dr5364.md

RAISECOM DR5364 Hack Note

Get Root Telnet

Backup configuration file in http://192.168.10.1/pc/index.html#/settings/system/backup.

You will found an entry <TelnetEntry Active="No" telnet_username="CMCCAdmin" telnet_passwd="aDm8H%MdA" telnet_port="23" />

replace "No" with "Yes" and write it back to get telnet root shell.

U-Boot Console

directly use of U-boot from factory firmware requires password.

We can get the password from mtd0 dump files. The file can be sent to host by tftp which is included in factory firmware.

➜  dr5364 strings mtd0.bin | grep username
username=telecomadmin
➜  dr5364 strings mtd0.bin | grep password
password=nE7jA%5m

Then, restart your router, connect 3.3V TTL UART on the board, and the serial port is 115200,8n1.

The U-Boot also has ethernet driver avialable, you can connect tftp server to any of the LAN ports.

Links

Flash dump: https://drive.google.com/file/d/1DYi-wEQGzIxi_ut_aYIERcqKKopk8Rxw/view?usp=sharing

dts dump: https://gist.github.com/cyyself/cf18a109a0a491c63ddb65d3bef3795f

bootlog: https://drive.google.com/file/d/15bi7T78g4Jbsn-A73Pz8dvCITFSLidzb/view?usp=sharing

OpenWrt Forum Thread: https://forum.openwrt.org/t/adding-support-for-raisecom-dr5364/173542

squashfs dump(including npu driver .ko for analyze): https://drive.google.com/file/d/1z0VVMVJoHkGg7ExT8i25lUjha1Py1Dmh/view?usp=sharing

Kernel dump and converted to elf: https://drive.google.com/file/d/1Uga6b0OUY2dfmFZCVzx7OtZ_Jx8IThio/view?usp=sharing

RISC-V NPU Firmware npu_rv32.bin: https://drive.google.com/file/d/1z809l45_v8wvjpgoEaZk294BLV9MMEot/view?usp=sharing

Factory MTD Partition

part	name	offset	size
mtd0	bootloader	0x0	0x80000
mtd1	romfile	0x80000	0x40000
mtd2	kernel	0xC0000	0x31CDC9
mtd3	rootfs	0x3DCEC4	0x15D0000
mtd4	tclinux	0xC0000	0x1E00000
mtd5	kernel_slave	0x1EC0000	0x31CDC9
mtd6	rootfs_slave	0x21DCEC4	0x15D0000
mtd7	tclinux_slave	0x1EC0000	0x1E00000
mtd8	data	0x3CC0000	0x400000
mtd9	config	0x40C0000	0x200000
mtd10	yaffs	0x42C0000	0x500000
mtd11	reservearea	0xDDC0000	0x240000