Yup I'm tapped in already
Just a few more clarifying questions before I'm ready to go. Again, I really appreciate the help frollic
- What speed should I use in PuTTY when connecting to serial?
- For step 4, what terminal command am I using to send
configure-uboot.sh? Anything in particular I have to do with the file? Is there a particular directory it needs to be in? - For step 7, I don't quite understand which interface I am supposed to use in TFTPD64. I would assume it has to be the wired eth adapter. Also, any particular host name for the server? I recall the port needing to be port 69.
whatever command your terminal software supports. just send the file as is.
yes the server needs to be connected to a LAN port. i think any LAN port will do (not the WAN port), but details surely are on this thread.
if you have some base64 or uu decode tool in the router already, you could send an initramfs image to /tmp and then write it as per the "Upgrading the Recovery OS" section instead of messing around with TFTP. make sure you check that the MD5 hash of the file matches before and after the transfer, before flashing it.
do you have gzip at least? could you ls -l /bin and /usr/bin?
EDIT: avoid TFTP during install
assuming you have awk in the OEM firmware, you can avoid TFTP altogether by:
- uuencode an initramfs image
- transfer this script and the uuencoded image to
/tmpvia the serial (typecat >/tmp/uud.sh, send the file, typeCTRL-D) - use the script to decode the initramfs
- verify its
md5sum - and flash to the recovery OS partition (see "Upgrading the Recovery OS")
I'm not gonna lie, I definitely don't know what you're talking about with the non-TFTP methods. I'm really new to all of this in general. I'd prefer to stick with TFTP because I feel like I'm almost there. I'm just dumb
Right now I'm stuck at the TFTP server step. I have U-boot installed, but when I attempt to run run boot_write_recovery_from_tftp, I get this:
## Starting application at 0x4A9647CC ...
MAC0 addr:*
PHY ID1: 0x4d
PHY ID2: 0xd101
EDMA ver 1 hw init
Num rings - TxDesc:1 (0-0) TxCmpl:1 (7-7)
RxDesc:1 (15-15) RxFill:1 (7-7)
ipq807x_edma_alloc_rings: successfull
ipq807x_edma_setup_ring_resources: successfull
ipq807x_edma_configure_rings: successfull
ipq807x_edma_hw_init: successfull
, eth0
Warning: eth0 MAC addresses don't match:
Address in SROM is *
Address in environment is *
## Application terminated, rc = 0x1
secure boot fuse is enabled
debug cert - not found
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :1000 Full duplex
eth0 PHY4 Down Speed :10 Half duplex
eth0 PHY5 Down Speed :10 Half duplex
ipq807x_eth_init: done
Using eth0 device
TFTP from server 192.168.1.2; our IP address is 192.168.1.1
Filename 'recovery.img'.
Load address: 0x44000000
Loading: *
It is stuck at Loading: * indefinitely.
I'm using TFTPD64. Default settings. In TFTP client I have the host as 192.168.1.2, local file specified as recovery.img, and port 69. I put the file to the server, which I see in the logs.
When I attempt to request the file in U-boot, I don't see any traffic in the logs. I entirely disabled firewall temporarily to see if that was causing an issue and no change.
I assume I'm just doing something a tiny bit wrong because it's trying to boot via TFTP, it just fails, I just don't know what.
I'm using TFTPD64.
sorry, on the server side i can only help you if you use linux.
In TFTP client I have the host as
192.168.1.2
the TFTP client is the spectrum router you are hacking, and its address is .1 (not .2). on windows you need to configure its ethernet interface (the once cabled to spectrum) with a .2 static address, and then run your TFTP server there.
I entirely disabled firewall temporarily
you absolutely need it disabled, or else a rule for the TFTP server must be added to it.
it would have helped if you had posted the log of the script installation. it told you your uboot version among other things. do you know it?
(to get help please post complete logs of sessions, including boot, not excerpts.)
