[OpenWrt-Devel] GPL Violation to chase + Engenius/Senao firmware non-update

Michael Holstein moholstein at gmail.com
Mon Oct 22 01:15:11 EDT 2018


Okay .. Engenius problem sorted for the most part, and this works on
all the flavors I've got at hand (couple of indoor kinds, and a couple
of high power outdoor abgn ones)

TLDR version:
1. Via CLI, fake firmware .bin that passes initial muster but not uci
(like correct chipset, wrong something else) will croak into a UCI
shell and get you out of the menu. That's a root shell, and /bin/ash
along with all manner of goodies are there.
2. The FDT and other board goodies are actually here :
https://downloads.compex.com.sg/?dir=  .. all the models/boards.
3. The file to fiddle with would be /lib/uboot-envtools.sh .. but make
sure you add debrick options (turn back on the UART, add boot_wait,
etc.) unless you need skeet targets. Come to think, this would be an
awesome "team retreat" activity. Box of old Ciscos ... box of 2nd
Amendment .. Pull!


Long version:

This works without taking it off the ceiling, you can just telnet
right into it and do the upgrade. Note that I've yet to sort out how
to get the UART working but the pins (with the triangle being #1)
are:

1 : 3.3v (you cannot deliver enough power this way, don't connect it
and power via 12v adapter).
2 : GND
3 : TXD
4 : RXD

I did not bother, but I suppose it behooves to edit u-boot to allow
for input from this UART as this would be the debrick if the below
goes south. The trick about the IP addresses of 192.168.1.1 and .11
gets it wrong on this unit (it's .99) but I never got that to work
anyway.

> I'd nastygram Engenius and make them post the GPL contrib so you have
> the BLOB for the Broadcom IPQ4019 that's in there. This is the
> EAP1250/1300 (identical except for where RJ45 port is) .. there are

Some follow-up on this, here's how you win this stupid little battle.

Telnet into the router, go through the menus sys -> fwgrade ->
(firmware upgrade path from CLI) then do "fwup http://something
plausible that will never work" .. like a .bin for your TiVo or
whatever. When that fails, guess what you get?

uci>

bingo. shell access. as root. (/bin/ash can give you a bit more
functional shell). A surprising amount of utilities are on there (dd,
nc, etc.) .. so if you want to backup /dev/mtd(x) you pull a "dd | nc
--> elsewhere" and "nc -l > incomming.bin"

Then you go here : https://downloads.compex.com.sg/?dir=

and you can get the QSDK and reference firmware and board IDs for all
of these models, again minding Engenius/Senao are just some. I used the
OpenMesh a62 image with a different FDT blob.

What you find there will look like this (this being the FDT overlays
for an EAP1250, all of the models are in the above site, although I've
not yet found that marking on the board).

Of primary interest? .. will be editing this file to do your bidding.
Always funny to see copied homework that forgot to change the name.

uci>cat /lib/uboot-envtools.sh
#!/bin/sh
#
# Copyright (C) 2011-2012 OpenWrt.org
#

ubootenv_add_uci_config() {

        local dev=$1
        local offset=$2
        local envsize=$3
        local secsize=$4
        local numsec=$5
        uci batch <<EOF

add ubootenv ubootenv
set ubootenv.@ubootenv[-1].dev='$dev'
set ubootenv.@ubootenv[-1].offset='$offset'
set ubootenv.@ubootenv[-1].envsize='$envsize'
set ubootenv.@ubootenv[-1].secsize='$secsize'
set ubootenv.@ubootenv[-1].numsec='$numsec'

EOF
        uci commit ubootenv
}

ubootenv_add_app_config() {
        local dev
        local offset
        local envsize
        local secsize
        local numsec
        config_get dev "$1" dev
        config_get offset "$1" offset
        config_get envsize "$1" envsize
        config_get secsize "$1" secsize
        config_get numsec "$1" numsec
        echo "$dev $offset $envsize $secsize $numsec" >>/etc/fw_env.config
}

--- and the cpu --

uci>cat /proc/cpuinfo

processor       : 0
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 96.00
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls
vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

processor       : 1
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 96.00
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls
vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

processor       : 2
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 96.00
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls
vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

processor       : 3
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 96.00
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls
vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

Hardware        : Qualcomm (Flattened Device Tree)
Revision        : 0000
Serial          : 0000000000000000
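
Added example (not part of the original post, and not code from the firmware): a POSIX sh check for the "$dev $offset $envsize $secsize $numsec" lines that ubootenv_add_app_config above appends to /etc/fw_env.config, meant to be run before relying on that file for any U-Boot environment change. The /dev/mtdN device form and the rule that envsize must fit in secsize*numsec are assumptions of this example; the sample entries are constructed.

```sh
#!/bin/sh
# Added example: sanity-check "<dev> <offset> <envsize> <secsize> <numsec>"
# entries like those ubootenv_add_app_config appends to /etc/fw_env.config.

# is_num VALUE: accept plain decimal or 0x-prefixed hex, nothing else.
is_num() {
    case "$1" in
        ''|0[xX]) return 1 ;;
        0[xX]*) case "${1#0[xX]}" in *[!0-9a-fA-F]*) return 1 ;; esac ;;
        0[0-9]*) return 1 ;;   # leading zero would be read as octal
        *[!0-9]*) return 1 ;;
    esac
    return 0
}

# check_fw_env_line LINE: print "ok" or a reason; return 1 on a bad entry.
check_fw_env_line() {
    set -f; set -- $1; set +f          # split on whitespace, no globbing
    [ $# -eq 5 ] || { echo "expected 5 fields, got $#"; return 1; }
    dev=$1 offset=$2 envsize=$3 secsize=$4 numsec=$5
    case "${dev#/dev/mtd}" in          # assumption: env sits on /dev/mtdN
        "$dev"|''|*[!0-9]*) echo "unexpected device: $dev"; return 1 ;;
    esac
    for v in "$offset" "$envsize" "$secsize" "$numsec"; do
        is_num "$v" || { echo "not a number: $v"; return 1; }
    done
    if [ $(($envsize)) -eq 0 ] || [ $(($secsize)) -eq 0 ] || [ $(($numsec)) -eq 0 ]; then
        echo "sizes must be non-zero"; return 1
    fi
    # The environment has to fit inside the sectors reserved for it.
    [ $(($envsize)) -le $(($secsize * $numsec)) ] ||
        { echo "envsize exceeds secsize*numsec"; return 1; }
    echo "ok"
}

# Constructed sample entries (not read from any real device).
while IFS= read -r line; do
    printf '%-36s -> %s\n' "$line" "$(check_fw_env_line "$line")"
done <<'EOF'
/dev/mtd1 0x0 0x10000 0x10000 1
/dev/mtd1 0x0 0x20000 0x10000 1
/dev/mtd1 0x0 0x10000 65536
/tmp/env.bin 0x0 0x10000 0x10000 1
EOF
```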
