You do not have permission to edit this page, for the following reason:
The action you have requested is limited to users in the group: Users.
Free text:
<noinclude>__TOC__</noinclude> Has a * Mediatek MT7621AT * 8GB SD card * Winbond 25Q128JVSM 128Mbit serial flash * USB2512B USB2.0 hub * U-blox LILY-W131 wifi 2.4GHz, based on Marvell Avastor 88w8801 * Quectel EC25-E (Main, DIV, GNSS) {{PoE |Barrel_plug=none |Barrel_voltage=24V |802:3af_straight=yes |802:3af_crosslink=unknown |Legacy_straight=unknown |Legacy_crosslink=unknown |Compatible_straight=unknown |Compatible_crosslink=unknown |Unifi_straight=unknown |Unifi_crosslink=unknown |Note=has a 4p pluggable terminal block 12-24V }} == connecting UART == * use 3.3V logic to be safe Run terminal client in 56k 8N1: <code>minicom -D/dev/ttyUSB0 -b57600 -os</code> And make sure Hardware Flow Control is off: choose <code>Serial port setup</code>, {{k|f}} (to open the configuration menu, press {{k|Ctrl}}+{{k|a}}, {{k|o}}) === Uboot env === After pressing space to interrupt (within 1 second) you get: <pre> Please choose the operation: 0: Load system code then write to Flash via Serial. 1: Load system code to SDRAM via TFTP. 2: Load system code then write to Flash via TFTP. 3: Boot system code via Flash (default). 4: Enter boot command line interface. 7: Load U-Boot code then write to Flash via Serial. 8: System Load UBoot to SDRAM via TFTP. (hidden in menu) 9: Load U-Boot code then write to Flash via TFTP. </pre> in the command line interface (4), you can continue booting with <code>bootm bc050000</code> <pre> MT7621 # printenv bootcmd=tftp bootdelay=1 baudrate=(57600) ethaddr="AA:BB:CC:DD:EE:FF" ipaddr=192.168.1.1 serverip=192.168.1.2 stdin=serial stdout=serial stderr=serial </pre> == root password == The short answer is: it's on a "factory" partition in the flash, most likely located at 40000<sub>HEX</sub>. How to get root without copying the flash (only using serial): * within the boot sequence at 3/4 of the log: search for "factory", most likely it reads something like: <code>[ 2.290000] 0x000000040000-0x000000050000 : "factory"</code> * remember 40000<sub>HEX</sub> (and add 20<sub>DEC</sub> so it becomes 40014<sub>HEX</sub> * reboot (either press and hold the reset button >4s or pulse X2 pin 2 and 7 * press space in the serial monitor (you have 1 second if it says <code>Press space to enter the bootloader... </code>). * press {{k|4}} * and type <code>spi read 40014 10</code> ** it will return something like this: *: <code>read len: 16</code> *: <code>38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0</code> * use an [http://www.unit-conversion.info/texttools/hexadecimal/ online converter] or run this in a javascript console: *: <code>"38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0".split(" ").filter(n=>n!=="0").map(n=>String.fromCharCode(parseInt(n,16))).join("")</code> You can also retrieve it from the bin file: <code>dd bs=1 skip=$((0x40000+20)) count=10 if=ixrouter.bin 2>/dev/null | tr -d '\000'</code> Oh by the way, it's <code>8MmBR25msm</code> == pins and connectors == === X2 === Labeled. located near reset button, 3.3v logic. # GND # RX # TX === X3 === For programming/reading the SPI flash chip. Note that soldering a straight header will conflict with a SOIC clamp. # VCC # {{~|RST}} # CLK # DI # DO # {{~|CS}} # GND To reset, connect pin 2 and 7 with a small resistor (used 180Ω) == open ports == PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 9230/tcp open unknown == firmware image == === extraction === Used [https://gitlab.com/DavidGriffith/minipro/ minipro] on a TL866II+ with 8 pin SOIC clamp while '''keeping the board in reset''' (connecting X2 pin 2 and 7) <pre>$ minipro -p W25Q128JV@SOIC8 -r ixrouter.bin --vcc=3.3 -y Found TL866II+ 04.2.86 (0x256) Warning: Firmware is out of date. Expected 04.2.128 (0x280) Found 04.2.86 (0x256) WARNING: Chip ID mismatch: expected 0xEF4018, got 0xEF7018 (unknown) Reading Code... 27.08Sec OK</pre> === file information === To extract the image parts, you need sasquatch and jefferson additional to binwalk, see: [https://github.com/ReFirmLabs/binwalk/blob/master/INSTALL.md#dependencies binwalk dependencies] <pre> $ binwalk --signature --term ixrouter.