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
S - IMAGE_VARIANT_STRING=HAASANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e3
B - 201 - PBL, Start
B - 2735 - bootable_media_detect_entry, Start
B - 99255 - bootable_media_detect_success, Start
B - 99259 - elf_loader_entry, Start
B - 100675 - auth_hash_seg_entry, Start
B - 138715 - auth_hash_seg_exit, Start
B - 153087 - elf_segs_hash_verify_entry, Start
B - 215720 - PBL, End
B - 228353 - SBL1, Start
B - 280508 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B - 287005 - pm_device_init, Start
B - 415989 - PM_SET_VAL:Skip
D - 128557 - pm_device_init, Delta
B - 418460 - pm_driver_init, Start
D - 5185 - pm_driver_init, Delta
B - 424529 - clock_init, Start
D - 2135 - clock_init, Delta
B - 428799 - boot_flash_init, Start
D - 7869 - boot_flash_init, Delta
B - 440359 - boot_config_data_table_init, Start
D - 1098 - boot_config_data_table_init, Delta - (575 Bytes)
B - 448014 - Boot Setting : 0x00000618
B - 451735 - CDT version:2,Platform ID:8,Major ID:117,Minor ID:1,Subtype:6
B - 458842 - sbl1_ddr_set_params, Start
B - 462563 - CPR configuration: 0x30c
B - 466040 - cpr_init, Start
B - 468907 - Rail:0 Mode: 5 Voltage: 800000
B - 474031 - CL CPR settled at 752000mV
B - 476837 - Rail:1 Mode: 5 Voltage: 880000
B - 481137 - Rail:1 Mode: 7 Voltage: 904000
D - 16409 - cpr_init, Delta
B - 487908 - Pre_DDR_clock_init, Start
B - 491934 - Pre_DDR_clock_init, End
B - 495320 - DDR Type : PCDDR4
B - 502091 - do ddr sanity test, Start
D - 1067 - do ddr sanity test, Delta
B - 505812 - DDR: Start of HAL DDR Boot Training
B - 510539 - DDR: End of HAL DDR Boot Training
B - 516212 - DDR: Checksum to be stored on flash is 2087628403
B - 526613 - Image Load, Start
D - 345229 - QSEE Image Loaded, Delta - (1380872 Bytes)
B - 871934 - Image Load, Start
D - 427 - SEC Image Loaded, Delta - (0 Bytes)
B - 879467 - Image Load, Start
D - 287859 - DEVCFG Image Loaded, Delta - (32468 Bytes)
B - 1167418 - Image Load, Start
D - 292830 - RPM Image Loaded, Delta - (93060 Bytes)
B - 1460340 - Image Load, Start
D - 312808 - APPSBL Image Loaded, Delta - (617520 Bytes)
B - 1773239 - QSEE Execution, Start
D - 61 - QSEE Execution, Delta
B - 1779065 - USB D+ check, Start
D - 0 - USB D+ check, Delta
B - 1785439 - SBL1, End
D - 1559404 - SBL1, Delta
S - Flash Throughput, 34296 KB/s (2125167 Bytes, 61965 us)
S - DDR Frequency, 600 MHz
S - Core 0 Frequency, 1651 MHz
U-Boot 1.3.3 [spf11.1_csu2] (Jan 27 2021 - 09:14:27 +0000)
DRAM: smem ram ptable found: ver: 1 len: 4
2 GiB
[Askey] Led init ...
NAND: Could not find nand_gpio in dts, using defaults
Not an ONFI device
ONFI probe failed
ID = ffffffff
Vendor = ff
Device = ff
qpic_nand: unknown NAND device manufacturer: ff device: ff
U-Boot BUG at drivers/mtd/mtdcore.c:420!
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC: <NULL>: 0 (eMMC)
In: serial@78B3000
Out: serial@78B3000
Err: serial@78B3000
machid: 8750106
eth5 MAC Address from ART is not valid
Hit space key to stop autoboot: 0
Hit Ctrl+C for shell...
sleep - delay execution for some time
Net: MAC0 addr:2c:ea:dc:30:f7:55
PHY ID1: 0x4d
PHY ID2: 0xd0b1
PHY ID1: 0x4d
PHY ID2: 0xd101
EDMA ver 1 hw init
Num rings - TxDesc:1 (0-0) TxCmpl:1 (7-7)
RxDesc:1 (15-15) RxFill:1 (7-7)
ipq807x_edma_alloc_rings: successfull
ipq807x_edma_setup_ring_resources: successfull
ipq807x_edma_configure_rings: successfull
ipq807x_edma_hw_init: successfull
eth0
IPQ807x#
Here's the entire boot log!
