Support for Netcomm/ ZTE IFWA-40

All of this began when I started researching attaching external directional MIMO antennas to my IFWA-40 (which my cellular provider says “you are not allowed to do” even though it’s got external SMA ports, they are f’ing nuts). So I recall a few months ago logging in to my IFWA-40 and having an “advanced” option in the webGUI administration panel, which allowed you to see detailed information on your cellular connection (Such as bands, signal strength, SNR, etc...) which I want so I can accurately point the MIMO antennas...

My cellular provider must have pushed an OTA firmware update (without my permission) because when I logged in this week, the “Advanced” option was gone. (Though I’m starting to think I’m crazy, because I can’t find any images of the advanced pane as I remember it)

Anyways. My conversation with “advanced tech support” where a tier 2 manager literally threatened me, got me fired up.

I was determined to “own” this device. I proceeded to disassemble the device to get a look at the main PCB. I had vaguely recalled it running Linux, so I thought it might be worthwhile to take a look. Turns out this is a NetComm device, rebranded to ZTE, rebranded to my cellular carrier.

I started by using the built in Backup/ Restore feature to download a copy of the config files, which I soon realized was just an archive of the /etc/config folder, confirming that it was already running OpenWRT.

I tried SSHing to the devices IP and was surprised to get a login prompt. I tried all manner of passwords nothing worked.

After opening the device there were a few notable things, multiple unpopulated headers, and an unpopulated USB port. I made an educated guess, as to which of the unpopulated headers was the serial port by following the PCB traces back to where I knew the SOC was. I hooked up a logic analyzer to be sure, and was elated to see text being spit out at 9600 baud!

Logic Analyzer Output

I got root through the serial port. Got the SSH keys and was in.

Unfortunately this is where my frustrations began... I wanted to replace the heavily modified Luci gui with the standard one. I SCP'd in and tried replacing all the Luci files with ones from a OpenWRT VM (stupid x86 vs ARM...) Well I broke lua. Luckily a factory reset from the gui (once I fixed my mess up) restored things.

I wanted to see if I could boot this thing from a USB stick, which I now know is more complicated then it sounds. I am not versed in embedded systems. I got the multimeter out and tested the unpopulated USB port. To my dismay the port was not only missing the port itself, but all the supporting circuitry as well. (Possibly a common mode choke on the RX/TX lines, a capacitor on the ground, and most annoyingly the 5V regulator) I bypassed all these ESD suppressing components, and got 5V from an external source. I am happy to report the USB port works (even with my horrendous hack). I can see the thumb drive in lsusb, but have not been able to successfully mount it yet.

Here is all the FCC info on the device, which is really helpful because it shows detailed photos of the internals, with the RF shielding cans removed....

This device is running a Qualcomm IPQ4018, winbond 25Q64JVSIQ 64M-bit flash memory, winbond W632GU6MB-12 DRAM, and ESMT M15T2G16128A secondary DRAM.

I feel like this device is pretty similar in construction to others running OpenWRT, I would love to get "vanilla" OpenWRT running on it. I don't have much experience with embedded systems, Uboot, flashing memory and the other things required to get regular OpenWRT on this device. I know there is a firmware builder but have no idea how to configure it for this specific device with it's specific hardware. I really want to be able to install "normal" software such as umbim and other tools so I can get the detailed information I need from the cellular modem in this thing.

I have also entertained the idea of removing the mPCIe modem card which is a netComm brand running a Qualcomm MDM9250 similar to the Sierra Wireless EM7511 and putting it in another "friendlier" router, though I don't know the feasibility of this idea.

Let me know what y'all think...

Great first post. Lots of useful detail!

Could you post the serial log from power-on to login?

I have combined the output from the logic analyzer with the serial output so you guys can also see the hex instructions at the beginning of boot... You can also see I selected the highest verbosity [4].

