Unable to stop autoboot on a Cambium Networks XE3-4

Spacebar · August 31, 2023, 4:23pm

Hi. I'm trying to see if I can get some information with serial on a Cambium Networks XE3-4. I'm able to see the boot log and interact/login to cli login after booting, but at the start I want to stop autoboot. But it's going fast forward and no countdown or press a key is present.

This is what I see before it's loading kernel etc...

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.0.3-00098-IPQ60xxLZB-1
S - IMAGE_VARIANT_STRING=IPQ6018LA
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu121
S - Boot Interface: SPI
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000002e1
S - JTAG ID @ 0x000a607c = 0x0013a0e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0x81ea16fa
S - OEM Config Row 0 @ 0x000a4188 = 0x0000000000000000
S - OEM Config Row 1 @ 0x000a4190 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4130 = 0x0000000008000001
S - Feature Config Row 1 @ 0x000a4138 = 0x02c3e83383000009
S - PBL Patch Ver: 1
S - I-cache: On
S - D-cache: On
B -      3413 - PBL, Start
B -       592 - bootable_media_detect_entry, Start
B -      4339 - bootable_media_detect_success, Start
B -      4435 - elf_loader_entry, Start
B -      4607 - auth_hash_seg_entry, Start
B -     10853 - auth_hash_seg_exit, Start
B -     11350 - elf_segs_hash_verify_entry, Start
B -    357984 - elf_segs_hash_verify_exit, Start
B -    362178 - auth_xbl_sec_hash_seg_entry, Start
B -    362323 - auth_xbl_sec_hash_seg_exit, Start
B -    368873 - xbl_sec_segs_hash_verify_entry, Start
B -    368873 - xbl_sec_segs_hash_verify_exit, Start
B -    369803 - PBL, End
B -    296002 - SBL1, Start
B -    435875 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    438315 - clock_init, Start
D -      3812 - clock_init, Delta
B -    448289 - boot_flash_init, Start
D -      8082 - boot_flash_init, Delta
B -    458598 - sbl1_ddr_set_default_params, Start
D -       244 - sbl1_ddr_set_default_params, Delta
B -    465216 - boot_config_data_table_init, Start
D -      1891 - boot_config_data_table_init, Delta - (575 Bytes)
B -    474336 - CDT Version:2,Platform ID:8,Major ID:3,Minor ID:0,Subtype:2
B -    479887 - Image Load, Start
D -      6618 - OEM_MISC Image Loaded, Delta - (0 Bytes)
B -    489220 - Image Load, Start
D -      5063 - PMIC Image Loaded, Delta - (0 Bytes)
B -    497119 - sbl1_ddr_set_params, Start
B -    502091 - CPR configuration: 0x555
B -    505293 - Pre_DDR_clock_init, Start
D -       213 - Pre_DDR_clock_init, Delta
D -         0 - sbl1_ddr_set_params, Delta
B -    540399 - Image Load, Start
D -       549 - APDP Image Loaded, Delta - (0 Bytes)
B -    559248 - Image Load, Start
D -       518 - QTI_MISC Image Loaded, Delta - (0 Bytes)
B -    561749 - Image Load, Start
D -       854 - Auth Metadata
D -       640 - Segments hash check
D -     29188 - QSEE Dev Config Image Loaded, Delta - (36490 Bytes)
B -    592859 - Image Load, Start
D -      6496 - Auth Metadata
D -     10400 - Segments hash check
D -    814533 - QSEE Image Loaded, Delta - (1436620 Bytes)
B -   1407910 - Image Load, Start
D -       702 - Auth Metadata
D -       976 - Segments hash check
D -     64325 - RPM Image Loaded, Delta - (102800 Bytes)
B -   1473882 - Image Load, Start
D -       701 - Auth Metadata
D -      2958 - Segments hash check
D -    296521 - APPSBL Image Loaded, Delta - (530545 Bytes)
B -   1787910 - SBL1, End
D -   1492304 - SBL1, Delta
S - Flash Throughput, 1000 KB/s  (2107702 Bytes,  1120222 us)
S - Core 0 Frequency, 800 MHz
S - DDR Frequency, 466 MHz


U-Boot Jaguar 2016.01 v2.5.0d (May 22 2023 - 17:46:50 +0000), Build: jenkins-Enterprise_Wi-Fi-Official-6.x-83

