<digitalcircuit>
I haven't yet made any progress on debugging the NBG6817 ipq806x 1.4 GHz L2 cache frequency bug, but I have finally gotten a reply to the mailing list which also shares Ansuel's reply (since it didn't seem to post from mobile): https://lists.openwrt.org/pipermail/openwrt-devel/2021-July/035935.html
<PaulFertser>
digitalcircuit: and if you suspect power supply do you probably have access to an oscilloscope to inspect the voltage coming from it?
<slh>
using an external PSU for the HDD - or a powered USB hub is probably an easier test
<PaulFertser>
I understand digitalcircuit is not easily/reliably reproducing it.
<slh>
yeah, that's the problem - and potentially load spikes from the external USB HDD
<slh>
but load spikes are pretty difficult to get hold of, it's easier trying to avoid them (at least for testing), than positively ruling them out for such an erratic issue
<PaulFertser>
So adding a constant high load might make it happen all the time
<PaulFertser>
With a 'scope you set a trigger and so you'll see if the input voltage drops at all, no matter how short the spike is.
<digitalcircuit>
PaulFertser, slh: Thank you for the heads up and discussion!
<digitalcircuit>
I had overlooked just throwing high power resistors at the power supply. I'll check what I've got and I can order more if needed to fully load the router PSU (without exceeding resistor power limits).
<digitalcircuit>
Definitely not as good as a real scope, but we'll see. I'll keep a powered USB hub in mind as an option, even if it feels a bit like defeat :)
<digitalcircuit>
Unfortunately, I don't have a proper oscilloscope yet, just a digital multimeter. My hope was for an obvious issue (e.g. constant current pointing out the fault), but if not, I'll want to look into options (I've been meaning to get a 'scope eventually anyways). Setting a trigger makes sense!
<slh>
sadly a scope isn't in everyone's tool chest, it should be, but prices are a bit discouraging for that - and the cheap old stuff won't help that much with setting triggers
<slh>
(and they're not quite trivial to operate either)
<PaulFertser>
What about cheap fx2lp based devices? They can sample up to 12 MHz with 8-bit for -10 V -- +10 V range.
<PaulFertser>
It sucks but still better than nothing I think.
<digitalcircuit>
I think I recall bigclivedotcom on YouTube mentioning inexpensive introductory oscilloscope options - well.. at least compared to high end ones like the kind that were in college electronics labs. I haven't looked into this in depth yet.
<digitalcircuit>
PaulFertser: that also seems promising as a starting point to look around, thanks!
<PaulFertser>
digitalcircuit: eevblog forums have threads about relatively cheap and reasonable devices from Rigol and Siglent.
<digitalcircuit>
PaulFertser, ah, noted! If I don't achieve success with the tools I've got (once that USB meter arrives), I'll take a look through there as well. Though depending on my patience after further testing, I may try a powered USB hub first, as slh suggested. I'm determined for now, though :)
<digitalcircuit>
Well, not *right* now - I should wind down, but I'll see pings later. Thank you both for your suggestions and remarks throughout my troubleshooting - I appreciate them!
<PaulFertser>
digitalcircuit: trying a different more beefy or just newer power supply for the whole thing might also give additional data points.
* digitalcircuit
nods!
FPSUserename has joined #openwrt-devel
<FPSUserename>
Habbie, which firmware did I say was on my unit?
<fda>
additional with latest revision of openwrt, kconfig reports "recursive dependency detected!" with PACKAGE_python3-numpy NUMPY_OPENBLAS_SUPPORT NUMPY_OPENBLAS_SUPPORT
<FPSUserename>
Habbie, 12W power supply doesn't mean that the device will use (up to 12W). I bet that the company found a fitting power supply that meets the requirements at a good price. By the way, most power supplies have peak efficiency at around 60% load (especially desktop power supplies). Having a power supply that just meets the requirements will mean that it's constantly at 100% load, generating a lot of heat
<Habbie>
FPSUserename, of course
<FPSUserename>
It's that I found on Tweakers that this unit consumes around 4 watts of power, while the older white extender sat at around 11W (they compared to a Ubiquiti extender/ap that used around 5.5W)
<FPSUserename>
So all in all, these units are quite capable, provided that we can crack it open and flash openwrt. It's only a shame that they don'
<FPSUserename>
that they don't support AX/ WiFi 6 and 6E
<FPSUserename>
But AC is enough for me anyway, got 200mbps up and down on fiber
<Habbie>
FPSUserename, do you have a log of the password prompt if you pick a TFTP option?
<PaulFertser>
I kinda planned to load it in radare2, do xref search for the code that references Password== string and then dig the disassembly.
<Habbie>
that makes sense
<Habbie>
i've been looking for an excuse to toy with radare
<Habbie>
but not today for me
<PaulFertser>
The string in question is probably an md5 of the password, and who knows, probably unsalted.
<FPSUserename>
hmm, it says "critical error dqs_gw_coarse > DQS_GW_COARSE_MAX cannot find any pass-window"
<FPSUserename>
lol
<Habbie>
PaulFertser, oh yes, it is the right size
<PaulFertser>
Habbie: thank you. Do not expect a fast result though, I'm not really a master of it.
<Habbie>
i haven't done reverse engineering of binary blobs since 2001 either
<blocktrron_>
nbd: do you have any information if MT7915 firmware supports 802.11mc ranging as Responder?
<blocktrron_>
The vendor driver exchanges (presumably) a per-phy activation sequence, however in contrast to mt7615/mt7622 there is no TMR version defined for the mt7915.
FPSUserename has quit [Remote host closed the connection]
<Habbie>
sorry if i'm not answering questions usefully - i'm in a meeting and i don't know what you're looking for :)
<russell-->
you could make a GPL request and cc KPMG Certified Public Accountants
<Habbie>
mm, uboot is GPL
<Habbie>
but the password might be hidden in config, which would not be GPL
<russell-->
it might let you build your own u-boot that doesn't have the undesired parts
<Habbie>
why do you mention KPMG?
<Habbie>
russell--, yes, but then how do we flash that?
<russell-->
with an external programmer on the SPI flash
<Habbie>
right
<wb9688>
JTAG or directly to the flash
<Habbie>
so far I have been assuming that -if- we can flash, there are no actual hard problems
<russell-->
i just was looking at their investor pages and saw they have CPAs, which might care more about compliance issues (as a joke)
<Habbie>
russell--, KPN's investor pages?
<russell-->
Arcadyan's
<Habbie>
ah!
<wb9688>
KPN != KPMG
<Habbie>
i assumed KPN because KPMG is dutch too :)
<wb9688>
Oh
<Habbie>
i know that :)
<russell-->
accountants have a reputation for being sticklers for rules they find out about
<wb9688>
Habbie: I was telling russell-- but my typing is not so fast so you had already sent multiple new messages
<Habbie>
hah
<Habbie>
wb9688, are you on your phone again? :)
<wb9688>
Of course I am
<wb9688>
You knew that already ;)
<stintel>
fda: are you fda77 on gh ?
<stintel>
if yes, please let me know how to attribute (Reported-by: Full Name <full@name.tld>)
<rsalvaterra>
mangix: Ping. Does transmission fail to run with wolfssl (with your patch), or doesn't even build?
<fda>
stintel, yes fda77
<fda>
this "full name" is currently my biggest problem. i never used my rn on the internet for anything...
<fda>
im not yet sure if i should, and in case with which mail
<fda>
minor bug: sysupgrade copies losetup to ram if found. even if it is only a busybox applet. this applet does not know the "-D" sysupgrade wants to execute
<stintel>
fda: well then I'll just skip the reported by and tag you in the PR
<fda>
thx stintel
<fda>
with freetz we wrote all the time only "by" (patch or something) or "thx nick". in case of known github account "@nick"
<nick[m]12>
me?
