A new firmware isn't impossible, but I get the feeling that the firmware has OEM-provided .ko files for the hardware, especially if it's using that old kernel version.
Got the .ko files.
At the same time, I've realized I have no idea what I am doing. I've made a password decrypter with Ghidra if I can't use the CLI exploits.
I have the EN75xx files, which seem to have the kernel stuff in them, if OpenWrt stores kernels at /target/.../base-files (I have no idea).
I tried searching for people who have documented hacking and installing OpenWrt for dummies, and came up short. Is there a forum thread or GitHub repo that documents any router install process?
If not, that's fine. I clearly lack so many fundamentals of this process that I'm quite excited to try. I'll probably wait until I get back home, so I can have some feedback from the router itself, and do (a bunch of) reading on bootloaders.
Normally the steps should be:
- Research your router architecture and gather files (GPL code, firmware, patches, etc.).
- Do a full dump of your MTD flash for backup.
- Compile an OpenWrt kernel for your architecture and apply relevant patches if needed.
- On your router's unlocked bootloader, copy the OpenWrt kernel into RAM and boot from there. On EcoNet it starts at 0x80020000. (This is a trial-and-error step, as the perfect build needs the right patches to function completely.)
- Once you have perfected your build (kernel, boot, init...), compile a full sysupgrade image and flash it to the MTD partitions permanently using TFTP.
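For the backup step above, the check that matters is that every partition listed in /proc/mtd was dumped completely before anything is written back. The following is an added example, not code from the thread or from OpenWrt: it parses a constructed /proc/mtd table (partition names and sizes are made up for illustration), emits one dd command per partition from the read-only /dev/mtdNro device, and compares the resulting file sizes with what the kernel advertises. On NAND, dd stops with EIO at the first bad block, so use nanddump from mtd-utils there instead; the dd plan is for NOR or a clean NAND.

```python
"""Added example (not from the thread): plan and check a full MTD backup.

Parses the /proc/mtd table that the stock or OpenWrt kernel exposes,
emits one dd command per partition reading from the read-only
/dev/mtdNro device, and verifies afterwards that each dump has exactly
the size /proc/mtd advertises. The sample table is constructed; real
partition names and sizes vary per device.
"""
import re
from dataclasses import dataclass

# Constructed sample of what `cat /proc/mtd` prints (not from a real device).
SAMPLE_PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00040000 00020000 "bootloader"
mtd1: 00020000 00020000 "romfile"
mtd2: 00800000 00020000 "tclinux"
mtd3: 00800000 00020000 "tclinux_slave"
"""

_MTD_LINE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"\s*$')


@dataclass(frozen=True)
class MtdPart:
    index: int
    size: int       # bytes
    erasesize: int  # bytes, one erase block
    name: str


def parse_proc_mtd(text):
    """Return the partitions listed in a /proc/mtd dump, in order."""
    parts = []
    for line in text.splitlines():
        m = _MTD_LINE.match(line.strip())
        if m:
            parts.append(MtdPart(int(m.group(1)), int(m.group(2), 16),
                                 int(m.group(3), 16), m.group(4)))
    return parts


def dump_filename(part):
    """Keep the partition name in the file name but make it filesystem-safe."""
    safe = re.sub(r"[^A-Za-z0-9_.-]", "_", part.name)
    return f"mtd{part.index}_{safe}.bin"


def dump_commands(parts, outdir="/tmp/mtdbackup"):
    """One dd per partition, reading whole erase blocks from /dev/mtdNro.

    Falls back to a single read of the full size if a partition is not a
    whole number of erase blocks (dd would otherwise silently truncate).
    """
    cmds = []
    for p in parts:
        if p.size % p.erasesize == 0:
            bs, count = p.erasesize, p.size // p.erasesize
        else:
            bs, count = p.size, 1
        cmds.append(f"dd if=/dev/mtd{p.index}ro of={outdir}/{dump_filename(p)} "
                    f"bs={bs} count={count}")
    return cmds


def total_flash_size(parts):
    return sum(p.size for p in parts)


def check_dump_sizes(parts, dumped_sizes):
    """Names of partitions whose dump is missing or not exactly /proc/mtd's size."""
    return [p.name for p in parts if dumped_sizes.get(p.name) != p.size]


if __name__ == "__main__":
    parts = parse_proc_mtd(SAMPLE_PROC_MTD)
    print(f"{len(parts)} partitions, {total_flash_size(parts) // 1024} KiB total")
    for cmd in dump_commands(parts):
        print(cmd)
```

Run the printed commands on the router (or generate them from the real `cat /proc/mtd` output), copy the files off, then feed `check_dump_sizes` the sizes of what actually arrived; any name it returns is a partition you do not yet have a trustworthy backup of.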
I have a similar device, based on the EN7528 using the MT7663 and MT7603 for 5 GHz and 2.4 GHz Wi-Fi respectively. The firmware seems to be based on Linux 3.18, but I have seen firmware images for these devices with Linux 4.14. I have the firmware, the device and the NAND dump. How can I help with this development?
What brand and model is it?
Genexis Titanium T21A, the one I described above
Richerlink RL821GWV-DB, based on the EN7526GT
and a Nokia G-2425-A, which is similar to those with different Wi-Fi chips
For the first two I have seen firmware with Linux versions above 3.8; maybe the support will be better?
Hi, I can help with Nokia G-140W-C
CPU: EcoNet EN7526GT MIPS 34Kc V5.8 @900MHz
WLAN: MediaTek MT7602EN/MT7612EN
It was originally used by the Vivacom provider; now I am trying to convert it for use with a different provider.
Please let me know how I can help; I have two or more units, since the second-hand black market is quite strong here right now.
Regards.
start by scrolling up 11 posts, or so.
Please be more specific. I can't log in to the web interface with '; /bin/sh; # and there is no SSH or telnet. I haven't been able to access a U-Boot IP address, if such a thing even exists (previously I was reflashing CPEs through Broadcom's CFE). '; /bin/sh; # is not meant literally, just to paste into the web login, is it? Give me a hint, please.
Maybe we can do OMCI through LAN, or should I buy a GPON head to do the OMCI?
OMCI is only a way for the router to get setup information from the OLT (VLAN ID, ALLOC-ID, GEM PORT...). You don't really need it now. Better to start by tapping into the UART pins and trying to see what commands you can execute. My router doesn't support TFTP for quick kernel tests.
Also en route to my evil hacker mind is a G-2425G-A, if that's of any help.
A1 telecom uses Huawei, which sets many things through OMCI, including the accounts. That could be a Huawei-specific management backdoor.
I don't wanna UART right now as I haven't set up my hardware hacking station yet.
I prefer to try to go in through the front door, web and UPnP, as well as through the bootloader if it listens on the LAN for firmware.
I can also get anything from bazar bg and olx bg and probably other places for open-sourcing the device.
Regards.
Bro, it's the same chip as the XR500v and I have the GPL code; what changes is the 5G and the ports are gigabit.
Dropping this repo as I found some more details about its custom U-Boot (TCboot):
Notice there is some sweet PDF documentation on the inner workings of its SoC. I believe that's the entire SDK.
Hi @Alam ! Could you please share gpl code for XR500v. I cannot find it in TP-Link GPL Code Center (https://www.tp-link.com/baltic/support/gpl-code/)
Thanks for the link!
This XR500v GPL dump is nice because it's a 3.18 kernel, not 2.6, but unfortunately all of the fun stuff is stuck in blobs.
user@cjd-dev:~/en7526/GPL_XR500v/PON_trunk_bba_1_5$ grep -nr 'macMT753SetPortUpDown'
grep: EN7526G_3.18Kernel_SDK/tplink/output/XR500vSPv1/modules/eth.ko: binary file matches
user@cjd-dev:~/en7526/GPL_XR500v/PON_trunk_bba_1_5$
That macMT753SetPortUpDown is a symbol that's used in the ETH driver we're looking for, and we have it, but it's only in one of the 2.6 dumps.
A fruitful search method would be to make a list of every device with this chipset, download the GPL dumps, and post the kernel version and the result of running grep -nr 'macMT753SetPortUpDown'.
I looked at this thread and it seemed there was no factory boot log, so I got one: https://gist.github.com/cjdelisle/818cf870ad486cb4eb3e3c0214d33642
Line 79: Config7: 0x80080500
that decodes to MIPS_CONF7_WII | MIPS_CONF7_IAR | MTI_CONF7_PTC | 1<<8. Don't know what 1<<8 signifies.
2 VPEs, 4 TCs, so the newer kernels only consider the VPEs as processors, which is why the old kernel sees 4 CPUs but the new ones only see 2.
PCIe driver version: 751221.3.20160516
matches tclinux_phoenix which is a REALLY good sign.
USB driver version: 751221.2.20160516
also matches.
xhc_mtk xhc_mtk: irq 18, io mem 0x1fb90000
- USB20_INT is 20 and USB11_INT is 23; this is definitely something to keep an eye on.
MCM MT7530
- good news because there are drivers for this
usb 1-2: new high speed USB device number 4 using xhc_mtk
scsi0 : usb-storage 1-2:1.0
...
scsi 0:0:0:0: Direct-Access Generic STORAGE DEVICE 0208 PQ: 0 ANSI: 0
Cannot fsd 0:0:0:0: [sda] Attached SCSI removable disk
Neato, I have nothing plugged into the USB on this board so it looks like they left me a nice little easter egg.
PON PHY driver version is 170228.105.107
- tclinux_phoenix is older, namely 160329
Test cmd :echo user:$1$$iC.dUsGpxNNJGeOm1dFio/:0:0:root:/:/bin/sh >> /etc/passwd,4,1234,0
- This password hash is popular and the internet agrees that it's the hash of the password 1234, but trying to log in over serial does not work.
Also, I started a dtsi file, which is really just a scratchpad for drilling down on the memory map.
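The hash in that Test cmd line is md5crypt (the `$1$` scheme) with an empty salt, which is why the string `$1$$iC.dUsGpxNNJGeOm1dFio/` turns up verbatim across so many firmware images. The following is an added example, not code from the thread: it implements md5crypt on top of hashlib so the "1234" claim can be checked offline, without depending on the host's crypt(3) (libxcrypt builds may have the `$1$` scheme compiled out). The passwd line is copied from the post above; the candidate password list is an assumption.

```python
"""Added example (not from the thread): verify an md5crypt ($1$) passwd hash.

md5crypt is the BSD/GNU "$1$<salt>$<hash>" scheme. The thread's entry has
an empty salt ("$1$$"), so the hash is the same on every device that ships
this default, which is what makes it recognisable in the first place.
"""
import hashlib

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Copy of the passwd entry quoted in the thread.
PASSWD_LINE = "user:$1$$iC.dUsGpxNNJGeOm1dFio/:0:0:root:/:/bin/sh"


def _to64(value, count):
    """md5crypt's base64 variant: emits the low 6 bits first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt, magic=b"$1$"):
    """Return the full "$1$salt$hash" string (FreeBSD crypt-md5 algorithm)."""
    salt = salt[:8]  # md5crypt uses at most 8 salt bytes
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:  # one byte per bit of the length: NUL or first password byte
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # the deliberately slow stretching loop
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    # Output bytes are permuted before encoding, 3 bytes per 4 characters.
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14),
                                  (3, 9, 15), (4, 10, 5)))
    enc += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + enc


def hash_from_passwd(line):
    """Second colon-separated field of an /etc/passwd entry."""
    return line.split(":")[1]


def salt_of(hash_str):
    if not hash_str.startswith("$1$"):
        raise ValueError("not an md5crypt hash")
    return hash_str[3:].split("$", 1)[0].encode()


def check_password(hash_str, candidate):
    return md5crypt(candidate, salt_of(hash_str)) == hash_str


def first_match(hash_str, candidates):
    """Return the first candidate that hashes to hash_str, or None."""
    for cand in candidates:
        if check_password(hash_str, cand):
            return cand
    return None


if __name__ == "__main__":
    h = hash_from_passwd(PASSWD_LINE)
    # Assumed candidate list: "1234" is what the thread reports, the rest are
    # common defaults. None means none of them produced this hash.
    print(h, "->", first_match(h, [b"1234", b"admin", b"root", b"password"]))
```

The same routine works for any `$1$` entry pulled out of a firmware's /etc/passwd; if the serial login still refuses a password that does verify here, the shell is rejecting something other than the hash (a different passwd file at runtime, a locked account, or a login program that never reads this entry).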
That's a bitshift.
$ cat bitshift.c
#include <stdio.h>

int main(void) {
    int i = 1 << 8;                 /* only bit 8 set */
    /* %b is the C23 binary conversion; glibc prints it from 2.35 on,
     * older libcs emit it literally */
    printf("binary\t\ti=%b\n", i);
    printf("hexadecimal\ti=0x%x\n", i);
    printf("decimal\t\ti=%i\n", i);
    return 0;
}
$ gcc -Wall -o bitshift bitshift.c
$ ./bitshift
binary		i=100000000
hexadecimal	i=0x100
decimal		i=256
This approach is often used when setting a specific bit in hardware (a register or similar) or for feature bits; it's an easier-to-read abbreviation.
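Since Config7 is just such a set of feature bits, the useful tool for the `1<<8` question a few posts up is a decoder that walks every set bit of 0x80080500 and names the ones the kernel defines. The following is an added example, not code from the thread or from the kernel; the bit positions are the Config7 definitions in Linux's arch/mips/include/asm/mipsregs.h (WII bit 31, PTC bit 19, AR bit 16, IAR bit 10, RPS bit 2), and any other set bit is reported as `1<<n` rather than guessed at. The log line it parses is a constructed copy of the value quoted above.

```python
"""Added example (not from the thread): name the bits in a CP0 Config7 value.

Bit positions are the ones defined in the Linux kernel header
arch/mips/include/asm/mipsregs.h; any other set bit is reported as 1<<n.
"""
import re

MIPS_CONF7_RPS = 1 << 2    # return prediction stack
MIPS_CONF7_IAR = 1 << 10   # instruction cache alias removed
MIPS_CONF7_AR = 1 << 16    # data cache alias removed
MTI_CONF7_PTC = 1 << 19    # performance counters implemented per TC
MIPS_CONF7_WII = 1 << 31   # wait IE ignore

CONFIG7_NAMES = {
    MIPS_CONF7_WII: "MIPS_CONF7_WII",
    MTI_CONF7_PTC: "MTI_CONF7_PTC",
    MIPS_CONF7_AR: "MIPS_CONF7_AR",
    MIPS_CONF7_IAR: "MIPS_CONF7_IAR",
    MIPS_CONF7_RPS: "MIPS_CONF7_RPS",
}

_LOG_RE = re.compile(r"Config7:\s*0x([0-9A-Fa-f]{1,8})")


def decode_config7(value):
    """Split a 32-bit Config7 value into (known names, unknown '1<<n'), MSB first."""
    known, unknown = [], []
    for bit in range(31, -1, -1):
        mask = 1 << bit
        if value & mask:
            if mask in CONFIG7_NAMES:
                known.append(CONFIG7_NAMES[mask])
            else:
                unknown.append(f"1<<{bit}")
    return known, unknown


def format_config7(value):
    """Render the value the way the kernel header would, e.g. 'A | B | 1<<8'."""
    known, unknown = decode_config7(value)
    return " | ".join(known + unknown) or "0"


def config7_from_log(text):
    """Pull the Config7 value out of boot-log text; None if it is not there."""
    m = _LOG_RE.search(text)
    return int(m.group(1), 16) if m else None


def has_flag(value, mask):
    return bool(value & mask)


if __name__ == "__main__":
    log = "Config7: 0x80080500"  # constructed copy of the thread's log line
    v = config7_from_log(log)
    print(f"0x{v:08x} = {format_config7(v)}")
```

Anything that lands in the "unknown" list is a bit the mainline header does not name for this core family, which is exactly the signal to go look in the vendor SDK headers or the core's software user manual rather than in the kernel tree.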
I own two Zyxel units (EX3301-T0 and VMG8623-T50B) which appear to have a similar SoC to this one: EN751627
If support is added to PMG5617GA, can we hope for a relatively easy patch to include those two above?
My boot log shows:
BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=256MB
Set new TRFC.
ddr-1333
7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Thu Feb 23 19:36:07 CST 2023 version 1.1 free bootbase
Set SPI Clock to 50 Mhz
spi_nand_probe: mfr_id=0xef, dev_id=0xaa, dev_id2=0x21
Using Flash ECC.
Detected SPI NAND Flash : _SPI_NAND_DEVICE_ID_W25N01G, Flash Size=0x8000000
bmt pool size: 81
BMT & BBT Init Success
ZyXEL zloader v1.4.5 (02/23/2023 - 19:36:05)
Multiboot client version: 2.6
Not found TC Phy
Not found TC Phy
Not found TC Phy
Not found TC Phy
Not found TC Phy
GE Rext AnaCal Done! (1)(0x1f)
Hit any key to stop autoboot: 0
==> boot flag = 0
main tclinux.bin have ZYXEL trx header!
from main
Decompress to 80002000 free_mem_ptr=81100000 free_mem_ptr_end=80780000
Uncompressing [LZMA] ... done.
but everything after that is very different from your boot log. Is the boot flag = 1 making the whole difference?