When in recovery mode, nmap shows only port 80 being open.
Looking at the source of the html page that shows up, it looks like what I've seen before when only the port 80 is open.
Using nmap with http-enum, there are no other pages to be found.
I'll take a look at the other links shared, thanks.
What's a ramdisk image? Is there a default one I can download from this versions build repo?
Maybe the strange part is that I cannot run some of the u-boot commands that are shown in some of the links being shared. Is the bootloader on this very old or something other than openwrt maybe?
Press any key to stop autoboot, Autobooting in : 2[08][08]1
[08][08]0
uboot> printenv
printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ar7240-nor0:128k(u-boot),1024k(kernel),2816k(rootfs),64k(config),64k(ART)
bootcmd=bootm 0x9F020000
bootdelay=2
baudrate=115200
ipaddr=192.168.1.1
serverip=192.168.1.2
bootfile="firmware.bin"
loadaddr=0x80800000
ncport=6666
stdin=serial
stdout=serial
stderr=serial
ethact=eth0
Environment size: 362 bytes
uboot> bdinfo
bdinfo
## Error: unknown command 'bdinfo' - try 'help'
uboot>
uboot> help
help
? - alias for 'help'
bootm - boot application image from memory
cp - memory copy
dhcpd - invoke DHCP server to obtain IP/boot params
erase - erase FLASH memory
erase_gs - erase FLASH support 4_byte mode.
help - print embedded help
httpd - start www server for firmware recovery
md - memory display
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv - print environment variables
printmac - print MAC address(es) stored in flash
printmodel - print router model stored in flash
reset - perform RESET of the CPU
setenv - set environment variables
setmac - save new MAC address in flash
startnc - start net console
startsc - start serial console
tftpboot - boot image via network using TFTP protocol
version - print U-Boot version
write_gs - write FLASH support 4_byte mode.
uboot>
Ramdisk is similar to a other images except it is stored in ram not flash so it is not permanent and does not make permanent changes to the device
Can you share a few steps on how to go about this so I don't mess the device up. I'm sure it could help anyone else that will come across this post, including me if I needed to do that in the future again. There are times we lose something but we don't want to overwrite what's on there because we need to know what happened, what went wrong and looking at the previous you learn more than overwriting.
Set a tftp server on your PC
Download or build the appropriate initramfs image
From boot use the tftpboot command to fetch the initramfs image and boot it.
Note, what I called ramdisk image is refered to as initramfs image in the openwrt downloads.
The part I'm not getting is the initramfs. Is this a full image or just a boot image?
Based on the link you show, it looks like I can install a full imag eusing tftp then run that image on the device without overwriting the original. Once logged into the new image, I can extract the old image.
The loader says AR9330 while this link shows AR9331 so it's probably not this one.
Load the kernel in memory: tftpboot YourKernelName.bin
Boot the loaded kernel from memory: bootm
Does kernel mean a whole, complete firmware image or just some part, like a boot only or something.
And more importantly, how do I figure out what the proper repo build is for this device?
I know it's Chaos Calmer 15.05. I know it's Atheros AR9330.
I think it's got 32m ram and /64m storage.
What else do I need to know to find the correct repo?
[ 0.000000] Linux version 3.18.84 (sean@ubuntu) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r49599) ) #1 Tue Jan 30 17:35:50 PST 2018
[ 0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[ 0.000000] SoC: Atheros AR9330 rev 1
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x03ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x03ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x00000000-0x03ffffff]
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
[ 0.000000] Kernel command line: board=MINIBOX-V1 console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 60880K/65536K available (2526K kernel code, 147K rwdata, 540K rodata, 232K init, 188K bss, 4656K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
I deduced it might be this image.
minibox-v1-squashfs-sysupgrade.bin
So I gave it a try....
uboot> tftpboot
tftpboot
eth mode (duplex/speed): 1/100 Mbps
TFTP from IP: 192.168.1.2
Our IP: 192.168.1.1
Filename: 'firmware.bin'
Load address: 0x80800000
Using: eth0
Loading: *[08]T T T T T T T T T T
## Error: retry count exceeded, starting again!
Link down: eth1
TFTP retrying out is usually because the firewall on the PC is preventing the TFTP server from seeing any incoming requests. Disable all firewalls on the PC.
