Support for Mikrotik RB3011UiAS-RM?

Looks like I will have to do it that way, then I gotta figure out where rootfs starts.
I tried mounting the whole partition, but mount complains that it needs a block device.

Some results about your lhgg60-ad:
YAFFS starts from: 0xb21c70 - 0xE61440. Maybe the kernel?

To find the beginning of this part you need to find the byte sequence "hsqs" (0x68737173), which is the little-endian squashfs signature.
So, SquashFS starts from 0xe61860, but it seems to be encrypted?
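A way to do this "hsqs" search over a dump, as an added example (my code, not posted by anyone in this thread): it scans a constructed stand-in for the NOR dump, decodes every SquashFS v4 superblock it finds, flags the false positives that a bare four-byte search produces, and reports the entropy of the bytes right after the superblock. The sample offsets (0x1860 for the fake image, 0x100 for a decoy string) are constructed. A plausible superblock with a sane block size and compressor points to an ordinary compressed image; note that compressed and encrypted data both look high-entropy, so entropy alone cannot tell them apart.

```python
import math
import random
import struct

# SquashFS v4 superblock (little-endian), 96 bytes.
# The magic is stored on disk as the bytes 68 73 71 73 ("h","s","q","s");
# read as a little-endian u32 that value is 0x73717368.
SQUASHFS_MAGIC = b"hsqs"
SUPERBLOCK_FMT = "<5I6H8Q"
SUPERBLOCK_LEN = struct.calcsize(SUPERBLOCK_FMT)  # 96
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def parse_superblock(blob, offset):
    """Decode the superblock at `offset` and sanity-check its fields.

    A stray "hsqs" inside text or random data decodes too, so the `valid`
    flag (plausible version, compressor, block size, length) is what
    separates a real image from a false positive.
    """
    (magic, inodes, mtime, block_size, frags,
     comp, block_log, flags, ids, major, minor,
     root_inode, bytes_used, *_tables) = struct.unpack_from(SUPERBLOCK_FMT, blob, offset)
    valid = (
        major == 4
        and comp in COMPRESSORS
        and 12 <= block_log <= 20              # 4 KiB .. 1 MiB data blocks
        and block_size == (1 << block_log)
        and bytes_used <= len(blob) - offset   # the image must fit in the dump
    )
    return {
        "offset": offset,
        "valid": valid,
        "version": f"{major}.{minor}",
        "compressor": COMPRESSORS.get(comp, f"unknown({comp})"),
        "block_size": block_size,
        "inodes": inodes,
        "bytes_used": bytes_used,
    }


def find_squashfs(blob):
    """Return a decoded candidate for every "hsqs" occurrence in the dump."""
    found = []
    start = 0
    while True:
        off = blob.find(SQUASHFS_MAGIC, start)
        if off < 0 or off + SUPERBLOCK_LEN > len(blob):
            break
        found.append(parse_superblock(blob, off))
        start = off + 1
    return found


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 .. 8.0) of a data window."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_sample_dump():
    """Constructed stand-in for a NOR dump: random filler, one fake
    superblock at 0x1860, and a decoy "hsqs" inside a text string at 0x100."""
    rng = random.Random(2024)
    dump = bytearray(rng.randbytes(0x4000))
    dump[0x100:0x110] = b"hsqs in a string"
    sb = struct.pack(
        SUPERBLOCK_FMT,
        0x73717368, 123, 1700000000, 1 << 17, 7,   # magic, inodes, mtime, block_size, frags
        4, 17, 0, 1, 4, 0,                         # xz, block_log=17, flags, ids, v4.0
        0, 0x2000, 0, 0, 0, 0, 0, 0,               # root_inode, bytes_used, table offsets
    )
    dump[0x1860:0x1860 + SUPERBLOCK_LEN] = sb
    return bytes(dump)


if __name__ == "__main__":
    dump = build_sample_dump()
    for sb in find_squashfs(dump):
        after = sb["offset"] + SUPERBLOCK_LEN
        window = dump[after:after + 4096]
        print(f"0x{sb['offset']:x}: valid={sb['valid']} {sb['compressor']} "
              f"block={sb['block_size']} entropy(after sb)={shannon_entropy(window):.2f}")
```

To run it against a real dump, replace `build_sample_dump()` with `open("dump.bin", "rb").read()`; the offsets printed are then absolute offsets into the flash image, which is what the partition definition needs.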

I set the rootfs partition to that offset and it's building now.
But I wouldn't be surprised if YAFFS is actually used for rootfs, as squashfs is small in size compared to YAFFS.
The best thing would be if somehow I could dd an older NPK and then reuse one of the CVEs to get root.

It looks like some kind of auxiliary file system that does not carry any special value for us.

I can dump the current RouterOS partition and then try simply overwriting it with dd and an old NPK.
I figured out that I had defined the RouterOS partition wrongly, so after correcting it per the stock firmware and enabling all of the splitters there is something new, but not useful.

[    1.047724] m25p80 spi0.0: w25q128jv (16384 Kbytes)
[    1.048143] 5 fixed-partitions partitions found on MTD device spi0.0
[    1.052885] Creating 5 MTD partitions on "spi0.0":
[    1.059505] 0x000000080000-0x00000008e000 : "RouterBoot"
[    1.064810] 0x00000008e000-0x00000008f000 : "hard_config"
[    1.070211] 0x000000090000-0x0000000a0000 : "dts_config"
[    1.075415] 0x0000000bd000-0x0000000be000 : "soft_config"
[    1.080887] 0x000000100000-0x000001000000 : "firmware"
[    1.112934] no rootfs found after FIT image in "firmware"

Mount does not work:
mount: mounting /dev/mtd4 on mount_dir/ failed: Block device required
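To check whether a self-defined partition map matches what the stock kernel registered, here is an added example (my code, not posted by anyone in this thread) that parses the dmesg lines above into a table, computes each partition's size and the flash ranges nothing covers, and gives both device nodes for a partition: /dev/mtdN is the character device, and /dev/mtdblockN is the block view that mount expects. The sample input is copied from the dmesg output above.

```python
import re
from dataclasses import dataclass

# Lines copied from the dmesg output posted above; used here as sample input.
SAMPLE_LOG = """\
[    1.047724] m25p80 spi0.0: w25q128jv (16384 Kbytes)
[    1.048143] 5 fixed-partitions partitions found on MTD device spi0.0
[    1.052885] Creating 5 MTD partitions on "spi0.0":
[    1.059505] 0x000000080000-0x00000008e000 : "RouterBoot"
[    1.064810] 0x00000008e000-0x00000008f000 : "hard_config"
[    1.070211] 0x000000090000-0x0000000a0000 : "dts_config"
[    1.075415] 0x0000000bd000-0x0000000be000 : "soft_config"
[    1.080887] 0x000000100000-0x000001000000 : "firmware"
"""

PART_RE = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) : "([^"]+)"')
FLASH_RE = re.compile(r"\((\d+) Kbytes\)")


@dataclass(frozen=True)
class MtdPart:
    index: int
    name: str
    start: int
    end: int  # exclusive

    @property
    def size(self):
        return self.end - self.start


def parse_mtd_log(text):
    """Partitions in registration order; that order is the /dev/mtdN index."""
    parts = []
    for m in PART_RE.finditer(text):
        parts.append(MtdPart(len(parts), m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
    return parts


def flash_size_from_log(text):
    """Total chip size in bytes from the SPI-NOR probe line, or None."""
    m = FLASH_RE.search(text)
    return int(m.group(1)) * 1024 if m else None


def find_gaps(parts, flash_size):
    """Flash ranges no partition covers, as (start, end) pairs."""
    gaps = []
    cursor = 0
    for p in sorted(parts, key=lambda p: p.start):
        if p.start > cursor:
            gaps.append((cursor, p.start))
        cursor = max(cursor, p.end)
    if flash_size is not None and cursor < flash_size:
        gaps.append((cursor, flash_size))
    return gaps


def find_overlaps(parts):
    """Pairs of neighbouring partitions whose ranges overlap."""
    ordered = sorted(parts, key=lambda p: p.start)
    return [(a.name, b.name) for a, b in zip(ordered, ordered[1:]) if b.start < a.end]


def device_nodes(part):
    """Character node (raw MTD access) and block node (mountable view)."""
    return f"/dev/mtd{part.index}", f"/dev/mtdblock{part.index}"


if __name__ == "__main__":
    parts = parse_mtd_log(SAMPLE_LOG)
    total = flash_size_from_log(SAMPLE_LOG)
    for p in parts:
        char_dev, block_dev = device_nodes(p)
        print(f"{p.index} {p.name:12} 0x{p.start:08x}-0x{p.end:08x} "
              f"{p.size:8} bytes {char_dev} {block_dev}")
    for start, end in find_gaps(parts, total):
        print(f"unmapped 0x{start:08x}-0x{end:08x} ({end - start} bytes)")
    print("overlaps:", find_overlaps(parts))
```

On the posted map the unmapped ranges are the first 512 KiB and three small holes between the config partitions; comparing this output against the stock layout is a quick way to spot an offset typo before writing anything to flash.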

Did you try this?

this

Errata: an additional advisory accompanying this one references
multiple buffer overflow vulnerabilities in inetutils telnet clients.
The Mikrotik telnet client is also susceptible to these weaknesses. A
trigger for the overflow condition is shown below. This issue also impacts
a device connecting remotely.

telnet> environ define DISPLAY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
telnet> open 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

telnet: buffer overflow, losing data, sorry
telnet: ring.cc: 143: int ringbuf::flush(): Assertion `top-bot > 0 && top-bot <= count' failed.

Welcome back!
[admin@MikroTik] >

No, but I can try it

In RouterOS:
/system telnet
address:
Then press enter and get telnet>

next

telnet> environ define DISPLAY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
telnet> open 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

telnet: buffer overflow, losing data, sorry
telnet: ring.cc: 143: int ringbuf::flush(): Assertion `top-bot > 0 && top-bot <= count' failed.

Welcome back!
[admin@MikroTik] >

Well, you could say it worked, but it returns me to the standard shell and not a root shell.

[admin@MikroTik] /system> telnet
address: 
telnet> environ define DISPLAY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
telnet> ?Invalid command
telnet> open 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.


telnet: buffer overflow, losing data, sorry
telnet: ring.cc: 143: int ringbuf::flush(): Assertion `top-bot > 0 && top-bot <= count' failed.

Welcome back!
[admin@MikroTik] /system

The problem is that instead of letters A, you need an exploit code specifically made for this system.

Well, that is gonna be a problem, since most likely that is not public.
This one should drop the root shell, but it's hard to use it as this thing only has one port.

Yes, I saw this vulnerability. But it does not give shell access.
I have an idea. You can read and write the DTB (DTS) mtd at 0x90000.
Is it possible to add something like this?:

chosen {
    bootargs-append = " clk_ignore_unused";
    bootargs = "init=/bin/bash";
    linux,initrd-start = <0x0>;
    linux,initrd-end = <0x0>;
};

Then compile back and write to DTS mtd...

Hm, it could actually be possible.
I already have it set as a partition, I just gotta remove the read-only flag.
Ok, recompiled it again with dtc and put it into the files folder so it should be included with the initramfs.
So I can try using mtd erase and then dd to write it.

Didn't help; the thing is that there is no UART console after RouterOS boots.

All ipq4018 Mikrotik devices are probably similar. I can jailbreak the hapac2 I have at home; what data do you need and how do I dump it? Then you can check if it will work for you...

Well, the thing is that they are not; this one has an external PHY transceiver, which is the source of all this trouble.
adron and myself have the RB450Gx4, which we jailbroke and got OpenWrt working on, but it's nowhere near the same.

I tried uploading full busybox to /flash and then forcing init to it but after jumping to kernel code it reboots.
So I am now trying to force it to at least boot to /bin/busybox.
And this boots but does not get a shell

Hello.
Did you add additional parameters for UART in DTS?:

chosen {
    bootargs = "console=ttyS0,115200 init=/bin/bash";
    stdout-path = "serial0:115200n8";
};

On Rb3011 I see this in /proc/cmdline:

root=/dev/ram0 ubifs_support console=ttyS0,115200 lcd_ctrl=84 parts=1 boot_part_size=8388608 eth_mac=6C:3B:6B:5C:72:B6 board=3011 Board=3011 ver=6.43.7 bver=3.27 hw_opt=00518004 boot=1 mlc=11

Hm, I only added the stdout-path part; I can try adding console.
Hm, it does not like that at all, it simply reboots after jumping to the kernel; it's most likely overwriting important parts of the cmdline.
I am now gonna move it to bootargs-append.

Today I also tried booting an image with the 6.41.4 npk in custom files to overwrite the current RouterOS partition, but it's too large to boot.

Some digging results:
When RouterOS starts, its init process mounts /flash/bootimage (aka routeros-arm.npk with squashfs) as rootfs! You can find the bootimage at offset 0xe60820 in your NOR dump.

The bootimage file in turn is also packed by yaffs1!

So, if we add init=/bin/bash before the real init that cooks /flash/bootimage, then no /bin/bash is found!

That makes sense. So in theory, if I could somehow squeeze the npk inside the initramfs and get it to boot (I think that limit is 12MB), I could actually write the npk using dd.

Even better thing would be if I could mount that yaffs partition and replace busybox in it.
But as far as I know newer kernels have no hope of getting yaffs to work.

Here is something new when using bootargs-append instead: even without the init part, touching bootargs-append makes the kernel crash.

RouterBOOT booter 6.44

RBLHGG-60ad

CPU frequency: 716 MHz
  Memory size: 256 MiB
 Storage size:  16 MiB

Press any key within 2 seconds to enter setup..

loading kernel... OK
setting up elf image... OK
jumping to kernel code
Could not mount ubifs filesystem: No such device
opendir: No such file or directory
opendir: No such file or directory
ERROR: no system package found!
Kernel panic - not syncing: Attempted to kill init!
{8f83df0c} panic+0x84/0x1c0
{8f83df44} do_exit+0x80/0x688
{8f83df84} do_group_exit+0x4c/0xc0
{8f83df9c} __wake_up_parent+0x0/0x18
CPU0: stopping
{80417f3c} handle_IPI+0xf4/0x1e0
{80417f5c} gic_handle_irq+0x94/0xa4
{80417f74} __irq_svc+0x40/0x60
Exception stack(0x80417f78 to 0x80417fc0)
7f60:                                                       80686890 00000000
7f80: 80417fc0 00000000 80416000 80451648 8041ba38 8041ba2c 8000406a 410fc075
7fa0: 00000000 00000000 00000001 80417fc0 8000e820 8000e824 60000013 ffffffff
{80417fbc} default_idle+0x24/0x28
{80417fc4} cpu_idle+0x50/0x8c
{80417fd4} start_kernel+0x290/0x2e4
CPU1: stopping
{8f869f5c} handle_IPI+0xf4/0x1e0
{8f869f7c} gic_handle_irq+0x94/0xa4
{8f869f94} __irq_svc+0x40/0x60
Exception stack(0x8f869f98 to 0x8f869fe0)
9f80:                                                       80693890 00000000
9fa0: 8f869fe0 00000000 8f868000 80451648 8041ba38 804518c8 8000406a 410fc075
9fc0: 00000000 00000000 00000000 8f869fe0 8000e820 8000e824 60000013 ffffffff
{8f869fdc} default_idle+0x24/0x28
{8f869fe4} cpu_idle+0x50/0x8c
{8f869ff4} __enable_mmu+0x0/0x2c
CPU3: stopping
{8f881f5c} handle_IPI+0xf4/0x1e0
{8f881f7c} gic_handle_irq+0x94/0xa4
{8f881f94} __irq_svc+0x40/0x60
Exception stack(0x8f881f98 to 0x8f881fe0)
1f80:                                                       806ad890 00000000
1fa0: 8f881fe0 00000000 8f880000 80451648 8041ba38 804518c8 8000406a 410fc075
1fc0: 00000000 00000000 00000000 8f881fe0 8000e820 8000e824 60000013 ffffffff
{8f881fdc} default_idle+0x24/0x28
{8f881fe4} cpu_idle+0x50/0x8c
{8f881ff4} __enable_mmu+0x0/0x2c
Rebooting in 1 seconds..

The only problem with fake NPK is that they have a digital signature, so you just can’t modify it. kernel2minor can pack one single file to yaffs1. In theory we can use it to pack modified npk to yaffs1...