IX2412

From Hackerspace ACKspace
Revision as of 12:21, 8 March 2022 by Xopr (talk | contribs) (fixed wifi part (the ssid and key came from another setting))
Jump to: navigation, search
Project: IX2412
Featured: Yes
State Active
Members Xopr
GitHub No GitHub project defined. Add your project here.
Description IXON IXrouter3 4G "cloud" modem
Picture
No project picture! Fill in form Picture or Upload a jpeg here

Has a

  • Mediatek MT7621AT
  • 8GB SD card
  • Winbond 25Q128JVSM 128Mbit serial flash
  • USB2512B USB2.0 hub
  • Ublox LILY-W131 wifi 2.4GHz
  • Quectel EC2-5E (Main, DIV, GNSS)

connecting UART

  • use 3.3V logic to be safe

Run terminal client in 56k 8N1: minicom -D/dev/ttyUSB0 -b57600 -o And make sure Hardware Flow Control is off: Ctrl+a, o, choose Serial port setup, f

Uboot env

After pressing space to interrupt (within 1 second) you get: 

Please choose the operation: 
   0: Load system code then write to Flash via Serial.
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Enter boot command line interface.
   7: Load U-Boot code then write to Flash via Serial.
   8: System Load UBoot to SDRAM via TFTP. (hidden in menu)
   9: Load U-Boot code then write to Flash via TFTP.

in the command line interface (4), you can continue booting with bootm bc050000 

MT7621 # printenv
bootcmd=tftp
bootdelay=1
baudrate=(57600)
ethaddr="AA:BB:CC:DD:EE:FF"
ipaddr=192.168.1.1
serverip=192.168.1.2
stdin=serial
stdout=serial
stderr=serial

root password

The short answer is: it's on a "factory" partition in the flash, most likely located at 40000HEX.

How to get root without copying the flash (only using serial):

  • within the boot sequence at 3/4 of the log: search for "factory", most likely it reads something like:

[ 2.290000] 0x000000040000-0x000000050000 : "factory"

  • remember 40000HEX (and add 20DEC so it becomes 40014HEX
  • reboot (either press and hold the reset button >4s or pulse X2 pin 2 and 7
  • press space in the serial monitor (you have 1 second if it says Press space to enter the bootloader... ).
  • press 4
  • and type spi read 40014 10
    • it will return something like this:
    read len: 16
    38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0
  • use an online converter or run this in a javascript console:
    "38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0".split(" ").filter(n=>n!=="0").map(n=>String.fromCharCode(parseInt(n,16))).join("")

You can also retrieve it from the bin file: dd bs=1 skip=$((0x40000+20)) count=10 if=ixrouter.bin 2>/dev/null | tr -d '\000'


Oh by the way, it's 8MmBR25msm

pins and connectors

X2

Labeled. located near reset button, 3.3v logic.

  1. GND
  2. RX
  3. TX

X3

For programming/reading the SPI flash chip. Note that soldering a straight header will conflict with a SOIC clamp.

  1. VCC
  2. RST
  3. CLK
  4. DI
  5. DO
  6. CS
  7. GND

To reset, connect pin 2 and 7 with a small resistor (used 180Ω)

open ports

PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
9230/tcp open  unknown

image

extraction

Used minipro on a TL866II+ with 8 pin SOIC clamp while keeping the board in reset (connecting X2 pin 2 and 7) 

$ minipro -p W25Q128JV@SOIC8 -r ixrouter.bin --vcc=3.3 -y
Found TL866II+ 04.2.86 (0x256)
Warning: Firmware is out of date.
  Expected  04.2.128 (0x280)
  Found     04.2.86 (0x256)
WARNING: Chip ID mismatch: expected 0xEF4018, got 0xEF7018 (unknown)
Reading Code...  27.08Sec  OK

file information

To extract the image parts, you need sasquatch and jefferson additional to binwalk, see: binwalk dependencies 

$ binwalk --signature --term ixrouter.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------------------------------
78080         0x13100         U-Boot version string, "U-Boot 1.1.3 (Dec 21 2017 - 10:47:42)"
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0x4DD3DDDF, created:
                              2018-08-07 13:36:39, image size: 1213865 bytes, Data Address:
                              0x80001000, Entry Point: 0x80001000, data CRC: 0x82EB32CA, OS: Linux,
                              CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image
                              name: "MIPS OpenWrt Linux-3.18.75"
327744        0x50040         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes,
                              uncompressed size: 3663424 bytes
1541609       0x1785E9        Squashfs filesystem, little endian, version 4.0, compression:xz, size:
                              6334418 bytes, 1478 inodes, blocksize: 262144 bytes, created: 2018-08-07
                              13:36:44
7929856       0x790000        JFFS2 filesystem, little endian

Note that xopr used mtd-utils but jffs2reader gives an Unsupported compression method! error.

generated config file

The config file, to be generated online and put on a stick looks roughly like this: 

# Router configuration
# Generated by Xosperois Dimitri for ACKspace on Mon Jan 1 1900

ixrouter.wan.3g_apn={auto|MyApn}
ixrouter.wan.3g_pincode=[1234]
ixrouter.wan.3g_mtu={1200|1499}

ixrouter.wan.ip_use_dhcp={true|false}
ixrouter.wan.ip_address=[192.168.42.100]
ixrouter.wan.ip_netmask=[255.255.255.0]
ixrouter.wan.ip_gateway=[192.168.42.1]

