Difference between revisions of "IX2412"

Has a

• Mediatek MT7621AT
• 8GB SD card
• Winbond 25Q128JVSM 128Mbit serial flash
• USB2512B USB2.0 hub
• Ublox LILY-W131 wifi 2.4GHz
• Quectel EC2-5E (Main, DIV, GNSS)

connecting UART

• use 3.3V logic to be safe

Run terminal client in 56k 8N1: minicom -D/dev/ttyUSB0 -b57600 -o And make sure Hardware Flow Control is off: Ctrl+a, o, choose Serial port setup, f

Uboot env

After pressing space to interrupt (within 1 second) you get:

Please choose the operation: 
   0: Load system code then write to Flash via Serial.
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Enter boot command line interface.
   7: Load U-Boot code then write to Flash via Serial.
   8: System Load UBoot to SDRAM via TFTP. (hidden in menu)
   9: Load U-Boot code then write to Flash via TFTP.

in the command line interface (4), you can continue booting with bootm bc050000

MT7621 # printenv
bootcmd=tftp
bootdelay=1
baudrate=(57600)
ethaddr="AA:BB:CC:DD:EE:FF"
ipaddr=192.168.1.1
serverip=192.168.1.2
stdin=serial
stdout=serial
stderr=serial

root password

The short answer is: it's on a "factory" partition in the flash, most likely located at 40000_HEX.

How to get root without copying the flash (only using serial):

• within the boot sequence at 3/4 of the log: search for "factory", most likely it reads something like:

[ 2.290000] 0x000000040000-0x000000050000 : "factory"

• remember 40000_HEX (and add 20_DEC so it becomes 40014_HEX
• reboot (either press and hold the reset button >4s or pulse X2 pin 2 and 7
• press space in the serial monitor (you have 1 second if it says Press space to enter the bootloader... ).
• press 4
• and type spi read 40014 10
  • it will return something like this:

  read len: 16

  38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0

• use an online converter or run this in a javascript console:

  "38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0".split(" ").filter(n=>n!=="0").map(n=>String.fromCharCode(parseInt(n,16))).join("")

You can also retrieve it from the bin file: dd bs=1 skip=$((0x40000+20)) count=10 if=ixrouter.bin 2>/dev/null | tr -d '\000'

Oh by the way, it's 8MmBR25msm

pins and connectors

X2

Labeled. located near reset button, 3.3v logic.

1. GND
2. RX
3. TX

X3

For programming/reading the SPI flash chip. Note that soldering a straight header will conflict with a SOIC clamp.

1. VCC
2. RST
3. CLK
4. DI
5. DO
6. CS
7. GND

To reset, connect pin 2 and 7 with a small resistor (used 180Ω)

open ports

PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
9230/tcp open  unknown

image

extraction

Used minipro on a TL866II+ with 8 pin SOIC clamp while keeping the board in reset (connecting X2 pin 2 and 7)

$ minipro -p W25Q128JV@SOIC8 -r ixrouter.bin --vcc=3.3 -y
Found TL866II+ 04.2.86 (0x256)
Warning: Firmware is out of date.
  Expected  04.2.128 (0x280)
  Found     04.2.86 (0x256)
WARNING: Chip ID mismatch: expected 0xEF4018, got 0xEF7018 (unknown)
Reading Code...  27.08Sec  OK

file information

To extract the image parts, you need sasquatch and jefferson additional to binwalk, see: binwalk dependencies

$ binwalk --signature --term ixrouter.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------------------------------
78080         0x13100         U-Boot version string, "U-Boot 1.1.3 (Dec 21 2017 - 10:47:42)"
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0x4DD3DDDF, created:
                              2018-08-07 13:36:39, image size: 1213865 bytes, Data Address:
                              0x80001000, Entry Point: 0x80001000, data CRC: 0x82EB32CA, OS: Linux,
                              CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image
                              name: "MIPS OpenWrt Linux-3.18.75"
327744        0x50040         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes,
                              uncompressed size: 3663424 bytes
1541609       0x1785E9        Squashfs filesystem, little endian, version 4.0, compression:xz, size:
                              6334418 bytes, 1478 inodes, blocksize: 262144 bytes, created: 2018-08-07
                              13:36:44
7929856       0x790000        JFFS2 filesystem, little endian

Note that xopr used mtd-utils but jffs2reader gives an Unsupported compression method! error.

generated config file

The config file, to be generated online and put on a stick looks roughly like this:

