Difference between revisions of "IX2412"

From Hackerspace ACKspace
Jump to: navigation, search
(got root?)
m (wrong number base)
Line 58: Line 58:
 
* within the boot sequence at 3/4 of the log: search for "factory", most likely it reads something like:
 
* within the boot sequence at 3/4 of the log: search for "factory", most likely it reads something like:
 
<code>[    2.290000] 0x000000040000-0x000000050000 : "factory"</code>
 
<code>[    2.290000] 0x000000040000-0x000000050000 : "factory"</code>
* remember 40000<sub>HEX</sub> (and add 20<sub>HEX</sub> so it becomes 40014<sub>HEX</sub>
+
* remember 40000<sub>HEX</sub> (and add 20<sub>DEC</sub> so it becomes 40014<sub>HEX</sub>
 
* reboot (either press and hold the reset button >4s or pulse X2 pin 2 and 7
 
* reboot (either press and hold the reset button >4s or pulse X2 pin 2 and 7
 
* press space in the serial monitor (you have 1 second if it says <code>Press space to enter the bootloader... </code>).
 
* press space in the serial monitor (you have 1 second if it says <code>Press space to enter the bootloader... </code>).

Revision as of 17:14, 23 February 2022

Project: IX2412
Featured: Yes
State Active
Members Xopr
GitHub No GitHub project defined. Add your project here.
Description IXON IXrouter3 4G "cloud" modem
Picture
No project picture! Fill in form Picture or Upload a jpeg here

Has a

  • Mediatek MT7621AT
  • 8GB SD card
  • Winbond 25Q128JVSM 128Mbit serial flash
  • USB2512B USB2.0 hub
  • Ublox LILY-W131 wifi 2.4GHz
  • Quectel EC2-5E (Main, DIV, GNSS)

connecting UART

  • use 3.3V logic to be safe

Run terminal client in 56k 8N1: minicom -D/dev/ttyUSB0 -b57600 -o And make sure Hardware Flow Control is off: Ctrl+a, o, choose Serial port setup, f

Uboot env

After pressing space to interrupt (within 1 second) you get:

Please choose the operation: 
   0: Load system code then write to Flash via Serial.
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Enter boot command line interface.
   7: Load U-Boot code then write to Flash via Serial.
   8: System Load UBoot to SDRAM via TFTP. (hidden in menu)
   9: Load U-Boot code then write to Flash via TFTP.

in the command line interface (4), you can continue booting with bootm bc050000

MT7621 # printenv
bootcmd=tftp
bootdelay=1
baudrate=(57600)
ethaddr="AA:BB:CC:DD:EE:FF"
ipaddr=192.168.1.1
serverip=192.168.1.2
stdin=serial
stdout=serial
stderr=serial

root password

The short answer is: it's on a "factory" partition in the flash, most likely located at 40000HEX.

How to get root without copying the flash (only using serial):

  • within the boot sequence at 3/4 of the log: search for "factory", most likely it reads something like:

[ 2.290000] 0x000000040000-0x000000050000 : "factory"

  • remember 40000HEX (and add 20DEC so it becomes 40014HEX
  • reboot (either press and hold the reset button >4s or pulse X2 pin 2 and 7
  • press space in the serial monitor (you have 1 second if it says Press space to enter the bootloader... ).
  • press 4
  • and type spi read 40014 10
    • it will return something like this:
    read len: 16
    38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0
  • use an online converter or run this in a javascript console:
    "38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0".split(" ").filter(n=>n!=="0").map(n=>String.fromCharCode(parseInt(n,16))).join("")

You can also retrieve it from the bin file: dd bs=1 skip=$((0x40000+20)) count=10 if=ixrouter.bin 2>/dev/null | tr -d '\000'


Oh by the way, it's 8MmBR25msm

pins and connectors

X2

Labeled. located near reset button, 3.3v logic.

  1. GND
  2. RX
  3. TX

X3

For programming/reading the SPI flash chip. Note that soldering a straight header will conflict with a SOIC clamp.

  1. VCC
  2. RST
  3. CLK
  4. DI
  5. DO
  6. CS
  7. GND

To reset, connect pin 2 and 7 with a small resistor (used 180Ω)

open ports

PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
9230/tcp open  unknown

image

extraction

Used minipro on a TL866II+ with 8 pin SOIC clamp while keeping the board in reset (connecting X2 pin 2 and 7)

$ minipro -p W25Q128JV@SOIC8 -r ixrouter.bin --vcc=3.3 -y
Found TL866II+ 04.2.86 (0x256)
Warning: Firmware is out of date.
  Expected  04.2.128 (0x280)
  Found     04.2.86 (0x256)
WARNING: Chip ID mismatch: expected 0xEF4018, got 0xEF7018 (unknown)
Reading Code...  27.08Sec  OK

file information

To extract the image parts, you need sasquatch and jefferson additional to binwalk, see: binwalk dependencies

$ binwalk --signature --term ixrouter.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------------------------------
78080         0x13100         U-Boot version string, "U-Boot 1.1.3 (Dec 21 2017 - 10:47:42)"
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0x4DD3DDDF, created:
                              2018-08-07 13:36:39, image size: 1213865 bytes, Data Address:
                              0x80001000, Entry Point: 0x80001000, data CRC: 0x82EB32CA, OS: Linux,
                              CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image
                              name: "MIPS OpenWrt Linux-3.18.75"
327744        0x50040         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes,
                              uncompressed size: 3663424 bytes
1541609       0x1785E9        Squashfs filesystem, little endian, version 4.0, compression:xz, size:
                              6334418 bytes, 1478 inodes, blocksize: 262144 bytes, created: 2018-08-07
                              13:36:44
7929856       0x790000        JFFS2 filesystem, little endian

Note that xopr used mtd-utils but jffs2reader gives an Unsupported compression method! error.

generated config file

The config file, to be generated online and put on a stick looks roughly like this:

# Router configuration
# Generated by Xosperois Dimitri for ACKspace on Mon Jan 1 1900

ixrouter.wan.3g_apn={auto|MyApn}
ixrouter.wan.3g_pincode=[1234]
ixrouter.wan.3g_mtu={1200|1499}

ixrouter.wan.ip_use_dhcp={true|false}
ixrouter.wan.ip_address=[192.168.42.100]
ixrouter.wan.ip_netmask=[255.255.255.0]
ixrouter.wan.ip_gateway=[192.168.42.1]

[ixrouter.wan.dns_server=8.8.4.4]
[ixrouter.wan.dns_server=1.1.1.1]

ixrouter.wan.digital_input_mode=[disable_vpn_low]

ixrouter.wan.http_proxy_address=[10.0.0.1]
ixrouter.wan.http_proxy_port=[6667]
ixrouter.wan.http_proxy_authentication=[basic]
ixrouter.wan.http_proxy_username=[proxyuser]
ixrouter.wan.http_proxy_password=[6667]

ixrouter.wan.wlan_ssid=[publicwifi]
ixrouter.wan.wlan_key=[myfipassword]

ixrouter.wan.ixapi_entry_point=https://ixsec-api.ixon.net:443/
ixrouter.wan.ixapi_account_id=nnnn-nnnn-nnnn-nnnn-nnnn

ixrouter.lan.gateway_less_routing=true

ixrouter.lan.ip_address=192.168.140.1

also see