I have one of these devices and have used them on stock firmware for a period of time. I'll be looking at OpenWrt support since IPQ60xx support seems to be maturing (especially on forks on github). The device uses a 4.4 OpenWrt kernel on the stock firmware.
CPU: IPQ6018
RAM: 512MB
FLASH: 256MB (dual partition)
Bootlog:
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.0.3-00077-IPQ60xxLZB-2
S - IMAGE_VARIANT_STRING=IPQ6018LA
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu64
S - Boot Interface: NAND
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000002e4
S - JTAG ID @ 0x000a607c = 0x0013a0e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0xccea5fc1
S - OEM Config Row 0 @ 0x000a4188 = 0x0000000000000000
S - OEM Config Row 1 @ 0x000a4190 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4130 = 0x0000000008000001
S - Feature Config Row 1 @ 0x000a4138 = 0x02c3e83383000009
S - PBL Patch Ver: 1
S - I-cache: On
S - D-cache: On
B - 3413 - PBL, Start
B - 592 - bootable_media_detect_entry, Start
B - 4339 - bootable_media_detect_success, Start
B - 5207 - elf_loader_entry, Start
B - 5380 - auth_hash_seg_entry, Start
B - 7847 - auth_hash_seg_exit, Start
B - 8344 - elf_segs_hash_verify_entry, Start
B - 110495 - elf_segs_hash_verify_exit, Start
B - 114920 - auth_xbl_sec_hash_seg_entry, Start
B - 115063 - auth_xbl_sec_hash_seg_exit, Start
B - 121613 - xbl_sec_segs_hash_verify_entry, Start
B - 121614 - xbl_sec_segs_hash_verify_exit, Start
B - 122543 - PBL, End
B - 103303 - SBL1, Start
B - 243390 - GCC [RstStat:0x0, RstDbg:0x600000] WDog Stat : 0x4
B - 245830 - clock_init, Start
D - 2531 - clock_init, Delta
B - 254309 - boot_flash_init, Start
D - 29707 - boot_flash_init, Delta
B - 287279 - sbl1_ddr_set_default_params, Start
D - 213 - sbl1_ddr_set_default_params, Delta
B - 293898 - boot_config_data_table_init, Start
D - 4727 - boot_config_data_table_init, Delta - (575 Bytes)
B - 303719 - CDT Version:2,Platform ID:8,Major ID:3,Minor ID:2,Subtype:0
B - 308599 - Image Load, Start
D - 6619 - OEM_MISC Image Loaded, Delta - (0 Bytes)
B - 317932 - Image Load, Start
D - 5063 - PMIC Image Loaded, Delta - (0 Bytes)
B - 325801 - sbl1_ddr_set_params, Start
B - 330772 - CPR configuration: 0x366
B - 333975 - Pre_DDR_clock_init, Start
D - 183 - Pre_DDR_clock_init, Delta
D - 0 - sbl1_ddr_set_params, Delta
B - 370636 - Image Load, Start
D - 458 - APDP Image Loaded, Delta - (0 Bytes)
B - 383720 - Image Load, Start
D - 427 - QTI_MISC Image Loaded, Delta - (0 Bytes)
B - 386160 - Image Load, Start
D - 885 - Auth Metadata
D - 701 - Segments hash check
D - 22509 - QSEE Dev Config Image Loaded, Delta - (36354 Bytes)
B - 410621 - Image Load, Start
D - 6527 - Auth Metadata
D - 10553 - Segments hash check
D - 335958 - QSEE Image Loaded, Delta - (1470632 Bytes)
B - 747006 - Image Load, Start
D - 762 - Auth Metadata
D - 976 - Segments hash check
D - 35075 - RPM Image Loaded, Delta - (102664 Bytes)
B - 783789 - Image Load, Start
D - 671 - Auth Metadata
D - 3080 - Segments hash check
D - 117852 - APPSBL Image Loaded, Delta - (541348 Bytes)
B - 917257 - SBL1, End
D - 814259 - SBL1, Delta
S - Flash Throughput, 4000 KB/s (2152245 Bytes, 431872 us)
S - Core 0 Frequency, 800 MHz
S - DDR Frequency, 466 MHz
U-Boot 2016.01-V9.0.0.23 (May 21 2020 - 11:58:58 +0530)
DRAM: smem ram ptable found: ver: 2 len: 4
512 MiB
NAND: ONFI device found
ID = 9500a1ef
Vendor = ef
Device = a1
SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 0000
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
128 MiB
MMC: sdhci: Node Not found, skipping initialization
PCI0 is not defined in the device tree
In: serial@78B1000
Out: serial@78B1000
Err: serial@78B1000
Product ID: WAX610
HW Version: 1.0
machid: 8030200
Power source: Adaptor
eth2 MAC Address from ART is not valid
eth3 MAC Address from ART is not valid
eth4 MAC Address from ART is not valid
eth5 MAC Address from ART is not valid
Hit any key to stop autoboot: 0
Erasing NAND...
