IX2412

From Hackerspace ACKspace
Revision as of 16:51, 3 March 2022 by Xopr (talk | contribs) (added conversion step)
Jump to: navigation, search
Project: IX2412
Featured: Yes
State Active
Members Xopr
GitHub No GitHub project defined. Add your project here.
Description IXON IXrouter3 4G "cloud" modem
Picture
No project picture! Fill in form Picture or Upload a jpeg here

Has a

  • Mediatek MT7621AT
  • 8GB SD card
  • Winbond 25Q128JVSM 128Mbit serial flash
  • USB2512B USB2.0 hub
  • Ublox LILY-W131 wifi 2.4GHz
  • Quectel EC2-5E (Main, DIV, GNSS)

connecting UART

  • use 3.3V logic to be safe

Run terminal client in 56k 8N1: minicom -D/dev/ttyUSB0 -b57600 -o And make sure Hardware Flow Control is off: Ctrl+a, o, choose Serial port setup, f

Uboot env

After pressing space to interrupt (within 1 second) you get:

Please choose the operation: 
   0: Load system code then write to Flash via Serial.
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Enter boot command line interface.
   7: Load U-Boot code then write to Flash via Serial.
   8: System Load UBoot to SDRAM via TFTP. (hidden in menu)
   9: Load U-Boot code then write to Flash via TFTP.

in the command line interface (4), you can continue booting with bootm bc050000

MT7621 # printenv
bootcmd=tftp
bootdelay=1
baudrate=(57600)
ethaddr="AA:BB:CC:DD:EE:FF"
ipaddr=192.168.1.1
serverip=192.168.1.2
stdin=serial
stdout=serial
stderr=serial

root password

The short answer is: it's on a "factory" partition in the flash, most likely located at 40000HEX.

How to get root without copying the flash (only using serial):

  • within the boot sequence at 3/4 of the log: search for "factory", most likely it reads something like:

[ 2.290000] 0x000000040000-0x000000050000 : "factory"

  • remember 40000HEX (and add 20DEC so it becomes 40014HEX
  • reboot (either press and hold the reset button >4s or pulse X2 pin 2 and 7
  • press space in the serial monitor (you have 1 second if it says Press space to enter the bootloader... ).
  • press 4
  • and type spi read 40014 10
    • it will return something like this:
    read len: 16
    38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0
  • use an online converter or run this in a javascript console:
    "38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0".split(" ").filter(n=>n!=="0").map(n=>String.fromCharCode(parseInt(n,16))).join("")

You can also retrieve it from the bin file: dd bs=1 skip=$((0x40000+20)) count=10 if=ixrouter.bin 2>/dev/null | tr -d '\000'


Oh by the way, it's 8MmBR25msm

pins and connectors

X2

Labeled. located near reset button, 3.3v logic.

  1. GND
  2. RX
  3. TX

X3

For programming/reading the SPI flash chip. Note that soldering a straight header will conflict with a SOIC clamp.

  1. VCC
  2. RST
  3. CLK
  4. DI
  5. DO
  6. CS
  7. GND

To reset, connect pin 2 and 7 with a small resistor (used 180Ω)

open ports

PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
9230/tcp open  unknown

image

extraction

Used minipro on a TL866II+ with 8 pin SOIC clamp while keeping the board in reset (connecting X2 pin 2 and 7)

$ minipro -p W25Q128JV@SOIC8 -r ixrouter.bin --vcc=3.3 -y
Found TL866II+ 04.2.86 (0x256)
Warning: Firmware is out of date.
  Expected  04.2.128 (0x280)
  Found     04.2.86 (0x256)
WARNING: Chip ID mismatch: expected 0xEF4018, got 0xEF7018 (unknown)
Reading Code...  27.08Sec  OK

file information

To extract the image parts, you need sasquatch and jefferson additional to binwalk, see: binwalk dependencies

$ binwalk --signature --term ixrouter.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------------------------------
78080         0x13100         U-Boot version string, "U-Boot 1.1.3 (Dec 21 2017 - 10:47:42)"
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0x4DD3DDDF, created:
                              2018-08-07 13:36:39, image size: 1213865 bytes, Data Address:
                              0x80001000, Entry Point: 0x80001000, data CRC: 0x82EB32CA, OS: Linux,
                              CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image
                              name: "MIPS OpenWrt Linux-3.18.75"
327744        0x50040         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes,
                              uncompressed size: 3663424 bytes
1541609       0x1785E9        Squashfs filesystem, little endian, version 4.0, compression:xz, size:
                              6334418 bytes, 1478 inodes, blocksize: 262144 bytes, created: 2018-08-07
                              13:36:44
7929856       0x790000        JFFS2 filesystem, little endian

