw2.0/board-2.bin
[   14.342303] ath11k c000000.wifi: failed to fetch board data for bus=ahb,qmi-chip-id=0,qmi-board-id=255 from ath11k/IPQ8074/hw2.0/board-2.bin
[   14.355106] ath11k c000000.wifi: failed to fetch board.bin from IPQ8074/hw2.0

I did manage to unpack the NAND, unsquash the RootFS and dump the contents, but I'm a little confused about which is the correct BDF file, as bdwlan.bin is mentioned in boot and it is a symbolic link to the file in /tmp, and we can't break into a running OEM image to pull it from there because of the root password.

Same with the file bdwlan.b210; it is a symbolic link to /tmp.

There is, however, bdwlan_NZ.b210, which is my country code, and the obvious file BDF_x80_0813.bin, which are 128k in size.

I did run bdencoder -c board.json and the resultant file is only like a header, less than 1k in size. It is alongside my renamed firmware file, and I tried both the bdwlan_NZ.b210 file and the BDF_x80_0813.bin, assuming this is some sort of master file before the country code is patched in.

Going backwards with -e board-2.bin it throws errors, so I don't know what I'm doing wrong.

I want to submit this upstream but I'm not really sure on the process as there is not really any documentation and this would be my first attempt from scratch.

The log from ath11k only shows that it is reading the device entry from the DTS but is failing to load the board file.

For further testing you need to fork the ipq-wifi repo and use that in your OpenWrt fork.

You can then try different board files. I'd start with the BDF_x80_0813.bin.
You need to find a board file that is working generally on your device.

You need to perform a few tests with different country settings. Unfortunately the entire bdf thing is a minefield.

It is failing to read the board file as there is not one present in the initramfs image.

I can dump one in the /lib/firmware/qca8074 folder and hope it loads.

I was under the impression I have to process the dumped files with the ath11k tools to get board-2.bin and caldata files to upload and submit.

@stifilz can you try the image below and see if the wifi firmware loads?

images/openwrt-qualcommax-ipq807x-tplink_x80-5g-initramfs-uImage.itb at main · professor-jonny/images (github.com)

I'm not sure if it is to be named board.bin or tplink_x80-5g.bin but I guess we will find out :slight_smile: