Phicomm PSG1218 K2 HW Rev.A2 OpenWRT - How To

Black Phoenix:
Well, I had this router at home that I wanted to install OpenWRT on. Being sold only in Asia, most of the instructions are in Chinese, where there is a big community associated with it, with their own versions of OpenWRT just for their own market, with OpenVPN and ShadowSocksR Plus+, functions tailored to bypass the GFW.

The router is based on the MediaTek MT7620A with 64MB of DDR2. The procedure is the same for all the HW revs available on the market, from A1 to B2.

For this we are going to need the TFTP program or OpenFTP (TFTP was used here), a program for the serial connection, which can be PuTTY (I used SecureCRT), and the BreedWeb version for our router - https://breed.hackpascal.net/.

In our case it's going to be breed-mt7620-phicomm-psg1208.bin, which we are going to rename to breed.bin and put in the same folder as the TFTP exe, plus the firmware we are interested in, since there are various forks of OpenWRT, from Pandora to LEDE to Padavan etc. We are going to use the fork from coolsnowwolf LEDE released by RealKiro - https://github.com/RealKiro/lede/releases. For this model, as before, we use the MT7620 one again.

The equipment itself came from the start with the dreaded firmware V22.6.532.231, which doesn't allow downgrades, and most of the known vulnerabilities that allowed installing non-official firmware were patched, including deactivating the telnet option.

[attachimg=1]

Because of that, the only way to unlock the bootloader was to locate the diagnostic port and solder contact points for serial access and firmware upgrade via TFTP. First we locate the 2 screws under the bottom sticker that we need to remove:

[attachimg=2]

[attachimg=3]

[attachimg=4]

For that we are going to solder contacts onto the TX, RX and GND, and connect them to the opposite ones on the USB UART adapter. VCCIO is not needed.

[attachimg=5]

Select 3.3V on the adapter and load it up with the following config in the serial connection program of choice:
Baud Rate: 57600
Data bits: 8
Parity: None
Stop bits: 1
No Flow Control options.

[attachimg=6]

If everything is OK, the connection to the USB TTL adapter should be on in the program, and when connected to the router's diagnostic pins it should light up one of the LEDs:

[attachimg=7]

Let's then see what the equipment says to us:


--- Quote ---
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1259101 Bytes =  1.2 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 64

Starting kernel ...


LINUX started...

 THIS IS ASIC

SDK 5.0.S.0
[    0.000000] Linux version 3.10.14 (jenkins@compile) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 unknown) ) #1 Tue May 21 11:09:07 CST 2019
[    0.000000]
[    0.000000]  The CPU feqenuce set to 580 MHz
[    0.000000]  PCIE: bypass PCIe DLL.
[    0.000000]  PCIE: Elastic buffer control: Addr:0x68 -> 0xB4
[    0.000000]  disable all power about PCIe
[    0.000000] CPU0 revision is: 00019650 (MIPS 24KEc)
[    0.000000] Software DMA cache coherency
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x03ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03ffffff]
[    0.000000] Primary instruction cache 64kB, 4-way, VIPT, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock6 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=0001afdf
[    0.000000] Readback ErrCtl register=0001afdf
[    0.000000] Memory: 61020k/65536k available (2776k kernel code, 4516k reserved, 655k data, 212k init, 0k highmem)
[    0.000000] NR_IRQS:128
[    0.000000] console [ttyS1] enabled
[    0.108000] Calibrating delay loop... 385.02 BogoMIPS (lpj=770048)
[    0.148000] pid_max: default: 32768 minimum: 301
[    0.152000] Mount-cache hash table entries: 512
[    0.156000] NET: Registered protocol family 16
[    0.160000] RALINK_GPIOMODE = 1a311d
[    0.164000] RALINK_GPIOMODE = 18311d
[    0.168000] PPLL_CFG1=0xe54000
[    0.172000] MT7620 PPLL lock
[    0.176000] PPLL_DRV =0x80080504
[    0.180000] start PCIe register access
[    0.680000] RALINK_RSTCTRL = 2400000
[    0.684000] RALINK_CLKCFG1 = 75afffc0
[    0.688000]
[    0.688000] *************** MT7620 PCIe RC mode *************
[    1.188000] PCIE0 enabled
[    1.192000] Port 0 N_FTS = 1b105000
[    1.196000] init_rt2880pci done
[    1.216000] bio: create slab <bio-0> at 0
[    1.220000] PCI host bridge to bus 0000:00
[    1.224000] pci_bus 0000:00: root bus resource [mem 0x20000000-0x2fffffff]
[    1.228000] pci_bus 0000:00: root bus resource [io  0x10160000-0x1016ffff]
[    1.232000] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    1.236000] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    1.240000] pci 0000:00:00.0: BAR 0: can't assign mem (size 0x80000000)
[    1.244000] pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x200fffff]
[    1.248000] pci 0000:00:00.0: BAR 9: assigned [mem 0x20100000-0x201fffff pref]
[    1.252000] pci 0000:00:00.0: BAR 1: assigned [mem 0x20200000-0x2020ffff]
[    1.256000] pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff 64bit]
[    1.260000] pci 0000:01:00.0: BAR 6: assigned [mem 0x20100000-0x2010ffff pref]
[    1.264000] pci 0000:00:00.0: PCI bridge to [bus 01]
[    1.268000] pci 0000:00:00.0:   bridge window [mem 0x20000000-0x200fffff]
[    1.272000] pci 0000:00:00.0:   bridge window [mem 0x20100000-0x201fffff pref]
[    1.276000] BAR0 at slot 0 = 0
(...)
--- End quote ---

Okay, now let's prepare the installation of the new bootloader. First, with the router off, we are going to connect the PC to the router on Port 1 with the Ethernet cable and define the static IP of the PC as 192.168.2.10, subnet 255.255.255.0 and gateway 192.168.2.1. On the TFTP Server tab we are going to choose as Server Interface the one we defined on our Ethernet card, so 192.168.2.10; the directory is the one where breed.bin is located.

[attachimg=8]

We are going to turn on the router, but at the same time we are going to press the button on the back for 2 sec. On the serial connection we are going to see that it says the button was pressed. Release, and when it shows the following log, hit 9 only once. Don't hit other keys or it will restart the loading again. It may need a couple of tries to get the timing right. Basically it is: power on with the back button pressed, release the button, and less than a second after, hit 9. It should show the following log if it was successful:


--- Quote ---
Catution: hardware button wasn't pressed or not long enough!
Continuing normal boot...

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   6: Load all then write to Flash via TFTP.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.
default:3

You choosed 9




9: System Load Boot Loader then write to Flash via TFTP.
Warning!! Erase Boot Loader in Flash then burn new one. Are you sure?(Y/N)
--- End quote ---

Press Y and configure it as follows, pressing Enter after each entry.


--- Quote ---
9: System Load Boot Loader then write to Flash via TFTP.
Warning!! Erase Boot Loader in Flash then burn new one. Are you sure?(Y/N)
Please Input new ones /or Ctrl-C to discard
        Input device IP (192.168.2.1) ==:192.168.2.1
        Input server IP (192.168.2.10) ==:192.168.2.10
        Input Uboot filename () ==:breed.bin
--- End quote ---

After the last command press Enter and the router should find the file and start downloading, and you will see in the TFTP window the file being uploaded to the router.


--- Quote ---
9: System Load Boot Loader then write to Flash via TFTP.
Warning!! Erase Boot Loader in Flash then burn new one. Are you sure?(Y/N)
Please Input new ones /or Ctrl-C to discard
        Input device IP (192.168.2.1) ==:192.168.2.1
        Input server IP (192.168.2.10) ==:192.168.2.10
        Input Uboot filename () ==:breed.bin

NetTxPacket = 0x87FE5480

KSEG1ADDR(NetTxPacket) = 0xA7FE5480

NetLoop,call eth_halt !

NetLoop,call eth_init !
Trying Eth0 (10/100-M)

Waitting for RX_DMA_BUSY status Start... done


ETH_STATE_ACTIVE!!
TFTP from server 192.168.2.10; our IP address is 192.168.2.1
Filename 'breed.bin'.

TIMEOUT_COUNT=10,Load address: 0x84000000
Loading: Got ARP REPLY, set server/gtw eth addr (HIDDEN)
Got it
=====================
done
Bytes transferred = 106428 (19fbc hex)
LoadAddr=84000000 NetBootFileXferSize= 00019fbc
.
.
.
.
Done!
--- End quote ---

After its done, turn off the router, change the Static IP configuration to 192.168.1.10 and keep the subnet, removing the gateway. Turn the router on again. If no action is taken the router will load its default image, the original Phicomm one, and work as before. But if, when turning on the router, the back button is pressed for more than 4 sec or a key is hit via serial, the router will enter bootloader mode, with the IP 192.168.1.1 and subnet 255.255.255.0.


--- Quote ---
Boot and Recovery Environment for Embedded Devices
Copyright (C) 2018 HackPascal <hackpascal@gmail.com>
Build date 2018-12-29 [git-135bed9]
Version 1.1 (r1266)

DRAM: 64MB
Platform: MediaTek MT7620A ver 2, eco 6
Board: Phicomm PSG1208 (K1)
Clocks: CPU: 580MHz, Bus: 193MHz
Flash: GigaDevice GD25Q64 (8MB) on rt2880-spi
rt2880-eth: Using MAC address (HIDDEN)
eth0: MediaTek MT7620A built-in 5-port 10/100M switch

Network started on eth0, inet addr 192.168.1.1, netmask 255.255.255.0

Press any key to interrupt autoboot ... 3   
Autoboot aborted due to key press.

Starting breed built-in shell

breed>
--- End quote ---

Open your browser of choice and you should see the following page after entering the router IP, 192.168.1.1:

[attachimg=9]

Now let's change the firmware.
Select the 2nd option on the menu on the left and load the file in the respective field, and hit the bottom button.

[attachimg=10]

In the next window, confirm the operation with the bottom button again.

[attachimg=11]

Then wait for the file to load to the router. It will take some minutes and the router LED will flash blue for a while. When the LED stays fixed blue the operation is finished.

[attachimg=12]

Turn the router off and on again, let it load and it's done. The new IP of the router will be 192.168.2.1, so change the PC's Ethernet adapter from static IP to DHCP.
Entering the IP of the router in the browser will bring up its default home page:

[attachimg=13]

Its default password is, well, password.

And done. From there it's up to you to configure the router as you wish. It's possible to use other images, such as the non-China-specific OpenWRT.

To change the image, redo the steps starting from "After its done, turn off the router, change the Static IP configuration to 192.168.1.10 and keep the subnet(...)".

Here with the Official English OpenWRT 18.06.4.

[attachimg=14]
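
An added example, not part of the original post: a Python check for the TFTP bootloader step, which parses the serial transcript quoted above and confirms that the sizes the router reports agree with each other and with the local breed.bin, and that the file came from the expected server. The sample log is constructed from the lines quoted in the post; the function names and the zero-filled stand-in image are assumptions for illustration. A size match only shows the whole file arrived, so the SHA-256 is reported for comparison against a hash recorded when the file was downloaded.

```python
import hashlib
import re

# Constructed sample: the transfer lines from the serial log quoted in the post.
SAMPLE_LOG = """\
TFTP from server 192.168.2.10; our IP address is 192.168.2.1
Filename 'breed.bin'.
Bytes transferred = 106428 (19fbc hex)
LoadAddr=84000000 NetBootFileXferSize= 00019fbc
"""

FIELDS = {
    "server": r"TFTP from server (\S+);",
    "filename": r"Filename '([^']+)'",
    "bytes_dec": r"Bytes transferred = (\d+) \(",
    "bytes_hex": r"Bytes transferred = \d+ \(([0-9a-fA-F]+) hex\)",
    "xfer_size": r"NetBootFileXferSize=\s*([0-9a-fA-F]+)",
}

def parse_tftp_log(log):
    """Pull the transfer facts out of the serial capture; absent fields are None."""
    found = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, log)
        found[name] = match.group(1) if match else None
    return found

def check_transfer(log, image, server, filename):
    """Compare the logged transfer with the local image (bytes); return findings."""
    report = {"sha256": hashlib.sha256(image).hexdigest(), "problems": []}
    f = parse_tftp_log(log)
    missing = [k for k, v in f.items() if v is None]
    if missing:
        report["problems"].append("log incomplete, missing: " + ", ".join(missing))
        return report
    if f["server"] != server:
        report["problems"].append("served by %s, expected %s" % (f["server"], server))
    if f["filename"] != filename:
        report["problems"].append("loaded %s, expected %s" % (f["filename"], filename))
    sizes = {int(f["bytes_dec"]), int(f["bytes_hex"], 16), int(f["xfer_size"], 16)}
    if len(sizes) != 1:
        report["problems"].append("log reports inconsistent sizes: %s" % sorted(sizes))
    elif len(image) not in sizes:
        report["problems"].append(
            "router received %d bytes, local file is %d" % (sizes.pop(), len(image)))
    return report

if __name__ == "__main__":
    stand_in = bytes(106428)  # constructed zero-filled stand-in for breed.bin
    print(check_transfer(SAMPLE_LOG, stand_in, "192.168.2.10", "breed.bin"))
```

In practice, pass the saved serial capture as `log` and the contents of the real breed.bin (read in binary mode) as `image`.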
