Thanks for that hackru, pointed me in the right direction to unlock var11n as well as the mini 300 to use with chaos calmer and development branch.

If anybody wants some help or hinters regarding getting openwrt on these, you'll need a flash programmer to get the initial image, modify it (so that you can interrupt the u-boot) and reflash. I'll provide a more detailed writeup regarding everything I've had to do to make this work in the near future, but am willing to answer questions in the meantime if anybody has any. (Yeah, I know, resurrecting an old thread, but I've been working on these devices for the last month, and there is next to no information online regarding getting openwrt on them)

(Last edited by SixOfFive on 25 Jan 2017, 17:46)

Hi i've recently purchased a var11n plus and had attached a serial connection but can't interrupt u-boot as apparently it's locked? What flash programmer do I need to buy and how do i use it to get the initial image?

Its even easier if you have a system setup to intercept the vonets communication. proftpd does not work (has to do with null character termination from the vonets for file requests). vsftpd does work. The newVersion.txt file is a simple character replacement (not really encrypted, just obfuscated).

I've stopped using the reader/writer as I no longer need it and can flash these fresh from factory with openwrt in a two step process. First step is to enable telnet on these devices so they can be manually flashed with openwrt (there must be some internal checks in the settings program which checks to see if there is a squashfs image in the file and fails if one is found.) The second step is flashing from the telnet prompt in order to get a true openwrt image in there.

None of the openwrt images will work with these devices (the stock images). I had to hack together the dts file as well as the mt7620.c file in order to get openwrt to boot and function 99% properly on these. As I had to hack together the dts, I only have 1 network cable operational (the female plug I do not have operational, and as it is not needed in this project, I didn't pursue making it work)

Since I will be flashing 20 - 50 of these a day, I needed to cut down on time required to push these out the door (hence reverse engineering vonets "encryption" on the ftp server.)

If you need to know the model of reader/writer I used in order to de-brick these devices/read the rom/write the rom manually. I can ask my co-worker who's I borrowed.

Doesn't look like I can upload files here, so I'll have to find a site to upload them to. You will need the openwrt builder, in order to compile the firmwares as well.

If need be, I can provide the hacked vonet firmware with telnet enabled, the newVersion.txt file targetting the var11n model, as well as a base firmware for the 2nd flash with openwrt. My modified dts and mt7620.c files I can also include. Remember, I'm not a developer for openwrt, I just hacked the snot out of this until I made it work.

If you could get the model number of the programmer that would be great as would like to learn how to do it from fresh and also how to read the flash with it.

How would I get the hacked telnet version onto it? I assume I would have to fake the public ftp server and ip it looks for when you click upgrade in the guide?  The ip/server mentioned earlier in this thread appears to be dead.

Had to ask, as I thought it was a programmer.. Forgot it was just a chip clip.
8 pin chip clip to attach to the memory model, and an SPI compatible device (raspberry pi 2 was used in our environment). Then there are numerous tutorials out there on how to read and write roms using pi's SPI interface.

The hacked version .. you are correct. You would need to modify the hosts file so that the vonets servers point at your own machine. Have vsftpd installed and a user setup (qinfang/123456). then you would have the newVersion.txt and related firmware in the ftp directory for that user. The firmware upgrade process will check the newVersion.txt and get the filename from that based on the model/line, download the firmware, run its checks on it, and it thinks its a valid image, and writes it out. After reboot, the model is then accessible via telnet with the login of admin/admin.

Then its as simple as putting your custom firmware in there with something like:
cd /tmp
wget site/test.bin
mtd_write unlock Kernel
mtd_write -r write test.bin Kernel

Then the unit reboots, and your running openwrt (as long as that test.bin is compiled properly.)

If you are going to use my dts and mt7620.c in the future, please realize I have only tested this on the development branch, and your results may vary if used with chaos calmer or other branches. the important thing is to get rid of the DDR stuff in mt7620.c so it only runs with "Board has SDRAM" values, and then obviously the dts which sets up the devices (device tree) for linux to use.

Seriously? Can't have links?
load this in a browser: hvr.biz/var11n-300/

Stuff in qinfang folder is what you would want in for the qinfang ftp user interception.

Also, when compiling with that dts, you obviously select the mt7620 and copy the *7530*.bin firmware built afterwards for the vonets (even though they are mt7620n devices) ... said I had to hack it a lot

(Last edited by SixOfFive on 23 Feb 2017, 17:41)

if any devs see this, it sure would be nice not to have to go to these great lengths in order to get openwrt onto these. Not putting blame, but maybe take a look at the files on hvr.biz that I posted in my previous link so that the var11n-300's can have a stock openwrt firmware.

Can you get the chip clip and programmer info as will pick one up. Thanks for the info does it still look for 211.154.131.164 as the ftp server?

That's fine it's only for experimenting with anyway. I will have a look at your link now.

(Last edited by thetallone on 10 Feb 2017, 14:25)

I can't post links, but if you search google for "IC Test Clip - SOIC 8-Pin" you should find the clip within the first few links. (Think it was the second link with sparkfun in it)
For programmer we just used flashrom program.
The vonets search by dns name, not ip. So its easy enough to redirect via hosts file to your own machine.
these probably are not all needed, but I added them all in just in case
vonets _ com
ww _ vonets _ com
ftp _ vonets _ com
ww _ vonets _ com _ cn

ww is triple w

Just checking, because the thread is hard to follow... What's the current status of building OpenWRT for the MINI300? Are there builds floating around (working or partially working)?

Build method for the MINI300 is the same as for VAR11n-300 (firmware will work on both, but the extra ethernet cable on that var11n-300 is not allocated with my dts file and mt7620.c files.)

Stock firmwares from openwrt will NOT work on the mini300 or var11n-300. Something I wish they would change.

update: Remove the port 5 entries in the DTS file to make things more stable.. Random kernel panic will occur with port 5 entries in the DTS I created.

Hi SixOfFive, I've followed what you've written and now I can telnet my var11n-300.
I would need some help for building the image:
- I read this link: h**ps://wiki_openwrt_org/doc/howto/buildroot.exigence
- I did everything till make menuconfig
- I put the DTS in .\openwrt\target\linux\ramips\dts (which is where I've found another file with the same name)
- I don't know where I should put "mt7620.c"
- Moreover, I don't know how to set menuconfig for this image
These are maybe stupid questions but I'm pretty new to this stuff and I'm pretty lost.
Thanks in advance

Sorry to bump, but I'm still stuck to my last post.
Can anyone help me?