KuWfi 830D - Which "target"?


If you're just throwing stuff at it blindly I'd suggest trying the release "CPE830" factory build.

Each model has some code in the build system for how to put together a "factory" image, which typically includes a header with magic numbers, region codes, CRC checksums, etc that is very specific to the make and model.

1 Like


Yes, but my questio is : How to get teh "factory" image (not the sysupgrade) ?



You define the correct recipe for the factory image into the correct image Makefile. And then you compile it.

Nobody without the router can do that for you, asn you need debug access to see how the boot process works. And what is required for the image.

You might also need the OEM firmware sources to understand the possible checksum logic used. So, you should try to get their GPL sources.



No, this is really NOT AT ALL the question

The device is a rebrand of Yurcon 830, supported by OpenWRt

Now, in order to install the firmware, I need the "make" from the Git to produce not only the "sysupgrade" but also the "firmware" version to upload it on the device

How to achieve that ?



I guess you mean Yuncore...

Assuming that it is close to the Yuncore 830 that exists in the Openwrt repo, you possibly need to modify the image generation recipe for the device so that it will get accepted to the checksum logic in the router's OEM firmware's TFTP client/server, flashing routine, whatever... Or if you are lucky, the image gets accepted also otherwise.

Relevant parts are probably here:


Following those places and looking at the source code commits, quite detailed flashing advice gets revealed in the relevant commit messages:

Looks like the device is not the easiest one to flash. Requires rather complex step, as explained in the AP90Q commit message.

Hopefully that helps.

Ps. looks like the advice to check the commits message of AP90Q is also mentioned in the wiki:
"See git commit of AP90Q for installation instructions."



Yes, but provided that I have the root password, which I don't have and the seller refuses to give



Then the question remains How to get the "firmware" version of the built, and not the "sysupgrade" ?



You do not need that.
The commit message explains two ways to flash WITHOUT knowing the root password:

  • First method is using serial cable connection to access the u-boot bootloader, and
  • the second method uses failsafe mode to access the router in early boot stage, before root password is needed, and the root password is changed there, so that you can then use root login after a normal boot.
Flash instruction under U-Boot, using UART:

1. tftp 0x80060000 lede-ar71xx-generic-ap90q-squashfs-sysupgrade
2. erase 0x9f050000 +$filesize
3. cp.b $fileaddr 0x9f050000 $filesize
4. setenv bootcmd "bootm 0x9f050000"
5. saveenv && reset

Flash instruction under vendor fimrware, using telnet/SSH:

1. Connect PC with 192.168.1.x address to WAN port
2. Power up device, enter failsafe mode with button (no LED indicator!)
3. Change root password and reboot (mount_root, passwd ..., reboot -f)
4. Upload lede-ar71xx-generic-ap90q-squashfs-sysupgrade.bin to /tmp using SCP
5. Connect PC with 192.168.188.x address to LAN port, SSH to
6. Invoke:
- cd /tmp
- fw_setenv bootcmd "bootm 0x9f050000"
- mtd erase firmware
- mtd -r write lede-ar71xx-generic-ap90q-squashfs-sysupgrade.bin firmware

As the advice says, you need to flash using the sysupgarde image. Apparently the recipe for a proper factory firmware has not been found out.

Please read that commit message again, and try to believe it.



I am completely lost here

  • The UART thing , sorry, I don't get it. There is no UART or Serial or anything like this visible. Would this be inside teh sealed plastic box and would I dare opening it, it means breaking the whole thing.
  • The Failsafe option : Yes, I boot in failsafe/u-boot using the wan port. But how to "change the password" in practical terms ?



Then, I suggest not using a hammer. Try a screwdriver first.



aahah, but no screws

1 Like


Yes. Like we have all the time said: there is very likely / certainly a serial port header inside the device.

Read about failsafe mode:

Even the commands to be used inside the failsafe were listed above for you: mount_root, passwd reboot -f

1 Like


But the command, I type them where ??? I have the device running a TFTP client to get his upgrade.bin file (see above), but how can I land in the device (no SSH / telnet whatsoever)



in SSH console when the router has entered failsafe mode.
(or telnet instead of SSH, if the device uses very open OpenWrt based variant firmware)



There is no such ports opened : I repeat : there is no SSH/telnet whatsoever.

The device only runs a TFTP client to get the "upgrade.bin" (which is not used when rebooting)



So my only way of getting into the device is this "upgrade.bin" file.

The OpenWrt doc says that I need the "firmware" to get the device to openwrt for the first time, not the "sysupgrade".