DRAM:  smem ram ptable found: ver: 2 len: 4
1 GiB
NAND:  ONFI device found
ID = 1590aac2
Vendor = c2
Device = aa
SPI_ADDR_LEN=3
SF: Detected W25Q128FW with page size 256 Bytes, erase size 4 KiB, total 16 MiB
ipq_spi: page_size: 0x100, sector_size: 0x1000, size: 0x1000000
272 MiB
MMC:   sdhci: Node Not found, skipping initialization

PCI Link Intialized
In:    serial@78B1000
Out:   serial@78B1000
Err:   serial@78B1000
machid: 8030002
Jaguar Hardware ID: 0x3
cal_mcs: count 1
cal_mcs: count 1
cal_mcs: count 2
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 7
cal_mcs: count 9
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 7
cal_mcs: count 12
cal_mcs: count 1
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 1
cal_mcs: count 2
cal_mcs: count 2
cal_mcs: count 3
cal_mcs: count 2
cal_mcs: count 2
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 12
cal_mcs: count 1
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 1
cal_mcs: count 12
cal_mcs: count 1
cal_mcs: count 10
cal_mcs: count 1
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 7
cal_mcs: count 12
cal_mcs: count 1
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 7
cal_mcs: count 12
cal_mcs: count 1
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 1
cal_mcs: count 2
cal_mcs: count 2
cal_mcs: count 1
cal_mcs: count 12
cal_mcs: count 1
cal_mcs: count 10
cal_mcs: count 1
mec_events: looped 16 times
Erasing SPI flash...Writing to SPI flash...done
Erasing SPI flash...Writing to SPI flash...done
ubi0: attaching mtd2
ubi0: scanning is finished
ubi0: attached mtd2 (name "mtd=0", size 96 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 768, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 2, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 10/9, WL threshold: 4096, image sequence number: 1343497044
ubi0: available PEBs: 443, total reserved PEBs: 325, PEBs reserved for bad PEB handling: 40
Read 0 bytes from volume kernel to 44000000
No size specified -> Using max size (4698112)
## Loading kernel from FIT Image at 44000000 ...
   Using 'config@cp01-c3-xv3-4' configuration
   Trying 'kernel@1' kernel subimage
     Description:  Jaguar Linux -1
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x440000d4
     Data Size:    4273272 Bytes = 4.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x41208000
     Entry Point:  0x41208000
     Hash algo:    crc32
     Hash value:   0acc06e7
   Verifying Hash Integrity ... crc32+ OK
## Loading fdt from FIT Image at 44000000 ...
   Using 'config@cp01-c3-xv3-4' configuration
   Trying 'fdt@cp01-c3-xv3-4' fdt subimage
     Description:  Jaguar XE3-4 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x4444a5f4
     Data Size:    75761 Bytes = 74 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   1ad58626
   Verifying Hash Integrity ... crc32+ OK
   Booting using the fdt blob at 0x4444a5f4
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 484ea000, end 484ff7f0 ... OK
Using machid 0x8030002 from environment

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 4.4.60 (ubuntu@ip-10-200-21-136) (gcc version 5.4.0 (crosstool-NG crosstool-ng-1.23.0 - 2) ) #1 SMP PREEMPT Mon May 22 17:37:45 UTC 2023
[    0.000000] CPU: ARMv7 Processor [51af8014] revision 4 (ARMv7), cr=10c0383d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine model: Qualcomm Technologies, Inc. IPQ6018/AP-CP01-C3
[    0.000000] Ignoring memory range 0x40000000 - 0x41000000
[    0.000000] Reserved memory: created DMA memory pool at 0x52f00000, size 24 MiB
[    0.000000] Reserved memory: initialized node dma_pool0@52f00000, compatible id shared-dma-pool
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] psci: probing for conduit method from DT.
[    0.000000] psci: PSCIv1.0 detected in firmware.
[    0.000000] psci: Using standard PSCI v0.2 function IDs
[    0.000000] psci: MIGRATE_INFO_TYPE not supported.
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 211748
[    0.000000] Kernel command line: console=ttyMSM0,115200n8 cnss2.bdf_pci0=0xab ubi.mtd=rootfs_1 root=mtd:ubi_rootfs rootfstype=squashfs rootwait swiotlb=1 coherent_pool=2M
[    0.000000] PID hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
[    0.000000] Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
[    0.000000] Memory: 836032K/856064K available (6316K kernel code, 457K rwdata, 2024K rodata, 1024K init, 457K bss, 20032K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
[    0.000000]     vmalloc : 0xbf800000 - 0xff800000   (1024 MB)
[    0.000000]     lowmem  : 0x80000000 - 0xbf000000   (1008 MB)
[    0.000000]     pkmap   : 0x7fe00000 - 0x80000000   (   2 MB)
[    0.000000]     modules : 0x7f000000 - 0x7fe00000   (  14 MB)
[    0.000000]       .text : 0x80208000 - 0x80b25108   (9333 kB)
[    0.000000]       .init : 0x80c00000 - 0x80d00000   (1024 kB)
[    0.000000]       .data : 0x80d00000 - 0x80d72458   ( 458 kB)
[    0.000000]        .bss : 0x80d75000 - 0x80de76f0   ( 458 kB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Preemptible hierarchical RCU implementation.
[    0.000000]  Build-time adjustment of leaf fanout to 32.
[    0.000000] NR_IRQS:16 nr_irqs:16 16
[    0.000000] Architected cp15 timer(s) running at 24.00MHz (virt).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x588fe9dc0, max_idle_ns: 440795202592 ns
...

