Spectrum SAX1V1K (Askey RT5010W) OpenWrt Support

michaeldjc655 · April 9, 2025, 6:41pm

Hello! I don't have a root password like you, have you solved it?

frollic · April 9, 2025, 7:28pm

That's not what @unplugmiso wrote...

ShahariarRabby · April 10, 2025, 1:20am

Anyone checked the new WiFi 7 router ( SBE1V1K) from spectrum?
Device details:
https://device.report/m/79ebc4a76a3f9db4a64dd8d985ab373a6e08484aecc50bc6f6382a0f427c5e2e.pdf

It’s using Qualcomm.

StableGenius · April 30, 2025, 12:17am

I just walked through opening my router and logged in via serial console. The hash values for contents of both mmcblk0p15 and mmcblk0p16 are the same - I am assuming this is to store a running version and a backup version. My device has never been connected / updated, so this would make sense for them to be the same:

U-Boot 1.3.3, Linux version 4.4.60
QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
U-Boot Partition(s) Hash: d75be109e242ee8923cb45f1cb082f83

This hash is the same as the backup U-boot reported by iv7777 on their device.

Is it safe to add this as an optional hash in the previously linked open.sh file and boot over TFTP or should I follow some other process (e.g. write directly to the active u-boot partition?) Thanks!

tryitagain · May 7, 2025, 5:45pm

@iv7777 Thank you , just want make sure if my device

root@SAX1V1K:/tmp# cat /dev/mmcblk0p16 | md5sum | cut -d' ' -f1
7bc2f7766b270ea120495334cd1e5c56
root@SAX1V1K:/tmp# cat /dev/mmcblk0p15 | md5sum | cut -d' ' -f1
85ae38d2a62b124f431ba5baba6b42ad

then need to

dd if=/dev/mmcblk0p15 of=/dev/mmcblk0p16

?

Lanchon · May 10, 2025, 3:28am

root@SAX1V1K:/tmp# cat /dev/mmcblk0p15 | md5sum | cut -d' ' -f1
85ae38d2a62b124f431ba5baba6b42ad

BL @ p15 is known, as you can see here:

github.com/Lanchon/openwrt-sax1v1k

configure-uboot.sh

ad6d1c192


      
          case "$uboot0_hash" in
            f3066582267c857e24097b4aecd3e9a1)
              uboot_ver="hash1"
              uboot_hack="mw 4a910cd0 0a000007 1; mw 4a91dc6c 0a000006 1; go 4a96433c"
              break
              ;;
            ab709449c98f89cfa57e119b0f37b388)
              uboot_ver="hash2"
              uboot_hack="mw 4a911044 0a000007 1; mw 4a91dfdc 0a000006 1; go 4a9647cc"
              break
              ;;
            85ae38d2a62b124f431ba5baba6b42ad)
              uboot_ver="hash3"
              uboot_hack="mw 4a9115c8 0a000007 1; mw 4a91e534 0a000006 1; go 4a966bc4"
              break
              ;;
            *)
              error "unknown U-Boot hash! dump U-Boot (/dev/mmcblk0p15) and contact support forum"
              ;;
          esac

which is hackable U-Boot version 1.5.1

p16 contains v1.5.0, not hacked.

1st: verify that you are actually booting 1.5.1 (p15) !!!
check the log during booting.

2nd: then copy p15 to p16:

dd if=/dev/mmcblk0p15 of=/dev/mmcblk0p16

3rd) then run this: https://github.com/Lanchon/openwrt-sax1v1k

Lanchon · May 10, 2025, 3:33am

hell no, it is not safe!

the code will poke random bytes into the bootloader program on ram. it will NOT disable secure boot. and if you alter anything else, then you are bricked. in any case, you are guaranteed either a fail or a brick.

i suggest you start by running this and posting the output here.

also post the boot log up to the command prompt.