Qualcomm IPQ6018 / IPQ60xx -- Adding New Device Support

I began reverse engineering the device upon discovering some serious vulnerabilities and CVEs. The vendor has corrected some of the vulnerabilities, but there are other vulns and bugs , and their responsiveness is too slow.

I've used Adding new device support - Phase (1): Information collection - For Developers - OpenWrt Forum to define the specifications for this device.

I'm working to scope out what it would take to get OpenWRT working on the device. I see other attempts on IPQ60xx e.g. Xiaomi & Synology


  • can openwrt run with pre-built images from vendor image (e.g. kernel, soc & wifi drivers?)
  • would someone be interested in partnering on this?


  • Linux (none) 4.4.60 #57 SMP PREEMPT Wed Sep 6 14:56:26 CST 2023 armv7l GNU/Linux
  • firmware version = WLAN.HK.2.5.r4-00745-QCAHKSWPL_SILICONZ-1 v1
  • built from Openwrt GCC: (OpenWrt GCC 5.2.0 eea552a14b+r49254) 5.2.0
  • Qualcomm IPQ6018 Quad-core 1.8GHz processor
  • 256MB flash and 512MB DDR4 RAM
  • tri-band wifi
    • 2.4GHz AX: 2x2(Tx/Rx) 1024/256-QAM 20/40MHz, up to 574 Mbps
      5GHz-L AX: 2x2(Tx/Rx) 1024/256-QAM 20/40/80MHz, up to 1201 Mbps
      5GHz-H AX: 4x4(Tx/Rx) 1024/256-QAM 20/40/80/160MHz, up to 4804 Mbps
  • 2.5 gHz ethernet WAN support

Here's what I have so far

  • SSH access as unprivileged user.
  • can extract firmware binary & signature. firmware itself is still encrypted
  • enumeration of the major services e.g. ssh (dropbear), dns (dnsmaq), web admin panel sources, binaries for CGI , init scripts
  • users & hashes

I'm close to having

  • root access
  • access to flash parameters
  • GPL snapshot from vendor

Still working on

  • obtaining firmware encryption key and extracting firmware via binwalk

Here are some specs

$ cat device-tree/model
Qualcomm Technologies, Inc. IPQ6018/AP-CP01-C3

# built from OpenWrt 5.2.0
$ cat /proc/version
Linux version 4.4.60 (root@Op) (gcc version 5.2.0 (OpenWrt GCC 5.2.0 eea552a14b76+r49254) ) #57 SMP PREEMPT Wed Sep 6 14:56:26 CST 2023

# Device list
$ cat /proc/devices
Character devices:
  1 mem
  5 /dev/tty
  5 /dev/console
  5 /dev/ptmx
 10 misc
 13 input
 29 fb
 89 i2c
 90 mtd
108 ppp
128 ptm
136 pts
153 spi
180 usb
189 usb_device
238 ecm_state
239 diag
240 sfe_ipv6
241 sfe_ipv4
242 ubi1
243 ubi0
244 subsys
245 ttyMSM
246 ttyMSM
247 dcc_sram
248 mhi_uci
249 watchdog
250 ptp
251 pps
252 rtc
253 msm_sps
254 rpmsg

Block devices:
  1 ramdisk
259 blkext
  7 loop
  8 sd
 31 mtdblock
 65 sd
 66 sd
 67 sd
 68 sd
 69 sd
 70 sd
 71 sd
128 sd
129 sd
130 sd
131 sd
132 sd
133 sd
134 sd
135 sd
179 mmc
254 ubiblock

those are already openwrt spin off images ?

openwrt is using kernel 6.x for it's next release, the vendor fw .... doesn't.

those are already openwrt spin off images ?

some components are from OpenWRT but I don't know how old or how complete the fork was made

most likely has qsdk 11.4 on it, so whats the device ? i also have a ipq6018 device ... yuncore ax1750 im trying to get a good dts for.. there is also now a ipq6018 device from mango in the tree, along with a bunch of ipq8072-8074 devices that work under openwrt qualcommax builds

most likely has qsdk 11.4 on it

what are other diagnostics / tools I can run to pull info about the qualcomm toolkit?

so whats the device

Let me see how the gpl pull goes and I'll provide some updates

dmesg from the device, motd, and / or url for their git repo

SSH access as unprivileged user.

can you get a dmesg off it ?

not yet

$ ls -l /proc/kmsg
-r--------    1 root     root             0 Feb 26 12:25 /proc/kmsg

$ dmesg
-sh: dmesg: not found

probably need root.. my bet is its qsdk 4.4


@dingo MSI came through
GPL Drop for Qualcomm IPQ6018 -- MSI Radix AX6600-E AKA Grax66 -- What's Next - For Developers - OpenWrt Forum

1 Like

device : MSI Radix AX6600-E AKA Grax66

gist:c51ab3b8edc5150bfdb0f18134329730 (github.com)

repo & specs:

GPL Drop for Qualcomm IPQ6018 -- MSI Radix AX6600-E AKA Grax66 -- What's Next - For Developers - OpenWrt Forum

Closing this thread. Please continue in the other topic linked immediately above this post.

1 Like