Support AIoT AC2350 Xiaomi?

Edit: removed the link to the corrupt flash image
I had some trial and error time using rrCrcmanipulator to get the same checksum. Still no "proper" boot; both LEDs light up blue and there is no action on the LAN LEDs. I'll have a look at the script to see if that can fix it for me. Thank you eisaev for helping out. I'm starting to believe it's bricked for good after just one day.

Update: I 3.3V-modded the CH341A and soldered up some wires to stick down the UART. I just held them in place while starting PuTTY at 115200. I get no reasonable readout, which is fairly expected still, I guess, when the checksums aren't 100% factory. rrCrcmanipulator did make the whole ROM have the right checksum, but I'm treating the whole ROM and not the partitions individually, so that's maybe where it fails?

In your dump, part of the bootloader is corrupted. I restored this part in the dump without touching the rest. Try to flash the fixed dump I attached through the programmer.
https://mega.nz/file/DJtmSDoa#zXcb0hSqqwB8rfF1ppHQRe_owZJ81mwPkJLR8wDYL0w

1 Like

Oh man, I sure will, give me 15 minutes.

I get no reasonable readout

Try disabling flow control in the terminal. In minicom, this is done like this: Ctrl+z -> o -> Serial port setup -> F
Also make sure that your RX and TX are not swapped.

1 Like

That's fantastic! Boots beautifully! Thank you eisaev a hundred hundreds!
Back to waiting for openwrt support now I guess :grin:

For the future, there is a good rule: take three dumps and check that all three are the same :slight_smile:

Also, if you have set up a UART console, we can try to unlock the factory firmware. As a last resort, you now have the original working dump, which can be restored at any time. Are you ready?

2 Likes
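The "take three dumps and check that all three are the same" rule above, written out as a small POSIX shell script. This is an added example, not code from the thread or from any of the posters; it assumes flashrom with the CH341A programmer the poster used (flashrom's `ch341a_spi` driver) and that `cmp` and `sha256sum` are available. Only `dumps_identical` runs without hardware; `read_flash_three_times` is the wrapper you would call at the bench.

```shell
#!/bin/sh
# Added example: dump an SPI flash chip three times and keep the result
# only if every dump is byte-identical. A clip that is not seated well,
# or a marginal 3.3V supply, shows up as dumps that differ from each other.
# Assumption: flashrom with the ch341a_spi programmer (override with PROGRAMMER=...).

PROGRAMMER="${PROGRAMMER:-ch341a_spi}"

# dumps_identical FILE... : exit 0 if every file is byte-identical to the first one
dumps_identical() {
    first="$1"
    shift
    for f in "$@"; do
        if ! cmp -s "$first" "$f"; then
            echo "mismatch: $first differs from $f" >&2
            return 1
        fi
    done
    return 0
}

# read_flash_three_times OUTDIR : read the chip three times, then compare the reads
read_flash_three_times() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    i=1
    while [ "$i" -le 3 ]; do
        # each -r produces one full image of the chip
        flashrom -p "$PROGRAMMER" -r "$outdir/dump$i.bin" || return 1
        i=$((i + 1))
    done
    if dumps_identical "$outdir/dump1.bin" "$outdir/dump2.bin" "$outdir/dump3.bin"; then
        echo "all three dumps match; keep $outdir/dump1.bin as the backup"
        sha256sum "$outdir/dump1.bin"   # record the hash next to the backup
        return 0
    fi
    echo "dumps differ: re-seat the clip, check the 3.3V supply, and read again" >&2
    return 1
}
```

Record the printed hash together with the backup; it lets you verify later that the file you are about to write back is the one that was read from a known-good chip.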

Yea, I sure learned a lesson and a half from all the reading, that's for sure. The clip I got isn't very Jackie Chan tough, so I had to hold it in place for the only read I did. That got boring real quick, so for these other flashes I had a crowbar leaning over the clip so I didn't have to support it :laughing:
I'll wait a day or two for UART, sorry! I'm thankful it's alive again, and I have to lift/unlift the 3.3/5V mod every time because the flash doesn't show up on 3.3V. I'll order another clip and the step-down board for 3.3V and have a look at it later. I can't thank you enough for getting it right!

Boot log of my first OpenWRT build: openwrt_0.log

Unfortunately, I was not able to get the device tree in any of the ways I know of. Therefore, now it is written according to the few indirect data known to me, and sometimes even blindly :frowning:

1 Like

Now we need to make the router think that we are in emergency mode and let us go to the u-boot console. Connect the power to the router and turn it off after 5-10 seconds. After the next power connection, the startup will be stopped for 2 seconds. At this time, you should see the inscription Hit any key to stop autoboot: and a countdown (2..1..0). At this time, you need to press any key and you will be taken to the u-boot console. If everything is done correctly, you will see the prompt: ath> .

I apologize, but here I confused the actions to reset with the actions required to unlock u-boot console. Instead of "5-10 seconds", it should be "2-3 seconds". It is necessary that the power off occurs when the bootloader overwrites the parameter in the flash. Only then does the countdown appear on the next reboot.

hey

I have an AC2350 and the same problem as you. It is based on OpenWrt, so quite hard to break into :stuck_out_tongue: I nmap'ed that device and found some other open ports.

One of the services other than nginx is dnsmasq, which afaik is 2.80. Could you confirm that version and which OpenWrt it is based on? I found a security disclosure about the DNSpooq vulnerabilities, which could affect <2.85 (unfortunately no bugs/exploits found for dnsmasq on exploitdb).

EDIT: I'm asking because I haven't seen any possibility to enable DNSSEC on that device from the native web UI, so if there is a way and that dnsmasq is possibly vulnerable (I will check it in my free time maybe...) then we could use it. If no DNSSEC support - then no usage of RCE probably..

EDIT2: I've seen that something called PandoraBox was here (could you confirm that was a similar one?):
http://downloads.openwrt.org.cn/PandoraBox/


Do you think we could use that to pwn that device and provide an easier way to install OpenWrt?

@slh I have pretty much the same question as @kamazee :wink: If you could PM me or point out some "cheap" stuff working with AC/AX and still being able to work with OpenWrt w/o another device, that would be awesome :wink:

One of the services other than nginx is dnsmasq, which afaik is 2.80. Could you confirm that version and which OpenWrt it is based on?

root@XiaoQiang:~# /usr/sbin/dnsmasq --version
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack ipset no-auth no-DNSSEC no-ID loop-detect no-inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

If no DNSSEC support - then no usage of RCE probably..

...no-auth no-DNSSEC no-ID...
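The version line and the `Compile time options:` line quoted above carry everything needed for an inventory check of a dnsmasq build: the release number, and which features are compiled in. Below is an added example (not from the thread or from dnsmasq itself) in POSIX shell that parses that output, compares the version against a minimum you pass in (the post above uses 2.85 as its threshold; the value is a parameter, not a claim of this script), and reports whether a given compile-time option such as `DNSSEC` or `TFTP` is present. The embedded `SAMPLE_OUTPUT` is the output shown in the thread; on a live box you would feed it `$(dnsmasq --version 2>&1)` instead.

```shell
#!/bin/sh
# Added example: inspect "dnsmasq --version" output for version and build options.
# SAMPLE_OUTPUT is the output quoted earlier in this thread (constructed input for the example).
SAMPLE_OUTPUT='Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack ipset no-auth no-DNSSEC no-ID loop-detect no-inotify dumpfile'

# dnsmasq_version OUTPUT : print the dotted version, e.g. "2.80"
dnsmasq_version() {
    printf '%s\n' "$1" | sed -n 's/^Dnsmasq version \([0-9][0-9.]*\).*/\1/p'
}

# dnsmasq_has_option OUTPUT NAME : exit 0 if NAME appears as a compiled-in option.
# The options line lists "no-DNSSEC" for a disabled feature, so an exact-word
# match on "DNSSEC" correctly fails for a build without it.
dnsmasq_has_option() {
    printf '%s\n' "$1" | grep '^Compile time options:' | tr ' ' '\n' | grep -qx "$2"
}

# version_lt A B : exit 0 if dotted version A is lower than B (major.minor compare)
version_lt() {
    a1=${1%%.*}; a2=${1#*.}; a2=${a2%%.*}
    b1=${2%%.*}; b2=${2#*.}; b2=${b2%%.*}
    if [ "$a1" -lt "$b1" ]; then return 0; fi
    if [ "$a1" -eq "$b1" ] && [ "$a2" -lt "$b2" ]; then return 0; fi
    return 1
}

# dnsmasq_assess OUTPUT MINIMUM : report version and DNSSEC status;
# exit 1 when the build is older than MINIMUM, 2 if the output cannot be parsed
dnsmasq_assess() {
    v=$(dnsmasq_version "$1")
    if [ -z "$v" ]; then
        echo "could not parse a dnsmasq version from the output" >&2
        return 2
    fi
    rc=0
    if version_lt "$v" "$2"; then
        echo "dnsmasq $v is older than $2: schedule a firmware update"
        rc=1
    else
        echo "dnsmasq $v is at or above $2"
    fi
    if dnsmasq_has_option "$1" DNSSEC; then
        echo "DNSSEC is compiled in"
    else
        echo "built with no-DNSSEC: DNSSEC validation cannot be enabled on this build"
    fi
    return $rc
}

# Usage on the quoted output; on a real device pass "$(dnsmasq --version 2>&1)" instead.
dnsmasq_assess "$SAMPLE_OUTPUT" 2.85
```

The split into `dnsmasq_version`, `dnsmasq_has_option` and `version_lt` keeps each check independently testable, and the same `dnsmasq_has_option` call answers the later question in the thread about whether TFTP is built in (it is, per the quoted options line; whether it is enabled at runtime is a separate configuration question).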

thanks @eisaev
will review the TFTP (default off unfortunately...) and IPv6 features while IPv4 mode is on, because that could maybe help us...
https://wiki.archlinux.org/index.php/dnsmasq#TFTP_server

Could anyone please share the latest CN firmware?

http://miwifi.com/miwifi_download.html
1.3.8?

In the first post the version was 3.0.36 - maybe this is a developer version and can enable SSH.

No.
3.0.36 - latest international firmware.
1.3.8 - latest CN

2 Likes

I tried to bind my router with this 1.3.8 CN ROM and had no success, so I can't download the SSH tools. I think it is possible because in this ROM I have a backup and restore option that I don't have on ROM 3.0.36:

Maybe there was a miwifi_ssh.bin for my AC2350 and we can install it on this version.
The backup file was like this:
2021-02-07--15_28_33.tar.gz
I run Linux Mint and looked at it.

I used OpenWRTInvasion on Linux Mint and it works, but it doesn't set up a password for root, and I can't log in, so I need to reset the router, or maybe you have another solution to set up the password.

1 Like