I was able to get fw_printenv from the cli with built in command:

fw_printenv
artsum=85f934d6c6077e0851963acd8bc6eda8
baudrate=115200
bootargs=console=ttyMSM0,115200n8 cnss2.bdf_pci0=0xab
bootcmd=bootipq
bootdelay=4
dump_to_flash=0x0f000000
dump_to_nand=1
eth1addr=b4:a0:5x:08:5b:23
ethaddr=b4:a0:5x:08:5b:22
fdt_high=0x48500000
fdtcontroladdr=4a473b60
flash_type=7
hwid=3
image=0
ipaddr=192.168.1.1
machid=8030002
nand256=1
netmask=255.255.255.0
nss=1
poe=802.3bt5
serverip=192.168.1.120
soc_hw_version=20170100
soc_version_major=1
soc_version_minor=0
stderr=serial@78B1000
stdin=serial@78B1000
stdout=serial@78B1000
ver=U-Boot Jaguar 2016.01 v2.5.0d (May 22 2023 - 17:46:50 +0000)
bootcount=0
curr_time=1684778769

I know, I know... it's a IPQ6018(LA), but I'm curious

Happy to get any hint or tips, if there's anything that can be done.

tomtom · August 31, 2023, 6:43pm

As fw_printenv shows

bootdelay=4

There seems to be a way to interrupt the boot process.
The Dynalink WRX36 (with newer OEM firmware) needs some env. variables

console_enable=1
console_unlock=1

You might try to

setenv console_enable 1
setenv console_unlock 1
saveenv

followed by a reboot ...

Good luck

Spacebar · August 31, 2023, 7:46pm

Thanks. I was looking at that post and tried it, but it did not work for me.
Do you know where I need to type this to make it work?
I've tried different "places" but unsure where's the correct "place" is. If I wait too long the CLI login is loaded, so then I need to reboot again.

tomtom · August 31, 2023, 8:09pm

Where did you type "fw_printenv" ?
This would be the right place to type setenv/saveenv.

Spacebar · August 31, 2023, 8:28pm

That comes from a diagnostic function on the unit. They generate a file with that command. But for me while booting I don’t have any place to type any commands.

tomtom · August 31, 2023, 9:19pm

That's bad news ...
Do you have the possibility to save/export the configuration of the the device and take "a look insight" ?

Spacebar · August 31, 2023, 9:31pm

I’m afraid I can’t. I’ve only done a binwalk on the firmware and extracted squash root and dts.
But I’m going to try to see if there’s any other way to set parameters.
If I remembered correctly a netgear ap used a ssh command to set active fw.

Will try that tomorrow

hnyman · September 1, 2023, 4:58am

If you are able to enter the cli, ssh console?, you could then try using the fw_printenv and fw_setenv commands.

With the already mentioned dl-wrx36 the u-boot console is initially locked, but you can set those mentioned u-boot variables to "unlock" the u-boot console for the next boots. So, you first need SSH access for being able to config u-boot.

In the SSH console after normal login.
fw_printenv
fw_setenv console_enable 1
fw_setenv console_unlock 1

You should then see the set new variables with fw_printenv

Spacebar · September 1, 2023, 7:06am

Hello, and thanks for the input. I did try the commands in the CLI with ssh. Sadly the feedback is "uknown command". It's similar to Netgear and cli + ssh in a way.

So I have only cli access with ssh, and very limited functionality.

hnyman · September 1, 2023, 10:44am

As you have access to CLI, you should also be able to check the u-boot binary contents for hints.

you should be able to copy & look at all mtd partition contents, so that you could possibly find out which strings are mentions there. /proc/mtd gives hints, but /dev/mtd2 etc. should be viewable with hexdump. "dmesg" kernel log might also show the partition names.

