Netgear WAX210 Work In Progress

Hello all,

I'm trying to build OpenWrt for the Netgear WAX210. Unfortunately, it looks like I've been messing around too much with the memory and ended up "bricking" it (sort of).
I've managed to get back to U-Boot by using:

```
/mtk_uartboot -s /dev/tty.usbserial-0001 -p bl2.bin --aarch64 -f openwrt-24.10.4-mediatek-filogic-cudy_tr3000-v1-ubootmod-bl31-uboot.fip
```

which gave me a pretty useful U-Boot (much better than the original Netgear one), and I used the "itb" file from the Cudy TR3000, uploaded via a TFTP server.

So now I have web access and OpenWrt loaded in RAM, but I'm kind of stuck.

My idea was to compile OpenWrt with the DTB that I think I managed to back up, which was in the ubi.bin from Netgear that I recovered thanks to ubi_reader. Nevertheless, I have no idea if I'm going in the right direction, and I have to say I've spent quite some nights on this topic, so if someone could point me in a direction or something, that would help.

Just FYI, I went from this boot sequence:

```
0: 102B 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 3903 0041
F3: 1001 0000 [0200]
F3: 1001 0000
F6: 102C 0000
F5: 480A 0031
00: 1005 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 3903 0041
F3: 1001 0000 [0200]
F3: 1001 0000
F6: 102C 0000
01: 102A 0001
02: 1005 0000
BP: 2000 00C0 [0001]
EC: 0000 0000 [1000]
T0: 0000 00ED [010F]
System halt!
```

to a "working" OpenWrt in RAM, but I need help to finish the work, as I have no idea what I should do :smiley: (the kids aren't happy currently :wink:)

I wish I had done it before it got bricked :wink: The only dumps I have are the ubi, fip and factory.

So it's not really working; it's like I'm using a live Linux USB stick, loaded in RAM and not on the NAND.

I'm wondering if there isn't a way to get those addresses back without a dump, since I can "access" it?

So here is what I do to revive it:

> username@mbp-username mtk_uartboot % ./mtk_uartboot -s /dev/tty.usbserial-0001 -p bl2_ok.bin --aarch64 -f openwrt-24.10.4-mediatek-filogic-cudy_tr3000-v1-ubootmod-bl31-uboot.fip
> mtk_uartboot - 0.1.1
> Using serial port: /dev/tty.usbserial-0001
> Handshake...
> hw code: 0x7981
> hw sub code: 0x8a00
> hw ver: 0xca00
> sw ver: 0x1
> Baud rate set to 460800
> sending payload to 0x201000...
> Checksum: 0x32fc
> Setting baudrate back to 115200
> Jumping to 0x201000 in aarch64...
> Waiting for BL2. Message below:
> ==================================
> 
> NOTICE: BL2: v2.10.0 (release):OpenWrt v2024.01.17~bacca82a-3 (mt7981-ram-ddr4)
> NOTICE: BL2: Built : 16:37:45, Oct 19 2025
> NOTICE: WDT: Cold boot
> NOTICE: WDT: disabled
> NOTICE: EMI: Using DDR4 settings
> NOTICE: EMI: Detected DRAM size: 512MB
> NOTICE: EMI: complex R/W mem test passed
> NOTICE: CPU: MT7981 (1300MHz)
> NOTICE: Starting UART download handshake ...
> ==================================
> BL2 UART DL version: 0x10
> Baudrate set to: 921600
> FIP sent.
> ==================================
> NOTICE: Received FIP 0xddf29 @ 0x40400000 ...
> ==================================

Then I do this (revive.itb is this ITB: openwrt-24.10.4-mediatek-filogic-cudy_tr3000-v1-ubootmod-squashfs-sysupgrade.itb):

> MT7981> tftpboot 0x46000000 revive.itb
> Using ethernet@15100000 device
> TFTP from server 192.168.1.254; our IP address is 192.168.1.1
> Filename 'revive.itb'.
> Load address: 0x46000000
> Loading: #################################################################
>          #################################################################
>          #################################################################
>          #################################################################
>          #################################################################
>          #################################################################
>          #################################################################
>          #################################################################
>          #################################################################
>          #########
>          7 MiB/s
> done
> Bytes transferred = 8716288 (850000 hex)
> MT7981> bootm 0x46000000
> ## Loading kernel from FIT Image at 46000000 ...
>    Using 'config-1' configuration
>    Trying 'kernel-1' kernel subimage
>      Description:  ARM64 OpenWrt Linux-6.6.110
>      Type:         Kernel Image
>      Compression:  lzma compressed
>      Data Start:   0x460000e8
>      Data Size:    4132720 Bytes = 3.9 MiB
>      Architecture: AArch64
>      OS:           Linux
>      Load Address: 0x48000000
>      Entry Point:  0x48000000
>      Hash algo:    crc32
>      Hash value:   9f35b1c3
>      Hash algo:    sha1
>      Hash value:   313ac600ae038fc077ed8cd73679455cf5601f56
>    Verifying Hash Integrity ... crc32+ sha1+ OK
> ## Loading ramdisk from FIT Image at 46000000 ...
>    Using 'config-1' configuration
>    Trying 'initrd-1' ramdisk subimage
>      Description:  ARM64 OpenWrt cudy_tr3000-v1-ubootmod initrd
>      Type:         RAMDisk Image
>      Compression:  uncompressed
>      Data Start:   0x463f119c
>      Data Size:    4553192 Bytes = 4.3 MiB
>      Architecture: AArch64
>      OS:           Linux
>      Load Address: unavailable
>      Entry Point:  unavailable
>      Hash algo:    crc32
>      Hash value:   1c4362bb
>      Hash algo:    sha1
>      Hash value:   26c65e77f00ffad338b33a89a690593ce5b22bec
>    Verifying Hash Integrity ... crc32+ sha1+ OK
> ## Loading fdt from FIT Image at 46000000 ...
>    Using 'config-1' configuration
>    Trying 'fdt-1' fdt subimage
>      Description:  ARM64 OpenWrt cudy_tr3000-v1-ubootmod device tree blob
>      Type:         Flat Device Tree
>      Compression:  uncompressed
>      Data Start:   0x46848c98
>      Data Size:    22763 Bytes = 22.2 KiB
>      Architecture: AArch64
>      Hash algo:    crc32
>      Hash value:   1e344c9b
>      Hash algo:    sha1
>      Hash value:   97c39484f9686a315fb20b38c13b7345ee716fa7
>    Verifying Hash Integrity ... crc32+ sha1+ OK
>    Booting using the fdt blob at 0x46848c98
> Working FDT set to 46848c98
>    Uncompressing Kernel Image to 48000000
>    Loading Ramdisk to 5e378000, end 5e7cf9e8 ... OK
>    Loading Device Tree to 000000005e36f000, end 000000005e3778ea ... OK
> Working FDT set to 5e36f000
> Add 'ramoops@42ff0000' node failed: FDT_ERR_EXISTS
> 
> Starting kernel ...
> 
> [    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
> [    0.000000] Linux version 6.6.110 (builder@buildhost) (aarch64-openwrt-linux-musl-gcc (OpenWrt GCC 13.3.0 r28959-29397011cc) 13.3.5
> [    0.000000] Machine model: Cudy TR3000 v1 (OpenWrt U-Boot layout)
> [    0.000000] OF: reserved mem: 0x0000000042ff0000..0x0000000042ffffff (64 KiB) map non-reusable ramoops@42ff0000
> [    0.000000] OF: reserved mem: 0x0000000043000000..0x000000004302ffff (192 KiB) nomap non-reusable secmon@43000000
> [    0.000000] OF: reserved mem: 0x0000000047c80000..0x0000000047d7ffff (1024 KiB) nomap non-reusable wmcpu-reserved@47c80000
> [    0.000000] OF: reserved mem: 0x0000000047d80000..0x0000000047dbffff (256 KiB) nomap non-reusable wo-emi@47d80000
> [    0.000000] OF: reserved mem: 0x0000000047dc0000..0x0000000047ffffff (2304 KiB) nomap non-reusable wo-data@47dc0000
> [    0.000000] Zone ranges:
> [    0.000000]   DMA      [mem 0x0000000040000000-0x000000005fffffff]
> [    0.000000]   DMA32    empty
> [    0.000000]   Normal   empty
> [    0.000000] Movable zone start for each node
> [    0.000000] Early memory node ranges
> [    0.000000]   node   0: [mem 0x0000000040000000-0x0000000042ffffff]
> [    0.000000]   node   0: [mem 0x0000000043000000-0x000000004302ffff]
> [    0.000000]   node   0: [mem 0x0000000043030000-0x0000000047c7ffff]
> [    0.000000]   node   0: [mem 0x0000000047c80000-0x0000000047ffffff]
> [    0.000000]   node   0: [mem 0x0000000048000000-0x000000005fffffff]
> [    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x000000005fffffff]
> [    0.000000] psci: probing for conduit method from DT.
> [    0.000000] psci: PSCIv1.1 detected in firmware.
> [    0.000000] psci: Using standard PSCI v0.2 function IDs
> [    0.000000] psci: MIGRATE_INFO_TYPE not supported.
> [    0.000000] psci: SMC Calling Convention v1.4
> [    0.000000] percpu: Embedded 18 pages/cpu s35624 r8192 d29912 u73728
> [    0.000000] pcpu-alloc: s35624 r8192 d29912 u73728 alloc=18*4096
> [    0.000000] pcpu-alloc: [0] 0 [0] 1 
> [    0.000000] Detected VIPT I-cache on CPU0
> [    0.000000] CPU features: detected: GIC system register CPU interface
> [    0.000000] CPU features: kernel page table isolation disabled by kernel configuration
> [    0.000000] alternatives: applying boot alternatives
> [    0.000000] Kernel command line: root=/dev/fit0 rootwait
> [    0.000000] Dentry cache hash table entries: 65536 (order: 7, 524288 bytes, linear)
> [    0.000000] Inode-cache hash table entries: 32768 (order: 6, 262144 bytes, linear)
> [    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 129024
> [    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
> [    0.000000] software IO TLB: SWIOTLB bounce buffer size adjusted to 0MB
> [    0.000000] software IO TLB: area num 2.
> [    0.000000] software IO TLB: mapped [mem 0x000000005f540000-0x000000005f5c0000] (0MB)
> [    0.000000] Memory: 492528K/524288K available (9088K kernel code, 1000K rwdata, 1676K rodata, 448K init, 307K bss, 31760K reserved)
> [    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
> [    0.000000] rcu: Hierarchical RCU implementation.
> [    0.000000] rcu:     RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
> [    0.000000]  Tracing variant of Tasks RCU enabled.
> [    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
> [    0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
> [    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
> [    0.000000] GICv3: GIC: Using split EOI/Deactivate mode
> [    0.000000] GICv3: 640 SPIs implemented
> [    0.000000] GICv3: 0 Extended SPIs implemented
> [    0.000000] Root IRQ handler: 0xffffffc080010080
> [    0.000000] GICv3: GICv3 features: 16 PPIs
> [    0.000000] GICv3: CPU0: found redistributor 0 region 0:0x000000000c080000
> [    0.000000] rcu: srcu_init: Setting srcu_struct sizes based on contention.
> [    0.000000] arch_timer: cp15 timer(s) running at 13.00MHz (phys).
> [    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x2ff89eacb, max_idle_ns: 440795202429 ns
> [    0.000001] sched_clock: 56 bits at 13MHz, resolution 76ns, wraps every 4398046511101ns
> [    0.000083] Calibrating delay loop (skipped), value calculated using timer frequency.. 26.00 BogoMIPS (lpj=130000)
> [    0.000092] pid_max: default: 32768 minimum: 301
> [    0.002971] Mount-cache hash table entries: 1024 (order: 1, 8192 bytes, linear)
> [    0.002981] Mountpoint-cache hash table entries: 1024 (order: 1, 8192 bytes, linear)
> [    0.005172] cacheinfo: Unable to detect cache hierarchy for CPU 0
> [    0.005733] RCU Tasks Trace: Setting shift to 1 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=2.
> [    0.005881] rcu: Hierarchical SRCU implementation.
> [    0.005885] rcu:     Max phase no-delay instances is 1000.
> [    0.006304] smp: Bringing up secondary CPUs ...
> [    0.006679] Detected VIPT I-cache on CPU1
> [    0.006727] GICv3: CPU1: found redistributor 1 region 0:0x000000000c0a0000
> [    0.006759] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
> [    0.006834] smp: Brought up 1 node, 2 CPUs
> [    0.006840] SMP: Total of 2 processors activated.
> [    0.006843] CPU features: detected: 32-bit EL0 Support
> [    0.006846] CPU features: detected: CRC32 instructions
> [    0.006880] CPU features: emulated: Privileged Access Never (PAN) using TTBR0_EL1 switching
> [    0.006884] CPU: All CPU(s) started at EL2
> [    0.006886] alternatives: applying system-wide alternatives
> [    0.010631] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
> [    0.010649] futex hash table entries: 512 (order: 3, 32768 bytes, linear)
> [    0.011925] pinctrl core: initialized pinctrl subsystem
> [    0.013105] NET: Registered PF_NETLINK/PF_ROUTE protocol family
> [    0.013480] DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations
> [    0.013506] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA pool for atomic allocations
> [    0.013527] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations
> [    0.013926] thermal_sys: Registered thermal governor 'fair_share'
> [    0.013930] thermal_sys: Registered thermal governor 'bang_bang'
> [    0.013933] thermal_sys: Registered thermal governor 'step_wise'
> [    0.013935] thermal_sys: Registered thermal governor 'user_space'
> [    0.014000] ASID allocator initialised with 65536 entries
> [    0.014865] ramoops: found existing invalid buffer, size 0, start 256
> [    0.014879] ramoops: found existing invalid buffer, size 0, start 131072
> [    0.014887] ramoops: found existing invalid buffer, size 33554432, start 263168
> [    0.014904] ramoops: found existing invalid buffer, size 1024, start 262144
> [    0.014912] ramoops: found existing invalid buffer, size 0, start 2048
> [    0.014968] pstore: Using crash dump compression: deflate
> [    0.014973] pstore: Registered ramoops as persistent store backend
> [    0.014975] ramoops: using 0x10000@0x42ff0000, ecc: 0
> [    0.016445] /soc/interrupt-controller@c000000: Fixed dependency cycle(s) with /soc/interrupt-controller@c000000
> [    0.022468] Modules: 29600 pages in range for non-PLT usage
> [    0.022477] Modules: 521120 pages in range for PLT usage
> [    0.023495] cryptd: max_cpu_qlen set to 1000
> [    0.024638] SCSI subsystem initialized
> [    0.024864] libata version 3.00 loaded.
> [    0.027118] clocksource: Switched to clocksource arch_sys_counter
> [    0.029385] NET: Registered PF_INET protocol family
> [    0.029511] IP idents hash table entries: 8192 (order: 4, 65536 bytes, linear)
> [    0.030989] tcp_listen_portaddr_hash hash table entries: 256 (order: 0, 4096 bytes, linear)
> [    0.031008] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
> [    0.031017] TCP established hash table entries: 4096 (order: 3, 32768 bytes, linear)
> [    0.031048] TCP bind hash table entries: 4096 (order: 5, 131072 bytes, linear)
> [    0.031153] TCP: Hash tables configured (established 4096 bind 4096)
> [    0.031488] MPTCP token hash table entries: 512 (order: 1, 12288 bytes, linear)
> [    0.031601] UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
> [    0.031617] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
> [    0.031819] NET: Registered PF_UNIX/PF_LOCAL protocol family
> [    0.031846] PCI: CLS 0 bytes, default 64
> [    0.032061] Unpacking initramfs...
> [    0.033222] workingset: timestamp_bits=46 max_order=17 bucket_order=0
> [    0.038238] squashfs: version 4.0 (2009/01/31) Phillip Lougher
> [    0.038249] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
> [    0.096014] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
> [    0.107608] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
> [    0.110905] printk: console [ttyS0] disabled
> [    0.131277] 11002000.serial: ttyS0 at MMIO 0x11002000 (irq = 72, base_baud = 2500000) is a ST16650V2
> [    0.131321] printk: console [ttyS0] enabled
> [    0.930923] loop: module loaded
> [    0.936915] spi-nand spi0.0: Macronix SPI NAND was found.
> [    0.942370] spi-nand spi0.0: 128 MiB, block size: 128 KiB, page size: 2048, OOB size: 64
> [    1.379056] Freeing initrd memory: 4444K
> [    1.391426] 6 fixed-partitions partitions found on MTD device spi0.0
> [    1.398097] Creating 6 MTD partitions on "spi0.0":
> [    1.402894] 0x000000000000-0x000000100000 : "BL2"
> [    1.408550] 0x000000100000-0x000000180000 : "u-boot-env"
> [    1.414545] 0x000000180000-0x000000380000 : "Factory"
> [    1.421259] 0x000000380000-0x0000003c0000 : "bdinfo"
> [    1.427287] 0x0000003c0000-0x0000005c0000 : "FIP"
> [    1.433450] 0x0000005c0000-0x000008000000 : "ubi"
> [    1.495278] ubi0: default fastmap pool size: 45
> [    1.499834] ubi0: default fastmap WL pool size: 22
> [    1.504621] ubi0: attaching mtd5
> [    1.851862] ubi0: scanning is finished
> [    1.860916] ubi0: attached mtd5 (name "ubi", size 122 MiB)
> [    1.866412] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
> [    1.873299] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
> [    1.880083] ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
> [    1.887031] ubi0: good PEBs: 978, bad PEBs: 0, corrupted PEBs: 0
> [    1.893028] ubi0: user volume: 2, internal volumes: 1, max. volumes count: 128
> [    1.900238] ubi0: max/mean erase counter: 2/1, WL threshold: 4096, image sequence number: 0
> [    1.908578] ubi0: available PEBs: 934, total reserved PEBs: 44, PEBs reserved for bad PEB handling: 20
> [    1.917882] ubi0: background thread "ubi_bgt0d" started, PID 259
> [    2.049010] mtk_soc_eth 15100000.ethernet: generated random MAC address 65:74:68:25:64:00
> [    2.057415] mtk_soc_eth 15100000.ethernet: generated random MAC address 65:74:68:25:64:00
> [    2.321545] mtk_soc_eth 15100000.ethernet eth0: mediatek frame engine at 0xffffffc081100000, irq 75
> [    2.331483] mtk_soc_eth 15100000.ethernet eth1: mediatek frame engine at 0xffffffc081100000, irq 75
> [    2.341317] i2c_dev: i2c /dev entries driver
> [    2.347579] mtk-wdt 1001c000.watchdog: Watchdog enabled (timeout=31 sec, nowayout=0)
> [    2.356589] NET: Registered PF_INET6 protocol family
> [    2.362556] Segment Routing with IPv6
> [    2.366238] In-situ OAM (IOAM) with IPv6
> [    2.370239] NET: Registered PF_PACKET protocol family
> [    2.375306] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if .
> [    2.388543] 8021q: 802.1Q VLAN Support v1.8
> [    2.415030] phy phy-soc:usb-phy@11e10000.1: type_sw - reg 0x218, index 0
> [    2.422911] clk: Disabling unused clocks
> [    2.427518] Freeing unused kernel memory: 448K
> [    2.432008] Run /init as init process
> [    2.435658]   with arguments:
> [    2.438703]     /init
> [    2.440972]   with environment:
> [    2.444100]     HOME=/
> [    2.446447]     TERM=linux
> [    2.660818] init: Console is alive
> [    2.664363] init: - watchdog -
> [    2.672630] kmodloader: loading kernel modules from /etc/modules-boot.d/*
> [    2.687420] usbcore: registered new interface driver usbfs
> [    2.692965] usbcore: registered new interface driver hub
> [    2.698395] usbcore: registered new device driver usb
> [    2.704002] gpio_button_hotplug: loading out-of-tree module taints kernel.
> [    2.716556] xhci-mtk 11200000.usb: xHCI Host Controller
> [    2.721833] xhci-mtk 11200000.usb: new USB bus registered, assigned bus number 1
> [    2.732280] xhci-mtk 11200000.usb: hcc params 0x01403f99 hci version 0x110 quirks 0x0000000000200010
> [    2.741585] xhci-mtk 11200000.usb: irq 79, io mem 0x11200000
> [    2.747348] xhci-mtk 11200000.usb: xHCI Host Controller
> [    2.752571] xhci-mtk 11200000.usb: new USB bus registered, assigned bus number 2
> [    2.759969] xhci-mtk 11200000.usb: Host supports USB 3.2 Enhanced SuperSpeed
> [    2.767494] hub 1-0:1.0: USB hub found
> [    2.771290] hub 1-0:1.0: 1 port detected
> [    2.775575] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
> [    2.784201] hub 2-0:1.0: USB hub found
> [    2.788027] hub 2-0:1.0: 1 port detected
> [    2.796628] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
> [    2.808384] init: - preinit -
> [    2.936154] mtk_soc_eth 15100000.ethernet eth1: PHY [mdio-bus:00] driver [MediaTek MT7981 PHY] (irq=POLL)
> [    2.949369] mtk_soc_eth 15100000.ethernet eth1: configuring for phy/gmii link mode
> Press the [f] key and hit [enter] to enter failsafe mode
> Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
> [    6.767117] random: crng init done
> [    7.127322] mtk_soc_eth 15100000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx
> [    7.174849] mtk_soc_eth 15100000.ethernet eth1: Link is Down
> [    7.186576] procd: - early -
> [    7.189601] procd: - watchdog -
> [    7.722136] procd: - watchdog -
> [    7.725458] procd: - ubus -
> [    7.879452] procd: - init -
> Please press Enter to activate this console.
> [    8.088825] kmodloader: loading kernel modules from /etc/modules.d/*
> [    8.106479] crypto-safexcel 10320000.crypto: EIP97:230(0,1,4,4)-HIA:270(0,5,5),PE:150/433(alg:7fcdfc00)/0/0/0
> [    8.121781] Loading modules backported from Linux version v6.12.52-0-g2b2cbdcede38
> [    8.129400] Backport generated by backports.git v6.1.110-1-35-g410656ef
> [    8.281076] urngd: v1.0.2 started.
> [    8.477385] mt798x-wmac 18000000.wifi: HW/SW Version: 0x8a108a10, Build Time: 20240823161240a
> [    8.477385] 
> [    8.499629] mt798x-wmac 18000000.wifi: WM Firmware Version: ____000000, Build Time: 20240823161304
> [    8.542160] mt798x-wmac 18000000.wifi: WA Firmware Version: DEV_000000, Build Time: 20240823161841
> [    8.639806] mt798x-wmac 18000000.wifi: eeprom load fail, use default bin
> [    8.646577] mt798x-wmac 18000000.wifi: Direct firmware load for mediatek/mt7981_eeprom_mt7976_dbdc.bin failed with error -2
> [    8.657721] mt798x-wmac 18000000.wifi: Falling back to sysfs fallback for: mediatek/mt7981_eeprom_mt7976_dbdc.bin
> [    8.694846] mt798x-wmac: probe of 18000000.wifi failed with error -12
> [    8.728495] PPP generic driver version 2.4.2
> [    8.734241] NET: Registered PF_PPPOX protocol family
> [    8.743027] kmodloader: done loading kernel modules from /etc/modules.d/*
> [   13.573147] mtk_soc_eth 15100000.ethernet eth1: PHY [mdio-bus:00] driver [MediaTek MT7981 PHY] (irq=POLL)
> [   13.586519] mtk_soc_eth 15100000.ethernet eth1: configuring for phy/gmii link mode
> [   13.599154] br-lan: port 1(eth1) entered blocking state
> [   13.604395] br-lan: port 1(eth1) entered disabled state
> [   13.609714] mtk_soc_eth 15100000.ethernet eth1: entered allmulticast mode
> [   13.616698] mtk_soc_eth 15100000.ethernet eth1: entered promiscuous mode
> [   13.880032] mtk_soc_eth 15100000.ethernet eth0: validation of  with support 00,00000000,00000000,00006000 and advertisement 00,000L
> [   14.127120] mtk_soc_eth 15100000.ethernet eth0: mtk_open: could not attach PHY: -22
> [   16.727319] mtk_soc_eth 15100000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx
> [   16.727353] br-lan: port 1(eth1) entered blocking state
> [   16.740985] br-lan: port 1(eth1) entered forwarding state
> [   19.047289] platform fitblk: deferred probe pending
> 
> 
> 
> BusyBox v1.36.1 (2025-10-19 16:37:45 UTC) built-in shell (ash)
> 
>   _______                     ________        __
>  |       |.-----.-----.-----.|  |  |  |.----.|  |_
>  |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
>  |_______||   __|_____|__|__||________||__|  |____|
>           |__| W I R E L E S S   F R E E D O M
>  -----------------------------------------------------
>  OpenWrt 24.10.4, r28959-29397011cc
>  -----------------------------------------------------
> === WARNING! =====================================
> There is no root password defined on this device!
> Use the "passwd" command to set up a new password
> in order to prevent unauthorized SSH logins.
> --------------------------------------------------
> root@OpenWrt:~#

But like I said, I can't write it properly, so it doesn't work :frowning:

In case it's useful:

```
root@OpenWrt:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00020000 "BL2"
mtd1: 00080000 00020000 "u-boot-env"
mtd2: 00200000 00020000 "Factory"
mtd3: 00040000 00020000 "bdinfo"
mtd4: 00200000 00020000 "FIP"
mtd5: 07a40000 00020000 "ubi"
root@OpenWrt:~# ubinfo -a
UBI version:                    1
Count of UBI devices:           1
UBI control device major/minor: 10:127
Present UBI devices:            ubi0

ubi0
Volumes count:                           2
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     978 (124182528 bytes, 118.4 MiB)
Amount of available logical eraseblocks: 934 (118595584 bytes, 113.1 MiB)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  20
Current maximum erase counter value:     2
Minimum input/output unit size:          2048 bytes
Character device major/minor:            250:0
Present volumes:                         0, 1

Volume ID:   0 (on ubi0)
Type:        dynamic
Alignment:   1
Size:        9 LEBs (1142784 bytes, 1.0 MiB)
State:       OK
Name:        ubootenv
Character device major/minor: 250:1
-----------------------------------
Volume ID:   1 (on ubi0)
Type:        dynamic
Alignment:   1
Size:        9 LEBs (1142784 bytes, 1.0 MiB)
State:       OK
Name:        ubootenv2
Character device major/minor: 250:2
root@OpenWrt:~# lsblk
-ash: lsblk: not found
root@OpenWrt:~# df -h
Filesystem                Size      Used Available Use% Mounted on
tmpfs                   242.9M     25.5M    217.3M  11% /
tmpfs                   242.9M    372.0K    242.5M   0% /tmp
tmpfs                   512.0K         0    512.0K   0% /dev
root@OpenWrt:~# mount
tmpfs on / type tmpfs (rw,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
tmpfs on /dev type tmpfs (rw,nosuid,noexec,noatime,size=512k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,noatime,mode=600,ptmxmode=000)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,noatime)
bpffs on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,noatime,mode=700)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,noatime)
root@OpenWrt:~#
```

Also, the content of the different partitions:

And we can see that ubi (mtd5) starts with UBI#, which is good, no? But I can't manage to make it boot :sweat_smile:

```
root@OpenWrt:~# head -c 256 /dev/mtd0 | hexdump -C
00000000  f4 03 00 aa f5 03 01 aa  f6 03 02 aa f7 03 03 aa  |................|
00000010  00 06 81 d2 a0 18 a6 f2  00 10 1e d5 df 3f 03 d5  |.............?..|
00000020  00 3f 19 10 00 c0 1e d5  df 3f 03 d5 0d 01 00 94  |.?.......?......|
00000030  41 01 82 d2 00 10 3e d5  00 00 01 aa 00 10 1e d5  |A.....>.........|
00000040  df 3f 03 d5 00 47 80 d2  00 11 1e d5 00 00 90 d2  |.?...G..........|
00000050  20 00 a2 f2 20 13 1e d5  ff 44 03 d5 00 80 80 d2  | ... ....D......|
00000060  00 02 b8 f2 40 11 1e d5  1b 0f 00 94 60 00 00 35  |....@.......`..5|
00000070  8e 01 00 94 3f 00 00 94  a6 0d 00 94 80 01 00 f0  |....?...........|
00000080  00 00 00 91 a1 01 00 d0  21 00 00 91 21 00 00 cb  |........!...!...|
00000090  52 00 00 94 a0 01 00 90  00 00 17 91 a1 01 00 b0  |R...............|
000000a0  21 00 16 91 21 00 00 cb  5a 00 00 94 a0 01 00 d0  |!...!...Z.......|
000000b0  00 00 00 91 a1 01 00 d0  21 00 00 91 21 00 00 cb  |........!...!...|
000000c0  54 00 00 94 bf 40 00 d5  10 01 00 94 e0 03 14 aa  |T....@..........|
000000d0  e1 03 15 aa e2 03 16 aa  e3 03 17 aa cb 01 00 94  |................|
000000e0  cf 01 00 94 07 01 00 94  f4 03 00 aa 8c 00 00 94  |................|
000000f0  1f 87 0e d5 e5 0c 00 94  80 86 40 a9 20 40 1e d5  |..........@. @..|
00000100
```
```
root@OpenWrt:~# head -c 256 /dev/mtd1 | hexdump -C
00000000  1b bf 10 e0 28 5e 9e 7d  4a b1 0a fb 74 b3 3f d9  |....(^.}J...t.?.|
00000010  a8 0c 82 83 b5 d1 b5 1c  46 88 9d 43 3f 37 1b 28  |........F..C?7.(|
00000020  4b 3e c0 fc 3f c3 8a 03  ae d2 03 1b 5d aa cc 33  |K>..?.......]..3|
00000030  e8 08 ec c3 c3 3e a6 05  97 10 cb 91 02 87 e4 da  |.....>..........|
00000040  7c c8 e3 c5 6d 77 74 88  b6 53 cc 77 bd 73 f9 8e  ||...mwt..S.w.s..|
00000050  d5 d9 93 7c 3a 98 d3 f8  ec c4 da 1e 1e 82 6b fa  |...|:.........k.|
00000060  4f 35 55 fc 84 71 51 04  49 85 b4 af e6 ff 26 d3  |O5U..qQ.I.....&.|
00000070  d6 b0 0e 9b 67 bc 14 c5  79 09 8d 1c 90 db aa 2a  |....g...y......*|
00000080  da 68 5f 2a 16 6b 47 ec  72 d8 75 24 0d 23 de df  |.h_*.kG.r.u$.#..|
00000090  4e e1 f3 da 5a 90 2a f2  6d ae 62 df f3 81 6d 02  |N...Z.*.m.b...m.|
000000a0  d2 4b d1 7a b6 82 a9 e2  d6 c0 f8 1d 21 54 50 0c  |.K.z........!TP.|
000000b0  ee ea 7e 95 f4 f5 f4 ef  5c d9 a9 19 32 4c b4 59  |..~.....\...2L.Y|
000000c0  59 ba c9 f8 b4 f4 1b 89  7e b1 8b 3e e6 74 a0 de  |Y.......~..>.t..|
000000d0  3f 6f 38 38 44 ed f9 bd  9f 09 eb 03 b9 4e ce da  |?o88D........N..|
000000e0  46 ff 12 dd 2d cc 90 c0  92 61 13 26 03 f7 88 09  |F...-....a.&....|
000000f0  fc a9 fe f6 03 9c 51 64  85 6e a3 c3 20 d5 c8 37  |......Qd.n.. ..7|
00000100
root@OpenWrt:~# head -c 256 /dev/mtd2 | hexdump -C
00000000  3e 4f 39 4e 2d 0b f0 98  3a ca 33 d9 00 8e ae fc  |>O9N-...:.3.....|
00000010  9f f3 ca cf 06 d7 a8 f1  65 ef 62 87 d0 17 50 7b  |........e.b...P{|
00000020  cc e4 63 64 6f e4 07 c8  bd f7 b9 6f 4a 1d 3c 91  |..cdo......oJ.<.|
00000030  6b eb 19 c1 f0 92 2a c5  aa b9 bb 41 62 2a 44 b2  |k.....*....Ab*D.|
00000040  70 70 53 4f ac ff 05 63  a5 b9 ff 53 9e b1 77 fc  |ppSO...c...S..w.|
00000050  a1 43 97 57 3d d1 6a fa  e1 a2 52 7e 4e 4f a5 b0  |.C.W=.j...R~NO..|
00000060  03 59 7f 7c 1d 0b 8d 0d  b8 4c 41 2a ed f3 4e 02  |.Y.|.....LA*..N.|
00000070  c0 99 01 d2 cb 5c 18 dd  db 52 8d 7f d9 a8 6d be  |.....\...R....m.|
00000080  76 8a d2 fa d8 1f e2 2f  15 81 29 06 07 c7 42 25  |v....../..)...B%|
00000090  a0 eb b1 c2 91 ae a1 0f  79 4e 76 05 c2 4f 71 34  |........yNv..Oq4|
000000a0  2c a2 ef d8 84 b2 ea 3b  f2 d6 c7 e7 6d 5f 6c 6c  |,......;....m_ll|
000000b0  dd ca 4c 03 fe 22 a8 d0  f1 2f f2 30 ab e0 54 fd  |..L..".../.0..T.|
000000c0  46 94 9d 9b 94 2f cc a0  cc e0 ff 7d ee 17 33 29  |F..../.....}..3)|
000000d0  80 bb 49 8b 28 78 a5 1e  6b f9 ee ba 62 bb 56 d5  |..I.(x..k...b.V.|
000000e0  18 02 af 69 8c 31 54 6e  24 76 9e 81 81 29 1e df  |...i.1Tn$v...)..|
000000f0  ed 58 87 cf 1d 9e 06 81  cd 5f bc dc db 15 cf ec  |.X......._......|
```
00000100
root@OpenWrt:~# head -c 256 /dev/mtd3 | hexdump -C
00000000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000100
root@OpenWrt:~# head -c 256 /dev/mtd4 | hexdump -C
00000000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000100
root@OpenWrt:~# head -c 256 /dev/mtd5 | hexdump -C
00000000  55 42 49 23 01 00 00 00  00 00 00 00 00 00 00 02  |UBI#............|
00000010  00 00 08 00 00 00 10 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 40 93 2d 8c  |............@.-.|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000100
root@OpenWrt:~#
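
The `UBI#` bytes at the start of `/dev/mtd5` are a UBI erase-counter (EC) header, and every erase block of a healthy UBI partition starts with one. As an added example (not code from this thread), the script below decodes that header, verifies its CRC, and walks a raw partition image erase block by erase block, which is the first check to run on a NAND backup before handing it to ubi_reader: it shows which PEBs carry a valid header, which are erased (all 0xFF) and which hold something else. The 64 header bytes are transcribed from the hexdump above; the CRC rule (the kernel's crc32_le seeded with 0xFFFFFFFF and not inverted at the end) is the one UBI and ubi_reader use; the three-PEB image scanned by default is constructed.

```python
"""Parse and CRC-check a UBI erase-counter header and classify the PEBs of a
raw partition dump.  Added example, not from the original thread."""
import struct
import zlib

UBI_EC_HDR_MAGIC = b"UBI#"
UBI_EC_HDR_SIZE = 64               # bytes; hdr_crc covers the first 60
PEB_SIZE = 0x20000                 # erasesize of every partition in /proc/mtd above

# Big-endian struct ubi_ec_hdr (Linux drivers/mtd/ubi/ubi-media.h):
# magic(4) version(1) pad(3) ec(8) vid_hdr_offset(4) data_offset(4)
# image_seq(4) pad(32) hdr_crc(4)
EC_HDR_FMT = ">4sB3xQIII32xI"

# First 64 bytes of /dev/mtd5, transcribed from the hexdump in the post above.
MTD5_HEAD = bytes.fromhex(
    "55424923 01000000 00000000 00000002"
    "00000800 00001000 00000000 00000000"
    "00000000 00000000 00000000 00000000"
    "00000000 00000000 00000000 40932d8c"
)


def ubi_crc32(data: bytes) -> int:
    """UBI's CRC is the kernel's crc32_le() seeded with 0xFFFFFFFF and *not*
    inverted at the end, i.e. zlib's CRC32 with the final XOR undone."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def parse_ec_hdr(blob: bytes) -> dict:
    """Decode one erase-counter header and check its CRC."""
    if len(blob) < UBI_EC_HDR_SIZE:
        raise ValueError("need at least 64 bytes")
    hdr = blob[:UBI_EC_HDR_SIZE]
    magic, version, ec, vid_off, data_off, image_seq, hdr_crc = struct.unpack(EC_HDR_FMT, hdr)
    if magic != UBI_EC_HDR_MAGIC:
        raise ValueError(f"not a UBI EC header: magic {magic!r}")
    return {
        "version": version,
        "ec": ec,                          # erase counter of this PEB
        "vid_hdr_offset": vid_off,         # where the VID header sits in the PEB
        "data_offset": data_off,           # where LEB data starts in the PEB
        "image_seq": image_seq,
        "hdr_crc": hdr_crc,
        "crc_ok": ubi_crc32(hdr[:-4]) == hdr_crc,
    }


def build_ec_hdr(ec: int, vid_hdr_offset: int, data_offset: int, image_seq: int) -> bytes:
    """Assemble a version-1 EC header with a correct CRC."""
    body = struct.pack(">4sB3xQIII32x", UBI_EC_HDR_MAGIC, 1, ec,
                       vid_hdr_offset, data_offset, image_seq)
    return body + struct.pack(">I", ubi_crc32(body))


def scan_pebs(image: bytes, peb_size: int = PEB_SIZE) -> list:
    """Classify every physical erase block of a raw partition dump."""
    result = []
    for idx, off in enumerate(range(0, len(image), peb_size)):
        head = image[off:off + UBI_EC_HDR_SIZE]
        if head == b"\xff" * len(head):
            result.append((idx, "erased"))
        elif head.startswith(UBI_EC_HDR_MAGIC):
            status = "ubi-ec-ok" if parse_ec_hdr(head)["crc_ok"] else "ubi-ec-bad-crc"
            result.append((idx, status))
        else:
            result.append((idx, "non-ubi"))
    return result


def make_sample_dump() -> bytes:
    """Constructed three-PEB image: the real header above, an erased PEB, garbage."""
    return (MTD5_HEAD.ljust(PEB_SIZE, b"\x00")
            + b"\xff" * PEB_SIZE
            + b"not ubi at all".ljust(PEB_SIZE, b"\x00"))


if __name__ == "__main__":
    for name, value in parse_ec_hdr(MTD5_HEAD).items():
        if isinstance(value, int) and not isinstance(value, bool):
            print(f"{name:>15}: {value:#x}")
        else:
            print(f"{name:>15}: {value}")
    print(scan_pebs(make_sample_dump()))
```

On the bytes from the post this gives version 1, erase counter 2, VID header at 0x800 and data at 0x1000 within each 128 KiB PEB, with a matching CRC. To use it on a backup, read the whole partition image and call `scan_pebs()` on it; a run of `non-ubi` or `ubi-ec-bad-crc` blocks is where a dump went wrong.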

So I made some progress :smiley: It seems that it's my BL2; here is why:

        ( ( ( OpenWrt ) ) )       U-Boot 2024.10-OpenWrt-r28959-29397011cc (Oct 19 2025 - 16:37:45 +0000)

      1. Run default boot command.
      2. Boot system via TFTP.
      3. Boot production system from NAND.
      4. Boot recovery system from NAND.
      5. Load production system via TFTP then write to NAND.
      6. Load recovery system via TFTP then write to NAND.
      7. Load BL31+U-Boot FIP via TFTP then write to NAND.
      8. Load BL2 preloader via TFTP then write to NAND.
      9. Reboot.
      a. Reset all settings to factory defaults.
      0. Exit


  Press UP/DOWN to move, ENTER to select, ESC to quit

I tried to use menu 8 and write it to NAND, but even if it works to revive my WAX210, as we can see just here:

username@mbp-username mtk_uartboot % ./mtk_uartboot -s /dev/tty.usbserial-0001 -p bl2_ok.bin --aarch64 -f openwrt-24.10.4-mediatek-filogic-cudy_tr3000-v1-ubootmod-bl31-uboot.fip
mtk_uartboot - 0.1.1
Using serial port: /dev/tty.usbserial-0001
Handshake...
hw code: 0x7981
hw sub code: 0x8a00
hw ver: 0xca00
sw ver: 0x1
Baud rate set to 460800
sending payload to 0x201000...
Checksum: 0x32fc
Setting baudrate back to 115200
Jumping to 0x201000 in aarch64...
Waiting for BL2. Message below:
==================================
NOTICE:  BL2: v2.10.0	(release):OpenWrt v2024.01.17~bacca82a-3 (mt7981-ram-ddr4)
NOTICE:  BL2: Built : 16:37:45, Oct 19 2025
NOTICE:  WDT: Cold boot
NOTICE:  WDT: disabled
NOTICE:  EMI: Using DDR4 settings
NOTICE:  EMI: Detected DRAM size: 512MB
NOTICE:  EMI: complex R/W mem test passed
NOTICE:  CPU: MT7981 (1300MHz)
NOTICE:  Starting UART download handshake ...
==================================
BL2 UART DL version: 0x10
Baudrate set to: 921600
FIP sent.
==================================
NOTICE:  Received FIP 0xddf29 @ 0x40400000 ...
==================================
deradi@mbp-deradi mtk_uartboot % 

When I use it in menu 8 I get a

system halt !

and if I use the preloader from the TR3000, here is what I get:

resetting ...

F0: 102B 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 0000 0000
V0: 0000 0000 [0001]
00: 0000 0000
BP: 2400 0041 [0000]
G0: 1190 0000
EC: 0000 0000 [1000]
T0: 0000 0236 [010F]
Jump to BL

NOTICE:  BL2: v2.10.0   (release):OpenWrt v2024.01.17~bacca82a-3 (mt7981-cudy-tr3000-v1)
NOTICE:  BL2: Built : 16:37:45, Oct 19 2025
NOTICE:  WDT: [40000000] Software reset (reboot)
NOTICE:  EMI: Using DDR3 settings
NOTICE:  EMI: Detected DRAM size: 0MB

which is logical, since the WAX210 has DDR4, while I just realized that the Cudy TR3000 has DDR3. So it seems that I'm only missing a preloader for the MT7981 CPU with DDR4? Right? Or is it more complicated than that?

Is it worth doing some extra soldering on another WAX210 that I have, to make some dumps?

By dump I mean doing a backup …

And this is only needed if you run around like a headless chicken.

root@OpenWrt:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00020000 "BL2"
mtd1: 00080000 00020000 "u-boot-env"
mtd2: 00200000 00020000 "Factory"
mtd3: 00040000 00020000 "bdinfo"
mtd4: 00200000 00020000 "FIP"
mtd5: 07a40000 00020000 "ubi"

BL2 and u-boot-env are for the bootloader, but I'm not really sure,

.. the chip vendor doc may help here

For factory, bdinfo and FIP I don't know.

On top of this you used some image from the Cudy TR3000, which may or may not be correct for your device.

If you have some other WAX210, take the "broken" one aside and start from the very beginning:

add a serial, follow here

Also you need to find the device dts; usually this should be in the firmware update files. binwalk, dd, dtc and other tools are needed.

And don't write any file/data to flash,

.. and I don't need to accidentally delete my own post …

-rw-rw-rw- 1 elektroman elektroman 27485079 Jul 25 07:51 WAX210-V1.1.0.34.bin
-rw-rw-rw- 1 elektroman elektroman     3435 Jul 25 07:50 WAX210-V1.1.0.34_Release_Notes.HTML
-rw-r--r-- 1 elektroman elektroman 27470494 Dec  2 11:22 WAX210-V1.1.0.34.zip

Vendor firmware is useless. The zip file and the bin file have almost the same size, so the bin is encrypted.
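
The "same size as the zip, so it is encrypted" argument can be checked with a per-block Shannon entropy profile; the script below is an added example, not code from this thread. Ciphertext sits near 8 bits per byte, but so does compressed data, so entropy alone cannot tell AES from xz; what it does show is where the low-entropy regions are (an unencrypted header, padding, plain-text strings), which is exactly what a decryptor needs to know before it skips a header and takes IV candidates from it. The sample image is constructed (one 4 KiB block holding a printable header, then PRNG bytes standing in for ciphertext); pass a real file as the first argument to profile it instead.

```python
"""Per-block Shannon entropy scan of a firmware image.  Added example, not from
the original thread; the default input is a constructed sample."""
import math
import random
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block: int = 4096) -> list:
    """[(offset, entropy)] for each consecutive block of the image."""
    return [(off, shannon_entropy(data[off:off + block]))
            for off in range(0, len(data), block)]


def summarize(profile: list, high: float = 7.9, low: float = 6.0) -> dict:
    """Fraction of blocks at ciphertext-like entropy, plus the offsets of the
    low-entropy blocks (headers, padding, plain text) worth looking at."""
    n = len(profile)
    high_blocks = sum(1 for _, e in profile if e >= high)
    return {
        "blocks": n,
        "high_fraction": high_blocks / n if n else 0.0,
        "low_offsets": [off for off, e in profile if e < low],
    }


def make_sample_firmware(body_len: int = 64 * 1024, seed: int = 1234) -> bytes:
    """Constructed stand-in for an encrypted image: a 4 KiB printable header
    block followed by deterministic PRNG bytes (as flat as ciphertext)."""
    header = b"FAKE-HEADER model=WAX210 version=1.1.0.34 ".ljust(4096, b"\x00")
    rng = random.Random(seed)
    body = bytes(rng.getrandbits(8) for _ in range(body_len))
    return header + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = make_sample_firmware()
    profile = entropy_profile(image)
    for off, e in profile[:8]:
        print(f"{off:#010x}  {e:5.3f}")
    print(summarize(profile))
```

On a real vendor image, a `high_fraction` near 1.0 with only a handful of `low_offsets` at the start is consistent with an encrypted body behind a small clear header; a squashfs or xz payload looks the same, so the decisive test remains a successful decrypt that yields a known magic.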

That's correct, but I managed to decrypt it with the code below (I tried to make it nicer, so if you want to try it's easier).

You'll need: pip3 install pycryptodome

and run decrypt_wax210.py (or the name you want) with the firmware:

WAX210-V1.1.0.34.bin

in the same folder. It should work. FYI, I've just HIDDEN my MAC and serial number.

#!/usr/bin/env python3
"""
Bruteforce WAX210 firmware encryption
Tests candidate keys derived from the known MAC / serial / Netgear key strings.
Usage: decrypt_wax210.py [WAX210-V1.1.0.34.bin]
"""

import hashlib
import sys
import time

from Crypto.Cipher import AES  # pip3 install pycryptodome

HEADER_LEN = 256   # assumed size of the unencrypted header skipped before the ciphertext
PROBE_LEN = 2048   # how many bytes to decrypt when probing a key/IV pair

# Common magic bytes found in firmware images
MAGIC_PATTERNS = [
    b'hsqs',                # SquashFS (little-endian)
    b'\x1f\x8b\x08',        # gzip
    b'\x5d\x00\x00',        # LZMA "alone" header (props 0x5d, dict size LE)
    b'UBI#',                # UBI erase-counter header
    b'\x27\x05\x19\x56',    # U-Boot legacy image
    b'\xd0\x0d\xfe\xed',    # Flattened device tree / FIT image
    b'Linux version',       # kernel banner string
]


def test_decrypt(encrypted_data, key, iv, mode=AES.MODE_CBC):
    """Decrypt a probe-sized prefix and look for a known magic value."""
    probe = encrypted_data[:PROBE_LEN]
    probe = probe[:len(probe) - len(probe) % AES.block_size]  # CBC needs whole blocks
    try:
        decrypted = AES.new(key, mode, iv).decrypt(probe)
    except (ValueError, TypeError):
        return False, None
    for magic in MAGIC_PATTERNS:
        if magic in decrypted:
            return True, magic
    return False, None


def derive_keys():
    """Generate candidate keys: raw strings, case variants and their hashes."""

    # WAX210 device information (redacted)
    mac = "HIDDEN"
    serial = "HIDDEN"
    model = "WAX210"

    # 1. Guessed raw key strings
    raw_keys = [
        mac,
        serial,
        model,
        f"{mac}{serial}",
        f"{model}{mac}",
        f"{model}{serial}",
        "NtgrBusiness",
        "DNI_FIRMWARE",
        "NETGEAR_FW",
        "DNI_WAX210",
        "Delta_Networks",
        "wax210_key",
        "NETGEAR2024",
        "DNI2024",
    ]

    # 2. Case variants
    candidates = []
    for key in raw_keys:
        for variant in (key, key.lower(), key.upper()):
            candidates.append(variant.encode())

    # 3. The raw bytes themselves plus the usual hash derivations (MD5/SHA)
    hash_funcs = [
        lambda x: x,
        lambda x: hashlib.md5(x).digest(),
        lambda x: hashlib.sha256(x).digest(),
        lambda x: hashlib.sha1(x).digest(),
    ]

    derived = []
    seen = set()
    for raw in candidates:
        for hash_func in hash_funcs:
            k = hash_func(raw)
            if k not in seen:   # case variants collide after .lower()/.upper()
                seen.add(k)
                derived.append(k)
    return derived


def fit_key(key_raw, key_size):
    """Zero-pad or truncate a candidate to the AES key length."""
    return key_raw.ljust(key_size, b'\x00')[:key_size]


def main():
    filename = sys.argv[1] if len(sys.argv) > 1 else 'WAX210-V1.1.0.34.bin'
    print("[*] WAX210 Firmware Decryptor")
    print(f"[*] Loading {filename}...")

    # read the firmware
    try:
        with open(filename, 'rb') as f:
            header = f.read(HEADER_LEN)
            encrypted = f.read()
    except FileNotFoundError:
        print(f"[-] Error: {filename} not found!")
        print("    Make sure you are in the folder ~/Downloads/WAX210-V1/")
        return

    print(f"[*] Firmware loaded: {len(encrypted)} bytes")
    print(f"[*] Header: {header[:32].hex()}")

    # Generate possible keys
    key_candidates = derive_keys()
    print(f"[*] {len(key_candidates)} candidate keys generated")

    # Possible IVs
    iv_candidates = [
        b'\x00' * 16,          # null IV (common)
        header[0x20:0x30],     # IV taken from the header
        header[0x10:0x20],     # other header position
        b'\xff' * 16,          # 0xFF IV
    ]

    # AES key sizes
    key_sizes = [16, 32]  # AES-128, AES-256

    # counter
    total = len(key_candidates) * len(iv_candidates) * len(key_sizes)
    tested = 0
    start_time = time.time()

    print(f"[*] Testing {total} combinations...")
    print("[*] Starting bruteforce...\n")

    # Bruteforce
    for key_raw in key_candidates:
        for key_size in key_sizes:
            key = fit_key(key_raw, key_size)

            for iv in iv_candidates:
                tested += 1

                # show progress every 100 tests
                if tested % 100 == 0:
                    elapsed = max(time.time() - start_time, 1e-9)
                    print(f"\r[*] Tested: {tested}/{total} ({tested / elapsed:.0f} tests/sec)", end='')

                success, magic = test_decrypt(encrypted, key, iv)
                if not success:
                    continue

                print("\n\n[+] *** KEY FOUND! ***")
                print(f"[+] Key (hex): {key.hex()}")
                print(f"[+] IV (hex): {iv.hex()}")
                print(f"[+] Size: AES-{key_size * 8}")
                print(f"[+] Magic bytes: {magic}")

                # decrypt the whole firmware (drop any trailing partial block)
                print("[*] Decrypting the complete firmware...")
                body = encrypted[:len(encrypted) - len(encrypted) % AES.block_size]
                decrypted_full = AES.new(key, AES.MODE_CBC, iv).decrypt(body)

                with open('WAX210-decrypted.bin', 'wb') as out:
                    out.write(decrypted_full)

                print("[+] Decrypted firmware saved: WAX210-decrypted.bin")
                print(f"[*] Total time: {time.time() - start_time:.2f}s")
                print("\n[*] Analyse with: binwalk -e WAX210-decrypted.bin")
                return

    # No key found
    elapsed = max(time.time() - start_time, 1e-9)
    print(f"\n\n[-] No key found after {tested} attempts ({elapsed:.2f}s)")
    print(f"[-] Rate: {tested / elapsed:.0f} tests/sec")


if __name__ == '__main__':
    main()

but it looked like a dead end (or my piece of code isn't really working :smiley: )

It's too late, I already messed up the router (it's a brick now :sweat_smile:)
I managed to get the DTS that was backed up in my UBI.bin, extracted from the original dump:

// SPDX-License-Identifier: GPL-2.0-or-later OR MIT

/dts-v1/;
#include "mt7981.dtsi"
#include "mt7981-pinctrl.dtsi"
/* needed for KEY_RESTART and the GPIO_ACTIVE_* flags used below */
#include <dt-bindings/gpio/gpio.h>
#include <dt-bindings/input/input.h>

/ {
	model = "Netgear WAX210";
	compatible = "netgear,wax210", "mediatek,mt7981";

	aliases {
		serial0 = &uart0;
		led-boot = &led_power;
		led-failsafe = &led_power;
		led-running = &led_power;
		led-upgrade = &led_power;
	};

	chosen {
		stdout-path = "serial0:115200n8";
	};

	leds {
		compatible = "gpio-leds";

		led_power: power {
			label = "green:power";
			gpios = <&pio 13 GPIO_ACTIVE_HIGH>;
			default-state = "on";
		};

		led_amber {
			label = "amber:power";
			gpios = <&pio 12 GPIO_ACTIVE_HIGH>;
			default-state = "off";
		};
	};

	keys {
		compatible = "gpio-keys";

		reset {
			label = "reset";
			gpios = <&pio 1 GPIO_ACTIVE_LOW>;
			linux,code = <KEY_RESTART>;
		};
	};
};

&uart0 {
	status = "okay";
};

&eth {
	status = "okay";
	phy-mode = "gmii";
	phy-handle = <&phy0>;

	mdio {
		phy0: ethernet-phy@0 {
			reg = <0>;
			phy-mode = "gmii";
		};
	};
};

&spi0 {
	pinctrl-names = "default";
	pinctrl-0 = <&spi0_flash_pins>;
	status = "okay";

	spi_nand@0 {
		#address-cells = <1>;
		#size-cells = <1>;
		compatible = "spi-nand";
		reg = <0>;
		spi-max-frequency = <52000000>;

		partitions {
			compatible = "fixed-partitions";
			#address-cells = <1>;
			#size-cells = <1>;

			partition@0 {
				label = "bl2";
				reg = <0x0 0x100000>;
				read-only;
			};

			partition@100000 {
				label = "u-boot-env";
				reg = <0x100000 0x80000>;
			};

			partition@180000 {
				label = "factory";
				reg = <0x180000 0x200000>;
				read-only;
			};

			partition@380000 {
				label = "fip";
				reg = <0x380000 0x200000>;
				read-only;
			};

			partition@580000 {
				label = "firmware";
				reg = <0x580000 0x3A80000>;
			};
		};
	};
};

&pio {
	spi0_flash_pins: spi0-pins {
		mux {
			function = "spi";
			groups = "spi0", "spi0_wp_hold";
		};
		conf-pu {
			pins = "SPI0_CS", "SPI0_HOLD", "SPI0_WP";
			drive-strength = <8>;
			bias-pull-up = <103>;
		};
		conf-pd {
			pins = "SPI0_CLK", "SPI0_MOSI", "SPI0_MISO";
			drive-strength = <8>;
			bias-pull-down = <103>;
		};
	};
};

Not sure it's the first version though, because I played a bit with it... :sweat_smile:

I ran this Python script to get the dtb from the ubi.bin partition (originally commented in French, but nothing crazy to understand I think):

#!/usr/bin/env python3
"""Find and extract flattened device tree blobs (DTB) from a UBI dump by
scanning for the FDT magic and sanity-checking the header that follows it."""
import struct
import sys

# Device tree magic (d0 0d fe ed), big endian.  OpenWrt FIT images (.itb)
# start with the same magic; they are far larger than a DTB and are dropped
# by the size bound below.
FDT_MAGIC = b'\xd0\x0d\xfe\xed'
# magic, totalsize, off_dt_struct, off_dt_strings, off_mem_rsvmap,
# version, last_comp_version (all big-endian 32-bit)
FDT_HEADER_FMT = '>7I'
FDT_HEADER_LEN = struct.calcsize(FDT_HEADER_FMT)  # 28 bytes


def valid_fdt_header(data, offset):
    """Return totalsize if the header at `offset` is consistent, else None.
    A DTB is rarely larger than 200 KB or smaller than 100 bytes, and the
    struct/strings/memreserve offsets must all lie inside totalsize."""
    if offset + FDT_HEADER_LEN > len(data):
        return None
    (_magic, totalsize, off_struct, off_strings,
     off_rsvmap, version, last_comp) = struct.unpack_from(FDT_HEADER_FMT, data, offset)
    if not 100 < totalsize < 200_000:
        return None
    if offset + totalsize > len(data):
        return None
    if not (FDT_HEADER_LEN <= off_rsvmap < totalsize
            and FDT_HEADER_LEN <= off_struct < totalsize
            and FDT_HEADER_LEN <= off_strings <= totalsize):
        return None
    if last_comp > version:
        return None
    return totalsize


def find_dtbs(filename):
    # Prefer a volume image written by ubi_reader over the raw partition:
    # in a raw dump a DTB can be split across PEBs with UBI headers in between.
    with open(filename, 'rb') as f:
        data = f.read()

    file_len = len(data)
    offset = 0
    found_count = 0

    print(f"Analyzing {filename} ({file_len} bytes)...")

    while True:
        # Look for the magic signature
        offset = data.find(FDT_MAGIC, offset)
        if offset == -1:
            break

        # Potential header found
        print(f"\n[+] DTB header found at offset: {offset} (0x{offset:x})")

        totalsize = valid_fdt_header(data, offset)
        if totalsize is None:
            print("    ---> False positive (inconsistent header).")
        else:
            print(f"    Declared size: {totalsize} bytes")
            dtb_content = data[offset:offset + totalsize]
            output_name = f"extracted_{found_count}.dtb"

            with open(output_name, 'wb') as out:
                out.write(dtb_content)

            print(f"    ---> Extracted to: {output_name}")
            found_count += 1

        # Move on to look for the next one
        offset += 4

    print(f"\nDone. {found_count} .dtb file(s) extracted.")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python find_dtb.py <ubi_file>")
    else:
        find_dtbs(sys.argv[1])

from there I ran :

dtc -I dtb -O dts extracted_0.dtb > wax210.dts

(don't pay attention to warnings)

and I got the dts

(or what I think looks like it :smiley:)

@kjoshj hello, maybe you have an idea? Since you managed to do it for the WAX202?
Or maybe @RaylynnKnight, since you managed to install OpenWrt on the WAX220?

Very sorry to bother you guys :melting_face:
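
The two partition layouts on this page do not agree, and the cross-check below (an added example, not code from the thread) makes that explicit. The /proc/mtd text is transcribed from the Cudy TR3000 image booted in RAM earlier in the thread, and the partition list from the DTS just posted. /proc/mtd gives sizes but no offsets, so the script assumes the partitions are contiguous in listing order, which is what a fixed-partitions table guarantees. It reports the span of each layout, erase-block alignment, gaps and overlaps, and every pair of partitions from the two tables that cover overlapping ranges under different names or bounds.

```python
"""Cross-check the /proc/mtd table against the DTS fixed-partitions node.
Added example, not from the original thread; inputs transcribed from it."""

# Verbatim /proc/mtd output from the thread (sizes in hex bytes).
PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00100000 00020000 "BL2"
mtd1: 00080000 00020000 "u-boot-env"
mtd2: 00200000 00020000 "Factory"
mtd3: 00040000 00020000 "bdinfo"
mtd4: 00200000 00020000 "FIP"
mtd5: 07a40000 00020000 "ubi"
"""

# (label, offset, size) copied from the reg = <offset size> of the DTS above.
DTS_PARTITIONS = [
    ("bl2",        0x000000, 0x0100000),
    ("u-boot-env", 0x100000, 0x0080000),
    ("factory",    0x180000, 0x0200000),
    ("fip",        0x380000, 0x0200000),
    ("firmware",   0x580000, 0x3A80000),
]


def parse_proc_mtd(text: str) -> list:
    """[(name, offset, size, erasesize)]; offsets are accumulated in listing
    order, which assumes contiguous fixed partitions."""
    parts, offset = [], 0
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        _dev, size_hex, erase_hex, name = line.split(maxsplit=3)
        size, erase = int(size_hex, 16), int(erase_hex, 16)
        parts.append((name.strip('"'), offset, size, erase))
        offset += size
    return parts


def layout_checks(parts: list, erasesize: int = 0x20000) -> tuple:
    """(end_of_last_partition, issues) for a [(name, offset, size)] list:
    alignment to the erase block, gaps and overlaps."""
    issues, end = [], 0
    for name, off, size in sorted(parts, key=lambda p: p[1]):
        if off % erasesize or size % erasesize:
            issues.append(f"{name}: not erase-block aligned")
        if off < end:
            issues.append(f"{name}: overlaps the previous partition")
        elif off > end:
            issues.append(f"{name}: gap of {off - end:#x} before it")
        end = max(end, off + size)
    return end, issues


def diff_layouts(a: list, b: list) -> list:
    """Pairs of partitions whose byte ranges intersect but that are not the
    same partition (same label, case-insensitive, same offset and size)."""
    out = []
    for na, oa, sa in a:
        for nb, ob, sb in b:
            same = na.lower() == nb.lower() and oa == ob and sa == sb
            if not same and oa < ob + sb and ob < oa + sa:
                out.append((na, f"{oa:#x}-{oa + sa:#x}", nb, f"{ob:#x}-{ob + sb:#x}"))
    return out


def mtd_triples(text: str = PROC_MTD) -> list:
    """The /proc/mtd table as (name, offset, size) for the checks above."""
    return [(n, o, s) for n, o, s, _ in parse_proc_mtd(text)]


if __name__ == "__main__":
    mtd = mtd_triples()
    for label, parts in (("/proc/mtd", mtd), ("DTS", DTS_PARTITIONS)):
        end, issues = layout_checks(parts)
        print(f"{label}: spans {end:#x} ({end >> 20} MiB), issues: {issues or 'none'}")
    for row in diff_layouts(mtd, DTS_PARTITIONS):
        print("  differs: /proc/mtd %s %s  vs  DTS %s %s" % row)
```

Run as-is, it shows the mtd table spanning 0x8000000 (128 MiB) with bdinfo at 0x380000 and FIP at 0x3c0000, while the DTS spans 0x4000000 (64 MiB) with fip at 0x380000 and no bdinfo. A U-Boot built for one layout writes BL2 and FIP (menus 7 and 8 above) at the offsets its own configuration defines, so which table actually describes the WAX210's flash is worth settling before anything is written to NAND.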

I don’t do this-

The kernel (which is not upstream) is already hard enough.

So you can back up the flash from the "working" device and know the partitions are right.

For finding the dtb use binwalk and dd; it's easier than writing a script.

And sometimes you get more information ..

Hello,

It's actually already done :
Here

Not what the Github Bio says :wink:

Would anyone else have an idea, besides doing extra soldering? :slight_smile:

If both devices boot via serial, you don't need extra soldering.

OpenWrt uses a different dts layout, especially for kernel+squashfs and overlay.

Note

BL2, u-boot-env, Factory, bdinfo, and FIP are write protected …; the write protection can be disabled via dts.

bdinfo contains the MAC address.