It's usually bdwlan.bin, but you can check the bootlog to see what is the exact one being loaded.
Then you need to wrap it by using:
Thank you, this is exactly what I needed! @robimarko @kirdes
Seems like you’re bringing the CLK up to 3.3V. Probably a better idea to ground it instead, less risk of damage. But otherwise awesome job!
@soxrok2212 I found with grounding it, the SoC resets. I'm not sure why. That pin is ACTIVE_HIGH at 3.3V, so it should be fine if people are careful.
The specification of the SoC IPQ8078 can be found here: https://download.siliconexpert.com/pdfs/2018/6/1/5/4/14/17/qcm_/manual/ipq-8078-0-772fcbga-mt-02-0.pdf
@meisterlone Is user operator active in warehouse mode? Maybe it would be possible to log in with it via ssh?
Do you have a router to test with?
No, this OpenWrt was built without SSH support. There is an operator user but PW login is disabled. Root user works though.
I am stuck getting caldata for the WIFI firmware; it can't find the 0:ART partition when pulling the caldata. Looking into this now.
[ 5.933665] ath11k c000000.wifi: ipq8074 hw2.0
[ 5.933699] ath11k c000000.wifi: FW memory mode: 0
[ 5.937677] remoteproc remoteproc0: powering up cd00000.q6v5_wcss
[ 5.942340] remoteproc remoteproc0: Booting fw image IPQ8074/q6_fw.mdt, size 668
[ 6.300855] remoteproc remoteproc0: remote processor cd00000.q6v5_wcss is now up
[ 6.302247] ath11k c000000.wifi: qmi ignore invalid mem req type 3
[ 6.307875] ath11k c000000.wifi: chip_id 0x0 chip_family 0x0 board_id 0xff soc_id 0xffffffff
[ 6.313337] ath11k c000000.wifi: fw_version 0x250a04a5 fw_build_timestamp 2021-12-20 07:09 fw_build_id WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1
[ 6.322992] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 6.380916] ath11k c000000.wifi: qmi failed to load CAL data file:cal-ahb-c000000.wifi.bin
[ 6.380996] ath11k c000000.wifi: failed to load board data file: -12
I have the device pretty much cracked, the minimum requirement is serial port access.
No, I only have Dynalink.
caldata_extract_mmc "0:art" 0x1000 0x20000
grep: /sys/block/mmcblk*/mmcblk*p*/uevent: No such file or directory
caldata_extract "0:art" 0x1000 0x20000
caldata: no mtd device found for partition 0:art
Any ideas?
No EMMC partitions loaded
root@OpenWrt:/dev# ls /dev
bus loop1 ptmx tty
console loop2 pts ttyMSM0
cpu_dma_latency loop3 random ttyS0
full loop4 remoteproc0 ttyS1
gpiochip0 loop5 rpmsg_ctrl0 ubi_ctrl
gpiochip1 loop6 shm urandom
kmsg loop7 stderr watchdog
log null stdin watchdog0
loop-control port stdout zero
loop0 ppp switch_ssdk
root@OpenWrt:/dev#
root@OpenWrt:/dev# cat /proc/partitions
major minor #blocks name
root@OpenWrt:/dev#
Are you using the DL-WRX36 image?
If so, you should prepare the dts with the correct partition layout and build your own image.
I'm building my own image. This device has an EMMC and doesn't use a partition layout in dts.
For QNAP and Zyxel with eMMC, hs400 bus speed is disabled: https://github.com/openwrt/openwrt/blob/master/target/linux/ipq807x/files/arch/arm64/boot/dts/qcom/ipq8072-301w.dts#L308-L319
I got it working by adding an SDHCI interface in the dts
&sdhc_1 {
    status = "okay";
    /delete-property/ mmc-hs400-1_8v;
    mmc-hs200-1_8v;
    mmc-ddr-1_8v;
    vqmmc-supply = <&l11>;
};
OpenWrt is now loading the mmc and all the partitions show in /proc/partitions
I also had to put the partition name in uppercase ( 0:ART ). Seems to be case sensitive here.
caldata_extract_mmc "0:ART" 0x1000 0x20000
Everything seems to be working flawlessly in my tftp booted image!
Now I just need to get it booting from EMMC
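The two failure modes seen above (no eMMC probed at all, then a label that only matches in uppercase) can be told apart with a small diagnostic; this is an added example, not code from the thread or from OpenWrt. It reads the same sysfs `uevent` files the failed `grep` pointed at and matches the label ignoring case; the function names, the optional sysfs-root argument and the sample partition table are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find an eMMC partition by label without assuming the
# label's case, and report the label exactly as it is stored.

# find_mmc_part_ci LABEL [SYSFS_BLOCK]
#   SYSFS_BLOCK (hypothetical override, default /sys/block) lets the
#   function run against a constructed directory tree.
#   Prints "/dev/<node> <label as stored>". Returns 1 when partitions
#   exist but none matches, 2 when no mmcblk partition is visible at all.
find_mmc_part_ci() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    root=${2:-/sys/block}
    seen=0
    for uevent in "$root"/mmcblk*/mmcblk*p*/uevent; do
        [ -f "$uevent" ] || continue    # unexpanded glob: nothing probed
        seen=1
        name=$(sed -n 's/^PARTNAME=//p' "$uevent")
        lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if [ "$lower" = "$want" ]; then
            dev=$(sed -n 's/^DEVNAME=//p' "$uevent")
            printf '/dev/%s %s\n' "$dev" "$name"
            return 0
        fi
    done
    if [ "$seen" -eq 1 ]; then return 1; fi
    return 2
}

# make_sample_sysfs DIR
#   Builds a constructed two-partition tree (sample values, not taken
#   from a real device) so the lookup can be tried off-target.
make_sample_sysfs() {
    for p in 1 15; do mkdir -p "$1/mmcblk0/mmcblk0p$p"; done
    printf 'DEVNAME=mmcblk0p1\nDEVTYPE=partition\nPARTN=1\nPARTNAME=0:SBL1\n' \
        > "$1/mmcblk0/mmcblk0p1/uevent"
    printf 'DEVNAME=mmcblk0p15\nDEVTYPE=partition\nPARTN=15\nPARTNAME=0:ART\n' \
        > "$1/mmcblk0/mmcblk0p15/uevent"
}
```

A return code of 2 points at the device tree or driver (no `mmcblk` partitions enumerated), while 1 means the storage is up and the label itself is wrong.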
Nice work!
For Zyxel G5 there is a flashing script: https://github.com/itorK/nbg7815_tools/blob/main/flash_to_openwrt.sh
Comparing the PCB photos from FCC ID for the K and R variant the SoC looks very similar.
And this router looks like new hardware for Spectrum: https://www.sercomm.com/contpage.aspx?langid=1&type=prod3&L1id=2&L2id=2&L3id=33&Prodid=1019
Well this seems ready for submission?
I need to make a shell script to do some tests before applying the hack to avoid ppl bricking other revisions this may not work on
Stuck on something kind of silly
I have 2 stock routers, one with older firmware and one with newer firmware.
fw_printenv works on both firmwares
fw_setenv only works on the older firmware
????
Any ideas how I can get fw_setenv to work on the newer firmware? It doesn't fail with an error message. It just doesn't write anything. This is about the last step.
I made the hack script for this. It enables automatic TFTP boot tries on startup.
It's here
Askey-RT5010W-D187-REV6/open.sh at master · MeisterLone/Askey-RT5010W-D187-REV6 (github.com)
OpenWrt firmware images are here
Askey-RT5010W-D187-REV6/OpenWrt-r22241 at master · MeisterLone/Askey-RT5010W-D187-REV6 (github.com)
- Only way to get access is via the Serial Port. Wait till the router shows this message in the console:
  VERIFY_IB: Success. verify IB ok
  It appears after a while.
- Once that message appears, login with username 'root' and password is the serial number of your router in uppercase.
- Use vi to paste the 'open.sh' script from my github on your device
- chmod u+x open.sh
  ./open.sh
  Optionally check the crc32 of the script is correct.
- It checks if the device is supported before applying the hack so there is low chance for bricking.
- There are differences between firmware versions. This works perfectly on my older firmwares, but on the newer firmware I still need to figure out the problem in my previous post.
- Script either works, or nothing will change
- Set your ip to 192.168.0.1, plug your computer into the WAN port of the device.
  Run a TFTP server
  Host the initramfs image on the TFTP server and name it "recovery.img"
- Reboot device. On boot it will try TFTP. Optionally you can use CTRL+C in the serial console to interrupt it and get a uboot shell.
To go back to stock, TFTP boot the initramfs and execute the following command:
fw_setenv bootcmd bootipq
How did you find out that the root password is a serial number?