OpenWrt Forum Archive

Topic: Nexx WT1520 support

The content of this topic has been archived between 31 Mar 2018 and 30 Apr 2018. Unfortunately there are posts – most likely complete pages – missing.

Good news everyone! With the great help of ValdikSS we've discovered a hidden backdoor in the firmware (actually, maybe more than just one backdoor). I successfully found a way to update from stock firmware to OpenWrt. Will post details a little bit later. It's more like a jailbreak than a usual upgrade.
But you can do it without a soldering iron!

Update Dec 2014 - There's no need to use these instructions now. Just flash the OpenWrt factory image available in trunk via the Nexx web interface.


About:
NEXX guys put two (or maybe more) backdoors into the system.
The first one is a "telnetd" daemon with a hardcoded login:password.
The second is the "upgraded" daemon, which is actually a tftpd server waiting for new firmware. Sadly, we haven't yet managed to bypass the password check protection on tftpd.

The first and second ones are open on all Ethernet ports, including the WAN one, so it's really no good for end users because of the possibility of remote attack.

What you will need to upgrade to openwrt firmware:
mtd3.bin
openwrt-ramips-rt305x-nexx-wt1520-squashfs-sysupgrade.bin

Connect your computer to a LAN port on the router.
Set your computer's IP address to 192.168.8.2/255.255.255.0

Run some HTTP server; I used "python -m SimpleHTTPServer" on my Mac.

So in this example I'm running an HTTP server on port 8000 with the files I need. Please be careful, and if something differs from my output do not continue the process! You may destroy your router's firmware (not the bootloader!) and you will need a soldering iron to fix it!

Process:
(password is y1n2inc.com0755)

$ telnet 192.168.8.1
Trying 192.168.8.1...
Connected to 192.168.8.1.
Escape character is '^]'.

(none) login: nexxadmin
Password:

BusyBox v1.12.1 (2013-10-17 11:35:12 HKT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cd /tmp/
# wget http://192.168.8.2:8000/mtd3.bin
Connecting to 192.168.8.2:8000 (192.168.8.2:8000)
mtd3.bin             100% |***************************************************************************************************************|  3776k 00:00:00 ETA
# mtd_write erase mtd3
getFileSize: No such file or directory
Unlocking mtd3 ...
Erasing mtd3 ...
Erase char is 255
# mtd_write -r write mtd3.bin mtd3
Unlocking mtd3 ...
Writing from mtd3.bin to mtd3 ...  [w]

At this point the router should reboot (watch the LED) into the OpenWrt firmware. The OpenWrt firmware's IP address is 10.10.10.123/255.255.255.0; use DHCP for your computer.

ssh login: root
password: openwrt

But it's not the end! Download your openwrt-ramips-rt305x-nexx-wt1520-squashfs-sysupgrade.bin file to the router's /tmp/ directory (via scp or wget from your server).

Connect with an ssh client to your router and go to /tmp/:

# cd /tmp/
# sysupgrade -F -v -n openwrt-ramips-rt305x-nexx-wt1520-squashfs-sysupgrade.bin
Sysupgrade is not yet supported on generic.
Image check 'platform_check_image' failed but --force given - will update anyway!
killall: watchdog: no process killed
Sending TERM to remaining processes ... dnsmasq ntpd ubusd askfirst logd netifd uhttpd
Sending KILL to remaining processes ... askfirst
Switching to ramdisk...
Performing system upgrade...
Unlocking firmware ...

Writing from <stdin> to firmware ...
Upgrade completed
Rebooting system...

Your router will reboot and that's (finally) the end, you've got OpenWrt firmware on it!

(Last edited by hackru on 22 Dec 2014, 09:09)
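
Added example (not part of the original post and not hackru's code): the post says both services listen on every Ethernet port, WAN included. The shell function below reads `netstat -lntu` output and flags listeners bound to the wildcard address on TCP 23 (telnetd) and UDP 69. Port 69 for the "upgraded" daemon is an assumption (the standard TFTP port; the post does not state it), and the sample netstat text is constructed.

```shell
#!/bin/sh
# Added example: flag listeners bound to every interface (so reachable from
# WAN as well as LAN) on the ports of the two services the post describes.
# Assumptions: telnetd on TCP 23; the "upgraded" TFTP-style daemon on UDP 69
# (standard TFTP port, not stated in the post).

# Constructed sample of `netstat -lntu` output, not captured from a real device.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.8.1:80          0.0.0.0:*               LISTEN
tcp        0      0 :::23                   :::*                    LISTEN
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 192.168.8.1:53          0.0.0.0:*
'

# find_exposed PORTS: read netstat output on stdin and print "proto port address"
# for each wildcard-bound listener whose port is in the comma-separated list.
find_exposed() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # tcp rows must be in LISTEN state; udp rows have no state column
            if ($1 ~ /^tcp/ && $NF != "LISTEN") next
            wildcard = (host == "0.0.0.0" || host == "::" || host == "*" || host == "[::]")
            if (wildcard && (port in want)) print $1, port, addr
        }'
}

# count_exposed PORTS: number of findings, convenient for scripted checks.
count_exposed() { find_exposed "$1" | wc -l | tr -d ' '; }

printf '%s' "$SAMPLE_NETSTAT" | find_exposed "23,69"
```

On a live system, pipe real output in instead of the sample: `netstat -lntu | find_exposed "23,69"`. A listener bound to a single LAN address, like the 192.168.8.1:80 row, is not reported.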

hackru wrote:
Downunder wrote:

How would you add an external aerial to the board ?

I would like to put this in a metal case so an external aerial would be great.

Does this seem ok ?

You can take +5v from a USB port pin. If you need 12v then you should use a step-up converter.

Thanks for your reply Hackru, but it was post 175 on that link. Sorry, I didn't know how to link to a specific post; maybe the link below has worked correctly. It is an aerial, not the fan, I am trying to upgrade.

http://www.techpowerup.com/forums/threa … st-1638467

Sorry for the confusion


Well, okay, I'm not an expert, but the image in that post looks quite like this router. The two test points near the antenna look like they're for an external antenna.

hackru, great job!

the only bad thing is that it is still not in trunk and people won't be able to use the opkg to deploy something

Not in trunk, but it should accept packages from the ramips repo with no problem.
And you always can (and should!) assemble your own firmware. You can use my patches from the GitHub repo.

(Last edited by hackru on 23 Jul 2014, 18:10)

hackru,

Great job on the router. I have been looking for a portable router for quite some time now and this is finally what I need, with the exception of having an OpenVPN client on the device. Do you think it's possible to run an OpenVPN client on this thing so that all traffic flows through the VPN tunnel?

Thanx! again great job!

Yes, it's possible, but OpenVPN speed may be low (lower than 20mbps); I haven't tested it very well.

(Last edited by hackru on 23 Jul 2014, 20:51)

Awesome! I ordered 2 from Ali, can't wait to get them now so I can play with them. I will be happy with 3-5Mbps, thanx again!


hackru,

Great guide! Great job! Thanks!
Your firmware has a DLNA server and a web interface?

hugocomh wrote:

Great guide! Great job! Thanks!
Your firmware has a DLNA server and a web interface?

It has a web interface, but no DLNA. If you need DLNA, compile your own firmware; all the needed patches are present in this topic, so it should be very easy.

Guys, can you submit your patches to add support to the trunk? Since you have a way to push OpenWrt without a soldering iron, people would need to do it once and then 'sysupgrade' will work for them for future upgrades.

(Last edited by gently on 31 Jul 2014, 10:42)

hackru wrote:
hugocomh wrote:

Great guide! Great job! Thanks!
Your firmware has a DLNA server and a web interface?

It has a web interface, but no DLNA. If you need DLNA, compile your own firmware; all the needed patches are present in this topic, so it should be very easy.

Thanks hackru!
The last question: with this firmware, is everything still working? (i.e. LED, USB with HDD (samba server), WiFi, Reset button)

Sorry, but how do I set up WiFi in client mode? The WiFi scan mode in the firmware does not work.

(Last edited by sergun on 1 Aug 2014, 13:14)

sergun wrote:

Sorry, but how do I set up WiFi in client mode? The WiFi scan mode in the firmware does not work.

Are you speaking about the original firmware or OpenWrt? If it's about my variant of the firmware, then client mode will not work because I compiled the firmware without wpa_supplicant to save extra space. You should compile your own version (with wpa_supplicant) if you need client mode.

hugocomh wrote:

Thanks hackru!
The last question: with this firmware, is everything still working? (i.e. LED, USB with HDD (samba server), WiFi, Reset button)

In the compiled firmware:
LED works.
USB - working for a 3G dongle; for a samba server you need to install samba to the HDD itself, but I think I didn't add kmod-ext4 to the firmware.
WiFi works (see the message above about client mode).
Reset button - should work as the button for entering safe mode; can't check it now.

Universal way - compile your own version of the firmware with packages that fit your needs.

It seems I ruined the firmware; please write a guide on how to flash through a serial port.

If your bootloader is alive, then you should use the method I described in post 22.

Sorry, but it is impossible to solder to these points on the board; there is some kind of glue there. Are there other tx and rx points that can be soldered to? If possible, please post your picture of how you soldered it. Thank you very much in advance.

These are the only two known points.
If you're in Moscow, PM me; I can write a full dump to flash.

I've already tried everything. I found the presumed points and connected, but after starting PuTTY there is just a black screen and that's all.

I am not from Moscow.

Maybe it needs to be connected in some particular order?

Make sure you're:
- using a USB-TTL adapter, not the PC's COM port.
- using the correct port speed, should be 57600
- powering your router from the same PC as the USB-TTL adapter, or else you need to connect the GND cable too.

(Last edited by hackru on 4 Aug 2014, 13:27)

The router boots with the adapter connected. But I cannot select booting from FTP; everything scrolls by so quickly. How do I boot from FTP?

You probably didn't properly connect the tx cable and/or ground cable. Check everything, and try pressing "2" the whole time while the bootloader prints its messages.