<FPSUserename>
I'm trying to boot into an alternative mode on the ISP's wifi extender (MT7621 chip), but it asks for a password. Any idea?
<FPSUserename>
also, not sure if it's me, but I don't think I see any messages popping up here
<plntyk>
FPSUserename, it's the weekend and not everyone is active - you could check for similar hardware commit messages, find out the ODM (Chinese company) that designed the board and check similar hardware configurations / dts file
<plntyk>
commit history of past mt7621 , FCC ID / wikidevi entries / check PCB text / "branding" from oem or layout similarities
<FPSUserename>
thanks, will do
<FPSUserename>
Hmm, unfortunately the PCB has no branding at all
<FPSUserename>
So I bet Arcadyan Technology Corporation built it, including the housing
<FPSUserename>
Unfortunately it asks for a password when trying any boot option other than the default
<Habbie>
FPSUserename, do you have a SO8 clip?
<FPSUserename>
I do
<Habbie>
ok, good
<FPSUserename>
With a CH341A
<Habbie>
because otherwise i also have the extender and an SO8 clip :)
<FPSUserename>
You do?
<Habbie>
i do
<FPSUserename>
Really cool. Did you already put openwrt on it?
<PaulFertser>
FPSUserename: ok, then dump full flash
<Habbie>
no, just saw your post
<FPSUserename>
Ah okay
<Habbie>
higher on my list is figuring out the protocol that it uses to get the wifi password from the experiabox v8/v10 and disables it
<FPSUserename>
Yeah, this extender is quite useless, since I don't want the experia modem/router to do the router
<PaulFertser>
FPSUserename: feel free to share the dump somewhere. Make it several times to ensure it's all the same.
<Habbie>
because apparently this is entirely automatic
<Habbie>
and that sounds insecure
<Habbie>
FPSUserename, where, roughly, in the country do you live? I ask in case you find yourself needing other tools that I might have :)
<FPSUserename>
Hmm, I heard that it doesn't disable the wifi on the v10a experia box. I bet you can just call your ISP and ask for a new modem/router
<FPSUserename>
The Netherlands
<Habbie>
i know you live in The Netherlands, otherwise you wouldn't have a KPN Experia extender :)
<FPSUserename>
ahah
<FPSUserename>
Near Utrecht
<Habbie>
also your hostname is a big tell
<Habbie>
ok, i'm in Hilversum
<Habbie>
I'll just be paying attention here for now then :)
<FPSUserename>
Ah, not far away, nice
<PaulFertser>
FPSUserename: btw, it's OpenWrt
<FPSUserename>
Ah okay, will fix that
<Habbie>
and, disabling wifi or not, the bit where it gets the network password is the one that interests me
<PaulFertser>
FPSUserename: so is it asking for a password if you're trying to press 1 while that boot menu is shown?
<FPSUserename>
Yes
<PaulFertser>
FPSUserename: should be possible to figure out the password from u-boot dump.
<FPSUserename>
It's nice that it can boot from TFTP. I'm new to this kind of stuff, but this would mean that you can basically test images before flashing
<Habbie>
128mb is plenty for that yes
<PaulFertser>
FPSUserename: of course, the initramfs images.
<FPSUserename>
Oh wait, I don't have such a clip, I have a SOIC8/SOP8 clip
<Habbie>
FPSUserename, is that different?
<Habbie>
(i'm quite new to all the hardware stuff)
<Habbie>
ah, mine was sold as SOIC8
<FPSUserename>
Yes, the SOIC8 is a smaller clip, used for 24xx (EEPROM) and 25xx (BIOS) chips
<Habbie>
ah
<Habbie>
i just found out my clip fits on the CPU in my IKEA VINDRIKTNING air quality sensor, which i've been hacking on this week ;)
<Habbie>
ah, which one is the flash chip we're talking about clipping?
<FPSUserename>
And I believe the flash memory is the big chip with the paws
<Habbie>
top left?
<FPSUserename>
yes
<Habbie>
so that's 16 pins
<Habbie>
the 25q256jv indeed is sold as 16-pin SOIC
<FPSUserename>
The rest of the small chips are all SOT types, which usually are things like FETs and voltage regulators/supplies
<PaulFertser>
Well if you're impatient you can solder 8 wires directly to the chip legs
<Habbie>
PaulFertser, even though the chip has 16 legs? is 8 enough?