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------------------------------- 78080 0x13100 U-Boot version string, "U-Boot 1.1.3 (Dec 21 2017 - 10:47:42)" 327680 0x50000 uImage header, header size: 64 bytes, header CRC: 0x4DD3DDDF, created: 2018-08-07 13:36:39, image size: 1213865 bytes, Data Address: 0x80001000, Entry Point: 0x80001000, data CRC: 0x82EB32CA, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.18.75" 327744 0x50040 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3663424 bytes 1541609 0x1785E9 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 6334418 bytes, 1478 inodes, blocksize: 262144 bytes, created: 2018-08-07 13:36:44 7929856 0x790000 JFFS2 filesystem, little endian </pre> Note that [[User:Xopr|xopr]] used <code>mtd-utils</code> but <code>jffs2reader</code> gives an <code>Unsupported compression method!</code> error. == generated config file == The config file, to be generated online and put on a stick looks roughly like this: <pre> # Router configuration # Generated by Xosperois Dimitri for ACKspace on Mon Jan 1 1900 ixrouter.wan.3g_apn={auto|MyApn} ixrouter.wan.3g_pincode=[1234] ixrouter.wan.3g_mtu={1200|1499} ixrouter.wan.ip_use_dhcp={true|false} ixrouter.wan.ip_address=[192.168.42.100] ixrouter.wan.ip_netmask=[255.255.255.0] ixrouter.wan.ip_gateway=[192.168.42.1] [ixrouter.wan.dns_server=8.8.4.4] [ixrouter.wan.dns_server=1.1.1.1] ixrouter.wan.digital_input_mode=[disable_vpn_low] ixrouter.wan.http_proxy_address=[10.0.0.1] ixrouter.wan.http_proxy_port=[6667] ixrouter.wan.http_proxy_authentication=[basic] ixrouter.wan.http_proxy_username=[proxyuser] ixrouter.wan.http_proxy_password=[6667] ixrouter.wan.wlan_ssid=[publicwifi] ixrouter.wan.wlan_key=[myfipassword] ixrouter.wan.ixapi_entry_point=https://ixsec-api.ixon.net:443/ ixrouter.wan.ixapi_account_id=nnnn-nnnn-nnnn-nnnn-nnnn ixrouter.lan.gateway_less_routing=true ixrouter.lan.ip_address=192.168.140.1</pre> == convert to regular (4G) router == you need: * IXrouter3 * mini (the regular) SIM card without an active pin code steps: * make it a fresh install, login and type: *: either <code>firstboot -y && reboot now</code> (soft factory reset) *: or <code>umount /overlay && jffs2reset && reboot now</code> (hard factory reset) * login via ssh ( root@192.168.27.1) on LAN port (2-5) or 3.3v serial terminal header near the sim card slot * disable ixagent completely: *: <code>/etc/init.d/ixagent stop</code> *: <code>/etc/init.d/ixagent disable</code> * edit <code>/etc/opkg/distfeeds.conf</code> *: disable or remove <code>src/gz chaos_calmer_ixpackages http://...</code> *: add: <code>src/gz chaos_calmer_luci http://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7621/packages/luci</code> * insert wan cable (check IP lease) and run the following: *: <code>opkg update</code> *: <code>opkg install luci-ssl</code> Note that <code>uqmi</code> doesn't want to install command line, use luci system software to install *: <s>unsure/future: <code>opkg install luci-app-openvpn</code></s> * via luci (https://192.168.27.1), remove all network firewall zones and add: *: WAN (wan, wan6, wwan) masquerading & MSS clamping (maybe include sta_wan and sta_wan6) *: LAN (lan) allow forward to DESTINATION zones WAN * save & apply === enable the 4G router === Note that when a sim card is present, it will connect automatically and be the primary route to internet. * go to network interfaces and edit WWAN *: Protocol: DHCP client, switch protocol and set a nice hostname. Save & Apply * click Connect * if this doesn't seem to work (no RX data), either reboot, go to System