11 June 2020


How to boot the firmware to mess around with:

Rev 6 or Rev 10 router (I explain how to check in part 0 and 1)
Linux PC (preferably Ubuntu)
TTL to USB adapter
An ethernet cable

I set all the mtd partitions to read-only so you should be safe, but this is still a work in progress so do this at your own risk. If something breaks I can try to help you but if it's unfixable, don't come after me.

To open up the router, you take off the 4 rubber feet and unscrew the 4 Phillips screws (one has a warranty-void sticker) to reveal 2 more screws to take off, then pop off the top cover and take out the 2 screws. After that you just need to pull the innards up while wiggling them around and they should come right out.

Part 0: Getting shell access
For routers without a QR code (RAC2V1K):
Download the zip file in this post [1], unzip it, and restore the appropriate config.cfg file. The file for 1.1.16 also works on 1.1.17. After the router reboots, SSH into it with the username and password in the README.txt file.

For routers with a QR code (SAC2V1K): Because there's no web interface, you'll need to open it up.
0a. Open up the router and connect to the serial console with the TTL adapter. [2]
0b. Open a serial terminal with a baud rate of 115200 and plug power into the router. When you see "Hit space key to stop autoboot:", press the spacebar twice. If it stops booting and you get a prompt that says "(IPQ) #", you're good and can move on. If nothing happens and the router keeps booting, check all your connections. If you're absolutely sure you have everything connected correctly but still nothing happens, do what I said in this post [3]
0c. Reboot the router but this time let it completely boot up. Wait until the blue LED on the front is glowing or on. Press enter and you should be presented with a login shell. The username is operator and there's no password. If you get a big banner that says PLUME in ASCII art, you're good to go.

Part 1: Checking the firmware version
After you're logged in, just run "cat /proc/device-tree/model".
If you get Askey RT4230W-D187/REV10 and you're already connected with the serial cable, you can move on.
If you get Askey RT4230W-D187/REV6, follow steps 0a and 0b then continue.
If you get anything else (I think there are around 15 different variants floating around, so this is very possible), you *really* shouldn't continue because this will probably just end with kernel panics or non-functioning hardware.

Part 2: Setting up the tftp and dhcp server
Go to network settings, click the plus icon next to wired and put in these details, then save:
Identity Tab
Name: *Anything you want*
MAC Address: Leave blank
IPv4 Tab
IPv4 Method: Shared to other computers
IPv6 Tab
IPv6 Method: Disabled
After you configure all of that, go to this website [4] and follow the instructions for setting up the tftp server.

Part 3: Booting up the initramfs image
After you've configured everything and set up the tftp server, download this img file [5] and put it in /tftp. Open the serial terminal again, reboot the router and interrupt U-Boot. Run "dhcp initramfs.img" then "bootm 0x44000000". With any luck, OpenWrt will start booting and you can now mess around with whatever you want (just stay away from /dev/mtd devices). If you get a permission denied error with the dhcp command, run "sudo chmod 666 /tftp/initramfs.img" on the Linux machine you're using as the tftp server.

Since it's just an initramfs image, everything you do will be lost on reboot and opkg is broken. I included LuCI for easier configuration and also USB storage support, so if you want to store any files, any ext4, NTFS, or FAT32 formatted flash drive will work. If you have a REV10 router, you can safely dump all of the mtd partitions and they should be fine, but if you have a REV6 router you can only safely dump mtd0 through mtd19 since they seem to be the same across the two variants.
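As an added example (not from the original post), here is a small POSIX sh script that combines the model check from Part 1 with the dump rules above: it picks the mtd range that is safe for the detected board (all partitions on REV10, mtd0 through mtd19 on REV6), copies those partitions read-only, and writes a sha256 manifest so the dumps can be verified later. The model file and device directory are parameters so it can be tried against a constructed directory; on the booted initramfs they default to /proc/device-tree/model and /dev.

```shell
#!/bin/sh
# Added example, not from the original post: choose the mtd range that is safe
# to dump for the detected board (REV10: all, REV6: mtd0..mtd19) and copy those
# partitions read-only with a sha256 manifest. Paths are parameters so the
# functions can be tried against a constructed directory instead of /dev.

# Print "all" or the highest mtd index that is safe to dump on this board.
# $1: device-tree model file (default /proc/device-tree/model, NUL-terminated).
safe_mtd_limit() {
    model=$(tr -d '\0' < "${1:-/proc/device-tree/model}")
    case "$model" in
        "Askey RT4230W-D187/REV10") echo all ;;
        "Askey RT4230W-D187/REV6")  echo 19 ;;   # only mtd0..mtd19 match REV10
        *) echo "unsupported board: $model" >&2; return 1 ;;
    esac
}

# Copy partitions mtd0..$1 (or every one when $1 is "all") into $2.
# $3: directory holding the mtd device nodes (default /dev).
# Reading the character device never writes to flash; the mtdNro aliases are
# skipped so each partition is dumped once. Prints how many were dumped.
dump_mtd() {
    limit=$1; dest=$2; devdir=${3:-/dev}
    mkdir -p "$dest" || return 1
    : > "$dest/SHA256SUMS"
    count=0
    for dev in "$devdir"/mtd[0-9]*; do
        [ -e "$dev" ] || continue                # glob matched nothing
        name=${dev##*/}
        case "$name" in *ro) continue ;; esac
        idx=${name#mtd}
        if [ "$limit" != all ] && [ "$idx" -gt "$limit" ]; then
            continue                             # outside the known-safe range
        fi
        cat "$dev" > "$dest/$name.bin" || return 1
        (cd "$dest" && sha256sum "$name.bin" >> SHA256SUMS) || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Typical use on the booted initramfs, with a USB stick mounted at /mnt/usb:
#   limit=$(safe_mtd_limit) && dump_mtd "$limit" /mnt/usb/mtd-dump
```

Run `sha256sum -c SHA256SUMS` inside the dump directory later to confirm the copies still match what was read from the device.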