I tried to use SolarWinds as well. No dice. The recovery.img file is in the proper directory, IP set 192.168.1.2, there is an active TFTP server on port 69. Nothing in the logs in SolarWinds besides the server being started and stopped. Of course, firewall is disabled every time I'm attempting to boot from TFTP. I get the same response as posted earlier in the log after running run boot_write_recovery_from_tftp
your uboot is fully supported. so something in your windows or physical setup (cable) should be to blame. you may have your windows wifi interface in the same subnet, or the cable connected to the wrong ports, a bad cable, a badly setup TFTP server, or who knows.
you can run wireshark or windows equivalent to see traffic from/to router. or use linux instead of windows. the possibilities are too many. at this point, look for general help on the forums on how to spy on traffic or debug TFTP from windows: i can't help you, and these things are generic and related to windows and not particularly to this device.
I figured it out! It was something silly of course. I'm all set on the firmware side of things. Just having some issues unrelated to this thread.
I really appreciate the help guys!
Is there any support for controlling the onboard fan?
interesting, haven't thought about it because i never heard it. when i power up the device the fan is off. and stays off because i never loaded the device with any real task.
but it is kinda sus that the router powers on with the fan off. is this normal? do you see the same thing?
EDIT:
i just stress tested the CPU for 2 minutes and the fan did not turn on. maybe my device is defective?
EDIT 2:
i monitored all the temps while stress testing the CPU (4 threads) and couldn't get any temp past 64 C, which maybe is not enough to turn the fan on? i used:
watch -n1 cat /sys/class/thermal/thermal_zone*/temp
EDIT 3:
i couldn't find any mentions of tachometers or pwms or gpios that could be related to a fan in the DTS. also i found no related devices in /sys.
the only thermal mitigation as far as the kernel is concerned is CPU throttling:
cat /sys/class/thermal/cooling_device0/type
cpufreq-cpu0
AFAICT, linux has zero awareness of the fan.
which means the fan is controlled either by:
- autonomous hardware
- or trustzone firmware (not hackable)
Perhaps OT (depends on answer), do you know the difference between the device discussed here and the SAX2V1K.
never heard of it
my fan doesn't turn on when i power up and boot the SAX1V1K.
is that normal?
Ok, then I'll open it up once I get back home from US.
Pretty sure the V1K's fan spins up when you power it on, but if I look att all the used units I've "liberated", all fans have been spotless clean, makes me think it's actually not used at all (or broken in stock too).
Interesting. Mine was also spotless when I was in the unit. I also did not notice any fan motion when turning the unit on and off and on and off however many times when flashing OpenWrt.
@Lanchon I don't notice the fan kicking on when powering up, though I may pop the unit open to see for sure. Since nothing was yielded from your monitoring and attempts to see if Linux is aware of the hardware, I think the next step would be to see what chip the fan is wired to. Could be a good hint as to how it's being controlled, maybe?....
Unless it's managed through firmware that is unhackable like you mentioned there has to be a way to manage the fan speed through firmware. Actually figuring that out is definitely far over my head though. But I'll see what I can do lol
I wonder if there are any hints in the OEM boot?
This isn't an issue obviously, but I would think it would increase the longevity (and stability? though that isn't an issue I think) of the unit.
I got the model wrong, it was SAX2V1S.
It's Broadcom - https://fccid.io/VW3FAST5295/, leaving it here in case anyone ever search the forum.
@Lanchon you ever had a device not responding to serial input ?
I disassembled one I got from eBay, I can see the whole boot sequence, but I can't get it to display the logon prompt after "VERIFY_IB: Success. verify IB ok".
Seems it doesn't want to take the Enter key.
i only ever interacted with one device. what is the uboot version? (the string is printed during boot)
U-Boot 1.5.1 [spf11.4_csu2] (Jun 15 2022 - 09:05:59 +0000)
well good to know they haven't patched the BL. maybe someone tried hacking your device before and ruined the input pin with improper voltages or ESD.
(note that ESD can be an issue, and the failure could have been your doing if you were not careful.)