TP-Link Deco M5 OpenWrt Support

Hi,

I just opened my TP-Link Deco M5. Do you think that the J1 pads are JTAG?

https://drive.google.com/file/d/1s-2qNWb6hDxUJHqS3UmTRemkWuEgoeg_/view?usp=sharing

Kind regards,

It's UART, see: https://blog.keane.space/tp-link-deco-m5-hardware-hacking.html


Thank you so much! I'll be able to play with it quickly without microsoldering.

u-boot

U-Boot 2012.07 [Chaos Calmer 15.05.1,unknown] (Aug 19 2018 - 14:09:05)

smem ram ptable found: ver: 1 len: 3
DRAM:  256 MiB
machid : 0x8010001
NAND:  SF: Detected GD25Q256 with page size 4 KiB, total 32 MiB
ipq_spi: page_size: 0x100, sector_size: 0x1000, size: 0x2000000
32 MiB
SF: Detected GD25Q256 with page size 4 KiB, total 32 MiB
MAC is 00 00
MMC:
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
machid: 8010001
flash_type: 0
Net:   MAC0 addr:0:3:7f:ba:db:ad
PHY ID1: 0x4d
PHY ID2: 0xd0b2
ipq40xx_ess_sw_init done
eth0
disable phy 3 val is 0x1840
disable phy 4 val is 0x1840
Enter magic string to stop autoboot in 1 seconds
SF: Detected GD25Q256 with page size 4 KiB, total 32 MiB
## Booting kernel from FIT Image at 84000000 ...
   Using 'config@ap.dk04.1-c1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  ARM OpenWrt Linux-3.14.43
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x840000e4
     Data Size:    2599185 Bytes = 2.5 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x80208000
     Entry Point:  0x80208000
     Hash algo:    crc32
     Hash value:   26201082
     Hash algo:    sha1
     Hash value:   9d90b440c2dfb5715fb6ef342a8989387aeff7b1
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Flattened Device Tree from FIT Image at 84000000
   Using 'config@ap.dk04.1-c1' configuration
   Trying 'fdt@ap.dk04.1-c1' FDT blob subimage
     Description:  ARM OpenWrt qcom-ipq40xx-ap.dkxx device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x842c3dbc
     Data Size:    37439 Bytes = 36.6 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   77cfc545
     Hash algo:    sha1
     Hash value:   ef88c8aa5ab90e003d645732a12182bfbb71c447
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x842c3dbc
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 862a3000, end 862af23e ... OK
Device nand0 not found!
eth0 MAC Address from ART is not valid
eth1 MAC Address from ART is not valid
Using machid 0x8010001 from environment

Failsafe mode (let kernel boot and press reset button for ten seconds, then f key):

Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
f
- failsafe -
/etc/preinit: line 1: telnetd: not found


BusyBox v1.22.1 (2020-09-24 16:30:59 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

ash: can't access tty; job control turned off
     MM           NM                    MMMMMMM          M       M
   $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
  MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
  MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
    MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
     MMMM          M                    MMMMMMM        M       M
       M
 ---------------------------------------------------------------
   For those about to rock... (Chaos Calmer, unknown)
 ---------------------------------------------------------------
================= FAILSAFE MODE active ================
special commands:
* firstboot          reset settings to factory defaults
* mount_root     mount root-partition with config files

after mount_root:
* passwd                         change root's password
* /etc/config               directory with config files

for more help see:
http://wiki.openwrt.org/doc/howto/generic.failsafe
=======================================================

Pushing reset button just after plugging the power supply gives this log:

U-Boot 2012.07 [Chaos Calmer 15.05.1,unknown] (Aug 19 2018 - 14:09:05)

smem ram ptable found: ver: 1 len: 3
DRAM:  256 MiB
machid : 0x8010001
NAND:  SF: Detected GD25Q256 with page size 4 KiB, total 32 MiB
ipq_spi: page_size: 0x100, sector_size: 0x1000, size: 0x2000000
32 MiB
SF: Detected GD25Q256 with page size 4 KiB, total 32 MiB
MAC is 00 00
MMC:
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
machid: 8010001
flash_type: 0
Net:   MAC0 addr:0:3:7f:ba:db:ad
PHY ID1: 0x4d
PHY ID2: 0xd0b2
ipq40xx_ess_sw_init done
eth0
disable phy 3 val is 0x1840
disable phy 4 val is 0x1840
Enter magic string to stop autoboot in 1 seconds
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
Error writing the chip.
enable phy 3 val is 0x1040
enable phy 4 val is 0x1040
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 Down Speed :10 Half duplex
eth0 PHY4 Down Speed :10 Half duplex
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :1000 Full duplex
eth0 PHY4 Down Speed :10 Half duplex
Using eth0 device
TFTP from server 192.168.0.66; our IP address is 192.168.0.11
Filename 'M5v1_tp_recovery.bin'.

Here is how I got root access to the device with a modified firmware

binwalk M5v1_tp_recovery.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
9242          0x241A          ELF, 32-bit LSB shared object, ARM, version 1 (SYSV)
362963        0x589D3         Certificate in DER format (x509 v3), header length: 4, sequence length: 1284
363079        0x58A47         Certificate in DER format (x509 v3), header length: 4, sequence length: 1288
429866        0x68F2A         CRC32 polynomial table, little endian
431554        0x695C2         CRC32 polynomial table, little endian
526634        0x8092A         Flattened device tree, size: 3048968 bytes, version: 17
526862        0x80A0E         gzip compressed data, maximum compression, has original file name: "Image", from Unix, last modified: 2020-10-22 10:32:25
3126446       0x2FB4AE        Flattened device tree, size: 37462 bytes, version: 17
3164190       0x30481E        Flattened device tree, size: 42054 bytes, version: 17
3206526       0x30ED7E        Flattened device tree, size: 37106 bytes, version: 17
3243914       0x317F8A        Flattened device tree, size: 37360 bytes, version: 17
3281554       0x321292        Flattened device tree, size: 37439 bytes, version: 17
3319274       0x32A5EA        Flattened device tree, size: 34223 bytes, version: 17
3353778       0x332CB2        Flattened device tree, size: 34077 bytes, version: 17
3388138       0x33B2EA        Flattened device tree, size: 41088 bytes, version: 17
3429506       0x345482        Flattened device tree, size: 34223 bytes, version: 17
3464010       0x34DB4A        Flattened device tree, size: 37156 bytes, version: 17
3501446       0x356D86        Flattened device tree, size: 37559 bytes, version: 17
3539286       0x360156        Flattened device tree, size: 34376 bytes, version: 17
3575603       0x368F33        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 11824407 bytes, 2007 inodes, blocksize: 262144 bytes, created: 2020-10-22 10:33:06



sudo rm -fr squashfs-root/dev
sudo vim squashfs-root/etc/shadow

Blank root password

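# Repack the edited tree as xz-compressed squashfs, recreating /dev and /dev/console as pseudo files
sudo mksquashfs squashfs-root/ squash_fs_repacked.bin -comp xz -no-duplicates -nopad -noappend -root-owned -p '/dev d 755 0 0' -p '/dev/console c 600 0 0 5 1' -b 512k -no-exports -no-xattrs -no-sparse
# Write the new squashfs over the old one in a copy of the image (offset 3575603 from the binwalk output)
cp M5v1_tp_recovery.bin repacked.bin
dd if=squash_fs_repacked.bin of=repacked.bin bs=1 seek=3575603 conv=notrunc
# This output file is overwritten by the bs=34 command below
dd bs=20 skip=1 if=repacked.bin of=repacked_trimmed.bin
# 16-byte MD5 key followed by 14 zero bytes
echo -n $'\x7A\x2B\x15\xED\x9B\x98\x59\x6D\xE5\x04\xAB\x44\xAC\x2A\x9F\x4E' > md5key.bin
echo -n "0000000000000000000000000000" | xxd -r -p > 14byte_zeros.bin
# Image contents after the first 34 bytes
dd bs=34 skip=1 if=repacked.bin of=repacked_trimmed.bin
# MD5 over key + zeros + trimmed image, then written back (with 14 zero bytes) at offset 4
cat md5key.bin 14byte_zeros.bin repacked_trimmed.bin > repacked_md5rdy.bin
md5sum repacked_md5rdy.bin | awk '{print $1"0000000000000000000000000000"}' | xxd -r -p > md5_new.bin
dd if=md5_new.bin of=repacked.bin bs=1 seek=4 conv=notrunc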

Rename repacked.bin to M5v1_tp_recovery.bin and upload with tftp

reboot and get shell with JTAG console
root/nopasswd

root@M5:/# id
uid=0(root) gid=0(root) groups=0(root)
root@M5:/# cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 26.81
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

processor       : 1
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 26.81
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

processor       : 2
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 26.81
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

processor       : 3
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 26.81
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

Hardware        : Qualcomm (Flattened Device Tree)
Revision        : 0000
Serial          : 0000000000000000




I am almost done with the access to the device.

I need to get the button and led info for generating the dts file.

If someone can help me.

Regards
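As an added example (not part of the original posts and not TP-Link or OpenWrt code), this Python sketch re-implements the header check implied by the `dd`/`md5sum` commands above and shows what it can and cannot tell a defender about an image. The key bytes and the offsets 4 and 34 come from the post; the layout is inferred from those commands, and the function names, the sample payloads and the reference-hash comparison are assumptions made for illustration.

```python
import hashlib

# Key bytes and offsets are taken from the post's echo/dd commands; the layout
# is inferred from those commands, not from vendor documentation.
MD5_KEY = bytes.fromhex("7A2B15ED9B98596DE504AB44AC2A9F4E")
DIGEST_OFF, DIGEST_LEN, PAD_LEN, PAYLOAD_OFF = 4, 16, 14, 34


def expected_digest(image: bytes) -> bytes:
    """MD5 over key + 14 zero bytes + everything from offset 34 onward."""
    if len(image) < PAYLOAD_OFF:
        raise ValueError("image shorter than the 34-byte header")
    return hashlib.md5(MD5_KEY + bytes(PAD_LEN) + image[PAYLOAD_OFF:]).digest()


def header_digest_ok(image: bytes) -> bool:
    """Compare the digest stored at offset 4 with the recomputed one."""
    stored = image[DIGEST_OFF:DIGEST_OFF + DIGEST_LEN]
    return stored == expected_digest(image)


def matches_reference(image: bytes, reference_sha256: str) -> bool:
    """Whole-file comparison against a hash recorded from a trusted copy."""
    return hashlib.sha256(image).hexdigest() == reference_sha256.lower()


def make_sample(payload: bytes) -> bytes:
    """Constructed test image: 4 filler bytes, digest, 14 zero bytes, payload."""
    body = bytes(4) + bytes(DIGEST_LEN) + bytes(PAD_LEN) + payload
    return body[:DIGEST_OFF] + expected_digest(body) + body[DIGEST_OFF + DIGEST_LEN:]


def demo() -> dict:
    original = make_sample(b"constructed payload A")
    reference = hashlib.sha256(original).hexdigest()
    # Payload changed, header left alone: the header check catches it.
    stale = original[:PAYLOAD_OFF] + b"constructed payload B"
    # Payload changed and digest recomputed, as the post's last commands do.
    repacked = make_sample(b"constructed payload B")
    return {
        "original": (header_digest_ok(original), matches_reference(original, reference)),
        "stale": (header_digest_ok(stale), matches_reference(stale, reference)),
        "repacked": (header_digest_ok(repacked), matches_reference(repacked, reference)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The third case passes the header check but fails the reference comparison: the keyed MD5 detects corruption, while telling a vendor image from a repacked one needs a hash recorded from a trusted copy.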

Hi, I just bought a set of three Deco M5's and am slightly disappointed by its out-of-the-box capabilities. If there's any way in which I can help you, let me know.

Regards,


See Adding support for TP-Link Deco M5

I am working on adding support for this device. Currently I am struggling with the ath10k firmwares but it is only a matter of discovering the job...