<PaulFertser>
Habbie: yes, check the datasheet, the other legs are for extended modes.
<FPSUserename>
Hmm, my soldering iron from the Gamma won't work well without flux.
<PaulFertser>
Any iron won't
<PaulFertser>
FPSUserename: when you get the dump feel free to ping me, I have some ideas about extracting the password.
<PaulFertser>
FPSUserename: unless it really just has a hash :/
<FPSUserename>
It was already a pain to solder the header on the PCB, since there was still some solder left. I don't have a vacuum tube to suck it out
<FPSUserename>
Hmm, I'll keep that in mind. If I get further I'll definitely update the reddit post
<FPSUserename>
Well, since it's all linux based, I bet it's hashed
<Habbie>
PaulFertser, ah, that's exactly the answer i hoped for :)
<PaulFertser>
I once used a regular vacuum cleaner and a cocktail tube :)
<PaulFertser>
FPSUserename: no, you say the password is asked by U-Boot, right? So not related to Linux really.
<Habbie>
FPSUserename, where on the picture is the serial?
<PaulFertser>
One can hope they were lazy when implementing that silly measure.
<PaulFertser>
FPSUserename: in any case having access to the flash directly you'll be able to overwrite this u-boot with something that doesn't ask for a password.
<FPSUserename>
Hm yes, it's asked right after the boot option, before it would boot the system, so indeed, not linux related
<dwfreed>
heh, the W25Q256FV in SOIC has 7 pins not connected
<FPSUserename>
Would need a clip and I bet also a new programmer. I highly doubt that the CH341A can program this
<Habbie>
i think I read SPI
<Habbie>
do you have a pi? or any microcontroller?
<Habbie>
dwfreed, that makes sense as they also sell an 8 pin version
<FPSUserename>
Yeah, I currently use my Arduino without the ATMega chip to use it as a USB to UART tool
<FPSUserename>
Also have a pi 3b
<Habbie>
FPSUserename, right, then doing SPI should be doable
<Habbie>
dwfreed, ah, /HOLD and /RESET are shared on the 8 pin version
<PaulFertser>
FPSUserename: 8-pin and 16-pin SOIC NOR SPI have exactly the same protocol, ch341 would work as well.
<FPSUserename>
I wonder if I could get away by starting up the system and then only connect the miso/mosi pins (rx/tx but then in SPI terms)
<FPSUserename>
Then I'd only need two wires
<FPSUserename>
That would be doable
<PaulFertser>
FPSUserename: related, your rpi can be used as a JTAG adapter (and as an SPI adapter for flashrom too) directly with any 3.3 V target.
<PaulFertser>
FPSUserename: you'd need 7 or 8 wires to get full r/w access to the flash chip.
<FPSUserename>
Well, should be able to flash through serial, which would be the more reliable method (since I have a nice header on it and decent jumper cables)
<Habbie>
FPSUserename, right, as you have GND through uart already
<PaulFertser>
FPSUserename: and also in certain cases it might be complicated to get it working without lifting the Vcc pin up or doing some tricks like limiting the current fed (to avoid SoC interfering)
<FPSUserename>
Oh hm, 7/8 wires would be too much to solder with a cheap iron
<Habbie>
PaulFertser, lifting the vcc pin up as in disconnecting it from the board so you can power the flash without powering the rest of the board?
<Habbie>
alternative idea: just sniff the flash to grab the password?
<PaulFertser>
FPSUserename: see https://paulfertser.info/files/useless_buzzfix/ , I used a large old soldering iron to remove and then solder back a small wire connecting one side of a 0603 capacitor to ground.
<PaulFertser>
Habbie: yes
<Habbie>
PaulFertser, i assume you know you don't have a 'valid' cert?
<PaulFertser>
Habbie: sniffing the flash is problematic I'd say, and you can't overwrite it anyway, so better to get full r/w access.
<Habbie>
sure
<Habbie>
not disagreeing, just laying down options
<PaulFertser>
Habbie: it's a valid CAcert certificate, I prefer it to LE.
