Hi!
I'm working on adding support for the Netgear RAX9 router. I'm creating this thread because although I've been researching a lot online (I'm a software guy and have never really gotten into hardware) I have some questions for which I could not find an answer.
- I've identified the UART unpopulated pins with the multimeter method. However, these are not pass-through holes, but instead solder pads. What is the usual way to establish a connection with the pads? Solder the male end of a jump wire? Strip a jump wire and solder it? Try to solder a pin header somehow? Here's a picture of the solder pads:
EDIT: I forgot to mention that in the internal photos of the FCC documentation (that I looked up with the FCC ID that appears in the device label; see page 6), these pads are populated with a pin header. How did they do that?
Taking a closer look, it seems like the bases of the pin headers are horizontal, but I've never seen that.
EDIT 2: I found some right-angled header pins which might work here. I'll try to solder them!
BTW, with a USB to TTL device and by probing the ground and rx pads with the male end of a jump wire I've been able to read part of the bootlog, so that's a win already.
- After reading some commits, the wiki, and some threads, I think the first thing to do would be to create a DTS for my device. The original DTS created by Netgear is already available in the source code they published because of the GPL (`target/linux/ramips/dts/pega-ramips.dts` in firmware 1.0.9.44). Now here are some questions:
  - Should I base our DTS file on the DTS file created by Netgear? Or should I create it from scratch based on the bootlog and other sources of information?
  - In the first case, what should the license of the new DTS file be?
  - Netgear's source code also includes many patches in `target/linux/ramips/patches-4.4` not upstreamed into OpenWrt. Should I bother understanding them and upstreaming them? Or if I test everything and it seems to work correctly there is no need to upstream them?
- Fortunately I have managed to gain root access via SSH by starting dropbear and granting me access to it via an RCE exploit I found (the usual command injection). Would this aid me in any way other than doing recon? I'd love to avoid soldering the UART interface for as long as possible (I'm not very confident in my soldering skills), and I'd like to be able to test my builds from ramdisk. Maybe there is a way to set up the bootloader from there to automatically load firmware via TFTP? And permanently flash the new firmware from there as well?
- Even though my device is model RAX9 (as mentioned in its label at the bottom of the device and `uname`, which outputs `Linux RAX9 4.4.198 #0 SMP Tue Nov 12 02:12:28 UTC 2024 mips GNU/Linux`), the board says it's a RAX5 (see the previous photo). In Netgear's GPL site, the source code of firmwares for both models RAX9 and RAX5 point to the same link. I'll try to look into this further, to see if there are any hardware differences between both models or how this is possible.
Many thanks in advance! I'll keep you updated with my progress.
Hardware specs
- Brand: Netgear
- Model: RAX9
- Board: RAX5 WIFI ROUTER, REV:1.02
- SoC/CPU model: MT7621AT (MIPS 1004Kc V2.15)
- The device itself reports its model as "MediaTek MT7621 PEGA Board (802.11ax, NAND with NMBM)".
- Flash: 256MB (F59L2G81XA, [datasheet])
- RAM: 512MB (M15T4G16256A [closest datasheet I found])