Software and install (filter for) uqmi *: login with SSH and type the following: *: <code>/sbin/uqmi -d /dev/cdc-wdm0 --set-device-operating-mode offline</code> *: <code>/sbin/uqmi -d /dev/cdc-wdm0 --set-device-operating-mode reset</code> *: wait 20 seconds *: <code>/sbin/uqmi -d /dev/cdc-wdm0 --set-device-operating-mode online</code> *: <code>/sbin/uqmi -d /dev/cdc-wdm0 --set-autoconnect enabled</code> === enable wifi AP === By default (and using the cloud config generator), the U-blox wifi device is set to station (client) when booting. The script is at <code>/lib/wifi/ublox.sh</code> and it read properties generated via <code>ixrouterconf2uci</code> (not sure whether it's possible to trigger the correct data via the ixconfig). The driver is Marvell WiFi-Ex Driver (cfg80211) To prepare for accesspoint mode, run the following: <pre> uci set wireless.ap_lan_dev.channel='11' uci set wireless.ap_lan_iface.ssid='ACKspaceWifi' uci set wireless.ap_lan_iface.key='Nope. Nope nope nope nope nope.' </pre> To switch, do this: <pre> uci set wireless.ap_lan_dev.disabled='0' uci set wireless.sta_wan_dev.disabled='1' </pre> To apply the new wifi settings, run <code>/etc/init.d/network reload</code> and to permanently store them, use <code>uci commit</code> ==== spacenet ==== Not possible with the current (closed) driver+firmware Short version: remove <code>wpad-mini</code> and install <code>wpad</code>. Rest might be command line settings only since the web interface for wifi doesn't play nice with the current setup. === setup openVPN (automatically connects) === Note that this will have OpenVPN connect automatically and DNS might give problems. If so, select both WAN and VPN in the second-to-last step. To connect to the ACKspace VPN (tun), change the interface: * go to Network Interfaces and Edit VPN * under Physical Settings choose Custom interface: tun+ * Save & Apply * go to Network Firewall and add a Zone: *: VPN (vpn) masquerading (possibly also MSS clamping) * Save & Apply * locate your ackspace.ovpn file and make sure it contains the following line: *: <code>auth-user-pass /etc/openvpn/login.conf</code> * copy the file: *: <code>scp ackspace.ovpn root@192.168.27.1:/etc/openvpn/ackspace.conf</code> * SSH into the router and create the following file containing username and password on a separate line: <code>/etc/openvpn/login.conf</code> * <code>/etc/init.d/openvpn restart</code> * finally, in Luci, go to Network Firewall -> Zone LAN and click Edit * switch Allow forward to destination from WAN to VPN * Save & Apply === custom scripts === These modified scripts restore some of the functionality that seems to be absent when not using the ixagent daemon. <div class="mw-collapsible mw-collapsed" id="mw-customcollapsible-wifi-monitor"> custom wifi monitor. When 4G/LTE is enabled, the signal quality will display the cell strength (Reference signal received quality). * blinking red: pending sim card not active * red: bad signal * purple: medium signal * blue: good signal Also, the blue act led will light when the VPN is active (and blink when (dis)connecting) <code>/etc/init.d/wifi-monitor</code> <div class="mw-customtoggle-wifi-monitor mw-code">Click here to view the source code</div> <pre class="mw-collapsible-content"> #!/bin/sh /etc/rc.common START=85 STOP=86 SERVICE_WRITE_PID=1 SERVICE_DAEMONIZE=1 EXTRA_COMMANDS="run_monitor" EXTRA_HELP=$(cat <<EOF run_monitor Run the signal strength monitor EOF ) MONITOR_APP="/bin/sh /etc/rc.common /etc/init.d/wifi-monitor run_monitor" LED_PATH="/sys/class/leds/ix2:%name:3g" LED_NAME_RED=red LED_NAME_BLUE=blue UPDATE_DELAY=5 LED_MORSE_DELAY=300 log() { echo "wifi-monitor: $1" > /dev/kmsg } get_signal_value() { local value=`iwinfo mlan0 info | grep 'Quality'` if [[ "$value" == "${value/Link Quality//}" ]]; then # No value found echo "?" return fi echo "$value" | sed "s/.