Backup configuration file in http://192.168.10.1/pc/index.html#/settings/system/backup.
You will found an entry <TelnetEntry Active="No" telnet_username="CMCCAdmin" telnet_passwd="aDm8H%MdA" telnet_port="23" />
replace "No" with "Yes" and write it back to get telnet root shell.
directly use of U-boot from factory firmware requires password.
We can get the password from mtd0
dump files. The file can be sent to host by tftp which is included in factory firmware.
➜ dr5364 strings mtd0.bin | grep username
username=telecomadmin
➜ dr5364 strings mtd0.bin | grep password
password=nE7jA%5m
Then, restart your router, connect 3.3V TTL UART on the board, and the serial port is 115200,8n1.
The U-Boot also has ethernet driver avialable, you can connect tftp server to any of the LAN ports.
Flash dump: https://drive.google.com/file/d/1DYi-wEQGzIxi_ut_aYIERcqKKopk8Rxw/view?usp=sharing
dts dump: https://gist.github.com/cyyself/cf18a109a0a491c63ddb65d3bef3795f
bootlog: https://drive.google.com/file/d/15bi7T78g4Jbsn-A73Pz8dvCITFSLidzb/view?usp=sharing
OpenWrt Forum Thread: https://forum.openwrt.org/t/adding-support-for-raisecom-dr5364/173542
squashfs dump(including npu driver .ko for analyze): https://drive.google.com/file/d/1z0VVMVJoHkGg7ExT8i25lUjha1Py1Dmh/view?usp=sharing
Kernel dump and converted to elf: https://drive.google.com/file/d/1Uga6b0OUY2dfmFZCVzx7OtZ_Jx8IThio/view?usp=sharing
RISC-V NPU Firmware npu_rv32.bin: https://drive.google.com/file/d/1z809l45_v8wvjpgoEaZk294BLV9MMEot/view?usp=sharing
part | name | offset | size |
---|---|---|---|
mtd0 | bootloader | 0x0 | 0x80000 |
mtd1 | romfile | 0x80000 | 0x40000 |
mtd2 | kernel | 0xC0000 | 0x31CDC9 |
mtd3 | rootfs | 0x3DCEC4 | 0x15D0000 |
mtd4 | tclinux | 0xC0000 | 0x1E00000 |
mtd5 | kernel_slave | 0x1EC0000 | 0x31CDC9 |
mtd6 | rootfs_slave | 0x21DCEC4 | 0x15D0000 |
mtd7 | tclinux_slave | 0x1EC0000 | 0x1E00000 |
mtd8 | data | 0x3CC0000 | 0x400000 |
mtd9 | config | 0x40C0000 | 0x200000 |
mtd10 | yaffs | 0x42C0000 | 0x500000 |
mtd11 | reservearea | 0xDDC0000 | 0x240000 |