OpenWrt support for WAX206

This PR for WAX202 also mentions WAX206, so I guess that user looked at both downstream source releases:

So maybe just ask her/him if he started on it?

Or start with that PR and compare the downstream dts files?

1 Like

The MT7621 is a Ramips 1004KEc SOC, while MT7622 (which is in the WAX206) is an ARM Cortex-A53.
I don't think one can use anything from wax202 in wax206

haa, he's speaking about an encryption key

  • openwrt/tools/imgencoder/src/imagekey.h
    Contains the encryption key and IV. It appears the same key/IV is used
    for other Netgear devices including WAX206 and EX6400v3.
1 Like

Oh lol, nevermind then :wink: I obviously didn't even check that, I just saw that PR and this thread with the very similar device name.

I got my two WAX206 in my hands now. Already soldered serial on one but won't get to actual porting action until next week. Stay tuned!

1 Like

Found an open box for 50€, on ebay yesterday, it'll arrive tomorrow.

Unfortunately I don't have the tools to get the serial up and running, but I'll try to create an initramfs.

In @d4rkeagle6591's boot log (and in the photos), you can see it using the RTL221B for the 2.5gbe port. It was added in kernel 5.10, so I can't use most recent stable as base.

https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=caaac9ab3bb34a067001595648f6fb6b57621202

For those with serial console access, I've made my 1st attempt (ever) to build an initramfs.
If the boot loader accepts input, select 1. System Load Linux to SDRAM via TFTP.
and UL the file below.
You will probably need to rename it, and set a static IP on the TFTP host NIC.

Let it try, it should print the values used, make the changes required to the TFTP host (IP, file name), and retry.
Post the TFTP params.

Image's based on the Linksys E8450, and I also tried to add the Realtek 2.5gbe, but I'm
not sure it was successful.

Link is live for 30 days from the time of posting https://1fichier.com/?424f2ztb6e9pdczfqiku

I'm unable to try the image myself, even if the device is delivered on time, I don't have any USB TTL adapter until I get home, in one week.

1 Like

Hello Everyone,

I just got mine today.
How do I open the device? I can see no screws, so I suppose it's held together by plastic claws that snap in place. How do I undo them properly without breaking them?

Check under the bottom stickers, or the photos in the 2nd post.

1 Like

There are a few screws from the stand itself. Once you get those open, the panel on the bottom (if you orient it based on the majority of the ethernet ports) opens via the plastic claws. They actually used pretty good plastic for the plastic claws and its rather thick. I got mine opened without considering breakage and nothing broke.

For ease of access, I also ended up drilling a hold right next to the reset hole and fished a USB-TTL cable through. In my homelab environment I like to have console access to as many devices as possible, without needing to plug things in.

Okay, thanks for the information.
Your commend gave me enough courage to apply a bit of force, that allowed me to open the box without anything breaking.

So we can telnet into the device and get full access. All the commands needed for OpenWRT to update the firmware is there. However, I don't really see instructions on how to create a firmware for a model. Any ideas?

Well, it's currently not supported, so there's no image.

OK - So compiling a new image, how can I pick both 2 target systems or do I even need to? The driver for the network switch is under the Realtek MIPS target and the wifi drivers are under the Mediatek RaLink ARM. I did try a compile and sysupgrade, but I was unable to connect to the router afterwards.

Here's some dev doc's that may help others.

MediaTek Dev Docs

So the image worked to the extent I tested. However, it appears Netgear added a protection where once I rebooted, it hashed the sdram and if it did not match what was expected, it reflashed to stock and rebooted again.

Thnx for the feedback.

There might be a watch dog, but I still haven't hooked up mine to serial.

Post the dmesg, and lspci after a complete boot, printenv from uboot as well, don't think it's been posted previously.

Got around and soldered the serial console, but the solder they used have a high melting point (or my iron's too weak), I really struggled with one of the holes, and ended up drilling it instead.

anyway, here's the uboot printenv.

MT7622> printenv
arch=arm
atf_filename=trustzone.bin
backup_os_need_check=1
baudrate=115200
board=mt7622_evb
board_name=mt7622_evb
boot0=download_setting kernel;tftpboot ${loadaddr} ${kernel_filename}; bootm
boot1=download_setting kernel;tftpboot ${loadaddr} ${kernel_filename};run boot_wr_img;run boot_rd_img;bootm
boot10=if dialog "WARNING, this operation will flash all partitions (preloader + atf + uboot + linux)";then download_setting flashimage;tftpboot ${loadaddr} ${flashimage_filename};run wr_flashimage;invaild_env;else echo "operation aborted by user";fi;
boot2=run boot_check_backup_os;run boot_rd_img;bootm
boot3=download_setting uboot;tftpboot ${loadaddr} ${uboot_filename};run wr_uboot;invaild_env
boot4=loadb;run wr_uboot;invaild_env
boot5=download_setting atf;tftpboot ${loadaddr} ${atf_filename};run wr_atf
boot6=download_setting preloader;tftpboot ${loadaddr} ${preloader_filename};run wr_pl
boot7=download_setting hdr;tftpboot ${loadaddr} ${hdr_filename};run wr_rom_hdr
boot8=download_setting ctp;tftpboot ${loadaddr} ${ctp_filename};run wr_ctp
boot9=run boot_rd_ctp;boot_to_ctp
boot_backup_img=run boot_check_os; if test ${check_os_error} = 0; then nand read ${loadaddr} 0x2C0000 0x2600000;nand erase.spread 0x28C0000 0x2600000;nand write ${loadaddr} 0x28C0000 0x2600000 ;fi
boot_check_backup_os=setenv skip_load_os 1;nand read ${loadaddr} 0x28C0000 0x2600000;check_image;bootm; setenv skip_load_os 0;if test ${check_os_error} = 1; then  echo Bad backup os !!;run boot_backup_img; else setenv backup_os_need_check 0;fi
boot_check_os=setenv skip_load_os 1; run boot_rd_img;bootm;setenv skip_load_os 0;if test ${check_os_error} = 1; then echo Bad os !!;fi
boot_nmrp_clr_str_blks=nand erase.spread  ${stringtableoffset}  ${stringtablefreesize}
boot_nmrp_wr_str=filesize_check 0x40000;if test ${filesize_result} = good; then str_blks ; if test ${str_blk_crc} = ok;then nand erase.spread  ${stringtableoffset}  ${filesize};nand write ${loadaddr}  ${stringtableoffset} ${filesize};fi;fi
boot_rd_ctp=nand read 0x40000000 0x1400000 3000000
boot_rd_img=nand read ${loadaddr} 0x2C0000 0x2600000;check_image
boot_restore_img=setenv backup_os_need_check 1; run  boot_check_backup_os; if test ${backup_os_need_check} = 0; then nand read ${loadaddr} 0x28C0000 0x2600000;nand erase.spread 0x2C0000 0x2600000;nand write ${loadaddr} 0x2C0000 0x2600000 ;reset;fi
boot_version=20210401
boot_wr_img=decrypt_image;if test ${decrypt_result} = good; then filesize_check 0x2600000;if test ${filesize_result} = good; then check_image; setenv skip_load_os 1;bootm;setenv skip_load_os 0;if test ${check_os_error} = 0; then nand erase.spread 0x2C0000  ${filesize};nand write ${loadaddr} 0x2C0000 ${filesize};else echo Bad os !!; fi;fi;fi
bootcmd=No
bootdelay=3
bootfile=iverson_uImage
bootmenu_0=1. System Load Linux to SDRAM via TFTP.=run boot0
bootmenu_1=2. System Load Linux Kernel then write to Flash via TFTP.=run boot1
bootmenu_10=b. System Load SingleImage then write to Flash via TFTP.=run boot10
bootmenu_2=3. Boot system code via Flash.=run boot2
bootmenu_3=4. System Load U-Boot then write to Flash via TFTP.=run boot3
bootmenu_4=5. System Load U-Boot then write to Flash via Serial.=run boot4
bootmenu_5=6. System Load ATF then write to Flash via TFTP.=run boot5
bootmenu_6=7. System Load Preloader then write to Flash via TFTP.=run boot6
bootmenu_7=8. System Load ROM header then write to Flash via TFTP.=run boot7
bootmenu_8=9. System Load CTP then write to Flash via TFTP.=run boot8
bootmenu_9=a. System Load CTP then Boot to CTP (via Flash).=run boot9
bootmenu_delay=30
cpu=armv7
ctp_filename=ctp.bin
ethact=mtk_eth
ethaddr=AA:BB:CC:DD:EE:FF
fdt_high=0x6c000000
fenv_factory=off
fenv_model=WAX206
fenv_region=EU
flashimage_filename=flashimage.bin
gpt_filename=GPT_EMMC
hdr_filename=hdr.binary
invaild_env=no
ipaddr=192.168.1.1
kernel_filename=iverson_uImage
loadaddr=0x4007FF28
preloader_filename=preloader_fpga7622_64_ldvt.bin
serverip=192.168.1.100
soc=mt7622
stderr=serial
stdin=serial
stdout=serial
stringtablefreesize=0
stringtableoffset=0x5bc0000
uboot_filename=u-boot-mtk.bin
vendor=mediatek
wr_atf=filesize_check 0x20000;if test ${filesize_result} = good; then mtk_image_blks 131072;nand erase.spread 0x80000   ${filesize} ;mtk_image_blks 2048;nand write ${loadaddr} 0x80000 ${filesize};fi
wr_ctp=filesize_check 0xF20000;if test ${filesize_result} = good; then nand erase.spread 0x1400000 3000000 ;nand write ${loadaddr} 0x1400000 3000000;fi
wr_flashimage=decrypt_image;if test ${decrypt_result} = good; then filesize_check 0x8000000;if test ${filesize_result} = good; then nand erase.chip ;nand write ${loadaddr} 0x0 8000000;fi;fi
wr_pl=filesize_check 0x40000;if test ${filesize_result} = good; then nand erase.spread 0x00000 40000 ;nand write ${loadaddr} 0x00000 40000;fi
wr_rom_hdr=filesize_check 0x40000;if test ${filesize_result} = good; then nand erase.spread 0x00000 20000 ;nand write ${loadaddr} 0x00000 20000;fi
wr_uboot=filesize_check 0x80000;if test ${filesize_result} = good; then mtk_image_blks 131072;if test ${check_boot_error} = 0;then nand erase.spread 0xC0000  ${filesize} ;nand write ${loadaddr} 0xC0000 ${filesize};fi;fi
MT7622> help
?       - alias for 'help'
backup_message- print backup message.
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
boot_to_ctp- boot to ctp
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootmenu- ANSI terminal bootmenu
bootp   - boot image via network using BOOTP/TFTP protocol
check_image- check image in load_addr.
chpart  - change active partition
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
ctp_check- check if ctp in load_addr is normal.
decrypt_image- decrypt image in load_addr.
dialog  - echo args to console, and get yes or no response from user
download_setting- set download image file name , and device IP , server IP before upgrade
echo    - echo args to console
editenv - edit environment variable
env     - environment handling commands
esw_read- esw_read   - Dump external switch/GMAC status !!