<FPSUserename>
Yeah, the CH341A is a nice cheap programmer. I used it to modify the EEPROM from my car's instrument cluster (add needle sweep and the lap timer), and I tried reviving my motherboard's bios, but that one is dead. It's shipped to Germany for a proper repair. I could do it myself, but the problem with the 25xx chip it uses is that it has some sort of protection
<Habbie>
PaulFertser, right - i guess debian doesn't ship cacert
<PaulFertser>
Alas
<Habbie>
PaulFertser, i assumed something like that, hence the quotes
<dwfreed>
Nobody ships CAcert anymore
<dwfreed>
iirc Debian used to
<PaulFertser>
FPSUserename: so have you checked my pics? Don't dare to complain about a cheap iron after that ;)
<FPSUserename>
Habbie, since you already own a clip and the extender, could you try and read the EEPROM? I highly doubt that they'd use different passwords on each unit
<Habbie>
FPSUserename, i probably can, but it's not the plan I had for today ;)
<Habbie>
(i've never done such a thing, but that usually doesn't stop me)
<PaulFertser>
(it's 0402 cap actually)
<FPSUserename>
Yes Paul, I saw them. My iron is definitely better. I've soldered a ton with good stations, but it's difficult to solder without flux (it takes 10x as long).
<PaulFertser>
FPSUserename: soldering without flux just shouldn't be done, period.
<Habbie>
i should buy some flux
<PaulFertser>
I like my TS100 btw, I recommend to check out Pinecil or TS80P especially if you have Type-C PD power banks.
<FPSUserename>
0402 is insane. I've manually put PCBs together with 0402 caps on the rear side (under a BGA chip), puts some strain on your eyes and back lol
<FPSUserename>
I wanted to buy flux, but then I reminded myself that they have a due date of about a year. I rarely solder at home, so I didn't feel like spending ~10-15 euro on a tube
<Habbie>
eleshop.nl has flux from 3 bucks
<FPSUserename>
I was interested in the TS100, have it for years on my wishlist, but then again, rarely solder
<PaulFertser>
FPSUserename: just buy some suitable resin flux. Even if the liquid evaporates just add some IPA or ethanol and it's all good again.
<FPSUserename>
Useful, thanks for the link, I'll definitely order the small tube
<PaulFertser>
Or you can buy solid resin, its shelf life is like forever.
<Habbie>
FPSUserename, where on the board is the serial? or did i miss your answer?
<PaulFertser>
BTW, with proper access to flash chances are that any bootloader image for a similar board can run there.
<FPSUserename>
The J4 section is the serial port. It's near the ethernet ports and the big black component
<Habbie>
ah there
<Habbie>
very inconveniently placed then
<PaulFertser>
Big black component meaning the Ethernet transformer?
<PaulFertser>
Yeah, I see
<FPSUserename>
I edited the reddit post with the serial port findings
<FPSUserename>
yes
<FPSUserename>
I wouldn't say inconveniently placed. You can easily stick jumper cables in a header
<Habbie>
FPSUserename, well, i have another clip which just grips, but only at the edge of a board
<Habbie>
FPSUserename, so for that, the placement is inconvenient :)
<FPSUserename>
Oh ha lol
<Habbie>
i've been wondering if i can make it longer
<Habbie>
with some protoboard or something
<FPSUserename>
Yes, usually you should put connectors on the edges of the PCB, not somewhere in the middle
<FPSUserename>
But sometimes, especially when it's supposed to be a one time only type of connector, it doesn't matter. Things like TAG "connectors" (just PCB footprints) or JTAG connectors are somewhere in the middle, close to the chips they're connected to
<Habbie>
sure
<Habbie>
i'm not yet great at soldering
<wb9688>
Me neither
<FPSUserename>
I can tell you, soldering gets a lot easier if you have a good station and good flux. It's not like gaming where a better keyboard and mouse make you a better player. Upgrading gear instantly makes your solder stuff a lot better, because the solder just flows a lot better
<xdarklight>
hauke: in some older UGW version I found drivers/net/ifxmips_ppa/platform/ar9/d5/ifxmips_ppa_datapath_ar9_d5.c which has: https://pastebin.com/KMQRxJxT - also the WDT driver in AVM sources has: *IFX_NMI_CR = (1<<31); /*--- clear NMI-IrqStatus ---*/
<Habbie>
FPSUserename, right, i do need to get flux
<xdarklight>
hauke: so I'm wondering if EIU also provides some NMI interrupt lines
<Habbie>
FPSUserename, btw, do you know who owns the experia wifi extender?