\x1C\xAE\x90\x9D\x18\xB9\x94\x11{\0\xBA\x08\x10?\x94\xDD\xDE\xEF\x08\x9D\x88_\0!\xC6\xCF\x08\xD5\x881\x84\xE6\x85\x18!\x84\x04\xBC\xD6&\x14 \xCD\xFC\x10X\x08BU\x14!\xA6\x18\xCD\xDD1\x8F\xB4#\x08\xDE\xFD\x90\xDC\x991\xD4\xE7\0\xB4\xD6L\xFF\x10\xFC\x0E)\x85\xFD\x90-\x90\xFC\xA7\x1CH\x08\xA4y\xE8\x10\xD4)\x10\xD4\x971X)\xA4\x14\xF6\x04\x14\x8D{ \xCC\x0C\x10\xC5{       \\x10\xF4\xCE)1\xD4\xCC1\xDD\x10\xCCY\x10\x9C\x8C\x96\xC0\x10\xDD\xC8\x10\x9D\x8C\x96D\x10\x9C\x88\x10\xE4
\x90\x84\x85\x18]\x9C!\xA4\x1C\x90CN\xFD\x08\xED\x1C\x18\xF6\x85\x14\xDD\x1CL\x0C\xD4\x10\xD5\x14!B\xCC1\xDD\x98\xE5\xCF\x10\x85\x04\xFE\x100\xA4\x1C1\xCC9\xAC\x10\xFC\xF0\0\x1D\x14\x14\xE5\x80\x10\x11\0\xDA\x94\xF9\x84)\xE5\x14\xE5\x80\x10\x11\0\xDA\x94\xF9\x84)\xC4H\xDF\x0E!'\x10!\x82\x94\xE2\x14\xE5\x80\x10\x11\0\xDA\x94\xF9\x84)\xE5\x14\xE5\x80\x10\x11\0\xDA\x94\xF9\x84)\xC4H\xDF\x0E!'\x10!\x82\x94\xE2\x14\xE5\x80\x10\x11\0\xDA\x94\xF9\x84)\xE5\x14\xE5\x80\x10\x11\0\xDA\x94\xF9\x84)\xC4H\xDF\x0E!'\x10!\x82\x94\xE2\x14\xE5\x80\x10\x11\0\xDA\x94\xF9\x14!\x84)\xE5\x14\xE5\x80\x10\x11\0\xDA\x94\xF9\x84)\xC4H\xDF\xEE\x149\x8D\x94)q\x90\x96:)\x9C\x90\x98\x1C!\x88\x9C\xE6\x04!\xCE\xE6\x14!\xC6\xC89\xD8!\xA4\x108\x10\xDD\x8C\xE6B\x84\xC4p9\x95\xEE\xA4\x109\x15\x90\xAE0!\xC4\x86
!!\x01\xE6\x9C\xFE\xF0\xF8\x10(\x85\x10\x85\x08)))\x96\x19\x94\xEC\x10!\xD5J\x80\xC4\x84\x109\x9D\0B\xA5\x10\xB4\xCA\x86<\x18x\x14\xE6H\xC4\x0C\x14!\xEF\x85\x94\x8E\x0E!\xA4\xF0\x98\x9C\x941r9\x85\xFC\x10\x1D\x98\x9D\x94\xFC\x08)\x94!)91\x1A\x909\x82\x14\xF9Start nfsboot
Starting NFS booting...
Setting up VLAN interface
Trying to bring up usb0.3001
usb0.3001 is up now
NFS mounting
Switching RootFS done successfully
NFS mounting - shared /etc
Unmounting the old rootfs
Mounting /nfs (nfs status monitor)
Release usb0 interface
Hand over control to the main init
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
4
377+0 records in
377+0 records out
12064 bytes (11.8KB) copied, 0.042220 seconds, 279.0KB/s
377+0 records in
377+0 records out
12064 bytes (11.8KB) copied, 0.039620 seconds, 297.4KB/s
Please press Enter to activate this console.
/sbin/hotplug-call: local: line 66: not in a function
/sbin/hotplug-call: local: line 66: not in a function
/sbin/hotplug-call: local: line 66: not in a function
/sbin/hotplug-call: local: line 66: not in a function
/sbin/hotplug-call: local: line 66: not in a function
/sbin/hotplug-call: local: line 66: not in a function
/sbin/hotplug-call: local: line 66: not in a function
/sbin/hotplug-call: local: line 66: not in a function
/sbin/hotplug-call: local: line 66: not in a function
/sbin/hotplug-call: local: line 66: not in a function
/sbin/hotplug-call: local: line 66: not in a function
/sbin/hotplug-call: local: line 66: not in a function
/sbin/hotplug-call: local: line 66: not in a function
No Direct-Attach chipsets found.
/sbin/hotplug-call: local: line 66: not in a function
WLAN 2 interfaces not ready, failed
/sbin/hotplug-call: local: line 66: not in a function
qcawifi disable radio wifi0
qcawifi disable radio wifi1
qcawifi: enable radio wifi0
/sbin/hotplug-call: local: line 66: not in a function
Terminated
qcawifi: enable radio wifi1
/sbin/hotplug-call: local: line 66: not in a function
Terminated
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing IPv6 raw table
 * Deleting ipset parental_ipset
 * Flushing conntrack table ...
 * Creating ipset parental_ipset
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ipc'
   * Rule 'block-ipc-access-from-lan'
   * Rule 'block-ipc-access-from-wan'
   * Rule 'block-ipc-forward-from-lan-to-wan'
   * Rule 'block-ipc-forward-from-wan-to-lan'
   * Rule 'block-ipc-access-from-lan-to-router'
   * Rule 'ping-from-lan-to-router'
   * Rule 'admin-from-lan-to-router'
   * Rule 'ping-from-wan-to-router'
   * Rule 'dhcp-for-lan'
   * Rule 'primary-dns-for-lan'
   * Rule #10
   * Rule 'pptp_port_filtering_out'
   * Rule 'pptp_port_filtering_in'
   * Rule 'pptp_gre_out'
   * Rule 'pptp_gre_in'
   * Rule 'openvpn_port_filtering_out'
   * Rule 'openvpn_port_filtering_in'
   * Rule 'l2tp_port_filtering_out'
   * Rule 'l2tp_port_filtering_in'
   * Rule 'ipsec_port_filtering_out'
   * Rule 'ipsec_nat_port_filtering_out'
   * Rule 'ipsec_port_filtering_in'
   * Rule 'ipsec_nat_port_filtering_in'
   * Rule 'ipsec_esp_out'
   * Rule 'ipsec_esp_in'
   * Redirect #0
   * Forward 'lan' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ipc'
   * Redirect #0
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ipc'
 * Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ipc'
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ipc'
   * Rule 'block-ipc-access-from-lan'
   * Rule 'block-ipc-access-from-wan'
   * Rule 'block-ipc-forward-from-lan-to-wan'
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
   * Rule 'block-ipc-forward-from-wan-to-lan'
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
   * Rule 'block-ipc-access-from-lan-to-router'
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
   * Rule 'ping-from-lan-to-router'
   * Rule 'admin-from-lan-to-router'
   * Rule 'ping-from-wan-to-router'
   * Rule 'dhcp-for-lan'
   * Rule 'primary-dns-for-lan'
   * Rule 'pptp_port_filtering_out'
   * Rule 'pptp_port_filtering_in'
   * Rule 'pptp_gre_out'
   * Rule 'pptp_gre_in'
   * Rule 'openvpn_port_filtering_out'
   * Rule 'openvpn_port_filtering_in'
   * Rule 'l2tp_port_filtering_out'
   * Rule 'l2tp_port_filtering_in'
   * Rule 'ipsec_port_filtering_out'
   * Rule 'ipsec_nat_port_filtering_out'
   * Rule 'ipsec_port_filtering_in'
   * Rule 'ipsec_nat_port_filtering_in'
   * Rule 'ipsec_esp_out'
   * Rule 'ipsec_esp_in'
   * Forward 'lan' -> 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ipc'
 * Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ipc'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/usr/share/miniupnpd/firewall.include'
 * Running script '/etc/firewall.d/qca-nss-ecm'
 * Flushing conntrack table ...
Terminated



BusyBox v1.25.1 (2020-01-17 02:00:56 UTC) built-in shell (ash)

     MM           NM                    MMMMMMM          M       M
   $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
  MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
  MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
    MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
     MMMM          M                    MMMMMMM        M       M
       M
 ---------------------------------------------------------------
   For those about to rock... (Chaos Calmer, releases-Serpent_Skunkape-R_1.0.1.23+r49254)
 ---------------------------------------------------------------
root@wirelessinternet:/#

This is missing the output from the boot-loader, and early boot.

Maybe the garble-hex at the top are (some of) those messages, but coming in at a different speed than 9600. Have you tried 115200, and 57600? 9600 seems real slow, even for Tech using 7-year-old OpenWrt/QSDK FrankenOS.

Can you post the output of

• dmesg
• cat /proc/interupts
• cat /proc/mtd
• mount
• iw phy
• ip link
  ...

Maybe also dump the mounted fileSystems and all MTD-partitions to a network host.

You are correct! 115200 worked much better... Here's the output:

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00123
S - IMAGE_VARIANT_STRING=DAABANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000021
S - Reset status Config, 0x00000000
S - Core 0 Frequency, 0 MHz
B -       261 - PBL, Start
B -      1339 - bootable_media_detect_entry, Start
B -      1678 - bootable_media_detect_success, Start
B -      1692 - elf_loader_entry, Start
B -      5069 - auth_hash_seg_entry, Start
B -      7211 - auth_hash_seg_exit, Start
B -    577125 - elf_segs_hash_verify_entry, Start
B -    694494 - PBL, End
B -    694518 - SBL1, Start
B -    785293 - pm_device_init, Start
D -         7 - pm_device_init, Delta
B -    786755 - boot_flash_init, Start
D -     52800 - boot_flash_init, Delta
B -    843695 - boot_config_data_table_init, Start
D -      3835 - boot_config_data_table_init, Delta - (419 Bytes)
B -    850905 - clock_init, Start
D -      7575 - clock_init, Delta
B -    862951 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B -    866366 - sbl1_ddr_set_params, Start
B -    871464 - cpr_init, Start
D -         2 - cpr_init, Delta
B -    875847 - Pre_DDR_clock_init, Start
D -         4 - Pre_DDR_clock_init, Delta
D -     13178 - sbl1_ddr_set_params, Delta
B -    889586 - pm_driver_init, Start
D -         2 - pm_driver_init, Delta
B -    959780 - sbl1_wait_for_ddr_training, Start
D -        28 - sbl1_wait_for_ddr_training, Delta
B -    975433 - Image Load, Start
D -    153476 - QSEE Image Loaded, Delta - (299848 Bytes)
B -   1129338 - Image Load, Start
D -      1445 - SEC Image Loaded, Delta - (2048 Bytes)
B -   1139755 - Image Load, Start
D -    217060 - APPSBL Image Loaded, Delta - (443723 Bytes)
B -   1357214 - QSEE Execution, Start
D -        60 - QSEE Execution, Delta
B -   1363423 - SBL1, End
D -    671013 - SBL1, Delta
S - Flash Throughput, 2006 KB/s  (746038 Bytes,  371785 us)
S - DDR Frequency, 537 MHz


U-Boot 2012.07 [Chaos Calmer 15.05.1,33f512d+r49254] (Feb 11 2019 - 02:02:27)

smem ram ptable found: ver: 1 len: 3
DRAM:  256 MiB
machid : 0x8010000
NAND:  SF: Detected W25Q64 with page size 4 KiB, total 8 MiB
ipq_spi: page_size: 0x100, sector_size: 0x1000, size: 0x800000
8 MiB
MMC:   
In:    serial
Out:   serial
Err:   serial
machid: 8010000
flash_type: 0
Hit any key to stop autoboot:  2 \x08\x08\x08 1 \x08\x08\x08 0 
(Re)start USB...
USB0:   Register 2000240 NbrPorts 2
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 1 USB Device(s) found
USB1:   Register 1000140 NbrPorts 1
Starting the controller
USB XHCI 1.00
scanning bus 1 for devices... 1 USB Device(s) found
       scanning usb for storage devices... 0 Storage Device(s) found
No current device selected
(Re)start USB...
USB0:   Register 2000240 NbrPorts 2
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 1 USB Device(s) found
USB1:   Register 1000140 NbrPorts 1
Starting the controller
USB XHCI 1.00
scanning bus 1 for devices... 1 USB Device(s) found
       scanning usb for storage devices... 0 Storage Device(s) found
No current device selected
(Re)start USB...
USB0:   Register 2000240 NbrPorts 2
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 1 USB Device(s) found
USB1:   Register 1000140 NbrPorts 1
Starting the controller
USB XHCI 1.00
scanning bus 1 for devices... 1 USB Device(s) found
       scanning usb for storage devices... 0 Storage Device(s) found
No current device selected
(Re)start USB...
USB0:   Register 2000240 NbrPorts 2
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... cannot reset port 1!?
2 USB Device(s) found
USB1:   Register 1000140 NbrPorts 1
Starting the controller
USB XHCI 1.00
scanning bus 1 for devices... 1 USB Device(s) found
       scanning usb for storage devices... 1 Storage Device(s) found
Reading device 0, number of blocks: 7797
7797 blocks read: OK
## Booting kernel from FIT Image at 84000000 ...
   Using 'config@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  ARM OpenWrt Linux-3.14.77
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x840000e4
     Data Size:    3954984 Bytes = 3.8 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x80208000
     Entry Point:  0x80208000
     Hash algo:    crc32
     Hash value:   e453842c
     Hash algo:    sha1
     Hash value:   2212b2cd2910df692740146e9a586729d052fa0d
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Flattened Device Tree from FIT Image at 84000000
   Using 'config@1' configuration
   Trying 'fdt@1' FDT blob subimage
     Description:  ARM OpenWrt qcom-ipq40xx-ap.dk01.1-c1 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x843c5b50
     Data Size:    34566 Bytes = 33.8 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   c5bdf476
     Hash algo:    sha1
     Hash value:   d6c25e31c24dbcc71d8e75a51f375ec95710ea11
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x843c5b50
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 87064000, end 8706f705 ... OK
eth0 MAC Address from ART is not valid
eth1 MAC Address from ART is not valid
Using machid 0x8010000 from environment

Starting kernel ...