Note that xopr used mtd-utils but jffs2reader gives an Unsupported compression method! error.

generated config file

The config file, to be generated online and put on a stick looks roughly like this:

# Router configuration
# Generated by Xosperois Dimitri for ACKspace on Mon Jan 1 1900

ixrouter.wan.3g_apn={auto|MyApn}
ixrouter.wan.3g_pincode=[1234]
ixrouter.wan.3g_mtu={1200|1499}

ixrouter.wan.ip_use_dhcp={true|false}
ixrouter.wan.ip_address=[192.168.42.100]
ixrouter.wan.ip_netmask=[255.255.255.0]
ixrouter.wan.ip_gateway=[192.168.42.1]

[ixrouter.wan.dns_server=8.8.4.4]
[ixrouter.wan.dns_server=1.1.1.1]

ixrouter.wan.digital_input_mode=[disable_vpn_low]

ixrouter.wan.http_proxy_address=[10.0.0.1]
ixrouter.wan.http_proxy_port=[6667]
ixrouter.wan.http_proxy_authentication=[basic]
ixrouter.wan.http_proxy_username=[proxyuser]
ixrouter.wan.http_proxy_password=[6667]

ixrouter.wan.wlan_ssid=[publicwifi]
ixrouter.wan.wlan_key=[myfipassword]

ixrouter.wan.ixapi_entry_point=https://ixsec-api.ixon.net:443/
ixrouter.wan.ixapi_account_id=nnnn-nnnn-nnnn-nnnn-nnnn

ixrouter.lan.gateway_less_routing=true

ixrouter.lan.ip_address=192.168.140.1

convert to regular (4G) router

you need:

  • IXrouter3
  • mini (the regular) SIM card without an active pin code

steps:

  • make it a fresh install, login and type:
    either firstboot -y && reboot now (soft factory reset)
    or umount /overlay && jffs2reset && reboot now (hard factory reset)
  • login via ssh ( root@192.168.27.1) on LAN port (2-5) or 3.3v serial terminal header near the sim card slot
  • disable ixagent completely:
    /etc/init.d/ixagent stop
    /etc/init.d/ixagent disable
  • edit /etc/opkg/distfeeds.conf
    disable or remove src/gz chaos_calmer_ixpackages http://...
    add: src/gz chaos_calmer_luci http://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7621/packages/luci
  • insert wan cable (check IP lease) and run the following:
    opkg update
    opkg install luci-ssl Note that uqmi doesn't want to install command line, use luci system software to install
    unsure/future: opkg install luci-app-openvpn
  • via luci (https://192.168.27.1), remove all network firewall zones and add:
    WAN (wan, wan6, wwan) masquerading & MSS clamping (maybe include sta_wan and sta_wan6)
    LAN (lan) allow forward to DESTINATION zones WAN
  • save & apply

enable the 4G router

Note that when a sim card is present, it will connect automatically and be the primary route to internet.

  • go to System Software and install (filter for) uqmi (this might actually not be needed, not sure)
  • go to network interfaces and edit WWAN
    Protocol: DHCP client, switch protocol and set a nice hostname. Save & Apply
  • click Connect
  • if this doesn't seem to work (no RX data):
    login with SSH and type the following:
    /sbin/uqmi -d /dev/cdc-wdm0 --set-device-operating-mode offline
    /sbin/uqmi -d /dev/cdc-wdm0 --set-device-operating-mode reset
    wait 20 seconds
    /sbin/uqmi -d /dev/cdc-wdm0 --set-device-operating-mode online
    /sbin/uqmi -d /dev/cdc-wdm0 --set-autoconnect enabled

setup openVPN (automatically connects)

Note that this will have OpenVPN connect automatically and DNS might give problems. If so, select both WAN and VPN in the second-to-last step.

To connect to the ACKspace VPN (tun), change the interface:

  • go to Network Interfaces and Edit VPN
  • under Physical Settings choose Custom interface: tun+
  • Save & Apply
  • go to Network Firewall and add a Zone:
    VPN (vpn) masquerading (possibly also MSS clamping)
  • Save & Apply
  • locate your ackspace.ovpn file and make sure it contains the following line:
    auth-user-pass login.conf
  • copy the file:
    scp ackspace.ovpn root@192.168.27.1:/etc/openvpn/ackspace.conf
  • SSH into the router and create the following file containing username and password on a separate line: /etc/openvpn/login.conf
  • /etc/init.d/openvpn restart
  • finally, in Luci, go to Network Firewall -> Zone LAN and click Edit
  • switch Allow forward to destination from WAN to VPN
  • Save & Apply

also see