Skip to content

Instantly share code, notes, and snippets.

@cyyself
Last active October 27, 2023 00:46
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save cyyself/6f3544348e27aff2df647ba60cc6cc1c to your computer and use it in GitHub Desktop.

RAISECOM DR5364 Hack Note

Get Root Telnet

Backup configuration file in http://192.168.10.1/pc/index.html#/settings/system/backup.

You will found an entry <TelnetEntry Active="No" telnet_username="CMCCAdmin" telnet_passwd="aDm8H%MdA" telnet_port="23" />

replace "No" with "Yes" and write it back to get telnet root shell.

U-Boot Console

directly use of U-boot from factory firmware requires password.

We can get the password from mtd0 dump files. The file can be sent to host by tftp which is included in factory firmware.

➜  dr5364 strings mtd0.bin | grep username
username=telecomadmin
➜  dr5364 strings mtd0.bin | grep password
password=nE7jA%5m

Then, restart your router, connect 3.3V TTL UART on the board, and the serial port is 115200,8n1.

The U-Boot also has ethernet driver avialable, you can connect tftp server to any of the LAN ports.

Links

Flash dump: https://drive.google.com/file/d/1DYi-wEQGzIxi_ut_aYIERcqKKopk8Rxw/view?usp=sharing

dts dump: https://gist.github.com/cyyself/cf18a109a0a491c63ddb65d3bef3795f

bootlog: https://drive.google.com/file/d/15bi7T78g4Jbsn-A73Pz8dvCITFSLidzb/view?usp=sharing

OpenWrt Forum Thread: https://forum.openwrt.org/t/adding-support-for-raisecom-dr5364/173542

squashfs dump(including npu driver .ko for analyze): https://drive.google.com/file/d/1z0VVMVJoHkGg7ExT8i25lUjha1Py1Dmh/view?usp=sharing

Kernel dump and converted to elf: https://drive.google.com/file/d/1Uga6b0OUY2dfmFZCVzx7OtZ_Jx8IThio/view?usp=sharing

RISC-V NPU Firmware npu_rv32.bin: https://drive.google.com/file/d/1z809l45_v8wvjpgoEaZk294BLV9MMEot/view?usp=sharing

Factory MTD Partition

part name offset size
mtd0 bootloader 0x0 0x80000
mtd1 romfile 0x80000 0x40000
mtd2 kernel 0xC0000 0x31CDC9
mtd3 rootfs 0x3DCEC4 0x15D0000
mtd4 tclinux 0xC0000 0x1E00000
mtd5 kernel_slave 0x1EC0000 0x31CDC9
mtd6 rootfs_slave 0x21DCEC4 0x15D0000
mtd7 tclinux_slave 0x1EC0000 0x1E00000
mtd8 data 0x3CC0000 0x400000
mtd9 config 0x40C0000 0x200000
mtd10 yaffs 0x42C0000 0x500000
mtd11 reservearea 0xDDC0000 0x240000
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment