OpenWrt Forum Archive

Topic: HooToo Tripmate Titan HT-TM05 (MT7620)

The content of this topic has been archived between 8 Apr 2018 and 6 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Hi!

I'm new to this forum but used to run openwrt on some devices. Thank you guys for the good work!!!
So my view on openwrt was from a user perspective, until I bought the HooToo HT-TM05. I couldn't find any openwrt images for this router and also found only posts and device pages about the other routers from HooToo (e.g. TM01, TM02). So I decided to start investigating how to get openwrt running on that device to gain even more functionality (the stock firmware is quite good, except for missing 3G support...).

The HooToo HT-TM05 is a battery powerbank (10400 mAh) with ethernet, wifi and usb capabilities. It seems to have 64MByte RAM, which makes it a perfect candidate for running openwrt.

This is the information I have already gathered while running the stock firmware (I haven't opened it yet since it doesn't seem to have any screws, so I would have to break it...):

(Note: Access to the device is quite easy since it has telnetd running by default, at least in my case with firmware version 2.000.022. You might log in with username admin and a blank password, or as user root with password 20080826.)


#/proc/cpuinfo

system type        : Ralink SoC
processor        : 0
cpu model        : MIPS 24Kc V5.0
BogoMIPS        : 386.04
wait instruction    : yes
microsecond timers    : yes
tlb_entries        : 32
extra interrupt vector    : yes
hardware watchpoint    : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0b78, 0x0ffb]
ASEs implemented    : mips16 dsp
shadow register sets    : 1
core            : 0
VCED exceptions        : not available
VCEI exceptions        : not available

#/proc/meminfo

MemTotal:          59548 kB
MemFree:           11728 kB
Buffers:           12232 kB
Cached:            16560 kB
SwapCached:            0 kB
Active:            14416 kB
Inactive:          18948 kB
Active(anon):       2484 kB
Inactive(anon):     2628 kB
Active(file):      11932 kB
Inactive(file):    16320 kB
Unevictable:         540 kB
Mlocked:               0 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                80 kB
Writeback:             0 kB
AnonPages:          5140 kB
Mapped:             3184 kB
Shmem:                 0 kB
Slab:              10876 kB
SReclaimable:       5828 kB
SUnreclaim:         5048 kB
KernelStack:         520 kB
PageTables:          400 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       29772 kB
Committed_AS:      10020 kB
VmallocTotal:    1048372 kB
VmallocUsed:        2360 kB
VmallocChunk:    1044720 kB

#/proc/mtd

dev:    size   erasesize  name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00180000 00010000 "Kernel_RootFS"
mtd5: 00010000 00010000 "params"
mtd6: 00010000 00010000 "user_backup"
mtd7: 00010000 00010000 "user"
mtd8: 00600000 00010000 "Rootfs"

#kernel version

Linux HT-TM05 2.6.36 #8 Fri Jul 11 10:44:45 CST 2014 mips unknown

#/proc/partitions

major minor  #blocks  name

  31        0       8192 mtdblock0
  31        1        192 mtdblock1
  31        2         64 mtdblock2
  31        3         64 mtdblock3
  31        4       1536 mtdblock4
  31        5         64 mtdblock5
  31        6         64 mtdblock6
  31        7         64 mtdblock7
  31        8       6144 mtdblock8

#df

Filesystem                Size      Used Available Use% Mounted on
rootfs                    5.3M      5.3M         0 100% /
/dev/root                 5.3M      5.3M         0 100% /

#ps

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.7   3836   448 ?        Ss   01:10   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S    01:10   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    01:10   0:00 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S    01:10   0:00 [kworker/0:0]
root         5  0.0  0.0      0     0 ?        S    01:10   0:00 [kworker/u:0]
root         6  0.0  0.0      0     0 ?        S<   01:10   0:00 [khelper]
root         7  0.0  0.0      0     0 ?        S    01:10   0:00 [sync_supers]
root         8  0.0  0.0      0     0 ?        S    01:10   0:00 [bdi-default]
root         9  0.0  0.0      0     0 ?        S<   01:10   0:00 [kblockd]
root        10  0.0  0.0      0     0 ?        S    01:10   0:00 [khubd]
root        11  0.0  0.0      0     0 ?        S    01:10   0:00 [kswapd0]
root        12  0.0  0.0      0     0 ?        S    01:10   0:00 [fsnotify_mark]
root        13  0.0  0.0      0     0 ?        S<   01:10   0:00 [crypto]
root        17  0.0  0.0      0     0 ?        S    01:10   0:02 [mtdblock0]
root        18  0.0  0.0      0     0 ?        S    01:10   0:00 [mtdblock1]
root        19  0.0  0.0      0     0 ?        S    01:10   0:00 [mtdblock2]
root        20  0.0  0.0      0     0 ?        S    01:10   0:00 [mtdblock3]
root        21  0.0  0.0      0     0 ?        S    01:10   0:00 [mtdblock4]
root        22  0.0  0.0      0     0 ?        S    01:10   0:00 [mtdblock5]
root        23  0.0  0.0      0     0 ?        S    01:10   0:00 [mtdblock6]
root        24  0.0  0.0      0     0 ?        S    01:10   0:00 [mtdblock7]
root        25  0.0  0.0      0     0 ?        S    01:10   0:04 [mtdblock8]
root        26  0.0  0.0      0     0 ?        S    01:10   0:00 [kworker/u:1]
root        33  0.0  0.0      0     0 ?        S    01:10   0:00 [kworker/0:1]
root       146  0.0  0.0      0     0 ?        S    01:10   0:00 [RtmpCmdQTask]
root       147  0.0  0.0      0     0 ?        S    01:10   0:00 [RtmpWscTask]
root       521  0.0  0.6   2084   392 ?        Ss   01:10   0:00 udhcpd /etc/udhcpd.conf
root       879  0.0  0.7   2080   420 ?        S    01:10   0:00 udhcpc -i apcli0 -s /sbin/udhcpc.sh -p /var/run/udhcpc.pid
root      1067  0.0  0.7   4016   420 ?        Ss   01:10   0:00 /usr/sbin/led_control
root      1070  0.0  0.6   1264   372 ?        S<s  01:10   0:00 /usr/sbin/udevd -d
root      1086  0.0  0.7   3612   424 ?        S    01:10   0:00 /usr/sbin/ntp
root      1117  0.0  1.0   4956   616 ?        SN   01:10   0:00 /usr/sbin/fileserv -f /etc/fileserv/lighttpd.conf -m /usr/lib/fileserv
root      1129  0.0  2.0   5452  1216 ?        SN   01:10   0:00 /usr/sbin/fileserv -f /etc/fileserv/lighttpd.conf -m /usr/lib/fileserv
root      1130  0.0  2.0   5452  1216 ?        SN   01:10   0:00 /usr/sbin/fileserv -f /etc/fileserv/lighttpd.conf -m /usr/lib/fileserv
root      1134  0.0  2.0   5616  1216 ?        Ss   01:10   0:00 /usr/sbin/ioos
root      1143  0.0  0.7   3860   460 ?        S    01:10   0:00 /usr/sbin/upnpd
root      1145  0.0  2.0   5616  1216 ?        S    01:10   0:00 /usr/sbin/ioos
root      1146  0.0  2.0   5616  1216 ?        S    01:10   0:00 /usr/sbin/ioos
root      1159  0.0  2.0   5616  1216 ?        S<   01:10   0:00 /usr/sbin/ioos
root      1160  0.0  2.0   5616  1216 ?        S<   01:10   0:00 /usr/sbin/ioos
root      1161  0.0  2.0   5616  1216 ?        S<   01:10   0:00 /usr/sbin/ioos
root      1162  0.0  2.0   5616  1216 ?        S    01:10   0:00 /usr/sbin/ioos
root      1163  0.0  0.3   1184   220 ?        Ss   01:10   0:00 /usr/sbin/control
root      1170  0.0  0.5   2088   308 ?        Ss   01:10   0:00 telnetd
root      1171  0.0  0.5   3948   344 ?        Ss   01:10   0:00 /usr/sbin/wificheck
root      1175  0.0  0.7   2080   424 ttyS1    Ss+  01:10   0:00 /sbin/getty 57600 ttyS1
root      1177  0.0  0.7   4016   420 ?        S    01:10   0:00 /usr/sbin/led_control
root      1178  0.0  0.7   4016   420 ?        S    01:10   0:00 /usr/sbin/led_control
root      1180  0.0  0.7   4016   420 ?        S    01:10   0:00 /usr/sbin/led_control
root      1643  0.0  0.3   1112   200 ?        SN   01:10   0:00 owndns 55
root      1718  0.0  0.3   1124   228 ?        SN   01:10   0:00 ownhttp 85 10.10.10.254
admin     1910  0.0  0.8   2092   508 pts/0    Ss+  01:19   0:00 -sh
root      2956  0.0  0.0      0     0 ?        S    02:22   0:00 [scsi_eh_0]
root      2959  0.0  0.0      0     0 ?        S    02:22   0:00 [usb-storage]
root      2985  0.0  0.0      0     0 ?        S    02:22   0:00 [flush-8:0]
root      3059  0.1  2.4   3336  1468 ?        S<s  02:22   0:00 /usr/sbin/minidlna
root      3060  0.0  2.3   4072  1408 ?        SNs  02:22   0:00 /usr/sbin/smbd -D -s/etc/samba/smb.conf -d0
root      3064  0.0  2.4   3336  1468 ?        S<   02:22   0:00 /usr/sbin/minidlna
root      3066  0.0  2.4   3336  1468 ?        SN   02:22   0:00 /usr/sbin/minidlna
root      3067  0.0  1.8   3216  1088 ?        SNs  02:22   0:00 /usr/sbin/nmbd -D -s/etc/samba/smb.conf -d0
admin     3101  0.0  0.8   2092   524 pts/1    Ss   02:24   0:00 -sh
admin     3189  0.0  0.6   4000   400 ?        Ss   02:27   0:00 /usr/sbin/led_control --help
admin     3190  0.0  0.6   4000   400 ?        S    02:27   0:00 /usr/sbin/led_control --help
admin     3191  0.0  0.6   4000   400 ?        S    02:27   0:00 /usr/sbin/led_control --help
admin     3253  0.0  0.8   1840   496 pts/1    R+   02:30   0:00 ps aux

#dmesg

[    0.104000] 0x0000001f0000-0x000000200000 : "user"
[    0.104000] 0x000000200000-0x000000800000 : "Rootfs"
[    0.104000] rdm_major = 253
[    0.104000] SMACCR1 -- : 0x0000001c
[    0.104000] SMACCR0 -- : 0xc2202bac
[    0.104000] Ralink APSoC Ethernet Driver Initilization. v3.0  256 rx/tx descriptors allocated, mtu = 1500!
[    0.104000] SMACCR1 -- : 0x0000001c
[    0.104000] SMACCR0 -- : 0xc2202bac
[    0.104000] PROC INIT OK!
[    0.108000] PPP generic driver version 2.4.2
[    0.108000] PPP Deflate Compression module registered
[    0.108000] PPP BSD Compression module registered
[    0.112000] PPP MPPE Compression module registered
[    0.112000] NET: Registered protocol family 24
[    0.112000] PPTP driver version 0.8.5
[    0.116000] 
[    0.116000] 
[    0.116000] === pAd = c0045000, size = 843768 ===
[    0.116000] 
[    0.116000] <-- RTMPAllocTxRxRingMemory, Status=0
[    0.116000] <-- RTMPAllocAdapterBlock, Status=0
[    0.116000] AP Driver version-2.7.1.6
[    0.116000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    0.136000] rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
[    0.136000] rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
[    0.164000] rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x101c0000
[    0.176000] rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00
[    0.176000] hub 1-0:1.0: USB hub found
[    0.176000] hub 1-0:1.0: 1 port detected
[    0.176000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    0.196000] rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
[    0.196000] rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
[    0.196000] rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x101c1000
[    0.256000] hub 2-0:1.0: USB hub found
[    0.256000] hub 2-0:1.0: 1 port detected
[    0.256000] usbcore: registered new interface driver cdc_acm
[    0.256000] cdc_acm: v0.26:USB Abstract Control Model driver for USB modems and ISDN adapters
[    0.256000] Initializing USB Mass Storage driver...
[    0.256000] usbcore: registered new interface driver usb-storage
[    0.256000] USB Mass Storage support registered.
[    0.256000] usbcore: registered new interface driver libusual
[    0.256000] usbcore: registered new interface driver usbserial
[    0.256000] usbserial: USB Serial Driver core
[    0.256000] USB Serial support registered for GSM modem (1-port)
[    0.256000] usbcore: registered new interface driver option
[    0.256000] option: v0.7.2:USB Driver for GSM modems
[    0.256000] USB Serial support registered for Sierra USB modem
[    0.256000] usbcore: registered new interface driver sierra
[    0.256000] sierra: v.1.7.16:USB Driver for Sierra Wireless USB modems
[    0.256000] nf_conntrack version 0.5.0 (927 buckets, 3708 max)
[    0.256000] IPVS: Registered protocols ()
[    0.256000] IPVS: Connection hash table configured (size=4096, memory=32Kbytes)
[    0.256000] IPVS: ipvs loaded.
[    0.256000] GRE over IPv4 demultiplexor driver
[    0.256000] gre: can't add protocol
[    0.264000] ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone
[    0.264000] TCP cubic registered
[    0.264000] NET: Registered protocol family 10
[    0.264000] NET: Registered protocol family 17
[    0.264000] L2TP core driver, V2.0
[    0.264000] PPPoL2TP kernel driver, V2.0
[    0.264000] 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
[    0.264000] All bugs added by David S. Miller <davem@redhat.com>
[    0.288000] Match the module's license!
[    0.292000] VFS: Mounted root (squashfs filesystem) readonly on device 31:8.
[    0.292000] Freeing unused kernel memory: 172k freed
[    1.320000] Algorithmics/MIPS FPU Emulator v1.5
[    2.036000] tntfs: module license 'Commercial. For support email ntfs-support@tuxera.com.' taints kernel.
[    2.056000] Disabling lock debugging due to kernel taint
[    2.092000] Tuxera NTFS driver 3014.4.29 [Flags: R/W MODULE].
[    2.180000] Tuxera FAT driver 3013.2.9 [Flags: R/W MODULE].
[    7.384000] Raeth v3.0 (Tasklet,SkbRecycle)
[    7.396000] 
[    7.396000] phy_tx_ring = 0x035e0000, tx_ring = 0xa35e0000
[    7.396000] 
[    7.396000] phy_rx_ring0 = 0x035e1000, rx_ring0 = 0xa35e1000
[    7.396000] SMACCR1 -- : 0x0000001c
[    7.396000] SMACCR0 -- : 0xc2202bac
[    7.440000] CDMA_CSG_CFG = 81000000
[    7.444000] GDMA1_FWD_CFG = 20710000
[    7.508000] RX DESC a3e3c000  size = 2048
[    7.520000] RTMP_TimerListAdd: add timer obj c00e3798!
[    7.532000] RTMP_TimerListAdd: add timer obj c00a58e8!
[    7.540000] RTMP_TimerListAdd: add timer obj c00a58bc!
[    7.552000] RTMP_TimerListAdd: add timer obj c00a5890!
[    7.560000] RTMP_TimerListAdd: add timer obj c004d018!
[    7.572000] RTMP_TimerListAdd: add timer obj c004cc0c!
[    7.584000] RTMP_TimerListAdd: add timer obj c004cfe8!
[    7.592000] RTMP_TimerListAdd: add timer obj c004d324!
[    7.604000] RTMP_TimerListAdd: add timer obj c004d264!
[    7.612000] RTMP_TimerListAdd: add timer obj c004d294!
[    7.624000] RTMP_TimerListAdd: add timer obj c00501e4!
[    7.632000] RTMP_TimerListAdd: add timer obj c004fdd8!
[    7.644000] RTMP_TimerListAdd: add timer obj c00501b4!
[    7.656000] RTMP_TimerListAdd: add timer obj c00504f0!
[    7.664000] RTMP_TimerListAdd: add timer obj c0050430!
[    7.676000] RTMP_TimerListAdd: add timer obj c0050460!
[    7.684000] RTMP_TimerListAdd: add timer obj c00533b0!
[    7.696000] RTMP_TimerListAdd: add timer obj c0052fa4!
[    7.704000] RTMP_TimerListAdd: add timer obj c0053380!
[    7.716000] RTMP_TimerListAdd: add timer obj c00536bc!
[    7.724000] RTMP_TimerListAdd: add timer obj c00535fc!
[    7.736000] RTMP_TimerListAdd: add timer obj c005362c!
[    7.748000] RTMP_TimerListAdd: add timer obj c005657c!
[    7.756000] RTMP_TimerListAdd: add timer obj c0056170!
[    7.768000] RTMP_TimerListAdd: add timer obj c005654c!
[    7.776000] RTMP_TimerListAdd: add timer obj c0056888!
[    7.788000] RTMP_TimerListAdd: add timer obj c00567c8!
[    7.796000] RTMP_TimerListAdd: add timer obj c00567f8!
[    7.808000] RTMP_TimerListAdd: add timer obj c0059748!
[    7.816000] RTMP_TimerListAdd: add timer obj c005933c!
[    7.828000] RTMP_TimerListAdd: add timer obj c0059718!
[    7.840000] RTMP_TimerListAdd: add timer obj c0059a54!
[    7.848000] RTMP_TimerListAdd: add timer obj c0059994!
[    7.860000] RTMP_TimerListAdd: add timer obj c00599c4!
[    7.868000] RTMP_TimerListAdd: add timer obj c005c914!
[    7.880000] RTMP_TimerListAdd: add timer obj c005c508!
[    7.888000] RTMP_TimerListAdd: add timer obj c005c8e4!
[    7.900000] RTMP_TimerListAdd: add timer obj c005cc20!
[    7.912000] RTMP_TimerListAdd: add timer obj c005cb60!
[    7.920000] RTMP_TimerListAdd: add timer obj c005cb90!
[    7.932000] RTMP_TimerListAdd: add timer obj c005fae0!
[    7.940000] RTMP_TimerListAdd: add timer obj c005f6d4!
[    7.952000] RTMP_TimerListAdd: add timer obj c005fab0!
[    7.960000] RTMP_TimerListAdd: add timer obj c005fdec!
[    7.972000] RTMP_TimerListAdd: add timer obj c005fd2c!
[    7.980000] RTMP_TimerListAdd: add timer obj c005fd5c!
[    7.992000] RTMP_TimerListAdd: add timer obj c0062cac!
[    8.004000] RTMP_TimerListAdd: add timer obj c00628a0!
[    8.012000] RTMP_TimerListAdd: add timer obj c0062c7c!
[    8.024000] RTMP_TimerListAdd: add timer obj c0062fb8!
[    8.032000] RTMP_TimerListAdd: add timer obj c0062ef8!
[    8.044000] RTMP_TimerListAdd: add timer obj c0062f28!
[    8.052000] RTMP_TimerListAdd: add timer obj c00a7cf0!
[    8.064000] RTMP_TimerListAdd: add timer obj c00a78e4!
[    8.076000] RTMP_TimerListAdd: add timer obj c00a7cc0!
[    8.084000] RTMP_TimerListAdd: add timer obj c00a7ffc!
[    8.096000] RTMP_TimerListAdd: add timer obj c00a7d20!
[    8.104000] RTMP_TimerListAdd: add timer obj c00a7d50!
[    8.116000] RTMP_TimerListAdd: add timer obj c00a7d80!
[    8.124000] RTMP_TimerListAdd: add timer obj c00ba104!
[    8.136000] RTMP_TimerListAdd: add timer obj c00ba220!
[    8.144000] RTMP_TimerListAdd: add timer obj c00ba130!
[    8.156000] RTMP_TimerListAdd: add timer obj c00a83ac!
[    8.168000] RTMP_TimerListAdd: add timer obj c004a4d8!
[    8.180000] RTMP_TimerListAdd: add timer obj c004d6a4!
[    8.188000] RTMP_TimerListAdd: add timer obj c0050870!
[    8.200000] RTMP_TimerListAdd: add timer obj c0053a3c!
[    8.208000] RTMP_TimerListAdd: add timer obj c0056c08!
[    8.220000] RTMP_TimerListAdd: add timer obj c0059dd4!
[    8.228000] RTMP_TimerListAdd: add timer obj c005cfa0!
[    8.240000] RTMP_TimerListAdd: add timer obj c006016c!
[    8.248000] RTMP_TimerListAdd: add timer obj c00a80bc!
[    8.364000] RT_CfgSetMacAddress : invalid length (0)
[    8.384000] APSDCapable[0]=0
[    8.392000] APSDCapable[1]=0
[    8.396000] APSDCapable[2]=0
[    8.400000] APSDCapable[3]=0
[    8.408000] APSDCapable[4]=0
[    8.412000] APSDCapable[5]=0
[    8.420000] APSDCapable[6]=0
[    8.424000] APSDCapable[7]=0
[    8.432000] APSDCapable[8]=0
[    8.436000] APSDCapable[9]=0
[    8.440000] APSDCapable[10]=0
[    8.448000] APSDCapable[11]=0
[    8.452000] APSDCapable[12]=0
[    8.460000] APSDCapable[13]=0
[    8.464000] APSDCapable[14]=0
[    8.472000] APSDCapable[15]=0
[    8.476000] default ApCliAPSDCapable[0]=0
[    8.684000] Key1Str is Invalid key length(0) or Type(1)
[    8.692000] Key2Str is Invalid key length(0) or Type(0)
[    8.704000] Key3Str is Invalid key length(0) or Type(0)
[    8.716000] Key4Str is Invalid key length(0) or Type(0)
[    8.732000] APCli_WPAPSK_KEY, key string required 8 ~ 64 characters!!!
[    8.744000] I/F(apcli0) Key1Str is Invalid key length!
[    8.756000] I/F(apcli0) Key2Str is Invalid key length!
[    8.768000] I/F(apcli0) Key3Str is Invalid key length!
[    8.776000] I/F(apcli0) Key4Str is Invalid key length!
[    8.800000] Wrong OBSSScanParamtetrs format in dat file!!!!! Use default value.
[    8.828000] EntryLifeCheck=1024
[    8.836000] 1. Phy Mode = 9
[    8.840000] 2. Phy Mode = 9
[    8.848000] E2PROM: D0 target power=0xffff 
[    8.856000] E2PROM: 40 MW Power Delta= 0 
[    8.864000] 3. Phy Mode = 9
[    8.868000] AntCfgInit: primary/secondary ant 0/1
[    8.868000] Initialize RF Central Registers for E2 !!!
[    8.888000] Initialize RF Central Registers for E3 !!!
[    8.900000] Initialize RF Channel Registers for E2 !!!
[    8.912000] Initialize RF Channel Registers for E3 !!!
[    8.920000] Initialize RF DCCal Registers for E2 !!!
[    8.932000] Initialize RF DCCal Registers for E3 !!!
[    8.940000] D1 = -1, D2 = 6, CalCode = 16 !!!
[    8.952000] RT6352_Temperature_Init : BBPR49 = 0xffffffff
[    8.964000] RT6352_Temperature_Init : TemperatureRef25C = 0xfffffff5
[    8.976000] Current Temperature from BBP_R49=0xfffffff9
[    8.988000]  TX BW Filter Calibration !!!
[    9.112000]  RX BW Filter Calibration !!!
[    9.348000] LOFT Calibration Done!
[    9.356000] IQCalibration Start!
[    9.372000] IQCalibration Done! CH = 0, (gain= 3, phase=3e)
[    9.384000] IQCalibration Start!
[    9.404000] IQCalibration Done! CH = 1, (gain= e, phase=3e)
[    9.412000] TX IQ Calibration Done!
[    9.428000]  VGA Code idx overflow(19), AM_63(0) !!!
[    9.440000]  VGA Code idx overflow(19), AM_63(0) !!!
[    9.476000] RXIQ Sigma_i=0, Sigma_q=0, R_iq=0
[    9.488000] RXIQ calibration FAIL
[    9.492000] internal ALC is not enabled in NVM !
[    9.504000] RTMPSetPhyMode: channel is out of range, use first channel=0 
[    9.516000] MCS Set = ff ff 00 00 01
[    9.528000]  VGA Code idx overflow(19), AM_63(0) !!!
[    9.540000]  VGA Code idx overflow(19), AM_63(0) !!!
[    9.576000] SYNC - BBP R4 to 20MHz.l
[   14.032000] =====================================================
[   14.044000] Channel 1 : Dirty = 0, False CCA = 238, Busy Time = 15180, Skip Channel = FALSE
[   14.060000] Channel 2 : Dirty = 0, False CCA = 18, Busy Time = 605, Skip Channel = FALSE
[   14.076000] Channel 3 : Dirty = 0, False CCA = 38, Busy Time = 1962, Skip Channel = FALSE
[   14.092000] Channel 4 : Dirty = 0, False CCA = 3, Busy Time = 2309, Skip Channel = FALSE
[   14.108000] Channel 5 : Dirty = 40, False CCA = 16, Busy Time = 584, Skip Channel = FALSE
[   14.124000] Channel 6 : Dirty = 48, False CCA = 230, Busy Time = 34938, Skip Channel = FALSE
[   14.140000] Channel 7 : Dirty = 56, False CCA = 28, Busy Time = 2693, Skip Channel = FALSE
[   14.156000] Channel 8 : Dirty = 64, False CCA = 165, Busy Time = 3806, Skip Channel = FALSE
[   14.172000] Channel 9 : Dirty = 140, False CCA = 74, Busy Time = 20459, Skip Channel = FALSE
[   14.192000] Channel 10 : Dirty = 64, False CCA = 70, Busy Time = 3707, Skip Channel = FALSE
[   14.208000] Channel 11 : Dirty = 56, False CCA = 112, Busy Time = 4386, Skip Channel = FALSE
[   14.224000] =====================================================
[   14.236000] Rule 2 CCA value : Min False CCA value ==> Select Channel 5, min falsecca = 600 
[   14.252000] RTMP_TimerListAdd: add timer obj c00b19e0!
[   14.272000]  VGA Code idx overflow(19), AM_63(0) !!!
[   14.284000]  VGA Code idx overflow(19), AM_63(0) !!!
[   14.324000] Main bssid = 00:1c:c2:20:2b:ac
[   14.332000] <==== rt28xx_init, Status=0
[   14.344000] 0x1300 = 00064380
[   15.024000] device eth2 entered promiscuous mode
[   15.232000] device ra0 entered promiscuous mode
[   15.408000] br0: port 1(ra0) entering learning state
[   15.420000] br0: port 1(ra0) entering learning state
[   16.420000] br0: port 1(ra0) entering forwarding state
[   18.176000] eth2: no IPv6 routers present
[   18.312000] udevd version 125 started
[   18.580000] hao: input argv = 1
[   25.136000] ra0: no IPv6 routers present
[   25.184000] enable send the SIGUSR2
[   25.360000] eth2.2: no IPv6 routers present
[   25.504000] eth2.1: no IPv6 routers present
[   26.352000] br0: no IPv6 routers present
[   27.360000] apcli0: no IPv6 routers present
[   85.020000] RTMP_TimerListAdd: add timer obj c00f9540!
[   85.032000] RTMP_TimerListAdd: add timer obj c00f96f8!
[   85.340000] RTMP_TimerListAdd: add timer obj c010d184!
[   85.360000] AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(4)=TKIP
[   85.360000] 
[  110.740000] RTMP_TimerListAdd: add timer obj c010d1c0!
[  480.500000] battery volume change.
[  480.500000] 
[  519.464000] AP SETKEYS DONE - WPA2, AuthMode(7)=WPA2PSK, WepStatus(6)=AES, GroupWepStatus(4)=TKIP
[  519.464000] 
[ 1384.820000] battery volume change.
[ 1384.820000] 
[ 2228.852000] battery volume change.
[ 2228.852000] 
[ 3072.884000] battery volume change.
[ 3072.884000] 
[ 3977.204000] battery volume change.
[ 3977.204000] 

I also extracted mtdblock0 up to mtdblock8 via dd to a pendrive for further investigation.

Is someone else also doing some investigation on that device?

(Last edited by woolman on 11 Dec 2015, 18:42)
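An added example, not part of the original post: a Python sketch that turns the /proc/mtd listing above into a flash offset map, checks it against the two partition ranges visible in the posted dmesg output, and splits a full-flash dump (the "ALL" partition) into per-partition images for offline analysis. It assumes the partitions after "ALL" are laid out contiguously in the listed order; the function names are the example's own.

```python
import re

# /proc/mtd exactly as posted above.
PROC_MTD = '''dev:    size   erasesize  name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00180000 00010000 "Kernel_RootFS"
mtd5: 00010000 00010000 "params"
mtd6: 00010000 00010000 "user_backup"
mtd7: 00010000 00010000 "user"
mtd8: 00600000 00010000 "Rootfs"
'''

# The two partition lines that survive in the posted dmesg excerpt.
DMESG = '''[    0.104000] 0x0000001f0000-0x000000200000 : "user"
[    0.104000] 0x000000200000-0x000000800000 : "Rootfs"
'''

MTD_RE = re.compile(r'(mtd\d+):\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+"([^"]*)"')
RANGE_RE = re.compile(r'(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)\s*:\s*"([^"]+)"')


def parse_proc_mtd(text):
    """Return a list of dicts (dev, size, erasesize, name) from /proc/mtd text."""
    parts = []
    for line in text.splitlines():
        m = MTD_RE.match(line.strip())
        if m:
            parts.append({"dev": m[1], "size": int(m[2], 16),
                          "erasesize": int(m[3], 16), "name": m[4]})
    return parts


def derive_layout(parts):
    """Compute (name, start, end) for every partition after the whole-chip one.

    Assumption: the first entry covers the whole chip and the remaining
    entries are contiguous, in listed order, starting at offset 0.
    /proc/mtd itself carries no offsets, so this must be cross-checked.
    """
    whole, rest = parts[0], parts[1:]
    layout, offset = [], 0
    for p in rest:
        if p["size"] % p["erasesize"]:
            raise ValueError(f'{p["name"]}: size not erase-block aligned')
        layout.append((p["name"], offset, offset + p["size"]))
        offset += p["size"]
    if offset != whole["size"]:
        raise ValueError(f'partitions cover {offset:#x}, chip is {whole["size"]:#x}')
    return layout


def parse_dmesg_ranges(text):
    """Extract {name: (start, end)} from kernel partition lines in dmesg."""
    return {m[3]: (int(m[1], 16), int(m[2], 16)) for m in RANGE_RE.finditer(text)}


def verify(layout, ranges):
    """Return a list of partitions whose derived range disagrees with dmesg."""
    derived = {name: (start, end) for name, start, end in layout}
    return [name for name, rng in ranges.items() if derived.get(name) != rng]


def carve(image, layout):
    """Split a full-flash dump (bytes) into {name: bytes} using the layout."""
    if len(image) != layout[-1][2]:
        raise ValueError("dump size does not match the partition map")
    return {name: image[start:end] for name, start, end in layout}


if __name__ == "__main__":
    layout = derive_layout(parse_proc_mtd(PROC_MTD))
    for name, start, end in layout:
        print(f"{start:#010x}-{end:#010x}  {name}")
    bad = verify(layout, parse_dmesg_ranges(DMESG))
    print("dmesg cross-check:", "OK" if not bad else f"mismatch in {bad}")
```

Only "user" and "Rootfs" can be confirmed from the dmesg lines that survive on the page; the remaining offsets rest on the contiguity assumption.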

Ok, there are screws, well hidden :)

The serial pins are properly labeled and easy to spot.

Here comes the boot log:

U-Boot 1.1.3 (May  7 2014 - 05:35:03)

Board: Ralink APSoC DRAM:  64 MB
relocate_code Pointer at: 83fac000
enable ephy clock...done. rf reg 29 = 5
SSC disabled.
spi_wait_nsec: 29 
spi device id: c2 20 17 c2 20 (2017c220)
find flash: MX25L6405D
raspi_read: from:1d4000 len:1000 
*** Warning - bad CRC, using default environment

============================================ 
Ralink UBoot Version: 4.1.0.0
-------------------------------------------- 
ASIC 7620_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:May  7 2014  Time:05:35:03
============================================ 
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768 

 ##### The CPU freq = 580 MHZ #### 
 estimate memory size =64 Mbytes
raspi_read: from:40028 len:6 

Initialize vs configure module
raspi_read: from:1d0000 len:1000 
Initialize GPIO
check: 0
Input i key to enter menu 0 
raspi_read: from:50000 len:180000 
## Booting image at 80500000 ...
   Image Name:   Linux Kernel Image
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1555808 Bytes =  1.5 MB
   Load Address: 80000000
   Entry Point:  8000c2f0
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8000c2f0) ...
## Giving linux memsize in MB, 64

Starting kernel ...


LINUX started...

 THIS IS ASIC
[    0.104000] PROC INIT OK!
[    0.256000] gre: can't add protocol
enter init
Start rootfs
mounted
echo 7 > /proc/sys/kernel/printk
[    2.036000] tntfs: module license 'Commercial. For support email ntfs-support@tuxera.com.' taints kernel.
[    2.056000] Disabling lock debugging due to kernel taint
[    2.092000] Tuxera NTFS driver 3014.4.29 [Flags: R/W MODULE].
[    2.180000] Tuxera FAT driver 3013.2.9 [Flags: R/W MODULE].
init dev files
mounted end
Sun Jan  1 01:10:35 UTC 2012
Get time information first
tz_minuteswest=0
Set time information
offset=0  tz.tz_minuteswest=0
Get time information again
tz_minuteswest=0
GMT-00:00
Finish the check crc
SSID_PREFIX:TripMateSith
wireless port last two bytes:-2bac!
str_buf=2BAC
SSID:TripMateSith-2BAC
init net
/etc/initnet: line 29: wanMode_restore: not found
[    7.372000] Raeth v3.0 (Tasklet,SkbRecycle)
[    7.384000] 
[    7.384000] phy_tx_ring = 0x035e0000, tx_ring = 0xa35e0000
[    7.384000] 
[    7.384000] phy_rx_ring0 = 0x035e1000, rx_ring0 = 0xa35e1000
[    7.384000] SMACCR1 -- : 0x0000001c
[    7.384000] SMACCR0 -- : 0xc2202bac
[    7.428000] CDMA_CSG_CFG = 81000000
[    7.432000] GDMA1_FWD_CFG = 20710000
[    7.496000] RX DESC a3e3c000  size = 2048
[    7.508000] RTMP_TimerListAdd: add timer obj c00e3798!
[    7.520000] RTMP_TimerListAdd: add timer obj c00a58e8!
[    7.528000] RTMP_TimerListAdd: add timer obj c00a58bc!
[    7.540000] RTMP_TimerListAdd: add timer obj c00a5890!
[    7.548000] RTMP_TimerListAdd: add timer obj c004d018!
[    7.560000] RTMP_TimerListAdd: add timer obj c004cc0c!
[    7.572000] RTMP_TimerListAdd: add timer obj c004cfe8!
[    7.580000] RTMP_TimerListAdd: add timer obj c004d324!
[    7.592000] RTMP_TimerListAdd: add timer obj c004d264!
[    7.600000] RTMP_TimerListAdd: add timer obj c004d294!
[    7.612000] RTMP_TimerListAdd: add timer obj c00501e4!
[    7.620000] RTMP_TimerListAdd: add timer obj c004fdd8!
[    7.632000] RTMP_TimerListAdd: add timer obj c00501b4!
[    7.644000] RTMP_TimerListAdd: add timer obj c00504f0!
[    7.652000] RTMP_TimerListAdd: add timer obj c0050430!
[    7.664000] RTMP_TimerListAdd: add timer obj c0050460!
[    7.672000] RTMP_TimerListAdd: add timer obj c00533b0!
[    7.684000] RTMP_TimerListAdd: add timer obj c0052fa4!
[    7.692000] RTMP_TimerListAdd: add timer obj c0053380!
[    7.704000] RTMP_TimerListAdd: add timer obj c00536bc!
[    7.712000] RTMP_TimerListAdd: add timer obj c00535fc!
[    7.724000] RTMP_TimerListAdd: add timer obj c005362c!
[    7.736000] RTMP_TimerListAdd: add timer obj c005657c!
[    7.744000] RTMP_TimerListAdd: add timer obj c0056170!
[    7.756000] RTMP_TimerListAdd: add timer obj c005654c!
[    7.764000] RTMP_TimerListAdd: add timer obj c0056888!
[    7.776000] RTMP_TimerListAdd: add timer obj c00567c8!
[    7.784000] RTMP_TimerListAdd: add timer obj c00567f8!
[    7.796000] RTMP_TimerListAdd: add timer obj c0059748!
[    7.808000] RTMP_TimerListAdd: add timer obj c005933c!
[    7.816000] RTMP_TimerListAdd: add timer obj c0059718!
[    7.828000] RTMP_TimerListAdd: add timer obj c0059a54!
[    7.836000] RTMP_TimerListAdd: add timer obj c0059994!
[    7.848000] RTMP_TimerListAdd: add timer obj c00599c4!
[    7.856000] RTMP_TimerListAdd: add timer obj c005c914!
[    7.868000] RTMP_TimerListAdd: add timer obj c005c508!
[    7.876000] RTMP_TimerListAdd: add timer obj c005c8e4!
[    7.888000] RTMP_TimerListAdd: add timer obj c005cc20!
[    7.900000] RTMP_TimerListAdd: add timer obj c005cb60!
[    7.908000] RTMP_TimerListAdd: add timer obj c005cb90!
[    7.920000] RTMP_TimerListAdd: add timer obj c005fae0!
[    7.928000] RTMP_TimerListAdd: add timer obj c005f6d4!
[    7.940000] RTMP_TimerListAdd: add timer obj c005fab0!
[    7.948000] RTMP_TimerListAdd: add timer obj c005fdec!
[    7.960000] RTMP_TimerListAdd: add timer obj c005fd2c!
[    7.968000] RTMP_TimerListAdd: add timer obj c005fd5c!
[    7.980000] RTMP_TimerListAdd: add timer obj c0062cac!
[    7.992000] RTMP_TimerListAdd: add timer obj c00628a0!
[    8.000000] RTMP_TimerListAdd: add timer obj c0062c7c!
[    8.012000] RTMP_TimerListAdd: add timer obj c0062fb8!
[    8.020000] RTMP_TimerListAdd: add timer obj c0062ef8!
[    8.032000] RTMP_TimerListAdd: add timer obj c0062f28!
[    8.040000] RTMP_TimerListAdd: add timer obj c00a7cf0!
[    8.052000] RTMP_TimerListAdd: add timer obj c00a78e4!
[    8.064000] RTMP_TimerListAdd: add timer obj c00a7cc0!
[    8.072000] RTMP_TimerListAdd: add timer obj c00a7ffc!
[    8.084000] RTMP_TimerListAdd: add timer obj c00a7d20!
[    8.092000] RTMP_TimerListAdd: add timer obj c00a7d50!
[    8.104000] RTMP_TimerListAdd: add timer obj c00a7d80!
[    8.112000] RTMP_TimerListAdd: add timer obj c00ba104!
[    8.124000] RTMP_TimerListAdd: add timer obj c00ba220!
[    8.132000] RTMP_TimerListAdd: add timer obj c00ba130!
[    8.144000] RTMP_TimerListAdd: add timer obj c00a83ac!
[    8.156000] RTMP_TimerListAdd: add timer obj c004a4d8!
[    8.168000] RTMP_TimerListAdd: add timer obj c004d6a4!
[    8.176000] RTMP_TimerListAdd: add timer obj c0050870!
[    8.188000] RTMP_TimerListAdd: add timer obj c0053a3c!
[    8.196000] RTMP_TimerListAdd: add timer obj c0056c08!
[    8.208000] RTMP_TimerListAdd: add timer obj c0059dd4!
[    8.216000] RTMP_TimerListAdd: add timer obj c005cfa0!
[    8.228000] RTMP_TimerListAdd: add timer obj c006016c!
[    8.240000] RTMP_TimerListAdd: add timer obj c00a80bc!
[    8.356000] RT_CfgSetMacAddress : invalid length (0)
[    8.372000] APSDCapable[0]=0
[    8.380000] APSDCapable[1]=0
[    8.384000] APSDCapable[2]=0
[    8.388000] APSDCapable[3]=0
[    8.396000] APSDCapable[4]=0
[    8.400000] APSDCapable[5]=0
[    8.408000] APSDCapable[6]=0
[    8.412000] APSDCapable[7]=0
[    8.420000] APSDCapable[8]=0
[    8.424000] APSDCapable[9]=0
[    8.428000] APSDCapable[10]=0
[    8.436000] APSDCapable[11]=0
[    8.440000] APSDCapable[12]=0
[    8.448000] APSDCapable[13]=0
[    8.452000] APSDCapable[14]=0
[    8.460000] APSDCapable[15]=0
[    8.464000] default ApCliAPSDCapable[0]=0
[    8.672000] Key1Str is Invalid key length(0) or Type(1)
[    8.680000] Key2Str is Invalid key length(0) or Type(0)
[    8.692000] Key3Str is Invalid key length(0) or Type(0)
[    8.704000] Key4Str is Invalid key length(0) or Type(0)
[    8.720000] APCli_WPAPSK_KEY, key string required 8 ~ 64 characters!!!
[    8.732000] I/F(apcli0) Key1Str is Invalid key length!
[    8.744000] I/F(apcli0) Key2Str is Invalid key length!
[    8.756000] I/F(apcli0) Key3Str is Invalid key length!
[    8.764000] I/F(apcli0) Key4Str is Invalid key length!
[    8.788000] Wrong OBSSScanParamtetrs format in dat file!!!!! Use default value.
[    8.816000] EntryLifeCheck=1024
[    8.824000] 1. Phy Mode = 9
[    8.828000] 2. Phy Mode = 9
[    8.836000] E2PROM: D0 target power=0xffff 
[    8.844000] E2PROM: 40 MW Power Delta= 0 
[    8.852000] 3. Phy Mode = 9
[    8.856000] AntCfgInit: primary/secondary ant 0/1
[    8.856000] Initialize RF Central Registers for E2 !!!
[    8.876000] Initialize RF Central Registers for E3 !!!
[    8.888000] Initialize RF Channel Registers for E2 !!!
[    8.900000] Initialize RF Channel Registers for E3 !!!
[    8.908000] Initialize RF DCCal Registers for E2 !!!
[    8.920000] Initialize RF DCCal Registers for E3 !!!
[    8.928000] D1 = -1, D2 = 6, CalCode = 16 !!!
[    8.940000] RT6352_Temperature_Init : BBPR49 = 0xffffffff
[    8.952000] RT6352_Temperature_Init : TemperatureRef25C = 0xfffffff5
[    8.964000] Current Temperature from BBP_R49=0xffffffee
[    8.976000]  TX BW Filter Calibration !!!
[    9.104000]  RX BW Filter Calibration !!!
[    9.340000] LOFT Calibration Done!
[    9.348000] IQCalibration Start!
[    9.368000] IQCalibration Done! CH = 0, (gain= 3, phase=3d)
[    9.380000] IQCalibration Start!
[    9.396000] IQCalibration Done! CH = 1, (gain= e, phase= 1)
[    9.408000] TX IQ Calibration Done!
[    9.420000]  VGA Code idx overflow(19), AM_63(0) !!!
[    9.432000]  VGA Code idx overflow(19), AM_63(0) !!!
[    9.472000] RXIQ Sigma_i=0, Sigma_q=0, R_iq=0
[    9.480000] RXIQ calibration FAIL
[    9.484000] internal ALC is not enabled in NVM !
[    9.496000] RTMPSetPhyMode: channel is out of range, use first channel=0 
[    9.508000] MCS Set = ff ff 00 00 01
[    9.520000]  VGA Code idx overflow(19), AM_63(0) !!!
[    9.532000]  VGA Code idx overflow(19), AM_63(0) !!!
[    9.572000] SYNC - BBP R4 to 20MHz.l
[   14.024000] =====================================================
[   14.036000] Channel 1 : Dirty = 0, False CCA = 159, Busy Time = 9287, Skip Channel = FALSE
[   14.052000] Channel 2 : Dirty = 0, False CCA = 5, Busy Time = 2423, Skip Channel = FALSE
[   14.068000] Channel 3 : Dirty = 0, False CCA = 37, Busy Time = 1592, Skip Channel = FALSE
[   14.084000] Channel 4 : Dirty = 0, False CCA = 2636, Busy Time = 51140, Skip Channel = FALSE
[   14.100000] Channel 5 : Dirty = 0, False CCA = 1091, Busy Time = 7211, Skip Channel = FALSE
[   14.116000] Channel 6 : Dirty = 0, False CCA = 627, Busy Time = 24360, Skip Channel = FALSE
[   14.132000] Channel 7 : Dirty = 0, False CCA = 133, Busy Time = 2987, Skip Channel = FALSE
[   14.148000] Channel 8 : Dirty = 0, False CCA = 111, Busy Time = 1696, Skip Channel = FALSE
[   14.168000] Channel 9 : Dirty = 0, False CCA = 3, Busy Time = 4842, Skip Channel = FALSE
[   14.184000] Channel 10 : Dirty = 0, False CCA = 75, Busy Time = 2557, Skip Channel = FALSE
[   14.200000] Channel 11 : Dirty = 0, False CCA = 236, Busy Time = 18448, Skip Channel = FALSE
[   14.216000] =====================================================
[   14.228000] Rule 2 CCA value : Min False CCA value ==> Select Channel 3, min falsecca = 1629 
[   14.244000] RTMP_TimerListAdd: add timer obj c00b19e0!
[   14.264000]  VGA Code idx overflow(19), AM_63(0) !!!
[   14.276000]  VGA Code idx overflow(19), AM_63(0) !!!
[   14.316000] Main bssid = 00:1c:c2:20:2b:ac
[   14.324000] <==== rt28xx_init, Status=0
[   14.336000] 0x1300 = 00064380
ifconfig: SIOCGIFFLAGS: No such device
brctl: bridge br0: No such device or address
vconfig: ioctl error for rem: No such device
vconfig: ioctl error for rem: No such device
[   15.016000] device eth2 entered promiscuous mode
restore RT6855 ESW to dump switch mode
switch reg write offset=2004, value=ff0000
switch reg write offset=2104, value=ff0000
switch reg write offset=2204, value=ff0000
switch reg write offset=2304, value=ff0000
switch reg write offset=2404, value=ff0000
switch reg write offset=2504, value=ff0000
switch reg write offset=2604, value=ff0000
switch reg write offset=2704, value=ff0000
switch reg write offset=2010, value=810000c0
switch reg write offset=2110, value=810000c0
switch reg write[   15.224000] device ra0 entered promiscuous mode
 offset=2210, value=810000c0
switch reg write offset=2310, value=810000c0
switch reg write offset=2410, value=810000c0
switch reg write offset=2510, value=810000c0
switch reg write offset=2610, value=810000c0
switch reg write offset=2710, value=810000c0
REG_ESW_WT_MAC_ATC is 0x7ff0002
done.
/sbin/netinit.sh: line 269: addRax2Br0: not found
[   15.404000] br0: port 1(ra0) entering learning state
[   15.412000] br0: port 1(ra0) entering learning state
Set: phy[0].reg[0] = 3900
[   16.412000] br0: port 1(ra0) entering forwarding state
Set: phy[4].reg[0] = 3900
Set: phy[0].reg[0] = 3100
Set: phy[4].reg[0] = 3100
udhcpc (v1.12.1) started
[   18.308000] udevd version 125 started
/etc/rc.d/rc1.d/S34ntp start
[   18.572000] hao: input argv = 1
/etc/rc.d/rc1.d/S75fileserv start
(ntp.c,main,224)/bin/ntpclient -s -c 0 -h 0.asia.pool.ntp.org -i 86400 &
(ntp.c,main,236)SYNC:date "+%Y.%m.%d-%H:%M:%S" > /etc/timedate

0.asia.pool.ntp.org: Unknown host
/etc/rc.d/rc1.d/S77qos start
/etc/rc.d/rc: line 37: /etc/rc.d/rc1.d/S77qos: not found
/etc/rc.d/rc1.d/S80webd start
/etc/rc.d/rc1.d/S82upnpd start
/etc/rc.d/rc1.d/S99local start
/usr/sbin/listen_sleep &
/etc/rc.d/rc: line 105: /usr/sbin/listen_sleep: not found
ddddddddddddd

HT-TM05 login: [   25.184000] enable send the SIGUSR2

(Last edited by woolman on 11 Dec 2015, 14:53)

I was able to boot trunk via tftp:

MT7620 # tftp 400000 openwrt-ramips-mt7620-uImage.bin                                         

 netboot_common, argc= 3 

 NetTxPacket = 0x83FE3F00 

 KSEG1ADDR(NetTxPacket) = 0xA3FE3F00 

 NetLoop,call eth_halt ! 

 NetLoop,call eth_init ! 
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!! 
TFTP from server 192.168.1.1; our IP address is 192.168.1.10
Filename 'openwrt-ramips-mt7620-uImage.bin'.

 TIMEOUT_COUNT=10,Load address: 0x400000
Loading: Got ARP REPLY, set server/gtwy eth addr (64:66:b3:f3:ce:c5)
#################################################################
         #################################################################
         #################################################################
         #########################################################
done
Bytes transferred = 1288664 (13a9d8 hex)
NetBootFileXferSize= 0013a9d8
MT7620 # bootm
## Booting image at 00400000 ...
   Image Name:   MIPS OpenWrt Linux-3.18.23
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1288600 Bytes =  1.2 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 64

Starting kernel ...

[    0.000000] Linux version 3.18.23 (thepeople@viasatpilot) (gcc version 5.2.0 (OpenWrt GCC 5.2.0 r47548) ) #1 Sun Nov 22 04:13:32 CET 2015
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7620N ver:2 eco:6
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019650 (MIPS 24KEc)
[    0.000000] Linux version 3.18.23 (thepeople@viasatpilot) (gcc version 5.2.0 (OpenWrt GCC 5.2.0 r47548) ) #1 Sun Nov 22 04:13:32 CET 2015
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7620N ver:2 eco:6
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019650 (MIPS 24KEc)
[    0.000000] Linux version 3.18.23 (thepeople@viasatpilot) (gcc version 5.2.0 (OpenWrt GCC 5.2.0 r47548) ) #1 Sun Nov 22 04:13:32 CET 2015
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7620N ver:2 eco:6
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019650 (MIPS 24KEc)
[    0.000000] Linux version 3.18.23 (thepeople@viasatpilot) (gcc version 5.2.0 (OpenWrt GCC 5.2.0 r47548) ) #1 Sun Nov 22 04:13:32 CET 2015
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7620N ver:2 eco:6
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019650 (MIPS 24KEc)

Kernel messages are printed in a loop... but anyway it is booting something! :)

(Last edited by woolman on 11 Dec 2015, 18:44)

Ok, I totally missed the device tree stuff which was introduced somewhere around version 3.x.
So I'm trying to gather more data from the stock firmware so I can create a device tree file for that board for properly booting.

Hey woolman,

thank you for trying to get OpenWrt running on the TM-05. I really hope this works out, as it would be really helpful for me.

Keep up the work :-)

Do you have pics showing the disassembly?  I want to crack mine open and start playing. :-)

Good to see someone dealing with this device. Actually the software is not too bad - I've seen worse - but one feature I am badly missing is the usage of a 4G usb stick/dongle. And since I had this running on OpenWRT before I'd love to check OpenWRT as an option for the HT-TM05.

TL;DR:
Any assistance needed? Please ask for it.

One note:
I've done an update to the most recent version of the OS of the HT-TM05 and telnet has been disabled here.

I will join the thread! Thank you for trying to install openwrt on this.
Can't wait to install openvpn.

@tkaefer, exactly which 4g usb stick did you use and with which drivers?

Hi there,

I just purchased that device and used OpenWrt in the past, was hoping to find it here. Can you tell us where you are at, and if you need help...

Cheers and thanks for what you already did!

mskiller51 wrote:

Hi there,

I just purchased that device and used OpenWrt in the past, was hoping to find it here. Can you tell us where you are at, and if you need help...

Cheers and thanks for what you already did!

Same here.  I'd love to help get OpenWrt running on my HT-TM05 if possible!

Count another person in! I own one, running software version 2.000.046. Anything I can do to help make this a reality?

EDIT: I found this https://github.com/cryptographrix/HooTo … 05-hacking which seems to be based off of the original firmware (2.000.022). Could be helpful.

(Last edited by BlackSpark on 14 Apr 2016, 03:09)

Hey, I'm new here and I want to help you with the HooToo Tripmate Titan HT-TM05.
If you get one of these firmwares from http://www.hootoo.com/downloads-81-8800 … loads-2000
you can open the firmware file fw-7620-WiFiDGRJ-HooToo-HT-TM05-2.000.058 with Notepad++, and the first 262 lines seem to be the flashing routine.
Here they are:

#!/bin/sh
# constant
CRCSUM=21898846
VENDOR=HooToo
PRODUCTLINE=WiFiDGRJ
SKIP=263
TARGET_OS="linux"
TARGET_ARCH="arm"
DEVICE_TYPE=HT-TM05
VERSION=2000058
CPU=7620
if [ "$1" = "" ]; then
       FWPT="/data/UsbDisk1/Volume1/.vst/"
else    
       FWPT=$1
fi
#FWPT="/data/UsbDisk1/Volume1/.vst/"
#FWPT="/tmp"
FWCFPT="/proc/vstinfo"
SRVLIST="mlnet.sh ftp.sh nfs.sh smb.sh xl.sh ushare.sh mt-daapd.sh ddns.sh serverdev.sh fileserv.sh upnpc.sh ntp.sh web upnpd.sh upnpc.sh nasclient.sh minidlna.sh"
SPELIST="vst_daemon etc_tools web ioos usbdongled led_control au pppd upnpd listen_sleep.sh udhcpc udhcpd ntp vstddns ntpclient dropbox p2pset.sh mipsp2p listen_sleep control"
ETCMTD="/dev/mtd6"
# function
[ -f /tmp/update_flag ] && exit 0
touch /tmp/update_flag 
rm -f /etc/init.d/etcsync

upstat() {
        if [ $1 -eq 1 ]; then
                sed "s/^UPSTAT=[0-9]*/UPSTAT=$2/g" $FWCFPT > $FWCFPT
        elif [ $1 -eq 2 ]; then
                sed "s/^UPSTAT=[0-9]*/UPSTAT=0/g" $FWCFPT > $FWCFPT
                sed "s/^ERRSTAT=[0-9]*/ERRSTAT=$2/g" $FWCFPT > $FWCFPT
        else
                return 1
        fi

}
close5gled() {
    if [ "ASUS" == "$VENDOR" ]; then
        if [ -f /proc/vs_5g_led ]; then
            echo 3 > /proc/vs_5g_led
            echo 0 > /proc/vs_5g_led
        fi    
    fi
}
checkmount() {
        LINE=`mount | cut -d" " -f3`
        for p in $LINE
        do
                if [[ "$p" == /opt* ]]; then
                        umount -f $p
                fi
        done

}

extendfunc() {
#        if [ -e $ETCMTD ];then
#                /bin/flash_eraseall $ETCMTD > /dev/null 2>&1
#        fi
    /bin/mtd_write erase /dev/mtd6
    /bin/mtd_write erase /dev/mtd7
    if [ -f "/boot/tmp/etcbackup.tar.gz" ];then
        /usr/sbin/etc_tools p 7 /boot/tmp/etcbackup.tar
    fi

#        umount -f /etc > /dev/null 2>&1
#        if [ -e /boot/tmp/etc ];then
#                rm -rf /boot/tmp/etc > /dev/null 2>&1
#        fi
}
chgusrhome() {
        if [ -f /tmp/passwd ]; then
                rm -f /tmp/passwd
        fi
        if [ -f /tmp/passwd- ]; then
                rm -f /tmp/passwd-
        fi
        awk -F: '{print $1,$2,$3,$4,$5,$6,$7}' /etc/passwd > /tmp/passwd
        while read USER UX USERID GRPID NOTE HDIR HSHELL; do
                if [ $USERID -eq 15 ]; then
                        echo "$USER:$UX:$USERID:$GRPID:user:/data:/bin/sh" >> /tmp/passwd-
                else
                        if [ $USERID -gt 499 ] && [ $USERID -lt 65534 ]; then
                                echo "$USER:$UX:$USERID:$GRPID:$NOTE:/data:$HSHELL" >> /tmp/passwd-
                        else
                                if [ $USERID -eq 8 ]; then
                                        echo "$USER:$UX:$USERID:$GRPID:mail:/var/mail:/bin/sh" >> /tmp/passwd-
                                else
                                        echo "$USER:$UX:$USERID:$GRPID:$NOTE:$HDIR:$HSHELL" >> /tmp/passwd-
                                fi
                        fi
                fi
        done < /tmp/passwd
 
        if [ -f /etc/passwd ]; then
                cp /tmp/passwd- /etc/passwd
        fi
}

# check crc
upstat 1 1
echo "check firmware crc"
crcsum=`sed '1,3d' $0|cksum|sed -e 's/ /Z/' -e 's/   /Z/'|cut -dZ -f1`
[ "$crcsum" != "$CRCSUM" ] && {
        echo "firmware crc error!"
        upstat 2 1
        [ -f /tmp/update_flag ] && exit 0    
        exit 1
}
echo "firmware crc success!"

#disable poweroff key for toshiba
[ -f /proc/vs_poweroff_key_status ] && echo 0 > /proc/vs_poweroff_key_status

sleep 2

# check device type
upstat 1 2
#echo "check device tpye"
#tmpver=`awk -F= '/^CURFILE/{print $2}' $FWCFPT`
#if [ "$tmpver" != "$DEVICE_TYPE" ];then
#    if [ "$tmpver" != "wifi-disk" ];then
#            echo "Device type error!please check your device type!"
#            upstat 2 2
#            exit 1
#    fi
#fi

# close service 
upstat 1 3
# wait web
sleep 5
[ -f /proc/vs_sd_spin_down ] && echo 0 > /proc/vs_sd_spin_down
close5gled
close_services()
{
    echo "close services, waiting ..."
    for ser in $SRVLIST
    do
            if [ -e /etc/init.d/$ser ]; then
                    /etc/init.d/$ser stop > /dev/null 2>&1
             fi
    done

    # close spe service
    for spefile in $SPELIST
    do
            rm -f /var/run/$spefile*  > /dev/null 2>&1
    done

    spepid=`pidof $SPELIST`
    for pid in $spepid
    do
            kill -9 $pid > /dev/null 2>&1
    done
}
close_services

#add by ljd
#down all net interforce
{
    for IF in `ifconfig | cut -d' ' -f1 | sed '/^$/d'`
    do
        ifconfig $IF down 1>/dev/null 2>&1
    done

}
#close all app
{
    SELF_PID=$$
    ps aux > /tmp/ps.log
    [ -n `pidof watchdog` ] && diswatchdog && sleep 1 && WPID=`pidof watchdog`
    vv=`cat /etc/firmware | grep CURVER | awk -F"=" '{print $2}'`

    while read USER       PID CPU MEM    VSZ   RSS TTY      STAT START   TIME COMMAN
    do
        [  $PID == 1 ] && continue
        [ "$SELF_PID" == "$PID" ] && continue
        [ "$TTY" != '?' ] && continue
        [ -n "$WPID" ] && [ "$SELF_PID" == "$PID" ] && continue
        [ $vv == "2.000.148" ] && [ -n "$COMMAN" ] && [ "watchdog -t 5 /dev/watchdog" == "$COMMAN" ] && continue
#        echo "Will kill $PID"
        kill -9 $PID 1>/dev/null 2>&1

#            [ ! $PID == 1 ] && [ "$SELF_PID" != "$PID" ] && [ "$TTY" == '?' ] && echo "Will kill $PID" && kill -9 $PID 1>/dev/null 2>&1
    done < /tmp/ps.log
#    ps auxw
    sleep 1
#    ps aux > /data/UsbDisk1/Volume1/end_ps.log
#    sync
}
#killall -KILL watchdog
#echo 0 > /dev/watchdog

echo "services closed"
# Modify the password file
chgusrhome
sync

#/etc/init.d/etcsync
/etc/init.d/etcbak_firm_up

# extend operation
extendfunc

# untar
echo "unzip firmware package"
upstat 1 4
if [ -e "$FWPT/upfs.gz" ];then
        rm -f $FWPT/upfs.gz
fi
if [ -e "$FWPT/upfs" ];then
        rm -f $FWPT/upfs
fi
tail -n +$SKIP $0 > $FWPT/upfs.gz
if [ $? -ne 0 ]; then
        upstat 2 4
    [ -f /proc/vs_poweroff_key_status ] && echo 1 > /proc/vs_poweroff_key_status
    #[ -f /proc/vs_sd_spin_down ] && echo 3 > /proc/vs_sd_spin_down
    [ -f /tmp/update_flag ] && exit 0
        exit 1
fi
# mount
upstat 1 5
checkmount
gzip -d $FWPT/upfs.gz
mount -o ro $FWPT/upfs /opt
if [ $? -ne 0 ];then
    #modify by zhangwei
    /usr/sbin/udevtrigger
    /bin/sleep 5
    mount -o ro $FWPT/upfs /opt
    if [ $? -ne 0 ];then    
            upstat 2 5
        [ -f /proc/vs_poweroff_key_status ] && echo 1 > /proc/vs_poweroff_key_status
        #[ -f /proc/vs_sd_spin_down ] && echo 3 > /proc/vs_sd_spin_down
        [ -f /tmp/update_flag ] && exit 0
            exit 1
    fi
fi
cp -arfv /dev/* /opt/dev/ > /dev/null 2>&1
#close udev telnet zhangwei
killall -kill udevd
#killall -kill telnetd
#chroot
echo "start update firmware"
stop_watchdog()
{
    if [ -f /opt/bin/diswatchdog ]; then
        echo close watchdog
        /opt/bin/diswatchdog
        sleep 5
    fi
}
#ls -l /bin/diswatchdog > /data/UsbDisk1/Volume1/diswatchdog.log
#
stop_watchdog
chroot /opt /etc/initsh
exit 0
END_OF_STUB

After that it seems to contain the complete file system except the bootloader, compressed with gzip.
If you open the fw-7620-WiFiDGRJ-HooToo-HT-TM05-2.000.058 with e.g. 7zip,
it contains one file: initrdup, and if you open this there is the file system from the Linux OS:
/
bin
boot
config
dev
etc
firmware
lib
mnt
proc
sys
var
update.sh

Any news about hacking HooToo HT-TM05, please?

I don't really have any knowledge about building and modifying OpenWRT to work on the TM-05, but I'm doing my best to help! @tr1g4d0n: If you look in the firmware folder, the "rootfs" file is also decompressible. I'm currently working on making a git repo that will have all the 2.000.022 firmware, and then I'll commit the most recent firmware which will show us all the differences.

Our first priority should be to enable telnetd on the most recent firmware, and seeing what's changed should help.

I dumped the rootfs from 064 and found this:

# find .| grep -i telnet
./etc/checktelnetflag
./etc/init.d/opentelnet.sh
./etc/telnetpasswd
./etc/telnetshadow
./usr/sbin/telnetd

# cat etc/init.d/opentelnet.sh 

#!/bin/sh
if [ ! -f /etc/telnetflag ]; then
    touch /etc/telnetflag
       sed -i "s|:/root:/sbin/nologin|:/root:/bin/sh|" /etc/passwd
#    cp -f /etc/telnetpasswd /etc/passwd
#    cp -f /etc/telnetshadow /etc/shadow
    telnetd &
    /etc/init.d/etcsync
fi

Looks like you just need to remove that check junk and resquash rootfs + stub everything back up + flash it to get telnetd on the latest firmware. The hashes in telnetpasswd and telnetshadow match those in 022.

Incidentally, this toolkit for unpacking and mounting the firmware images exists: https://github.com/cryptographrix/HooTo … 05-hacking

Being the lazy git I am, I plugged an ext2-formatted USB stick into mine with a copy of most of the OS from my mipsel 74k asuswrt/merlin router, and chrooted into it. Works like a champ after a little tweaking. I got ipkg-opt working inside the chroot, installed bash + dropbear + tmux + htop + wget + nmap, as well as the latest busybox, and I'm off to the races. It's not as good as real OpenWRT, but it lets me mess around while we figure out how to get this thing to cooperate.

(Last edited by theodric on 24 May 2016, 22:27)

Disassembly guide:
1. Spudge the red trim piece off the side
2. Using the now-exposed corner of the bottom cap, pop + spudge the bottom cap off
3. Remove the four Phillips screws at the indicated points
4. Pull the top off (careful-- wires will remain connected from the motherboard to the battery controller), then remove the four screws holding the black top inner retainer to the red outer shell
5. Remove the rubber surround
6. Pull out the motherboard

Assembly is the reverse of disassembly.

https://i.imgur.com/BZIeRF9.jpg

Serial pads are clearly visible on the top daughterboard:

https://dl2.pushbulletusercontent.com/iFJ0Ri9S96DQDr0rwkfEWYjbpalevBll/IMAG0117.jpg

EDIT: nevermind, I'm an idiot and a sed novice. 'sed 1-3d' strips out the top three lines of the file, which contain the following on 064:

head -3 fw-7620-WiFiDGRJ-HooToo-HT-TM05-2.000.064
#!/bin/sh
# constant
CRCSUM=1503745883

So it's not an issue.

Leaving this post intact to shame my future self and because there's a limited amount of useful information in it.
========

Fail, and now my brain hurts.

I made some changes in the rootfs filesystem, resquashed it, inserted it into the initrdup, gzipped the initrdup, and catted them together into a package. Binwalk shows the same format. Great.

Attempted to flash, and "invalid file format." Poop. So I decided to have a look at the start_script.sh to see if there's a checksum in there. There is. The checksum creation method is clearly readable in the script, so I broke it out and ran it on files from the unmodified 064 firmware to see what the checksum was of.

Here's the part that wrecks my brain: it's the checksum of the entire firmware stub, which includes the start_script.sh that contains the CRCSUM value that start_script.sh calculates. Is it just me, or is this a chicken-egg problem? I'm contemplating living on the edge and just removing the CRCSUM checks altogether, making it flash whatever I feed it.

I github'd the CRCSUM function from start_script.sh broken out as a shell script, in case anyone wants it: https://github.com/theodric/HooToo_HT-T … um_tool.sh

(Last edited by theodric on 25 May 2016, 16:21)
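
Added example (not part of the original posts and not HooToo's code): a small checker for the image layout described in the two posts above, i.e. a shell stub whose third line carries CRCSUM, followed at line SKIP by a gzip payload. It shows that the CRC covers everything after line 3, so the CRCSUM line itself is outside the checksummed region. The function names and the constructed sample image (vendor "Example", device "EX-0000") are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Layout assumed from the stub quoted in this thread:
#   line 3           CRCSUM=<decimal POSIX cksum of everything after line 3>
#   lines 4..SKIP-1  remainder of the shell stub (VENDOR, SKIP, VERSION, ...)
#   line SKIP..EOF   gzip payload, extracted by the stub with tail -n +$SKIP

# Print the value of KEY from the KEY=value lines at the top of the stub.
fw_field() {  # usage: fw_field FILE KEY
    head -n 20 "$1" | LC_ALL=C sed -n "s/^$2=//p" | head -n 1 | tr -d '"\r'
}

# CRC the way the stub does it: drop the first three lines, cksum the rest.
fw_crc() {  # usage: fw_crc FILE
    tail -n +4 "$1" | cksum | cut -d' ' -f1
}

# First two bytes at the payload offset, as hex (gzip magic is 1f8b).
fw_payload_magic() {  # usage: fw_payload_magic FILE SKIP
    tail -n +"$2" "$1" | od -An -tx1 -N2 | tr -d ' \n'
}

# Return 0 if the image is self-consistent, 1 on CRC mismatch,
# 2 on a missing or non-numeric header field, 3 if the payload is not gzip.
fw_verify() {  # usage: fw_verify FILE
    want=$(fw_field "$1" CRCSUM)
    skip=$(fw_field "$1" SKIP)
    for v in "$want" "$skip"; do
        case "$v" in
            ''|*[!0-9]*) echo "missing or non-numeric CRCSUM/SKIP" >&2; return 2 ;;
        esac
    done
    got=$(fw_crc "$1")
    echo "device=$(fw_field "$1" DEVICE_TYPE) version=$(fw_field "$1" VERSION)"
    echo "crc: header=$want computed=$got, payload starts at line $skip"
    [ "$got" = "$want" ] || return 1
    [ "$(fw_payload_magic "$1" "$skip")" = "1f8b" ] || return 3
    return 0
}

# Build a small constructed image with the same layout (placeholder values).
# Lines 1-3 are the header, END_OF_STUB is line 10, so the payload is line 11.
fw_make_sample() {  # usage: fw_make_sample OUTFILE
    body=$1.body
    {
        printf 'VENDOR=Example\nDEVICE_TYPE=EX-0000\nSKIP=11\nVERSION=1000001\n'
        printf 'echo "stub body would run here"\nexit 0\nEND_OF_STUB\n'
        printf '\037\213\010\010constructed-payload\n'
    } > "$body"
    {
        printf '#!/bin/sh\n# constant\nCRCSUM=%s\n' "$(cksum < "$body" | cut -d' ' -f1)"
        cat "$body"
    } > "$1"
    rm -f "$body"
}

# Check the file given as $1, or fall back to the constructed sample.
img=${1:-}
demo_dir=
if [ -z "$img" ]; then
    demo_dir=$(mktemp -d)
    img=$demo_dir/fw.bin
    fw_make_sample "$img"
fi
status=0
fw_verify "$img" || status=$?
echo "fw_verify exit status: $status"
if [ -n "$demo_dir" ]; then rm -rf "$demo_dir"; fi
```

cksum is a CRC, so a match only shows the download was not corrupted in transit; it says nothing about who produced the image.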

It appears that the firmware running on this device is well-understood and used lots of places, and a couple of the methods for obtaining shell access without a serial connection should be easily portable. Today I Learned. I started reverse-engineering it from zero, only to discover that a lot of the work was already done for me. Examples:


/usr/sbin/etc_tools p

seems to be what you need to type to commit any changes you make in the /etc ramdisk (passwords, init scripts, etc.) to the MTD

I've updated my current internal spin of the firmware with the latest BusyBox (+full install of symlinks) and Dropbear SSH server. Once I get Dropbear working - it runs the binary, but I can't get to a shell - I'll remove telnetd from the init process. I'll post it when ready.

The firmware contains an /opt directory by default, so it should be trivial to add in an init script to check for a filesystem containing optware, mount it at /opt if found, and update PATH accordingly.

What I don't yet understand, but aim to grok today, is how I can recover this thing if I accidentally the whole MTD with a crappy flash.

Bonus image: my craptastic pogo pin serial breakout board https://i.imgur.com/0f6gXFC.jpg

Thank you so much for the disassembly guide.  Looking forward to hearing the progress of getting a version of OpenWRT on this thing!

2nd this! Thank you so much in advance!

zonyl wrote:

Thank you so much for the disassembly guide.  Looking forward to hearing the progress of getting a version of OpenWRT on this thing!

Sorry, posts 26 to 25 are missing from our archive.