Pay close attention to the partition table reported when the stock firmware boots up, it would be best if your OpenWrt initramfs uses the same table. Otherwise you'll need to rearrange the data in the files you dump to line up with how the stock firmware partitions the chip.
Another way to dump the flash is to use md commands in the bootloader, capture the hex text that results and use a script on your PC to convert it to a bin file. This will take some time to transfer on the serial port. The builds of uboot typically found in routers do not provide a way to export binary data over Ethernet.
The firewall is disabled on the laptop I'm using to work on this device.
I think I'm getting over my head again... tables? I don't care if I trash the device afterwards, I just want to get the current image saved.
But tftp doesn't seem to be allowing the transfer to happen so if I'm doing it ok, I guess I need to figure out why it's timing out.
[ 0.000000] Kernel command line: board=MINIBOX-V1 console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 60880K/65536K available (2526K kernel code, 147K rwdata, 540K rodata, 232K init, 188K bss, 4656K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
[ 0.000000] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[ 0.080000] pid_max: default: 32768 minimum: 301
[ 0.080000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.090000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.100000] NET: Registered protocol family 16
[ 0.100000] MIPS: machine is MiniBox V1.0
[ 0.590000] Switched to clocksource MIPS
[ 0.590000] NET: Registered protocol family 2
[ 0.600000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.600000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.600000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.610000] TCP: reno registered
[ 0.610000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.620000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.630000] NET: Registered protocol family 1
[ 0.630000] futex hash table entries: 256 (order: -1, 3072 bytes)
I see why. tftpboot says it's using 192.168.1.1 but it's not even connecting to the laptop. I can't ping that IP from the laptop which is 192.168.1.2..
It helps if the tftp server is started too :).
The image seems to be on the device now. I suppose I need to write it to this correct table now?
I don't see any HEX text, just the transfer pound signs.
TFTP from IP: 192.168.1.2
Our IP: 192.168.1.1
Filename: 'firmware.bin'
Load address: 0x80800000
Using: eth1
Loading: *[08]T T T T T T ########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
########################################
###############
TFTP transfer complete!
Bytes transferred: 16252928 (0xf80000)
uboot> help
help
This is odd, it's really too large for this sort of device. Typically the compressed kernel+initramfs is about 5 MB. OK I see you used a squashfs file, that is the wrong file. You need an initramfs.
In this case, tftpboot only transferred data to RAM. So you next have to boot the image manually.
bootm 0x80800000
This might fail because it is trying to uncompress the kernel into the same RAM space where the compressed kernel is loaded, clobbering the compressed data before it can be used (resulting in LZMA Error). So you may need to tftpboot to a non-default address farther up in RAM such as 0x81000000.
Definitely above my knowledge at this point. The only other file I see in the repo is minibox-openwrt-15.05.1-ar71xx-generic-minibox-v1-squashfs-sysupgrade.bin. I see no others.
I think I have to give up at this point unless someone is willing to walk me through the process.
That is correct
Initramfs boots and runs in RAM. Any files you change are also only in RAM. The whole thing goes away when the power is turned off. It's not "installed." However it is a full system that has drivers to read and write the flash chip if you wanted to.
But my objective is to check out what is running on the current build, not one I would install or temporarily run. That's why I'm asking if someone can walk me through this at this point. It's a lot to learn quickly just to get at this build. However, being able to go through the motions would certainly teach me (and anyone reading this) something interesting and useful if I ever need this again.
The stock firmware doesn't let you log in in any way, so you need to get a copy of the filesystems in the flash and examine the files offline.
Hi,
I am a bit late to this thread, but does the box attempt to do modbus requests to the solar inverters?.
Connect to to the local network via a managed switch, and send all the traffic to wireshark.
Modbus traffic is not encrypted, so you can work out what registers are being read.
You’re doing the process correctly, just with the wrong file. You don’t need a 15.05 image to boot off. 19.07 or 21.02 will be fine.
But! Your device hasn’t been ported to 21.02, when initramfs images began being generated automatically. It’s just too old.
There are mini box images for 19.07, but you would have to compile an initramfs image yourself.