You might try to find out if there are something like console_enable, console_lock, console_unlock etc. mentioned in u-boot, so that you might figure out what you need to change in the u-boot env (and only then figure out how to get write access to that).

If the firmware is based on an ancient OpenWrt with the exactly same libc version as OpenWrt, there is a remote possibility that u-boot env tools package from the similar OpenWrt might be compatible. That might give you the fw_printenv and fw_setenv.

Is there fw_printenv already? Your messages above are a bit unclear.

Spacebar · September 1, 2023, 11:49am

Hmm, I'll see if I can find out anything about console_enable etc. I'm looking at the clish that they have created to look for clues, but so far there's nothing.

Yeah, the thing is. In the web ui I can generate a diagnostic report. Inside this zip there's information about fw_printenv ifconfig etc.
So I'm able to see some information from the system.

However, I did find a command service start-shell that is only for Cambium. This is probably where they have root access and all the fun stuff.

# From the clish file
/mnt/flash/config/last_startshell_password
something something danger zone %02X-%02X-%02X-%02X-%02X-%02X
/etc/allow_root
Last password on %02X-%02X-%02X-%02X-%02X-%02X was '%s'. Enter new password:
%%Error: Incorrect password
/bin/sh
something something danger zone %s

(I guess they like Family guy and Archer tho) I did try to set a new password and login to shell, but no luck there.

Here are some more details that I can see (remember this is from the generated file, I can't type any of these commands).

df -h
Filesystem                Size      Used Available Use% Mounted on
mtd:ubi_rootfs           27.1M     27.1M         0 100% /
devtmpfs                407.7M         0    407.7M   0% /dev
tmpfs                   408.2M         0    408.2M   0% /dev/shm
tmpfs                   408.2M    512.0K    407.7M   0% /tmp
tmpfs                   408.2M    296.0K    407.9M   0% /run
tmpfs                   408.2M    408.0K    407.8M   0% /var/log
ubi1:nvram               36.3M      3.9M     30.5M  11% /mnt/flash
overlay                  36.3M      3.9M     30.5M  11% /etc

dev:    size   erasesize  name
mtd0: 000c0000 00010000 "0:SBL1"
mtd1: 00010000 00010000 "0:MIBIB"
mtd2: 00020000 00010000 "0:BOOTCONFIG"
mtd3: 00020000 00010000 "0:BOOTCONFIG1"
mtd4: 001a0000 00010000 "0:QSEE"
mtd5: 001a0000 00010000 "0:QSEE_1"
mtd6: 00010000 00010000 "0:DEVCFG"
mtd7: 00010000 00010000 "mfginfo"
mtd8: 00040000 00010000 "0:RPM"
mtd9: 00040000 00010000 "0:RPM_1"
mtd10: 00010000 00010000 "0:CDT"
mtd11: 00010000 00010000 "0:CDT_1"
mtd12: 00010000 00010000 "0:APPSBLENV"
mtd13: 000a0000 00010000 "0:APPSBL"
mtd14: 000a0000 00010000 "0:APPSBL_1"
mtd15: 00080000 00010000 "0:ART"
mtd16: 06000000 00020000 "rootfs"
mtd17: 06000000 00020000 "rootfs_1"
mtd18: 03000000 00020000 "NVRAM"
mtd19: 01000000 00020000 "crashLog"
mtd20: 004b9000 0001f000 "kernel"
mtd21: 01b01000 0001f000 "ubi_rootfs"
mtd22: 0292c000 0001f000 "nvram"

Spacebar · October 23, 2023, 7:56pm

Do anyone happen to know how to add:

------BEGIN MANIFEST
MANIFEST_VERSION=2
IMAGE_FORMAT=3
SUPPORTED_PRODUCTS=XV2-2:XE3-4
IMAGE_VERSION=6.4.1-r15
IMAGE_UBOOT_VERSION=v2.4.1e
IMAGE_SIZE=34603008
------END MANIFEST

to a image?

I have a .cimg with 2 ubi images inside, but stock use this manifest in the head, to validate the image. I have just extracted the squashfs-root image and changed some settings to be able to stop autoboot. Then I used ubinize to create a new image.

Thanks.

Edit:
@hnyman do you happen to know why Hit any key to stop autoboot doesn't show up on boot? I can see in the config bootdelay=2. Did they disable that option?

hnyman · November 21, 2023, 4:46am

No idea about it.