Difference between revisions of "IX2412"
(got root?) |
m (wrong number base) |
||
Line 58: | Line 58: | ||
* within the boot sequence at 3/4 of the log: search for "factory", most likely it reads something like: | * within the boot sequence at 3/4 of the log: search for "factory", most likely it reads something like: | ||
<code>[ 2.290000] 0x000000040000-0x000000050000 : "factory"</code> | <code>[ 2.290000] 0x000000040000-0x000000050000 : "factory"</code> | ||
− | * remember 40000<sub>HEX</sub> (and add 20<sub> | + | * remember 40000<sub>HEX</sub> (and add 20<sub>DEC</sub> so it becomes 40014<sub>HEX</sub> |
* reboot (either press and hold the reset button >4s or pulse X2 pin 2 and 7 | * reboot (either press and hold the reset button >4s or pulse X2 pin 2 and 7 | ||
* press space in the serial monitor (you have 1 second if it says <code>Press space to enter the bootloader... </code>). | * press space in the serial monitor (you have 1 second if it says <code>Press space to enter the bootloader... </code>). |
Revision as of 17:14, 23 February 2022
Project: IX2412 | |
---|---|
Featured: | Yes |
State | Active |
Members | Xopr |
GitHub | No GitHub project defined. Add your project here. |
Description | IXON IXrouter3 4G "cloud" modem |
Picture | |
No project picture! Fill in form Picture or Upload a jpeg here |
Contents
Has a
- Mediatek MT7621AT
- 8GB SD card
- Winbond 25Q128JVSM 128Mbit serial flash
- USB2512B USB2.0 hub
- Ublox LILY-W131 wifi 2.4GHz
- Quectel EC2-5E (Main, DIV, GNSS)
connecting UART
- use 3.3V logic to be safe
Run terminal client in 56k 8N1:
minicom -D/dev/ttyUSB0 -b57600 -o
And make sure Hardware Flow Control is off: Ctrl+a, o, choose Serial port setup
, f
Uboot env
After pressing space to interrupt (within 1 second) you get:
Please choose the operation: 0: Load system code then write to Flash via Serial. 1: Load system code to SDRAM via TFTP. 2: Load system code then write to Flash via TFTP. 3: Boot system code via Flash (default). 4: Enter boot command line interface. 7: Load U-Boot code then write to Flash via Serial. 8: System Load UBoot to SDRAM via TFTP. (hidden in menu) 9: Load U-Boot code then write to Flash via TFTP.
in the command line interface (4), you can continue booting with
bootm bc050000
MT7621 # printenv bootcmd=tftp bootdelay=1 baudrate=(57600) ethaddr="AA:BB:CC:DD:EE:FF" ipaddr=192.168.1.1 serverip=192.168.1.2 stdin=serial stdout=serial stderr=serial
root password
The short answer is: it's on a "factory" partition in the flash, most likely located at 40000HEX.
How to get root without copying the flash (only using serial):
- within the boot sequence at 3/4 of the log: search for "factory", most likely it reads something like:
[ 2.290000] 0x000000040000-0x000000050000 : "factory"
- remember 40000HEX (and add 20DEC so it becomes 40014HEX
- reboot (either press and hold the reset button >4s or pulse X2 pin 2 and 7
- press space in the serial monitor (you have 1 second if it says
Press space to enter the bootloader...
). - press 4
- and type
spi read 40014 10
- it will return something like this:
read len: 16
38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0
- use an online converter or run this in a javascript console:
"38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0".split(" ").filter(n=>n!=="0").map(n=>String.fromCharCode(parseInt(n,16))).join("")
You can also retrieve it from the bin file: dd bs=1 skip=$((0x40000+20)) count=10 if=ixrouter.bin 2>/dev/null | tr -d '\000'
Oh by the way, it's 8MmBR25msm
pins and connectors
X2
Labeled. located near reset button, 3.3v logic.
- GND
- RX
- TX
X3
For programming/reading the SPI flash chip. Note that soldering a straight header will conflict with a SOIC clamp.
- VCC
- RST
- CLK
- DI
- DO
- CS
- GND
To reset, connect pin 2 and 7 with a small resistor (used 180Ω)
open ports
PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 9230/tcp open unknown
image
extraction
Used minipro on a TL866II+ with 8 pin SOIC clamp while keeping the board in reset (connecting X2 pin 2 and 7)
$ minipro -p W25Q128JV@SOIC8 -r ixrouter.bin --vcc=3.3 -y Found TL866II+ 04.2.86 (0x256) Warning: Firmware is out of date. Expected 04.2.128 (0x280) Found 04.2.86 (0x256) WARNING: Chip ID mismatch: expected 0xEF4018, got 0xEF7018 (unknown) Reading Code... 27.08Sec OK
file information
To extract the image parts, you need sasquatch and jefferson additional to binwalk, see: binwalk dependencies
$ binwalk --signature --term ixrouter.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------------------------------- 78080 0x13100 U-Boot version string, "U-Boot 1.1.3 (Dec 21 2017 - 10:47:42)" 327680 0x50000 uImage header, header size: 64 bytes, header CRC: 0x4DD3DDDF, created: 2018-08-07 13:36:39, image size: 1213865 bytes, Data Address: 0x80001000, Entry Point: 0x80001000, data CRC: 0x82EB32CA, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.18.75" 327744 0x50040 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3663424 bytes 1541609 0x1785E9 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 6334418 bytes, 1478 inodes, blocksize: 262144 bytes, created: 2018-08-07 13:36:44 7929856 0x790000 JFFS2 filesystem, little endian
Note that xopr used mtd-utils
but jffs2reader
gives an Unsupported compression method!
error.
generated config file
The config file, to be generated online and put on a stick looks roughly like this:
# Router configuration # Generated by Xosperois Dimitri for ACKspace on Mon Jan 1 1900 ixrouter.wan.3g_apn={auto|MyApn} ixrouter.wan.3g_pincode=[1234] ixrouter.wan.3g_mtu={1200|1499} ixrouter.wan.ip_use_dhcp={true|false} ixrouter.wan.ip_address=[192.168.42.100] ixrouter.wan.ip_netmask=[255.255.255.0] ixrouter.wan.ip_gateway=[192.168.42.1] [ixrouter.wan.dns_server=8.8.4.4] [ixrouter.wan.dns_server=1.1.1.1] ixrouter.wan.digital_input_mode=[disable_vpn_low] ixrouter.wan.http_proxy_address=[10.0.0.1] ixrouter.wan.http_proxy_port=[6667] ixrouter.wan.http_proxy_authentication=[basic] ixrouter.wan.http_proxy_username=[proxyuser] ixrouter.wan.http_proxy_password=[6667] ixrouter.wan.wlan_ssid=[publicwifi] ixrouter.wan.wlan_key=[myfipassword] ixrouter.wan.ixapi_entry_point=https://ixsec-api.ixon.net:443/ ixrouter.wan.ixapi_account_id=nnnn-nnnn-nnnn-nnnn-nnnn ixrouter.lan.gateway_less_routing=true ixrouter.lan.ip_address=192.168.140.1