I tried the sysupgrade file of course, but the device rebot with the existing firmware.

So, back to my initial question : How to get this "firmware" file (I recompile the openwrt from git, but this does not produce the firmware file, only the sysupgrade)



The OpenWrt docs say:

Ensure that the OpenWrt firmware file that you are about to flash, matches your router model and is called β€œβ€¦.factory.bin” (only true for 30% of all supported devices; 70% of devices have different image names , see above), as you will use it to modify a vendor's factory firmware towards OpenWrt.

70% of devices have different image names than factory.bin, e.g. sysupgrade.bin.

For installation instructions see above Flash instruction under U-Boot, using UART

You need to open the device to get access to the serial console.

Suggested reading:



Routers that come with some manufacturer version of OpenWrt stock would use a sysupgrade to change over to the official build.

According to the developer notes, the u-boot TFTP mode has not been successfully used. It's a dead end for now.

If the router still boots into OpenWrt, the failsafe mode described would be the only possible way to flash without opening the case. Since there is no "system" LED to watch flashing, you're going to have to figure out the timing of pressing the reset button. I suggest connecting the Ethernet cable to a switch so you have a light indicating the port is up. When the bootloader loads, the port will come up. Then when the bootloader starts OpenWrt, the port will go down for a short time until OpenWrt brings it back up. This is when you should start pressing the reset button repeatedly. Do that for about 15-20 seconds then check if you are in OpenWrt failsafe mode.

Again, do not press the reset button immediately after power on, you have to wait for the bootloader to finish so you don't get bootloader TFTP mode. And don't hold the button down, press and release rapidly.

As far as opening the case, it looks like most outdoor CPEs of this design. The main part of the case is an empty tube that has the top, sides, front and back all made as one piece of plastic so that rain can't get in. The entire works of the unit will slide out the bottom, usually after removing one or two screws that are hidden under a label.

1 Like


This what I get after some help from chinese factory behind the resser:

root@CPE830:~# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                    5.4M    288.0K      5.1M   5% /
/dev/root                 9.0M      9.0M         0 100% /rom
tmpfs                    29.6M    636.0K     29.0M   2% /tmp
tmpfs                   512.0K         0    512.0K   0% /dev
root                     29.6M     92.0K     29.5M   0% /tmp/root
overlayfs:/tmp/root      29.6M     92.0K     29.5M   0% /tmp/root
/dev/mtdblock3            5.4M    288.0K      5.1M   5% /overlay
overlayfs:/overlay        5.4M    288.0K      5.1M   5% /
root@CPE830:~# dmesg 
[    0.000000] Linux version 3.3.8 (yangyi@ubuntu) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #7 Thu Dec 27 11:15:12 CST 2018
[    0.000000] MyLoader: sysp=ce8cae65, boardp=f9502a4e, parts=0ad2c130
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Qualcomm Atheros QCA9531 rev 2
[    0.000000] Clocks: CPU:650.000MHz, DDR:597.583MHz, AHB:216.666MHz, Ref:25.000MHz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone PFN ranges:
[    0.000000]   Normal   0x00000000 -> 0x00004000
[    0.700000] m25p80 spi0.0: found w25q128, expected m25p80
[    0.710000] m25p80 spi0.0: w25q128 (16384 Kbytes)
[    0.710000] 6 cmdlinepart partitions found on MTD device spi0.0
[    0.720000] Creating 6 MTD partitions on "spi0.0":
[    0.720000] 0x000000000000-0x000000040000 : "u-boot"
[    0.730000] 0x000000040000-0x000000050000 : "u-boot-env"
[    0.740000] 0x000000050000-0x000000e80000 : "rootfs"
[    0.740000] mtd: partition "rootfs" set to be root filesystem
[    0.750000] mtd: partition "rootfs_data" created automatically, ofs=920000, len=560000 
[    0.760000] 0x000000920000-0x000000e80000 : "rootfs_data"
[    0.760000] 0x000000e80000-0x000000ff0000 : "kernel"
[    0.770000] 0x000000ff0000-0x000001000000 : "art"
[    0.780000] 0x000000050000-0x000000ff0000 : "firmware"
[    0.800000] ag71xx_mdio: probed


Router Name	CPE830
Router Model	Qualcomm Atheros AP147 reference board
Firmware Version	QSDK Premium Router QCA9531 / LuCI 0.11.1 Release (0.11.1)
Kernel Version	3.3.8


Current target would likely be ath79 (ar71xx is being abandoned as devices migrated to ath79)