Support for Mikrotik RB3011UiAS-RM?

Two things:

  • ath8327.ko has its own internal mdio_read/mdio_write bit-bang functions!
  • I tried to read from all MII IDs (0-4, 0x10, 0x18) and always get 0xFFFF as the result value. As far as I can judge, the same behavior is observed on an I2C bus when nothing is connected to it.

U-Boot also reports:

PHY ID1: 0xffff
PHY ID2: 0xffff

So, maybe bitbang is all we have?

It looks like they could be doing it after all.
But I have no idea which GPIOs, and there is no source for the custom 8327 driver that they appear to be partially reusing for the QCA8075.

QCA8075? I think that the RB450Gx4 uses an AR8327 switch.

Well kind of.
The IPQ40XX series has a variant of the AR8327 switch built in, and you have the QCA8072 and QCA8075 as 2- or 5-port PHY transceivers which are connected to the AR8327 via PSGMII.
This is what RJ45 ports are actually connected to.

Well, it's effectively the same, as there is a dedicated 1Gbit line for each port.
You can even see the QCA8075 on the board and that all ports are connected to it. QCA saved some pins and space in silicon: they didn't include the actual PHY in the silicon, and that is what the QCA8072 or QCA8075 does.

I have reverse engineering tools that were developed for MIPS systems and which allow building a custom kernel module for a RouterOS kernel and injecting a callback at any address of that kernel. I used it on the RB2011 to catch the mdio_write of the ath8327.ko module, to find out what registers and values it uses.
But as I said, this thing is for MIPS and needs a lot of time to prepare (cooking a fake kernel image for the build). But if we do not have other options, we can try it.

Thanks for clarifying. I missed this moment.

I think we pretty much hit the wall here.
Maybe @chunkeey knows something?

Yes. We need to know the GPIO numbers for MDIO bit-bang with the QCA8075. I'll go and try to build a fake kernel to build custom kernel modules for RouterOS IPQ-4019.

Did you jailbreak an RB450Gx4?? I'm trying but no luck.

Trying to enable jailbreak...0...1...2...3...4...5...ERROR: Unable to upload jailbreak to 172.20.1.51:22 with user admin. Are you sure that magic USB is connected?

There are only 2 pairs of GPIOs that have MDC/MDIO groups.
Those are: GPIO6 MDC and GPIO7 MDIO, GPIO52 MDC and GPIO53 MDIO
But they make no difference and I have tried both combinations.
But I got SPI-NOR detected, so that is pretty much only positive news.
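To make the two observations above concrete (all MII addresses reading 0xFFFF, and the GPIO6/7 vs GPIO52/53 MDC/MDIO pairs making no difference), here is an added example of a Clause 22 MDIO bit-bang read/write in C. It is not code from this thread, from ath8327.ko or from any Mikrotik driver: the real GPIO callbacks are replaced by a simulated bus with a pull-up and a software PHY model, so it runs offline. The PHY address 0x10 and the ID register values 0x1234/0x5678 are constructed for the demo and are not the QCA8075's real IDs. The point it shows is that a bus with nothing answering returns 0xFFFF for every register because the released MDIO line floats high, which is exactly what reading through the wrong GPIO pair would look like.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated MDIO bus: host pin state, a pull-up, and an optional Clause 22 PHY model. */
enum { IDLE, HDR, TX, WR };
typedef struct {
    int mdc, host_drive, host_val;   /* host side: MDC level, MDIO direction and value */
    int phy_drive, phy_val;          /* PHY side: whether it drives MDIO, and with what */
    bool present;                    /* false models an empty bus (or wrong GPIO pair) */
    uint8_t addr;                    /* constructed PHY address the model answers to */
    uint16_t regs[32];
    int state, ones, nbits, txn, wr_reg;
    uint32_t hdr, tx, wdata;
} bus_t;

/* Level a reader sees: whoever drives wins, otherwise the pull-up gives 1. */
static int bus_level(const bus_t *b) {
    if (b->host_drive) return b->host_val;
    if (b->phy_drive)  return b->phy_val;
    return 1;
}

/* PHY model: samples MDIO on the rising MDC edge. */
static void phy_rise(bus_t *b) {
    int bit = bus_level(b);
    if (!b->present) return;
    switch (b->state) {
    case IDLE:                       /* wait for >=32 preamble ones, then the ST '0' */
        if (bit) { b->ones++; return; }
        if (b->ones >= 32) { b->state = HDR; b->hdr = 0; b->nbits = 1; }
        b->ones = 0;
        return;
    case HDR: {                      /* ST(second bit) OP(2) PHYAD(5) REGAD(5) */
        b->hdr = (b->hdr << 1) | (uint32_t)bit;
        if (++b->nbits < 14) return;
        int op = (b->hdr >> 10) & 3, phyad = (b->hdr >> 5) & 31, regad = b->hdr & 31;
        if (((b->hdr >> 12) & 1) != 1 || phyad != b->addr) { b->state = IDLE; return; }
        if (op == 2) { b->tx = b->regs[regad]; b->txn = 18; b->state = TX; }        /* read  */
        else if (op == 1) { b->wr_reg = regad; b->wdata = 0; b->nbits = 0; b->state = WR; }
        else b->state = IDLE;
        return; }
    case WR:                         /* host drives TA '10' then 16 data bits */
        if (++b->nbits <= 2) return;
        b->wdata = (b->wdata << 1) | (uint32_t)bit;
        if (b->nbits == 18) { b->regs[b->wr_reg] = (uint16_t)b->wdata; b->state = IDLE; }
        return;
    default: return;                 /* TX: PHY owns the line and ignores input */
    }
}

/* PHY model: changes its output on the falling MDC edge (read turnaround and data). */
static void phy_fall(bus_t *b) {
    if (b->state != TX) return;
    if (b->txn == 18)       b->phy_drive = 0;                                     /* TA bit 1: high-Z */
    else if (b->txn == 17) { b->phy_drive = 1; b->phy_val = 0; }                 /* TA bit 2: 0 */
    else if (b->txn >= 1)  { b->phy_drive = 1; b->phy_val = (b->tx >> (b->txn - 1)) & 1; }
    else { b->phy_drive = 0; b->state = IDLE; b->ones = 0; return; }             /* release */
    b->txn--;
}

/* Host-side GPIO primitives, stand-ins for real set_mdc/set_mdio/get_mdio callbacks. */
static void set_mdc(bus_t *b, int v) {
    if (v && !b->mdc) { b->mdc = 1; phy_rise(b); }
    else if (!v && b->mdc) { b->mdc = 0; phy_fall(b); }
}
static void host_bit(bus_t *b, int bit) { b->host_drive = 1; b->host_val = bit; set_mdc(b, 1); set_mdc(b, 0); }
static void host_bits(bus_t *b, uint32_t v, int n) { for (int i = n - 1; i >= 0; i--) host_bit(b, (v >> i) & 1); }
static int  host_sample(bus_t *b) { b->host_drive = 0; set_mdc(b, 1); int v = bus_level(b); set_mdc(b, 0); return v; }

static void frame_header(bus_t *b, int op, uint8_t phy, uint8_t reg) {
    host_bits(b, 0xFFFFFFFFu, 32);   /* preamble */
    host_bits(b, 1, 2);              /* ST = 01 */
    host_bits(b, (uint32_t)op, 2);   /* OP: 10 read, 01 write */
    host_bits(b, phy, 5);
    host_bits(b, reg, 5);
}

/* Clause 22 read. With nothing answering, every sampled bit is the pull-up: 0xFFFF. */
uint16_t mdio_bb_read(bus_t *b, uint8_t phy, uint8_t reg) {
    frame_header(b, 2, phy, reg);
    host_sample(b);                  /* TA bit 1: host releases MDIO */
    host_sample(b);                  /* TA bit 2: a present PHY drives 0 here */
    uint16_t v = 0;
    for (int i = 0; i < 16; i++) v = (uint16_t)((v << 1) | host_sample(b));
    host_sample(b);                  /* one idle clock so the PHY releases the line */
    return v;
}

void mdio_bb_write(bus_t *b, uint8_t phy, uint8_t reg, uint16_t val) {
    frame_header(b, 1, phy, reg);
    host_bits(b, 2, 2);              /* TA = 10, driven by host */
    host_bits(b, val, 16);
    host_sample(b);                  /* idle clock */
}

/* Scan all 32 addresses; count those whose PHY ID1 (register 2) is not the empty-bus value. */
int mdio_scan(bus_t *b) {
    int n = 0;
    for (uint8_t a = 0; a < 32; a++) if (mdio_bb_read(b, a, 2) != 0xFFFF) n++;
    return n;
}

void bus_init(bus_t *b, bool present, uint8_t addr) {
    memset(b, 0, sizeof *b);
    b->present = present; b->addr = addr;
    b->regs[2] = 0x1234; b->regs[3] = 0x5678;   /* constructed IDs, not a real QCA8075 ID */
}

int main(void) {
    bus_t b;
    bus_init(&b, false, 0);          /* empty bus: what the 0xFFFF observation looks like */
    printf("empty bus  ID1=0x%04x\n", mdio_bb_read(&b, 0x10, 2));
    bus_init(&b, true, 0x10);
    printf("PHY @0x10  ID1=0x%04x ID2=0x%04x, %d PHY(s) found\n",
           mdio_bb_read(&b, 0x10, 2), mdio_bb_read(&b, 0x10, 3), mdio_scan(&b));
    return 0;
}
```

On real hardware the three host primitives would toggle the MDC and MDIO GPIOs (one of the GPIO6/7 or GPIO52/53 pairs) with a few microseconds of delay per edge; the frame logic stays the same. A quick sanity check that does not depend on knowing the PHY address is the turnaround bit: a present PHY pulls MDIO low during the second TA clock, while a floating line reads 1 there and then 0xFFFF, so if every address returns 0xFFFF the pins, not the register map, are the first suspect.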

You can get a temporary root shell using this exploit and a microSD card

Oh. I did not notice that the RB450Gx4 has a microSD slot. I have it in a metal case. Thanks.

And with a root shell you can then use this busybox with a lot more applets, or compile your own
https://github.com/0ki/mikrotik-tools/blob/master/exploit-backup/busybox-arm

Yes I know. I already used it for RB2011/RB3011.

I pushed a version with SPI-NOR detected and working.
The issue was that Mikrotik's DTB contained completely wrong GPIO pins for SPI communication; using DK04.1 as a reference, the GPIO pins used there actually worked.
The Winbond flash that is used was also a newer revision that did not have its JEDEC ID added to the kernel driver, so that was patched too and included.
NAND is detected even without pinctrl being set, but is complaining about not being able to read the BBM.

Still, it's not worth it if networking does not work.

Great news. I also thought that a wrong binary DTB was present on the SPI flash.

With the network, I'll try to figure it out. Now I am trying to create a fake kernel source and compile a kernel module for RouterOS.

Adding the DK04.1 NAND pins fixed the BBM error.
I have a feeling that there has got to be another DTB located somewhere in UBI, but Binwalk is really bad at extracting UBI

Ok.

/ram/disk1/owl # insmod ./test_m.ko owl=69
/ram/disk1/owl # rmmod test_m
/ram/disk1/owl # dmesg 
Test module start
Test module stop

Finally I managed to make a fake RouterOS kernel source tree with which to load alien modules.
Now it remains to correct the module for injecting callbacks (till now it works only for MIPS) and then we can reverse engineer the insides of a RouterOS kernel.

Awesome work.
You are really paving the way for a lot of Mikrotik IPQ40XX series devices that are becoming really cheap.