I know this is a Broadcom device, but I picked up a set of 3 for $10 at Amazon to play around with. I was able to get a serial connection and reset the root password on the device. It is running some custom version of OpenWrt and the web interface points to a landing.html under /www/luci-static/resources that just tells you to download an app. I realize a fully supported and working open version of OpenWrt is likely not happening, but if I can get Luci working to speed up clearing off the junk configs and potential spyware services I could use it as an AP. Here is the boot log along with version information. What other information can I gather to help? Thanks!
opkg works when connected and my reset root password does work for the web interface, but I need to figure out how to reset luci to default configuration.
Also, I was able to enable and start dropbear, it was already there.
T.here are no signs of any luci just one fixed file.
Help ends here.
It appears you are using firmware that is not from the official OpenWrt project.
When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.
Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).
If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.
Do you have curl with ftp or another way to dump the flash from the device?
Can you get into the bootloader? Can you get it to tftpboot something?
Looks like bcm947622 is the reference design board name?
But yeah looks like you can find device tree for bcm947622 and bcm47622.dtsi.
(u-boot patches?)
Looks like the initial device support was just to get a uart though. Not much else upstreamed? I haven't found any info regarding wifi or ethernet for example.
Edit:
Flash is FM25S01. It's not in a package you can attach a clip to, but it's an SPI interface which means one could recover if one was doing bootloader development.
Found that we also have hsspi driver in mainline linux.
GPHY is B50212E. Haven't found much info on it. But that doesn't matter if you have a phy driver if you don't have an ethernet driver haha.
First of all let me explain that the code we use for BCM54210E is also
executed for the B50212E. They are very similar so it probably makes
sense but it may be worth noting. The IDs are:
0x600d84a1: BCM54210E (rev B0)
0x600d84a2: BCM54210E (rev B1)
0x600d84a5: B50212E (rev B0)
0x600d84a6: B50212E (rev B1)
I also found that there are a couple URLs under luci that will trigger enabling sshd and full access to luci.
/cgi-bin/luci/admin/minim/enable_admin : after a log in will enable full luci
/cgi-bin/luci/admin/minim/start_sshd : after a log in will enable a basic dropbear sshd
What files/commands could I run to get more information for you? I can run any commands or dump a backup of all the partitions. I'm currently working on the original password hash to see if the default is common across all units or tied to them in some way like MAC or serial.
My biggest concern is whatever spyware they have that can upload access data to them. I tested it with the app and sure enough it dumps everything when you request a copy of your data from their app/site. I haven't gotten to port or service level yet to determine that.
I'm currently using it as an AP with no outbound routing for the device itself while I test and it works fine with that configuration.
The only other thing I can think of that may spark developer interest in the future is if it has an unlocked bootloader and/or a simple recovery procedure so you can boot openwrt in the future. i.e. reverse engineering the flash format.
i.e. If we ever get working ethernet and wireless drivers.
It might be an interesting project to do a u-boot build but I have too many projects.
From what I can read. One might be able to get storage via the hsspi driver as well as the UART going in linux. Same one might be able to get a custom u-boot going as broadcom upstreamed that.
But no ethernet and no wireless kind of makes things difficult.
Otherwise it would require reverse engineering the ethernet and wireless drivers? Or finding a source dump from something in the same family?
Given there are other supported alternatives, one is probably limited to hacking the existing rom which is perhaps out of scope for this forum?
Do not put high (or any) hopes at wifi, firstly broadcom wifi does not work well, secondly no AX wifi is supported, and thirdly it is baked into SoC CPU and lessens hope if there is no discrete version of same wifi chip.
ie realistic target is to utilize it as gigabit switch.
Or you can achieve something with 256MiB of ram and 128MiB of storage and quad a7 @ 1.5ghz.
And that's IF you can get ethernet going in the first place =P.
It looks like it is using the unimac driver after looking closer at the bootlog. It does something with the crossbar mux and GPIO's after the MAC bringup but before it prints the ethernet info.