Erasing at 0xde0000 -- 100% complete.
Writing to NAND... OK
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 44 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 356, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 4, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 60/18, WL threshold: 4096, image sequence number: 139228212
ubi0: available PEBs: 0, total reserved PEBs: 356, PEBs reserved for bad PEB handling: 20
Read 0 bytes from volume kernel to 44000000
No size specified -> Using max size (4595836)
## Loading kernel from FIT Image at 44000000 ...
Using 'config@cp03-c1' configuration
Trying 'kernel@1' kernel subimage
Description: ARM OpenWrt Linux-4.4.60
Type: Kernel Image
Compression: gzip compressed
Data Start: 0x440000e4
Data Size: 3985847 Bytes = 3.8 MiB
Architecture: ARM
OS: Linux
Load Address: 0x41008000
Entry Point: 0x41008000
Hash algo: crc32
Hash value: 31a23c74
Hash algo: sha1
Hash value: 673770d28a245817617477d628482770eb2ced65
Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000000 ...
Using 'config@cp03-c1' configuration
Trying 'fdt@cp03-c1' fdt subimage
Description: ARM OpenWrt qcom-ipq60xx-cpxx device tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x4444f5e8
Data Size: 73811 Bytes = 72.1 KiB
Architecture: ARM
Hash algo: crc32
Hash value: 57916838
Hash algo: sha1
Hash value: 3f17eb5447993d1bafb4a83cec543cf1df9f3d7e
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x4444f5e8
Uncompressing Kernel Image ... OK
Loading Device Tree to 484ea000, end 484ff052 ... OK
Could not find PCI in device tree
Using machid 0x8030200 from environment
Starting kernel ...
The device has serial headers already installed. Connection is as follows (remember TX to RX, RX to TX):
A little off topic, but my device is a WAX610NA, normally locked to the United States region on stock firmware. Halting uboot and waiting a moment for the IPQ6018 prompt allows us to dump device specific info and rewrite it to change the region:
IPQ6018# board_parameters_show
NAND read: device 0 offset 0x6b00000, size 0x20000
131072 bytes read: OK
Serial Number: XXXXXXXXXXXXX
productid: WAX610
hwversion : 1.0
subhwversion : 1.0
region-info : 1
board_type : WAX610
device_type : WAX610NA
default_ssid : NETGEARXXXXXX-SETUP
default_wifi_password : sharedsecret
default_ipaddr : 192.168.0.100
default_admin_user : admin
default_admin_password : password
lan_mac: XX:XX:XX:XX:XX:XX
wlan_mac: XX:XX:XX:XX:XX:XX
(Unique information has been removed)
Regions
0 - Unused?
1 - NA/US
2 - JP
3 - EU/WW
Changing device_type appears to be unnecessary, but could be done.
To write this data, one could edit the command below as needed. The example given uses the EU region, which unlocks most regions aside from US and Japan (maybe others).
board_parameters_set XXXXXXXXXXXXX WAX610 1.0 1.0 3 WAX610 WAX610NA NETGEARXXXXXX-SETUP sharedsecret 192.168.0.100 admin password XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX
Then factory reset the device via GUI or button to make the new region take effect.
More findings / development to come as time allows. Help welcome.