exit    - exit script
false   - do nothing, unsuccessfully
fdt     - flattened device tree utility commands
filesize_check- check if filesize of the image that you want to upgrade is normal.
go      - start application at address 'addr'
help    - print command description/usage
image_blks- read image size from img_size or image header if no specifying img_size, and divided by blk_size and save image blocks in image_blks variable.
image_check- check if image in load_addr is normal.
iminfo  - print header information for application image
imxtract- extract a part of a multi-image
invaild_env- need to invaild env.
itest   - return true/false on integer compare
led     - <set|clear|blink>  <power|net|wifin|wifia>  <green|red>
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loadx   - load binary file over serial line (xmodem mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mdio    - mdio   - Mediatek PHY register R/W command !!

mm      - memory modify (auto-incrementing address)
mmd     - mmd   - Mediatek MMD PHY register R/W command !!

mtdparts- define flash/nand partitions
mtk_image_blks- read image size from image header (MTK format) located at load_addr, divided by blk_size and save image blocks in image_blks variable.
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
nmrp    - netgear nmrp tools
nor     - nor   - nor flash command

ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reco_message- print recovery message.
reg     - reg   - Mediatek PHY register R/W command !!

reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
serious_image_check- seriously check if image in load_addr is normal.
setenv  - set environment variables
showvar - print local hushshell variables
sleep   - delay execution for some time
snor    - snor   - spi-nor flash command

source  - run script from memory
str_blks- check str table blk from load_addr
switch_rxcal- Re-cal PHY Rx DC offset of mt7531 switch !!
switch_txcal- Re-cal PHY Tx offset of mt7531 switch !!
swreg   - swreg   - Mediatek switch register R/W command !!

test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpsrv - act as a TFTP server and boot the first received file
true    - do nothing, successfully
uboot_check- check if uboot in load_addr is normal.
version - print monitor, compiler and linker version
3 Likes

There's a service starting during boot, called S99telnetenabled, it runs in the background, and I guess it's checking if the telnet have been enabled, somewhere, but I don't know where.

but, if one got serial access, it's easy to enable telnet anyway.

simply run ln -s /etc/init.d/telnet /etc/rc.d/S99telnet, or service telnet start, if it isn't needed after a reboot.

EDIT: seems the old telnetenable2 utility works here, execute with params, and telnet will be enabled.
Additional info can be found here: https://www.myopenrouter.com/article/telnetenable-netgear-r7000-and-netgear-r7500
link (not mine) to archive with Windows and Linux binaries: http://www.mediafire.com/file/tcen54n6k66yu58/telnetenable2.zip/file

Yeah, it took me upping my temp quite a bit to melt the solder that was there. Any idea on the watchdog you mentioned? I see some interesting things in the uboot printenv, but I dont know enough about uboot yet to understand it all.

Not yet, haven't tried to boot the image I created, want to see it for myself, and
have access to additional commands, from the openwrt image.

Btw, try the telnet enable binary I just updated my last post with.

Seems my FW got rolled back to 1.0.1.5 when I pressed the reset button for > 10 sec,
it was previously 1.0.4.0, YMMV.