[ixrouter.wan.dns_server=8.8.4.4]
[ixrouter.wan.dns_server=1.1.1.1]

ixrouter.wan.digital_input_mode=[disable_vpn_low]

ixrouter.wan.http_proxy_address=[10.0.0.1]
ixrouter.wan.http_proxy_port=[6667]
ixrouter.wan.http_proxy_authentication=[basic]
ixrouter.wan.http_proxy_username=[proxyuser]
ixrouter.wan.http_proxy_password=[6667]

ixrouter.wan.wlan_ssid=[publicwifi]
ixrouter.wan.wlan_key=[myfipassword]

ixrouter.wan.ixapi_entry_point=https://ixsec-api.ixon.net:443/
ixrouter.wan.ixapi_account_id=nnnn-nnnn-nnnn-nnnn-nnnn

ixrouter.lan.gateway_less_routing=true

ixrouter.lan.ip_address=192.168.140.1

convert to regular (4G) router

you need:

  • IXrouter3
  • mini (the regular) SIM card without an active pin code

steps:

  • make it a fresh install, login and type:
    either firstboot -y && reboot now (soft factory reset)
    or umount /overlay && jffs2reset && reboot now (hard factory reset)
  • login via ssh ( root@192.168.27.1) on LAN port (2-5) or 3.3v serial terminal header near the sim card slot
  • disable ixagent completely:
    /etc/init.d/ixagent stop
    /etc/init.d/ixagent disable
  • edit /etc/opkg/distfeeds.conf
    disable or remove src/gz chaos_calmer_ixpackages http://...
    add: src/gz chaos_calmer_luci http://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7621/packages/luci
  • insert wan cable (check IP lease) and run the following:
    opkg update
    opkg install luci-ssl Note that uqmi doesn't want to install command line, use luci system software to install
    unsure/future: opkg install luci-app-openvpn
  • via luci (https://192.168.27.1), remove all network firewall zones and add:
    WAN (wan, wan6, wwan) masquerading & MSS clamping (maybe include sta_wan and sta_wan6)
    LAN (lan) allow forward to DESTINATION zones WAN
  • save & apply

enable the 4G router

Note that when a sim card is present, it will connect automatically and be the primary route to internet.

  • go to System Software and install (filter for) uqmi (this might actually not be needed, not sure)
  • go to network interfaces and edit WWAN
    Protocol: DHCP client, switch protocol and set a nice hostname. Save & Apply
  • click Connect
  • if this doesn't seem to work (no RX data):
    login with SSH and type the following:
    /sbin/uqmi -d /dev/cdc-wdm0 --set-device-operating-mode offline
    /sbin/uqmi -d /dev/cdc-wdm0 --set-device-operating-mode reset
    wait 20 seconds
    /sbin/uqmi -d /dev/cdc-wdm0 --set-device-operating-mode online
    /sbin/uqmi -d /dev/cdc-wdm0 --set-autoconnect enabled

enable wifi AP

By default (and using the cloud config generator), the U-blox wifi device is set to station (client) when booting. The script is at /lib/wifi/ublox.sh and it read properties generated via ixrouterconf2uci (not sure whether it's possible to trigger the correct data via the ixconfig). The driver is Marvell WiFi-Ex Driver (cfg80211)

To prepare for accesspoint mode, run the following: 

uci set wireless.ap_lan_dev.channel='11'
uci set wireless.ap_lan_iface.ssid='ACKspaceWifi'
uci set wireless.ap_lan_iface.key='Nope. Nope nope nope nope nope.'

To switch, do this: 

uci set wireless.ap_lan_dev.disabled='0'
uci set wireless.sta_wan_dev.disabled='1'

To apply the new wifi settings, run /etc/init.d/network reload and to permanently store them, use uci commit

spacenet

TBD.

Short version: remove wpad-mini and install wpad. Rest might be command line settings only since the web interface for wifi doesn't play nice with the current setup.

setup openVPN (automatically connects)

Note that this will have OpenVPN connect automatically and DNS might give problems. If so, select both WAN and VPN in the second-to-last step.

To connect to the ACKspace VPN (tun), change the interface:

  • go to Network Interfaces and Edit VPN
  • under Physical Settings choose Custom interface: tun+
  • Save & Apply
  • go to Network Firewall and add a Zone:
    VPN (vpn) masquerading (possibly also MSS clamping)
  • Save & Apply
  • locate your ackspace.ovpn file and make sure it contains the following line:
    auth-user-pass login.conf
  • copy the file:
    scp ackspace.ovpn root@192.168.27.1:/etc/openvpn/ackspace.conf
  • SSH into the router and create the following file containing username and password on a separate line: /etc/openvpn/login.conf
  • /etc/init.d/openvpn restart
  • finally, in Luci, go to Network Firewall -> Zone LAN and click Edit
  • switch Allow forward to destination from WAN to VPN
  • Save & Apply

also see

Retrieved from "https://ackspace.nl/w/index.php?title=IX2412&oldid=9169"