*Link Quality: //" } set_led_status() { local led_name=$1 local trigger=$2 local arg=$3 echo $trigger > ${LED_PATH/%name/$led_name}/trigger case $trigger in "none") echo $arg > ${LED_PATH/%name/$led_name}/brightness ;; "morse") echo $arg > ${LED_PATH/%name/$led_name}/message echo $LED_MORSE_DELAY > ${LED_PATH/%name/$led_name}/delay ;; "timer") echo $arg > ${LED_PATH/%name/$led_name}/delay_on echo $arg > ${LED_PATH/%name/$led_name}/delay_off ;; esac } update_led() { local signal=$(get_signal_value) VPN=$(route|grep tun|awk '{ print $2 }'|grep -v "*"|head -1) if [[ -n "$VPN" ]]; then ping -W 1 -c 1 $VPN > /dev/null VPN=$? fi if [[ -n "$VPN" ]]; then echo "none" > /sys/class/leds/ix2:blue:vpn/trigger echo 1 > /sys/class/leds/ix2:blue:vpn/brightness elif [[ -n "$(ps w|grep openvpn|grep -v grep)" ]]; then echo "timer" > /sys/class/leds/ix2:blue:vpn/trigger echo 500 > /sys/class/leds/ix2:blue:vpn/delay_on echo 500 > /sys/class/leds/ix2:blue:vpn/delay_off else echo "none" > /sys/class/leds/ix2:blue:vpn/trigger echo 0 > /sys/class/leds/ix2:blue:vpn/brightness fi # Check if cellular device is enabled multiwan, then dont override if [[ "1" == $(uci get mwan3.wwan.enabled) ]]; then signal="off" # Check if wireless device is enabled elif [[ "1" == $(uci get wireless.sta_wan_dev.disabled) ]]; then if [[ -x "/sbin/uqmi" ]]; then # get rsrq (bad -40 to -3 good) status RSRQ=$(/sbin/uqmi -d /dev/cdc-wdm0 --get-signal-info|grep rsrq|grep -Eo "\-[0-9]+") if [[ "$RSRQ" -ge -10 ]]; then # Excellent signal="5/5" elif [[ "$RSRQ" -ge -15 ]]; then # Ok signal="3/5" elif [[ "$RSRQ" -ge -20 ]]; then # Terrible signal="1/5" elif [[ "$RSRQ" -ge -40 ]]; then # None signal="0/5" else signal="pending" fi else signal="off" fi elif ! ifstatus sta_wan 2> /dev/null | grep -q "pending.*false"; then signal="pending" logger -t wifi "Interface 'mlan0' is pending" fi # Only update signal value when needed if [[ "$signal" == "$last_signal" ]]; then return fi case $signal in "pending") set_led_status $LED_NAME_RED none 0 set_led_status $LED_NAME_BLUE timer 1500 ;; "0/5") set_led_status $LED_NAME_RED timer 1500 set_led_status $LED_NAME_BLUE none 0 ;; "1/5") set_led_status $LED_NAME_RED none 1 set_led_status $LED_NAME_BLUE none 0 ;; "2/5") set_led_status $LED_NAME_RED none 1 set_led_status $LED_NAME_BLUE none 1 ;; "3/5") set_led_status $LED_NAME_RED none 1 set_led_status $LED_NAME_BLUE none 1 ;; "4/5") set_led_status $LED_NAME_RED none 0 set_led_status $LED_NAME_BLUE none 1 ;; "5/5") set_led_status $LED_NAME_RED none 0 set_led_status $LED_NAME_BLUE none 1 ;; *) set_led_status $LED_NAME_RED none 0 set_led_status $LED_NAME_BLUE none 0 ;; esac last_signal=$signal } start() { service_start $MONITOR_APP } stop() { log "Killing wifi signal strength monitor" SERVICE_SIG="KILL" service_stop $MONITOR_APP set_led_status $LED_NAME_RED none 0 set_led_status $LED_NAME_BLUE none 0 } run_monitor() { log "Running wifi signal strength monitor" last_signal="off" while /bin/true; do sleep $UPDATE_DELAY update_led done } </pre> </div> <div class="mw-collapsible mw-collapsed" id="mw-customcollapsible-reset"> custom reset that toggles VPN service if pressed <3s In the future, the opticoupler input will be used for this and the short reset will (re-)enable the access point. <code>/etc/rc.button/reset</code> <div class="mw-customtoggle-reset mw-code">Click here to view the source code</div> <pre class="mw-collapsible-content"> #!