Have you tried interrupting the boot loader?

Hit any key to stop autoboot:

if so, please post the output of printenv too.

bordeaux> printenv
PRODUCT_devver=2.1
PRODUCT_hwver=1.5
PRODUCT_mac=F8:CA:**:**:**:**
PRODUCT_pn=197622193006791
PRODUCT_snextra=Y0W****
baudrate=115200
bootargs=root=/dev/nfs rw rootfstype=nfs nfsroot=169.254.252.1:/var/nfs/rootfs,nfsvers=3 init=/boot/nfsboot ip=169.254.252.2:169.254.252.1:169.254.252.1:255.255.255.0:my.router:usb0:none
bootcmd=while true; do usb start && usb readall ${load} && bootm ${load}; done
bootdelay=2
ethact=eth0
flash_type=0
hardware_version=5
ipaddr=192.168.1.11
load=0x84000000
machid=8010000
serverip=192.168.1.100
stderr=serial
stdin=serial
stdout=serial

Environment size: 611/65532 bytes

Great, that means you can interact with the boot-loader.

Next step would probably be to build an initramfs image for a supported device, that is similar to yours, and attempt to TFTP-boot it, and see how far it gets. Then iterate from there.

I don't know this platform well enough to be the best help for this device, but there are other long threads here on the forum more specific to qca4019. Maybe all the components are already supported, and you "just" need to port the DTS forward from 3.14 to the current kernel. Or maybe this device is a (close to a ) rebrand from an already supported device.

Do you know if there is a command to dump the contents of the flash? So I can have a backup in case things go horribly wrong?

In regards to the above I found this helpful article:

Recovering Firmware Through uboot

It appears the correct proccess is to read the SPI flash into RAM and then copy it over tftp.

A user on IRC requested this output, so here it is:

help command:

bordeaux> help
?       - alias for 'help'
base    - print or set address offset
bootipq - bootipq from flash device
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
dhcp    - boot image via network using DHCP/TFTP protocol
dumpipq_data- dumpipq_data crashdump collection from memory
dumpipq_flash_data- dumpipq_flash_data crashdump collection and storing in flash
echo    - echo args to console
env     - environment handling commands
exit    - exit script
false   - do nothing, unsuccessfully
fdt     - flattened device tree utility commands
fuseipq - fuse QFPROM registers from memory

go      - start application at address 'addr'
help    - print command description/usage
i2c     - I2C sub-system
icache  - enable or disable instruction cache
imxtract- extract a part of a multi-image
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
showvar - print local hushshell variables
smeminfo- print SMEM FLASH information
source  - run script from memory
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
true    - do nothing, successfully
uartrd  - uartrd read from second UART
uartwr  - uartwr to second UART
ubi     - ubi commands
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version

help usb command:

bordeaux> help usb
usb - USB sub-system

Usage:
usb start - start (scan) USB controller
usb reset - reset (rescan) USB controller
usb stop [f] - stop USB [f]=force stop
usb tree - show USB device tree
usb info [dev] - show available USB devices
usb storage - show details of USB storage devices
usb dev [dev] - show or set current USB storage device
usb part [dev] - print partition table of one or all USB storage devices
usb read addr blk# cnt - read `cnt' blocks starting at block `blk#'
    to memory address `addr'
usb readall addr - read all blocks to memory address `addr'
usb write addr blk# cnt - write `cnt' blocks starting at block `blk#'
    from memory address `addr'

usb info command:

bordeaux> usb info
1: Hub,  USB Revision 3.0
 - u-boot XHCI Host Controller
 - Class: Hub
 - PacketSize: 9  Configurations: 1
 - Vendor: 0x0000  Product 0x0000 Version 1.0
   Configuration: 1
   - Interfaces: 1 Self Powered 0mA
     Interface: 0
     - Alternate Setting 0, Endpoints: 1
     - Class Hub
     - Endpoint 1 In Interrupt MaxPacket 8 Interval 255ms