<FPSUserename>
You mean bruikleen or that you own it?
<Habbie>
FPSUserename, yes, that
<Habbie>
wow that on/off switch is cheap
<FPSUserename>
I think you own them, because you normally buy them. KPN is generous towards new customers and gives two extenders for free
<Habbie>
right
<Habbie>
i got one for free
<Habbie>
for no reason that i can figure out
<FPSUserename>
I got two for free, because the modem is placed in the "meterkast". Stupid people put the fiber cable section there instead of the living room
<FPSUserename>
And the guy that connected the fiber to ethernet transformer gave me two extenders for compensation regarding internet speeds in the attic and the yard
<Habbie>
nice
<Habbie>
my previous home had the fiber in the living room, yes
<Habbie>
but not this one
* wb9688
at some point just got a broken(?) Fritz!WLAN thingy from my ISP for free
<FPSUserename>
Anyway, I have this netgear router that I hoped would fix the poor internet latencies with Ziggo, but even their modem in bridge mode sucked. The intel puma 6 (and 7) chips are horrible
<PaulFertser>
Folks, want to remind you to save full flash dumps as these devices have per-board calibration data, so it's better to have full backup just in case.
<Habbie>
PaulFertser, can you type a bit more? what kind of calibration data?
<PaulFertser>
And then I think you should be able to use u-boot from any other SPI NOR MT7621 device.
<FPSUserename>
In case one is broken, I have another one to try on haha
<Habbie>
FPSUserename, haha
<Habbie>
FPSUserename, i don't :D
<PaulFertser>
Habbie: wireless calibration data, should be present somewhere on flash.
<wb9688>
Broken as in after the set-up wizard it does literally nothing, though you could reset it and then use the set-up wizard again… lol
<PaulFertser>
Habbie: if you check DTS files for similar devices you'll see a partition defined and referenced in @wlan or something like that.
<Habbie>
PaulFertser, ah, thanks, good to know
<FPSUserename>
The extenders never worked for me, the modem didn't configure them, so they're just sitting in their box dusting up until I was looking around and found a post on Tweakers
<Habbie>
heh
<Habbie>
i never even tried
<Habbie>
so, i looked at the post, did anybody other than you mention openwrt?
<FPSUserename>
Yes, looks the same, it's not difficult to "read" the PCB really, it's quite simplistically made in terms of connections
<Habbie>
ack
<fda>
is someone with basic C knowledge here? I have a "char x[]" and want to replace the 1st '.' with '\0'. But I can't get it to work: for (int i = 0; i < (int)strlen(x) -1; i++) if (x[i] == '.') x[i] = '\0';
<Habbie>
that looks fine
<Habbie>
why -1?
<Habbie>
and why not use strchr?
<fda>
i have 0 knowledge of C and googled it :)
<Habbie>
hehe
<Habbie>
anyway, that code looks fine unless the . is the last char in the existing string
<Habbie>
inefficient, but fine
<fda>
reall.... i want to have only the host of a maybe FQDN, abc.def.gh
<Habbie>
ok, please do this: write a program, no longer than 10 lines, that does -just this-
<Habbie>
then it's easy to figure out why it's not working
<Habbie>
for you but also for us
<fda>
i thought it could not be so hard to just cut a string in C :)
<Habbie>
it shouldn't be, no
<fda>
i try to get rid of the domain part here: https://git.openwrt.org/?p=project/cgi-io.git;a=blob;f=main.c;h=95a62b827011ce911967705c21dae5180c5ac70d;hb=HEAD#l663
<dwfreed>
hostnames shouldn't have dots in them anyway
<fda>
it could contain a fqdn or just the host
<fda>
eg output of "hostname --help"
<fda>
but most people set the hostname without domain
<dwfreed>
gethostname should *never* return an fqdn; if somebody set the hostname to an fqdn, they should be cluebatted, and hard
<fda>
not meeeee!!