/bin/sh /etc/rc.common APP="leds" PID_FILE="/tmp/run/rc.button.reset.pid" LED_PATH_R="/sys/class/leds/ix2:red:status" LED_PATH_B="/sys/class/leds/ix2:blue:vpn" log() { echo "rc.button.reset $1" > /dev/kmsg } process_reset_button() { # Start sleeping sleep 3 & local SLEEP_PID=$! # Put PID of sleep process to file echo $SLEEP_PID > $PID_FILE # Wait for sleep to finish wait $SLEEP_PID # If sleep was killed, do nothing if [ "$?" != "0" ]; then # Remove PID file so next push can work properly log "User let go before timeout - not resetting" rm "$PID_FILE" exit fi # User waited 3 seconds after pressing the button. Factory reset time # Update file so next button press knows it can't be stopped echo "TOOLATE" > $PID_FILE log "Waited long enough - factory resetting now" # Stop IXagent to get control of LEDs log "Stopping IXagent" /etc/init.d/ixagent stop # Inform user we've started to factory reset log "Setting LEDs" echo "timer" > $LED_PATH_R/trigger echo 50 > $LED_PATH_R/delay_on echo 50 > $LED_PATH_R/delay_off echo "timer" > $LED_PATH_B/trigger echo 60 > $LED_PATH_B/delay_on echo 60 > $LED_PATH_B/delay_off # Do a reset on the 3G module # Should improve stability and ease-of-use echo 0 > /sys/class/gpio/3g-perst/value # Do the actual factory reset jffs2reset -y if [ "$?" != "0" ]; then log "jffs2reset failed!" fi reboot } if [ "${ACTION}" = "pressed" ]; then if [[ -z "$(ps w|grep openvpn|grep -v grep)" ]]; then /etc/init.d/openvpn start else /etc/init.d/openvpn stop fi if [ -f "$PID_FILE" ]; then log "Ignoring pressed - already running" exit fi log "Starting reset" process_reset_button & fi if [ "${ACTION}" = "released" ]; then if [ ! -f "$PID_FILE" ]; then log "Ignoring released - not running" exit fi SLEEP_PID=$(cat $PID_FILE) if [ "TOOLATE" = "$SLEEP_PID" ]; then log "Button released after reset started" exit fi log "Stopping reset" kill $(cat $PID_FILE) if [ "$?" != "0" ]; then log "Kill failed" exit fi log "Reset stopped" fi return 0 </pre> </div> === oneliners === <pre> echo 0 > /sys/class/gpio/wifi-pd/value # disable wifi echo 1 > /sys/class/gpio/wifi-pd/value && wifi reload # enable wifi echo 0 > /sys/class/gpio/3g-perst/value # disable 3g (fast) echo 0 > /sys/class/gpio/3g-power-enable/value # disable 3g (slow) </pre> === alternative power === It is possible to power the router with a USB-C powerbank for off-the-grid usage, ideal for a [[hackers on a bike]] tour. All you need is: * a USB-C powerbank that supports >=12V * USB-C to USB-C cable [https://www.ebay.com/itm/294691148942 ZY12PDN USB-C Fast Charge Trigger Poll Detector], set to highest voltage possible (but lower than 24V) * removable screw terminal connector ([https://www.tinytronics.nl/shop/en/cables-and-connectors/connectors/screw-terminals/removable-2-pin-screw-terminal-connector two] or [https://www.tinytronics.nl/shop/en/cables-and-connectors/connectors/screw-terminals/removable-4-pin-screw-terminal-connectorfour] pins) (see the green connector in [[Media:HoaB-upgrades.jpg|this picture]]) Tested on a fully charged Xiaomi Mi Powerbank 3 (20Ah) and had an uptime of 26:45h. ==== spacenet ==== Alternative power combined with a [[Unifi PoE hack]], this could be used for a mobile [[spacenet]]. [[User:Xopr|xopr]]'s "event" accesspoint has spacenet on VLAN 6; it's easier to add a VLAN than to reprovision the accesspoint every time: * in Network > Switch ** Add, 6 off, tagged, tagged, tagged, tagged, off, tagged ** Save, apply * in Network > Interfaces ** Add new interface... ** Name: ACK ** Protocol: Static ** Covering: VLAN interface eth0.6 ** Next > ** Setup DHCP server (first!) ** IPv4 192.168.6.1 ** Netmask: 255.255.255.0 ** Advanced: Bring up on boot ** Create firewall zone: LAN ** Save & apply Disable regular wifi with <code>uci set wireless.sta_wan_dev.disabled='0'</code> and apply with <code>/etc/init.d/network reload</code>. (TODO: verify that it's back up after reboot)> === TODO === * new firmware: determine DSA wan/lan layout location (U-boot?) * new firmware: determine gpio pinout mapping * new firmware: get/compile working U-blox LILY-W131 (Marvell Avastor 88w8801) driver+firmware * new firmware: get/compile working Quectel EC25-E driver * determine DNS requests when vpn is active (currently doesn't work) * toggle/enable AP upon short reset * determine external gpio == also see == * https://www.ic4.be/2019/07/04/de-ixrouter-onder-de-loep/ [[Category:PD Type-C]]
Summary:
This is a minor edit Watch this page
Cancel