<Habbie>
nick[m]12, probably not :D
<fda>
no, not you ...
<nick[m]12>
okay. ;)
<blocktrron_>
Habbie: depending on the bootcommand the device uses (and how the U-Boot lock is implemented), pulling the SPI to reset when loading the kernel image can also lead to a writable shell.
<fda>
this should not catch busybox's losetup in sysupgrade, in case someone wants to check and commit.. https://pastebin.com/BvKnHmyx
<Habbie>
blocktrron_, ack, i think PaulFertser mentioned something similar
<blocktrron_>
I have not read the entire backlog, so sorry if this was already proposed
<Habbie>
a few days ago
<Habbie>
and in different terms
<Habbie>
so maybe not even the same
<blocktrron_>
apart from that, the newer mesh series is the same as the one offered from BT
<PaulFertser>
Habbie: that was tmn505
<Habbie>
ah thanks
<blocktrron_>
While other carriers *cough* deutsche telekom *cough* decide to buy the cheaper version from arcadyan
<Habbie>
blocktrron_, ack - many of these devices appear to be rebranded all over the place
<blocktrron_>
Same casing - you receive Quantenna with USB attached realtek wifi. Works about as nice as you'd expect.
<Habbie>
lol
<Habbie>
anyway, i suspect people might have drawers full of this one
<Habbie>
and the MT7621 chipset is still nice
<Habbie>
so openwrt would be fun
<Habbie>
could even be a router then (the ISP firmware is wifi only)
<blocktrron_>
is there a mtd dump anywhere of the bootloader here?
<Habbie>
is the block that contains the password prompts
<Habbie>
and some hex just near it that might be an md5 hash
<tmn505>
is there separate u-boot environment partition?
<Habbie>
tmn505, how would i recognise it? i sadly need to share partitions carefully at this point
<Habbie>
but i have mtdblock0-11 here
<tmn505>
there is default u-boot environment embedded in Your mtd1, usually if the environment is saved it has the same values, so search for 2nd "bootdelay"
<tmn505>
anyway You can prepare Your own environment with uboot-tools, if the u-boot will pick up the values that could be some vector You could fiddle with boot process.
shibboleth has joined #openwrt-devel
<Habbie>
tmn505, i know some of these words - how would i get the environment onto the device?
<tmn505>
write it with flash programmer?
<Habbie>
i haven't touched the hardware yet
<Habbie>
FPSUserename has on theirs, but they're not here now
<PaulFertser>
Habbie: what's in block0?
<Habbie>
PaulFertser, everything i found in any other block appears to be in 0 as well - so everything i think?
<Habbie>
i don't know if that normally is how it works
<PaulFertser>
Habbie: how did you dump it?
<tmn505>
also looking at default environment values maybe there is some tftp recovery procedure
<Habbie>
PaulFertser, i may or may not have independently found one of the exploits recently published by tenable
<PaulFertser>
Habbie: you found an exploit to get shell on the target?
<Habbie>
PaulFertser, because they provide zero details
<Habbie>
PaulFertser, i did
<PaulFertser>
Habbie: awesome. Probably you could dump dmesg output via that, and then you'd see what offsets and sizes the blocks use.
<Habbie>
dmesg was useless (full of wifi scan data) but i can reboot tomorrow and see
<Habbie>
or maybe this meeting will become boring soon ;)
<Habbie>
PaulFertser, would dmesg do anything that /proc/partitions wouldn't?
<dwfreed>
"Sorry I dropped from the meeting, my wifi died"
<tmn505>
haha! with that the device is Yours, from there You can also write new u-boot environment. Maybe fw_setenv is there, mtd should also be there.
<Habbie>
dwfreed, haha, no i want to be in this meeting for the interesting bits :)
<PaulFertser>
Habbie: for i in /sys/class/mtd/mtd?; do grep . $i/offset $i/size; done
<Habbie>
tmn505, yes, until i brick it and can't fix that because I haven't even taken the heatsink off ;)
<Habbie>
PaulFertser, cool, will try that soon
<Habbie>
tmn505, but yes, i did realise i can do anything i want now - once ;)
<Habbie>
but that may not help other openwrt users
<Habbie>
i'm also on very old firmware so the exploit may have been fixed in most existing devices
<stintel>
happy late night hacking folks :)
<Habbie>
stintel, thanks!
<tmn505>
indeed, with current state only tftp recovery is viable if images from provider are signed
<Habbie>
FPSUserename reported that picking tftp in the uboot menu asked for a password
<Habbie>
i also noticed that 'config backup downloads' are reported as 'openssl enc' by 'file'
<Habbie>
but i should be able to figure that out from my dumps
<Habbie>
the white button next to it is a very cheap power switch
<Habbie>
one more button on the side, WPS i think
<Habbie>
(not my photo, my heatsink is still on)
<Habbie>
i'm not a hardware person so i went looking for other 'ins' before i broke stuff
<fda>
if someone wants to check, i changed setting export filename to backup_HOSTNAMEWITHOUTDOMAIN_rREV-HASH_D-A-T-E_TIME.tgz + included installed pkgs list. place in feeds/packages/net/cgi-io/patches/ https://pastebin.com/saR6z8ne
<tmn505>
maybe there is recovery procedure with pressing reset button or combination of buttons which won't ask for password
<Habbie>
right, that's possible
<Habbie>
i should probably try the UART soon
<Habbie>
(FPSUserename has that, I don't yet)
<tmn505>
if format of image to upload is figured out then that would be the vector to upload OpenWrt
<Habbie>
ok
<Habbie>
how about dts?
<Habbie>
(i barely know what i'm saying here)
<tmn505>
it's simple
<Habbie>
i believe there also may still be a JTAG angle to get around all of this, but not very user friendly
<Habbie>
tmn505, please go on :)
<tmn505>
usually it's replicating already existing ones
<tmn505>
but tbf I haven't done any commits in ramips target :)
<Habbie>
hehe
<Habbie>
me neither
<Habbie>
my only openwrt work before this has been in packages, testing on ath79 and x86_64 :)
<tmn505>
if You know how to exploit a device then dts is least of Your worries
<Habbie>
good to know
<Habbie>
i'm just afraid that i'll replace some things and brick it
<Habbie>
to the point that I do need to touch SPI on some flash chip :)
ephemer0l has joined #openwrt-devel
<Habbie>
(or JTAG, or ...)
<stintel>
can you clamp the spi and read it before continuing ?
<stintel>
ehr, the NOR*
<tmn505>
then shove all testing to FPSUsername :)
<Habbie>
stintel, i don't know - this was the plan until i decided to try software first :)
<stintel>
:D
<Habbie>
FPS does not have a fitting clamp
<Habbie>
i don't know if my clamp fits
<stintel>
I do, but I'm ~2000km away :(
<Habbie>
haha
<Habbie>
where are you?
<stintel>
Sofia
<Habbie>
2128km
<Habbie>
yep
<Habbie>
could probably get the right clamp from aliexpress quicker and cheaper ;)
<stintel>
I can do it in <24h
<Habbie>
google maps tells me that too :D
<Habbie>
but i'm not in any rush anyway
<stintel>
but I've recently done the trip from sofia to belgium and back so no way :P
<Habbie>
haha
<Habbie>
if we had to do that, i would happily drive to belgium ;)
<Habbie>
i've done two day conferences in belgium while sleeping at home
<hurricos>
v
champtar has quit [Quit: WeeChat 3.0.1]
<stintel>
Fosdem ?
