IPQ807x SoC Investigation / Status [WIP]

Ipq40xx Netgear ex7700 uses it and it's a pita... Was trying to support that but I bricked one trying to flash an unlocked uboot

Hm, that's the first one I heard about.
It would be great if @hnyman can verify it.

I may potentially get one RAX120 at work, it would be a shame if it had secure boot.

1 Like

As far as I see from FCC photos, there are those 7 screws I found (4 on bottom, 3 on rear), but in addition a nasty row of clips on three sides. The clips are not at the edge, but about one centimeter from the edge.
https://fccid.io/PY318400434

1 Like

Can you figure it out from the bootlog?

I finally managed to open the case, breaking one clip in the process.
But I got the serial connection right on the first try (quite similar as in R7800) :wink:

I uploaded the full bootlog to

Apparently the bootloader in RAX120 is a QSDK variant of U-boot.

U-Boot 2016.01-23637-g6be947d (Sep 26 2018 - 10:21:39 +0800)

Model: QCA, IPQ807x-HK01
U-boot dni1 V1.2 for DNI HW ID: 29765589; NAND flash 512MB; RAM 1024MB .
developed based on 'qsdk-ipq807x.ilq.8.0-spf.8.0.CS'

And the OEM firmware in RAX120 is based on Chaos Calmer 15.05.1 ...

Chaos Calmer, RAX120-V1.0.1.128+r49254
DISTRIB_DESCRIPTION='OpenWrt Chaos Calmer 15.05.1

I will post photos similarly as with R7800, but in any case, the device is quite connectable for debugging.

3 Likes

I was right about the router based on qsdk 8...
Secure boot should not be enabled... If I remember correctly if it's enabled uboot prints it...

Seems so:

Keeping the reset button pressed during the power-on in RAX120 causes the boot process to trigger the expected TFTP recovery mode (after a few seconds in "factory reset mode", just like with R7800 and others):

U-Boot 2016.01-23637-g6be947d (Sep 26 2018 - 10:21:39 +0800)

Model: QCA, IPQ807x-HK01
U-boot dni1 V1.2 for DNI HW ID: 29765589; NAND flash 512MB; RAM 1024MB .
developed based on 'qsdk-ipq807x.ilq.8.0-spf.8.0.CS'
DRAM:  smem ram ptable found: ver: 1 len: 4
1 GiB
NAND:  ONFI device found
ID = 1590acef
Vendor = ef
Device = ac
SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 0000
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
512 MiB
MMC:   <NULL>: 0
*** Warning - bad CRC, using default environment

In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
machid: 8010000
Net:   MAC0 addr:bc:a5:11:a7:ae:f6
PHY ID1: 0x4d
PHY ID2: 0xd0b1

NAND read: device 0 offset 0x7e00000, size 0x80000
 524288 bytes read: OK
bad magic on ETHPHYFW partition
PHY ID1: 0x3a1
PHY ID2: 0xb612
EDMA ver 1 hw init
Num rings - TxDesc:1 (0-0) TxCmpl:1 (7-7)
RxDesc:1 (15-15) RxFill:1 (7-7)
ipq807x_edma_alloc_rings: successfull
ipq807x_edma_setup_ring_resources: successfull
ipq807x_edma_configure_rings: successfull
ipq807x_edma_hw_init: successfull
eth0                                                          
ipq807x_eth_halt: done
Factory Reset Mode
10M speed not supported
Using eth0 device
Listening for TFTP transfer on 192.168.1.1
Load address: 0x44000000

So far it looks to me that this follows pretty much the example set by WNDR3700, R7800 and others. And that is good, as the easy recovery has been a nice feature during the years :wink:

2 Likes

Great, they are all QSDK based. Part of the QSDK build is U-boot, so you simply pick the one for your reference board.

U-boot should have a command to check for the secure boot fuse, simply enter help and you will see it.

It's only bad that they used QSDK8; the current release is 11.2 and WLAN support is much better.

1 Like

Can you get your uboot environment / nvram variables?

Like these?

IPQ807x# printenv
baudrate=115200
bootargs=console=ttyMSM0,115200n8
bootcmd=mii write 0x4 0x0 0x800; sleep 1; nmrp; echo Loading DNI firmware for checking...; loadn_dniimg 0 0x1980000 0x44000000; calc_rootadd 0x1980000 0x44000000; iminfo 0x44000000; if test $? -ne 0; then echo linux checksum error; fw_recovery; fi;iminfo $rootfs_addr_for_fw_checking; if test $? -ne 0; then echo rootfs checksum error; fw_recovery; fi;nand read 0x44000000 0x1980000 0x06400000; dnibootm
bootdelay=2
eth1addr=bc:a5:11:a7:ae:f7
eth2addr=bc:a5:11:a7:ae:f8
eth3addr=ff:ff:ff:ff:ff:ff
eth4addr=31:30:35:30:33:36
eth5addr=32:31:36:37:55:31
ethact=eth0
ethaddr=bc:a5:11:a7:ae:f6
fdtcontroladdr=4a959a30
ipaddr=192.168.1.1
machid=8010000
netmask=255.255.255.0
serverip=192.168.1.10
stderr=serial@78B3000
stdin=serial@78B3000
stdout=serial@78B3000

Environment size: 845/262140 bytes


IPQ807x# bdinfo
arch_number = 0x08010000
boot_params = 0x40000100
DRAM bank   = 0x00000000
-> start    = 0x40000000
-> size     = 0x40000000
eth0name    = eth0
ethaddr     = bc:a5:11:a7:ae:f6
current eth = eth0
ip_addr     = 192.168.1.1
baudrate    = 115200 bps
TLB addr    = 0x4A9B0000
relocaddr   = 0x4A900000
reloc off   = 0x00000000
irq_sp      = 0x4A77FA90
sp start    = 0x4A77FA80

1 Like
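An added example, not part of the original thread or of the device's firmware: a short Python audit of the `printenv` dump posted above, flagging the settings a reviewer would look at twice (interruptible autoboot, placeholder or non-address values in the `eth*addr` slots, and what `bootcmd` checks before booting). The function names are hypothetical; the sample input is a subset of the posted output.

```python
import re

# Subset of the printenv output posted above, embedded so the script runs offline.
SAMPLE = r"""bootcmd=mii write 0x4 0x0 0x800; sleep 1; nmrp; echo Loading DNI firmware for checking...; loadn_dniimg 0 0x1980000 0x44000000; calc_rootadd 0x1980000 0x44000000; iminfo 0x44000000; if test $? -ne 0; then echo linux checksum error; fw_recovery; fi;iminfo $rootfs_addr_for_fw_checking; if test $? -ne 0; then echo rootfs checksum error; fw_recovery; fi;nand read 0x44000000 0x1980000 0x06400000; dnibootm
bootdelay=2
eth1addr=bc:a5:11:a7:ae:f7
eth3addr=ff:ff:ff:ff:ff:ff
eth4addr=31:30:35:30:33:36
eth5addr=32:31:36:37:55:31
ethaddr=bc:a5:11:a7:ae:f6
Environment size: 845/262140 bytes
"""

def parse_env(text):
    """Return {name: value}; split on the first '=' only, skip non-variable lines."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and re.fullmatch(r"[A-Za-z0-9_]+", name):
            env[name] = value
    return env

def classify_mac(value):
    """Classify a MAC string as 'broadcast', 'ascii:<text>', 'multicast' or 'unicast'."""
    octets = bytes(int(part, 16) for part in value.split(":"))
    if octets == b"\xff" * 6:
        return "broadcast"          # unprogrammed / placeholder slot
    if all(b < 0x80 and chr(b).isalnum() for b in octets):
        return "ascii:" + octets.decode("ascii")   # text stored in a MAC slot
    return "multicast" if octets[0] & 1 else "unicast"

def audit(env):
    """Return (variable, finding) tuples for settings worth a second look."""
    findings = []
    if int(env.get("bootdelay", "0")) > 0:
        findings.append(("bootdelay", "autoboot can be interrupted on the serial console"))
    for name in sorted(env):
        if re.fullmatch(r"eth\d*addr", name) and classify_mac(env[name]) != "unicast":
            findings.append((name, "not an interface MAC: " + classify_mac(env[name])))
    steps = [s.strip() for s in env.get("bootcmd", "").split(";")]
    checks = [s for s in steps if s.startswith("iminfo")]
    fallback = "fw_recovery" if "fw_recovery" in steps else "none"
    if checks:
        findings.append(("bootcmd", "%d iminfo checksum check(s), fallback: %s" % (len(checks), fallback)))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_env(SAMPLE)):
        print(name + ": " + finding)
```
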

Yep, thanks.

The boot process for your device is more in line with normal QSDK based devices vs the ax3600 that seems to have a fair few changes (like the boot command)

2 Likes

Yeah, and the uboot seems to have about 100 different commands available.

Those include "ipqfuse" (which robimarko maybe referenced), but that seems to require a parameter.

Xiaomi not following standard things as usual....

1 Like

If I remember correctly there is a dedicated command to check secure boot...

From memory you should see some uboot logs for image signature validation when secure boot is enabled.

If it's anything like QCOM MSM it's enforced from a boot ROM level (validate PBL) then PBL validates uboot/sbl. As there are no logs from PBL or uboot regarding image verification I'd say secure boot is off.

I added similar "how to open cover" photos to wiki as for R7800.
https://openwrt.org/inbox/toh/netgear/netgear_rax120_nighthawk_ax12#opening_the_case

3 Likes

I also have a TP-Link Deco x60 system (3 of them) and a Netgear AX12 that I'd like to use on OpenWrt. They have an IPQ8071 and IPQ8074 chip respectively. The biggest incentive is because the new TP-Link system REQUIRES phone home to TP-Link in HK via USA servers (which has obviously some political issues right now). What can I do to help?

2 Likes

Hey there,
I have been reading about your progress over the past few months, so first, thank you to all the people who take part in the effort of porting IPQ807X to OpenWrt.

I really want to buy an 802ax compatible device which has the highest possibility of getting support from OpenWrt in the future. Would you suggest I go with the ax3600 (xiaomi), or might it not get a port due to all the non-standard problems that you've raised?

Thank you

sorry for offtopic

just for the info AX3600
global version 100% confirmed

2 Likes

It's the same, maybe we can flash the international version.

I wish I could get the global firmware for the mi AX3600, patch it to keep SSH and flash it on my Chinese edition of the device.

1 Like