<fda>
gethostname returns my FQDN, and so it is in the filename of backups...
<fda>
how should linux know its full hostname?
<dwfreed>
the kernel doesn't care about fqdn
<dwfreed>
if gethostname gives you an fqdn, then you're setting the hostname incorrectly
<fda>
if you don't set the domain in hostname, arguments like "--fqdn" don't work, as it only shows the host - it does not know anything about a domain
<dwfreed>
it does if you do it right
<fda>
how?
<fda>
where do you set the domain?
<dwfreed>
if something cares about getting the fqdn (like hostname --fqdn), that is retrieved by looking up the hostname using gethostbyname or getaddrinfo, then taking the first address and doing gethostbyaddr or getnameinfo
<dwfreed>
thus you specify the fqdn in /etc/hosts, along with the bare hostname, usually on 127.0.0.1
<fda>
what about clients, which don't have a local hosts file?
<fda>
btw, this is the PTR
<fda>
but I notice the openwrt people all seem to think a fqdn should not be used. there are bugs in many packages like samba, syslog, backup, ...
<dwfreed>
your hostname should not be an fqdn
<dwfreed>
also, how the fqdn is determined is mentioned in the hostname man page
<dwfreed>
if there are PTR records that match, great, but /etc/hosts is 10,000x faster than DNS usually
<fda>
you didn't answer: what about clients, which don't have a local hosts file?
<dwfreed>
they need a local hosts file
<fda>
managing on my 100 local pcs is much work!
<dwfreed>
have you heard of our lord and savior configuration management?
<fda>
no, I'm using openwrt since 2 weeks or so
<fda>
google does not find "lord and savior configuration management"
<dwfreed>
also the /etc/hosts file only needs to contain the local system's information; it doesn't need any other system's information, that's what DNS is for
<dwfreed>
just search for "configuration management"
<dwfreed>
the rest of that line is a joke :)
<fda>
-.-
<fda>
I'm not native English so I don't get some things!
<fda>
if you mean backup/restore settings, I know it
<dwfreed>
it's a play on a common Christian saying "Have you heard of our Lord and Savior Jesus Christ"
<fda>
I never heard it....
<fda>
here it's more like 'Merry Christmas, and finally bring the presents over'
<fda>
(for people without fqdn it does not change the name)
<dwfreed>
no, because you want your dot stripper in the else case; gethostname returns 0 (equivalent to false) if it's successful, and -1 (any non-zero is equivalent to true in C) on failure
<fda>
does this "sprintf" on failure make any sense?
<fda>
this file created the tar with settings
<fda>
to download
<fda>
shell is the opposite: [ true ] && echo success || echo failure
<fda>
[ ! true ] && echo success || echo failure so the "else" is the failure case
<fda>
dwfreed: I tried "hostname --fqdn" on fedora after setting a hostname without domain. it shows only the hostname, even though there is a ptr by dns
<Habbie>
yes
<Habbie>
many libc functions return 0 on success
<Habbie>
which is false
<fda>
yes, thanks! it works now (in else). as I said, I have 0 C knowledge
<fda>
you don't want to know how long I searched for it before :)
<dwfreed>
fda: the PTR is only going to matter if the resolver can go from the bare hostname to an IP address, and whatever that IP address is has that PTR
<dwfreed>
if you can't "ping <hostname>" and have it work, then hostname --fqdn isn't going to work either
<fda>
ptr gives for an ip a string (hostname, maybe fqdn) back
<Habbie>
ptr has to be fqdn
<fda>
ping hostname works, as I have set a searchdomain in resolv.conf :)
<fda>
and additional dnsmasq (could if set) attach to requests without a "." in it a configured domain
<fda>
"expand-hosts" option
<fda>
dwfreed: I read https://linux.die.net/man/1/hostname . there is nothing about setting the hostname as host-only or fqdn! but using "--fqdn" to get it should be avoided - as it could cause bad results if there are multiple names/network connections
<fda>
and "Usually (if the hosts file is parsed before DNS or NIS) you can change it in /etc/hosts" - lookups by network are slow and managing every hosts file is much work. so I set the fqdn as hostname. and everyone else can use it as they want