<Habbie>
loadays, very small, 50km more to the north (Antwerp North instead of Brussels South)
<hurricos>
is
<hurricos>
sorry ugh. Trying out radare2
<Habbie>
i've always gotten a hotel for FOSDEM
<stintel>
ah yeah, I know loadays, never been though
<stintel>
I believe I know some of the guys organising it
<hurricos>
OK, as someone who has briefly used Ghidra, I am loving radare. Wayyyy less overhead :^)
<Habbie>
FOSDEM is 200km for me
<stintel>
walk in the park ;)
<Habbie>
hurricos, you're not PaulFertser? but you're looking at my dumps? :)
<stintel>
LOL
<stintel>
"looking at my dumps"
<stintel>
sorry
<Habbie>
lol
<Habbie>
no can do, my toilets don't have these plateaus :D
<hurricos>
yeah, I also threw that hash you dropped into `john --format=md5-raw ...`
<Habbie>
hurricos, nice
<hurricos>
no dice, btw. Only running it on 2xL5640.
<hurricos>
yet*
<dwfreed>
Habbie: someone posted an image of those toilets to imgur recently; weirdest thing I'd ever seen
<Habbie>
i only tried 500k words on it, no juice
<Habbie>
dwfreed, with the plateaus?
<dwfreed>
Habbie: yeah
<stintel>
I could feed it to hashcat maybe
<Habbie>
dwfreed, super normal here 30 days ago
<hurricos>
stintel: you need hardware for that ....
<Habbie>
hashcat can run on CPU
<dwfreed>
Habbie: what changed in a month? :D
<stintel>
I have hardware :P
<Habbie>
it's how i did 500k in a few seconds
<hurricos>
it's not really much better than John on CPU
<Habbie>
but i don't know how to operate hashcat beyond that ;)
<hurricos>
at least not for md5
<Habbie>
well i'm too dumb to run john at all ;)
<hurricos>
ah
<Habbie>
dwfreed, a month?
<dwfreed>
Habbie: "super normal here 30 *days* ago" (emphasis mine)
<stintel>
where was the hash ?
<Habbie>
dwfreed, oops! 30 years :D
<dwfreed>
Habbie: I figured :D
<Habbie>
taking the liberty to paste 7 lines:
<Habbie>
Input Password==>
<Habbie>
%02x
<Habbie>
46947c0bc8d2803f511b5f1ae08cf819
<Habbie>
Fail!!!
<Habbie>
Input Password==>
<Habbie>
Correct!!!
<Habbie>
that's strings output from mtdblock1
<Habbie>
so we suspect that is an md5 for the uboot password
<hurricos>
great. well I was getting around 24x9MH/s :|
<hurricos>
lol
<PaulFertser>
From a cursory look I have an impression most of the text strings are relocated somewhere so no direct xrefs are available. I'd probably try compiling https://github.com/pinney/MT7621-u-boot-mod/ to see how it usually goes.
<PaulFertser>
0xbfc00000 looks like the correct offset for the code
<Habbie>
PaulFertser, apparently i have size but not offset in the mtd dirs, i'll try a reboot soon
<PaulFertser>
Don't forget it's little endian mips.
<Habbie>
yes, i also pondered building 'uboot with a password' to see how things look
<Habbie>
If you like expensive bricks proceed without caution.
<Habbie>
lol
<stintel>
let's see how long the AC can keep up, it's going to be 38C here tomorrow, not a good day to run hashcat 😂
<Habbie>
wow
<dwfreed>
it is currently 35 C with a heat index of 42 C here
<dwfreed>
But I also live in a humid subtropical climate, so this is mostly to be expected
<stintel>
oof
<Habbie>
dwfreed, where are you then?
<dwfreed>
Habbie: Oklahoma now
<Habbie>
ah
<dwfreed>
The freedom units are 95 and 108 respectively
<Habbie>
108% of freedom, wow
<dwfreed>
We have an extreme heat warning today, and a heat advisory has already been issued for tomorrow
<Habbie>
i believe that
<hurricos>
what does an implementation of md5 look like in MIPS? :|
Acinonyx_ has joined #openwrt-devel
<Habbie>
hah, i wish i could answer that
<Habbie>
we don't even know if it's MD5
<hurricos>
that's what I'm trying to confirm lol
<Habbie>
i'd really love to spend some time with radare later this week