2: Mass Storage,  USB Revision 3.10
 - Android Android 194922193101889
 - Class: (from Interface) Mass Storage
 - PacketSize: 9  Configurations: 2
 - Vendor: 0x05c6  Product 0x9059 Version 3.24
   Configuration: 1
   - Interfaces: 5 Bus Powered Remote Wakeup 224mA
     Interface: 0
     - Alternate Setting 0, Endpoints: 2
     - Class Mass Storage, Transp. SCSI, Bulk only
     - String: "Mass Storage"
     - Endpoint 1 In Bulk MaxPacket 1024
     - Endpoint 1 Out Bulk MaxPacket 1024
     Interface: 1
     - Alternate Setting 0, Endpoints: 2
     - Class Vendor specific
     - Endpoint 2 In Bulk MaxPacket 1024
     - Endpoint 2 Out Bulk MaxPacket 1024
     Interface: 2
     - Alternate Setting 0, Endpoints: 2
     - Class Vendor specific
     - String: "ADB Interface"
     - Endpoint 3 Out Bulk MaxPacket 1024
     - Endpoint 3 In Bulk MaxPacket 1024
     Interface: 3
     - Alternate Setting 0, Endpoints: 1
     - Class Communication
     - String: "CDC Ethernet Control Model (ECM)"
     - Endpoint 4 In Interrupt MaxPacket 16 Interval 9ms
     Interface: 4
     - Alternate Setting 0, Endpoints: 0
     - Class CDC Data
     - Endpoint 14 In Bulk MaxPacket 1024
     - Endpoint 15 Out Bulk MaxPacket 1024

3: Hub,  USB Revision 3.0
 - u-boot XHCI Host Controller
 - Class: Hub
 - PacketSize: 9  Configurations: 1
 - Vendor: 0x0000  Product 0x0000 Version 1.0
   Configuration: 1
   - Interfaces: 1 Self Powered 0mA
     Interface: 0
     - Alternate Setting 0, Endpoints: 1
     - Class Hub
     - Endpoint 1 In Interrupt MaxPacket 8 Interval 255ms

usb dev command:

bordeaux> usb dev

USB device 0: Vendor: Linux    Rev: 0318 Prod: File-Stor Gadget
            Type: Removable Hard Disk
            Capacity: 3.8 MB = 0.0 GB (7797 x 512)

usb tree command:

bordeaux> usb tree
USB device tree:
  1  Hub (5 Gb/s, 0mA)
  |  u-boot XHCI Host Controller
  |
  +-2  Mass Storage (5 Gb/s, 224mA)
       Android Android 194922193101889

  3  Hub (5 Gb/s, 0mA)
     u-boot XHCI Host Controller

usb info 2 command:

bordeaux> usb info 2
config for device 2
2: Mass Storage,  USB Revision 3.10
 - Android Android 194922193101889
 - Class: (from Interface) Mass Storage
 - PacketSize: 9  Configurations: 2
 - Vendor: 0x05c6  Product 0x9059 Version 3.24
   Configuration: 1
   - Interfaces: 5 Bus Powered Remote Wakeup 224mA
     Interface: 0
     - Alternate Setting 0, Endpoints: 2
     - Class Mass Storage, Transp. SCSI, Bulk only
     - String: "Mass Storage"
     - Endpoint 1 In Bulk MaxPacket 1024
     - Endpoint 1 Out Bulk MaxPacket 1024
     Interface: 1
     - Alternate Setting 0, Endpoints: 2
     - Class Vendor specific
     - Endpoint 2 In Bulk MaxPacket 1024
     - Endpoint 2 Out Bulk MaxPacket 1024
     Interface: 2
     - Alternate Setting 0, Endpoints: 2
     - Class Vendor specific
     - String: "ADB Interface"
     - Endpoint 3 Out Bulk MaxPacket 1024
     - Endpoint 3 In Bulk MaxPacket 1024
     Interface: 3
     - Alternate Setting 0, Endpoints: 1
     - Class Communication
     - String: "CDC Ethernet Control Model (ECM)"
     - Endpoint 4 In Interrupt MaxPacket 16 Interval 9ms
     Interface: 4
     - Alternate Setting 0, Endpoints: 0
     - Class CDC Data
     - Endpoint 14 In Bulk MaxPacket 1024
     - Endpoint 15 Out Bulk MaxPacket 1024

@ide12 I posted some other commands in a post further up, where the output would probably help any porting efforts.

Output of dmesg was too large so it's posted here: https://pastebin.com/bKu3fuNZ

Output of cat /proc/interrupts:

root@wirelessinternet:/# cat /proc/interrupts
           CPU0       CPU1       CPU2       CPU3
 20:    1633143      11024      14266      22077       GIC  20  arch_timer
 35:          0          0          0          0       GIC  35  watchdog bark
 97:          0          0          0          0       GIC  97  edma_eth_tx0
 98:          0          0          0          0       GIC  98  edma_eth_tx1
 99:          0          0        284          0       GIC  99  edma_eth_tx2
100:          0          0        237          0       GIC 100  edma_eth_tx3
101:          0          0          0          0       GIC 101  edma_eth_tx4
102:          0          0          0          0       GIC 102  edma_eth_tx5
103:          0          0          0        125       GIC 103  edma_eth_tx6
104:          0          0          0         38       GIC 104  edma_eth_tx7
105:          0          0          0          0       GIC 105  edma_eth_tx8
106:          0          0          0          0       GIC 106  edma_eth_tx9
107:         70          0          0          0       GIC 107  edma_eth_tx10
108:          9          0          0          0       GIC 108  edma_eth_tx11
109:          0          0          0          0       GIC 109  edma_eth_tx12
110:          0          0          0          0       GIC 110  edma_eth_tx13
111:          0        297          0          0       GIC 111  edma_eth_tx14
112:          0         12          0          0       GIC 112  edma_eth_tx15
127:        581          0          0          0       GIC 127  78b5000.spi
139:        995          0          0          0       GIC 139  msm_serial_hsl0
164:     129976          0          0          0       GIC 164  xhci-hcd:usb1
168:          0          0          0          0       GIC 168  xhci-hcd:usb3
200:       1860          0      35098          0       GIC 200  wifi0
201:       1763          0          0      34776       GIC 201  wifi1
239:          0          0          0          0       GIC 239  sps
270:        194          0          0          0       GIC 270  sps
272:        808          0          0          0       GIC 272  edma_eth_rx0
274:          0        303          0          0       GIC 274  edma_eth_rx2
276:          0          0        341          0       GIC 276  edma_eth_rx4
278:          0          0          0        347       GIC 278  edma_eth_rx6
293:          0          0          0          0   msmgpio   5  gpio_keys.8
IPI0:          0          0          0          0  CPU wakeup interrupts
IPI1:          0          0          0          0  Timer broadcast interrupts
IPI2:       7558      19854      17931      20277  Rescheduling interrupts
IPI3:          1          4          3          4  Function call interrupts
IPI4:         15          8          3          5  Single function call interrupts
IPI5:          0          0          0          0  CPU stop interrupts
IPI6:       3177       1478       1847       1455  IRQ work interrupts
IPI7:          0          0          0          0  completion interrupts
Err:          0

Output of cat /proc/mtd:

root@wirelessinternet:/# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "0:SBL1"
mtd1: 00020000 00010000 "0:MIBIB"
mtd2: 00060000 00010000 "0:QSEE"
mtd3: 00010000 00010000 "0:CDT"
mtd4: 00010000 00010000 "0:DDRPARAMS"
mtd5: 00010000 00010000 "0:APPSBLENV"
mtd6: 00080000 00010000 "0:APPSBL"
mtd7: 00010000 00010000 "0:ART"

Output of mount:

root@wirelessinternet:/# mount
rootfs on / type rootfs (rw)
169.254.251.1:/var/nfs/rootfs on / type nfs (rw,relatime,vers=3,rsize=16384,wsize=16384,namlen=255,hard,nolock,proto=tcp,port=2049,timeo=70,retrans=3,sec=sys,local_lock=all,addr=169.254.251.1)
169.254.251.1:/var/nfs/rootfs/etc on /etc type nfs (rw,relatime,vers=3,rsize=16384,wsize=16384,namlen=255,hard,nolock,proto=tcp,port=2049,timeo=70,retrans=3,sec=sys,local_lock=all,addr=169.254.251.1)
proc on /proc type proc (rw,relatime)
169.254.251.1:/tmp/nfs_monitor on /nfs type nfs (rw,relatime,vers=3,rsize=16384,wsize=16384,namlen=255,hard,nolock,proto=tcp,port=2049,timeo=70,retrans=3,sec=sys,local_lock=all,addr=169.254.251.1)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,noatime)
cgroup on /sys/fs/cgroup type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset,cpu,cpuacct,memory,devices)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
tmpfs on /dev type tmpfs (rw,nosuid,relatime,size=512k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=600,ptmxmode=000)
debugfs on /sys/kernel/debug type debugfs (rw,noatime)