# Router configuration
# Generated by Xosperois Dimitri for ACKspace on Mon Jan 1 1900

ixrouter.wan.3g_apn={auto|MyApn}
ixrouter.wan.3g_pincode=[1234]
ixrouter.wan.3g_mtu={1200|1499}

ixrouter.wan.ip_use_dhcp={true|false}
ixrouter.wan.ip_address=[192.168.42.100]
ixrouter.wan.ip_netmask=[255.255.255.0]
ixrouter.wan.ip_gateway=[192.168.42.1]

[ixrouter.wan.dns_server=8.8.4.4]
[ixrouter.wan.dns_server=1.1.1.1]

ixrouter.wan.digital_input_mode=[disable_vpn_low]

ixrouter.wan.http_proxy_address=[10.0.0.1]
ixrouter.wan.http_proxy_port=[6667]
ixrouter.wan.http_proxy_authentication=[basic]
ixrouter.wan.http_proxy_username=[proxyuser]
ixrouter.wan.http_proxy_password=[6667]

ixrouter.wan.wlan_ssid=[publicwifi]
ixrouter.wan.wlan_key=[myfipassword]

ixrouter.wan.ixapi_entry_point=https://ixsec-api.ixon.net:443/
ixrouter.wan.ixapi_account_id=nnnn-nnnn-nnnn-nnnn-nnnn

ixrouter.lan.gateway_less_routing=true

ixrouter.lan.ip_address=192.168.140.1

convert to regular (4G) router

you need:

• IXrouter3
• mini (the regular) SIM card without an active pin code

steps:

• make it a fresh install, login and type:

  either firstboot -y && reboot now (soft factory reset)

  or umount /overlay && jffs2reset && reboot now (hard factory reset)

• login via ssh ( root@192.168.27.1) on LAN port (2-5) or 3.3v serial terminal header near the sim card slot
• disable ixagent completely:

  /etc/init.d/ixagent stop

  /etc/init.d/ixagent disable

• edit /etc/opkg/distfeeds.conf

  disable or remove src/gz chaos_calmer_ixpackages http://...

  add: src/gz chaos_calmer_luci http://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7621/packages/luci

• insert wan cable (check IP lease) and run the following:

  opkg update

  opkg install luci-ssl Note that uqmi doesn't want to install command line, use luci system software to install

  unsure/future: opkg install luci-app-openvpn

• via luci (https://192.168.27.1), remove all network firewall zones and add:

  WAN (wan, wan6, wwan) masquerading & MSS clamping (maybe include sta_wan and sta_wan6)

  LAN (lan) allow forward to DESTINATION zones WAN

• save & apply

enable the 4G router

Note that when a sim card is present, it will connect automatically and be the primary route to internet.

• go to System Software and install (filter for) uqmi (this might actually not be needed, not sure)
• go to network interfaces and edit WWAN

  Protocol: DHCP client, switch protocol and set a nice hostname. Save & Apply

• click Connect
• if this doesn't seem to work (no RX data):

  login with SSH and type the following:

  /sbin/uqmi -d /dev/cdc-wdm0 --set-device-operating-mode offline

  /sbin/uqmi -d /dev/cdc-wdm0 --set-device-operating-mode reset

  wait 20 seconds

  /sbin/uqmi -d /dev/cdc-wdm0 --set-device-operating-mode online

  /sbin/uqmi -d /dev/cdc-wdm0 --set-autoconnect enabled

setup openVPN (automatically connects)

Note that this will have OpenVPN connect automatically and DNS might give problems. If so, select both WAN and VPN in the second-to-last step.

To connect to the ACKspace VPN (tun), change the interface:

• go to Network Interfaces and Edit VPN
• under Physical Settings choose Custom interface: tun+
• Save & Apply
• go to Network Firewall and add a Zone:

  VPN (vpn) masquerading (possibly also MSS clamping)

• Save & Apply
• locate your ackspace.ovpn file and make sure it contains the following line:

  auth-user-pass login.conf

• copy the file:

  scp ackspace.ovpn root@192.168.27.1:/etc/openvpn/ackspace.conf

• SSH into the router and create the following file containing username and password on a separate line: /etc/openvpn/login.conf
• /etc/init.d/openvpn restart
• finally, in Luci, go to Network Firewall -> Zone LAN and click Edit
• switch Allow forward to destination from WAN to VPN
• Save & Apply

also see

• https://www.ic4.be/2019/07/04/de-ixrouter-onder-de-loep/