Output of iw phy:

root@wirelessinternet:/# iw phy
-ash: iw: not found

Output of ip link:

root@wirelessinternet:/# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 qdisc hyfi_pfifo_fast state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether fe:df:0e:7d:53:12 brd ff:ff:ff:ff:ff:ff
3: usb0.3001@usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether fe:df:0e:7d:53:12 brd ff:ff:ff:ff:ff:ff
4: miireg: <> mtu 0 qdisc noop state DOWN mode DEFAULT group default
    link/generic
5: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN mode DEFAULT group default
    link/tunnel6 :: brd ::
6: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default
    link/sit 0.0.0.0 brd 0.0.0.0
7: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc hyfi_pfifo_fast state DOWN mode DEFAULT group default qlen 32
    link/ether f2:87:e5:72:28:9a brd ff:ff:ff:ff:ff:ff
8: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc hyfi_pfifo_fast state DOWN mode DEFAULT group default qlen 32
    link/ether 6e:90:b8:a3:b7:32 brd ff:ff:ff:ff:ff:ff
9: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN mode DEFAULT group default
    link/gre 0.0.0.0 brd 0.0.0.0
10: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc hyfi_pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
11: ip6gre0@NONE: <NOARP> mtu 1448 qdisc noop state DOWN mode DEFAULT group default
    link/gre6 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
12: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN mode DEFAULT group default
    link/ether 42:76:25:e5:24:4e brd ff:ff:ff:ff:ff:ff
13: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc hyfi_pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether ba:e9:70:57:ea:6e brd ff:ff:ff:ff:ff:ff
14: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc hyfi_pfifo_fast master br-lan state UP mode DEFAULT group default qlen 1000
    link/ether f8:ca:59:08:10:dd brd ff:ff:ff:ff:ff:ff
15: teql0: <NOARP> mtu 1500 qdisc hyfi_pfifo_fast state DOWN mode DEFAULT group default qlen 100
    link/void
16: wifi0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 2699
    link/ieee802.11 f8:ca:59:08:10:de brd ff:ff:ff:ff:ff:ff
17: wifi1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 2699
    link/ieee802.11 f8:ca:59:08:10:df brd ff:ff:ff:ff:ff:ff
18: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether f8:ca:59:08:10:dd brd ff:ff:ff:ff:ff:ff
19: ath0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UNKNOWN mode DEFAULT group default
    link/ether f8:ca:59:08:10:de brd ff:ff:ff:ff:ff:ff
20: ath1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UNKNOWN mode DEFAULT group default
    link/ether f8:ca:59:08:10:df brd ff:ff:ff:ff:ff:ff

I am currently in the process of trying to dump the SPI Flash (containing u-boot), and the internal USB mass storage device (containing the OS)... I will post the results here if I am successful.

OK, now with the information gathered, I think, you'll have to find a similar-enough device in the DTS list of upstream openwrt, and then build a firmware to boot via tftp from the U-Boot boot-loader.

If you can talk to U-boot, and it has the tftpboot-command available, then I don't think you'd need to "care" about dumping the contents of the SPI-flash U-Boot partition.

At this point other ipq40xx specialists could probably step in with much more capable help, but if this were my device, i'd probably:

• try to tftpboot an initramfs image for an image for a device with roughly similar hardware, partitioning and wifi. Primary focus would be checking for functioning serial I/O.
• In parallel attempt to frankenstein a custom DTS with my findings from the above experiments.

The Openwrt Wiki has a page about the details of adding a new device

For some inspiration, you can run grep -lri gl-b1300 target/ in the OpenWrt source directory, and compare with the example on the wiki-page, then you see which file are minimally necessary for adding support for new device.

So I have perused the DTS List and also the Table of Hardware, unfortunately all of the devices I came across are just WAPs or REs. None of them have LTE modems, so even if I can get this device to boot a firmware built for one of those devices, I would still be stuck trying to figure out how to talk with the internal LTE modem. I guess it's worth a try... I think this is a worthwhile endeavor so once I am successful in this (If I ever am) I will surely be documenting the process not only here but elsewhere, and adding it to the device list.

The LTE modem I would consider a secondary concern for now. It'll probably be easy, once you get an OpenWrt booting. Right now you care about the wired interfaces and serial only. Then you look at partitions, then wifi, and then the rest (LTE, LEDs, USB, ...)

(at least, that would be my approach)

Agreed. Priority should be getting upstream OpenWRT booted. I was finally able to build an image from source for a 8bitdevices Jalapeno which seems similar enough.

I’m going to attempt to boot from that image later today.

I am still worried about the LTE modem though, as I have no idea how the OS is talking to it. If the drivers are baked into the kernel this project is basically over. The chances of me finding the drivers are nil, and the feasibility of decompiling the code is… meh.

FINALLY!!!

chrome_MHL08BnSoh1146×1378 86.7 KB

Obviously still a long road ahead, but this is promising.

Now you could add the package usbutils, and check with lsusb, if your LTE-device shows up as a USB device, which from the vendor and productid it will display you can see, which driver it might use.

How would I go about that? The box doesn't have a connection to the internet. I see a way to upload packages in the software section, but that would be terrible with all the dependencies. I think I should be able to connect to my local WLAN, but I haven't been able to get it working...